This project has moved. For the latest updates, please go here.

CipherShed team clearly confused by secure code

Topics: Users Discussion
Jan 5, 2015 at 11:59 PM
someone from our team has been reviewing veracrypt's commits, and described them as "terrible"
Source CipherShed forum Admin...

https://forum.ciphershed.org/viewtopic.php?f=3&t=73&sid=66adcb77738bbd4c9ebd9c4cd6e8e5b2

If they say this about VeraCrypt I wouldn't feel safe using CipherShed at all.
Coordinator
Jan 6, 2015 at 1:36 PM
Well..apparently the post was changed after your posting in order to use more politically correct phrasing...
Nevertheless, I doesn't seem to be an objective analysis of my work to say the least.

Personally, I have always been saying good things about the CipherShed people and their work. I have never criticized their work nor given any thoughts about the quality of their coding.
I'm very disappointed by the behavior reflected by this post. If they have any remarks or if they found any issues, they can just come forwards and show the issues so I can solve them. They didn't....They prefer just criticizing.

Is this the spirit of Open Source? Is this how the work of others should be respected? Are we really collaborating for the common good or is it a competition?

From the post, they seem to think that they are the best coders around. I have nothing against that claim but telling people that others don't know how to code properly is a way too far and too arrogant.

Anyway, this is very disappointing from the CipherShed team and it changed my way of looking to them. I'm not sure anymore if they are really working for the good of the community or it is just for personal ego.

From my side, this will not change my commitment to VeraCrypt. I'll continue providing the community with the best security possible and I'll continue sharing the source code of all the enhancements so that others (even CipherShed) can benefit from them.
Jan 6, 2015 at 2:11 PM
There is little point them editing it now, I caught them almost straight away.

To be honest Mounir you should not be disappointed by their comments.

Think about it this way, they clearly do not understand the coding you have done, this suggests to me they are not actually as competent as you are.

CipherShed obviously felt threatened by VeraCrypt, which is nice to know. They simply assumed they were going to be the natural successors to TrueCrypt because they set up a website and forum. They have done little else during the time since TrueCrypt went down. I believe they are still agonising over what to name their product :)

I recommend you push forward regardless of any criticism Mounir, in fact I would be encouraged by such comments. You are clearly a huge issue for them, perhaps they secretly admire your work. After all they must have seen my post here within a few hours of me making it, which demonstrates they are learning from your forum.

TrueCrypt and CipherShed are currently both less secure products than VeraCrypt, there is no dispute about that. The fact CipherShed will never be able to back up their claims against VeraCrypt will speak volumes to the users. CypherShed will not be able to find any of your code which weakens VeraCrypt in any way, it's almost like a recommendation in itself, peer reviewed :)

Continue to push on Mounir, you have a steady and loyal following behind you !
Jan 6, 2015 at 3:20 PM
Edited Jan 6, 2015 at 3:24 PM
Strongly agree with L0ck. VeraCrypt is now on its sixth product release, and CipherShed is still vaporware with no released product and no projected release date AFAIK.

That said, IMO their idea of moving away from the TrueCrypt license is a good one and I hope VeraCrypt will over time replace all of the legacy code and thus escape that licensing encumbrance.
Jan 6, 2015 at 4:26 PM
Hi everybody,

a visitor on IRC brought this to my attention today.

The "quote" originated from a late sunday evening voicechat, and should not be taken word for word as is. For some reason I did not realise that when writing that answer. There was no intent to attack VC or Mounir in any way.

In fact, I believe that having seperate projects -- while of course having disadvantages -- can also have advantages for the community. Therefore I want to stress that I agree with L0ck and commenter8, and that you should indeed keep on "pushing forward". It will keep us all on our toes. ;)

compul
Jan 6, 2015 at 6:47 PM
I apologize; I was the other person on the referenced chat.

I did not intend this connotation by what I said.

VeraCrypt has a different development and change management approach and priorities than I am comfortable with. That is the basis for what I said and that should put what I said in the proper light.

I have nothing but the best wishes for VeraCrypt, or any other FDE. I have no desire to publicly criticize anyone who is trying, as I know with 100% certainty that I do not create perfect code. I completely borked the boot loader on the last release by making it too big.

If there are any questions you would like me to answer, please ask publicly or privately.

Respectfully,

Jason Pyeron
Jan 6, 2015 at 7:32 PM
Thank you compul and jpyeron for taking the time to clarify your position.

I am only speaking for myself, but I understand and accept your explanations, thank you.

I suspect you might be concerned that to a casual observer it may appear that far from believing the VeraCrypt commits are "terrible", the ChiperShed team are reading through the VeraCrypt code for clues on how to do things. I am sure this is not the case in reality.

I understand ChiperShed is run on a "committee" basis, while open and fair it does seem very unproductive.

You asked for questions.

As you have already commented VeraCrypt is a one man operation, however Mounir has made many security enhancements and new features over the last 6 months or so. How has ChiperShed been doing during this time period, considering it is a multi member team effort ?

Will you be releasing a GPT version before VeraCrypt or are you waiting until after ?

Will ChiperShed always be less secure than VeraCrypt or do you intend to follow VeraCrypt's lead by increasing the brute force protection with a greater number of hash iterations, perhaps even equalling VeraCrypt ?

Bearing in mind VeraCrypt is 100% about security, in your own opinion, did you actually find any weakness in the VeraCrypt code ?
Jan 6, 2015 at 8:26 PM
Edited Jan 6, 2015 at 8:28 PM
jpyeron, you refer to "the boot loader on the last [CipherShed] release", but in reality there has never been even an initial release of CipherShed...

https://ciphershed.org/download/

CipherShed
Secure Encryption Software
Download

The first version of CipherShed is in development. The current process consists of “rebranding” the TrueCrypt 7.1a code.

If you would like to compile our current development code, please see the instructions on our wiki.
Jan 6, 2015 at 9:09 PM
I do enjoy your posts commenter8 :D

Oh and I would like to take this opportunity to thank you very much for the excellent wiki article, nicely done. :)
Coordinator
Jan 6, 2015 at 10:57 PM
Thank you Jason for your clarifications. Apology accepted.

It is unfortunate that these comments were made public. I can't hide the fact it broke the image I had of CipherShed.
For more than ten years, I have been contributing to the Open Source community through divers projects (Wine, OpenSSL...) and I always felt that it was like a big family where we all work hard to help each other and provide the best to the end users. I have never seen this kind of Open Source work as a competition or a fight for stardom but the posted comment gave me the opposite impression, as if we were back to school days.

That being said, we all make mistakes at one point or another. What counts is how these mistakes make us better in the future. Personally, I hope that this episode will benefit to the community by providing a more harmonious collaborative environment that will bring more features and more security to all.

Cheers,

Mounir IDRASSI
Jan 6, 2015 at 11:20 PM
Edited Jan 6, 2015 at 11:23 PM
L0ck wrote:
I understand ChiperShed is run on a "committee" basis, while open and fair it does seem very unproductive.
Yes, it does seem that way sometimes. But the initial effort in organization will hopefully pay off in the long run.
You asked for questions.

As you have already commented VeraCrypt is a one man operation, however Mounir has made many security enhancements and new features over the last 6 months or so. How has ChiperShed been doing during this time period, considering it is a multi member team effort ?
It was a slow start. but we have addressed our plan and now we our on implementation.
Will you be releasing a GPT version before VeraCrypt or are you waiting until after ?
We are not waiting, but VeraCrypt does not have any impact on our schedule. Given our primary focus on a 100% rewrite (Apache/BSD or other OSI approved re-license is a goal), lifting it from VeraCrypt would not help, as VeraCrypt's license would be incompatible.
Will ChiperShed always be less secure than VeraCrypt or do you intend to follow VeraCrypt's lead by increasing the brute force protection with a greater number of hash iterations, perhaps even equalling VeraCrypt ?
All of the audit findings will be fixed. There are additional findings that are being addressed too.
Bearing in mind VeraCrypt is 100% about security, in your own opinion, did you actually find any weakness in the VeraCrypt code ?
As Bugzilla reports, Zarro bugs found. All software has bugs. Does VeraCrypt have a bug reporting process? When I get some free time (I am head down right now) I can make reports.


commenter8 wrote:
jpyeron, you refer to "the boot loader on the last [CipherShed] release", but in reality there has never been even an initial release of CipherShed...

https://ciphershed.org/download/
Yes, our website is not updated. It was posted under news, which now has a link to an older release.

We use an Apache release methodology. Build, publish, vote on quality Alpha/Beta/GA. We have been publishing the releases to github for distribution.


idrassi wrote:
It is unfortunate that these comments were made public. I can't hide the fact it broke the image I had of CipherShed.
Next time I am in Paris, I can take you out for a glass of wine, until then I hope your views grow fonder.
For more than ten years, I have been contributing to the Open Source community through divers projects (Wine, OpenSSL...) and I always felt that it was like a big family where we all work hard to help each other ...
Thank you for your contributions.
Jan 7, 2015 at 12:07 AM
jpyeron wrote:
It was a slow start. but we have addressed our plan and now we our on implementation.
Great, so when should we expect a release ?
All of the audit findings will be fixed. There are additional findings that are being addressed too.
Thanks for your reply, but I was specifically asking if ChipherShed will continue to be less secure than VeraCrypt with regards to brute force protection ?

I ask this because we have a lot of new members here who value speed over security, As VeraCrypt is 100% security conscious we need a faster - less secure alternative to direct these members to. As TrueCrypt has expired I hoped to be able to send them your way. However if you intend to follow VeraCrypt and increase your brute force protection, to perhaps match VeraCrypt, then I will have to find something else to recommend.
Does VeraCrypt have a bug reporting process? When I get some free time (I am head down right now) I can make reports.
This is great news, I really look forward to your findings, there is nothing better than peer review. At the moment there is a ticket system but soon there will be Redmine. If you are keen to start you are more than welcome to post on this forum.
Jan 7, 2015 at 12:08 AM
Edited Jan 7, 2015 at 12:09 AM
According to the CipherShed Roadmap, the "Full Production Release" (version 1.0.0) of CipherShed is still a very distant goal. Calling the current developer's build a "rebranding release" doesn't make it a release in anything other than fictional terms. A release is full production software, not a beta version and not a developer's draft.

https://issues.ciphershed.org/projects/ciphershed/roadmap
Jan 7, 2015 at 2:23 AM
L0ck wrote:
Great, so when should we expect a (CipherShed) release ?
We are going to strive for weekly build releases, but for a release to be eligible for a GA label, it must complete a full security audit. In other words, it is too early answer.
Thanks for your reply, but I was specifically asking if ChipherShed will continue to be less secure than VeraCrypt with regards to brute force protection ?
No and yes, one of our focuses is on enterprise IT, as such these will be configurable. Users and enterprise IT departments will be able to tune CipherShed to meet their requirements, such as algorithms, and parameters. We will of course have secure defaults and recommendations.
I ask this because we have a lot of new members here who value speed over security, As VeraCrypt is 100% security conscious we need a faster - less secure alternative to direct these members to. As TrueCrypt has expired I hoped to be able to send them your way. However if you intend to follow VeraCrypt and increase your brute force protection, to perhaps match VeraCrypt, then I will have to find something else to recommend.
I am not sure how to answer this, please use your best judgment. If you feel that the user’s requirements are not a fit for VeraCrypt, please do send them our way and we will see if we can help. Of course we will strive for the best performance and security possible, just like any other software development team would.
Jan 7, 2015 at 12:38 PM
Thank you for your replies. :)
We will of course have secure defaults and recommendations.
Can I ask if these defaults will be less secure than VeraCrypt is currently ?

I appreciate this doesn't seem a fair request, however it would be useful to us if ChiperShed was somewhat weaker by default with regards to brute force protection. As I mentioned above we need somewhere to send the users who seem to require speed over security.
Jan 7, 2015 at 1:10 PM
L0ck wrote:
Thank you for your replies. :)
We will of course have secure defaults and recommendations.
Can I ask if these defaults will be less secure than VeraCrypt is currently ?

I appreciate this doesn't seem a fair request, however it would be useful to us if ChiperShed was somewhat weaker by default with regards to brute force protection. As I mentioned above we need somewhere to send the users who seem to require speed over security.
The defaults will be to the most secure and privacy preserving settings offered by that release of CipherShed. I cannot answer to which hypothetical release will be more or less secure. I could imagine that there would be a profile named “Performance” that could be selected, but we are not at that step yet.
Jan 8, 2015 at 12:02 AM
OK thank you jpyeron, I guess we will all have to wait for an actual release of CipherShed before we can definitively answer our questions.

As you are involved with ChiperShed would you please come back and post here when you have a release ?

Thanks.
Jan 9, 2015 at 3:37 AM
CipherShed has been compromised since the founding.

Jason Pyeron works for DISA, a government agency, according to his LinkedIn profile. https://www.linkedin.com/in/jpyeron

It looks like CipherShed has been compromised in the initial founding and is not a viable alternative to TrueCrypt.

List of CipherShed project members: https://ciphershed.org/about/
You should research each and every project member.

What is DISA? https://en.wikipedia.org/wiki/Defense_Information_Systems_Agency

DISA provides information assurance to the DoD (Department of Defense) and works directly with USCYBERCOM.

Any of Jason Pyeron's code changes or reccemendations must be looked at very very carefully for backdoors. These can be hidden in plain sight even in open source projects, for example the Dual_EC_DRBG algorithm which was intentionally weak in order to compromise pseudorandom number generation. The NSA plants operatives in open source projects, hacker conferences, IETF meetings, RFC specs, etc. in attempt to deliberately weaken cryptography.

Use CipherShed at your own risk.
Jan 18, 2015 at 6:31 PM
I would like to say that I regret the team approach CipherShed on the work of VeraCrypt. Particularly I don't think CipherShed is bad (although a product has not yet been officially released). I'm with VeraCrypt and I identify more with the security philosophy employed by Mr Mounir, and therefore, even after the release of final versions of the CipherShed I still plan to continue with the VeraCrypt and indicate to other people.

I hope Mr Mounir don't get discouraged because he is doing an amazing job! And congratulations for him is very little! While I am a student my financial resources are still very few but still I am planning a donation to the project VeraCrypt. Even if it's little, certainly will be a donation of heart! and it's going to be what I can give ... [I'm just a Brazilian student and the Euro is 3.5 times more valuable than the Real (my currency)] but I will as a form of encouragement and thanks to Mr Mounir.

P.S.: Sorry for my bad English, it's not my native language.
Jan 18, 2015 at 9:00 PM
Hi TCalhau

We are sure CipherShed will be a good product, in fact I am recommending it to users here who require speed over security. Jason Pyeron implied in the posts above there may be a "Performance" option. I took this to mean they would weaken security by reducing iterations so people can authenticate their password faster.

As you identify more with the security philosophy of VeraCrypt, "no compromise" you will be pleased to learn Mounir has held firm to the VeraCrypt principles recently. An attempt to encourage a reduction in brute force protection within VeraCrypt, has been rejected.

As a VeraCrypt user I would like to say thank you very much for your donation :) Your English is very good by the way, I wouldn't have known it wasn't your first language.
Jan 26, 2015 at 3:27 PM
aussieboss wrote:
CipherShed has been compromised since the founding.

Jason Pyeron works for DISA, a government agency, according to his LinkedIn profile. https://www.linkedin.com/in/jpyeron
Jason Pyeron does not currently work for DISA. I thought it was important to point out your original statement is not correct.