Transparency and Legitimacy Questions

Topics: Users Discussion
Jan 9, 2015 at 9:46 PM
  1. Why does VeraCrypt use CodePlex over GitHub? Especially since CodePlex is owned and operated by Microsoft. Even better, why doesn't VeraCrypt move to a solution hosted by a non-U.S. entity? Surely France has a decent option?
  2. Why is Mounir the only developer? Does he not want to allow external code contributions and collaboration?
  3. What do we know about Mounir? With the recent disclosure that CipherShed is a U.S. DoD operation, we need to question the background of Mounir as well. If one TrueCrypt fork was infiltrated then it's likely that others such as VeraCrypt were as well. Does Mounir have any known connections to the French DGES / DCRI or any other French government organization?
Jan 9, 2015 at 10:20 PM
Edited Jan 9, 2015 at 10:20 PM
  1. It was simpler for Mounir to maintain as he was on his own.
  2. He would dearly love some help, unfortunately few people are skilled enough and out of those few even fewer want to work for free.
  3. All we know is he is a kind chap who provides secure code for free. He does seem skilled in his work and no one has yet found a weakness or back-door. He has a business and professional reputation to maintain, he has not taken on VeraCrypt lightly, he has much to lose and little to gain.
Coordinator
Jan 9, 2015 at 10:58 PM
The VeraCrypt project is hosted on Sourceforge (https://sourceforge.net/p/veracrypt), Github (https://github.com/veracrypt/VeraCrypt) and Codeplex. The main git repository is Sourceforge. I chose Codeplex because it was the one that offers the easiest interface for editing documentation.
I know there is a type of user that is suspicious of anything touched by Microsoft but one must remain realistic: the code integrity is handled through different mirrors, not only Codeplex. Binaries are mirrored through different mirrors and their checksums and PGP signatures are published and copied over different sources: Pastebin (http://pastebin.com/u/veracrypt) and Reddit (https://www.reddit.com/user/veracrypt).

I have already asked for any hosting proposal that gives guarantees about security and availability. All proposals are welcomed. Nevertheless, I see no reason not to use any freely available hosting service while having control of the integrity of the content.

Since the beginning of the project, I was asking for contributions and for collaborations. For now, apart from a few patches that were not included because of quality issues, I didn't receive any proposal for collaboration. I reiterate my statement that VeraCrypt is an open source project open to everybody. There are many features that are waiting for skilled people to implement (like GPT/UEFI support). So spread the word.

As for my own credentials, my LinkedIn profile is open for professionals who would like to connect and share information about my background. As you can imagine, I will not spill my private life on the internet but I can give here a public statement that I don't and have never worked for any government agency. Before starting my consulting business, I was employed by a smart card manufacturer. Smart card professionals, especially in France, know me and some of my contributions in this field are publicly available.
For example, for several years, I was the only one providing a patch for a Microsoft dll in order to help Smart Card developers test their CSP dlls on Windows without the need of requesting a signature from Microsoft. You can type "advapi32 patch" in Google and you'll see the results pointing to my work.
Also, I was the first to implement Smart Card support in WINE (the Windows emulator) through the implementation of a pcsclite based winscard.dll for Linux and MacOSX. As of today, I'm still the only source for a 100% working winscard implementation on Linux.

With the latest revelations about US activities, I understand the need for people to scrutinize the people behind security-related projects. We need to be as transparent as possible without falling into voyeurism. Personally, I decided to put my reputation at stake by going public about VeraCrypt since 2013, at a time when nobody cared about TrueCrypt weaknesses. My motivation behind VeraCrypt remains the same and it is not related to any shadowy organization or quest for profit, but rather the simple wish to provide users with something useful and secure in the most transparent way.
Jan 10, 2015 at 3:29 AM
Edited Jan 10, 2015 at 3:30 AM
Thanks for answering my questions Mounir. Your answers are well thought out, and your words quell my fears and inspire confidence. This is what we need, a developer being open and honest when put to the test while fully explaining your reasoning.

Unlike CipherShed, their reaction to the recent revelation of the main developer working for the U.S. Department of Defense was just to tell everyone to "audit the code". No explanation, no reaction, no statement from Mr. Pyeron. Just a "so what, who cares that he works for the DoD" and "audit the code". Nothing to inspire confidence at all.

Does VeraCrypt employ the use of a warrant canary in the event of government intervention?
Jan 10, 2015 at 12:20 PM
You do know warrant canaries are illegal, don't you?

The first thing a government does is tell the victim that they are not allowed to tell anyone they are subject to inspection or even if they are being forced to do something against the project.

The best we can hope for is Mounir simply does not sign any more code and just takes the site down.

You may have seen other projects offering warrant canaries to make their users feel better. However when the time comes, 5am in the morning when they kick your door in and explain in very clear language that if you tell anyone they have visited, you will serve a long jail sentence, I doubt anyone would actually think or dare to alert the users.

Don't forget these people also have families and houses, they could lose both if they don't comply, we cannot expect this sort of commitment from a free open source project.

All I am trying to say is, it does not matter if VeraCrypt has a warrant canary procedure or not. It is also most important that you don't place too much trust in other people's so-called warrant canaries.
Jan 10, 2015 at 1:18 PM
See Mounir's reply in this thread regarding how he will react.

Compatibility question and trust question
Jan 10, 2015 at 1:45 PM
L0ck wrote:
You do know warrant canaries are illegal, don't you?

Legal challenges are still in the USA courts. This has not stopped companies in the USA from proceeding to use warrant canaries. Does France have any restrictions on the usage of warrant canaries?

https://www.eff.org/deeplinks/2014/04/warrant-canary-faq

http://www.yalelawjournal.org/forum/warrant-canaries-and-disclosure-by-design
Jan 10, 2015 at 4:38 PM
Sorry, yes I always assume everything is UK when people write in English :)

I don't know about USA law.

I have read and heard "stories" which I have no reason to doubt about the UK gov "methods" for dealing with this sort of thing.

They range from actual gagging laws to threats of fabricated charges. Also RIPA is hell for the UK public.
Jan 26, 2015 at 2:52 PM
Edited Jan 26, 2015 at 2:54 PM
JeSuisCharlie wrote:
Thanks for answering my questions Mounir. Your answers are well thought out, and your words quell my fears and inspire confidence. This is what we need, a developer being open and honest when put to the test while fully explaining your reasoning.

Unlike CipherShed, their reaction to the recent revelation of the main developer working for the U.S. Department of Defense was just to tell everyone to "audit the code". No explanation, no reaction, no statement from Mr. Pyeron. Just a "so what, who cares that he works for the DoD" and "audit the code". Nothing to inspire confidence at all.

Does VeraCrypt employ the use of a warrant canary in the event of government intervention?
I am not sure I understand the reason for the distrust towards Mr. Pyeron. He does currently work for DISA. He seems to have reasonable answers to most concerns.