Posted: Thu Jun 19, 2014 11:24 am
by Resonance
Hi Compul,

I have a few critiques that might improve the website

Banner: Secure Encryption Software
"CipherShed is completely free encryption software for keeping your data secure and private. Learn how to use CipherShed."
It would be better to say Beta software or something similar, because any changes to the TC software could accidentally break security.

The security audit is not complete, so technically neither TC nor CipherShed is verified software; therefore I strongly recommend using the term security software, not secure software or "keep your data secure". Even if TC passes with flying colors, CSh would need to undergo a similar process because, as we all know, even a single mistaken line of code can break the security of the final product.

Smaller issues

Your link to the Forum is not a link to the forum.

I assume your phrase "CipherShed is available for Windows, Mac and Linux." means that Beta builds will be available very soon. Otherwise the word available looks strange in this context.

Re: Web Site

Posted: Fri Jun 20, 2014 2:51 am
by compul
Last two issues changed, thanks.
When CipherShed is available, the core devs will have checked every single line of new or changed code, thus we will consider it secure software. In a sense CS will undergo a similar process by being reviewed by our core devs. "keep your data secure" would make the same assumptions as "secure software". So far CipherShed is not released yet, and we never claimed the old TC was secure software. So that doesn't influence us, even if the audit finds something.
TL;DR: I think secure encryption software is just fine.

Re: Web Site

Posted: Fri Jun 20, 2014 9:46 am
by Resonance

You do not have a clear understanding of the programming security issues. You may want to inform yourself more, because what you are saying is inaccurate and ignores important points. You may want to reconsider your role as the page's designer if you do not understand the security implications for new users and beta software. CS is not secure software; it is security software. It is based on TC, software of security-unknown status. Once anything is changed, it becomes security-unknown and reliability-unknown.

TC + a few small changes + informal self review = "secure software" ?!?!

There are literally dozens of comments under every TC article, explaining how even small changes to code could break something and it might be very hard to notice. They get it. You don't. Most agree that the code is rather disorganized. That leaves two options: re-write a lot (high chance of errors), or start from scratch (even higher chance for errors).

The TC audit is being organized by a cr. professor from Hopkins. Have they agreed to audit your project too? Until you all get an outside audit, nothing about CS can be assumed to be secure, and the software should be called beta. Now, it's clear you are willing to put users at risk.

I hope some of the project's leaders read here, not just amateurs, because you are massively misportraying what the project is producing and offering to the public. Your download page is offering a beta software fork, of unknown security, unknown reliability and murky legal status. You could put new users in a world of hurt, all by accident. Once you get an outside review, all that changes for the good. The software may be used by thousands of people. Please show them the decency to be forthcoming about the benefits, status and risks of the software. It's a beta fork of software of indeterminate status.

Re: Web Site

Posted: Fri Jun 20, 2014 10:11 am
by compul
I don't feel the need for an argument of that kind, especially here on the forum. I'll simply wait for others to comment.

Re: Web Site

Posted: Fri Jun 20, 2014 11:20 am
by PID0
Resonance: I really dislike your overly patronising tone here. What makes you trust the professor from Hopkins any more than some of the security professionals we have working on CS?

Security is a judgement on the ability of the system to withstand a given threat. There are inherent/structural issues with the TrueCrypt code which will be tackled over time; we've already started cleaning the code up and our long-term aim is to replace it entirely, so I can assure you, as one of the core devs, that CS is already more secure than TrueCrypt.

With big development projects (~110,000 lines of code) there are always risks in carrying on the work of others and generally managing changes; that's the nature of collaborative projects (which TC was as well). The first release was to provide a boilerplate version of TC with the immediately identified code flaws fixed. After that we will rewrite the TC code from scratch under the CS brand/license.

It's quite healthy to maintain some scepticism about the tools you use to protect your privacy and we would never recommend that CS is the only tool you need. However as far as anyone who has looked at the code has found, there are ZERO serious vulnerabilities in either TrueCrypt or CipherShed. Sheer logic demands we give it the benefit of the doubt until such a time as new evidence is presented that it is vulnerable (at which time we'll fix it).

We will always be reviewing and testing the code to make it safer and more secure; that process will never stop. Writing the app again from scratch will provide some level of assurance that no nasty hidden vulnerabilities have crept into the code over the years of TC development. However, our advice, in lieu of any evidence to the contrary, is that CipherShed is secure enough for the majority of users (and is certainly more secure than TrueCrypt).

Re: Web Site

Posted: Sat Jun 21, 2014 12:47 pm
by Sabbath

I believe we have been incredibly patient with you on this forum; you are becoming something of a forum joke with your rather odd ramblings.

You have failed to answer points made against you on other threads, and you post misleading and often just plain inaccurate messages to satisfy your narcissism.

Claims that you are conducting psychological tests on our project and team are borderline certifiable. I suggest you seek help for a delusional personality disorder.

You appear to be inordinately angry with compul, the very person who has defended your membership here, despite receiving advice to the contrary.

I think the very least you can do to demonstrate your appreciation of compul's sympathy and restraint towards you, would be to voluntarily tidy your own mess from our forum. I do not believe it fair for you to insult compul's abilities while at the same time expecting compul to clean up after you.