CipherShed compromised from the beginning?

Talk, discussions and suggestions for the project itself or the forum and wiki. Not for discussing the project's goals.

CipherShed compromised from the beginning?

Postby brosef » Thu Jan 08, 2015 3:55 am

How can we trust CipherShed when one of the project managers and security developers works for DISA?

Jason Pyeron: https://www.linkedin.com/in/jpyeron
What is DISA? https://en.wikipedia.org/wiki/Defense_I ... ems_Agency

It looks to me like the CipherShed project was founded with a mole from the beginning. How can anyone trust this project? It's DOA IMO.
brosef
 
Posts: 1
Joined: Thu Jan 08, 2015 3:45 am

Re: CipherShed compromised from the beginning?

Postby srg » Thu Jan 08, 2015 3:08 pm

Oh god, you caught us.

CipherShed tried so hard to hide that Jason was even involved in the project. And by "tried so hard to hide," I mean put the information on our public wiki, including the LinkedIn profile, to make the public aware of who we are. All of us. That was a big discussion in the beginning of the project: To be anonymous or not. We chose "not."

Don't use the software then, brosef. I'd recommend BitLocker. Continue your supposititious campaign against CipherShed, ignoring our public code development and publicly archived mailing lists. We'll keep doing what we do, you keep doing what you do.

On a more serious note, why don't you do something constructive like getting involved with CipherShed? That way you can monitor and question everything CipherShed does. That would be more productive than trolling a forum and reddit.
srg
 
Posts: 16
Joined: Fri Jun 06, 2014 9:13 pm

Re: CipherShed compromised from the beginning?

Postby blakdawg » Fri Jan 09, 2015 7:55 am

Transparency is a must for any crypto project.

Yeah! We knew all about the guys who wrote TrueCrypt, so there's no way we could possibly trust software that wasn't at least as transparent.

If you fuckers don't get on this right now and publish everybody's resume going back a full 20 years, I am going to demand a full refund of my purchase price, INCLUDING SHIPPING. Also, we should probably have some naked pictures of their girlfriends. And they need to tell us if they use emacs or vi, and why.
blakdawg
 
Posts: 1
Joined: Fri Jan 09, 2015 7:50 am

Re: CipherShed compromised from the beginning?

Postby SallyRutherford » Fri Jan 09, 2015 8:19 am

OP raises some interesting questions. I stumbled across this thread from elsewhere, I won't give the exact location since the link includes personal information and I do not support doxxing. However, what was interesting is that Pyeron was being accused of being a dual U.S. / Israeli citizen. That has far greater impact on the integrity of CipherShed than the fact that he used to work for the Department of Defense.

I don't know what to believe, but something very fishy is up with the CipherShed project.
Last edited by compul on Fri Jan 09, 2015 12:16 pm, edited 1 time in total.
Reason: We will in no way tolerate any form of discrimination on this forum, including anti-semitism. Please do watch your tongue, mr. Troll.
SallyRutherford
 
Posts: 1
Joined: Fri Jan 09, 2015 8:13 am

Re: CipherShed compromised from the beginning?

Postby compul » Fri Jan 09, 2015 12:26 pm

To all the real people reading this troll's monologues:

Yes, Jason Pyeron's commits will be subject to the utmost scrutiny of a fixed number of different security reviewers (from different countries and continents, by the way); just like any other person's commits, too. We go off the default assumption that any commit may contain backdoors and / or bugs (purposefully planted or not), and thusly scrutinize every single change of the code. You may also refer to https://wiki.ciphershed.org/Introduction ("Philosophy") to get an idea of how we operate, and https://wiki.ciphershed.org/WhosWho for more information on the other people that are currently more closely involved with the organization of the CipherShed Project.

Thank you. :)
compul
Site Admin
 
Posts: 69
Joined: Fri Jun 06, 2014 6:15 pm

Re: CipherShed compromised from the beginning?

Postby krisives » Fri Jan 09, 2015 5:46 pm

I saw this post on /r/crypto and decided it was time I started checking out what is going on to continue TrueCrypt, so I have registered here (hope I can get around to helping out soon).

I don't fault OP for being hyper-sensitive or wanting to keep a better eye on source code changes, but as @compul said the same standard should be held for anyone committing code. There is nothing wrong with wanting to look at the code more. I do think it's wrong to call someone out without a modicum of proof or even a direction to go in. I would say the way to beat potential enemies like the NSA or GCHQ would be to take everything good from them and let them keep all of the bad parts. If we're not capable of determining what those parts are, we're pretty screwed anyhow.

Also, just curious, but why did OP make a new account, was the original account banned?
krisives
 
Posts: 1
Joined: Fri Jan 09, 2015 5:39 pm

Re: CipherShed compromised from the beginning?

Postby JeSuisCharlie » Fri Jan 09, 2015 9:37 pm

When is Mr. Pyeron going to release a public statement about his association with the U.S. DoD to the CipherShed community?

Does CipherShed plan on employing the use of a warrant canary in order to alert users when they receive an NSL?
JeSuisCharlie
 
Posts: 1
Joined: Fri Jan 09, 2015 9:32 pm

Re: CipherShed compromised from the beginning?

Postby compul » Sat Jan 10, 2015 1:10 pm

krisives wrote:Also, just curious, but why did OP make a new account, was the original account banned?

No, he was not. Because he is a troll, I would presume.

JeSuisCharlie wrote:Does CipherShed plan on employing the use of a warrant canary in order to alert users when they receive an NSL?

That has been discussed at length in the past. Some do have warrant canaries in their mail signatures. However, we are multiple individuals from multiple countries / continents around the globe. Thus if some do receive NSLs, then ideally there are still others in other countries who haven't. Also we meet regularly on voicechat, so that impersonation is not possible for an extended timeframe.

Further, warrant canaries are untested in court. Publicly known canaries are also known to the agencies sending those letters, and those agencies might very well try enforcing keeping the canary up, and producing a false feeling of security in the community.

On the grounds of something along those lines, we at the time decided to not have a mandatory canary in all core members' email signatures (If the server admin received an NSL, the agencies may just keep maintaining the website themselves - including the canary. Again, a false sense of security would do more harm than what was gained.)

On the other hand, there may or may not (I literally do not know, obviously!) exist private canaries between the members, such that if one member receives an NSL in country A, the other one from country B can sound the alarm.

You get the idea; CipherShed is not one entity that can be compromised with one letter from one judge in one country, but is spread out across the globe (USA, Europe and Asia currently).
compul
Site Admin
 
Posts: 69
Joined: Fri Jun 06, 2014 6:15 pm
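Added example (not CipherShed's code, and not a scheme the project says it uses): a quorum-style canary check that illustrates compul's point above that a canary kept alive by a single coerced party, or by agencies maintaining a seized website, gives false assurance. Signer names, keys, thresholds and the HMAC stand-in for per-maintainer signatures are assumptions for the example; a real deployment would verify independent public-key signatures (OpenPGP, ed25519) rather than a shared secret.

```python
"""Quorum warrant canary check (added example, hypothetical scheme).

The canary counts as alive only if recent, correctly signed statements
exist from a quorum of maintainers in *different* jurisdictions, so one
coerced maintainer or server admin cannot keep it alive alone.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample signers (assumption for the example). Each key stands in
# for a maintainer's private signing key; a real verifier would hold only the
# matching public keys.
SIGNERS = {
    "alice": {"key": b"alice-demo-key", "jurisdiction": "US"},
    "dave":  {"key": b"dave-demo-key",  "jurisdiction": "US"},
    "bob":   {"key": b"bob-demo-key",   "jurisdiction": "EU"},
    "chen":  {"key": b"chen-demo-key",  "jurisdiction": "ASIA"},
}
MAX_AGE_DAYS = 30          # a statement older than this is treated as stale
QUORUM_JURISDICTIONS = 2   # distinct jurisdictions required for "alive"
CANARY_TEXT = "No warrants or national security letters received."


def _message(signer: str, issued: date, text: str) -> bytes:
    # Bind signer, date and text together so none can be swapped in isolation.
    return f"{signer}|{issued.isoformat()}|{text}".encode()


def sign_statement(signer: str, issued: date, text: str = CANARY_TEXT) -> dict:
    """Produce one maintainer's dated, signed canary statement."""
    mac = hmac.new(SIGNERS[signer]["key"], _message(signer, issued, text),
                   hashlib.sha256).hexdigest()
    return {"signer": signer, "issued": issued.isoformat(), "text": text, "mac": mac}


def verify_statement(stmt: dict, today: date) -> bool:
    """True only for a correctly signed statement that is neither stale nor
    future-dated (a future date suggests a forged or pre-signed statement)."""
    signer = SIGNERS.get(stmt.get("signer"))
    text = stmt.get("text")
    if signer is None or text is None:
        return False
    try:
        issued = date.fromisoformat(stmt["issued"])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(signer["key"], _message(stmt["signer"], issued, text),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stmt.get("mac", "")):
        return False
    if issued > today:
        return False
    return (today - issued).days <= MAX_AGE_DAYS


def canary_alive(statements: list, today: date) -> bool:
    """Alive only if valid, fresh statements cover a quorum of distinct
    jurisdictions. Two signers in the same jurisdiction count once, since a
    single legal order could reach both of them."""
    jurisdictions = {SIGNERS[s["signer"]]["jurisdiction"]
                     for s in statements if verify_statement(s, today)}
    return len(jurisdictions) >= QUORUM_JURISDICTIONS


def demo_scenarios(today: date = date(2015, 1, 10)) -> dict:
    """Constructed scenarios: healthy quorum, one jurisdiction keeping the
    canary up alone, a tampered statement, and a future-dated statement."""
    fresh = [sign_statement(n, date(2015, 1, 8)) for n in ("alice", "bob", "chen")]
    us_only = [sign_statement("alice", date(2015, 1, 9)),
               sign_statement("dave", date(2015, 1, 9)),
               sign_statement("bob", date(2014, 11, 1))]   # EU statement is stale
    tampered = dict(fresh[0], text="Warrant received; ignore this canary.")
    future = sign_statement("chen", date(2015, 3, 1))
    return {
        "all_fresh": canary_alive(fresh, today),                      # True
        "us_only": canary_alive(us_only, today),                      # False
        "tampered_statement_valid": verify_statement(tampered, today),  # False
        "future_dated_valid": verify_statement(future, today),        # False
    }


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name}: {result}")
```

The "us_only" scenario is the case compul raises: a server admin under an NSL (or the agency itself) can keep re-posting statements for the signers it controls, but without a fresh statement from another jurisdiction the check reports the canary as dead rather than silently alive.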

Re: CipherShed compromised from the beginning?

Postby srg » Sat Jan 10, 2015 5:33 pm

The "BrosefRebooted" account was banned. There's no need for one person to have multiple accounts, it causes confusion. Please use your original account. It was never banned or restricted in any way (and won't be).

Stallman wrote:Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.

And this is it.

BrosefRebooted wrote:How can you let Jason Pyeron participate in this project when he has known ties to DISA and the DoD? People are not going to take this project seriously if a U.S. Government employee, especially a DoD contractor, is one of the main contributors.

Because there are policies in place that force a review of everyone's (including Jason's) code changes. In addition, the code changes are public. If one has reason not to trust the binaries, then one can compile from the GitHub repo themselves. We provide instructions. They can review each and every commit to ensure that nothing evil is being done.

BrosefRebooted wrote:3. We need a full biographical details of every CipherShed project contributor. I see at least 8 people in the CipherShed Redmine that aren't listed on the about page. Any gaps in employment history need to be justified with corroborating evidence and alibis in order to assure the community that they were not employed by the U.S. government or another five eyes nation during that time period.

That will never happen. Not because we refuse to, but because it's a distributed project. If we require every person sending a pull request or filing a bug report to give us a full biographical background, we won't get anywhere. No one will contribute; developers will go elsewhere, the project will die.

Why don't you trust the code instead of the people behind it? You're not running people on your computer, you're running the code. It shouldn't matter if God himself wrote the code, the director of the NSA, or some homeless hobo on the street. It's the code itself that matters. You're focusing on the wrong thing here.

BrosefRebooted wrote:You claim to be transparent but I see no evidence of transparency. Transparency is a must for any crypto project.

I take it you never once used TrueCrypt then? Because we know those guys (or girls, or NSA employees) were so open with their personal details.

BrosefRebooted wrote:Finally, I am getting involved. That's the point of raising these questions in this forum.

Yes, and I accept that and we as a group will respond to it. We're not ignoring you or sweeping this under the rug. However, you aren't understanding that we already thought about this and developed policies and procedures and priorities to deal accordingly. Such as focusing on the code, not the people. Bill Cox himself said he doesn't even trust his own machine. Read the mailing list archives, including the original list hosted on FreeLists.

blakdawg wrote:And they need to tell us if they use emacs or vi, and why.

I use vim. I have used pure vi in the past on my FreeBSD system, but vim is easier to use and has syntax highlighting. I realize that hiding my .vimrc is compromising the entire CipherShed project (you know, all my secret NSA backdoors are in my ~/.vimrc), so I'll be sure to post it on GitHub. I used emacs twice. It's annoying. Never again.

SallyRutherford wrote:I won't give the exact location since the link includes personal information and I do not support doxxing.

Oh, that's nice that you don't support the sharing of detailed personal information!

JeSuisCharlie wrote:When is Mr. Pyeron going to release a public statement about his association with the U.S. DoD to the CipherShed community?

I think he already did on the mailing list. There is also discussion on how to go about handling events like this in the future, as they will undoubtedly occur again.
srg
 
Posts: 16
Joined: Fri Jun 06, 2014 9:13 pm

Re: CipherShed compromised from the beginning?

Postby rusty » Sat Jan 10, 2015 7:59 pm

srg wrote:
JeSuisCharlie wrote:When is Mr. Pyeron going to release a public statement about his association with the U.S. DoD to the CipherShed community?

I think he already did on the mailing list. There is also discussion on how to go about handling events like this in the future, as they will undoubtedly occur again.

I've been silently waiting for a post from jpyeron as well. It seems to me that his silence has confirmed the original OP's suspicion. Instead he has his cronies reply in this thread for him.

You could have provided a link to his supposed public statement on the mailing list. Instead, I went in search on my own, and while I did find the discussion about this thread ... I did not find the statement from jpyeron. All I found was a discussion about how to handle this "public relations" situation and how to do damage control. People just want an honest answer from jpyeron, not a cooked up public relations stunt.

Here's a link to the thread in the mailing list archive: https://lists.ciphershed.org/pipermail/ ... 00940.html

As far as I can tell, the Russian bloke Alexander is the only person that "gets it".
rusty
 
Posts: 1
Joined: Sat Jan 10, 2015 7:46 pm
