[liberationtech] Will this work, or just hype?

Erik Sundelof erik at sundelof.com
Sun Feb 13 20:51:08 PST 2011 

Leslie,

Unfortunately that in many ways is worse for applicability as you are 
then into the application mess on different platforms - iPhones, 
Androids, Blackberry, Windows, and (yes) Symbian. I will not get into 
details of the data storage models on these devices and Mobile OS, but 
will leave it as simple as this: If it is an application it will have a 
local storage and unless they have a cryptation that is very 
sophisticated I wouldn't believe this is a viable solution for 
applications with higher needs of security.

Secondly you will then need an application on your phone. That alone 
will create a problem for a real world application.

Thirdly you will need a dataplan on your phone from what I see. 
Basically you are effectively not using the power of SMS in the true sense.

Conclusively, I do not see this as a viable solution for the predominant 
cases of mobile applications. This is even before we start to look at 
whether the transaction is secured. Sure TigerText could employ The 
Guardian Projects mobile based Tor solution but that will not be enough 
in places where you need a much higher security level.

Best,

Erik





Leslie Wu wrote:
> I talked to someone who I think was the CTO of TigerText at Health 2.0 
> in SF last quarter (they wanted our mobile health startup to use their 
> technology) and my impression was that the messaging was sent 
> encrypted via the mobile application and thus "secure SMS" really 
> means SMS-like communication through a mobile application (text 
> messaging as a channel is not used, and thus messaging is not stored 
> as text messages IIRC).
>
> That said, this definitely serves a need on the Health 2.0 side of 
> things due to the interpretation of HIPAA policies, and perhaps calls 
> for an open source equivalent that would be then available for Android 
> / iPhone / mobile web devices with graceful degradation to less secure 
> text messaging.
>
> ~Leslie Wu, CS PhD[candidate]
> http://graphics.stanford.edu/~lwu2/ 
> <http://graphics.stanford.edu/%7Elwu2/>
>
> On Sat, Feb 12, 2011 at 7:27 PM, Erik Sundelof <erik at sundelof.com 
> <mailto:erik at sundelof.com>> wrote:
>
>     All,
>
>     Ian, I completely agree. I denote these type of solutions more
>     like "text messaging security for cheating" as that is really the
>     level of security you obtain by it.
>
>     Anyhow who claims they can really delete text messages from phones
>     securely are not very honest. ALL text message solutions use a
>     basic infrastructure created by large corporations and in any
>     region where you want activism that infrastructure is own by the
>     bad elements you want to get rid of, influence or lobby.
>
>     There is unfortunately NO 100% secure version of text messaging.
>     Working with that as a premise is dangerous and untrue to your end
>     users.
>
>     Best,
>
>     Erik
>     --------------------------------------------
>     http://www.sundelof.com
>
>
>     Ian Young wrote:
>>     It took me a lot of digging to find even a hint of a technical
>>     explanation, but buried in the FAQ is this:
>>     Q: What if I send a TigerText to someone who does not have
>>     TigerText installed??
>>     A: The user will receive a message from TigerText that encourages
>>     them to install the application...
>>
>>     So they're going with the DRM-style approach, which is exactly as
>>     secure as it always has been. This isn't to say that the service
>>     doesn't have some utility; it protects you against a benign but
>>     careless recipient losing their phone and exposing embarrassing
>>     correspondence from you. And implemented right, it could protect
>>     you against eavesdropping (assuming you trust TigerText
>>     themselves). But selling a service on hype like "self-destructing
>>     text messages" without any discussion of the limitations is
>>     disingenuous and dangerous. To piggyback on the other discussion,
>>     outlandish claims like these are a great argument for teaching
>>     security fundamentals to non-security-minded people.
>>
>>     Ian
>>
>>     On Sat, Feb 12, 2011 at 1:28 PM, Yosem Companys
>>     <companys at stanford.edu <mailto:companys at stanford.edu>> wrote:
>>     >
>>     > This Text Message Will Self Destruct In 60 Seconds
>>     >
>>     > By Mike Melanson / February 11, 2011 2:34 PM
>>     >
>>     > The self-destructing message, whether a piece of paper that
>>     mystically disintegrates at the appropriate moment or the
>>     microfiche that goes up in a poof of smoke, is a staple of any
>>     spy movie and a childhood wish of my own. TigerText, a private
>>     SMS app, has made my childhood dream a reality.
>>     >
>>     > The company, which has had a free app available, has brought
>>     this spy-novel feature to the enterprise with this week's
>>     release of an enterprise app.
>>     >
>>     > According to TechCrunch, the app lets users determine when and
>>     how the messages are deleted.
>>     >
>>     > As we reported last year, TigerText's mobile apps allows users
>>     to send text messages or photos that can then be deleted off both
>>     the sender's and receiver's phone after a selected period of
>>     time. Once a sender selects the message lifespan (from 1 minute
>>     up to 30 days), expired messages are not only deleted from both
>>     phones, but are not stored on any server and they cannot be
>>     retrieved once expired. Users can also select a "Delete on Read"
>>     option, which will delete the text 60 seconds after the recipient
>>     opens the message.
>>     >
>>     > The latest version of the app caters to businesses by allowing
>>     users to perform a one-time login to authenticate with the
>>     company. TigerText describes the app as "a cross-platform
>>     collaboration tool for your organization that allows you to
>>     deploy your own private, secure mobile network where your
>>     employees can safely communicate on their existing mobile devices
>>     within your company."
>>     >
>>     > "Text messaging, just like email, can be used against your
>>     organization," writes the company on its website. "If the
>>     messages no longer exist, there is no risk of data breach or
>>     exposure."
>>     >
>>     > The app is available on iOS, Android and Blackberry platforms
>>     and administrators can manage user settings from the Web. It
>>     enters an increasingly crowded space, with apps
>>     like Kik,Beluga and GroupMe entering the free message game, but
>>     this one has that special spin for the security-minded.
>>     >
>>     > From what we can tell, however, the app is missing one huge
>>     feature - the little whisp of smoke, wafting out the crack of
>>     your phone case whenever a message is deleted.
>>     >
>>     > _______________________________________________
>>     > liberationtech mailing list
>>     > liberationtech at lists.stanford.edu
>>     <mailto:liberationtech at lists.stanford.edu>
>>     >
>>     > Should you need to change your subscription options, please go to:
>>     >
>>     > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>     >
>>     > If you would like to receive a daily digest, click "yes" (once
>>     you click above) next to "would you like to receive list mail
>>     batched in a daily digest?"
>>     >
>>     > You will need the user name and password you receive from the
>>     list moderator in monthly reminders.
>>     >
>>     > Should you need immediate assistance, please contact the list
>>     moderator.
>>     >
>>     > Please don't forget to follow us on
>>     http://twitter.com/#!/Liberationtech
>>     <http://twitter.com/#%21/Liberationtech>
>>
>>     ------------------------------------------------------------------------
>>     _______________________________________________ liberationtech
>>     mailing list liberationtech at lists.stanford.edu
>>     <mailto:liberationtech at lists.stanford.edu> Should you need to
>>     change your subscription options, please go to:
>>     https://mailman.stanford.edu/mailman/listinfo/liberationtech If
>>     you would like to receive a daily digest, click "yes" (once you
>>     click above) next to "would you like to receive list mail batched
>>     in a daily digest?" You will need the user name and password you
>>     receive from the list moderator in monthly reminders. Should you
>>     need immediate assistance, please contact the list moderator.
>>     Please don't forget to follow us on
>>     http://twitter.com/#!/Liberationtech
>>     <http://twitter.com/#%21/Liberationtech>
>
>     _______________________________________________
>     liberationtech mailing list
>     liberationtech at lists.stanford.edu
>     <mailto:liberationtech at lists.stanford.edu>
>
>     Should you need to change your subscription options, please go to:
>
>     https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>     If you would like to receive a daily digest, click "yes" (once you
>     click above) next to "would you like to receive list mail batched
>     in a daily digest?"
>
>     You will need the user name and password you receive from the list
>     moderator in monthly reminders.
>
>     Should you need immediate assistance, please contact the list
>     moderator.
>
>     Please don't forget to follow us on
>     http://twitter.com/#!/Liberationtech
>     <http://twitter.com/#%21/Liberationtech>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110213/d2e3d5ae/attachment.html>

More information about the liberationtech mailing list