[liberationtech] Silent Circle Dangerous to Cryptography Software Development
Moxie Marlinspike
moxie at thoughtcrime.org
Thu Oct 11 10:54:34 PDT 2012
On 10/11/2012 09:15 AM, Nadim Kobeissi wrote:
> James, you can charge for a service and leave it as open source
> software. This has been done countless times over the years and has
> functioned successfully. I am not against Silent Circle costing money -
> I'm against it being closed source software.
The problem is that if you have an enterprise focus, you can't sell a
service, you have to sell software. Service-based models have
certainly made inroads into the enterprise, but they still want to host
security-focused stuff themselves (even if it's encrypted end-to-end).
It's hard to sell an expensive site license for your software if the
software is freely available.

In general, I'm not actually convinced that OSS is a necessity for
secure communication tools. Protocols can generally be verified on the
wire, and unfortunately, the number of people who are going to be able
to look at software-based cryptography and find vulnerabilities is very
small -- and two of them put their names behind Silent Circle.

It's certainly great if secure communication tools are open source, but
I think that I'd gladly trade OSS for tools that are crisp, incredibly
well polished, accessible, and a joy to use. Not that they're
necessarily mutually exclusive, and not that we're necessarily going to
get that here. Much has been made about the fact that Phil Z and Jon
Callas are responsible for this effort, but the cryptography is the easy
part. I'd be much more interested if some really great software
developers or designers were starting a secure communications company.
- moxie
--
http://www.thoughtcrime.org