[liberationtech] Crowd steps up to fund 'NSA-proof' app

Douglas Lucas dal at riseup.net
Thu Jul 11 23:47:40 PDT 2013


I can't wait until S̶i̶l̶e̶n̶t̶ ̶C̶i̶r̶c̶l̶e̶ Heml.is is open source!

On 07/12/2013 01:29 AM, phryk wrote:
> On Thu, 11 Jul 2013 23:09:04 -0700
> Brian Conley <brianc at smallworldnews.tv> wrote:
> 
>> If it's not open source we aren't trusting it, so wait and see.
> 
> My thought exactly. The companies involved in PRISM denied giving the
> feds access to their data, so why won't some guys I've never even heard
> of before not do the same?
> 
> They answer the question if it will be open source on their Blog[1] like
> this:
> 
>> We have all intentions of opening up the source as much as possible
>> for scrutiny and help! What we really want people to understand
>> however, is that Open Source in itself does not guarantee any privacy
>> or safety. It sure helps with transparency, but technology by itself
>> is not enough. The fundamental benefits of Heml.is will be the app
>> together with our backend infrastructure, which is what really makes
>> the system interesting and secure.
> 
> From this I infer 2 things:
> 	- It's not going to be completely open source (bleh!)
> 	- It's not p2p since they have some sort of "backend
> 	  infrastructure" (bleh, too!)
> 
> They also intend to publish the app with a freemium model, something
> for which I don't really see the need after collecting over 100k$
> (currently 134,347).
> 
> Then they come up with some pretty unbelievable claims before the
> product is even out. Like 
> "Developing the most secure, fun and sexy messenger IN THE UNIVERSE!"
> 
> They also directly say that you won't be able to run your own server,
> something which I *always* dislike. Oh, and messages will be stored on
> their server until delivery, so we already know where the feds will
> want to listen.
> 
> The Aljazeera post also hails it as "the first secure mobile messaging
> system." Did I miss something there? What about XMPP+OTR? What about
> Whispers' TextSecure?
> 
> All in all, this is not something that seems trustworthy to me, and I
> don't even know anything of use on crypto. My personal evaluation is
> that donating to other open source crypto solutions would be much more
> efficient and useful. At best, sponsor many different projects so that
> when one project is (temporarily) compromised by a 0day or something
> like that you still have alternatives. With heml.is even the
> compromise of one server would completely break it. Once
> their infrastructure is compromised, the communication of ALL its
> users is compromised. This wouldn't even have to do anything with
> heml.is' security itself but could just be a software update where the
> default of one small option was changed…
> 
> 
> Just my 2cents,
> 
> 	phryk
> 
> 
> [1]
> http://hemlismessenger.wordpress.com/2013/07/10/first-bunch-of-questions-from-our-funders-answered/