[liberationtech] About "Confide"

Shava Nerad shava23 at gmail.com
Sat Apr 26 14:18:47 PDT 2014


Anyone who is lauding the verifiability of open source security software
had best show that their code has been regularly and thoroughly audited.

It will be very easy for closed source alternatives -- snake oil or legit
-- for some time to point to heartbleed as a fatal flaw of hubris in the
argument that open sourcing is a panacea to the trust issue.

It shook me.  Two years, undisclosed?  What a waste.

We really don't have a single solution that fits in one statement that a
consumer or naive investor is likely to understand.  So, there is going to
be education required, more than before.

In all kinds of communities.  I am not sure we have really assessed this
yet.  Can we assume that people who audit our code are going to disclose --
or sell the brokerable flaws?

How many eyes are there on your code, and how many are likely to share
their findings with you?

This is turning into an arms race.  And open source is also open to
exploitation, if we do not have enough eyes on our side, enough resources.

This is an important issue to examine at this point for every project,
wouldn't you think?

Shava Nerad
shava23 at gmail.com
On Apr 26, 2014 3:51 PM, "Mustafa Al-Bassam" <mus at musalbas.com> wrote:

> So yesterday a very user-friendly mobile application called "Confide"
> was released that claims to be "your off-the-record messenger"[1]. It
> has been getting a ton of press attention recently and has raised $1.9m
> in seed funding[2].
>
> It claims "with end-to-end encryption and disappearing messages, Confide
> is bringing off-the-record conversations online".
>
> What do people think of this?
>
> It is obviously a joke and a no-go to be used as something to be relied
> on for encrypted communications given that there is literally no
> information about the encryption used and it's closed sourced/can't be
> verified.
>
> However, the interesting thing about this is that it seems to be more
> focused around preventing the client itself from archiving chat messages
> rather than the server. For example, it boasts "screenshot protection"
> (Snapchat style?), and the FAQ states "more specifically, we think
> common use cases will include: Job referrals, HR issues, deal
> discussions, and even some good-natured office gossip"[3].
>
> Nevertheless, the unverifiable claims it makes about encryption are
> worrying, and what's more worrying is a future of multi-million dollar
> funded weak sauce "encryption" applications that give a false sense of
> security that feed on an actual desire by users for privacy following
> the NSA leaks, that are more successful at attracting users than open
> source alternatives that are verifiably secure, thanks to the vast
> amount of resources they have in marketing.
>
> "Confide has raised $1.9 million in seed funding from WGI Group, Google
> Ventures, First Round Capital, SV Angel, Lerer Ventures, CrunchFund,
> Lakestar, Marker, David Tisch’s BoxGroup, Yelp CEO and co-founder Jeremy
> Stoppelman, Entourage creator Doug Ellin, and Access Hollywood host
> Billy Bush."[4]
>
> [1] https://getconfide.com/
> [2] http://techcrunch.com/2014/02/04/confide-1-9m/
> [3] https://getconfide.com/faq
> [4] http://techcrunch.com/2014/04/24/confide-android/