[liberationtech] About "Confide"
Mustafa Al-Bassam
mus at musalbas.com
Sat Apr 26 14:55:32 PDT 2014
On 26/04/14 22:18, Shava Nerad wrote:
> Anyone who is lauding the verifiability of open source security software
> had best show that their code has been regularly and thoroughly audited.
>
> It will be very easy for closed source alternatives -- snake oil or
> legit -- for some time to point to heartbleed as a fatal flaw of hubris
> in the argument that open sourcing is panacea to the trust issue.
>
> It shook me. Two years, undisclosed? What a waste.
>
> We really don't have a single solution that fits in one statement that a
> consumer or naive investor is likely to understand. So, there is going
> to be education required, more than before.
>
"If you believe a single long-standing vulnerability invalidates the
security advantages of open-source, you should really learn what a
fallacy is." (joepie91)
> In all kinds of communities. I am not sure we have really assessed this
> yet. Can we assume that people who audit our code are going to disclose
> -- or sell the brokerable flaws?
>
> How many eyes are there on your code, and how many are likely to share
> their findings with you?
>
> This is turning into an arms race. And open source is also open to
> exploitation, if we do not have enough eyes on our side, enough resources.
>
> This is an important issue to examine at this point for every project,
> wouldn't you think?
>
I think those are fair points. Taking a wild guess: the people who aren't
willing to share vulnerabilities could be more highly motivated because
they're paid to do so (intelligence agencies, exploit production
companies). People who are willing to share vulnerabilities may not be
likewise directly rewarded for doing so or as motivated, unless there is
a bug bounty or it is a paid audit.
However, is the "not enough eyes on our side" problem really exclusive
to open source software? Vulnerabilities in closed source software are
still found all the time through black-box testing. Many of them go
unreported.
> Shava Nerad
> shava23 at gmail.com <mailto:shava23 at gmail.com>
>
> On Apr 26, 2014 3:51 PM, "Mustafa Al-Bassam" <mus at musalbas.com
> <mailto:mus at musalbas.com>> wrote:
>
> So yesterday a very user-friendly mobile application called "Confide"
> was released that claims to be "your off-the-record messenger"[1]. It
> has been getting a ton of press attention recently and has raised $1.9m
> in seed funding[2].
>
> It claims "with end-to-end encryption and disappearing messages, Confide
> is bringing off-the-record conversations online".
>
> What do people think of this?
>
> It is obviously a joke and a no-go to be used as something to be relied
> on for encrypted communications given that there is literally no
> information about the encryption used and it's closed sourced/can't be
> verified.
>
> However, the interesting thing about this is that it seems to be more
> focused around preventing the client itself from archiving chat messages
> rather than the server. For example, it boasts "screenshot protection"
> (Snapchat style?), and the FAQ states "more specifically, we think
> common use cases will include: Job referrals, HR issues, deal
> discussions, and even some good-natured office gossip"[3].
>
> Nevertheless, the unverifiable claims it makes about encryption are
> worrying, and what's more worrying is a future of multi-million dollar
> funded weak sauce "encryption" applications that give a false sense of
> security that feed on an actual desire by users for privacy following
> the NSA leaks, that are more successful at attracting users than open
> source alternatives that are verifiably secure, thanks to the vast
> amount of resources they have in marketing.
>
> "Confide has raised $1.9 million in seed funding from WGI Group, Google
> Ventures, First Round Capital, SV Angel, Lerer Ventures, CrunchFund,
> Lakestar, Marker, David Tisch’s BoxGroup, Yelp CEO and co-founder Jeremy
> Stoppelman, Entourage creator Doug Ellin, and Access Hollywood host
> Billy Bush."[4]
>
> [1] https://getconfide.com/
> [2] http://techcrunch.com/2014/02/04/confide-1-9m/
> [3] https://getconfide.com/faq
> [4] http://techcrunch.com/2014/04/24/confide-android/
> --
> Liberationtech is public & archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing
> moderator at companys at stanford.edu <mailto:companys at stanford.edu>.