[liberationtech] Wicker: Déjà vu all over again

Tom Ritter tom at ritter.vg
Tue Jun 10 14:03:56 PDT 2014


I just want to jump in and mention again that it's entirely possible to
pick apart applications written for Android, iPhone, Windows, Mac, etc., and
understand how they operate.  Going even deeper than just 'what they store
on disk' and 'what they send on the wire'.  It requires a little bit of
technological know-how, but places one could look for that expertise are
organizations' technologists, the computer security group at one's
university, many of the people on this mailing list, groups like Citizen
Lab, and just following tutorials online and learning it yourself.

The 'Trust but Verify' applies to open source, closed source, and that
window of 'open source but distributes binaries e.g. through the play
store'.

-tom


On 10 June 2014 16:37, Jillian C. York <jilliancyork at gmail.com> wrote:

> I have to say: I'm not as uncomfortable with this article as I thought I'd
> be.  I'm definitely uncomfortable with some of Wickr's promotional text
> ("military-grade encryption," "leave no trace") but I felt that this
> particular article addressed the NSA concerns and was fairly realistic
> about what Wickr can and cannot do.
>
> I've been playing around with Wickr and for normal concerns (like, a
> parent looking at a kid's phone, or even me losing my phone), it's great!
>  I see it more as a Snapchat competitor than a TextSecure competitor, but I
> really think it will do well with a certain crowd.
>
> Still, I'd much prefer it to be open-source.
>
>
> On Tue, Jun 10, 2014 at 3:13 PM, Yosem Companys <companys at stanford.edu>
> wrote:
>
>> From: Brian Behlendorf <brian at behlendorf.com>
>>
>> You don't have to; "trust, but verify".  Or trust those who *can* verify.
>> Microsoft, Google and Apple are at the top of the "most trusted brands"
>> lists and have been for years, so even in the light of the Snowden
>> revelations, most have tended to give them the benefit of the doubt and
>> keep using their proprietary software and services.  But those who don't,
>> and instead use self-hosted open source tools, are making a different trust
>> choice - they prefer to trust Linus Torvalds, the Linux community, Firefox
>> developers, Pidgin developers, Apache developers, and the broader developer
>> community, on a gut-level calculus that those parties are less likely to
>> intentionally corrupt their software, and are more likely to find
>> each other's (intentional or accidental) corruptions.  That calculus
>> integrates across all software, teams, and time, so even disasters like
>> Heartbleed aren't enough to change the result for most of us.  Speaking
>> personally, it only reinforced it, by watching not only how quickly the
>> disparate communities reacted and pushed solutions out, but how much it's
>> caused further inspection of OpenSSL and other underlying packages.
>>
>> This calculus does have some bigger blind spots, though - I was never
>> comfortable with promoting TrueCrypt, a package written by intentionally
>> anonymous authors without any of the trappings of an open source project -
>> open revision control, open bug tracker, open discussion boards for
>> development.  I like being able to attach names to code - software is made
>> of people, not unlike Soylent Green.  Even though it's not really truly
>> Open Source licensed, I trust qmail, djbdns, and other packages written by
>> Dan J. Bernstein because he's a no-bullshit mathematician, scientist,
>> coder, and fighter for liberty (see Bernstein v. United States).
>>
>> With proprietary solutions, including Wickr, the "verify" window is much
>> more narrow.  You can inspect what it sends over the wire or stores on
>> disk, but even that's pretty opaque.  Without that "verify" loop, you can
>> trust those whom they've hired to do security audits.  You can also figure
>> out whether you trust Nico herself.  There are those of us on the advisory
>> board for Wickr (full disclosure) who are working with them to figure out
>> some way to broaden that trust+verify window.  We'll see what happens.
>>
>> Brian
>>
>>
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator at
>> companys at stanford.edu.
>>
>
>
>
> --
> "We must not be afraid of dreaming the seemingly impossible if we want the
> seemingly impossible to become a reality" - *Vaclav Havel*
>
>