[liberationtech] Espionage.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)
Travis Biehn
tbiehn at gmail.com
Mon Oct 6 21:08:12 PDT 2014
Greg,
When someone else discovers an issue with your product and you find out
about it - you should be thankful.
They could have just as easily sold the bug silently to the intelligence
community - or let you otherwise continue to produce insecure software.
In fact "irresponsible disclosure" supposes that this vulnerability was
difficult to uncover. If the vulnerability was particularly easy -for any
threat actor- to uncover then an argument can be made that delaying
disclosure is irresponsible.
Travis
On Oct 6, 2014 11:11 PM, "Greg" <greg at kinostudios.com> wrote:
> On Oct 6, 2014, at 7:21 PM, Collin Anderson <collin at averysmallbird.com>
> wrote:
>
> Here I attempted to make a professional point that you are purporting to
> offer software to an audience whose needs you do not seem to be able to
> serve. Your seriousness in regard to the obligations that those needs incur
> seems to have only come up to denigrate Steve for having laid bare the
> situation, and in what appears to have been a few minutes' worth of research.
>
>
> Irresponsible disclosure is a serious problem, yes.
>
> Are you endorsing irresponsible disclosure...?
>
> No, I kept my trolling to Twitter. Fun was had by many.
>
>
> And you are actually proud of trolling...?
>
> Not sure what's so difficult about asking us to just change the text.
> We're happy to address your concerns. You don't need to troll us to get a
> response, in fact you're more likely to get a better one when you don't
> troll.
>
> Rather than this blasé and hostile attitude, you should have expressed
> some shame for using this community to push your software.
>
>
> Someone wanted to know about truecrypt alternatives, and here was my
> reply:
>
> *See this list on ArsTechnica's forum:*
>
> *http://arstechnica.com/civis/viewtopic.php?f=21&t=1245367*
>
> *I work for Tao Effect LLC, our software is on that list, and you can read
> about how its plausible deniability compares to TrueCrypt's here (forgive
> this subreddit's insane color scheme):*
>
>
> *http://www.reddit.com/r/security/comments/2b5icu/major_advancements_in_deniable_encryption_arrive/cj24a1n*
>
> *In case anyone on this list wants a license, here's a code for 15%
> off: LIBERATIONTECH*
>
> *There are 10 of them and you can use them on espionageapp.com. They
> expire November 1st.*
>
>
>
> But you haven't. Let us know when Steve's bug has a CVE number.
>
>
> Sure, I can do that for you. :)
>
> I can also change the website's wording for you. Just send us an email
> with how you would prefer we phrase our website's text:
> support at taoeffect.com
>
> Kind regards,
> Greg Slepak
>
> --
> Please do not email me anything that you are not comfortable also sharing with
> the NSA.