[liberationtech] Espionge.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)
mutek
mutek at riseup.net
Tue Oct 7 01:26:10 PDT 2014
On Tuesday 7 October 2014 03:50:39 CEST, Greg wrote:
> On Oct 6, 2014, at 6:41 PM, Collin Anderson
> <collin at averysmallbird.com> wrote:
>
>> On Mon, Oct 6, 2014 at 9:35 PM, Greg <greg at kinostudios.com> wrote:
>> Although this isn't a serious bug, it's still a
>> security-related issue and you don't know how failing to
>> responsibly disclose it could affect someone.
>>
>> It seems that you were called out on something fairly basic --
>> is this about bug reporting or public embarrassment on a matter
>> that you would have wished to remain shuffled away in private
>> correspondences?
>
> Sorry, I don't understand your question, could you rephrase it?
>
> I am embarrassed for Steve Weis. If I were employing him, I'd
> fire him for claiming to be a security professional while not
> knowing how to responsibly disclose a bug.
>
> Re "fairly basic": yes, modifying timestamps is fairly basic
> stuff (and it worked in all our tests just fine). I have no idea
> why it suddenly broke.
>
> - Greg
IMHO it's fair to give you some time to find the bug, but then it's a must
to publish the issue to advise your clients to check their sensitive
data.
This is only because you claim that there is no evidence at all to reproduce
this issue at the moment.
The check made by Steve was so simple that there is no concern about some
"responsibility" in disclosing the bug, because it's a simple process in the
public domain.
At the moment "security by obscurity" is no longer an option nor a must
have.
regards
mutek