[liberationtech] Espionge.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)
Andy Isaacson
adi at hexapodia.org
Tue Oct 7 01:41:30 PDT 2014
On Mon, Oct 06, 2014 at 06:35:35PM -0700, Greg wrote:
> Thanks for letting me know. Looks like only some of the sparsebundles
> are getting properly timestamped for some reason. We'll fix this for
> the next release.
>
> You of all people, however, should know better [1] than to ignore my
> request that you disclose any security-related matters in a
> responsible way (by emailing us directly).
Nope nope nope. You don't get to try to shame free research and sweep
this issue under the rug by insisting on private email.
You've been repeatedly promoting and defending your closed-source app on
a public forum, and insisting on NDA for actual in-depth research. A
researcher graciously donates to you his time in downloading your app
and actually thinking about it for 15 minutes, and then takes 5 minutes
to actually tell you about a bug he found.
He is *entirely* within his rights to choose the forum for disclosure.
Since you're promoting yourselves in the public forum, criticism in the
public forum is appropriate too.
In this case, your attitude is inappropriate and dangerous to the
community you are trying to serve. The bug was evidently easily
discoverable if Steve found it within minutes. You are giving evidence
of being incompetent at the task you're advertising yourselves as
solving, and if you are incompetent then you are actively endangering
the people you purport to protect.
(The incompetence consists in either not knowing about the information
disclosure channel, or per your claim that this recently broke, in not
having a test in your system to notice that you experienced a regression
in a critical feature of your information hiding system. The system
design that is implied by the bug description you used seems fairly
horrifyingly insecure to me, but perhaps you've got a clear and secure
design that you simply haven't shared.)
Given that you're trying to make a profit from your product, you're
going to have to step up and pay for the necessary security audits to
gain confidence that your product is secure -- nobody else has an
obligation to do free review work so that you can make a larger profit.
When systems are open sourced, well engineered, and potentially of broad
interest or applicability, it can make sense for skilled engineers to put
volunteer effort into reviewing their security.
When systems are proprietary, make grandiose claims of dubious validity,
and do not carry any of the hallmarks of being well engineered, it is
unlikely that they are worth spending much time on. It might make sense
to take a paid gig reviewing such a system, but I'd probably turn down
that gig if it seemed like the creators were unlikely to use my feedback
to build a system that was actually useful.
-andy
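The regression check described above (a test that notices when a critical timestamp-hiding feature breaks) as an added example; it is not part of the original message and not Espionage's own code. It assumes a hypothetical normalization policy in which every `*.sparsebundle` directory is supposed to carry one fixed atime/mtime (`EXPECTED_TS`, an assumed constant); what "properly timestamped" means for the real product is not stated on this page. The sample bundles are constructed empty directories in a temp folder.

```python
import os
import tempfile
from pathlib import Path

# Assumed normalized timestamp: 2014-01-01 00:00:00 UTC. Hypothetical; the real
# app's policy is not described in the thread.
EXPECTED_TS = 1388534400


def bundle_timestamps(root):
    """Return {bundle_name: (atime, mtime)} for every *.sparsebundle directory in root."""
    out = {}
    for p in sorted(Path(root).iterdir()):
        if p.is_dir() and p.suffix == ".sparsebundle":
            st = p.stat()
            out[p.name] = (int(st.st_atime), int(st.st_mtime))
    return out


def find_leaky_bundles(root, expected_ts=EXPECTED_TS):
    """Names of bundles whose atime or mtime was not normalized.

    Any bundle in this list leaks when it was last touched, which is exactly
    the information-disclosure channel a plausible-deniability design must close.
    """
    return sorted(
        name
        for name, (atime, mtime) in bundle_timestamps(root).items()
        if atime != expected_ts or mtime != expected_ts
    )


def normalize(bundle_dir, ts=EXPECTED_TS):
    """Set atime and mtime to the fixed value.

    Caveat: utime cannot rewrite ctime or (on APFS/HFS+) the birth time, so a
    normalization that only touches atime/mtime still leaves a forensic trace.
    """
    os.utime(bundle_dir, (ts, ts))


def build_fixture():
    """Constructed sample: three empty bundles; two normalized, one forgotten."""
    root = tempfile.mkdtemp(prefix="sparsebundle-demo-")
    for name in ("a.sparsebundle", "b.sparsebundle", "c.sparsebundle"):
        os.mkdir(os.path.join(root, name))
    normalize(os.path.join(root, "a.sparsebundle"))
    normalize(os.path.join(root, "b.sparsebundle"))
    # c.sparsebundle is deliberately left at its real creation time: the regression.
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    leaky = find_leaky_bundles(demo_root)
    print("bundles with real timestamps exposed:", leaky)
```

Run as a release gate, the check fails the build as soon as any bundle slips through without normalization, instead of waiting for a third party to notice it. Because ctime and birth time survive `os.utime`, a design that relies on timestamp rewriting alone should be treated as leaky regardless of what this test reports.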