[liberationtech] Espionage.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)

Greg greg at kinostudios.com
Wed Oct 8 11:47:58 PDT 2014


I have no intention of reviving a dead thread, but something has been bugging me about the email I sent out below, specifically this little bit here:

> - Steve Weis, chief irresponsible discloser who also happens to work for Facebook where he spends his days helping his company feed your private data to the FBI, NSA, CIA, and other intelligent agencies.


Just want to apologize to Steve for that. I don't know what you do at Facebook, so I shouldn't assume. Perhaps you're even working on the opposite: preventing data leakage outside of Facebook (though I know you are limited because FB doesn't employ end-to-end crypto).

Anyways, sorry about that. I should not have let my upset result in making up accusations.

The rest of the email though, I stand by (including the STFU part, which is to be read in the context in which it was written. I do, however, welcome *all* _truthful_ honest criticism, and invite you to send it to me personally, or to our support address: support at taoeffect.com).

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 7, 2014, at 10:25 AM, Greg <greg at kinostudios.com> wrote:

> Dear Tempest & Andy Isaacson,
> 
> I will reply to both of you here, and I'll also give an update on the status of this "bug" (turns out on closer inspection that software is behaving as it was designed to).
> 
> At the end of this <LONG RANT> I have a question for Collin regarding his request for a CVE.
> 
> On Oct 7, 2014, at 6:26 AM, Tempest <tempest at bitmessage.ch> wrote:
> 
>> Andy Isaacson:
>>> Nope nope nope.  You don't get to try to shame free research and sweep
>>> this issue under the rug by insisting on private email.
>> 
>> this right here.
> 
> 
> This right here is what's called a straw man argument:
> 
> A straw man is a common type of argument and is an informal fallacy based on the misrepresentation of an opponent's argument.[1] To be successful, a straw man argument requires that the audience be ignorant or uninformed of the original argument.
> 
> 
> This straw man argument is being repeated now by multiple people, and the more people continue to repeat it, the less likely the truth of the matter will be heard or understood, so at some point it becomes pointless for me to defend myself.
> 
> I will take it apart piece-by-piece one more time, and then I must GTD:
> 
> Re Andy's: "You don't get to try to shame free research"
> 
> I did not shame free research. I shamed Steve for irresponsible disclosure, and I will shame anyone and everyone who believes that is an acceptable thing to do, including you Andy, and you Tempest, and all other trolls who come out of the woodwork, up to the point where I simply become too exasperated to do so, as such is simply the nature of my character.
> 
> Re Andy's: "sweep this issue under the rug by insisting on private email."
> 
> I did not do, or attempt to try, to "sweep this issue under the rug".
> 
> The point of private email is to give developers of free, semi-free, available, and closed source software the opportunity to fix bugs before those bugs can be exploited by ass monkeys and used to harm people.
> 
> Here on this list of [Liberationtech], because I am doing the crime of charging for my work in an attempt to pay for Maslow's hierarchy of needs, I have attracted to myself several people who are now clamoring that irresponsible disclosure is The Right Thing To Do™.
> 
> Unbelievable.
> 
> You are hypocrites, and you are the dangerous ones, who allow yourselves to be swayed and blinded by red herrings, straw man arguments, into brandishing someone who is _on your side_ as an evil ally of the freaking "Patriot Act"!
> 
> Instead, you are choosing to ally yourselves against me, and stand beside and support:
> 
> - The concept of irresponsible disclosure
> - Steve Weis, chief irresponsible discloser who also happens to work for Facebook where he spends his days helping his company feed your private data to the FBI, NSA, CIA, and other intelligent agencies.
> 
> But that all doesn't matter, because here comes this schmuck Greg Slepak to this list and *DARES* to answer a question and offer the list a discount on his security software. *DARES* to engage the community honestly. *DARES* to request that any issues that might affect his customers be responsibly disclosed, and then *DARES* to get /upset/ when that doesn't happen.
> 
> Screw that. OK, you don't want Espionage? Fine. I've removed the discount code.
> 
> I will continue to work on making Espionage 100% open source [1], but in the meantime, sorry, this is software that is putting food on the table and giving me the roof I need to prevent my laptop from being stolen or destroyed by the elements.
> 
> [1] https://mailman.stanford.edu/pipermail/liberationtech/2014-October/014433.html
> 
> 
> ### Update on this "bug"
> 
> I didn't do enough thorough testing of the software last night (probably because I was too busy replying to you people).
> 
> This morning I ran through the setup several times and noticed that the software appears to be behaving exactly as it is coded to.
> 
> Yes, our timestamping isn't perfect yet (we know that), and it has always been on the list to make it even better. What I *am* concerned about is if there's some ancient text somewhere on our website or other materials that gives _anyone_ the impression that Espionage's plausible deniability is perfect, because it is not, and not only that, it will _never be perfect_. Ever. That is impossible due to the constantly changing nature of software.
> 
> So let me repeat: we are aware that the timestamping is imperfect. We are also aware that it is very difficult to test whether or not it is good in the first place, since measuring whether someone is reliably able to detect the fake data becomes harder and harder as the timestamping/tampering becomes more and more convincing. At some point we would literally need to pay expert forensic detectors $$ to do the testing.
> 
> Speaking of which, are you going to give us that money? If not, STFU, please, because your anger at me at this point is pure burning hypocrisy as you type your upset emails at me on your closed source laptop using various pieces of closed source software to make it possible for your message to be delivered into my Inbox for the purpose of inciting a gag reflex within me.
> 
> There are a bunch of issues that we are wrestling with however. For example, did you know that in order to make convincing timestamps you have to force users to backup more fake data? Did you know that said users will then send you angry emails complaining and wondering why their bandwidth is being saturated by their backup service because Espionage is causing too much data to be backed up?
> 
> Did you have any idea that such an issue existed before I just brought it up?
> 
> Probably not, and that's because: (1) you aren't implementing PD in your non-existent encryption software, and (2) nobody but us is doing this type of thing.
> 
> This "bug" exists for _all_ existing encryption software, and to a much lesser extent it exists for Espionage because Espionage actually attempts to improve on the horrible situation out there.
> 
> So far the most valid criticism that has been expressed on this list was from Collin Anderson, who noticed that some hidden text on our website (you had to click a link to show it) said that our software had "you covered" if you lived in a "totalitarian regime". OK, boom. Just like that, the text is gone. I've already thanked Collin publicly on twitter for his observation, and I'll thank him again here: Thanks! :)
> 
> 
> There is this email that you can send your bugs, your complaints, etc. to:
> 
> 	support at taoeffect.com
> 
> We _will respond_.
> 
> We _do not_ brush anything under any rugs.
> 
> Why? Because our customers pay us to do that.
> 
> BTW, Collin, I honestly don't know whether or not this issue requires a CVE. I am deciding for now not to open one. If you want me to open a CVE, I need to hear from you (and anyone else advocating that I go through the process of opening and maintaining CVE after CVE about the always imperfect PD we provide) why we should be required to open a CVE when TrueCrypt, which provides _worse_ PD, is not asked to open and maintain CVEs for their (to-date-perpetually-worse) PD.
> 
> It seems more like an issue of whether or not we have any text/documentation that could lead people to believe that Espionage provides perfect PD. Now _that_ I would be happy to eradicate with a flamethrower. Find it. Email it to me. It will be eradicated immediately just as I did with the hidden piece of text you found on our site.
> 
> Puking on hypocrisy,
> Greg Slepak
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
