On Thu, Jul 24, 2014 at 08:39:35AM +0200, Stephan Neuhaus wrote:
> On 2014-07-23, 23:59, stef wrote:
>> exactly this prompted me to come up with the seven rules of thumb to detect
>> snakeoil:
>> * not free software
>> * runs in a browser
>> * runs on a smartphone
>> * the user doesn't generate, or exclusively own the private encryption keys
>> * there is no threat model
>> * uses marketing-terminology like "cyber", "military-grade"
>> * neglects general sad state of host security
>
> In order to qualify as snake oil according to this definition, do all of
> these have to be true, or is any criterion sufficient?

any is enough, but combo-bonuses are combo-bonuses.

> Because if it's "any", then this https://www.cylab.cmu.edu/safeslinger/ is
> snakeoil, which I think is unfair. (Note that I'm not saying that this is a
> secure app; I haven't looked at the code. But you can't fault the authors on
> threat modelling etc. Its only "fault" is that it runs on a smart phone.)

well, you have a baseband stack behind it, and a vendor/provider delivering
stuff without your consent, etc...