On Sun, Feb 01, 2015 at 06:57:01PM -0800, Seth wrote:
> * not free software - Closed source (although audited by Veracode)
static analysis != audited. however i believe that without any static analysis any product would be even more snake oil. but you know how static analysis goes: you get a long list of warnings and errors, and then you go suppressing them. ;) would be interesting to see the list of warnings and the mitigations. but then, static analysis has its limits.
> * runs on a smartphone - yes
this is where we can stop. ;)
> * there is no threat model - (claims to be 'last messaging app standing with no 0days to date', claims nation threat attacks were expected from day one, claims zero knowledge company infrastructure server configuration)
> * uses marketing-terminology like "cyber", "military-grade" - displays message 'securing your phone using military grade encryption' during app setup
> * neglects general sad state of host security - unsure
see "runs on a phone" (i think someone noticed this redundancy in the original 7 rules as well)
> - https://wickr.com/ appears to require javascript to view
> - Wickr company infrastructure security audited by iSecPartners
not everything must be bad, statistically speaking some things must be right, at least on a bell curve distribution between epic and fail. :)

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt