On Mon, 02 Feb 2015 02:51:00 -0800, rysiek <rysiek@hackerspace.pl> wrote:
On Sunday, 1 February 2015 22:03:13 Seth wrote:
I'd say the verdict leans towards snake-oil so far.
"Leans"?..
I was trying to be politic about it. :D

To be fair the TLS setup on the secex.info mentioned in the video has since been fixed, however I am not sure if the other flaws have been addressed along with a public announcement that they were fixed. I'm skeptical that's the case.

Wickr has been offering a $100,000 bug bounty for a year now. It might be an opportunity for someone with the right skill set to clean up.

http://venturebeat.com/2014/01/15/wickr-bug-bounty/

Some additional thoughts:

1) Wickr claims on the front page of their web site that they are 'the first company to put a warrant canary in our transparency report'. This may be true with the crucial detail of it being included in a transparency report. At first I was pretty sure Nico Sell was claiming in a video or interview that Wickr is the first company to use a warrant canary, which would be patently untrue, but I could have misheard. Rsync.net has been doing this since at least 2007. They are the first company I am aware of to have done so.

http://www.rsync.net/resources/notices/canary.txt
http://lippard.blogspot.de/2007/03/rsyncnet-warrant-canary.html

2) I like the fact that Wickr has a desktop client. I have long wished that something similar existed for TextSecure and Redphone.

3) Wickr has raised 30 million in venture capital in a round led by Jim Breyer, founder and CEO of Breyer Capital who made his first billion with an early investment in Facebook.

4) The 'Technical Mumbo Jumbo' YouTube reviewer guy has another video where he demonstrates how easy it is to grab a screenshot on an iOS device of a 'self destructing' message. Screenshot has been disabled on Android, but considering iOS was the first device Wickr was released on, this is an embarrassing flaw in their client and marketing claims. I recommend watching all his video reviews of Wickr.