On 2014-07-23, 23:59, stef wrote:
exactly this prompted me to come up with the seven rules of thumb to detect snakeoil:
- not free software
- runs in a browser
- runs on a smartphone
- the user doesn't generate, or exclusively own the private encryption keys
- there is no threat model
- uses marketing-terminology like "cyber", "military-grade"
- neglects general sad state of host security

In order to qualify as snake oil according to this definition, do all of these have to be true, or is any criterion sufficient? Because if it's "any", then this https://www.cylab.cmu.edu/safeslinger/ is snakeoil, which I think is unfair.

(Note that I'm not saying that this is a secure app; I haven't looked at the code. But you can't fault the authors on threat modelling etc. Its only "fault" is that it runs on a smart phone.)

Fun,
Stephan
--