On Thu, Jul 24, 2014 at 08:39:35AM +0200, Stephan Neuhaus wrote:
> On 2014-07-23, 23:59, stef wrote:
>> exactly this prompted me to come up with the seven rules of thumb to detect snakeoil:
>>
>> * not free software
>> * runs in a browser
>> * runs on a smartphone
>> * the user doesn't generate, or exclusively own the private encryption keys
>> * there is no threat model
>> * uses marketing-terminology like "cyber", "military-grade"
>> * neglects general sad state of host security
>
> In order to qualify as snake oil according to this definition, do all of these have to be true, or is any criterion sufficient?

any is enough, but combo-bonuses are combo-bonuses.

> Because if it's "any", then this https://www.cylab.cmu.edu/safeslinger/ is snakeoil, which I think is unfair. (Note that I'm not saying that this is a secure app; I haven't looked at the code. But you can't fault the authors on threat modelling etc. Its only "fault" is that it runs on a smart phone.)

well, you have a baseband stack behind it, and a vendor/provider delivering stuff without your consent, etc...

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt