Wickr vs stef's seven rules of thumb to detect snakeoil
Searched the cpunk archives and was surprised to find no mention of wickr yet. I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:

* not free software - Closed source (although audited by Veracode)
* runs in a browser - no
* runs on a smartphone - yes
* the user doesn't generate, or exclusively own the private encryption keys - unsure (displays a message about 'securing your phone using military grade encryption' during first app launch/sign-in, believe local keys are generated during this step.)
* there is no threat model - (claims to be 'last messaging app standing with no 0days to date', claims nation threat attacks were expected from day one, claims zero knowledge company infrastructure server configuration)
* uses marketing-terminology like "cyber", "military-grade" - displays message 'securing your phone using military grade encryption' during app setup
* neglects general sad state of host security - unsure

Additional notes:

- Offers desktop app for Win/OSX/Linux since 2014/12
- https://wickr.com/ appears to require javascript to view
- Founder Nico Sell is long time Def-Con organizer, founded Def-Con for kids (now called Rootz Asylum) in 2010
- Wickr company infrastructure security audited by iSecPartners
On Mon, Feb 2, 2015, at 01:57 PM, Seth wrote:
> I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:
> * not free software - Closed source (although audited by Veracode)
From Wikipedia:
"Veracode’s patented binary static analysis technology analyzes binary code to create a detailed model of the application’s data and control paths."

"Veracode’s binary static analysis technology analyzes all application code without requiring access to source code."

Does anyone know how this works against self-encrypted binaries?

Alfie

--
Alfie John
alfiej@fastmail.fm
On Sun, 01 Feb 2015 18:57:01 -0800, Seth <list@sysfu.com> wrote:
> Searched the cpunk archives and was surprised to find no mention of wickr yet.
> I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:
Yikes, just found this excellent video review of Wickr and it's not flattering: https://www.youtube.com/watch?v=GDq7GJWKyqc. The presenter sums it up as "this is really a classic example of what can happen when you try to do your security in secret, and nobody really looks too closely at what you're doing."

Main flaws claimed to be found by reviewer:

- Password stored on servers
- hardware binding is a joke
- caught using static AES key
- Were not signing their messages
- TOFU (Trust On First Use) architecture
- Crappy TLS implementation
- Wickr servers using PHP scripts

I'd say the verdict leans towards snake-oil so far.
On Sunday, 1 February 2015 22:03:13, Seth wrote:
> Main flaws claimed to be found by reviewer:
> - Password stored on servers
> - hardware binding is a joke
> - caught using static AES key
> - Were not signing their messages
> - TOFU (Trust On First Use) architecture
> - Crappy TLS implementation
> - Wickr servers using PHP scripts
>
> I'd say the verdict leans towards snake-oil so far.
"Leans"?..

--
Regards,
Michał "rysiek" Woźniak

I am changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
On Mon, 02 Feb 2015 02:51:00 -0800, rysiek <rysiek@hackerspace.pl> wrote:
> On Sunday, 1 February 2015 22:03:13, Seth wrote:
> > I'd say the verdict leans towards snake-oil so far.
>
> "Leans"?..
I was trying to be politic about it. :D

To be fair the TLS setup on the secex.info mentioned in the video has since been fixed, however I am not sure if the other flaws have been addressed along with a public announcement that they were fixed. I'm skeptical that's the case.

Wickr has been offering a $100,000 bug bounty for a year now. It might be an opportunity for someone with the right skill set to clean up.
http://venturebeat.com/2014/01/15/wickr-bug-bounty/

Some additional thoughts:

1) Wickr claims on the front page of their web site that they are 'the first company to put a warrant canary in our transparency report'. This may be true with the crucial detail of it being included in a transparency report. At first I was pretty sure Nico Sell was claiming in a video or interview that Wickr is the first company to use a warrant canary, which would be patently untrue, but I could have misheard. Rsync.net has been doing this since at least 2007. They are the first company I am aware of to have done so.
http://www.rsync.net/resources/notices/canary.txt
http://lippard.blogspot.de/2007/03/rsyncnet-warrant-canary.html

2) I like the fact that Wickr has a desktop client. I have long wished that something similar existed for TextSecure and Redphone.

3) Wickr has raised 30 million in venture capital in a round led by Jim Breyer, founder and CEO of Breyer Capital, who made his first billion with an early investment in Facebook.

4) The 'Technical Mumbo Jumbo' youtube reviewer guy has another video where he demonstrates how easy it is to grab a screenshot on an iOS device of a 'self destructing' message. Screenshot has been disabled on Android, but considering iOS was the first device Wickr was released on, this is an embarrassing flaw in their client and marketing claims. I recommend watching all his video reviews of Wickr.
On Sun, Feb 01, 2015 at 06:57:01PM -0800, Seth wrote:
> * not free software - Closed source (although audited by Veracode)
static analysis != audited. however i believe that without any static analysis any product would be even more snakeoil. but you know how static analysis goes, you get a long list of warnings and errors, and then you go suppressing them. ;) would be interesting to see the list of warnings and the mitigations. but then, static analysis has its limits.
> * runs on a smartphone - yes
this is where we can stop. ;)
> * there is no threat model - (claims to be 'last messaging app standing with no 0days to date', claims nation threat attacks were expected from day one, claims zero knowledge company infrastructure server configuration)
> * uses marketing-terminology like "cyber", "military-grade" - displays message 'securing your phone using military grade encryption' during app setup
> * neglects general sad state of host security - unsure
see runs on a phone (i think someone noticed this redundancy in the original 7 rules as well)
> - https://wickr.com/ appears to require javascript to view
:/
> - Wickr company infrastructure security audited by iSecPartners
not everything must be bad, statistically speaking some things must be right, at least on a bell curve distribution between epic and fail. :)

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
On Mon, 02 Feb 2015 02:18:28 -0800, stef <s@ctrlc.hu> wrote:
> > * runs on a smartphone - yes
>
> this is where we can stop. ;)
What are the primary objections to the smart phone as a platform again? Off the top of my head:

1) Evil blackbox baseband controller
2) Products of corrupt mega-corps in bed with the surveillance state
3) App Stores could be used to push malware onto device
Participants (4): Alfie John, rysiek, Seth, stef