Snowden triggers flood of Crapware [was: Gruveo, more secure skype?]

stef s at ctrlc.hu
Thu Jul 24 14:44:21 PDT 2014


On Thu, Jul 24, 2014 at 10:54:16PM +0200, stef wrote:
> On Thu, Jul 24, 2014 at 10:41:35PM +0200, Stephan Neuhaus wrote:
> > On 2014-07-24, 18:16, stef wrote:
> > > On Thu, Jul 24, 2014 at 04:06:03PM +0200, Stephan Neuhaus wrote:
> > >> So if I mention to you that a certain app just happens to run on a
> > >> smartphone, your Spidey-sense would be tingling, no matter if the app
> > >> has had excellent threat modelling, code audit etc?
> > > 
> > > it's rule of thumb. right? there might be exceptions (i know of exactly one),
> > > which strengthen the rule ;)
> > 
> > Sorry to insist, but I gave you a concrete app, namely safeslinger:
> > https://www.cylab.cmu.edu/safeslinger/ Do you think that it is snake oil?
> 
> unless it is being deployed for confidentiality defending against only low level
> adversaries (but by stating this i already narrowed down the threat-model
> significantly). i believe so. it is an app, nothing more.

not saying that the research and the protocols might be sound. but even much
more mature algos that are yet unbroken on a scientific level do not pass the
rule of thumb when they're implemented on smartphones. all of matej's concerns
apply. the phone is basically a huge side channel. not saying you can't build
castles on sand, but their threat model is quite limited. just a few days ago
i believe eugen posted a nice list of ios bugdoors. no insult to the product
in question, it's the underlying platform that's broken.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt



More information about the cypherpunks mailing list