Wickr vs stef's seven rules of thumb to detect snakeoil

stef s at ctrlc.hu
Mon Feb 2 02:18:28 PST 2015


On Sun, Feb 01, 2015 at 06:57:01PM -0800, Seth wrote:
> * not free software
> - Closed source (although audited by Veracode)

static analysis != audited. however i believe that without any static analysis
any product would be even more snakeoil. but you know how static analysis
goes, you get a long list of warnings and errors, and then you go suppressing
them. ;) would be interesting to see the list of warnings and the mitigations.
but then, static analysis has its limits.

> * runs on a smartphone
> - yes

this is where we can stop. ;)

> * there is no threat model
> - (claims to be 'last messaging app standing with no 0days to date', claims
> nation threat attacks were expected from day one, claims zero knowledge
> company infrastructure server configuration)
> 
> * uses marketing-terminology like "cyber", "military-grade"
> - displays message 'securing your phone using military grade encryption'
> during app setup
> 
> * neglects general sad state of host security
> - unsure

see runs on a phone (i think someone noticed this redundancy in the original 7
rules as well)

> - https://wickr.com/ appears to require javascript to view

:/

> - Wickr company infrastructure security audited by iSecPartners

not everything must be bad, statistically speaking some things must be right,
at least on a bell curve distribution between epic and fail. :)

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
