Wickr vs stef's seven rules of thumb to detect snakeoil
Seth
list at sysfu.com
Mon Feb 2 08:28:19 PST 2015
On Mon, 02 Feb 2015 02:51:00 -0800, rysiek <rysiek at hackerspace.pl> wrote:
> On Sunday, 1 February 2015 22:03:13 Seth wrote:
>> I'd say the verdict leans towards snake-oil so far.
>
> "Leans"?..
I was trying to be politic about it. :D
To be fair the TLS setup on the secex.info mentioned in the video has
since been fixed, however I am not sure if the other flaws have been
addressed along with a public announcement that they were fixed. I'm
skeptical that's the case.
Wickr has been offering a $100,000 bug bounty for a year now. It might be
an opportunity for someone with the right skill set to clean up.
http://venturebeat.com/2014/01/15/wickr-bug-bounty/
Some additional thoughts:
1) Wickr claims on the front page of their web site that they are 'the
first company to put a warrant canary in our transparency report'. This
may be true with the crucial detail of it being included in a
transparency report.
At first I was pretty sure Nico Sell was claiming in a video or interview
that Wickr is the first company to use a warrant canary, which would be
patently untrue, but I could have misheard.
Rsync.net has been doing this since at least 2007. They are the first
company I am aware of to have done so.
http://www.rsync.net/resources/notices/canary.txt
http://lippard.blogspot.de/2007/03/rsyncnet-warrant-canary.html
2) I like the fact that Wickr has a desktop client. I have long wished
that something similar existed for TextSecure and Redphone.
3) Wickr has raised 30 million in venture capital in a round led by Jim
Breyer, founder and CEO of Breyer Capital who made his first billion with
an early investment in Facebook.
4) The 'Technical Mumbo Jumbo' YouTube reviewer guy has another video
where he demonstrates how easy it is to grab a screenshot on an iOS device
of a 'self destructing' message. Screenshot has been disabled on Android,
but considering iOS was the first device Wickr was released on, this is an
embarrassing flaw in their client and marketing claims. I recommend
watching all his video reviews of Wickr.