On 06/28/2012 06:28 AM, Nathan of Guardian wrote:
> On 06/28/2012 04:58 AM, ilf wrote:
>> Opinions on this? Has there been any peer-review?
>
> Not as far as I know, but I think I can tackle it quickly here from what
> is on their website. Most of this is the usual open-vs-closed type
> issues, but still important to reiterate.
>
> I have also cc'd their privacy@ address so they can join the libtech
> list and respond if they choose. I should also disclose my well-known
> bias towards open source and open standards.
>
> PROS
> - it is free (as in free cheese samples at the grocery store)
> - they have some sense of user-oriented design/threat model design
> - their claimed data retention / privacy policies seem ideal
> - the claim that centrally stored data is minimal

Proof? What is claimed to be stored?

> - it comes with all that proclaimed "easy to use" and "just works"
> attitude that is part of the Apple iOS world; from screenshots, it looks
> simple enough to use

How do they deal with an active MITM?

> - better than an unencrypted SMS!

Heh - really? Probably... :)

>
> CONS
> - closed-source, no ability to publicly audit without some sort of NDA

Do they offer the ability to audit with an NDA?

> - includes "patent-pending technology" aka proprietary, encumbered, not
> an open/known standard

Sounds sketchy.

> - limited to distribution where Apple and partner countries allow it

Bad news.

> - only works on iOS

I assume they'll make an Android version too?

> - no perfect-forward secrecy, it seems, meaning any encrypted on a
> remote device, can easily be tied back to your wickr ID and/or your
> cryptographic key

Holy. Fucking. Shit.

So that basically says it all - where they say "Leave No Trace" what they mean is "Leave a cryptographic trace!"

> - no information about client-to-server connection (SSL, TLS? resistant
> to man-in-the-middle attacks?)

Has anyone intercepted this data yet?

> - centralized service with no option of hosting your own

Bummer.

> - "Activist" is not one of their user stories/types that they have
> designed around, though they claim "freedom fighters" are among their
> existing users

That's hilarious.

> - based on their "third parties" policy, it seems their system design is
> susceptible to lawful intercept

Awesome! Nothing quite like a backdoor when you're using it to ensure you "Leave No Trace!"

>
> Would I recommend it? Probably not, but I am curious to see what sort of
> mainstream uptake they might get, much in the same way I am curious
> about SilentCircle.com, which is offering a very similar set of promises
> as Wickr.
>

SilentCircle has Jon Callas and Phil Zimmermann. That's a totally different ballgame.
While I dislike that they're likely re-inventing the wheel in a few places, I can't say that it's too similar.

All the best,
Jake
