On Oct 3, 2014, at 12:04 PM, Steve Weis <[email protected]> wrote:

> Hi Greg. The burden of proof is on Espionage to convince people that
> it is safe. I can't trust it based on marketing claims alone.
>
> There is not a sufficiently detailed design document on the website,
> much less a battle-tested, peer-reviewed design.
And how many free open-source encryption utilities like Espionage fit that description? None? Maybe the defunct TrueCrypt?

As far as crypto goes, we are using scrypt (free/open source) [1] and Apple's disk images (100% closed source).

[1] https://www.tarsnap.com/scrypt.html

We're not thrilled about the Apple part. I linked to a review by @ioerror (and someone he worked with) that contains their analysis of it in the r/security link that was mentioned earlier in this thread. We are investigating ways of removing our dependence on Apple's sparsebundles.

> I don't see any reference to independent third-party audits.

I would love to do a professional audit once we can safely afford one. In the meantime, those who would like to audit us pro bono are welcome to, so long as they sign the NDA:

https://www.taoeffect.com/forum/index.php?board=14.0

BTW, does anyone here want to donate to an audit of Espionage? Cause that would be swell! (Should we start a TrueCrypt-like campaign? I'm not sure that would go over well given that we charge for it.)

> I can't find any indication the development team has security or crypto
> expertise and I cannot personally sign an NDA to view the source code.

I have security expertise, but am not a cryptographer, and therefore I use existing code, like Colin Percival's scrypt.

> If I'm missing something or you're willing to give source access
> without an NDA, please let me know.

Why are you unable to sign the NDA?

> Otherwise, I have to advise people to avoid Espionage.

I'm sorry to hear that. :-(

Here is a list of other software that supports deniability (but not the same kind that Espionage does) that you might want to recommend in its place:

https://en.wikipedia.org/wiki/Deniable_encryption#Software

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
>
>
> On Thu, Oct 2, 2014 at 5:50 PM, Greg <[email protected]> wrote:
>>
>> Stating a thing does not make it true, no matter how many times it is
>> repeated.
>> It is not "apply". It is apply.
>> Anyone is welcome, so long as they:
>>
>> 1. Are software security professionals. (Nobody else matters in this
>> context, after all.)
>> 2. Don't work for government intelligence agencies.
>> 3. Sign the NDA we give them, the salient points of which are enumerated on
>> our site.
>>
>> They will be given a free license to Espionage.
>>
>> Also, you convince me how to keep providing high quality software and
>> support while simultaneously making Espionage completely free and open
>> source and I will do it in a flash.
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].
--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
