Greg,

When someone else discovers an issue with your product and you find out about it - you should be thankful.

They could have just as easily sold the bug silently to the intelligence community - or let you otherwise continue to produce insecure software.

In fact "irresponsible disclosure" supposes that this vulnerability was difficult to uncover. If the vulnerability was particularly easy -for any threat actor- to uncover then an argument can be made that delaying disclosure is irresponsible.

Travis

On Oct 6, 2014 11:11 PM, "Greg" <[email protected]> wrote:

> On Oct 6, 2014, at 7:21 PM, Collin Anderson <[email protected]> wrote:
>
> Here I attempted to make a professional point that you are purporting to offer software to an audience whose needs you do not seem to be able to serve. Your seriousness in regard to the obligations that those needs incur seems to have only come up to denigrate Steve for having laid bare the situation, and in what appears to have been a few minutes worth of research.
>
> Irresponsible disclosure is a serious problem, yes.
>
> Are you endorsing irresponsible disclosure...?
>
> No, I kept my trolling to Twitter. Fun was had by many.
>
> And you are actually proud of trolling...?
>
> Not sure what's so difficult about asking us to just change the text. We're happy to address your concerns. You don't need to troll us to get a response, in fact you're more likely to get a better one when you don't troll.
>
> Rather than this blasé and hostile attitude, you should have expressed some shame for using this community to push your software.
>
> Someone wanted to know about truecrypt alternatives, and here was my reply:
>
> *See this list on ArsTechnica's forum:*
>
> *http://arstechnica.com/civis/viewtopic.php?f=21&t=1245367* <http://arstechnica.com/civis/viewtopic.php?f=21&t=1245367>
>
> *I work for Tao Effect LLC, our software is on that list, and you can read about how its plausible deniability compares to TrueCrypt's here (forgive this subreddit's insane color scheme):*
>
> *http://www.reddit.com/r/security/comments/2b5icu/major_advancements_in_deniable_encryption_arrive/cj24a1n* <http://www.reddit.com/r/security/comments/2b5icu/major_advancements_in_deniable_encryption_arrive/cj24a1n>
>
> *In case anyone on this list wants a license, here's a code for 15% off: LIBERATIONTECH*
>
> *There are 10 of them and you can use them on espionageapp.com <http://espionageapp.com/>. They expire November 1st.*
>
> But you haven't. Let us know when Steve's bug has a CVE number.
>
> Sure, I can do that for you. :)
>
> I can also change the website's wording for you. Just send us an email with how you would prefer we phrase our website's text: [email protected]
>
> Kind regards,
> Greg Slepak
>
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
