On Tue, Oct 7, 2014 at 1:25 PM, Greg <g...@kinostudios.com> wrote:
> If you want me to open a CVE, I need to hear from you (and anyone else
> advocating that I go through the process of opening and maintaining CVE
> after CVE about the always imperfect PD we provide) why we should be
> required to open a CVE when TrueCrypt, which provides _worse_ PD is not
> asked to open and maintain CVEs for their (to-date-perpetually-worse) PD.

The baseline of security disclosures that you offer to your clients should not be determined by the failures of others. People have always felt uncomfortable about TrueCrypt for reasons such as these, and if you want to build greater trust with communities such as Libtech then you should learn from others' mistakes.

I cannot tell you how you should interact with clients, but I can say that you have sold your product based on certain claims historical. Regardless of whether these claims were removed, I would argue that you maintain a responsibility to uphold those commitments. For that matter there is still language such as "virtually impossible" on your site [1], which appears increasingly like a departure from how Espionage works in its current state. In fact many privacy tools in the FOSS and other communities go as far as to caution users where their products don't work. I think you should strongly consider that by the way.

I respect that you feel the need to be defensive right now, and appreciate that you haven't just abandoned the thread, but if there is unfair criticism of your product it still is not constructive to tell people to 'shut the fuck up.'

Honestly, I don't care if you file a CVE or not, but please never use the human rights activist claim again.

[1] https://www.taoeffect.com/blog/2014/07/major-advancements-in-deniable-encryption-arrive-in-espionage-3-6/

--
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.