I have no intention of reviving a dead thread, but something has been bugging me about the email I sent out below, specifically this little bit here:
> - Steve Weis, chief irresponsible discloser who also happens to work for
> Facebook where he spends his days helping his company feed your private data
> to the FBI, NSA, CIA, and other intelligent agencies.

Just want to apologize to Steve for that. I don't know what you do at Facebook, so I shouldn't assume. Perhaps you're even working on the opposite: preventing data leakage outside of Facebook (though I know you are limited because FB doesn't employ end-to-end crypto).

Anyways, sorry about that. I should not have let my upset result in making up accusations.

The rest of the email though, I stand by (including the STFU part, which is to be read in the context in which it was written. I do, however, welcome *all* _truthful_ honest criticism, and invite you to send it to me personally, or to our support address: [email protected]).

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 7, 2014, at 10:25 AM, Greg <[email protected]> wrote:

> Dear Tempest & Andy Isaacson,
>
> I will reply to both of you here, and I'll also give an update on the status
> of this "bug" (turns out on closer inspection that software is behaving as it
> was designed to).
>
> At the end of this <LONG RANT> I have a question for Collin regarding his
> request for a CVE.
>
> On Oct 7, 2014, at 6:26 AM, Tempest <[email protected]> wrote:
>
>> Andy Isaacson:
>>> Nope nope nope. You don't get to try to shame free research and sweep
>>> this issue under the rug by insisting on private email.
>>
>> this right here.
>
>
> This right here is what's called a straw man argument:
>
> A straw man is a common type of argument and is an informal fallacy based on
> the misrepresentation of an opponent's argument.[1] To be successful, a straw
> man argument requires that the audience be ignorant or uninformed of the
> original argument.
>
>
> This straw man argument is being repeated now by multiple people, and the
> more people continue to repeat it, the less likely the truth of the matter
> will be heard or understood, so at some point it becomes pointless for me to
> defend myself.
>
> I will take it apart piece-by-piece one more time, and then I must GTD:
>
> Re Andy's: "You don't get to try to shame free research"
>
> I did not shame free research. I shamed Steve for irresponsible disclosure,
> and I will shame anyone and everyone who believes that is an acceptable thing
> to do, including you Andy, and you Tempest, and all other trolls who come out
> of the woodworks, up to the point where I simply become too exasperated to do
> so, as such is simply the nature of my character.
>
> Re Andy's: "sweep this issue under the rug by insisting on private email."
>
> I did not do, or attempt to try, to "sweep this issue under the rug".
>
> The point of private email is to give developers of free, semi-free,
> available, and closed source software the opportunity to fix bugs before
> those bugs can be exploited by ass monkeys and used to harm people.
>
> Here on this list of [Liberationtech], because I am doing the crime of
> charging for my work in an attempt to pay for Maslow's hierarchy of needs, I
> have attracted to myself several people who are now clamoring that
> irresponsible disclosure is The Right Thing To Do™.
>
> Unbelievable.
>
> You are hypocrites, and you are the dangerous ones, who allow yourselves to
> be swayed and blinded by red herrings, straw man arguments, into brandishing
> someone who is _on your side_ as an evil ally of the freaking "Patriot Act"!
>
> Instead, you are choosing to ally yourselves against me, and stand beside and
> support:
>
> - The concept of irresponsible disclosure
> - Steve Weis, chief irresponsible discloser who also happens to work for
> Facebook where he spends his days helping his company feed your private data
> to the FBI, NSA, CIA, and other intelligent agencies.
>
> But that all doesn't matter, because here comes this schmuck Greg Slepak to
> this list and *DARES* to answer a question and offer the list a discount on
> his security software. *DARES* to engage the community honestly. *DARES* to
> request that any issues that might affect his customers be responsibly
> disclosed, and then *DARES* to get /upset/ when that doesn't happen.
>
> Screw that. OK, you don't want Espionage? Fine. I've removed the discount
> code.
>
> I will continue to work on making Espionage 100% open source [1], but in the
> meantime, sorry, this is software that is putting food on the table and giving
> me the roof I need to prevent my laptop from being stolen or destroyed by the
> elements.
>
> [1]
> https://mailman.stanford.edu/pipermail/liberationtech/2014-October/014433.html
>
>
> ### Update on this "bug"
>
> I didn't do enough thorough testing of the software last night (probably
> because I was too busy replying to you people).
>
> This morning I ran through the setup several times and noticed that the
> software appears to be behaving exactly as it is coded to.
>
> Yes, our timestamping is perfect yet (we know that), and it has always been
> on the list to make it even better. What I *am* concerned about is if there's
> some ancient text somewhere on our website or other materials that gives
> _anyone_ the impression that Espionage's plausible deniability is perfect,
> because it is not, and not only that, it will _never be perfect_. Ever. That
> is impossible due to the constantly changing nature of software.
>
> So let me repeat: we are aware that the timestamping is imperfect.
> We are also aware that it is very difficult to test whether or not it is
> good in the first place, since measuring whether someone is reliably able to
> detect the fake data becomes harder and harder as the timestamping/tampering
> becomes more and more convincing. At some point we would literally need to
> pay expert forensic detectors $$ to do the testing.
>
> Speaking of which, are you going to give us that money? If not, STFU, please,
> because your anger at me at this point is pure burning hypocrisy as you type
> your upset emails at me on your closed source laptop using various pieces of
> closed source software to make it possible for your message to be delivered
> into my Inbox for the purpose of inciting a gag reflex within me.
>
> There are a bunch of issues that we are wrestling with however. For example,
> did you know that in order to make convincing timestamps you have to force
> users to backup more fake data? Did you know that said users will then send
> you angry emails complaining and wondering why their bandwidth is being
> saturated by their backup service because Espionage is causing too much data
> to be backed up?
>
> Did you have any idea that such an issue existed before I just brought it up?
>
> Probably not, and that's because: (1) you aren't implementing PD in your
> non-existent encryption software, and (2) nobody but us is doing this type of
> thing.
>
> This "bug" exists for _all_ existing encryption software, and to a much
> lesser extent it exists for Espionage because Espionage actually attempts to
> improve on the horrible situation out there.
>
> So far the most valid criticism that has been expressed on this list was from
> Collin Anderson, who noticed that some hidden text on our website (you had to
> click a link to show it) said that our software had "you covered" if you
> lived in a "totalitarian regime". OK, boom. Just like that, the text is gone.
> I've already thanked Collin publicly on twitter for his observation, and I'll
> thank him again here: Thanks! :)
>
>
> There is this email that you can send your bugs, your complaints, etc. to:
>
> [email protected]
>
> We _will respond_.
>
> We _do not_ brush anything under any rugs.
>
> Why? Because our customers pay us to do that.
>
> BTW, Collin, I honestly don't know whether or not this issue requires a CVE.
> I am deciding for now not to open one. If you want me to open a CVE, I need
> to hear from you (and anyone else advocating that I go through the process of
> opening and maintaining CVE after CVE about the always imperfect PD we
> provide) why we should be required to open a CVE when TrueCrypt, which
> provides _worse_ PD is not asked to open and maintain CVEs for their
> (to-date-perpetually-worse) PD.
>
> It seems more like an issue of whether or not we have any text/documentation
> that could lead people to believe that Espionage provides perfect PD. Now
> _that_ I would be happy to eradicate with a flamethrower. Find it. Email it
> to me. It will be eradicated immediately just as I did with the hidden piece
> of text you found on our site.
>
> Puking on hypocrisy,
> Greg Slepak
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].
