I have no intention of reviving a dead thread, but something has been bugging
me about the email I send out below, specifically this little bit here:
> - Steve Weis, chief irresponsible discloser who also happens to work for
> Facebook where he spends his days helping his company feed your priva
On Oct 7, 2014, at 11:31 AM, Collin Anderson wrote:
> For that matter there is still language such as "virtually impossible" on
> your site [1], which appears increasingly like a departure from how
> Espionage works in its current state. In fact many privacy tools in the FOSS
> and other commu
On Tue, Oct 7, 2014 at 1:25 PM, Greg wrote:
> If you want me to open a CVE, I need to hear from you (and anyone else
> advocating that I go through the process of opening and maintaining CVE
> after CVE about the always imperfect PD we provide) why we should be
> required to open a CVE when TrueC
Dear Tempest & Andy Isaacson,
I will reply to both of you here, and I'll also give an update on the status of
this "bug" (turns out on closer inspection that software is behaving as it was
designed to).
At the end of this I have a question for Collin regarding his
request for a CVE.
On Oct
Andy Isaacson:
> Nope nope nope. You don't get to try to shame free research and sweep
> this issue under the rug by insisting on private email.
This right here. I've found the developer's words on this matter
especially disheartening, particularly since he came into this thread
through attemptin
On Mon, Oct 06, 2014 at 09:16:42PM -0700, Greg wrote:
> I believe clicking on the email I gave him would take approximately the same
> amount of time as replying to the list, but I could be mistaken.
You joined a list where to a certain degree there is
a consensus that, given Patriot Act and simi
On Mon, Oct 06, 2014 at 06:35:35PM -0700, Greg wrote:
> Thanks for letting me know. Looks like only some of the sparsebundles
> are getting properly timestamped for some reason. We'll fix this for
> the next release.
>
> You of all people, however, should know better [1] than to ignore my
> reques
On Tuesday 7 October 2014 03:50:39 CEST, Greg wrote:
On Oct 6, 2014, at 6:41 PM, Collin Anderson wrote:
On Mon, Oct 6, 2014 at 9:35 PM, Greg wrote:
Although this isn't a serious bug, it's still a
security-related issue and you don't know how failing to
responsibly disclose it could af
I think the point has been made. And, substantively, this thread has
been interesting. So let's get back to the subject at hand or, if it
has run its course, let's move on.
Thanks,
Yosem
(One of the moderators)
On Mon, Oct 6, 2014 at 9:16 PM, Greg wrote:
> Dear Travis,
>
> On Oct 6, 2014, at 9:0
Dear Travis,
On Oct 6, 2014, at 9:08 PM, Travis Biehn wrote:
> Greg,
> When someone else discovers an issue with your product and you find out about
> it - you should be thankful.
>
I was thankful. I literally thanked him.
> In fact "irresponsible disclosure" supposes that this vulnerability w
Greg,
When someone else discovers an issue with your product and you find out
about it - you should be thankful.
They could have just as easily sold the bug silently to the intelligence
community - or let you otherwise continue to produce insecure software.
In fact "irresponsible disclosure" sup
On Oct 6, 2014, at 7:21 PM, Collin Anderson wrote:
> Here I attempted to make a professional point that you are purporting to
> offer software to an audience whose needs you do not seem to be able to
> serve. Your seriousness in regard to the obligations that those needs incur
> seems to have o
On Mon, Oct 6, 2014 at 10:01 PM, Greg wrote:
> Collin, do you have something useful to add to this discussion or are you
> just getting a kick out of trolling me and the list?
>
No, I kept my trolling to Twitter. Fun was had by many.
Here I attempted to make a professional point that you are pu
On Oct 6, 2014, at 6:54 PM, Collin Anderson wrote:
> On Mon, Oct 6, 2014 at 9:50 PM, Greg wrote:
> I have no idea why it suddenly broke.
>
> If you have no idea why something fairly basic and important broke, should
> you be purporting to be safe enough to cover the use case of "a human rights
On Mon, Oct 6, 2014 at 9:50 PM, Greg wrote:
> I have no idea why it suddenly broke.
If you have no idea why something fairly basic and important broke, should
you be purporting to be safe enough to cover the use case of "a human
rights activist inside of a totalitarian regime"?
--
*Collin Da
On Oct 6, 2014, at 6:41 PM, Collin Anderson wrote:
> On Mon, Oct 6, 2014 at 9:35 PM, Greg wrote:
> Although this isn't a serious bug, it's still a security-related issue and
> you don't know how failing to responsibly disclose it could affect someone.
>
> It seems that you were called out on s
On Mon, Oct 6, 2014 at 9:35 PM, Greg wrote:
> Although this isn't a serious bug, it's still a security-related issue and
> you don't know how failing to responsibly disclose it could affect someone.
>
It seems that you were called out on something fairly basic -- is this
about bug reporting or p
Dear Steve,
Thanks for letting me know. Looks like only some of the sparsebundles are
getting properly timestamped for some reason. We'll fix this for the next
release.
You of all people, however, should know better [1] than to ignore my request
that you disclose any security-related matters i
To start with, the fake sparsebundle metadata and band modification
times (i.e. the metadata's metadata) are distinguishable from a real
sparsebundle's. Espionage's attempt to manipulate the metadata
actually seems to be giving away which ones are fake.
Take a look at each sparsebundle's "bands"
Dear Steve,
On Oct 6, 2014, at 9:48 AM, Steve Weis wrote:
> Hello Greg. I tried out Espionage.app and it was easy to distinguish
> real encrypted images from fake images via filesystem metadata. I
> don't think Espionage offers any realistic notion of plausible
> deniability, especially against
Hello Greg. I tried out Espionage.app and it was easy to distinguish
real encrypted images from fake images via filesystem metadata. I
don't think Espionage offers any realistic notion of plausible
deniability, especially against "totalitarian regimes" as the webpage
claims.
This took no special s