[messaging] EFF Secure Messaging Scorecard
jacob at appelbaum.net
Tue Nov 4 18:11:34 PST 2014
On 11/4/14, Eleanor Saitta <ella at dymaxion.org> wrote:
> On 2014.11.04 20.31, Mike Hearn wrote:
>> I echo the confusion around GChat/FB being marked as audited. I
>> assume this is because the code has been audited by company
>> internal security staff, i.e. the presumed goal of the audit is to
>> find bugs and not subterfuge? It might be good to explain this if
>> so, in a tooltip for example.
> FB regularly brings in external security teams, so, uh, yeah.
Snowden told us a lot of what we'd like to know about those findings, I suppose.
> And if you can find a more competent security team than the team that
> works for Google, by all means, knock that point off, but you'll have
> to clone Halvar first. There's basically no small team that can
> compete with a group like that. Yes, public audits are significantly
> better than private for high-risk tools, but it's about driving
> process, and I don't think there's a huge amount to gain by
> "penalizing" Google there.
Does an internal audit of Google find a fault with US 702 collection
compliance? Does Halvar really get to say that this is a security
issue and thus they'll have to fix their PRISM-enabled systems to make
it less SIGINT friendly? I doubt it very much.
The security people at Google are some of the best in the world. Their
hands are tied and they work for a company that orders them to do
specific tasks. As far as I can see, post-MUSCULAR, they're ensuring
the only backdoors left are the ones they know, enable and sustain
under gag orders from the US Government.
All the best,