[messaging] EFF Secure Messaging Scorecard

Jacob Appelbaum jacob at appelbaum.net
Tue Nov 4 18:11:34 PST 2014


On 11/4/14, Eleanor Saitta <ella at dymaxion.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 2014.11.04 20.31, Mike Hearn wrote:
>> Nice!
>>
>> I echo the confusion around GChat/FB being marked as audited. I
>> assume this is because the code has been audited by company
>> internal security staff, i.e. the presumed goal of the audit is to
>> find bugs and not subterfuge? It might be good to explain this if
>> so, in a tooltip for example.
>
> FB regularly brings in external security teams, so, uh, yeah.

Snowden told us a lot of what we'd like to know about those findings, I suppose.

>
> And if you can find a more competent security team than the team that
> works for Google, by all means, knock that point off, but you'll have
> to clone Halvar first.  There's basically no small team that can
> compete with a group like that.  Yes, public audits are significantly
> better than private for high-risk tools, but it's about driving
> process, and I don't think there's a huge amount to gain by
> "penalizing" Google there.

Does an internal audit of Google find a fault with US 702 collection
compliance? Does Halvar really get to say that this is a security
issue and thus they'll have to fix their PRISM-enabled systems to make
it less SIGINT-friendly? I doubt it very much.

The security people at Google are some of the best in the world. Their
hands are tied and they work for a company that orders them to do
specific tasks. As far as I can see - post MUSCULAR: they're ensuring
the only backdoors left are the ones they know, enable and sustain
under gag orders from the US Government.

All the best,
Jacob
