[messaging] EFF Secure Messaging Scorecard

Jacob Appelbaum jacob at appelbaum.net
Tue Nov 4 18:11:34 PST 2014

On 11/4/14, Eleanor Saitta <ella at dymaxion.org> wrote:
> On 2014.11.04 20.31, Mike Hearn wrote:
>> Nice!
>> I echo the confusion around GChat/FB being marked as audited. I
>> assume this is because the code has been audited by company
>> internal security staff, i.e. the presumed goal of the audit is to
>> find bugs and not subterfuge? It might be good to explain this if
>> so, in a tooltip for example.
> FB regularly brings in external security teams, so, uh, yeah.

Snowden told us a lot of what we'd like to know about those findings, I suppose.

> And if you can find a more competent security team than the team that
> works for Google, by all means, knock that point off, but you'll have
> to clone Halvar first.  There's basically no small team that can
> compete with a group like that.  Yes, public audits are significantly
> better than private for high-risk tools, but it's about driving
> process, and I don't think there's a huge amount to gain by
> "penalizing" Google there.

Does an internal audit of Google find a fault with US 702 collection
compliance? Does Halvar really get to say that this is a security
issue and thus they'll have to fix their PRISM-enabled systems to make
it less SIGINT-friendly? I doubt it very much.

The security people at Google are some of the best in the world. Their
hands are tied and they work for a company that orders them to do
specific tasks. As far as I can see - post MUSCULAR: they're ensuring
the only backdoors left are the ones they know, enable and sustain
under gag orders from the US Government.

All the best,
