On Sun, Feb 01, 2015 at 06:57:01PM -0800, Seth wrote:
> * not free software
> - Closed source (although audited by Veracode)

static analysis != audited. however i believe that without any static analysis any product would be even more snakeoil. but you know how static analysis goes, you get a long list of warnings and errors, and then you go suppressing them. ;) would be interesting to see the list of warnings and the mitigations. but then, static analysis has its limits.

> * runs on a smartphone
> - yes

this is where we can stop. ;)

> * there is no threat model
> - (claims to be 'last messaging app standing with no 0days to date', claims
> nation threat attacks were expected from day one, claims zero knowledge
> company infrastructure server configuration)
>
> * uses marketing-terminology like "cyber", "military-grade"
> - displays message 'securing your phone using military grade encryption'
> during app setup
>
> * neglects general sad state of host security
> - unsure

see runs on a phone (i think someone noticed this redundancy in the original 7 rules as well)

> - https://wickr.com/ appears to require javascript to view :/
> - Wickr company infrastructure security audited by iSecPartners

not everything must be bad, statistically speaking some things must be right, at least on a bell curve distribution between epic and fail. :)

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
