So to recap:
It hasn't been a few hours since Silent Circle released *some* of their
source code, and we already know that:


   1. Silent Circle isn't built to be a secure communications platform,
   but is simply a rebranding of TiviPhone, a Latvian-made VoIP software, with
   added encryption libraries,
   2. The encryption libraries are themselves not developed by Silent
   Circle, but are third party libraries,
   3. The third party libraries are in some cases outdated, even in the face
   of security advisories,
   4. There's a good possibility of a buffer overflow being there
   somewhere, with over 40 uses of snprintf().

I know what I'm doing this weekend! :D


NK


On Wed, Feb 13, 2013 at 11:33 PM, Nathan of Guardian <
nat...@guardianproject.info> wrote:

> Fabio Pietrosanti (naif):
> > Here some notes i collected with a quick review of the source code:
>
> I can see the headlines now...
>
> "Cryptography super-group more like a cover band"
> "Cryptography Boy Band covers Latvian super-group"
> "Cryptography super-group? More like Milli Vanilli!"
>
> or perhaps simply:
> "SilentCircle's premiere product was outsourced, and based on
> out-of-date security libraries with known bugs"
>
> Finally, just to be clear, I have nothing against re-using code,
> especially open-source projects that are complementary. This is exactly
> what we have done for our work on OSTN/OStel.
>
> I do have a problem with people representing software they license from
> someone else as their own brilliant, weaved-by-the-gods invention.
>
> +n
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>