On 11/4/14, Eleanor Saitta <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 2014.11.04 20.31, Mike Hearn wrote:
>> Nice!
>>
>> I echo the confusion around GChat/FB being marked as audited. I
>> assume this is because the code has been audited by company
>> internal security staff, i.e. the presumed goal of the audit is to
>> find bugs and not subterfuge? It might be good to explain this if
>> so, in a tooltip for example.
>
> FB regularly brings in external security teams, so, uh, yeah.

Snowden told us a lot of what we'd like to know about those findings, I suppose.

> And if you can find a more competent security team than the team that
> works for Google, by all means, knock that point off, but you'll have
> to clone Halvar first. There's basically no small team that can
> compete with a group like that. Yes, public audits are significantly
> better than private for high-risk tools, but it's about driving
> process, and I don't think there's a huge amount to gain by
> "penalizing" Google there.

Does an internal audit of Google find a fault with US 702 collection compliance? Does Halvar really get to say that this is a security issue and thus they'll have to fix their PRISM-enabled systems to make it less SIGINT-friendly? I doubt it very much.

The security people at Google are some of the best in the world. Their hands are tied and they work for a company that orders them to do specific tasks. As far as I can see - post MUSCULAR: they're ensuring the only backdoors left are the ones they know, enable and sustain under gag orders from the US Government.

All the best,
Jacob

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
