Re: [tor-talk] Fwd: Android Crypto Chat Apps - over Tor?

2017-07-13 Thread Christian Pietsch
Hi Roman,
hi Tor fans,

On Thu, Jul 13, 2017 at 11:04:19AM +0500, Roman Mamedov wrote:
> How can anyone trust this table in anything, when they get most basic facts
> such as this wrong?

This is the question. I am just an observer of this scam, but maybe I
can shed some light on it.

A friend of mine who reads the “Cryptography” mailing list forwarded
this e-mail to me on July 3 – as a recommendation I should check out:
http://www.metzdowd.com/pipermail/cryptography/2017-July/032401.html
When she did this, she had not yet read grarpamp's response to it:
http://www.metzdowd.com/pipermail/cryptography/2017-July/032415.html

When I looked at Smoke's Sourceforge site on the same day, the
download area for binaries and source code contained no files at all –
only empty directories. Today I can see links to GitHub repos. The
source code names Alexis Megas as the sole author, e.g. here:
https://github.com/textbrowser/smokestack/blob/master/SmokeStack/app/src/main/java/org/purple/smokestack/Cryptography.java
Alexis Megas also seems to be associated with the suspicious GoldBug
software, as grarpamp found out:
https://lists.cpunks.org/pipermail/cypherpunks/2014-October/005633.html
https://lists.torproject.org/pipermail/tor-talk/2014-September/034897.html

So I do not think it is a coincidence that Smoke and Goldbug score so
many points on Smoke's “scorecard” – the evaluation is rigged in their
favor. Even those claims on that table that can be checked
independently are often false. As Roman mentioned, Telegram's client
is open source, and I can add that Conversations does not cost a dime
if you download the binary via F-Droid.

The reason why I called GoldBug suspicious is that I looked at the
“audit” you can still find on GoldBug's website in English and German

as well as in WikiBooks (which has poor quality control):
https://en.wikibooks.org/wiki/Big_Seven_Crypto_Study
Grarpamp pointed out that the two people named as authors seem to
never have published anything else. I doubt they even exist.
I like this diagram: 
https://en.wikibooks.org/wiki/Big_Seven_Crypto_Study#/media/File:Figure_37_BIG_SEVEN_Open_Source_Crypto-Messenger_Overview.png
This is obviously neither a scientific study nor a security audit nor
a fair comparison, but somehow, not enough people noticed or
complained about it. Too many distractions these days, I guess.

Cheers,
C:

-- 
  Christian Pietsch | volunteering for
  Digitalcourage e.V., Marktstr. 18, D-33602 Bielefeld, Germany
  https://digitalcourage.de | https://bigbrotherawards.de
  How to avoid Google https://pad.okfn.org/p/google_alternatives


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Fwd: Android Crypto Chat Apps - over Tor?

2017-07-13 Thread Roman Mamedov
On Thu, 13 Jul 2017 07:06:03 +0200
"Tom A." wrote:

> Hi Grump,
> thanks for the classification. who is able to evaluate this? rather than
> posting vagueness?
> at which apps can you add/apply customized e2e encryption?
> https://smokeappope.sourceforge.io/#MobileScoreCard


I'm not aware of the context of this thread, but speaking of the table
presented -- why does it claim "No" for "Client Open Source" for Telegram?

  https://f-droid.org/packages/org.telegram.messenger/

How can anyone trust this table in anything, when they get most basic facts
such as this wrong?

-- 
With respect,
Roman