[liberationtech] Wicker: Déjà vu all over again

Jillian C. York jilliancyork at
Tue Jun 10 13:37:50 PDT 2014

I have to say: I'm not as uncomfortable with this article as I thought I'd
be.  I'm definitely uncomfortable with some of Wickr's promotional text
("military-grade encryption," "leave no trace") but I felt that this
particular article addressed the NSA concerns and was fairly realistic
about what Wickr can and cannot do.

I've been playing around with Wickr and for normal concerns (like, a parent
looking at a kid's phone, or even me losing my phone), it's great!  I see
it more of a Snapchat competitor than a TextSecure competitor, but I really
think it will do well with a certain crowd.

Still, I'd much prefer it to be open-source.

On Tue, Jun 10, 2014 at 3:13 PM, Yosem Companys <companys at>

> From: Brian Behlendorf <brian at>
> You don't have to; "trust, but verify".  Or trust those who *can* verify.
> Microsoft, Google and Apple are at the top of the "most trusted brands"
> lists and have been for years, so even in the light of the Snowden
> revelations, most have tended to give them the benefit of the doubt and
> keep using their proprietary software and services.  But those who don't,
> and instead use self-hosted open source tools, are making a different trust
> choice - they prefer to trust Linus Torvalds, the Linux community, Firefox
> developers, Pidgin developers, Apache developers, and the broader developer
> community, on a gut-level calculus that those parties are less likely to
> intentionally corrupt their software, and are more likely to find
> each-other's (intentional or accidental) corruptions.  That calculus
> integrates across all software, teams, and time, so even disasters like
> Heartbleed aren't enough to change the result for most of us.  Speaking
> personally, it only reinforced it, by watching not only how quickly the
> disparate communities reacted and pushed solutions out, but how much it's
> caused further inspection of OpenSSL and other underlying packages.
>
> This calculus does have some bigger blindspots, though - I was never
> comfortable with promoting TrueCrypt, a package written by intentionally
> anonymous authors without any of the trappings of an open source project -
> open revision control, open bug tracker, open discussion boards for
> development.  I like being able to attach names to code - software is made
> of people, not unlike Soylent Green.  Even though it's not really truly
> Open Source licensed, I trust qmail, djbdns, and other packages written by
> Dan J. Bernstein because he's a no-bullshit mathematician, scientist,
> coder, and fighter for liberty (see Bernstein v. United States).
>
> With proprietary solutions, including Wickr, the "verify" window is much
> more narrow.  You can inspect what it sends over the wire or stores on
> disk, but even that's pretty opaque.  Without that "verify" loop, you can
> trust those who they've hired to do security audits.  You can also figure
> out whether you trust Nico herself.  There are those of us on the advisory
> board for Wickr (full disclosure) who are working with them to figure out
> some way to broaden that trust+verify window.  We'll see what happens.
> Brian

"We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality" - *Vaclav Havel*