[liberationtech] Espionage.app's lack of plausible deniability (Was: TrueCrypt Alternatives?)

mutek mutek at riseup.net
Tue Oct 7 01:26:10 PDT 2014


On Tuesday 7 October 2014 03:50:39 CEST, Greg wrote:
> On Oct 6, 2014, at 6:41 PM, Collin Anderson 
> <collin at averysmallbird.com> wrote:
>
>> On Mon, Oct 6, 2014 at 9:35 PM, Greg <greg at kinostudios.com> wrote:
>> Although this isn't a serious bug, it's still a 
>> security-related issue and you don't know how failing to 
>> responsibly disclose it could affect someone.
>> 
>> It seems that you were called out on something fairly basic -- 
>> is this about bug reporting or public embarrassment on a matter 
>> that you would have wished to remain shuffled away in private 
>> correspondences?
>
> Sorry, I don't understand your question, could you rephrase it?
>
> I am embarrassed for Steve Weis. If I were employing him, I'd 
> fire him for claiming to be a security professional while not 
> knowing how to responsibly disclose a bug.
>
> Re "fairly basic": yes, modifying timestamps is fairly basic 
> stuff (and it worked in all our tests just fine). I have no idea 
> why it suddenly broke.
>
> - Greg

IMHO it's fair to give you some time to find the bug, but then it's a must 
to publish the issue to advise your client to check their sensitive 
data.
This is only because you claim that there is no evidence at all to reproduce 
this issue at the moment.
The check made by Steve was so simple that there is no concern about some 
"responsibility" in disclosing the bug, because it's a simple process in the 
public domain.
At the moment "security by obscurity" is no longer an option nor a 
must-have.
regards
mutek


