Please excuse my ignorance. I searched on the webs but couldn't find what VCP means in this context. Can someone please decode that for me (and maybe other readers like me)?
The gist is they claim Wickr failed to pay promised rewards offered by its bug bounty program, even though Wickr patched the issues reported by the researcher.
> "Encryption works best if it's ubiquitous and automatic. The two forms of encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your cell phone calls -- work so well because you don't even know they're there.
>
> Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting.
>
> This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive."
It's the least of Telegrams problems but let's not forget their home made crypto even though there are better alternatives. See the take-home message here:
> "We stress that this is a theoretical attack on the definition of security and we do not see any ...
After seeing your comments in this thread and looking at your comment history, I have to ask: What is your affiliation with Signal/Open Whisper Systems, if any?
Just very enthusiastic about Signal then, I guess?
Often when someone is so outspoken about a product it's because they have a vested interest in its success (and they don't always disclose that fact)... that's why I asked. Thanks.
More enthusiastic about privacy and free software. I often see worse apps recommended for privacy reasons, so why not bring up the flaws in those and what's better about this. If something better comes along I'll switch to that and recommend that instead.
Btw, Wire [1] messenger just implemented timed messages which expire, like Wickr offers. Combined with a non-requirement for registration with a phone number and Google Play Services makes it even more ideal.
Signal has that too https://whispersystems.org/blog/disappearing-messages/ And using GCM is only a problem for people running a custom Android ROM without Google Play Services. They can use MicroG instead. For the vast majority of people who do have Google Play on their phone this is completely irrelevant. Using GCM doesn't make Signal less private.
> Google doesn't see any data via gcm, it's just a tickle. If you want push messages, you gotta use a push network.
> I've also seen first hand how difficult 3rd party clients can be on large networks with actual client logic, and unfortunately we simply don't have the resources to deal with that.
> I hope that everyone here who prioritizes federation above all else moves to federated products that support their goals, and I hope that those projects can demonstrate that I'm wrong about the inability to build competitive user experiences over the long term.
> If the only thing that the remaining people here want out of LibreSignal is a websocket-only solution and gmscore isn't an option for whatever reason, I would consider a clean, well written, and well tested PR for websocket-only support in Signal. I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services. However, I also realize that still won't help people that are trying to build a Google-free experience on Google's platform, since we still don't have the things we need to be comfortable distributing software outside of Play.
> The thing is, Wire is developed by a for-profit company that has yet to discover a sustainable business model. They seem to be in a hurry to gain users, boasting about their own app's security and privacy before it has ever been independently audited.
At the end of the day Signal doesn't transfer messages realiably, which is also often repeated problem on the Google Play reviews. So I can't put my confidence in a messenger which can't reliably deliver instant messages. Not to mention using it without submitting to Google (Chrome "app") and which also happens to be OWS customer.
You can see if your message was sent to the server and if the message was sent to your friends phone. I haven't really had any problems delivering messages apart from one time when they had servers problems.
No need to use Chrome if you don't want to, Chromium also works.
19 comments
[ 2.9 ms ] story [ 54.4 ms ] threadhttp://www.gizmodo.com.au/2016/06/why-you-should-stop-using-...
> "Encryption works best if it's ubiquitous and automatic. The two forms of encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your cell phone calls -- work so well because you don't even know they're there. > > Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting. > > This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive."
https://www.schneier.com/blog/archives/2015/06/why_we_encryp...
Pavel himself admits security isn't a priority here https://twitter.com/durov/status/678305311921410048 in response to this:
Thomas H. Ptacek https://twitter.com/Snowden/status/678274362609426432 By default Telegram stores the PLAINTEXT of EVERY MESSAGE every user has ever sent or received on THEIR SERVER.
Edward Snowden https://twitter.com/Snowden/status/678274362609426432 I respect @durov, but Ptacek is right: @telegram's defaults are dangerous. Without a major update, it's unsafe.
https://twitter.com/Snowden/status/678274362609426432 To be clear, what matters is that the plaintext of messages is accessible to the server (or service provider), not whether it's "stored."
Moxie Marlinspike https://twitter.com/moxie/status/678219238394298372 It's just how Telegram works and is self-documented to work: Only their marketing copy suggests otherwise.
https://twitter.com/moxie/status/678277776391077888 If you're on an iPhone, they also send a plaintext copy of every msg you receive to Apple's servers. So not even in transit.
https://twitter.com/moxie/status/678309008789258240 For iOS push notification previews. They didn't do the work to make them privacy preserving.
It's the least of Telegrams problems but let's not forget their home made crypto even though there are better alternatives. See the take-home message here:
> "We stress that this is a theoretical attack on the definition of security and we do not see any ...
Often when someone is so outspoken about a product it's because they have a vested interest in its success (and they don't always disclose that fact)... that's why I asked. Thanks.
[1] https://medium.com/wire-news/safe-and-tidy-with-timed-messag...
> Google doesn't see any data via gcm, it's just a tickle. If you want push messages, you gotta use a push network.
https://twitter.com/whispersystems/status/695399112833761283
Those who want to use Signal without GCM can help out with code https://github.com/LibreSignal/LibreSignal/issues/43 or money to anyone who does the work https://www.bountysource.com/issues/35722527-create-proper-p...
> I've also seen first hand how difficult 3rd party clients can be on large networks with actual client logic, and unfortunately we simply don't have the resources to deal with that.
> I hope that everyone here who prioritizes federation above all else moves to federated products that support their goals, and I hope that those projects can demonstrate that I'm wrong about the inability to build competitive user experiences over the long term.
> If the only thing that the remaining people here want out of LibreSignal is a websocket-only solution and gmscore isn't an option for whatever reason, I would consider a clean, well written, and well tested PR for websocket-only support in Signal. I expect it to have high battery consumption and an unreliable user experience, but would be fine with it if it comes with a warning and only runs in the absence of play services. However, I also realize that still won't help people that are trying to build a Google-free experience on Google's platform, since we still don't have the things we need to be comfortable distributing software outside of Play.
https://github.com/LibreSignal/LibreSignal/issues/37#issueco...
Here's a great comment about Wire https://www.reddit.com/r/privacy/comments/57s7qw/wire_messen...
> The thing is, Wire is developed by a for-profit company that has yet to discover a sustainable business model. They seem to be in a hurry to gain users, boasting about their own app's security and privacy before it has ever been independently audited.
> In December 2014, when they launched Wire, they claimed they could not read their users' messages. They were forced to retract their statement when a journalist asked about it https://motherboard.vice.com/read/wire-built-by-ex-skype-emp... , and didn't add end-to-end encryption until March 2016 http://www.reuters.com/article/us-dataprotection-messaging-w... . Contrary to popular belief, the protoco...
No need to use Chrome if you don't want to, Chromium also works.