[tor-talk] Fwd: Android Crypto Chat Apps - over Tor?

Christian Pietsch christian.pietsch at digitalcourage.de
Thu Jul 13 07:18:10 UTC 2017


Hi Roman,
hi Tor fans,

On Thu, Jul 13, 2017 at 11:04:19AM +0500, Roman Mamedov wrote:
> How can anyone trust this table in anything, when they get most basic facts
> such as this wrong?

This is the question. I am just an observer of this scam, but maybe I
can shed some light on it.

A friend of mine who reads the “Cryptography” mailing list forwarded
this e-mail to me on July 3 – as a recommendation I should check out:
http://www.metzdowd.com/pipermail/cryptography/2017-July/032401.html
When she did this, she had not yet read grarpamp's response to it:
http://www.metzdowd.com/pipermail/cryptography/2017-July/032415.html

When I looked at Smoke's Sourceforge site on the same day, the
download area for binaries and source code contained no files at all –
only empty directories. Today I can see links to GitHub repos. The
source code names Alexis Megas as the sole author, e.g. here:
https://github.com/textbrowser/smokestack/blob/master/SmokeStack/app/src/main/java/org/purple/smokestack/Cryptography.java
Alexis Megas also seems to be associated with the suspicious GoldBug
software, as grarpamp found out:
https://lists.cpunks.org/pipermail/cypherpunks/2014-October/005633.html
https://lists.torproject.org/pipermail/tor-talk/2014-September/034897.html

So I do not think it is a coincidence that Smoke and GoldBug score so
many points on Smoke's “scorecard” – the evaluation is rigged in their
favor. Even those claims on that table that can be checked
independently are often false. As Roman mentioned, Telegram's client
is open source, and I can add that Conversations does not cost a dime
if you download the binary via F-Droid.

The reason why I called GoldBug suspicious is that I looked at the
“audit” you can still find on GoldBug's website in English and German
<https://sf.net/projects/goldbug/files/bigseven-crypto-audit.pdf>
as well as in WikiBooks (which has poor quality control):
https://en.wikibooks.org/wiki/Big_Seven_Crypto_Study
Grarpamp pointed out that the two people named as authors seem to
never have published anything else. I doubt they even exist.
I like this diagram: https://en.wikibooks.org/wiki/Big_Seven_Crypto_Study#/media/File:Figure_37_BIG_SEVEN_Open_Source_Crypto-Messenger_Overview.png
This is obviously neither a scientific study nor a security audit nor
a fair comparison, but somehow, not enough people noticed or
complained about it. Too many distractions these days, I guess.

Cheers,
C:

-- 
  Christian Pietsch | volunteering for
  Digitalcourage e.V., Marktstr. 18, D-33602 Bielefeld, Germany
  https://digitalcourage.de | https://bigbrotherawards.de
  How to avoid Google https://pad.okfn.org/p/google_alternatives