1. not free software
2. runs in a browser
3. runs on a smartphone
4. the user doesn't generate, or exclusively own, the private encryption keys
5. there is no threat model
6. uses marketing terminology like "cyber", "military-grade"
7. neglects the general sad state of host security

http://permalink.gmane.org/gmane.comp.security.cypherpunks/5131

Edit: ryseik proposes to add "does not have decent documentation of protocols/mode of operation available". See https://cpunks.org//pipermail/cypherpunks/2015-February/006691.html
I would maybe add lack of Linux support. Many of the crappier VPNs and other "privacy"-type services don't support it, and it's a sign that it's intended for the sheepish, unaware masses.
Can't say I agree on #1 "not free software", but I get where they are coming from. For #6 though I couldn't agree more; that goes for security software as well as the 'privacy' types! Either way, thanks for sharing! Wish this forum had reputation options; I'd +1 u 4 sure!
I think "Snake Oil" is a little harsh for several of the items on the list. Truecrypt was Snake Oil? AxCrypt is Snake Oil? In fact, it's just not an appropriate use of the term. So, when we connect to the brokers on the NYSE, or banks, etc. It's Snake Oil? SSL is Snake Oil? Again, an inappropriate, incorrect use of the term. So, Blackphone is Snake Oil? Silent Circle is Snake Oil? Again, an inappropriate, incorrect use of the term. I'll stop there. But the list is silly. "Snake Oil" is not the right terminology. You can think one product is not as strong as it should be, or could be, without it being "Snake Oil." That list was just silly, elementary, and almost offensive if it was meant to be taken seriously. First and foremost for the simple reason that the poster doesn't even understand what Snake Oil really is.
Even snake oil had omega fatty acids. Though "snake oil" as a term for most things is misleading, as it usually implies quackery or swindlers offering a product/service that was never meant to live up to its hype (which we've had forever in the world of computers as a whole). There's also budding or less-than-perfect start-up software/services that do want to bank on the need people have for its existence, just the same as stuff existing to bank on the same need and then swindling people out of their money. Related to that is what Snowden and Schneier had briefly touched on: the return of the dark ages of cryptography software, or even software and services as a whole, because of mistrust of the current market. I like the first rule, "not free software". Of course there are a lot of services that use open source software as a service, which can be solid or misleading depending on the people running it, but generally I agree that with security there is a lot of great free, open stuff out there. The best way to guard against things that are misleading is through public discussions, such as forums, and especially this forum. Reviews and audits. Without the public voice and as many opinions as possible, any system will end up unchecked and corrupted. *cough* MSI mainboards *cough* (I like MSI stuff, don't get me wrong)
@LockBox Well, I have no clue who Stef is, or what he might or might not know about "Snake Oil". Why do you say that he doesn't understand? Or do you say that I don't understand? For what it's worth, ryseik also argues against the rigorous application of Stef's rules, specifically regarding Tox.im, on the cypherpunks list. He notes that, while Tox.im may not be perfect, people depending on Skype are getting killed in Syria. Maybe it's asking too much for developers to summarize their threat models, and to point out the threats that they don't protect against. And maybe it's unfair to label anything without such disclosure as "Snake Oil". But it's an arguable perspective, no? I suspect that #7 is the hardest one. Once your device has been pwned, neither GnuPG nor SSH nor TrueCrypt will necessarily protect you. Unless you've compartmentalized enough, anyway. Maybe there ought to be more prominent warnings. Blackphone and Silent Circle are tarred by #3, for sure. Now of course, at issue are the insecure radio and closed-source firmware, and maybe it's unfair to put that on the developers. But again, maybe there ought to be more prominent warnings.
Why do you think that Skype is endangering Syrians? While it is certainly vulnerable to lawful and maybe not-so-lawful intercept by authorities in the US and probably a few other countries, non-Western governments can't subpoena Microsoft for its logs. As far as I know, Skype is fairly decent when it comes to encrypting their calls to prevent snooping from anybody other than the US government and its allies (so long as the computer is not compromised, of course).
IMO, #7 makes no sense... A tool that has a flawless implementation of crypto doesn't need to come bundled with an AV/HIPS/firewall/etc. in order not to be snake oil (I'm exaggerating a bit, but you get the idea). Also, why would it be snake oil if it runs in a browser or on a smartphone?
The argument, I think, is that it's "snake oil" if it doesn't prominently warn users that it's hosed if their devices are pwned. Again, there should arguably be prominent warnings. I get that it's an extreme position.
@mirimir I'm sorry, I was going to reply hours ago when the site went down for maintenance. No...not at all! I was talking about the list you linked to. Sorry I didn't make that clear when I wrote that originally.
Hey, it's all good. I was mostly kidding about that, but maybe I was feeling a little defensive. Generally, though, I welcome rigorous debate and frank criticism.
Here's another informative post from stef: https://cpunks.org//pipermail/cypherpunks/2015-February/006719.html