Stef's seven rules of thumb to detect snakeoil

Discussion in 'privacy technology' started by mirimir, Feb 3, 2015.

  1. mirimir
    1. not free software
    2. runs in a browser
    3. runs on a smartphone
    4. the user doesn't generate, or exclusively own the private encryption keys
    5. there is no threat model
    6. uses marketing-terminology like "cyber", "military-grade"
    7. neglects general sad state of host security
    http://permalink.gmane.org/gmane.comp.security.cypherpunks/5131

    Edit: ryseik proposes to add "does not have decent documentation of protocols/mode of operation available". See https://cpunks.org//pipermail/cypherpunks/2015-February/006691.html
     
    Last edited: Feb 4, 2015
  2. krustytheclown2
    I would maybe add lack of Linux support. Many of the crappier VPNs and other "privacy"-type services don't support it, and it's a sign that it's intended for the sheepish, unaware masses.
     
  3. syrinx
    Can't say I agree on #1 "not free software" but I get where they are coming from.
    For #6 though I couldn't agree more, that goes for security software as well as the 'privacy' types!

    Either way, thanks for sharing! Wish this forum had reputation options I'd +1 u 4 sure!
     
    Last edited: Feb 3, 2015
  4. LockBox
    I think "Snake Oil" is a little harsh for several of the items on the list.

    Truecrypt was Snake Oil?
    AxCrypt is Snake Oil?
    In fact, it's just not an appropriate use of the term.

    So, when we connect to the brokers on the NYSE, or banks, etc. It's Snake Oil?
    SSL is Snake Oil?
    Again, an inappropriate, incorrect use of the term.

    So, Blackphone is Snake Oil?
    Silent Circle is Snake Oil?
    Again, an inappropriate, incorrect use of the term.

    I'll stop there. But the list is silly. "Snake Oil" is not the right terminology. You can think one product is not as strong as it should be, or could be, without it being "Snake Oil."

    That list was just silly, elementary, and almost offensive if it was meant to be taken seriously. First and foremost for the simple reason that the poster doesn't even understand what Snake Oil really is.
     
  5. Veeshush
    Even snake oil had omega fatty acids. Though "snake oil" as a term for most things is misleading, as it usually implies quackery or swindlers offering a product/service that was never meant to live up to its hype (which we've had forever in the world of computers as a whole). There's also budding or less-than-perfect start-up software/services that do want to bank on the need people have for its existence, just the same as stuff existing to bank on the same need and then swindling people out of their money. Related to that is what Snowden and Schneier briefly touched on: the return of the dark ages of cryptography software, or even software and services as a whole, because of mistrust of the current market.

    I like the first rule of that, "not free software". Of course there are a lot of services that use open source software as a service, which can be solid or misleading depending on the people running it, but generally I agree that with security there is a lot of great free, open stuff out there.

    The best way to guard against things that are misleading is through public discussions, such as forums, and especially this forum. Reviews and audits. Without the public voice and as many opinions as possible, any system will end up unchecked and corrupted.


    *cough* MSI mainboards *cough* (I like MSI stuff, don't get me wrong)
     
    Last edited: Feb 3, 2015
  6. mirimir
    @LockBox

    Well, I have no clue who Stef is, or what he might or might not know about "Snake Oil". Why do you say that he doesn't understand? Or do you say that I don't understand?

    For what it's worth, ryseik also argues against the rigorous application of Stef's rules, specifically regarding Tox.im, on the cypherpunks list. He notes that, while Tox.im may not be perfect, people depending on Skype are getting killed in Syria.

    Maybe it's asking too much for developers to summarize their threat models, and to point out the threats that they don't protect against. And maybe it's unfair to label anything without such disclosure as "Snake Oil". But it's an arguable perspective, no?

    I suspect that #7 is the hardest one. Once your device has been pwned, neither GnuPG nor SSH nor TrueCrypt will necessarily protect you. Unless you've compartmentalized enough, anyway. Maybe there ought to be more prominent warnings.

    Blackphone and Silent Circle are tarred by #3, for sure. Now of course, at issue are the insecure radio and closed-source firmware, and maybe it's unfair to put that on the developers. But again, maybe there ought to be more prominent warnings.
     
  7. krustytheclown2
    Why do you think that Skype is endangering Syrians? While it is certainly vulnerable to lawful and maybe not-so-lawful intercept by authorities in the US and probably a few other countries, non-Western governments can't subpoena Microsoft for its logs. As far as I know, Skype is fairly decent when it comes to encrypting their calls to prevent snooping from anybody other than the US government and its allies (so long as the computer is not compromised, of course).
     
  8. mirimir
    On the cypherpunks list, rysiek pointed to this: https://about.okhin.fr/posts/Stupid_journos/
     
  9. Nebulus
    IMO, 7 makes no sense... A tool that has a flawless implementation of crypto doesn't need to come bundled with an AV/HIPS/Firewall/etc. in order not to be snake oil (I'm exaggerating a bit, but you get the idea). Also, why would it be snake oil if it runs in a browser or on a smartphone? o_O
     
  10. mirimir
    The argument, I think, is that it's "snake oil" if it doesn't prominently warn users that it's hosed if their devices are pwned.
    Again, there should arguably be prominent warnings.

    I get that it's an extreme position ;)
     
  11. LockBox
    @mirimir

    I'm sorry, I was going to reply hours ago when the site went down for maintenance.

    No...not at all! I was talking about the list you linked to. Sorry I didn't make that clear when I wrote that originally.
     
  12. mirimir
    Hey, it's all good :) I was mostly kidding about that, but maybe I was feeling a little defensive :oops: Generally, though, I welcome rigorous debate and frank criticism :)
     