Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Secure Email



> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Greg Rundlett (freephile)
> 
> I like their "No Bullshit"
> stance https://kolabnow.com/feature/sustainable

Oh, um - I just read that. The "No Bullshit" policy is a nice catch phrase, but ...  My commentary below:


> In times of insecurity, snake oil merchants travel the intertubes. Whether they
> promise "end to end encryption" 

Agreed, 100%.


> (but control the software that controls your
> key), 

Hold on there. Cuz that's what we do, I know something about it. Yeah, I write software that controls your key, but so what? It's open source, it's peer reviewed, and it's solid. THAT is not a flaw. Even for the closed source code, and binaries that we distribute, the government cannot compel us to write malicious or backdoored binaries. Nor would they need to - 

If you want to know the REAL security flaw, it's the binary distribution channels. For example, you build some software, you digitally sign it, you stick it on your website or something. Then when users download it, they have a secure https connection, and digitally signed software ... But wait! Did anyone scrutinize the phrase "secure https connection?" Because the reality is, WE ALL KNOW, there are hundreds of certificate authorities out there, with at least hundreds of individual humans scattered about the world who have access to the root CA private keys. And every government has control of at least one of them. So the base assumption needs to be, a government agency could establish a MITM attack to substitute malicious binaries, while maintaining solid green checkmarks and passing all the x509 validity checks. The device they tried to make Ladar install at Lavabit was exactly this - a MITM device that could MITM encrypt/decrypt all the SMTP/TLS traffic.

For a company that's supposed to be all about security, I'd like to see Kolab acting a little more knowledgeable, relying less on marketing fluff and FUD.


> claim to be "NSA proof" (but accept US venture capital) or make other
> outlandish promises: If something sounds too good to be true, it most likely is.

*sigh*  Speaking of snake oil. This is coming from the company that just says "Hey, We're Swiss. That means we're secure." How about putting some technical details where your loud mouth is? Stop waving flashy objects in front of users' eyes, as if there's anything about US venture capital that prevents you from building good cryptographic principles into your product.

I know we have taken US investment capital, and I certainly know I don't have anyone telling me how to design our product.

I call "Bullshit" on the "No Bullshit" policy.


> Kolab Now has built up the entire chain, from choosing a Swiss data centre
> without foreign capital, ensuring physical control of the hardware, which it
> owns, to building up a software stack without proprietary components. Using
> advanced network defence techniques in combination with Kolab Enterprise, a
> solution that we have developed ourselves, Kolab Now provides the best security
> possible with feature rich collaboration on any platform. And we're working hard
> to increase what is possible both in terms of security and features.

Marketing buzzwords and fluff.  I call "Bullshit" on the "No Bullshit" policy.
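The distribution-channel point raised above, as an added example that is not part of this thread or of any product mentioned in it: the client verifies the download against a publisher key pinned in the client itself, so a substituted binary is refused no matter how the TLS certificate checks came out. The key pair, artifact bytes and function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignRelease is the publisher side: sign the SHA-256 digest of the
// release artifact with the publisher's offline signing key.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyDownload is the client side. The pinned public key is compiled
// into the verifier (or obtained once, out of band), so it never travels
// over the same channel as the download. Whether the bytes arrived over
// https is irrelevant: only a signature by the pinned key is accepted.
func VerifyDownload(pinned ed25519.PublicKey, artifact, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("no pinned publisher key: refusing to install")
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return errors.New("signature does not verify under pinned key: refusing to install")
	}
	return nil
}

// Scenario walks the genuine download and the two substitutions a channel
// attacker can attempt. Keys and artifact bytes are constructed here.
func Scenario() (genuineOK, tamperedRejected, resignedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key pair (constructed)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the publisher never pinned
	release := []byte("installer-v1.0 (constructed artifact bytes)")
	sig := SignRelease(priv, release)
	genuineOK = VerifyDownload(pub, release, sig) == nil
	// Binary swapped in transit, publisher's signature replayed: digest no longer matches.
	swapped := []byte("installer-v1.0 (constructed, with extra payload)")
	tamperedRejected = VerifyDownload(pub, swapped, sig) != nil
	// Binary swapped and signed with a non-pinned key: valid signature, wrong key.
	resignedRejected = VerifyDownload(pub, swapped, SignRelease(otherPriv, swapped)) != nil
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Printf("genuine accepted=%v tampered rejected=%v re-signed rejected=%v\n", g, t, r)
}
```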



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org