top | item 33814409


stevewatson301 | 3 years ago

I'm not seeing where she's provided answers to the questions that really matter. All she's done is to talk in a patronizing manner to the CA members regarding their inability to understand corporate structures, as well as never answering how or why a MITM companies' SDK ended up being embedded in their app.

Further, even in times of stress, lashing out isn't the best decision. If I were interrogated by a cop and I called them a bunch of names, I would attract additional charges, on top of being suspected of committing the crime that I've been accused of.


themoonisachees | 3 years ago

To be fair they do say (without proof but that can be hard to provide) that the spyware was put there by a contract developer that was not authorized to add 3rd party tools but did anyway. That being said, given how extremely evasive they were and the lack of any tangible proof, I don't think it is unreasonable to doubt this explanation (how come you think a contract dev implementing malware isn't grounds for a lawsuit, shouldn't that be an open and shut case?)

hamburglar | 3 years ago

I have to say that even if the “rogue developer” story is accurate, the reaction to it is a little underwhelming. “Sure, our supposed E2EE software did some crazy sketchy shit including proxying trivially-decryptable network packets to god-knows-where through our servers, but, uh, that guy doesn’t work here anymore” is supposed to be satisfying?

dcow | 3 years ago

She also said they were advised legally against pursuing legal action and damages, though it crossed their minds.

wbl | 3 years ago

Why didn't they have sufficient code review?

dcow | 3 years ago

She didn't lash out, everyone else did? She made it very clear numerous times that she didn't think the forum appropriate for discussion of speculation.

KptMarchewa | 3 years ago

There were a lot of thinly veiled legal threats.

berkut | 3 years ago

Where are you seeing her "lash" out? I can't see anything I'd describe that way in the (original) thread...

stevewatson301 | 3 years ago

This response by Rachel McPherson from TrustCor definitely comes across as lashing out:

> Apparently it may also come as a surprise to some readers and the researchers themselves that other root program members are in fact international governments, and some are also defense companies, or companies who are wholly-owned by defense companies and/or state-owned enterprises, meaning "businesses" that are completely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have tragic modern histories of basic human rights violations. We are none of those things and our company does not identify with those values. Given this point above, why of all potential targets are these researchers interested in TrustCor? They could go after countries with human rights violations that have placed a CA in the program.

KingOfCoders | 3 years ago

Not only "SDK ended up being embedded in their app" but why they had an unobfuscated version when everyone else has only an obfuscated version of that SDK.