purp | 10 years ago

A sweet hack, and full marks for humor in the FAQ.[1]

  Q: Is it secure? 
  A: Security is not binary.

  Q: OK, how secure is it? 
  A: It seems like you just asked that question.

  Q: No, the first question was if it's secure, 
     the second question was how secure is it. 
  A: Well now that wasn't even a question at all. 
     Tell you what, if you find an unreported security 
     vulnerability I'll buy you a beer.
[1] http://trustiosity.com/snow/faq.html

fallat|10 years ago

Personally I find this really unsettling for non-technical users. Almost asshole-ish. It's funny to us...but seriously providing a real answer after all that would even be sufficient. Not just answering with a "yes", but with a little blurb on how it is secure.

RyanZAG|10 years ago

Oh, so when someone doesn't lie to you it's unsettling?

The only way to know if something is secure is when it's adopted en masse and you see if it really was secure or not. You could read the WinXP pamphlet on security back when it was released and it had endless bullet points about how secure it was. It was probably the least secure software in the history of computing based on actual attacks after the fact.

Security isn't something you provide an answer to unless you're selling snake oil. Luckily, it seems most people prefer buying snake oil and are happy to eat up a vendor telling them how secure an utterly untested product is.

Security theory is not something you can understand as a non-technical user anyway.

Swannie|10 years ago

Q: Is it secure? A: No.

Q: What do you mean "No"? A: We believe we have done a good job in securing it.

Q: So did you do a good job? A: We hope so!

Q: You "hope so", what sort of answer is that? A: Trust us. It's secure. We are not hackers. We don't want to steal your data. We did not put in any back doors. We audited the code ourselves. There are not any kernel level hacks, root kits, or otherwise. This has been tested against a variety of anti-virus scanners and none of them flagged anything. We're very good. Please please trust us?

BuildTheRobots|10 years ago

> Personally I find this really unsettling for non-technical users.

There is of course the counter argument, that if you're non-technical, you probably shouldn't be trying to implement a cryptographic layer-3 network for any reason other than "the lols".

tomtomtom777|10 years ago

I am not sure how many non-technical users will have an urge to install something like Snow.

boomshucka|10 years ago

Really, any user that doesn't "get" these answers shouldn't be anywhere near this.

chrisdevereux|10 years ago

Given that this is an unproven experiment that could potentially be misinterpreted as something more, that could be a feature, not a bug.

homulilly|10 years ago

I don't think non-technical users will be using a project like this anyway.

kragen|10 years ago

I’m not part of the Snow project, but I have the impression it’s still pretty experimental. If so, it’s probably better for non-technical users to remain unsettled about it for a while yet.

perfTerm|10 years ago

How many nontechnical users use GitHub? Although there are plenty of developers with a minimal understanding of security as well.

0xdeadbeefbabe|10 years ago

That "is it secure" question is a lie in question form.

chm|10 years ago

I doubt his software is intended for non-technical use.

noja|10 years ago

Non-technical users are not reading github pages.

E1OX8|10 years ago

It's funny and I get what he/she is trying to say, but it's not that clever because there's no definition of what a security vulnerability is.

Pond is a great example of doing this well: https://pond.imperialviolet.org/threat.html

"if an entity can do something that is not listed here then that should count as a break of Pond"

cbd1984|10 years ago

    Q: What attacks is it secure against?
    A: ...

    Q: How do you know it's secure against anything at all?
    A: ...

ytdht|10 years ago

So it is as secure as every other piece of software out there.