• PierceTheBubble@lemmy.ml · 5 upvotes · 1 day ago

    proprietary encryption algorithms verified by thought-leading cybersecurity experts and communities worldwide

    Trust the experts bro

    • vacuumflower@lemmy.sdf.org · 2 upvotes · 16 hours ago

      Well, if we relax and look at this from a different angle, for much of humanity’s history advantageous knowledge was hidden or limited from competition, and in many things it still is.

      Except advantageous knowledge of chemistry for early cannons, for example, could be confirmed. Better gunpowder.

      This - can’t.

      • PierceTheBubble@lemmy.ml · 1 upvote · 8 hours ago

        Still, if the service is supposed to be security- and privacy-oriented, how about you make the source code available, so users can verify this for themselves?

        • vacuumflower@lemmy.sdf.org · 1 upvote · 6 hours ago

          Well, again, taking an unpopular but valid point of view - how good is it really to have the source code for finding vulnerabilities? Is it really harder to hide an intentional backdoor in the source code in plain sight than it is in something that’s only distributed in binaries? I have no relevant experience, but I’ve listened to a lecture by someone from Kaspersky Lab saying that.

          Having commonly available source code is good for development and for learning the functionality of something, but security flaws have that subgroup of backdoors.

          • PierceTheBubble@lemmy.ml · 1 upvote · 5 hours ago

            If open-source, a lot more eyes could be on it, and therefore the chances of intentionally implemented vulnerabilities, by Threema itself, would have a higher chance of being noticed before they could be exploited, by both hackers and Threema (partners).

            • vacuumflower@lemmy.sdf.org · 1 upvote · 1 downvote · 2 hours ago

              If open-source, a lot more eyes could be on it

              On the source code. Absolutely the same amount of eyes on the binary.

              Anyway, there’s a joke (by Linus Torvalds, I think, but maybe I am wrong) that most of the eyes that could look at the code are attached to hands typing the thing about “more eyes”.

              and therefore the chances of intentionally implemented vulnerabilities

              Source code being available is obviously beneficial for learning how a program works as a whole, or for participating in its development, but for finding hidden things I’m not sure.

              • PierceTheBubble@lemmy.ml · 1 upvote · 1 hour ago

                Ah sorry, it seems I read over that part. Unless programmers have the exceptional skills and time required to effectively reverse-engineer these complex algorithms, nobody will bother to do so, especially when it is required after each update. On the contrary, if the source code were available, the bar of entry would be significantly lower and would require far less specialized skills. So, safe to say, most programmers won’t even bother inspecting a binary unless there’s absolutely no other way around it or they have time to burn. Whereas, if you’d open up the source, there would be a lot more, let’s say, C programmers able to inspect the algorithm. Really, have a look at what it requires to write binary code, let alone to reverse-engineer complicated code that somebody else wrote.

                I agree with Linus’ statement though: I rarely inspect source code myself, but I find it more comforting knowing that package maintainers, for instance, could theoretically check the source before distribution. I stand by my opinion that it’s a bad look for a privacy- and security-oriented piece of software to restrict non-“experts” from inspecting that which should ensure it.

    • MagicShel@lemmy.zip · 5 upvotes · 1 day ago

      Looks like a planned exit. The private investors behind Threema (Afinum) say they have a 5-7 year investment window after which they sell to lock in profits on their investment. This acquisition would be consistent with that time frame.

      Grain of salt: I’ve never heard of any of these companies and just did some quick research because I was curious.