[mwg66]

Thanks for taking the time and the link. But I'm not sure that thread answers any of the above concerns, really.

"We have a shoe-string budget, no equipment beyond our own personal phones and laptops, no office space beyond what we can borrow for free. None of us are paid for our work on Sukey and many of us also have full-time careers."

I wont point out the benefits of actually being "open" in then. Limited resources can traditionally be overcome with collaborative development.

Again, I commend the effort. But I continue to urge nobody to trust a protest tool until these concerns are properly addressed.

These are not difficult questions and the continued absence of answers only confirms my fears for the project.

[Gausie]

"Some minds are like concrete - thoroughly mixed and permanently set" - Benjamin Franklyn or Karl Marx or John Lennon (or insert any other name you like)

We're hoping to get code up onto the git today, maybe tomorrow. The guy who's volunteered to do it spent the evening at a party then the night at the New Cross library occupation. He's just gone to bed.

I'm sure you'll find something to moan about in the code when you see it - i read negativity towards the entire project from your very first paragraph.

When you trawl through the code you'll note that no personal identifiers are stored anywhere. We had to finish the proof of concept in a rush so you'll also see function stubs that do nothing, inconsistencies in APIs, poorly commented code and incredible inefficiencies. These flag some of the areas of future development. But you'll also note that the unfinished or inefficient bits are to do with user functionality. Anything to do with security is not compromised.

But I'm not sure any of this is really relevant. The key question is: how sensitive is the data?

Sure, we don't encrypt the SMS messages we send to old phones - if we did the users couldn't read them so it would be pointless sending them in the first place. But the content of those messages is innocent.

Likewise we don't encrypt tweets (in or out). What would be the point? If you lose the original then I'm sure our friends at Cheltenham will have a backup....

We can do nothing about the telcos using their geolocation features to track the whereabouts of phones. But that's really not a Sukey issue - cos the same issues apply to anyone using a mobile phone for any purpose at any dem. You could of course advocate people leave their own fones at home and buy a disposable and untraceable (yeah, right!) phone just for the dem. Good luck with that one.

You "continue to urge nobody to trust a protest tool until these concerns are properly addressed" - yet I'm still to see a concise description of what these purported concerns are. A cynical man might say: "I would urge nobody to take any notice of a self important pompous windbag who seems to want to obstruct something he clearly doesn't understand".

I've extended an invitation to you privately to come along to a hackathon and to help us. And I extend it again. This genuine and heartfelt invitation remains open - come along, understand what we're doing, add your experience and knowledge to the pot and help to shape the design. Get into a positive frame of mind and be a part of this.

Make something happen.

Gausie

[rst]

It's funny. This is in some ways the best answer I've seen to the security questions to date from anyone connected to the project. In particular, you're absolutely right that "the key question is: how sensitive is the data?" So long as you're only aggregating stuff that was already public anyway (e.g., public tweet streams), you're not adding additional risk in any obvious way.

But on the other hand, to the extent that you're going beyond aggregating and curating public data, you are adding risk. And on both your web site and in other public discussions, you seem to acknowledge that there's something there to talk about (why have a security page otherwise?), but there's been a continual marked reluctance to get into specifics about even the nature of what data you're collecting, let alone how you're managing it.

What's more worrisome, this all comes after the assertion that even though the "user functionality" code is slipshod, you're still confident that "anything to do with security is not compromised." Security doesn't work like that. If you're unfortunate enough to have a buffer overflow on the machine running your stuff, it's compromised. Even if that's only in the "user functionality" code. Even if it isn't your code at all, but some other service that you weren't using, but forgot to turn off or firewall away.

You might also want to try a bit harder to see things from the point of view of your critics. One of the things they're thinking about is the Haystack anti-censorship project, which attracted enormous hype in the technical and mainstream press, but collapsed after a much-delayed security audit found the code badly wanting. I now find a collection of laments about it[1] as the top result in a Google search for "iran social media security fiasco". That's what your critics are worried about. And I'm not sure it's entirely fair on your part to ask for a more specific run-down of technical risks than that when outsiders haven't yet seen, in specific technical detail, a full run-down from your side of what the system is supposed to do in the first place.

[1] The actual page: http://webography.wordpress.com/2010/09/24/recent-resources-...

EDIT [in response to [name redacted]]: I understand that you guys are under time constraints, but you and Gausie did find time to write over 1500 words of comments between you on this HN page alone. If you'd written half that much text describing your security model in a concrete, specific, technical way we'd be having a much more productive conversation.

[TimHardy]

Hi

Thank you, yes we know about haystack and are very aware of the dangers. I also have a heavily annotated copy of The Net Delusion sat on my desk right now. We're not going into this blindly and each of us has a tin foil hat ;)

I do apologise if we're coming over as distracted by this conversation and in a hurry to get back with our work. I fear this risks becoming an "emacs vs vi" thread that ultimately resolves nothing - I've worked close to 100 hours already this week and will be working flat out until well past midnight GMT tonight. To be brutally honest while security is critical participating in this particular conversation cannot be an immediate priority for me and the team even though we do welcome your interest and criticisms.

I asked for patience. I'll repeat that again. We are exhausted and rushed off our feet not least because we have to earn a living when not working on Sukey. Please give us time. By all means if you don't trust us, don't use it and don't sign up now. Wait and see.

We are in a massive crunch to get ready for the TUC demonstration on 26 March. We are supporting the legal, democratic right of peaceful protest within a democratic society. If and when we extend the tool - as we hope to do - so that it could be used in authoritarian regimes then it has to be bullet proof security but right now we want our users to go into it with open eyes - aware of all the criticisms you guys have raised and having read our: http://sukey.org/idiotwarning

I hope that we will have addressed all of your issues and will have got the code up under a licence that makes everybody happy before the 26 March.

I'm really sorry if that answer doesn't satisfy some of you. We are not bad people just very busy and under enormous stress. I apologise if that has made us seem curt or evasive. I do hope that you come to realise that with time.

An email from RMS has to be one of the high points of my life so far: front page, however briefly, on HN comes second :) You are important to us but our priority right now has to be getting the code right and ready and addressing criticisms in the code rather than debating it online.

[TimHardy]

[in response to edited comment above] My point exactly - this thread was a massive distraction from our core tasks which is why I asked for patience.

Doing a "hit and run" response to comments on HN between other tasks takes far, far less time than writing a concrete, specific, water-tight technical document on security. No one on this thread was happy with the one we rushed out before and rightly so. We're not going to repeat that mistake :)

[mwg66]

Nicely said.

Sorry, my own response wouldn't post inline - see http://news.ycombinator.com/item?id=2185676

[mwg66]

Gausie,

Glad to hear you will be getting the code on Github. I look forward to it.

My first paragraph? You mean when I commended the project and it's motivation?

"But I'm not sure any of this is really relevant. The key question is: how sensitive is the data?"

If it identifies my participation in potentially anti-Government protest, then rather. All I have asked for is transparency and disclosure. If security is not so important, why have you gone to the trouble of the pitching for trust so heavily on your website?

"We can do nothing about the telcos using their geolocation features to track the whereabouts of phones."

Of course, you surrendor certain freedoms whenever you carry a mobile phone. But there is an important distinction between triangulating my cell position and this application.

Furthermore, I think my concerns have been concise enough. You have just refused to answer them. If you did that, there would be no more discussion. And that's why the original post has been consistently upvoted on this thread.

"I've extended an invitation to you privately to come along to a hackathon and to help us. And I extend it again."

When did you invite me the first time? No really, I have no idea.

Anyway, I might have taken you up on that offer if you didn't just call me a "self important pompous windbag".

That's a real mature and educated argument, thank you.

Congratulations on doing your project a momentous disservice.