by stevewatson301 1289 days ago
I'm not seeing where she's provided answers to the questions that really matter. All she's done is to talk in a patronizing manner to the CA members regarding their inability to understand corporate structures, as well as never answering how or why a MITM company's SDK ended up being embedded in their app.

Further, even in times of stress, lashing out isn't the best decision. If I were interrogated by a cop and I called them a bunch of names, I would attract additional charges, on top of being suspected of committing the crime that I've been accused of.


To be fair they do say (without proof but that can be hard to provide) that the spyware was put there by a contract developer that was not authorized to add 3rd party tools but did anyway. That being said, given how extremely evasive they were and the lack of any tangible proof, I don't think it is unreasonable to doubt this explanation (how come you think a contract dev implementing malware isn't grounds for a lawsuit, shouldn't that be an open and shut case?)
I have to say that even if the “rogue developer” story is accurate, the reaction to it is a little underwhelming. “Sure, our supposed E2EE software did some crazy sketchy shit including proxying trivially-decryptable network packets to god-knows-where through our servers, but, uh, that guy doesn’t work here anymore” is supposed to be satisfying?
She also said they were advised legally against pursuing legal action and damages, though it crossed their minds.
Well, the silver lining is that they now have provable damages from this dev's actions in that it played a role in sinking their business.
The dev will just pull up the Jira ticket that says "Add malware to app" in court. That's why they were advised not to sue.
Hopefully he made a screenshot.

I've been advising people for a long time now to make screenshots of emails etc. - at least have everything in writing, don't act on phone calls if you feel things are "in a grayzone" (happens often in startups).

It's pretty clear that a dev with a second degree in law still wouldn't have been able to determine whether companies that shared most of the same infrastructure and listed corporate officers were 3rd parties in the context of software, without grilling someone who may or may not be a Trustcor executive, may or may not be the past founder and may or may not be dead, where such a death neither implies nor dismisses the possibility that they are still running the company.
Why didn't they have sufficient code review?
I wondered the same about those "audits". When we had to introduce SOX and had compliance audits, every moving of my small finger needed to be reviewed and documented and have a trail to a senior manager approving the move of my small finger.
She didn't lash out, everyone else did? She made it very clear numerous times that she didn't think the forum appropriate for discussion of speculation.
There were a lot of thinly veiled legal threats.
Where are you seeing her "lash" out? I can't see anything I'd describe that way in the (original) thread...
This response by Rachel McPherson from Trustcor definitely comes across as lashing out:

> Apparently it may also come as a surprise to some readers and the researchers themselves that other root program members are in fact international governments, and some are also defense companies, or companies who are wholly-owned by defense companies and/or state-owned enterprises, meaning "businesses" that are completely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have tragic modern histories of basic human rights violations. We are none of those things and our company does not identify with those values. Given this point above, why of all potential targets are these researchers interested in TrustCor? They could go after countries with human rights violations that have placed a CA in the program.

Seriously!?

I'd argue it could be termed "what-aboutism", but I personally fail to see how that matches my definition of "lashing out"...

> Apparently it may also come as a surprise to some readers and the researchers themselves that...

This part in particular is what I would view as "lashing out".

Yeah, security researchers at Google don't know this!
> I'd argue it could be termed "what-aboutism",

I agree that it's "what-aboutism". In that regard, it does nothing to establish that TrustCor meets the standards for being a CA.

It does raise a good question for parallel discussion, though: Should Mozilla also be scrutinizing a whole bunch of other CAs as well?

Not only "SDK ended up being embedded in their app" but why they had an unobfuscated version when everyone else has only an obfuscated version of that SDK.