by themoonisachees 1293 days ago
To be fair, they do say (without proof, but that can be hard to provide) that the spyware was put there by a contract developer who was not authorized to add third-party tools but did anyway. That being said, given how extremely evasive they were and the lack of any tangible proof, I don't think it is unreasonable to doubt this explanation (how come you think a contract dev implementing malware isn't grounds for a lawsuit? Shouldn't that be an open and shut case?)

I have to say that even if the “rogue developer” story is accurate, the reaction to it is a little underwhelming. “Sure, our supposed E2EE software did some crazy sketchy shit including proxying trivially-decryptable network packets to god-knows-where through our servers, but, uh, that guy doesn’t work here anymore” is supposed to be satisfying?
She also said they were advised legally against pursuing legal action and damages, though it crossed their minds.
Well, the silver lining is that they now have provable damages from this dev's actions, in that it played a role in sinking their business.
The dev will just pull up the Jira ticket that says "Add malware to app" in court. That's why they were advised not to sue.
Hopefully he made a screenshot.

I've been advising people for a long time now to make screenshots of emails etc. - at least have everything in writing, and don't act on phone calls if you feel things are "in a gray zone" (happens often in startups).

It's pretty clear that a dev with a second degree in law still wouldn't have been able to determine whether companies that shared most of the same infrastructure and listed corporate officers were third parties in the context of software, without grilling someone who may or may not be a Trustcor executive, may or may not be the past founder, and may or may not be dead, where such a death neither implies nor dismisses the possibility that they are still running the company.
Why didn't they have sufficient code review?
I wondered the same about those "audits". When we had to introduce SOX and had compliance audits, every moving of my small finger needed to be reviewed and documented and have a trail to a senior manager approving the move of my small finger.