Hacker News new | ask | show | jobs
by shaldengeki 1287 days ago
> Ironically, the drama over this paper is now putting funding for the other audits at risk, however - as who wants to fund a project with a bunch of loud infosec folks declaring it shit?

I'm not familiar with how the funding here works - can you describe the process by which audits would be abandoned as a result of internet commentary? Who is threatening to withhold funding for future audits? From my outsider's perspective, that would seem like _incredibly_ poor decision-making on behalf of the Matrix folks.
1 comments
Arathorn 1286 days ago
The process is:

* Audits cost $$$K

* The Matrix project doesn’t have pots of money sitting around to spend on audits. We get around $8K/month of donations on Patreon, which currently doesn’t even cover the running costs of matrix.org.

* Therefore, to get an audit done, we need to find a someone who is so excited about Matrix that they’ll fund it. For instance, the most recent audit was funded by Gematik, the German healthcare interoperability agency.

* However, the reason that folks like this get excited about Matrix is because they want a secure decentralised open communication platform. If the perception of Matrix shifts that its security is “killed dead” or other such hyperbole due to the infosec community reacting to the overclaims in the paper, then it obviously undermines that interest in Matrix. Who wants to use a protocol whose security is declared dead by cryptographers? And so who would want burn money funding audits?

This may sound dramatic, but unfortunately it’s really how it works. Just as academic papers rely on presenting the most dramatic interpretation to get attention and boost their visibility and help them get funding… similarly, open source projects get disproportionately harmed by dramatic overclaims.

link
tptacek 1286 days ago
It would behoove you to stop saying that the paper "overclaims" things. Maybe you believe I've "overclaimed" things, by saying that the paper killed your protocol as dead as TLS 1.0. I stand by that argument, but the paper's authors made no such claim. It's a dry, detailed, factual paper that just happens to rattle off a bunch of vulnerabilities both in your protocol and in Element's implementation of it.
link
shaldengeki 1286 days ago
Thank you for the clarification! Appreciate the candor here re: Element not being able to afford audits on its own. I get now why you might perceive commentary about security research as an existential threat.

For whatever it's worth, the specific thing you're doing with calling the discussion hyperbole and "overclaims" makes it harder for me to take you seriously.

link
jazzyjackson 1286 days ago
Element is a client, matrix is a protocol

I don't really know where you get off on telling people you don't take them seriously

link
progval 1286 days ago
Can't Element (the company) fund audits?
link
Arathorn 1286 days ago
Element doesn't have the $, thanks to footing the bill for most (90%+) of the core Matrix work on behalf of the rest of the Matrix ecosystem.
link
jacooper 1286 days ago
Element is probably already footing the bill for the main matrix.org server + they really need to improve their clients, and that is from a users perspective more important than a security audit.
link
matrigno 1286 days ago
What is the cost of a comprehensive audit?
link