Hacker News new | ask | show | jobs
by Arathorn 1281 days ago
The process is:

* Audits cost $$$K

* The Matrix project doesn’t have pots of money sitting around to spend on audits. We get around $8K/month of donations on Patreon, which currently doesn’t even cover the running costs of matrix.org.

* Therefore, to get an audit done, we need to find a someone who is so excited about Matrix that they’ll fund it. For instance, the most recent audit was funded by Gematik, the German healthcare interoperability agency.

* However, the reason that folks like this get excited about Matrix is because they want a secure decentralised open communication platform. If the perception of Matrix shifts that its security is “killed dead” or other such hyperbole due to the infosec community reacting to the overclaims in the paper, then it obviously undermines that interest in Matrix. Who wants to use a protocol whose security is declared dead by cryptographers? And so who would want burn money funding audits?

This may sound dramatic, but unfortunately it’s really how it works. Just as academic papers rely on presenting the most dramatic interpretation to get attention and boost their visibility and help them get funding… similarly, open source projects get disproportionately harmed by dramatic overclaims.
4 comments
tptacek 1280 days ago
It would behoove you to stop saying that the paper "overclaims" things. Maybe you believe I've "overclaimed" things, by saying that the paper killed your protocol as dead as TLS 1.0. I stand by that argument, but the paper's authors made no such claim. It's a dry, detailed, factual paper that just happens to rattle off a bunch of vulnerabilities both in your protocol and in Element's implementation of it.
link
shaldengeki 1280 days ago
Thank you for the clarification! Appreciate the candor here re: Element not being able to afford audits on its own. I get now why you might perceive commentary about security research as an existential threat.

For whatever it's worth, the specific thing you're doing with calling the discussion hyperbole and "overclaims" makes it harder for me to take you seriously.

link
jazzyjackson 1280 days ago
Element is a client, matrix is a protocol

I don't really know where you get off on telling people you don't take them seriously

link
progval 1281 days ago
Can't Element (the company) fund audits?
link
Arathorn 1281 days ago
Element doesn't have the $, thanks to footing the bill for most (90%+) of the core Matrix work on behalf of the rest of the Matrix ecosystem.
link
jacooper 1281 days ago
Element is probably already footing the bill for the main matrix.org server + they really need to improve their clients, and that is from a users perspective more important than a security audit.
link
matrigno 1280 days ago
What is the cost of a comprehensive audit?
link