Wireless and Wifi Forums > News > Newsgroups > alt.computer.security

#1 Ari Silverstein, 08-31-2010, 05:10 AM
Re: Truly Trulymail

On Mon, 30 Aug 2010 21:50:58 -0700 (PDT), TrulyMail Support wrote:

>> Looks fairly interesting, but I'd like a lot more info on who they are....

>
> I'm John from TrulyMail Support. What would you like to know about us?
>
> The short version is that we are a Chilean company and we offer a
> secure, powerful, easy-to-use, email client which includes
> automatically encrypted messages between TrulyMail users (and optional
> encryption between email users) along with many other features. Our
> system is quite rich and you can read more about it here:
> http://trulymail.com/Features.aspx


Thanks for the info, John.

What is your and your company's background in delivering and
implementing encryption?

Who is "John", who are the investors, management and directors of
Trulymail?
--
"Looking Above and Beyond the Ramp: A Study of Buffalo Students'
Attitudes toward Alternative Modes of Transportation"

#2 TrulyMail Support, 08-31-2010, 08:42 AM
Re: Truly Trulymail

On Aug 31, 12:10 pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:

> Thanks for the info, John.
>
> What is your and your company's background in delivering and
> implementing encryption?


TrulyMail (the company) has been around a short time (two years). Our
products include the TrulyMail Client and related TrulyMail services
(encrypted, private messaging, for example). We have been offering
these products for about two years now.

> Who is "John", who are the investors, management and directors of Trulymail?


I am John (though, I am not the only one here named John). The
identities of our investors are not public information. Is this
something that is important for you to know? If so, may I ask why?




#3 Mr. B, 08-31-2010, 12:49 PM
Re: Truly Trulymail

Ari Silverstein wrote:

> On Mon, 30 Aug 2010 21:50:58 -0700 (PDT), TrulyMail Support wrote:
>
>>> Looks fairly interesting, but I'd like a lot more info on who they
>>> are....

>>
>> I'm John from TrulyMail Support. What would you like to know about us?
>>
>> The short version is that we are a Chilean company and we offer a
>> secure, powerful, easy-to-use, email client which includes
>> automatically encrypted messages between TrulyMail users (and optional
>> encryption between email users) along with many other features. Our
>> system is quite rich and you can read more about it here:
>> http://trulymail.com/Features.aspx


1. Where is the source code? It would be nice if we could see what you mean
when you say "strong key encryption."
2. Why should we use this when we can already send encrypted email, and when
we have been doing so for a long time now? What exactly does your software
bring to the table, and why should we sacrifice compatibility with existing
cryptosystems?

-- B

#4 Nomen Nescio, 08-31-2010, 12:53 PM
Re: Truly Trulymail

> On Mon, 30 Aug 2010 21:50:58 -0700 (PDT), TrulyMail Support wrote:


> Looks fairly interesting, but I'd like a lot more info on who they are....


> I'm John from TrulyMail Support. What would you like to know about us?


> The short version is that we are a Chilean company and we offer a
> secure, powerful, easy-to-use, email client which includes
> automatically encrypted messages between TrulyMail users (and optional
> encryption between email users) along with many other features. Our
> system is quite rich and you can read more about it here:
> http://trulymail.com/Features.aspx


> Thanks for the info, John.


> What is your and your company's background in delivering and
> implementing encryption?


> Who is "John", who are the investors, management and directors of
> Trulymail?


> --
> “Looking Above and Beyond the Ramp: A Study of Buffalo Students’
> Attitudes toward Alternative Modes of Transportation"


Some additional questions (you know how suspicious we are in this
group:-)).
1. Is the service free? I can't see anything about cost. If free,
do you intend to start charging in the future?
2. Your website is in English only. Seems strange for a company
located in Chile.
3. What is the encryption you are using?


#5 TrulyMail Support, 08-31-2010, 01:17 PM
Re: Truly Trulymail

> Some additional questions (you know how suspicious we are in this
> group:-)).


You are always welcome to ask. I will answer what I can.

> 1. Is the service free? I can't see anything about cost.


Yes, all existing TrulyMail services are free. Our TrulyMail Client is
also free.

> If free,
> do you intend to start charging in the future?


We will not charge for what we currently give away for free. However,
we will be offering additional services which will require a small fee
to use. Think of it like Skype: You get some services for free and
some you pay for.

> 2. Your website is in English only. Seems strange for a company
> located in Chile.


This is not a question.

> 3. What is the encryption you are using?


We use both synchronous and asynchronous encryption. We use 4096 bit
keys which we feel is strong enough for now.



#6 Ari Silverstein, 08-31-2010, 01:40 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 01:42:07 -0700 (PDT), TrulyMail Support wrote:

> On Aug 31, 12:10 pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>
>> Thanks for the info, John.
>>
>> What is your and your company's background in delivering and
>> implementing encryption?

>
> TrulyMail (the company) has been around a short time (two years). Our
> products include the TrulyMail Client and related TrulyMail services
> (encrypted, private messaging, for example). We have been offering
> these products for about two years now.
>
>> Who is "John", who are the investors, management and directors of Trulymail?

>
> I am John (though, I am not the only one here named John). The
> identities of our investors are not public information. Is this
> something that is important for you to know? If so, may I ask why?


If you're dealing with security products, especially without open
source coding, /who/ you are and your background is extremely
important.

The fact that you ask this question is startling.

And informative.
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

#7 Ari Silverstein, 08-31-2010, 01:44 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 06:17:30 -0700 (PDT), TrulyMail Support wrote:

>> 2. Your website is in English only. Seems strange for a company
>> located in Chile.

>
> This is not a question.


And your answer is not an answer.

Clue: If you are going to be a serious player in encrypted
technologies, acting in seclusion and secrecy is going to run against
any hopes for respectability and credibility.

Only buffoons and morons will be your clientele.
--
9ec4c12949a4f31474f299058ce2b22a

#8 TrulyMail Support, 08-31-2010, 02:07 PM
Re: Truly Trulymail

<<< my apologies if this post gets repeated, the reply function was
not working as I expected >>>

> 1. Where is the source code? It would be nice if we could see what you mean
> when you say "strong key encryption."


TrulyMail is not open-source (at least not at this time). Accordingly,
our source code is not available to the public. If you would like to
audit our source code, we would be happy to show you some key parts of
it if you are ever in Santiago.

For us, strong-key means 4096-bit keys. That's quite a bit higher than
what is offered by PGP and others.

> 2. Why should we use this when we can already send encrypted email, and when
> we have been doing so for a long time now?


If you have a system you like, keep using it. We feel there are plenty
of users who do not encrypt now who should and will, if we make it
easy enough for them.

> What exactly does your software
> bring to the table, and why should we sacrifice compatibility with existing
> cryptosystems?


While we think we bring a lot to the table (see our features page on
our website: http://trulymail.com/Features.aspx) we also understand
that there are users who prefer to stick to the systems they already
know.

You have a choice. We think we are a great choice but it all depends
on your needs.

#9 Ari Silverstein, 08-31-2010, 02:34 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 07:07:27 -0700 (PDT), TrulyMail Support wrote:

> <<< my apologies if this post gets repeated, the reply function was
> not working as I expected >>>
>
>> 1. Where is the source code? It would be nice if we could see what you mean
>> when you say "strong key encryption."

>
> TrulyMail is not open-source (at least not at this time). Accordingly,
> our source code is not available to the public. If you would like to
> audit our source code, we would be happy to show you some key parts of
> it if you are ever in Santiago.


*LOL*

What a crock.

> For us, strong-key means 4096-bit keys. That's quite a bit higher than
> what is offered by PGP and others.


If your implementation sucks, it doesn't matter if you have 400,096
megabit keys.

>> 2. Why should we use this when we can already send encrypted email, and when
>> we have been doing so for a long time now?

>
> If you have a system you like, keep using it. We feel there are plenty
> of users who do not encrypt now who should and will, if we make it
> easy enough for them.


> You have a choice. We think we are a great choice but it all depends
> on your needs.


I chose to pass.

Quickly, completely and what may be forever.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"

#10 TrulyMail Support, 08-31-2010, 02:39 PM
Re: Truly Trulymail

On Aug 31, 8:44 pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
> On Tue, 31 Aug 2010 06:17:30 -0700 (PDT), TrulyMail Support wrote:
> >> 2. Your website is in English only. Seems strange for a company
> >> located in Chile.

>
> > This is not a question.

>
> And your answer is not an answer.
>
> Clue: If you are going to be a serious player in encrypted
> technologies, acting in seclusion and secrecy is going to run against
> any hopes for respectability and credibility.
>
> Only buffoons and morons will be your clientele.


I had in no way intended to hide anything in my response. I think open
conversations are great. That said, one cannot answer a statement. I
could guess at what the real question is (are we really in Chile; why
is our website in English; is our use of English-only accidental;
etc.) but that would be me putting my questions into your mouth and
that just doesn't seem appropriate to me.

I do feel your response was a bit harsh but this is not a place to
critique communication style.

I will list what you might have intended to ask and if I get it right,
great. If not, I hope you will ask a clear question.

a) We are really in Chile.
b) We did choose English on purpose.
c) If we were targeting only Spanish speakers, then we would have
created everything in Spanish. However, we recognize that English is
the main international language and that is what we use here. English
is quite common here in Chile amongst the highly educated. Since we
are targeting the people of the world, English seems a more reasonable
language than Spanish.

There are plenty of companies based in countries where English is not
the official (Switzerland, Germany, etc.) who focus their
communications on English for the same reasons we do.

Now, if I may, why does it seem strange to you that our website is in
English? It helped you to learn more about us, did it not? If it did,
then it has served us well.


#11 TrulyMail Support, 08-31-2010, 02:48 PM
Re: Truly Trulymail

> If you're dealing with security products, especially without open
> source coding, /who/ you are and your background is extremely
> important.


I guess it all depends on who we are targeting as our customer. For
John Q. Public to choose a system to keep his private messages
private, does he care about who made Thunderbird+GPG+Enigmail or who
made TrulyMail?

I believe he does not. I believe his primary concern is how to keep
his private communications private without spending a day getting
three pieces of software installed, set up, and configured to
interoperate. Of course, the easier path for him is to use TrulyMail,
click the Next button a few times, and have everything done
automatically.

You are clearly a very detail-oriented person. You want to know
everything about whatever topic you dig into. There is nothing wrong
with that. There are many open source systems out there which allow
you to go through the code line-by-line and you can see everything it
does.

We are not that kind of company. We are a 'bring secure, convenient
communications to the masses' kind of company.

Different fits for different people.

#12 Nomen Nescio, 08-31-2010, 02:57 PM
Re: Truly Trulymail

> On Tue, 31 Aug 2010 06:17:30 -0700 (PDT), TrulyMail Support wrote:


> 2. Your website is in English only. Seems strange for a company
> located in Chile.


> This is not a question.


> And your answer is not an answer.


You just beat me in making this reply! If this was a reply from
a salesman to me, he would have just sealed the loss of the sale.

> Clue: If you are going to be a serious player in encrypted
> technologies, acting in seclusion and secrecy is going to run against
> any hopes for respectability and credibility.


> Only buffoons and morons will be your clientele.


> --
> 9ec4c12949a4f31474f299058ce2b22a




#13 TrulyMail Support, 08-31-2010, 02:58 PM
Re: Truly Trulymail

> > ...we would be happy to show you some key parts of
> > it if you are ever in Santiago.

>
> *LOL*
>
> What a crock.


It is clear that you would be best served by an open-source solution.
If you believe everyone is best served by the same thing, you should
hear some horror stories of our users about trying to get encrypted
email to work when they used GPG and their broker used PGP. The short
version is that in the end, they gave up and used clear-text email -
far less than ideal.

> If your implementation sucks, it doesn't matter if you have 400,096
> megabit keys.


You're welcome to try to decrypt our messages. I'll buy you a nice
dinner if you can do it.

> I chose to pass.


You get to. Good luck to you, sir.

#14 Mr. B, 08-31-2010, 03:07 PM
Re: Truly Trulymail

TrulyMail Support wrote:
>> 3. What is the encryption you are using?

>
> We use both synchronous and asynchronous encryption. We use 4096 bit
> keys which we feel is strong enough for now.


Perhaps you could shed some light on which ciphers you use? The more I read
your posts, the more I think you are another snake-oil salesman.

-- B

#15 Ari Silverstein, 08-31-2010, 03:12 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 07:48:47 -0700 (PDT), TrulyMail Support wrote:

>> If you're dealing with security products, especially without open
>> source coding, /who/ you are and your background is extremely
>> important.

>
> I guess it all depends on who we are targeting as our customer. For
> John Q. Public to choose a system to keep his private messages
> private, does he care about who made Thunderbird+GPG+Enigmail or who
> made TrulyMail?
>
> I believe he does not. I believe his primary concern is how to keep
> his private communications private without spending a day getting
> three pieces of software installed, set up, and configured to
> interoperate. Of course, the easier path for him is to use TrulyMail,
> click the Next button a few times, and have everything done
> automatically.


Let me translate. You want newbies, dumbasses and those with no
education in anything cryptology to buy into your product.

OK, at least we have your marketing plan down.

> You are clearly a very detail-oriented person. You want to know
> everything about whatever topic you dig into. There is nothing wrong
> with that. There are many open source systems out there which allow
> you to go through the code line-by-line and you can see everything it
> does.


Hardly detail oriented. Examining open source code isn't my cup of tea
either.

But I do believe in peer review and your rather flippant attitude "see
you in Santiago" toward your code is utter ********.

But, hey, there is a large market for morons who will trust their
privacy with people like you so have at it. Expect to get zero
credibility from anyone who has any teensy bit of workable knowledge
regarding encryption.

> We are not that kind of company. We are a 'bring secure, convenient
> communications to the masses' kind of company.


You're a bring the bucks to John kinda company who hides behind single
names and averts the honest intentions of prying eyes.

> Different fits for different people.


Most certainly but you can have your profits and your credibility as
well. For whatever reason, none of which I can think of that is either
honest or straightforward, Trulymail has decided to take the lowest of
low roads.

The only reasons you would do so are:

1) Trulymail is comprised of a set of waffling imbeciles.
2) You're crooked

You see, transparency is the lifeblood of professional cryptology. The
breast that feeds its reliability and innocence. You guys are as
valuable as a tit on a boy pig.

Now you are exposed which is a good thing for everyone including you.
Repent. Turn away from the Dark Side.

This "trust us, we're really good guys" is a bunch of hocus-pocus BS,
it demeans you and it demeans your products.

Remember Allende.
--
Ari's Fun Times!
http://tr.im/hrFG
Motto: Run, rabbit, Run!

#16 Ari Silverstein, 08-31-2010, 03:25 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 07:39:38 -0700 (PDT), TrulyMail Support wrote:

> On Aug 31, 8:44 pm, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>> On Tue, 31 Aug 2010 06:17:30 -0700 (PDT), TrulyMail Support wrote:
>>>> 2. Your website is in English only. Seems strange for a company
>>>> located in Chile.

>>
>>> This is not a question.

>>
>> And your answer is not an answer.
>>
>> Clue: If you are going to be a serious player in encrypted
>> technologies, acting in seclusion and secrecy is going to run against
>> any hopes for respectability and credibility.
>>
>> Only buffoons and morons will be your clientele.

>
> I had in no way intended to hide anything in my response. I think open
> conversations are great. That said, one cannot answer a statement. I
> could guess at what the real question is (are we really in Chile; why
> is our website in English; is our use of English-only accidental;
> etc.) but that would be me putting my questions into your mouth and
> that just doesn't seem appropriate to me.


It's Usenet.

What is appropriate is this discussion. Or lack of one. You want to
dance around direct questions or offer flippant responses to
professional inquiry. Yes, that is tissue paper hanging from your
shoe.

> I do feel your response was a bit harsh but this is not a place to
> critique communication style.


Harsh it was and intended to be. I get my knickers in a wad anytime I
see people who want to play at privacy, make ostentatious claims about
their products and refuse to offer any reasonable details as to basis
for those claims. Call me old fashioned. Call me an *******. I could
care less.

It's not me who is hiding behind a Harry Potter Invisibility Cloak and
shouting "No problems, trust me."

> I will list what you might have intended to ask and if I get it right,
> great. If not, I hope you will ask a clear question.
>
> a) We are really in Chile.


How do we know? Because you say so? Ain't flying.

> b) We did choose English on purpose.
> c) If we were targeting only Spanish speakers, then we would have
> created everything in Spanish. However, we recognize that English is
> the main international language and that is what we use here. English
> is quite common here in Chile amongst the highly educated. Since we
> are targeting the people of the world, English seems a more reasonable
> language than Spanish.
>
> There are plenty of companies based in countries where English is not
> the official (Switzerland, Germany, etc.) who focus their
> communications on English for the same reasons we do.
>
> Now, if I may, why does it seem strange to you that our website is in
> English? It helped you to learn more about us, did it not? If it did,
> then it has served us well.


Blitherings aside, it might as well be in Yiddish except of course
that Jews don't trust much of anyone.

Certainly not those with Harry Potter Syndrome.

Picking this issue (English vs. Yiddish) is a nice dodge but the
bottom line is this.

Maybe you will make money, maybe you won't. But until you come clean,
you will *never* have the credibility that an honest, open and
concerned cryptology company would desire.

I suggest that you could care less.

P.S. Don't even think about trying to sell to the US Gov't, DoD or any
of the intertwined military-intelligence agencies. They /really/ frown
on foreign nationals who play at such serious business.
--
9ec4c12949a4f31474f299058ce2b22a

#17 Ari Silverstein, 08-31-2010, 03:31 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 07:58:02 -0700 (PDT), TrulyMail Support wrote:

>>> ...we would be happy to show you some key parts of
>>> it if you are ever in Santiago.

>>
>> *LOL*
>>
>> What a crock.

>
> It is clear that you would be best served by an open-source solution.
> If you believe everyone is best served by the same thing, you should
> hear some horror stories of our users about trying to get encrypted
> email to work when they used GPG and their broker used PGP. The short
> version is that in the end, they gave up and used clear-text email -
> far less than ideal.


Oh I see so the alternative is to "trust you" and your Wizard of Oz
act behind your curtain?

Har.

You could be a honeypot, a NSA/CIA front company, a terrorist node and
a whole lot of other much nastier things than a clear text email
provider.

>> If your implementation sucks, it doesn't matter if you have 400,096
>> megabit keys.

>
> You're welcome to try to decrypt our messages. I'll buy you a nice
> dinner if you can do it.


I won't be in Santiago anytime soon. Offer rings as hollow as your
unknown implementation of this "encryption" you have.

>> I chose to pass.

>
> You get to. Good luck to you, sir.


None to you.
--
Just Say Now!
http://firedoglake.com/justsaynow

#18 TrulyMail Support, 08-31-2010, 03:53 PM
Re: Truly Trulymail

On Aug 31, 9:57 pm, Nomen Nescio <nob...@dizum.com> wrote:
> > On Tue, 31 Aug 2010 06:17:30 -0700 (PDT), TrulyMail Support wrote:
> > 2. Your website is in English only. Seems strange for a company
> > located in Chile.
> > This is not a question.
> > And your answer is not an answer.

>
> You just beat me in making this reply! If this was a reply from
> a salesman to me, he would have just sealed the loss of the sale.


OK, please let me publicly apologize. It was never my intention to
snub anyone here. My point was simply that it is easier to answer
clear questions. Clearly I was inappropriate in my response and I hope
you will forgive me.

#19 B℮ar Bottoms, 08-31-2010, 04:08 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 07:07:27 -0700 (PDT), TrulyMail Support wrote:

> If you would like to
> audit our source code, we would be happy to show you some key parts of
> it if you are ever in Santiago.


I often fly down to South America.

How about next Tuesday?

--
B℮ar Bottoms

#20 B℮ar Bottoms, 08-31-2010, 04:13 PM
Re: Truly Trulymail

On Tue, 31 Aug 2010 11:25:32 -0400, Ari Silverstein wrote:

> Don't even think about trying to sell to the US Gov't, DoD or any
> of the intertwined military-intelligence agencies. They /really/ frown
> on foreign nationals who play at such serious business.


We will see. I say, see you next Tuesday Silverstein. Who needs to sell to
the government? I have friends who will pay big for the right service.

--
B℮ar Bottoms

#21 Mr. B, 08-31-2010, 04:59 PM
Re: Truly Trulymail

TrulyMail Support wrote:
> OK, please let me publicly apologize. It was never my intention to
> snub anyone here. My point was simply that it is easier to answer
> clear questions. Clearly I was inappropriate in my response and I hope
> you will forgive me.


OK, here is a clear question for you, which you keep avoiding: which
ciphers does your software use?

-- B

#22 TrulyMail Support, 08-31-2010, 05:05 PM
Re: Truly Trulymail


> > It is clear that you would be best served by an open-source solution.
> > If you believe everyone is best served by the same thing, you should
> > hear some horror stories of our users about trying to get encrypted
> > email to work when they used GPG and their broker used PGP. The short
> > version is that in the end, they gave up and used clear-text email -
> > far less than ideal.

>
> Oh I see so the alternative is to "trust you" and your Wizard of Oz
> act behind your curtain?
>
> Har.
>
> You could be a honeypot, a NSA/CIA front company, a terrorist node and
> a whole lot of other much nastier things than a clear text email
> provider.


Like my earlier post, clearly another apology is in order. My
intention was certainly not to offend (although, offending you is
likely impossible so I'll say my intention was not to anger you). My
point was not that you can either trust us or go away. My point was
that any startup (I admit we are very new at only two years old) is
naturally protective of what they have. I know of firms who have had
Chinese hackers literally simply rebrand something which took a
significant amount of energy (and money) to produce. So, now there is
a competitor there with zero development costs (save the hacking
costs). That's tough (and a reminder to be cautious).

It is important to us that we don't end up down that road. Handing out
source code for everyone to see, rebrand, recompile, and redistribute
on a whim seems not to be the best way to ensure a company has a
future. That said, we do understand the need for others to see what we
are doing in order to be confident enough to trust our products.

We have chosen to err on the side of caution but if someone wants to
see, they are welcome.

My saying that we would expose key parts was not intended to convey
that we will keep some parts secret. The intention was that we will
expose whatever you want to see about the encryption, if you are
concerned about the encryption.

>
> >> If your implementation sucks, it doesn't matter if you have 400,096
> >> megabit keys.

>


While I, personally, don't have a background in cryptography, I do
understand software. Our software is built on components, like most
software today. Our TrulyMail client is built using Microsoft's .Net
and our encryption uses their cryptographic library using the Rijndael
algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
bit key, as mentioned earlier.

Since we did not write the encryption algorithm, it didn't seem
relevant to give names and cryptographic backgrounds of everyone at
the company.

I don't believe you asked for my last name but if I misread your
question, here is the answer. My name is John Andre. I have two
decades experience in developing software using Microsoft technologies
for various companies around the world (including in Chile, the US,
Austria, Switzerland, and others).

I might be new to cryptography (and out of touch with the culture of
extreme openness) but I do understand the need for privacy in an easy-
to-use manner. I don't believe that only people who can configure
complex software have the right to privacy. I believe that everyone
deserves it and we're producing software to give that to them.

We're now getting into personal philosophies and that was clearly not
asked about so I will try to restrict this tangent.

Again, to summarize, I apologize for my erring on the side of secrecy.
TrulyMail was created because of the basic belief that freedom goes
hand in hand with privacy.

Now, feel free to rip into it.


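The configuration described in post #22, as an added example that is not part of the thread and is not TrulyMail's code: in .NET, Rijndael/AES takes keys of at most 256 bits, so a "4096-bit key" can only be an RSA key, which in a hybrid scheme wraps a per-message AES key. The hybrid reading, .NET 8 or later, and the choice of AES-GCM and OAEP-SHA256 are assumptions of this example; `HybridDemo`, `Envelope`, `Seal` and `Open` are hypothetical names.

```csharp
// Added example (not TrulyMail code). Assumes .NET 8 or later.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class HybridDemo
{
    // What travels to the recipient: the RSA-wrapped content key plus the AES-GCM output.
    public sealed record Envelope(byte[] WrappedKey, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

    public static Envelope Seal(RSA recipientPublic, byte[] plaintext)
    {
        // Fresh 256-bit content key and 96-bit nonce per message, from the OS CSPRNG.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
        try
        {
            using (var gcm = new AesGcm(key, tag.Length))
                gcm.Encrypt(nonce, plaintext, ciphertext, tag);

            // The RSA key never touches the message; it only encrypts the 32-byte AES key.
            byte[] wrapped = recipientPublic.Encrypt(key, RSAEncryptionPadding.OaepSHA256);
            return new Envelope(wrapped, nonce, ciphertext, tag);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
        }
    }

    public static byte[] Open(RSA recipientPrivate, Envelope e)
    {
        byte[] key = recipientPrivate.Decrypt(e.WrappedKey, RSAEncryptionPadding.OaepSHA256);
        try
        {
            byte[] plaintext = new byte[e.Ciphertext.Length];
            using (var gcm = new AesGcm(key, e.Tag.Length))
                gcm.Decrypt(e.Nonce, e.Ciphertext, e.Tag, plaintext); // throws if anything was altered
            return plaintext;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(key);
        }
    }

    static void Main()
    {
        // 1. Ask the runtime which AES key sizes exist, and whether 4096 bits is one of them.
        using Aes aes = Aes.Create();
        foreach (KeySizes k in aes.LegalKeySizes)
            Console.WriteLine($"AES key sizes: {k.MinSize} to {k.MaxSize} bits, step {k.SkipSize}");
        Console.WriteLine($"AES accepts a 4096-bit key: {aes.ValidKeySize(4096)}");

        // 2. 4096 bits is a valid RSA modulus size. The sender holds only the public half.
        using RSA recipient = RSA.Create(4096);
        using RSA publicOnly = RSA.Create();
        publicOnly.ImportParameters(recipient.ExportParameters(false));

        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        Envelope env = Seal(publicOnly, message);
        Console.WriteLine($"RSA modulus: {recipient.KeySize} bits, wrapped AES key: {env.WrappedKey.Length} bytes");
        Console.WriteLine($"Round trip ok: {Open(recipient, env).SequenceEqual(message)}");

        // 3. Key length says nothing about integrity; the authenticated mode is what rejects a modified message.
        byte[] tampered = (byte[])env.Ciphertext.Clone();
        tampered[0] ^= 0x01;
        try
        {
            Open(recipient, env with { Ciphertext = tampered });
            Console.WriteLine("Tampering not detected");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Tampering detected, message rejected");
        }
    }
}
```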
#23 TrulyMail Support, 08-31-2010, 05:07 PM
Re: Truly Trulymail

On Aug 31, 11:08 pm, B℮ar Bottoms <bearbotto...@gmai.invalid> wrote:
> On Tue, 31 Aug 2010 07:07:27 -0700 (PDT), TrulyMail Support wrote:
> > If you would like to
> > audit our source code, we would be happy to show you some key parts of
> > it if you are ever in Santiago.

>
> I often fly down to South America.
>
> How about next Tuesday?


I'm not free on Tuesday but I'm free that Friday. Will that work for
you?


#24 TrulyMail Support, 08-31-2010, 05:14 PM
Re: Truly Trulymail

On Aug 31, 10:07 pm, "Mr. B" <n...@supplied.com> wrote:
> TrulyMail Support wrote:
> >> 3. What is the encryption you are using?

>
> > We use both synchronous and asynchronous encryption. We use 4096 bit
> > keys which we feel is strong enough for now.

>
> Perhaps you could shed some light on which ciphers you use? The more I read
> your posts, the more I think you are another snake-oil salesman.
>
> -- B


For some reasons, some of my responses don't get listed here. Anyway,
let me answer again: We use the Rikndael cipher. I wrote more detail
in another response but if something is still unclear, please let me
know and I will clarify.

I'm really not a snake-oil salesman and I'm happy to show you whatever
you need to see.

#25 TrulyMail Support, 08-31-2010, 05:16 PM
Re: Truly Trulymail

On Sep 1, 12:14 am, TrulyMail Support <supp...@trulymail.com> wrote:
> On Aug 31, 10:07 pm, "Mr. B" <n...@supplied.com> wrote:
>
> > TrulyMail Support wrote:
> > >> 3. What is the encryption you are using?

>
> > > We use both synchronous and asynchronous encryption. We use 4096 bit
> > > keys which we feel is strong enough for now.

>
> > Perhaps you could shed some light on which ciphers you use? The more I read
> > your posts, the more I think you are another snake-oil salesman.

>
> > -- B

>
> For some reasons, some of my responses don't get listed here. Anyway,
> let me answer again: We use the Rikndael cipher. I wrote more detail
> in another response but if something is still unclear, please let me
> know and I will clarify.
>
> I'm really not a snake-oil salesman and I'm happy to show you whatever
> you need to see.


Rijndael cipher is what my fat fingers were trying to type.

#26 Mr. B, 08-31-2010, 07:11 PM
Re: Truly Trulymail

TrulyMail Support wrote:

> Like my earlier post, clearly another apology is in order. My
> intention was certainly not to offend (although, offending you is
> likely impossible so I'll say my intention was not to anger you). My
> point was not that you can either trust us or go away. My point was
> that any startup (I admit we are very new at only two years old) is
> naturally protective of what they have. I know of firms who have had
> Chinese hackers literally simply rebrand something which took a
> significant amount of energy (and money) to produce. So, now there is
> a competitor there with zero development costs (save the hacking
> costs). That's tough (and a reminder to be cautious).
>
> It is important to us that we don't end up down that road. Handing out
> source code for everyone to see, rebrand, recompile, and redistribute
> on a whim seems not to be the best way to ensure a company has a
> future. That said, we do understand the need for others to see what we
> are doing in order to be confident enough to trust our products.


Well, you could always ask the people at this company:

http://www.redhat.com/

> While I, personally, don't have a background in cryptography, I do
> understand software. Our software is built on components, like most
> software today. Our TrulyMail client is built using Microsoft's .Net
> and our encryption uses their cryptographic library using the Rijndael
> algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
> bit key, as mentioned earlier.


See, this is the kind of information we wanted. You are using RSA and AES
as your ciphers. You are using Microsoft's implementation of those ciphers.
That information goes a long way.

> Since we did not write the encryption algorithm, it didn't seem
> relevant to give names and cryptographic backgrounds of everyone at
> the company.


No, but it is still good to know. Even using someone else's implementation
of a cipher can be problematic, if you do not know what you are doing. I
have seen cases of poor random number generation leading to a break. I have
seen people fail to use block chaining, or select the wrong block chaining
mode. I have seen programs that do not properly verify public keys. The
list of mistakes people can make even when they use a very good cipher
implementation is long.

> I might be new to cryptography (and out of touch with the culture of
> extreme openness) but I do understand the need for privacy in an easy-
> to-use manner. I don't believe that only people who can configure
> complex software have the right to privacy. I believe that everyone
> deserves it and we're producing software to give that to them.


Except that configuring PGP is not a complicated process. I have seen
people with almost no technical background successfully use PGP to encrypt
their email.

On the flip side, I have seen attempts to simplify email encryption backfire
horribly. Hushmail is a good example of this: Hushmail was created with
the same goal you have, to bring email encryption to the masses and to make
it easier to deal with. Hushmail uses PGP. Yet when a steroids dealer
tried to use Hushmail, the DEA showed up in court with 12 DVDs of emails
that the dealer had sent and received, all decrypted, because Hushmail's
method of making cryptography easier wound up making it much less secure.

-- B
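
The block-chaining mistakes listed in the post above, as an added example that is not part of the thread and not TrulyMail's code: it uses the .NET `Aes` class to compare ECB, CBC with a fresh random IV, and CBC with a fixed IV. The class and helper names are hypothetical, and the message is constructed sample input.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class BlockModeDemo   // hypothetical name, for illustration only
{
    // Encrypt with AES (the 128-bit-block Rijndael variant) in the given mode.
    static byte[] Encrypt(byte[] key, byte[] iv, CipherMode mode, byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Mode = mode;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;
            aes.IV = iv;                       // has no effect in ECB mode
            using (var enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    // Number of 16-byte ciphertext blocks that duplicate an earlier block.
    static int RepeatedBlocks(byte[] ct)
    {
        var blocks = Enumerable.Range(0, ct.Length / 16)
            .Select(i => Convert.ToBase64String(ct, i * 16, 16)).ToList();
        return blocks.Count - blocks.Distinct().Count();
    }

    // Key and IV material from the OS CSPRNG, never from System.Random.
    static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }

    static void Main()
    {
        byte[] key = RandomBytes(32);
        // Constructed sample: four identical 16-byte plaintext blocks.
        byte[] msg = Enumerable.Repeat((byte)'A', 64).ToArray();
        byte[] zeroIv = new byte[16];          // the "fixed IV" mistake

        byte[] ecb = Encrypt(key, zeroIv, CipherMode.ECB, msg);
        byte[] cbcA = Encrypt(key, RandomBytes(16), CipherMode.CBC, msg);
        byte[] cbcB = Encrypt(key, RandomBytes(16), CipherMode.CBC, msg);
        byte[] fixA = Encrypt(key, zeroIv, CipherMode.CBC, msg);
        byte[] fixB = Encrypt(key, zeroIv, CipherMode.CBC, msg);

        Console.WriteLine("ECB repeated blocks:            " + RepeatedBlocks(ecb));
        Console.WriteLine("CBC repeated blocks:            " + RepeatedBlocks(cbcA));
        Console.WriteLine("CBC fresh IV, outputs equal:    " + cbcA.SequenceEqual(cbcB));
        Console.WriteLine("CBC fixed IV, outputs equal:    " + fixA.SequenceEqual(fixB));
    }
}
```

ECB repeats ciphertext blocks wherever plaintext blocks repeat, and CBC with a fixed IV reveals when the same message is sent twice. CBC on its own also gives no integrity protection, so a design that uses it needs a MAC over the ciphertext or an authenticated mode.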

  #27 (permalink)  
Old 08-31-2010, 07:48 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: Truly Trulymail

TrulyMail Support <support@trulymail.com> wrote in
news:c7958a6d-3b24-47ba-87e1-00ec465dcf58@t5g2000prd.googlegroups.com:

....
> OK, please let me publicly apologize. It was never my
> intention to snub anyone here. My point was simply that it
> is easier to answer clear questions. Clearly I was
> inappropriate in my response and I hope you will forgive
> me.



There is no need for you to apologize to anyone - you have been
entirely forthcoming about your company and its products.
Moreover, you have shown the patience of a saint and remained
courteous even when responding to insulting confrontational
boors such as Ari.

I wish you and your company every success.

Regards,



  #28 (permalink)  
Old 08-31-2010, 07:52 PM
nemo_outis
Guest
 
Posts: n/a
Default Re: Truly Trulymail

Ari Silverstein <AriSilverstein@yahoo.com> wrote in
news:8e4l7dFvt8U1@mid.individual.net:

> Harsh it was and intended to be. I get my knickers in a wad
> anytime I see people who want to play at privacy, make
> ostentatious claims about their products and refuse to
> offer any reasonable details as to basis for those claims.
> Call me old fashioned. Call me an *******. I could care
> less.


You are an old-fashioned *******, Ari, an ******* with a very
long track record. You are a man who has accomplished nothing
and who instead belittles and harasses anyone who has.

You could care less, you say? Wonderful, because that creates a
marvellous symmetry - no one else cares what *you* have to say
except your sockpuppets.


  #29 (permalink)  
Old 08-31-2010, 10:34 PM
B℮ar Bottoms
Guest
 
Posts: n/a
Default Re: Truly Trulymail

On Tue, 31 Aug 2010 10:07:21 -0700 (PDT), TrulyMail Support wrote:

> On Aug 31, 11:08 pm, B℮ar Bottoms <bearbotto...@gmai.invalid> wrote:
>> On Tue, 31 Aug 2010 07:07:27 -0700 (PDT),TrulyMailSupport wrote:
>>> If you would like to
>>> audit our source code, we would be happy to show you some key parts of
>>> it if you are ever in Santiago.

>>
>> I often fly down to South America.
>>
>> How about next Tuesday?

>
> I'm not free on Tuesday but I'm free that Friday. Will that work for
> you?


Are you crazy? Look what happened last time I was late.

http://www.prorev.com/BARRY%20SEAL.jpg

--
B℮ar Bottoms

  #30 (permalink)  
Old 08-31-2010, 11:46 PM
Ari Silverstein
Guest
 
Posts: n/a
Default Re: Truly Trulymail

On Tue, 31 Aug 2010 10:05:42 -0700 (PDT), TrulyMail Support wrote:

>>> It is clear that you would be best served by an open-source solution.
>>> If you believe everyone is best served by the same thing, you should
>>> hear some horror stories of our users about trying to get encrypted
>>> email to work when they used GPG and their broker used PGP. The short
>>> version is that in the end, they gave up and used clear-text email -
>>> far less than ideal.

>>
>> Oh I see so the alternative is to "trust you" and your Wizard of Oz
>> act behind your curtain?
>>
>> Har.
>>
>> You could be a honeypot, a NSA/CIA front company, a terrorist node and
>> a whole lot of other much nastier things than a clear text email
>> provider.

>
> Like my earlier post, clearly another apology is in order. My
> intention was certainly not to offend (although, offending you is
> likely impossible so I'll say my intention was not to anger you). My
> point was not that you can either trust us or go away. My point was
> that any startup (I admit we are very new at only two years old) is
> naturally protective of what they have.


Bzzzzzzt, Wrong. There are so many open source startups with
transparency in development and code that I couldn't count them all in
a month.

> I know of firms who have had
> Chinese hackers literally simply rebrand something which took a
> significant amount of energy (and money) to produce. So, now there is
> a competitor there with zero development costs (save the hacking
> costs). That's tough (and a reminder to be cautious).


I know who you are talking about and it was their own fault that their
DB dev got leaked.

You can prattle on, divert and point to others while your hand is in
the proverbial cookie jar but nothing has changed.

You make unsubstantiated claims using smoke and mirrors tomfoolery
while playing with people's privacy. This "trust us, we're good guys"
is total ******** and you are going to get the customers you seek.
Total nitwits with no clue that you are pushing out product with no
intention of backing your claims except for your own deceptions.

So be it. That's your business model. But fer the love of Christ,
don't foist this line on people around these parts who have been
exposing and devouring scammers and bottomfeeders for years.

Take your blood money and run.

> It is important to us that we don't end up down that road. Handing out
> source code for everyone to see, rebrand, recompile, and redistribute
> on a whim seems not to be the best way to ensure a company has a
> future.


Jeez, what an idiotic thing to say, it's baseless and completely
untrue.

Just out of morbid curiosity, how do you even manage to get yourself
motivated to post? It can't be fun for you any more after making a
fool of yourself so many times, can it? In fact the last two days
have been so horrible for you, you could reply to without embarrassing
yourself so much even you can't stand it. Pretty sad considering your
lack of self respect but fully inline with your ethical code toward
open and transparent privacy (none) and the blitherings of your
misleading website.

Seriously. Why do you bother? You can't honestly believe anyone sees
you as anything but a clown any more, can you? Don't you have
anything you could be doing that would be a bit less of a nightmare
for you, like burning yourself with lit cigarettes or finger painting
with your own feces?

> That said, we do understand the need for others to see what we
> are doing in order to be confident enough to trust our products.
>
> We have chosen to err on the side of caution but if someone wants to
> see, they are welcome.


As long as they hump it to Santiago on their nickel to see a "bit of
your code". Of course.

Are you daft? You actually believe this is a legitimate possibility
for a software audit or do you believe we are so damned stupid that
this joke of an offer will be seen as anything other than what it is.

A joke.

> My saying that we would expose key parts was not intended to convey
> that we will keep some parts secret. The intention was that we will
> expose whatever you want to see about the encryption, if you are
> concerned about the encryption.


Backpedal much? What, no dinner now? "Trust you", you say?

Unfortunately, most Usenet readers will think this is a lie -- merely
because it almost always is. This will be a problem for you if you're
being honest. And if you're not being honest, your stupidity will be a
problem for you.

Either way, no one is going to take you up on this and you know it.
It's disingenuous but, at least, you're consistent in that way.

>>>> If your implementation sucks, it doesn't matter if you have 400,096
>>>> megabit keys.

>>

>
> While I, personally, don't have a background in cryptography,


Well, slick, then you haven't got an ounce of credibility anymore.

> I do
> understand software. Our software is built on components, like most
> software today. Our TrulyMail client is built using Microsoft's .Net
> and our encryption uses their cryptographic library using the Rijndael
> algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
> bit key, as mentioned earlier.


Guess what we do. Build software on .NET frameworks in military server
environments under the strictest sets of cryptographic standards.
UH-huh, yeppers, and now you are Trulymail *support*?

Wow. Man, you blew it. You have a LONG way to go before you can even
SEE 'up'. Should have started out open and honest from the start, too
bad. Too sad. You might be attacked for trying to sell your own
product, but you get CRUCIFIED for being deceptive about it.

Hint: Just fess up now, be done with it.

> Since we did not write the encryption algorithm, it didn't seem
> relevant to give names and cryptographic backgrounds of everyone at
> the company.


What company? Who are you? No crypto background because you just rely
on Microsoft's implementations in a sort of "slap it in there and
alrighty that's great" approach?

Then if that approach is so wonderfully sound

<s******>

why not state exactly that on your website?

"About Us: Trulymail has no one with a cryptographic background, we
shove together components and sell them. Trust us. We trust
Microsoft."

Doesn't that have a nice ringy-dingy to it? I release it to you with
no claim to copyright. It's yours.

Use it. It's the truth.

> I don't believe you asked for my last name but if I misread your
> question, here is the answer. My name is John Andre. I have two
> decades experience in developing software using Microsoft technologies
> for various companies around the world (including in the Chile, US,
> Austria, Switzerland, and others).


OK then put that on your website too. See how easy this is?
Transparency. Honesty. You don't have to put up your picture in case
you're ugly either.

> I might be new to cryptography (and out of touch with the culture of
> extreme openness) but I do understand the need for privacy in an easy-
> to-use manner. I don't believe that only people who can configure
> complex software have the right to privacy. I believe that everyone
> deserves it and we're producing software to give that to them.


So you say. No proof, no pudding. Sorry.

> We're now getting into personal philosophies and that was clearly not
> asked about so I will try to restrict this tangent.
>
> Again, to summarize, I apologize for my erring on the side of secrecy.
> TrulyMail was created because of the basic belief that freedom goes
> hand in hand with privacy.
>
> Now, feel free to rip into it.


All I do is stand back and let you hang yourself. And supply the tree
and the rope of course.
--
9ec4c12949a4f31474f299058ce2b22a
