
‘World’s Most Secure’ Email Service Is Easily Hackable - ptrptr
https://motherboard.vice.com/en_us/article/worlds-most-secure-email-service-is-easily-hackable
======
nyolfen
I would recommend changing this link to the linked writeup by Scott Helme:

[https://scotthelme.co.uk/nomx-the-worlds-most-secure-communi...](https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/)

~~~
detaro
which also has been on HN a few days ago:
[https://news.ycombinator.com/item?id=14209874](https://news.ycombinator.com/item?id=14209874)

------
nickpsecurity
I've always said: consider any product, even a security product, insecure by
default until proven otherwise by careful inspection by people who know how to
find flaws. This was the recommendation of those that invented information
security. It was the best approach then. It's still the best approach.

~~~
bmh_ca
Or monetize the contrapositive, e.g. bug bounties.

~~~
nickpsecurity
Bug bounties don't prove anything. They're actually popular among peddlers of
insecure software. The only thing that proves something is that someone who can
find vulnerabilities in the system got enough access and time to find something
if it's there. They might be paid or not. It's the level of review and who is
reviewing that matters most.

------
btschaegg
> A service that claims to be the only way to do email in a secure way [...]

And that, kids, is what we call the Dunning–Kruger effect.

~~~
geezerjay
Marketing ploys aren't exactly a sign of incompetence. Probably they made
those claims expecting that no one would bother checking.

~~~
btschaegg
Fair point. Although that would also only imply that maybe there _were_
competent people; it's just that no one bothered to ask them.

I don't know if that's making the matter better or worse ;-)

------
wand3r
The nomx response was here yesterday. Apparently the guy flashed the SD card,
rooted the device and used a payload written by a friend.

According to their account, none of this was reproduced with an off-the-shelf
device rooted by nomx and placed on a network not 100% controlled by the
attackers for the challenge.