
Snowden’s Favorite Cloud Service Now Has a Group Chat App - justinkramp
https://motherboard.vice.com/read/snowdens-favorite-cloud-service-now-has-a-group-chat-app
======
curiousgal
I always cringe when I come across this type of Snowden branding. Can't put my
finger on the reason.

~~~
zeveb
From my perspective, it's like branding something with names like Stalin,
Dahmer or Ames. I really wish more people would maturely reflect on Snowden's
misunderstanding; pride; failure to avail himself of legal means to correct
his misunderstanding; and ultimate treason. He has caused extraordinarily
grave damage to his nation's security and — since that nation is the sole
guarantor of global security — to the security of mankind. From my
perspective, he should be despised at worst, pitied at best.

~~~
DKnoll3
I'd love to hear more about his misunderstanding, please continue.

------
CiPHPerCoder
I'm starting to look through the code right now. A scroll through their open
source page indicates they're using libsodium, which is a good sign that they
avoided most of the foot-cannons alluded to on this page:
[https://gist.github.com/tqbf/be58d2d39690c3b366ad](https://gist.github.com/tqbf/be58d2d39690c3b366ad)

~~~
lisper
The SpiderOak folks seem to know what they're doing. But if you don't trust
them, here's a completely open secure communications tool:

[https://github.com/Spark-Innovations/SC4](https://github.com/Spark-Innovations/SC4)

It's based on TweetNaCl, libsodium's smaller sibling. It can run standalone,
i.e. no server required.

No group chat yet, but that's a relatively straightforward extension. I have
two-party chat working in private beta. (Chat does require a server, though.)

~~~
CiPHPerCoder
> The SpiderOak folks seem to know what they're doing.

I'm inclined to agree with that assessment.

> But if you don't trust them

Trust, but verify.

IIRC they were discussing hiring a friend of mine (whose knowledge in software
security is something I respect greatly).

------
walterbell
Is Semaphor focused on group chat (Slack) or are there plans to support
private communications (text, audio, video) like Wire? Unlike Signal, Wire
allows registration with only an email address (via
[http://app.wire.com](http://app.wire.com)) and does not force you to upload
your contacts to their server.

Article: [http://arstechnica.com/business/2016/03/go-ahead-make-some-f...](http://arstechnica.com/business/2016/03/go-ahead-make-some-free-end-to-end-encrypted-video-calls-on-wire/)

Security: [https://www.documentcloud.org/documents/2756350-Wire-Securit...](https://www.documentcloud.org/documents/2756350-Wire-Security-Whitepaper.html)

Code: [https://github.com/wireapp/wire](https://github.com/wireapp/wire)

~~~
fizzbatter
How's the UX of wire?

I'm dying for an app that eventually does three things:

1. Secure. A few of them exist

2. UX. I love Telegram, shame it doesn't fit item #1

3. Temporary. I actually really love Snapchat's ephemeral images and/or
messaging. Telegram does a good job at this with auto destructing messages..
but it saves images on the system[1], and I don't trust it removing from the
cloud in a timely manner. And of course, Telegram fails #1.. making temporary
communication all the more troublesome.

[1]: This may be limited to certain systems, such as Android. But yea, don't
save an image of an important document in a "secret" chat on Android.. it
saves it to your filesystem.

~~~
Siimteller
1. End-to-end using Proteus which is inspired by Axolotl (now Signal).
Whitepaper available (wire.com/privacy, independent security review
underway). Right now only crypto/comms part open source but there will be more
news in this.

2. It's similar. Visually distinct, the UX is close enough to what people are
used to from other IM apps, I would say.

3. Not. We've experimented with this internally but so far have not decided
to release ephemeral aspect to public. Not enough demand. As someone else
commented - you can delete content from your devices (synced across if you're
logged in from more than one), but content will remain on other people's
devices.

~~~
walterbell
Are decrypted messages/assets stored in plaintext in the local device cache,
or subject to local device backups? Can the local device cache be manually
flushed, made subject to OS-level data protection policy, or eliminated
entirely?

~~~
Siimteller
- Messages stored locally use the device encryption/OS-level protection

- Not included in backups

- Can be deleted either manually (per message/per chat) or altogether by uninstalling

------
wonderlusts
Source code:
[https://spideroak.com/solutions/semaphor/source](https://spideroak.com/solutions/semaphor/source)

------
squidlogic
Good luck to them.

After helping make a slack-style client-side encrypted productivity app
([https://balboa.io](https://balboa.io)) that has been on life-support for the
last 2 months, I have a lot of respect for people that attempt to make this
space more secure.

It's not easy.

A few lessons learned that may be useful to others:

1. Most businesses and consumers are ok with their data being available to
companies like Slack and Google because they trust these companies. They feel
that regardless of reality, their data is safer with Google or Slack because
those companies have a lot more to lose if they fail.

2. The SME space for productivity apps is pretty much the same as the
consumer space. You're going to be competing with Google. SMEs are actually
really cheap and scrappy: they don't spend money on non-bottom line affecting
stuff. If you want to sell security to them, it has to be essentially free.

3. Reputation is more important than (or at least AS important as) your
technical chops. You're asking people to trust you. You can show that you are
competent by demonstrating a mastery of the technology, but that may not be
enough to show that you are also trustworthy.

------
newscracker
SpiderOak describes this as "Collaboration and messaging for teams." It seems
like it's for (for-profit) business teams and not for personal "teams" or
groups or non-profits/social groups. I guess the pricing model mentioned in
the article is to get businesses that use Slack or Hipchat or other system.

I don't like SpiderOak's pricing models in general because of how it seems to
oversell and upsell services. For personal teams/groups, there are free
services like Telegram (awesome user experience that keeps improving at a fast
pace but poorer homegrown crypto with normal messages stored in plaintext on
the servers) and Signal (great crypto but awful user experience, slow and
buggy app and slow and unreliable message delivery).

~~~
rarrrrrr
Thanks for taking a look and for your feedback! Do you have any
recommendations for us for alternative pricing?

One of the things we tried to accommodate is that teams can be paid for by the
individual members instead of one entity having to foot the whole bill. This
was one of the common complaints we saw about Slack, where large communities
enjoy using it but had no way to pay for better service.

You can use Semaphor for free just like Slack, with limited historical content
retention.

Also, for what it's worth, I use Signal daily for personal messaging, and my
own experience with it has been great. We think of Semaphor and the
team/business context as having pretty different requirements (and
therefore somewhat different underlying crypto structures) than individual
messaging. The biggest differences are about message retention and what
happens when you want to invite a new member to an established conversation.

~~~
newscracker
Sorry, when I wrote my comment, I could not find any information from your
website about the pricing of Semaphor and what the tiers provide (it just says
"plans starting from $6"). The article didn't really explain the plans and
what they provide either.

It seems like the personal plan pricing is high, considering that "personal"
use as such may not be high volume or high storage in general for such an
application. But that's just a thought without any information, and as such,
not useful. It may be easier to judge it after knowing what it provides in
every tier.

My comment on pricing was based on the pricing model you have for the backup
service, which is highly nonlinear with a very high jump between tiers to push
people to buy into a larger one. The plans at 30GB and 1TB remind me of
Dreamhost and oversold plans (not that it's wrong business wise, but it
doesn't seem fair from the customer's point of view).

------
implicit_none
Downloadable here:
[https://spideroak.com/opendownload](https://spideroak.com/opendownload)

~~~
fizzbatter
Bummer, they say Android, but the download isn't available.

~~~
rarrrrrr
Sorry! Ironically (since we're using Google's Golang) Android has been the
hardest platform for us to finish. We've got Mac, iOS, Linux, and Windows now,
and are running Android internally but it's not release ready yet. Should have
it within a few weeks. It is likely to require a newish Android version
though. Thanks for taking a look!

