Re: Question: How to check anonymity claims of a newish P2P system

cipherpunk_at_gmail.com
Date: 07/04/05


Date: 4 Jul 2005 02:52:15 -0700

Here are some reasonably good rules of thumb for evaluating security
software.

1. Is the source available? The right answer here is "yes". If the
answer is "no", you need to ask very hard questions about why the
source isn't available. Don't settle for answers like "if we published
the source code, it'd make the system easy to subvert, so we hide it
for your protection". If that's true, that's a clear admission their
system is badly broken.

2. If they're using new protocols, have they published papers about
them in technical literature? If the answer is "no", you need to ask
hard questions about why not. Either (a) the technical journals don't
think their protocol is all it's cracked up to be, or (b) they didn't
publish the protocol in order to keep it "stronger" to "protect" you...
see question 1.

3. Have they hired an outside security firm to investigate their
claims? If so, where's their report--and if not, why haven't they?

4. Who wrote it? Do the people who wrote it have a reputation for
having earned their bones breaking protocols? If they won't tell you
who wrote it, why won't they tell you?

... Zultrax has no source available (that I could see). Citeseer, a
major computer science reference site, has never heard of their ZEPP
protocol. I could find no independent review of the ZEPP protocol, and
they're not saying who designed it or what their backgrounds are.

Color me deeply skeptical.