I don't think so. This is a high value vulnerability, you keep it in the back pocket. Especially since it has demonstrated key extrication and affects a large number of hardware and software platforms.

This doesn't negate the fact that this was their favorite vulnerability. Realistically most intelligence services probably new about this shortly after that commit.

Your entire post is factually incorrect.

" and it's basically an inherent flaw down to the fact that the internet (TCP/IP) is routed randomly"

The Internet and TCP/IP are not routed randomly, your basic failure to understand that leads me to believe that you shouldn't be advocating for adding latency to HFT infrastructure you don't understand.

This is totally valid. Obviously not the point I'm trying to make. The suggestion you had above of making some kind of event that shuts it down is a good one, I'lll have to give it some thought. :)

Hah, yeah. I've had mixed reactions to that. :-) I'll probably replace it with something a little less threatening that still gets the point across.

When I read the summary I immediately thought to myself that I have similar goals to these guys, in that I want to make cryptography easily accessible to a wide variety of users. I'm specifically focused on secure file transfer, and am in open beta. You guys can check it out at https://www.senderdefender.com/ and let me know what you think. Given how insecure cloud data is in general I suspect we will see a growing number of client side encrypted communication tools.

Matt

I think I have some insight into this as I have an end to end encrypted cloud service called coinlock.com My slashvertisement on the subject was ignored though ;) millions in funding tends to get people noticed.

Anyway on this particular subject I think you have hit the nail on the head. The key to long term security is to completely open up the API and separate the client side components so that third parties can use te service with their own sotware or with the software that you have provided them directly on their local computer.

This is easier said than done for most services, but its something that I am striving towards and intend to do a full client auditable release as well as publish the public facing api. This idea that people can move their services outside of the country and it matters I think is very flawed. U.S. companies are subject to the law regardless of where they do their hosting, and the managment team is the weakest link in the security chain. This is something that is best solved by transparency.