There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.

However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.

The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?

The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base 64 encoded, wrapped in JSON, and then base64 encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64 encoding binary data with the tightness and simplicity of a text based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity .... in C.

Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.

So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.

Indeed. I once read that the limiting factor on how high we can build skyscrapers is not structural engineering but the explosion in space occupied by elevator shafts as you try and go higher and higher whilst preserving reasonable wait times.

Even in Finance, they've done that. Look at PayPal. The only reason that it exists is that the banks and credit card companies dragged their feet with online payments. They're now doing free electronic person-to-person transfers, but it's still expensive to take credit card payments online.

No, if you read the article they clearly state the keys were fraudulently obtained. If you obtain keys via fraud, they are almost by definition not "good keys".

Exactly. Go back a couple of hundred years and you even have well-off people saying 'I don't need to learn to write, I can afford to hire a scribe'. You had people saying 'not everyone needs to learn to read and write, there aren't enough jobs for that many scribes anyway'.

Before he retired, my stepfather was the head groundskeeper on a golf course. Not exactly the kind of job you think of as requiring coding skills. Except that they had a computerised irrigation system that could trigger sprinklers in response to various events (humidity sensors, motion sensors, time, and so on). It came with a partly-graphical domain-specific programming language for controlling it. It's going to be very hard in the next 50 years to find a job that doesn't require some programming to do it competently - even this kind of stereotypically low-tech job requires it now.

I used to pirate games and I used to buy games. I eventually couldn't be bothered with pirating and worrying about malware or with trying to jump through the hoops that the publishers wanted, so I stopped playing games altogether. Then gog.com launched and sold me games that I was nostalgic about, cheaply. Then they started selling newer games. I spent more with them last six months than I did on total on games in the five years since Steam was launched and the industry wend DRM-happy. I can download DRM-free installers for all of the games, often in OS X, Windows, and Linux versions.

It turns out that there's another answer to piracy that works: sell your product in a way that's easy to use at a reasonable price. Stop worrying about pirates and start worrying about customers. Someone who wouldn't buy your game anyway who pirates it is not a lost sale, but someone who can't be bothered to put up with your treating them like a criminal and so doesn't buy from you is. Buying a game from gog.com is easier than pirating and, if you factor in the cost of your time, probably cheaper as well.

Give me a product I want for a reasonable price and I will happily hand over my money, because I feel that I'm getting something valuable in return. Don't, and... well, computer games are not the only form of entertainment available.

RedPhone is free and open source end to end encrypted telephony that works OK (not amazingly, but as well as a typical commercial VoIP app does). People authenticate each other using their voices.

This is very true. However, WhatsApp appears to be a counter-example. They are deploying full end to end encryption and instead of ads, they just ..... charge people money, $1 per year. WhatsApp is not very big in the USA but it's huge everywhere else in the world.

The big problem is not people sharing with Facebook or Google or whoever (as you note: who cares?) but rather the last part - sharing with a foreign corporation is currently equivalent to sharing with its government, and people tend to care about the latter much more than the former. But that's a political problem. It's very hard to solve with cryptography. All the fancy science in the world won't stop a local government just passing a law that makes it illegal to use, and they all will because they all crave the power that comes with total knowledge of what citizens are doing and thinking.

Ultimately the solution must be two-pronged. Political effort to make it socially unacceptable for politicians to try and ban strong crypto. And the deployment of that crypto to create technical resistance against bending or breaking those rules.

That's not what the second link says is happening though.

My reading of the second article is that there is the following problem. Website G2A.com allows private re-sale of game keys, whether that's to undercut the retail prices or avoid region locking or whatever is irrelevant. Carders are constantly on the lookout for ways to cash out stolen credit card numbers. Because fraudulent card purchases can be rolled back and because you have to go through ID verification to accept cards, spending them at their own shops doesn't work - craftier schemes are needed.

So what they do is go online and buy game activation keys in bulk with stolen cards. They know it will take time for the legit owners of the cards to notice and charge back the purchase. Then they go to G2A.com and sell the keys at cut-down prices to people who know they are obtaining keys from a dodgy backstreet source, either they sell for hard-to-reverse payment methods like Western Union or they just bet that nobody wants to file a complaint with PayPal saying they got ripped off trying to buy a $60 game for $5 on a forum known for piracy and unauthorised distribution.

Then what happens? Well, the game reseller gets delivered a list of card chargebacks by their banks and are told they have a limited amount of time to get the chargeback problem under control. Otherwise they will get cut off and not be able to accept credit card payments any more. The only available route to Ubisoft or whoever at this point is to revoke the stolen keys to try and kill the demand for the carded keys.

If that reading is correct then Ubisoft aren't to blame here. They can't just let this trade continue or it threatens their ability to accept legitimate card payments.

I'd also like to plug the FFII for anyone in Europe. They have a few MEPs among their members and have had some important successes. Less relevant in this particular issue, but they have a lot of overlap with the EFF in other places.

In this case UBISOFT has a dispute with gray marketeers and decides to take it out on the customers instead of taking it to the courts

Ubisoft might not be able to take them to the courts. For example if these resellers are in China or developing countries where the local authorities don't care about foreign IP cases. Technically speaking, it's actually the customers who have a dispute with the resellers, because those resellers knowingly sold them dud keys. It's not much different than if you buy a fake branded Mac, take it to an Apple repair centre and they tell you to go away. Your dispute is not with Apple. Your dispute is with the entity that sold you the fake goods.

Look at it another way. What if these "resellers" were actually selling you random numbers instead of game activation keys. When you try them out and discover they don't work .... your dispute is not with Ubisoft. They would be totally correct to deny activation of the game. Your dispute is with the fraudster who sold you the invalid keys.

Legally speaking that would be a dispute between you and the bogus reseller. They sold you something that was effectively counterfeit. There's lots of well established law in this area.

Blame for this issue lies soley at the feet of Verizon, At&T, Sprint, T-Mobile, etc.

In my case, the vendor is called Google -- I have a Galaxy Nexus. This phone is just two years old. No updates to 4.4, 4.3 is the last version supported.

Thus, I lay blame at the feet of the vendor -- Google.

PS: No need to tell me about CyanogenMod. I know about that. This is not about geeks being able to root their phone and replace the OS. This is about Google not doing proper support for a commercial product, a behavior that any other company in the IT business would be grilled about on virtual hot coals.

That's actually what it's like at "Mojave Spaceport". Hangers of small aviation practicioners and their junk. Gary Hudson, Burt Rutan, etc. Old aircraft and parts strewn about. Left-over facilities from Rotary Rocket used by flight schools. A medium-sized facility for Orbital. Some big facilities for BAE, etc. An aircraft graveyard next door.

SS2 has not completed testing and it is probable that there will be a need for redesign of one or more components. So, this is a really bad time to have the hand-off. Publicity isn't a good reason.