Velocity Reviews > Newsgroups > Computing > Computer Security > Re: Truly Trulymail
Re: Truly Trulymail

TrulyMail Support
08-31-2010
On Aug 31, 11:08 pm, B℮ar Bottoms <bearbotto...@gmai.invalid> wrote:
> On Tue, 31 Aug 2010 07:07:27 -0700 (PDT), TrulyMailSupport wrote:
> > If you would like to
> > audit our source code, we would be happy to show you some key parts of
> > it if you are ever in Santiago.
>
> I often fly down to South America.
>
> How about next Tuesday?

I'm not free on Tuesday but I'm free that Friday. Will that work for
you?


TrulyMail Support
08-31-2010
On Aug 31, 10:07 pm, "Mr. B" <n...@supplied.com> wrote:
> TrulyMailSupport wrote:
> >> 3. What is the encryption you are using?
>
> > We use both synchronous and asynchronous encryption. We use 4096 bit
> > keys which we feel is strong enough for now.
>
> Perhaps you could shed some light on which ciphers you use? The more I read
> your posts, the more I think you are another snake-oil salesman.
>
> -- B


For some reason, some of my responses don't get listed here. Anyway,
let me answer again: We use the Rikndael cipher. I wrote more detail
in another response but if something is still unclear, please let me
know and I will clarify.

I'm really not a snake-oil salesman and I'm happy to show you whatever
you need to see.

TrulyMail Support
08-31-2010
On Sep 1, 12:14 am, TrulyMail Support <supp...@trulymail.com> wrote:
> On Aug 31, 10:07 pm, "Mr. B" <n...@supplied.com> wrote:
>
> > TrulyMailSupport wrote:
> > >> 3. What is the encryption you are using?
> >
> > > We use both synchronous and asynchronous encryption. We use 4096 bit
> > > keys which we feel is strong enough for now.
> >
> > Perhaps you could shed some light on which ciphers you use? The more I read
> > your posts, the more I think you are another snake-oil salesman.
> >
> > -- B
>
> For some reason, some of my responses don't get listed here. Anyway,
> let me answer again: We use the Rikndael cipher. I wrote more detail
> in another response but if something is still unclear, please let me
> know and I will clarify.
>
> I'm really not a snake-oil salesman and I'm happy to show you whatever
> you need to see.


Rijndael cipher is what my fat fingers were trying to type.

Mr. B
08-31-2010
TrulyMail Support wrote:

> Like my earlier post, clearly another apology is in order. My
> intention was certainly not to offend (although, offending you is
> likely impossible so I'll say my intention was not to anger you). My
> point was not that you can either trust us or go away. My point was
> that any startup (I admit we are very new at only two years old) is
> naturally protective of what they have. I know of firms who have had
> Chinese hackers literally simply rebrand something which took a
> significant amount of energy (and money) to produce. So, now there is
> a competitor there with zero development costs (save the hacking
> costs). That's tough (and a reminder to be cautious).
>
> It is important to us that we don't end up down that road. Handing out
> source code for everyone to see, rebrand, recompile, and redistribute
> on a whim seems not to be the best way to ensure a company has a
> future. That said, we do understand the need for others to see what we
> are doing in order to be confident enough to trust our products.


Well, you could always ask the people at this company:

http://www.redhat.com/

> While I, personally, don't have a background in cryptography, I do
> understand software. Our software is built on components, like most
> software today. Our TrulyMail client is built using Microsoft's .Net
> and our encryption uses their cryptographic library using the Rijndael
> algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
> bit key, as mentioned earlier.


See, this is the kind of information we wanted. You are using RSA and AES
as your ciphers. You are using Microsoft's implementation of those ciphers.
That information goes a long way.

> Since we did not write the encryption algorithm, it didn't seem
> relevant to give names and cryptographic backgrounds of everyone at
> the company.


No, but it is still good to know. Even using someone else's implementation
of a cipher can be problematic, if you do not know what you are doing. I
have seen cases of poor random number generation leading to a break. I have
seen people fail to use block chaining, or select the wrong block chaining
mode. I have seen programs that do not properly verify public keys. The
list of mistakes people can make even when they use a very good cipher
implementation is long.

> I might be new to cryptography (and out of touch with the culture of
> extreme openness) but I do understand the need for privacy in an easy-
> to-use manner. I don't believe that only people who can configure
> complex software have the right to privacy. I believe that everyone
> deserves it and we're producing software to give that to them.


Except that configuring PGP is not a complicated process. I have seen
people with almost no technical background successfully use PGP to encrypt
their email.

On the flip side, I have seen attempts to simplify email encryption backfire
horribly. Hushmail is a good example of this: Hushmail was created with
the same goal you have, to bring email encryption to the masses and to make
it easier to deal with. Hushmail uses PGP. Yet when a steroids dealer
tried to use Hushmail, the DEA showed up in court with 12 DVDs of emails
that the dealer had sent and received, all decrypted, because Hushmail's
method of making cryptography easier wound up making it much less secure.

-- B
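Two of the mistakes Mr. B lists above (weak randomness, and no chaining or the wrong chaining mode) are easy to show concretely. What follows is an added example, not code from the thread, from TrulyMail or from the .NET library the post mentions; it is written in Go because its standard library carries AES, CBC and an OS-backed CSPRNG with no extra dependencies. The sample plaintext and the demo key are constructed here. It encrypts one message with AES (Rijndael) in ECB mode, where each block is encrypted on its own, and in CBC mode with a fresh random IV, then counts repeated ciphertext blocks: ECB reproduces the message's structure in the ciphertext, CBC does not. Two caveats a reviewer would add to the exchange: Rijndael/AES keys are 128, 192 or 256 bits, so a "4096-bit key" in an RSA+AES stack can only be the RSA key; and CBC on its own gives no integrity, so a real mail client needs a MAC over the ciphertext or an authenticated mode such as AES-GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample input (not from the thread): four identical 16-byte
// records, the kind of repetition headers and fixed-width fields produce.
var samplePlaintext = bytes.Repeat([]byte("ACCOUNT=00001234"), 4)

// pkcs7Pad / pkcs7Unpad bring arbitrary-length input to whole AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptECB is the "no chaining" mistake: every block is encrypted on its
// own, so equal plaintext blocks give equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC chains blocks and draws a fresh IV from the OS CSPRNG
// (crypto/rand; math/rand here would be the "poor random number" mistake).
// The IV is not secret and is prepended to the ciphertext.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(pt))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

// decryptCBC reverses encryptCBC, reading the IV from the first block.
func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: ciphertext too short or misaligned")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// On a short message any nonzero count is a red flag for ECB-style leakage.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // demo-only AES-256 key; real keys come from crypto/rand
	ecb, _ := encryptECB(key, samplePlaintext)
	cbc, _ := encryptCBC(key, samplePlaintext)
	fmt.Println("repeated ciphertext blocks: ECB", repeatedBlocks(ecb), "CBC", repeatedBlocks(cbc))
}
```

`go run` on this file reports three repeated blocks for ECB and none for CBC, and a second CBC run of the same message produces a different ciphertext because the IV changes. The padding check is a plain byte comparison, so it is not constant-time and does nothing against padding-oracle attacks; that is one more item for the list of ways a sound cipher gets misused.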

nemo_outis
08-31-2010
TrulyMail Support <> wrote in
news:c7958a6d-3b24-47ba-87e1-
ups.com:

....
> OK, please let me publicly apologize. It was never my
> intention to snub anyone here. My point was simply that it
> is easier to answer clear questions. Clearly I was
> inappropriate in my response and I hope you will forgive
> me.



There is no need for you to apologize to anyone - you have been
entirely forthcoming about your company and its products.
Moreover, you have shown the patience of a saint and remained
courteous even when responding to insulting confrontational
boors such as Ari.

I wish you and your company every success.

Regards,



nemo_outis
08-31-2010
Ari Silverstein <> wrote in
news::

> Harsh it was and intended to be. I get my knickers in a wad
> anytime I see people who want to play at privacy, make
> ostentatious claims about their products and refuse to
> offer any reasonable details as to basis for those claims.
> Call me old fashioned. Call me an asshole. I could care
> less.


You are an old-fashioned asshole, Ari, an asshole with a very
long track record. You are a man who has accomplished nothing
and who instead belittles and harasses anyone who has.

You could care less, you say? Wonderful, because that creates a
marvellous symmetry - no one else cares what *you* have to say
except your sockpuppets.


Ari Silverstein
08-31-2010
On Tue, 31 Aug 2010 10:05:42 -0700 (PDT), TrulyMail Support wrote:

>>> It is clear that you would be best served by an open-source solution.
>>> If you believe everyone is best served by the same thing, you should
>>> hear some horror stories of our users about trying to get encrypted
>>> email to work when they used GPG and their broker used PGP. The short
>>> version is that in the end, they gave up and used clear-text email -
>>> far less than ideal.
>>
>> Oh I see so the alternative is to "trust you" and your Wizard of Oz
>> act behind your curtain?
>>
>> Har.
>>
>> You could be a honeypot, a NSA/CIA front company, a terrorist node and
>> a whole lot of other much nastier things than a clear text email
>> provider.
>
> Like my earlier post, clearly another apology is in order. My
> intention was certainly not to offend (although, offending you is
> likely impossible so I'll say my intention was not to anger you). My
> point was not that you can either trust us or go away. My point was
> that any startup (I admit we are very new at only two years old) is
> naturally protective of what they have.


Bzzzzzzt, Wrong. There are so many open source startups with
transparency in development and code that I couldn't count them all in
a month.

>I know of firms who have had
> Chinese hackers literally simply rebrand something which took a
> significant amount of energy (and money) to produce. So, now there is
> a competitor there with zero development costs (save the hacking
> costs). That's tough (and a reminder to be cautious).


I know who you are talking about and it was their own fault that their
DB dev got leaked.

You can prattle on, divert and point to others while your hand is in
the proverbial cookie jar but nothing has changed.

You make unsubstantiated claims using smoke and mirrors tomfoolery
while playing with people's privacy. This "trust us, we're good guys"
is total bullshit and you are going to get the customers you seek.
Total nitwits with no clue that you are pushing out product with no
intention of backing your claims except for your own deceptions.

So be it. That's your business model. But fer the love of Christ,
don't foist this line on people around these parts who have been
exposing and devouring scammers and bottomfeeders for years.

Take your blood money and run.

> It is important to us that we don't end up down that road. Handing out
> source code for everyone to see, rebrand, recompile, and redistribute
> on a whim seems not to be the best way to ensure a company has a
> future.


Jeez, what an idiotic thing to say, it's baseless and completely
untrue.

Just out of morbid curiosity, how do you even manage to get yourself
motivated to post? It can't be fun for you any more after making a
fool of yourself so many times, can it? In fact the last two days
have been so horrible for you, you could reply to without embarrassing
yourself so much even you can't stand it. Pretty sad considering your
lack of self respect but fully in line with your ethical code toward
open and transparent privacy (none) and the blitherings of your
misleading website.

Seriously. Why do you bother? You can't honestly believe anyone sees
you as anything but a clown any more, can you? Don't you have
anything you could be doing that would be a bit less of a nightmare
for you, like burning yourself with lit cigarettes or finger painting
with your own feces?

> That said, we do understand the need for others to see what we
> are doing in order to be confident enough to trust our products.
>
> We have chosen to err on the side of caution but if someone wants to
> see, they are welcome.


As long as they hump it to Santiago on their nickel to see a "bit of
your code". Of course.

Are you daft? You actually believe this is a legitimate possibility
for a software audit or do you believe we are so damned stupid that
this joke of an offer will be seen as anything other than what it is.

A joke.

> My saying that we would expose key parts was not intended to convey
> that we will keep some parts secret. The intention was that we will
> expose whatever you want to see about the encryption, if you are
> concerned about the encryption.


Backpedal much? What, no dinner now? "Trust you", you say?

Unfortunately, most Usenet readers will think this is a lie -- merely
because it almost always is. This will be a problem for you if you're
being honest. And if you're not being honest, your stupidity will be a
problem for you.

Either way, no one is going to take you up on this and you know it.
It's disingenuous but, at least, you're consistent in that way.

>>>> If your implementation sucks, it doesn't matter if you have 400,096
>>>> megabit keys.
>
> While I, personally, don't have a background in cryptography,


Well, slick, then you haven't got an ounce of credibility anymore.

> I do
> understand software. Our software is built on components, like most
> software today. Our TrulyMail client is built using Microsoft's .Net
> and our encryption uses their cryptographic library using the Rijndael
> algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
> bit key, as mentioned earlier.


Guess what we do. Build software on .NET frameworks in military server
environments under the strictest sets of cryptographic standards.
UH-huh, yeppers, and now you are Trulymail *support*?

Wow. Man, you blew it. You have a LONG way to go before you can even
SEE 'up'. Should have started out open and honest from the start, too
bad. Too sad. You might be attacked for trying to sell your own
product, but you get CRUCIFIED for being deceptive about it.

Hint: Just fess up now, be done with it.

> Since we did not write the encryption algorithm, it didn't seem
> relevant to give names and cryptographic backgrounds of everyone at
> the company.


What company? Who are you? No crypto background because you just rely
on Microsoft's implementations in a sort of "slap it in there and
alrighty that's great" approach?

Then if that approach is so wonderfully sound

<snigger>

why not state exactly that on your website?

About Us: "Trulymail has no one with a cryptographic background, we
shove together components and sell them. Trust us. We trust
Microsoft."

Doesn't that have a nice ringy-dingy to it? I release it to you with
no claim to copyright. It's yours.

Use it. It's the truth.

> I don't believe you asked for my last name but if I misread your
> question, here is the answer. My name is John Andre. I have two
> decades experience in developing software using Microsoft technologies
> for various companies around the world (including in Chile, the US,
> Austria, Switzerland, and others).


OK then put that on your website too. See how easy this is?
Transparency. Honesty. You don't have to put up your picture in case
you're ugly either.

> I might be new to cryptography (and out of touch with the culture of
> extreme openness) but I do understand the need for privacy in an easy-
> to-use manner. I don't believe that only people who can configure
> complex software have the right to privacy. I believe that everyone
> deserves it and we're producing software to give that to them.


So you say. No proof, no pudding. Sorry.

> We're now getting into personal philosophies and that was clearly not
> asked about so I will try to restrict this tangent.
>
> Again, to summarize, I apologize for my erring on the side of secrecy.
> TrulyMail was created because of the basic belief that freedom goes
> hand in hand with privacy.
>
> Now, feel free to rip into it.


All I do is stand back and let you hang yourself. And supply the tree
and the rope of course.
--
9ec4c12949a4f31474f299058ce2b22a

Ari Silverstein
08-31-2010
On Tue, 31 Aug 2010 23:34:30 +0100, B℮ar Bottoms wrote:

> On Tue, 31 Aug 2010 10:07:21 -0700 (PDT), TrulyMail Support wrote:
>
>> On Aug 31, 11:08 pm, B℮ar Bottoms <bearbotto...@gmai.invalid> wrote:
>>> On Tue, 31 Aug 2010 07:07:27 -0700 (PDT), TrulyMailSupport wrote:
>>>> If you would like to
>>>> audit our source code, we would be happy to show you some key parts of
>>>> it if you are ever in Santiago.
>>>
>>> I often fly down to South America.
>>>
>>> How about next Tuesday?
>>
>> I'm not free on Tuesday but I'm free that Friday. Will that work for
>> you?
>
> Are you crazy? Look what happened last time I was late.
>
> http://www.prorev.com/BARRY%20SEAL.jpg


lol

Oh me.
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

Ari Silverstein
08-31-2010
On Tue, 31 Aug 2010 17:13:29 +0100, B℮ar Bottoms wrote:

> On Tue, 31 Aug 2010 11:25:32 -0400, Ari Silverstein wrote:
>
>> Don't even think about trying to sell to the US Gov't, DoD or any
>> of the intertwined military-intelligence agencies. They /really/ frown
>> on foreign nationals who play at such serious business.
>
> We will see. I say, see you next Tuesday Silverstein. Who needs to sell to
> the government? I have friends who will pay big for the right service.


Well Bottoms there are times I would much prefer to deal with you,
Debbie and the Bear crew than some of the dunderheads we have to screw
around with in the USGov.

Not many times.

Maybe only once to be truthful.
--
http://www.dwacon.com/images/melgibson.jpg

Ari Silverstein
09-01-2010
On Tue, 31 Aug 2010 19:52:53 GMT, nemo_outis wrote:

> Ari Silverstein <> wrote in
> news::
>
>> Harsh it was and intended to be. I get my knickers in a wad
>> anytime I see people who want to play at privacy, make
>> ostentatious claims about their products and refuse to
>> offer any reasonable details as to basis for those claims.
>> Call me old fashioned. Call me an asshole. I could care
>> less.
>
> You are an old-fashioned asshole, Ari, an asshole with a very
> long track record. You are a man who has accomplished nothing
> and who instead belittles and harasses anyone who has.


All of which you of all people know is bullshit, Mr. Anonymousie.
Except the asshole part that is.

May I bring to your attention (get out your swatter and prepare to run
away like the coward you are, Mr. Anonymousie), that we discussed your
personal, paid involvement in one Fed Railroad emergency warning
system product development?

Hmmmmmmmmm?

And what was your answer, you flagellating Canuck?

"I'm retired".

**** off, we went ahead without you and put into play what is soon to
become a very robust warning system that will, can and shall save
lives and much serious injury. Made a few shekels at it too.

> You could care less, you say? Wonderful, because that creates a
> marvellous symmetry - no one else cares what *you* have to say
> except your sockpuppets.


Proof?

This from an anonymousie poster who hasn't the balls to come out of
hiding?

Har.

Btw, don't push your luck. I know exactly who you are. We vet before
we offer, my fine Canuckie friend.

Now don't you have some macaroni and cheese and an estranged wife to
look after?

Hmmmmmmm?

*<VVBG>*

P.S. Your hypocrisy regarding this subject of open and transparent
privacy is glaring but driven by your perpetual need to embarrass
yourself in your attempts to discredit me, you, like Trulymail, toss
aside all your own ethics and well established stands on these
matters. How pathetic of you. How very, very petty and fragile you
have become.

*Xpost reestablished you cowardized little freak of nature.*
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702