Wednesday, May 13, 2015 - 19:16

Bleep. Just more useless closed source cryptography

Bleep is a secure messenger for iOS, Android, and Windows and OS X desktops. The company behind it is the same one that is behind BitTorrent, and Bleep capitalizes on this fact, most notably with its decentralized approach. But ...

To grab a random quote from their website:

"Software Engineering at its finest. If you haven't read the blog post on this app then you need to. Once you see how it works you're gonna want it. Most secure messaging I've seen yet."

How does he know? Aside from the fact that software engineering is usually not at its finest, the interesting part of that quote is "Most secure messaging I've seen yet". How does he know that?

Unless he works for BitTorrent - which would be awkward - there's no way to even tell that. There's no way to check it and there's no credible expert who's looked into it. And there will be none unless BitTorrent pays for an audit.

Cryptography is a field where you cannot even assume that someone bothers with your shitty product even if it is open source. There's simply too much around and too much of that is utter crap. And no one likes to waste their time.

A closed source approach to a product implementing cryptography is mostly doomed from the start. It doesn't mean you cannot be successful in marketing it. You can. There are numerous examples of successful products which are among the worst spawns of Crypto-Crap the world has ever seen.

Just implementing cryptography is not enough. To be secure, it needs to be implemented properly, and more often than not this is not the case. So while a product does in fact encrypt whatever it is supposed to encrypt, it does so in a way that makes the encryption prone to attacks. And more often than not, that is not an obvious problem. The two ways out of this are (a) open source and (b) a paid audit. The problem with the latter is that any relevant update also requires an updated audit.

Unless you have one or the other, saying the product is worth shit is a pretty bold claim. And being a US-based entity makes that problem even worse.

Being BitTorrent'ish, Bleep is a decentralized messenger, and that's pretty much all it is. Is it implementing cryptography? It is. Does it work? Who knows? It might or it might not. "It might" is not a qualified parameter if you actually need it. Closed-source cryptography without an audit is nothing more than an optional feature.

To quote another guy from the website...

"Great App.. Encrypted, Decentralized.. What more could you want?"

How about knowing if that encryption works?

Comments

Wayne

...and no offline installer. Next!

Good Info, but...

... now that you bashed Bleep, & purport that it's crap, what GOOD NEWS do you have for us? For example, what IS the best iOS/Android product out there for our security needs? Please advise. Thank you.

admin
in reply to Good Info, but...
For the time being ... use Signal. It has two major advantages. It's primarily done by someone from within the community and it's open source. So there's credibility and opportunity to have a look at it. And those are two major factors. If one of those two is missing, be very careful. There are so many BS products out there that it's simply impossible to look at all of them. Even if they are open source. So usually the focus is on those where you can assume that the guys should have a clue. Now that doesn't mean that Bleep is not secure. But if you NEED that security you probably do not want to gamble on that for really no particular reason. At the moment Signal gives you the best we can do for a package that's still fairly simple to use if you follow the safeguards.
