"Roth had notified them about the hole via Twitter"
I guess that's why he's a security researcher and not a security professional.
I'm definitely more "security researcher" than "security professional," and on several occasions have notified firms of vulnerabilities and abuse by Twitter...when emails, phone calls, and other more orthodox channels of communication have been ignored.
Sometimes, public shaming works where reasonable discourse doesn't.
You're talking X terminals or NC stations. The catch is that you have to trust the server in these operations. The idea they're trying to pull off is to have effectively secure e-mail such that not even the server can read it, even under duress. Oh, and do it with turnkey simplicity so that even the stupid can do secure e-mail.
And it should have been obvious to any IT professional why that is the case.
They claim they could not read users' encryption keys, but they provide the software that handles the keys. And can replace it without the user's knowledge. Yet, despite this obvious false claim, and having been called out on it, they *still* claim they could not obtain users' passwords.
That is either world-class incompetent, or plain disingenuous.
Either way, nobody I would want to trust with my communications.
Any chance for the poor sods who were stupid enough to back these people to get back their money?