The person wants to explain away technical problems to engineers with wiggling words, which does not work. Especially all this "but it was a beta and never released", which is completely beside the point (which makes you wonder: did the person not understand the point at all, or do they want to wiggle out again?).
The passive-aggressive tone towards some security researchers, e.g. "Who are you? Why are you here?", does not show good intent. The wiggling out with "that's not important, that happened some years ago" is not convincing.
"But some other company that uses your CA product"
Another company that you own had an "alleged" rogue dev, but the person says "no-one can know, that's the way of life, so we should move on". It feels like an SNL police sketch where the police ask a question and the suspect answers "I don't know what happened last week, and can we really know what is going on, does anyone know? And it was last week, we should just move on, goodbye officer".
"If the integrity of the people funding the operations"
It's not about the funding but the two companies had (have?) the same officers.
The only way forward that could have been successful IMHO:
1. I bought the operation (Trustcor) 1 year ago and have no documents about prior company development or involvements because I didn't get any when I bought the company - and the people I bought the company from don't answer my emails.
2. But I did switch the auditor (has not happened) to make sure everything is OK.
3. I will do my best to find out what has happened back then.
I really don't understand the claims of passive-aggressive tone or explaining away technical problems to engineers. She was defensive, no doubt, but that's to be expected. She was trying to establish a fair ground for responding to what probably seems to her like absurd, unfounded accusations. It sounds like she was in the middle of investigating things herself. She probably had legal limits to what could and couldn't be discussed publicly and was trying to communicate that to people screaming at her.
None of the behavior was unexpected given the situation. That's really what I'm hung up about. There were two instances where people asked a bunch of questions and she responded to the 15 different ones being asked, and then immediately there were like 2 responses from bystanders to the tune of "that response doesn't engender confidence because TLDR", when in fact, if you cared to read it, it directly answered like 13 of 15 questions and then for two more said essentially that she was investigating the issue and didn't immediately know (which you say is the correct response). If I faced a wall of questions, my natural thought would be to be thorough and respond with a carefully thought out wall of answers...
I guess assessing the answers is subjective; I've read several of her long replies and they are either weak or do not contain an answer to the question, e.g.:
"In Response to "How was an unobfuscated version of the Measurement Systems SDK incorporated into MsgSafe?":
Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SD [...]"
This does not answer the question. It's irrelevant whether the software was published or not; the question is, how does MsgSafe get an unobfuscated version of a piece of software where everyone else got an obfuscated version? Why does MsgSafe include the only known unobfuscated version, if they are not the primary authors?
Answers are intertwined with marketing, e.g. "We have innovated and lead the market in the adoption of TLS server certificate issuance for one of the longest-running and most respected dynamic DNS services worldwide and the positive impact this move has made cannot be overstated." - which has nothing to do with the issues at hand.
About security, the most concerning answer:
(Their website right now states: "Private, end-to-end encrypted")
In Response to: "[...] Nevertheless, I think it is reasonable expectation that a root certificate authority can get the crypto right, and so I'm concern regardless of the reason why.”:
[...] As far as you not believing the product is offering adequate encryption capabilities, let me first say that I do not want to drag the names of any other encryption products or services through the mud. To address your concerns, based on our teams exhausted research into many other providers offering similar services, one basic rule applies; whether the encryption or decryption functions are occurring on the client (often in javascript) or on the server, the server is still storing and handling the key material in the process. [...] If encryption occurs on the client then the key material is passed from the server to the browser over TLS. [...] As the MsgSafe website explains, our team has found that implementing the key material and encryption/decryption processing on the server provides security without the additional processing requirement on the client."
Either this is snake oil ("Private, end-to-end encrypted") or they don't know what they are doing.
There are many more of those answers in the thread, but dinner's ready and I can't https://xkcd.com/386/
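As an added illustration, not code from the thread or from MsgSafe/TrustCor: the two architectures in the quoted reply modelled side by side, using a toy HMAC-keystream cipher (an assumption made so it runs offline, not any product's cipher). It shows what the "end-to-end encrypted" label actually promises: the server's stored state alone cannot recover the plaintext, and no key material ever has to be "passed from the server to the browser".

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (keystream block i = HMAC(key, nonce||i)). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Key derived from a user passphrase; in the E2E design this runs on the client only.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class ServerHeldKeyDesign:
    """The design defended in the quoted reply: the server stores and uses the key material."""

    def __init__(self):
        self.key = os.urandom(32)  # generated and kept server-side
        self.store = {}            # msg_id -> (nonce, ciphertext)

    def send(self, msg_id: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.store[msg_id] = (nonce, _keystream_xor(self.key, nonce, plaintext))

    def server_can_read(self, msg_id: str):
        # Anyone with access to the server's state (operator, intruder, subpoena) reads it.
        nonce, ct = self.store[msg_id]
        return _keystream_xor(self.key, nonce, ct)


class ClientE2EDesign:
    """End-to-end: keys exist only on clients; the server stores opaque blobs."""

    def __init__(self):
        self.store = {}  # the server's entire view: msg_id -> (salt, nonce, ciphertext)

    def client_send(self, msg_id: str, passphrase: str, plaintext: bytes) -> None:
        salt, nonce = os.urandom(16), os.urandom(16)
        key = derive_key(passphrase, salt)  # derived on the client, never uploaded
        self.store[msg_id] = (salt, nonce, _keystream_xor(key, nonce, plaintext))

    def client_receive(self, msg_id: str, passphrase: str) -> bytes:
        salt, nonce, ct = self.store[msg_id]
        return _keystream_xor(derive_key(passphrase, salt), nonce, ct)

    def server_can_read(self, msg_id: str):
        # The server holds salt, nonce and ciphertext but no secret: nothing to decrypt with.
        return None
```

The check a reviewer of such a claim wants is the last method: enumerate what the server persists and confirm none of it decrypts the stored messages.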