Slashdot Mirror


Twitter To Open Source Android Security Tech

itwbennett writes "Following last month's acquisition of Whisper Systems, Twitter is open sourcing 'some' of the company's Android security products. First up: TextSecure, a text messaging client that encrypts messages. Source code is on GitHub now. 'Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent,' writes IDG News Service's Nancy Gohring."

9 of 164 comments

  1. Maybe it was required? by migla · Score: 3, Insightful

    Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent.

    So, apparently whispersystems has to do with that Moxie Marlinspike character, who strikes me as someone who might have some open sourcing as a requisite for the acquisition?

    --
    Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
    1. Re:Maybe it was required? by Anonymous Coward · Score: 4, Insightful

      Q: Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?

      A: (Moxie Marlinspike) Same reason most enterprise software vendors' products aren't OSS, harder to sell software that way. =)

      So I guess you're saying he wanted it open since he no longer has to worry about selling it? If you are, that's part of what burns me about open source... so many are on the band wagon until it means that they're the ones producing software while not standing a great chance to profit from their work.
       
      Not far from the "IP doesn't really exist crowd"... they're all too happy to take what they want and claim that artists can make money elsewhere yet few, if any, produce a quality product themselves and even less of them give it out 100% free.

    2. Re:Maybe it was required? by Anonymous Coward · Score: 5, Insightful

      What about those like me? I release my software closed source, but after a short period I open source it under the AGPLv3 (A license that ensures the most end user freedoms, AFAICT).

      Yeah, it's artificial scarcity, but I can't seem to get people to fund my development as the program is in progress, IN ADVANCE of the project actually being usable. This leaves me with the only option being to release it as closed source and charge for access after the program is complete. In 4 years I haven't yet drummed up enough donation support to fund development without a paywalled & closed source initial release. Now I use a "help free ProductX" progress bar indicating the amount of funds I require in order to fund the next iteration or program. When the gauge is full I open source the product.

      Either by donation or paywall you're still paying only for the work I'm doing only once, not the act of making infinitely reproducible copies. This is the hardest part to wrap your mind around I suppose. I only want to get paid when I'm doing work, or offering a service (that requires expenditure of time or money on my part). Traditional closed source software development only pays their devs when they work, but attempts to charge for every single copy.

      Copying takes far less work than coding. Copies aren't scarce. My work is scarce. I only want funding for my efforts. I need to have funding for my work because I'd like to continue doing it instead of digging ditches or busing tables.

      The fallacy people like you fall into is the belief that people like me can actually release our products as 100% FLOSS software and still EAT. Closed and open sources can play in the same sandbox, in the same way that labor unions prove that Socialism and Capitalism can work together. At the end of the day, I want my users to have freedoms, but the truth is that most people don't put their money where their freely eating mouths are.

      In the future, I may gain enough of a user base that the donations will be able to completely meet my financial prerequisites for the development... However, realize that I must bring in a bit MORE funding than merely enough to actually develop the product. I must have enough funding to have a bit of financial security. Else, I'm living "paycheck to paycheck" and risk one bad release causing me to end all development.

      I call people like you software extremists. As any extremist you're likely immune to reason: Anything that's not white is 100% black. No Gray Allowed!!! Gray is THE DEVIL! (Failing to realize that the entire world is a beautiful place predominantly because it's made of many shades of many colors, including gray.)

      You need a reality check: Absolutes are a rarity in nature, in fact, they don't exist naturally. To say FLOSS isn't about pushing an ulterior agenda is denialism; The same can be said of closed software.

    3. Re:Maybe it was required? by trawg · Score: 2

      This is a great model and I applaud it. I would much rather pay for software knowing that the end game is open source, rather than continually filling the coffers for the duration of a copyright period.

      What software do you make; I would be interested in keeping an eye out?

  2. This is really good news by Mr_Plattz · Score: 5, Interesting

    This makes a lot of sense. Twitter is and has always been a facilitator of open communication, particularly from censoring governments. This is just an extension of that.

    I have always kept an eye on Whisper Systems and specifically TextSecure (and WhisperCore) but they never became really "usable". I would (and I think many people) love to be able to securely text message (or via iMessage or Facebook) knowing it's safely encrypted but still highly usable (similar to Pidgin + OTR).

    Will they try to use this for corporate evil? Maybe. But at the same token WhisperSystems never had enough power/traction to develop what they really wanted and we (the people) needed.

  3. Re:More "Web 2.0" crap that we had years ago? by AJH16 · Score: 2

    While yes, TextSecure is similar in nature to PGP, it isn't the tech, so much as the interface, that makes it a great app. While I can agree with some of your objections to what Web 2.0 heralds as new and I believe there are legitimate questions about the wisdom of the direction we are going with technology, I think your rant may be misplaced here. TextSecure is a local Android SMS client that smoothly integrates key exchange and secure messaging with SMS so that the user doesn't have to concern themselves as much with the "complicated" details. You simply choose a contact, request a key exchange, verify a code it gives you via some other channel to make sure there is no man in the middle and the keys are then stored with the contact for future verified, secure communication without having to do anything more than send text messages like you normally would (though through the TextSecure app).

    What we should take from "Web 2.0" is the attention to what kinds of interfaces and interactions users gravitate towards and this is where TextSecure seems to shine the most. What we might be wiser not to take from Web 2.0 is some of the more questionable technical "innovation" that seems to be moving backward in capability to what we had in the past in the name of supporting the new UI. Examples from my perspective at least are the pushes towards things like Metro and trying to do entire desktop replacement application development in HTML5. Sure the idea of a pure touch friendly UI sounds good to marketing, but the fact is there is a lot that can't be effectively done with it. You might cover the needs of half the population even, but you are greatly limiting the development of the fringe of technology which has always been what pushes us forward.

    Recently there seems to be this idea that the goal should be that everyone, from the biggest technophiles to granny in a nursing home, should embrace new tech, but too often the way that seems to be accomplished is the lazy approach of making a limited product that doesn't really push the envelope or encourage further growth. For the longest time tech has started in the hands of those who understand how to push it forward and then propagated down to the masses after going through a lot of refinement and filtering to find the best stuff. Now things just get thrown out to mass market and that filtering and direction is lost. Effectively control of the direction of technology is getting handed to marketing instead of technologists. That's a great way to make money, but a horrible way to move technological progression forward.

    Similarly, HTML5 being used for desktop apps is a nice goal to try to have apps that can be used anywhere and not require install, but the fact is that the tools really aren't there to do it efficiently yet and it's really a wasteful process when you consider the extra development effort required for many projects combined with the extra energy required to run the necessarily inefficient code (just the lack of a good ability to push notification from server to client is a huge issue, let alone the security concerns and the performance of JavaScript in general). On the other hand you do save having to produce hardware for the home, but that hardware and more is just having to go in data centers instead (though it is more fully utilized in a data center.)

    --
    AJ Henderson
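
The verification step described in the comment above (compare a code over a second channel after the key exchange), as an added example that is not part of the original thread and not TextSecure's code. The toy Diffie-Hellman group, the code format and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, for illustration only): p = 2**255 - 19
# is prime and g = 2. Not a group to use in production.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def verification_code(pub_a, pub_b):
    """Short code the two users read to each other over another channel.

    Both public keys are hashed in sorted order, so the two devices show the
    same code only when they saw the same pair of keys.
    """
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))

def exchange(tamper=False):
    """Run one exchange; tamper=True models a key replaced in transit.

    Returns (code on Alice's device, code on Bob's device, Alice's session
    secret, Bob's session secret).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    alice_sees, bob_sees = b_pub, a_pub
    if tamper:
        _, relay_pub = keypair()  # constructed stand-in for a substituted key
        alice_sees = bob_sees = relay_pub
    code_a = verification_code(a_pub, alice_sees)
    code_b = verification_code(bob_sees, b_pub)
    key_a = pow(alice_sees, a_priv, P)
    key_b = pow(bob_sees, b_priv, P)
    return code_a, code_b, key_a, key_b

def codes_match(code_a, code_b):
    """Constant-time comparison of the two displayed codes."""
    return hmac.compare_digest(code_a, code_b)
```

When the keys arrive unmodified both devices show the same code and derive the same secret; when a key was replaced on the way, the codes differ, which is what the out-of-band check is there to catch.
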
  4. Re:More "Web 2.0" crap that we had years ago? by Gr8Apes · Score: 4, Informative

    The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like).

    Regarding the open sourcing of the encryption code, generally self-written encryption routines are inadequate at best. If you're not leveraging one of the well vetted encryption libraries, odds are that your solution is weak and will only stand up to cursory inspection. Otherwise, you're using PGP, RSA, Blowfish, etc, and your code is merely a light wrapper around those libraries. (No, I did not review the code)

    As for chat clients and the like connecting to each other with encryption, this has been around and open sourced a long time, one implementation is Off-the-Record. And of course there's the PGP solution that has been around since the early 90s.

    --
    The cesspool just got a check and balance.
  5. N9(xx) by muckracer · Score: 2

    Here's to hoping for a MeeGo port...

    And good job, Twitter. Somehow you're becoming far more sympathetic than that 'other' big social network player...

  6. Re:OPEN "SORES" SECURITY = oxymoron by burning-toast · Score: 2

    Practically EVERY WEEK, & for YEARS now? Yes - You see a NEW "security bug" turning up on ANDROID, a Linux variant!

    [Citation Needed]

    Yes, I know... Don't feed the trolls and all of that...

    - Toast