> Responding to accusations on a public forum is understandably stressful, I could understand how it's hard to stay entirely placid in that situation.
Which is why at that point you hire lawyers and a corporate communications agency to do this for you. When your company's existence is on the line, you don't want to do that stuff yourself.
Which is very hard when given an exploding timeline of a few days to respond… Honestly I felt like some of her responses were crafted with input from people with legal training, and that's exactly what turned people off, because everyone knows lawyers can't be trusted, right.
The CA forum is designed to be a forum of trust, on eye level.
The fact that her responses read like a letter written by a bad lawyer already violates that trust. She's saying as little as possible, admitting nothing, and constantly trying to evade claims on a technicality.
I guess to me that behavior also makes sense if one has nothing to hide and is unfairly being asked for a bunch of info that isn’t appropriate or relevant to provide because of absurd unsubstantiated claims that they are in bed with malware authors by a journalist who seemingly has an agenda.
Interesting way to describe a situation in which company A had the same owners as malware company B and also integrated a never-before-seen unobfuscated copy of company B's malware into company A's app.
The claims are neither absurd nor unsubstantiated.
Rachel admits that TrustCor (company A) and Measurement Systems (Company B) had the same investors:
> Unknown until recently by any employee officers of TrustCor we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals.
She argues it doesn't matter because those people don't own TrustCor anymore, but can't or won't provide any details about the supposed ownership transfer.
Rachel also admits that the supposedly secure email app owned by TrustCor (which lies about being E2EE) had Measurement Systems' malware built into it, which she blames on a rogue employee:
> Prior to my original reply, we had already completed an investigation related to this activity. Our software revision control system revealed immediately when the software was introduced and which developer introduced it. [...] Also as I previously stated, "Whether or not the SDK was added for a developer’s own financial gain or otherwise is beyond us and we don’t care to speculate." Our investigation found the developer in question properly signed our standard "Confidentiality Obligation and Invention Agreement” that requires any developer to obtain a corporate license to any 3rd party software or intellectual property the developer chooses to include. We confirmed through corporate records and email searches that no such agreement was ever obtained by the company or company counsel. Also, none was included inside the software/check-in to revision control. We also confirmed no approval for including this third-party software was ever obtained from Wylie (technically the manager of the developers at that time). Technically that individual developer violated our Confidentiality Obligation and Invention Agreement.
So, which part of what I said is not actually true?
I could be mistaken, but TrustCor CA is company C. TrustCor (company B) is where a rogue contractor allegedly added "malware", or in industry parlance, analytics software, to a product as part of work to instrument the app that never shipped publicly and thus never harmed users. But TrustCor CA is operated entirely independently from Company B. Furthermore, this entire thing is predicated on an allegation that because some piece of analytics malware appears unobfuscated in their app but obfuscated in others, they must have exclusive access to the source and therefore must be the authors. That's... quite the leap. I can think of many other simple explanations for why the incorrect build of some software might appear in a software product. Anyway I don't believe it's correct to say Company B that "put malware in" their app is the same as Company C that operates an above-board CA. And I'm beginning to question whether this software the opportunistic researchers found is actually even malware in the first place.
> I could be mistaken, but TrustCor CA is company C. TrustCor (company B) is where a rogue contractor allegedly added "malware", or in industry parlance, analytics software, to a product as part of work to instrument the app that never shipped publicly and thus never harmed users.
> Anyway I don't believe it's correct to say Company B that "put malware in" their app is the same as Company C that operates an above board CA.
You are mistaken. There is no Company C.
The company that put the malware in their app is MsgSafe.io, a "secure email" provider that advertises E2EE but doesn't actually provide E2EE. MsgSafe is owned by TrustCor. Again, this is something that Rachel readily and repeatedly admits in the email thread, for example in her 18 November email:
> Also, I will use "our company" when speaking of TrustCor (the CA operator) and MsgSafe (the email service).
MsgSafe may technically be a different company from Trustcor in the same sense that Google and Alphabet are technically different companies, but Rachel considers them both together to be "our company."
TrustCor/MsgSafe, Rachel's "our company," is Company A.
Company B is Measurement Systems. Measurement Systems is the company that provides the malware to app developers, not the company that put the malware in their app. As quoted in my previous post, Rachel admits that TrustCor and Measurement Systems had the same investors. According to public records they still have the same investors. Rachel claims that the previous owners have since divested, but (1) this is not reflected by public records and (2) she is unable or unwilling to provide any documentation of it. Also as quoted in my previous post, Rachel admits that TrustCor/MsgSafe's app contained Measurement Systems' SDK.
> to a product as part of work to instrument the app that never shipped publicly and thus never harmed users.
This is false. The app, although in "beta," was available on the Play Store and linked from MsgSafe.io as well as publicly advertised from the MsgSafe.io twitter account.
> Furthermore, this entire thing is predicated on an allegation that because some piece of analytics malware appears unobfuscated in their app but obfuscated in others, they must have exclusive access to the source and therefore must be the authors. That's.. quite the leap. I can think of many other simple explanations for why the incorrect build of some software might appear in a software product.
No, it's not. There are various other pieces of evidence tying TrustCor/MsgSafe to Measurement Systems, including domain registrations and common investors.
> And I'm beginning to question whether this software the opportunistic researchers found is actually even malware in the first place.
This, now, is truly absurd. The Measurement Systems' malware SDK captured and uploaded information including wifi router SSID and MAC, the phone number and email address associated with the device it's running on, the device IMEI, clipboard contents, and GPS locations [1]. There is no good-faith argument that can be made against it being malware.
I've seen many analytics frameworks that try to capture whatever device identifiers they can get their hands on. I bet half the apps on your phone use one. And this has been an accepted practice in the industry for years. Why do you think Apple and browsers have been slowly removing access to these IDs? I tend to agree that such data collection is unnecessary and unwanted, but if a product or service is putting that shit in their software, and they call it out in their privacy policy and users consent to providing that information, then I don't see the legal problem. Though I certainly wish we would make laws that disallow such practices.