Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] What I've learned from Cryptocat

Ali-Reza Anghaie ali at packetknife.com
Mon Aug 6 17:53:48 PDT 2012


On Mon, Aug 6, 2012 at 8:43 PM, Jillian C. York <jilliancyork at gmail.com> wrote:
> It's difficult.  I'm not a technologist, but I understand the issues and the
> user needs well.  My "type," I'd surmise, is few and far between.

The problem isn't that your type is few and far between - the problem
is that InfoSec has almost wholly ignored ESTABLISHED activists. As if
the techniques, acceptable risk levels, etc. are new issues. They're
simply not.

> Security experts have obvious reasons for being conservative, and I get
> that.  Nevertheless, there are a lot of users who would benefit from a
> little bit of added security.  The question, then, as I see it, is:
>
> How do we provide that little bit while still making users aware of risks?

It's been my experience that providing these risks in-band is just not
doable - and the target end-users don't have time to worry about it.
So OPSEC has to be something that tools like Cryptocat don't assume
responsibility for. These is InfoSec sacrilege but it's the way
activists have traditionally had to work in the first place. As an
example, lets say w/ Iran, you're never - ever - going to be able to
address the OPSEC concerns of a given Internet cafe. What you can do
instead is provide a tool that works from every possible cafe and
trust the end-user to manage the OPSEC of their surroundings such that
perimeter controls, MITM risks, etc. are mitigated another way.

If that's not tenable for Nadim or his particular crowd then a shift
from developer to activist needs to be made. Just like any other
process, the product isn't out their for product's sake - it has
"customers".. and it's not those people who think they need an easier
lazier option to setting up OTR or PGP.

BTW, you're not without understanding and support in the Security
community. Meredith Patterson among others have batted this around
with me on Twitter - and understand the economics of the situation
fine.

Good luck Nadim and friends, -Ali



More information about the liberationtech mailing list