Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] What I've learned from Cryptocat

Luke Allnutt AllnuttL at rferl.org
Tue Aug 7 01:25:04 PDT 2012


With Frank's message in mind, do list members have thoughts about the best 
dumbed-down guide for activists to stay safer online? 

I know EFF, MobileActive, and Movements.org have done some good work in 
this field, but wondered whether there is a consensus on a good short, 
easy-to-understand document for activists?

Luke





<frank at journalistsecurity.net> 
Sent by: liberationtech-bounces at lists.stanford.edu
08/07/2012 07:19 AM

To
"Moxie Marlinspike" <moxie at thoughtcrime.org>, 
liberationtech at lists.stanford.edu
cc

Subject
Re: [liberationtech] What I've learned from Cryptocat






Hey guys,

I appreciate the importance and depth of this discussion. But I also wish 
to underscore that most of the people who are at risk are not using any 
tools whether they be CrytoCat, PGP, GChat or others for the simple reason 
that they either cannot figure them out, or don't have time to figure them 
out, or both. And I am talking about people at risk in many different 
nations.

No doubt the functional security of tools is an indispensable, essential 
concern. Ignoring any vulnerabilities is dangerous, indeed. But the 
usability of the same tools and making them accessible to 
non-technologists is just as big a concern, in my view. I know you guys 
think that many such users including Western journalists are simply lazy. 
But many, if not most of the available tools are simply not intuitive, or 
not as much as most technologists who already know how to use them seem to 
think.

How many people on this list have spent time asking non-technologists and 
other users who have tried, but have since given up even trying to use 
tools like PGP? Or have examined how new users interact with such tools? I 
have a great deal of respect for this community. But to be honest it seems 
to me that neither the technologists nor the donors have spent much time 
asking such questions.

If a novice user make a mistake in PGP, for example, it's over. Options 
are not intuitive if you don't already know them. And if you hit the wrong 
button, you can end up at a deadend with no guidance how to get back on 
track. Trust me. I know. And I am not trashing PGP. I know well and fully 
appreciate it's value and I have used it and continue to use it hostile 
environments. And I also know that users and only users can make crucial 
choices during use for their own security. I get that, too. But most 
digital security tools still do not do a good job of laying out, let alone 
explaining the options. And I say that with respect for the value of the 
tools and options themselves.

Cryptocat is one of the most user-friendly tools out there, and I think 
Nadim deserves credit for the effort. Of course, the vulnerabilities must 
be fixed before anyone should use it in a hostile environment. Although 
the level of vulnerability might also depend on the nature of the threat 
in any particular environment. But I also think we need to spend as much 
time making tools accessible as we do making them secure if we are going 
to reach the people who really need them. And right now few if any of 
these tools are having the reach that we all agree is needed. And that is 
an issue largely of usability.

I think with more constructive collaboration we would achieve both. We 
need to. Thanks.

Best, Frank

Frank Smyth
Executive Director
Global Journalist Security
frank at journalistsecurity.net
Tel.  + 1 202 244 0717
Cell  + 1 202 352 1736
Twitter:  @JournoSecurity
Website: www.journalistsecurity.net
PGP Public Key
 

 
Please consider our Earth before printing this email.

Confidentiality Notice: This email and any files transmitted with it are 
confidential. If you have received this email in error, please notify the 
sender and delete this message and any copies. If you are not the intended 
recipient, you are notified that disclosing, copying, distributing or 
taking any action in reliance on the contents of this information is 
strictly prohibited.



-------- Original Message --------
Subject: Re: [liberationtech] What I've learned from Cryptocat
From: Moxie Marlinspike <moxie at thoughtcrime.org>
Date: Mon, August 06, 2012 10:29 pm
To: liberationtech at lists.stanford.edu




On 08/06/2012 06:59 PM, Eleanor Saitta wrote:
> Except that with your harm mitigation, you push many potential users
> back to plaintext, where they are guaranteed to be owned. What
> percentage of potential cryptocat users would the plugin version have to
> stop from using the tool for you to accept that there was a place for
> the non-plugin version?

Let's stop using the word "plaintext," because my understanding is that
none of the chat services we're speaking of transmit data in the clear.
As I see it, there are currently three possible vectors for attack with
"existing" web-based chat services:

1) SSL interception.
2) Server compromise.
3) Server operator.

The technology in CryptoCat v1 does not address any of these three
vectors, and all of them remain possible. My position is that it's
actually more susceptible to attack via #1 and #2 than existing
web-based chat solutions. I believe your position is that it improves
on vector #3 by virtue of being not-Facebook. (I'm curious how you
measure #3 in comparison to GChat.)

If we postulate that CryptoCat does improve vector #3 by virtue of being
not-Facebook, it isn't a result of the technology, but simply that we've
agreed Nadim has a better monitoring/interception track record than
Facebook. If that's something you think is valuable, it actually seems
like it'd potentially be better served by having someone like the EFF or
Riseup host a web-based and SSL-protected chat service, without brining
any additional cryptography confusion into the mix. A trust project,
not a cryptography project.

Unfortunately for me, I'd rather depend on cryptography than people.
But I believe that CryptoCat is actually well positioned to drive
changes in the ecosystem that will allow them to really improve on those
three vectors in time. I think it's difficult to experiment in public
with security tools, however, and that it's a sage decision to make a
secure solution available (CryptoCat v2) and work on reducing friction
while maintaining security from there.

- moxie

-- 
http://www.thoughtcrime.org
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click 
above) next to "would you like to receive list mail batched in a daily 
digest?"

You will need the user name and password you receive from the list 
moderator in monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click 
above) next to "would you like to receive list mail batched in a daily 
digest?"

You will need the user name and password you receive from the list 
moderator in monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120807/c51dab5d/attachment.html>


More information about the liberationtech mailing list