[liberationtech] Fwd: Re: When It Comes to Human Rights, There Are No Online Security Shortcuts | Threat Level |

Katrin Verclas katrin at
Fri Aug 10 13:08:08 PDT 2012

---------- Forwarded message ----------
From: "Patrick Ball" <pball at>
Date: Aug 10, 2012 3:47 PM
Subject: Re: [liberationtech] When It Comes to Human Rights, There Are No
Online Security Shortcuts | Threat Level |
To: "Nadim Kobeissi" <nadim at>
Cc: "Katrin Verclas" <katrin at>

[Katrin: again, your call whether to repost to the list]


Sorry about the photos. Given that there's a pretty prominent photo of you
at Wired, you must know that we do not control whether or which photos
Wired puts up. That's simply their style.

I've spent a lot of my life building Martus, and that's the solution I
think best serves the community I work with. Other tools may contribute in
the future, and we're busy collaborating as much as we can to integrate our
tool with Tor, Guardian, and some non-security data collection stuff. In my
experience, the best chance of getting users to adopt crypto is to build it
into an application they already want to use. We're doing that with the
tools human rights activists use for data collection and analysis.

I hope you continue with your research to build new tools. There are many
months (indeed, person-years) of testing between cool ideas and production
code that non-technical users can trust. I wish the discussion I'm watching
on libtech had a bit more consideration of making sure code is solid before
shipping it to the world. That's the point I pushed you about in my
previous message.

My op-ed addresses existing tools offered as secure to our community.
Singel said these tools (in particular Hushmail) are good for human rights
activists. I think that's a terrible idea, and that's what I said.

I appreciate your invitation to the technical conversation, but that's not
really what I do. It's not my job to fix Cryptocat.  Nor do you need my
help! I think you're well on your way, and you have far abler assistance
than I could provide.

It is part of my job to help the human rights community use good crypto
tools. I've built and supported Martus for 10 years, and we have a thriving
user community all over the world. In Martus, we didn't invent any piece of
the crypto. We used standard, well-tested algorithms (from BouncyCastle)
and standard protocols. We're not computer scientists or number theory
guys. My team are software engineers, and we know that we're not competent
to invent new crypto. Our job is to build a tool that meets a need we know
about from our users, and we're pretty happy with how it's going.

Re experts: I'm contrasting myself with *journalists* -- and most sharply,
with Singel's remark about Hushmail which is what motivated my op-ed. By
expert, I would certainly include you, Jake, moxie, and the other serious
computer scientists on the libtech list. My apologies if this is unclear.

Again, my best wishes in your R&D, and I look forward to your next ideas --

On 10 Aug 2012, at 12:28, Nadim Kobeissi wrote:

> Patrick,
> Thanks for your well-wishes, but I'm under the impression that
> actually participating in the conversation and technical debate would
> be far, far more productive than ample servings of high-level
> gratuitous formality. It's one thing to compliment Jake and me on the
> research we're doing and then write an article that almost fully
> does not pay heed to it, and entirely another to actually delve into
> that discussion yourself instead of ignoring it in favor of a piece
> with a picture of yourself at its top and two paragraphs on how
> experts like you need to be consulted at its bottom.
> There's a certain amount of honest contribution that I'm expecting
> here, and your article, while better than most that have surrounded
> this topic, would have been better served actually contributing to the
> conversation that *is* fixing Cryptocat, instead of dismissing it
> entirely in favor of things less worthwhile.
> NK
> On Fri, Aug 10, 2012 at 12:21 PM, Patrick Ball <pball at> wrote:
>> [Katrin: feel free to repost to the list if you want, the traffic is too
>> high so I don't want to join. I lurk occasionally.]
>> Nadim,
>> Research is great, and I am personally delighted you're doing it. Great
>> things may come of it, and the notes in the later part of the thread to
>> which Katrin alludes are very interesting. As I noted in the op-ed, the
>> browser extension may mature into a really useful tool -- once it's been
>> tested and reviewed and tested some more.
>> For the meantime: mark it alpha. In a giant, blinking font write: "not
>> for use by people who are really at risk." Writing "with some limitations"
>> is insufficient warning to non-technical users in a space where the risks
>> are this high. Leaving it up with the implication that it's tested software
>> that people at risk can depend on is irresponsible.
>> It's really cool that you and Jake and others are thinking up neat ideas
>> at dinner. You're both very smart and creative guys, and that's a great
>> place to start. It's not something you should then make public for
>> vulnerable people to depend on.
>> Schneier taught me years ago that security is really really hard. We
>> can't trust it until we've tested every which way anyone in good or bad
>> faith can think up. Even then, there might always be another crack, but our
>> confidence increases with each positive review and new attack our tool
>> withstands. Your browser extension may get there, but it's a ways off yet.
>> I hope you persist. Good luck.
>> -- PB.
>> On 10 Aug 2012, at 12:07, Katrin Verclas wrote:
>>> Patrick, care to comment? You might also want to review the
>>> conversation on the libtech list (all 62 messages) where a lot of issues
>>> related to Cryptocat and security and activism have been discussed in great
>>> detail, and with a lot of thought and care.
>>> (And, for the record, I have no editorial judgement one way or another
>>> - really just shared a link here.  I have appreciated, however, the really
>>> good conversation on this on libtech)
>>> Katrin
>>> On Aug 10, 2012, at 2:40 PM, Nadim Kobeissi wrote:
>>>> I'm sorry to have to say this, but this piece seems to expressly
>>>> ignore a lot of the research and discussion that's already happened
>>>> about Cryptocat and (I'm sorry) is very self-promotional of Ball and
>>>> Martus. The discussion around improving code delivery, which has been
>>>> going on for months, is completely ignored and instead there's a
>>>> picture of Patrick Ball in an article in which he asks Cryptocat to
>>>> 'consult experts.' If Mr. Ball had bothered weighing into any
>>>> conversation before writing this piece, or contacting me at all, I
>>>> would perceive the article as far more honest.
>>>> NK
>>>> On Fri, Aug 10, 2012 at 6:15 AM, Katrin Verclas <katrin at> wrote:
>>>>> and Ball from Martus/Benetech weighs in...
>>> Katrin Verclas
>>> katrin at
>>> skype/twitter: katrinskaya
>>> (347) 281-7191
>>> Check out
>>> Using Mobile Technology More Securely. For Activists, Rights Defenders,
>>> and Journalists.
>>> A global network of people using mobile technology
>>> for social impact