Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] My CPJ blog: Lessons from the Cryptocat debate

Nadim Kobeissi nadim at nadim.cc
Tue Sep 11 10:34:57 PDT 2012


Frank,
Please, tell me more about how your allusion at the end of your post
absolves you of the culpability of fact-checking!

Furthermore, I have confirmed with Chris concerning the browser plugin
issue when I met him last week in D.C., while Patrick Ball and I had an
exchange that was posted on libtech weeks ago under the
migraine-inducing "What I learned from Cryptocat" thread.

Did you even ask Chris or Patrick about the browser plugin platform?
I'll eat a shoe if you did. I've been working for weeks on this and it's
people like you who just make me feel like all my effort is completely
worthless.

NK

On 9/11/2012 1:24 PM, frank at journalistsecurity.net wrote:
> Nadim,
> 
> Toward the end of the piece, I said: some critics are now working with
> Kobeissi to help clean up and secureCryptocat.
> 
> What you are saying is that Cryptocat is now a browser-plugin only
> application, and that therefore, if I understand your point, the
> vulnerabilities alluded to by Chris and now Patrick are now all fixed.
> 
> Are they? If they are, I have not yet read confirmation that they are
> from others in this community. I'd welcome any input here.
> 
> And, Nadim, I have and continue to support you for finally building a
> truly user-friendly tool. We need tools that are both secure and
> easier-to-use, and that was the point of the piece.
> 
> Frank
> 
> 
> 
> Frank Smyth
> Executive Director
> Global Journalist Security
> frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> Tel.  + 1 202 244 0717
> Cell  + 1 202 352 1736
> Twitter:  @JournoSecurity
> Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>  
>  
> Please consider our Earth before printing this email.
> 
> Confidentiality Notice: This email and any files transmitted with it are
> confidential. If you have received this email in error, please notify
> the sender and delete this message and any copies. If you are not the
> intended recipient, you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited.
> 
> 
> 
>     -------- Original Message --------
>     Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
>     debate
>     From: Nadim Kobeissi <nadim at nadim.cc <mailto:nadim at nadim.cc>>
>     Date: Tue, September 11, 2012 1:14 pm
>     To: liberationtech <liberationtech at lists.stanford.edu
>     <mailto:liberationtech at lists.stanford.edu>>
> 
> 
>     I can't even-
> 
>     Frank sent me this article about 15 minutes ago and I answered with the
>     notion that Cryptocat has been a browser-plugin only app for more than a
>     month, and that his article is just incredibly ignorant and frustrating
>     as a result of it ignoring that.
> 
>     Relevant links:
>     https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
>     https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
> 
>     Excuse me while I now go waterboard myself,
>     NK
> 
>     On 9/11/2012 1:07 PM, frank at journalistsecurity.net
>     <mailto:frank at journalistsecurity.net> wrote:
>     > Hi everybody,
>     > 
>     > Below is my CPJ blog on the Cryptocat debate. It makes some of the same
>     > points that I already made here a few weeks ago. And please know that my
>     > intent is to help work toward a solution in terms of bridging invention
>     > and usability. I know there are different views, and I have already
>     > heard some. Please feel free to respond. (If you wish you may wish to
>     > copy me at frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
>     > <mailto:frank at journalistsecurity.net
>     <http://mailto:frank@journalistsecurity.net>> to avoid me missing
>     your note
>     > among others.)
>     > 
>     > Thank you! Best, Frank
>     > 
>     > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
> 
>     > 
>     > 
>     >   *In Cryptocat, lessons for technologists and journalists*
>     > 
>     > By Frank Smyth/Senior Adviser for Journalist Security
>     > <http://www.cpj.org/blog/author/frank-smyth>
>     > /Alhamdulillah! /Finally, a technologist designed a security tool that
>     > everyone could use. A Lebanese-born, Montreal-based computer scientist,
>     > college student, and activist named Nadim Kobeissi had developed a
>     > cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet
>     > that seemed as easy to use as Facebook Chat but was presumably far more
>     > secure.
>     > Encrypted communications are hardly a new idea. Technologists wary of
>     > government surveillance have been designing free encryption software
>     > since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no
>     > tool is completely safe, and much depends on the capabilities of the
>     > eavesdropper. But for decades digital safety tools have been so hard to
>     > use that few human rights defenders and even fewer journalists (my best
>     > guess is one in a 100) employ them.
>     > Activist technologists often complain that journalists and human rights
>     > defenders are either too lazy or foolish to not consistently use digital
>     > safety tools when they are operating in hostile environments.
>     > Journalists and many human rights activists, for their part, complain
>     > that digital safety tools are too difficult or time-consuming to
>     > operate, and, even if one tried to learn them, they often don't work as
>     > expected.
>     > Cryptocat promised
>     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     > to finally bridge these two distinct cultures. Kobeissi was profiled
>     > <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
>     > in /The New York Times/; /Forbes/
>     > <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/>
>     > and especially /Wired/
>     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     > each praised the tool. But Cryptocat's sheen faded fast. Within three
>     > months of winning a prize associated with /The Wall Street Journal/
>     > <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught
>     > in storm--wet, dirty, and a little worse for wear. Analyst Christopher
>     > Soghoian--who wrote a /Times/ op-ed last fall
>     > <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html>
>     > saying that journalists must learn digital safety skills to protect
>     > sources--blogged that Cryptocat had far too many structural flaws
>     > <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb>
>     > for safe use in a repressive environment.
>     > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece
>     > just weeks before, Patrick Ball said the prior author's admiration of
>     > Cryptocat was "inaccurate, misleading andpotentially dangerous
>     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>."
>     > Ball is one of the Silicon Valley-based nonprofit Benetech
>     > <http://www.benetech.org/> developers ofMartus
>     > <http://www.benetech.org/human_rights/martus.shtml>, an encrypted
>     > database used by groups to secure information like witness testimony of
>     > human rights abuses.
>     > But unlike Martus, which uses its own software, Cryptocat is a
>     > "host-based security" application that relies on servers to log in to
>     > its software. And this kind of application makes Cryptocat potentially
>     > vulnerable
>     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/>
>     > to manipulation through theft of login information--as everyone,
>     > including Kobeissi, now seems to agree.
>     > So we are back to where we started, to a degree. Other, older digital
>     > safety tools are "a little harder to use, but their security is real,"
>     > Ball added in /Wired/. Yet, in the real world, fromMexico
>     > <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php>
>     > to Ethiopia
>     > <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>,
>     > from Syria
>     > <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php>
>     > to Bahrain
>     > <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>,
>     > how many human rights activists, journalists, and others actually use
>     > them? "The tools are just too hard to learn. They take too long to
>     > learn. And no one's going to learn them," a journalist for a major U.S.
>     > news organization recently told me.
>     > Who will help bridge the gap? Information-freedom technologists clearly
>     > don't build free, open-source tools to get rich. They're motivated by
>     > the recognition one gets from building an exciting, important new tool.
>     > (Kind of like journalists breaking a story.) Training people in the use
>     > of security tools or making those tools easier to use doesn't bring the
>     > same sort of credit.
>     > Or financial support. Donors--in good part, U.S. government agencies
>     > <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the
>     > development of new tools rather than ongoing usability training and
>     > development. But in doing so, technologists and donors are avoiding a
>     > crucial question: Why aren't more people using security tools? These
>     > days--20 years into what we now know as the Internet--usability testing
>     > is key to every successful commercial online venture. Yet it is rarely
>     > practiced in the Internet freedom community.
>     > That may be changing. The anti-censorship circumvention tool Tor has
>     > grown progressively easier to use, and donors and technologists are now
>     > working to make it easier and faster still. Other tools, like Pretty
>     > Good Privacy <http://www.pgpi.org/> or its slightly improved German
>     > alternative <http://www.gnupg.org/>, still seem needlessly difficult to
>     > operate. Partly because the emphasis is on open technology built by
>     > volunteers, users are rarely if ever redirected how to get back on track
>     > if they make a mistake or reach a dead end. This would be nearly
>     > inconceivable today with any commercial application designed to help
>     > users purchase a service or product.
>     > Which brings us back to Cryptocat, the ever-so-easy tool that was not as
>     > secure as it was once thought to be. For a time, the online debate among
>     > technologists degenerated into thekind of vitriol
>     > <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one
>     > might expect to hear among, say, U.S. presidential campaigns. But wounds
>     > have since healed and some critics are now working with Kobeissi to help
>     > clean up and secure Cryptocat.
>     > Life and death, prison and torture remain real outcomes
>     > <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php>
>     > for many users, and, as Ball noted in/Wired/, there are no security
>     > shortcuts in hostile environments. But if tools remain too difficult for
>     > people to use in real-life circumstances in which they are under duress,
>     > then that is a security problem in itself.
>     > The lesson of Cryptocat is that more learning and collaboration are
>     > needed. Donors, journalists, and technologists can work together more
>     > closely to bridge the gap between invention and use.
>     > Frank Smyth is CPJ's senior adviser for journalist security. He has
>     > reported on armed conflicts, organized crime, and human rights from
>     > nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda,
>     > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on
>     > Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>.
>     > 
>     > 
>     >         *Tags:*
>     > 
>     >   * Cryptocat <http://www.cpj.org/tags/cryptocat>,
>     >   * Hacked <http://www.cpj.org/tags/hacked>,
>     >   * Internet <http://www.cpj.org/tags/internet>,
>     >   * Martus <http://www.cpj.org/tags/martus>,
>     >   * Nadim Kobeissi <http://www.cpj.org/tags/nadim-kobeissi>,
>     >   * Patrick Ball <http://www.cpj.org/tags/patrick-ball>,
>     >   * Pretty Good Privacy <http://www.cpj.org/tags/pretty-good-privacy>,
>     >   * Tor <http://www.cpj.org/tags/tor>
>     > 
>     > September 11, 2012 12:12 PM ET
>     > 
>     > Frank Smyth
>     > Executive Director
>     > Global Journalist Security
>     > frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
>     <mailto:frank at journalistsecurity.net
>     <http://mailto:frank@journalistsecurity.net>>
>     > Tel.  + 1 202 244 0717
>     > Cell  + 1 202 352 1736
>     > Twitter:  @JournoSecurity
>     > Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
>     <http://www.journalistsecurity.net>
>     > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>     > 
>     > 
>     > Please consider our Earth before printing this email.
>     > 
>     > Confidentiality Notice: This email and any files transmitted with it are
>     > confidential. If you have received this email in error, please notify
>     > the sender and delete this message and any copies. If you are not the
>     > intended recipient, you are notified that disclosing, copying,
>     > distributing or taking any action in reliance on the contents of this
>     > information is strictly prohibited.
>     > 
>     > 
>     > 
>     > --
>     > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>     > 
>     --
>     Unsubscribe, change to digest, or change password at:
>     https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> 
> 
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 



More information about the liberationtech mailing list