Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] DecryptoCat

Nadim Kobeissi nadim at nadim.cc
Thu Jul 4 05:14:44 PDT 2013


Hello everyone,
I urge you to read our response at the Cryptocat Development Blog, which strongly clarifies the situation:

https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/

Thank you,
NK

On 2013-07-04, at 12:18 PM, Jens Christian Hillerup <jens at hillerup.net> wrote:

> On Thu, Jul 4, 2013 at 11:36 AM, KheOps <kheops at ceops.eu> wrote:
> Just came accross this:
> http://tobtu.com/decryptocat.php
> 
> Eep!
> 
> It seems like the saying "given enough eyeballs, all bugs are shallow" has become obsolete, huh? Peer review is an integral part to developing secure cryptography implementations, but unfortunately this fundamentally crashes with the hacker mantra of "just do it". It's a shame that this project did not get this kind of attention until after people started relying on it---that could have saved a lot of people from a lot of shouting in any case.
> 
> So what do we do about this? Opening the source code as an argument for security no longer suffices. How can we raise money for rigid and independent quality assurance of software that in this case is designed to potentially saving lives? And how can we make sure that this money flows into the fund and out to the QAers on a regular basis?
> 
> I don't know, sadly, but I'd love to discuss it.
> 
> JC
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech




More information about the liberationtech mailing list