
[liberationtech] DecryptoCat

Karl Fogel kfogel at red-bean.com
Thu Jul 4 16:08:47 PDT 2013


Jens Christian Hillerup <jens at hillerup.net> writes:
>So what do we do about this? Opening the source code as an argument
>for security no longer suffices. How can we raise money for rigid and
>independent quality assurance of software that in this case is
>designed to potentially save lives? And how can we make sure that
>this money flows into the fund and out to the QAers on a regular
>basis?

For what it's worth: OpenITP's Peer Review Board [1] is intended to help
with exactly this.  It's under development; Eleanor Saitta on this list
can give a better sense of where things stand at this point, but I
wanted to let you know the effort is under way.

By the way, I don't agree with the original blog post's [2] ad hominem
remarks about Cryptocat's developers.  The most popular programs are
always where people are most excited to find bugs.  It's therefore hard
to compare Cryptocat's development against that of other security
projects, given that many of those projects are not as popular as
Cryptocat -- in other words, it's hard to establish what the baseline is
or should be.  So I wish people would be more circumspect about flinging
around words like "incompetent"; it just sets a bad tone and doesn't
help anything.  Cryptocat's response [3] is exemplary.

-Karl

[1] http://wiki.openitp.org/peerreviewboard:start
[2] http://tobtu.com/decryptocat.php
[3] https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
