[liberationtech] DecryptoCat

Nadim Kobeissi nadim at nadim.cc
Mon Jul 8 04:02:24 PDT 2013


On 2013-07-08, at 12:13 PM, Ralph Holz <holz at net.in.tum.de> wrote:

> Hi Tom,
> 
>> If you think this bug could never happen to you or your favorite pet
>> project; if you think there's nothing you can learn from this incident
>> - you haven't thought hard enough about ways it could have been
>> prevented, and thus how you can prevent bugs in your own codebase.
> 
> Amen to that.
> 
> Thanks for the write-up; it was my feeling, too, that too many people
> have been uttering very sharp criticism in this particular case, and
> that wasn't helping anyone.
> 
> There are projects that don't get nearly as much coverage but have a
> very poor security record. I personally know programmers with a hell of
> a global reputation whose code contained bugs found by peers. We should
> keep things in perspective.

Thanks a lot for this kind call for perspective.

The fact remains that we messed up. But I'm sticking to the project and I am certain that we will mess up less and less, and evolve. It took exemplary projects like Tor and PGP ten+ years to reach the reputable status they're in today (where, mind you, critical bugs still happen!) — it may take us even longer. But the goals are too important to give up. We're in a situation where accessibility has failed to evolve precisely because you're largely barred from taking risks. A license to take risks isn't a license to keep messing up, but it's still necessary to investigate real problems to which we haven't been able to find solutions as a community so far.

If a bug like this happens again in the future, I will follow the same procedure of complete transparency and hold myself fully accountable for it. All the same, I am redoubling my efforts to bring in more cryptographers and auditors to Cryptocat — this is what I just spent my weekend in Germany doing.

But quite frankly, for now, I really think I need a small vacation. :-p

NK

> 
> Ralph
> 
> -- 
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF