Frank, Please, tell me more about how your allusion at the end of your post absolves you of the culpability of fact-checking!
Furthermore, I have confirmed with Chris concerning the browser plugin issue when I met him last week in D.C., while Patrick Ball and I had an exchange that was posted on libtech weeks ago under the migraine-inducing "What I learned from Cryptocat" thread. Did you even ask Chris or Patrick about the browser plugin platform? I'll eat a shoe if you did. I've been working for weeks on this and it's people like you who just make me feel like all my effort is completely worthless. NK On 9/11/2012 1:24 PM, [email protected] wrote: > Nadim, > > Toward the end of the piece, I said: some critics are now working with > Kobeissi to help clean up and secureCryptocat. > > What you are saying is that Cryptocat is now a browser-plugin only > application, and that therefore, if I understand your point, the > vulnerabilities alluded to by Chris and now Patrick are now all fixed. > > Are they? If they are, I have not yet read confirmation that they are > from others in this community. I'd welcome any input here. > > And, Nadim, I have and continue to support you for finally building a > truly user-friendly tool. We need tools that are both secure and > easier-to-use, and that was the point of the piece. > > Frank > > > > Frank Smyth > Executive Director > Global Journalist Security > [email protected] <mailto:[email protected]> > Tel. + 1 202 244 0717 > Cell + 1 202 352 1736 > Twitter: @JournoSecurity > Website: www.journalistsecurity.net <http://www.journalistsecurity.net> > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key> > > > Please consider our Earth before printing this email. > > Confidentiality Notice: This email and any files transmitted with it are > confidential. If you have received this email in error, please notify > the sender and delete this message and any copies. If you are not the > intended recipient, you are notified that disclosing, copying, > distributing or taking any action in reliance on the contents of this > information is strictly prohibited. > > > > -------- Original Message -------- > Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat > debate > From: Nadim Kobeissi <[email protected] <mailto:[email protected]>> > Date: Tue, September 11, 2012 1:14 pm > To: liberationtech <[email protected] > <mailto:[email protected]>> > > > I can't even- > > Frank sent me this article about 15 minutes ago and I answered with the > notion that Cryptocat has been a browser-plugin only app for more than a > month, and that his article is just incredibly ignorant and frustrating > as a result of it ignoring that. > > Relevant links: > https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/ > https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/ > > Excuse me while I now go waterboard myself, > NK > > On 9/11/2012 1:07 PM, [email protected] > <mailto:[email protected]> wrote: > > Hi everybody, > > > > Below is my CPJ blog on the Cryptocat debate. It makes some of the same > > points that I already made here a few weeks ago. And please know that my > > intent is to help work toward a solution in terms of bridging invention > > and usability. I know there are different views, and I have already > > heard some. Please feel free to respond. (If you wish you may wish to > > copy me at [email protected] > <mailto:[email protected]> > > <mailto:[email protected] > <http://mailto:[email protected]>> to avoid me missing > your note > > among others.) > > > > Thank you! Best, Frank > > > > > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php > > > > > > > *In Cryptocat, lessons for technologists and journalists* > > > > By Frank Smyth/Senior Adviser for Journalist Security > > <http://www.cpj.org/blog/author/frank-smyth> > > /Alhamdulillah! /Finally, a technologist designed a security tool that > > everyone could use. A Lebanese-born, Montreal-based computer scientist, > > college student, and activist named Nadim Kobeissi had developed a > > cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet > > that seemed as easy to use as Facebook Chat but was presumably far more > > secure. > > Encrypted communications are hardly a new idea. Technologists wary of > > government surveillance have been designing free encryption software > > since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no > > tool is completely safe, and much depends on the capabilities of the > > eavesdropper. But for decades digital safety tools have been so hard to > > use that few human rights defenders and even fewer journalists (my best > > guess is one in a 100) employ them. > > Activist technologists often complain that journalists and human rights > > defenders are either too lazy or foolish to not consistently use digital > > safety tools when they are operating in hostile environments. > > Journalists and many human rights activists, for their part, complain > > that digital safety tools are too difficult or time-consuming to > > operate, and, even if one tried to learn them, they often don't work as > > expected. > > Cryptocat promised > > > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all> > > to finally bridge these two distinct cultures. Kobeissi was profiled > > > <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html> > > in /The New York Times/; /Forbes/ > > > <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/> > > and especially /Wired/ > > > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all> > > each praised the tool. But Cryptocat's sheen faded fast. Within three > > months of winning a prize associated with /The Wall Street Journal/ > > <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught > > in storm--wet, dirty, and a little worse for wear. Analyst Christopher > > Soghoian--who wrote a /Times/ op-ed last fall > > > <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html> > > saying that journalists must learn digital safety skills to protect > > sources--blogged that Cryptocat had far too many structural flaws > > > <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb> > > for safe use in a repressive environment. > > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece > > just weeks before, Patrick Ball said the prior author's admiration of > > Cryptocat was "inaccurate, misleading andpotentially dangerous > > > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>." > > Ball is one of the Silicon Valley-based nonprofit Benetech > > <http://www.benetech.org/> developers ofMartus > > <http://www.benetech.org/human_rights/martus.shtml>, an encrypted > > database used by groups to secure information like witness testimony of > > human rights abuses. > > But unlike Martus, which uses its own software, Cryptocat is a > > "host-based security" application that relies on servers to log in to > > its software. And this kind of application makes Cryptocat potentially > > vulnerable > > > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/> > > to manipulation through theft of login information--as everyone, > > including Kobeissi, now seems to agree. > > So we are back to where we started, to a degree. Other, older digital > > safety tools are "a little harder to use, but their security is real," > > Ball added in /Wired/. Yet, in the real world, fromMexico > > > <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php> > > to Ethiopia > > > <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>, > > from Syria > > > <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php> > > to Bahrain > > > <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>, > > how many human rights activists, journalists, and others actually use > > them? "The tools are just too hard to learn. They take too long to > > learn. And no one's going to learn them," a journalist for a major U.S. > > news organization recently told me. > > Who will help bridge the gap? Information-freedom technologists clearly > > don't build free, open-source tools to get rich. They're motivated by > > the recognition one gets from building an exciting, important new tool. > > (Kind of like journalists breaking a story.) Training people in the use > > of security tools or making those tools easier to use doesn't bring the > > same sort of credit. > > Or financial support. Donors--in good part, U.S. government agencies > > <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the > > development of new tools rather than ongoing usability training and > > development. But in doing so, technologists and donors are avoiding a > > crucial question: Why aren't more people using security tools? These > > days--20 years into what we now know as the Internet--usability testing > > is key to every successful commercial online venture. Yet it is rarely > > practiced in the Internet freedom community. > > That may be changing. The anti-censorship circumvention tool Tor has > > grown progressively easier to use, and donors and technologists are now > > working to make it easier and faster still. Other tools, like Pretty > > Good Privacy <http://www.pgpi.org/> or its slightly improved German > > alternative <http://www.gnupg.org/>, still seem needlessly difficult to > > operate. Partly because the emphasis is on open technology built by > > volunteers, users are rarely if ever redirected how to get back on track > > if they make a mistake or reach a dead end. This would be nearly > > inconceivable today with any commercial application designed to help > > users purchase a service or product. > > Which brings us back to Cryptocat, the ever-so-easy tool that was not as > > secure as it was once thought to be. For a time, the online debate among > > technologists degenerated into thekind of vitriol > > <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one > > might expect to hear among, say, U.S. presidential campaigns. But wounds > > have since healed and some critics are now working with Kobeissi to help > > clean up and secure Cryptocat. > > Life and death, prison and torture remain real outcomes > > > <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php> > > for many users, and, as Ball noted in/Wired/, there are no security > > shortcuts in hostile environments. But if tools remain too difficult for > > people to use in real-life circumstances in which they are under duress, > > then that is a security problem in itself. > > The lesson of Cryptocat is that more learning and collaboration are > > needed. Donors, journalists, and technologists can work together more > > closely to bridge the gap between invention and use. > > Frank Smyth is CPJ's senior adviser for journalist security. He has > > reported on armed conflicts, organized crime, and human rights from > > nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda, > > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on > > Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>. > > > > > > *Tags:* > > > > * Cryptocat <http://www.cpj.org/tags/cryptocat>, > > * Hacked <http://www.cpj.org/tags/hacked>, > > * Internet <http://www.cpj.org/tags/internet>, > > * Martus <http://www.cpj.org/tags/martus>, > > * Nadim Kobeissi <http://www.cpj.org/tags/nadim-kobeissi>, > > * Patrick Ball <http://www.cpj.org/tags/patrick-ball>, > > * Pretty Good Privacy <http://www.cpj.org/tags/pretty-good-privacy>, > > * Tor <http://www.cpj.org/tags/tor> > > > > September 11, 2012 12:12 PM ET > > > > Frank Smyth > > Executive Director > > Global Journalist Security > > [email protected] <mailto:[email protected]> > <mailto:[email protected] > <http://mailto:[email protected]>> > > Tel. + 1 202 244 0717 > > Cell + 1 202 352 1736 > > Twitter: @JournoSecurity > > Website: www.journalistsecurity.net <http://www.journalistsecurity.net> > <http://www.journalistsecurity.net> > > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key> > > > > > > Please consider our Earth before printing this email. > > > > Confidentiality Notice: This email and any files transmitted with it are > > confidential. If you have received this email in error, please notify > > the sender and delete this message and any copies. If you are not the > > intended recipient, you are notified that disclosing, copying, > > distributing or taking any action in reliance on the contents of this > > information is strictly prohibited. > > > > > > > > -- > > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > -- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > -- > Unsubscribe, change to digest, or change password at: > https://mailman.stanford.edu/mailman/listinfo/liberationtech > -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
