I don't have time for a wall of text. Long story short: if @ionnonews
"misinterpreted" your article, it's because your article is horribly
open to misinterpretation. I interpreted your article similarly to them
and am sure most people did.

I'm so sick of having to deal with horrible coverage of my work. First
Wired, then Wired (again,) then this. Really, the most sensible person
has been Chris Soghoian, even though he's been harsh. At least he checks
his facts, is constructive and isn't just a pretentious nobody
pretending to know something about security.

NK

On 9/11/2012 3:07 PM, [email protected] wrote:
> Nadim,
> 
> I read about the browser plug-in being added nearly two months ago, as you
> state, in Forbes on July 30.
> http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/
>  
> Yet it was a month and six weeks later, respectively, when Chris and
> Patrick each wrote their critiques in response to the first Wired
> piece. I also read your exchange with Patrick some weeks ago, and I have
> spoken to Patrick, albeit before he wrote his piece in Wired.
> 
> What I have not read here or elsewhere is anything indicating that there
> is now a consensus that Cryptocat has been fixed. (And that is essential
> for me and CPJ, as I explain below.) Instead I reflected what I think is
> accurate; that you and others are still working to make sure it is
> secure. I think most readers would conclude that I have faith that it is
> being secured. And this is quite different from what @innonews
> erroneously tweeted that I and CPJ said that Cryptocat is unsafe.
> 
> If anything, Nadim, I was responding to Patrick for ending his article
> and seemingly the conversation by saying that PGP and Pidgin/OTR are
> harder to use but they are really secure. My point (Patrick and I have
> been having this discussion for over a decade) is that these tools'
> relative lack of usability still keeps them out of the reach of people
> who really do need to use them. And my point in the piece is that
> everyone who cares about human rights should care more about usability.
> 
> I also gave you credit here, and I think, in the piece, for finally
> making a tool that really achieves usability.
> 
> Please know, too, none of this is abstract for me. In May, as I told you
> a few weeks later at Google, I trained a group of investigative
> journalists in El Salvador and from Peru in May in how to use Cryptocat,
> as I was convinced it was safe. (Also telling them no one tool is ever
> completely safe.) After Chris' piece, I found myself unexpectedly
> telling the same journalists that Cryptocat had vulnerabilities that I,
> for one, as a non-technologist, was not aware of before. I sent them
> Chris' piece, and told them that, if they wish to continue using
> Cryptocat, they should do so with caution.
> 
> For me, and for CPJ, the decision to recommend a tool is a weighty one.
> It would be irresponsible to recommend a tool to journalists unless
> there is a clear consensus within this community that the tool is safe.
> I thought there was a consensus before. I then learned that there was
> not one. And then I wrote what I think is accurate; there is now a
> consensus that whatever vulnerabilities Cryptocat did have before are
> now in the process of being fixed.
> 
> To be clear where we disagree. I did not say that CPJ is now verifying
> Cryptocat is fixed and safe to use. As a non-technologist that would
> never be my role.
> 
> I realize that you see the piece as an attack on Cryptocat. It was not
> meant to be and I do not think most readers, who are not technologists,
> of CPJ's blog will see it that way, either. It was meant as a call for
> more usability, using Cryptocat, in fact, as a model.
> 
> Frank
> 
> Frank Smyth
> Executive Director
> Global Journalist Security
> [email protected] <mailto:[email protected]>
> Tel.  + 1 202 244 0717
> Cell  + 1 202 352 1736
> Twitter:  @JournoSecurity
> Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>  
>  
> Please consider our Earth before printing this email.
> 
> Confidentiality Notice: This email and any files transmitted with it are
> confidential. If you have received this email in error, please notify
> the sender and delete this message and any copies. If you are not the
> intended recipient, you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited.
> 
> 
> 
>     -------- Original Message --------
>     Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
>     debate
>     From: Nadim Kobeissi <[email protected]>
>     Date: Tue, September 11, 2012 1:34 pm
>     To: liberationtech <[email protected]>
> 
> 
>     Frank,
>     Please, tell me more about how your allusion at the end of your post
>     absolves you of the culpability of fact-checking!
> 
>     Furthermore, I have confirmed with Chris concerning the browser plugin
>     issue when I met him last week in D.C., while Patrick Ball and I had an
>     exchange that was posted on libtech weeks ago under the
>     migraine-inducing "What I learned from Cryptocat" thread.
> 
>     Did you even ask Chris or Patrick about the browser plugin platform?
>     I'll eat a shoe if you did. I've been working for weeks on this and it's
>     people like you who just make me feel like all my effort is completely
>     worthless.
> 
>     NK
> 
>     On 9/11/2012 1:24 PM, [email protected] wrote:
>     > Nadim,
>     > 
>     > Toward the end of the piece, I said: some critics are now working with
>     > Kobeissi to help clean up and secure Cryptocat.
>     > 
>     > What you are saying is that Cryptocat is now a browser-plugin only
>     > application, and that therefore, if I understand your point, the
>     > vulnerabilities alluded to by Chris and now Patrick are now all fixed.
>     > 
>     > Are they? If they are, I have not yet read confirmation that they are
>     > from others in this community. I'd welcome any input here.
>     > 
>     > And, Nadim, I have and continue to support you for finally building a
>     > truly user-friendly tool. We need tools that are both secure and
>     > easier-to-use, and that was the point of the piece.
>     > 
>     > Frank
>     > 
>     > 
>     > 
>     > 
>     >     -------- Original Message --------
>     >     Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
>     >     From: Nadim Kobeissi <[email protected]>
>     >     Date: Tue, September 11, 2012 1:14 pm
>     >     To: liberationtech <[email protected]>
>     > 
>     > 
>     >     I can't even-
>     > 
>     >     Frank sent me this article about 15 minutes ago and I answered with the
>     >     notion that Cryptocat has been a browser-plugin only app for more than a
>     >     month, and that his article is just incredibly ignorant and frustrating
>     >     as a result of it ignoring that.
>     > 
>     >     Relevant links:
>     >     https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
>     >     https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
>     > 
>     >     Excuse me while I now go waterboard myself,
>     >     NK
>     > 
>     >     On 9/11/2012 1:07 PM, [email protected] wrote:
>     >     > Hi everybody,
>     >     > 
>     >     > Below is my CPJ blog on the Cryptocat debate. It makes some of the same
>     >     > points that I already made here a few weeks ago. And please know that my
>     >     > intent is to help work toward a solution in terms of bridging invention
>     >     > and usability. I know there are different views, and I have already
>     >     > heard some. Please feel free to respond. (If you wish you may wish to
>     >     > copy me at [email protected] to avoid me missing your note
>     >     > among others.)
>     >     > 
>     >     > Thank you! Best, Frank
>     >     > 
>     >     > 
>     >     > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
>     >     > 
>     >     > 
>     >     >   *In Cryptocat, lessons for technologists and journalists*
>     >     > 
>     >     > By Frank Smyth/Senior Adviser for Journalist Security
>     >     > <http://www.cpj.org/blog/author/frank-smyth>
>     >     > /Alhamdulillah!/ Finally, a technologist designed a security tool that
>     >     > everyone could use. A Lebanese-born, Montreal-based computer scientist,
>     >     > college student, and activist named Nadim Kobeissi had developed a
>     >     > cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet
>     >     > that seemed as easy to use as Facebook Chat but was presumably far more
>     >     > secure.
>     >     > Encrypted communications are hardly a new idea. Technologists wary of
>     >     > government surveillance have been designing free encryption software
>     >     > since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no
>     >     > tool is completely safe, and much depends on the capabilities of the
>     >     > eavesdropper. But for decades digital safety tools have been so hard to
>     >     > use that few human rights defenders and even fewer journalists (my best
>     >     > guess is one in a 100) employ them.
>     >     > Activist technologists often complain that journalists and human rights
>     >     > defenders are either too lazy or foolish to not consistently use digital
>     >     > safety tools when they are operating in hostile environments.
>     >     > Journalists and many human rights activists, for their part, complain
>     >     > that digital safety tools are too difficult or time-consuming to
>     >     > operate, and, even if one tried to learn them, they often don't work as
>     >     > expected.
>     >     > Cryptocat promised
>     >     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     >     > to finally bridge these two distinct cultures. Kobeissi was profiled
>     >     > <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
>     >     > in /The New York Times/; /Forbes/
>     >     > <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/>
>     >     > and especially /Wired/
>     >     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     >     > each praised the tool. But Cryptocat's sheen faded fast. Within three
>     >     > months of winning a prize associated with /The Wall Street Journal/
>     >     > <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught
>     >     > in storm--wet, dirty, and a little worse for wear. Analyst Christopher
>     >     > Soghoian--who wrote a /Times/ op-ed last fall
>     >     > <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html>
>     >     > saying that journalists must learn digital safety skills to protect
>     >     > sources--blogged that Cryptocat had far too many structural flaws
>     >     > <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb>
>     >     > for safe use in a repressive environment.
>     >     > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece
>     >     > just weeks before, Patrick Ball said the prior author's admiration of
>     >     > Cryptocat was "inaccurate, misleading and potentially dangerous
>     >     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>."
>     >     > Ball is one of the Silicon Valley-based nonprofit Benetech
>     >     > <http://www.benetech.org/> developers of Martus
>     >     > <http://www.benetech.org/human_rights/martus.shtml>, an encrypted
>     >     > database used by groups to secure information like witness testimony of
>     >     > human rights abuses.
>     >     > But unlike Martus, which uses its own software, Cryptocat is a
>     >     > "host-based security" application that relies on servers to log in to
>     >     > its software. And this kind of application makes Cryptocat potentially
>     >     > vulnerable
>     >     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/>
>     >     > to manipulation through theft of login information--as everyone,
>     >     > including Kobeissi, now seems to agree.
>     >     > So we are back to where we started, to a degree. Other, older digital
>     >     > safety tools are "a little harder to use, but their security is real,"
>     >     > Ball added in /Wired/. Yet, in the real world, from Mexico
>     >     > <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php>
>     >     > to Ethiopia
>     >     > <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>,
>     >     > from Syria
>     >     > <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php>
>     >     > to Bahrain
>     >     > <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>,
>     >     > how many human rights activists, journalists, and others actually use
>     >     > them? "The tools are just too hard to learn. They take too long to
>     >     > learn. And no one's going to learn them," a journalist for a major U.S.
>     >     > news organization recently told me.
>     >     > Who will help bridge the gap? Information-freedom technologists clearly
>     >     > don't build free, open-source tools to get rich. They're motivated by
>     >     > the recognition one gets from building an exciting, important new tool.
>     >     > (Kind of like journalists breaking a story.) Training people in the use
>     >     > of security tools or making those tools easier to use doesn't bring the
>     >     > same sort of credit.
>     >     > Or financial support. Donors--in good part, U.S. government agencies
>     >     > <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the
>     >     > development of new tools rather than ongoing usability training and
>     >     > development. But in doing so, technologists and donors are avoiding a
>     >     > crucial question: Why aren't more people using security tools? These
>     >     > days--20 years into what we now know as the Internet--usability testing
>     >     > is key to every successful commercial online venture. Yet it is rarely
>     >     > practiced in the Internet freedom community.
>     >     > That may be changing. The anti-censorship circumvention tool Tor has
>     >     > grown progressively easier to use, and donors and technologists are now
>     >     > working to make it easier and faster still. Other tools, like Pretty
>     >     > Good Privacy <http://www.pgpi.org/> or its slightly improved German
>     >     > alternative <http://www.gnupg.org/>, still seem needlessly difficult to
>     >     > operate. Partly because the emphasis is on open technology built by
>     >     > volunteers, users are rarely if ever redirected how to get back on track
>     >     > if they make a mistake or reach a dead end. This would be nearly
>     >     > inconceivable today with any commercial application designed to help
>     >     > users purchase a service or product.
>     >     > Which brings us back to Cryptocat, the ever-so-easy tool that was not as
>     >     > secure as it was once thought to be. For a time, the online debate among
>     >     > technologists degenerated into the kind of vitriol
>     >     > <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one
>     >     > might expect to hear among, say, U.S. presidential campaigns. But wounds
>     >     > have since healed and some critics are now working with Kobeissi to help
>     >     > clean up and secure Cryptocat.
>     >     > Life and death, prison and torture remain real outcomes
>     >     > <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php>
>     >     > for many users, and, as Ball noted in /Wired/, there are no security
>     >     > shortcuts in hostile environments. But if tools remain too difficult for
>     >     > people to use in real-life circumstances in which they are under duress,
>     >     > then that is a security problem in itself.
>     >     > The lesson of Cryptocat is that more learning and collaboration are
>     >     > needed. Donors, journalists, and technologists can work together more
>     >     > closely to bridge the gap between invention and use.
>     >     > Frank Smyth is CPJ's senior adviser for journalist security. He has
>     >     > reported on armed conflicts, organized crime, and human rights from
>     >     > nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda,
>     >     > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on
>     >     > Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>.
>     >     > 
>     >     > 
>     >     >         *Tags:*
>     >     > 
>     >     >   * Cryptocat <http://www.cpj.org/tags/cryptocat>,
>     >     >   * Hacked <http://www.cpj.org/tags/hacked>,
>     >     >   * Internet <http://www.cpj.org/tags/internet>,
>     >     >   * Martus <http://www.cpj.org/tags/martus>,
>     >     >   * Nadim Kobeissi <http://www.cpj.org/tags/nadim-kobeissi>,
>     >     >   * Patrick Ball <http://www.cpj.org/tags/patrick-ball>,
>     >     >   * Pretty Good Privacy <http://www.cpj.org/tags/pretty-good-privacy>,
>     >     >   * Tor <http://www.cpj.org/tags/tor>
>     >     > 
>     >     > September 11, 2012 12:12 PM ET
>     >     > 
>     >     > 
>     >     > 
>     >     > 
>     >     > --
>     >     > Unsubscribe, change to digest, or change password at:
>     >     > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>     >     > 