Thanks, Frank. I hope I'll never be in the position where I have to resort to your blog in order to make my case to a wider audience.
NK

On 9/11/2012 3:51 PM, [email protected] wrote:
> I do not pretend to know something about security technology.
> I do know something about journalists and human rights defenders at risk.
>
> What is needed is a constructive dialogue between our two communities. In that regard it is unfortunate that you have declined CPJ's offer to write your own piece for CPJ in response to, or notwithstanding mine. It would give you the opportunity to make your case to a much wider audience. The issues are much bigger and more important than either of us.
>
> Frank Smyth
> Executive Director
> Global Journalist Security
> [email protected]
> Tel. + 1 202 244 0717
> Cell + 1 202 352 1736
> Twitter: @JournoSecurity
> Website: www.journalistsecurity.net
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>
> Please consider our Earth before printing this email.
>
> Confidentiality Notice: This email and any files transmitted with it are confidential. If you have received this email in error, please notify the sender and delete this message and any copies. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
>
> -------- Original Message --------
> Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
> From: Nadim Kobeissi <[email protected]>
> Date: Tue, September 11, 2012 3:39 pm
> To: liberationtech <[email protected]>
>
> I don't have time for a wall of text. Long story short: if @ionnonews "misinterpreted" your article, it's because your article is horribly open to misinterpretation. I interpreted your article similarly to them and am sure most people did.
>
> I'm so sick of having to deal with horrible coverage of my work. First Wired, then Wired (again,) then this. Really, the most sensible person has been Chris Soghoian, even though he's been harsh. At least he checks his facts, is constructive and isn't just a pretentious nobody pretending to know something about security.
>
> NK
>
> On 9/11/2012 3:07 PM, [email protected] wrote:
> > Nadim,
> >
> > I read about the browser plug-in being added nearly two months, as you state, in Forbes on July 30.
> > http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/
> >
> > Yet it was a month and six weeks later, respectively, when Chris and Patrick each wrote their critiques in response to the first Wired piece. I also read your exchange with Patrick some weeks ago, and I have spoken to Patrick, albeit before he wrote his piece in Wired.
> >
> > What I have not read here or elsewhere is anything indicating that there is now a consensus that Cryptocat has been fixed. (And that is essential for me and CPJ, as I explain below.) Instead I reflected what I think is accurate; that you and others are still working to make sure it is secure. I think most readers would conclude that I have faith that it is being secured. And this is quite different from what @innonews erroneously tweeted that I and CPJ said that Cryptocat is unsafe.
> >
> > If anything, Nadim, I was responding to Patrick for ending his article and seemingly the conversation by saying that PGP and Pidgin/OTR are harder to use but they are really secure. My point (Patrick and I have been having this discussion for over a decade) is that these tools' relative lack of usability still keeps them out of the reach of people who really do need to use them. And my point in the piece is that everyone who cares about human rights should care more about usability.
> >
> > I also gave you credit here, and I think, in the piece, for finally making a tool that really achieves usability.
> >
> > Please know, too, none of this is abstract for me. In May, as I told you a few weeks later at Google, I trained a group of investigative journalists in El Salvador and from Peru in May in how to use Cryptocat, as I was convinced it was safe. (Also telling them no one tool is ever completely safe.) After Chris' piece, I found myself unexpectedly telling the same journalists that Cryptocat had vulnerabilities that I, for one, as a non-technologist, was not aware of before. I sent them Chris' piece, and told them that, if they wish to continue using Cryptocat, they should do so with caution.
> >
> > For me, and for CPJ, the decision to recommend a tool is a weighty one. It would be irresponsible to recommend a tool to journalists unless there is a clear consensus within this community that the tool is safe. I thought there was a consensus before. I then learned that there was not one. And then I wrote what I think is accurate; there is now a consensus that whatever vulnerabilities Cryptocat did have before are now in the process of being fixed.
> >
> > To be clear where we disagree. I did not say that CPJ is now verifying Cryptocat is fixed and safe to use. As a non-technologist that would never be my role.
> >
> > I realize that you see the piece as an attack on Cryptocat. It was not meant to be and I do not think most readers, who are not technologists, of CPJ's blog will see it that way, either. It was meant as a call for more usability, using Cryptocat, in fact, as a model.
> >
> > Frank
> >
> > -------- Original Message --------
> > Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
> > From: Nadim Kobeissi <[email protected]>
> > Date: Tue, September 11, 2012 1:34 pm
> > To: liberationtech <[email protected]>
> >
> > Frank,
> > Please, tell me more about how your allusion at the end of your post absolves you of the culpability of fact-checking!
> >
> > Furthermore, I have confirmed with Chris concerning the browser plugin issue when I met him last week in D.C., while Patrick Ball and I had an exchange that was posted on libtech weeks ago under the migraine-inducing "What I learned from Cryptocat" thread.
> >
> > Did you even ask Chris or Patrick about the browser plugin platform? I'll eat a shoe if you did. I've been working for weeks on this and it's people like you who just make me feel like all my effort is completely worthless.
> >
> > NK
> >
> > On 9/11/2012 1:24 PM, [email protected] wrote:
> > > Nadim,
> > >
> > > Toward the end of the piece, I said: some critics are now working with Kobeissi to help clean up and secure Cryptocat.
> > >
> > > What you are saying is that Cryptocat is now a browser-plugin only application, and that therefore, if I understand your point, the vulnerabilities alluded to by Chris and now Patrick are now all fixed.
> > >
> > > Are they? If they are, I have not yet read confirmation that they are from others in this community. I'd welcome any input here.
> > >
> > > And, Nadim, I have and continue to support you for finally building a truly user-friendly tool. We need tools that are both secure and easier-to-use, and that was the point of the piece.
> > >
> > > Frank
> > >
> > > -------- Original Message --------
> > > Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat debate
> > > From: Nadim Kobeissi <[email protected]>
> > > Date: Tue, September 11, 2012 1:14 pm
> > > To: liberationtech <[email protected]>
> > >
> > > I can't even-
> > >
> > > Frank sent me this article about 15 minutes ago and I answered with the notion that Cryptocat has been a browser-plugin only app for more than a month, and that his article is just incredibly ignorant and frustrating as a result of it ignoring that.
> > >
> > > Relevant links:
> > > https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
> > > https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
> > >
> > > Excuse me while I now go waterboard myself,
> > > NK
> > >
> > > On 9/11/2012 1:07 PM, [email protected] wrote:
> > > > Hi everybody,
> > > >
> > > > Below is my CPJ blog on the Cryptocat debate. It makes some of the same points that I already made here a few weeks ago. And please know that my intent is to help work toward a solution in terms of bridging invention and usability. I know there are different views, and I have already heard some. Please feel free to respond. (If you wish you may wish to copy me at [email protected] to avoid me missing your note among others.)
> > > >
> > > > Thank you! Best, Frank
> > > >
> > > > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
> > > >
> > > > *In Cryptocat, lessons for technologists and journalists*
> > > >
> > > > By Frank Smyth/Senior Adviser for Journalist Security <http://www.cpj.org/blog/author/frank-smyth>
> > > >
> > > > /Alhamdulillah!/ Finally, a technologist designed a security tool that everyone could use. A Lebanese-born, Montreal-based computer scientist, college student, and activist named Nadim Kobeissi had developed a cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet that seemed as easy to use as Facebook Chat but was presumably far more secure.
> > > >
> > > > Encrypted communications are hardly a new idea. Technologists wary of government surveillance have been designing free encryption software since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no tool is completely safe, and much depends on the capabilities of the eavesdropper. But for decades digital safety tools have been so hard to use that few human rights defenders and even fewer journalists (my best guess is one in a 100) employ them.
> > > >
> > > > Activist technologists often complain that journalists and human rights defenders are either too lazy or foolish to not consistently use digital safety tools when they are operating in hostile environments. Journalists and many human rights activists, for their part, complain that digital safety tools are too difficult or time-consuming to operate, and, even if one tried to learn them, they often don't work as expected.
> > > >
> > > > Cryptocat promised <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all> to finally bridge these two distinct cultures. Kobeissi was profiled <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html> in /The New York Times/; /Forbes/ <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/> and especially /Wired/ <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all> each praised the tool. But Cryptocat's sheen faded fast. Within three months of winning a prize associated with /The Wall Street Journal/ <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught in a storm--wet, dirty, and a little worse for wear.
> > > >
> > > > Analyst Christopher Soghoian--who wrote a /Times/ op-ed last fall <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html> saying that journalists must learn digital safety skills to protect sources--blogged that Cryptocat had far too many structural flaws <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb> for safe use in a repressive environment.
> > > >
> > > > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece just weeks before, Patrick Ball said the prior author's admiration of Cryptocat was "inaccurate, misleading and potentially dangerous <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>." Ball is one of the Silicon Valley-based nonprofit Benetech <http://www.benetech.org/> developers of Martus <http://www.benetech.org/human_rights/martus.shtml>, an encrypted database used by groups to secure information like witness testimony of human rights abuses.
> > > >
> > > > But unlike Martus, which uses its own software, Cryptocat is a "host-based security" application that relies on servers to log in to its software. And this kind of application makes Cryptocat potentially vulnerable <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/> to manipulation through theft of login information--as everyone, including Kobeissi, now seems to agree.
> > > >
> > > > So we are back to where we started, to a degree. Other, older digital safety tools are "a little harder to use, but their security is real," Ball added in /Wired/. Yet, in the real world, from Mexico <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php> to Ethiopia <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>, from Syria <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php> to Bahrain <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>, how many human rights activists, journalists, and others actually use them? "The tools are just too hard to learn. They take too long to learn. And no one's going to learn them," a journalist for a major U.S. news organization recently told me.
> > > >
> > > > Who will help bridge the gap? Information-freedom technologists clearly don't build free, open-source tools to get rich. They're motivated by the recognition one gets from building an exciting, important new tool. (Kind of like journalists breaking a story.) Training people in the use of security tools or making those tools easier to use doesn't bring the same sort of credit.
> > > >
> > > > Or financial support. Donors--in good part, U.S. government agencies <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the development of new tools rather than ongoing usability training and development. But in doing so, technologists and donors are avoiding a crucial question: Why aren't more people using security tools? These days--20 years into what we now know as the Internet--usability testing is key to every successful commercial online venture. Yet it is rarely practiced in the Internet freedom community.
> > > >
> > > > That may be changing. The anti-censorship circumvention tool Tor has grown progressively easier to use, and donors and technologists are now working to make it easier and faster still. Other tools, like Pretty Good Privacy <http://www.pgpi.org/> or its slightly improved German alternative <http://www.gnupg.org/>, still seem needlessly difficult to operate. Partly because the emphasis is on open technology built by volunteers, users are rarely if ever redirected how to get back on track if they make a mistake or reach a dead end. This would be nearly inconceivable today with any commercial application designed to help users purchase a service or product.
> > > >
> > > > Which brings us back to Cryptocat, the ever-so-easy tool that was not as secure as it was once thought to be. For a time, the online debate among technologists degenerated into the kind of vitriol <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one might expect to hear among, say, U.S. presidential campaigns. But wounds have since healed and some critics are now working with Kobeissi to help clean up and secure Cryptocat.
> > > >
> > > > Life and death, prison and torture remain real outcomes <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php> for many users, and, as Ball noted in /Wired/, there are no security shortcuts in hostile environments. But if tools remain too difficult for people to use in real-life circumstances in which they are under duress, then that is a security problem in itself.
> > > >
> > > > The lesson of Cryptocat is that more learning and collaboration are needed. Donors, journalists, and technologists can work together more closely to bridge the gap between invention and use.
> > > >
> > > > Frank Smyth is CPJ's senior adviser for journalist security. He has reported on armed conflicts, organized crime, and human rights from nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda, Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>.
> > > >
> > > > September 11, 2012 12:12 PM ET

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
