Hello everyone, I urge you to read our response at the Cryptocat Development Blog, which strongly clarifies the situation:
https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/

Thank you,
NK

On 2013-07-04, at 12:18 PM, Jens Christian Hillerup <[email protected]> wrote:

> On Thu, Jul 4, 2013 at 11:36 AM, KheOps <[email protected]> wrote:
> Just came across this:
> http://tobtu.com/decryptocat.php
>
> Eep!
>
> It seems like the saying "given enough eyeballs, all bugs are shallow" has
> become obsolete, huh? Peer review is an integral part to developing secure
> cryptography implementations, but unfortunately this fundamentally crashes
> with the hacker mantra of "just do it". It's a shame that this project did
> not get this kind of attention until after people started relying on
> it---that could have saved a lot of people from a lot of shouting in any case.
>
> So what do we do about this? Opening the source code as an argument for
> security no longer suffices. How can we raise money for rigid and independent
> quality assurance of software that in this case is designed to potentially
> save lives? And how can we make sure that this money flows into the fund
> and out to the QAers on a regular basis?
>
> I don't know, sadly, but I'd love to discuss it.
>
> JC
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at [email protected] or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
