On 2013-07-08, at 12:13 PM, Ralph Holz <h...@net.in.tum.de> wrote:

> Hi Tom,
>
>> If you think this bug could never happen to you or your favorite pet
>> project; if you think there's nothing you can learn from this incident
>> - you haven't thought hard enough about ways it could have been
>> prevented, and thus how you can prevent bugs in your own codebase.
>
> Amen to that.
>
> Thanks for the write-up; it was my feeling, too, that too many people
> have been uttering very sharp criticism in this particular case, and
> that wasn't helping anyone.
>
> There are projects that don't get nearly as much coverage but have a
> very poor security record. I personally know programmers with a hell of
> a global reputation whose code contained bugs found by peers. We should
> keep things in perspective.
Thanks a lot for this kind call for perspective. The fact remains that we messed up. But I'm sticking to the project and I am certain that we will mess up less and less, and evolve. It took exemplary projects like Tor and PGP ten+ years to reach the reputable status they're in today (where, mind you, critical bugs still happen!) — it may take us even longer. But the goals are too important to give up. We're in a situation where accessibility has failed to evolve precisely because you're largely barred from taking risks. A license to take risks isn't a license to keep messing up, but it's still necessary to investigate real problems to which we haven't been able to find solutions as a community so far.

If a bug like this happens again in the future, I will follow the same procedure of complete transparency and hold myself fully accountable for it. All the same, I am redoubling my efforts to bring in more cryptographers and auditors to Cryptocat — this is what I just spent my weekend in Germany doing. But quite frankly, for now, I really think I need a small vacation. :-p

NK

> Ralph
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
>
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at compa...@stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech