[liberationtech] What I've learned from Cryptocat

Jillian C. York jilliancyork at gmail.com
Tue Aug 7 10:17:10 PDT 2012


Gotta agree with others who note consensus as a problem... the reason (in my
view) being that risk assessment is imperative and that no single guide can
respond to various risk models.

On Tue, Aug 7, 2012 at 1:25 AM, Luke Allnutt <AllnuttL at rferl.org> wrote:

>
> With Frank's message in mind, do list members have thoughts about the best
> dumbed-down guide for activists to stay safer online?
>
> I know EFF, MobileActive, and Movements.org have done some good work in
> this field, but wondered whether there is a consensus on a good short,
> easy-to-understand document for activists?
>
> Luke
>
> From: <frank at journalistsecurity.net>
> Sent by: liberationtech-bounces at lists.stanford.edu
> Date: 08/07/2012 07:19 AM
> To: "Moxie Marlinspike" <moxie at thoughtcrime.org>,
> liberationtech at lists.stanford.edu
> Subject: Re: [liberationtech] What I've learned from Cryptocat
>
> Hey guys,
>
> I appreciate the importance and depth of this discussion. But I also wish
> to underscore that most of the people who are at risk are not using any
> tools, whether they be CryptoCat, PGP, GChat or others, for the simple reason
> that they either cannot figure them out, or don't have time to figure them
> out, or both. And I am talking about people at risk in many different
> nations.
>
> No doubt the functional security of tools is an indispensable, essential
> concern. Ignoring any vulnerabilities is dangerous, indeed. But the
> usability of the same tools and making them accessible to non-technologists
> is just as big a concern, in my view. I know you guys think that many such
> users including Western journalists are simply lazy. But many, if not most
> of the available tools are simply not intuitive, or not as much as most
> technologists who already know how to use them seem to think.
>
> How many people on this list have spent time asking non-technologists and
> other users who have tried, but have since given up even trying to use
> tools like PGP? Or have examined how new users interact with such tools? I
> have a great deal of respect for this community. But to be honest it seems
> to me that neither the technologists nor the donors have spent much time
> asking such questions.
>
> If a novice user makes a mistake in PGP, for example, it's over. Options
> are not intuitive if you don't already know them. And if you hit the wrong
> button, you can end up at a dead end with no guidance on how to get back on
> track. Trust me. I know. And I am not trashing PGP. I know well and fully
> appreciate its value and I have used it and continue to use it in hostile
> environments. And I also know that users and only users can make crucial
> choices during use for their own security. I get that, too. But most
> digital security tools still do not do a good job of laying out, let alone
> explaining, the options. And I say that with respect for the value of the
> tools and options themselves.
>
> Cryptocat is one of the most user-friendly tools out there, and I think
> Nadim deserves credit for the effort. Of course, the vulnerabilities must
> be fixed before anyone should use it in a hostile environment. Although the
> level of vulnerability might also depend on the nature of the threat in any
> particular environment. But I also think we need to spend as much time
> making tools accessible as we do making them secure if we are going to
> reach the people who really need them. And right now few if any of these
> tools are having the reach that we all agree is needed. And that is an
> issue largely of usability.
>
> I think with more constructive collaboration we would achieve both. We
> need to. Thanks.
>
> Best, Frank
>
> Frank Smyth
> Executive Director
> Global Journalist Security
> frank at journalistsecurity.net
> Tel.  + 1 202 244 0717
> Cell  + 1 202 352 1736
> Twitter:  @JournoSecurity
> Website: http://www.journalistsecurity.net/
> PGP Public Key: http://www.journalistsecurity.net/franks-pgp-public-key
>
>
>
>
>
>
> -------- Original Message --------
> Subject: Re: [liberationtech] What I've learned from Cryptocat
> From: Moxie Marlinspike <moxie at thoughtcrime.org>
> Date: Mon, August 06, 2012 10:29 pm
> To: liberationtech at lists.stanford.edu
>
>
>
>
> On 08/06/2012 06:59 PM, Eleanor Saitta wrote:
> > Except that with your harm mitigation, you push many potential users
> > back to plaintext, where they are guaranteed to be owned. What
> > percentage of potential cryptocat users would the plugin version have to
> > stop from using the tool for you to accept that there was a place for
> > the non-plugin version?
>
> Let's stop using the word "plaintext," because my understanding is that
> none of the chat services we're speaking of transmit data in the clear.
> As I see it, there are currently three possible vectors for attack with
> "existing" web-based chat services:
>
> 1) SSL interception.
> 2) Server compromise.
> 3) Server operator.
>
> The technology in CryptoCat v1 does not address any of these three
> vectors, and all of them remain possible. My position is that it's
> actually more susceptible to attack via #1 and #2 than existing
> web-based chat solutions. I believe your position is that it improves
> on vector #3 by virtue of being not-Facebook. (I'm curious how you
> measure #3 in comparison to GChat.)
>
> If we postulate that CryptoCat does improve vector #3 by virtue of being
> not-Facebook, it isn't a result of the technology, but simply that we've
> agreed Nadim has a better monitoring/interception track record than
> Facebook. If that's something you think is valuable, it actually seems
> like it'd potentially be better served by having someone like the EFF or
> Riseup host a web-based and SSL-protected chat service, without bringing
> any additional cryptography confusion into the mix. A trust project,
> not a cryptography project.
>
> Unfortunately for me, I'd rather depend on cryptography than people.
> But I believe that CryptoCat is actually well positioned to drive
> changes in the ecosystem that will allow them to really improve on those
> three vectors in time. I think it's difficult to experiment in public
> with security tools, however, and that it's a sage decision to make a
> secure solution available (CryptoCat v2) and work on reducing friction
> while maintaining security from there.
>
> - moxie
>
> -- 
> http://www.thoughtcrime.org/
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech



-- 
+1-857-891-4244 | jilliancyork.com | @jilliancyork

"We must not be afraid of dreaming the seemingly impossible if we want the
seemingly impossible to become a reality" - Vaclav Havel