[liberationtech] Comments from Chile
Nadim Kobeissi
nadim at nadim.cc
Tue Jul 31 18:03:03 PDT 2012

Hello,

I am a lead developer from the Cryptocat Project. Responding to the claim
that Cryptocat chats have been transcribed:

- It is overwhelmingly likely that local spyware/keyloggers would be
  responsible for the transcription. This scenario is rendered highly
  plausible due to the mention that the computers were previously
  confiscated, allowing for spyware to be installed to capture
  screenshots/keystrokes/etc. While this is outside of Cryptocat's threat
  model, it is still an unfortunate threat to many, and we will be responding
  by including a tutorial on how to use Tails <https://tails.boum.org/> in
  conjunction with Cryptocat in order to mitigate this threat.
- As an ancillary measure, and even though a non-spyware compromise is
  relatively unlikely in this scenario, we will be rotating all of our keys
  (SSL and otherwise) within 48 hours.
- As an ancillary measure, we will be studying our network for evidence
  of compromise, and we will be migrating our servers to Iceland simply
  because we can and it's likely to be a good idea in the long-term.

Furthermore, I would like to mention that the Cryptocat Project's next
major release, Cryptocat 2, which is scheduled this month, will be deployed
in a largely decentralized fashion, getting rid of the server as a possible
compromise point. More information can be found at the Cryptocat
Development Blog: https://blog.crypto.cat.

Given the circumstances of this particular incident, I believe that this is
very likely a local spyware compromise. However, due to it being easily
within our capacity to take thorough measures, we will.

Warm regards,
NK