[liberationtech] My CPJ blog: Lessons from the Cryptocat debate

Nadim Kobeissi nadim at nadim.cc
Tue Sep 11 12:39:05 PDT 2012


I don't have time for a wall of text. Long story short: if @ionnonews
"misinterpreted" your article, it's because your article is horribly
open to misinterpretation. I interpreted your article similarly to them
and am sure most people did.

I'm so sick of having to deal with horrible coverage of my work. First
Wired, then Wired (again), then this. Really, the most sensible person
has been Chris Soghoian, even though he's been harsh. At least he checks
his facts, is constructive and isn't just a pretentious nobody
pretending to know something about security.

NK

On 9/11/2012 3:07 PM, frank at journalistsecurity.net wrote:
> Nadim,
> 
> I read about the browser plug-in being added nearly two months ago, as you
> state, in Forbes on July 30.
> http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/ 
> Yet it was a month and six weeks later, respectively, when Chris and
> Patrick each wrote their critiques in response to the first Wired
> piece. I also read your exchange with Patrick some weeks ago, and I have
> spoken to Patrick, albeit before he wrote his piece in Wired.
> 
> What I have not read here or elsewhere is anything indicating that there
> is now a consensus that Cryptocat has been fixed. (And that is essential
> for me and CPJ, as I explain below.) Instead I reflected what I think is
> accurate; that you and others are still working to make sure it is
> secure. I think most readers would conclude that I have faith that it is
> being secured. And this is quite different from what @innonews
> erroneously tweeted that I and CPJ said that Cryptocat is unsafe.
> 
> If anything, Nadim, I was responding to Patrick for ending his article
> and seemingly the conversation by saying that PGP and Pidgin/OTR are
> harder to use but they are really secure. My point (Patrick and I have
> been having this discussion for over a decade) is that these tools'
> relative lack of usability still keeps them out of the reach of people
> who really do need to use them. And my point in the piece is that
> everyone who cares about human rights should care more about usability.
> 
> I also gave you credit here, and I think, in the piece, for finally
> making a tool that really achieves usability.
> 
> Please know, too, none of this is abstract for me. In May, as I told you
> a few weeks later at Google, I trained a group of investigative
> journalists in El Salvador and from Peru in May in how to use Cryptocat,
> as I was convinced it was safe. (Also telling them no one tool is ever
> completely safe.) After Chris' piece, I found myself unexpectedly
> telling the same journalists that Cryptocat had vulnerabilities that I,
> for one, as a non-technologist, was not aware of before. I sent them
> Chris' piece, and told them that, if they wish to continue using
> Cryptocat, they should do so with caution.
> 
> For me, and for CPJ, the decision to recommend a tool is a weighty one.
> It would be irresponsible to recommend a tool to journalists unless
> there is a clear consensus within this community that the tool is safe.
> I thought there was a consensus before. I then learned that there was
> not one. And then I wrote what I think is accurate; there is now a
> consensus that whatever vulnerabilities Cryptocat did have before are
> now in the process of being fixed.
> 
> To be clear about where we disagree: I did not say that CPJ is now verifying
> Cryptocat is fixed and safe to use. As a non-technologist that would
> never be my role.
> 
> I realize that you see the piece as an attack on Cryptocat. It was not
> meant to be and I do not think most readers, who are not technologists,
> of CPJ's blog will see it that way, either. It was meant as a call for
> more usability, using Cryptocat, in fact, as a model.
> 
> Frank
> 
> Frank Smyth
> Executive Director
> Global Journalist Security
> frank at journalistsecurity.net
> Tel.  + 1 202 244 0717
> Cell  + 1 202 352 1736
> Twitter:  @JournoSecurity
> Website: www.journalistsecurity.net
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>  
>  
> Please consider our Earth before printing this email.
> 
> Confidentiality Notice: This email and any files transmitted with it are
> confidential. If you have received this email in error, please notify
> the sender and delete this message and any copies. If you are not the
> intended recipient, you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited.
> 
> 
> 
>     -------- Original Message --------
>     Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
>     debate
>     From: Nadim Kobeissi <nadim at nadim.cc>
>     Date: Tue, September 11, 2012 1:34 pm
>     To: liberationtech <liberationtech at lists.stanford.edu>
> 
> 
>     Frank,
>     Please, tell me more about how your allusion at the end of your post
>     absolves you of the culpability of fact-checking!
> 
>     Furthermore, I have confirmed with Chris concerning the browser plugin
>     issue when I met him last week in D.C., while Patrick Ball and I had an
>     exchange that was posted on libtech weeks ago under the
>     migraine-inducing "What I learned from Cryptocat" thread.
> 
>     Did you even ask Chris or Patrick about the browser plugin platform?
>     I'll eat a shoe if you did. I've been working for weeks on this and it's
>     people like you who just make me feel like all my effort is completely
>     worthless.
> 
>     NK
> 
>     On 9/11/2012 1:24 PM, frank at journalistsecurity.net wrote:
>     > Nadim,
>     > 
>     > Toward the end of the piece, I said: some critics are now working with
>     > Kobeissi to help clean up and secure Cryptocat.
>     > 
>     > What you are saying is that Cryptocat is now a browser-plugin only
>     > application, and that therefore, if I understand your point, the
>     > vulnerabilities alluded to by Chris and now Patrick are now all fixed.
>     > 
>     > Are they? If they are, I have not yet read confirmation that they are
>     > from others in this community. I'd welcome any input here.
>     > 
>     > And, Nadim, I have and continue to support you for finally building a
>     > truly user-friendly tool. We need tools that are both secure and
>     > easier-to-use, and that was the point of the piece.
>     > 
>     > Frank
>     > 
>     > 
>     > 
>     > 
>     > 
>     > 
>     >     -------- Original Message --------
>     >     Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
>     >     debate
>     >     From: Nadim Kobeissi <nadim at nadim.cc>
>     >     Date: Tue, September 11, 2012 1:14 pm
>     >     To: liberationtech <liberationtech at lists.stanford.edu>
>     > 
>     > 
>     >     I can't even-
>     > 
>     >     Frank sent me this article about 15 minutes ago and I answered with the
>     >     notion that Cryptocat has been a browser-plugin only app for more than a
>     >     month, and that his article is just incredibly ignorant and frustrating
>     >     as a result of it ignoring that.
>     > 
>     >     Relevant links:
>     >     https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
>     >     https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
>     > 
>     >     Excuse me while I now go waterboard myself,
>     >     NK
>     > 
>     >     On 9/11/2012 1:07 PM, frank at journalistsecurity.net wrote:
>     >     > Hi everybody,
>     >     > 
>     >     > Below is my CPJ blog on the Cryptocat debate. It makes some of the same
>     >     > points that I already made here a few weeks ago. And please know that my
>     >     > intent is to help work toward a solution in terms of bridging invention
>     >     > and usability. I know there are different views, and I have already
>     >     > heard some. Please feel free to respond. (If you wish, you may copy me
>     >     > at frank at journalistsecurity.net to avoid me missing your note
>     >     > among others.)
>     >     > 
>     >     > Thank you! Best, Frank
>     >     > 
>     >     > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
>     >     > 
>     >     > 
>     >     >   *In Cryptocat, lessons for technologists and journalists*
>     >     > 
>     >     > By Frank Smyth/Senior Adviser for Journalist Security
>     >     > <http://www.cpj.org/blog/author/frank-smyth>
>     >     > /Alhamdulillah!/ Finally, a technologist designed a security tool that
>     >     > everyone could use. A Lebanese-born, Montreal-based computer scientist,
>     >     > college student, and activist named Nadim Kobeissi had developed a
>     >     > cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet
>     >     > that seemed as easy to use as Facebook Chat but was presumably far more
>     >     > secure.
>     >     > Encrypted communications are hardly a new idea. Technologists wary of
>     >     > government surveillance have been designing free encryption software
>     >     > since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no
>     >     > tool is completely safe, and much depends on the capabilities of the
>     >     > eavesdropper. But for decades digital safety tools have been so hard to
>     >     > use that few human rights defenders and even fewer journalists (my best
>     >     > guess is one in 100) employ them.
>     >     > Activist technologists often complain that journalists and human rights
>     >     > defenders are either too lazy or foolish to consistently use digital
>     >     > safety tools when they are operating in hostile environments.
>     >     > Journalists and many human rights activists, for their part, complain
>     >     > that digital safety tools are too difficult or time-consuming to
>     >     > operate, and, even if one tried to learn them, they often don't work as
>     >     > expected.
>     >     > Cryptocat promised
>     >     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     >     > to finally bridge these two distinct cultures. Kobeissi was profiled
>     >     > <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
>     >     > in /The New York Times/; /Forbes/
>     >     > <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/>
>     >     > and especially /Wired/
>     >     > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>     >     > each praised the tool. But Cryptocat's sheen faded fast. Within three
>     >     > months of winning a prize associated with /The Wall Street Journal/
>     >     > <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught
>     >     > in a storm--wet, dirty, and a little worse for wear. Analyst Christopher
>     >     > Soghoian--who wrote a /Times/ op-ed last fall
>     >     > <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html>
>     >     > saying that journalists must learn digital safety skills to protect
>     >     > sources--blogged that Cryptocat had far too many structural flaws
>     >     > <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb>
>     >     > for safe use in a repressive environment.
>     >     > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece
>     >     > just weeks before, Patrick Ball said the prior author's admiration of
>     >     > Cryptocat was "inaccurate, misleading and potentially dangerous
>     >     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>."
>     >     > Ball is one of the Silicon Valley-based nonprofit Benetech
>     >     > <http://www.benetech.org/> developers of Martus
>     >     > <http://www.benetech.org/human_rights/martus.shtml>, an encrypted
>     >     > database used by groups to secure information like witness testimony of
>     >     > human rights abuses.
>     >     > But unlike Martus, which uses its own software, Cryptocat is a
>     >     > "host-based security" application that relies on servers to log in to
>     >     > its software. And this kind of application makes Cryptocat potentially
>     >     > vulnerable
>     >     > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/>
>     >     > to manipulation through theft of login information--as everyone,
>     >     > including Kobeissi, now seems to agree.
>     >     > So we are back to where we started, to a degree. Other, older digital
>     >     > safety tools are "a little harder to use, but their security is real,"
>     >     > Ball added in /Wired/. Yet, in the real world, from Mexico
>     >     > <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php>
>     >     > to Ethiopia
>     >     > <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>,
>     >     > from Syria
>     >     > <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php>
>     >     > to Bahrain
>     >     > <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>,
>     >     > how many human rights activists, journalists, and others actually use
>     >     > them? "The tools are just too hard to learn. They take too long to
>     >     > learn. And no one's going to learn them," a journalist for a major U.S.
>     >     > news organization recently told me.
>     >     > Who will help bridge the gap? Information-freedom technologists clearly
>     >     > don't build free, open-source tools to get rich. They're motivated by
>     >     > the recognition one gets from building an exciting, important new tool.
>     >     > (Kind of like journalists breaking a story.) Training people in the use
>     >     > of security tools or making those tools easier to use doesn't bring the
>     >     > same sort of credit.
>     >     > Or financial support. Donors--in good part, U.S. government agencies
>     >     > <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the
>     >     > development of new tools rather than ongoing usability training and
>     >     > development. But in doing so, technologists and donors are avoiding a
>     >     > crucial question: Why aren't more people using security tools? These
>     >     > days--20 years into what we now know as the Internet--usability testing
>     >     > is key to every successful commercial online venture. Yet it is rarely
>     >     > practiced in the Internet freedom community.
>     >     > That may be changing. The anti-censorship circumvention tool Tor has
>     >     > grown progressively easier to use, and donors and technologists are now
>     >     > working to make it easier and faster still. Other tools, like Pretty
>     >     > Good Privacy <http://www.pgpi.org/> or its slightly improved German
>     >     > alternative <http://www.gnupg.org/>, still seem needlessly difficult to
>     >     > operate. Partly because the emphasis is on open technology built by
>     >     > volunteers, users are rarely if ever redirected how to get back on track
>     >     > if they make a mistake or reach a dead end. This would be nearly
>     >     > inconceivable today with any commercial application designed to help
>     >     > users purchase a service or product.
>     >     > Which brings us back to Cryptocat, the ever-so-easy tool that was not as
>     >     > secure as it was once thought to be. For a time, the online debate among
>     >     > technologists degenerated into the kind of vitriol
>     >     > <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one
>     >     > might expect to hear among, say, U.S. presidential campaigns. But wounds
>     >     > have since healed and some critics are now working with Kobeissi to help
>     >     > clean up and secure Cryptocat.
>     >     > Life and death, prison and torture remain real outcomes
>     >     > <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php>
>     >     > for many users, and, as Ball noted in /Wired/, there are no security
>     >     > shortcuts in hostile environments. But if tools remain too difficult for
>     >     > people to use in real-life circumstances in which they are under duress,
>     >     > then that is a security problem in itself.
>     >     > The lesson of Cryptocat is that more learning and collaboration are
>     >     > needed. Donors, journalists, and technologists can work together more
>     >     > closely to bridge the gap between invention and use.
>     >     > Frank Smyth is CPJ's senior adviser for journalist security. He has
>     >     > reported on armed conflicts, organized crime, and human rights from
>     >     > nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda,
>     >     > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on
>     >     > Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>.
>     >     > 
>     >     > 
>     >     > September 11, 2012 12:12 PM ET
>     >     > 
>     >     > 
>     >     > 
>     >     > 
>     >     > --
>     >     > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>     >     > 
>     > 
>     > 
>     > 
> 
> 
> 


