[liberationtech] My CPJ blog: Lessons from the Cryptocat debate
Nadim Kobeissi
nadim at nadim.cc
Tue Sep 11 12:53:41 PDT 2012
Thanks, Frank. I hope I'll never be in the position where I have to
resort to your blog in order to make my case to a wider audience.
NK
On 9/11/2012 3:51 PM, frank at journalistsecurity.net wrote:
> I do not pretend to know something about security technology.
> I do know something about journalists and human rights defenders at risk.
>
> What is needed is a constructive dialogue between our two communities.
> In that regard it is unfortunate that you have declined CPJ's offer to
> write your own piece for CPJ in response to, or notwithstanding mine. It
> would give you the opportunity to make your case to a much wider
> audience. The issues are much bigger and more important than either of us.
>
> Frank Smyth
> Executive Director
> Global Journalist Security
> frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> Tel. + 1 202 244 0717
> Cell + 1 202 352 1736
> Twitter: @JournoSecurity
> Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
>
>
> Please consider our Earth before printing this email.
>
> Confidentiality Notice: This email and any files transmitted with it are
> confidential. If you have received this email in error, please notify
> the sender and delete this message and any copies. If you are not the
> intended recipient, you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited.
>
>
>
> -------- Original Message --------
> Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
> debate
> From: Nadim Kobeissi <nadim at nadim.cc <mailto:nadim at nadim.cc>>
> Date: Tue, September 11, 2012 3:39 pm
> To: liberationtech <liberationtech at lists.stanford.edu
> <mailto:liberationtech at lists.stanford.edu>>
>
>
> I don't have time for a wall of text. Long story short: if @ionnonews
> "misinterpreted" your article, it's because your article is horribly
> open to misinterpretation. I interpreted your article similarly to them
> and am sure most people did.
>
> I'm so sick of having to deal with horrible coverage of my work. First
> Wired, then Wired (again,) then this. Really, the most sensible person
> has been Chris Soghoian, even though he's been harsh. At least he checks
> his facts, is constructive and isn't just a pretentious nobody
> pretending to know something about security.
>
> NK
>
> On 9/11/2012 3:07 PM, frank at journalistsecurity.net
> <mailto:frank at journalistsecurity.net> wrote:
> > Nadim,
> >
> > I read about the browser plug-in being added nearly two months, as you
> > state, in Forbes on July 30.
> > http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/
>
> > Yet it was a month and six weeks later, respectively, when Chris and
> > Patrick each wrote their critiques in response to the first Wired
> > piece. I also read your exchange with Patrick some weeks ago, and I have
> > spoken to Patrick, albeit before he wrote his piece in Wired.
> >
> > What I have not read here or elsewhere is anything indicating that there
> > is now a consensus that Crypocat has been fixed. (And that is essential
> > for me and CPJ, as I explain below.) Instead I reflected what I think is
> > accurate; that you are others are still working to make sure it is
> > secure. I think most readers would conclude that I have faith that it is
> > being secured. And this is quite different from what @innonews
> > erroneously tweeted that I and CPJ said that Cryptocat is unsafe.
> >
> > If anything, Nadim, I was responding to Patrick for ending his article
> > and seemingly the conversation by saying that PGP and Pidgin/OTR are
> > harder to user but they are really secure. My point (Patrick and I have
> > been having this discussion for over a decade) is that these tools'
> > relative lack of usability still keeps them out of the reach of people
> > who really do need to use them. And my point in the piece is that
> > everyone who cares about human rights should care more about usability.
> >
> > I also gave you credit here, and I think, in the piece, for finally
> > making a tool that really achieves usability.
> >
> > Please know, too, none of this is abstract for me. In May, as I told you
> > a few weeks later at Google, I trained a group of investigative
> > journalists in El Salvador and from Peru in May in how to use Cryptocat,
> > as I was convinced it was safe. (Also telling them no one tool is ever
> > completely safe.) After Chris' piece, I found myself unexpectedly
> > telling the same journalists that Cryptocat had vulnerabilities that I,
> > for one, as a non-technologist, was not aware of before. I sent them
> > Chris' piece, and told them that, if they wish to continue using
> > Cryptocat, they should do so with caution.
> >
> > For me, and for CPJ, the decision to recommend a tool is a weighty one.
> > It would be irresponsible to recommend a tool to journalists unless
> > there is a clear consensus within this community that the tool is safe.
> > I thought there was a consensus before. I then learned that there was
> > not one. And then I wrote what I think is accurate; there is now a
> > consensus that whatever vulnerabilities Cryptocat did have before are
> > now in the process of being fixed.
> >
> > To be clear where we disagree. I did not say that CPJ is now verifying
> > Cryptocat is fixed and safe to use. As a non-technologist that would
> > never be role.
> >
> > I realize that you see the piece as an attack on Crypocat. It was not
> > meant to be and I do not think most readers, who are not technologists,
> > of CPJ's blog will see it that way, either. It was meant as a call for
> > more usability, using Cryptocat, in fact, as a model.
> >
> > Frank
> >
> > Frank Smyth
> > Executive Director
> > Global Journalist Security
> > frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > Tel. + 1 202 244 0717
> > Cell + 1 202 352 1736
> > Twitter: @JournoSecurity
> > Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> <http://www.journalistsecurity.net>
> > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
> >
> >
> > Please consider our Earth before printing this email.
> >
> > Confidentiality Notice: This email and any files transmitted with it are
> > confidential. If you have received this email in error, please notify
> > the sender and delete this message and any copies. If you are not the
> > intended recipient, you are notified that disclosing, copying,
> > distributing or taking any action in reliance on the contents of this
> > information is strictly prohibited.
> >
> >
> >
> > -------- Original Message --------
> > Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
> > debate
> > From: Nadim Kobeissi <nadim at nadim.cc <http://nadim@nadim.cc> ><mailto:nadim at nadim.cc
> <http://nadim@nadim.cc>>>
> > Date: Tue, September 11, 2012 1:34 pm
> > To: liberationtech <liberationtech at lists.stanford.edu
> <mailto:liberationtech at lists.stanford.edu>
> > <mailto:liberationtech at lists.stanford.edu
> <http://mailto:liberationtech@lists.stanford.edu>>>
> >
> >
> > Frank,
> > Please, tell me more about how your allusion at the end of your post
> > absolves you of the culpability of fact-checking!
> >
> > Furthermore, I have confirmed with Chris concerning the browser plugin
> > issue when I met him last week in D.C., while Patrick Ball and I had an
> > exchange that was posted on libtech weeks ago under the
> > migraine-inducing "What I learned from Cryptocat" thread.
> >
> > Did you even ask Chris or Patrick about the browser plugin platform?
> > I'll eat a shoe if you did. I've been working for weeks on this and it's
> > people like you who just make me feel like all my effort is completely
> > worthless.
> >
> > NK
> >
> > On 9/11/2012 1:24 PM, frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>> wrote:
> > > Nadim,
> > >
> > > Toward the end of the piece, I said: some critics are now working with
> > > Kobeissi to help clean up and secureCryptocat.
> > >
> > > What you are saying is that Cryptocat is now a browser-plugin only
> > > application, and that therefore, if I understand your point, the
> > > vulnerabilities alluded to by Chris and now Patrick are now all fixed.
> > >
> > > Are they? If they are, I have not yet read confirmation that they are
> > > from others in this community. I'd welcome any input here.
> > >
> > > And, Nadim, I have and continue to support you for finally building a
> > > truly user-friendly tool. We need tools that are both secure and
> > > easier-to-use, and that was the point of the piece.
> > >
> > > Frank
> > >
> > >
> > >
> > > Frank Smyth
> > > Executive Director
> > > Global Journalist Security
> > > frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>>
> > > Tel. + 1 202 244 0717
> > > Cell + 1 202 352 1736
> > > Twitter: @JournoSecurity
> > > Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> <http://www.journalistsecurity.net>
> > <http://www.journalistsecurity.net>
> > > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
> > >
> > >
> > > Please consider our Earth before printing this email.
> > >
> > > Confidentiality Notice: This email and any files transmitted with it are
> > > confidential. If you have received this email in error, please notify
> > > the sender and delete this message and any copies. If you are not the
> > > intended recipient, you are notified that disclosing, copying,
> > > distributing or taking any action in reliance on the contents of this
> > > information is strictly prohibited.
> > >
> > >
> > >
> > > -------- Original Message --------
> > > Subject: Re: [liberationtech] My CPJ blog: Lessons from the Cryptocat
> > > debate
> > > From: Nadim Kobeissi <nadim at nadim.cc <http://nadim@nadim.cc> ><http://nadim@nadim.cc
> <http://nadim@nadim.cc>> ><mailto:nadim at nadim.cc <http://nadim@nadim.cc>
> > <http://nadim@nadim.cc <http://nadim@nadim.cc>>>>
> > > Date: Tue, September 11, 2012 1:14 pm
> > > To: liberationtech <liberationtech at lists.stanford.edu
> <mailto:liberationtech at lists.stanford.edu>
> > <mailto:liberationtech at lists.stanford.edu
> <http://mailto:liberationtech@lists.stanford.edu>>
> > > <mailto:liberationtech at lists.stanford.edu
> <http://mailto:liberationtech@lists.stanford.edu>
> > <http://mailto:liberationtech@lists.stanford.edu
> <http://mailto:liberationtech@lists.stanford.edu>>>>
> > >
> > >
> > > I can't even-
> > >
> > > Frank sent me this article about 15 minutes ago and I answered with the
> > > notion that Cryptocat has been a browser-plugin only app for more than a
> > > month, and that his article is just incredibly ignorant and frustrating
> > > as a result of it ignoring that.
> > >
> > > Relevant links:
> > > https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
> > > https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
> > >
> > > Excuse me while I now go waterboard myself,
> > > NK
> > >
> > > On 9/11/2012 1:07 PM, frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>> wrote:
> > > > Hi everybody,
> > > >
> > > > Below is my CPJ blog on the Cryptocat debate. It makes some of the same
> > > > points that I already made here a few weeks ago. And please know that my
> > > > intent is to help work toward a solution in terms of bridging invention
> > > > and usability. I know there are different views, and I have already
> > > > heard some. Please feel free to respond. (If you wish you may wish to
> > > > copy me at frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>>
> > > > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>>> to avoid me missing
> > > your note
> > > > among others.)
> > > >
> > > > Thank you! Best, Frank
> > > >
> > > > http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
> > >
> > > >
> > > >
> > > > *In Cryptocat, lessons for technologists and journalists*
> > > >
> > > > By Frank Smyth/Senior Adviser for Journalist Security
> > > > <http://www.cpj.org/blog/author/frank-smyth>
> > > > /Alhamdulillah! /Finally, a technologist designed a security tool that
> > > > everyone could use. A Lebanese-born, Montreal-based computer scientist,
> > > > college student, and activist named Nadim Kobeissi had developed a
> > > > cryptography tool, Cryptocat <https://crypto.cat/>, for the Internet
> > > > that seemed as easy to use as Facebook Chat but was presumably far more
> > > > secure.
> > > > Encrypted communications are hardly a new idea. Technologists wary of
> > > > government surveillance have been designing free encryption software
> > > > since the early 1990s <http://www.pgpi.org/doc/overview/>. Of course, no
> > > > tool is completely safe, and much depends on the capabilities of the
> > > > eavesdropper. But for decades digital safety tools have been so hard to
> > > > use that few human rights defenders and even fewer journalists (my best
> > > > guess is one in a 100) employ them.
> > > > Activist technologists often complain that journalists and human rights
> > > > defenders are either too lazy or foolish to not consistently use digital
> > > > safety tools when they are operating in hostile environments.
> > > > Journalists and many human rights activists, for their part, complain
> > > > that digital safety tools are too difficult or time-consuming to
> > > > operate, and, even if one tried to learn them, they often don't work as
> > > > expected.
> > > > Cryptocat promised
> > > > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
> > > > to finally bridge these two distinct cultures. Kobeissi was profiled
> > > > <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
> > > > in /The New York Times/; /Forbes/
> > > > <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/>
> > > > and especially /Wired/
> > > > <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
> > > > each praised the tool. But Cryptocat's sheen faded fast. Within three
> > > > months of winning a prize associated with /The Wall Street Journal/
> > > > <http://datatransparency.wsj.com/>, Cryptocat ended up like a cat caught
> > > > in storm--wet, dirty, and a little worse for wear. Analyst Christopher
> > > > Soghoian--who wrote a /Times/ op-ed last fall
> > > > <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html>
> > > > saying that journalists must learn digital safety skills to protect
> > > > sources--blogged that Cryptocat had far too many structural flaws
> > > > <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb>
> > > > for safe use in a repressive environment.
> > > > An expert writing in /Wired/ agreed. Responding to another /Wired/ piece
> > > > just weeks before, Patrick Ball said the prior author's admiration of
> > > > Cryptocat was "inaccurate, misleading andpotentially dangerous
> > > > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>."
> > > > Ball is one of the Silicon Valley-based nonprofit Benetech
> > > > <http://www.benetech.org/> developers ofMartus
> > > > <http://www.benetech.org/human_rights/martus.shtml>, an encrypted
> > > > database used by groups to secure information like witness testimony of
> > > > human rights abuses.
> > > > But unlike Martus, which uses its own software, Cryptocat is a
> > > > "host-based security" application that relies on servers to log in to
> > > > its software. And this kind of application makes Cryptocat potentially
> > > > vulnerable
> > > > <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/>
> > > > to manipulation through theft of login information--as everyone,
> > > > including Kobeissi, now seems to agree.
> > > > So we are back to where we started, to a degree. Other, older digital
> > > > safety tools are "a little harder to use, but their security is real,"
> > > > Ball added in /Wired/. Yet, in the real world, fromMexico
> > > > <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php>
> > > > to Ethiopia
> > > > <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>,
> > > > from Syria
> > > > <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php>
> > > > to Bahrain
> > > > <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>,
> > > > how many human rights activists, journalists, and others actually use
> > > > them? "The tools are just too hard to learn. They take too long to
> > > > learn. And no one's going to learn them," a journalist for a major U.S.
> > > > news organization recently told me.
> > > > Who will help bridge the gap? Information-freedom technologists clearly
> > > > don't build free, open-source tools to get rich. They're motivated by
> > > > the recognition one gets from building an exciting, important new tool.
> > > > (Kind of like journalists breaking a story.) Training people in the use
> > > > of security tools or making those tools easier to use doesn't bring the
> > > > same sort of credit.
> > > > Or financial support. Donors--in good part, U.S. government agencies
> > > > <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the
> > > > development of new tools rather than ongoing usability training and
> > > > development. But in doing so, technologists and donors are avoiding a
> > > > crucial question: Why aren't more people using security tools? These
> > > > days--20 years into what we now know as the Internet--usability testing
> > > > is key to every successful commercial online venture. Yet it is rarely
> > > > practiced in the Internet freedom community.
> > > > That may be changing. The anti-censorship circumvention tool Tor has
> > > > grown progressively easier to use, and donors and technologists are now
> > > > working to make it easier and faster still. Other tools, like Pretty
> > > > Good Privacy <http://www.pgpi.org/> or its slightly improved German
> > > > alternative <http://www.gnupg.org/>, still seem needlessly difficult to
> > > > operate. Partly because the emphasis is on open technology built by
> > > > volunteers, users are rarely if ever redirected how to get back on track
> > > > if they make a mistake or reach a dead end. This would be nearly
> > > > inconceivable today with any commercial application designed to help
> > > > users purchase a service or product.
> > > > Which brings us back to Cryptocat, the ever-so-easy tool that was not as
> > > > secure as it was once thought to be. For a time, the online debate among
> > > > technologists degenerated into thekind of vitriol
> > > > <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one
> > > > might expect to hear among, say, U.S. presidential campaigns. But wounds
> > > > have since healed and some critics are now working with Kobeissi to help
> > > > clean up and secure Cryptocat.
> > > > Life and death, prison and torture remain real outcomes
> > > > <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php>
> > > > for many users, and, as Ball noted in/Wired/, there are no security
> > > > shortcuts in hostile environments. But if tools remain too difficult for
> > > > people to use in real-life circumstances in which they are under duress,
> > > > then that is a security problem in itself.
> > > > The lesson of Cryptocat is that more learning and collaboration are
> > > > needed. Donors, journalists, and technologists can work together more
> > > > closely to bridge the gap between invention and use.
> > > > Frank Smyth is CPJ's senior adviser for journalist security. He has
> > > > reported on armed conflicts, organized crime, and human rights from
> > > > nations including El Salvador, Guatemala, Colombia, Cuba, Rwanda,
> > > > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and Iraq. Follow him on
> > > > Twitter @JournoSecurity <https://twitter.com/#!/JournoSecurity>.
> > > >
> > > >
> > > > *Tags:*
> > > >
> > > > * Cryptocat <http://www.cpj.org/tags/cryptocat>,
> > > > * Hacked <http://www.cpj.org/tags/hacked>,
> > > > * Internet <http://www.cpj.org/tags/internet>,
> > > > * Martus <http://www.cpj.org/tags/martus>,
> > > > * Nadim Kobeissi <http://www.cpj.org/tags/nadim-kobeissi>,
> > > > * Patrick Ball <http://www.cpj.org/tags/patrick-ball>,
> > > > * Pretty Good Privacy <http://www.cpj.org/tags/pretty-good-privacy>,
> > > > * Tor <http://www.cpj.org/tags/tor>
> > > >
> > > > September 11, 2012 12:12 PM ET
> > > >
> > > > Frank Smyth
> > > > Executive Director
> > > > Global Journalist Security
> > > > frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
> <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>>
> > > <mailto:frank at journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>
> > > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>
> > <http://mailto:frank@journalistsecurity.net
> <http://mailto:frank@journalistsecurity.net>>>>
> > > > Tel. + 1 202 244 0717
> > > > Cell + 1 202 352 1736
> > > > Twitter: @JournoSecurity
> > > > Website: www.journalistsecurity.net <http://www.journalistsecurity.net>
> <http://www.journalistsecurity.net>
> > <http://www.journalistsecurity.net>
> > > <http://www.journalistsecurity.net>
> > > > PGP Public Key <http://www.journalistsecurity.net/franks-pgp-public-key>
> > > >
> > > >
> > > > Please consider our Earth before printing this email.
> > > >
> > > > Confidentiality Notice: This email and any files transmitted with it are
> > > > confidential. If you have received this email in error, please notify
> > > > the sender and delete this message and any copies. If you are not the
> > > > intended recipient, you are notified that disclosing, copying,
> > > > distributing or taking any action in reliance on the contents of this
> > > > information is strictly prohibited.
> > > >
> > > >
> > > >
> > > > --
> > > > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > > >
> > > --
> > > Unsubscribe, change to digest, or change password at:
> > > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > >
> > >
> > >
> > > --
> > > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > >
> > --
> > Unsubscribe, change to digest, or change password at:
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> >
> >
> > --
> > Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
More information about the liberationtech
mailing list