[liberationtech] My CPJ blog: Lessons from the Cryptocat debate
Nadim Kobeissi
nadim at nadim.cc
Tue Sep 11 14:24:31 PDT 2012
I'm sorry, everyone. I'll try to not lose my temper; it's just that
after the n'th article misinterpreting Cryptocat it becomes hard not to.
I'd like to apologize for the heated conversation.
NK
On 9/11/2012 5:18 PM, Nadim Kobeissi wrote:
> Thanks, Brian. For my perspective, there's admittedly some frustration
> with my work being analyzed in the state it was in months ago,
> especially considering that the beta release for Cryptocat 2 is so
> close. This is not the first time my work has been covered in a
> non-satisfactory fashion and I wish people would contact me first/check
> out the Cryptocat blog/etc. to figure out some standing questions they
> may have.
>
> I respect your perspective and completely agree with it. I should be
> less frustrated.
>
> NK
>
> On 9/11/2012 5:04 PM, Brian Conley wrote:
>> Nadim,
>>
>> I'm quite confused about your frustration and your ire.
>>
>> Excluding the fact that the title references Cryptocat, the main focus
>> of the blogpost is restated in the conclusion:
>>
>> "The lesson of Cryptocat is that more learning and collaboration are
>> needed. Donors, journalists, and technologists can work together more
>> closely to bridge the gap between invention and use."
>>
>> It's not about whether or not Cryptocat is a good or useful tool, Frank
>> is using Cryptocat as a device to initiate discussion about this: "These
>> days--20 years into what we now know as the Internet--usability testing
>> is key to every successful commercial online venture. Yet it is rarely
>> practiced in the Internet freedom community."
>>
>> Would you really disagree?
>>
>> Secondly, I guess its possible that I'm the only one ignorant of this,
>> but I can't recall *ever* hearing of @innonews and a quick reference
>> shows that they have 61 followers, one might consider them to be
>> leveraging "trolling" to generate traffic.
>>
>> Thirdly, people will stop taking you seriously if you can't take
>> yourself seriously enough to ignore criticism and learn only from
>> critiques. A critique is where someone looks at your work and offers
>> nuanced suggestions as to what you might do differently, critics
>> themselves are often simply self-aggrandizing. Most of what I have read
>> in the media criticizing Cryptocat has been just that, criticism and
>> self-aggrandizement.
>>
>> It was great to meet in person, and I look forward to seeing what you
>> come up with. I for one am quite excited and inspired by your efforts,
>> and look forward to what you come up with next.
>>
>> Brian
>>
>>
>> On Tue, Sep 11, 2012 at 12:53 PM, Nadim Kobeissi <nadim at nadim.cc
>> <mailto:nadim at nadim.cc>> wrote:
>>
>> Thanks, Frank. I hope I'll never be in the position where I have to
>> resort to your blog in order to make my case to a wider audience.
>>
>> NK
>>
>> On 9/11/2012 3:51 PM, frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net> wrote:
>> > I do not pretend to know something about security technology.
>> > I do know something about journalists and human rights defenders
>> at risk.
>> >
>> > What is needed is a constructive dialogue between our two communities.
>> > In that regard it is unfortunate that you have declined CPJ's offer to
>> > write your own piece for CPJ in response to, or notwithstanding
>> mine. It
>> > would give you the opportunity to make your case to a much wider
>> > audience. The issues are much bigger and more important than
>> either of us.
>> >
>> > Frank Smyth
>> > Executive Director
>> > Global Journalist Security
>> > frank at journalistsecurity.net <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > Tel. + 1 202 244 0717 <tel:%2B%201%20202%20244%200717>
>> > Cell + 1 202 352 1736 <tel:%2B%201%20202%20352%201736>
>> > Twitter: @JournoSecurity
>> > Website: www.journalistsecurity.net
>> <http://www.journalistsecurity.net> <http://www.journalistsecurity.net>
>> > PGP Public Key
>> <http://www.journalistsecurity.net/franks-pgp-public-key>
>> >
>> >
>> > Please consider our Earth before printing this email.
>> >
>> > Confidentiality Notice: This email and any files transmitted with
>> it are
>> > confidential. If you have received this email in error, please notify
>> > the sender and delete this message and any copies. If you are not the
>> > intended recipient, you are notified that disclosing, copying,
>> > distributing or taking any action in reliance on the contents of this
>> > information is strictly prohibited.
>> >
>> >
>> >
>> > -------- Original Message --------
>> > Subject: Re: [liberationtech] My CPJ blog: Lessons from the
>> Cryptocat
>> > debate
>> > From: Nadim Kobeissi <nadim at nadim.cc <mailto:nadim at nadim.cc
>> <mailto:nadim at nadim.cc>>>
>> > Date: Tue, September 11, 2012 3:39 pm
>> > To: liberationtech <liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>>>
>> >
>> >
>> > I don't have time for a wall of text. Long story short: if
>> @ionnonews
>> > "misinterpreted" your article, it's because your article is
>> horribly
>> > open to misinterpretation. I interpreted your article
>> similarly to them
>> > and am sure most people did.
>> >
>> > I'm so sick of having to deal with horrible coverage of my
>> work. First
>> > Wired, then Wired (again,) then this. Really, the most
>> sensible person
>> > has been Chris Soghoian, even though he's been harsh. At least
>> he checks
>> > his facts, is constructive and isn't just a pretentious nobody
>> > pretending to know something about security.
>> >
>> > NK
>> >
>> > On 9/11/2012 3:07 PM, frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>> wrote:
>> > > Nadim,
>> > >
>> > > I read about the browser plug-in being added nearly two
>> months, as you
>> > > state, in Forbes on July 30.
>> > >
>> http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/
>> >
>> > > Yet it was a month and six weeks later, respectively, when
>> Chris and
>> > > Patrick each wrote their critiques in response to the first
>> Wired
>> > > piece. I also read your exchange with Patrick some weeks
>> ago, and I have
>> > > spoken to Patrick, albeit before he wrote his piece in Wired.
>> > >
>> > > What I have not read here or elsewhere is anything
>> indicating that there
>> > > is now a consensus that Crypocat has been fixed. (And that
>> is essential
>> > > for me and CPJ, as I explain below.) Instead I reflected
>> what I think is
>> > > accurate; that you are others are still working to make sure
>> it is
>> > > secure. I think most readers would conclude that I have
>> faith that it is
>> > > being secured. And this is quite different from what @innonews
>> > > erroneously tweeted that I and CPJ said that Cryptocat is
>> unsafe.
>> > >
>> > > If anything, Nadim, I was responding to Patrick for ending
>> his article
>> > > and seemingly the conversation by saying that PGP and
>> Pidgin/OTR are
>> > > harder to user but they are really secure. My point (Patrick
>> and I have
>> > > been having this discussion for over a decade) is that these
>> tools'
>> > > relative lack of usability still keeps them out of the reach
>> of people
>> > > who really do need to use them. And my point in the piece is
>> that
>> > > everyone who cares about human rights should care more about
>> usability.
>> > >
>> > > I also gave you credit here, and I think, in the piece, for
>> finally
>> > > making a tool that really achieves usability.
>> > >
>> > > Please know, too, none of this is abstract for me. In May,
>> as I told you
>> > > a few weeks later at Google, I trained a group of investigative
>> > > journalists in El Salvador and from Peru in May in how to
>> use Cryptocat,
>> > > as I was convinced it was safe. (Also telling them no one
>> tool is ever
>> > > completely safe.) After Chris' piece, I found myself
>> unexpectedly
>> > > telling the same journalists that Cryptocat had
>> vulnerabilities that I,
>> > > for one, as a non-technologist, was not aware of before. I
>> sent them
>> > > Chris' piece, and told them that, if they wish to continue using
>> > > Cryptocat, they should do so with caution.
>> > >
>> > > For me, and for CPJ, the decision to recommend a tool is a
>> weighty one.
>> > > It would be irresponsible to recommend a tool to journalists
>> unless
>> > > there is a clear consensus within this community that the
>> tool is safe.
>> > > I thought there was a consensus before. I then learned that
>> there was
>> > > not one. And then I wrote what I think is accurate; there is
>> now a
>> > > consensus that whatever vulnerabilities Cryptocat did have
>> before are
>> > > now in the process of being fixed.
>> > >
>> > > To be clear where we disagree. I did not say that CPJ is now
>> verifying
>> > > Cryptocat is fixed and safe to use. As a non-technologist
>> that would
>> > > never be role.
>> > >
>> > > I realize that you see the piece as an attack on Crypocat.
>> It was not
>> > > meant to be and I do not think most readers, who are not
>> technologists,
>> > > of CPJ's blog will see it that way, either. It was meant as
>> a call for
>> > > more usability, using Cryptocat, in fact, as a model.
>> > >
>> > > Frank
>> > >
>> > > Frank Smyth
>> > > Executive Director
>> > > Global Journalist Security
>> > > frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > Tel. + 1 202 244 0717 <tel:%2B%201%20202%20244%200717>
>> > > Cell + 1 202 352 1736 <tel:%2B%201%20202%20352%201736>
>> > > Twitter: @JournoSecurity
>> > > Website: www.journalistsecurity.net
>> <http://www.journalistsecurity.net> <http://www.journalistsecurity.net>
>> > <http://www.journalistsecurity.net>
>> > > PGP Public Key
>> <http://www.journalistsecurity.net/franks-pgp-public-key>
>> > >
>> > >
>> > > Please consider our Earth before printing this email.
>> > >
>> > > Confidentiality Notice: This email and any files transmitted
>> with it are
>> > > confidential. If you have received this email in error,
>> please notify
>> > > the sender and delete this message and any copies. If you
>> are not the
>> > > intended recipient, you are notified that disclosing, copying,
>> > > distributing or taking any action in reliance on the
>> contents of this
>> > > information is strictly prohibited.
>> > >
>> > >
>> > >
>> > > -------- Original Message --------
>> > > Subject: Re: [liberationtech] My CPJ blog: Lessons from
>> the Cryptocat
>> > > debate
>> > > From: Nadim Kobeissi <nadim at nadim.cc
>> <http://nadim@nadim.cc> ><mailto:nadim at nadim.cc <mailto:nadim at nadim.cc>
>> > <http://nadim@nadim.cc>>>
>> > > Date: Tue, September 11, 2012 1:34 pm
>> > > To: liberationtech <liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>>
>> > > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <http://mailto:liberationtech@lists.stanford.edu>>>
>> > >
>> > >
>> > > Frank,
>> > > Please, tell me more about how your allusion at the end
>> of your post
>> > > absolves you of the culpability of fact-checking!
>> > >
>> > > Furthermore, I have confirmed with Chris concerning the
>> browser plugin
>> > > issue when I met him last week in D.C., while Patrick
>> Ball and I had an
>> > > exchange that was posted on libtech weeks ago under the
>> > > migraine-inducing "What I learned from Cryptocat" thread.
>> > >
>> > > Did you even ask Chris or Patrick about the browser
>> plugin platform?
>> > > I'll eat a shoe if you did. I've been working for weeks
>> on this and it's
>> > > people like you who just make me feel like all my effort
>> is completely
>> > > worthless.
>> > >
>> > > NK
>> > >
>> > > On 9/11/2012 1:24 PM, frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>> wrote:
>> > > > Nadim,
>> > > >
>> > > > Toward the end of the piece, I said: some critics are
>> now working with
>> > > > Kobeissi to help clean up and secureCryptocat.
>> > > >
>> > > > What you are saying is that Cryptocat is now a
>> browser-plugin only
>> > > > application, and that therefore, if I understand your
>> point, the
>> > > > vulnerabilities alluded to by Chris and now Patrick
>> are now all fixed.
>> > > >
>> > > > Are they? If they are, I have not yet read
>> confirmation that they are
>> > > > from others in this community. I'd welcome any input here.
>> > > >
>> > > > And, Nadim, I have and continue to support you for
>> finally building a
>> > > > truly user-friendly tool. We need tools that are both
>> secure and
>> > > > easier-to-use, and that was the point of the piece.
>> > > >
>> > > > Frank
>> > > >
>> > > >
>> > > >
>> > > > Frank Smyth
>> > > > Executive Director
>> > > > Global Journalist Security
>> > > > frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>>
>> > > > Tel. + 1 202 244 0717 <tel:%2B%201%20202%20244%200717>
>> > > > Cell + 1 202 352 1736 <tel:%2B%201%20202%20352%201736>
>> > > > Twitter: @JournoSecurity
>> > > > Website: www.journalistsecurity.net
>> <http://www.journalistsecurity.net> <http://www.journalistsecurity.net>
>> > <http://www.journalistsecurity.net>
>> > > <http://www.journalistsecurity.net>
>> > > > PGP Public Key
>> <http://www.journalistsecurity.net/franks-pgp-public-key>
>> > > >
>> > > >
>> > > > Please consider our Earth before printing this email.
>> > > >
>> > > > Confidentiality Notice: This email and any files
>> transmitted with it are
>> > > > confidential. If you have received this email in
>> error, please notify
>> > > > the sender and delete this message and any copies. If
>> you are not the
>> > > > intended recipient, you are notified that disclosing,
>> copying,
>> > > > distributing or taking any action in reliance on the
>> contents of this
>> > > > information is strictly prohibited.
>> > > >
>> > > >
>> > > >
>> > > > -------- Original Message --------
>> > > > Subject: Re: [liberationtech] My CPJ blog: Lessons
>> from the Cryptocat
>> > > > debate
>> > > > From: Nadim Kobeissi <nadim at nadim.cc
>> <http://nadim@nadim.cc> ><http://nadim@nadim.cc
>> > <http://nadim@nadim.cc>> ><mailto:nadim at nadim.cc
>> <mailto:nadim at nadim.cc> <http://nadim@nadim.cc>
>> > > <http://nadim@nadim.cc <http://nadim@nadim.cc>>>>
>> > > > Date: Tue, September 11, 2012 1:14 pm
>> > > > To: liberationtech
>> <liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>>
>> > > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <http://mailto:liberationtech@lists.stanford.edu>>
>> > > > <mailto:liberationtech at lists.stanford.edu
>> <mailto:liberationtech at lists.stanford.edu>
>> > <http://mailto:liberationtech@lists.stanford.edu>
>> > > <http://mailto:liberationtech@lists.stanford.edu
>> > <http://mailto:liberationtech@lists.stanford.edu>>>>
>> > > >
>> > > >
>> > > > I can't even-
>> > > >
>> > > > Frank sent me this article about 15 minutes ago
>> and I answered with the
>> > > > notion that Cryptocat has been a browser-plugin
>> only app for more than a
>> > > > month, and that his article is just incredibly
>> ignorant and frustrating
>> > > > as a result of it ignoring that.
>> > > >
>> > > > Relevant links:
>> > > >
>> https://blog.crypto.cat/2012/08/moving-to-a-browser-app-model/
>> > > >
>> https://blog.crypto.cat/2012/09/cryptocat-2-demo-video-posted/
>> > > >
>> > > > Excuse me while I now go waterboard myself,
>> > > > NK
>> > > >
>> > > > On 9/11/2012 1:07 PM, frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>> wrote:
>> > > > > Hi everybody,
>> > > > >
>> > > > > Below is my CPJ blog on the Cryptocat debate. It
>> makes some of the same
>> > > > > points that I already made here a few weeks ago.
>> And please know that my
>> > > > > intent is to help work toward a solution in
>> terms of bridging invention
>> > > > > and usability. I know there are different views,
>> and I have already
>> > > > > heard some. Please feel free to respond. (If you
>> wish you may wish to
>> > > > > copy me at frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>>
>> > > > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>>> to avoid me
>> missing
>> > > > your note
>> > > > > among others.)
>> > > > >
>> > > > > Thank you! Best, Frank
>> > > > >
>> > > > >
>> http://www.cpj.org/security/2012/09/in-cryptocat-lessons-for-technologists-and-journal.php
>> > > >
>> > > > >
>> > > > >
>> > > > > *In Cryptocat, lessons for technologists and
>> journalists*
>> > > > >
>> > > > > By Frank Smyth/Senior Adviser for Journalist
>> Security
>> > > > > <http://www.cpj.org/blog/author/frank-smyth>
>> > > > > /Alhamdulillah! /Finally, a technologist
>> designed a security tool that
>> > > > > everyone could use. A Lebanese-born,
>> Montreal-based computer scientist,
>> > > > > college student, and activist named Nadim
>> Kobeissi had developed a
>> > > > > cryptography tool, Cryptocat
>> <https://crypto.cat/>, for the Internet
>> > > > > that seemed as easy to use as Facebook Chat but
>> was presumably far more
>> > > > > secure.
>> > > > > Encrypted communications are hardly a new idea.
>> Technologists wary of
>> > > > > government surveillance have been designing free
>> encryption software
>> > > > > since the early 1990s
>> <http://www.pgpi.org/doc/overview/>. Of course, no
>> > > > > tool is completely safe, and much depends on the
>> capabilities of the
>> > > > > eavesdropper. But for decades digital safety
>> tools have been so hard to
>> > > > > use that few human rights defenders and even
>> fewer journalists (my best
>> > > > > guess is one in a 100) employ them.
>> > > > > Activist technologists often complain that
>> journalists and human rights
>> > > > > defenders are either too lazy or foolish to not
>> consistently use digital
>> > > > > safety tools when they are operating in hostile
>> environments.
>> > > > > Journalists and many human rights activists, for
>> their part, complain
>> > > > > that digital safety tools are too difficult or
>> time-consuming to
>> > > > > operate, and, even if one tried to learn them,
>> they often don't work as
>> > > > > expected.
>> > > > > Cryptocat promised
>> > > > >
>> <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>> > > > > to finally bridge these two distinct cultures.
>> Kobeissi was profiled
>> > > > >
>> <http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
>> > > > > in /The New York Times/; /Forbes/
>> > > > >
>> <http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/>
>> > > > > and especially /Wired/
>> > > > >
>> <http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all>
>> > > > > each praised the tool. But Cryptocat's sheen
>> faded fast. Within three
>> > > > > months of winning a prize associated with /The
>> Wall Street Journal/
>> > > > > <http://datatransparency.wsj.com/>, Cryptocat
>> ended up like a cat caught
>> > > > > in storm--wet, dirty, and a little worse for
>> wear. Analyst Christopher
>> > > > > Soghoian--who wrote a /Times/ op-ed last fall
>> > > > >
>> <http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html>
>> > > > > saying that journalists must learn digital
>> safety skills to protect
>> > > > > sources--blogged that Cryptocat had far too many
>> structural flaws
>> > > > >
>> <http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=AroundWeb>
>> > > > > for safe use in a repressive environment.
>> > > > > An expert writing in /Wired/ agreed. Responding
>> to another /Wired/ piece
>> > > > > just weeks before, Patrick Ball said the prior
>> author's admiration of
>> > > > > Cryptocat was "inaccurate, misleading
>> andpotentially dangerous
>> > > > >
>> <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/2/>."
>> > > > > Ball is one of the Silicon Valley-based
>> nonprofit Benetech
>> > > > > <http://www.benetech.org/> developers ofMartus
>> > > > >
>> <http://www.benetech.org/human_rights/martus.shtml>, an encrypted
>> > > > > database used by groups to secure information
>> like witness testimony of
>> > > > > human rights abuses.
>> > > > > But unlike Martus, which uses its own software,
>> Cryptocat is a
>> > > > > "host-based security" application that relies on
>> servers to log in to
>> > > > > its software. And this kind of application makes
>> Cryptocat potentially
>> > > > > vulnerable
>> > > > >
>> <http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/>
>> > > > > to manipulation through theft of login
>> information--as everyone,
>> > > > > including Kobeissi, now seems to agree.
>> > > > > So we are back to where we started, to a degree.
>> Other, older digital
>> > > > > safety tools are "a little harder to use, but
>> their security is real,"
>> > > > > Ball added in /Wired/. Yet, in the real world,
>> fromMexico
>> > > > >
>> <http://www.cpj.org/blog/2011/09/mexican-murder-may-mark-grim-watershed-for-social.php>
>> > > > > to Ethiopia
>> > > > >
>> <http://www.cpj.org/2012/07/ethiopia-sentences-eskinder-six-others-on-terror-c.php>,
>> > > > > from Syria
>> > > > >
>> <http://www.cpj.org/security/2012/05/dont-get-your-sources-in-syria-killed.php>
>> > > > > to Bahrain
>> > > > >
>> <http://www.cpj.org/2012/09/bahrain-should-scrap-life-sentence-of-blogger-alsi.php>,
>> > > > > how many human rights activists, journalists,
>> and others actually use
>> > > > > them? "The tools are just too hard to learn.
>> They take too long to
>> > > > > learn. And no one's going to learn them," a
>> journalist for a major U.S.
>> > > > > news organization recently told me.
>> > > > > Who will help bridge the gap?
>> Information-freedom technologists clearly
>> > > > > don't build free, open-source tools to get rich.
>> They're motivated by
>> > > > > the recognition one gets from building an
>> exciting, important new tool.
>> > > > > (Kind of like journalists breaking a story.)
>> Training people in the use
>> > > > > of security tools or making those tools easier
>> to use doesn't bring the
>> > > > > same sort of credit.
>> > > > > Or financial support. Donors--in good part, U.S.
>> government agencies
>> > > > >
>> <http://www.fas.org/sgp/crs/row/R41120.pdf>--tend to back the
>> > > > > development of new tools rather than ongoing
>> usability training and
>> > > > > development. But in doing so, technologists and
>> donors are avoiding a
>> > > > > crucial question: Why aren't more people using
>> security tools? These
>> > > > > days--20 years into what we now know as the
>> Internet--usability testing
>> > > > > is key to every successful commercial online
>> venture. Yet it is rarely
>> > > > > practiced in the Internet freedom community.
>> > > > > That may be changing. The anti-censorship
>> circumvention tool Tor has
>> > > > > grown progressively easier to use, and donors
>> and technologists are now
>> > > > > working to make it easier and faster still.
>> Other tools, like Pretty
>> > > > > Good Privacy <http://www.pgpi.org/> or its
>> slightly improved German
>> > > > > alternative <http://www.gnupg.org/>, still seem
>> needlessly difficult to
>> > > > > operate. Partly because the emphasis is on open
>> technology built by
>> > > > > volunteers, users are rarely if ever redirected
>> how to get back on track
>> > > > > if they make a mistake or reach a dead end. This
>> would be nearly
>> > > > > inconceivable today with any commercial
>> application designed to help
>> > > > > users purchase a service or product.
>> > > > > Which brings us back to Cryptocat, the
>> ever-so-easy tool that was not as
>> > > > > secure as it was once thought to be. For a time,
>> the online debate among
>> > > > > technologists degenerated into thekind of vitriol
>> > > > >
>> <http://www.wired.com/threatlevel/2012/08/security-researchers/all/> one
>> > > > > might expect to hear among, say, U.S.
>> presidential campaigns. But wounds
>> > > > > have since healed and some critics are now
>> working with Kobeissi to help
>> > > > > clean up and secure Cryptocat.
>> > > > > Life and death, prison and torture remain real
>> outcomes
>> > > > >
>> <http://www.cpj.org/reports/2011/12/journalist-imprisonments-jump-worldwide-and-iran-i.php>
>> > > > > for many users, and, as Ball noted in/Wired/,
>> there are no security
>> > > > > shortcuts in hostile environments. But if tools
>> remain too difficult for
>> > > > > people to use in real-life circumstances in
>> which they are under duress,
>> > > > > then that is a security problem in itself.
>> > > > > The lesson of Cryptocat is that more learning
>> and collaboration are
>> > > > > needed. Donors, journalists, and technologists
>> can work together more
>> > > > > closely to bridge the gap between invention and use.
>> > > > > Frank Smyth is CPJ's senior adviser for
>> journalist security. He has
>> > > > > reported on armed conflicts, organized crime,
>> and human rights from
>> > > > > nations including El Salvador, Guatemala,
>> Colombia, Cuba, Rwanda,
>> > > > > Uganda, Eritrea, Ethiopia, Sudan, Jordan, and
>> Iraq. Follow him on
>> > > > > Twitter @JournoSecurity
>> <https://twitter.com/#!/JournoSecurity>.
>> > > > >
>> > > > >
>> > > > > *Tags:*
>> > > > >
>> > > > > * Cryptocat <http://www.cpj.org/tags/cryptocat>,
>> > > > > * Hacked <http://www.cpj.org/tags/hacked>,
>> > > > > * Internet <http://www.cpj.org/tags/internet>,
>> > > > > * Martus <http://www.cpj.org/tags/martus>,
>> > > > > * Nadim Kobeissi
>> <http://www.cpj.org/tags/nadim-kobeissi>,
>> > > > > * Patrick Ball
>> <http://www.cpj.org/tags/patrick-ball>,
>> > > > > * Pretty Good Privacy
>> <http://www.cpj.org/tags/pretty-good-privacy>,
>> > > > > * Tor <http://www.cpj.org/tags/tor>
>> > > > >
>> > > > > September 11, 2012 12:12 PM ET
>> > > > >
>> > > > > Frank Smyth
>> > > > > Executive Director
>> > > > > Global Journalist Security
>> > > > > frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>>
>> > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>>
>> > > > <mailto:frank at journalistsecurity.net
>> <mailto:frank at journalistsecurity.net>
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>
>> > > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>
>> > > <http://mailto:frank@journalistsecurity.net
>> > <http://mailto:frank@journalistsecurity.net>>>>
>> > > > > Tel. + 1 202 244 0717
>> <tel:%2B%201%20202%20244%200717>
>> > > > > Cell + 1 202 352 1736
>> <tel:%2B%201%20202%20352%201736>
>> > > > > Twitter: @JournoSecurity
>> > > > > Website: www.journalistsecurity.net
>> <http://www.journalistsecurity.net> <http://www.journalistsecurity.net>
>> > <http://www.journalistsecurity.net>
>> > > <http://www.journalistsecurity.net>
>> > > > <http://www.journalistsecurity.net>
>> > > > > PGP Public Key
>> <http://www.journalistsecurity.net/franks-pgp-public-key>
>> > > > >
>> > > > >
>> > > > > Please consider our Earth before printing this
>> email.
>> > > > >
>> > > > > Confidentiality Notice: This email and any files
>> transmitted with it are
>> > > > > confidential. If you have received this email in
>> error, please notify
>> > > > > the sender and delete this message and any
>> copies. If you are not the
>> > > > > intended recipient, you are notified that
>> disclosing, copying,
>> > > > > distributing or taking any action in reliance on
>> the contents of this
>> > > > > information is strictly prohibited.
>> > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > > Unsubscribe, change to digest, or change
>> password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> > > > >
>> > > > --
>> > > > Unsubscribe, change to digest, or change password at:
>> > > >
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > > Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> > > >
>> > > --
>> > > Unsubscribe, change to digest, or change password at:
>> > > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> > >
>> > >
>> > >
>> > > --
>> > > Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> > >
>> > --
>> > Unsubscribe, change to digest, or change password at:
>> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >
>> >
>> >
>> > --
>> > Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>>
>>
>> --
>>
>>
>>
>> Brian Conley
>>
>> Director, Small World News
>>
>> http://smallworldnews.tv <http://smallworldnews.tv/>
>>
>> m: 646.285.2046
>>
>> Skype: brianjoelconley
>>
>> public
>> key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCEEF938A1DBDD587 <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0>
>>
>>
>>
>>
>> --
>> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
More information about the liberationtech
mailing list