[liberationtech] Cryptography super-group creates unbreakable encryption
Nadim Kobeissi
nadim at nadim.cc
Fri Feb 15 14:01:32 PST 2013
On Fri, Feb 15, 2013 at 4:35 PM, Adam Fisk <afisk at bravenewsoftware.org> wrote:
> I'm certainly more confident in the overall security of silent circle in
> its first release than I was in the overall security of cryptocat.
>
Of course this is true. The first release of Cryptocat was made in early
2011 by me back when I was in my second year of university and only barely
beginning to understand proper programming and security practice. It was an
experimental product full of holes and by no means secure. The first
release of Silent Circle was by a team of superheroes with 25 years of
experience in being totally badass. Big difference!
That isn't how I am arguing that open source = more real security. I am
arguing that open source enhances a project's capacity to iterate towards
better security. Of course, the starting points are always different. Sure,
if you're an industry godfather with a bajillion dollars, your first
product is going to be a lot better than a then-20-year-old living on noodles.
But when your model is closed-source, you're not participating in
reviewable, verifiable security practice and you're negatively affecting
the practical cryptography industry as a whole. Look at Cryptocat — it
progressed from a toy into a real product that I'm proud of, and that fully
passed a security audit with a 100/100 score just last week
(https://blog.crypto.cat/2013/02/cryptocat-passes-security-audit-with-flying-colors/)
after two years of hard work, restructuring and redesigning the whole
thing, and getting alternately beaten up and helped by experts in the
field. This would have *never* happened had we not been open source from
the beginning.
Being open source is a painful but necessary process. It invites criticism,
bone-breaking and having to admit bad design, apologize for your mistakes
and work hard on fixing them. But only through that process do you create
something great that benefits the security community by offering
opportunities to learn. Sure, Silent Circle started off as a good product,
but by being closed-source they disregard the proper practice of what makes
this industry progress in terms of engineering, and they cast a shadow of
uncertainty and closed progress upon themselves, too.
>
> -Adam
>
>
> On Wednesday, February 6, 2013, Nadim Kobeissi wrote:
>
>> What I'm trying to point out is that Silent Circle can call itself a
>> super-group creating unbreakable encryption, market closed-source software
>> towards activists, and some experts will still speak out for
>> them favourably.
>>
>>
>> NK
>>
>>
>> On Wed, Feb 6, 2013 at 11:21 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>>
>>> C'mon Nadim, that's a bit of a cheap shot, no? Do you disagree
>>> fundamentally with anything he said there?
>>>
>>> Brian
>>>
>>> On Feb 6, 2013, at 19:56, Nadim Kobeissi <nadim at nadim.cc> wrote:
>>>
>>> Chris Soghoian gives Silent Circle's unbreakable encryption an entire
>>> article's worth of lip service here, it must be really unbreakable:
>>>
>>> http://www.theverge.com/2013/2/6/3950664/phil-zimmermann-wants-to-save-you-from-your-phone
>>>
>>>
>>> NK
>>>
>>>
>>> On Wed, Feb 6, 2013 at 10:49 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>>>
>>>> I heard they have a super secret crypto clubhouse in the belly of an
>>>> extinct volcano.
>>>>
>>>> Other rumors suggest they built their lab in the liberated tunnels
>>>> beneath bin Laden's secret lair in Pakistan...
>>>>
>>>> Sent from my iPad
>>>>
>>>> On Feb 6, 2013, at 19:42, Nadim Kobeissi <nadim at nadim.cc> wrote:
>>>>
>>>> Actual headline.
>>>>
>>>>
>>>> http://www.extremetech.com/mobile/147714-cryptography-super-group-creates-unbreakable-encryption-designed-for-mass-market
>>>>
>>>>
>>>> NK
>>>>
>>>> --
>>>> Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>
>>>
>>
>>
>
> --
> Sent from Gmail Mobile