[liberationtech] DecryptoCat

Nadim Kobeissi nadim at nadim.cc
Thu Jul 4 05:14:44 PDT 2013


Hello everyone,
I urge you to read our response at the Cryptocat Development Blog, which strongly clarifies the situation:

https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/

Thank you,
NK

On 2013-07-04, at 12:18 PM, Jens Christian Hillerup <jens at hillerup.net> wrote:

> On Thu, Jul 4, 2013 at 11:36 AM, KheOps <kheops at ceops.eu> wrote:
> Just came across this:
> http://tobtu.com/decryptocat.php
> 
> Eep!
> 
> It seems like the saying "given enough eyeballs, all bugs are shallow" has become obsolete, huh? Peer review is an integral part of developing secure cryptography implementations, but unfortunately this fundamentally crashes with the hacker mantra of "just do it". It's a shame that this project did not get this kind of attention until after people started relying on it---that could have saved a lot of people from a lot of shouting in any case.
> 
> So what do we do about this? Opening the source code as an argument for security no longer suffices. How can we raise money for rigid and independent quality assurance of software that in this case is designed to potentially save lives? And how can we make sure that this money flows into the fund and out to the QAers on a regular basis?
> 
> I don't know, sadly, but I'd love to discuss it.
> 
> JC
