[liberationtech] DecryptoCat
Nadim Kobeissi
nadim at nadim.cc
Mon Jul 8 04:02:24 PDT 2013
On 2013-07-08, at 12:13 PM, Ralph Holz <holz at net.in.tum.de> wrote:
> Hi Tom,
>
>> If you think this bug could never happen to you or your favorite pet
>> project; if you think there's nothing you can learn from this incident
>> - you haven't thought hard enough about ways it could have been
>> prevented, and thus how you can prevent bugs in your own codebase.
>
> Amen to that.
>
> Thanks for the write-up; it was my feeling, too, that too many people
> have been uttering very sharp criticism in this particular case, and
> that wasn't helping anyone.
>
> There are projects that don't get nearly as much coverage but have a
> very poor security record. I personally know programmers with a hell of
> a global reputation whose code contained bugs found by peers. We should
> keep things in perspective.
Thanks a lot for this kind call for perspective.
The fact remains that we messed up. But I'm sticking to the project and I am certain that we will mess up less and less, and evolve. It took exemplary projects like Tor and PGP ten+ years to reach the reputable status they're in today (where, mind you, critical bugs still happen!) — it may take us even longer. But the goals are too important to give up. We're in a situation where accessibility has failed to evolve precisely because you're largely barren from taking risks. A license to take risks isn't a license to keep messing up, but it's still necessary to investigate real problems to which we haven't been able to find solutions as a community so far.
If a bug like this happens again in the future, I will follow the same procedure of complete transparency and hold myself fully accountable for it. All the same, I am redoubling my efforts to bring in more cryptographers and auditors to Cryptocat — this is what I just spent my weekend in Germany doing.
But quite frankly, for now, I really think I need a small vacation. :-p
NK
>
> Ralph
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
More information about the liberationtech
mailing list