Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes

Unknown Lamer posted 1 year,26 days | from the can't-catch-a-break dept.

Bug 83

alphadogg writes "The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not to trust their life with the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations." The bug report/merge request, and an analysis of the bug (although, in light of the Cryptocat's gracious response, overly acerbic and dismissive of the project).

cancel ×


Sorry! There are no comments related to the filter you selected.


Anonymous Coward | 1 year,26 days | (#44202055)

Not true !! You get owned for your nothingness !!

Why not use OTR? (2)

walshy007 (906710) | 1 year,26 days | (#44202081)

Why not just use OTR with pidgin? Supports any protocol you'd care to mention.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44202267)

Why not just use OTR with pidgin? Supports any protocol you'd care to mention.


Re:Why not use OTR? (1)

Anonymous Coward | 1 year,26 days | (#44202289)

Hmm... the one that works and isn't written by a bunch of monkeys, or the one that runs inside a web browser... oh such a tough decision.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44205573)

That sounds like a problem of Pidgins. Modern Javascript can do just about as much as any other stack these days. That's kind of the point of HTML5.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44202467)

Installing Pidgin is a large barrier for most people, and it doesn't run on iOS anyway.

Like it or not, the world is moving beyond the need to install apps locally, to web apps which don't need installation and run anywhere.

Re:Why not use OTR? (2)

hairyfeet (841228) | 1 year,26 days | (#44202505)

And you want to see why that is a BAD IDEA see above. With these "apps" like it or not you are giving control to a few major corps that have been repeatedly shown to work with the US government hand in glove so it really won't be hard for them to make sure only "backdoor equipped" or vulnerable to MITM apps are allowed.

This is why those that give a rat's ass about security and doesn't want everything they say or do to be public record really needs to stick with X86, leave the phones and tablets for directions and seeing what guy played third stringer on that movie you are watching. all this pushing "web and cloud" only crap does is give the corps and govs a datamining field day.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44202597)

Maybe, or maybe not, but it doesn't really matter because that ship has sailed.

Virtually nobody I know is willing to go through all the bother of installing Pidgin + OTR. In fact, most of them wouldn't even be capable of that. It's beyond their tech ability. That's true of the majority of people, which means that Pidgin + OTR is not even a possibility unless it becomes as easy to use as visiting a web site.

Most people I talk to aren't using x86 PCs. In 10 years, almost nobody will be.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44202855)

> Virtually nobody I know is willing to go through all the bother of installing Pidgin + OTR.

They probably aren't looking for encrypted communication to protect from a corrupt government or similar powers, because even the worst install procedure is better than being thrown into prison.

Re:Why not use OTR? (1)

SuperTechnoNerd (964528) | 1 year,26 days | (#44204399)

Screw the morons. Let them wallow in their stupidity..

Re:Why not use OTR? (1)

SuperTechnoNerd (964528) | 1 year,26 days | (#44204393)

I don't have any mod points at this time. Here are some virtual ones.
+5 +5 +5 +5
you hit the nail on the head. As least some one sees whats happening..

Re:Why not use OTR? (1)

hairyfeet (841228) | 1 year,26 days | (#44204657)

Thanks and they can have my X86 units when they are prying my cold dead hands from it!

And for the moronic AC that says "in 10 years nobody will be using X86" I have YET to see a God damned cell phone that can do ANY real work, all it is is tweets for twits and social shit, and every Foleo style crap they have come up with to shoehorn a phone or tablet into a tool to do actual work has been full of fail.

Personally I think if Ballmer doesn't get his fat,stupid,buzzword loving ass out of the big chair a Steve Jobs type is gonna come along and bitchslap the business away from his dumb ass,I really do. PCs are still selling nearly half a BILLION units a year, that is some damned good business yet the fat retard is trying to burn his own business to the ground in the hopes he can force people to pay Apple money for MSFT shit and that is NOT gonna happen, no way in hell.

So the time is right for somebody to do the exact same play Jobs did, take BSD, make an easy to use GUI, hell I'd try to buy E17 outright, or maybe come up with a KDE ripoff, and get together with the OEMs and undercut the fuck out of the fat moron,say $25 a copy. for a final insult talk to the WINE guys about slapping their emulator in there to cover some of the "must haves" while they talk to Valve and the other companies about porting to the new OS. You can tell the OEMs are REALLY tired of the fat idiot fucking them over, hell Acer has done everything but call him a fucking moron and ALL of the OEMs have come out saying Windows 8 is fucking stupid and you know Intel isn't gonna walk away from all that money and I doubt AMD is either, so it really wouldn't be hard for the OEMs to pull a "gang of nine" and cut MSFT right out of the game.

So if the retard wants to jerk off to a Surface running an appstore? let 'em, the OEMs are ripe for the taking and mark my words somebody is gonna see that business is worth having and take it away from the fat bastard. if they don't fire the idiot I predict MSFT will be where RIM is now by 2020, on the ropes and dying, and as long as somebody comes along to take the business I honestly won't care, I'll be happy to line my shelves with their product and give MSFT the same finger they have been giving us system builders.

Re:Why not use OTR? (0)

Anonymous Coward | 1 year,26 days | (#44204781)

You mean "the sheep are being led away from local apps, and gleefully surrendering control of their data to central authorities."

Just because a lot of people are too stupid to think for themselves anymore doesn't mean that all of this cloud faggotry is a good thing.

Re: Why not use OTR? (0)

Anonymous Coward | 1 year,25 days | (#44209199)

Repliers here have the idea that all you need is a browser. Cryptocat is a browser plugin. In iOS you can't even add duckduckgo as a search engine to the browser.

Nothing overly dismissive there (5, Insightful)

Anonymous Coward | 1 year,26 days | (#44202089)

This bug and the history of it point to the cryptocat people being utterly incompetent. It's perfectly possible that they did what they did with the best of intentions and that they reacted as well as they could - that does not change one iota about them being incompetent and that you better don't trust the work of incompetent engineers. It's nice that that civil engineer did not intend to kill anyone and that she helped in rescuing people, but still her incompetence is what caused the bridge to collapse and what makes it reasonable to be suspicious of the other bridges she's responsible for.

Re:Nothing overly dismissive there (0, Insightful)

Anonymous Coward | 1 year,26 days | (#44202151)

I somewhat suspect that, at this point, they're more competent than you in the matter. They have experience.

It beats sitting on your ass doing nothing.

Re:Nothing overly dismissive there (0, Insightful)

Anonymous Coward | 1 year,26 days | (#44202249)

I like how some idiot with mod point modded your appeal to accomplishment up.

When you want to add a new wing to your house and neighbour says "Hey, the architect you hired is utterly incompetent and nothing he built stands longer than a year", I hope you'll stick to your principles and dismiss him with "At this point he's more competent than you, and you haven't even built a shed in your life".

Re:Nothing overly dismissive there (1)

gl4ss (559668) | 1 year,26 days | (#44202329)

I somewhat suspect that, at this point, they're more competent than you in the matter. They have experience.

It beats sitting on your ass doing nothing.

they might not. after all they named their project so that I thought it's something like netcat with crypto.

it's very web 2.5 though.

Re:Nothing overly dismissive there (2)

gweihir (88907) | 1 year,26 days | (#44204615)

That is not how it works. Designing and implementing crypto correctly requires _understanding_. A test-and-fix approach where somebody else has found the issue, gives you exactly nothing. Experience can help in debugging, but crypto implementation security is not a problem where debugging skills help at all. The problem is that the software fulfills all its functional requirements, i.e. it works. That it can easily be attacked does not cause any crashes or problems that the developer or users can notice when using the software and hence the experience they made is largely useless.

Re:Nothing overly dismissive there (-1)

Anonymous Coward | 1 year,26 days | (#44202179)

Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?

Re:Nothing overly dismissive there (2, Insightful)

Anonymous Coward | 1 year,26 days | (#44202255)

Writing crypto apps that manage to use a string of digits as the key instead of the number it represents doesn't contribute to cryptography anything either - if only a lesson "why non-experts shouldn't do cryptography".

You're probably great cook, architect, furniture builder and shoemaker - or you're always keeping quiet about burnt food, leaky roofs, uncomfortable chairs and too tight shoes, right?

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44203067)

Is that you, Jacob?

I follow you on Twitter. Not a stalker or anything, just a fan. *wink*

Just a thing I'd like you to know: Nassim is young, and he may not yet have developed the full ability to process criticism properly, hostile or not. He's one of those people who will shut out completely to fully legitimate feedback when there's a remote possibility to interpret the feedback as a personal attack. I recommend to be more delicate with him.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44203927)

> He's one of those people who will shut out completely to fully legitimate feedback when there's a remote possibility to interpret the feedback as a personal attack.

Such a person has absolutely no business in cryptography.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,26 days | (#44204637)

Indeed. Security, and in particular crypto, is different. Experience is of limited value, what is needed is understanding. One problem is that testing is completely useless to find security problems in crypto. Most developers today rely on testing as primary quality analysis tool, and it does not cut it for crypto.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44205197)

"non-experts shouldn't do cryptography".

What are we gonna do when the current bunch of experts die off then? Learning is a process, everyone starts off a noob doing stupid shit. Some of them remain so, others improve.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44205247)

Learning is a process, everyone starts off a noob doing stupid shit.

Yes, but one would prefer that they didn't publish "security" software for other people to use.

Re:Nothing overly dismissive there (4, Insightful)

rtfa-troll (1340807) | 1 year,26 days | (#44202261)

Go blow it out your ass, you smug little prick. What have you contributed to cryptography that is so great and awesome?

Probably.. nothing. And that's exactly the point. By contributing nothing he has put nobody's life in danger. Crypto systems are essentially security and safety systems which have to work right. When they are done wrong people think they are safe and take risks they would not take otherwise.

Re:Nothing overly dismissive there (1)

Intrepid imaginaut (1970940) | 1 year,26 days | (#44202535)

They do make that clear on their website however.

For myself I'm waiting on peer to peer encrypted chat. That's where things get interesting.

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,26 days | (#44202897)

I am waiting for a peer-to-peer email replacement that solves the issue of trusting companies and data centers on storing and transferring messages.

A few years ago I wrote a peer-to-peer chat application (used an existing java library) for a postgraduate course homework. I wouldn't offer that to public though.

Re:Nothing overly dismissive there (1)

Intrepid imaginaut (1970940) | 1 year,26 days | (#44202959)

You'd still need some kind of centralised authentication server for email however, as it's domain related, otherwise it wouldn't be email, just a slower form of chat.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44203589)

You'd still need some kind of centralised authentication server for email however, as it's domain related, otherwise it wouldn't be email, just a slower form of chat.


See: DHT and bitcoin for examples of how you can tell one item from another without relying on a centralized authority.

Re:Nothing overly dismissive there (3, Informative)

chihowa (366380) | 1 year,26 days | (#44204225)

As it is designed, email is capable of peer-to-peer(ish, if people have their own domains) operation and if people used PGP the messages would be safe in transit. It's not totally decentralized, though, as you still depend on DNS.

More importantly, a shift away from centralized corporate mail servers toward individual (or at least family or co-op) mail servers can happen gradually without relying on the network effect to legitimize a new system.

Re:Nothing overly dismissive there (2)

gweihir (88907) | 1 year,26 days | (#44204677)

Not true. DNS is not strictly needed. If you are paranoid, you can send emails to user@ip_address. That does require a static IP address though and the right configuration at the target MTA, but nothing else.

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,25 days | (#44210627)

The p2p messaging would not use a definite path between source and target and could possibly store the encrypted message parts on other PCs if the receiver's computer is not available.

The IP address could also change (a unique identifier might still be needed though).

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,25 days | (#44211051)

Complete nonsense. You are talking about anonymization techniques, not P2P techniques. Anonymization can be done on top of P2P, but it is something entirely different with different aims, techniques and requirements. Anonymity can also be done without P2P, which clearly shows the concepts are different.

And of course a unique identifier is needed. How would Email be addressed otherwise? That you cannot see that the presence of such an identifier is critical for the system to work clearly shows that you have no clue what you are talking about.

Maybe read up on the concepts before talking such incredible BS...

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,24 days | (#44216991)

Nonsense is your existence. I was not talking about Anonymization at all. Go back to your freaking hole ass-hole.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,24 days | (#44219785)

Pathetic. Incompetent and unaware of it.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,26 days | (#44204663)

Aehm, SMPT is P2P and has always been P2P? Just run your own server. All you need for that is a static IP or a working dynamic DNS resolver. That you have to trust "companies and data centers" is just your own laziness.

It never ceases to amaze me how clueless some people are.

Re:Nothing overly dismissive there (0)

wmac1 (2478314) | 1 year,25 days | (#44210607)

You don't know anything about P2P , do you?

Emails need domain names and name service and domains are centralized services. The transfer of emails also happen in a deterministic way (i.e. between the source and target servers). It means the email service depends on the existence of the source and target servers at all times.

It never ceases to amaze me how clueless people talk big.

Re:Nothing overly dismissive there (2)

gweihir (88907) | 1 year,25 days | (#44210999)

You are impressively stupid. You managed to get _everything_ wrong. Truly an accomplishment. Have you bothered to look up even one of the things you talk about? Apparently not.

You seem to be unaware that the source and target Mail servers are the source and target of the Email. "Smarthosts" and things like POP3 are a crutch for crippled systems that cannot act as mail-server themselves. And you seem to be unaware of exponential back-off, repeated delivery attempts and secondary MXes. And you are unaware that DNS is neither needed for Email delivery, nor centralized. At best, DNS is hybrid. In a very real sense, DNS is P2P for almost everything. You can also send Emails to an IP address without problem, as long as the target server is configured for it. And what does "deterministic" have to do with it? Do you somehow believe P2P means undirected, random propagation of data?

What an incredible collection of nonsense.

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,24 days | (#44216973)

You are an asshole and a freaking illiterate stupid. And yes, you deserve that freak tag on your name.

I was not suggesting to implement SMTP using P2P. Go back to your stupidity hole.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,24 days | (#44219765)

Says the one that is not even able to have, maybe, a look at RFC2822....

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,23 days | (#44225013)

At the time I implemented my first SMTP, POP3 and HTTP servers using C (and developed SMTP and POP3 server libraries for Delphi) you were possibly in primary school. Go back to your pathetic hole.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,23 days | (#44232649)

Meaningless posing. Seems to me you never understood what you were doing (if you are not lying). Implementing something specified by others and actually understanding architectural characteristics and what their effect is are two entirely different things. And you decidedly have not kept up with things.

What also seems to elude you is that your past "accomplishments" are entirely meaningless. (Which is why I do not claim any. So far I could easily blow you out of the water, but that is not how this game works.) What counts is whether what you say make sense or not. What you said so far does not make sense and indicates a fundamental lack of understanding how things actually work. It also seems that you have stopped to understand what your own level of competence is (or never understood it). Here is a reference for you Dunning–Kruger effect []

Re:Nothing overly dismissive there (1)

wmac1 (2478314) | 1 year,22 days | (#44236337)

Yes, bla bla bla

You don't even understand the basic concepts of P2P.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44205099)

Your argument is theoretically correct. But in REALITY even OKW/Chi, who had the resources of Germany behind them, made some very serious mistakes. You know OKW as in "Oberkommando der Wehrmacht". And Enigma was one of their better systems. They could have made it easily unbreakable if they had applied some more analysis of uboot sinking statistics and less half-arsed decisions.

Here you can find my attempt at not making crypto mistakes:

let me know my mistakes at

NSA will translate the German for you at their front "".

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,26 days | (#44202251)

Completely agree with you and was going to post the same. No mercy for people marketing crapware as cryptographically-secure software.

A mistake is possible (even with many people looking at the code), but a sequence of mistakes is a pattern not to be ignored.

Re:Nothing overly dismissive there (4, Interesting)

Anonymous Coward | 1 year,26 days | (#44202307)

It is a devastatingly simple and obvious bug that any code review would have spotted. It's laughably amateurish.

It's especially egregious after the rant the author (isn't there just one?) went on about Javascript cryptography. Couldn't have happened to a nicer guy.

After all, what's the single biggest challenge in JavaScript cryptography? Random number generation. So what's the FIRST thing you look at when reviewing? Random number generation for keys. And what, pray, is their excuse for not using window.crypto.getRandomValues() with a typed array of bytes, which is guaranteed to be available in every supported browser? What, in fact, is their excuse for not using Uint8Array for carrying keys wherever they go?

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,26 days | (#44204699)

Indeed. That random number generation and use is critical is well-known to anybody with a clue since Netscape messed it up almost 20 years ago (in 1996). Since that time, nobody competent has any excuse to not very carefully scrutinize this part of the system in any review worth the name.

Re:Nothing overly dismissive there (0)

Anonymous Coward | 1 year,25 days | (#44207495)

No, the single biggest challenge in JavaScript cryptography is you don't get to control the code. A man in the middle can insert whatever JavaScript they want and then spy on you. You also can't sign the JavaScript because their man-in-middle can just hack your sign checking code.

Re:Nothing overly dismissive there (1)

gweihir (88907) | 1 year,26 days | (#44204595)

Indeed. The mistakes made are utter beginners mistakes. Nobody halfway competent in the implementation of cryptography would ever make them, as competent people would have recognized these components as critical for the security of the product. The only other explanation is malicious intent.

Given these two alternatives, the only possible recommendation is "Stay away from this software, do not use it for any purpose."

Where is the HTML5 version of cryptocat? (1)

hellop2 (1271166) | 1 year,26 days | (#44202091)

Does anyone know what happened to the HTML5 (non-plugin) based server-side version of cryptocat?

I don't care if it's less secure than the new plugin-required version.. it will still probably defend against an eavesdropper in my college dorm or at Starbucks.

Re:Where is the HTML5 version of cryptocat? (-1, Troll)

Sc00bz (2975039) | 1 year,26 days | (#44202923)

It's called Facebook chat with HTTPS turned on.

The really scary thing... (1)

fuzzyfuzzyfungus (1223518) | 1 year,26 days | (#44202097)

The really ugly 'gotcha', with any attempt at encrypted/obfuscated/steganographic communication, cryptocat included but hardly alone, is storage.

If your adversary is just drinking from the firehose, and lacks the ability to do more than a cursory inspection, all you have to do is be better than their cryptoanalysts today. If they have sufficient storage to archive a nontrivial percentage of what passes by(or their cursory inspection is good enough to classify suspicious encrypted traffic for storage) you have to be better, today, than their cryptoanalysts for however long what you are saying is relevant. The former is hard, the latter is downright scary.

Re:The really scary thing... (1)

Eivind (15695) | 1 year,26 days | (#44203549)

True, you have to stay secure for the length of time the message has value. This varies. If you're the military, and reporting the position of a patrol in the field, this doesn't need to stay secret for very long. (3 days later the info is pretty useless anyway)

Breaktroughs in algorithms makes this hard. You can nest encryption, which means you're safe unless *all* of the levels are cracked, but it's a hassle.

Why not use Skype (1)

Anonymous Coward | 1 year,26 days | (#44202115)

It's encrypted end to end and you can totally discuss your plans and share secrets using the instant messaging. For better protection, why not wrap them in a PDF labelled 'secret plans NSA do not read"?

Plus its from a trusted company that never harms their customers, Microsoft, in a country with strong privacy laws, America. So its double plus good private!

Re:Why not use Skype (0)

Anonymous Coward | 1 year,26 days | (#44202157)

It's the United States douchebag not America. This is why the US is the US and you are but a 3rd world mud puddle with a big ox shit in the center.

A mathematician's apology (0)

Anonymous Coward | 1 year,26 days | (#44202129)

Elitist arse as he was, at least Hardy never wanted his work to be used for anything except enjoyment of pure knowledge.

Cryptography's a horrible thing, really: it starts off with the principle that man is evil and will fuck you up if you don't protect yourself from him, and then it ignores all the usual imperfections which will actually catch you out - from the plaintext endpoints to the inadequate implementation to the rubber hose. I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me. Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).

Re:A mathematician's apology (4, Insightful)

lxs (131946) | 1 year,26 days | (#44202211)

I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me

Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.

Re:A mathematician's apology (0)

Anonymous Coward | 1 year,26 days | (#44202277)

I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me

Neither do I, but such is the world we live in. All you can do is accept that the world is a mostly shitty place, deeply appreciate the moments of stunning beauty it offers as well and try to improve your little corner of it.

Fantastic point of view regarding about why you should take your electronic privacy very seriously!

Re:A mathematician's apology (0)

Anonymous Coward | 1 year,26 days | (#44202911)

the world is a mostly shitty place

I smell a gritty reboot of The Hitchhiker's Guide.

Re:A mathematician's apology (0)

Anonymous Coward | 1 year,26 days | (#44203027)

the terrestrial electricity grid allows for monitoring of data, to date usually passive, but when people start bugging out about a "vunerability" it becomes irritating.

Fundamentally speaking, assume that anything plugged-in is being monitored; jamming and interference is an altogether different story, but the public needs to wake up and smell the roses on the electricity-snooping.

Facebook and Google, to name a few, are "harvesting" data for their use, that of their partners, and the obvious MOSSAD/NSA/CIA etcetera, but the mass-media is currently deployed in weakening the credibility of the "State", austensibly for future privatization schemes.

Beauty is in the eye of it`s Beholder

Re:A mathematician's apology (1)

stenvar (2789879) | 1 year,26 days | (#44203061)

Cryptography's a horrible thing, really: it starts off with the principle that man is evil and will fuck you up if you don't protect yourself

Societies are composed of many different kinds of individuals, and each individual can behave in many different ways. You need to protect yourself even if just a small percentage of people in society want to harm you some of the time.

Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).

Bullshit. We're biological beings subject to natural laws. A society in which everybody cooperates is provably not a stable solution, nor, for that matter, is it a very good solution. Yes, that's a mathematical fact.

The percentage of people wanting to harm you today is remarkably small by historical standards, and the amount of protection you need is small. Be happy about that, and then take some reasonable precautions, like everybody else.

Re:A mathematician's apology (1)

Antique Geekmeister (740220) | 1 year,26 days | (#44203383)

> I don't really want to live in a world where I have to actively hide shit from people or they'll try to take advantage of me. Lack of privacy is a social problem soluble by bringing up people with a better attitude toward their fellow man, not a technical one soluble with an arms race (which you will lose, btw).

Goodness, you are an optimist. The military, economic, or social advantage to accessing private communications is very large, and the social and economic and political advantages are _tremendous_. Education won't solve that: the first person in the "educated" world who starts copying test answers, or reading their boss's private correspondence, will have tremendous advantages socially and in the workplace. That's part of what the NSA was doing to EU communications: industrial espionage to benefit American companies.

God says (0)

Anonymous Coward | 1 year,26 days | (#44202147)

case judging heal infer interior you awesome Drunkard studying
trouble illuminating Kuwait 10 quiet know miss Brazil

overly acerbic? (0)

Anonymous Coward | 1 year,26 days | (#44202155)

I say it's only fair:
a security/cryptography product with that amount of failures is only conceivable if the authors don't care or are not prepared in the field.

We're not talking about average bugs. If you miss a string-to-int key conversion and no one notices it, you aren't testing anything or no one cares about the project.
Which is something you can expect out of your average program, but not from a crypto software.

What's noteworthy here? (0)

Anonymous Coward | 1 year,26 days | (#44202161)

What's noteworthy here? Operating systems and browsers have dozens of security bugs discovered each year. Or is this cleverly hidden Slashvertisment again?

Just host .onion hidden service forums! (0)

Anonymous Coward | 1 year,26 days | (#44202193)

Go to it - it's easy to do... Host a Tor Hidden Service .onion forum!

an example is HackBB: []

which is easy to remember and leads here:

http://clsvtzwzdgzkjda7.onion/ [clsvtzwzdgzkjda7.onion]

What are you waiting for?

Re:Just host .onion hidden service forums! (0)

Anonymous Coward | 1 year,26 days | (#44202345)

Someone to figure out how to mitigate the deanonymization attack on hidden services.

Re:Just host .onion hidden service forums! (1)

Ash-Fox (726320) | 1 year,26 days | (#44203781)

Cloudflare is better at protecting my server infrastructure than TOR is.

I am under surveillance, my computer has been back (0)

Anonymous Coward | 1 year,26 days | (#44202225)

* REMOVED from the author's blog but still on (for now) []

blog owner: []
Known for: Cryptocat

WHY was this removed? Was it a work of fiction, fishing, or paranoia?


"Disclaimer: While this story sounds highly suspect, especially considering that I have been the target of FBI entrapment less than a year ago, please take it with a grain of salt. After all, this may all be just one big prank, with me as the victim.

I am under surveillance, my computer has been backdoored

For public record:

On January 12, 2013, I had an interview with Radio-Canada regarding Cryptocat, my surveillance by the U.S. Government, how the FBI tried to entrap me, and so on. It was a successful interview and everything went well.

On January 31st, 2013, a person identifying as PG sent me an email saying that he would wish to meet to discuss a business opportunity with me. He specified Concordia Universityâ(TM) bar, Reggieâ(TM)s, as the place where he would like to meet. At the time I received his email, I was in a class at Concordia just one floor above that bar.

I answered PG telling him that I leave for New York City that day. He insisted he can meet me before I leave. When I asked him what heâ(TM)d like to discuss, he simply answered âoeIâ(TM)ll be wearing a black suit. See you at Reggieâ(TM)s at 12:45PM.â

I insisted that I would not meet with him unless he specified his reason. He said he needed a website for his new business venture, a traffic ticket contestation service. I replied saying sorry, I am not available for this sort of work. PG replied: âoeOK, thank you.â

At 1:00PM, I received an email, sent from a Blackberry, from someone claiming to be PGâ(TM)s colleague. They identified themselves as GB. GB mentioned that he was surprised that I am not at Reggieâ(TM)s, and that PG had asked him to write an email to me since PG is partially blind and cannot write emails. This is very strange to me since PG had written to me many emails during this incident.

At this point, I angrily replied to both GB and PG asking them to go away, and that I had already said that I am not available for a meeting or for hire.

Hours went by with no answer. Then, PG again sent an email (this time switching to the French language) in which he claimed that the radio interviewees from Radio-Canada had given him my contact information (this was denied by Radio-Canada when I checked with them.) In this new email, PG suddenly claimed that he was both a Juror and that he was previously a correspondent for Le Monde Paris.

PG then claimed that he knew people at CSIS, Canadian Intelligence, who were interested in acquiring Cryptocat. GB had incidentally mentioned that PG was interested in Cryptocat acquisition. In the same email, PG also mentioned that he too went to NYC often due to being invited to CIA conferences there. He said: âoeIâ(TM)m sure you know what Iâ(TM)m talking about re. CIA conferences, since you yourself seem to be funded by the U.S. Government.â

To this I replied: âoeWell, this was never a story of a business venture at all, was it? I am not surprised. I must admit, a former Juror and Parisian journalist who claims to work for CSIS; you inspire a lot of confidence ;-)â PG replied: âoeWe will speak Tuesday upon your return.â

Ever since my return from NYC, for days now, the Secure File Transfer desktop client that I use to connect to Cryptocat and other services in order to manage critical file and data transfers has been attempting to connect to, by itself:

        Hostnames that appear to belong to CSIS.
        Hostnames belonging to Lexum, a Montreal âoesoftware company that provides products and services to legal information users as well as various other organizations and companies that prepare, manage and publish large collections of documents.â also provides IT services for the Supreme Court of Canada, Courts Administration Service (CAS), Canadaâ(TM)s Department of Justice, and the Federation of Law Societies of Canada âoeto name a fewâ. They are located a 20 minute drive from where I live.
        Hostnames that appear to belong to the Supreme Court of Canada, operated by Lexum.

These connections were all detected and prevented by my external firewall system. I have documented the connections to the extent possible. In anger, I called a close friend to complain about these connections. Shortly after my phone call, the connection requests stopped, even though they had been occurring for days.

I immediately then tried to call PG. The first time, his phone rang a couple of times and he then hung up. The same thing happened the second time, except he hung up more quickly. The third time, he turned his phone off."


Re:I am under surveillance, my computer has been b (0)

Anonymous Coward | 1 year,26 days | (#44202269)

mod parent up


"I am under surveillance by Canadian agents, my computer has been backdoored (" []

"Addendum (added Feb. 10, 1:50PM EST): Iâ(TM)ve decided that the way Iâ(TM)m going to deal with this is by doing disk forensics on my computer and moving on, continuing my life as normal. I am not going to slip into total paranoia because of this incident. I have a history of attempted entrapments, of border interrogations and of surveillance, and with this incident, hereâ(TM)s what Iâ(TM)ll say:

If any agency is continuing to monitor me because of Cryptocat, you are invited to meet me under honest pretenses and have a cup of coffee with me. Just donâ(TM)t lure me in with lies and donâ(TM)t backdoor my computers. Be honest with me and I will have no problem discussing my work with you. I am not a criminal, I am an upstanding citizen. If you want answers, then contact me and be honest about it. You have nothing to fear from me.

In order not to cause unnecessary drama, to protect my privacy and to lessen my stress levels, Iâ(TM)m removing this blog post until further notice and investigation. This attracted way more attention that I wanted it to. I just wanted to protect myself, not cause a media uproar. Thank you everyone for your support. This is already a stressful situation and the huge level of attention to this blog post is just making everything more stressful to deal with." []

Re:I am under surveillance, my computer has been b (0)

Anonymous Coward | 1 year,26 days | (#44202281)


Creator of CryptoCat -- the web app that uses military-grade encryption to protect conversations -- is under surveillance by the government and may have had his computer compromised by CSIS agents ( []

would you lick sheldon cooper's penis? (-1)

Anonymous Coward | 1 year,26 days | (#44202373)


Only effects group chats? (0)

Anonymous Coward | 1 year,26 days | (#44202571)

Sounds like one of the devs is NSA...let's avoid this one shall we...

Informants can compromise comms; alternatives (0)

Paul Fernhout (109597) | 1 year,26 days | (#44203093)

So, strategies towards social change are better off being legal and transcendent (e.g. Bucky Fuller's idea of creating alternatives that make the status quo obsolete). So a lot of the focus on encrypted communications misses the big picture of the vast 21st century changes we are seeing towards post-scarcity...

Or as I say here: []
Our biggest advantage is that no one takes us seriously. :-)

And our second biggest advantage is that our communications are monitored, which provides a channel by which we can turn enemies into friends. :-)

And our third biggest advantage is we have no assets, and so are not a profitable target and have nothing serious to fight over amongst ourselves. :-)"

Let's hope those advantages all hold true for a long time. :-)

. . .

On dealing with the social hurricane of the CIA

If we thought about the CIA, or Al-Qaeda, or really many other agencies or organizations around the globe dealing in intelligence or covert operations as hurricanes in history, it is foolish to think one person can stand against a hurricane. What is likely to happen is you will get a 2X4 ripped from a house driven through your brain at 150 mph, such as, essentially, (spoiler) in the ending of the Directors' Cut of Brazil (though by other means). But, maybe there are other ways to approach this situation?

There are at least eight ways that I can see at the moment to deal with the hurricane of the CIA (or other global hurricanes, including to some extent Al-Qaeda, Mossad, MI6, or whoever):

* To begin with, for an official organization sponsored by a state like the CIA, one could hope for democratic oversight, which presumably exists in some form, as a first line of reigning such an organization in. But in practice such control is subverted by, as the above example with Obama suggested by Wayne Madsen, the fact that you are looking at an overall system where the agency protects its own existence. See Langdon Winner's "Autonomous Technology: Technics-out-of-control as a Theme in Political Thought" for examples of how this "reverse adaptation" happens for all sorts of organizations. If the CIA is running its own candidates, and all choices have such ties, well, then there is not much to choose from, right? As with Kerry vs. Bush, both Skull and Bones alumni whoever wins: []
So, it's not even the foxes guarding the chickens. It is the fox guarding itself... If we just accept that the agency is not going away, and can not be directly overseen, then we can move on to other ways of looking at the situation of how to co-exist with it.

* Historically, humans have survived hurricanes even with few resources like in Haiti. One can study how they have done that:
        "In Haiti, the Art of Resilience " []
Perhaps the very notion of having less makes one have a stronger community? The CIA has had difficulties infiltrating strong tribal communities, although while that may work for Afghans as a close-knit tribal culture knowing people from birth, that probably won't work for the internet (where no one knows both if you're a dog and if you work for the CIA.)
        "On the Internet, Nobody Knows You're a Dog " []
        "CNC Machinist job related to custom bicycles & CIA version & comments" []
And in any case, simply resisting infiltration would not deal with the bigger issues of a malfunctioning intelligence sector, directing the tools of abundance to be used as weapons to fight over perceived scarcity (like if your closeknit community gets wiped out by a government-created or terrorist-created bioweapon that wipes out humanity). So, I outline it for completeness, but it is in practice not much of an answer, and in any case, it would leave one always living in fear...

* In order to contain excesses, one could point out some form of corruption or cover-up at the center which, the theory goes, if only exposed would lead to some sort of popular rebellion. Example from fiction, with a key scene at the end where the population revolts in response to seeing one short video about how the government faked one news item: :-)
        "The Running Man" []
Lots of people try to expose hypothetical coverups involving the intelligence community (and such efforts are usually labeled "conspiracy theory"), but I suggest is mostly ineffective because like a hurricane, the center is probably just very calm. And people there are probably, truly, for the most part, thinking they are doing good, because that is their world view. Of course, Hitler also though he was doing good, and pretty much everything he did was legal, because he defined the law (the Nazis were, as I said, sticklers for proper paperwork and legality):
        "Hitler's World View: A Blueprint for Power " []
And in any case, the center is protected by layers of gale force winds around it. I suggest it is more useful to think that an agency like the CIA exists in its present form because of an overall social heat-dynamics in our society. Assuming an agency is the way it is because of just a few agents or a few "bad apples" at the bottom of the barrel seems to be a fundamental misunderstanding of the nature of a hurricane (or a social organization). I'm not saying leadership does not matter (it does). There may well be some bad apples in the CIA (almost certainly, as any human organization has them, and secrecy helps breed and protect them). But the issue is more what sustains and empowers the bad apples, same as one can ask how individual terrorists may be empowered by grievances in a society or other social dynamics that cause, say, an otherwise moderate Muslim to look the other way (or even aid) a terrorist as opposed to turn one in. Effective anti-terrorism programs work to reduce that level of societal support for violent vengeful solutions in various ways and to help people learn how to work towards non-violent win/win solutions when possible. To build on that analogy, for background, how hurricanes work is explained here by Marshall Brain: [] []
Essentially, for the USA, from that video, and stretched a bit for comedic effect, hurricanes often start in Africa near the Middle East and grow in strength from all the heat energy in the ocean and then may make landfall often around Washington, D.C.. I'd suggest that if we think about that analogy, we may find several other approaches to intervention to ensure the CIA is less harmful and is performing useful operations for truly increasing and maintaining US (and global) security.

* As an individual, or through a society defining building codes, one can build a hurricane proof place to live; examples: [] []
Likewise, one can just lay low and live a very simple and non-controversial life, full of all the goodness one can. That's a great solution for an individual, one I highly recommend. Examples: [] [] []
But for a society, it leaves out the sense that "silence implies consent". So, it's a good personal solution, and I hope most people pursue it, but then there are the solutions for the rest of us to pursue, us presumably identified as potential troublemakers and sent to places like Princeton to train us to make trouble in nicely organized clean-looking ways. :-) At the level of society, I'm not sure what building codes would be equivalent to, but they are probably like the idea of upholding the US Constitution somehow. Thus, many on the US political "right" are really right as far as supporting the Constitution. :-) Even if in the USA, a lot of other unrelated ideological baggage sometimes goes with that, a situation made problematical given that the founders did not anticipate a society with this much technology, a concentration of wealth, a dependency on a complex technosphere just to survive (no more family farms), etc.. Related: []
Thus, for example, the call for a "basic income" in order to make our economics work better is rejected by the "conservatives" as just another tax and unconstitutional government intrusion, so everyone is getting squeezed between a political system conceived in the 18th century and a techno-economical system conceived of in the 20th century (and continually refined in the 21st). So, that leaves anyone trying to make change caught with one foot in each of two worlds, the 18th century and the 21st century. So, we have a "Tea Party" that literally seems to be out of the 18th century. :-) But they drive to their events in 21st century horseless carriages and essentially use magic to talk to each other. See:'s_three_laws []
"Any sufficiently advanced technology is indistinguishable from magic."
But their politics do not accept that they live in an age of magic, where most typical human labor has less and less economic value... That is the real tragic irony of the Tea Party in the USA. However, on the left, the Green movement often actively rejects technology, rather than engaging with it to make it better, leaving that to conservatives. Even engineers can get locked into a deep irony. Here is a recent link Harold Helm sent me:
        "Idea Lab - Why Are So Many Terrorists Engineers? -" []

"They say they believe in freedom and share our values. They say a few bad apples shouldn't bring down judgment on their entire kind. Don't be fooled. Though they walk among us with impunity, they are, in the words of Henry Farrell, a political scientist at George Washington University, "a group that is notoriously associated with terrorist violence and fundamentalist political beliefs." They are engineers. ... Gambetta and Hertog found engineers only in right-wing groups -- the ones that claim to fight for the pious past of Islamic fundamentalists or the white-supremacy America of the Aryan Nations (founder: Richard Butler, engineer) or the minimal pre-modern U.S. government that Stack and Bedell extolled. Among Communists, anarchists and other groups whose shining ideal lies in the future, the researchers found almost no engineers. Yet these organizations mastered the same technical skills as the right-wingers. ... The engineer mind-set, Gambetta and Hertog suggest, might be a mix of emotional conservatism and intellectual habits that prefers clear answers to ambiguous questions -- "the combination of a sharp mind with a loyal acceptance of authority." Do people become engineers because they are this way? Or does engineering work shape them? It's probably a feedback loop of both, Gambetta says."
Obviously, with my having an engineering mindset (even with degrees in psychology and E&E biology) and my arguing for transforming the CIA instead of disbanding it, that's something to think about in terms of considering where I am coming from.
* The video above suggests most US-damaging hurricanes start in Africa, around the Sahara desert. If we were to reforest the Sahara desert and the Middle East (it once was forest, chopped down in part from human efforts), perhaps not so many hurricanes would get started there? So, a large amount of charity directed to that part of the world, to rebuild infrastructure and make the world work for everyone, might yield great benefits in terms of reducing the things that justify an out-of-control CIA. And I'm not talking about the "charity" of yet another war, I'm talking about trillions of dollars in aid to that area entirely in a civilian way. So, we can perhaps get rid of both many social hurricanes and many physical hurricanes for one single huge investment by the USA (and maybe create millions of US jobs sending US civilians abroad to help).

* As those storms from Africa move across the Atlantic Ocean, they pick up energy from the heat of the ocean. Global warming has been predicted to lead to superstorms as the oceans have more energy.
        "Superstorms, Climate Change and Superstorm Seasons" []
Think also of Jupiter's Great Red Spot that is essentially a permanent big hurricane. If you reduce the overall energy in the system, the hurricanes will not be so bad, like if we reduce CO2 and methane emissions from coal and animals that lead to global warming, perhaps by an ideological shift towards accounting for externalities or creating a more compassionate food system. So, likewise, if our society changes to a post-scarcity abundance paradigm, then we may see less tensions across the globe, which means less reason for the CIA to act so crazily sometimes. War may be a "racket", but we can still do what we can to give people less excuses for it.

* Related to the above, if, within itself, the CIA adopts a post-scarcity abundance-based ideology, then it might transcend being such an irony, which might be like a hurricane changing its structure to a regular storm. []
So, very useful would be anything people can do specifically to get the agency to grasp how, say, using vast supercomputer networks to spy on people so you can keep them working is ironic when you could just have the spy computers do the work you're forcing people to do. (That links to some of my indirect work as above, assuming communications are monitored.)

* One can also live below the waves or live up in space, beyond the reach of a hurricane. For example: []
Also related to that is the possibility that global warming is driven in part from an increase in solar output. A space-faring civilization could deal with that by putting up some kind of shading between the Earth and the sun to precisely adjust the amount of solar radiation the Earth receives, so if the sun outputs 1% more over a century, the civilization could put up some extra sun blocking panels (perhaps even just capturing the energy as electricity to be beamed for other uses in the solar system).

To some extent, all the eight solutions can work together. Note than none of them require disbanding the CIA. None of them require violence. They all require being like the Peacemaker in his approach to Tadodaho though.

As Thich Nhat Hanh says in "Creating True Peace : Ending Violence in Yourself, Your Family, Your Community, and the World", which I quote here: []

"Sometime, people who cannot find any way to resolve a problem with someone else are tempted to eliminate the problem by eliminating the other person. They wish the other person would just go away, die, or disappear. That desire may be strong enough to lead them to kill. Killing another person is not an act of freedom but an act of despair and great ignorance; it will not bring freedom or peace. (page 92)
                Our enemy is never another person; our enemy is the wrong perceptions and suffering within him, within her [or sometime even within ourselves about them]. When a doctor sees a person who is suffering, he [or she] tries to identify the sickness within the patient to remove it. He [or she] does not try to kill his patient. The role of the doctor is not to kill people but to cure the illness within them. It is the same with a person who had suffered so much and who has been making you suffer -- the solution is not to kill him [or her] but to try to relieve him [or her] of his [or her] suffering. This is the guidance of our spiritual teachers. It is the practice of understanding and love. In order to truly love, we must first understand. (pages 89-90)"

When the Peacemaker sang the song correctly, he helped change the wrong perceptions in Tadodaho.

Just like the Peacemaker could instead have killed Tadodaho in vengeance, to be left without a "firekeeper", we could get rid of hurricanes in the USA by removing the Earth's atmosphere, the sun, or the oceans, but then we would freeze, asphyxiate, and/or dehydrate. So, we as a society need to address the way things are put together that create and sustain hurricanes like the CIA, and not, for example, talk about eliminating individual (human) molecules that may make up the hurricane (such talk of eliminating individuals would be illegal, not to mention, to my mind, both immoral and ineffective).

The same probably goes for addressing the hurricane of Al-Qaeda, IMHO, where the CIA's attempts with drones to knock off individuals seems to have only made the overall US security situation worse (especially given mass collateral casualties, including of children, three of whom are claimed to have been killed by a drone use authorized by Obama within days of taking office).
        "President Obama 'orders Pakistan drone attacks'" []
        "What are the risks of the C.I.A.'s covert drone program?" []
        "The Forty-Year Drone War" []

Example of a need for changing views:
        "Obama Finds Predator Drones Hilarious" []

"Operating for years in Afghanistan and Pakistan as an officially secret counterterrorism program, the drones have drawn controversy for their notoriously high civilian casualty rate, the anti-American rage they provoke in the region, and for the dubious constitutionality of assassinating foreign nationals. So when Obama incorporated a Predator Drone joke into his Correspondents Dinner routine, it raised some eyebrows: ..."
But sometimes we try to make light of the things we are scared of, or conflicted about, or that our unconscious is trying to bring to our attention.

So, each of the above eight items tries to address some "wrong perception" in our society about how resources should be deployed and what ideology should be used in thinking that through... And they are ways to avoid, say, the irony of using advanced US technology as in military robotics (such as through the CIA) to enrage people as the CIA (as directed by politicians) tries to enforce a social order based on making people act like robots rather than to help them be all they want to be or can be as human beings (hopefully becoming all they want to be in partnership with compassionate and friendly and enlightened robots).

Again, to follow Woodrow Wilson's points, better ideas (science) could help with that, as could better stories and ideals (literature and the humanities), as could some better tools that merge the two. The Haudenosaunee (People of the Longhouse) may have not had so much fancy technology as the Europeans (ignoring their biotech in terms of the three sisters of corn, squash, and beans), but they certainly had, as above, powerful stories that allowed them to build an expanding, resilient, and sustainable civilization that was relatively peaceful and equitable at least internally.

For an old example of the CIA and tools for processing stories and other information: []

"XSIS and The Customer Information Analyst: Why would Xerox develop an incredible spreadsheet that could display images, conjugate Russian verbs and why did that happen in a strange group called XSIS located in Los Angeles and Washington? Apparently they had an important customer with a lot of complex information to analyze. How did Angela Coppola know that 1000 people would show up for OOPSLA'86 when the PC committee predicted 100-200? What sort of technology could the National Security Administration use to print Chinese leaflets circa 1978? The Xerox Analyst served the CIA as a analytic tool for many years. Even 13 years later it still offers tools more powerful than MSOffice. The Analyst is still alive and well and forms a key component in TI ControlWorks Wafer Fab Automation System."
But the message of those tools has still not sunk in -- material abundance is possible for all. People may still find reasons to compete (over mates, over social status, etc.) but at least fighting over *stuff* is becoming obsolete (or, similarly, we can move beyond thinking there is not enough *stuff* to build a lot of different communities that follow different rules within them). Except our entire military and intelligence apparatus is configured assuming the big problem is fighting over stuff one way or another, and becomes, in a way, a self-fulfilling prophecy, or some kind of social knot.

The good news is that a move towards better information, stories, paradigms, and tools to help everyone realize this is happening already in our society through the internet, as the greatest educational and analysis tool we've ever created, as part of making a "noosphere". []

It lets me draw from many sources, and easily find good stories like about Tadodaho and the Peacemaker. Google is, to an extent, already a big example of what I have been talking about, and by itself, it may well change the CIA for the better. But perhaps we can do more.

Of course, the internet may have its own set of social hurricanes to deal with. :-) Sometimes we create more problems than we solve.

I am sorry I can only deliver this text, and not deliver the tools and semantically tagged content so that anyone could use it to create such a web of ideas and/or collaboratively improve on it. Maybe someday...

Anyway, I've reached the point where this 60+ page essay is confusing me and I can't keep it all in my head, and I've read it over so many times it is a blur, so a smarter and probably kinder person would probably sit on it for more days and edit it down, but I'll send it anyway in hopes others might find a nugget or two of something useful if they look at it someday. And presumably, I'll improve it in the future with other tools. I hope.

Still, it just seems to get longer the more I work on it. Also, I have to accept that by sending it I may well make it *less* likely that I personally will succeed at any of this, as beyond the time it took to write it, drawing more attention to myself is generally not a good thing for programmer productivity (or maybe security, as suggested in an ancient "Chinese" curse of "May you come to the attention of those in authority".) But, I can hope that even if the chance I succeed at building FOSS intelligence tools might go down by me sending this, the chance that the community builds them someday might go up some. And in the long term, that may be what matters most. It is really this idea of FOSS intelligence tools, joined with the Native American story of Tadodaho and the Peacemaker, which matters most, as the essence of the "song". But I'm obviously not much of a singer (even though my mother was), and I hope perhaps, someone out there can truly sing this song right (maybe after rewriting it in a totally different key), singing in a way to change the heart of the unreformed Tadodahos of today, so they can become part of a world community that is educated, healthy, joyful, prosperous and mutually/intrinsically secure.

So, from one reformed Tadodaho to possibly others, even ones not on the CC list or BCC lists but who might be reviewing this anyway, all the best. :-) My thanks to everyone on the two lists who, like Leon Shenandoah, have been an inspiration to me one way or another.

Re:Informants can compromise comms; alternatives (0)

Anonymous Coward | 1 year,26 days | (#44203427)

goooo aderal!

A valuable lesson (1)

zzyzyx (1382375) | 1 year,26 days | (#44203603)

The last sentence of this article says it all :

Also I learned that it means nothing when I hear "it is open source and peer reviewed".

The analysis is correct, these people have no clue (2)

gweihir (88907) | 1 year,26 days | (#44204563)

The mistakes made are utter beginner's mistakes that nobody even halfway competent with regard to cryptography would make. The only other possibility is that these mistakes were made intentionally.

While it is unclear whether utter cluelessness or devious intent is to blame, this software should not be trusted on any level or for any purpose. Of the people writing it can make this kind of mistake, then there will likely be a number of other mistakes in it that affect security and this piece of trash should be regarded as broken for any purpose.

Doing crypto is not a beginner's game. There are countless ways to get it wrong, and most of them cannot be found by testing, but require in-depth understanding and meticulous analysis of the mechanisms used. And encryption software being OSS only helps if some people with a clue care to review it.

Re:The analysis is correct, these people have no c (0)

Anonymous Coward | 1 year,25 days | (#44207387)

So, do crypto, you have to be competent.

But ... you gain competence how?

Because, by your rules, you can't gain competence by the normal process of trying something, making a mistake and fixing it.

Sorry, you set the whole situation of up as a George Bush "With Us or Agin Us" dichotomy, I'm just carrying it to it's logical extension.

Re:The analysis is correct, these people have no c (1)

TCM (130219) | 1 year,25 days | (#44207581)

You gain competence the same way pilots do. They don't get to fly hundreds-of-passengers boeings on their first day either. It's OK to be a crypto beginner. But why do they publish a chat system instead of scribbling around in Cryptool?

If you see someone looking into a loaded shotgun barrel with their finger on the trigger, you don't say "oh, let him learn by trial and error". You take the gun from him, slap him across the face and send him learning the basics.

Re:The analysis is correct, these people have no c (1)

gweihir (88907) | 1 year,25 days | (#44210915)

You gain competence by studying it, but trying things, etc. Before that you already have to be a pretty good and experienced programmer. People without that skill should not even try, it is a mandatory skill. You cannot learn how to program well doing crypto, crypto has a whole additional set of difficult and subtle requirements.

And no, test-and-fix does not work for crypto. That is not "my rule", but in the very nature of things. The problem is that testing will not show the mistakes for crypto, and hence it is not the "normal" process at all.

All pretty obvious to anybody that actually cares to find out. Your cluelessness is a disgrace.

A lot of shit talk here (0)

Anonymous Coward | 1 year,26 days | (#44204871)

Various comments posted along the lines of "clueless nubs, crypto is the realm of spr smrt ppls, just give it up" as if any of these academic geniuses have stepped up and produced their own open source cryptographic chat application that runs in a web browser.

This is how it works: freely available source for everyone to look through leads to someone spotting a problem, followed by a quick fix.

Nobody is actually that impressed when you spew on about how "you have to be smart" to understand cryptography, especially when you're repeating things that others have already said, word for word. It's as annoying as the people who read an article or two and then start posting the same old tired nonsense about the number of atoms in the universe and how long it might take to brute force something. Just shut the fuck up already.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>