cryptocat mentioned on wired.com recently...
b. brewer
bbrewer at littledystopia.net
Sat Jul 28 10:25:52 PDT 2012
This Cute Chat Site Could Save Your Life and Help Overthrow Your Government
By Quinn Norton, July 27, 2012 | 12:15 pm | Categories: Conferences, Crypto
Nadim Kobeissi, creator of Cryptocat, spoke in mid-July at the HOPE
conference, held at New York's Hotel Pennsylvania every two years.
Credit: Quinn Norton/Wired
Twenty-one-year-old college student Nadim Kobeissi is from Canada,
Lebanon and the internet.
He is the creator of Cryptocat, "a project to combine my love of
cryptography and cats," he explained to an overflowing audience of
hackers at the HOPE conference on Saturday, July 14.
The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed
binary cat in the corner. The visitor has the option to name, then enter
a chat. There's some explanatory text, but little else. It's deceptively
simple for a web app that can save lives, subvert governments and
frustrate marketers. But as little as two years ago such a site was
considered to be likely impossible to code.
Cryptocat is an encrypted web-based chat. It's the first chat client in
the browser to allow anyone to use end-to-end encryption to communicate
without the problems of SSL, the standard way browsers do crypto, or
mucking about with downloading and installing other software. For
Kobeissi, that means non-technical people anywhere in the world can talk
without fear of online snooping from corporations, criminals or governments.
"The fact that you don't have to install anything, the fact that it
works instantly, this increases security," he explained, sitting down
with Wired at HOPE 9 to talk about Cryptocat, activism and getting
through American airports.
To create Cryptocat Kobeissi had to deal with controversies in computer
security, usability and geo-politics.
When he flies through the US, he's generally had the notorious SSSS
printed on his boarding pass, marking him for searches and
interrogations which Kobeissi says have focused on his development of
the chat client.
Online privacy doesn't have a lot of corporate or governmental fans
these days, but Kobeissi has faced controversy before.
"During 2010 and 2011 I was a defender of WikiLeaks and the free press
in general, and I thought Collateral Murder (the WikiLeaks publication
of a controversial helicopter assault video) was a highly significant
piece of journalism," he said.
He mirrored WikiLeaks content and organized a march in support of the
organization during the period in late 2010 when WikiLeaks found itself
thrown off of Amazons hosting service and blocked by credit card
companies. "I know for certain that it's contributed to other defenders
of WikiLeaks and Bradley Manning being harassed, so it's somewhat likely
that I could also be targeted." Still, Kobeissi points out that he's
never been questioned about WikiLeaks, only about Cryptocat.
His SSSSs can mean hours of waiting, and Kobeissi says he has been
searched, questioned, had his bags and even his passport taken away and
returned later. But he's kept his sense of humor about the experience,
even joking from the airport on his Twitter account.
Nadim Kobeissi
@kaepora
WHAT AN SSSS FOR THE FIFTH TIME IN A ROW HOW COULD THIS HAPPEN I AM SO
SURPRISED THIS IS SO SURPRISING pic.twitter.com/ooM1L0I7
17 Jun 12
The young and cheerfully sarcastic Kobeissi is somewhat baffled by the
border attention. Kobeissi said that in one of his last U.S. trips
through Charlotte, NC, "In total I was searched either three or four
times, in a single visit. Why? Do bombs materialize? I don't
understand," he continued. If the searches, delays, and interrogations
about Cryptocat are an intimidation tactic, they haven't worked.
"Dear US Government, I'm from Lebanon," Kobeissi said, laughing. "You
don't scare me, you don't understand. My friends were killed in 2008, my
house was bombed and my neighborhood ruined. My father was killed in
2006. You don't scare me at all. If you want to scare me, send me for
torture in Syria. But you can't anymore, because Syrians are revolting."
A U.S. Customs and Border Protection spokesman declined to comment on
Kobeissi's detentions at the border, saying he was prohibited from doing
so by privacy laws, though he maintains that it plays nicely with
foreigners.
"The United States has been and continues to be a welcoming nation. U.S.
Customs and Border Protection not only protects U.S. citizens and lawful
permanent residents in the country but also wants to ensure the safety
of our international travelers who come to visit, study and conduct
legitimate business in our country.
Our dual mission is to facilitate travel in the United States while we
secure our borders, our people and our visitors from those that would do
us harm like terrorists and terrorist weapons, criminals, and
contraband. CBP officers are charged with enforcing not only immigration
and customs laws, but they enforce over 400 laws for 40 other agencies
and have stopped thousands of violators of U.S. law.
CBP strives to treat all travelers with respect and in a professional
manner, while maintaining the focus of our mission to protect all
citizens and visitors in the United States."
To get Cryptocat to the hands of Syrians resisting their government, or
Canadians resisting being profiled by marketers, Kobeissi had to build a
crypto tool in a place where no crypto tool has ever flourished: your
browser. "You have to make it just as easily accessible as Facebook Chat
or Google Talk, which is what I'm trying to do with Cryptocat," he said.
Google, Facebook and an infinite variety of other sites are pushing more
functionality into the browser to increase the power of web apps, and
the browser has become, for many people, the main interface of their
computer. But from a security point of view, the browser has always
failed to provide for users, and nowhere worse than in cryptography.
Encrypting data to keep it away from prying eyes, be they hackers or
nations, has proved nearly impossible in the browser, which has relied on
one standard to do everything: SSL, which is known to be broken. The
terrible state of browser security plagued Kobeissi in his work to build
Cryptocat.
"Browsers are huge, complex, multilayered beasts with lots of moving
parts, and every last one of them implements at best some dialect of
each of the many standards that a modern browser has to support," said
Meredith Patterson, a senior research scientist at Red Lambda. Patterson
deals with security and cryptography on an architectural level in her
research, and has reviewed and commented on Cryptocat.
Problems like bad browser sandboxing meant that something in one tab
could affect a session in a Cryptocat window. No libraries or standards
existed to handle normal encryption functions in JavaScript. The biggest
problem is that delivery of JavaScript code from server to browser could
be intercepted and modified by breaking the SSL connection without a
user ever knowing they were running malicious code.
Kobeissi faced criticism from the security community for even trying,
but he persevered. "Now more than a year later, Cryptocat has
significantly advanced the field of browser crypto," he said with
obvious pride. "We implemented elliptic curve cryptography, (and) a
cryptographically secure random number generator in the browser," along
with creating a Cryptocat Chrome app to address the code delivery problem.
"I don't think Nadim really knew what he was in for when he started this
project, but although it got off to a bumpy start, he's risen to the
occasion admirably," said Patterson.
But Kobeissi also knows that it's equally important that Cryptocat be
usable and pretty. Kobeissi wants Cryptocat to be something you want to
use, not just need to. Encrypted chat tools have existed for years but
have largely stayed in the hands of geeks, who usually aren't the ones
most likely to need strong crypto. "Security is not just good crypto.
It's very important to have good crypto, and audit it. Security is not
possible without (that), but security is equally impossible without
making it accessible."
Patterson agrees with Kobeissi's approach. "As much as it drives all of
us nerds batshit, J. Random internet user spends most if not all of her
time in the browser, and generally doesn't care to install even a
separate email client much less a separate chat client," she said. "If
you don't go where the users live, you don't get users. End of story."
Nevertheless, Kobeissi has said repeatedly that Cryptocat is an
experiment. Structural flaws in browser security and JavaScript still
dog the project as it moves toward version 2, scheduled for the end of
the year. Cryptocat 2 will be a full Jabber client, allowing for both
current style OTR and Multi Party, or mpOTR for group chats. OTR is
Off-The-Record messaging, the current gold standard in encrypted chat.
(Not to be confused with Google Talk's OTR, which is not encrypted at all.)
Screenshot of the second version of Cryptocat, a Jabber/xmpp client with
full OTR support.
He isn't eager to bet his life on his work to date. But in environments
like the Arab revolts, he acknowledges that for all of Cryptocat's
flaws, it's better than software many people in Arab countries use right
now, which can put them in tremendous danger. "If the alternative is
Facebook Chat or Google Talk or Skype please use Cryptocat by all
means, but it's still an experiment."
Thus far Cryptocat hasn't penetrated far into the consciousness of the
common user, but for some groups in need of secure communications, it's
already part of the toolkit. "High security, simple to use," said an
active participant in the internet collective Anonymous, which has faced
prosecution and worse the world over. "If it's a hurry and someone needs
something quickly, Cryptocat."
Kobeissi himself grew up in Beirut, Lebanon. Besides authoring the
secure chat tool and being a security researcher, he's a political
science and philosophy major at Concordia University in Montreal,
Canada. His post-college job is set: he'll be developing Cryptocat full
time, living on grant money for the project.
He emigrated to Canada after a conversation with his mother, when the
then-teenager came to realize he might not live very long in Lebanon,
a situation that informed his software design. He's vocal about his
love of his adopted home in Canada, as well as about how the internet and
games kept him going through the rough times in the war-torn country of
his birth: "The happiest things in my childhood were Sega Game Gear and
Sega Genesis." It's clear that Cryptocat's distinctive 8-bit feel isn't
just a gimmick.
Nowadays he sees himself as coming from two cultures, North American and
Middle Eastern, and it gives him a rare perspective on both the need and
usefulness of getting crypto into the hands of everyone.
"This is something North Americans don't realize. Here we're exporting
cryptography software. Generally, especially in today's context, the
Middle East imports cryptographic software, but it's a foreign product.
A foreign civilization made it," he said.
He believes that by building Cryptocat with more sensitivity to the
pleasures of the user, he can help the people that need secure
communications most. "I want it to be something that has a nice color
scheme, that works in your browser, that you can open instantly, that's
easily accessible, that has a cat, that has audio notifications, that
has desktop notifications," Kobeissi said, "Because these are important
security features."
When faced with the torture of using crypto software or the torture of a
repressive government, some dissidents have, intentionally or not,
opted for the latter.
"I have seen someone who I know knows how to use OTR not use OTR, and
get tortured as a result, in Syria. OTR is not accessible, it's not a
pleasure to use."
Quinn Norton is a writer and photographer who peripatetically covers net
culture, copyright, computer security, intellectual property, body
modification, medicine, and biotech.