cryptocat mentioned on wired.com recently...

b. brewer bbrewer at littledystopia.net
Sat Jul 28 10:25:52 PDT 2012


This Cute Chat Site Could Save Your Life and Help Overthrow Your Government
By Quinn Norton, July 27, 2012 | 12:15 pm | Categories: Conferences, Crypto

Nadim Kobeissi, creator of Cryptocat, spoke in mid-July at the HOPE 
conference, held at New York's Hotel Pennsylvania every two years. 
Credit: Quinn Norton/Wired


Twenty-one-year-old college student Nadim Kobeissi is from Canada, 
Lebanon and the internet.

He is the creator of Cryptocat, "a project to combine my love of 
cryptography and cats," he explained to an overflowing audience of 
hackers at the HOPE conference on Saturday, July 14.

The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed 
binary cat in the corner. The visitor has the option to pick a name, then 
enter a chat. There's some explanatory text, but little else. It's 
deceptively simple for a web app that can save lives, subvert governments 
and frustrate marketers. But as little as two years ago such a site was 
considered all but impossible to build.

Cryptocat is an encrypted web-based chat. It's the first chat client in 
the browser to let anyone communicate with end-to-end encryption without 
relying solely on SSL, the standard way browsers do crypto, and without 
mucking about with downloading and installing other software. For 
Kobeissi, that means non-technical people anywhere in the world can talk 
without fear of online snooping from corporations, criminals or governments.

"The fact that you don't have to install anything, the fact that it 
works instantly, this increases security," he explained, sitting down 
with Wired at HOPE 9 to talk about Cryptocat, activism and getting 
through American airports.

To create Cryptocat, Kobeissi had to deal with controversies in computer 
security, usability and geopolitics.

When he flies through the US, he's generally had the notorious SSSS 
printed on his boarding pass, marking him for searches and 
interrogations, which Kobeissi says have focused on his development of 
the chat client.

Online privacy doesn't have a lot of corporate or governmental fans 
these days, but Kobeissi has faced controversy before.

"During 2010 and 2011 I was a defender of WikiLeaks and the free press 
in general, and I thought Collateral Murder (the WikiLeaks publication 
of a controversial helicopter assault video) was a highly significant 
piece of journalism," he said.

He mirrored WikiLeaks content and organized a march in support of the 
organization during the period in late 2010 when WikiLeaks found itself 
thrown off of Amazon's hosting service and blocked by credit card 
companies. "I know for certain that it's contributed to other defenders 
of WikiLeaks and Bradley Manning being harassed, so it's somewhat likely 
that I could also be targeted." Still, Kobeissi points out that he's 
never been questioned about WikiLeaks, only about Cryptocat.

His SSSSs can mean hours of waiting, and Kobeissi says he has been 
searched, questioned, had his bags and even his passport taken away and 
returned later. But he's kept his sense of humor about the experience, 
even joking from the airport on his Twitter account.
Nadim Kobeissi (@kaepora), 17 Jun 2012:
"WHAT AN SSSS FOR THE FIFTH TIME IN A ROW HOW COULD THIS HAPPEN I AM SO 
SURPRISED THIS IS SO SURPRISING" pic.twitter.com/ooM1L0I7

The young and cheerfully sarcastic Kobeissi is somewhat baffled by the 
border attention. Kobeissi said that on one of his most recent U.S. trips, 
through Charlotte, NC, "In total I was searched either three or four 
times," in a single visit. "Why? Do bombs materialize? I don't 
understand," he continued. If the searches, delays, and interrogations 
about Cryptocat are an intimidation tactic, they haven't worked.



"Dear US Government, I'm from Lebanon," Kobeissi said, laughing. "You 
don't scare me, you don't understand. My friends were killed in 2008, my 
house was bombed and my neighborhood ruined. My father was killed in 
2006. You don't scare me at all. If you want to scare me, send me for 
torture in Syria. But you can't anymore, because Syrians are revolting."

A U.S. Customs and Border Protection spokesman declined to comment on 
Kobeissi's detentions at the border, saying he was prohibited from doing 
so by privacy laws, though he maintained that the agency treats foreign 
visitors well:

"The United States has been and continues to be a welcoming nation. U.S. 
Customs and Border Protection not only protects U.S. citizens and lawful 
permanent residents in the country but also wants to ensure the safety 
of our international travelers who come to visit, study and conduct 
legitimate business in our country.

"Our dual mission is to facilitate travel in the United States while we 
secure our borders, our people and our visitors from those that would do 
us harm like terrorists and terrorist weapons, criminals, and 
contraband. CBP officers are charged with enforcing not only immigration 
and customs laws, but they enforce over 400 laws for 40 other agencies 
and have stopped thousands of violators of U.S. law.

"CBP strives to treat all travelers with respect and in a professional 
manner, while maintaining the focus of our mission to protect all 
citizens and visitors in the United States."

To get Cryptocat into the hands of Syrians resisting their government, or 
Canadians resisting being profiled by marketers, Kobeissi had to build a 
crypto tool in a place where no crypto tool has ever flourished: your 
browser. "You have to make it just as easily accessible as Facebook Chat 
or Google Talk, which is what I'm trying to do with Cryptocat," he said.

Google, Facebook and an enormous variety of other sites are pushing more 
functionality into the browser to increase the power of web apps, and 
the browser has become, for many people, the main interface of their 
computer. But from a security point of view, the browser has always 
fallen short for users, nowhere more so than in cryptography.

Encrypting data to keep it away from prying eyes, be they hackers or 
nations, has proved nearly impossible in the browser, which has relied on 
one standard to do everything: SSL, which has repeatedly been shown to be 
breakable. The terrible state of browser security plagued Kobeissi in his 
work to build Cryptocat.

"Browsers are huge, complex, multilayered beasts with lots of moving 
parts, and every last one of them implements at best some dialect of 
each of the many standards that a modern browser has to support," said 
Meredith Patterson, a senior research scientist at Red Lambda. Patterson 
deals with security and cryptography on an architectural level in her 
research, and has reviewed and commented on Cryptocat.

Weak isolation between tabs meant that code running in one tab could 
affect a Cryptocat session open in another. No standard libraries existed 
for ordinary cryptographic primitives in JavaScript. The biggest problem 
was that the JavaScript itself is delivered from server to browser on 
every visit: anyone who could break the SSL connection could intercept 
and modify it, and the user would never know they were running malicious 
code.

Kobeissi faced criticism from the security community for even trying, 
but he persevered. Now, more than a year later, "Cryptocat has 
significantly advanced the field of browser crypto," he said with 
obvious pride. "We implemented elliptic curve cryptography, (and) a 
cryptographically secure random number generator in the browser," along 
with creating a Cryptocat Chrome app to address the code delivery problem.

"I don't think Nadim really knew what he was in for when he started this 
project, but although it got off to a bumpy start, he's risen to the 
occasion admirably," said Patterson.

But Kobeissi also knows that it's equally important that Cryptocat be 
usable and pretty. Kobeissi wants Cryptocat to be something you want to 
use, not just need to. Encrypted chat tools have existed for years, but 
have largely stayed in the hands of geeks, who usually aren't the ones 
most likely to need strong crypto. "Security is not just good crypto. 
It's very important to have good crypto, and audit it. Security is not 
possible without (that), but security is equally impossible without 
making it accessible."

Patterson agrees with Kobeissi's approach. "As much as it drives all of 
us nerds batshit, J. Random internet user spends most if not all of her 
time in the browser, and generally doesn't care to install even a 
separate email client, much less a separate chat client," she said. "If 
you don't go where the users live, you don't get users. End of story."

Nevertheless, Kobeissi has said repeatedly that Cryptocat is an 
experiment. Structural flaws in browser security and JavaScript still 
dog the project as it moves toward version 2, scheduled for the end of 
the year. Cryptocat 2 will be a full Jabber client, supporting both 
standard two-party OTR and multi-party OTR (mpOTR) for group chats. OTR 
is Off-The-Record messaging, the current gold standard in encrypted chat. 
(Not to be confused with Google Talk's "off the record" option, which is 
not encrypted at all.)


Screenshot of the second version of Cryptocat, a Jabber/XMPP client with 
full OTR support.

He isn't eager to bet his life on his work to date. But in environments 
like the Arab revolts, he acknowledges that for all of Cryptocat's 
flaws, it's better than software many people in Arab countries use right 
now, which can put them in tremendous danger. "If the alternative is 
Facebook Chat or Google Talk or Skype, please use Cryptocat by all 
means, but it's still an experiment."

Thus far Cryptocat hasn't penetrated far into the consciousness of the 
common user, but for some groups in need of secure communications, it's 
already part of the toolkit. "High security, simple to use," said an 
active participant in the internet collective Anonymous, which has faced 
prosecution and worse the world over. "If it's a hurry and someone needs 
something quickly, Cryptocat."

Kobeissi himself grew up in Beirut, Lebanon. Besides authoring the 
secure chat tool and being a security researcher, he's a political 
science and philosophy major at Concordia University in Montreal, 
Canada. His post-college job is set: he'll be developing Cryptocat full 
time, living on grant money for the project.

He emigrated to Canada after a conversation with his mother, when the 
then-teenager came to realize he might not live very long in Lebanon, a 
situation that informed his software design. He's vocal about his love 
of his adopted home in Canada, as well as about how the internet and 
games kept him going through the rough times in the war-torn country of 
his birth: "The happiest things in my childhood were Sega Game Gear and 
Sega Genesis." It's clear that Cryptocat's distinctive 8-bit feel isn't 
just a gimmick.

Nowadays he sees himself as coming from two cultures, North American and 
Middle Eastern, and it gives him a rare perspective on both the need for 
and the usefulness of getting crypto into the hands of everyone.

"This is something North Americans don't realize. Here we're exporting 
cryptography software. Generally, especially in today's context, the 
Middle East imports cryptographic software, but it's a foreign product. 
A foreign civilization made it," he said.

He believes that by building Cryptocat with more sensitivity to the 
pleasures of the user, he can help the people that need secure 
communications most. "I want it to be something that has a nice color 
scheme, that works in your browser, that you can open instantly, that's 
easily accessible, that has a cat, that has audio notifications, that 
has desktop notifications," Kobeissi said, "because these are important 
security features."

When faced with the torture of using crypto software or the torture of a 
repressive government, some dissidents have, intentionally or not, 
opted for the latter.

"I have seen someone who I know knows how to use OTR not use OTR, and 
get tortured as a result, in Syria. OTR is not accessible, it's not a 
pleasure to use."



Quinn Norton is a writer and photographer who peripatetically covers net 
culture, copyright, computer security, intellectual property, body 
modification, medicine, and biotech.





