Security Researchers: How to Critique a Tech Story Without Being Arrogant and Exclusionary

After Wired published a story on a new encrypted online web chat tool called CryptoCat, security researcher Christopher Soghoian blasted our coverage. Here's why he and a vocal chunk of the security community are wrong.
Nadim Kobeissi, creator of Crypto.cat, speaking at the 2012 HOPE conference, held at New York's Hotel Pennsylvania every two years. Credit: Quinn Norton/Wired

Two Fridays ago, Wired published a 2,000-word feature story by Quinn Norton about Cryptocat, an online chat system that's working to make encrypted chat as simple as loading a web page. Norton profiled its creator Nadim Kobeissi, the intimidation from U.S. officials he's claimed to have faced, and the difficult technical challenges that such a program entails.

The piece delves into Kobeissi's motivations, the initial pushback from the security community and his dedication to making a security tool that's actually usable by someone outside the rarefied world of crypto geeks.

I was quite pleased the story gathered a lot of attention, including making it onto the front page of Reddit.

A few days later, Christopher Soghoian, a well-known and widely respected voice in the security community, penned a response entitled "Tech journalists: Stop hyping unproven security tools," lambasting Wired's story, laying it side-by-side with other sites' coverage of security vaporware. He called it "bad journalism."

As the editor of the piece, I'm going to disagree.

Clearly, Cryptocat is not always the ideal tool. So far nothing is. But that doesn't mean it's a bad tool or that writing about it is bad journalism.

Even the well-tested tools like Tor, Off-The-Record IM encryption (OTR) and PGP (e-mail and disk encryption) are vulnerable to a simple keylogger being installed on a machine, among other attacks.

Cryptocat is a very interesting addition to the suite of security tools available to the world, and is a refreshing breakthrough -- thanks to its focus on user experience, something that is abysmally lacking in security tools like Tor and OTR.

Celebrating that and explaining the motivation of its creator, while being clear about its technical limitations, isn't hype. It's good journalism, even if a very clubby and very vocal part of the security community blasts it.

While this post is a response to Soghoian's critique, it's not really directed at him -- it's meant for the portion of the security community his blast was emblematic of.

First, you'd have no indication from Soghoian's critique that Quinn Norton is anything other than an overworked, technically illiterate blogger filling a quota by writing up press releases hyping the next big thing.

He writes: "When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples' emails, step back, take a deep breath, and pull the power cord from your computer."

Norton has never written a story for Wired or any other publication based on a press release. That's not the kind of thing she covers. She covers Occupy and Anonymous - penning thoughtful, informed, well-sourced pieces that often climb past 3000 words. Moreover, she's been part of security/geek/electronic freedom communities for years, and for more than a decade has been an educator teaching people how to use their computers.

She uses more crypto and practices more vigilant opsec than any other reporter I've ever met (and for good reason). But you'll not find any indication of that in Soghoian's post. Instead, she gets dismissed because she's made comments on Twitter criticizing the security community for its first-world white male privilege.

Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about encryption tools in the future, she ought to "step back, take a deep breath, and pull the power cord from your computer" isn't just rude and obnoxious, it's borderline sexist and an outright abuse of Soghoian's place in the computer security world.

Intriguingly, even preemptively following Soghoian's advice of "approaching an independent security researcher" about Cryptocat doesn't save Norton from Soghoian's rant.

Norton asked Meredith Patterson, a talented and well-known security figure, who was initially critical of Cryptocat and who has reviewed the codebase, for comment:

“Browsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support,” said Meredith Patterson, a senior research scientist at Red Lambda. Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat.

Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in Javascript. The biggest problem is that delivery of Javascript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.

Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, “Cryptocat has significantly advanced the field of browser crypto,” he said with obvious pride. “We implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser,” along with creating a Cryptocat Chrome app to address the code delivery problem.

“I don’t think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he’s risen to the occasion admirably,” said Patterson.

But Kobeissi also knows that it’s equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to. Encrypted chat tools have existed for years — but have largely stayed in the hands of geeks, who usually aren’t the ones most likely to need strong crypto. “Security is not just good crypto. It’s very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible.”

Patterson agrees with Kobeissi’s approach. “As much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn’t care to install even a separate email client — much less a separate chat client,” she said. “If you don’t go where the users live, you don’t get users. End of story.”

But Patterson, one of the all-too-few female security researchers, doesn't seem to count for much in Soghoian's analysis. In fact, his original blog post totally missed that Patterson had originally been critical of the project. Only after she pointed it out to him on Twitter did he update the post, without noting on the post that he did so.

Instead, Soghoian believes, Norton should have turned to one of four more vocal critics he names -- all of them men.

Soghoian's main objection is that as a browser-based tool that relies on JavaScript, Cryptocat is vulnerable to man-in-the-middle attacks. Therefore, no one should rely on it at all and instead should install complicated crypto tools such as the OTR add-in that require both parties to a communication to have configured the software correctly (including knowing to turn off logging in their chat client).

That, he says, was not made clear in Wired's story until late, implying we wanted to hide it from users.

For the record, the headline on the story, "This Cute Chat Site Could Save Your Life and Help Overthrow Your Government," and the placement of the section on the tool's experimental nature, were my choices as the editor. I won't apologize for the headline which, though bold, was also accurate. Moreover, Quinn's first draft had the section that Soghoian thought came too late -- about the tool being in its early stages and being vulnerable to certain attacks -- starting in the ninth paragraph of a very long piece.

I made the decision to move it down, since the piece read much better in a different order. Leading with Kobeissi's background put the software in a different context - the software came across as an expression of a worldview informed by Kobeissi's life in Lebanon and the interrogations he says he's endured at the U.S. border.

We weren't hiding anything from readers -- we write long stories and our readers read them.

Soghoian says we failed our readers and put their lives at risk because Cryptocat is made for the "tl;dr crowd". For those who don't know, tl;dr means "Too Long; Didn't Read" and is used online to dismissively signal that a story is too long, but often it just demonstrates a person's intellectual laziness.

It's a very telling assumption about Wired readers and Cryptocat's users. In Soghoian's view, a simple encryption tool that focuses on user experience is meant for those who are lazy and stupid and who can't be bothered to read a longish story. It's a convenient way to elide longstanding criticism of security tools for being too difficult for even decently tech-savvy users to configure and install.

If only such people would try harder, one supposes, they'd figure out how to use Tor, and make sure they did so without leaking data by running Flash. (What, you didn't know to disable Flash and Java when using Tor? What, you don't know how to do that?)

Speaking for a very vocal part of the crypto-community, he goes on to argue that it is dangerous to encourage people to use a tool that is safer than Twitter, Facebook, AIM or Google Chat, but not as safe as OTR.

It is by now well documented that humans engage in risk compensation. When we wear seatbelts, we drive faster. When we wear bike helmets, we drive closer. These safety technologies at least work.

We also engage in risk compensation with security software. When we think our communications are secure, we are probably more likely to say things that we wouldn't if our calls were going over a telephone line or via Facebook. However, if the security software people are using is in fact insecure, then the users of the software are put in danger.

There is, of course, some truth to this argument. But there's also a very persuasive counter-argument known as risk mitigation.

For instance, it is by now well documented that humans shouldn't have sex with another person unless both of them have been tested for sexually transmitted diseases, including HIV. That's not how humans work. Realizing that, health groups have found that encouraging the use of condoms -- even though they are known to occasionally break or not prevent disease transmission -- is part of the best policy for fighting sexually transmitted diseases.

Notably, the Catholic Church's stance against promoting condoms to prevent HIV relies on the "risk compensation" argument.

Oddly, however, Soghoian and others in the security community don't believe in the "risk compensation" argument when it comes to their own work.

For instance, Soghoian is one of the net's biggest proponents of increased use of SSL (encountered on the web as https://) as a way to increase user safety.

But SSL is widely known to be vulnerable to the exact same man-in-the-middle attack as Cryptocat. Soghoian knows about this problem and has written extensively about the flaws in SSL, as have the security experts that he prefers to Patterson. In short, it's not very hard for a business, an ISP or a country to muddle with SSL certificates so that it can spy on a user who thinks she is connecting securely to a site.

Clearly, a user who sees a lock icon in their browser might well say something more damning or explicit than they would if that icon weren't there assuring them they are safe.

Despite that, Soghoian has been a leader in pushing the net's biggest tech companies to adopt SSL by default, accusing them of putting users at risk by not doing so. In 2009, he published an open letter to then-Google CEO Eric Schmidt to implement HTTPS as the default for Gmail, Google Docs and Google Calendar. He later pushed Mozilla to turn Firefox's search box's default to encrypted Google search.

He and the security community are right, despite the known flaws in SSL, and Wired has covered their campaigns extensively.

However, nowhere in these efforts does Soghoian mention or address that a user who sees HTTPS might engage in riskier behavior. For example, an employee might send an e-mail critical of their boss from a private webmail account accessed on a work computer -- assuming that the communication is safe from prying eyes -- when in fact the certificates installed in their browser have been modified by their employer so that employees can be spied on. Or an Iranian activist could log in to Facebook over HTTPS, only to find later she'd been spied on.

But when it comes to another tool with known vulnerabilities -- one created by an outsider to the clubby crypto community and one that's written up by a woman and reviewed by a female security expert, Soghoian turns to the "risk compensation" argument.

That's a shame because in the real world, most people don't choose to be activists or to be in a position where encryption is necessary. It's rarely a lifestyle and occupation choice, as it is for many in the U.S. They become activists or whistleblowers because something happens to them - or because there's some larger, inescapable event that intrudes on their lives.

What people do is turn to the tools that are familiar and easy - Skype, Facebook, Twitter -- not to installing PGP, Tor, Pidgin and OTR. Ideally, citizens-turned-activists will eventually learn to use those more complicated tools, but there's a continuum.

Or as Ethan Zuckerman of Global Voices said in 2008, "If you build tools specifically for activists they won’t use them, but if you build tools not for activists, they will use them."

To that end, last October, the Silicon Valley Human Rights Conference brought together front-line activists and engineers from Silicon Valley companies in both public and private meetings to drive home to these companies the necessity of making their tools safer for activists. That was done even though everyone in the security world knows activists *shouldn't* expect safety when using Twitter, Facebook, Google+, etc.

Soghoian was at that conference, and he wasn't protesting that goal.

Moreover, one of the core principles of security is "threat modeling," that is, choosing your security tools based on who you think your attacker might be. There are plenty of threats that do not involve the security services of repressive nation states.

For instance, if you are a victim of domestic violence, your threat model likely doesn't involve worrying about a state actor compromising a certificate authority to impersonate Facebook. Instead, you are more likely concerned that your e-mail and Facebook accounts and cell-phone records are being snooped on by an abuser, so a secure online encrypted chat site that can be used in an incognito window might be a very good security choice.

So why doesn't the "crypto community" think that CryptoCat or other tools like it have a place in that continuum?

It's a tool that can be used by the many people who currently don't have the skills or ability to install sophisticated crypto tools -- people who initially turn to Skype, Facebook and Twitter, but then realize they need more protection than that. It can also be used by those who have those skills but want to talk -- more securely -- with those who don't have those skills.

That's why Wired gave it the attention we did. After the story ran, Kobeissi, under a barrage of criticism, announced that version 2 won't work without a Chrome browser plugin to more securely deliver the necessary JavaScript.

His vocal critics crowed over his capitulation. Soghoian asked me for a retraction. Then they complained that version 2 was still unsafe since Google could decide to deliver an infected plug-in.

All of which shows they still don't get it.

Installing a Chrome or Firefox plugin is still immensely easier than installing OTR. The whole point of Cryptocat is to make it dead simple for people with real threats and a need to communicate to do so.

Now, web-based crypto is hard, and a company offering it is not immune to bending itself to comply with court orders, which, as Soghoian notes in making his case, is something I reported. Wired discovered that the online encrypted e-mail company Hushmail had created a way for governments that had a Mutual Assistance Legal Agreement with Canada to subpoena Hushmail users' accounts. Hushmail even created rogue downloadable software to help bust open encrypted accounts for the government, though it's not clear the company was under any legal obligation to do so.

But, as I reported then, that doesn't mean that Hushmail is a bad choice for everyone or even most people - it simply depends on your threat model. If you are a journalist working to expose illegal U.S. government actions that include national security secrets or you are running a meth lab, it's probably not a great choice. If you are a dissident in the Middle East or a psychiatrist wanting secure communication with clients, Hushmail is a very good security option, especially since it's very easy to use.

There's a very beneficial conversation that needs to be had about when browser-based crypto is useful, when it's counter-productive or dangerous and how to communicate the difference to unsophisticated users. We could also talk about how to move users up the chain of secure communication software and how to make that move and the tools easier to use.

But instead of having that conversation and questioning the privileged world of the crypto community and how little its ultra-secure creations have filtered to the real world, Soghoian chose to craft a scathing jeremiad, penned from the safe confines of the center of the "crypto community," whose main point seemed to be to tell a woman to shut up and unplug from the net.

It's a shame that so many people read the post as an object lesson for tech journalists, rather than as an example of how those in a position of power can use it to put a woman, an outsider and an orthodoxy-challenging project in their "proper" places.