[ale] OT fyi CryptoCat allows instant easy encrypted chat

Michael Trausch mbt at naunetcorp.com
Fri Aug 2 14:12:29 EDT 2013


Agreed. 

True security comes from awareness, education and understanding. Without these things, it is impossible to be secure.

This is why many software vulnerabilities exist and may be exploited. Not because it is difficult to be secure, but because without a deep understanding of what you're doing---something that is difficult to do when you're working in something like PHP, Python, or Java---you have unintended consequences.

Put another way: in C-land, you have only to worry about the compiler and libraries you're using. In a high-level VM such as PHP, Python or Java, you not only have those to worry about, but also the VM's compiler and code quality for security as well.

While C makes it easy to shoot oneself in the foot, everything else adds complexity to the stack that can be very difficult to manage. And for that matter, bugs in such VMs, while rare, REALLY screw you when you run into them. 

Especially VM-level bugs that turn into leakage, escalation or other problems. That's not hard to do in a system where the VM is considered to be a trusted component. 

Sent from my iPhone

On Aug 2, 2013, at 1:21 PM, JD <jdp at algoloma.com> wrote:

> Good-enough security is only - good enough - until it is breached. Then, if the
> breach happens in a silent way, we can be using completely compromised systems
> and not know any better.  That seems bad to me.
> 
> On 08/02/2013 10:11 AM, Michael Trausch wrote:
>> Like anything else, the security that it gives is proportional to one's
>> understanding of its application and usage. I have zero experience or knowledge
>> of CryptoCat, other than I follow its author on Twitter and I think he might be
>> a legitimate white hat individual. But I would not trust the source without
>> reading it myself or having had it read by someone whose opinion I trust on such
>> matters, such as a real security professional.
>> 
>> Security in today's world is nothing to joke about. The only thing I can say for
>> sure is that if a person does not know about security themselves and doesn't
>> choose to lean on a trustworthy source for security information, they will be
>> compromised at some point without enough mitigation to be safe.
>> 
>> Time tested solutions are also great from a security viewpoint. For example,
>> many people have vetted Tor and understand how it works. OpenVPN is a most
>> excellent means to privately communicate with a network you control, whether
>> personal or corporate. Both are understood and widely deployed and audited. That
>> does not ensure or guarantee perfect security, but it increases my confidence
>> that it is a truly secure solution. 
>> 
>> Sent from my iPhone
>> 
>> On Aug 2, 2013, at 8:46 AM, Pete Hardie <pete.hardie at gmail.com> wrote:
>> 
>>> I've seen some stuff on the net claiming that cryptocat is not as secure as it
>>> claims - YMMV
>>> 
>>> Pete Hardie
>>> --------
>>> Better Living Through Bitmaps
>>> 
>>> 
>>> On Thu, Aug 1, 2013 at 7:16 PM, Ron Frazier (ALE)
>>> <atllinuxenthinfo at techstarship.com> wrote:
>>> 
>>>    Hi all,
>>> 
>>>    I wanted to pass along some info about a way to instantly set up an
>>>    encrypted chat session.  I thought this had been on the list before, but I
>>>    searched my email archive and couldn't find it in the ALE folder.  So,
>>>    please forgive if this has already been mentioned.  Maybe I was on another
>>>    list when it was mentioned.
>>> 
>>>    Anyway, CryptoCat is a project that allows you to set up private encrypted
>>>    peer to peer and group chats almost instantly.  It's very quick and easy
>>>    to use after installing the browser plugin.
>>> 
>>>    https://crypto.cat/
>>> 
>>>    It's still a work in progress, so you would have to read the docs on the
>>>    site and determine how much faith you want to put in it.
>>> 
>>>    There was a weakness in prior versions from 2.0 - 2.0.42 which weakened
>>>    the group chat.  Private chats were not affected.  The blog suggests
>>>    upgrading to 2.1.* where the problems have been fixed.  Apparently there
>>>    was a weakness in the random number generator.
>>> 
>>>    https://blog.crypto.cat/
>>> 
>>>    Some people on the DC-404 list recommended not using this for anything too
>>>    sensitive, and I certainly wouldn't bet my life on it.  However, I would
>>>    use it if I just wanted to do a quick chat that I didn't want snooped on
>>>    and needed moderate security.  I have used it once after someone I was
>>>    communicating with suggested skype and I mentioned misgivings about that.
>>>    The process was very painless and we were chatting to each other within 5
>>>    minutes after I got the link from him.
>>> 
>>>    Here's the link to the Firefox plugin.
>>> 
>>>    https://addons.mozilla.org/en-US/firefox/user/kaepora/
>>> 
>>>    It also works on Chrome, Safari, and Mac.  I guess my IE friends and
>>>    family are out of luck.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


