This is pretty fucking awesome! This 21 year old kid may have just possibly saved all possibility for peaceful return of democracy to the USA in the future and help other small countries gain freedom.
https://crypto.cat/
https://project.crypto.cat/
https://crypto.cat/
https://project.crypto.cat/
http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/
This Cute Chat Site Could Save Your Life and Help Overthrow Your Government
By Quinn Norton
Twenty-one-year-old college student Nadim Kobeissi is from Canada, Lebanon and the internet.
He is the creator of Cryptocat, a project “to combine my love of cryptography and cats,” he explained to an overflowing audience of hackers at the HOPE conference on Saturday, July 14.
The site, crypto.cat, has a chunky, 8-bit sensibility, with a big-eyed binary cat in the corner. The visitor has the option to name, then enter a chat. There’s some explanatory text, but little else. It’s deceptively simple for a web app that can save lives, subvert governments and frustrate marketers. But as little as two years ago such a site was considered to be likely impossible to code.
Cryptocat is an encrypted web-based chat. It’s the first chat client in the browser to allow anyone to use end-to-end encryption to communicate without the problems of SSL, the standard way browsers do crypto, or mucking about with downloading and installing other software. For Kobeissi, that means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.
“The fact that you don’t have to install anything, the fact that it works instantly, this increases security,” he explained, sitting down with Wired at HOPE 9 to talk about Cryptocat, activism and getting through American airports.
To create Cryptocat Kobeissi had to deal with controversies in computer security, usability and geo-politics.
When he flies through the US, he’s generally had the notorious “SSSS” printed on his boarding pass, marking him for searches and interrogations — which Kobeissi says have focused on his development of the chat client.
Online privacy doesn’t have a lot of corporate or governmental fans these days, but Kobeissi has faced controversy before.
“During 2010 and 2011 I was a defender of WikiLeaks and the free press in general, and I thought ‘Collateral Murder’ (the WikiLeaks publication of a controversial helicopter assault video) was a highly significant piece of journalism,” he said.
He mirrored WikiLeaks content and organized a march in support of the organization during the period in late 2010 when WikiLeaks found itself thrown off of Amazon’s hosting service and blocked by credit card companies. “I know for certain that it’s contributed to other defenders of WikiLeaks and Bradley Manning being harassed, so it’s somewhat likely that I could also be targeted.” Still, Kobeissi points out that he’s never been questioned about WikiLeaks, only about Cryptocat.
His SSSS’s can mean hours of waiting, and Kobeissi says he has been searched, questioned, had his bags and even his passport taken away and returned later. But he’s kept his sense of humor about the experience, even joking from the airport on his Twitter account.
“Dear US Government, I’m from Lebanon,” Kobeissi said, laughing. “You don’t scare me, you don’t understand. My friends were killed in 2008, my house was bombed and my neighborhood ruined. My father was killed in 2006. You don’t scare me at all. If you want to scare me, send me for torture in Syria. But you can’t anymore, because Syrians are revolting.”
A U.S. Customs and Border Protection spokesman declined to comment on Kobeissi’s detentions at the border, saying he was prohibited from doing so by privacy laws, though he maintains that it plays nicely with foreigners.
The United States has been and continues to be a welcoming nation. U.S. Customs and Border Protection not only protects U.S. citizens and lawful permanent residents in the country but also wants to ensure the safety of our international travelers who come to visit, study and conduct legitimate business in our country.
Our dual mission is to facilitate travel in the United States while we secure our borders, our people and our visitors from those that would do us harm like terrorists and terrorist weapons, criminals, and contraband. CBP officers are charged with enforcing not only immigration and customs laws, but they enforce over 400 laws for 40 other agencies and have stopped thousands of violators of U.S. law.
CBP strives to treat all travelers with respect and in a professional manner, while maintaining the focus of our mission to protect all citizens and visitors in the United States.
To get Cryptocat to the hands of Syrians resisting their government, or Canadians resisting being profiled by marketers, Kobeissi had to build a crypto tool in a place where no crypto tool has ever flourished — your browser. “You have to make it just as easily accessible as Facebook Chat or Google Talk, which is what I’m trying to do with Cryptocat,” he said.
Google, Facebook and a infinite variety of other sites are pushing more functionality into the browser to increase the power of web apps, and the browser has become, for many people, the main interface of their computer. But from a security point of view, the browser has always failed to provide for users — in no way worse than in cryptography.
Encrypting data to keep it away from prying eyes, be they hackers or nations has proved nearly impossible in the browser, which has relied on one standard to do everything: SSL, which is known to be broken. The terrible state of browser security plagued Kobeissi in his work to build Cryptocat.
“Browsers are huge, complex, multilayered beasts with lots of moving parts, and every last one of them implements at best some dialect of each of the many standards that a modern browser has to support,” said Meredith Patterson, a senior research scientist at Red Lambda. Patterson deals with security and cryptography on an architectural level in her research, and has reviewed and commented on Cryptocat.
Problems like bad browser sandboxing meant that something in one tab could affect a session in a Cryptocat window. No libraries or standards existed to handle normal encryption functions in Javascript. The biggest problem is that delivery of Javascript code from server to browser could be intercepted and modified by breaking the SSL connection without a user ever knowing they were running malicious code.
Kobeissi faced criticism from the security community for even trying, but he persevered. Now more than a year later, “Cryptocat has significantly advanced the field of browser crypto,” he said with obvious pride. “We implemented elliptic curve cryptography, (and) a cryptographically secure random number generator in the browser,” along with creating a Cryptocat Chrome app to address the code delivery problem.
“I don’t think Nadim really knew what he was in for when he started this project, but although it got off to a bumpy start, he’s risen to the occasion admirably,” said Patterson.
But Kobeissi also knows that it’s equally important that Cryptocat be usable and pretty. Kobeissi wants Cryptocat to be something you want to use, not just need to. Encrypted chat tools have existed for years — but have largely stayed in the hands of geeks, who usually aren’t the ones most likely to need strong crypto. “Security is not just good crypto. It’s very important to have good crypto, and audit it. Security is not possible without (that), but security is equally impossible without making it accessible.”
Patterson agrees with Kobeissi’s approach. “As much as it drives all of us nerds batshit, J. Random internet user spends most if not all of her time in the browser, and generally doesn’t care to install even a separate email client — much less a separate chat client,” she said. “If you don’t go where the users live, you don’t get users. End of story.”
Nevertheless, Kobeissi has said repeatedly that Cryptocat is an experiment. Structural flaws in browser security and Javascript still dog the project as it moves toward version 2, scheduled for the end of the year. Cryptocat 2 will be a full Jabber client, allowing for both current style OTR and Multi Party, or mpOTR for group chats. OTR is Off-The-Record messaging, the current gold standard in encrypted chat. (Not to be confused with Google Talk’s OTR, which is not encrypted at all.)
Last edited:
