Update: Chris responds
This is off the cuff…
But then their being butthurt does not make a lot of sense.
Soghoian was right. The media – me included, in my small way – tend to say “woo shiny new toy” at the slightest provocation – and in the case of Cryptocat we can be quite happy that Nadim Kobeissi has stepped up to the plate to fix the issues which have been seething in discussion for the past week or so on various security-related mailing lists and blogs.
So: Kudos to Cryptocat and Nadim.
Likewise: Hushmail bent over when the Government came to call; were the technology different that might not have been feasible.
And nobody’s mentioned DIASPORA* yet.
But how have WiReD responded?
Let’s selectively quote just on one aspect:
While this post is a response to Soghoian’s critique, it’s not really directed at him — it’s meant for the portion of the security community his blast was emblematic of.
First, you’d have no indication from Soghoian’s critique that Quinn Norton is anything other than an overworked, technically illiterate blogger filling a quota by writing up press releases hyping the next big thing.
Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about encryption tools in the future, she ought to “step back, take a deep breath, and pull the power cord from your computer” isn’t just rude and obnoxious, it’s border-line sexist and an outright abuse of Soghoian’s place in the computer security world.
Intriguingly, even preemptively following Soghoian’s advice of “approaching an independent security researcher” about Cryptocat, doesn’t save Norton from Soghoian’s rant.
Norton asked Meredith Patterson, a talented and well-known security figure, who was initially critical of Cryptocat and who has reviewed the codebase, for comment:
But Patterson, one of the all-too few female security researchers, doesn’t seem to count for much in Soghoian’s analysis. In fact, his original blog post totally missed that Patterson had originally been critical of the project. Only after she pointed it out to him on Twitter, did he update the post, without noting on the post that he did so.
Instead, Soghoian believes, Norton should have turned to one of four more vocal critics he names — all of them men.
Right, so security is a feminist issue? No it’s not, no more than cookery is. There are associated gender stereotypes (which shift back and forth) but in the end the person who wields the knife and the frying pan, be they Julia Child or Gordon Ramsay, either produces a good meal or does not.
Nadim is a promising young chef. He is not saviour of the world, but give it time.
Hence the original headline:
This Cute Chat Site Could Save Your Life and Help Overthrow Your Government
…was hyperbole, and Ryan Singel (editor) made a bad call; he says:
I won’t apologize for the headline which, though bold, was also accurate. Moreover, Quinn’s first draft had the section that Soghoian thought came too late — about the tool being in its early stages and being vulnerable to certain attacks — starting in the ninth paragraph of a very long piece.
Try “this cute chat site may in future, after peer review, further development and adoption, be a useful tool that could save your life” – it would be accurate and raise neither hype nor ire.
Also it seems as if Ryan is not on the same mailing lists as Nadim, Chris and sundry related characters in the discussion, else he’d know what the state of play is now; all the arguments are settled and a secure-enough way to move forwards with Cryptocat has been (apparently) agreed, and there is much clubbish accord and mutual support.
Once again the digital/print media are behind the times.
That’s the good thing about programmers – they defend their code like lions, but show them how to do it demonstrably better and they will generally spin on a dime and adopt the improvements, without rancour.
Ryan, instead, takes it a bit more personally, longer and harder, and tries to be snarky:
If only [normal people] would try harder [to do security better], one supposes, they’d figure out how to use TOR, and make sure they did so without leaking data by running Flash. (What, you didn’t know to disable Flash and Java when using TOR? What, you don’t know how to do that?)
It’s called “Install the Tor browser bundle” – you don’t know that’s the preferred way to use Tor nowadays? That the switch-off-flash-fer-chrissakes comes for free that way?
Oops. Don’t put yourself on a pedestal as a security expert, Ryan.
What was Chris’ suggestion, something about unplugging your computer? I won’t suggest that, you need to make a living somehow. Just try keeping up to date re: that about which you write; and as a petty aside “Tor” takes mixed-case nowadays – and “Cryptocat” seems to take a single capital.
But instead of having that conversation and questioning the privileged world of the crypto community and how little its ultra-secure creations have filtered to the real world, Soghoian chose to craft a scathing jeremiad, penned from the safe confines of the center of the “crypto community,” whose main point seemed to be to tell a woman to shut up and unplug from the net.
It’s a shame that so many people read the post as an object lesson for tech journalists, rather than as an example of how those in a position of power can use it to put a woman, an outsider and an orthodoxy-challenging project in their “proper” places.
“We’re journalists who do our best reporting on stuff we don’t understand, and we are entitled to our roles as authorities by virtue of having access to significant communications channels. We see no contradiction in this, and when challenged will dissemble and pursue ad-hominem arguments to dilute the embarrassment”.
Is that about right, oh fellow privileged security geeks who have no right to express opinions regards our privileged understanding?
- Alec Muffett blogs for Computerworld UK