Sophos Cloud Optix
Interest in a free, encrypted web chat service called Cryptocat has spiked following the detainment and interrogation of its developer at the US border.
The developer, Nadim Kobeissi of Montreal, was detained at the US-Canada border on Wednesday, he tweeted.
PrivacySOS has posted the relevant tweets here. Here’s what Kobeissi said about the ordeal:
Out of my 4 DHS interrogations in the past 3 weeks, it’s the first time I’m asked about Cryptocat crypto and my passport is confiscated.
Kobeissi says that his interrogator, who claimed 22 years of computer experience, asked him which algorithms Cryptocat used and about its “censorship resistance”.
In addition, his passport was confiscated for about an hour, he said.
Following the incident, interest in the program has risen sharply. “Cryptocat usage has sizably gone up in the past 24 hours,” Kobeissi told me in an email exchange.
The project’s aim is to provide encrypted communications that are easily accessible and free from the governmental or corporate interception that shadow other chat services, such as those from Facebook, Google or Yahoo.
If and when the application reaches its potential, it will provide a safe way for people to communicate when such communications could put their lives at risk. Examples include communications between those who participated in the uprisings of the Arab Spring.
It’s understandable that a spectrum of online users, from government resisters to cyber criminals and terrorists, would be interested in an encrypted, untraceable chat service.
But just because US security developed an interest in the developer, in Cryptocat and in its cryptographic strength, we shouldn’t foster unrealistic ideas about what the application can do, Kobeissi told me, reiterating an earlier tweet:
I really hope this incident doesn't blow confidence in Cryptocat out of proportion. I don't think I was interrogated because Cryptocat is this super incredible encrypted communication tool that scares the US national security - I believe I've been targeted for interrogation simply because of the general nature and apparent popularity of my work.
Kobeissi’s concerns that users not put themselves at risk when using Cryptocat likely have to do with the program’s limitations. According to the project site, this is what Cryptocat can’t do:
* Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor. Cryptocat even offers a Tor Hidden Service at xdtfje3c46d2dnjd.onion.
* Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn't mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party.
* Cryptocat does not protect against untrustworthy people: Parties you're conversing with may still leak your messages without your knowledge. Cryptocat aims to make sure that only the parties you're talking to get your messages, but that doesn't mean these parties are necessarily trustworthy.
In other words, Cryptocat at this point is, in Kobeissi’s own words, a “really cool project,” but its developers still have plenty of work to do:
It promises to deliver something great and I've been doing some serious, peer-reviewed, open research and development on all of its aspects. However, the reason why I always make sure to mention that it's still an experiment is that I understand that other projects, such as Tor and OTR, have been under development for five years, ten years or more. Cryptocat is barely over a year old. It needs a lot more testing, a lot more research in order for me to ascertain its effectiveness on the field. Security is difficult.
As Slashdot commenter eldavojohn noted, Kobeissi’s interrogation well may have arisen out of the US’s export controls on levels of encryption, covered under the Arms Export Control Act (AECA) of 1976.
To the US government, certain strengths of cryptographic software constitute munitions; hence, their export has been banned.
If you look at the history of AECA prosecutions, you’ll see that Kobeissi is in good company.
- 1990s: RSA Data Security, who was in a licensing dispute over use of the RSA algorithm in PGP, filed a report on Phil Zimmermann for allegedly violating the AECA. The US Customs Service started an investigation but dropped it after three years.
- 2006: Boeing was fined $15 million for unlicensed foreign sales involving a gyroscopic microchip or gyrochip with military applications.
- 2004–2006: there were 283 arrests, 198 indictments, and 166 convictions based on AECA violations.
- 2007: ITT Corporation was fined for transferring night vision goggles and classified information about countermeasures against laser weapons, including light interference filters, to engineers in Singapore, the People’s Republic of China, and the United Kingdom. They were fined $100 million, although they were also given the option of spending half of that sum on research and development of new night vision technology, the intellectual property rights for which the US government retained.
Obviously, US interest in cryptography is nothing new. There’s nothing remarkable about the interrogation of a developer associated with a program designed to escape censorship and surveillance.
Hopefully, the news coverage continues to promote increased interest in this worthwhile project.
But let’s hope that people read the fine print about what this program can and can’t do.
Kobeissi’s right: it would be a tragedy if the result of his detainment and interrogation were that people put themselves in harm’s way, using Cryptocat without a realistic idea of the level of protection it provides.
Read the fine print. Proceed with caution.
This is a great article, and Kobeissi seems to be treating the entire episode with thought, care and maturity.
Lisa, I fully echo your sentiment that it would be great if the media helps grow interest in Cryptocat on the back of this story, but with the accuracy and sobriety you showed rather than sensationalism and conspiracy theories. Excellent!
— Gavin
Thanks, Gavin. Yea, I endeavor to pop the bubble of my journalistic sensationalism as quickly as it inflates!!
I'm with you. I like Kobeissi's take on it: humble, realistic, sober.
Sounds great, but when it seems his password was confiscated so the govenrment could get into the innerworkings of the program algorithm. It makes the whole thing less secure, as now the government understands decrypting the communications, which is all they wanted to begin with. I suggest he change it completely so they spent their time for nothing. This had nothing to do with the US exporting as he is a Canadian, and is bringing in technology, not exporting it out.
So yes this brings about a secure way, but now it's not protecting you from the groups who do spy on the people. And where do most the leaks happen? from Government, so expect others to begin leaking his security as the government begins to research into it more, and use these against you, when they feel they would rather have you in a jail cell, because your beliefs don't match their own
Personally if the government was liked and did what they people wanted, and not their own agenda, then they would have nothing to fear. Isn't that how it goes? Be a liked company, not one the people fear and hate.
"so the govenrment could get into the innerworkings of the program algorithm."
What?! that makes absolutely no sense. It is open source, everyone already has access to the programs source code, and because they can examine the algorithm, that doesnt mean they can defeat the math problem.
His PassPORT was confiscated, not his passWORD. Bit of a difference. 🙂
"…if the government was liked and did what they (sic) people wanted…"
…um, I notice that you’re not providing any detail on exactly what that condition would entail.
Let me help you out. What people want from government is that it should protect their lives and property fully. If it did that, then it would actually BE government. But that's not what it does, because that's not what the counterfeit we call "government" actually is. Instead, what we have is a political state, masquerading as government.
It’s an easy fraud to pull off because of the persistent, ubiquitous myth that the only way to govern is through political power backed by the threat of force. The logical absurdity that you can safeguard your freedom by giving someone the power to take it away remains safely unquestioned by a populace conditioned to believe that they are "free" because they have to ability to choose their tyrants at the voting booth.
Reducing the problem to issues of "left and right" is demonstrably success-proof. Enmity between "liberals" and "conservatives" ensures that the problem will remain unresolved. While we squabble and bicker with each other over political nits, the state grows increasingly incompetent to protect us, in direct proportion to the growth of its size, complexity, and power over our lives. And yet, incomprehensibly, we beat our breasts and call for even more of the problem — "Government must DO something…!"
I agree. The problem is that we don't have government. What we have is a civilization-wide addiction to the belief that political power is the solution to all our problems. Yeah, right…in exactly the same way that giving an addict more heroin is the solution to his addiction.
Doesn’t it just boil down to the public not allowed to have secrets?
Software labels “munitions”? Come on Gov – what dolt do you think is going to fall for that?
The US government is just saying that they want to be able to read all our email, chats, follow us around the ‘net, listen and watch our Skype chats, and prefer to have cameras and mics in our bedrooms, but this sort of chicanery is the start. More like follow-up to all the other blatant lies about protecting us from ourselves.
I am proud to say I am Lebanese<3
This reminds me of Phil Zimmerman & PGP. Also, the US has a track record of rewarding criminals while harassing legit citizens. I've seen this before. http://bit.ly/KBvUdZ (non-decryptable encryption)
Border crossings can be nasty. That Nadim Korbeissi was harassed is not surprising. Why he was harassed is not surprising. That he was harassed is stupid. That's the border guards for you.
I wouldn’t trust anything web based, remember the history of LE/TLA and hushmail?
If there is no weakness found yet, whether planted on purpose, or by accident, I expect some weakness to be found and exploited eventually.
There are too many side channel attacks against electronics to trust anything electronic. TEMPEST is but one example.
I want to alert all readers interested in Cryptocat to an article posted yesterday by Christopher Soghoian:
"Tech journalists: Stop hyping unproven security tools," http://paranoia.dubfire.net/2012/07/tech-journali…
Soghoian points to journalistic hyping of Cryptocat as one example of our laziness, given that the tool has significant, easily exploitable issues. He writes: "which journalist in their right mind would want to spoil this story by mentioning that the web-based Cryptocat system is vulnerable to trivial man in the middle, HTTPS stripping attacks when accessed using Internet Explorer or Safari?"
He also points out that we journalists love human interest stories. Yes, we do. Humans do as a whole, though, and we write for humans.
I was relieved to reread this post and find that in writing it, I underscored the unproven nature of the Cryptocat project—something that Kobeissi is laudibly emphatic about when talking to journalists.
Did I go further than that, seeking the opinion of other security analysts? No, I did not.
Should I have? Of course. Every source, every scrap of information we put across should be vetted.
Will that happen? No.
The truth of it is that journalists don't always do deep dives and interview experts for every quick writeup. We serve as echo chambers. It doesn't always amount to laziness; it's the simple, harsh economics of being a freelancer. I'd prefer to work full-time as a salaried writer who researches everything far more deeply. That's not happening in this economy, though, so in the meantime, I'll just try to do a better job. And pester Tom Ptacek et al. for input, which inquiries they might well ignore.
Not to host a pity-party here, but journalists are easy to ignore. Typically, security researchers have more important things on their plates than vetting every story that pops up for every journalist that wanders by.
Regardless, I promise to keep trying, within the parameters of limited time and resources, to do better.
From https://en.wikipedia.org/wiki/Cryptocat :
"The software has been subject to a full breach of its alleged security model. In June 2013, a tool called DecryptoCat was published that could be used to decrypt any message that had been transferred using Cryptocat between May 2012 and April 2013. This tool was accompanied by a code analysis document that highlighted multiple misunderstanding about cryptography by Cryptocat's authors, who were described as "completely incompetent" by the analyst."