Schneier on Security

blister • July 30, 2012 10:30 PM

Tech journalists: Stop hyping unproven security tools
Monday, July 30, 2012 | Christopher Soghoian
paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html

static.guim.co.uk/sys-images/Media/Pix/pictures/2010/3/25/1269523445370/Austin-Heap-001.jpg

“Preface: Although this essay compares the media’s similar hyping of Haystack and Cryptocat, the tools are, at a technical level, in no way similar. Haystack was at best, snake oil, peddled by a charlatan. Cryptocat is an interesting, open-source tool created by a guy who means well, and usually listens to feedback.

In 2009, media outlets around the world discovered, and soon began to shower praise upon Haystack, a software tool designed to allow Iranians to evade their government’s Internet filtering. Haystack was the brainchild of Austin Heap, a San Francisco software developer, who the Guardian described as a “tech wunderkind” with the “know-how to topple governments.”

The New York Times wrote that Haystack “makes it near impossible for censors to detect what Internet users are doing.” The newspaper also quoted one of the members of the Haystack team saying that “It’s encrypted at such a level it would take thousands of years to figure out what you’re saying.”

Newsweek stated that Heap had “found the perfect disguise for dissidents in their cyberwar against the world’s dictators.” The magazine revealed that the tool, which Heap and a friend had in “less than a month and many all-nighters” of coding, was equipped with “a sophisticated mathematical formula that conceals someone’s real online destinations inside a stream of innocuous traffic.”

Heap was not content to merely help millions of oppressed Iranians. Newsweek quoted the 20-something developer revealing his long term goal: “We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you.

The Guardian even selected Heap as its Innovator of the Year. The chair of the award panel praised Heap’s “vision and unique approach to tackling a huge problem” as well as “his inventiveness and bravery.”

This was a feel-good tech story that no news editor could ignore. A software developer from San Francisco taking on a despotic regime in Tehran.

There was just one problem: The tool hadn’t been evaluated by actual security experts. Eventually, Jacob Appelbaum obtained a copy of and analyze the software. The results were not pretty — he described it as “the worst piece of software I have ever had the displeasure of ripping apart.”

Soon after, Daniel Colascione, the lead developer of Haystack resigned from the project, saying the program was an example of “hype trumping security.” Heap ultimately shuttered Haystack.

After the proverbial shit hit the fan, the Berkman Center’s Jillian York wrote:

I certainly blame Heap and his partners–for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they’ve done over the past year.

But I also firmly place blame on the media, which elevated the status of a person who, at best was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts. 

blogs-images.forbes.com/jonmatonis/files/2012/07/web_chat.png

Cryptocat: The press is still hypin’

In 2011, Nadim Kobeissi, then a 20 year old college student in Canada started to develop Cryptocat, a web-based secure chat service. The tool was criticized by security experts after its initial debut, but stayed largely below the radar until April 2012, when it won an award at the Wall Street Journal’s Data Transparency Codeathon. Days later, the New York Times published a profile of Kobeissi, which the newspaper described as a “master hacker.”

Cryptocat originally launched as a web-based application, which required no installation of software by the user. As Kobeissi told the New York Times:

"The whole point of Cryptocat is that you click a link and you’re chatting with someone over an encrypted chat room... That’s it. You’re done. It’s just as easy to use as Facebook chat, Google chat, anything.” 

There are, unfortunately, many problems with the entire concept of web based crypto apps, the biggest of which is the difficulty of securely delivering javascript code to the browser. In an effort to address these legitimate security concerns, Kobeissi released a second version of Cryptocat in 2011, delivered as a Chrome browser plugin. The default version of Cryptocat on the public website was the less secure, web-based version, although users visiting the page were informed of the existence of the more secure Chrome plugin.

Forbes, Cryptocat and Hushmail

Two weeks ago, Jon Matonis, a blogger at Forbes included Cryptocat in his list of 5 Essential Privacy Tools For The Next Crypto War. He wrote that the tool “establishes a secure, encrypted chat session that is not subject to commercial or government surveillance.”

If there is anyone who should be reluctant offer such bold, largely-unqualified praise to a web-based secure communications tool like Cryptocat, it should be Matonis. Several years ago, before he blogged for Forbes, Matonis was the CEO of Hushmail, a web-based encrypted email service. Like Cryptocat, Hushmail offered a 100% web-based client, and a downloadable java-based client which was more resistant to certain interception attacks, but less easy to use.

Hushmail had in public marketing materials claimed that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” In was therefore quite a surprise when Wired reported in 2007 that Hushmail had been forced by a Canadian court to insert a backdoor into its web-based service, enabling the company to obtain decrypted emails sent and received by a few of its users.

The moral of the Hushmail story is that web based crypto tools often cannot protect users from surveillance backed by a court order.

Wired’s ode to Cryptocat

This past Friday, Wired published a glowing, 2000 word profile on Kobeissi and Cryptocat by Quinn Norton. It begins with a bold headline: “This Cute Chat Site Could Save Your Life and Help Overthrow Your Government,” after which, Norton describes the Cryptocat web app as something that can “save lives, subvert governments and frustrate marketers.”

In her story, Norton emphasizes the usability benefits of Cryptocat over existing secure communications tools, and on the impact this will have on the average user for whom installing Pidgin and OTR is too difficult. Cryptocat, she writes, will allow “anyone to use end-to-end encryption to communicate without … mucking about with downloading and installing other software.” As Norton puts it, Cryptocat’s no-download-required distribution model “means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.”

In short, Norton paints a picture in which Cryptocat fills a critical need: secure communications tools for the 99%, for the tl;dr crowd, for those who can’t, don’t know how to, don’t have time to, or simply don’t want to download and install software. For such users, Cryptocat sounds like a gift from the gods.

Journalists love human interest stories

Kobeissi presents the kind of human interest story that journalists dream about: A Lebanese hacker who has lived through 4 wars in his 21 years, whose father was killed, whose house was bombed, who was interrogated by the “cyber-intelligence authorities” in Lebanon and by the Department of Homeland Security in the US, and who is now building a tool to help others in the Arab world overthrow their oppressive governments.

As such, it isn’t surprising that journalists and their editors aren’t keen to prominently highlight the unproven nature of Cryptocat, even though I’m sure Kobeissi stresses it in every interview. After all, which journalist in their right mind would want to spoil this story by mentioning that the web-based Cryptocat system is vulnerable to trivial man in the middle, HTTPS stripping attacks when accessed using Internet Explorer or Safari? What idiot would sabotage the fairytale by highlighting that Cryptocat is unproven, an experimental project by a student interested in cryptography?

And so, such facts are buried. The New York Times waited until paragraph 10 in a 16 paragraph story to reveal that Kobeissi told the journalist that his tool “is not ready for use by people in life-and-death situations.” Likewise, Norton waits until paragraph 27 of her Wired profile before she reveals that “Kobeissi has said repeatedly that Cryptocat is an experiment” or that “structural flaws in browser security and Javascript still dog the project.” The preceding 26 paragraphs are filled with feel good fluff, including description of his troubles at the US border and a three paragraph no-comment from US Customs.

At best, this is bad journalism, and at worst, it is reckless. If Cryptocat is the secure chat tool for the tl;dr crowd, burying its known flaws 27 paragraphs down in a story almost guarantees that many users won’t learn about the risks they are taking.

Cryptocat had faced extensive criticism from experts

Norton acknowledges in paragraph 23 of her story that “Kobeissi faced criticism from the security community.” However, she never actually quotes any critics. She quotes Kobeissi saying that “Cryptocat has significantly advanced the field of browser crypto” but doesn’t give anyone the opportunity to challenge the statement.

Other than Kobeissi, Norton’s only other identified sources in the story are Meredith Patterson, a security researcher who is quoted saying “although [Cryptocat] got off to a bumpy start, he’s risen to the occasion admirably” and an unnamed active member of Anonymous, who is quoted saying “if it’s a hurry and someone needs something quickly, [use] Cryptocat.”

It isn’t clear why Norton felt it wasn’t necessary to publish any dissenting voices. From her public Tweets, it is however, quite clear that Norton has no love for the crypto community, which she believes is filled with “privileged”, “mostly rich 1st world white boys w/ no real problems who don’t realize they only build tools [for] themselves.”

Even though their voices were not heard in the Wired profile, several prominent experts in the security community have criticized the web-based version of Cryptocat. These critics include Thomas Ptacek, Zooko Wilcox-O’Hearn, Moxie Marlinspike and Jake Appelbaum. The latter two, coincidentally, have faced pretty extreme “real world [surveillance] problems” documented at length, by Wired.

Security problems with Cryptocat and Kobeissi’s response

Since Cryptocat was first released, security experts have criticized the web-based app, which is vulnerable to several attacks, some possible using automated tools. The response by Kobeissi to these concerns has long been to point to the existence of the Cryptocat browser plugin.

The problem is that Cryptocat is described by journalists, and by Kobeissi in interviews with journalists, as a tool for those who can’t or don’t want to install software. When Cryptocat is criticized, Kobeissi then points to a downloadable browser plugin that users can install. In short, the only technology that can protect users from network attacks against the web-only Cryptocat also neutralizes its primary, and certainly most publicized feature.

Over the past few weeks, criticism of the web-based Cryptocat and its vulnerability to attacks has increased, primarily on Twitter. Responding to the criticism, on Saturday, Kobeissi announced that the the upcoming version 2 of Cryptocat will be browser-plugin only.

Kobeissi’s decision to ditch the no-download-required version of Cryptocat came just one day after the publication of Norton’s glowing Wired story, in which she emphasized that Cryptocat enables “anyone to use end-to-end encryption to communicate without … mucking about with downloading and installing other software.”

This was no doubt a difficult decision for Kobeissi. Rather than leading the development of a secure communications tool that Just Works without any download required, he must now rebrand Cryptocat as a communications tool that doesn’t require operating system install privileges, or one that is merely easier to download and install. This is far less sexy, but, importantly, far more secure. He made the right choice.

Conclusion

The technology and mainstream media play a key role in helping consumers to discover new technologies. Although there is a certain amount of hype with the release of every new app or service (if there isn’t, the PR people aren’t doing their jobs), hype is dangerous for security tools.

It is by now well documented that humans engage in risk compensation. When we wear seatbelts, we drive faster. When we wear bike helmets, we drive closer. These safety technologies at least work.

We also engage in risk compensation with security software. When we think our communications are secure, we are probably more likely to say things that we wouldn’t if our calls were going over a telephone like or via Facebook. However, if the security software people are using is in fact insecure, then the users of the software are put in danger.

Secure communications tools are difficult to create, even by teams of skilled cryptographers. The Tor Project is nearly ten years old, yet bugs and design flaws are still found and fixed every year by other researchers. Using Tor for your private communications is by no means 100% safe (although, compared to many of the alternatives, it is often better). However, Tor has had years to mature. Tools like Haystack and Cryptocat have not. No matter how good you may think they are, they’re simply not ready for prime time.

Although human interest stories sell papers and lead to page clicks, the media needs to take some responsibility for its ignorant hyping of new security tools and services. When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples’ emails, step back, take a deep breath, and pull the power cord from your computer.”

http://www.guardian.co.uk/technology/2010/mar/21/austin-heap-haystack-iran
http://www.nytimes.com/2010/02/19/opinion/19iht-edcohen.html
http://www.thedailybeast.com/newsweek/2010/08/06/needles-in-a-haystack.print.html
http://www.guardian.co.uk/technology/2010/sep/17/haystack-software-security-concerns
twitter.com/ioerror/status/24425326976
http://www.guardian.co.uk/technology/2010/sep/17/haystack-software-security-concerns
blog.austinheap.com/haystack-halting-testing/
jilliancyork.com/2010/09/13/haystack-and-media-irresponsibility/
nadim.cc/
news.ycombinator.com/item?id=2855257
http://www.matasano.com/articles/javascript-cryptography/
twitter.com/random_walker/status/192745147040145408
datatransparency.wsj.com/
http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html?_r=1
http://www.matasano.com/articles/javascript-cryptography
chrome.google.com/webstore/detail/gonbigodpnfghidmnphnadhepmbabhij
http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
http://www.wired.com/threatlevel/2012/07/crypto-cat-encryption-for-all/all/
en.wikipedia.org/wiki/Wikipedia:Too_long;_didn%27t_read
http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html?_r=2
http://www.thoughtcrime.org/software/sslstrip/
en.wikipedia.org/wiki/Inverted_pyramid
twitter.com/quinnnorton/statuses/229177519704784897
twitter.com/quinnnorton/statuses/229178651059568640
twitter.theinfo.org/227813118108127232#id227966760802975744
http://www.matasano.com/articles/javascript-cryptography/
news.ycombinator.com/item?id=2855257
http://www.wired.com/threatlevel/2010/11/hacker-border-search/
http://www.wired.com/threatlevel/2011/10/doj-wikileaks-probe/
twitter.com/kaepora/statuses/228247942723678208
twitter.theinfo.org/227813118108127232#id227966760802975744
blog.crypto.cat/2012/07/cryptocat-2-deployment-notes/
en.wikipedia.org/wiki/Risk_compensation
bits.blogs.nytimes.com/2012/06/27/an-app-that-encrypts-shreds-hashes-and-salts/
http://www.blogger.com/email-post.g?blogID=16750015&postID=8560613549686010811

This work by Christopher Soghoian is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

paranoia.dubfire.net/
creativecommons.org/licenses/by-nc-sa/3.0/