Fear-Mongering at TED

This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions are all one-sided. I’m not impressed with the speaker’s crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it’s not the single thing that’s going to protect us from technological crimes.

If I didn’t know better, I would say it was a propaganda video.

Posted on July 30, 2012 at 12:40 PM • 32 Comments


Civil Libertarian July 30, 2012 1:03 PM

Goodman heads the Future Crimes Institute, a think tank and clearinghouse that researches and advises on the security and risk implications of emerging technologies. He also serves as the Global Security Advisor and Chair for Policy and Law at Singularity University.

It’s a shame TED is diluting the quality of its programs by letting people shill purely for their own commercial interests.

David July 30, 2012 1:11 PM

Of course, one could also say “Technology leads to wealth”, or “Technology leads to mass murderers”, or “Technology leads to global communities”. Where does one stop? Personally, I like “Technology leads to TED talks”…

Brandioch Conner July 30, 2012 1:35 PM

Maybe propaganda. Maybe marketing his services.

But it could have been tightened up a lot.

So personal cancer treatments could lead to personalized DNA attacks against leaders which we can counter by making their DNA info available to everyone so that everyone has the chance to do “penetration testing” against their leader’s DNA.

If the technology worked that way (I’m pretty sure it does not) then wouldn’t it just make the bad guys’ job easier by providing them with the DNA that they’d have to acquire some other way first?

And the whole point behind suicide bombers and such is that humans are cheaper than technology in some regions.

Julian July 30, 2012 1:36 PM

Anyone who starts his talk: “I study the future” doesn’t deserve any credibility. Presumably, when the future becomes the present and doesn’t match what he studied, he moves on to the new future.

Andrew July 30, 2012 1:40 PM

It’s probably worth noting that the speaker is affiliated with the Singularity Institute, an organization that is considerably heavy on ideas, and light on facts.

Jeff July 30, 2012 1:51 PM

It’s probably worth noting that TED talks are full of both people that are heavy on the idea of hearing themselves speak, and people that are heavy on the idea of self congratulation at being present at a TED talk. Both groups are heavy on ideas and light on facts.

Matt July 30, 2012 1:54 PM

I first saw this come across the TED stream, after his opening lines (~30 seconds) I stopped it knowing he’s hogwash.

On Bruce’s recommendation, I watched roughly 10 minutes, but had to stop here:
“A search engine can say who lives and who dies” – Give me a break.

John July 30, 2012 2:43 PM

Does anyone actually know whether tinfoil helmets are sufficient to shield from telepathic radiation or should I opt for some other material?

Scott H July 30, 2012 3:51 PM

@John: Sure, tin foil works great. But only if you ground it properly — think of it as a mobile Faraday cage. You’ll need a long trailer that touches the ground.

If you’re fashion-conscious, you should probably go with a complete tin foil wedding gown, with a long train and a wire mesh veil so they can’t get to you through your dental work.

I figured we may as well combine TED with high fashion and get all the foolishness in one go. 😉

Northern Realist July 30, 2012 4:11 PM

Imagine that – technologies could be used for bad things… WOW – what an acute grasp of the painfully obvious Goodman has!

greg July 30, 2012 6:24 PM

Point in fact TED talks have always been pretty mixed on quality, it’s not like it’s peer reviewed or anything.

Normally only the “good” talks get really popular.

But sometimes real crap gets to the top of the hit/like list.

Dirk Praet July 30, 2012 6:28 PM

Watch the entire video. Then watch it again imagining the speaker wearing a hoodie and a Guy Fawkes-mask. Substitute “terrorists” with “governments” and “criminals” with corporations. Same issues, same threats. Just a different angle.

I don’t see anything but a technology update for dummies and some cleverly disguised “me-marketing” here. I have strictly no idea how this person got invited to TED. In the fifties and sixties, the same sort of people on both sides of the curtain sparked the cold war which led to the rise of the military-industrial complex. Today, they are preparing our minds for cyber war and the ubiquitous surveillance state. I guess it’s just a matter of time before some genius revives the concept of mutually assured (cyber)destruction too.

Technology has certainly evolved rapidly over the last 50 years. Unfortunately, the human condition has not.

EH July 30, 2012 6:54 PM

He reminds me of a killer robot driving instructor who goes back into time for some reason.

Will July 30, 2012 7:55 PM

I tried my best…. but after 6 minutes I couldn’t listen to him anymore.

It will come as a shock to many of you, but terrorists can also use teh internetz!@!@ The terrorists even have opscenters (some guy in a basement with a computer). Danger! Danger!

p1ckl3 July 30, 2012 8:58 PM

Malte Spitz: Your phone company is watching (video)
Filmed Jun 2012 • Posted Jul 2012 • TEDGlobal 2012


“What kind of data is your cell phone company collecting? Malte Spitz wasn’t too worried when he asked his operator in Germany to share information stored about him. Multiple unanswered requests and a lawsuit later, Spitz received 35,830 lines of code — a detailed, nearly minute-by-minute account of half a year of his life.

Malte Spitz asked his cell phone carrier what it knew about him–and mapped what he found out.”

blister July 30, 2012 10:30 PM

Tech journalists: Stop hyping unproven security tools
Monday, July 30, 2012 | Christopher Soghoian


“Preface: Although this essay compares the media’s similar hyping of Haystack and Cryptocat, the tools are, at a technical level, in no way similar. Haystack was at best, snake oil, peddled by a charlatan. Cryptocat is an interesting, open-source tool created by a guy who means well, and usually listens to feedback.

In 2009, media outlets around the world discovered, and soon began to shower praise upon Haystack, a software tool designed to allow Iranians to evade their government’s Internet filtering. Haystack was the brainchild of Austin Heap, a San Francisco software developer, who the Guardian described as a “tech wunderkind” with the “know-how to topple governments.”

The New York Times wrote that Haystack “makes it near impossible for censors to detect what Internet users are doing.” The newspaper also quoted one of the members of the Haystack team saying that “It’s encrypted at such a level it would take thousands of years to figure out what you’re saying.”

Newsweek stated that Heap had “found the perfect disguise for dissidents in their cyberwar against the world’s dictators.” The magazine revealed that the tool, which Heap and a friend had in “less than a month and many all-nighters” of coding, was equipped with “a sophisticated mathematical formula that conceals someone’s real online destinations inside a stream of innocuous traffic.”

Heap was not content to merely help millions of oppressed Iranians. Newsweek quoted the 20-something developer revealing his long term goal: “We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you.”

The Guardian even selected Heap as its Innovator of the Year. The chair of the award panel praised Heap’s “vision and unique approach to tackling a huge problem” as well as “his inventiveness and bravery.”

This was a feel-good tech story that no news editor could ignore. A software developer from San Francisco taking on a despotic regime in Tehran.

There was just one problem: The tool hadn’t been evaluated by actual security experts. Eventually, Jacob Appelbaum obtained a copy of and analyzed the software. The results were not pretty — he described it as “the worst piece of software I have ever had the displeasure of ripping apart.”

Soon after, Daniel Colascione, the lead developer of Haystack resigned from the project, saying the program was an example of “hype trumping security.” Heap ultimately shuttered Haystack.

After the proverbial shit hit the fan, the Berkman Center’s Jillian York wrote:

I certainly blame Heap and his partners–for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they’ve done over the past year.

But I also firmly place blame on the media, which elevated the status of a person who, at best was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts. 


Cryptocat: The press is still hypin’

In 2011, Nadim Kobeissi, then a 20 year old college student in Canada started to develop Cryptocat, a web-based secure chat service. The tool was criticized by security experts after its initial debut, but stayed largely below the radar until April 2012, when it won an award at the Wall Street Journal’s Data Transparency Codeathon. Days later, the New York Times published a profile of Kobeissi, which the newspaper described as a “master hacker.”

Cryptocat originally launched as a web-based application, which required no installation of software by the user. As Kobeissi told the New York Times:

“The whole point of Cryptocat is that you click a link and you’re chatting with someone over an encrypted chat room... That’s it. You’re done. It’s just as easy to use as Facebook chat, Google chat, anything.”

There are, unfortunately, many problems with the entire concept of web based crypto apps, the biggest of which is the difficulty of securely delivering javascript code to the browser. In an effort to address these legitimate security concerns, Kobeissi released a second version of Cryptocat in 2011, delivered as a Chrome browser plugin. The default version of Cryptocat on the public website was the less secure, web-based version, although users visiting the page were informed of the existence of the more secure Chrome plugin.

Forbes, Cryptocat and Hushmail

Two weeks ago, Jon Matonis, a blogger at Forbes included Cryptocat in his list of 5 Essential Privacy Tools For The Next Crypto War. He wrote that the tool “establishes a secure, encrypted chat session that is not subject to commercial or government surveillance.”

If there is anyone who should be reluctant to offer such bold, largely-unqualified praise to a web-based secure communications tool like Cryptocat, it should be Matonis. Several years ago, before he blogged for Forbes, Matonis was the CEO of Hushmail, a web-based encrypted email service. Like Cryptocat, Hushmail offered a 100% web-based client, and a downloadable java-based client which was more resistant to certain interception attacks, but less easy to use.

Hushmail had in public marketing materials claimed that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” It was therefore quite a surprise when Wired reported in 2007 that Hushmail had been forced by a Canadian court to insert a backdoor into its web-based service, enabling the company to obtain decrypted emails sent and received by a few of its users.

The moral of the Hushmail story is that web based crypto tools often cannot protect users from surveillance backed by a court order.

Wired’s ode to Cryptocat

This past Friday, Wired published a glowing, 2000 word profile on Kobeissi and Cryptocat by Quinn Norton. It begins with a bold headline: “This Cute Chat Site Could Save Your Life and Help Overthrow Your Government,” after which, Norton describes the Cryptocat web app as something that can “save lives, subvert governments and frustrate marketers.”

In her story, Norton emphasizes the usability benefits of Cryptocat over existing secure communications tools, and on the impact this will have on the average user for whom installing Pidgin and OTR is too difficult. Cryptocat, she writes, will allow “anyone to use end-to-end encryption to communicate without … mucking about with downloading and installing other software.” As Norton puts it, Cryptocat’s no-download-required distribution model “means non-technical people anywhere in the world can talk without fear of online snooping from corporations, criminals or governments.”

In short, Norton paints a picture in which Cryptocat fills a critical need: secure communications tools for the 99%, for the tl;dr crowd, for those who can’t, don’t know how to, don’t have time to, or simply don’t want to download and install software. For such users, Cryptocat sounds like a gift from the gods.

Journalists love human interest stories

Kobeissi presents the kind of human interest story that journalists dream about: A Lebanese hacker who has lived through 4 wars in his 21 years, whose father was killed, whose house was bombed, who was interrogated by the “cyber-intelligence authorities” in Lebanon and by the Department of Homeland Security in the US, and who is now building a tool to help others in the Arab world overthrow their oppressive governments.

As such, it isn’t surprising that journalists and their editors aren’t keen to prominently highlight the unproven nature of Cryptocat, even though I’m sure Kobeissi stresses it in every interview. After all, which journalist in their right mind would want to spoil this story by mentioning that the web-based Cryptocat system is vulnerable to trivial man in the middle, HTTPS stripping attacks when accessed using Internet Explorer or Safari? What idiot would sabotage the fairytale by highlighting that Cryptocat is unproven, an experimental project by a student interested in cryptography?

And so, such facts are buried. The New York Times waited until paragraph 10 in a 16 paragraph story to reveal that Kobeissi told the journalist that his tool “is not ready for use by people in life-and-death situations.” Likewise, Norton waits until paragraph 27 of her Wired profile before she reveals that “Kobeissi has said repeatedly that Cryptocat is an experiment” or that “structural flaws in browser security and Javascript still dog the project.” The preceding 26 paragraphs are filled with feel good fluff, including description of his troubles at the US border and a three paragraph no-comment from US Customs.

At best, this is bad journalism, and at worst, it is reckless. If Cryptocat is the secure chat tool for the tl;dr crowd, burying its known flaws 27 paragraphs down in a story almost guarantees that many users won’t learn about the risks they are taking.

Cryptocat had faced extensive criticism from experts

Norton acknowledges in paragraph 23 of her story that “Kobeissi faced criticism from the security community.” However, she never actually quotes any critics. She quotes Kobeissi saying that “Cryptocat has significantly advanced the field of browser crypto” but doesn’t give anyone the opportunity to challenge the statement.

Other than Kobeissi, Norton’s only other identified sources in the story are Meredith Patterson, a security researcher who is quoted saying “although [Cryptocat] got off to a bumpy start, he’s risen to the occasion admirably” and an unnamed active member of Anonymous, who is quoted saying “if it’s a hurry and someone needs something quickly, [use] Cryptocat.”

It isn’t clear why Norton felt it wasn’t necessary to publish any dissenting voices. From her public Tweets, it is however, quite clear that Norton has no love for the crypto community, which she believes is filled with “privileged”, “mostly rich 1st world white boys w/ no real problems who don’t realize they only build tools [for] themselves.”

Even though their voices were not heard in the Wired profile, several prominent experts in the security community have criticized the web-based version of Cryptocat. These critics include Thomas Ptacek, Zooko Wilcox-O’Hearn, Moxie Marlinspike and Jake Appelbaum. The latter two, coincidentally, have faced pretty extreme “real world [surveillance] problems” documented at length, by Wired.

Security problems with Cryptocat and Kobeissi’s response

Since Cryptocat was first released, security experts have criticized the web-based app, which is vulnerable to several attacks, some possible using automated tools. The response by Kobeissi to these concerns has long been to point to the existence of the Cryptocat browser plugin.

The problem is that Cryptocat is described by journalists, and by Kobeissi in interviews with journalists, as a tool for those who can’t or don’t want to install software. When Cryptocat is criticized, Kobeissi then points to a downloadable browser plugin that users can install. In short, the only technology that can protect users from network attacks against the web-only Cryptocat also neutralizes its primary, and certainly most publicized feature.

Over the past few weeks, criticism of the web-based Cryptocat and its vulnerability to attacks has increased, primarily on Twitter. Responding to the criticism, on Saturday, Kobeissi announced that the upcoming version 2 of Cryptocat will be browser-plugin only.

Kobeissi’s decision to ditch the no-download-required version of Cryptocat came just one day after the publication of Norton’s glowing Wired story, in which she emphasized that Cryptocat enables “anyone to use end-to-end encryption to communicate without … mucking about with downloading and installing other software.”

This was no doubt a difficult decision for Kobeissi. Rather than leading the development of a secure communications tool that Just Works without any download required, he must now rebrand Cryptocat as a communications tool that doesn’t require operating system install privileges, or one that is merely easier to download and install. This is far less sexy, but, importantly, far more secure. He made the right choice.


The technology and mainstream media play a key role in helping consumers to discover new technologies. Although there is a certain amount of hype with the release of every new app or service (if there isn’t, the PR people aren’t doing their jobs), hype is dangerous for security tools.

It is by now well documented that humans engage in risk compensation. When we wear seatbelts, we drive faster. When we wear bike helmets, we drive closer. These safety technologies at least work.

We also engage in risk compensation with security software. When we think our communications are secure, we are probably more likely to say things that we wouldn’t if our calls were going over a telephone line or via Facebook. However, if the security software people are using is in fact insecure, then the users of the software are put in danger.

Secure communications tools are difficult to create, even by teams of skilled cryptographers. The Tor Project is nearly ten years old, yet bugs and design flaws are still found and fixed every year by other researchers. Using Tor for your private communications is by no means 100% safe (although, compared to many of the alternatives, it is often better). However, Tor has had years to mature. Tools like Haystack and Cryptocat have not. No matter how good you may think they are, they’re simply not ready for prime time.

Although human interest stories sell papers and lead to page clicks, the media needs to take some responsibility for its ignorant hyping of new security tools and services. When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples’ emails, step back, take a deep breath, and pull the power cord from your computer.”


This work by Christopher Soghoian is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License


Coyne Tibbets July 31, 2012 12:15 AM

I don’t know what it takes to prevent terrorism with all this technology, but what we’ll probably wind up with is something like Larry Niven’s “Amalgamation of Regional Militia”. The core goal of the fictional ARM organization was to restrict all “dangerous technology”.

(If you read the stories, that turned out to be pretty much everything.)

Nick P July 31, 2012 1:15 AM

@ blister

Nice reporting on the bad reporting. I read the article about those five tools too. Reviewing them for security is still on my backburner. Needless to say, I wouldn’t have used cryptocat for anything security critical due to the nature of how it works & how it was developed. Brings back memories of the early Diaspora claims, development team & poor security reviews that ensued.

My main criticism of your post is using Tor as the point of comparison. Tor is an anonymity tool, whereas encrypted chat focuses on confidentiality (and often authenticity). I’m not a crypto or math nerd, but I’d say that anonymity is still a baby field compared to cryptography. Basic encrypted chat is quite doable, even by non-experts with supplemental advice from experts (a few books come to mind). Good crypto is also in use in many commercial organizations staffed by 99% types, showing it can be used.

However, the 99% probably won’t use secure comms well, anyway. Here’s a point in that direction: a KGB source once said the best information on secure STUIII telephones usually came just before someone decided to switch to secure mode. They played convenience, were in a hurry, or just didn’t care. Sidestepped the security. Many attackers try that, yet others realize the users will do it for them given enough time. 😉

Dirk Praet July 31, 2012 6:59 AM

@ blister

Apart from your post being more appropriate in the Friday Squid blogging section, I concur with Nick P.

I saw a funny quote passing by on Twitter the other day: “Cryptography is like prison. The newcomer always gets jumped.”
Some media are indeed overhyping Cryptocat, to which they are attributing qualities and properties it doesn’t have in some futile attempt to make it sound like a Hollywood story. That said, Nadim Kobeissi is not making any such claims himself and is very much open to suggestions, ideas, and criticism whilst continuing work on version 2. I see him having very interesting discussions with folks like Jacob Appelbaum, Moxie Marlinspike and the like. Other infosec people in good standing are contributing code or making suggestions such as looking into usage of security labels which the XMPP protocol allows for.

Cryptocat is a nice work in progress and well worth the attention and scrutiny from all of us in the security and digital rights community.

jolly July 31, 2012 8:25 AM

Back to Bruce’s original post, yes I saw this TED drivel recently. It made me ashamed for having ever boosted some hand-picked TED talks to friends. What if they lap up all TED stuff now?!

Bob T July 31, 2012 8:51 AM

I’m more afraid of terrorists like Marc Goodman in my own back yard than I am of Islamic terrorists in the Middle East. In the long run anyway.

I’ll tell you what Marc, don’t feel the pompous, self righteous need to protect me, by stifling me for my own good, thanks… A-hole…

vasiliy pupkin July 31, 2012 8:55 AM

Science/technology/knowledge are tools only, but they all are power as well. They are not bad or good by default. It all depends who is using them and what are goals of those users.
E.g. democratic government is using technology to fight r e a l violent crimes/terrorism/aggression/outer threat. Okay. Totalitarian government is using same technology to oppress its citizens. I guess not okay.
Law enforcement officer is using technology within scope of his authority with judicial supervision to fight crime or just to snoop on somebody for personal or financial gain.
Solution? In the arms race of technology ‘good’ guys (criteria? who is in charge to decide who is good guy in that particular case of technology usage: for one terrorist for others freedom fighter) should be one step ahead of ‘bad’ guys in innovation. Just be proactive! Assume potential usage of new technology for bad usage and develop simultaneously counter measures upfront, not just wait until new technology applies by ‘bad’ guys. Anecdotally (no proof) under Khrushchev Soviets got simultaneous assignments to develop missiles and counter measure for the same type of missiles.
Admiral’s idea to switch from digital thinking (0-1, Y/N) sounds good for military in particular. Zero sum attitude in domestic politics, foreign policy and in military is the product of rigid digital type of thinking and proved to be counterproductive in the short and long run multiple times.

jake July 31, 2012 9:27 AM

bruce just bombed this dude’s set! see, terrorists! be afraid!

hyperbole aside, TED talks are often filled with wild speculation and are closer to masturbation than most would like to believe. i cannot watch them and find them painfully reminiscent of reality television.

echowit July 31, 2012 10:18 AM

@…several of the above …

I only endured 1:48 before hitting the back button but I think I agree it’s a not-very-subtle promo.

@David — “”Technology leads to TED talks”…”

My initial reaction exactly. Total TED fail.

Jan Doggen August 1, 2012 6:41 AM

The intention of Goodman’s talk (“Showing the flip side of technologies”) is fine.
But his remarks are a bit overdone:

“We consistently underestimate what criminals and terrorists can do”. Do we? His speech may well prove the opposite, as well as his examples of crimes being prevented.

Then he describes what happened in Mumbai. “This is what radicals can do with openness”. So, what do you want, no ‘openness’? There are many many more examples of beneficial consequences of openness. Arab spring, anyone?

He compares robberies with guns to the Sony playstation hack: “Over 100 million people were robbed”. Technically speaking, well yes maybe: their passwords were posted. Much more interesting would be the number of people who were really harmed, like e.g. money was stolen from them, they were impersonated with bad consequences etc.

A picture with a bulls eye centered on a cell? Come on.

His talk would be fine if he had presented it as ‘this is what we have to watch out for nowadays, and maybe in the future’, but then without the alarmist tones.
His statement “Every time a new technology is introduced, criminals are there to exploit it” is a fact, not a disaster.

Otter August 2, 2012 4:52 PM

@ vasiliy pupkin

“E.g. democratic government is using technology to fight r e a l violent crimes/terrorism/aggression/outer threat. Okay. Totalitarian government is using same technology to oppress its citizens. I guess not okay.”

You have proposed a good test to distinguish government from citizen.
