
I may or may not have any comments about your situation. Nevertheless, anyone responding to these comments needs to know that there is no guarantee that magikarp is actually Nadim himself, whether the account is compromised and so on. Catch 22 is in full mode in this thread and I would hope that this is not simply paranoia kicking in.

Hypothetically, what is the benefit of airing out all of this information?



> Hypothetically, what is the benefit of airing out all of this information?

Media attention. That seems to be all this kid has done is wave things at the media that the media themselves don't understand. Cryptocat is a JavaScript implementation of XMPP with OTR enabled. Snore... Hop on Google chat and click "Off the record" and you've done the same thing Cryptocat does. Unlike Google chat you have to load up yet another Chrome browser extension that will no doubt eat more memory.

The "anapnea" thing he was involved in looks like a joke as well. "Encrypted tunneling network"? You mean a VPS you give people SSH access to? Mind blowing.

Nothing to see here folks. Move along.


Google's "off the record" has nothing to do with the OTR protocol. It only instructs the server to stop archiving the conversation, and does not involve end-to-end crypto. Google still has access to the cleartext as it passes through their servers.


> Google still has access to the cleartext as it passes through their servers.

Right, and cryptocat doesn't, 'cuz they said so on their website!


The first implementation of Cryptocat was bad in this regard, but the new version uses OTR. OTR virtually guarantees that a middle man can't interpret your communications by performing public key authentication and key negotiation--similar to SSL with mutual authentication using a shared secret (see http://www.cypherpunks.ca/otr/Protocol-v3-4.0.0.html, particularly the section on the Socialist Millionaires' Protocol.) You don't have to trust anyone to transport your data without snooping. Not only that, Cryptocat's new implementation is open source: https://github.com/cryptocat/cryptocat.

Inform yourself, ignoramus.


As you said. "Virtually". All of this relies on you trusting the third party involved here and that was my point. Whether it's Google or some 23 year old kid, or if it's open source or not doesn't matter.

He is quite literally doing the same thing as I could do in setting up Openfire on a box and inviting everyone to connect and turn on their client side OTR. Just because it's a Chrome extension and written in JavaScript somehow changes that? No.


> As you said. "Virtually". All of this relies on you trusting the third party involved here and that was my point.

No, it doesn't. That's not what "virtually" means. It's guaranteed, barring some unexpected advance against one of the cryptographic algorithms used. In cryptography you use words like "essentially" or "infeasible", not "completely" and "impossible," because at the end of the day you are just hiding behind hard math problems.

The whole point of OTR is that you don't have to trust the third party, and you obviously do not understand that. They are just a transport. The analogy you are making could just as well be applied to any ISP in between you and the person you are talking to. They are a transport. Don't trust the client? Use another. Or are you seriously suggesting writing your own? Then you're starting down a very long path: http://cm.bell-labs.com/who/ken/trust.html

You also keep comparing it to Google's "no log" feature, but they have absolutely nothing in common. The "specs are not different"; they are completely different things.

It's disappointing that you're so stubborn, arrogant, insulting to the author, and wrong at the same time. OTR is a brilliant and fascinating protocol, particularly because it gives people who communicate deniability, which PGP, for example, doesn't. Cryptocat is helping popularize it, and that's good.


> OTR is a brilliant and fascinating protocol, particularly because it gives people who communicate deniability, which PGP, for example, doesn't.

This is a point which a lot of people seem to overlook. Sometimes, non-repudiation is desirable. Sometimes it is not.
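An added illustration, not part of any comment in this thread: the deniability discussed above comes from OTR authenticating messages with a MAC keyed by the negotiated shared secret instead of a public-key signature, and from revealing old MAC keys. The sketch below assumes HMAC-SHA256 and random bytes as a stand-in for the negotiated secret; all function names are hypothetical.

```python
import hashlib
import hmac
import os


def mac_key_from(shared_secret: bytes) -> bytes:
    # Both ends derive the same MAC key from the negotiated secret.
    return hashlib.sha256(b"mac-key" + shared_secret).digest()


def authenticate(mac_key: bytes, message: bytes) -> bytes:
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verifies(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(mac_key, message), tag)


def run_session() -> dict:
    shared_secret = os.urandom(32)  # constructed stand-in for key negotiation
    alice_key = mac_key_from(shared_secret)
    bob_key = mac_key_from(shared_secret)

    # Alice sends; Bob accepts because only he and Alice hold the key
    # and he knows he did not write the message himself.
    real_msg = b"meet at noon"
    real_tag = authenticate(alice_key, real_msg)
    bob_accepts = verifies(bob_key, real_msg, real_tag)

    # The transport (or any eavesdropper) lacks the key and cannot verify
    # or produce tags.
    relay_key = os.urandom(32)
    relay_rejected = not verifies(relay_key, real_msg, real_tag)

    # Deniability: Bob can produce a tag for text Alice never wrote, and it
    # verifies exactly like the real one, so a transcript proves nothing
    # to a third party. A signature made with Alice's private key would.
    forged_msg = b"text Alice never sent"
    forged_tag = authenticate(bob_key, forged_msg)
    forgery_verifies = verifies(alice_key, forged_msg, forged_tag)

    # Once an old MAC key is revealed, anyone can do the same.
    revealed_key = alice_key
    outsider_tag = authenticate(revealed_key, b"outsider text")
    outsider_verifies = verifies(bob_key, b"outsider text", outsider_tag)

    return {
        "bob_accepts": bob_accepts,
        "relay_rejected": relay_rejected,
        "forgery_verifies": forgery_verifies,
        "outsider_verifies": outsider_verifies,
    }
```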


You're quite cocky for being so hilariously wrong. "Off the record" in GTalk makes it not log your conversation in your "Chats" folder. It has absolutely nothing to do whatsoever with encryption or deniability.


I'm sorry, I thought this was "hacker" news. I expected people would know that Google's OTR and OTR XMPP spec are different. My point was that you shouldn't be using 3rd party services to talk to people if the information is legitimately sensitive.


The specs are not "different." They are completely different things.

You realize it is impossible to talk to somebody over the Internet, or in real life except in person, without relying on a third party, right? You choose who to trust, and OTR, the protocol, makes it so you only have to worry about the software used, not about the communications channel and anyone listening in on it.


> Google's OTR and OTR XMPP spec are different

> The specs are not different. They are completely different things.

Do you not have any reading comprehension? That's literally what I said. I haven't said anything against OTR at all. I fully support the use of XMPP and OTR for communications. You can attack me all you'd like, it doesn't change anything I said.


> Hop on Google chat and click "Off the record" and you've done the same thing cryptocat does.

This is literally what you said.

> You can attack me all you'd like

I don't think I'm attacking you, but after being this insulting to Nadim Kobeissi, in this thread and on Twitter, you don't get to play hurt.



