You have only translated the main page (with Google Translator...) to make it look like you have some Catalan content there. That's naughty.
"In order to be granted a .cat domain, one needs to belong to the Catalan linguistic and cultural community on the Internet. A person, organization or company is considered to belong if they either:[4]
1. already have content in Catalan published online.
2. have access to a special code (sometimes called ENS), issued during special promotions or by agreements with certain institutions.
3. develop activities (in any language) to promote the Catalan culture and language.
4. are endorsed by 3 people or 1 institution already using a .cat domain name."
Read more about it: http://en.wikipedia.org/wiki/.cat
I'm happy that the app is translated into Catalan. I hope the translation is better than the one on the website.
Just wanted to make sure you know what this domain is actually used for.
Who should I address a letter to request for the wayuu culture to have a .way tld?
As an example, the Catalan version of Wikipedia currently has more than 400,000 articles, making it the 17th biggest.
To make clear what this means, you have to know that Catalan isn't even under the 100 most spoken languages worldwide (it has about 7 million speakers). So there is 1 article for every 17.5 people. Compared to the English version (4.4 million articles, 700 million speakers = 1 article every 159 people), or the Spanish one (1 million articles, 460 million speakers = 1 article every 460 people!), it is quite impressive.
So why would they want their own .cat domain? Because as a non-independent country / nationality, they are not allowed to have a two-letter domain. Still, they wanted to be represented on the net, so the PuntCAT foundation made a huge effort to obtain the three-letter .cat domain, but as it was sponsored, I imagine that they decided to restrict its usage to websites that have something to do with Catalan culture, or at least are written in Catalan.
I must say the Catalan culture and political movement is a pretty interesting topic itself, but I didn't want to make this post political, but rather interesting for "teh techies".
Summarizing, we might not have qualified for a two-letter domain because we are not an independent country.
In the face of the extensive criticism they could have just given up.
Instead they have acknowledged making mistakes, didn't give up, learnt from the mistake and changed their subsequent behavior. This is admirable.
I believe that we've been truly open source, transparent and accountable for our code since day one. There are other projects that are currently similarly open and transparent (I respect TextSecure for this), but I can't say this is the standard in this field.
We've always solicited and compensated feedback from security enthusiasts, hobbyists and world-famous cryptographers alike. Over the past year, we've had the opportunity to grow into a product that examined what is fundamentally responsibly possible in the browser, and we've even landed ourselves as a primary use-case for the W3C's Web Cryptography working group. We've produced a true, responsible alternative for people who just don't know how to use anything more complicated than Facebook Chat, and we've made it clear that we are not trying to replace PGP or other iron-clad 30-year old solutions. We're trying to help mom and pop users.
Regarding our past vulnerabilities, I can't think of a fuller disclosure than dedicating an entire talk to detailing every single one of them: https://blog.crypto.cat/2013/11/documenting-and-presenting-v...
We also carried out a study to verify whether users were indeed clicking on the security warnings on our website: https://blog.crypto.cat/2013/11/yes-cryptocat-users-are-read...
We want to do things right. We are truly open source, truly honest, transparent and we take immediate steps for mitigation every time. We will continue to solicit audits and feedback for our more experimental browser client, but also hope to have a more grounded product in our upcoming Objective-C (iPhone) and Java (Android) apps.
Overcoming a bad reputation is far more difficult than keeping a good one. We have been less lucky than other projects. The fact that we used experimental platforms, coupled with overly loud disclosure of all the failures those platforms lent us, meant that we couldn't keep face as easily as other projects.
But that said, I can't but resent the continued accusation that after three years at this, myself and all other volunteers (a wide range) working on this haven't matured enough to know what we're doing, and haven't proven that we care very much to do it right. It's very relieving to hear that the community at HN can understand this and see that we have been proceeding responsibly for quite some time now.
The thing is, in the case of a significant percentage of people attempting crypto, it's not that they don't care, it's that they simply aren't capable of it. Jumblefucks like the telegram launch (which was too disorganised to be a clusterfuck, frankly) keep that fact fresh in everybody's mind.
What's interesting to note, though, is that people are now largely complaining about the fact that vulnerabilities have been found, rather than your response to them. I think maybe that's a more useful metric for how competently you're dealing with it than pure positive/negative response is, under the circumstances.
Bob has no medical training, but has a dremel and practiced on a pig head. He offers to do a filling for his pal. He makes a bit of a botch of it, but he learns from his mistake and carries on. Dentistry is important, so it's admirable that Bob ignores the criticism. Bob's first pal is currently fighting off a severe infection, but Bob uses that as a learning experience.
Bob will get there one day!
My favorite expression when things get heated: "Nobody is going to die."
There are exceptions, of course, but a vast majority of the work we do just doesn't matter in the context of life and nature.
Cryptocat would never be used by Glenn Greenwald, but that's because he is privileged to have access to better crypto.
Will be definitely going over this later.
We have a commissioned audit for both apps, but it won't be starting for another two weeks. Thanks SO MUCH for your interest. We rely on security enthusiasts for comments and advice.
"Hey guys, here's the code, file some bugs for software that is of no use for you to spend time auditing" is pointless.
Adium has an incentive to read the libotr sources. Every user has a small incentive to read kernel sources.
Nobody has any meaningful incentives to read the cryptocat homebrew multiparty cryptosystem except the few you've paid to do so. This is cargo cult peer review; it looks like you're doing it but it doesn't actually yield the intended results.
PS: glad to see you switched to OTR for two party. You should have done that years ago, but at least you wised up in the end. Hopefully nobody got killed or tortured in the process.
Regarding OTR, we actually switched to that 16 months ago; it's not exactly like we recently wised up.
[1] https://github.com/cryptocat/cryptocat/wiki/Multiparty-Proto...
Factor the ObjC version out to plain C, and call into it from your Objective-C implementation. Make the plain C version the canonical version. (Things like Emscripten may be useful here for your JS use-case.) This is how libotr does it, and for good reason.
Then, others can use it, and perhaps you will get meaningful free auditing. What you're doing now probably won't attract that because unless your bug bounty is six-figures, nobody competent will spend any significant amount of time auditing it because they have no incentive to do so.
Surely, the best we can do as a community project is open up our code for more volunteers and experts to help and take a look. :-)
I do not use gnupg because the creators say it's nice, I use it because everybody including their competitors says it's OK.
1. Implements OTR / Isn't a roll-your-own flawed cryptosystem like Telegram?
2. Can be used by non technical users
3. Can be used on linux, osx, windows, ios and android?
4. Does not crash all the time (ios's chatsecure)
5. Is open source?
So far, unable to find it. It's easy to be a critic. Cryptocat and textsecure are the only two contenders, and right now cryptocat is the closest one to meet all of those conditions.
I'm the primary developer of this. I feel like it fulfills a lot of the points that you argue, please feel free to take a look :)
[1]: http://blog.cryptographyengineering.com/2013/03/here-come-en...
This isn't, of course, to say that there haven't been vulnerabilities. But I have to stand behind our mitigation and disclosure policy as being very highly responsible and transparent.
So far, we've had three paid audits, with two more lined up, and regularly reward community bug-finders. We're planning more competitions for Cryptocat Mobile in March and April, with prizes such as iPhones and Nexus Phones. :-)
How do you manage to afford to finance the audits and bug bounties? We have found that some potential customers want to see us get security audited before trusting our solution, but from what we can tell this is a multi-hundred thousand dollar cost and requires us to freeze development while it takes place. We currently have zero day-to-day budget and runway for 6 months. How have you afforded it?
My biggest concern with cryptocat is that this info is kind of hidden and not bubbled up to the user.
In the web version, the way it's handled makes it possible for the server operator to replace who you are talking to mid-conversation without warning, unless you click a fingerprint button before and after every message you send, which nobody is going to do.
I know there is an issue for this on the web version ( https://github.com/cryptocat/cryptocat/issues/463 ), just wondering if the mobile ones take a different approach.
I imagine the Android and iOS apps would be ripe targets for bug finding adventures, but are there any places specifically that could use the kind of scrutiny that such an event could provide?
[0] - http://www.eventbrite.com/e/dc-internet-freedom-hackathon-ti...