Security Researchers: How to Critique a Tech Story Without Being Arrogant and Exclusionary

Nadim Kobeissi, creator of, speaking at the 2012 HOPE conference, held at New York’s Hotel Pennsylvania every two years. Credit: Quinn Norton/Wired

Two Fridays ago, Wired published a 2,000-word feature story by Quinn Norton about Cryptocat, an online chat system that’s working to make encrypted chat as simple as loading a web page. Norton profiled its creator Nadim Kobeissi, the intimidation from U.S. officials he’s claimed to have faced, and the difficult technical challenges that such a program entails.

The piece delves into Kobeissi’s motivations, the initial pushback from the security community and his dedication to making a security tool that’s actually usable by someone outside the rarefied world of crypto geeks.

I was quite pleased the story gathered a lot of attention, including making it onto the front page of Reddit.

A few days later, Christopher Soghoian, a well-known and widely respected voice in the security community, penned a response entitled “Tech journalists: Stop hyping unproven security tools,” lambasting Wired’s story, laying it side-by-side with other sites’ coverage of security vaporware. He called it “bad journalism.”

As the editor of the piece, I’m going to disagree.

Clearly, Cryptocat is not always the ideal tool. So far nothing is. But that doesn’t mean it’s a bad tool or that writing about it is bad journalism.

Even the well-tested tools like Tor, Off-The-Record IM encryption (OTR) and PGP (e-mail and disk encryption) are vulnerable to a simple keylogger being installed on a machine, among other attacks.

Cryptocat is a very interesting addition to the suite of security tools available to the world, and is a refreshing breakthrough — thanks to its focus on user experience, something that is abysmally lacking in security tools like Tor and OTR.

Celebrating that and explaining the motivation of its creator, while being clear about its technical limitations, isn’t hype. It’s good journalism, even if a very clubby and very vocal part of the security community blasts it.

While this post is a response to Soghoian’s critique, it’s not really directed at him — it’s meant for the portion of the security community his blast was emblematic of.

First, you’d have no indication from Soghoian’s critique that Quinn Norton is anything other than an overworked, technically illiterate blogger filling a quota by writing up press releases hyping the next big thing.

He writes: “When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples’ emails, step back, take a deep breath, and pull the power cord from your computer.”

Norton has never written a story for Wired or any other publication based off a press release. That’s not the kind of thing she covers. She covers Occupy and Anonymous – penning thoughtful, informed, well-sourced pieces that often climb past 3000 words. Moreover, she’s been part of security/geek/electronic freedom communities for years, and for more than a decade has been an educator teaching people how to use their computers.

She uses more crypto and practices more vigilant opsec than any other reporter I’ve ever met (and for good reason). But you’ll not find any indication of that in Soghoian’s post. Instead, she gets dismissed because she’s made comments on Twitter criticizing the security community for its first-world white male privilege.

Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about encryption tools in the future, she ought to “step back, take a deep breath, and pull the power cord from your computer” isn’t just rude and obnoxious, it’s borderline sexist and an outright abuse of Soghoian’s place in the computer security world.

Intriguingly, even preemptively following Soghoian’s advice of “approaching an independent security researcher” about Cryptocat doesn’t save Norton from Soghoian’s rant.