-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks for your comments, Ian. I think they're spot on.
At the time that the so-called Arab Spring was going on, I was invited to a
confab where there were a bunch of activists and it's always interesting to
talk to people who are on the ground. One of the things that struck me was
their commentary on how we can help them.
A thing that struck me was one person who said, "Don't patronize us. We know
what we're doing, we're the ones risking our lives." Actually, I lied. That
person said, "don't fucking patronize us" so as to make the point stronger. One
example this person gave was that they talked to people providing some social
meet-up service and they wanted that service to use SSL. They got a lecture on how
SSL was flawed and that's why they weren't doing it. In my opinion, this was
just an excuse -- they didn't want to do SSL for whatever reason (very likely
just the cost and annoyance of the certs), and the imperfection was an excuse.
The activists saw it as being patronizing and were very, very angry. They had
people using this service, and it would be safer with SSL. Period.
This resonates with me because of a number of my own peeves. I have called this
the "security cliff" at times. The gist is that it's a long way from no
security to the top -- what we'd all agree on as adequate security. The cliff
is the attitude that you can't stop in the middle. If you're not going to go
all the way to the top, then you might as well not bother. So people don't
bother.
This effect is also the same thing as the best being the enemy of the good, and
so on. We're all guilty of it. It's one of my major peeves about security, and
I sometimes fall into the trap of effectively arguing against security because
something isn't perfect. Every one of us has at one time said that some
imperfect security is worse than nothing because it might lull people into
thinking it's perfect -- or something like that. It's a great rhetorical
flourish when one is arguing against some bit of snake oil or cargo-cult
security. Those things really exist and we have to argue against them. However,
this is precisely being patronizing to the people who really use them to
protect themselves.
Note how post-Diginotar, no one is arguing any more for SSL Everywhere. Nothing
helps the surveillance state more than blunting security everywhere.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFRFVFhsTedWZOD3gYRAjX5AKCw+SBcR1TDlDuPorgri2makt30wACgs3iI
2f+SwEqjbAVyPhf9SH67Aa8=
=tB7/
-----END PGP SIGNATURE-----
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography