Good to see you again, John; you’ve been missed. :)

> When dealing with software touching on issues of privacy, security, or
> encryption, one MUST consider the often vociferous reactions of the tinfoil
> hat crowd. As Rob has continuously tried to communicate, irrationality and
> guilt-by-association are common features when dealing with this type of
> paranoia.
You’re being a little harsher than I am, but I completely understand. The problem to me is not the paranoia: it’s the toxic mix of scared uncertainty and small amounts of self-serving certainty.

A few years ago there was a well-received movie about a fictional worldwide plague — _Contagion_, I think it was. In the movie the vast majority of humanity felt completely defenseless against this disease. There were a lot of research scientists who were advising caution and to not panic and to wash your hands and everything else, but there was also an unethical health journalist (played by Jude Law) who wrote screeds about how They Are Lying To You and how This Homeopathic Remedy Cures The Plague and … etc. And, of course, people read his articles, did exactly what he advised, and died in large numbers.

The people weren’t paranoid. They were scared and they felt helpless. They felt uncertain. They weren’t the problem. The journalist who was only after page views… that’s the guy who has a seat in Hell close to the fire.

It only takes a small number of quacks to undo the work of legions of public health specialists. Look at how many parents are skipping on vaccines due to the Wakefield fraud, for instance.

And we see it here, in our own community. The vast majority of our users are scared and uncertain. Let me emphasize: *there’s nothing wrong with that*. If you’re scared about government surveillance, we understand. We are, too. If you’re scared about Google reading your Gmail for ad purposes, we understand. We are, too. And if you don’t know what you can do about it, we understand, and we really want to help you.

If there’s one thing I could recommend to people to help improve their communications security, it’s this: cultivate a healthy distrust of whoever claims to have answers. Real answers tend to be couched in references to published books by respected authorities and sometimes peer-reviewed, refereed journals. They’re also never as clear as you’d like. Fake answers tend to be couched in “trust me” and “it’s obvious that…”, and promise you a simple answer to a complicated question.

For instance, consider the question: “Is DSA still safe?”

Answer 1: “We think so. Looking over Google Scholar I haven’t seen any papers claiming it’s broken. A lot of people distrust 1024-bit crypto; Ross Anderson’s _Security Engineering_ and Schneier and Ferguson’s _Practical Cryptography_ both advise against using it. So, DSA-1024 is probably best avoided, but DSA-2048 and DSA-3072 should still be fine.”

Answer 2: “No. NIST limited DSA to 1024 bits because that’s the limit at which rainbow tables can be used to attack the system. If they’d gone just a few bits further the rainbow table attack would become impossible. So, why would NIST limit it like that? Clearly, it’s to facilitate attacks on the system. DSA was designed to be weak from the very get-go. Don’t use it, period.”

… One of these two answers is weapons-grade gibberish. It isn’t just factually wrong, it’s *nonsense*, on the same level as arguing that since the U.S. was attacked by naval aviation on December 7, 1941, we were wrong to declare war on Japan, we should have instead declared war on our true enemy, naval aviation, and begun by sinking our own carriers in order to strike a blow against the true enemy. No, I’m not kidding: to someone who knows DSA’s history and how rainbow tables are used, answer #2 is literally at that level of pants-on-head nonsense.

There are a *lot* of people in the community giving answers like #2. And since they offer certainty, a lot of normal users will listen to them, because the normal users are scared and uncertain.

So, yes. A small number of paranoids and tinfoil-hatters will make hay out of things both real and imagined. But honestly, I’m not worried about whether they continue to use Enigmail. These people are deeply disturbed and they’ll do whatever their personal demons tell them to do. What worries me a *lot* is all the misinformation and misunderstandings and rumors they can sow within the community.

Cultivate a healthy distrust of anyone who claims to have answers — and especially me. :)
enigmail-users mailing list: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
