Hello List! I'm (for some of you) your worst nightmare: somebody who does not master the fine arts of cryptography, yet has an opinion about cryptography. I might say I enjoy reading the thread on PKI, but I wasn't able to read it all.
Please understand this is not a flame against Landon, but rather at the whole culture of having a debate that puts people into two groups: a small one formed by the initiated and a huge one made of lay people. I am using his message, yet the ideas were already used in other debates and on other sites / forums / mailing lists. Bottom line, it's for everyone who might feel offended by it and not for those who might find it anything but offensive.

On Wed, Aug 29, 2012, at 06:00, Landon Hurley wrote:
> In that case, perception of threat and more importantly loss of tangible
> goods keeps PIN secure. Obviously that works for envelopes as well, but
> honestly I think economics probably holds even more strongly. It's
> cheaper to buy a ton of envelopes than an equal number of postcards.

That's one of the best examples of the straw man fallacy. I'm quite sure it wasn't intended, as you were probably just fighting an older argument. Yet someone might pick it up and use it. I think the argument with the envelope instead of a postcard dates from before encryption was considered an electronic envelope. Anyway, while the argument is in my opinion brilliant, the explanation is childish. Or, if you prefer, it looks like it was laid like an egg by the mind of the stereotypical nerd living in a basement. The real postman has way too much on his hands to waste time with every private message. Yet the message might be delivered into the hands of a servant or family member. It's them, the people around, who are the most interested in finding out the juicy story.

Bringing in economics is something that pops up more often year by year. Economics is a silly way of putting things. And what you are pointing out is accountancy, or bean counting if you prefer, and not economics. In other words, I might not know much about cryptography and its use, yet you guys don't know much about economics either.
From an economic point of view, bordering on marketing, it would be far better for me to invest in wonderful / interesting postcards which I might obviously stamp with my business data, thus providing a vehicle for my brand. Even if the accountant might point out it's cheaper to have bulk envelopes and use regular copier paper. To expand the digression: there are the financial point of view, the accountant's point of view, the economics point of view. We can expand to the marketing point of view. All these are put in a blender with some liquid, say barf from the chief editor, and processed until smooth. Everything is then baked in whatever form the chief editor wants and delivered to the masses as economics. Yet it's still extremely important to make the distinction.

> While we're kicking around pet theories though, I still think web mail
> has to be a significant barrier. The ratio of people who use a browser
> rather than a local mua at my uni are something like 4:1. If you get
> people culturally used to using PKI though, they will, which in this
> context would mean get them used to it in college. Just like the
> Microsoft student pricing, the idea should be indoctrinate at a
> relatively young age, so that they come to expect it later.

I find the absolutist way of thinking sickening when there's a place for relativism. I know both terms have various meanings nowadays, so bear with me. Terrorism is relative. I make you live in fear. I am a terrorist. You find a way to threaten my family in a desperate and illogical / aberrant attempt to stop me. Bravo! You are a terrorist too. Media and political voices today are doing what has been done for millennia: impose an absolutist view. I am terrorised by that guy; I have a right to do whatever is necessary to stop him or her. With a wonderful omission: nobody ever steps forward to specify what falls into "whatever is necessary". In other words: the assumed victim can prove far more vicious than the former aggressor.
What Microsoft is doing around the world is indoctrination. Although it's a light indoctrination, as college students around the world don't feel an impulse to call the BSA hotline when they get an unlicensed copy of some software. What people should do is educate. Not indoctrinate. And even accept the possibility that people would choose otherwise. But you are right about the first part of that paragraph. While every once in a while a talk is started somewhere, somehow, about cryptography and how people do not use it, there are far fewer on-campus training sessions. High school teachers are not stimulated with some credit points somewhere if they follow some classes about privacy. It's mostly a dry exchange of theories about why the world is the way it is now. Really, while people are giving savant talks about why OTHER people are not going their way, there are only a few who do the actual work.

I read about high entropy. Most Wikipedia articles are written by math majors who are pretty proud of the painting they could do with MathML. Can I use an .ogg music file as a key to a TrueCrypt container? No, you should use a high-entropy passphrase. How do I calculate if my password is high-entropy enough? I want to see numbers, as in password length. Everybody gets it when somebody tells them a 4-letter password is weaker than a 9-character alphanumeric one. I've seen quite a few debates. Using logarithms. Each has a better idea of which logarithmic value would be better. But how to give a benchmark? Myself, I agree with the author of that cartoon [1] saying that through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

[1] https://xkcd.com/936/

I see webmail as far from a barrier. Get one plain text editor with encrypt / decrypt abilities. Then just copy and paste the armored text. What can be simpler?
Why do I have to handle a buggy, slow beast like Thunderbird or Evolution when I can do it with the ballast provided by a modern web browser? If the browsers were of a smart design I could do everything on a 386. So, instead of having a complicated system with problems, just use a web interface and do all the mails offline in a folder. Faster, more portable.

> Alice logs in to webmail, which makes her feel secure, and as far as she
> can tell Bob logs into his, and nobody can open it up otherwise. There's
> no perception of threat, probably because very few lay people understand
> 1. How easy it is to intercept email and 2. How insecurely email is
> stored. <soapbox>In the day and age when not having a Facebook account
> gets you strange looks and mutters behind your back, unless you force
> this upon people, it's not going to stick<jumps off>. Short of a massive
> government surveillance controversy with jackbooted thugs roving the
> country, nothing (for loose definitions of nothing) is going to convince
> people to voluntarily seek PKI, because they don't see a threat. Even in
> that situation, a good ~30% of the population can be counted on to come
> back to the 'should have nothing to hide' argument.

Nice story. Yet, when I search "Yahoo webmail" on Google there isn't an article in the first 25 links about the privacy issues of Yahoo. Yet Yahoo advertises that it's secure. You do have the nice ideas. But I don't see ANYTHING beyond that. Why look down on people? Lay people? A concept invented by the religious / initiated caste to separate themselves from the disgusting masses. It's not so much that people are stupid. It's much more because nerds have entrenched themselves in so many layers of silly talk that marketers were able to easily pull a nice one: The Cloud! Alice sees a nice window on her end of the cloud. For her, her window is magically tied to Bob's window.
Also, I can tell you from my personal experience that the whine about not having a Facebook account is just intellectual masturbation. Sure, a nerd would have been shocked for a normal person not to have an email address in 1998! But his social skills were close to zero. Meaning the effect is also close to zero. Now people want to know fast everything there is to know about you. So Facebook is the answer. Have a personality. Get some social skills. Be interesting. And in no time people will change from strange looks to "tell me more about not using Facebook". It's cute to develop bonding through some sort of initiation, say Dungeons and Dragons if you like a cliché, but it's still jacking off. The world is the thing out there, at large, and not some meetings in a basement.

Also, from what I know, and not from some nationwide socio-economic study, people are extremely concerned about their privacy. That's because of two facts. One is the media fetish with fear. The other one is some well-made information campaigns. So people do know Facebook leads to divorces and loss of money. But how can they still push the photo with that drunk dead prostitute to all their friends? They want something about privacy and security of communication. They have no alternative. And the temptation is so strong they fall back to what they know. Even if gpg is easily obtainable, that is still almost nothing. Gpg is not a portable app. One must read a few cryptic pages. Even if clear, they are boring. Generate a key. What size? The answers are quite liberal: it depends on what you need. It should be *2048 or read some more dry text*. Alice gets Bob to install it too. Maybe Bob can't install it as it is a laptop from work. Boom! The dark-basement, wide-rimmed dork concludes: it's because lay people are not as smart as us.
Fast forward 5 years from now, when he'll get a haircut and a necktie as a token of his obedience to the firm and CEO, and the same dork is going to be quite inquisitorial in his attitude towards installing foreign, unauthorised software on the company laptop. Why, oh why? Something breaks, he has the images. The laptop is back to square one in less than half an hour. But he's now not a regular nerd. He's a cool geek. And he has more than 50 security arguments for why he must not waste time with mere mortals. You see, it's disgusting. Education. Or indoctrination if you prefer. Knowing about entropy. Knowing about what the cloud really is. Then back to real life. It's from these people that the system admins are selected. They move out of their dirty basements. Maybe they have enough money to trick a girlfriend. And then they are the ones imposing all those restrictions. Mind you, is the CEO losing sleep at night reading long man pages about making and storing a copy of every employee's email, both outgoing and incoming? Is the financial analyst blocking USB ports? Is the personal secretary of the President of the company writing the software that lists login and logoff times for every white-collar employee and the proxy that tracks their every move? Puhlease!

> The barrier is solely cultural, not technical. Enigmail, Thunderbird and
> gpg4win are trivial to set up. The first time I did it, it was on the
> phone, talking someone through it. So we either need to invent some sort
> of massive threat perception to unite everyone to adopt PKI, or just
> continue to push it as a grass roots movement. Or if some kind person
> would like to introduce a viable third option, I think a decent portion
> of humanity would owe him/her a debt. On the other hand, I'm advocating
> a rather heavy handed, Platonian, do it for people's own good even if
> they don't like it/decide they need it, so I'm sure at least some, or
> even most, will disagree as well. I will add my confession to the pile
> of selfish reasons to want to have PKI become widespread.

See above. Alice finally gets it. And she wants to communicate securely with Bob. Bob CANNOT do it. Why? Not because he is stupid. Not because he lacks the special culture of the powers of two and an understanding of the binary representation of a decimal number. But because a servant nerd is going to do anything in his power to stop this. If the same above-average-intelligence social misfit had written a company policy that everyone should have gpg installed on their workstation and everyone should have one key for all business matters and one key for all private matters, upon penalty of something, now life would be different, don't you think? Or what are you offering? Bob should carry a second laptop for private matters? I used to have a bag of phones: the smallest number was 4. Should I put two laptops on top of that? And some bike gear also. Now that won't make me fit. That would lead straight to spine surgery.

Now, Thunderbird is a pain in the behind. A team is trying hard to bring the anonymity of Tor to it. I hope they will be able to do it. It's large. It's slow. It used to have issues with the protocols. But it's portable. Enigmail is an extension, and that makes it rather portable. But gpg4win is NOT. Even if installing the three is quite easy, how about the bashing around with "you have to choose a good passphrase or it's worse than before"? Does Alice have to waste a month online trying to make sense of what's written about having a good passphrase? And why? To find out she's only a lay person with wrong assumptions? No. Because she is only human. She is going to do it the way she knows and pray nothing bad happens. This is what people have done for millennia. This is how, with modern medicine, homeopathy thrives. Why risk dying at the hands of a surgeon when you can be sure everybody dies sooner or later?
Also, I think people like you should work more and more on their pleasant side. Learn some skills that don't involve machines. Relax. Just because others bullied you, you don't have to be a bully. Or put it this way: what makes you sure your way is the good way? Just because you think you are smart, are you smart enough to think for the others as well? What happens when you are in the wrong, even if you know what you say is gospel truth, and other people start imposing their ways upon you? How would that feel? I can assure you that a social misfit would fare much, much worse than one of those lay people outside.

Question: sure, it's nice to see the signature used here, on the gpg list. But why do you people use it? Myself, an outsider, I see it as a geek code. Sure, Werner is the gpg master. And somebody might impersonate him and talk about a terrible breach of security in the latest pack and offer an alternative download. But how about you, the rest? What difference does it make if I would impersonate you or you or you? I'd say get a cute tattoo some place obvious. It's far nicer.

Cheers!

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
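The post above asks for the "numbers, as in password length" behind the logarithm debates: how to tell whether a passphrase is high-entropy enough, and how the 4-letter vs. 9-alphanumeric comparison and the xkcd 936 figures are actually computed. The following is an added worked example written by the editor; it is not code from the post, from Landon Hurley, or from the GnuPG project. It computes entropy as bits = length * log2(alphabet size), which only holds when every symbol (character or word) is chosen uniformly at random; for a hand-picked password the charset-based number is an upper bound, which is the comic's point (its estimate for "Tr0ub4dor&3" is roughly 28 bits, far below what the charset math yields). The guessing rates and the 16-word list are constructed assumptions for the benchmark, not measured values.

```python
"""Passphrase entropy benchmark (editor's added example, not from the mailing-list post).

bits = length * log2(alphabet_size), valid only for uniformly random generation.
Guessing rates below are assumptions chosen to illustrate the scale, not measurements.
"""
import math
import secrets

ONLINE_RATE = 1_000             # guesses/s against a rate-limited login (assumed)
OFFLINE_RATE = 10_000_000_000   # guesses/s against a stolen fast hash on GPUs (assumed)

# Constructed mini word list: 16 words -> log2(16) = 4 bits per word. A real
# diceware list has 7776 words, i.e. log2(7776) ~ 12.9 bits per word.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "basement", "candle", "dragon",
         "envelope", "fossil", "glacier", "harvest", "island", "jigsaw", "kettle", "lantern"]


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def naive_charset_bits(password):
    """Upper-bound estimate for a hand-picked password: infer the character classes
    present and pretend every position was uniform over their union. Real human
    choices (dictionary word, l33t substitutions, trailing digit) are far weaker."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return entropy_bits(size, len(password))


def expected_seconds(bits, guesses_per_second):
    """Expected time to find the secret: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def random_passphrase(n_words, words=WORDS):
    """Generate a passphrase with the OS CSPRNG; return it with the entropy it really has,
    derived from the list size rather than from how the words look."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen), entropy_bits(len(words), n_words)


def benchmark():
    """The comparisons raised in the thread, as bits of entropy."""
    return {
        "4 lowercase letters":         entropy_bits(26, 4),
        "9 alphanumeric characters":   entropy_bits(62, 9),
        "4 words from 2048-word list": entropy_bits(2048, 4),   # the xkcd 936 figure
        "6 diceware words (7776)":     entropy_bits(7776, 6),
        "Tr0ub4dor&3, charset bound":  naive_charset_bits("Tr0ub4dor&3"),
    }


def main():
    year = 365.25 * 24 * 3600
    for label, bits in benchmark().items():
        online = expected_seconds(bits, ONLINE_RATE) / year
        offline = expected_seconds(bits, OFFLINE_RATE) / year
        print(f"{label:30s} {bits:6.1f} bits  online ~{online:.3g} y  offline ~{offline:.3g} y")
    phrase, bits = random_passphrase(4)
    print(f"generated: {phrase!r} -> {bits:.1f} bits (limited by the 16-word list)")


if __name__ == "__main__":
    main()
```

Two things the table makes concrete: a 9-character alphanumeric password (about 54 bits) beats a 4-word phrase from a 2048-word list (44 bits) only if both were generated at random, and the charset bound for "Tr0ub4dor&3" (about 72 bits) is meaningless because nobody rolled dice to produce it. Entropy is a property of how the secret was generated, so the only honest benchmark is one the generator can report, as random_passphrase does from the size of its list.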
