Asher Wolf:
> The argument everyone is politely avoiding - while pondering the
> numerous ways CryptoParty will expose already compromised individuals -
> is whether the masses SHOULD use crypto.
>

I'm not ignoring it and most of the world has been using crypto for online stuff since SSLv2 was released to the world.

> Rain-check: it's happening - or at least, the users are trying -
> regardless of whether they're doing it right, or regardless of
> whether more experienced ppl are willing to offer their advice or not,
> and completely separate to the philosophical, technical and
> security-related discussions that are currently swirling.
>
> Basically: hello crypto, the users are here.
>

I'm sorry to say it but a lot of the users have been here for a while - most people that use crypto just don't know they're doing it. Ironically, if users don't get good advice, they'll just be in the same spot - thinking they're safe when they're not - all over again!

> From experience, most of the non-tech ppl who attended Melbourne's
> Cryptoparty had previously attempted to install various tools by
> themselves and had either (a) failed (b) installed them incorrectly (c)
> couldn't figure out how to configure them (d) given up 'til now.
>
> CryptoParty is essentially the user saying: We are working together to
> try to figure out how to do it better. We need these tools.
>
> Whatever the best-practice model actually is, it'll be crowdsourced,
> because people are unwilling to wait for easy 'crypto manna from
> heaven', offered up on a plate.
>
> And frankly, the users have much to learn from the crypto experts and
> it'd be a damn shame if knowledgeable people refused to teach or share
> their expertise because ppl are "doing it wrong."

I think that the real changes belong in the platforms - anything that requires configuration is probably already doomed to fail and screw a user. That's generally the approach that I've seen work - everything that requires 0) user education and 1) realistic honesty about threats or risks results in 2) denial or mistakes or a bork'ed tool shooting the user in the foot.

>
> We've known we've been doing it wrong for a long time now and going back
> to Facebook to organise is no longer an option.
>
> The creation of CryptoParty was a spontaneous, viral storm. It was NOT a
> concerted, centrally-organised campaign, with funding or even a
> best-practice model. My hope is that experts contribute to eventually
> provide a best-practice model, and that users give the necessary
> feedback allowing for tweaks in tools and creation of more accessible
> crypto.
>

Since clearly a few loud people were bent out of shape by my comments - they have no idea that I encouraged you or tried to help out; so let me set the record straight: go you!

I think it is *great* to make the book and I think it is great to do it with a set of unifying principles - it will help to ensure that good stuff gets into the book and crappy stuff stays out of the book or is so noted as crappy or contentious. I think that means that peer review is essential before rushing to publish.

I really encourage you to put in a few chapters about the following:

  social and technical compartmentalization
  targeted exploitation realities (from Core Impact to Metasploit)
  threat modeling
  intention/goal based risk analysis
  physical security risks
  practical information on real surveillance/censorship systems
  getting involved
  going from a user (to a translator or...) to a developer
  outlining the currently missing tools that we need to build

Overall - I think the EFF's SSD is a great document to consider in the process and I think you're well aware of it...

All the best,
Jacob

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
