On 11/26/06, Ulex Europae <europus@gmail.com> wrote:
On 11/26/06, R.A. Hettinga <rah@shipwright.com> wrote:
... It's hard to remember, but cypherpunks write code. Well, most of us do. :-)
Their own code.
You want code, you write it.
Yes, you've advanced that notion before. That sort of penurious antipathy is why encrypted communications as a matter of course will never catch on.
nah, that only means the masses won't be coding their own anonymity and privacy systems, which is a good thing (the masses would fuck it up with impressive ROT13 style). this also means that the developers who can scratch this itch (a usable, secure, and windows application) are going to be fewer and far between. don't fret, it only takes one to code it and then all your seething masses can steep themselves in the hedonistic pleasures of anonymity and privacy in their familiar environments.

and last but not least, regarding RAH's virtuous invitation to sling a little logic yourself: bitching on a mailing list about the platform specific deficiencies of anonymity/privacy software is not likely to conjure up one of these "usable, secure, windows capable" developers anxious to pleasure your impatient expectations of convenience. teaching yourself how to build secure privacy systems [0][1] so you can meet these wants with your own effort is more likely to result in the outcome you seek.

with that colorful retort out of the way, you are absolutely correct about the usability and integration aspects of a given system affecting penetration in target user base and the actual security provided [2].

as was mentioned earlier, a virtual machine to host a well tested, robust installation of unix'y network intensive applications on windows is a compromise that often keeps both parties happy. there really is no good answer if you have to rely on the windows TCP stack under load, especially for non server flavors of windows (that is, even overlapped i/o will run into problems: about ~4,000 sockets last time i tested on xp pro).

we used this virtual machine approach in janusvm [3], and tried to focus on good usability via two methods:

a.) trimming the install process down as simple as possible (could be better. vmware requested we cease distribution of the combined janusvm+player+one-click-installer due to their licensing terms on the player distribution)

b.) performing all of the anonymous Tor proxy of traffic transparently at the network level using a default PPTP VPN route through the virtual machine.

the user feedback has been positive, since this obviates the need for error prone and tedious application specific configuration to use Tor, and avoids leaking information when a plug-in or scripting facility has the ability to bypass application proxy settings or is not resolving addresses via SOCKSv4a / MapAddr. (not to mention that some applications which don't even support SOCKS or HTTP proxies can now use Tor)

"encrypted communications as a matter of course" is not yet dead. it's just taking a little longer than anyone expected back when the battle was raging over cipher implementations and encrypted network protocols with nary a thought to end user experience.

best regards,

0. "Secure Programming for Linux and Unix HOWTO -- Creating Secure Software"
   http://www.dwheeler.com/secure-programs/

1. "Anonymity bibliography"
   http://freehaven.net/anonbib/

2. "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 (1999)"
   http://citeseer.ist.psu.edu/whitten99why.html

3. JanusVM
   http://janusvm.peertech.org/
   [yes, this dc14 release is old, but it's held up well and we will have a new version in january. (and yes, it made it through dc14 open wireless use without a scratch. we should have clued in the sheeps on the wall... ;) ]
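
An added example, not part of the original message or of JanusVM: a proxy-side check in Python that tells a plain SOCKS4 request (the client already resolved the name itself) from a SOCKS4a request (the hostname is handed to the proxy), which is the resolution difference the message refers to. The function name and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample CONNECT requests to port 80 (not captured traffic).
SOCKS4_REQ = b"\x04\x01" + struct.pack("!H", 80) + bytes([192, 0, 2, 10]) + b"user\x00"
SOCKS4A_REQ = b"\x04\x01" + struct.pack("!H", 80) + b"\x00\x00\x00\x01" + b"\x00" + b"example.com\x00"


def classify_socks4_request(data):
    """Parse a SOCKS4/4a request and report which side resolved the name."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4:
        raise ValueError("not a SOCKS4 request")
    addr = data[4:8]
    # USERID is a NUL-terminated string after the fixed 8-byte header.
    try:
        userid_end = data.index(b"\x00", 8)
    except ValueError:
        raise ValueError("unterminated USERID") from None
    # SOCKS4a marker: DSTIP is 0.0.0.x with x != 0, hostname follows USERID.
    if addr[:3] == b"\x00\x00\x00" and addr[3] != 0:
        try:
            host_end = data.index(b"\x00", userid_end + 1)
        except ValueError:
            raise ValueError("unterminated hostname") from None
        host = data[userid_end + 1:host_end].decode("ascii", "replace")
        if not host:
            raise ValueError("empty hostname")
        return {"variant": "socks4a", "command": command, "target": host,
                "port": port, "resolved_by": "proxy"}
    # An IP literal means any name lookup happened on the client, outside
    # the proxy; the proxy cannot tell whether a DNS query was sent first.
    return {"variant": "socks4", "command": command,
            "target": str(ipaddress.IPv4Address(addr)),
            "port": port, "resolved_by": "client"}


if __name__ == "__main__":
    for label, req in (("socks4", SOCKS4_REQ), ("socks4a", SOCKS4A_REQ)):
        print(label, classify_socks4_request(req))
```
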