-----BEGIN PGP SIGNED MESSAGE----- 'Punks, It's time for dave's quarterly "why are we here" post: Well, the good news is that people in "the mainstream" are beginning to notice PGP and discuss the need for its existence. The bad news is that PGP is not really ready for them. As a system administrator for many novice users (hundreds at a time in the past), I can say with humble authority that PGP, no matter how trivially simple it may seem to us, is well beyond the ken of most users (I won't attempt to put a %age on them, let's just say it's well into the 90's). And it's not like no-one's noticing either: - From a pure cost:benefit ratio, PGP is not yet a useful tool for most users. I hate to frame it in such "'mersh" terms when the flow on this list is largely fascinating crypto-math or splendidly colorful insults, but let's admit our dirty little secret: PGP won't be widespread, people won't really appreciate all the good crypto work being done here and repressive government agencies and paranoid lawmakers will continue to whittle away at electronic privacy rights until the day that PGP becomes a widely-used, viable commercial utility. All you ViaCrypt people just sit tight: I'll get to you below. :) I was particularly dis-Mayed by the initial reception that the Netscape folks received here. The Netscape/BofA posting I made recently obviously touched a nerve and well it should. I can certainly understand why Timothy would get CPO (completely pissed off) and want to take a vacation after some of the flotsam I saw drifting by here. As others have noted, some of your remarks were ill-considered and lacked tact. That doesn't make you bad people: I open mouth and insert foot now and then myself, but it's a good thing to consider next time an earnest startup working on a devilishly fasttrack schedule and trying to incorporate crypto comes online here. Let me take this opportunity to offer an olive branch to the Netscape people. Your first shot with SSL is "okay," and I'll do what little I can to help you find/implement/test something better (even if you never return my phone calls, Tom Paquin!). Now then, if you'll bear with me: - -------------------------------------------------
From: stephen.mccluskey.@hammar.pp.se (Stephen Mccluskey ) Newsgroups: alt.security.pgp Subject: Re: I NUKED PGP. Why? This is why: [elided] Message-ID: <9412160602073878@hammar.pp.se> [elided] John Dulaney has received a bit of flak for his statement that PGP is too complicated for the average user. Although I'm not an average user, I'd have to agree. The average user in our department can handle a word processor, do a bit with electronic mail, format a disk and a few other rudimentary things in DOS, and that's about it. If PGP is going to take off, it needs to consider their needs by seamlessly and transparently connecting with both mailers and word processers, so encrypting and sending a file would be no more complicated than printing, faxing, or e-mailing the same file. [elided]
Actually, what it needs to break down to is a system software extension (to use the Mac as an example) that adds a smart "Encrypt/Decrypt" button (with a "sign" option) to every appropriate document-editing window, since printing, faxing and/or email are ALSO pretty challenging-to-impossible to a vast number of novice users. I'm not trying to insult the novices out there at all (if anything I sympathize with their plight and spend huge chunks of my time explaining the rudiments to them over and over again), I'm just speaking from experience as a sysadmin, tech support manager and educator. - -------------------------------------------------
From: trimble@beckman.uiuc.edu (Chris Trimble) Newsgroups: alt.security.pgp Subject: Re: I NUKED PGP. Why? This is why: [elided] Message-ID: <3cmuhl$5vu@vixen.cso.uiuc.edu> [elided] Not everyone in the world who might need/ want to use PGP is a computer-savvy guy. This is something that I discussed with the MacPGP developers some two years ago. I offered to rewrite it from scratch, and was told not to because "there is a much better interface in development and will be available soon". I still have yet to see any of that.
Me either. BTW, does anyone know what ever happened to Crunch's OOP version for the Mac circa 1993?
MacPGP is an example of a program that violates Apple's HIG up the wahzoo.
This is an dramatic understatement, and considering that the MacOS and Windows versions are the most likely candidates for spreading the use of crypto among mainstream users and thus further widening the opening of the barn door referred to in the post about Newt Gingrinch, it's a case of near-criminal neglect on the part of the low-level and interface-level Cypherpunks. I have no problems (well almost none) with the MacPGP versions I've used, but friends/colleagues/students I've exposed it to are generally left dumbfounded. This significantly adds to the difficulty of explaining WHAT cryptography is, explaining WHY they need it and then trying to show them a simple tool for empowering themselves with it. I'd estimate that _maybe_ 10 of the roughly 250+ people I've spent quality time explaining PGP to are still using it. This is the lowest success-rate (measured in persistence of use) of any single piece of software I teach people how to use. This bodes not well for the future of electronic privacy and personal cryptography, especially when you factor in the minute percentage of those people who'll actually cast an informed vote on anything crypto-related in the next election. Not well at all. Time is on the side of the NSA, unfortunately. ViaCrypt has kindly offered to send me a beta of their upcoming Mac version with enhanced AppleEvents support. This promises to open up some scripting capabilities not present in other earlier versions. I'm hopeful that, even if it doesn't differ significantly from MacPGP 2.6ui v1.2, the ViaCrypt app and the tech support that ViaCrypt provides will go a long way toward getting some of my users/clients/students using it, and I'm happy to pass the business along to them in light of their efforts. The Cypherpunks should really launch a new list oriented toward novices with basic questions. It could be a Web page with a question form, or even an email address for the Web-challenged (I may do it, but I welcome any offers to help). As an incentive to Cypherpunks, their friends and colleagues and members of the general public, I'm hereby offering to spend some time answering questions for novice users at either: <crypto-questions@lsd.com> or <pgp-questions@lsd.com>. Feel free to spread the word on this FREE (but limited by my time) service I'm offering. When the volume becomes too heavy, I'll ask you all to participate as well by asking you to identify what platform you use and what areas you're particularly savvy in ("Bo Knows Remailers."). Think of it as cypherpunk pro bono work: heck if _lawyers_ can do it, then altruistic 'punks can too, right? Those two addresses are NOW up-and-running, BTW. Both map to the same tech supt account, so circulate the one you think sounds most appropriate.
[MacPGP] completely locks your machine without any kind of dialog box when you are decrypting or encrypting, the menus aren't particularly related to the items under them, etc etc.
Indeed, MacPGP is the single most un-Maclike app I run regularly, without exception. I've been using it for three years, and while there has been progress, it's been extremely limited, mostly in fixing the most egregious GUI violations and keeping up-to-date with improvements in PGP source code. So IMHO the Cypherpunks, as one of the formost proponents of this technology, are basically shooting themselves in both left feet by not immediately and actively setting aside their wonderful projects to come up with more uncrackable crypto-algorithms (I'm not saying to STOP!) and focus for a few solid months collaborating on two extremely workable, fabulously easy implementations of the most basic functions of PGP for Windows and Mac boxes that any novice user can "plug in" and run alongside the software they use daily (word processors, email apps, even spreadsheets). In addition to the system extension idea above, drag-n-drop apps for Mac desktops that people can plop a WP file on to encrypt/decrypt/sign it and the analog for Windows users should be a SUPER-HIGH PRIORITY starting yesterday. Is it beyond the scope of possibilities to actually get the most code-wise capable people here to stop flaming each other and name-calling and work together for a while? How much bigger a barrel must we be staring down before there's some significant togetherness resulting in visible software?
If the "cypherpunks" really want to see a world of free encryption, then they should start putting more effort into making that encryption more comprehensible to the ordinary user. Right now, PGP is a program that isn't, and is essentially only usable to those who are computer-savvy.
Let me cite a small example: a few minutes ago, I let a close personal friend sit down at my workstation to telnet to her email account, and she proceded, while my back was turned for *just a moment*, to close *every dang window* in *all 14 processes* I had running (including some text and a script I'd been editing - grrr) so that she could (get this...) "clean up the screen." I explained in the most non-emotional, non-accusatory terms what she'd just done (without mentioning the hours of work she'd cost me by not saving certain things). Her response mechanism was to tear up and begin to (almost) cry. No, it has nothing to do with the Moon, and yes, this normally a very competent person (errr, computing matters excluded, need I mention?). Anyway, it was my own dang fault, wasn't it? Of course it was: how could _she_ know that there's an easy mechanism for _hiding_ all the windows in the bg processes? That's far too hidden a feature. Sure, there's a "Hide Others" menu item under an iconic menu (cute but cryptic), but what does "Others" refer to? Everyone else in the room who might look over your shoulder? Think about it. For that matter, what the HECK is a "console" window, or a "verbose" menu command? And this is on a friggin' MACINTOSH! We're not even talking Windows here, lads, much less X Windows... or even
gasp< DOS! ;)
Anyway, this is just an object lesson on how exCRUciatingly simple crypto is going to have to become. Too bad we can't get it all running by the end of the day, because in half an hour I have to attempt to teach that same friend to use PGP... ...wish me luck. dave _____________________________________________________________ "Civil Liberty Through Easy Cryptography." (ibi, nuntium!) -----BEGIN PGP SIGNATURE----- Version: 2.6ui iQCVAgUBLveIhqHBOF9KrwDlAQG4YwQAwqbqD6Qx291kAzSmtJRaReUrIV7/X1WC Hp2j2ABshWe35TFwdc1n8KhShUYljnMCEWvNvTYOzTCFpdLLAf5lOc0tSH1RVYGH kWtoeBEn3ciqBHXBddeQazS0SRm9lAcd4oX3Zwt4wXokE2hnaF3KGamJI2sVZ+Io b3RIBVNJOGI= =9Qwl -----END PGP SIGNATURE-----