On 10/11/15 12:29, Neuhaus Stephan (neut) wrote:
On 2015-11-09 21:12, "oshwm" <oshwm@openmailbox.org> wrote:
On 09/11/15 08:38, Neuhaus Stephan (neut) wrote:
On 2015-11-08 09:45, "cypherpunks on behalf of oshwm"
<cypherpunks-bounces@cpunks.org on behalf of oshwm@openmailbox.org>
wrote:
On 08/11/15 08:40, Peter Gutmann wrote:
oshwm <oshwm@openmailbox.org> writes:
Can GPG be easier to use, I think so, is it too difficult to use by ordinary
people - no, they're just too fucking lazy and lack motivation.
... and this is pretty much the poster child for why we have so much unusable
crypto today.
Or, why we have such a fucking retarded human race with the attention
span of a gnat who expect everything to be given to them on a plate.
I think you're rather making Peter's point for him.
Case in point: Would you care to try to explain to my dad (who is 76) what
an expired PGP key means, exactly? What a trusted key is? Hell, what a
public key is, even? How a PGP plaintext signature could have failed to
verify? (In this context, don't forget to explain to him the difference
between UTF-8 and ISO 8859-1.) Hint: an attitude of "well, you just have
to learn all these new concepts, you fucking retarded human with the
attention span of a gnat" is probably not going to help.
I feel sorry for your dad, having a child that thinks so little of his
mental capacity.
I guess that’s what I get for choosing an example that makes the
ad-hominem too easy.
You see, I didn't know what ad hominem meant so I had a choice, I could
wait for someone to explain it all to me or I could go and find out the
meaning for myself - which I did :P
If your dad can operate Windows and an email client then he has what is
needed to learn enough to sign and encrypt emails with GnuPG.
He doesn't need to know how crypto works or every minute detail, he just
needs to be able to make sense of a Wizard and to be able to click a few
buttons.
I don’t think that’s true, and the reason is that it’s not enough to learn
the right sequence of buttons to press. You’re right: learning to press
some buttons in the right sequence is the easy part. The tricky part
happens when an error occurs, e.g., when a signature fails to verify. And
signatures can fail to verify for a huge number of reasons and an
Enigmail-style user interface will simply expose them to the user.
Without a correct mental model—which goes beyond knowing button
sequences—no one will be able to make a correct assessment of an error
situation, no matter what the age, education, or mental capacity.
He'll be at a disadvantage for not learning more about crypto and PGP
but he'll be able to maintain a small amount of privacy in his use of
email.
Only when things go right. And only if he cares enough. If there was some
automated mechanism that would do all of these things automatically in the
background, he could be using encrypted email without even knowing it.
Like Skype, who at one time provided encrypted video and voice chat
without users even being aware. That did more for security than exposing
all the intricate details through an Enigmail-style UI.
Skype: centralized authentication by a third party corporation - you
don't have to do any authentication for yourself, you just have to trust
that Microsoft will never act in a way inconsistent with your privacy or
freedom.
PGP: decentralized authentication where the amount of trust you have in
the certificates is fully under your control. But with this control
comes complexity because you don't have some benevolent overlord taking
care of your every need.
Take your pick, personally I don't trust big corporations and for that
reason will accept the extra complexity.
When he gets stuck he might be able to ask his son or daughter for help
He might indeed! Or he might not, given that his interest when interacting
with a computer is to e.g. send an email to someone, not to have to expend
work to preserve his privacy. I suspect that he’d rather go on with what
he was doing — sending email — than asking me what a good but untrusted
signature is. (For example.)
If he has little interest in protecting his privacy why would he even
bother with any encryption no matter whether it's easy to use or not?
- assuming he hasn't given up asking because you hold his mental
capacity in such low regard.
OK, next time, I’ll *really* choose another example that doesn’t open
myself up to the ad-hominem so easily.
Yep, use stereotypes and you get what you deserve :P
If we want “ordinary people” (whatever they are, but in a crypto context
they’ll be more like my dad than like me) to use encryption, we will have
to make it invisible to them. It doesn't even have to be perfect; good
enough will do.
You think if crypto is invisible to people then they'll be able to deal
with when things go wrong any better than your dad would be if you
equipped him with minimal knowledge of how to get by with PGP using e.g.
Enigmail on Thunderbird?
In most cases, yes. Also, it will enable things to go right more often,
simply because configuration options will be removed, making the whole
thing easier to write and test.
The more you hide details from people, the less they are able to help
themselves.
That is only true for a very small number of specialists. The success of
many products is precisely the careful hiding of many details, most of
which would be unintelligible to the vast majority of users anyway. Unless
you’re a trained engineer, you will have no detailed idea how a modern car
engine works (or FM radio or …), for example. If you had to know these
things in order to operate a car engine, there would be vastly fewer cars
out there. And common failure modes of cars — low fuel, low oil or tire
pressure and whatnot — have been incorporated into user interfaces that
many people routinely and correctly use. That works only by not exposing
details.
You can drive a car mostly successfully without too much information but
if it stops at the side of the road and the limited info from your dials
doesn't tell you what's wrong then a bit more knowledge might just get
you home.
If anything, this matches the Enigmail model more than the invisible
crypto model.
Fun,
Stephan
—
If I have downvote policy, I will downvote you.