On 1/16/2017 10:15 AM, Razer wrote:

If you really need security a small learning curve is acceptable and attainable.

No it is not. And proof is that it is not in fact attained. Further a small learning curve is not needed. We can in fact have zero clicks security - placing the burden on designers and developers, not users. For example phishing could easily be abolished by making all passwords zero knowledge password protocol under the hood and placing logins in the chrome. Well, not easily because we would have to rewrite existing standards and redo much existing software, but easily for the end user, who would scarcely notice that anything had changed. Similarly, it is possible to ensure that the mapping between public keys and IDs looks the same for everyone in the world, preventing MIM attacks without burdening the user to manage his public keys himself.

On 1/16/2017 11:04 AM, James A. Donald wrote:

Similarly, it is possible to ensure that the mapping between public keys and IDs looks the same for everyone in the world, preventing MIM attacks without burdening the user to manage his public keys himself.

At present three hundred million people communicate by Viber. When you install Viber, it generates a secret key and a public key and sends the public key to Viber headquarters. When Ann wants to message Bob, Viber headquarters sends Ann's client Bob's public key, and Bob's client Ann's public key. And then they can message each other, no one on the network, not even Viber headquarters, can know what they are saying to each other. Unfortunately Viber could send Ann a public key belonging to the CIA as Bob's key and Bob another key belonging to the CIA as Ann's key, and then the CIA can be in the middle as Ann and Bob send messages to each other. Ann thinks she is sending a message to Bob, but actually she is sending it to the CIA, which then resends it to Bob. To prevent this, to deny itself this capability, Viber could maintain a rolling global hash representing the current mapping between ids and public keys, and all past mappings between ids and public keys, and when it sends Ann the key for Bob, sends Ann the hash path connecting Bob's mapping to the current rolling hash for the entire world and all of history. We have several mutually hostile people and organizations monitoring this rolling hash, for example the KGB, the CIA, Wikileaks, and Trump's security guy (who I think is one of his sons or grandsons). Your software picks an organization at random. The user could intervene and pick one, or pick several, but ordinarily will not. Suppose Viber headquarters arranges for the CIA to spy on Ann and Bob. If Ann and Bob's Viber clients have both picked the CIA for their source for the rolling hash, then they are out of luck, but if one of them has picked the KGB and the other has picked the CIA, then the one that picks the KGB will get the correct version of the rolling hash, in which case the attempted man in the middle attack will fail, and that Viber headquarters is collaborating with the CIA will be exposed to the KGB, to Ann, and to Bob. Thus Viber could prove it is not spying on its users.

On 1/16/2017 1:16 PM, Shawn K. Quinn wrote:

Alternatively, how about Viber redesigning their software such that Alice and Bob can give each other their public keys without Viber headquarters even having to get involved,

I have written such software. Nobody wanted to use it. I simplified end user key management as much as I could, but it was not that simple.

On 1/16/2017 1:28 PM, juan wrote:

people need to learn how to manage their keys - it's not hard...

Is hard. We have been through this already.

On 01/16/2017 01:38 AM, James A. Donald wrote:

On 1/16/2017 1:28 PM, juan wrote:

...

people need to learn how to manage their keys - it's not hard...

Is hard.

We have been through this already.

It's not hard. People are just lazy and spoiled with their facebook messenger. Most users today value convenience over security. Whine, whine, whine and that includes many so called power users.

...

people need to learn how to manage their keys - it's not hard...

On 1/17/2017 9:55 AM, StealthMonger wrote:

Yes!

Is hard. Suppose I want to talk to you about something that is actually important. I ask you to email me your public key. How do I know that the key I receive is the key you sent? One solution is to make your public key as public as possible, affix it to all your communications and never change it. But you are not doing that.

On 01/16/2017 11:00 PM, James A. Donald wrote:

Is hard.

Suppose I want to talk to you about something that is actually important. I ask you to email me your public key. How do I know that the key I receive is the key you sent?

If you think someone's monkeying with your email, then you don't do the key exchange that way, you do it in person or at the very least you verify it in person or over the phone.

One solution is to make your public key as public as possible, affix it to all your communications and never change it.

But you are not doing that.

That's what keyservers are for. Affixing the key to every message is a needless waste of space. -- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

On Tue, 17 Jan 2017 12:18:36 -0500 John Newman wrote:

You can also serve your keys on a web server you control over HTTPS with a legit signed certificate. $8 from comodo, free from the let's encrypt people and startssl people....

Why is comodo more trustable than the let's encrypt bunch?

On Tue, 17 Jan 2017 13:45:30 -0500 John Newman wrote:

On Tue, Jan 17, 2017 at 03:33:11PM -0300, juan wrote:

...

On Tue, 17 Jan 2017 12:18:36 -0500 John Newman wrote:

...

You can also serve your keys on a web server you control over HTTPS with a legit signed certificate. $8 from comodo, free from the let's encrypt people and startssl people....

Why is comodo more trustable than the let's encrypt bunch?

I don't see any reason it would be... I just mentioned comodo because they are cheap and slightly less of a hassle than going with the free CAs.

Apologies, I just realized I misread what you wrote. I took "free from the let's encrpt people" to mean "not dealing with them" or avoiding them. My bad!

John

On 01/15/2017 06:15 PM, Razer wrote:

If you really need security a small learning curve is acceptable and attainable. I also see an insidious trend towards cutting out 32 bit machines, Meaning po folk ain't entitled. 64 bit isn't inherently more secure that 32 bit should be 'left behind' for any reason beside... dast I say... "User base"? (Dast dast!) at the expense of the niche that really needs the security. Poor folks in authoritarian dictatorships and such lorded over by US installed strongmen.

The move towards 64-bit is not about security, but about the fact that 32-bit hardware is becoming increasingly more rare. My friend's 64-bit PC has a BIOS copyright date in 2006, and by no means is he usually an early adopter of new technology; by 2010 if not earlier it was much easier to get a new system that was 64-bit capable than one that specifically was not. I decommissioned my last 32-bit PC in 2011, and the only time I might need the 32-bit version of something is to run it in a VM on my laptop (it can only do 32-bit VMs, not 64-bit). For most code which does not actually require a 64-bit processor to run, it should be possible to compile 32-bit binaries. However we are moving towards a world where 64-bit is the rule not the exception and 32-bit is today what 16-bit was in, say, 20 years ago (1997-ish). -- Shawn K. Quinn http://www.rantroulette.com http://www.skqrecordquest.com

On 01/15/2017 09:31 PM, Steve Kinney wrote:

A work in progress:

A Millenials' Digital Bill Of Rights

We hold these truths to be self evident, that all First World Middle Class tweens, teens and 20-somethings are created superior, and are endowed by their Creator with certain inalienable digital rights including:

To have their personal needs anticipated and met without effort on their part.

To do exactly as they please at all times with no chance of destructive consequences.

To maintain high bandwidth 24/7 ominplexed network participation with full privacy and security.

To by protected from abuse of State and Corporate power by State and Corporate actors.

Our up and coming Consumers did not choose these self- and mutually contradictory demands themselves; they have been indoctrinated by a seamless lifelong sales campaign, a uniform front of instant gratification product offerings and attractively packaged Experiences. No "conspiracy" was required to implement this program; it arose naturally from commercial competition. But this spontaneously self-organized Standard has been recognized, formalized, and is now consciously pursued by every significant vendor in the consumer electronics, software and network services sphere. The market has spoken and the UX future is now.

A monitored life for every consumer, in the cybernetic sense of the word monitored, has now become a conscious and calculated goal: An egocasting bubble for every consumer, unbreakable walls of contempt and alienation between every pseudo-tribe, a navigation funnel for every human need, and a grand illusion of personal autonomy for every captive consumer. All consumers shall be sold both aspirations and the fulfillment of those aspirations in an eternally self adjusting feedback cycle of surveillance and adaptive stimulation.

Users? Please. General purpose programmable computers in private hands create problems, not Solutions. Laughable wannabe-elitist Lusers are already being phased out of society, and good riddance. We will of course need a /few/ thoroughly vetted and deeply dependent grunt workers to design and program devices to meet sales and marketing objectives. There will also be deviant technophiliac rats in the walls of the global village, but exterminators make money you kno w.

"And our children will live ... to see that perfect world in which there's no war or famine, oppression or brutality -- one vast and ecumenical holding company, for whom all men will work to serve a common profit, in which all men will hold a share of stock, all necessities provided, all anxieties tranquilized, all boredom amused." -Arthur Jensen

https://www.youtube.com/watch?v=jxiT30N6ti4 Text Available at American Rhetoric: http://www.americanrhetoric.com/MovieSpeeches/moviespeechnetwork4.html