[FORGED] Re: [FORGED] Re: UK To Ban Crypto In Devices, Email And More

oshwm oshwm at openmailbox.org
Tue Nov 10 11:11:22 PST 2015



On 10/11/15 12:29, Neuhaus Stephan (neut) wrote:
> On 2015-11-09 21:12, "oshwm" <oshwm at openmailbox.org> wrote:
>> On 09/11/15 08:38, Neuhaus Stephan (neut) wrote:
>>> On 2015-11-08 09:45, "cypherpunks on behalf of oshwm"
>>> <cypherpunks-bounces at cpunks.org on behalf of oshwm at openmailbox.org>
>>> wrote:
>>>
>>>>
>>>>
>>>> On 08/11/15 08:40, Peter Gutmann wrote:
>>>>> oshwm <oshwm at openmailbox.org> writes:
>>>>>
>>>>>> Can GPG be easier to use, I think so, is it too difficult to use by
>>>>>> ordinary people - no, they're just too fucking lazy and lack motivation.
>>>>>
>>>>> ... and this is pretty much the poster child for why we have so much
>>>>> unusable crypto today.
>>>>>
>>>>
>>>> Or, why we have such a fucking retarded human race with the attention
>>>> span of a gnat who expect everything to be given to them on a plate.
>>>
>>> I think you're rather making Peter's point for him.
>>>
>>> Case in point: Would you care to try to explain to my dad (who is 76)
>>> what an expired PGP key means, exactly? What a trusted key is? Hell,
>>> what a public key is, even? How a PGP plaintext signature could have
>>> failed to verify? (In this context, don't forget to explain to him the
>>> difference between UTF-8 and ISO 8859-1.) Hint: an attitude of "well,
>>> you just have to learn all these new concepts, you fucking retarded
>>> human with the attention span of a gnat" is probably not going to help.
>>>
>>
>> I feel sorry for your dad, having a child that thinks so little of his
>> mental capacity.
> 
> I guess that’s what I get for choosing an example that makes the
> ad-hominem too easy.
> 

You see, I didn't know what ad hominem meant so I had a choice, I could
wait for someone to explain it all to me or I could go and find out the
meaning for myself - which I did :P

>> If your dad can operate Windows and an email client then he has what is
>> needed to learn enough to sign and encrypt emails with GnuPG.
>> He doesn't need to know how crypto works or every minute detail, he just
>> needs to be able to make sense of a Wizard and to be able to click a few
>> buttons.
> 
> I don’t think that’s true, and the reason is that it’s not enough to learn
> the right sequence of buttons to press. You’re right: learning to press
> some buttons in the right sequence is the easy part. The tricky part
> happens when an error occurs, e.g., when a signature fails to verify. And
> signatures can fail to verify for a huge number of reasons and an
> Enigmail-style user interface will simply expose them to the user.
> Without a correct mental model—which goes beyond knowing button
> sequences—no one will be able to make a correct assessment of an error
> situation, no matter what the age, education, or mental capacity.
> 
>> He'll be at a disadvantage for not learning more about crypto and PGP
>> but he'll be able to maintain a small amount of privacy in his use of
>> email.
> 
> Only when things go right. And only if he cares enough. If there was some
> automated mechanism that would do all of these things automatically in the
> background, he could be using encrypted email without even knowing it.
> Like Skype, who at one time provided encrypted video and voice chat
> without users even being aware. That did more for security than exposing
> all the intricate details through an Enigmail-style UI.
> 

Skype: centralized authentication by a third party corporation - you
don't have to do any authentication for yourself, you just have to trust
that Microsoft will never act in a way inconsistent with your privacy or
freedom.

PGP: decentralized authentication where the amount of trust you have in
the certificates is fully under your control. But with this control
comes complexity because you don't have some benevolent overlord taking
care of your every need.

Take your pick, personally I don't trust big corporations and for that
reason will accept the extra complexity.

>> When he gets stuck he might be able to ask his son or daughter for help
> 
> He might indeed! Or he might not, given that his interest when interacting
> with a computer is to e.g. send an email to someone, not to have to expend
> work to preserve his privacy. I suspect that he’d rather go on with what
> he was doing — sending email — than asking me what a good but untrusted
> signature is. (For example.)
> 

If he has little interest in protecting his privacy why would he even
bother with any encryption no matter whether it's easy to use or not?

>> - assuming he hasn't given up asking because you hold his mental
>> capacity in such low regard.
> 
> OK, next time, I’ll *really* choose another example that doesn’t open
> myself up to the ad-hominem so easily.
> 

Yep, use stereotypes and you get what you deserve :P

>>> If we want "ordinary people” (whatever they are, but in a crypto context
>>> they’ll be more like my dad than like me) to use encryption, we will
>>> have to make it invisible to them. It doesn't even have to be perfect;
>>> good enough will do.
>>>
>>
>> You think if crypto is invisible to people then they'll be able to deal
>> with when things go wrong any better than your dad would be if you
>> equipped him with minimal knowledge of how to get by with PGP using e.g.
>> Enigmail on Thunderbird?
> 
> In most cases, yes.  Also, it will enable things to go right more often,
> simply because configuration options will be removed, making the whole
> thing easier to write and test.
> 
>> The more you hide details from people, the less they are able to help
>> themselves.
> 
> That is only true for a very small number of specialists. The success of
> many products is precisely the careful hiding of many details, most of
> which would be unintelligible to the vast majority of users anyway. Unless
> you’re a trained engineer, you will have no detailed idea how a modern car
> engine works (or FM radio or …), for example. If you had to know these
> things in order to operate a car engine, there would be vastly fewer cars
> out there. And common failure modes of cars — low fuel, low oil or tire
> pressure and whatnot — have been incorporated into user interfaces that
> many people routinely and correctly use. That works only by not exposing
> details.
> 

You can drive a car mostly successfully without too much information but
if it stops at the side of the road and the limited info from your dials
doesn't tell you what's wrong then a bit more knowledge might just get
you home.
If anything, this matches the Enigmail model more than the invisible
crypto model.


> Fun,
> 
> Stephan
>> If I have downvote policy, I will downvote you.
> 
> 
