trampCrypt family of CLI programs

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 2 01:05:39 CEST 2012


On 8/1/2012 6:13 PM, vedaal at nym.hush.com wrote:
> These users are *trusting* you with their sensitive information, 
> but are *blind* as to the problems that may occur.
> 
> It is far, far worse to communicate using encryption, expecting 
> that privacy will be maintained, when unknown to the user, it may
> not be, than not to communicate at all.

I would say that it "may be far, far worse," but with that minor quibble
I could not agree more.

=====

By itself, GnuPG is useless.  It may even be worse than useless.  In the
best case GnuPG can be an effective tool for ensuring the
confidentiality and integrity of messages, but in the worst case it's
just cryptographic fairy dust: people think that if they just do X
followed by Y and Z, they will somehow magically be secure.

Feynman warned against this thinking in science.  He called it
"cargo-cult science," after the South Pacific islanders who built
incredibly intricate religions based on imitating the forms of
airplanes, airbases and other things they saw during World War Two.  But
no matter how accurate the bamboo mock-up of a DC-3 cargo plane is,
without an understanding of Bernoulli's Principle, the Navier-Stokes
equations, fluid dynamics, mechanical engineering, Newtonian mechanics
and the like, you can't make a real DC-3 and your bamboo mock-up will
remain something that *looks* like a DC-3 while missing absolutely
everything that makes a real DC-3 what it is.

Cargo-cult cryptography is the exact same thing, just done with software
instead of bamboo.

=====

What makes cargo-cult DC-3 airplanes safe is the fact they never get
airborne.  We know they are clearly, obviously, defective from the
get-go, and so we never trust them.  We might fool ourselves into
thinking we're on the right track and next year's bamboo DC-3 will be
able to take off to fly to John Frum [1] for sure, but this year's plane
is just not working.  Nobody really gets hurt.

But cryptography is not like an airplane, where the fake stuff becomes
evident very early on.  Cryptography is more like an ejection seat.
When you need it, it has to work right, the first time, even while the
aircraft is on fire, breaking up, and about to explode... and even then,
if you go into it without training, you'll probably be dead before you
hit the ground.

The popular understanding of an ejection seat -- "pull the D-rings and
enjoy the ride" -- is completely wrong.  Pilots have to train for
ejection because there are so many things that can screw up.  You have
to get into the right position for ejection because otherwise you'll
shatter your spinal column from the 35+ Gs of acceleration.  And once
you've ejected, with your vertebrae cracked and/or broken, you have to
consider the possibility you may be on fire.  (Seriously.  You were
sitting on top of a rocket motor inside an aircraft that was on fire and
about to explode.  You may be on fire.)

What do you do then?

Your shroud lines may get tangled.  How do you untangle them?  How do
you untangle them with a broken spinal column and your boots on fire?

You may be about to land in hostile territory, injured, and with an army
hunting you.  How do you hide and how do you evade?

The purpose of training is not to give you rote tools.  The purpose of
training is to teach you how these rote tools work, how to use them in
concert, when one tool is disadvised and another is strong, when two
tools can be combined in creative ways, and so forth.  It is to give you
the ability to improvise highly effective solutions to the demands of a
chaotic and ever-changing world.

Pilots call their training "training," and call their knowledge of how
to use their training "the Right Stuff."

In communications security, knowing how to use training is called
"tradecraft." [2]

=====

Whenever I hear someone say that GnuPG is too hard to use, well, I
sympathize with them.  GnuPG is very hard to use.  It has a learning
curve like the Matterhorn.  I have no disagreement there.

But when I hear people say they have a great idea that will allow people
to keep secure against dedicated, serious adversaries while requiring
very little training or knowledge on the part of the user, well...

There is no replacement for tradecraft.

There will never be a replacement for tradecraft.

Tradecraft is always a hard skill to acquire.  (I am a rank amateur, and
I doubt many people on this list are better.)

And you can rely on a dedicated, serious adversary having excellent
tradecraft of their own.







[1] http://en.wikipedia.org/wiki/John_Frum
[2] http://en.wikipedia.org/wiki/Tradecraft



