What is stopping PKI from growing was: Re: what is killing PKI?

antispam06 at sent.at antispam06 at sent.at
Wed Aug 29 11:28:52 CEST 2012

Hello List!

I'm (for some of you) your worst nightmare. Somebody who does not master
the fine arts of cryptography, yet has an opinion about cryptography. I
might say I enjoy reading the thread on PKI, but I wasn't able to read
it all.

Please understand this is not a flame against Landon, but rather at the
whole culture of having a debate that puts people into two groups: a
small one formed by initiated and a huge one with lay people. I am using
his message, yet the ideas were already used on other debates and on
other sites / forums / mlists. Bottom line, it's for everyone who might
feel offended by it and not for those who might find it anything but

On Wed, Aug 29, 2012, at 06:00, Landon Hurley wrote:
> In that case, perception of threat and more importantly loss of tangible
> goods keeps PIN secure. Obviously that works for envelopes as well, but
> honestly I think economics probably holds even more strongly. It's
> cheaper to buy a ton of envelopes than an equal number of postcards.

That's one of the best examples of a straw man fallacy. I'm quite sure
it wasn't intended, as you were probably just fighting an older
argument. Yet, someone might pick it up and use it.

I think the argument with the envelope instead of a postcard is dated
before considering encryption as an electronic envelope. Anyway, while
the argument is in my opinion brilliant, the explanation is childish.
Or, if you prefer, it looks laid like an egg by the mind of the
stereotypical nerd living in a basement. The real postman has way too
much on his hands to waste time with every private message. Yet, the
message might be delivered into the hands of a servant or family member.
It's them, the people around, who are the most interested to find out
the juicy story.

Bringing in economics is something that pops in more often year by
year. Economics is a silly way of putting things. And what you are
pointing out is the accountancy, or bean counting if you prefer, and
not economics. In other words, I might not know much about
cryptography and its use, yet you guys don't know much about economics
either. From an economic point of view, bordering marketing, it would be
far better for me to invest into wonderful / interesting postcards which
I might obviously stamp with my Business data, thus providing a vehicle
for my brand. Even if the accountant might point out it's cheaper to
have bulk envelopes and use regular copier paper.

To expand the divagation: there are the financial point of view, the
accountant point of view, the economics point of view. We can expand to
the marketing point of view. All these are put in a blender with some
liquid, say barf from the chief editor and processed until smooth.
Everything is then baked in whatever form the chief editor wants and
delivered to the masses as economics. Yet, it's still extremely
important to make the difference.

> While we're kicking around pet theories though, I still think web mail
> has to be a significant barrier. The ratio of people who use a browser
> rather than a local mua at my uni are something like 4:1. If you get
> people culturally used to using PKI though, they will, which in this
> context would mean get them used to it in college. Just like the
> Microsoft student pricing, the idea should be indoctrinate at a
> relatively young age, so that they come to expect it later.

I find it sickening the absolutist way of thinking when there's the
place for relativism. I know both terms have various meanings nowadays
so bear with me.

Terrorism is relative. I make you live in fear. I am a terrorist. You
find a way to threaten my family in a desperate and illogical / aberrant
attempt to stop me. Bravo! You are a terrorist too.

Media and political voices today are doing what has been done for
millennia: impose an absolutist view. I am terrorised by that guy, I have
a right to do whatever is necessary to stop him or her. With a wonderful
omission: nobody ever steps forward to specify what falls into whatever
is necessary. In other words: the assumed victim can prove far more
vicious than the former aggressor.

What Microsoft is doing around the world is indoctrination. Although
it's a light indoctrination as college students around the world don't
feel an impulse to call the BSA hotline when they get an unlicensed copy
of some software.

What people should do is educate. Not indoctrinate. And even accept the
possibility people would choose otherwise.

But you are right with the first part of this paragraph. While every
once in a while there is a talk started somewhere, somehow about
cryptography and how people do not use it, there are far fewer on-campus
training sessions. High school teachers are not stimulated with some
credit points somewhere if they follow some classes about privacy. It's
mostly a dry exchange of theories of why the World is the way it is now.

Really, while people are giving savant talks about why OTHER people are
not going their way, there are only a few who do the actual work. I read
about high entropy. Most Wikipedia articles are written by math majors
who are pretty proud of the painting they could do with MathML. Can I
use an .ogg music file as a key to a TrueCrypt container? No, you should
use a high entropy pass phrase. How do I calculate if my password is
high entropy enough? I want to see numbers, as in password length.
Everybody gets it when somebody tells them a 4 letter password is weaker
than a 9 alphanumeric. I've seen quite a few debates. Using logarithms.
Each has a better idea which logarithmic value would be better. But how
to give a benchmark? Myself I agree with the author of that cartoon [1]
saying through 20 years of effort, we've successfully trained everyone
to use passwords that are hard for humans to remember, but easy for
computers to guess.

[1] https://xkcd.com/936/

I see webmail as far from a barrier. Get one plain text editor with
encrypt / decrypt abilities. Then just copy and paste the armored text.
What can be simpler? Why do I have to handle a buggy slow beast like
Thunderbird or Evolution when I can do it with the ballast provided by a
modern web browser? If the browsers were of a smart design I could do
everything on a 386. So, instead of having a complicated system with
problems, just use a web interface and do all the mails offline in a
folder. Faster, more portable.

> Alice logs in to webmail, which makes her feel secure, and as far as she
> can tell Bob logs into his, and nobody can open it up otherwise. There's
> no perception of threat, probably because very few lay people understand
> 1. How easy it is to intercept email and 2. How insecurely email is
> stored. <soapbox>In the day and age when not having a Facebook account
> gets you strange looks and mutters behind your back, unless you force
> this upon people, it's not going to stick<jumps off>. Short of a massive
> government surveillance controversy with jackbooted thugs roving the
> country, nothing (for loose definitions of nothing) is going to convince
> people to voluntarily seek PKI, because they don't see a threat. Even in
> that situation, a good ~30% of the population can be counted on to come
> back to the 'should have nothing to hide' argument.

Nice story. Yet, when I search „Yahoo webmail” on Google there isn't an
article in the first 25 links about the privacy issues of Yahoo. Yet,
Yahoo advertises it's secure. You do have the nice ideas. But I don't
see ANYTHING beyond that.

Why look down at people? Lay people? A concept invented by the religious
/ initiated caste to separate themselves from the disgusting masses.

It's not so much people are stupid. It's much because nerds have
entrenched themselves in so many layers of silly talk that marketers
were able to easily pull a nice one: The Cloud! Alice sees a nice window
on her end of the cloud. For her, her window is magically tied to Bobs

Also I can tell you from my personal experience the whine about not
having a Facebook account is just intellectual masturbation. Sure, a nerd
would have been shocked for a normal person not to have an email address
in 1998! But his social skills were close to zero. Meaning the effect is
also close to zero. Now people want to know fast everything there is to
know about you. So Facebook is the answer. Have a personality. Get some
social skills. Be interesting. And in no time people will change from
strange looks to „tell me more about not using Facebook”.

It's cute to develop bondage through some sort of initiation, say
Dungeons and Dragons if you like a cliché, but it's still jacking off.
The world is the thing out, at large, and not some meetings in a

Also, from what I know and not some nation wide socio–economic study,
people are extremely concerned about their privacy. That's because of
two facts. One is the media fetish with fear. The other one is some well
made information campaigns. So people do know Facebook leads to divorces
and loss of money. But how can they still push the photo with that drunk
dead prostitute to all their friends? They want something about privacy
and security of communication. They have no alternative. And the
temptation is so strong they fall back to what they know.

Even if gpg is easily obtainable, that is, still, almost nothing. Gpg is
not a portable app. One must read a few cryptic pages. Even if clear,
they are boring. Generate a key. What size? The answers are quite
liberal: it depends on what you need. It should be *2048 or read some
more dry text*. Alice gets Bob to install it too. Maybe Bob can't
install it as it is a laptop from work. Boom! The dark basement
wide–rimmed dork concludes: it's because lay people are not so smart
like us. Fast forward 5 years from now, when he'll get a hair cut and a
necktie as a token of his obedience to the firm and CEO, and the same
dork is going to be quite inquisitorial in his attitude towards
installing foreign, unauthorised software on the company laptop. Why, oh
why? Something breaks, he has the images. The laptop is back to square
one in less than half an hour. But he's now not a regular nerd. He's a
cool geek. And he has more than 50 security arguments of why he must not
waste time with mere mortals.

You see, it's disgusting. Education. Or indoctrination if you prefer.
Knowing about entropy. Knowing about what the cloud really is. Then back
to the real life. It's from these people that the system admins are
selected. They move out of their dirty basements. Maybe they have enough
money to trick a girlfriend. And then they are the ones imposing all
those restrictions. Mind you, is the CEO wasting sleep nights reading
long man pages about making and storing a copy of every employee's email
both outgoing and ingoing? Is the financial analyst blocking USB ports?
Is the personal secretary of the President of the company making the
software that lists login and logoff times for every white collar
employee and the proxy that tracks their every move? Puhlease!

> The barrier is solely cultural, not technical. Enigmail, Thunderbird and
> gpg4win are trivial to set up. The first time I did it, it was on the
> phone, talking someone through it. So we either need to invent some sort
> of massive threat perception to unite everyone to adopt PKI, or just
> continue to push it as a grass roots movement. Or if some kind person
> would like to introduce a viable third option, I think a decent portion
> of humanity would owe him/her a debt. On the other hand, I'm advocating
> a rather heavy handed, Platonian, do it for people's own good even if
> they don't like it/decide they need it, so I'm sure at least some, or
> even most, will disagree as well. I will add my confession to the pile
> of selfish reasons to want to have PKI become widespread.

See above. Alice finally gets it. And she wants to communicate securely
with Bob. Bob CANNOT do it. Why? Not because he is stupid. Not because
he lacks the special culture of the powers of two and an understanding
of binary representation of a decimal number. But because a servant nerd
is going to do anything in its power to stop this. If the same over the
average intelligence social unfit would have written a company policy
that everyone should have gpg installed on their work station and
everyone should have one key for all business matter and one key for all
private matter upon the penalty of something, now life would be
different, don't you think?

Or what are you offering? Bob should carry a second laptop for private
matters? I used to have a bag of phones: the smallest number was 4.
Should I put two laptops on top of that? And some bike gear also. Now
that won't make me fit. That would lead straight to spine surgery.

Now, Thunderbird is a pain in the behind. A team is trying hard to bring
the anonymity of Tor to it. I hope they would be able to do it. It's
large. It's slow. It used to have issues with the protocols. But, it's
portable. Enigmail is an extension and that makes it rather portable.
But gpg4win is NOT.

Even if installing the three is quite easy, how about the bashing around
with „you have to choose a good passphrase or it's worse than before”?
Does Alice have to waste a month online trying to make sense out of
what's written about having a good passphrase? And why? To find out
she's only a lay person with wrong assumptions? No. Because she is only
human. She is going to do it the way she knows it and pray nothing bad
happens. This is what people have done for millennia. This is how, with
modern medicine, homeopathy thrives. Why risk dying in the hands of a
surgeon when you can be sure everybody dies sooner or later?

Also I think people like you should work more and more on their pleasant
side. Learn some skills that don't involve machines. Relax. Just because
others bullied you, you don't have to be a bully.

Or put it this way: what makes you sure your way is the good way? Just
because you think you are smart, makes you smart enough to think for the
others as well? What happens when you are in the wrong, even if you know
what you say is gospel truth, and other people start imposing their ways
upon you? How would that feel? I can assure you that a social unfit
person would fare much much worse than one of those lay people outside.

Question: sure, it's nice to see the signature used here, on the gpg
list. But why do you people use it? Myself, an outsider, see it as a
geek code. Sure, Werner is the gpg master. And somebody might
impersonate him and talk about a terrible breach of security in the
latest pack and offer an alternative download. But how about you, the
rest? What difference does it make if I would impersonate you or you or
you? I'd say get a cute tattoo some place obvious. It's far nicer.


More information about the Gnupg-users mailing list