What is stopping PKI from growing was: Re: what is killing PKI?

antispam06 at sent.at antispam06 at sent.at
Fri Aug 31 14:07:19 CEST 2012


Thank you Faramir!

I was so afraid nobody would feed the troll and the archives would split
the OP and the answer because of the passing month.

On Fri, Aug 31, 2012, at 04:36, Faramir wrote:
> El 29-08-2012 5:28, antispam06 at sent.at escribió:
> > I'm (for some of you) your worst nightmare. Somebody who does not
> > master the fine arts of cryptography, yet has an oppinion about
> > cryptography. I might say I enjoy reading the thread on PKI, but I
> > wasn't able to read it all.
> 
>   I don't think that is anybody's nightmare. After all, many of us are
> not "masters of cryptography".

A user with an attitude. A newcomer with an idea. Anything that disrupts
a pecking order is a potential nighmare as it might imply the subject
might be subjected to beak hits in the cranial area for the following
days.

The reality there are only a few masters of cryptography. The others
just translate the math into scripts the best they can. Which means less
than optimal.

The other reality is that other people don't bother to read and
comprehend something unless they see a gain, they can feel a profit,
whatever that might be. Which, in the light of the „knowledge”, makes
them stupid. Stupid for not thinking the same way as the subject, the
self of the idea generator if you like.

Thus a pornographer in Islam is far more willing to encrypt his
transactions than a highschooler who writes about what „everybody
knows”. Only to find out 10 years later that there were people that it
would have been better not to know.
 
> > Please understand this is not a flame against Landon, but rather at
> > the whole culture of having a debate that puts people into two
> > groups: a small one formed by initiated and a huge one with lay
> > people. I am using
> 
>   Right, but it doesn't require high technological skills or a degree
> in computer science to become an initiated. It can be explained in 20
> minutes, while you drink a coffee. Manuals are long and sometimes hard
> to understand, because they must cover a lot of information, and list
> all these options we will never use (but are still there, because what
> I don't use is a must-have for other people). Just stay with us a bit,
> and soon you'll find yourself transformed into a GPG initiated.

Tech. Skill. Being smart. Being less smart. Being not smart at all. Why
all this? The carrot at the end of the rope is enough for an ass. People
don't go though 4 years of University to be more educated. They want
access to those better paid jobs everybody talks about. Bringing to the
table a fake aura of erudition is only a side effect. It's nice, but not
good enough. Exaggerated sex and drinking records are far easier to
bring to the table for far less effort.

Manuals are long and hard to understand because they were produced
through the same process: reward. Only a few accidental professors do
try to teach students something. Most want to further their academic
career. Which is why, each of them, good or bad, chose that particular
path in life. In their world a 50 page book made out of a single diagram
populated with very basic language is risible. And a 5 000 page compact
text is very academic–ish. Read that and that's what you do have on your
hands: a very compact typed succession of words. Those words can become
meaningful if the student is particularly attracted to the subject and
is ready to absorb almost anything in relation.

You have to see it in perspective. In 19 century US people were actually
punished for teaching dark skinned individuals how to read. It was THE
law. Yet, some of those „darkies” went to great lenghts to learn it. The
same way a dedicated scientist would read any kind of junk in hopes of
finding a gem that would further one's knowledge.

Make education available to everyone no matter the color of the skin and
some people would still not know how to read. Make it mandatory and some
would even rebel against it. The same goes for the sciences. Make a
vaccine. Many would ignore it till it's too late and there's an oubreak.
Make it compulsory vaccinations and people would develop legends.
Against the process, of course.

The trick is to make it so simple people won't be able to resist. As
long as the alphabet is a dry succesion of signs there would be people
who don't know how to read. Make it fun and it would be hard to stand.
Make reading fun and people would go from being able to sign their names
to being able to actually read.

Now, make cryptography simple is bound to make it weak. But I don't mean
to make it simple that way. Make it obvious. The computer does the work.
If it does the work for the bad guys decrypting messages, why shouldn't
it work for the common man as well? After all, we're past the days of
Enigma. Today I can't imagine a room filled with people with pens and
papers scribbling fast theories of how to break a gpg ascii armoured
text. Today it's the day of the dictionary attack.

I wonder how would be in the day when I would ask the next search
engine: I had a highschool friend that went around calling himself John
when his name was actually Sam. He's probably balding by now and must
have a huge beer belly as he used to love that drink. And poof! There I
have a screen filled with pictures of potential people. Today it's only
the dictionary attack. Facebook indexes everything and given the data
given by the antourage of a particular user the system can pull him out
of the crowd for me or for anybody asking. Recording conversations goes
the same way. I want to search anybody who says a particular word.
Nothing smart. Actually the very fast process pushed by the future IBM
to the National Socialists. So, at least for me, it's hard to see what's
smart or inovative to what Google or NSA are doing today.

Back to what you have written: just „stay with us” is not enough. The
man of the 2001 needs defaults. The ability to further ones knowledge is
a nice feature, but less relevant. I think it never was. But that's only
speculation.

> ...
> > I think the argument with the envelope instead of a postcard is
> > dated before considering encryption as an electronic envelope.
> > Anyway, while
> 
>   Well, but it is. It is an almost impossible to open envelope, but
> encrypted email still have the recipient's address, and the info of
> the sender, at plain sight.

So does the envelope. A white envelope, unless dropped in a private
meeting, means anybody can feel to be the recipient. So there should be
at least a recipient. But, usually it's quite easy to locate the sender
too. Centuries back, that could be avoided through means closer to
stegranography: send a messenger who would not catch attention directly
to the intended target.

The envelope example has some shortcomings. The sender was easy to find
out. The recipient was obvious. Yet, the text, now, that was a problem.
Writing was not for everyone. And people could learn different
alphabets. And write gibberish. See Helsinki slang.

> ...
> > stereotypical nerd living in a basement. The real postman has way
> > too much on his hands to waste time with every private message.
> > Yet, the message might be delivered into the hands of a servant or
> > family member. It's them, the people around, who are the most
> > interested to find out the juicy story.
> 
>   That is also very true, Eve is probably very close to either the
> sender or the recipient. Unless we are talking about NSA, CIA, or Men
> in Black, but if that is the case, then using cryptography is only a
> small part of the protection measures.

Here, you are wrong. There is no unless. Take Soviet Union. Some say
they reached the one fifth mark of the population doing the spying on
others. The proportion is irelevant. Today, the NKVD siblings have the
same purpose, no matter what the charter says. And they are ready to be
somehow next to everyone. In a way, that's a very good sign. It's a
dumbing down of the organisation. Back in 1960 they had to prioritise.
They had to schedule whom to monitor and whom not.

Also, in the Politics of Fear if you are not with me than, surely, you
are against me. So, it used to be information gathering and bullying the
boss' enemies. Today it's personal. It'd ideological.
 
> > I see webmail as far from a barrier. Get one plain text editor
> > with encrypt / decrypt abilities. Than just copy and paste the
> > armored text.
> 
>   Or even better, attach the armored file to the message, and then you
> don't even have to worry about html stuff messing it.

My provider gives me an option to send plain text so there's no problem
here. But your idea is way better as it is more portable.

> > What can be simpler? Why do I have to handle a buggy slow beast
> > like thunderbird or evolution when I can do it with the balast
> > provided by a
> 
>   As a thunderbird user, I don't find it buggy or slow. At least, it
> didn't use to be slow.

As a former pine user I find it a disgusting waste. Kidding. But take a
look at its history. Some insecure protocols, yet simple. And badly
handled. No privacy in mind. No security in mind. After all, this is the
15th major version and there still are some issues. And it's a mammoth.
100Mb of memory for an IMAP check?

Also, enigmail is the fruit of the plugin concept. So the plugin
platform gets the merit and not Thunderbird. Thunderbird does not care
much about security in the general sense. More about things that can't
be shifted to anybody else.

> 
> ...
> > everything on a 386. So, instead of having a complicated system
> > with problems, just use a web interface and do all the mails
> > offline in a folder. Faster, more portable.
> 
>   Not sure about the faster part, you have more steps to follow to
> send a message. But it still can be done. And as you need to carry
> your encryption tools with you, you can also carry a portable install
> of Thunderbird+GPG+Enigmail. Well, not sure if GPG2 will run in
> portable mode, but for a while we can still use 1.4.x branch

For a while.

Yes, the PortableApps guys offer the whole pack of three, all portable.
 
> ...
> > Why look down at people? Lay people? A concept invented by the
> > religious / initiated caste to sepparate themselves from the
> > disgusting masses.
> 
>   Lol, it is not like that. It is we are talking about encryption and
> why except us -the paranoid guys- the other people don't use it. It is
> not about education level, intelligence, or anything like that, in
> fact, if we were looking down at people, we would be saying "they
> aren't capable of using this stuff", instead of that, we are talking
> about "why don't they use it? How can we make them use it?".

See? You're misusing terms. Living into a large Panopticon and calling
another one paranoid, even yourself.
 
> ...
> > It's cute to develop bondage though some sort of initiation, say 
> > Dungeons and Dragons if you like a cliché, but it's still jacking
> > off. The world is the thing out, at large, and not some meetings in
> > a basement.
> 
>   Initiation? I'm lost now... I came here, joined the list, read a
> bit, made some questions, tried GPG, left a orphan key... and somehow,
> now I'm a GPG user. And to think it all started when a teacher said
> "well, this is my public key, your assignment is to send an encrypted
> message to me, that is the link to PGP's site". And of course, I
> thought "isn't there a free version?"

Oh, really? And you've been a registered user of the list since 2011.
What does initiation mean to you? Does it have to include severe
beatings? Sexual assault from your peers? Does it need incantations and
certain uniforms?
 
>   By the way, some years ago I went to a CAcert assurer's meeting. It
> was on a coffee shop, no basements involved.

It can be on the top floor of the tallest building eyes can see. Does it
make it less of a Dungeon?

> ...
> > Even if gpg is easily obtainabe, that is, still, almost nothing.
> > Gpg is not a portable app. One must read a few cryptic pages. Even
> > if clear,
> 
>   It used to be. You can still get the portable version.

Of a version that is going to slowly die. In an age where install means
being able to control your terminal, which is a no–no.

Sure. Somebody who can't even get administrator rights on a system, what
can he do? The system, the operating system can spy on you. Just like
with enigmail on thunderbird, it can be a particular driver on your OS. 

I don't know the way out. So I'm glad I'm not a developer of security
apps.
 
> > they are boring. Generate a key. What size? The answers are quite 
> > liberal: it depends on what you need. It should be *2048 or read
> > some
> 
>   Unfortunately, it really depends on your needs. But there is hope:
> the standard answer here is "most people should stick to the
> defaults". There are even some straight forward wizards to set it up
> and generate your key (like enigmail's wizard).
>   Options are more complex, but people with unusual needs should know
> they have to devote more time reading manuals, after all, they already
> devoted some time to discover they have unusual needs.

They should be stimulated. They should know is old wives talk: you
should know better! Or that's the way it is!

Because the complicated part is far from building or installing an app.
It's the whole system that is rotten. The TCP/IP is made so anybody can
put a third and a fourth man in the middle. HTTP is so visionary and so
plain text. Take Yahoo for example. They have put the login page through
SSL. Nice. Yahoo Messenger protocol sends it all in plain text. Chat
programs store the passwords in plain text. And there are enough holes
in that protocol that any feature can be changed. Say one user is
„invisible”. Well, whole sites are dedicated to seeking them online.
There's one invisible noun. Yet, with Yahoo there are two switches: one
for the web and one for the messenger.

GPG? GPG is fine. Yet, GPG does not come with a text editor embeded.
Which editor? Any! Take your pick. Most are made by people with the IQ
of a frozen hamburger. The original text has one copy in memory, one in
the temp folder (it used to be directories, no?), maybe one in the
journals. All in plain text. Isn't it a bit silly to debate the entropy
of a pass phrase?

> 
> ...
> > Now, Thunderbird is a pain in the behind. A team is trying hard to
> > bring the anonymity of Tor to it. I hope they would be able to do
> > it. It's
> 
>   Well, but remember email encryption is not about anonymity, it is
> about privacy. Pretty Good Privacy, not Pretty Good Anonymity. Sure,
> some people wants both, but that is out of our scope.

Well, the bad guys still have to match the key fingerprints or IDs. If
they are on a key server, that's fine. Anyway, there has to be a WOT in
place too. I can generate a new key with your handler and email in no
time. And put it on every known keyserver. Does it mean it's you? You
can't even kill it, as you can't generate a revocation key. But that
leads to deniability which is another can of worms.

The Tor interaction with Thunderbird shows bad practices. I'm sure there
is a lot more just based on how they develop things.

Not connected with Thunderbird, GPG, or any app mentioned here. But
there used to be a real problem with buffer overflows. It was simple. It
was obvious. Developers knew about the potential. Yet nobody cared less
than the developers. They only fixed bugs rated dangerous. The ones
writing that junk are the teachers of today Python and PHP hackers. And
their software is safe because Python takes care of buffer overflows?
It's the same bad practices that reproduce themselves at an amazing
rate. 

Sendmail would have to worry about libc. And they had the decency to
generate workarounds for the libc bugs if needed. Thunderbird depends on
many packs. The plugin interface is not safe. It was not supposed to be
safe. And they are only bothered by the obvious memory leaks. And that's
still good. So many projects are happy to shift the blame and say: it's
not us, is one of the packs we use and the bug has been filled.

All this because I just gave an example of how Thunderbird is broken.
Also, you seem to have driven around the point of the message.

Anyway, myself I like a good debate.

Only that „out of our scope” is a bit too much. Privacy is exemplified
as the confidential talk between a patient and a doctor. And the dorks
stop here in their analysis. It's already too much. Time for a WoW or
something else.

The patient is presumed sick with a Cancer. The doctor sends an
encrypted message. Nobody can read it. Yet, the patient is gloomy. Do we
know the content? Sure. So the pretty good privacy has failed miserably.

The patient has a private and confidential chat with a representative of
a medical laboratory specialised in blood analysis. Do we know the
answer? Yes. We're not sure what particular strain of the virus. But
that's less relevant. Or maybe the patient is happy. So the answer is
negative or with no important impact in his life. But, is it? Maybe the
partener does not know that. A wonderful gesture of protecting the
partner can turn into a relationship breaker. Some would not stand to
lose the relationship, so they would expose the partener too. Pretty
good privacy? Next to nothing.

But in the world out there there are not just STDs, terminal illnesses
or teen pregnancies. A wistleblower or a political opposition member
need privacy too. Yet, they can be torn to bits and their secrets
extracted through the wonderful and never dying security concept of the
rubberhose hacking.

You can argue that they need anonymity too. I say the first implies the
latter. One might be gloomy for a number of reasons once the others
don't know the sender was from oncology, or even in a medical job.

> 
> ...
> > portable. Enigmail is an extension and that makes it rather
> > portable. But gpg4win is NOT.
> 
>   Until very recent times, GPG branch 1.4.x windows binary was easy to
> find, and could be run in portable mode. Probably there will be (or
> already are?) packages offering portable Thunderbird+Enigmail+GPG combo.

PortableApps.com. Wonderful project. I love them and used them whenever
I'm on Windows.

> 
> ...
> > Also I think people like you should work more and more on their
> > pleasant side. Learn some skills that don't involve machines.
> > Relax. Just because other bullied you, you don't have to be a
> > bully.
> 
>   I think you are following stereotypes a bit too much. You imagine
> people here are fit for the "Revenge of the Nerds" movie casting.

Actually, I was going for cliché.

And I don't imagine. I exagerate. In order to make a point. This list is
wonderful. No sarcasm. But some of the energies could flow better, in my
oppinion, if directed on a different course. Yes, there is an
initiation. Even if that's not quite as dramatic as people imagine
things when they read about initiations. Same way as a ritual can be as
simple as start walking with the right foot when one's on the way to
something important. You don't need the silly costumes and pomp of an
Easter Mass or a Royal Wedding.

I'm sorry. I'm an asshole. I've seen and ignored bits of messages and
today I'm too damn lazy to even search for them. I am also afraid at
being told I point fingers. If I point any fingers, are at the keyboard.

Myself I used to hoist a booored face when repeatedly asked the same
question over again till I understood it's not the same mouth that is
asking the question.

> 
> > Or put it this way: what makes you sure your way is the good way?
> > Just
> ...
> 
>    Well, we are the Iluminati, our Order comes from the time lay
> people used to live in caves, while we already had cable TV. Bazinga!

That should explain it. But beware. A friend was just suspended on
Ubuntu forums for pointing out through ridicule the stupidity of a
moderator. For the moderator there was no need to have HTTPS support for
Ubuntu forums because lots of others don't have it too. And a second
moderator pointed out smartly how his skill with Google can show there
is no need for SSL because their master, Canonical, does need it.

> 
> > Question: sure, it's nice to see the signature used here, on the
> > gpg list. But why do you people use it? Myself, an outsider, see it
> > as a geek code. Sure, Werner is the gpg master. And somebody might
> 
>   Well, I use it in a vain attempt to make people aware about there is
> something called OpenPGP. Also, because the first time I found spam
> messages sent... by me to me, I was very worried about how my email
> box had been compromised, I changed password, ran every anti-malware
> tool I could find, and so on. Then I learned anybody can fake that. No
> compromise at all, the spammer just crafted a message that to me,
> looked like a message sent from my email box. So I said "fake this,
> M.F.!" and started signing my messages.

Hahaha. That is a story I enjoy each time I read it. You are probably
not aware, but some of the high masters of hexadecimal good and evil in
some large multinational corporations didn't know that either. For each
it all started with some fake memo sent from the CEO. What's worse is
that it has never crossed their minds for a moment that the technique
could have been used before in their corporation for smaller names. At
this point I raise my hat to the work done by black hats everywhere.

But you can sign your mails with „Zzz” without the quotes and have the
same effect. You can argue somebody would impersonate you on this list
or another and... the chance can be as high as having your key stolen if
you are not careful.

For that a very important aspect is the handler should become an
identity. At that point it's getting harder and harder to impersonate
you. But that can take years, and strong key generation is much shorter
today.

> 
>   By the way, I caught you. You say you are an outsider, yet you know
> about GPG, Thunderbird, Enigmail, you know they can be portable, you
> know about gpgp4win -and it has its own mailing list, so usually it is
> not mentioned here-, you know how easy is to encrypt text on a plain
> text editor with encryption capabilities and paste ascii armored text
> on the webmail composer. You talked about TOR, and you know the
> password strength is related to the entropy it has. You know xkcd
> comic. You even know about Allice and you don't think she is a
> Twilight character. You don't fool us, your geek coefficient is at
> least as high as ours!

But I am an outsider of this list. I haven't been involved on this list
since the days of the, than, new site when there was a debate between
having index.html.en or index.en.html.

I am an outsider for Thunderbird too. I hated all Netscape derivates.
I'm not saying I was a IE supporter. But bad design is still bad design.
I bought the lie of Firefox and dumped it when they started growing
bigger and against their own statements just to please Google and other
corporate friends. I'm back because NoScript can't fit well on other
browsers. But Thunderbird is still just a once in a decade GUI to backup
mail accounts.

The fact that I know how easy can one use a text editor to encrypt and
decript does not make the perspective brighter as all text editors I use
are unsafe. Thus, one have to encrypt the whole system and hope the
memory modules are cold the time someone touches the box. Not much
optimism there.

I know password strength is related to the entropy. I fail to see the
point in some of the tomes I have read. I can use capitals and numbers.
Or lowercase US version of the latin alphabet, as the computers still
aren't smart enough to handle other languages without complicated
translation libraries, and maybe numbers / digits and a space. Vs having
lowercase, uppercase, digits, signs and tremble day and night about the
entropy. The way I figgure it's either badly understood by me or badly
defined by the others. 

Because „Cliché” can be cracked even easier than „Jimi Hendrix”, yet
having a Hendrix poster behind me won't help with „greatest1guitarist”,
but some warning mechanisms against weak passwords will aim for my head
for that last one. Dictionary word, no variation, no signs. Heaven
forbid I double some letter!

Alice is Alice Cooper and I always felt nerds were so nasty to make
stories about Alice and Bob (Geldof), and have Charlie and Chuck and
Dave and so on. Yet only Eve is the passive attacker.

As for having the geek as the good guy, I'm against. There's nothing
worth praise in beeing a geek. Thus the use of the uglier nerd. There's
an article about this written by a guy with much better command of the
English language:
http://th-rough.eu/writers/campagna-eng/night-living-geeks.

Cheers! 



More information about the Gnupg-users mailing list