US banks that can send PGP/MIME e-mail

Nomen Nescio nobody at dizum.com
Sun Mar 3 21:47:16 CET 2013


>Figuring out how to install an app is not the problem.  Figuring out
>how to *use OpenPGP* is the problem.  The app is not the same as the
>amount of specialized knowledge required to use the app successfully.

The installation problem takes care of the other.  Hushmail users need
not know any more than yahoo users when opening an account.  A HM user
may not even be aware that PGP is in play, or what PGP is.

>OpenPGP has a learning curve like the Matterhorn.  This is a
>long-known and long-lamented fact.  If you can fix that, then maybe
>things will change.  As things stand, though, I doubt they will
>change.

It's been fixed.  Check out countermail.com, or hushmail.com.

>> take the bait.  Such an app could embed an email client that does
>> everything the advanced users would do, and hide everything
>> possible.  Such an app could even hide the email address, and hide
>> the fact that email is used at all, if they wanted.

>Then why bother at all with email and OpenPGP?

For the /other/ users.

>> They're not good at it.

>On the contrary, many of them are phenomenally good at it.
>Operations Research is part of the business school in most
>universities, and the OR geeks tend to be astonishingly good at what
>they do -- which is maximize efficiencies and cut inefficiencies.

I'm not sure why you put so much stock into the MBA.  An MBA merely
makes someone into a good bullshitter, so their idea, however flawed,
is better marketed to upper management.  In the end, the result is
better marketing spin, not better ideas.  And worse, better ideas end
up losing out to better marketed ideas.  When one MBA is pitted
against another, the decision makers ignore it anyway, and vote with
their gut and use whatever data supports the decision they've already
made -- not the other way around.  It's a sham.

>I understand that many geeks like to look down our noses at people in
>the B-schools, but really, that's a shallow prejudice that we as a
>community need to get over.  There are some alarmingly sharp people
>over there.

It's really not a good time to attempt to prop these guys up, when
every economy in the world is suffering acutely from their colossal
and aggregate incompetence.

>> A bank forward-thinking enough to cater to nerds with ssh for
>> transactions and openpgp for statements would spend the least
>> amount on security

>I'm going to have to ask to see the business study you're using to
>back this up.

Do you need a business study to prove that a helicopter costs more to
maintain than a bicycle?  The contrast is so sharp, one would be a
fool to even consider funding such a study.

I won't waste any time trying to track down the proof that you're
asking for.  But I will say that ssh and textual interfaces are
decades more mature than javascript, Adobe Flash, Flash cookies, and
all the other dodgy shit you find on bank sites (and casino sites
alike).  And the difference in complexity is staggering -- complexity
being directly proportional to defects, which in turn are directly
proportional to security vulnerabilities.

Moreover, an SSH server wouldn't drag the bank into the vicious
pattern of chasing the shiny.. e.g. there would not be a need to work
on improving the smoothness of animations that must glide across the
screen.  

New web frills are emerging on a rapid and ongoing basis - highly
unstable.  This means the cost of securing it is an ongoing cost.
This recurring cost is needed just to keep up with the new bugs that
are being introduced -- a cost that comes on top of the normal cost of
intrusion detection and incident response.

>This is your prejudice, nothing more.

I know studies have already proven the relationship between complexity
and bugs - although I don't recall where the research was done, it's
not just my imagination.  And the relationship between bugs and
vulnerabilities is security 101.



