Re: For PGP Users-Likes and Dislikes of PGP

Re: For PGP Users-Likes and Dislikes of PGP

on 13.08.2006 19:41:01 by noone

On Sun, 13 Aug 2006 15:52:15 +0200, Sebastian Gottschalk wrote:

>Speechless wrote:
>> a) Download the software from their web site. (Everyone knows how to
>> download stuff from the web.)
>>
>> b) Install the software by clicking on the .exe file you've
>> downloaded. (Everyone knows how to click a mouse button.)
>
>Fine. Now FreeBSD tells me that it doesn't know what kind of file it is.

If you are smart enough to know what FreeBSD is, you ought to be smart
enough to know that it wouldn't run on FreeBSD. (I do run FreeBSD on
some of my machines.)

The question is, are you, or anyone else in the crypto community,
smart enough to come up with a crypto system that will work for a user
who isn't quite sure what Microsoft Windows is?

PGP has been available to the masses for a very long time. Most
people have no clue what it is, and those that do, would rather avoid
using it at all costs. I wonder why? Could you enlighten me? Just
answer a couple of simple questions:

a) Why don't people like using PGP?
b) Does it matter how secure PGP is if people refuse to use it?

I had PGP installed on my systems. Everyone I wanted to communicate
with, including those near and dear to me, told me to stuff it where
the sun don't shine. Can you suggest an easy-to-use alternative that
people will _want_ to use? Or, is crypto intended for use by swelled
heads in academia only?

>
>> c) Move the POP3 and SMTP server entries from your MUA to SecExMail.
>
>You're not serious, are you?

I am. SecExMail is a Mail Relay that will work with any MUA. To
configure it, you enter the POP3 and SMTP server addresses into
SecExMail, and then enter 127.0.0.1 as the server addresses in your
MUA for both POP3 and SMTP. This procedure takes about 2 hours per
user, not counting the labor hours spent on the corporate Help Desk,
talking the users through the procedure. The cost of deployment,
measured in labor hours per user, is astronomical.

>
>> the system just works, and you can forget about it.
>
>It doesn't work, but if it did, you could forget about it. It doesn't
>offer anything.

It works quite well on Microsoft Windows. Due to user revolt against
PGP, the option was to either let the e-mails float through in clear
text, or to have them scrambled. SecExMail scrambles them so that
anyone casually running a packet sniffer on the network, is not able
to read them.

>
>> Have your granny try it. She might like it.
>
>Yeah. I'm gonna advise my granny to download and run executables offered
>in an eMail from a stranger...

You misunderstood. The e-mail recipient is given the URL to
Bytefusion's web site, where he can download the software directly
from the source. I know that there are quite a number of
man-in-the-middle issues with this, such as the recipient being
directed to a fake web site, ignoring the question of whether or not
Bytefusion is itself trustworthy, but this might be an opportunity for
you to come up with a better user-driven distribution system and have
it incorporated into an Open Source product, if you are smart enough
to do this. Are you smart enough?

Re: For PGP Users-Likes and Dislikes of PGP

on 13.08.2006 19:55:16 by Sebastian Gottschalk

Speechless wrote:

>>> a) Download the software from their web site. (Everyone knows how
>>> to download stuff from the web.)
>>>
>>> b) Install the software by clicking on the .exe file you've
>>> downloaded. (Everyone knows how to click a mouse button.)
>> Fine. Now FreeBSD tells me that it doesn't know what kind of file
>> it is.
>
> If you are smart enough to know what FreeBSD is, you ought to be
> smart enough to know that it wouldn't run on FreeBSD. (I do run FreeBSD
> on some of my machines.)

Fine, so how could I read your proprietary stuff? Why doesn't it follow
public, open, well-analyzed standards like OpenPGP or S/MIME?

> The question is, are you, or anyone else in the crypto community,
> smart enough to come up with a crypto system that will work for a
> user who isn't quite sure what Microsoft Windows is?

No, and this isn't the goal either. A crypto system is only secure if
the user understands at least the important required stuff.

> PGP has been available to the masses for a very long time. Most
> people have no clue what it is, and those that do, would rather avoid
> using it at all costs. I wonder why? Could you enlighten me?

It's not true. I would like it if everyone used OpenPGP. Damn, I got a
signature from Werner Koch himself; I'd be easily trusted all the way.

> a) Why don't people like using PGP?

Don't ask me. Median computer users are totally stupid when it comes to
computers.

> b) Does it matter how secure PGP is if people refuse to use it?

Yes.

> Or, is crypto intended for use by swelled heads in academia only?

No. It's supposed to be used by intelligent people, who don't know
much more about computers than the basic important things, but
are reasonable and understand what they're doing and why.

And actually Thunderbird with EnigMail+GnuPG is a quite user-friendly
OpenPGP eMail implementation.

>>> c) Move the POP3 and SMTP server entries from your MUA to
>>> SecExMail.
>> You're not serious, are you?
>
> I am. SecExMail is a Mail Relay that will work with any MUA. To
> configure it, you enter the POP3 and SMTP server addresses into
> SecExMail, and then enter 127.0.0.1 as the server addresses in your
> MUA for both POP3 and SMTP.

Yes, I know, the DTD allows omitting the IRONY tags. So, how does it
handle SSL and TLS? If it does, how does it react to
outdated/revoked/invalid server certificates? Yes, I'd better prepare my
laughter.

> It works quite well on Microsoft Windows. Due to user revolt against
> PGP, the option was to either let the e-mails float through in clear
> text, or to have them scrambled.

Common mail exchange between MTAs is SSL-encrypted. And it's real
encryption, not just scrambling.

> SecExMail scrambles them so that anyone casually running a packet
> sniffer on the network, is not able to read them.

Outlook Express hides header lines by default so no stupid attacker can
fake headers !!!!!1112

> this might be an opportunity for you to come up with a better user
> driven distribution system and have it incorporated into an Open
> Source product, if you are smart enough to do this. Are you smart
> enough?

I'm smart enough not to waste my time trying the wrong things.
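The relay arrangement described in the thread (the MUA pointed at 127.0.0.1, the relay holding the real POP3/SMTP server addresses) and the follow-up question about how such a relay handles TLS and bad server certificates, as an added example that is not SecExMail or Bytefusion code: a minimal loopback SMTP relay in Python. The upstream server in the self-test is a constructed stand-in that speaks plaintext; the host names, ports and class/function names are assumptions for illustration.

```python
import socket
import ssl
import threading


def upstream_tls_context():
    """TLS policy for the relay's own upstream connection.

    Once the MUA talks plaintext to 127.0.0.1, the relay is the only party
    that can validate the real server's certificate. create_default_context()
    loads the system CA store with CERT_REQUIRED and hostname checking; the
    assignments below only make that policy explicit. Caveat: Python's ssl
    module fetches no CRLs or OCSP responses by default, so a revoked but
    otherwise valid certificate is still accepted unless CRLs are loaded.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class LoopbackRelay:
    """Accepts MUA connections on 127.0.0.1 and pipes each one to the upstream
    server, wrapping the upstream side in implicit TLS unless use_tls=False."""

    def __init__(self, upstream_host, upstream_port, use_tls=True, listen_port=0):
        self.upstream = (upstream_host, upstream_port)
        self.use_tls = use_tls
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", listen_port))  # loopback only, never 0.0.0.0
        self.listener.listen(5)
        self.listener.settimeout(0.5)  # lets the accept loop notice stop()
        self.port = self.listener.getsockname()[1]
        self._stopped = threading.Event()

    def _connect_upstream(self):
        raw = socket.create_connection(self.upstream, timeout=10)
        if not self.use_tls:
            return raw
        # server_hostname drives both SNI and the hostname check.
        return upstream_tls_context().wrap_socket(raw, server_hostname=self.upstream[0])

    @staticmethod
    def _pump(src, dst):
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # propagate the half-close
            except OSError:
                pass

    def _handle(self, client):
        try:
            server = self._connect_upstream()
        except OSError:  # ssl.SSLError (expired/untrusted cert) is an OSError
            # Refuse the session rather than silently downgrading to plaintext.
            client.sendall(b"421 relay: upstream connection failed\r\n")
            client.close()
            return
        pumps = [threading.Thread(target=self._pump, args=(client, server), daemon=True),
                 threading.Thread(target=self._pump, args=(server, client), daemon=True)]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        server.close()

    def _serve(self):
        while not self._stopped.is_set():
            try:
                client, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def stop(self):
        self._stopped.set()
        self.listener.close()


def _fake_upstream(seen):
    """Constructed stand-in for the real SMTP server: greets, records the
    first command line it receives into `seen`, answers once, hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        seen.append(conn.makefile("rb").readline())
        conn.sendall(b"250 mail.example.test Hello\r\n")
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def relay_roundtrip():
    """One exchange MUA -> 127.0.0.1 relay -> upstream; returns the banner
    and reply the MUA saw plus the command line the upstream received."""
    seen = []
    # use_tls=False only because the constructed upstream speaks plaintext;
    # against a real server keep the default so the certificate is verified.
    relay = LoopbackRelay("127.0.0.1", _fake_upstream(seen), use_tls=False).start()
    mua = socket.create_connection(("127.0.0.1", relay.port), timeout=5)
    try:
        reader = mua.makefile("rb")
        banner = reader.readline()
        mua.sendall(b"EHLO laptop.local\r\n")
        reply = reader.readline()
    finally:
        mua.close()
        relay.stop()
    return banner, reply, seen[0]


if __name__ == "__main__":
    print(relay_roundtrip())
```

The relay wraps the upstream socket in TLS at connect time, which matches implicit-TLS ports (465 for SMTP, 995 for POP3); a STARTTLS upgrade on port 587 or 110 would require the relay to parse the protocol and is not shown. The security-relevant choice is in `_handle`: if the upstream certificate fails validation the MUA gets a 421 and no mail moves, instead of the relay quietly continuing in the clear.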

Re: For PGP Users-Likes and Dislikes of PGP

on 13.08.2006 19:58:16 by Volker Birk

Speechless wrote:
> a) Why don't people like using PGP?

Many people do. The ones who don't like it mostly don't know it.

> b) Does it matter how secure PGP is if people refuse to use it?

Many people don't.

> I had PGP installed on my systems. Everyone I wanted to communicate
> with, including those near and dear to me, told me to stuff it where
> the sun don't shine. Can you suggest an easy-to-use alternative that
> people will _want_ to use? Or, is crypto intended for use by swelled
> heads in academia only?

To securely use cryptography, there is a need for understanding
concepts. No one can use cryptography without understanding concepts.
Cryptography used by people who don't understand is useless, because
it's completely insecure.

This is not a problem with PGP - it's a problem with cryptography.

Yours,
VB.
--
I would estimate that roughly 87% of all spontaneous estimates are
complete rubbish.

Ralph Angenendt in debate@ccc.de

Re: For PGP Users-Likes and Dislikes of PGP

on 13.08.2006 22:10:38 by noone

On Sun, 13 Aug 2006 19:55:16 +0200, Sebastian Gottschalk wrote:

>Speechless wrote:
>
>>>> a) Download the software from their web site. (Everyone knows how
>>>> to download stuff from the web.)
>>>>
>>>> b) Install the software by clicking on the .exe file you've
>>>> downloaded. (Everyone knows how to click a mouse button.)
>>> Fine. Now FreeBSD tells me that it doesn't know what kind of file
>>> it is.
>>
>> If you are smart enough to know what FreeBSD is, you ought to be
>> smart enough to know that it wouldn't run on FreeBSD. (I do run FreeBSD
>> on some of my machines.)
>
>Fine, so how could I read your proprietary stuff? Why doesn't it follow
>public, open, well-analyzed standards like OpenPGP or S/MIME?

I'm just an end user trying to implement a solution for a group of
about 20 close knit people. If you can't read it, so much the better.

>
>> The question is, are you, or anyone else in the crypto community,
>> smart enough to come up with a crypto system that will work for a
>> user who isn't quite sure what Microsoft Windows is?
>
>No, and this isn't the goal either. A crypto system is only secure if
>the user understands at least the important required stuff.

I can assure you that your idea of "important" is not congruent with
what the user thinks is important.

>
>> PGP has been available to the masses for a very long time. Most
>> people have no clue what it is, and those that do, would rather avoid
>> using it at all costs. I wonder why? Could you enlighten me?
>
>It's not true. I would like it if everyone used OpenPGP. Damn, I got a
>signature from Werner Koch himself; I'd be easily trusted all the way.

OpenPGP is a specification, not a product.

>
>> a) Why don't people like using PGP?
>
>Don't ask me. Median computer users are totally stupid when it comes to
>computers.

Walk into a corporate environment with an attitude like that where all
the median computer users are found and even you will be amazed at the
velocity you will exit the premises to look for a new employer.

>
>> b) Does it matter how secure PGP is if people refuse to use it?
>
>Yes.
>
>> Or, is crypto intended for use by swelled heads in academia only?
>
>No. It's supposed to be used by intelligent people, who don't know
>much more about computers than the basic important things, but
>are reasonable and understand what they're doing and why.

Oh, they understand precisely what they are doing and why they are
doing it...when it comes to using group dynamics to deflate someone's
swelled head.

>
>And actually Thunderbird with EnigMail+GnuPG is a quite user-friendly
>OpenPGP eMail implementation.

Thank you. This is the most useful thing you've said so far. I will
have a look at this software combination.

>
>>>> c) Move the POP3 and SMTP server entries from your MUA to
>>>> SecExMail.
>>> You're not serious, are you?
>>
>> I am. SecExMail is a Mail Relay that will work with any MUA. To
>> configure it, you enter the POP3 and SMTP server addresses into
>> SecExMail, and then enter 127.0.0.1 as the server addresses in your
>> MUA for both POP3 and SMTP.
>
>Yes, I know, the DTD allows omitting the IRONY tags. So, how does it
>handle SSL and TLS? If it does, how does it react to
>outdated/revoked/invalid server certificates? Yes, I'd better prepare my
>laughter.
>
>> It works quite well on Microsoft Windows. Due to user revolt against
>> PGP, the option was to either let the e-mails float through in clear
>> text, or to have them scrambled.
>
>Common mail exchange between MTAs is SSL-encrypted. And it's real
>encryption, not just scrambling.
>
>> SecExMail scrambles them so that anyone casually running a packet
>> sniffer on the network, is not able to read them.
>
>Outlook Express hides header lines by default so no stupid attacker can
>fake headers !!!!!1112
>
>> this might be an opportunity for you to come up with a better user
>> driven distribution system and have it incorporated into an Open
>> Source product, if you are smart enough to do this. Are you smart
>> enough?
>
>I'm smart enough not to waste my time trying the wrong things.

Re: For PGP Users-Likes and Dislikes of PGP

on 14.08.2006 06:04:28 by Sebastian Gottschalk

Speechless wrote:

>> No, and this isn't the goal either. A crypto system is only secure if
>> the user understands at least the important required stuff.
>
> I can assure you that your idea of "important" is not congruent with
> what the user thinks is important.

Right, but this doesn't mean that it's me who's wrong with such an attitude.

>> It's not true. I would like it if everyone used OpenPGP. Damn, I got a
>> signature from Werner Koch himself; I'd be easily trusted all the way.
>
> OpenPGP is a specification, not a product.

OpenPGP is a standard.

>>> a) Why don't people like using PGP?
>> Don't ask me. Median computer users are totally stupid when it comes to
>> computers.
>
> Walk into a corporate environment with an attitude like that where all
> the median computer users are found and even you will be amazed at the
> velocity you will exit the premises to look for a new employer.

Did you ever bother looking at corporate PGP solutions with a complete
OpenPGP-PKI, ADK and such stuff? This is exactly where the users get
their keys managed by an administrator, because it's not their
responsibility to ensure proper key management.

> Oh, they understand precisely what they are doing and why they are
> doing it...when it comes to using group dynamics to deflate someone's
> swelled head.

What part of "reasonable" didn't you understand? Hint: Software is
usually written for reasonable users, not for dummies. Cryptography
doesn't work for dummies either.