On Wed, Oct 03, 2012 at 09:19:13PM +0200, Stan Tobias wrote:
[snip]
> Do we really have evidence people can't encrypt? For me the "johnny"
> articles were not quite clear about it (they seemed to investigate
> a different aspect). I don't believe people are stupid. They can
> learn to use cryptography, just as they have learned many other things
> in their lives.

I have anecdotal evidence that people *think* they can't. Just this week, my wife asked me how to change the passphrase on her PGP private key. Now, I would have expected this to be an easy, very visible operation, and been thunderstruck if I should find it were not, but whatever. So I followed her to the computer and just sat there making encouraging murmurs while she easily navigated Enigmail to the dialog and did it. If she had expected the software to be usable, she wouldn't have needed me at all, because it is.

This isn't confined to crypto software. A great many people have acquired considerable skill with computers but little confidence therein. There seems to be a lingering expectation that you need a team of experts to handle the unfamiliar. Lots of people don't realize that the experts have been and gone, that the result of good engineering is that the engineer can go home and let you use the machine without his oversight.

[snip]
> Can you imagine a responsible person exchanging sensitive information,
> while not being certain what he does is safe?

Oh, yes. We have no choice. See any number of articles about thieves copying out tens of thousands of *plaintext* passwords from some e-tailer's systems, or boxes of *unencrypted* backup tapes lost. Those businesses still have customers. I think that one hope of the encrypt-by-default camp is that, when enough people see encryption as normal, these execrable blunders won't happen anymore. Another anecdotal data point: I am still flabbergasted to hear that people design their systems that way -- to me, it's just *not normal*.

Or look at the dozen messages I get every day purporting to be from some bank or ISP, telling me that I must send them my password right away or Bad Things will happen. Someone must actually respond to these, or the bad guys wouldn't keep at it. Probably responsible people, but they don't know *how* to behave responsibly in this context.

I wish our trading partners would crypto-sign all of their emails, so that it could be simple for people to spot scams, and those scams at least would lose value and disappear.

> It's a matter of personal
> integrity, it's not enough to tell a user "click here and there, and
> you're fine"; we have to first convince ourselves what we do is right.
> The upshot is that you cannot make cryptography easier for users, they
> will have to study and understand it themselves anyway.

This much I agree with. But I wonder why they don't. We don't have to understand how locks are made, but we do have to understand how to use them. And the vast majority of Joe Average Citizens do. Billions of people have learned to use banks and checkbooks at least somewhat securely. I think one difference here is that one is taught from an early age and *expected* to learn their proper use. Another is that financial institutions are in the business (when they can remember it) of keeping things safe, and won't interact with you unless you follow procedures designed to promote that safety. Few find this unreasonable.

Heh, of course I want people to make good practical use of crypto. Not doing so is costing me time and money. It's costing them, too, because I will dump my cart and walk away from an e-store if I think their processes are too loose -- and I won't be back. Ceteris paribus, I would choose a medical practice which has good secure and convenient IRM over one that doesn't, and I'm learning how to find that out. I will write and mail a paper check if I don't trust the look of your online payment system. I'm not a security expert, but somehow I realized that I need security in the virtual world as in the physical world and I had better understand how to get it. If more people would cross that bridge, I wouldn't have to work so hard, because more of the burden would be shared.

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Who also thinks locks are interesting.
I'm weird -- so what?
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users