Re: Joe Sixpack doesn't run Linux
At 12:21 PM 5/24/02 -0700, Curt Smith wrote:
>If there were servers on the internet which automatically
>displayed all plaintext e-mail messages which passed through
>them as webpages (for the bored, curious, and opportunistic),
>THEN everyone would see the value of encrypted e-mail.

Hmm, didn't Sircam do a bit of that? But it sent files, not your entire mail spool; and it didn't try too hard to broadcast (it could have always forwarded a copy to usenet in addition to your contacts).

Not sure if disk-encryption would have helped; it just would have sent one of the open (cleartext) files. Sircam forwarding a saved, encrypted email would have been harmless modulo traffic analysis.

To encourage WiFi encryption you could use a high-gain antenna and anonymously (re)broadcast traffic you found. And publicize the site. Don't do this too early during deployment or you'll stunt the early growth.
Re: Joe Sixpack doesn't run Linux
> If there were servers on the internet which automatically
> displayed all plaintext e-mail messages which passed through
> them as webpages (for the bored, curious, and opportunistic),
> THEN everyone would see the value of encrypted e-mail.

Most of them do ... they are called MAEs - it's just that *you* don't belong to the set of people that get to see it.
Re: Joe Sixpack doesn't run Linux
--
On 23 May 2002 at 10:57, Meyer Wolfsheim wrote:
> 3. The people who might use it if it is easy.
>
> This is Joe Sixpack. This is who you are worrying about, wanting
> S/MIME to deliver on its promises. This is who Templeton is worrying
> about, wanting opportunistic mail encryption.

Joe sixpack is willing and able to make the necessary mental effort if there is money at stake -- which of course there is not.

The first recorded use of envelopes in mail was in financial transactions. People would create a clay tablet containing marks representing so many goods of this type, so many goods of another type, bake it, then wrap in another clay envelope, and bake that.

Right now Joe Sixpack relies on the widely shared secret of his credit card number, and that sharing worries him more than somewhat. Problems resulting from that sharing are dealt with by the credit card company's arbitration facilities, which cost him, the card company, and the merchant dearly.

The big lack of demand for encryption by Joe Sixpack is a result of the lack of financial transactions using the internet between Joe sixpack and Bob sixpack.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
GLOU6WqBTbh5/1XBintStENCsUIWt7tnZNUrmtbZ
4ydGcwGiWOaRxYAIjlkIr8jUnEMBYpo4PElVUT14t
Re: Joe Sixpack doesn't run Linux
On Fri, 24 May 2002, Curt Smith wrote:
> The lack of e-mail detailing financial transactions is also the
> reason many businesses chose not to incur the overhead of
> secure communications.
>
> If there were servers on the internet which automatically
> displayed all plaintext e-mail messages which passed through
> them as webpages (for the bored, curious, and opportunistic),
> THEN everyone would see the value of encrypted e-mail.

http://www.shmoo.com/~pablos/pages/RandomMailReader.html
Re: Joe Sixpack doesn't run Linux
The lack of e-mail detailing financial transactions is also the reason many businesses chose not to incur the overhead of secure communications.

If there were servers on the internet which automatically displayed all plaintext e-mail messages which passed through them as webpages (for the bored, curious, and opportunistic), THEN everyone would see the value of encrypted e-mail.

--- [EMAIL PROTECTED] wrote:
> ...
> The big lack of demand for encryption by Joe Sixpack is a
> result of the lack of financial transactions using the
> internet between Joe sixpack and Bob sixpack.
>
> --digsig
> James A. Donald
Re: Joe Sixpack doesn't run Linux
Meyer Wolfsheim <[EMAIL PROTECTED]> writes:

>S/MIME support is in just about every popular email client out of the box.
>Why is PGP more widely used?
>
>[Good reasons snipped]

Those who care about security [0] use PGP, the rest use S/MIME.

To steal a line from Hexed: "S/MIME: For people who could care less". Actually it's not even that, it's closer to: "Plaintext: For people who could care less". I have yet to exchange an encrypted S/MIME message of any significance with anyone, ever. Even if the other side is using an S/MIME-enabled mailer, we usually end up using PGP even if it means having to try half a dozen different versions to find one which will process the other side's messages.

While I'm in a quoting mood, there's also Marshall Rose's comment about X.400 to steal:

  Two people meet at a conference and exchange email addresses. They get back to their offices and want to communicate securely. If both sides are using PGP x.y.z, they communicate securely. If one side is using PGP x.y.z and the other isn't, they wait for a message and then keep trying different PGP versions until they find one which will process the message. If they aren't using PGP, they communicate in plaintext and hope no-one's listening.

(In case that's forwarded or quoted out of context, this is a comment on a social issue, not a software issue).

Peter.

[0] With the corollary: "and aren't government users", S/MIME is used a fair bit in certain areas, it just doesn't get much public exposure.
Re: Joe Sixpack doesn't run Linux
On Thu, 23 May 2002, Curt Smith wrote:
> This is a fairly accurate description of the situation, but
> neglects to emphasize that the reason [1-cypherpunk] bothers
> convincing [2-coerced associate] to use encrypted e-mail is
> because [1] understands its importance and is attempting to
> share/spread that understanding.

Yes, [1] understands its importance. I think you overestimate the amount of effort put forth by [1] to "spread the Word", though. While evangelizing strong crypto might be second-nature to a cypherpunk, the other members of [1] are standards-setters because they must be. They require [2] to use strong crypto, because it is their asses if they don't. They don't care, and don't need to care, if [2] understands the value of strong crypto, as long as [2] uses it in communication with [1].

> Although [3-Joe Sixpack] may not understand or appreciate
> encryption, [3]'s support is helpful to protect [1]'s
> cryptography rights. Furthermore once [3] has crypto, [3] will
> resist attempts to take it away (along with his six pack,
> etc.).

With this, I fully agree. The challenge is to design a system that satisfies the security requirements for [1]'s threat model and the usability requirements for [3]'s attention span. It has yet to be done. All attempts thus far have been lucky if they only fail at one of those two goals. Most fail at both.

-MW-
Re: Joe Sixpack doesn't run Linux
This is a fairly accurate description of the situation, but neglects to emphasize that the reason [1-cypherpunk] bothers convincing [2-coerced associate] to use encrypted e-mail is because [1] understands its importance and is attempting to share/spread that understanding.

Although [3-Joe Sixpack] may not understand or appreciate encryption, [3]'s support is helpful to protect [1]'s cryptography rights. Furthermore once [3] has crypto, [3] will resist attempts to take it away (along with his six pack, etc.).

--- Meyer Wolfsheim <[EMAIL PROTECTED]> wrote:
> ...
> There are three main classes of mail encryption users:
>
> 1. The people who demand true security.
>
> These are the cypherpunks, the government agencies, the savvy
> drug dealers, financial traders, etc. They won't trust S/MIME,
> they won't trust EnvelopeMail, and they won't use Zixit. They
> might use PGP, though if they have the resources they'll use
> something developed securely in-house. This class is fairly
> small.
>
> 2. The people coerced into using encryption by [1].
>
> This is the government contractors, cypherpunks' relatives,
> the drug couriers, and other business partners of the first
> class. These people will use whatever standard is dictated by
> the people with whom they must do business. This class is
> also small, but makes up the majority of mail encryption
> users today.
>
> 3. The people who might use it if it is easy.
>
> This is Joe Sixpack. This is who you are worrying about,
> wanting S/MIME to deliver on its promises. This is who Templeton
> is worrying about, wanting opportunistic mail encryption.
>
> Public key crypto is a complicated, confusing concept. To
> date, no one has even proposed a system that would be both
> secure under a reasonable threat model for [1] and simple
> enough to be groked by [3]. And guess what? [3] doesn't care.
> [3] isn't asking for it. [3] might use it if it existed, but
> you'd be lucky to be appreciated for your troubles. Most
> likely, you're only in for a lot of criticism when your
> solution doesn't measure up to [1]'s standards.
>
> If you want to be the guardian of Joe Sixpack, go right
> ahead. Be warned that it is a thankless job.
>
>
> -MW-
Joe Sixpack doesn't run Linux
On Thu, 23 May 2002, Lucky Green wrote:
> Adam wrote:
> > Which is too bad. If NAI-PGP went away completely, then
> > compatibility problems would be reduced. I also expect that
> > the German government group currently funding GPG would be
> > more willing to fund UI work for windows.
>
> Tell me about it. PGP, GPG, and all its variants need to die before
> S/MIME will be able to break into the Open Source community, thus
> removing the last, but persistent, block to an instant increase in
> number of potential users of secure email by several orders of
> magnitude.
>
> Here's to hoping,

Good god, Lucky. Are you serious?

If S/MIME were actually usable and accessible to the end user today, PGP and GnuPG would be irrelevant. You think that a smattering of Open Source users are what is preventing widespread usage of S/MIME? That's too kind to both the "Open Source Community" and to S/MIME.

S/MIME support is in just about every popular email client out of the box. Why is PGP more widely used? This shouldn't be the case -- installing PGP, configuring it to work with your mail program, etc., isn't trivial.

As much as I would like to say that security issues, such as the inability of Alice to prevent Bob from encrypting messages to Alice with a 40 bit cipher, are what puts PGP in the lead, the truth is that many users would likely be happy to use a less secure mail encryption program if it meant one less installation step.

No, the many version and implementation incompatibilities in the S/MIME space, coupled with the reliance on a central third-party CA, are S/MIME's downfall. Thinking that PGP's existence has anything to do with this is silly.

Remove PGP, and you won't find more S/MIME users. You'll see more unencrypted email, and more "new proposals" for encrypted email (such as the zero-UI and passive attack protection systems that Brad Templeton and Bram Cohen have been passing wind about for a few years now).

There are three main classes of mail encryption users:

1. The people who demand true security.

These are the cypherpunks, the government agencies, the savvy drug dealers, financial traders, etc. They won't trust S/MIME, they won't trust EnvelopeMail, and they won't use Zixit. They might use PGP, though if they have the resources they'll use something developed securely in-house. This class is fairly small.

2. The people coerced into using encryption by [1].

This is the government contractors, cypherpunks' relatives, the drug couriers, and other business partners of the first class. These people will use whatever standard is dictated by the people with whom they must do business. This class is also small, but makes up the majority of mail encryption users today.

3. The people who might use it if it is easy.

This is Joe Sixpack. This is who you are worrying about, wanting S/MIME to deliver on its promises. This is who Templeton is worrying about, wanting opportunistic mail encryption.

Public key crypto is a complicated, confusing concept. To date, no one has even proposed a system that would be both secure under a reasonable threat model for [1] and simple enough to be groked by [3]. And guess what? [3] doesn't care. [3] isn't asking for it. [3] might use it if it existed, but you'd be lucky to be appreciated for your troubles. Most likely, you're only in for a lot of criticism when your solution doesn't measure up to [1]'s standards.

If you want to be the guardian of Joe Sixpack, go right ahead. Be warned that it is a thankless job.

-MW-