Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
coderman:
> a direct, demonstration / walk through is a very different learning experience compared to manuals and command lines staring back at you from the abyss.

we're past that though. there is gui implementation of gpg. the hard part largely comes down to it being a new concept for novices.

> usability with respect to security and privacy technology a great challenge worthy in many facets. you speak from experience teaching others - your input on specifics of successfully teaching others, rather than dismissal of anecdotes, is certainly needed! (as are others reading this list who otherwise lurk compulsively ;)

the means i've used to walk others through the process involved either instant messaging or irc. hardly ideal communication mediums for instructing novice users. but, in the end, it worked and the people use it now. i also have a section of a tutorial i've drafted that details how to install enigmail in icedove with images at every step. the release of the tutorial is on hold until an issue in whonix is fixed though.

again, i'm not taking issue with the notion that installing and using gpg is difficult. i take issue with the reckless headline that states it shouldn't be used, particularly given what is stated in the op-ed. math is tough so you shouldn't learn it. sounds silly, no?

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
Humans aren't cognitively flawed. The human brain is a cognitive miser, utilizing smart heuristics to process more efficiently. Check out the king of Bounded Rationality, Gerd Gigerenzer. The brain optimizes to conserve calories.

http://www.edge.org/conversation/smart-heuristics-gerd-gigerenzer

On 1/16/14 7:26 AM, coderman wrote:
> On Thu, Jan 16, 2014 at 4:25 AM, coderman coder...@gmail.com wrote:
> > ...
> > usability with respect to security and privacy technology a great challenge worthy in many facets.
>
> also required reading, Peter's BlueHat talk on cognitively flawed humans:
> http://www.cs.auckland.ac.nz/~pgut001/pubs/psychology.pdf
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
On Thu, Jan 16, 2014 at 6:20 AM, Mrs. Y. networksecurityprinc...@gmail.com wrote:
> ...
> http://www.edge.org/conversation/smart-heuristics-gerd-gigerenzer

your caloric heuristic optimization, is my bug. (now if only we could patch wetware! ;)

Tempest: perhaps we should clarify incentives. Johnny has zero incentive in the modern social world to use crypto, and high barriers to any interest that does occur.

journalists and human rights workers are motivated like never before, and likely more sophisticated. however they still struggle with technical tools for strong privacy.

my challenge was to the cypherpunks list for digital monies; favorable selection if there ever was! yet still not 100% and some contexts place severe penalties on even a single, innocent failure.

as for the title and research, it does not imply encryption is useless and should be abandoned. it does imply that casual, less technical users (Johnny) need a system which is intuitive, fails safe, and unambiguously expressive about failures.

any improvement to usability is useful. we certainly need much improvement for pervasively employed end-to-end privacy.

best regards,
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
On Thu, Jan 16, 2014 at 12:58:37PM +, Tempest wrote:
> > a direct, demonstration / walk through is a very different learning experience compared to manuals and command lines staring back at you from the abyss.
>
> we're past that though. there is gui implementation of gpg. the hard part largely comes down to it being a new concept for novices.

no, there are several unnecessary problems that people are confronted with specifically with pgp. you are talking as if the 15 reasons weren't there and weren't real. we're just making things up.

> again, i'm not taking issue with the notion that installing and using gpg is difficult. i take issue with the reckless headline that states it shouldn't be used, particularly given what is stated in the op-ed. math is tough so you shouldn't learn it. sounds silly, no?

you are making that claim, not me. i am saying there are better tools. instead of insisting on a broken horse carriage, start building a car:

1. get a peer review because they deserve it
2. get better UI and UX because it *can* be done
3. get your hands dirty improving code
4. produce packages for f-droid and other OS distributions
5. use software that doesn't mess up if you click the wrong thing

you can reach me on both pond and retroshare, to name two of them. what i am saying is that if they aren't peer reviewed enough that is not an excuse to stick with horse carriages but a reason to start working on it. after all it's a feasible path to take, while fixing pgp over smtp is impossible.

remember when skype got popular? it took johnny five minutes to start having end-to-end encrypted chat and telephony. too bad it was a commercial product so they broke it a year or two later - but it was the proof of concept that it can be achieved. sure, doing it without trusting a company is more difficult, but i named several tools that solved that problem.
[liberationtech] 15 years later, why can't Johnny still not encrypt?
Hi all!

When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0 [1] from '99.

I wonder if anyone knows of similar but more recent usability studies on encryption software? Comparing the findings made by Whitten and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?

[1] – https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps

Best regards,
Anders Thoresson
Freelance reporter
and...@thoresson.net
http://anders.thoresson.se
http://www.dn.se/blogg/teknikbloggen
http://twitter.com/thoresson
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
On Wed, 2014-01-15 at 11:23 +0100, Anders Thoresson wrote:
> Comparing the findings made by Whitten and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?

I don't think it's about UI issues anymore, simply about the lack of a critical mass and the move to webmail. Webmail operators, who by and large are also ad mongers, have zero interest in providing tools for client-side encryption since that would prevent them from analysing the message content and use it for targeting ads.

--ll
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
Anders Thoresson and...@thoresson.net [2014-01-15 11:23:04 +0100]:
> Comparing the findings made by Whitten and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX

This reminds me of a recent Ars Technica story[1] with the headline, Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away? Sub-heading: How to encrypt e-mail, and why most don't bother.

> – or are there other reasons that today are seen as more important?

There was a thread on LibTech titled 10 reasons not to start using PGP[2] that you might be interested in.

[1]: http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/
[2]: https://www.mail-archive.com/liberationtech@lists.stanford.edu/msg07744.html

--
Pranesh Prakash
Policy Director, Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
---
Access to Knowledge Fellow, Information Society Project, Yale Law School
M: +1 520 314 7147 | W: http://yaleisp.org
PGP ID: 0x1D5C5F07 | Twitter: https://twitter.com/pranesh_prakash
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
On Wed, Jan 15, 2014 at 06:00:14AM -0500, Pranesh Prakash wrote:
> Anders Thoresson and...@thoresson.net [2014-01-15 11:23:04 +0100]:
> > Comparing the findings made by Whitten and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX

I believe UX has no chance of fixing the usability if the way the underpinnings work undermine any such effort. The number one problem being that there EXISTS a way to message unencrypted, and that the user is expected to make sure that encryption is being used. Pond is a good example on how to do away with that. Pond is easier to use, because it CANNOT send unencrypted messages.

Also RetroShare is easier to handle than PGP. And both are really bad UX-wise as yet. Any UX designer working on them half a day could improve them a lot whereas trying to fix PGP+email is a lost game.

We discussed this topic in a usability session at the 30c3. Videos will appear on youbroketheinternet.org in the coming weeks and I'll keep libtech posted.

> There was a thread on LibTech titled 10 reasons not to start using PGP[2] that you might be interested in.

Thanks for the referral, Pranesh. :) Since the current reason count is at 15, you may want to read the updated version at http://secushare.org/PGP

--
http://youbroketheinternet.org
ircs://psyced.org/youbroketheinternet
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
The Symposium on Usable Security is an entire conference dedicated to the subject. They have their proceedings all available on their website: http://cups.cs.cmu.edu/soups/2013/program.html

- Greg

On 1/15/14, 5:23 AM, Anders Thoresson wrote:
> Hi all!
>
> When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0 [1] from '99.
>
> I wonder if anyone knows of similar but more recent usability studies on encryption software? Comparing the findings made by Whitten and compare them to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?
>
> [1] – https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps
>
> Best regards,
> Anders Thoresson
> Freelance reporter
> and...@thoresson.net
> http://anders.thoresson.se
> http://www.dn.se/blogg/teknikbloggen
> http://twitter.com/thoresson
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
Lars Luthman:
> I don't think it's about UI issues anymore, simply about the lack of a critical mass and the move to webmail. Webmail operators, who by and large are also ad mongers, have zero interest in providing tools for client-side encryption since that would prevent them from analysing the message content and use it for targeting ads.

that may be part of it. but, when i do have to walk new users through getting gpg and enigmail up and running, they often complain about it and would otherwise give up if i didn't insist. whether that speaks to the tech itself or the desire for instant gratification by users is a matter for debate.
Re: [liberationtech] 15 years later, why can't Johnny still not encrypt?
carlo von lynX:
> > There was a thread on LibTech titled 10 reasons not to start using PGP[2] that you might be interested in.
>
> Thanks for the referral, Pranesh. :) Since the current reason count is at 15, you may want to read the updated version at

and it's still a horrible headline. lack of easier usability is not an argument to not start using something. it's a logical fallacy. you should change it.