
Mailing List Archive: GnuPG: users

learning curve like Monte Cervino



peter.segment at wronghead

Aug 2, 2012, 12:49 AM

learning curve like Monte Cervino

On 01/08/12 23:05, Robert J. Hansen - rjh [at] sixdemonbag wrote:

> By itself, GnuPG is useless. [...and more, much more, on steep
> learning curves and cargo-cult security].

I happen to agree with most of what was written in your lengthy
exposé. But you omit one important problem: a program like
gpg is deployed, 99% of the time, with no user-specific threat
analysis. This means that it must answer all conceivable threats,
which in turn makes it so hard to use that its adoption rate
is, well, what it is.

You are very rigorous in your views on the subject. Consequently
(at least as I read your text) you reject the most damaging canon
of the contemporary "computer security industry", the one that
demands no knowledge, no conceptual understanding and no discipline
on the part of the end user - it all has to be solved for him by
the software. For this I applaud you.

However, I would add one more thing as necessary for successful
use of any security software: *user-specific threat analysis*.
Without it, gpg - or any other piece of software - is indeed not
much different from that plane mock-up in New Guinea. If such
threat analysis was done more frequently than appears to be the
case, perhaps we would end up with specific tools, ones that do not
attempt to cover all conceivable threats but address only threats
specific to some segment of the user population. What they would
lose in the width of applicability they would gain in simplicity
in code and simplicity in use - both extremely desirable security
software characteristics.

This was precisely the process that led to my post that this
discussion is an offshoot of. In other words, users from that
original thread certainly didn't "have a great idea that will
allow people to keep secure against dedicated, serious adversaries
while requiring very little training or knowledge on the part of
the user". They have performed a very thorough threat analysis
of *their circumstances*, and are looking for either an existing
software or possibility of constructing a new one, that would be
best suited to *their threat model*.

Peter M.



_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


hka at qbs

Aug 2, 2012, 6:21 AM

Re: learning curve like Monte Cervino

On Thursday 02 of August 2012 07:49:22 peter.segment [at] wronghead wrote:
> On 01/08/12 23:05, Robert J. Hansen - rjh [at] sixdemonbag wrote:
> > By itself, GnuPG is useless. [....and more, much more, on steep
> > learning curves and cargo-cult security].
>
> You are very rigorous in your views on the subject. Consequently
> (at least as I read your text) you reject the most damaging canon
> of the contemporary "computer security industry", the one that
> demands no knowledge, no conceptual understanding and no discipline
> on the part of the end user - it all has to be solved for him by
> the software. For this I applaud you.

Is it really so hard to demand that users
1. understand that a private key is sensitive, and so is the password protecting it
2. understand that you need to validate certificates/public keys from other parties
3. understand that the only hardware that does crypto you can trust is your own hardware

You can be a secure user of GPG (or any other crypto suite) without
understanding block chaining modes or why ECC is better than RSA.

As a hammer user you must learn not to use it to drive screws into wood,
even if it appears to work. You *need* to have a basic understanding of the tools
you use.

Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl



rjh at sixdemonbag

Aug 2, 2012, 6:49 AM

Re: learning curve like Monte Cervino

On 8/2/2012 3:49 AM, peter.segment [at] wronghead wrote:
> I happen to agree with most of what was written in your lengthy
> exposé. But you omit one important problem: a program like gpg is
> deployed, 99% of the time, with no user-specific threat analysis.

GnuPG is not required to be all things to all people. GnuPG is just
required to be an RFC4880-conformant encryption and signing application.
It's a tool in the toolbox, nothing more. It can be used in a broad
variety of ways. As I pointed out a couple of emails back, it can even
be set up in ways that end-users need to know nothing about the Web of
Trust.

> This means that it must answer all conceivable threats, which in turn
> makes it so hard to use that its adoption rate is, well, what it
> is.

No. Read:

Shirley Gaw, Edward W. Felten and Patricia Fernandez-Kelly.
"Secrecy, Flagging and Paranoia: Adoption Criteria in
Encrypted Email." _Proceedings of CHI 2006_.

That remains the best serious analysis of why encrypted email rates are
so low.

> Consequently (at least as I read your text) you reject the most
> damaging canon of the contemporary "computer security industry", the
> one that demands no knowledge, no conceptual understanding and no
> discipline on the part of the end user - it all has to be solved for
> him by the software. For this I applaud you.

Which confuses me, given that you seem to be saying you want users to
not need to know anything about the underlying crypto, or how it ought
be used for maximum effect.

> However, I would add one more thing as necessary for successful use
> of any security software: *user-specific threat analysis*.

Google the list archives again for the phrase "threat model." We tend
to talk about that a lot here.


