I received a comment from Sonia on my post detailing Bruce Schneier’s tips for protecting yourself from the National Security Agency (NSA):
This kind of endeavor only works is everybody does it, otherwise is useless. Also inviting laymen to “learn” reveals how much you underestimate the fact that being a programmer gives you all the mental models you need.
Those people who “learn” will only end up compromising their own security under the impression that they are doing something secure.
Although I addressed these concerns in a reply I wanted to write a post because I feel what I’m about to say is relevant to anybody interested in computer security.
In another comment Sonia mentioned she (I’m assuming Sonia is female based on name, this being the Internet I could be incorrect) is a Ph.D. That being the case, I can see where her views on this subject come from. Oftentimes those of us who have been involved in the computer field for some time fall victim to two issues. First, we develop a form of elitist attitude that causes us to think of ourselves as somehow superior to non-techie people. Second, we forget about the early days when we knew little about computers. I’ve fallen victim to these issues before and I believe Sonia has fallen victim to them in her comment.
She does make a very important point. When you first dive into computer security you’re going to make mistakes. This is a problem all people face when learning something new. Just because you know how to utilize OpenPGP to encrypt your e-mail doesn’t mean you fully grasp underlying concepts such as private key security, the inability to know whether or not a closed system is secure, the value of a proper security audit, or the potential issue of generating keypairs on a system that lacks a true cryptographically secure pseudorandom number generator. All of these things, and more, play a part in OpenPGP and computer security.
You know what? That’s OK. You don’t need to know everything right away. Everybody has to start from the beginning. I didn’t become a computer programmer or system administrator overnight. I wasn’t blessed with the innate knowledge required to operate and manage an OpenBSD system. At one point I had no idea what Postfix was, let alone how to run and maintain a Postfix server. The difference between C and C++ were unknown to me back in the day. All of this knowledge came with due time. I’ve invested years into learning what I now know about computers and will likely invest a lifetime into learning more. When I started to program I made countless amateur mistakes. That didn’t discourage me because I learned from those mistakes. I’m happy to report that I’m still learning from my mistakes today.
Learning how to use the tools necessary to keep yourself safe online isn’t going to happen overnight. You’re going to make mistakes. Those mistakes will compromise your security. But you will learn from those mistakes and you will become more secure because of it.
Computer security isn’t an all-or-nothing thing. Even if you don’t practice proper private key security or generate an easily determinable keypair because your system lacks a secure pseudorandom number generator you’re more secure by using OpenPGP or Off-the-Record Messaging than not. Every encrypted communication requires potential spies to throw time and resources at decrypting it just to find out what’s in it. Simply put, every encrypted communication helps defend everybody’s privacy. As the number of encrypted communications increase potential spies must either prioritize the computing resources available to them or invest other resources into more computing resources.
reposting from the original thread
—–
> Starting with a defeatist attitude isn’t going to make the journey any easier.
I didn’t want to come across as defeatist. I am myself a big advocate of personal encryption, but what you then said
> I spend countless hours learning the based knowledge required to learn how to program before I even began learning how to program. It takes time, yes, but it’s material that can be learned.
actually makes my point better than I could have done it myself.
The idea of sitting down and explain to my dad what is public key encryption and how to use it and how not to save his encryption key on his dropbox (screwing up everything he thinks he knows about how to backup) is so headache inducing that I would not even start. Not to mention the moment he is going to ask “So how do I communicate with encryption on Facebook ?”
> I’ve fallen victim to these issues before and I believe Sonia has fallen victim to them in her comment.
You are obviously right.
… but the point I was making is that unless we give to the general public an easy to use and easy to understand suite of tools that are *actually* secure out of the box, encryption is not going to be used outside the people who really need to use it (the military, some companies, etc), and the people who think they need to, but actually don’t eg. your regular computer geek (which you and I are two instances of)
I think its a bit assuming to believe one can judge what another needs or doesn’t need. In my opinion everybody needs to use secure channels to communicate because the more encrypted communications that exist the safer all of us are (at the very least it costs wannabe snoops time and resources).
People are often quick to point out that public key cryptography is difficult to use. When you think about it the very concept of a computer is difficult to use. We learned how to use these machines from a starting point of very little knowledge. Unless you used computers at a young age it was intuitive to learn. But computers have become easier, in part, because people interact with them more on a daily basis. If one began using public key cryptography on a regular basis then it would become just as familiar as the concept of a mouse moving an on-screen pointer. Repetitiveness breeds familiarity.
Granted, e-mail is impossible to secure but it’s what everybody uses so you have to either convince people to using something besides e-mail or use something like OpenPGP to protect the contents of e-mails. Since e-mail is universal I find the latter to be easier to convince people to do. Ultimately, I would like to see something like Bitmessage evolve to a point that it’s relatively secure, anonymous, and easy to use. But that will take time and getting people signed on to us Bitmessage will take more time. Until then I will teach OpenPGP has a practical alternative to entirely unencrypted e-mail with the understanding that the people I teach will make mistakes and I will have to help them learn from those mistakes.
I get your point. You want people to use encryption not because they have an actual need for it (for instance my friends do not _need_ to encrypt their vacation pictures to me), but because it’s the right thing to do, that ultimately, the world is going to be a better place after the transition period of getting everybody on board.
I support this, but I also know that given, say, Facebook’s push to have everybody use their platform which, by design, offers very little (actually nothing) in terms of encryption, people might see encryption as something that stands on the way of their online social activity.
I am myself a big supporter of initiatives like Bitmessage. I wish that we could have everything work p2p. But encryption is not going to take root outside geek circles unless people (like my dad) have a strong intensive to use it.
This intensive is not given to us, even by the NSA revelations. For instance, nobody in the university student office considers the mess that would be caused by managing encryption keys to send updates about teaching updates to the graduates students. Even simple problems such as the policies about backups (it would be so easy to steal the keys from there) would be headache inducing to everybody.
Encrypting emails to _some_ of my friends is easy enough, but what we need is
1. True internet anonymity.
2. Social networks where you are not required to reveal your true identity if you do not which so.
3. The ability to communicate through those networks without the networks owners ever knowing what was said. ( I really mean that Facebook’s engineers should not be able to know that I say to my friends no Facebook — unless one of my friends disclose it publicly )
4. That companies (or whomever) wanting to send me job offers do so through encrypted emails. In fact that anybody ever sending me an email has an easy way to discover my public key and use it, otherwise my client rejects the email automatically.
5. And that law makers make it legal to refuse to disclose your encryption keys (for anything on your computer).
6. …and few other things that I am sure will come to me once I click submit 🙂
– S –
> I say to my friends no Facebook
Should have been: (…) I say to my friends on Facebook