Slashdot Mirror
Engaging Newbies In Email Encryption and Network Privacy
reifman writes: All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for Slashdot readers to share with their less-technical acquaintances. There's an introduction to PGP, a guide to email encryption on the desktop, smartphone and in the browser, an introduction to the emerging key sharing and authentication startup, Keybase.io, and an intro to VPNs. There's a lot more work for us to do in the ease of use of communications privacy but this helps people get started more with what's available today.
I just make sure not to send any sensitive information, account #'s, etc through e-mail. Until they make privacy and security easy and transparent to the user, that will be my defense. I don't have time to become an expert in this shit just to send a simple communication. Until then this will be a niche market with very few people using it.
For a personal clickwhoring blog, and "an introduction to the emerging key sharing and authentication startup".
Complete shit.
Thanks, Dicedot.
Works natively, easier to manage, and since you are using a native program it's probably encrypting the public and private key. 3rd party apps don't get encryption support.
You are off to a bad start. As sensational as your statement is, and with the full understanding of your desire to immediately capture the readers attention, you really ned to change it. E-mail privacy isn't broken. E-mail is by design not a private communication system. What you have written is not unlike claiming that DC-10s are broken because they cannot fly to the moon. You immediately caught my attention though. I'll grant you that! :-)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
There's a lot more work for us to do in the ease of use of communications privacy
Why is there? Why hasn't private key ala GPG/PGP become a totally integrated feature in mail clients? Even years ago when there was still a decent free Windows PGP with all the add-ons they had it integrated pretty well into Outlook and basic clipboard operations.
Why isn't it just a completely vendor-integrated feature, with address books having default fields for public keys, smartphone integration, etc. On a phone it could be totally automated to send PGP encrypted mail by default with only a prompt for your thumbprint to authenticate access to your private key. (This may or may not be a great security practice, but it's already widespread and well integrated and the post was about ease of use to begin with.)
Is it patents on PGP? "Meh" public attitude? Vendors pushing other solutions (S/MIME) or other certificate-driven solutions or "enterprise" authentication systems not wanting to give any room for what could be a free cross-platform solution?
Your Smartphone guide is for iPhone only. Looks like you need to write another chapter. (please)
yesterday that they're not going to allow email encryption, why bother? You just know the SOCTUS will select Jeb for President so there's no use in fighting it.
Troll? Stupid? Drunk? Insane? Republican?
The fact that this is so long means that by default it's too much for newbies. Communications privacy is not ready for newbies. If you can explain it in 500 words or less (or 2 minutes of video or less) without any further help... that's when it's ready for newbies.
Helping with organizational effectiveness is our job.
When activists like Moxie Marlinspike are calling for the end of PGP, it's probably time to look into alternatives.
PGP's problems are endemic to its design. It cannot be fixed, and increased adoption won't help.
Have a nice time.
Is there a chapter on convincing people why they need to go to all of this extra effort to secure their e-mail?
Most people say "yeah, whatever, too much work" when I try to tell them their e-mail is like sending a postcard in the postal system and what they need to do to not make it like that. Even when I ask if they'd put account and credit-card numbers on a post-card.
Since they bemoan SCOTUS potentially squeezing a republican into the presidency, it is more likely that they are a useful idiot/democrat.
>> PGP is a system of encryption that operates with a pair of keys that operate symmetrically.
Stop, go back and rewrite this stuff for newbies...if that really is your audience.
I think if you want encryption to work, what you need is not a clever little article that explains it, nor is it a startup company that stores public keys in a novel way. First, you need standards. Open, free, and universally supported.
For example, if you want to encrypt email, you need a standard way of encrypting email that's supported and endorsed by pretty much everyone-- Microsoft, Google, Apple, Yahoo, and random IMAP/POP/Webmail providers. You need them all onboard so that you can trust that, if you want send an encrypted email to someone, the recipient will be able to read it in whatever webmail or mail client they're using. This implies that they already have all the necessary software installed, keys generated, and public keys stored in accessible places.
If you haven't figured it out yet, I'm not just talking about encryption algorithms. Saying, "We have a standard, and it's PGP!" doesn't address the issue. Even if you get everyone to agree that PGP is the correct method for encrypting email, you still have a series of problems-- Do they have PGP installed on their computer? Do they have a way to read PGP-encrypted emails on their phone? Do they have a way to read PGP-encrypted emails on their webmail, when they want to check their email from a friend's house? And how are you anticipating that people will manage their keys so that they're secure, backed up, an pretty much impossible to lose?
Someone needs to work out a vision for how this is supposed to work, and then pretty much everyone needs to get onboard. Until this is just built into every email client (including webmail), it's not going to work.
Anything is better than nothing in this department. Without encryption, there is zero privacy.
I'd say the first problem is teaching people why they want privacy in the first place. I either run into the attitude of "I don't care about what I do, I'm doing nothing illegal", or the attitude of "the bad guys will get it anyway."
It is a similar attitude I see where people don't bother taking basic precautions with computers, assuming malware and reinstalling every few weeks to months is a fact of life.
After actually getting users to back up and secure their systems (install patches, run an adblocker, enable some "click to play" functionality), the first part is getting them to make and securely store a PGP [1] key, making sure to remember the key's passphrase and keep a good backup in offline sites of the key [2]. From there, it is setting up a web of trust (I tend to respond to messages in kind. Encrypted messages get an encrypted response, for example.)
The basics are not really hard to get down, but do take some time and thought, especially guarding one's private key, managing one's web of trust, and sending/receiving encrypted content. One of the advantages of OpenPGP is that the encryption format and the messaging format are independent. An encrypted message can arrive via SMS, SMTP, AIM, FB Messenger, a USENET post, file stashed on a USB flash drive, or many other ways.
[1]: Technically OpenPGP format, be it done by PGP, netpgp, GPG, Symantec Encryption Desktop, APG, or another utility.
[2]: I'd probably recommend buying three hardware AES encrypted USB flash drives. IronKey has the best reputation, and they have some cheapies that are not FIPS compliant that are relatively expensive ($35 for 4 GB)... but have a proven track record and are relatively reliable. Once a user copies their key to all three, the USB flash drives should be stashed in separate locations, as they shouldn't need to be accessed often.
Both the EFF and the FSF have email self defence guides you can also check out:
https://ssd.eff.org/
https://emailselfdefense.fsf.org/
I've had great success with mailvelope plug-in https://www.mailvelope.com/hel... it has support for firefox and chrome. It makes PGP encrypting mail secure and integrates well with existing mail accounts rather seamlessly. I'm a longtime user of PGP and mail encryption and this was one of the first times I've seen it done correctly and easy to use.
I am a figment of my own imagination.
Yes and no, but mostly no. (ObDisclosure: I help out with Enigmail.)
But that doesn't matter. When it comes to communications security the world is divided into two camps. The first one doesn't need it right now and the second one does. If you don't need communications security right now, that gives you a great amount of luxury to sit on the sidelines and wait for something better to come along. If you do, though ... then GnuPG and Enigmail are pretty much the best thing going right now, at least when it comes to email.
I'll be the first to agree that GnuPG is a usability nightmare. Absolutely. If you like I'll point you towards several references in the peer-reviewed literature that show why it's so bad. But when people start talking about alternatives, I want to know which alternatives they're suggesting; when people start talking about doing it better, I want to know what better means.
How many would-be beginners fled away when they saw they would have to read a six parts series?
Cool! I want privacy for my Facebook, Twitter, Tumblr, and Instagram, and text messages, how do I get that? I use email to communicate with my grandparents, but how do I get it for the stuff I use, like, every day?
Ok, I look at your series, and I'm thinking: my father would stop after reading the first paragraph. Security, encryption, privacy, they all suffer from people trying to educate the general public on TLAs, hard math, installing utilities.
When will the security community learn that we don't need all those explanations, we need it to just work. We need encryption by default and unless this is available mainstream it's not gonna happen.
Same thing for programmers. Nobody wants to learn about security, and especially about all those encryption algorithms, perfect-forward-secrecy etcetera. It just needs to be default in all frameworks, libraries. I don't care there are so many cyphers, just give me proper defaults.
The problem with security is just that the community around it does a very bad job of making it simple. It needs to disappear into the woodwork guys!
has already anyone tried it?