Slashdot Mirror
Engaging Newbies In Email Encryption and Network Privacy
reifman writes: All six parts of my series introducing beginners to PGP encryption and network privacy are now freely available. I hope it's useful for Slashdot readers to share with their less-technical acquaintances. There's an introduction to PGP, a guide to email encryption on the desktop, smartphone and in the browser, an introduction to the emerging key sharing and authentication startup, Keybase.io, and an intro to VPNs. There's a lot more work for us to do in the ease of use of communications privacy but this helps people get started more with what's available today.
For a personal clickwhoring blog, and "an introduction to the emerging key sharing and authentication startup".
Complete shit.
Thanks, Dicedot.
The fact that this is so long means that by default it's too much for newbies. Communications privacy is not ready for newbies. If you can explain it in 500 words or less (or 2 minutes of video or less) without any further help... that's when it's ready for newbies.
Helping with organizational effectiveness is our job.
Anything is better than nothing in this department. Without encryption, there is zero privacy.
I'd say the first problem is teaching people why they want privacy in the first place. I either run into the attitude of "I don't care about what I do, I'm doing nothing illegal", or the attitude of "the bad guys will get it anyway."
It is a similar attitude I see where people don't bother taking basic precautions with computers, assuming malware and reinstalling every few weeks to months is a fact of life.
After actually getting users to back up and secure their systems (install patches, run an adblocker, enable some "click to play" functionality), the first part is getting them to make and securely store a PGP [1] key, making sure to remember the key's passphrase and keep a good backup in offline sites of the key [2]. From there, it is setting up a web of trust (I tend to respond to messages in kind. Encrypted messages get an encrypted response, for example.)
The basics are not really hard to get down, but do take some time and thought, especially guarding one's private key, managing one's web of trust, and sending/receiving encrypted content. One of the advantages of OpenPGP is that the encryption format and the messaging format are independent. An encrypted message can arrive via SMS, SMTP, AIM, FB Messenger, a USENET post, file stashed on a USB flash drive, or many other ways.
[1]: Technically OpenPGP format, be it done by PGP, netpgp, GPG, Symantec Encryption Desktop, APG, or another utility.
[2]: I'd probably recommend buying three hardware AES encrypted USB flash drives. IronKey has the best reputation, and they have some cheapies that are not FIPS compliant that are relatively expensive ($35 for 4 GB)... but have a proven track record and are relatively reliable. Once a user copies their key to all three, the USB flash drives should be stashed in separate locations, as they shouldn't need to be accessed often.
Yes and no, but mostly no. (ObDisclosure: I help out with Enigmail.)
But that doesn't matter. When it comes to communications security the world is divided into two camps. The first one doesn't need it right now and the second one does. If you don't need communications security right now, that gives you a great amount of luxury to sit on the sidelines and wait for something better to come along. If you do, though ... then GnuPG and Enigmail are pretty much the best thing going right now, at least when it comes to email.
I'll be the first to agree that GnuPG is a usability nightmare. Absolutely. If you like I'll point you towards several references in the peer-reviewed literature that show why it's so bad. But when people start talking about alternatives, I want to know which alternatives they're suggesting; when people start talking about doing it better, I want to know what better means.