People cite sexual selection for all kinds of things, but it often just raises the question, why would that feature suddenly become selected for by the opposite sex? It seems like an convenient catch-all explanation.
If you don't understand what I mean, you might be thinking, "females preferred male features that were more masculine," but then I'd want to point out that our definition of 'masculine' is based off of men having those features. Also, in as much as animals evolve to become attractive to mates, it's also true that animals evolve to find features more or less attractive in mates. To cite another example, I've heard people claim that babies must have evolved to have cute features so that we'd take care of them, but it's a more feasible explanation to say that we're evolved to find immature features 'cute' in a way that inclined us to take care of our young.
I'm really interested to see what evidence ends up being offered in this. Can Netflix prove that ISPs are at fault? Can Verizon prove that it's not their fault.
I find this part pretty interesting:
Citing the Internet Phenomena blog, Verizon said that instead of using its ability to connect directly to every broadband network in the country, Netflix has tried to cut costs by relying on a "panoply of content-distribution and other middle-man networks" to reach customers.
It seems like an awfully strange complaint. How is Netflix supposed to "connect directly", and are people not supposed to use content distribution networks? What's the argument exactly on Verizon's side. If Netflix is using a "panoply of content-distribution networks", I would think that'd imply that they should be able to get decent distribution without suffering bottlenecks on their end of things.
I agree, though I also think it's good to realize that even if you don't ponder the symbolism of the red glass dishes, it may actually still be increasing your enjoyment. Great writers don't stick in a bunch of symbols for English professors to discover during a dry analysis. They *do* put in symbols and imagery and metaphor that will increase meaning and understanding by even casual readers, even if only on a subconscious level. Sometimes the authors put that stuff in only unconsciously themselves, but it's in there. You probably wouldn't enjoy it if it wasn't using metaphor to push certain psychology buttons in you.
And yet you could use the same encryption standards and public key management to encrypt anything. You're just being pedantic. There's no point in arguing here about specific standards.
I've never said it's impossible to make it better. But the user will always need some level of intervention (like at least caring that encryption happens, and checking that correct keys are used).
It depends on what you mean by "some level of intervention". Lots of people go to their bank's website without knowing that encryption is happening or that they keys are correct. Their browsers check the keys for them, providing some level of security even if they're totally unaware. No doubt things are *more* secure if people understand the encryption well enough to know how the security could be circumvented, but I'm not expecting that we can provide absolute security for all people. I'm thinking that we could provide much better security for all people-- which shouldn't be too hard since there's not much security now-- and the possibility of strong security for those who have even a basic understanding.
As an IT guy, I really like the concept of IPMI. I would love something like LogMeIn, but that allows you to take control of machines on a baseboard/lights-out level. The only problem is, there aren't any solutions that I'm aware of that offer that kind of easy, useful bulk management of lots of machines from a single pane. But more importantly, the concept of that kind of bulk management should trigger the thought, "Holy crap that opens a dangerous can of worms!" If lights-out management isn't secured properly, it gives an attacker a frightening level of access.
I don't know why they implemented these things without thinking it through. It's too hard to use legitimately, and too hard to manage security. I don't really even understand how I'm supposed to access and manage these systems in bulk, especially considered how often modern IT departments need to deal with remote machines that they never physically touch. If someone would develop a solution for IPMI that's not completely stupid-- think Meraki meets LogMeIn meets MDM-- an awful lot of IT departments would be falling all over themselves to buy hardware that supported it.
I can accommodate a conscientious objector when he's honest and decent, but you seem to be merely a contrarian, and an apologist for people who are putting whole populations in danger of serious illness through smug stubbornness and willful ignorance.
I don't like the us vs. them mentality either, but that doesn't keep me from calling out assholes for being assholes.
I agree that there's something a bit questionable about history and philosophy being lumped in with poetry and visual arts, but it's really hard to know where to draw the lines. Philosophy is arguably better suited to being treated as a soft science like psychology, but it doesn't quite fit there either. Meanwhile, some literature and poetry arguably border on being an expression of philosophy.
We're getting into a tangent here, but though I don't know how to classify things, I do think it's important to classify "science" as being somehow linked to philosophy. Science began as a subset of philosophy, and the validity of science is dependent "natural philosophy".
However, I'm not sure I share your view on philosophy's adherence to mathematical rigor. I've seen some mighty stupid philosophic arguments justified by what amounts to attempts to translate syllogisms into equations, and I think in the end, philosophy needs to make sense. It can be as obscure and difficult to understand as you'd like, but it has to come back to questions of "does this make sense?" and "is this true?" and "is this convincing?". Of course, the great thing about it is, that assertion is a matter of philosophic argument!
What happened to you to make you so bitter towards harmless humanities cranks?
I'm not sure why you'd put it that way. I would sooner say that, as a humanities crank myself, I'm bitter towards the treatment humanities get in academia, and in society as a whole. I'm not drawing on conservative news stories as much as on my own experience in going through higher education.
I promise you, any high-schooler coming into Lit 101 has a pretty narrow view of how to interact with art, because that's just not taught in high school, because high school English is geared towards SAT scoring. It's difficult to learn new ways of reading outside of the common-sense interpretations, the "what does X symbolize?" essay questions printed in sophomore textbooks.
I agree. That kind of analysis is stupid as well.
why pay thousands in tuition when you could just join a reading circle?
As much as anything, hopefully you will have a better reading circle if you're paying thousands of dollars in tuition to attend it. Otherwise, I'm not sure how the principle of the thing should differ. I guess a lot of people pay the tuition so that they can associate themselves symbolically with a minor league football team or basketball team, so paying for a superior reading circle doesn't seem so silly to me.
Towards the end of your post, I have no idea what you're going on about. I certainly didn't say that analyzing old artistic/literary works wasn't a good thing to do, or that you shouldn't learn theories and develop frameworks for discussing them. I didn't complain about professors not making sense to me. My complaint was more that my experiences with higher education indicates that it's generally not rigorous enough. It focuses on modernity and novelty, and the professors don't actually understand their own fields well enough-- when it's taught by professors at all. Instead everyone is focused on getting published, which often means being controversial or novel while paradoxically playing it safe to please your peers.
Actually, we apparently disagree. I believe that between "Who do you trust?" and "Whom do you trust?" it is more correct to use "whom". "Whom" is the direct object of "trust". The standard test applies: when you answer the question, would you use "he" or "him"?
Who is trustworthy?
He is trustworthy.
Whom do you trust?
I trust him.
Now, that's the issue of which is more correct. I wouldn't jump down your throat for asking, "Who do you trust?" but I think "whom" is actually more correct, so I wouldn't correct someone for saying it either.
Some critics think that the humanities have gotten too weird—that undergrads, turned off by an overly theoretical approach, don't want to participate anymore, and that teaching opportunities have disappeared as a result....
I think this is pointing at a larger cultural issue: The "Humanities" disappeared down a post-modern rabbit hole of nonsense. It's become widely held by "experts" that classics are all bullshit and only the most novel works are interesting. Paintings aren't important unless it's an abstract piece painted with feces. Literature isn't interesting unless it's incomprehensible. Philosophy isn't worth talking about unless it's mathematically provable.
These subjects have the potential to be incredibly interesting and even important to our lives, but instead it's relegated to pseudo-science and trivia, and as a result, a lot of the "expert" PhDs don't know what the hell they're talking about.
...when configured properly...assuming scripting is turned off by default.
You know what happens when we assume.
The problem with expecting people to have mail clients is that it can be very inconvenient when people aren't bringing their own computer with them. Web applications have the benefit of being available cross-platform on any computer with a web browser that can access the internet. Another problem is that mail client development has been somewhat stagnant. What are my options? Outlook or Thunderbird? And how has Thunderbird improved in the past 10 years?
I mean, really, email itself has been stagnant. You might angrily respond saying, "Well how do you expect it to develop? It does what it does, and it does it well!" And yet I'm still flooded with spam, and don't have an easy method of end-to-end encryption. There isn't good support for cross-platform server-side metadata extensions (e.g. if I tag an email message on my IMAP account in Thunderbird, and then I access it on another computer in Mac mail or Outlook, those tags aren't there). Email kind of sucks because it's stuck in the 1980s.
Usually don't reply to anonymous cowards, but I gather you're the same guy, so here goes:
And you're argument of "joe-normal's email program of choice doesn't make encryption easy" sounds like a complaint for the program or webpage, not against encryption.
That's because I'm not at all opposed to encryption. I'm saying that this stunt to advocate encryption will be ineffective. My argument is basically that we need to standardize on forms of encryption that will then be built into all platforms natively, including effective methods of key management, that make the whole process transparent to end-users. If end users need to install software, if they even need to understand that their email is encrypted in order to access it, then you're doing it wrong.
the discussion i had with my mother...
That's all well and good. Your mother sounds much more sensible than most people. You may think that she's clueless, but most people are both clueless and stubborn. They barely understand the concept of encryption, don't understand anything about how it works, are not very interested in security, and will outright refuse to accept changes in their workflow. If I were to set something up like this for my own mother, I wouldn't trust her to do it. I would have to set it up for her and then keep a copy of the keys myself as a safeguard. Even then, I'd worry that at some point, she'd decide to generate her own new keys and then lose them, because you just don't know what the hell that woman is going to do.
Myself, I wouldn't use GPG because there's not wide enough support. I use Outlook for work, and last time I tried it, the GPG plugin didn't work in Outlook and just crashed everything. I would sooner try to use S/MIME, which is more widely supported. But that's sort of my point-- you need a single set of standards that everyone is using, or else the encryption schemes have limited utility.
There is something nice and convenient about Web based E-mail, but it is at a cost of end to end security.
Not necessarily. We would just need a standard protocol for handling encrypted webmail, and then universal browser implementation for that protocol. Like maybe you wrap the output in <encrypted></encrypted> tags, and then browsers know how to interpret the tags and have access to the private keys. Google already syncs settings and extensions with your chrome profile, so if you trusted Google to do it, they could even sync your private keys. If you didn't trust Google, then we'd just need to figure out a different way to get access to your keys if you want to access your webmail away from your own computer.
Of course, then mail clients and mobile devices would need to support the same form of encryption as what the web browsers are using. That's the biggest issue: developing a standard for handling these things that everyone can agree on, and that everyone will implement. We already know how to do this. We're just not doing it.
What is the value of every message being encrypted if Apple can decrypt them at will?
IIRC Apple doesn't get your encryption keys in their system. I don't remember exactly how it works, but I remember reading that the encryption is from one endpoint to the other, and Apple doesn't actually have the ability to decrypt the message in transit. Now you could complain that they might have put in a back door. Well sure. That's possible with any closed source software-- and really even with FOSS software that hasn't been audited by someone you trust.
Of course its easy. But its also completely POINTLESS.
Well it really really depends. If you think that security is binary-- either "secure" or "not secure"-- then you grossly misunderstand the issue. Even if Apple can read your messages, which I could be wrong about but I believe they officially say that they can't, I would still trust Apple with a lot more information than I would trust the Internet are large. It's not locking your car to keep the valet out, it's asking the valet to lock your car once he's parked it.
And besides, as I've said, I don't really care about Apple. I'm not saying, "Don't encrypt your email! Just use Apple's Messenger instead because it's way better and secure!" I'm saying that if you want people to encrypt their email, look at what Apple's done as a possible model for how to accomplish that, because they succeeded in making it an easy process.
If you DO trust the endpoints, and they are the same entity as the intermediary then WHAT IS THE POINT OF IMPLEMENTING END TO END ENCYRPTION?
Yeah, kind of my point in saying, "Only if you assume that Apple is a burglar don't trust them with anything." There's levels of trust. I've given Apple my credit card before, and I trust that they're not going to charge me for anything that I didn't buy. Therefore, if I were going to send credit card information over the internet, I'd prefer to use their encryption over nothing.
But again, this isn't about Apple. I have no problem with you distrusting Apple. Still, you're going to have to trust someone sometime. You trust Mozilla? Fine, then let them implement an encryption scheme as simple for users to work with as Apple's is. I'd be perfectly happy with that.
If it hasn't come through in our discussions, my preference is for there to be improvements to be made to email, according to open standards that can be implemented by Mozilla, Apple, Google, and everyone else, that make encryption dead-simple. The fact is, email could stand to be improved in many ways, but it won't be anytime soon because you have Apple running off and doing it their own way, Google running off and doing it their own way, and Mozilla allowing you to install a plugin that calls another application that most people don't have installed, which then allows you to run a wizard, that dumps out a key, that needs to be backed up in some unspecified way or you lose all of your email, which also renders your email unreadable anywhere else.
Yes. And I'm an IT guy, and I'll tell you that an awful lot of people would have trouble with those directions even if they wanted to follow them. For your average person, they'd have to install Thunderbird, GPG, and Enigmail-- and with that, you've already lost 90% of users. You haven't even gotten to dealing with the encryption keys, but give those instructions to most people and they'll say, "But can't I just use the Internet?" by which they mean, they would rather use webmail than install 3 applications. They won't even understand what those 3 applications are. You can forget about Linux.
Plus, let's say they follow those directions and encrypt all of their email in Thunderbird. Now they're traveling and they want to read their email in webmail. Uh oh. It looks all weird. No problem, they'll just access it on their iPhone-- but it looks like gibberish there too!
Sorry, it's not going to work like this. It needs to be much much easier than this.
Whether you do or not isn't really my point. I was just using it as an example. They made it easy, and if you want people to encrypt their email, it needs to be equally easy.
Does trusting Apple to write your encryption software, manage your encryption keys for you, and handle your actual communications make any sense in the least?
It makes more sense than not encrypting your messages at all. Actually it's dramatically changing the sort of problem that you're dealing with. If you really just don't trust Apple at all, then I get it. Don't use their products at all, because they could have put in NSA backdoors to everything, so use FOSS.
But my point wasn't that we should trust Apple. My point was that Apple managed to create an encryption scheme for messaging that results in every message being encrypted, without the user being expected to do special configuration and key management, and it's baked into their software by default. If Apple can do it, why can't someone else?
For starters, if we want GPG to be the default for encryption, why can't we have thunderbolt built in such a way that it includes GPG, Enigmail, and everything else? Why not have the default setup prompt to set up encryption, generating keys or restoring them if they don't already exist? And what's your plan to standardizing backup/recovery of keys?
Fine, don't trust Apple, but then build your own system that's at least as good.
That's like trusting a burglar to set up your home security system
Only if you assume that Apple is a burglar, in which case, don't trust them with anything. But in reality, it's just too much of a big deal to not trust anyone with anything. I put my money in a bank, even knowing it's possible for them to make unethical use of my banking records. I store my email on Gmail. I store my website with my web host. I accept SSL certificates from certificate authorities. I buy my phone from Apple and my laptop from Lenovo. There could be hardware chips built in by the manufacturers that are logging my keys. Realistically what am I going to do if I don't trust anyone? Even when I use Linux, I'm still trusting people. I didn't do a code audit myself.
Yet, SSL handle only the encryption between a server, and the client application.
You can use the same encryption scheme for encrypting anything.
...will always require some minimal end-user intervention...
Not necessarily. You just need to make key management easy. I know people are going to get angry every time I bring up Apple, but OSX can store certificates/keys in the keyring, which can then be backed up to iCloud. Don't trust Apple if you like, but my point is that it's not impossible to make the whole thing much more automatic, safe, and easy for normal users.
The first automobiles didn't have keys, but people have learned to use and manage them. And for those keys you can't even download the management equipment, you have to go to a hardware store to get copies.
People understand what cars do better than they understand computers, and when you lose your car keys, you don't lose the whole car.
Apparently, it's impossible to make it "easy enough" for the average user.
And yet, as I point out, Apple has done it with iMessage. A lot of sites encrypt their traffic with SSL.
I think the real problem is one of standards. Email is from a time when everyone wanted open standards. Rather than improve and refine those standards, everyone is moving towards closed systems (Facebook/Apple Messengers, Google Hangouts, etc.). Nobody is even trying to improve email anymore.
I think you missed my point. I'm not saying there's no point in encrypting your email. I'm saying there's no point if the recipient doesn't have their own software and keys to decrypt the encrypted message.
I think that if that person knew what he was talking about, he would have said, "Open source has the potential to greatly increase the quality of code because the world can see the source and make fixes."
Just because there's the potential for FOSS to be more reliable and more secure doesn't mean that every project will be. And even so, nothing will eliminate all bugs.
Slashdot Mirror
People cite sexual selection for all kinds of things, but it often just raises the question, why would that feature suddenly become selected for by the opposite sex? It seems like an convenient catch-all explanation.
If you don't understand what I mean, you might be thinking, "females preferred male features that were more masculine," but then I'd want to point out that our definition of 'masculine' is based off of men having those features. Also, in as much as animals evolve to become attractive to mates, it's also true that animals evolve to find features more or less attractive in mates. To cite another example, I've heard people claim that babies must have evolved to have cute features so that we'd take care of them, but it's a more feasible explanation to say that we're evolved to find immature features 'cute' in a way that inclined us to take care of our young.
I'm really interested to see what evidence ends up being offered in this. Can Netflix prove that ISPs are at fault? Can Verizon prove that it's not their fault.
I find this part pretty interesting:
Citing the Internet Phenomena blog, Verizon said that instead of using its ability to connect directly to every broadband network in the country, Netflix has tried to cut costs by relying on a "panoply of content-distribution and other middle-man networks" to reach customers.
It seems like an awfully strange complaint. How is Netflix supposed to "connect directly", and are people not supposed to use content distribution networks? What's the argument exactly on Verizon's side. If Netflix is using a "panoply of content-distribution networks", I would think that'd imply that they should be able to get decent distribution without suffering bottlenecks on their end of things.
The less people know about it, the more secure it is.
Of course, it's also true that the fewer people know about it, the more likely it will be permanently lost.
I agree, though I also think it's good to realize that even if you don't ponder the symbolism of the red glass dishes, it may actually still be increasing your enjoyment. Great writers don't stick in a bunch of symbols for English professors to discover during a dry analysis. They *do* put in symbols and imagery and metaphor that will increase meaning and understanding by even casual readers, even if only on a subconscious level. Sometimes the authors put that stuff in only unconsciously themselves, but it's in there. You probably wouldn't enjoy it if it wasn't using metaphor to push certain psychology buttons in you.
TLS/SSL is not an encryption scheme.
And yet you could use the same encryption standards and public key management to encrypt anything. You're just being pedantic. There's no point in arguing here about specific standards.
I've never said it's impossible to make it better. But the user will always need some level of intervention (like at least caring that encryption happens, and checking that correct keys are used).
It depends on what you mean by "some level of intervention". Lots of people go to their bank's website without knowing that encryption is happening or that they keys are correct. Their browsers check the keys for them, providing some level of security even if they're totally unaware. No doubt things are *more* secure if people understand the encryption well enough to know how the security could be circumvented, but I'm not expecting that we can provide absolute security for all people. I'm thinking that we could provide much better security for all people-- which shouldn't be too hard since there's not much security now-- and the possibility of strong security for those who have even a basic understanding.
As an IT guy, I really like the concept of IPMI. I would love something like LogMeIn, but that allows you to take control of machines on a baseboard/lights-out level. The only problem is, there aren't any solutions that I'm aware of that offer that kind of easy, useful bulk management of lots of machines from a single pane. But more importantly, the concept of that kind of bulk management should trigger the thought, "Holy crap that opens a dangerous can of worms!" If lights-out management isn't secured properly, it gives an attacker a frightening level of access.
I don't know why they implemented these things without thinking it through. It's too hard to use legitimately, and too hard to manage security. I don't really even understand how I'm supposed to access and manage these systems in bulk, especially considered how often modern IT departments need to deal with remote machines that they never physically touch. If someone would develop a solution for IPMI that's not completely stupid-- think Meraki meets LogMeIn meets MDM-- an awful lot of IT departments would be falling all over themselves to buy hardware that supported it.
I can accommodate a conscientious objector when he's honest and decent, but you seem to be merely a contrarian, and an apologist for people who are putting whole populations in danger of serious illness through smug stubbornness and willful ignorance.
I don't like the us vs. them mentality either, but that doesn't keep me from calling out assholes for being assholes.
I think I understand. My immediate reaction to reading your post was, "I hope he still reads literature, for fun at least. :-("
I agree that there's something a bit questionable about history and philosophy being lumped in with poetry and visual arts, but it's really hard to know where to draw the lines. Philosophy is arguably better suited to being treated as a soft science like psychology, but it doesn't quite fit there either. Meanwhile, some literature and poetry arguably border on being an expression of philosophy.
We're getting into a tangent here, but though I don't know how to classify things, I do think it's important to classify "science" as being somehow linked to philosophy. Science began as a subset of philosophy, and the validity of science is dependent "natural philosophy".
However, I'm not sure I share your view on philosophy's adherence to mathematical rigor. I've seen some mighty stupid philosophic arguments justified by what amounts to attempts to translate syllogisms into equations, and I think in the end, philosophy needs to make sense. It can be as obscure and difficult to understand as you'd like, but it has to come back to questions of "does this make sense?" and "is this true?" and "is this convincing?". Of course, the great thing about it is, that assertion is a matter of philosophic argument!
But I'm going way off topic here.
What happened to you to make you so bitter towards harmless humanities cranks?
I'm not sure why you'd put it that way. I would sooner say that, as a humanities crank myself, I'm bitter towards the treatment humanities get in academia, and in society as a whole. I'm not drawing on conservative news stories as much as on my own experience in going through higher education.
I promise you, any high-schooler coming into Lit 101 has a pretty narrow view of how to interact with art, because that's just not taught in high school, because high school English is geared towards SAT scoring. It's difficult to learn new ways of reading outside of the common-sense interpretations, the "what does X symbolize?" essay questions printed in sophomore textbooks.
I agree. That kind of analysis is stupid as well.
why pay thousands in tuition when you could just join a reading circle?
As much as anything, hopefully you will have a better reading circle if you're paying thousands of dollars in tuition to attend it. Otherwise, I'm not sure how the principle of the thing should differ. I guess a lot of people pay the tuition so that they can associate themselves symbolically with a minor league football team or basketball team, so paying for a superior reading circle doesn't seem so silly to me.
Towards the end of your post, I have no idea what you're going on about. I certainly didn't say that analyzing old artistic/literary works wasn't a good thing to do, or that you shouldn't learn theories and develop frameworks for discussing them. I didn't complain about professors not making sense to me. My complaint was more that my experiences with higher education indicates that it's generally not rigorous enough. It focuses on modernity and novelty, and the professors don't actually understand their own fields well enough-- when it's taught by professors at all. Instead everyone is focused on getting published, which often means being controversial or novel while paradoxically playing it safe to please your peers.
Actually, we apparently disagree. I believe that between "Who do you trust?" and "Whom do you trust?" it is more correct to use "whom". "Whom" is the direct object of "trust". The standard test applies: when you answer the question, would you use "he" or "him"?
Who is trustworthy?
He is trustworthy.
Whom do you trust?
I trust him.
Now, that's the issue of which is more correct. I wouldn't jump down your throat for asking, "Who do you trust?" but I think "whom" is actually more correct, so I wouldn't correct someone for saying it either.
Some critics think that the humanities have gotten too weird—that undergrads, turned off by an overly theoretical approach, don't want to participate anymore, and that teaching opportunities have disappeared as a result. ...
I think this is pointing at a larger cultural issue: The "Humanities" disappeared down a post-modern rabbit hole of nonsense. It's become widely held by "experts" that classics are all bullshit and only the most novel works are interesting. Paintings aren't important unless it's an abstract piece painted with feces. Literature isn't interesting unless it's incomprehensible. Philosophy isn't worth talking about unless it's mathematically provable.
These subjects have the potential to be incredibly interesting and even important to our lives, but instead it's relegated to pseudo-science and trivia, and as a result, a lot of the "expert" PhDs don't know what the hell they're talking about.
Pro tip: use 'whom' when it's merited at the end of a sentence
That's a bad tip. First, that's not how the usage is determined, and second, you haven't cleared up the issue of "when is it merited?"
I believe the rule is that you use "whom" when it's the direct object of a verb or preposition.
...when configured properly...assuming scripting is turned off by default.
You know what happens when we assume.
The problem with expecting people to have mail clients is that it can be very inconvenient when people aren't bringing their own computer with them. Web applications have the benefit of being available cross-platform on any computer with a web browser that can access the internet. Another problem is that mail client development has been somewhat stagnant. What are my options? Outlook or Thunderbird? And how has Thunderbird improved in the past 10 years?
I mean, really, email itself has been stagnant. You might angrily respond saying, "Well how do you expect it to develop? It does what it does, and it does it well!" And yet I'm still flooded with spam, and don't have an easy method of end-to-end encryption. There isn't good support for cross-platform server-side metadata extensions (e.g. if I tag an email message on my IMAP account in Thunderbird, and then I access it on another computer in Mac mail or Outlook, those tags aren't there). Email kind of sucks because it's stuck in the 1980s.
And you're argument of "joe-normal's email program of choice doesn't make encryption easy" sounds like a complaint for the program or webpage, not against encryption.
That's because I'm not at all opposed to encryption. I'm saying that this stunt to advocate encryption will be ineffective. My argument is basically that we need to standardize on forms of encryption that will then be built into all platforms natively, including effective methods of key management, that make the whole process transparent to end-users. If end users need to install software, if they even need to understand that their email is encrypted in order to access it, then you're doing it wrong.
the discussion i had with my mother...
That's all well and good. Your mother sounds much more sensible than most people. You may think that she's clueless, but most people are both clueless and stubborn. They barely understand the concept of encryption, don't understand anything about how it works, are not very interested in security, and will outright refuse to accept changes in their workflow. If I were to set something up like this for my own mother, I wouldn't trust her to do it. I would have to set it up for her and then keep a copy of the keys myself as a safeguard. Even then, I'd worry that at some point, she'd decide to generate her own new keys and then lose them, because you just don't know what the hell that woman is going to do.
Myself, I wouldn't use GPG because there's not wide enough support. I use Outlook for work, and last time I tried it, the GPG plugin didn't work in Outlook and just crashed everything. I would sooner try to use S/MIME, which is more widely supported. But that's sort of my point-- you need a single set of standards that everyone is using, or else the encryption schemes have limited utility.
There is something nice and convenient about Web based E-mail, but it is at a cost of end to end security.
Not necessarily. We would just need a standard protocol for handling encrypted webmail, and then universal browser implementation for that protocol. Like maybe you wrap the output in <encrypted></encrypted> tags, and then browsers know how to interpret the tags and have access to the private keys. Google already syncs settings and extensions with your chrome profile, so if you trusted Google to do it, they could even sync your private keys. If you didn't trust Google, then we'd just need to figure out a different way to get access to your keys if you want to access your webmail away from your own computer.
Of course, then mail clients and mobile devices would need to support the same form of encryption as what the web browsers are using. That's the biggest issue: developing a standard for handling these things that everyone can agree on, and that everyone will implement. We already know how to do this. We're just not doing it.
What is the value of every message being encrypted if Apple can decrypt them at will?
IIRC Apple doesn't get your encryption keys in their system. I don't remember exactly how it works, but I remember reading that the encryption is from one endpoint to the other, and Apple doesn't actually have the ability to decrypt the message in transit. Now you could complain that they might have put in a back door. Well sure. That's possible with any closed source software-- and really even with FOSS software that hasn't been audited by someone you trust.
Of course its easy. But its also completely POINTLESS.
Well it really really depends. If you think that security is binary-- either "secure" or "not secure"-- then you grossly misunderstand the issue. Even if Apple can read your messages, which I could be wrong about but I believe they officially say that they can't, I would still trust Apple with a lot more information than I would trust the Internet are large. It's not locking your car to keep the valet out, it's asking the valet to lock your car once he's parked it.
And besides, as I've said, I don't really care about Apple. I'm not saying, "Don't encrypt your email! Just use Apple's Messenger instead because it's way better and secure!" I'm saying that if you want people to encrypt their email, look at what Apple's done as a possible model for how to accomplish that, because they succeeded in making it an easy process.
If you DO trust the endpoints, and they are the same entity as the intermediary then WHAT IS THE POINT OF IMPLEMENTING END TO END ENCYRPTION?
Yeah, kind of my point in saying, "Only if you assume that Apple is a burglar don't trust them with anything." There's levels of trust. I've given Apple my credit card before, and I trust that they're not going to charge me for anything that I didn't buy. Therefore, if I were going to send credit card information over the internet, I'd prefer to use their encryption over nothing.
But again, this isn't about Apple. I have no problem with you distrusting Apple. Still, you're going to have to trust someone sometime. You trust Mozilla? Fine, then let them implement an encryption scheme as simple for users to work with as Apple's is. I'd be perfectly happy with that.
If it hasn't come through in our discussions, my preference is for there to be improvements to be made to email, according to open standards that can be implemented by Mozilla, Apple, Google, and everyone else, that make encryption dead-simple. The fact is, email could stand to be improved in many ways, but it won't be anytime soon because you have Apple running off and doing it their own way, Google running off and doing it their own way, and Mozilla allowing you to install a plugin that calls another application that most people don't have installed, which then allows you to run a wizard, that dumps out a key, that needs to be backed up in some unspecified way or you lose all of your email, which also renders your email unreadable anywhere else.
Did you read their instructions?
Yes. And I'm an IT guy, and I'll tell you that an awful lot of people would have trouble with those directions even if they wanted to follow them. For your average person, they'd have to install Thunderbird, GPG, and Enigmail-- and with that, you've already lost 90% of users. You haven't even gotten to dealing with the encryption keys, but give those instructions to most people and they'll say, "But can't I just use the Internet?" by which they mean, they would rather use webmail than install 3 applications. They won't even understand what those 3 applications are. You can forget about Linux.
Plus, let's say they follow those directions and encrypt all of their email in Thunderbird. Now they're traveling and they want to read their email in webmail. Uh oh. It looks all weird. No problem, they'll just access it on their iPhone-- but it looks like gibberish there too!
Sorry, it's not going to work like this. It needs to be much much easier than this.
Whether you do or not isn't really my point. I was just using it as an example. They made it easy, and if you want people to encrypt their email, it needs to be equally easy.
Does trusting Apple to write your encryption software, manage your encryption keys for you, and handle your actual communications make any sense in the least?
It makes more sense than not encrypting your messages at all. Actually it's dramatically changing the sort of problem that you're dealing with. If you really just don't trust Apple at all, then I get it. Don't use their products at all, because they could have put in NSA backdoors to everything, so use FOSS.
But my point wasn't that we should trust Apple. My point was that Apple managed to create an encryption scheme for messaging that results in every message being encrypted, without the user being expected to do special configuration and key management, and it's baked into their software by default. If Apple can do it, why can't someone else?
For starters, if we want GPG to be the default for encryption, why can't we have thunderbolt built in such a way that it includes GPG, Enigmail, and everything else? Why not have the default setup prompt to set up encryption, generating keys or restoring them if they don't already exist? And what's your plan to standardizing backup/recovery of keys?
Fine, don't trust Apple, but then build your own system that's at least as good.
That's like trusting a burglar to set up your home security system
Only if you assume that Apple is a burglar, in which case, don't trust them with anything. But in reality, it's just too much of a big deal to not trust anyone with anything. I put my money in a bank, even knowing it's possible for them to make unethical use of my banking records. I store my email on Gmail. I store my website with my web host. I accept SSL certificates from certificate authorities. I buy my phone from Apple and my laptop from Lenovo. There could be hardware chips built in by the manufacturers that are logging my keys. Realistically what am I going to do if I don't trust anyone? Even when I use Linux, I'm still trusting people. I didn't do a code audit myself.
Yet, SSL handle only the encryption between a server, and the client application.
You can use the same encryption scheme for encrypting anything.
...will always require some minimal end-user intervention...
Not necessarily. You just need to make key management easy. I know people are going to get angry every time I bring up Apple, but OSX can store certificates/keys in the keyring, which can then be backed up to iCloud. Don't trust Apple if you like, but my point is that it's not impossible to make the whole thing much more automatic, safe, and easy for normal users.
The first automobiles didn't have keys, but people have learned to use and manage them. And for those keys you can't even download the management equipment, you have to go to a hardware store to get copies.
People understand what cars do better than they understand computers, and when you lose your car keys, you don't lose the whole car.
Is iMessage secure? No.
Explanation needed.
Apparently, it's impossible to make it "easy enough" for the average user.
And yet, as I point out, Apple has done it with iMessage. A lot of sites encrypt their traffic with SSL.
I think the real problem is one of standards. Email is from a time when everyone wanted open standards. Rather than improve and refine those standards, everyone is moving towards closed systems (Facebook/Apple Messengers, Google Hangouts, etc.). Nobody is even trying to improve email anymore.
I think you missed my point. I'm not saying there's no point in encrypting your email. I'm saying there's no point if the recipient doesn't have their own software and keys to decrypt the encrypted message.
I think that if that person knew what he was talking about, he would have said, "Open source has the potential to greatly increase the quality of code because the world can see the source and make fixes."
Just because there's the potential for FOSS to be more reliable and more secure doesn't mean that every project will be. And even so, nothing will eliminate all bugs.