On 06/10/2013 03:14 AM, Hauke Laging wrote:

<SNIP>

What a mouthful. I shortened it to those things most relevant to me. My keys are NOT part of the WoT due mostly to nobody around my home having OpenPGP keys. I would say that I have a higher opinion than you do of the WoT when contrasted with one SSL licensing authority after another being compromised very badly.

>> The end result? decades of cleartext e-mail, long after we had
>> the tools to do better :(

I don't know quite what you mean by the tools. But I would love the requirement of some sort of secure token from an SMTP server trying to attach to another SMTP server. That would slow PeskySpammer from filling my email box with messages where the sending SMTP server is running on a hacked Windows PC. Actually it would stop it altogether until PeskySpammer figured out a work-around. Yes, I know, we have tons of hacked SSL certs on web-sites. But it would at least slow things down a little bit.

But the big problem isn't technical. It is as expressed by one Unix / Linux Admin that I trust "not worth the effort." There is a massive sense of futility that we cannot solve the problem and thus no new RFC on email.

Trust me on this one. My other POP email account can no longer send except through the web-mail account (maybe that has gone down too) because it is being blocked by something that has gone wrong. That something that has gone wrong may be the NSA or the FBI after my comment in the Washington Post on Prism. Can it be fixed? Yes if it is my current POP / IWSP that is causing the problem. But it can be done only by moving from my current IWSP to a new smaller IWSP that will accept input and be able to hack a temporary fix. But what is needed is a complete revamping on how email works including a new RFC and some way to reduce spam to a trickle and nobody but me wants it.

You did see the spam in our mail chutes yesterday morning didn't you? They also sent it to the wireshark group and several others. I will be blocking not the host in the message but the host that it led to that had whois information that was bogus.

> The reason hardly anybody uses crypto is not that its usage was
> complicated (I know, in a minute Rob will post his usability study
> link and ask for my sources...). It isn't. Not the basic operations
> if you have a working configuration. And for the rest the users can
> ask for help.
>
> The reason that most people do not use crypto is the most trivial
> one: They don't think they need it.

That isn't it at all. One of the people commenting on the Prism article at the Washington Post said OpenPGP IS too complicated. It certainly isn't very easy for most people and I have even observed engineers struggling to use OpenPGP.

I had a person that stupidly thought they could email me bad host names through their Yahoo web-mail account. Yahoo blocked their send. I have even run tests where I am the only person that had a particular hostname in their block-list and Yahoo even blocked those messages. That would be admirable if I got my names from email. I didn't. I got them from stabbed in links on vulnerable web servers. Even after I tried to get him to zip them with 7-Zip using the AES-128 encryption cipher he just wouldn't do it.

A current person is using WinRAR exe installers and dumbly thought he could just send the EXE file as an attachment in email. He finally encrypted it with rar's simple cipher. Sure, you and others could decipher it easily but that was enough to get an email's virus-scanner to leave it alone. At least he listened to me and didn't use zip which was banned because of the ever-expanding zips. Now he has the problem of false detects due to using the WinRAR installer. I told him to shift to using Inno Setup. You do that and the problems go away, especially with a "Legal Copyright" string.

The problem is more serious than whether they think they need any encryption or not. THEY HATE THE IDEA OF USING ENCRYPTION! My sig says it all and is attached manually because it really does show what the real problem is now. People including even the Computer Scientists are totally unable to think any more. Even the knowledge that PRISM is snooping into everything won't cause them to change. Why not? They are using Facebook, Twitter and other social services to broadcast everything they do now anyway. That is a sure sign that enciphering is not wanted.

But encryption isn't just enciphering. It also includes signing. I would love for them to send me messages that are signed, especially if we exchanged the keys by hand.

So why do they hate using encryption? It takes too much work. Unless they are forced to use encryption by somebody else, then dammit all to hell they are NOT GOING TO USE IT. They also trust the privacy of their email messages implicitly despite the fact that they use web-mail. Me? I am rather suspicious but I had a half-sister (blessed) that worked at Arlington Hall.

The latest for me was an email message from somebody that used the Latin name for his email account that was the equivalent of "one man army" (exercitussolus - two words contracted together) and his sig was even more entertaining:

"Fortuna audaces adiuvat -- hos solos ?"

Roughly translated that is "Fortune favors the bold - only these?"

OOPS. I am now condemned for thinking and will be taken out and summarily shot.

HHH
---
Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop
Thinking has been suspended indefinitely.
Anybody caught thinking will be immediately shot!
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users