[liberationtech] CryptoParty Handbook

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Tue Oct 9 04:23:42 PDT 2012



On 7 Oct 2012, at 22:35, Brian Conley wrote:

> Greg, it's called Orbot and it runs on Android. Secondly, I used to agree with you, but I'm increasingly coming to the conclusion that user education, not simplification, is the more important piece of the user security and privacy problem.

I am glad someone else is saying this.

While it's wonderful to say "sure security is easy, alls you gots to do is [LOTS OF SHIT THAT PEOPLE DON'T UNDERSTAND] and voilà you're secure", people want tools they can use.

As a geek/technical person/engineer/whatever you call me, I will say technical people are our own worst enemies. We overly complicate things, which is fine if you want to make people discover/learn through doing - but they have to be presented to the right people in the right way.

Most people, in fact even some technical people (shock!), want tools that just work.  Yes, they want them to be secure, but not at the expense of being easy to use.

Yes, as a technical person I love delving into the guts of something technical and just "geeking out" (as much as I hate that phrase), but I want to do that when I want.

I use the computer operating system I use, not because it's beautiful and shiny and whatever - I use it because a) on the user interface level it is reasonably easy to use, coherent, and consistent and b) because if I want to hack something deep down, I (mostly) can.


Technology is a tool. It is a tool to help you carry out a task and to get to an end goal.

If the technology gets in the way of carrying out that task, then (in my view) it has failed. Particularly if the user does not know how to fix it.

Security should be integrated into the tool. It should not be a bolt on. It should be integrated. The complexity of it should be secondary, not hidden, to the ultimate goal. If the user wants to get at the complexity, then they should be able.

Sending a PGP encrypted e-mail to your mom should be as easy as sending an un-encrypted e-mail to your mom. But the education of why you should be sending an e-mail encrypted should also be given. Granted, a valid threat-model should be explained, as a given.


> That said, the tools do need to get more accessible, but we are getting there. I don't believe there has been as sizable a change in public health and user information campaign efforts.

Technical people are our own worst enemies. We make things look more complicated than they need to be. Sometimes it's laziness (naughty!), and sometimes I think it's a job security thing (bad, but understandable...to a point).

What came out of the London Cryptoparty for me was the amount of thought some people have put into the decision to not use a security tool.

A clearly intelligent person said (paraphrasing): "we spent time looking at the tool but we couldn't understand how it worked. Not the technical operation, but what we needed to do. Was it a desktop application? Did we have to run it on a server? Was it a mobile application?"

The guy had obviously spent time looking at it, but could not understand what he needed to do. He wasn't an idiot. 
He was someone who should be using the tool, *but decided against it because he didn't know its function*.

That to me was a (pardon the language) fucking eye opener. 

(NB: I am not having a go at the developers of this tool. Their work is excellent. But it just shows me how complicated (leaving aside the cryptographic/technical complexity) this is.)

It might be easy to say, but this is almost as important as the security of the tool. Maybe as important.

Yes, the tool needs to be secure, but it needs to be easy to use. Otherwise, doesn't matter. 

That's not to say that I agree with giving people simplified, basic or plain wrong information. (more on that in a later e-mail)

Security is complicated stuff. Cryptography is complicated stuff. But it doesn't have to be presented as complicated to use it. I know bugger all about how a car works in detail, but I can operate a car, and when necessary do simple troubleshooting.

Any other approach and people are being treated like children. Give them the information, but ultimately they'll decide if they want to use it.

Bernard (getting the flame-retardant suit ready)

--------------------------------------
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org
