[liberationtech] 13 reasons not to start using PGP
Ali-Reza Anghaie
ali at packetknife.com
Tue Oct 15 13:26:34 PDT 2013
On Sat, Oct 12, 2013 at 2:37 PM, carlo von lynX
<lynX at time.to.get.psyced.org> wrote:
>
> On 10/11/2013 08:19 PM, Ali-Reza Anghaie wrote:
>>
>> 1) It puts an over-abundance of faith in toolsets in opening and
>> closing "You have to get used to learning new software frequently."
>> Realistically if this was a toolsets problem then EFF and EPIC
>> wouldn't exist - it's not. It's a problem of State that can only be
>> fought through OPSEC, policy, and risk management. Since it's not
>> entirely reasonable to have end-users living the spook lifesystem then
>> it leaves ~policy~ as the best out for end-users with tools (like PGP)
>> being the defensive linemen.
>
> Currently it is a major toolset problem.
> That doesn't preclude there are other problems, too.
Except that wasn't communicated - as a matter of course you (just
below) said you are too "competent" to make such mistakes. Agreed. And
as another matter of course (above) you said it had gone ~viral~...
This is important when you're presenting something as a broker for
radical change (and it ~is~ radical from 90% of end-users viewpoints).
>> 2) Combined with (1) - then providing no immediate alternative - it
>> creates the environment in which snake oil fills the gaps. Then we're
>> back out fighting the snake oil because we were too busy eating our
>> young (or old in this case) to pay attention to the collateral damage
>> to our end-users.
>
> I am not recommending any snake oil because I am too competent
> for that. What I am recommending is source codes that give me
> a good impression and deserve a serious review.
>
> And I'm also saying that yet another PGP user interface is useless.
>
> The current policy of recommending PGP over more advanced tools is
> probably causing damage to our end-users.
The current policy of recommending tools that don't readily replace
PGP ~in the way end-users use it today~ is causing more damage IMO.
That's what I mean - ~you~ aren't pointing people at Snake Oil. You're
just delivering a message of impending doom without giving them a
flyer on where to go next that also fits where they ~can~ go
(supported, COTS, or whatever).
In essence I'm saying it's dangerous to make such proclamations -
however valid in ~our~ community - to the wide-open spaces of the
Internet when "we" also aren't ready at-hand to provide solutions.
>> 3) It groups multiple problem sets into the responsibility domain of
>> PGP - when it/they don't have to be, perhaps even undesirable to be so
>> (from both technical and sociological viewpoints).
>
> It's like saying if the mirror in your car is broken it has
> nothing to do with driving, because the mirror isn't doing the
> driving.
No it's not - it's saying the car isn't responsible for the red light
camera. It's important to break these things out in domains for which
they (in this case PGP) were designed.
>> So in terms of broad proclamations I think it's prudent to keep those
>> at a policy level - and the rest behind transparent but loosely narrow
>> doors until the collective geekdom "we" can get traction on better
>> alternatives. -Ali
>
> PGP/mail is so broken that there is a risk that even if there
> are bugs in the new software programs they may cause less damage
> than PGP. We're at a point that we can't safely argue which of the
> two options is safer, and each user would have to take a chance
> for himself. That's why I urge you to review the alternatives so
> we CAN make reasonable recommendations like we used to do.
That's not what you did though - you say that now but there was a
broad "viral" proclamation.
And it was full of good tasty morsels.
Now I encourage you to course-correct and massage it out a bit more
with more meat, more stay tuned, more don't jump ship yet, etc. That
is if you intend to maintain this course (now w/ thirteen).
Thanks again - that's my last on this topic. Cheers, -Ali