[liberationtech] A modest proposal for protecting the work (and freedom) of activists.

[Patrick Schleizer]

Katy Pearce:
> they have so much ICT security training and
> documentation thrown at them in a multitude of languages, yet they still
> don't use it.

As someone who writes documentation (for the Whonix project and
previously for torproject wiki), I suppose instructions are too long and
complex. The problem is, you cannot dumb down below a certain level of
complexity at documentation level without leaving out security critical
points.

To get simpler documentation and more usable tools some day, the
underlying tools need to be simplified first. Just a small example. gpg
uses key ids and fingerprints. But comparing key ids for verification
isn't save, only the full fingerprint is. In comparison to OTR, there
are only fingerprints, no key ids. So in that regard OTR is a little
less complex than gpg. This results in instructions for gpg getting
longer since this important additional information has to be covered.

It also seems to me, that new tools which have recently been designed
are less complex (only talking about the interface, not code) and
therefore simpler to document. Systems such as pond and bitmessage are
to my knowledge secure by default. There is no way to drop back to
cleartext communication. Secure by default means less complexity, fewer
things to explain, document. Gpg in comparison is more like an
afterthought to secure e-mail.