::scr tales from the crypto

jonah scr@thegestalt.org
Mon, 22 Apr 2002 06:05:45 -0700 (PDT)


on 21/4/02 8:38 pm, David Cantrell at david@cantrell.org.uk wrote:

> On Fri, Apr 19, 2002 at 10:39:46AM -0700, jonah wrote:
> 
>> Now, I recently had cause to start to do some boning up on security
>> matters in order to fix and sort out a compromised RedHat box[0] ...
>> 
>> [0] It's a Debian box now.
> 
> Oh good, you did the right thing.  Once a box has been haxX0red, the
> only way to re-secure it is to reinstall from known-good media.

Yes, many thanks to you who contributed to the (void) thread giving the
McDonnells(?) advice when they had an "infestation", and to the authors of
this: 

http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

> I am not convinced that just because security and cryptography tools
> are currently hard to use (OK ok, have fucking awful interfaces which
> even the most leet of experts have trouble with at times) means that
> this is inevitable.

Oh, I agree, after all, I found the pointy-drooly PGP interface relatively
simple to use. It allowed me to generate keys and encrypt stuff etc
without any trouble, but it also allowed me to do so without having to
understand the concepts behind it. And this is perhaps where the danger
lies - not from the technology being too hard for people to use, but the
underlying concepts being too hard to understand. 

> Yes, how it works should be less important to ordinary users than the
> fact that it DOES work.  Trouble is, with the lamentable state that
> the tools are in right now, if you don't understand how it works,
> you'll probably not use the tools very effectively.  That, however, is
> a "mere matter of programming" (and sysadminning).

So, for example, for someone who didn't know how the dual key system
works, then they wouldn't necessarily know how important it was to keep
your private key locked up safe in your sock drawer. Okay, they *do* get
various clues (such as the fact it's called a *private* key) and the
documentation may SCREAM it at them, but who reads the
documentation? Especially if it's given a good interface and becomes very
easy to use and Just Works? So, they may leave their private key somewhere
over-accessible, or even be tricked into revealing it by a cunning social
engineer.
 
>>Or should we just set the bar higher for users?
>
> Yes, I do think the bar should be set higher.  It shouldn't be a
> 'hard' bar of course - idiots driving computers can hurt themselves
> but not others, so we shouldn't ban them altogether.  But I would love
> to see lack of computer-driving clue become as much of a social stigma
> as lack of car-driving clue.

Now as those of you who know me realise, I'm very much of the "computers
should be universally accessible" school of thought. Let's face it, the
widespread uptake of computers by the public is responsible for the current
employment of many if not most of us. I love the idea of everybody being
able to get the same edifying benefits from this technology as I do.

However, I can see the problems that arise from a lack of understanding of
the technology all around me. After all, I'm not the only one to have some
clueless fuck send me 5Mb email attachments when I'm on a dial-up
connection, or vital information in a proprietary format that I cannot
read. But as I think, from his post, Dave agrees, it's not a simple
question of "computers should only be used by the Clued" versus "we should
put up with the unClued in the name of equality, tolerance and keeping
ourselves in work". What we really need to do is seriously swell the ranks
of the Clued.

Although I don't use the computing/driving analogy a lot because of the
fundamental differences between the two activities, I do agree with
David's point about stigma there. I've always had a feeling that computers
are the new cars (ever since I heard my first Loaded Lad's processor-speed
bragging match down the pub). 

> Training would of course be a good thing, but everywhere I look,
> education about computers is turning into mere instruction on how to
> use whatever the flavour-of-the-month is in crappy office tools.  
> Maybe someone needs to organise a concerted hack on all the schools in
> the country to persuade them of just how important real understanding
> of these things is.

(Loud noises of approval). Yes - for sure. This is why I think that the
debate usually revolves around "make it easier" vs. "keep out idiots" -
because making sure that everyone gets the training required to make
computers universally and *usefully* accessible is a Really Hard
problem. The trouble with "IT" as I've seen it taught recently is exactly
the problem Dave mentions here. 

The thing is, because the government and the bashers of the state
education system seem to insist that a good ROI for the taxpayer is the
only yardstick by which the educational merit of a course should be
judged, all early computer training seems to be vocational. "Here's what
you need to know to become a good little office drone" and "what use is an
understanding of how email attachments actually work to someone who's
just going to use MS Office?" This is, IMHO, a woefully short-sighted
view.

Separate specialist classes in computer science might have been
appropriate when computers were specialist things separate from day-to-day
life, but if the gubbermint, business, the hacker community (and everyone
else who stands to benefit from a wide take-up of computer use) want
computers to be useful in day to day life then we really *need* to
instigate a program to address this. I think that starting them early is
an excellent idea and that general Computer Literacy (not MS Office
training or at the other extreme CompSci) should be as important a subject
as literacy and numeracy.

It's the only way to be sure.

-- 
matt
I've got me arse-kicking boots on tonight