scr tales from the crypto

[jonah <jonah@xxxxxxxxxxx>]

Okay, seeing as how we've been dealing with a lot of stuff that might be
described as "abstract" recently, let's talk about something more
concrete and technologically-based now: security.

Now, I'm not half as expert as a lot of you when it comes to computer
security, you l33t old lot, you, but maybe I'll be of some use in this
discussion as a relatively smart layman with a reasonabl;e basic
grounding in computer use in general and who's not scared to figure things
out by RingTFM. If I "get it", then anyone can.

Now, I recently had cause to start to do some boning up on security
matters in order to fix and sort out a compromised RedHat box[0], so I'll
declare my interests up front and admit I have an ulterior
motive! :) Still, I don't intend to start a "clue up jonah" session - I'm
thinking of a general discussion, perhaps using the following as
jumping-off points.

What I keep reading again and again is that one of the main problems
facing security and cryptography is the conflict between utility and
usability[1]. As I understand it, this conflict arises from the need for
security to be quite complex in order to be implemented usefully, and yet
in order to ensure it's widespread use it needs to be transparent enough
at the user end to be accessable by Johnny X. L. Spreadsheet.

For instance, I've read that one of the main problems with crypto in
general is that the concepts of how it works can be tricky to grok. I must
admit that my grasp of how the key-based system used by P?GPG? actually
works is shaky at best, but then I haven't put a lot of effort into
finding out before now because it Just Works. That's something I intend to
rectify. Note: I'm not asking someone to send a "PGP for dummies" to the
list, I'll read up on it myself and then ask Dumb Questions if I still
don't understand.

So has anyone got any strong opinions or bright ideas as to how this could
be solved? Any of you IAs looked at this problem? Or should we just set
the bar higher for users? Is that even a realistic response given the
widespread public use of computers these days? If so, how can we rectify
that? Do we instigate a much more intensive program of IT training for
nippers? This could spin off into social solutions as well as
technological or interface solutions. Or better yet, all three.

And what about the nuts and bolts? It often seems to me that a lot of the
underlying structure of networked computing isn't fundamentally suited to
security, due to the environment in which it was developed (and perhaps
also due to a lack of low grade paranoia, high grade cynicism and
s00per-psychic precognitive powers on the part of the people who built
it). :) Is this fixable at this late a stage? 

In practical terms, all you sysadmins, what're the good habits that you
most *wish* your users would get into as regards security? What can we do
to help? Ask not what your network can do for you ...

Related tangent: Heh, what's the favourite LARTing you've ever given?

Um, is that enough to be getting on with?

I'm going to go off and do some reading up now (although it may take a
while since I fear/relish that I have a 3 party weekend coming up, so I
may be a bit brain dead).

Have a good weekend!

-- 
jonah
tyler durden is my bitch

[0] It's a Debian box now.
[1] This is also why I think that security might be an interesting and
fruitful topic for ::scr, populated as it is by techies, hardcore secrity
geeks and IAs.