"Export controls and usage controls [on cryptographic software] are slowing the deployment of security at the same time as the Internet is exponentially increasing in size and attackers are increasing in sophistication. This puts users in a dangerous position as they are forced to rely on insecure electronic communication."
@strypey@onepict Are any of you exceptionally pretentious freedom wizards actually doing export controlled cryptographic work right now, or just rehashing old fears from 20 years ago to drum up donations? I for one am in the field and I hate seeing things that aren’t true.
Rules and regulations are only oppressive and restrictive if you are an illiterate person and cannot read. https://www.bis.doc.gov/index.php/documents/regulations-docs/2337-ccl5-pt2-4/file
@onepict@strypey The same IETF that fixed the TPM IO buffer to 4k, rendering all currently motherboards unable to actually support dilithium or falcon based cryptography?
Maybe, just maybe, the IETF should focus on keeping the internet up and running before waxing philosophical about human rights issues.
@TunnelJanitor
Yeah, but we also know that RFCs are mainly guidelines. It would be nice if Orgs did choose to follow those guidelines, but we know they don't for their chosen technical reasons.
You can chose to build software that meets those guidelines or not. It's on devs and serve providers to run the Internet.
Just like you can choose to consider the greater ramifications of those systems on humanity.
@onepict@strypey Yeah, so the IETF actually isn’t responsible for the TPM 2.0 standard, it has it’s own non-ietf committee, and it’s literally half Feds, half engineers.
This field is extremely nuanced and the entire western internet is facing an existential crisis that nobody believes we have the tools to fix yet. I am exactly the right age to both know about the RSA tattoo and possess the technical Perl to read it. It’s not like it was, not at all.
@onepict@strypey Well, you are right on the need for education. You are also correct to blame government for the lack of innovation in the space, but I disagree on the reason. Well intentioned but overly aggressive agency recruitment policies. The conscription of the identified best potential minds before they have even finished forming is the real root cause, in my humble opinion. Innovation generally comes out of a garage.
@onepict@strypey The tie that binds us is that we want to have semi-respectful thoughtful debates with intelligent human beings, on the internet. This is the future the liberals want. Horrifying.
@canusfeminacanis
> We were talking about these issues, and basic remedies, 20 years ago
I've been online long enough to remember the websites of PGP software warning that it might be illegal to download their software if you were outside the US. It seemed ridiculous then and it seems even more so now.
@canusfeminacanis
> The UX of a lot of useful software is.... wanting
True, and this has been particularly true of Free Software, for reasons I'm happy to rant about at length ;) But I'm not just talking about the UI of PGP apps. I'm talking about the whole dance you have to go through to use PGP. I wrote an 'email with PGP for activists' HowTo in the late 2000s. Even then it was still so complicated very few people could get their heads around it.
@strypey@canusfeminacanis@onepict The reason for PGP specifically is that the technology itself is a step above in complexity compared to others. You have to understand key exchange to use it, because there is no central "trusted" authority. I don't think abstracting this away from the user is a good idea.
@dusnm
> I don't think abstracting this away from the user is a good idea
If a user is trusting a service to host not only email servers but webmail clients too, why wouldn't you trust them to do a good job of encryption with AutoCrypt? I agree it's not as privacy-protecting as managing your own keys. But sending letters in envelopes is still an improvement over sending postcards, which can be read by anyone involved in transport from sender to receiver.
@strypey Because unlike traditional post, this tech has the ability to create truly private, trustless emails a thing. Why would you want to trust anyone? Trust can always be abused.
we can trust ourselves to correctly perform every step of elaborate PGP dances, at all times. 2) we're willing to risk permanently losing access to our mail if we miss a step.
our threat model justifies both the effort and the risk.
It's a rare person for whom all 3 are true, and AutoCrypt is not a good enough solution.
@strypey It's also true that if all 3 aren't satisfied the communication isn't truly private and secure. You're willing to make certain compromises, I'm not.
@dusnm
>vif all 3 aren't satisfied the communication isn't truly private and secure
This is a false binary. Both privacy and security are on a slider, not an off/on switch. There is no perfect security or privacy. The question, case by case, is whether the practices are sufficiently secure or private to address the threat model.
I like the idea of managing my own digital security, as well as I can, as simply as I can. But it takes time, and not everyone has that time or the know-how.
It comes down to trusted servers...and the information available from them to assure oneself that they can be trusted.
There was a rather good encrypted email service circa 2010. Not too complicated, but more secure than usual. Eventually they wanted paying, and couldn't afford it.
@canusfeminacanis@strypey@onepict I use mailbox.org They're rather generous with their annual plan. I pay $30 annually, but you can opt for a cheaper plan if you wish. They support PGP encryption with your own keys, or you can leave everything up to them, your choice.
It's based off Ubuntu, minus blobs and other nonfree bacon bits. So I'd expect any 'buntu based distro to have worked during that period. Trisquel is just the most freedom-respecting.
> How far back? 2012/2013?
Not sure, I never had Mac hardware to try it on. Maybe ask on the Trisquel forums at Trisquel.info?
The more of us getting other people to read RFC1984 the better.
Governments and spy agencies will keep trying to push for encryption to be restricted or broken. We have to stay vigilant. The #IETF realised that and they also have human rights focused RFCs.
@jens went over some of them in a talk a few years ago. RFC8280 and RFC8890 are a good read as well. We should be priotitising the #humancentricinternet, and end users #humanrights.
Add comment