[4159] in cryptography@c2.net mail archive
Re: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Michael J. Fromberger)
Mon Feb 8 13:26:11 1999
Date: Mon, 8 Feb 1999 13:04:58 -0500
From: "Michael J. Fromberger" <sting@linguist.dartmouth.edu>
To: cryptography@c2.net
Mail-Followup-To: cryptography@c2.net
In-Reply-To: <000001be535a$18f00de0$67c1e0ca@default>; from Tom Garner on Mon, Feb 08, 1999 at 08:56:43PM +0900
quoth Tom Garner:
> Greetings/Salutations,
>
> It troubles me, how lazy and stupid the average person is. How many TIMES
> do we have to say "don't use a passphrase that is..." or "make your
> passphrase 8 ALPHA-Numeric...".
>
> I say that it is TIME for programmers to QUIT giving us (and I say us, as in
> all of us), the opportunity to choose a passphrase that can be easily
> guessed by p.phrase hacking techniques.
>
> Isn't it possible w/out degrading any further on PGP's side the ability to
> have someone enter a passphrase and its either scrambled, or rejected for
> having "English words" in it?
>
> I've been reading for years how the PassPhrase is probably the only weak
> part in PGP, and why? Why GIVE US THE choice? Obviously we are not
> responsible enough to handle PassPhrase correctly.
>
> I'm sorry to sound a bit harsh, but I'm sick/tired of reading about
> passphrases being weak, and passwords being weak, and there is only one
> reason, that is our laziness.
>
> Tom
> ICQ: 4580576
While I think I agree with you in principle, there is an essential
dilemma here for the person writing the software: If users do not like
using your software, they will not use it. "Inconveniences" such as
this are often a big sticking point for your average "user on the
street," if you will permit me to label the typical consumer so.
More broadly, this is a problem which affects developers of both
commercial and open source software. In the commercial world, user
dissatisfaction translates into a customer for your competition. In
the open source world, it translates into a derivative version of your
program which disables the "inconvenience" at will. In either case,
this is strong negative feedback.
Ultimately, I think we all need to think hard about how to combat the
real root problem here, which is educating people.
As I see it, there are three components of this: People need first to
understand -what- security is, and what correlation it has directly in
their own lives. Second, they have to understand -how- to maintain
security, both in terms of encryption products, and the personal
disciplines required to make them useful. And third, they need to
understand -why- security needs to matter to them, not only for their
own sake, but also for the public good.
Right now, I think the public is at a fragile stage with regard to
cryptography and information security. Choosing good pass-phrases is
part of the "how" stage -- and if they don't even understand "what"
yet, forcing them to do this is nothing but an annoyance.
Turning off the user on the street is dangerous for us not only as
developers, but also in a political sense. We need the people to buy
in to "our" model of privacy and security, with strong crypto and no
key escrow...rather than the usual NSA/FBI driven model where strong
crypto is carefully regulated and the government gets all the keys.
If we torque too many people the wrong way, particularly at this early
stage, we'll poison our own well.
So, in summary, while I think you have your heart in the right place,
I also feel this is a bigger and more serious problem than can be
fixed simply by trying to legislate behaviour with the code itself.
Cheers,
-M
--
Michael J. Fromberger Software Engineer, Thayer School of Engineering
sting <at> linguist.dartmouth.edu http://www.dartmouth.edu/~sting/
xmnr9kXP/a0kTU1wvI+WTgEKWIJc/WrzrCD59vsGC5XXrYzcv42dWnaJap44nvVUAexMIY06
