[liberationtech] [cryptography] "Meet the groundbreaking new encryption app set to revolutionize privacy..."

Eugen Leitl eugen at
Fri Feb 8 12:46:34 PST 2013

----- Forwarded message from Jon Callas <jon at> -----

From: Jon Callas <jon at>
Date: Fri, 8 Feb 2013 11:26:23 -0800
To: Randombit List <cryptography at>
Subject: Re: [cryptography] "Meet the groundbreaking new encryption app set
	to revolutionize privacy..."
X-Mailer: Apple Mail (2.1283)

Thanks for your comments, Ian. I think they're spot on.

At the time that the so-called Arab Spring was going on, I was invited to a confab where there were a bunch of activists and it's always interesting to talk to people who are on the ground. One of the things that struck me was their commentary on how we can help them.

A thing that struck me was one person who said, "Don't patronize us. We know what we're doing, we're the ones risking our lives." Actually, I lied. That person said, "don't fucking patronize us" so as to make the point stronger. One example this person gave was that they talked to people providing some social meet-up service and they wanted that service to use SSL. They got a lecture how SSL was flawed and that's why they weren't doing it. In my opinion, this was just an excuse -- they didn't want to do SSL for whatever reason (very likely just the cost and annoyance of the certs), and the imperfection was an excuse. The activists saw it as being patronizing and were very, very angry. They had people using this service, and it would be safer with SSL. Period.

This resonates with me because of a number of my own peeves. I have called this "the security cliff" at times. The gist is that it's a long way from no security to the top -- what we'd all agree on as adequate security. The cliff is the attitude that you can't stop in the middle. If you're not going to go all the way to the top, then you might as well not bother. So people don't bother.

This effect is also the same thing as the best being the enemy of the good, and so on. We're all guilty of it. It's one of my major peeves about security, and I sometimes fall into the trap of effectively arguing against security because something isn't perfect. Every one of us has at one time said that some imperfect security is worse than nothing because it might lull people into thinking it's perfect -- or something like that. It's a great rhetorical flourish when one is arguing against some bit of snake oil or cargo-cult security. Those things really exist and we have to argue against them. However, this is precisely being patronizing to the people who really use them to protect themselves.

Note how post-Diginotar, no one is arguing any more for SSL Everywhere. Nothing helps the surveillance state more than blunting security everywhere.



cryptography mailing list
cryptography at

----- End forwarded message -----
Eugen* Leitl leitl
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
