[messaging] Are we pursuing real solutions for security?
Christine Corbett Moran
corbett at alum.mit.edu
Tue Mar 11 14:51:00 PDT 2014
I was helping a relative upgrade their phone OS recently
there were about 30 dialogues that popped up: everything from user
agreements, to "are you sure you don't want to make this the default
each one filled the relative with a fundamental anxiety, and probably
rightly so as a wrong answer might mean starting from dialogue 0, or worse,
doing things "wrong" or losing data.
there was no learning procedure: each dialogue even if we had seen it
before, invoked a new terror in its new context
so this is a very important point: minimizing this (to absolutely minimum),
and also whatever method we choose actually reducing anxiety rather than
an alternative is to mostly operate zero-click and let those who want to
ponder the inevitability of surveillance to verify their fingerprints in
the most ascetic of manners by going to an obscure corner of an otherwise
human usable app. in any case making life easier for the ascetics is also a
On Tue, Mar 11, 2014 at 10:35 PM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
> You might enjoy this paper written by a non-cryptographer:
> In his words, "people feel genuine anxiety when asked if they want large
> fries for just 50 cents more."
> Some of my other favorite quotes:
> "'Chains of Attestation' is a great name for a heavy metal band, but it
> is less practical in the real, non-Ozzy-Ozbourne-based world..."
> "PGP enthusiasts are like your friend with the ethno-literature degree
> whose multi-paragraph email signature has fourteen Buddhist quotes about
> wisdom and mankind’s relationship to trees. It’s like, I GET IT. You
> care deeply about the things that you care about. Please leave me alone
> so that I can ponder the inevitability of death."
> - moxie
> On 03/11/2014 03:33 AM, Tony Arcieri wrote:
> > I feel like solutions that rely on manual verification of key
> > fingerprints fall into this category:
> > http://i.imgur.com/2bEWKNS.png
> > I don't think these solutions are providing effective security. I feel
> > we need to start from the real needs of real users, and work backwards.
> > One can propose a study for optimum time-based fingerprint verification
> > and study fingerprint accuracy, but are fingerprints even a good idea? I
> > feel that's where you need to start with any sort of usability study.
> > Cryptocat's usability studies are addressing this problem. Short
> > Authentication Strings are addressing this problem. Solutions for
> > optimal fingerprint comparison accuracy, IMO, are ignoring the problem,
> > and studying the wrong solution.
> > Thoughts?
> > --
> > Tony Arcieri
> > _______________________________________________
> > Messaging mailing list
> > Messaging at moderncrypto.org
> > https://moderncrypto.org/mailman/listinfo/messaging