lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 29 May 2006 13:23:29 -0700
From: Jon Callas <jon@....com>
To: Andre Gagne <gagne.andre@...il.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: On the Recent PGP and Truecrypt Posting

> From what I understand about this issue.  It seems the issue is  
> that users are not understanding how the system works.  This would  
> then be a usability issue where the user's idea of how the system  
> works and the actual way in which it works is very different.  PGP  
> has had issues with this in the past.  A very famous paper for  
> those of us studying usability and security titled "Why Johnny  
> Can't Encrypt" showed how unusable Encryption programs can be.   
> This is not a particular problem to PGP mind you, because security  
> originally came from the military it still suffers from the  
> military mindset:  It's about how hardened you can make it, not how  
> easy it is to use.  What they fail to realize is that if something  
> is unusable then people will come up with ways to circumvent it,  
> leading to a complete lack of security.  Look at passwords for  
> example; most people use easy to remember passwords and commonly  
> use the same one or two for everything.
>
> All of this being said.  I would recommend that PGP hires some HCI  
> (Human-Computer Interaction)  people to work on the next interface  
> of Truecrypt.  They're trained in how to eliminate this exact  
> problem.  Might cost them more than to keep on doing the same thing  
> they have been, but we might not have this sort of issue.  Dialog  
> boxes is not the only answer.
>
> Meh, Maybe I'm completely wrong?  just my two cents worth.

For what it's worth, before I did security, I did HCI. And trust me,  
I am well aware of Whitten's work. We've had Whitten come in and talk  
to us.

And we do have full-time HCI people. They live full and complete  
lives because the human factors of security is the hardest thing  
there is. We do extensive user testing on all our systems and the way  
things are presently done are as a result of that testing. However,  
count thoroughly on continued improvements based on continued testing.

However, we do not make Truecrypt, we make PGP. The Truecrypt people  
make Truecrypt.

	Jon

-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d



Download attachment "PGP.sig" of type "application/pgp-signature" (225 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ