Dec. 12th, 2003

reddragdiva: (Default)

Enigmail keeps nagging me to set it up properly. (It came with my copy of Thunderbird.) But I can't remember my GPG pass phrase. I should be able to, as it's based on [garble] of [garble], which I can't imagine forgetting. It's just I need to [garble]. I could just create a new one, but giving it verifiably to the few people who care would be even more of a nuisance.

I don't remember it because I don't use it. Cryptographic protection of privacy sounds like a good idea and something I should do. But I don't get the public-key infrastructure model at all. Keep in mind that I am intelligent and technically literate and have had ten years' geek culture exposure to the concept. How would one communicate it to someone without that at all?

(Excuse me while I pontificate on a subject I admit I don't understand properly.)

  • The user is overwhelmingly the most insecure part of any network. The company I work for has all sorts of security policies, but the users are scientists and swap passwords the way they swap information. A security system that leaves any user writing passwords on Post-It notes is fundamentally broken. Most credit card fraud is by people and companies you gave the number to, not someone eavesdropping on the transaction. When your restricted LJ post gets out, you know damn well it was cut-and-paste fairies.

  • Trust is not transitive - even if you don't confuse the technical and conventional meanings of the word. Just because someone signs someone else's key, why on Earth should I put the same trust in that as I do in my personal verification? I suspect a variation of geek social fallacy #4. And even with one's closest friends, trusting them in one respect in no way implies trusting them in another.

    I find someone's writing style a surer verification of identity - their writing is their public self on the Net. If the cryptographic signature was right but the writing style was wrong, I would first assume their computer had been cracked rather than that they had suddenly acquired a jarringly foreign turn of phrase.

  • The Internet threat model - completely secure computers at either end, possibly-compromised wires in the middle - is completely arse-backwards. Pretty much no-one is eavesdropping (modulo insecure WiFi), but if you put the average Windows computer out on the wild Net, you may as well grease up, bend over and put up a neon sign flashing COME AND GET IT.

    (This is why all the silly crap your web browser does when it comes to a 'secure' page that hasn't bothered paying protection money to Verisign seems to make no goddamn sense - it's because it actually doesn't.)

There are many people reading who know this stuff better than I ever will. I ask you to take the time to shred the above.

reddragdiva: (Default)

I would rather work than go to a fucking office Christmas party. I'm not around you people or this place by choice.

Nice pubbing. The Princess Louise is a Sam Smith pub, so the real beer is sorta crappy but, at £1.66 a pint, cheap enough to put up with. Coincidentally bumped into [livejournal.com profile] valkyriekaren and [livejournal.com profile] wechsler, who were meeting Karen's brother there before dinner. [livejournal.com profile] ali_anarres showed and I returned her Perl book and we talked about her fantastic nu meeja job. [livejournal.com profile] allezbleu finally made it out of Hollywood and we had a lovely catch-up. And saw [livejournal.com profile] wintrmute for a few minutes at the end.

One (1) quick pt. became four, but these things happen.

Our overseas Christmas cards are done and posted, only slightly late.

reddragdiva: (Default)

I think I've encapsulated what strikes me as most nonsensical about the 'web of trust' part of a Public Key Infrastructure system. Check this fucked-up shit: GnuPG Keysigning Party HOWTO.

I haven't required that level of ID verification from people I've shacked up with.

These people really think this will build a 'web of trust' involving someone other than dedicated and fanatical drones for the Cause, those obsessed with "great opportunities to discuss the political and social issues surrounding strong cryptography, individual liberties, individual sovereignty, and even implementing encryption technologies or perhaps future work on free encryption software." That this will spread their web beyond people who are already true believers.

It's geek social fallacy #4 as a Taylorised procedure. It tries to make social trust into the binary absolute of mathematical, cryptographic trust, so looks like it was created by people with no damn clue what social interaction is or is for. Social interaction is all about the grey areas.
