> Start using encryption to make your communication harder to snoop. GPG for email and OTR for instant messaging are great places to start.
I am oftentimes surprised by how few self-identifying hackers use end-to-end encryption like PGP/GPG.
Many of us use clients like Thunderbird already, which make GPG setup and use rather simple. I set up GPG on Thunderbird for my dad (who is a complete Luddite) - it took me <15 minutes, and he's been using it to email with me for over a year.
I encourage everyone reading this to set aside 15 minutes to set up GPG encryption and send a GPG-signed/encrypted email to a friend[0]. You'll see it's not so scary, and this is one of the single biggest things you can do to protect your privacy online.
[0] If you don't have any friends with PGP keys, feel free to email me. :)
The UX problem with PGP is that you can't tell if some random has PGP before you send an email to them without manual effort. The amount of friction required is too much and leads to little adoption.
With OTR, if the person is 'online' you can just initiate a convo with them and passively have OTR enabled if the other client supports it. You also have forward secrecy, a critical feature PGP lacks.
PGP UX is horrible and still stuck in the 90s! It's great for people who need it and it was really necessary to be invented. But something like OTR is the real successor.
> PGP UX is horrible and still stuck in the 90s! It's great for people who need it and it was really necessary to be invented. But something like OTR is the real successor.
As tptacek commented on an earlier post, all of the alternatives to PGP provide more or less the same UX that PGP is capable of. It's not inconceivable that my PGP client could do most of the legwork (ie, fetching keys from keyservers, encrypting automatically, etc.) for me while maintaining compatibility with PGP.
In any case, I don't really want to enter a PGP vs. OTR discussion right now, because my original point is that many self-identified hackers use neither. If people read this thread and begin to use either one or the other, I consider that to be a win for now!
> (ie, fetching keys from keyservers, encrypting automatically, etc)
No no no no no! The keyservers have no authentication for key addition. Anybody can put up a key for any email address and effectively wedge themselves man in the middle.
Also, the paranoid in me (and probably more significantly, the keyboard-activist-in-the-safety-of-my-parents-basement) suggests that it might be wise to access keyservers over TOR.
If _I_ were involved with PRISM, the pipe running to pgp.mit.edu would be one of the most monitored connections around. "Hmmm, someone just searched for a PGP key for FedRegister - lets see what else that IP address has searched for, and what's in all the gmail inboxes that have ever been accessed using that IP address…"
Yes, I redact my above comment to remove that example.
However, I still stand by my statement that PGP UX is a client issue, not an inherent protocol issue (ie, it's fixable without abandoning PGP entirely).
That's pretty much the same as learning to say "parlez-vous anglais?" before traveling to France though.
On those rare occasions when I need to email "some random", I can either choose to communicate in cleartext, or the very first exchange can be "Hi, where do I find your public key?"
May I suggest (at least for people who aren't trying to remain anonymous/pseudo-anonymous here), PGP/GPG key IDs and fingerprints in your profiles?
(Perhaps anonymous accounts could set up anonymous email accounts and single purpose generated GPG keys? A Gamil/Yahoo/Hotmai/Live email accunt in which you can spamfilter everything that's not GPG encrypted?)
> May I suggest (at least for people who aren't trying to remain anonymous/pseudo-anonymous here), PGP/GPG key IDs and fingerprints in your profiles?
PGP fingerprints should be verified out-of-band (ie, in person) before being signed.
However, that's not a bad idea as long as people understand what the fingerprints do and do not imply.
I, for one, put my PGP fingerprint on my business cards. Most people don't even notice it (it's light grey text on white, easy to miss), but a few have caught on.
First, "everyone" does not have to use PGP for signing to be worthwhile. And I'm not saying that everyone already does; I'm saying that we should start.
Furthermore,
> Gmail, and other webmail clients are why PGP doesn't get used.
Gmail presents inherent problems with privacy and data access from the get-go. It's not a coincidence that Gmail's web interface will never be compatible with PGP.
Fortunately, Gmail still allows IMAP access, which means that people who use clients like Thunderbird and Outlook (yes, Outlook) can use PGP with their Gmail-hosted email addresses.
Maybe you're not one of those people, but a large number of people on HN are.
while I agree that users could do a lot of the computing that is now outsourced to the cloud on their own computers, I think there is a lot of convenience in the cloud model and it may be hard to get consumers to move away from it. I would like to hear more about how we might actually effect change so that the government simply doesnt have the right to requisition data from companies as they have been.
As amirmc said, I think the move towards a decentralized system, as the Internet itself operates, can be a viable solution to the cloud problem.
What we see today is accumulation of great power and influence in the hands of a few Big Tech companies. Even without cooperation with NSA, such imbalance is dangerous.
It's like a reverse trend from personal computing back to mainframe era, where users are expected to plug into the Source, conduct their affairs, and then unplug, leaving all data in the central repository, looked after by someone else.
If we could devise a set of standard protocols for cloud communication (like we have for emails), it would give us an opportunity to shift control from centralized proprietary platforms back to users. Any party could then implement the protocol and any user would be free to choose how to access their data, where to store, and who to communicate, as long as they're on the Internet.
While I agree effecting change in the government is very important it cannot be the only thing people focus on. It won't solve the underlying problem in any meaningful way. Other governments are not subject to US rules and vice versa, so anyone who has a tap on the backbones can still snoop as much as they please. Moving people to decentralised systems and/or proper crypto is going to be more impactful overall.
Interesting article and I like the motivation behind it, which seems to be owning your own data and keeping it private. It does get a little preachy for me though with sentiments such as this "...which is bad like any nonfree program". Why is any (or every) non-free program bad? That remark displays close mindedness, but I realize that Stallman is the free software guy so I guess it's to be expected. Just a little too idealistic and old fashioned sounding for my taste.
What is meant by 'non-free' is software that is not open-source and licensed in such a way that it must legally remain so.
It's fairly simple to follow from there, isn't it? If the software you use falls under such definition, then you are (unless handy with advanced debuggers) mostly blind to what it is doing. To claim as much is the very opposite of "closed-mindedness".
Now, according to the credit at least, Stallman didn't write this article (though you are obviously correct in suggesting that his ethos drives the point). But can we really in this PRISM era point to Stallman, whose historical warnings were obviously prescient beyond the basic measure of sense held by the dominant digerati, and dismiss him as 'preachy'?
I must apologize for my mistake, I actually read one of the linked articles (from the main article) and though that was the main article.
I'm still of the opinion that nonfree does not equate to nongood. It should be more like "nonfree software is not easy to audit, therefore it is potentially not safe." When people make blanket statements that are overly simplistic, I automatically feel like their logic is compromised. Their emotions or prejudice are getting in the way of accuracy, which is important when making statements about what other people should do.
Imagine that today you have a government you can trust. But what about 5 years from now? Or ten years from now?
Some Americans think they have a bad government. Perhaps they should spend some time in countries who'll shoot you or imprison you for your opinions. Many people live under worse regimes right now.
Privacy protecting software is vital, and needs to be done as well as changing bad government behaviours.
Even if you can trust your government, what about the people in other nations who may have a different concept of privacy that have no influence over your government? What about authoritarian and criminal governments?
I am oftentimes surprised by how few self-identifying hackers use end-to-end encryption like PGP/GPG.
Many of us use clients like Thunderbird already, which make GPG setup and use rather simple. I set up GPG on Thunderbird for my dad (who is a complete Luddite) - it took me <15 minutes, and he's been using it to email with me for over a year.
I encourage everyone reading this to set aside 15 minutes to set up GPG encryption and send a GPG-signed/encrypted email to a friend[0]. You'll see it's not so scary, and this is one of the single biggest things you can do to protect your privacy online.
[0] If you don't have any friends with PGP keys, feel free to email me. :)