Why I Wrote PGP (1999) (philzimmermann.com)
422 points by pdkl95 on Aug 8, 2021 | 181 comments



There’s something… different about how people (techie people are most of my sample) would write before the 00’s. I’m not sure if it has to do with the medium, or the constraints of the time, but reading it always fills me with something I can best describe as peace/nostalgia. The belief that technology honestly can change the world for the better and that the most influential people driving it have good motives instead of profit motives. And they were real visionaries most of the time. By contrast, anything seemingly after the dot com boom (I can’t draw a clear line, this is just throwing a dart) seems, I don’t know how to describe it. Too self-aware, too clever? It’s similar to the contrast between HN and other forums/social media out there. I’m not sure, but whenever an older article or something shows up, I usually enjoy it. Perhaps it’s that only the best have survived till now.


I am with you. But I think I know what it is, you touched on it and almost had it. It was indeed peace, we almost had it, world peace - feeling utopian and all loving in the 90s.

Then came 9/11. It’s the single point in history where just about everything to do with American society can be defined to be before and after.

Doesn’t matter what you think about the event and its authenticity as described, the fact of the matter is that America as a country has been locked in this sort of country wide PTSD since and have changed completely. Along with it went peace, calmness, secularism, egalitarianism and altruism. We’re constantly the hunted now, the ones who need security, everything needs to be dumbed down, so called common sense rules and it better be my common sense and not yours. And on and on it goes. We’re operating like a demented, schizophrenic who has woken up from a nightmare every day of their lives and have lost the fact they are living in their head instead of in the real world.


>Then came 9/11

The rising pessimism and negativity since 2008/09 is a global phenomenon. I think it's wrong and very US-centric to attribute that to 9/11.

The 2008 financial crisis and the rise of social media have probably more to do with the rise of millennial pessimism and negativity.


I wouldn’t understate the role of companies like Google that pioneered “exploiting idealism as a PR strategy.” The IPO listing claimed “Google is not a conventional company and does not intend to become one” and their recruiting tag line was “Do cool things that matter.” They leaned hard into social issues like gay marriage and paid lip service to FOSS and hacker pet topics. But over time they’ve shown willingness to sacrifice any amount of user privacy, willingness to censor and suppress, willingness to illegally collude against labor, and willingness to embrace special rules to protect elites in their club.

People nowadays complain that gay pride parades have gotten too corporate, but especially by companies that are willing to exploit people in other ways. But this is simply the playbook Google pioneered, to take good will around certain social issues and use it as a decoy while you pick people’s pockets and put your boot on their face. I don’t think we can understate the extent to which good causes have been infiltrated by bad corporate actors and how much that had undermined our trust in our communities.


I think the 2008 financial crisis showed most millennials that they would never be able to own anything of real worth and value from their work alone, that they would not accrue their own generational wealth but instead inherit from their parents (if they inherit at all), and that unless you're born into the big club, are useful to the big club, or are a massive outlier, that hard work and personal sacrifice will not materially improve your condition in life.

At least that's what I got from it as an "elder millennial" (born in the very early 1980s).


We had worse crises before that didn’t change societies so deeply. With 9/11 we started renouncing the concept of freedom that we gained with illuminism and the French revolution. Then we started putting “safety” before everything else.


> We had worse crises before that didn’t change societies so deeply

During the Red Scare, loyalty review boards were instituted and civil servants insufficiently 'American' were sacked in the thousands.


But there isn't a singular date to associate with the Red Scare... that's more a nebulous period of time. It was also a gradual process. The West was already preparing for the oncoming cold-war with the USSR before the end of WW2.

The loyalty boards and Hollywood blacklisting were definitely a change in society, but it was so slow moving that I wouldn't compare it to a shift like 9/11.

The world wasn't really different before and after something like the hearings of the House Un-American Activities Committee, even though that is what would be a likely event you'd associate with the Red Scare.

When I think of 20th century cultural events that had a shift in society, I think more of the Cuban missile crisis, the Challenger disaster, the fall of the Berlin wall, etc... shorter events (not necessarily instantaneous, but well defined times) where you could define shifts in culture to before/after.


Change can still be change without being sudden.


> Then we started putting “safety” before everything else.

One caveat.

It's safety first, unless they decide to go to war to ensure continued access to cheap commodities (Iraq) or to play weird sociopath power games (Vietnam).

It's going to be kind of rich when they ask people from podunk towns in "flyover country" to go fight their next war, after years of ridiculing them and decimating their local economies.


I agree with the poster below me.

While the financial crisis might be more of a root of all problems in Millennial and generations that followed minds it’s not where it all started (I am a Millennial).

Also don’t forget 2008 was the year of the iPhone. The year we started inching towards being an always on society.


I agree, I think the difference is that in 1999 when he wrote that piece, there wasn't a clear audience in front of him that could react immediately. Nowadays, everything that gets written is immediately posted into social networks to be given instant gratification.


> Then came 9/11

> American

Yes, except the world is large and frankly in most parts of the world 9/11 doesn't factor very large in memory. As such, I doubt it was the single most important factor in changing this feeling of world peace which again, definitely didn't exist outside of the US. All you need to think about to see that is look at why 9/11 happened and think of all the murdered people those folks must have seen to get that angry.


> and think of all the murdered people those folks must have seen to get that angry.

Come now don't be naïve: those same folk get just as rabidly homicidal over a silly little cartoon.

Some societies are just not compatible with legal systems that a) limit the use of force to the government alone, b) place the rules and rights of men above religions.

Never the two shall meet.


9/11 is an inflection point in modern day America, but there have been other equal/greater inflection points. Revolutionary War, Civil War, WW2… lots of war


Absolutely, and wars waged without declaration that were equally traumatic. Within the lifetime of the Internet, I think 9/11 is the major inflection


Or alternatively, then came Internet for the masses. Before that a lid was kept on a huge part of the population, the dream of raw global information sharing turned out to be a nightmare our societies/species is not ready for.


It's the "Eternal September" or "September that Never Ended" for the internet in general. With mass use came mass marketing and a switch from authentic information dissemination Internet to pure and absolute profiteering of everything you see on the internet.

Do a random search in Google (DDG, or Bing) of ANY term at all, and you will see that the full first page links to pages that wrote whatever content for a profit (either by selling ads, or by a paywall, etc).

Long lost are sites like Xoom, Geocities or similar where people wrote about their knowledge just for the sake of it. Long gone are the "web rings" that took you into cliques of people wanting to share knowledge of some specific subject.

Nowadays the closest you can get to that sort of information is in forums like this or reddit (and this last is questionable). That's why adding "site:reddit.com" when searching for some opinion is becoming more useful compared to pure search engine results.


Wikipedia and community wikis also centralized (drained?) a lot of knowledge that might have otherwise existed on separately hosted sites linked through webrings.


> Doesn’t matter what you think about the event and its authenticity as described

Interesting small mention. Is it common in America to disbelieve in the mainstream history of 9/11? I’m just getting glimpses from the new world via the internet and have no ear to the ground there


I'm not sure what the original commenter was talking about, but no, it's not. There is vast agreement in the US about what happened.


Not as vast as you think [1]. Also as of late it appears the victims don’t want their president there in their 20th reunion for similar reasons.

[1] https://en.m.wikipedia.org/wiki/Opinion_polls_about_9/11_con...


The answer to that is a personal one and I suggest for anybody on either side of any argument to recall Nietzsche’s saying - Convictions are more dangerous foes of truth than lies.


> America as a country has been locked in this sort of country wide PTSD since and have changed completely.

Population wise, that was the case for a number of years after 9/11. In terms of government policy, it's still the case. But in terms of the former, it's fading away as more time passes. People who were born in 2001 are or will turn 20 this year. Just like events like the attack on Pearl Harbor and the Cuban missile crisis, 9/11 will also become an event that's just known by reading history rather than a first hand experience.


They won't remember the transition or really realize it happened, but the cultural echoes last a hell of a lot longer than direct memory of the event. Hell, the reverberations of the civil war still echo today.


> It was indeed peace, we almost had it, world peace - feeling utopian and all loving in the 90s.

Think you might need to qualify that. The mid-90s saw the Bosnian and Rwandan genocides.


It won’t be the first time in history, Americans and with them the “western” world turned a blind eye to whose backs their hedonistic party was carried over.

If you look at what was life like. What people cared about. What songs sang about. What households looked like. War was as far a concept from the average American.

Sure we had the gulf war early 90s. We had Bosnia during Clinton years. But most Americans were more concerned with becoming stock traders from home, saving willy and the earth and how Clinton’s cigars were used.

American bombers dropping bombs by the ton to the backdrop of western advancement has almost become an expectation in our campaign of spreading our brand of democracy and its freedoms or else.


> We had Bosnia during Clinton years.

Oppose them or support them, it was literally American bombing campaigns that stopped the Bosnian genocide and the ethnic cleansing of Kosovo.


Admittedly the Yugoslav wars are not my strong suit in history, but if protecting genocide is all that is American, it makes you wonder where have we been the past decade when it came to Yemen. Same with the Uyghurs in China. Same with the civil war in Syria. I can list a few more...

Feels like there was something more that led America to Bosnia, and it wasn't just our benevolence and saving the world from itself.


> Feels like there was something more that led America to Bosnia, and it wasn't just our benevolence and saving the world from itself.

There was a lot of pressure to "do something" in the Balkans, and the military wasn't averse to showing off its goods, so something was done. Imagine the media pressure with Yemen x1000. That was Bosnia and Kosovo (probably mostly because it was in Europe).

Also, US military has intervened militarily in Syria, many times, and even with troops on the ground. Did you miss it?

The Uyghurs are a poor analogy, because despite the intense oppression they're under, they're not being mass-murdered. And a humanitarian intervention in China due to Uyghur situation is just not in the cards, because realism.

So sure, Bosnia+Kosovo interventions weren't just "benevolence". It was a convergence of factors (power dynamics, US President open to idea, media+public pressure, limiting intervention to air campaign, etc). But it wasn't an oil pipeline or some ridiculous conspiracy, either, like I sometimes hear.


Aside from shifts in morality and underlying cynicism that took place online from around 2007, once the "unwashed masses" became addicted to Facebook, I think the biggest thing that killed good writing online was analytics.

Once most people discovered their well thought-out blogpost got only 100 page views while a meme with a cat got 10 million, many just gave up. But what's missing in those numbers is, of those 100 page views, perhaps 10 were people you actually respect, have influence in your field, were actually using your Open Source project etc.

By optimising metrics like page views we lost sight of the genuine impact we might have had with good writing.


By now the concept of competing for attention, for the limited 3-4 hours of free time you have a day is well known. To maximize engagement and clicks you just have to appeal to the shittiest parts of human nature - anger, fear, low attention spans. A few people figured out how to make the equivalent of cocaine (e.g outrage porn news, gamified social media) and now there is no going back - you compete with cocaine whether you like it or not. The more technical phrasing is that "intermittent variable rewards" are highly addictive - and this basically explains the entire design of social media or the shitty mobile games you see now.

You can read statements/watch videos by Chamath Palihapitiya or Sean Parker admitting to this being an explicit strategy at Facebook. "Digital Minimalism" by Cal Newport is also a nice book that covers some of the same ground.

If you ask me, our current way of managing society is a failure. You have large, well-coordinated organizations basically selling cocaine (fast food, youtube, social media, cigarettes) on end, but the other end (consumers) are necessarily less coordinated and informed because they don't operate within an organizational hierarchy with centralized decision making, shared knowledge and people dedicating 8 hours a day to maintaining those systems. Theoretically, companies live and die by how much value they create for their customers. Practically, many companies resemble organized militia waging asymmetric warfare on unorganized masses in an increasingly zero-sum world.

I think we need to focus a lot on organizing as people outside of the structure of a for-profit corporation. Theoretically the government plays this role but it's not enough.

(inb4 omg you hate capitalism stupid commie)


>> in an increasingly zero-sum world

I don't understand this part - what do you mean by that? Why would the world be increasingly zero-sum?


Most of the developed economies of the world have seen lower productivity growth since the booms after WW2 and have never recovered to previous levels. There are some arguments to be made that much of our current economic growth is artificial as well. The IT revolution has also not made much of a dent in overall productivity growth, at least as of yet - I don't know whether this is an artifact of how it's measured, or the growth is yet to come, or perhaps there really isn't any growth. The bigger point is that our economies are simply not designed to work in a world where there is low growth [1]. In a zero growth world, the only way to make money is to take it from someone else, so you get more zero-sum behavior. The slow growth is also in line with what folks from the WEF are saying [2]

[1] https://www.strongtowns.org/the-growth-ponzi-scheme

[2] https://investmentmonitor.ai/global/the-urgent-case-for-stak...


One difference (in this article at least) is that there are no jokes or unnecessary cultural references.

Another might be called moral clarity. Unfortunately, it's usually an illusion. We have much more experience with technologies invented under optimistic assumptions turning out to be a moral gray area at best, when you look at how they're used.

I found this paper interesting:

The Moral Character of Cryptographic Work https://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf


I'd put "jokes" and "cultural references" together under "tone". Recent articles often feel like they're trying to catch the attention of children. There are lots of "candies" to make you read: pictures, GIFs, jokes, an attention grabbing title, colors, emojis, a friendly tone, lots of exclamation marks. On the other hand, that article is mostly black on white text, that's plain in a good way.


It's the recurring critique on my blog posts: that there is too much text and too little pictorial content. I'm not going to change anything because of that but it is interesting how you have identified this as a good thing when the bulk of the feedback that I get about this is negative.


I've just read "Pianojacq, an easy way to learn to play the piano" from your blog. I like it. There is a video to show everything, and a direct link to the software. The tone is what I called "plain in a good way" in my comment, it's mostly information organized logically. I wish more blogs were like yours.


Thank you! The software has come a very long way since that first blog post (and so have my piano playing skills :) ).


I especially hate this "corporate fun" style when it's a big tech repository where each bullet point of a list is replaced by an emoji.


I really have a hard time with emojis outside of communications. Either they are saying something that was already said by the word or words before, and in that case they are useless, or they replace a word and make text harder to read. I also really don't like the concept of making objects into emojis, as we already have words to describe that, and emojis reflect a very limited world. For example, if you look at the food emojis, this is basically "I live in San Francisco and all of the food I get is from restaurants". I think I've heard it described one day as "the world of people that live in airports", and that fits well.


That's because young people have very short attention span and they must be fed with instant gratifications all the time to continue reading. Those "candies" are targeted at them.


No those "candies" are to create feeling that you are peers and that it is informal communication.

That is why most people like movies made by Quentin Tarantino and not by Andrei Tarkovsky.

I don't like when someone puts memes in each paragraph but at the same time I don't like to read "guru on a high horse" that comes like he is a smart ass because he pretends to be professional and all that.


I think both types of candies can coexist. If someone makes a joke, it's probably to grab your attention. If someone talks about politics, it's probably to signal something to their peers. If someone uses the last marvel as an example, it's probably a bit of both.

> I don't like when someone puts memes in each paragraph but at the same time I don't like to read "guru on a high horse" that comes like he is a smart ass because he pretends to be professional and all that.

That's fair, I don't like this style too. Which is why I like to describe what I like as "plain English". I'd say the characteristic is that the content is mostly information, and not signalling or entertainment.


Is it really just young people?

Don’t old people who sit in front of the news get a similar rush?


That was my experience working with developers of different ages. Those who were born before 1995-2000 year are fine spending hours focusing on books. Those who were born after, prefer to learn from short engaging videos. I don't judge anyone, that's just my observations, I don't claim if one method is better than the other.


Where do you get that? Do you mean software developers specifically?


I don't think they are targeted only to them. The short attention span can be a thing, although I'm not sure it's generational. For example, the usual newspaper has a lot of small articles.

On the other hand, part of the candies is to reassure your audience and try to bring them to you with something else than your content. That part applies to everyone, regardless of their age. For example, if you do a blog post on a programming technique, you could try to brand it (and yourself) as "software craftsmanship", insert a few references to people in that space, add a few paragraphs talking mostly about this ideology and not the content. Or you could use a lot of examples, references and jokes from something cultural (the current popular thing on netflix for example). These "candies" aren't targeted at people with short attention span.


> [...] young people have [...]

I hope you will forgive me for saying this but every generation leverages criticism on preceding generations for some perceived flaw. When you look back at other similar criticisms it generally can be seen as very overblown. I think in this case it's fair to say that this is not something that must be done to them, it's just something that is done to them. When you get used to something, that's what you like - it's not an intrinsic trait like you're making it seem.


I think you are biased, and falling to the age-old "young/old people bad" where young/old is picked on which one you are not

Commodari E, Guarnera M. Attention and aging. Aging Clin Exp Res. 2008 Dec;20(6):578-84. doi: 10.1007/BF03324887. PMID: 19179843.


> One difference (in this article at least) is that there are no jokes or unnecessary cultural references.

As someone who started his professional career in the mid 90s, working in what we now call cyber security, and having written both then and after a long gap… now. I was initially baffled and then somewhat put-off by the way style has changed between say 2000 and 2010. First I put it down to just being older. Then I wondered if authors were encouraged to “put more of you” into writing (which I am not a fan of unless you are explicitly writing autobiographically). Part of “bring your whole self to work”? Then I wondered if it was just an attempt to add colour to what may be a rather dry subject for anyone other than those working in our niche. Finally I thought that perhaps it was something a little more profound. A desire by the author to connect at some deeper level than the dry content, with an audience, a tribe if you will.


All those "jokes" are exhausting. I usually don't have the energy to finish reading an article. I assumed it was a problem with myself, lack of attention. Until some day I read an article from beginning to end, it was captivating. I found that weird, then I checked the date of the article: 1950.


Link? :D <- Emoticon for the short of attention span.

Honestly, I know it's popular to cast these things as 'Gen Z, kids these days don't know how it used to be'....but I know this 51 year old guy doesn't have near the attention span reading that he used to.


You are right. All the good movements in tech happened ~20 years ago. Free Software/Open Source, Wikipedia, etc, all date back to early days.

Now it's all about that SaaS money. I don't mind the money part, but sadly, tech has become a gold mine for predators who smell the money and are out for blood.


I think much of it has to do with that they were originally written for books, magazines with thorough editorial practices and a reputation to preserve.

'Richard Feynman and The Connection Machine'[1] another HN favorite comes to my mind. It was originally written for Physics Today magazine.

I don't think it's limited to only long form content. Even today printed newspapers which have been in existence for >=~100 years do have better quality of writing than online content (even from the same news media) due to some resemblance of their editorial practices.

But all those printed newspapers are on the verge of bankruptcy or already dead. Their online counterpart is now only concerned with how many articles can be published/hour. There's not even proofreading because of this as they have to please Google, Facebook, Apple for those screen time.

I've noticed when I give interviews to online news the writer often has to work with their web-admin to fix errors in my statements after publishing (when it's different from what I actually said) and often it takes several hours if it even happens. Whereas printed newspapers had the habit of error correction in the next issue.

[1] https://longnow.org/essays/richard-feynman-connection-machin...


To me, there was something to say vs people posting shit just to meet a quota. There seems to be much less thought/research/editing of content now. It wasn't so gamified before HTML2.0 and social.


Not convinced HTML2 'gamified' anything.

"HTML 1" wasn't really a standard anyway and I don't remember what html2 actually brought - I remember not every browser in the mid 90s did tables, client side image maps etc but they were later additions to html2.

Javascript (which came in with html 3.2) was far more of a step change than html2


I think they meant "Web 2.0"


Yes, you are correct. Totally meant Web2.0 when things became interactive and sites started allowing users to post comments and what not.


HTML5 brings incredible things to the table however with its taints of corporate presence and those who hold a dictation in direction. This is not "free".

HTML doesn't have to be the only web transport. Build your browser and make your own protocol. IPFS is doing just fine.

HTML4 was the last true free-release from any corporate grab. And it has everything you'll ever need. However it just sits there forgotten taken by the glory of HTML5.


I agree with you, but my hypothesis is straightforward -- it's the money. The internet in particular, but tech more broadly, is now a mainstream industry, generating and attracting a lot of money. In the US, even a poorly paid SWE, for instance, is almost certainly making well above the median income. Decently paid SWEs make a lot more, and well paid SWEs... And of course those who actually employ well paid SWEs and are only paying their developers the least they can get away with, while still paying them a lot, are obviously raking it in.

There's good and bad in this, but it does clearly change things. When there's that much money on the line, ironically the stakes become higher and there's less genuine creativity and risk taking. The flip side is of course true -- too little money is a problem (I mean, I'm not about to trade my SWE gig for working in an Amazon warehouse as a means of spurring personal creativity), but given enough money past a certain baseline, things do change. There's a sweet spot at "enough money that people can feel free to be creative and take risks" and "so much money people are scared to take too many risks".


It was a different time. The people writing these things were more nerdy and more mature. The social internet hadn't taken over. People weren't concerned with votes, stars, comments, likes, splashiness, attention, or trading funny pictures of cats. You could take your time to write something considered just because you needed to get the information down. Software projects were idealistic because most software out there was proprietary and expensive; paid software was an entrepreneurial risk, and free software was transgressive.

If a culture is popular, it tends to saturate. The old internet simply couldn't compete with the new one.


The dot com boom is a reasonable point in time to make the cut. But it's never a single event. Ever other posters referenced 9/11, which was definitely another major event.

I'd add Columbine as another event, which occurred in 1999 [1]. That seemed to have a lasting effect on that cohort, which was also the group that got hit hard in the 2008 downturn.

But maybe a better line is the rise of Facebook, which shifted the story from the promise of tech to the promise of social connections.

Of course, technology will never be able to save us, and the human condition is what it is. So, really, while a small passionate group seemed excited back in the mid 90s, it was always false gold.

[1] https://en.wikipedia.org/wiki/Columbine_High_School_massacre


I suspect it is that there are a lot less abstractions and the thinking is much more moored in the material. In this profoundly technical article there is barely even a mention of computers or algorithms, and the vision is of a more analogue world (of paper bills, phone companies, physical wiretaps, human agents).

The modern internet is almost entirely clashes of abstract concepts. It also shows up in the slight breakdown on the internet of basic, verifiable facts. Nobody is relying on real-world stimulus to form opinions. It is a bit draining to keep up with.

That and there is less optimism because it is clear how slowly the world changes. Consider the "The government has a track record that does not inspire confidence..." paragraph. Written 30 years ago, part of it could credibly be talking about Assange, have names swapped for Trump, etc. At some point intelligent people are going to get jaded pretending that this is new based on the overwhelming evidence that the internet gives us access to.


Money/Greed attracts a certain type of person who has different values, priorities, and interests.

I think it mostly comes down to that.


Ever watched old commercials? It feels like they were less "in your face", not constantly jumping up and down for your attention. Calmly spoken and more likely to actually say something about the product. That shift is another indicator of the shift of things getting dumbed down in a way.


The utopianists saw what they had wrought, and did not like it.


Very similar to the cryptocurrency field. Lots of noise nowadays.


Bitcoin was born in the aftermath of the global financial crisis and the occupy wall street movement.[1] Events where, giant banks and institutions received trillions of dollars in unprecedented bail outs while 'main street' suffered with record unemployment, foreclosures, and destruction of small businesses.

People rightfully realised that perhaps government should not have absolute and total control of the monetary supply and financial system. That a 'Plan B' may be in order.

Unfortunately, today it's 90% people trying to get rich quick.

[1]: https://en.bitcoin.it/wiki/Genesis_block


> Unfortunately, today it's 90% people trying to get rich quick.

And that is, unsurprisingly (and quite banally), used by many detractors to dismiss it all while handwaving away:

> Bitcoin was born in the aftermath of the global financial crisis and the occupy wall street movement.[1] Events where, giant banks and institutions received trillions of dollars in unprecedented bail outs while 'main street' suffered with record unemployment, foreclosures, and destruction of small businesses.

> People rightfully realised that perhaps government should not have absolute and total control of the monetary supply and financial system.

Like people still hand wave away all the metadata and other work-arounds to compromising popular crypto systems that are highly touted because they are popular/convenient/etc or all the "get rich quick" mentality/motivations that exist outside of cryptocurrencies and have always existed…


> And that is, unsurprisingly (and quite banally), used by many detractors to dismiss it all

There is a stronger argument against crypto: the main use case (outside speculation) seems to be illegal activities. If what you are doing is legal, why not use government currency? If what you are doing is illegal, crypto is great. A currency outside the control of the government (police) is almost by definition made for illegal activities.

In some countries, illegal activities are morally correct, though. Crypto helps here.

But crypto has enabled entirely new types of crimes that did not exist before: ransomware.

I am not completely for or against crypto. I am responding to your comment that people are dismissing it because it seems like speculation only. I don't think that is true and that there are better reasons for dismissal?


If by trying to avoid aiding and abetting the system described as:

> …giant banks and institutions received trillions of dollars in unprecedented bail outs [1] while 'main street' suffered with record unemployment, foreclosures, and destruction of small businesses.

> People rightfully realized that perhaps government should not have absolute and total control of the monetary supply and financial system.

Is defined as illegal in and of itself by a government, then sure, there's no argument against dismissing it as illegal. Just like PGP falling under being illegal (from another comment) because it could exist as:

> digital copies of the binaries and source code were prohibited for export as a munition

There's no successful argument one can make against such illegality to said government. And I wouldn't bother, such people will never acquiesce if they haven't felt the lack of sufficient recourse to [1] (because they quite possibly may gain a lot of benefits by being indirectly or directly involved in [1])

Luckily, reality isn't so rigid as to what people (or even other traditional governments abroad) will actually accept (then and now) and have sovereignty over deciding what they want for themselves and side stepping based on what can actually be enforced in totality in practice regardless of what any given institutionalized jurisdiction may think of it.


1. Why does FedEx exist? If what you are doing is legal, shouldn't you use USPS?

2. There are plenty of things that are federally illegal but many consider to be morally legal. Examples include, for example, weed dispensaries operating in states that have legislated cannabis.

3. What happens if a future government makes funding of ETE encrypted software, without CSAM scanning, illegal?


I think FOSS didn't predict that work done by volunteers will be appropriated, repackaged and sold by big corporations without sharing profits with contributors nor sharing any patches. This caused people to develop defensively - contribute as little as possible and only for their own benefits. Developers no longer wanted to be taken as fools.


From an old comment of mine on the topic:

https://youtu.be/sKOk4Y4inVY?t=518 [1]

1. "In 1995, there was a debate at Harvard Law School – four of us discussing the future of public key encryption and its control. I was on the side, I suppose, of freedom. It’s where I try to be. With me at that debate was a man called Daniel Weitzner who now works in the White House making Internet policy for the Obama administration.

On the other side was the then Deputy Attorney General of the United States and a lawyer in private practice named Stewart Baker who had been chief counsel to the National Security Agency, our listeners, and who was then in private life helping businesses to deal with the listeners. He then became, later on, the deputy for policy planning in the Department of Homeland Security in the United States and has much to do with what happened in our network after 2001.

At any rate, the four of us spent two pleasant hours debating the right to encrypt and at the end there was a little dinner party at the Harvard faculty club, and at the end, after all the food had been taken away and just the port and the walnuts were left on the table, Stewart said, “All right, among us now that we are all in private, just us girls, I’ll let our hair down.”

He didn’t have much hair even then, but he let it down.

“We are not going to prosecute your client, Mr. Zimmermann,” he said. “Public key encryption will become available. We fought a long, losing battle against it, but it was just a delaying tactic.” And then he looked around the room and he said, “But nobody cares about anonymity, do they?”

And a cold chill went up my spine and I thought, all right, Stewart, and now I know you’re going to spend the next twenty years trying to eliminate anonymity in human society and I am going to try to stop you and we’ll see how it goes.

And it’s going badly. We didn’t build the net with anonymity built in. That was a mistake. Now we are paying for it." -Eben Moglen


Thank you for posting this partial transcription. The whole speech is well worth listening to.

The loss of freedom has only accelerated since 2012, when Moglen gave this speech. I wish he would give them more often. He’s truly a voice for freedom, and there are not that many.


Tor is the anonymous net. It might be not perfect against targeting state-level attackers, but generally it works and delivers its promise.


> it works

Does it? Dragnet surveillance might not easily inspect all Tor traffic, but it can easily see who is using it, flag those identities, and put them on a list for increased scrutiny. Unless a major web browser has it enabled by default, I don’t see it delivering on its promise.


> What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.

——

I agree with you. And also perhaps those of us with nothing to hide really need to spend more time on Tor


Don't leave the onion network. It's the exit nodes where 1/3 are hostile.


That's a really good point actually!


The fact it is state built and state funded doesn't give me confidence that it protects you against a state-level adversary.


They built it for their spies, so they can exchange information without traces. And they popularize it, so metadata analysis becomes useless. It's unlikely to have vulnerabilities, because other states could find and use them.


If it was indeed built for spies as they claim then I would expect that they know how to track communications through it because you have to know when your spies are leaking materials or have gone rogue.


The fact that the inventor of onion routing technology from the United States Naval Research Laboratory was involved in the creation of Tor pretty much ensures that Tor will be useless at evading 5 Eyes and equivalent nation-state actors.

If they've not come at you when you're using Tor then it's that they don't care to find you. It's not that they can't find you.


PGP felt so subversive back in the day.

Key signing parties[1] and porting the "international" version[2] to run on the Amiga. And the very real threat that the Clipper Chip[3] would lead to the outlawing of all other encryption methods.

[1] https://en.wikipedia.org/wiki/Key_signing_party

[2] https://www.unix-ag.uni-kl.de/~conrad/krypto/pgp263.features...

[3] https://en.wikipedia.org/wiki/Clipper_chip


The sad thing is if the clipper chip was ubiquitous today that could have killed the ability for spammers to spoof numbers. Some days I can get a dozen robo calls, each with a different spoofed number. People that want non-backdoored crypto could still do so.

I'm still blown away at how hard it is to get people to use any encryption, even people who work in infosec/etc. If nothing else, 2020 was a great year for the uptick in using crypto to communicate with non-technical fam and friends.


Robo calls should be filtered at the network level. The Clipper Chip would have done nothing to prevent this.

There is actually encryption technology[1] available that would solve this or at least make it traceable and blockable. But here we are.

[1] https://en.wikipedia.org/wiki/STIR/SHAKEN

Edit: Also the political situation at the time was that if Clipper was adopted, all other encryption technology would be outlawed. It was a very scary time.


The key word here being "should", and they are clearly not filtering at the network level. I can tell, I still get spoofed robocalls... The clipper chip provided end users the ability to cryptographically prove callers were who they claimed to be independent of the network operator, which is a key need of a crypto system.

Robocalling with spoofed ANI has been a problem long enough that I think we can safely say the network operator is 100% complicit with this activity now. The phone company could track down kids war-dialing blocks of numbers in the 1980's in order to make sure they were not telemarketers not paying higher telemarketing fees. Do people really think the phone company is not getting a cut of these robospoofers?


You don't need a clipper chip to trace nuisance calls. You need an authenticated network that records the origin of calls, and hopefully passes that through when calls are forwarded and makes it simple and worthwhile to report nuisance calls and aggregates those reports and takes meaningful action against the origins.

Anyway, we're getting shaken/stir or whatever RealSoonNow(TM), so we'll probably have better CallerID. I don't think it'll be enough to solve the problem, without a reporting mechanism, but I guess we'll see in the next couple years.


"You don't need a clipper chip to trace nuisance calls. You need an authenticated network that records the origin of calls,"

So where is this magical solution you speak of? We're all products that the phone company sells to telemarketers, there is no incentive for them to give us these tools now.

Again, the clipper chip would have made it difficult for anyone to pretend to be someone they are not, cryptographic signature is part of the deal to ensure you are talking to who you think you are talking to.


Would you want the same capability on the Internet? If not, what makes Internet communication different from POTS communication?


Internet connections have a more-or-less reliable source IP (spoofing does occasionally happen and we take measures to mitigate it), IP ranges have owners and if an address is consistently used for abuse (attacks, spam email, ...) then people do report this to the owner of that address?


> IP ranges have owners and if an address is consistently used for abuse (attacks, spam email, ...)

IP ranges have registrants. Servers usually are assigned IP addresses temporarily by the registrant, or by someone the registrant has assigned the block of addresses to by some other means. This means differs from region to region. In the US the responsible party is ARIN, and registrants can reassign addresses using a database called SWIP. In the EU both registrants and their partners use the same database called RIPE. I have never registered addresses in other regions.

> then people do report this to the owner of that address?

Yes. Registrant again, but yes. And if you don't get satisfaction, then you can (and should) escalate all the way to the region's authority.


Yes.

Email has a "from" address in the SMTP protocol (the thing that often carries emails) that is separate from the IP address of the sending server, the exact same way "CALLER-ID" is a separate field from the billing address (called ANI, or Automatic Network Identification) in telephone networks.

Requiring that ANI match CALLER-ID would break many voicemail systems and call-forwarding systems. They can be fixed, but it will be expensive to do so.

Similarly, requiring the email "from" address agree with the SMTP server's responsibilities breaks mailing lists and email-forwarding, and again, this can be fixed, but it is proving expensive to do so.


I would want to require:

1) That the source IP address be from a range 'controlled' by the operator of a given AS. This might be proven, semi Out of Band, for a duration by a PKI challenge with a key representing that authority. (Allows distributed services on the same IP anywhere. Fulfillment can be asynchronous if UDP.) Edit: This would also be how to securely claim an AS route; you might still need a link authorized for this level of service.

2) The mentioned feedback mechanism should be coupled with 'do not forward me anything from IP || net/mask for X time' via a similar mechanism. A reason might be provided, reasons of clear abuse MAY be aggregated and used to isolate misbehaving hosts / networks.


> Some days I can get a dozen robo calls, each with a different spoofed number.

I live in the EU and have literally never gotten a robo call in my life. It's a political problem, not a technical one.


The US government intentionally made it inconvenient and infeasible to include encryption at a key time in technological development, and I think it had lasting consequences.

Yes, if the internet community had acceded to their demands to use the clipper chip, that would have been one route to them lowering the barriers they had put in place to encryption. They also could have just recognized that widespread encryption was in the national interest without the clipper chip, instead of deciding it was opposed to it.


Yes, the only munition available on a t-shirt!


Did PGP do that too? I know DeCSS did this. Did they borrow the idea from PGP?



And AACS as well.

I remember buying some FreeBSD disks from Walnut Creek CDROM in the 90s, these shipped to my home in Mexico. When they arrived, apparently Kerberos was not included in the distribution because "it was not possible to export weapons outside of the USA". 12 year old me was completely puzzled at what that was about.


The government thinks it still is.


PGP's biggest weakness was that it was too early. There was no normal user accessible software available. No regular person was going to establish the web of trust or use command line utilities.

So now we have easy, strong encryption and the keys are controlled by...someone. Definitely not the user, though.

Funny story - even Phil Zimmermann can't use PGP: https://twitter.com/josephbonneau/status/638772283713060864 So maybe it is just a hard problem.


No, PGP's weakness is that the Web of Trust is an unworkable solution for the general population for key exchange. It works fine for you and your circle of crypto nerds, but as a general solution it's impossible.

IMHO this is a case where perfect was the enemy of good. Many possible solutions were rejected because there was a possibility that someone could MITM your first contact, even though in the real world this is unlikely. The key registries were almost a solution but none of them ever gained enough traction to be a default solution and mail clients were strangely hesitant to incorporate them even when they did implement PGP.

PGP was always half of the solution. Sadly they never figured out the other half. Microsoft almost got it working with Exchange, but even then it usually only works on a single domain at a time. You can't encrypt an email to someone at a different company even if they are using Exchange.


Web of Trust is a perfectly fine system but UI-wise a total disaster. There's also the reality that what most people need most of the time is a web of trust that includes government agencies, banks and other major institutions.

For the vast majority of useful communications for users, your web of trust ideally goes You -> Government ID Agency <- Recipient. And that's fine - that's what people actually need. People get scammed or deceived by faking those credentials.


Having to physically meet people to exchange long hex strings was never going to scale.


No but that's the point: you do have to physically go to the DMV, or the bank, quite frequently. And for most people, the important point to point communications are interactions you want validated against those entities.


Web of Trust mixes two kinds of trust.

If my mom gives me her public key, I trust that it is her public key. If my mom signs some other person's public key - I really don't know how much I trust that. Trusting that somebody is who they say they are is not the same as trusting them to properly vouch for another person.
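The distinction drawn in the comment above, between a key being valid and its owner being trusted to vouch for others, shown as an added example that is not part of the thread. It is a simplified model of the classic PGP trust calculation: the thresholds follow GnuPG's defaults (one fully trusted or three marginally trusted introducers, chains up to five deep), and the keyring and all names in it are constructed.

```python
from dataclasses import dataclass

# Owner trust: how far *I* trust a key's owner to verify identities before
# signing other people's keys. It is set by hand and never inferred.
NONE, MARGINAL, FULL, ULTIMATE = range(4)

# Thresholds following GnuPG's defaults for its classic trust model.
COMPLETES_NEEDED = 1   # signatures needed from fully trusted introducers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted introducers
MAX_CERT_DEPTH = 5     # longest certification chain accepted


@dataclass(frozen=True)
class Validity:
    depth: int   # chain length counted from my own key
    via: tuple   # introducers whose signatures were counted


def compute_validity(owner_trust, signatures):
    """Return {key: Validity} for every key accepted as belonging to its owner.

    Validity ("this key really is hers") is computed from signatures.
    Owner trust ("she checks identities carefully") only decides whose
    signatures are allowed to count. The two are tracked separately.
    """
    valid = {k: Validity(0, ()) for k, t in owner_trust.items() if t == ULTIMATE}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            known = sorted(s for s in signers if s in valid)
            full = [s for s in known if owner_trust.get(s, NONE) >= FULL]
            marginal = [s for s in known if owner_trust.get(s, NONE) == MARGINAL]
            if len(full) >= COMPLETES_NEEDED:
                newly[key] = Validity(depth, tuple(full))
            elif len(marginal) >= MARGINALS_NEEDED:
                newly[key] = Validity(depth, tuple(marginal))
        if not newly:
            break
        valid.update(newly)
    return valid


# Constructed keyring: key name -> names of the keys that signed it.
SIGNATURES = {
    "mom": {"me"},          # I checked her fingerprint in person
    "stranger": {"mom"},    # mom vouched for someone I have never met
    "friend_a": {"me"},
    "friend_b": {"me"},
    "friend_c": {"me"},
    "vendor": {"friend_a", "friend_b", "friend_c"},
    "reseller": {"friend_a", "friend_b"},
}


def scenario(mom_trust):
    """Recompute validity with a given owner-trust level assigned to mom."""
    owner_trust = {
        "me": ULTIMATE,
        "mom": mom_trust,
        "friend_a": MARGINAL,
        "friend_b": MARGINAL,
        "friend_c": MARGINAL,
    }
    return compute_validity(owner_trust, SIGNATURES)


if __name__ == "__main__":
    for label, level in (("mom: owner trust unset", NONE),
                         ("mom: fully trusted introducer", FULL)):
        print(label)
        for key, v in sorted(scenario(level).items()):
            print(f"  {key:10} depth={v.depth} via={', '.join(v.via) or '-'}")
```

In both runs mom's key is valid; the stranger's key becomes valid only once mom is explicitly given full owner trust, which is the second, separate decision the comment describes.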


This is still a UI problem though more than any other: Web of Trust stored, and could have displayed, the actual verification chains, and set up some decent defaults based on that - i.e. "Government", "Bank", "Personally Verified", "Friend of a Friend" - all of this would be easy to communicate via what keys signed what exactly who you were dealing with.

This even leads to a logical DNS integration: debian.org advertises the core group of keys which should verify people on that address via DNS, and it shows up as "DNS-only" or something.

Good crypto frequently undermines itself by trying to be adversarial to the whole concept of government or big companies (look at TLS - it succeeded because it's the antithesis of this) but those are the primary users and coordinators that can drive adoption.

I have this complaint with Signal right now: if Signal wanted a legitimate funding source, they should sell a "verified Signal" service to let companies subscribe to use Signal as an alternative to SMS providers - my father wants to do this for his small business right now, to replace the SMS bulk sender and be able to send larger files to people securely.

Instead we've got whatever cryptocurrency ridiculousness.


This is the reason Friendster failed. Friending someone automatically made you a friend with all of their friends, even the ones that were jerks or you had never met.


Notably, in recent hosted versions of Exchange that has been resolved since they can use Azure AD to authenticate across tenants, and if you don’t have Office 365 you can make a temp account in their tenant when you click on the link to see the email. It works fine (unless you’re still on-prem for email).


I fundamentally disagree with you that web of trust is hard.

There are much harder problems solved in easy to use ways, there’s just very little financial gain for this problem.


Matthew Green does a pretty good job picking apart PGP's issues, although he completely fails at suggesting alternatives and also completely ignores non-email use cases.

https://blog.cryptographyengineering.com/2014/08/13/whats-ma...


There isn't "an" alternative to PGP, because the idea of a single tool like PGP that covers all the use cases PGP attempts to cover has been revealed to be bankrupt. PGP does a bad job at practically everything it's applied to, because different problem domains ask different things from their cryptography. Backup tools want deduplication. Secure messaging wants relentless forward secrecy. Package signing systems want short, simple signatures --- meanwhile, messaging systems want authenticated key exchanges without signatures. Sometimes you want non-repudiation, but often you want the opposite.

To put this in perspective, it's a little like someone invented a bad balanced binary tree before anybody else came up with a hash table or a radix tree or a heap, and then a weird subculture formed around that balanced binary tree based on the idea that you should only ever use that tree algorithm, even though someone subsequently came up with red-black trees that were superior in every way to the original.


> it's a little like someone invented a bad balanced binary tree

It's a little like that culturally but it's almost entirely unlike that technically - a suboptimal data structure or algo tends to be just suboptimal-but-functional whereas bad cryptography and bad cryptography engineering often fail catastrophically. I know you know this, of course! But for one thing, someone used an iffy analogy on the internet, etc. For another, PGP people love misusing exactly this sort of analogy.


I'd use the analogy of "someone came up with C and then people came up with high level languages and even low-level languages that provided memory safety and..." but then we'd just be in another debate about how mired in the 1980s we should remain. :)


Have you written anything on proposed solutions? That would be an interesting read if you have.


I am so tired of crypto experts criticizing PGP without suggesting an alternative. So much has been written, so many soapboxes have been climbed on, and yet there seems to be no good replacement.

I deeply respect Philip Zimmermann for creating "pretty good privacy" rather than trying for "perfect privacy". PGP is exactly that: pretty good. Not great, not perfect, but pretty good indeed. And it's there. And it works. It's a compromise, which works well for many people's requirements. Oh, and did I mention that it EXISTS?

I use PGP every day. My private keys are stored on Yubikeys, which is supported. I have offline backups of those, which is supported, too. I can encrypt my backups for multiple keys, sign lists of hashes of files to verify integrity, and people can send me private E-mail.

None of this works perfectly, but it does work, and (not being a teenager anymore) I appreciate the fact that PGP has worked since 1991 or so, and I can reasonably expect it to work for the rest of my lifetime, unlike much modern software, which while being incredibly fashionable, seems to flare out a couple of years later.


This article presents some alternatives to PGP. https://latacora.micro.blog/2019/07/16/the-pgp-problem.html


With attacks on encryption and privacy by governments and big companies, we need more tools such as PGP.

The user should hold the keys, not a government or company.

Technical aspects are generally secondary, and should improve, but we shouldn’t dismiss good approaches due to implementation details.


You're absolutely correct. But unless the tools are designed so the average user can easily manage their own keys, it's basically PGP again.

I think U2F/WebAuthn dongles actually could solve this problem but there are all sorts of new problems now like "how do I use this with my iPhone and also with my PC" or "what happens when I lose my (physical) keychain with my dongle".


This is an especially funny thing to say when you compare the number of daily users Signal --- itself a niche cryptosystem --- has to PGP.


Funny term, “niche cryptosystem”

It’s like a frog, which is about to beat a frog with a wand, frog says, come on, I am already a frog!


The Signal protocol is very well designed but the implementation requires a telephone number (I know it is coming). That's a step removed from PGP which can be completely offline.


That's interesting and all, but my point is just that you'll have to stop and think about how many orders of magnitude separate the userbase sizes.

A simpler way to make the same point would be that relative to modern cryptography, to a first approximation, nobody uses PGP.


A good point, but one addition: nobody directly uses PGP.

While Debian and other package signing continues to use PGP (and yes, Debian may move away, and signify/minisign is preferable) there are lots of “infrastructure” uses.


Maybe only the right people use PGP.


I honestly have no trouble believing that's what PGP's userbase believes about themselves, which is absolutely part of the problem.


Safe communication should be available to everybody. Given how many professional engineers botch PGP at some point, it isn't exactly a great option for people like journalists who may need to depend on it with their lives.

"Don't worry, these few thousand techies are the only ones that need secure communication" is sheer arrogance.


That's fine, but even the "right" people need to interact with the "unwashed masses" sometimes. If your cryptosystem isn't readily accessible to everyone, it's kind of useless.


Not necessarily an endorsement (although I do own one), OnlyKey lets you store and use PGP keys in this way as well as U2F, OTP, etc.


OpenPGP implementations suck for usability. All the other messaging implementations also suck for usability.

Having obscure arguments about the underlying cryptography is fun and all, but doesn't really make the world a better place.


Some past threads:

Why I Wrote PGP (1999) - https://news.ycombinator.com/item?id=10581971 - Nov 2015 (47 comments)

Why I Wrote PGP (1999) - https://news.ycombinator.com/item?id=6823668 - Nov 2013 (109 comments)


My undergrad university library has (had?) a bound copy of PGP source code on the stacks for checkout.

If I remember correctly, digital copies of the binaries and source code were prohibited for export as a munition, but publishing the source code in a book, made it a book, and thus eligible for export.


> But while technology infrastructures can persist for generations, laws and policies can change overnight. Once a communications infrastructure optimized for surveillance becomes entrenched, a shift in political conditions may lead to abuse of this new-found power. Political conditions may shift with the election of a new government, or perhaps more abruptly from the bombing of a federal building.

Prescient.


The technotronic era involves the gradual appearance of a more controlled society. Such a society would be dominated by an elite, unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing even the most personal information about the citizen. These files will be subject to instantaneous retrieval by the authorities.

(Zbigniew Brzezinski, Between Two Ages, 1971)


[flagged]


We've banned this account for posting the same things over and over. Single-purpose accounts are not allowed here, and using the site primarily for political/ideological battle is also not allowed here.

Please don't create accounts to break HN's rules with.

https://news.ycombinator.com/newsguidelines.html


I guess. Pretty much everyone was saying that back then.


According to the legend, they weren't allowed to publish PGP on the internet because US laws forbade exporting of cryptographic tools, so they made a book with the entire source code and shipped that overseas.


Yes, export regulations were heavy back then. To have proper SSL in your Netscape, you had to import this patch file from Australia. And then we had this whole Crypto Wars thing going on. Look at Steven Levy's excellent book on the subject, or search on the Wired archives.


I wouldn't call it legend, it was released via MIT press. See: https://en.m.wikipedia.org/wiki/Pretty_Good_Privacy


It's not a legend, it's easy enough to confirm.

https://philzimmermann.com/EN/essays/BookPreface.html


As I heard it at the time, they had to actually physically carry the book overseas.


I have sooooo many lost emails due to lost pgp configurations. Encrypted blobs in my mail spools.


The fact that you couldn't restore no matter what without the key speaks for pgp rather than against, in my book.

By comparison I have very little trust in modern IM software.


Do you think I could restore an encrypted signal backup without the key?


You missed my point which was not about whether you could, but about whether someone else could, either from your backup or from an entirely different copy they could have acquired during the original transmission.

Same way I wouldn't trust a gmail/outlook/whatever-apple-named-theirs automatic mail encryption the way I can trust a bulky weird to use pgp one.


> but about whether someone else could...

Why would they be able to? I haven't heard of any such exploits for Signal, and their crypto as well as their app-related code is open, well-documented, and repeatedly audited.


You're focusing on signal for some reason, ignoring the larger point being made

Also:

> their crypto as well as their app-related code is open, well-documented, and repeatedly audited.

And since nobody builds their executable from source, it doesn't at all guarantee anything about the version I have on my phone right now, unless I do a lot of extra checks that virtually no one will do on every update. If whatever entity* aiming for me chose to target a specific update at me on the store that did a clear copy send on the side, I would never know.

* Say, China aiming for a Chinese user on whatever Chinese app store is popular at the moment, to take the most obvious (but clearly not only) example


> And since nobody builds their executable from source

How many people build gnupg or gpg-agent from source?

> Whatever entity

Seems like something your local apt/pacman repository mirror host could do too.

It's a fair concern. I'm not trying to be disingenuous, sorry if it comes off that way. I'm just focusing on Signal because you wrote "modern IM software".


> How many people build gnupg or gpg-agent from source?

More people than those who build Signal from source

> Seems like something your local apt/pacman repository mirror host could do too.

Which is why I focus on build from source, and more people do it for PGP than any IM software out there.


Today's analogy is bitcoin... Will all Bitcoin just be lost one day, because all keys get lost?

I am aware that "there are solutions", but are they (really) enough? Isn't "breaking in" required at some point?

Another endgame for Bitcoin is that all Bitcoin are stolen through the one tool which helps with ("unbreakable") encryption: Hacking / social engineering.

Besides that we have substantial discussions about why PGP isn't really cutting it for use with email (too cumbersome, at one point you lose your private key, recipient struggles to decrypt, etc.).


More and more Bitcoin is going to be held by custodians, like crypto exchanges, retail trading apps like Robinhood, and even traditional banks. Handling your own Bitcoin keys will end up being a niche cypherpunk thing, like using command-line PGP. It's actually a perfect analogy, because most popular "E2EE" chat apps are also custodial with your keys.


You don't own your bitcoin then (if you are not the only one who has the key) - Elon Musk pointed that out. The custodian owns your Bitcoin (and can run away with them or also lose the key).


No shit, but the successful custodians are the ones who have insurance on deposits and enough reputation that people are not afraid of them exit scamming. You don’t physically hold your stocks and cash either.


"No shit" - It's a bit over the top to denounce me here as "Mr. Obvious", but funny, so this shall be forgiven to you. Musk is hot and at the forefront and he said it the other day. There is a lot of running away with bitcoins still/currently (Mt. Gox) and they are not insured. Probably the endgame of Bitcoin: All Bitcoin get lost or stolen, but were reimbursed/paid out via an insurance :-D - The full value of all Bitcoin paid by the insurance.


Is there a good website listing the ways being spied on can affect you personally?

Would be great every time a "I don't care if the NSA watch my dick pics, bro" naive person brings this to my face again.


In addition to the reason already mentioned, one of the most important reasons privacy is necessary is how people - especially children - discover new aspects of their own identity, personality, and interests.

Children will experiment when they think their parents aren't watching. Freedom to experiment and explore their interaction with the world is obviously very important for children, but this use of privacy never really goes away. Consider if you wanted to learn an instrument but have never played music before (or any other difficult skill). You probably want the freedom to practice badly for a while. If you had to practice knowing people were watching you, would you feel as free to experiment learning this type of skill?

Problems of abuse and power are obviously very important concerns. However, I believe the chilling effect surveillance has on people will cause a major shift away from people experimenting with learning new things and exploring their hobbies, which will become an insidious, systemic damage to culture and social liberty.


Well my main reasons outside them are:

A) Abuse. The assumption that only true, evil crimes mean surveillance technology will be used is wrong. It will be used to harass partners, exes, famous people, activists, journalists, people with the wrong skin tone etc. In fact all of this happened already.

B) Power. Giving a government global surveillance capabilities also increases its power into a realm where the government's nature will change. It will declare things being its business that were formerly none of its business. It will go good for a while because our systems change slowly, but at one point authoritarians will take power and then you provided them with the perfect tool to target, assassinate, control and enforce.

C) Vulnerable groups. There are certain professions and groups that enjoy protection from government spying for a good reason. If you accept surveillance for yourself, you are also accepting it for them. And the next time you might really need your attorney-client privilege or your doctor-patient communication to stay private, it might be too late.

These are mostly "systemical" perspectives, but they are much stronger for me than "It is gross, they should not watch it".


Not really a website, but this paper[1] breaks down and refutes the "I've got nothing to hide" argument quite well.

[1]: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565


I met an American guy around 2005 who told me something that got me to think: He did not use any "public" email service (gmail, yahoo, hotmail, etc). When I asked him why, did he believe the government could do something to him? His answer was (heavily paraphrased):

"It is not about what the government can do today with it, it is what the government will be able to do in the future"

You may believe that your dick pics are OK now and laugh at the thought of some FBI/NSA official having to comb those on a Friday afternoon. But in 10/15 years time you may be in a situation where said official will bring your dick pics as evidence of how since so long ago you were a crazy sex maniac.


Created 1991, updated 1999


I think one of the best arguments for using PGP is how long it's been around and is still in use, for two reasons:

The encryption mechanisms have been tested many times by many people.

And the tooling exists for just about every platform and language.


The encryption mechanisms were tested, found wanting, and replaced in subsequent systems. PGP's installed base prevented them from keeping up. As a result, the constructions used in PGP today are essentially reviled by cryptography engineers.


Really? The fundamentals or the implementation?


The fundamentals. I mean, very much both! But the fundamentals are the more important part.


What do you mean by "constructions"?


Cryptographic constructions.


Can you recommend a text about this? As a layperson, I'm still having trouble understanding what you mean by that.


Here's a quick overview: We have what we call primitives that achieve a certain goal. For example AES on its own does a pretty good job of being a block cipher. However it doesn't fulfil all our expectations for actual secure communication alone and for this we need to use it as part of a slightly larger scheme.

These are the constructions tptacek refers to. How we put together the bits we have in a way that meets our expectations, which we refer to as semantic security. This doesn't just apply to AES but also to public key crypto as well. This might seem quite abstract, so let me put it this way: AES alone doesn't know if the ciphertext you feed it has been modified by an attacker. It will simply process that data with a given key. The decrypting software might notice and report an error (the message will look garbled), and there are circumstances where this can actually be exploited to reveal information. This is not what we expected to happen.

We've learned a lot about this since the early 90s. Many modern primitives actually come with all the parts we would call a construction built in, to avoid potential misuse (although these schemes are for the most part academic right now). Almost all modern systems combine primitives like AES in such a way as to meet our expectations. Except perhaps Telegram but nobody knows what they're smoking.

If you want an actual textbook, Introduction to Modern Cryptography by Katz and Lindell, or Cryptography Made Simple by Nigel Smart will cover this in plenty of detail, and are also good all round introductions to most areas of cryptography by leading experts. I lean towards the book by Smart, but either will be perfectly fine.
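The primitive-versus-construction point in the comment above, as an added example that is not part of the original thread: a bare counter-mode cipher accepts a modified ciphertext, while an encrypt-then-MAC construction rejects it. Assumptions: HMAC-SHA256 in counter mode stands in for AES-CTR (Python's standard library has no AES), and the keys, nonce and message are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 stands in for AES here (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Bare primitive: confidentiality only. The same call also decrypts."""
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC construction: the tag covers the nonce and the ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    """Check the tag in constant time before decrypting; None if it does not match."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(enc_key, nonce, ct)

def alter_in_transit(data: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change bytes of a ciphertext without the key by XORing in old ^ new."""
    delta = xor(old, new)
    end = offset + len(delta)
    return data[:offset] + xor(data[offset:end], delta) + data[end:]

# Constructed sample values, for illustration only.
ENC_KEY, MAC_KEY, NONCE = b"E" * 32, b"M" * 32, b"N" * 12
MESSAGE = b"PAY 0100 TO ALICE"

def demo():
    bare = alter_in_transit(encrypt_only(ENC_KEY, NONCE, MESSAGE), 4, b"0100", b"9100")
    sealed = alter_in_transit(seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE), 4, b"0100", b"9100")
    return encrypt_only(ENC_KEY, NONCE, bare), open_sealed(ENC_KEY, MAC_KEY, NONCE, sealed)
```

`demo()` returns the plaintext the bare cipher yields for the altered ciphertext, followed by the result of the construction, which refuses to decrypt it.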


This is pure snark and should be downvoted into oblivion, but by 2015 even Phil Zimmermann couldn't figure out the tooling:

"Sorry, but I cannot decrypt this message. I don't have a version of PGP that runs on any of my devices"

https://twitter.com/josephbonneau/status/638772283713060864


Strange, I've found it for all major platforms. I don't do much encryption, but keygen and message signing works for me on Android, iOS, GNU+Linux, FreeBSD, Mac, and Windows.


'The only way to hold the line on privacy in the information age is strong cryptography.'


Everything is hackable. Connect a computer to the internet and you basically have lost.

We know that today, encryption isn't the final solution when there are hackers and social engineering.


My favourite conspiracy theory is that the whole Trevor Martin/George Zimmerman affair (https://en.wikipedia.org/wiki/Killing_of_Trayvon_Martin) was pushed so hard by US media mainly to suppress any reference to George Zimmerman and PGP after the publication of Snowden's papers.


Couldn't be genuine outrage about a child getting murdered in cold blood


Did you mean Phil Zimmermann? The two last names aren't spelled the same (and it peeves Phil when people forget the second n).


You've got at least two incorrect names in your post, and possibly three.

Trayvon (not Trevor) Martin was killed by George Zimmerman. Phil Zimmermann (different last name than George 'nn' vs 'n') wrote PGP.


I think that sometimes we forget that PGP is primarily a political statement. It makes the world a better place simply by existing.


PGP key server on a eth dapp?



