Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: On the Recent PGP and Truecrypt Posting

from [Jon Callas] Network Security [Permanent Link]
Subject: Re: On the Recent PGP and Truecrypt Posting
Date: Mon, 29 May 2006 13:23:29 -0700
From what I understand about this issue. It seems the issue is that users are not understanding how the system works. This would then be a usability issue where the user's idea of how the system works and the actual way in which it works is very different. PGP has had issues with this in the past. A very famous paper for those of us studying usability and security titled "Why Johnny Can't Encrypt" showed how unusable Encryption programs can be. This is not a particular problem to PGP mind you, because security originally came from the military it still suffers from the military mindset: It's about how hardened you can make it, not how easy it is to use. What they fail to realize is that if something is unusable then people will come up with ways to circumvent it, leading to a complete lack of security. Look at passwords for example; most people use easy to remember passwords and commonly use the same one or two for everything.

All of this being said. I would recommend that PGP hires some HCI (Human-Computer Interaction) people to work on the next interface of Truecrypt. They're trained in how to eliminate this exact problem. Might cost them more than to keep on doing the same thing they have been, but we might not have this sort of issue. Dialog boxes is not the only answer.

Meh, Maybe I'm completely wrong? just my two cents worth.

For what it's worth, before I did security, I did HCI. And trust me, I am well aware of Whitten's work. We've had Whitten come in and talk to us.

And we do have full-time HCI people. They live full and complete lives because the human factors of security is the hardest thing there is. We do extensive user testing on all our systems and the way things are presently done are as a result of that testing. However, count thoroughly on continued improvements based on continued testing.

However, we do not make Truecrypt, we make PGP. The Truecrypt people make Truecrypt.

        Jon

--
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d


Attachment: PGP.sig
Description: PGP signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  4nNukeWare<--V 0.91 SQL Injection exploits, CrAzY . CrAcKeR
Next by Date:  phpMyDesktop|arcade 1.0 FINAL Code Execution, darkgod . xsf
Previous by Thread:  Re: On the Recent PGP and Truecrypt Posting, Jon Callas
Next by Thread:  Re: On the Recent PGP and Truecrypt Posting, Andreas Beck
Indexes:  [Date] [Thread] [Top] [All Lists]