[OTR-users] [cryptofestival-london] Second free CryptoCLASS, at Mozilla this time.

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Fri Mar 28 10:23:37 EDT 2014


(I have CC’ed the OTR users list on this mail as I feel it’s a topic of interest. If that was not acceptable, apologies.)


> There's nothing wrong with OTR, it's just harder to teach to non technical people.

I’d disagree with that.

Instant messaging is essentially human interactions, supported by computer.

I’d argue OTR (cryptography) is just computers interacting, a computer exchanging messages which are validated somehow by the other computer.

When I interviewed the participants of my study, there was a mixture of good structural mental models and bad functional mental models, and vice-versa.

A number of participants were involved in scenarios where they had to validate humans’ identities, sometimes remotely (one situation: different parties in London, Syria, Bahrain).

When probed they explained their completely human procedures. Not surprisingly they were similar to the interactions carried out by OTR.

One conclusion I made was that non-technical people CAN understand OTR - the issue is OTR is implemented in user software in ways they CANNOT understand (or find difficult) - jargon, cryptographic terms, overly complicated language.

Hence, my wanting to change how it’s explained.

Thanks,
Bernard


On 28 Mar 2014, at 12:29, Simon Vans-Colina <simon at vans-colina.com> wrote:

> BitMessage or Pond for Asynchronous messaging and Moxie's TextSecure app for chat. There's nothing wrong with OTR, it's just harder to teach to non technical people.
> 
> 
> 
> 
> On Fri, Mar 28, 2014 at 12:15 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
> 
> > If not PGP and OTR, then what?
> >
> > On 28/03/14 09:08, Simon Vans-Colina wrote:
> > > Bernard, Sounds like a good idea. One of the criteria when we're running
> > > the class is to try to teach technologies that we can reasonably expect the
> > > whole class to be able to get up and running in an hour.
> > >
> > > We decided to avoid PGP because there's too many different implementations
> > > so it makes it hard to show people how to use it, as well as the fact that
> > > it leaks meta data, only secures a very narrow definition of 'private' and
> > > is generally a pain to use.
> > >
> > > OTR kind of suffers some of the same issues...
> > >
> > > Drop me a mail off list, as we grow crypto class I want to change the
> > > format slightly so we have a tutorial about threat-modelling at the start
> > > and then go to break out sessions to help people with what they're
> > > interested in. Would you be willing to run an OTR chat breakout session?
> > >
> > > Cheers
> > >
> > >
> > > On Thu, Mar 27, 2014 at 10:16 PM, Bernard Tyers - ei8fdb <ei8fdb at ei8fdb.org> wrote:
> > >
> > >> Hi there,
> > >
> > >> I’d like to propose a user-centred secure instant messaging class (aka
> > >> securing IM with OTR), focused to non-crypto/tech people.
> > >
> > >> Reasoning:
> > >
> > > >> I have seen and taken part in a number of cryptoparty OTR classes. I have
> > > >> observed the “non-technical people” in the room and on average the
> > > >> information being provided is overly technical, overly crypto focused.
> > >
> > >> As a result the majority of the people who are not
> > >> crypto/security/technical savvy leave feeling a) less informed, b) more
> > >> scared, c) put off using these tools.
> > >
> > > >> I’ve carried out a study (about 8 months) on adoption of OTR by
> > >> “non-technical” users (mainly journos/human rights defenders) and it is
> > >> terrible.
> > >
> > > >> There are a number of reasons why, some include: people think they
> > > >> understand the tool, but in fact they do not. As a result they are even
> > > >> more insecure. They start using a tool as a result of advice from a trusted
> > > >> person but due to a number of issues they stop using it, or use it
> > > >> incorrectly.
> > >
> > >> A lot is down to the software design, and exposure of overly complex
> > >> concepts that they do not need to know about.
> > >
> > >> This is exactly what should not be happening.
> > >
> > >> Proposal:
> > >> I would like to propose the focus of this user centred secure IM class
> > >> should be on people who do not have the skills/know-how to learn more.
> > >
> > >> I am not concerned with uninformed tech/security/crypto people - if
> > >> someone who has the capability of understanding concepts but chooses not
> > >> to, it is their concern.
> > >
> > > >> I’d be happy to run a class where everyone is welcome. The focus on the
> > > >> class would be the “less” technical user. Technical/security people would
> > > >> be welcome, but the content may not be pitched to their level of interest.
> > > >> However, in the spirit of a good “barcamp” like mode, I’d be very happy to
> > > >> have input where necessary.
> > >
> > >> No jargon allowed! This would be an experimental class with some goals:
> > >
> > > >> 1. Give good, solid knowledge to users about the best approaches,
> > > >> software, etc for secure IM. This would be used by the user to inform their
> > > >> decisions, without seeking input from trusted parties.
> > > >> 2. Get users’ current issues, and difficulties with using these tools.
> > > >> 3. Carry out ad-hoc user testing of some tools to get feedback from users.
> > >
> > > >> I would like to hear your opinions, and constructive criticism on the idea.
> > >
> > >> All the best,
> > >> Bernard
> > >
> > >
> > >
> > >> On 27 Mar 2014, at 11:01, Arjen Kamphuis <arjen at gendo.ch> wrote:
> > >
> > >>> Done. Will also point it out specifically to some people.
> > >>>
> > >>> On 03/27/2014 10:52 AM, Simon Vans-Colina wrote:
> > >>>> Hi List,
> > >>>>
> > > >>>> The first CryptoCLASS (held at London Hackspace) was a success, so we're
> > > >>>> doing it again. This time we'll be at Mozilla in Covent Garden.
> > >>>>
> > > >>>> We'd really appreciate your help getting the word out, the first one was
> > > >>>> fully subscribed so we've moved to a bigger venue and I'd really like to
> > > >>>> fill this one up too.
> > >>>>
> > >>>> If you could please retweet this tweet
> > >>>> https://twitter.com/CryptoClass/status/448925286848278528 we'd really
> > >>>> appreciate it.
> > >>>>
> > >>>> Thanks
> > >>>> Simon and Sara
> > >>>>
> > >>>>
> > >
> > >> --------------------------------------
> > >> Bernard / bluboxthief / ei8fdb
> > >
> > >> If you’d like to get in touch, please do: http://me.ei8fdb.org/
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> > --
> > GPG: 4096R/1318EFAC5FBBDBCE
> > git://github.com/infinity0/pubkeys.git
> >
> >
> 
> 
> --
> +447447914640 -- http://simon.vc -- @simonvc
> 
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 

--------------------------------------
Bernard / bluboxthief / ei8fdb

If you’d like to get in touch, please do: http://me.ei8fdb.org/



