By: Jack

Jack — Sun, 24 Apr 2011 22:14:06 +0000

So, you make some VERY good points, but I completely agree with “Yes But”. SDA’s are a nice to have specifically because of the lack of prevalence of people using GnuPG or PGP, etc. The one thing I can’t even figure out is what, exactly you are attributing to “laziness”? Lack of security isn’t always because of laziness, rather, because of lack of education. I’ve known brilliant, highly educated people who are not experts in security. So in your assessment, we just throw our hands up and send sensitive information them in the clear? I doubt that’s what you’re trying to convey.

You are clearly very educated with regard to security, and as such, your opinions better serve the ~uneducated without the added negativity (frustrating as it can be). Best to assume that when you’re posting to the net that you aren’t always talking to people that you’ve had to say the same thing to nine times.

Imagine if you went to the doctor and he had the attitude that your lack of ability to self diagnose was incredibly lazy of you. I’d be pissed too.

By: Yes But

Yes But — Mon, 19 Apr 2010 17:51:20 +0000

Excellent points. There’s just one problem — security is not binary. There is more security with an Self-Decrypting Archive than a plain-text email. That security is not merely an illusion, even if it is far less effective than tried-and-true encryption techniques.

In a cost-benefit analysis when dealing with someone who you will have to walk through the entire download, install, key generation, password selection, and any troubleshooting vs. simply ordering them to execute a Self-Decrypting Archive (SDA) for a single communication or otherwise seems to favor the SDA option. It’s more secure than a plain-text email, less secure than GnuPG’s full suite.

To claim it is “bad all around” fails to appreciate the nuances here. There are certainly instances when I’d rather send a rare sensitive communique to persons who would have no other use for encryption software. Asking them to install the full suite, generate a key, and password for one message seems beyond ridiculous.

Unfortunately, the SDA is the only solution I’ve stumbled upon. There is nothing else as simple out there. However, if you have that solution, _please_ share it because I’ve been searching for 2 weeks now.

You might argue that there are many means of bypassing the limited security SDA’s provide but that’s like arguing you shouldn’t use a simple doorknob lock because bank-vault doors are far more effective. An interested party still has to exert some effort to bypass a doorknob lock and most people aren’t capable of doing so (the vast majority of people can’t pick a lock) therefor we still use simple doorknob locks even though we know they won’t protect us from any hardcore attacks (just watch any horror movie).

In other words, most people won’t bother or can’t bypass a simple lock, the same could be said of SDA.

The problem is, of course, is some people who’d use an SDA may not understand the actual level of security they are getting but that is a whole other discussion.

Comments on: Self Decrypting Archives are BAD

By: Jack

By: Yes But