Confirming the flat-earther's myths doesn't serve anyone

Summary: My colleague David Berlind just can't seem to stop barking up the wrong tree when it comes to email security.  In his latest blog, Berlind accuses me of a "reality distortion field" which really isn't productive.

TOPICS: Collaboration

My colleague David Berlind just can't seem to stop barking up the wrong tree when it comes to email security.  In his latest blog, Berlind accuses me of a "reality distortion field," which really isn't productive.  While he has some legitimate complaints - which I've complained about too - Berlind is barking up the wrong tree when he should be joining me in criticizing the individual companies that don't make it easy for consumers to deploy good security, rather than indicting the entire Internet and the protocols it encompasses.  [Update - Awesome and informative response from Ani Shrotri]

David claims there is no interoperable email cryptography standard, when in fact we have S/MIME, which has been baked into every reputable email client for the last decade.  The fact that Berlind can cite a specific email client that doesn't work with S/MIME is proof that that specific email client needs to be shamed; it's not an indictment of S/MIME.  If we applied Berlind's "reality field" logic, we could throw up our hands on every single protocol on the Internet, because we can find rare implementation-specific incompatibilities in every one of them.  Heck, there are implementation-specific issues with SMTP and HTML; would David suggest it's a reality distortion field to dare call SMTP and HTML universal standards?  Is David Berlind suggesting we come up with a better alternative to S/MIME and start the entire adoption process again when we're already 99% of the way there with S/MIME?

David says that secure email from server to client is too hard, when in fact it's a click away: tick the "use SSL" box for your POP3 or IMAP account and for your outgoing SMTP server, and your password and your mail stop crossing the wire in the clear.  So David's rebuttal to me is: OH MY GOD, the user has to do something to turn it on.  What next, David?  Are you going to complain that you have to strap yourself in with your seat belt to save your life in a car accident?  As I recall, it took decades to get people in the habit of putting on their seat belts, and ultimately it didn't happen until we started fining people big money (even bigger for children) for not doing it.  Enabling SSL on an email client is a ONE TIME SETUP, which is even easier than the seat belt you have to buckle every time you get in your car.  At least you don't have to enable SSL for your POP/SMTP mail client every time you launch your email application.

David then points out that even I admitted Hotmail (and Yahoo) didn't support encryption for the entire session while Google Gmail did.  But why attack me or the state of technology and call it a reality distortion field?  What productive purpose does that serve?  Why not join me in criticizing Microsoft and Yahoo?  Why not join me in criticizing Google for not automatically redirecting to secure SSL mode, so that the remaining 99% of Gmail users, who never type https:// themselves, can benefit?  Why not join me in criticizing ISPs for not disabling plaintext POP3, SMTP, and IMAP?

The other side of the equation is that user perceptions need to be challenged; we can't just keep perpetuating the inaccurate perception that security is a "black art" and just too difficult.  Furthermore, users bear some of the responsibility for the lack of security, because vendors are often punished for mandating security.  It's not entirely the vendors' fault for shying away from doing the right thing to avoid a beating from certain pundits.  Heck, it wasn't long ago that Microsoft absolutely got slaughtered in the media for including a firewall in Windows XP Service Pack 2, and so much FUD was thrown about that issue that many people to this day are afraid to even try Service Pack 2.

David also incorrectly cited the fact that Gmail doesn't support S/MIME.  But there is an S/MIME plug-in for Firefox for S/MIME signing.  Verifying digital signatures, on the other hand, whether in a web mail client or a traditional email client, doesn't require any action on the part of the end user.  David wants a simple solution where he won't have to manually sign documents and buy a fax machine, and I've given him the solution.  But again he's barking up the wrong tree, complaining that the technology doesn't work because the businesses he deals with won't accept these solutions, and complaining "oh, but they can't print out those digital signatures."  But please stop for a moment and think about that statement: why do you even need to print it on paper in the first place when the digital signature is acceptable in court?  Since when did the Government mandate that Digital Signatures have to be printable?  You can print the bytes, but the printout proves nothing: a digital signature verifies the exact electronic document it was computed over, not the ink on a page.

Berlind's argument is that Digital Signatures don't work because you can't print them out.  But this is really a laughable argument even if you ignore the technical reasons.  For obvious technical reasons, you can't realistically do Digital Signatures on paper: the signature is computed over the exact bytes of the document, so changing a single white space or capitalization would change the hash and invalidate the signature.  For obvious common-sense reasons, there is also no requirement by the Government that Digital Signatures be accompanied by paper versions, because that would defeat the entire purpose of making Electronic Signatures legal in the first place, which is to get rid of the cumbersome paper process.  The NSA's own Suite B of cryptographic standards includes a digital signature algorithm (ECDSA, from FIPS 186) and a hash function (SHA-2, from FIPS 180) that are acceptable for Government use; why shouldn't they be good enough for David Berlind and the companies he deals with?  So instead of calling these technologies "black art" and propelling the flat-earther's myths, why don't you join me in saying "there is a better way!"  Think about how retarded it is to require 10 MB digital scans of paper per legal document when a digital signature of a few hundred bytes (a 256-byte RSA-2048 signature over a 32-byte SHA-256 hash) would equally suffice.
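To make the two points above concrete (S/MIME is an interoperable format any mail client can produce and check, and a signature is a few hundred bytes that break the moment one character changes), here is an added example that is not part of the original post and not the work of anyone named in it.  It uses the OpenSSL command-line tool, which must be installed.  The sender alice@example.invalid, the recipient, the message text and the RSA key pair are all constructed here, and the signer's certificate is self-signed and used as its own trust anchor, so the demo proves that the signature is intact, not who Alice is; in a real deployment the certificate would come from a CA or, as discussed above, from a notarised identity check.

```shell
#!/bin/sh
# Added example (not from the original post or any tool it names): an S/MIME
# clear-signed message made and checked with the OpenSSL CLI, then the same
# message with one character changed, which must fail verification. Sender,
# recipient, message text, key and certificate are all constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed message body. "revision 3" is the detail tampered with later.
write_message() {
    printf 'I agree to the terms of the attached agreement, revision 3.\n' > "$WORK/msg.txt"
}

# Hypothetical signer alice@example.invalid: a self-signed RSA-2048 certificate.
# A real deployment would use a certificate issued by a CA.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=Alice Example/emailAddress=alice@example.invalid" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null
}

# Clear-signed S/MIME (multipart/signed): the body stays readable by any mail
# client, and the detached PKCS#7 signature, carrying Alice's certificate,
# rides along in a second MIME part.
sign_message() {
    openssl smime -sign -in "$WORK/msg.txt" -text \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
        -from alice@example.invalid -to bob@example.invalid \
        -subject "Purchase agreement" -out "$WORK/signed.eml"
}

# Exit status 0 only if the signature matches the content AND the signer's
# certificate chains to a trusted anchor (here Alice's own self-signed cert).
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
        -out "$WORK/verified.txt" 2>/dev/null
}

# Change one character of the clear-text part, as an attacker would.
tamper_message() {
    sed 's/revision 3/revision 4/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

# Size in bytes of the detached PKCS#7 signature blob (DER): what replaces a
# multi-megabyte scan of a wet-ink signature.
signature_bytes() {
    openssl smime -pk7out -in "$WORK/signed.eml" 2>/dev/null |
        openssl pkcs7 -outform DER | wc -c | tr -d ' '
}

# The digest the signature covers: SHA-256 is 32 bytes, not 256.
digest_bytes() {
    openssl dgst -sha256 -binary "$WORK/msg.txt" | wc -c | tr -d ' '
}

# Full round trip: returns 0 when the genuine message verifies and the
# tampered copy is rejected.
run_demo() {
    write_message
    make_signer
    sign_message
    verify_message "$WORK/signed.eml" || return 1
    tamper_message
    if verify_message "$WORK/tampered.eml"; then
        return 1    # a one-character change must not verify
    fi
    return 0
}

if run_demo; then
    echo "genuine message verifies; tampered copy rejected"
    echo "detached signature: $(signature_bytes) bytes; SHA-256 digest: $(digest_bytes) bytes"
fi
```

Run it with `sh smime_demo.sh`; the signed file it writes is an ordinary RFC 822 message that Thunderbird, Outlook or any other S/MIME-capable client will display with a valid-signature indicator once Alice's certificate is trusted.  `openssl smime` is the older interface; `openssl cms -sign` / `openssl cms -verify` accept the same options and produce the same multipart/signed format.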

So the technology is there and I've done everything I can to lead you to the clean water; now you just have to drink it.  There is no tooth fairy and there is no magical pixie dust - which is what David Berlind seems to be asking for - but the technology is mature and deployed.  So David Berlind should stop complaining about the technology and tell his business partners to get out of the dark ages.  Is it going to be an easy transition to educate people and change human behavior?  Of course not, but you're not helping the situation by tearing down perfectly good technology.

Comment:  A few readers are complaining that it's terrible that we have editors at ZDNet disagreeing with each other and that we should somehow speak with one voice.  We view this as a healthy thing that shows the diversity of spirited opinions at ZDNet blogs.  We do not "script" these debates out ahead of time.  As much as David Berlind and I disagree on this particular topic, we both agree that giving the reader all sides of the debate serves everyone's best interest.  These debates extend to the blogosphere outside of ZDNet and the readers are welcome to chime in on the talkback.  We don't even censor the talkback (short of adult material and vulgar language) and readers are welcome to criticize any of the bloggers here at ZDNet any way they like.  This is simply a testament to the fact that ZDNet respects intellectual freedom.

  • Secure EMail


    David Berlind appears to me to have become a crotchety Luddite.

    It's time for him to holler "Uncle" on this topic.

    • Well I hope I've informed him of some better options

      Well I hope I've informed him of some better options. He's not entirely wrong and I actually agree that there are problems. But like I said, he's barking up the wrong tree when he should be focusing his anger on the entities that are preventing progress rather than generalizing that it's a failure in technology. Like I said, I hope he'll join me in criticizing those who stand in the way of what we're all going after rather than tearing down my solutions which I have laid out.
  • Retarded?

    I haven't heard someone use that term as a pejorative in years. Way to buck the trend in our politically correct society.
    GW Mahoney
    • I said the process of using scanned images is retarded

      I said the process of using scanned images is retarded. Is it really that "pejorative"? Ok, should I have said speed challenged?
      • George, your use of the word was absolutely correct

        It's the use of the word to describe someone you don't agree with or possibly don't understand which is offensive.

        To retard something, or something which is retarded is to slow it down, or something which is slowed or blocked, as you have used the word.

        BTW, George, is it necessary to repeat your comment title in the text of the comment? It gets a little annoying reading the same sentence twice each time. Not a criticism, simply a request.
        • Are you even reading that correctly?

          I said the example of using of a 10MB scanned image in place of a 256 byte hash is retarded. How in the world do you interpret that as saying David is retarded?
          • Hmm, maybe I'm not reading you correctly

            I am not sure whether to interpret your post as saying I did use the word incorrectly or if you were merely making an example. Sorry if I read that wrong.
          • He agreed with you

            You misread him, George. He said that you actually used the word retarded as something that is slowed down.

            Another post quoted you as saying that doing such was similar to being metaphorically mentally challenged.

            This is a common misconception in our overly politically correct society. Many other words have been construed as such.
          • Yeah, I think you're right

            I realized that immediately after I posted.
    • Excuse me for sounding uneducated, however.

      Political Correctness has turned our society into a bunch of closet bigots. We are retarding our growth as a society by placing barriers on those and shaming them for such speech. By forcing our society to not show their public image for what it is, we in turn create that inward appearance that we only share with our closest of friends, meanwhile creating this second political personality who doesn't want to offend anyone publicly, yet wants to bash some heads in privately. However, when other influences such as heckling or intoxication come into play, the facade of political correctness is usually brushed away to reveal a person's true colours. So instead of creating a more tolerant society, we have in fact created a bunch of closet bigots.

      Of course our methodology behind teaching tolerance is always skewed and betrayed by our own media, who don't do enough to portray everyone in an equal light. Much as I love the NBA, I do get an upset stomach when seeing a basketball player on TV with a lawyer nearby in the news.

      So if you try to forcibly distribute that political correctness fecal matter down my esophagus again, please take the time to find a way to properly disembowel yourself.
      • Sorry for my earlier comments

        They were quite rude in their expression of how I consider political correctness a sore subject.

        Please forgive me and have a happy and joyful day.
  • You two are funny

    Ever consider doing a comedy tour?

    Sometimes you have to let things slide. Present your side, and let the people decide for themselves which is better.

    Standardization is a good thing, but many tools are already in place to create a secure environment. This is like going to those old MS Big Day events where they would whip out their latest OS and show how they had all this new technology that other companies have had for ages. But because the event was in a remote location visited by a bunch of SMB folks, they didn't understand any better outside their little sphere of influence.
    • This is Ou

      You can judge how much he has been discredited by how loud he rants and attacks his opponent.
  • The two of you...

    ...please kiss and make up.
    We can't take much more of these types of exchanges! :)
    D T Schmitz
    • Hey I'm always up for a good debate

      • Though true, you could use some Tact

        I think language that you use can be taken as offensive. Not that I am up for a big throw-down. I say shoot it out in a round of Counter-Strike. If anyone cheats, they get duct-taped to a chair and rolled down the driveway.

        Part of this is that you are still based in the tech world so much that your personal skills aren't up to media standards. But then again, you are a blogger, not always a journalist. There is a bit of difference.

        But then again, I am up for attacking anyone at the drop of a hat, so who am I to call the kettle black.
  • In the world of a mechanic who only has a hammer

    all problems are like nails.

    Real life is somewhat bigger. Real users (i.e. not having a cryptography degree) continue to face real problems.
    • What problems? Or are you just being rhetorical?

      Are you unable to check the "use SSL" option when setting up your mail server? I mean it's only a one-time thing and it's certainly a lot easier than having to put your seat belt on every day.
  • Digital Signatures

    As far as Digital Signatures go, first sort out the damn English. Digital Signature, Digital ID, Digital Certificate, Electronic Signature, E-Signature? Oh, and then there is the ink signature; you know, the one we actually hand write. Stop redefining common words with new and very different meanings; the public confusion this perpetuates is the industry's fault.
    I just purchased some property in California. Huge amount of documents that all needed to be signed and sent between states. Now it is possible to E-Sign, whatever that is? (Is that a Digital Signature, Digital Certificate, etc.?) But this is an industry that is still telling customers that they can only use blue ink to sign, not black ink. A signature is currently a visual verification. Any form of digital signing will have to have a unique personal visual component in order for the business public to accept it.
    • Not really

      "A signature is currently a visual verification. Any form of digital signing will have to have a unique personal visual component in order for the business public to accept it."

      First of all, electronics don't have to mean digital signatures. Digital Signatures are the most secure form of electronic signatures, but the law doesn't necessarily require that level of security for electronic signatures.

      To answer your question, a Digital Signature doesn't "require a visual component" if your identity is cryptographically bound (proven) to your Digital Certificate. This binding process is done when you go to two registered Notaries (individuals) and get them to inspect two forms of Government issued IDs like your driver's license and your passport. Once you're notarized, your Digital Certificate can be used to crank out highly trusted signatures. Without being notarized by the WOT (Web of Trust), your Digital Certificate can only prove your Digital Signature came from your email address. But how do I know that your email address is really you? The visual inspection of Government IDs by certified Notaries is what binds your identification to your email account and Digital Certificate. I'll be doing a tutorial on this as a follow-up next week with step by step instructions.

      Now I want to be clear that digital signatures and end-to-end encryption aren't needed for everyone. For most people who just want some privacy, just turning on SSL for POP3, SMTP, IMAP, or Webmail is a simple and effective one time process.