Thursday, August 28, 2014

What do we want? Security! When do we want it? 30 years ago

There was one message that stuck to me like a barnacle at HOPEX:

"It has been 30 years & Johnny still can't encrypt"

This is to say that encryption - which we all know to be a Good Thing - is far too hard to do.

As evidence to back up this assertion I offer the simple question: How many IT professionals do you know who regularly use PGP (or GPG) to encrypt their email? Do you have a keyring with their public keys?

If you are an IT professional - how often do you encrypt data?  Have you ever set up an SSL certificate?  Exchanged SSH keys?

There you have it - even the experts don't encrypt, and when they do, it is painful.

I was having a conversation yesterday where we compared the average person's attitude about encryption to that of Big Business & Climate Change: "Oh Wow.  That's a Big Problem.  You mean I have to Think about that and maybe actually Do Something?  Well that sounds like a lot of work & expense that I don't want to be bothered doing.  Let's just ignore this & see if it goes away."

In fact, in terms of Big Business - security is an expense also. Have you ever noticed that SSNs and credit card numbers get encrypted now, but little else, if anything, is?

This is the ugly face of "compliance" where you have IT departments going out of their way to do as little as possible to comply with the law - as opposed to embracing the idea & making changes across the board.

But, of course, neither of those problems is going away of its own volition.

What am I doing about it besides complaining?

I have started an open source project on GitHub called "johnny".  (As in the quote above)

I will be adding tools here to allow people to perform different encryption-related functions.

We should be encrypting everything.

So I am going to try to make the tools available & simple to use in the hopes that I can encourage others to do likewise & start using them.


Remember: It is one thing to find a needle in a haystack. It is another thing entirely to find a particular needle in a stack of needles.
