Re: [ietf-smtp] [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG (fwd)

2015-12-03 14:13:37
On 12/03/2015 09:44 AM, Dave Crocker wrote:
> On 12/2/2015 7:58 PM, Chris Lewis wrote:
>> You will find no person more in agreement that we cannot train 100% of
>> people with PSAs and similar (the fact that 419s still flow is certainly
>> proof of that), but the reality is that most people do learn such things
>> one way or another.
>
> "Most people" do not.  Not even close to most people and very nearly
> never any people consistently, since the ability of humans to perform
> real-time and nuanced monitoring reliably like this, reliably and over
> time, borders on no ability at all.
>
> Feel free to provide documentation to the contrary.

I'm going to appear flippant, but I think it's appropriate.

Neither you nor I have been killed by a bus. Every time we meet I "document" that fact by saying "hi Dave" and chatting a bit (or do you want to see my passport next time?).

In fact, very few people have been killed by buses.

That success is not part of our genetic makeup, it's not wired in. It required training to achieve that, it's very real-time, and requires nuanced monitoring ("is that thing possibly going to hit me?" to a degree that technology cannot make us immune). Nor does the fact that a few people have been killed by a bus mean that the training didn't work.

We can build the signs, the fences, the traffic signals and so on, but none of that's going to save me if I walk around the center of the city with my eyes closed.

The reality is that trying to retain the privacy level that some people think they need to have cannot be done "reliably" and still permit the use of the Internet in the way that most people want. If we want to "nanny" privacy to this level, we really should be talking about filters that prevent people from giving out their phone numbers, addresses, pictures of pets (with geolocation in the jpgs), and vacation schedules in email or anywhere else.

People have to partition what they do between "what must be kept private" and what doesn't need to, and use measures appropriate to their actions at the time.

> The issue isn't whether people generally understand the general issue.
> It's whether they can develop very specific understandings and apply
> them in real time, to useful effect over extended time.

I contend that people can acquire general understandings (at least in this area) that require no deep-dive into understanding the underlying technology to achieve the level of privacy they want, and in fact it's quite easy to a level far exceeding just removing "from" clauses. To wit: "If you want email privacy, use an anon remailer, there's lots listed on <search engine of choice>, and check out the reviews".

[My advice would also be "don't subscribe to IETF lists". I've gotten 11 spams in the few days since I created this email address to participate in this discussion.]

>> Trying to "measure" the result of training is usually futile, because
>> correctly posing the questions, and getting useful answers is equally
>> complicated and fraught with definitional/terminology problems.
>
> Right.  That should alert us all to the challenges of the training itself.

Or, alert us that our measurement methods are completely bogus, and we really should be measuring it some other way.

While I have no way to prove this, I should think that the success rate of 419s is lower than it would have been in the society of 20 years ago. If not, the human race is far stupider than anyone thought and we're all doomed.

[I should be careful in saying that, after having one experience intervening with one allegedly hi-tech astute husband and wife who were about to fall for the exact same phish for the second time.]
