
Comment Re:Privacy (Score 5, Informative) 65

Though you have to trust AWS with the plain text at some time since every mail server and client has to hand the message over in plain text (it may come in over an encrypted tunnel, but it needs to be decrypted by their mailservers).

No, it doesn't. S/MIME, PGP-mail, etc. Of course that only works if the party you're e-mailing can also use client-side e-mail encryption.

Google is working on enabling OpenPGP-encrypted e-mail for Gmail with a Chrome extension: https://github.com/google/end-...

Comment Everything is bigger than Hollywood (Score 1) 135

Meh. Everything is bigger than Hollywood.

Okay, that's a little bit of an exaggeration, but honestly, on the scale of major first-world institutions that people know and recognize, Hollywood is pretty small potatoes. Apple alone rakes in more than double the entire worldwide film industry's take. 2013 worldwide film industry revenues: $88B, and Hollywood is only about 2/3 of that. 2014 Apple revenues: $183B. IBM is also bigger than Hollywood. Google is about as big as Hollywood. Ford is bigger than Hollywood. GM is bigger than Hollywood. Exxon Mobil is more than six times as large as Hollywood.

The film industry is almost noise in the US national economy. It's chump change.

Where Hollywood is a heavyweight, though, is in politics. It has massively disproportionate power in comparison to its segment of the economy. Why? Simple: political power is about influence, not money, and Hollywood has direct access to the voters' brains. Large quantities of money can also buy access to said brains, but there is no amount of money that could buy as much political advertising as Hollywood can pack into its entertainment output. And any individual actor of note can stand up and say something and get press coverage that would cost tens of millions if purchased, free.

Luckily, Hollywood isn't politically homogeneous, so to a large degree the politics of our entertainment media reflect the same varied sets of opinions found in the nation as a whole. Not perfectly, but largely. There are some areas in which the interests of Hollywood are highly homogeneous, however, such as around copyright law, and there they wield incredible clout.

Anyway, my core point here isn't about that, it's just that Hollywood's visibility and influence makes it seem much bigger than its actual economic status.

Comment Re:Security is a process ... (Score 3) 46

There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.

However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.

The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?

The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base 64 encoded, wrapped in JSON, and then base64 encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64 encoding binary data with the tightness and simplicity of a text based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity .... in C.

Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.

So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.
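
An added illustration of the strict, schema-first parsing the comment argues for; this is not code from the post or from BlackPhone/SCIMP. The field names, the 64-byte signature length and the sample messages are constructed assumptions; only the two encoding layers (base64 signature inside JSON inside base64) mirror the layout the comment describes. Every field's type is checked before anything is decoded or used, so a number or array where a string is expected is rejected instead of being misinterpreted.

```python
import base64, binascii, json
# Constructed stand-in for the layout the comment describes: a base64 signature
# inside a JSON object that is itself base64-encoded. The field names and the
# 64-byte signature length are assumptions for this example, not SCIMP's schema.
EXPECTED_TYPES = {"version": int, "sender": str, "sig": str}
SIG_LEN = 64
class MessageError(ValueError):
    """Any deviation from the expected shape is rejected before the data is used."""
def parse_strict(outer_b64: str) -> dict:
    try:
        raw = base64.b64decode(outer_b64, validate=True)  # reject stray characters
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError) as e:  # JSONDecodeError is a ValueError
        raise MessageError(f"decode: {e}") from e
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_TYPES):
        raise MessageError("shape: unexpected top-level type or field set")
    for field, typ in EXPECTED_TYPES.items():
        # type() rather than isinstance(): bool subclasses int, and a float
        # version (JSON has a single number kind) must not pass as int either.
        if type(obj[field]) is not typ:
            raise MessageError(f"{field}: expected {typ.__name__}, got {type(obj[field]).__name__}")
    try:
        sig = base64.b64decode(obj["sig"], validate=True)
    except (binascii.Error, ValueError) as e:
        raise MessageError(f"sig: inner base64 invalid ({e})") from e
    if len(sig) != SIG_LEN:
        raise MessageError(f"sig: expected {SIG_LEN} bytes, got {len(sig)}")
    return {"version": obj["version"], "sender": obj["sender"], "sig": sig}
def wrap(fields) -> str:
    return base64.b64encode(json.dumps(fields).encode()).decode()  # both layers
# Constructed samples: one well-formed message and several shape violations.
GOOD_SIG = base64.b64encode(bytes(range(SIG_LEN))).decode()
SAMPLES = {
    "good":       wrap({"version": 1, "sender": "alice", "sig": GOOD_SIG}),
    "sig_number": wrap({"version": 1, "sender": "alice", "sig": 12345}),
    "sig_list":   wrap({"version": 1, "sender": "alice", "sig": [GOOD_SIG]}),
    "float_ver":  wrap({"version": 1.0, "sender": "alice", "sig": GOOD_SIG}),
    "short_sig":  wrap({"version": 1, "sender": "alice", "sig": "AAAA"}),
    "not_base64": "%%not base64%%",
}
def check_all(samples=SAMPLES) -> dict:
    # Map each sample name to "ok" or the field/stage named in the rejection.
    out = {}
    for name, msg in samples.items():
        try:
            parse_strict(msg)
            out[name] = "ok"
        except MessageError as e:
            out[name] = str(e).split(":", 1)[0]
    return out
```

Running `check_all()` accepts only the well-formed sample and names the offending field or stage for each of the others.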

Comment Re:Terrible names (Score 1) 378

Microsoft may not care because, as you say, I am probably not their target market, but that has nothing to do with it.

Of course it does. Saying product X doesn't work properly because it doesn't do use case Y for which it was never intended is fallacious. "This wine glass sucks because when I try and use it to hammer nails it shatters" is simply silly.

This is the sort of thing that Microsoft tends to say, and completely avoids a number of important points. What are you basing this determination on? I could believe the "uses more features" claim -- that can be measured -- but what about the "more effectively" claim? Whenever Microsoft says things like that, they're basing it on stuff like how many keystrokes/mouse clicks it takes to do something. That's a very poor measure of how effective users are, though.

The most common testing Microsoft does is giving experienced Office users a series of tasks, often using features of Office that they aren't familiar with or necessarily even know exist. For example, someone who frequently does PowerPoints may not know about transitions between slides; tell them to change the transition in a presentation. The level of success is then measured.

Prior to the ribbon, using menus, the typical Office user could complete 30% of those tasks successfully. With the first release of the ribbon it doubled and we are in the latest beta at 80%. That's a huge change in effectiveness.

They can also measure based on those tests how many of the tasks the typical users were able to complete immediately, i.e. which ones they know how to do before taking the test. That number has gone up as well, though not as much. They also look at time to complete simple tasks, which is what you are talking about with the mouse clicks. That changes a bit with context sensitivity, but the huge drop in effectiveness by that measure was moving away from keyboard shortcuts when people transitioned from WordPerfect.

Comment Re:I want to have to support another browser (Score 1) 158

Funny, and I want to have three open browsers so I can sandbox various activities from one another.

One browser that supports multiple profiles should accomplish that just fine.

Who said you had to support it? Are you the support guy for the entire interweb or something?

Nobody is forcing you to use it or support it.

You're not a web developer are you?

Comment Re:Terrible names (Score 1) 378

You were using your personal experience, "I do this X, I do Y". That's not valid because you aren't the target market.

The people who use Office constantly most likely are able to use more features more effectively more often as a result of the ribbon. If they were to look at their 2003 documents and compare them to their 2013 documents they would see a difference. I'm not sure if you are pulling a valid sample or not; your typical Office user doesn't have strong opinions on computer issues and likely is easily led in the conversation towards an opinion depending on who they are speaking with.

Comment Re:Microsoft would be onto a winner if... (Score 1) 378

People who need to stand and use an interface are a tiny minority? Google's estimate on the number of computer panels currently in all uses is 10b globally. If even .1% are being used for an extended period of time that's a substantial chunk of the market.

As for artists, architects... they come in around 2% of users. More than, say, developers.

Comment Re:Saddest line ever (Score 1) 141

The NSA is already going through your bank statements, and emails because you used the words destroying and communism in the same sentence.

Do you really think that America is any better? We give up rights to the government daily. Just look at the TSA. You have to have a body cavity search just to board a plane now. They want to expand the TSA to cover all transportation too.

Do you think a Cuban could make a post as critical of their government as you just did? Or are you expecting to be disappeared tonight?

Comment Re:Good Luck! You'll Need It! (Score 2) 282

This is very true. However, WhatsApp appears to be a counter-example. They are deploying full end to end encryption and instead of ads, they just ..... charge people money, $1 per year. WhatsApp is not very big in the USA but it's huge everywhere else in the world.

The big problem is not people sharing with Facebook or Google or whoever (as you note: who cares?) but rather the last part - sharing with a foreign corporation is currently equivalent to sharing with its government, and people tend to care about the latter much more than the former. But that's a political problem. It's very hard to solve with cryptography. All the fancy science in the world won't stop a local government just passing a law that makes it illegal to use, and they all will because they all crave the power that comes with total knowledge of what citizens are doing and thinking.

Ultimately the solution must be two-pronged. Political effort to make it socially unacceptable for politicians to try and ban strong crypto. And the deployment of that crypto to create technical resistance against bending or breaking those rules.
