SoylentNews is people
SoylentNews
https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-May/004995.html
Writing just for himself -- not for GnuPG and not for Enigmail and definitely not for his employer -- Robert J Hansen, an Enigmail developer and GnuPG volunteer, put together a postmortem on Efail:
Less than a week ago, some researchers in Europe published a paper with the bombshell title "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels." There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group.
Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle.
They say that when there's a fire in a nightclub you're at more risk of dying from the stampede than the blaze. The panic kills both by crushing people underfoot, and by clogging the exits so that people have to stay in the club longer and breathe more hot smoke-filled air. The fire is a problem but the panic is worse. That's what we saw here, and frankly I place a lot of blame for that at the feet of the Electronic Frontier Foundation.
Previously: PGP and S/MIME Vulnerable, Take Action Now (Update: Embargo Broken)
(Score: 4, Interesting) by choose another one on Friday May 25 2018, @01:13PM
Problem with post-mortems is that they necessarily involve hindsight, problem with planning to handle future events better is that you have to do it without hindsight.
This is _only_ because the stampede will kill you first, because people in the process of dying of smoke inhalation are not physically able to stampede. It is a fallacy to conclude from that risk statement that one should focus on preventing the stampede rather than preventing the blaze. There was no stampede in the ghost ship fire, no stampede in the Grenfell fire (where victims were in fact told by fire brigade to "stay put" and survivors are those who ignored the fire brigade), instead people (lots) died in the fire - should this be considered an improvement?
The decision to yell "fire" or not (or how loud to yell) is always going to be a tough one, for a good example look at aircraft evacs - even _test_ evacuations with fully briefed passengers who are not in panic mode cause injuries and definitely are a risk to life, hence in calling the evac on an actual aircraft you are almost certainly going to hurt someone, often badly and possibly fatally, but leave it too late and you've got Saudia 163 or Airtours at Manchester. What is the right decision? - we'll let you know afterwards, when we know if there was a fire or how bad it was and how many people got hurt. Brilliantly helpful that.
The one thing that is sure to help is properly trained, informed, and prepared passengers/users who comply with instructions in an orderly manner without panic. Unfortunately GnuPG doesn't have that, by a long way, to quote TFA:
See, whatever you do, even fixing the problem in the right way, people will die.