Hackers and Encryption
Found an article by Charles C. Mann over at The Atlantic:
Solving the key problem, one should note, didn't make encryption easy for novices—it made encryption easier for experts. In 1999 a Carnegie Mellon doctoral student named Alma Whitten asked twelve experienced computer users to send and receive five encrypted e-mail messages apiece with PGP. One couldn't manage it at all; three accidentally sent unencrypted messages; seven created them with the wrong key; two had so much difficulty with the other tasks that they never bothered to send out the public, encrypting half of their keys; two who received properly encrypted messages tried to decrypt their decryption key, rather than the messages. Whitten called her report, cowritten with J. D. Tygar of the University of California at Berkeley, "Why Johnny Can't Encrypt."
This reminds us what programmers already know. Users can mess up anything.
Of course, this issue is already quite well known in the hacking world.
Let's say I wanted to break into your computer system. I do, by the way, desperately, but that isn't really the point.
Option one: Break into your system. To do this, I need to know the ins and outs of your system AND I have to compete with the geeks that your company has hired.
Option two: Call you on the phone and ask for your login.
Me: Hi, this is Mumble from IT downstairs. It seems like your computer has a virus that is being sent to the main server. I need your login info before this thing spreads and shuts us all down.
It doesn't really matter what you say. If you are at work, think of the five people sitting nearest to you right now. I guarantee that one of them would tell me their login info. And, just to be a prick, I also have a sneaky suspicion that one of the five would say that you are the one dumb enough to fall for that trick.
That's why many hackers refer to themselves as "social engineers" or "people hackers". They're simply looking for the weakest link and that's normally some random person like you.