I think the issue with a lot of the groups making security software is largely one of usability, as you allude to as well. For all of the great security technology they have made, they completely neglect a shiny and simple user interface. They are so technically advanced that what they see as a very simple to use system is for others something that is immensely difficult to master, or even if it only requires an hour for the average user to learn to use, they do not have an hour to spend on learning it. Instead of 'build it and they will come' the cypherpunks' motto should have been 'build it and then make an awesome intuitive GUI for it, and cleverly "abstract" away the low level details into simpler concepts, and they will come'. For example, I think that the idea of calling public keys 'open locks' and private keys 'keys' would be far more beneficial to the average user's ability to understand how public key crypto works, even though to someone even slightly versed in cryptography it sounds stupid. The major hurdle to getting people using security technology is to spend far more time and effort on user interfaces and simplified terminology than has been spent thus far.
A system like Hushmail for idiot-proof encrypted E-mail can very well be secure, it just cannot be entirely server side. If there is an application that simply allows a user to double click an icon, select a pseudonym to send a message to, type their message and hit send... the goal of Hushmail is accomplished without the major security flaws. The problem with Hushmail was not the simplicity of using the system, it was the inherently flawed design of the system. The best security applications are those that do not even appear to be security applications, but rather appear to be applications that the user would use for their non-security features.
If you do not have a product that people want to use, it will not be used by anyone other than enthusiasts and smart people in certain situations who know that they need security to protect themselves. This is not to say that usability should come before security, but where it can be allowed for, the most usable security systems should be implemented (i.e., user-selected delay on messages through a mix, rather than firing cycles of ten hours set by the mixes on the path), and a ton of time needs to be spent on user interfaces. Also, a lot of thought needs to go into abstraction / simplification of any underlying security concepts that users are absolutely required to be exposed to, and as much as possible should happen in the background without the user being exposed to it at all.