[Cryptography] another security vulnerability / travesty

John Denker jsd at av8n.com
Sat Oct 1 14:26:28 EDT 2016


On 10/01/2016 12:47 AM, Peter Gutmann wrote:

> Fax is a lot harder to get at than email. 

Yes, harder ... but wow, that's a really low bar.
Are you claiming it is "hard enough"?
Hard enough for what purpose?

If your main threat is script kiddies intercepting your email, then
OK, sure, faxing is somewhat harder to get at.

My point is that just because your desktop system didn't come preloaded
with tools to intercept faxes and voice calls doesn't mean the tools
cease to exist.

The topic hasn't been discussed much in this forum, but that doesn't
mean it ceases to exist.

Let's be clear:  As the proverb says, never confuse the absence of one
thing with the presence of another.  I said fax was not secure.  I
never said that email was better.  I asked an open-ended question:

   Suppose your aunt wanted to submit some medical documents
   to a clinic on the far side of town.  Short of hand-carrying 
   the documents, what would you recommend?

That's a sincere, non-rhetorical question.  I haven't heard an answer.


> Account breaches are so
> routine and so vast in scope that they don't even make the news any more
> unless it's 100 million plus accounts affected.  OTOH when was the last time
> you heard about a single fax being intercepted?

Since you ask:

 *) The motto of the NSA is “collect it all, process it all, exploit it all.”
  Their notion of "all" definitely includes faxes.  Reference: Snowden.

Fax intercepts have been going on for a long time:

 *)  http://blog.al.com/live/2010/01/jurors_in_mobile_steroids_tria.html
  "Jurors in Mobile steroids trial hear wiretapped phone calls, see intercepted faxes, e-mails"
  (2010)

 *) http://www.economist.com/node/1842124
  "According to a European Parliament report, published in 2001, America's 
  National Security Agency (NSA) intercepted faxes and phone calls between
  Airbus, Saudi Arabian Airlines and the Saudi government in early 1994."

Perhaps more to the point, sometimes we see an attack against 100 million
low-value targets, but sometimes we see an attack against a much smaller
number of high-value targets.  NSA calls this "tailoring".

Also consider this:  Collect the faxes going to/from an AIDS clinic, or a
family planning clinic, or a civil-rights field office ... and then do a
"join" against the stolen OPM security-clearance database.  That tells
you exactly whom to blackmail.

The point is, you don't need to collect 100 million faxes to have an
impact, if people assume faxes are secure when they aren't.

