<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>On 08/11/2016 15:10, Arnold Reinhold wrote:<br>
</p>
<blockquote cite="mid:C7851A65-33BE-4296-8533-7722FE5FA9BA@me.com"
type="cite">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Nov 7, 2016, at 7:57 PM, ianG &lt;<a
moz-do-not-send="true" href="mailto:iang@iang.org"
class="">iang@iang.org</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">On 07/11/2016 18:57, Arnold
Reinhold wrote:</span><br style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"
class="">
<blockquote type="cite" style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="">On Sat, 5 Nov
2016 14:29 IanG wrote:<br class="">
<br class="">
<blockquote type="cite" class="">with the news that 5
intelligence services were likely (99%)<br class="">
to have hacked Hillary's private servers,<br class="">
</blockquote>
<br class="">
This claim is based on a Fox News story<br class="">
<a moz-do-not-send="true"
href="http://www.foxnews.com/politics/2016/11/03/sources-99-percent-chance-foreign-intel-agencies-breached-clinton-server.html"
class="">http://www.foxnews.com/politics/2016/11/03/sources-99-percent-chance-foreign-intel-agencies-breached-clinton-server.html</a><br
class="">
that has since been revised to say:<br class="">
<br class="">
"Authorities are operating under the working assumption
there is a<br class="">
high chance Hillary Clinton’s private server was breached,
one source<br class="">
with intimate knowledge of the FBI investigation told Fox
News – though<br class="">
there still are no digital fingerprints proving a breach.<br
class="">
<br class="">
The source said the server may have been hacked by up to
five foreign<br class="">
intelligence agencies. While other sources believe this is
probable,<br class="">
evidence has not emerged to confirm this."<br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">Yes - it's a leak. There is
a rebellion going on in the FBI.</span><br
style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">Of course, there is no
evidence to confirm it. Nor is there any evidence to
confirm anything Snowden said about the NSA. Nor has the
White House confirmed that wikileaks maildrops are
essentially accurate, or identified the ones that have
been changed. Nor has Sweden admitted that its case
against Snowden is made up. Nor nor nor.</span><br
style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</blockquote>
<div><br class="">
</div>
Was it a leak from someone in the know, or was it embellished
(e.g. "98% chance") along the way?</div>
</blockquote>
<br>
Both? It's charged times, so we know that both sides are going to
play it to the hilt. There were calls that the "Russians did it" on
the other side of the Atlantic, again with zero evidence.<br>
<br>
<blockquote cite="mid:C7851A65-33BE-4296-8533-7722FE5FA9BA@me.com"
type="cite">
<div>The fact that Fox News retracted its original story strongly
suggests the latter. <br class="">
</div>
</blockquote>
<br>
It suggests that their legal counsel assessed the chances of them
being drowned in court? If Hillary had won, she'd have sent in the
boys to clean up the opposition. This time with feeling. GC
wouldn't take that risk.<br>
<br>
I don't think we can determine much from any statements in the
press. All we can really do is to take all the leaks and correlate
them, look for trends, and eliminate them for stupidity.<br>
<br>
It has been suggested only partly in sarcasm that the way to gain
credibility is to take public information and call it a leak...<br>
<br>
...<br>
<blockquote cite="mid:C7851A65-33BE-4296-8533-7722FE5FA9BA@me.com"
type="cite">
<div>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="">If the other
leaks have indeed been directed by a state actor, likely<br
class="">
Russia, as several intelligence agencies have concluded,
why hold back<br class="">
before the election convincing evidence she was hacked?<br
class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">Most or all intel agencies
won't futz with the American election. Most or all
foreign governments will not have a preference for one or
other candidate. Most or all governments will recoil with
horror at the accusation that they are interfering with
the American election.</span><br style="font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space:
normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">So, no, they won't release
it. Nor admit it. Ever.</span><br style="font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space:
normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" class="">
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
</div>
</blockquote>
<div><br class="">
</div>
Except that there have been numerous reports, from multiple
sources, that Russia is indeed futzing with the American
elections. People close to Putin have said on video that
electing Clinton means war. Bluster no doubt, but hardly
neutral. And Russia doesn’t have to admit anything, they can just
anonymously leak the deleted Clinton email through Wikileaks or
some other channel. The fact that they have not appeared as of 9
am on election day, suggests Russia doesn’t have them. <br
class="">
</div>
</blockquote>
<br>
Yes I think you might be half-right on that one. There are claims
that Russia is engaged in standard levels of aggressive propaganda.
E.g.,<br>
<a class="moz-txt-link-freetext" href="https://medium.com/@thegrugq/security-cyber-and-elections-part-1-cd04de8ed125#.klog9gty7">https://medium.com/@thegrugq/security-cyber-and-elections-part-1-cd04de8ed125#.klog9gty7</a><br>
<br>
Still zero evidence, but motive is clear. The one-sided bellicosity
is sufficient reason to get involved.<br>
<br>
Whether propaganda qualifies as interference, I don't know. If it
does, then unfortunately all the media, government, and leadership
are also interfering. I think it's that ugly side of the democratic
coin - when we do it, it's rights, freedom of speech, democracy and
apple pie. When they do it, it's an attack on our rights, our
freedoms, our democracy.<br>
<br>
The question that I have, outside propaganda, is whether there is
actually a cyberthreat to the process? Whether a foreign power
would enter into the voting machines and hack them left or right as
desired? I suggest that is nonsense in this particular case, but
it's hard to prove an absence. We can only wait for evidence of
positive interference.<br>
<br>
<blockquote cite="mid:C7851A65-33BE-4296-8533-7722FE5FA9BA@me.com"
type="cite">
<div>
<blockquote type="cite" class="">
<div class=""><br style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<blockquote type="cite" style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="">And if you
believe the other leaks were from insiders, not state
actors,<br class="">
all the more reason that Hillary was wise to use a private
server with a</blockquote>
</div>
</blockquote>
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-size-adjust: auto;
-webkit-text-stroke-width: 0px;" class="">few hand-picked
admins she trusted. We have been deluged with Secret and<br
class="">
Top Secret documents purloined by Manning and Snowden. The
handful of<br class="">
emails on Hillary’s server that the FBI says were or
should have been<br class="">
classified seem to be among the few U.S. state secrets
that the public<br class="">
has yet to see.<br class="">
</blockquote>
<br style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant-caps: normal;
font-weight: normal; letter-spacing: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; widows: auto; word-spacing:
0px; -webkit-text-stroke-width: 0px; float: none; display:
inline !important;" class="">Unfortunately, the NSA, the
FBI and the various other counter-intelligence agencies
which are tasked with protecting the government are not
going to see that as any more than self-serving bluster.
And in court - if it ever were to get there - it would be
demolished. That alone would send the perp to jail.
E.g., if the answer to a few upsets within is that we go
it alone, that means every agency, every secretary, every
sysadmin who thinks he can do better than the NSA ... has
carte blanche.</span><br style="font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"
class="">
</div>
</blockquote>
<div><br class="">
</div>
I’m not suggesting that a private server in each official's home
is the right answer going forward, but a separate email server
in each top-level official’s office safe with encrypted back up
to the department servers might be a good solution for
unclassified email privacy. The servers would be inside the
department’s firewall perimeter defenses and could have
additional protection, such as a stripped down operating system
loaded from ROM, to minimize attack surface. Admin access would
be limited to a few staff vetted by the official. The backups'
encryption key might be escrowed in the national archives for
future historical records. The old model of all email stored en
clair on department servers is unworkable.</div>
</blockquote>
<br>
Well, the security officers within each department generally handle
that, using the processes laid down in the security manuals. They
let Obama have his BlackBerry. I'm sure if enough pressure were
brought to bear they would have built a private server situation for
State Dept.<br>
<br>
But seems like they never got told to do that.<br>
<br>
In summary - I think there is merit in looking at how cryptography
could have changed the situation.<br>
<br>
1. Hillary's use of a private server was an attempt to deal with one
threat, although what that was was never clear to me. But it opened
her up to another threat - hacking. At a simplistic level, I think
the answer is clear - don't do that. At a deeper level, we should be
delivering systems that don't lead the users to taking such drastic
steps, and then making their situation worse.<br>
<br>
2. The sense of Russians hacking the electoral process leads us to
look at reliable voting systems. Thinking about our current infosec
posture, that this is something that cryptography can't provide the
answer to, I think we've got it wrong. Because (a) if we don't
secure the voting system then someone else will hack it and steal
it. And there's plenty of underground and anecdotal evidence that
this is going on.<br>
<br>
And (b) we need to get away from this impossibility thing.
Probability works for human systems, too. If we can make it
improbable that a vote is tampered with, that's still a win, for
those times in the majority where we got the true positive.<br>
<br>
iang<br>
</body>
</html>