[Cryptography] [cryptography] Equation Group Multiple Malware Program, NSA Implicated

Ray Dillinger bear at sonic.net
Wed Feb 18 19:18:08 EST 2015



On 02/18/2015 02:32 AM, Ryan Carboni wrote:
> Can't trust anything, except the mail.
> 
> Only solution: personally encrypt messages by hand, using computers and GPG
> only for transmitting master keys if the keys cannot be delivered in person.
> 
> https://en.wikipedia.org/wiki/PGP_word_list
> 
> Oddly there isn't as much outcry over this as compared to FBI black bag
> jobs, even though this is literally the same.
> 

Ironically, I do in fact recommend postal mail over any software-
controlled process or public-key infrastructure as a means of
distributing initial keys (the seldom-changed keys that access
a key distribution channel).

Pretty much every PKI that exists is either pwned or useless as
far as I can tell.  Some due to enemy action, others due to
mismatch in threat model or bluntly wrong assumptions about
trust.  I have the good fortune to be working usually with
something more manageable than financial crypto:  The problem
I usually am solving is not "How can I be introduced to anybody
at any time" but "How can I exchange secure messages with my
selected group of fifteen to fifty known correspondents?"  And
the answer, of course, is not a PKI of any kind, it is a KDC.

Is someone monitoring the email?  Almost definitely.  Is
someone monitoring the text messages?  Yup.  Is someone
monitoring the phone call?  "Metadata" sure but not likely
storing the audio.  But postal mail?  Someone opening and
reading the postal mail is unlikely, and if someone is, and
they're not an unambiguously criminal organization to start
with, that's a huge legal risk on their part.

The nice thing about postal mail, is that a letter is a physical
object that some human being with hands and eyes and a mind,
drawing a paycheck, would have to devote at least a few paid
seconds to opening and reading and understanding.  Another
nice thing is that there are still laws and court precedents,
left over from a previous era, that should give any would-be
eavesdroppers at least on the government side pause about
opening and reading it, and most non-government organizations
simply don't have any expertise in intercepting it selectively.

				Bear
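The post above prefers a KDC over a PKI for a closed group of known correspondents whose long-term keys were handed over out of band. As an added illustration (not code from the post or its author), here is a toy Needham-Schroeder/Kerberos-style exchange in Python: each member and the KDC share one long-term key that never travels over the network; the KDC mints a fresh session key per pair and hands it to the requester together with a ticket sealed under the peer's key. Everything is constructed for the example: the member names, the random keys, and the `seal`/`unseal` pair (HMAC-SHA256 in counter mode plus an HMAC tag), which stands in for a real AEAD and is stdlib-only so the script runs offline. The requester checks the nonce (freshness) and the peer name (binding) in the KDC's reply, and the peer side rejects any tampered ticket or message before releasing plaintext.

```python
# Toy symmetric-key KDC for a small closed group (constructed example).
# Long-term keys are enrolled out of band; the KDC issues a session key
# per pair on request and never sees the members' traffic afterwards.
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32
KEY_LEN = 32


def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a labelled sub-key from a long-term or session key (HMAC as PRF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under split sub-keys; returns nonce || ciphertext || tag.
    Stand-in for a real AEAD, kept stdlib-only so the example runs anywhere."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(kdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time first; decrypt only if it matches."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(kdf(key, b"enc"), nonce, len(ct))))


class KDC:
    """Holds one long-term key per enrolled member (names must not contain NUL)."""

    def __init__(self) -> None:
        self.members: dict[str, bytes] = {}

    def enroll(self, name: str, long_term_key: bytes) -> None:
        # In the post's setting this key arrives by postal mail, not over the network.
        self.members[name] = long_term_key

    def issue(self, requester: str, peer: str, nonce: bytes) -> bytes:
        """Reply = E_Ka(nonce || peer || Ks || ticket), ticket = E_Kb(requester || Ks)."""
        if requester not in self.members or peer not in self.members:
            raise KeyError("unknown member")
        session_key = os.urandom(KEY_LEN)
        ticket = seal(self.members[peer], b"ticket", requester.encode() + b"\0" + session_key)
        body = nonce + peer.encode() + b"\0" + session_key + ticket
        return seal(self.members[requester], b"reply", body)


class Member:
    def __init__(self, name: str, long_term_key: bytes) -> None:
        self.name, self.k = name, long_term_key
        self.sessions: dict[str, bytes] = {}

    def request_session(self, kdc: KDC, peer: str) -> bytes:
        """Requester side: ask the KDC for a key to `peer`; returns the ticket to forward."""
        nonce = os.urandom(NONCE_LEN)
        body = unseal(self.k, b"reply", kdc.issue(self.name, peer, nonce))
        if body[:NONCE_LEN] != nonce:            # freshness: reply answers this request
            raise ValueError("stale or replayed KDC reply")
        peer_name, rest = body[NONCE_LEN:].split(b"\0", 1)
        if peer_name.decode() != peer:           # binding: key is for the peer we asked for
            raise ValueError("KDC reply names the wrong peer")
        self.sessions[peer] = rest[:KEY_LEN]
        return rest[KEY_LEN:]

    def accept_ticket(self, ticket: bytes) -> str:
        """Peer side: recover (requester, Ks) from a ticket sealed under our long-term key."""
        requester, session_key = unseal(self.k, b"ticket", ticket).split(b"\0", 1)
        self.sessions[requester.decode()] = session_key
        return requester.decode()

    def send(self, peer: str, msg: bytes) -> bytes:
        return seal(self.sessions[peer], self.name.encode(), msg)

    def receive(self, peer: str, blob: bytes) -> bytes:
        return unseal(self.sessions[peer], peer.encode(), blob)


def demo() -> tuple[bool, bytes]:
    """Full exchange: returns (both sides hold the same Ks, Bob's decrypted message)."""
    kdc = KDC()
    alice_key, bob_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)  # constructed, out-of-band keys
    kdc.enroll("alice", alice_key)
    kdc.enroll("bob", bob_key)
    alice, bob = Member("alice", alice_key), Member("bob", bob_key)
    ticket = alice.request_session(kdc, "bob")
    bob.accept_ticket(ticket)
    blob = alice.send("bob", b"meeting moved to 10:00")
    return alice.sessions["bob"] == bob.sessions["alice"], bob.receive("alice", blob)


def tamper_detected() -> bool:
    """A single flipped ciphertext byte must be rejected before any plaintext is released."""
    key = os.urandom(KEY_LEN)
    blob = bytearray(seal(key, b"x", b"hello"))
    blob[NONCE_LEN] ^= 0x01
    try:
        unseal(key, b"x", bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), tamper_detected())
```

The point the post makes survives in the shape of the code: the KDC's trust base is the table filled by `enroll`, and nothing in the protocol can introduce a member whose long-term key did not arrive through that out-of-band step; a request naming an unenrolled peer fails at `issue` rather than falling back to some directory lookup.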




