[Cryptography] "we need to protect [our dox] by at least encrypting them"

ianG iang at iang.org
Sat Nov 5 09:29:38 EDT 2016


On 04/11/2016 21:28, Arnold Reinhold wrote:
> On Thu, 03 Nov 2016 16:06 Henry Baker <hbaker1 at pipeline.com>
> pointed out:
>> https://wikileaks.org/podesta-emails/emailid/43625
...
>> I know I'm like a broken record on this, but I think we should arrange
>> a briefing on the cyber threat for all associated with your effort.
>>  We have a real security threat on our stuff here.
>>
>> I would gladly work up something with our techie.  We've developed a
>> lot of expertise in this, unfortunately.
...
> “…the general lack of security for e-mail is a real threat to personal
> privacy.” …
...
> Neither her servers nor the State Department’s were suitable for
> classified material, but most cables at the Secret level and below from
> that era were leaked by Pvt. Manning via Wikileaks. If there were
> messages on her server at that level, they may be among the few that are
> not already on Wikileaks.


So, as a breed, we continue to miss the big picture and focus on the 
details - mail is insecure, why didn't PGP work, surely we can't 
overcome the shame of email, and we simply must HTTPSise the net 
before the Ruskies come and kill us all in our beds.

In the above, "we should at least encrypt the dox..." is just laughable. 
  I mean, I share the guy's pain - but it's missing the threat by a 
planetary mile.

The big picture is this:  the node is the threat, not the wire.  This 
case, as 99% of the threat evidence out there, is all about hacking some 
server and scarfing up everything, *or* some insider threat leaking the 
trove.

Or both - with the news that 5 intelligence services were likely (99%) 
to have hacked Hillary's private servers, and wikileaks likely getting 
their leaks from insiders.

Which is to say, we could paper the planet with wire encryption - pure 
PGP mail and HTTPS as standard - and we'd not move the threat needle by 
more than 1%.

Here's a new data point from Wired - how long did it take the browser 
manufacturers to respond to the bleedingly obvious failed GUI of the 
padlock?  20 years.
https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/

That article is the Good, the Bad and the Ugly of security thinking. 
Count the years - SSL and secure browsing invented in 1994, and the GUI 
was screwed by Netscape 1.0.  Now, in 2014, a browser manufacturer 
starts to seriously think about how to present the user a message.

> Eschewing email altogether would likely have impaired her effectiveness,
> so given the limited tools she had available at the time, her use of a
> private server may have been in the country’s best interest.

Yeah.  In effect, using completely clear email would have probably 
assisted her cause.  She hid in the noise, and her own intel services, 
chartered to protect the government's secrets, didn't spot it.

What screwed her was that the node was breached.  6 times.

Which was why she wasn't allowed to have a private server in the first 
place.

iang

