[Cryptography] "we need to protect [our dox] by at least encrypting them"

Ian G iang at iang.org
Wed Nov 9 08:38:30 EST 2016

On 08/11/2016 15:10, Arnold Reinhold wrote:

>> On Nov 7, 2016, at 7:57 PM, ianG <iang at iang.org 
>> <mailto:iang at iang.org>> wrote:
>> On 07/11/2016 18:57, Arnold Reinhold wrote:
>>> On Sat, 5 Nov 2016 14:29 IanG wrote:
>>>> with the news that 5 intelligence services were likely (99%)
>>>> to have hacked Hillary's private servers,
>>> This claim is based on a Fox News story
>>> http://www.foxnews.com/politics/2016/11/03/sources-99-percent-chance-foreign-intel-agencies-breached-clinton-server.html
>>> that has since been revised to say:
>>>   "Authorities are operating under the working assumption there is a
>>> high chance Hillary Clinton’s private server was breached, one source
>>> with intimate knowledge of the FBI investigation told Fox News – though
>>> there still are no digital fingerprints proving a breach.
>>>   The source said the server may have been hacked by up to five foreign
>>> intelligence agencies. While other sources believe this is probable,
>>> evidence has not emerged to confirm this.
>> Yes - it's a leak.  There is a rebellion going on in the FBI.
>> Of course, there is no evidence to confirm it.  Nor is there any 
>> evidence to confirm anything Snowden said about the NSA.  Nor has the 
>> White House confirmed that wikileaks maildrops are essentially 
>> accurate, or identified the ones that have been changed.  Nor has 
>> Sweden admitted that its case against Snowden is made up.  Nor nor nor.
> Was it a leak from someone in the know, or was it embellished (e.g. 
> "98% chance”) along the way?

Both?  It's charged times, so we know that both sides are going to play 
it to the hilt.  There were calls that the "Russians did it" on the 
other side of the Atlantic, again with zero evidence.

> The fact the Fox News retracted its original story strongly suggests 
> the latter.

It suggests that their legal counsel assessed the chances of them being 
drowned in court?  If Hillary had won, she'd have sent in the boys to 
clean up the opposition.  This time with feeling.  GC wouldn't take that 

I don't think we can determine much from any statements in the press.  
All we can really do is to take all the leaks and correlate them, look 
for trends, and eliminate them for stupidity.

It has been suggested only part in sarcasm that the way to gain 
credibility is to take public information and call it a leak...

>>> If the other leaks have indeed been directed by a state actor, likely
>>> Russia, as several intelligence agencies have concluded, why hold back
>>> before the election convincing evidence she was hacked?
>> Most or all intel agencies won't futz with the American election. 
>>  Most or all foreign governments will not have a preference for one 
>> or other candidate.  Most or all governments will recoil with horror 
>> at the accusation that they are interfering with the American election.
>> So, no, they won't release it.  Nor admit it.  Ever.
> Except that there have been numerous reports, from multiple sources, 
> that Russia is indeed futzing with the American elections. People 
> close to Putin have said on video that electing Clinton means war. 
> Bluster no doubt, but hardly neutral. And Russia doesn’t have to admit 
> anything, the can just anonymously leak the deleted Clinton email 
> through Wikileaks or some other channel. The fact that they have not 
> appeared as of 9 am on election day, suggests Russia doesn’t have them.

Yes I think you might be half-right on that one. There are claims that 
Russia is engaged in standard levels of aggressive propaganda. E.g.,

Still zero evidence, but motive is clear.  The one-sided bellicosity is 
sufficient reason to get involved.

Whether propaganda qualifies as interference, I don't know.  If it does, 
then unfortunately all the media, government, and leadership are also 
interfering.  I think it's that ugly side of the democratic coin - when 
we do it, it's rights, freedom of speech, democracy and apple pie.  When 
they do it, it's an attack on our rights, our freedoms, our democracy.

The question that I have, outside propaganda is whether there is 
actually a cyberthreat to the process?  Whether a foreign power would 
enter into the voting machines and hack them left or right as desired?  
I suggest that is nonsense in this particular case, but it's hard to 
prove an absence.  We can only wait for evidence of positive interference.

>>> And if you believe the other leaks were from insiders, not state actors,
>>> all the more reason that Hillary was wise to use a private server 
>>> with a annouonumsly
>>> few hand-picked admins she trusted. We have been deluged with Secret and
>>> Top Secret documents purloined by Manning and Snowden. The handful of
>>> emails on Hillary’s server that the FBI says were or should have been
>>> classified seem to be among the few U.S. state secrets that the public
>>> has yet to see.
>> Unfortunately, the NSA, the FBI and the various other 
>> counter-intelligence agencies which are tasked at protecting the 
>> government are not going to see that as any more than self-serving 
>> bluster.  And in court - if it ever were to get there - it would be 
>> demolished.  That alone would send the perp to jail.  E.g., if the 
>> answer to a few upsets within is that we go it alone, that means 
>> every agency, every secretary, every sysadmin who thinks he can do 
>> better than the NSA ... has carte blanche.
> I’m not suggesting that a private server in each official's home is 
> the right answer going forward, but a separate email server in each 
> top-level official’s office safe with encrypted back up to the 
> department servers might be a good solution for unclassified email 
> privacy. The servers would be inside the department’s firewall 
> perimeter defenses and could have additional protection, such as a 
> stripped down operating system loaded from ROM, to minimize attack 
> surface. Admin access would be limited to a few staff vetted by the 
> official. The backups' encryption key might be escrowed in the 
> national archives for future historical records. The old model of all 
> email stored en clar on department servers is unworkable.

Well, the security officers within each department generally handle 
that, using the processes laid down in the security manuals.  They let 
Obama have his blackberry.  I'm sure if enough pressure were brought to 
bear they would have built a private server situation for State Dept.

But seems like they never got told to do that.

In summary - I think there is merit in looking at how cryptography could 
have changed the situation.

1.  Hillary's use of private server was an attempt to deal with one 
threat, although what that was was never clear to me.  But it opened her 
up to another threat - hacking.  At a simplistic level, I think the 
answer is clear - don't do that.  At deeper level, we should be 
delivering systems that don't lead the users to taking such drastic 
steps, and then making their situation worse.

2.  The sense of Russians hacking the electoral process leads us to look 
at reliable voting systems.  Thinking about our current infosec posture, 
that this is something that cryptography can't provide the answer to, I 
think we've got it wrong.  Because (a) if we don't secure the voting 
system then someone else will hack it and steal it.  And there's plenty 
of underground and anecdotal evidence that this is going on.

And (b) we need to get away from this impossibility thing. Probability 
works for human systems, too.  If we can make it improbable that a vote 
is tampered with, that's still a win, for those times in the majority 
where we got the true positive.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161109/742e6805/attachment.html>

More information about the cryptography mailing list