[Cryptography] "we need to protect [our dox] by at least encrypting them"

Arnold Reinhold agr at me.com
Thu Nov 10 09:59:44 EST 2016


> On Nov 9, 2016, at 8:38 AM, Ian G <iang at iang.org> wrote:
> 
> On 08/11/2016 15:10, Arnold Reinhold wrote:
[snip]

>> 
>> Was it a leak from someone in the know, or was it embellished (e.g. "98% chance") along the way?
> 
> Both?  It's charged times, so we know that both sides are going to play it to the hilt.  There were calls that the "Russians did it" on the other side of the Atlantic, again with zero evidence.
> 
>> The fact that Fox News retracted its original story strongly suggests the latter.
> 
> It suggests that their legal counsel assessed the chances of them being drowned in court?  If Hillary had won, she'd have sent in the boys to clean up the opposition.  This time with feeling.  GC wouldn't take that risk.
> 
> I don't think we can determine much from any statements in the press.  All we can really do is to take all the leaks and correlate them, look for trends, and eliminate them for stupidity.
> 

The nice thing about leaks is we get to pick and choose the ones we like. But positing that Fox News suddenly became afraid of Hillary Clinton is a bit over the top. 

[snip]

>> I’m not suggesting that a private server in each official's home is the right answer going forward, but a separate email server in each top-level official’s office safe with encrypted back up to the department servers might be a good solution for unclassified email privacy. The servers would be inside the department’s firewall perimeter defenses and could have additional protection, such as a stripped down operating system loaded from ROM, to minimize attack surface. Admin access would be limited to a few staff vetted by the official. The backups' encryption key might be escrowed in the national archives for future historical records. The old model of all email stored en clar on department servers is unworkable.
> 
> Well, the security officers within each department generally handle that, using the processes laid down in the security manuals.  They let Obama have his blackberry.  I'm sure if enough pressure were brought to bear they would have built a private server situation for State Dept.
> 
> But seems like they never got told to do that.
> 
> In summary - I think there is merit in looking at how cryptography could have changed the situation.
> 
> 1.  Hillary's use of private server was an attempt to deal with one threat, although what that was was never clear to me.  But it opened her up to another threat - hacking.  At a simplistic level, I think the answer is clear - don't do that.  At a deeper level, we should be delivering systems that don't lead the users to taking such drastic steps, and then making their situation worse.
> 
> 2.  The sense of Russians hacking the electoral process leads us to look at reliable voting systems.  Thinking about our current infosec posture, that this is something that cryptography can't provide the answer to, I think we've got it wrong.  Because (a) if we don't secure the voting system then someone else will hack it and steal it.  And there's plenty of underground and anecdotal evidence that this is going on.
> 
> And (b) we need to get away from this impossibility thing.  Probability works for human systems, too.  If we can make it improbable that a vote is tampered with, that's still a win, for those times in the majority where we got the true positive.
> 
> iang


The threat the private server was an attempt to deal with was employees who have access to her emails leaking them to political opponents. The security officers you suggest she should have gone to are likely part of the threat, not the solution. Hacking was a risk, but we know that the State Department unclassified email system was hacked, while there is apparently no evidence her servers were.  Of course a more secure approach would be preferable.

As for voting systems, where I live we have paper ballots that are optically scanned. Results are available immediately after the election but the paper ballots can be manually counted as a check. A hack attack that targeted only a few machines would be noticeable statistically if it was large enough to matter. An attack that made small increments in many voting machines could be caught by hand counting a few precincts. Best of all, a paper system is understandable by the retirees hired to staff the voting places. What is the point of going to an all-electronic system that only a few specialists can audit?

Arnold
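
The hand-count check described in the message above can be put in numbers. The following is an added example, not part of the original post: it assumes precincts are drawn uniformly at random without replacement and that hand counting an altered precinct always exposes the discrepancy. The precinct counts are constructed for illustration.

```python
from math import comb


def detection_probability(total, tampered, sampled):
    """Chance that a random sample of `sampled` precincts, drawn without
    replacement from `total`, contains at least one of the `tampered` ones.

    Assumption (not from the post): a hand count of a tampered precinct
    always reveals the mismatch with the scanner tally.
    """
    if not (0 <= tampered <= total and 0 <= sampled <= total):
        raise ValueError("need 0 <= tampered, sampled <= total")
    # Hypergeometric miss probability: every sampled precinct is a clean one.
    miss = comb(total - tampered, sampled) / comb(total, sampled)
    return 1.0 - miss


def precincts_to_count(total, tampered, confidence):
    """Smallest number of precincts to hand count so that the detection
    probability reaches `confidence` (a value in (0, 1])."""
    if tampered < 1:
        raise ValueError("nothing to detect when no precinct is tampered")
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total  # unreachable: counting every precinct always detects


if __name__ == "__main__":
    TOTAL = 1000  # constructed figure: precincts in the jurisdiction
    # Small changes spread over many machines vs. large changes on a few.
    for tampered in (300, 50, 5):
        n = precincts_to_count(TOTAL, tampered, 0.95)
        print(f"{tampered:>3} of {TOTAL} precincts altered: "
              f"hand count {n} for 95% detection")
```

The widely spread attack is caught by a handful of hand counts, while an attack confined to a few precincts needs a far larger sample, which is where the statistical anomaly in those precincts' results has to carry the detection.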
