what to expect....
DNS hijacking of MX records;
The PGP algo has a decryption backdoor;
TOR is a honeypot run for ulterior motives.
The leak of a PGP-encrypted email between Ed Snowden's pet journalist Glenn Greenwald and a lawyer has created a bit of a fuss in crypto circles. Jesselyn Radack, a national security and human rights brief, said an encrypted email sent by her to Greenwald was this week leaked by persons unknown to Cryptome, the long-running …
I think you're dead on with "ignore" and I'm sure a phone call would be made to check.
As for thinking that NSA broke this, would they be that stupid to give away that they can break PGP over a relatively minor issue? On second thought, it's politics and government doing the Power Waltz.
1. Compromise the sender's PC.
2. Copy the email.
3. Insert false data pointing to a fake third key.
4. Post it to a hacker leak site.
5. Make popcorn to eat while watching what happens.
Possible results:
1. Cast doubt on journalist.
2. Cast doubt on Snowden.
3. Cast doubt on recipient.
4. Cause confusion amongst unconnected cryptos.
5. Possibly move punters from a secure PGP implementation to a secretly compromised solution.
Rumor has it, the government has people who know how to write malware not noticed by the AV vendors.
If that were true, then others would have discovered it too.
Or intentionally ignore?
That could apply to U.S. antivirus companies, but what about non-U.S. antivirus companies? Would they intentionally ignore U.S. gov malware if asked?
> the government has people who know how to write malware not noticed by the AV vendors
That would be delightful news if it were true, because it would mean there is at least ONE competent government department.
In reality, I rather suspect we're seeing another ballistic missile scare (when it was claimed the USSR had thousands of ICBMs and stuff like that, when in reality it turned out to be about two of them, which is rather more realistic if you consider how many other rockets you see being built and launched for actual profit).
I'd be inclined to bet your favourite spy agency's Malware Department is probably manned by some civil service geezer running a copy of Borland Turbo Pascal on DOS 5.0. :-/
I am not happy about this.
US security experts with a patriotic – generally pro-NSA – perspective (such as the th3j35t3r here), along with former NSA staffers (here), were delighted by the whole episode.
Until their $PREFERRED_POLITICIAN is killed off by strategic leaks.
The rule of men, not of laws.
The lawyer would have needed to have previously imported the 'third party' public key to the keyring before the PGP / GPG client could encrypt the message content for that third party key.
It is more likely that the lawyer either mistakenly imported this third party key and then included the email address associated with the key before sending (odds on that?), or the email / PGP / GPG client has been compromised in some way which potentially allows spam emails to insert a public key into a user's keyring (oo-er) without actually importing it and subsequently inserting the email address associated with the key into the recipient list automagically. This way you do not need to compromise the PGP encryption, you just get mailed a copy - waaaaaaaay easier.
"and then included the email address associated with the key before sending (odds on that?)"
The mail client in the message (see links in article) is iPGMail. This uses the email addresses in the keys automatically. You select which keys you want as recipients and it encrypts to those keys and sends to the addresses in those keys.
Hence it will indeed be that an imposter key was imported and used.
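The practical check behind the two comments above is to look at which keys a message was actually encrypted to before arguing about who imported what. Every recipient key gets its own Public-Key Encrypted Session Key packet at the front of an OpenPGP message, carrying the 64-bit key ID it was encrypted for (`gpg --list-packets` prints the same thing). The following is an added example, not code from this thread or from iPGMail: a small RFC 4880 packet-framing parser that lists the recipient key IDs of a message, armored or raw. The message bytes, key IDs and MPI values are constructed for the example and are not from the leaked email.

```python
"""Inspect which keys an OpenPGP message was encrypted to (RFC 4880 packet framing)."""
import base64

PKESK_TAG = 1          # Public-Key Encrypted Session Key packet: one per recipient key
SEIPD_TAG = 18         # Symmetrically Encrypted Integrity Protected Data: the payload
PK_ALGO = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}


def parse_packets(data: bytes):
    """Split raw OpenPGP data into (tag, body) tuples. Handles old- and new-format headers."""
    packets, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                          # new-format header (RFC 4880 4.2.2)
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:                                   # old-format header (RFC 4880 4.2.1)
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:                      # indeterminate length: runs to end of input
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        packets.append((tag, body))
    return packets


def packet_tags(data: bytes):
    return [tag for tag, _ in parse_packets(data)]


def recipients(data: bytes):
    """Return [(key_id_hex, algorithm)] for every PKESK packet, in message order."""
    found = []
    for tag, body in parse_packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError(f"unexpected PKESK version {body[0]}")
        key_id = body[1:9].hex().upper()
        algo = PK_ALGO.get(body[9], f"algorithm {body[9]}")
        if key_id == "0" * 16:                  # all-zero key ID: gpg --throw-keyids style hidden recipient
            key_id = "(hidden recipient)"
        found.append((key_id, algo))
    return found


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line) and base64-decode."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP message")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            if line.strip() == "":
                in_body = True          # the blank line ends the armor headers
            elif ":" not in line:       # no armor headers at all: this line is already data
                in_body = True
                body.append(line.strip())
            continue
        if line.startswith("="):        # CRC-24 checksum line
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def armor(data: bytes) -> str:
    """Minimal armor writer, used only to build the sample (real tools also append a CRC line)."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
            + "\n".join(rows) + "\n-----END PGP MESSAGE-----\n")


# Constructed sample (not a real message): three PKESK packets followed by a SEIPD packet.
# Key IDs and MPI values are arbitrary bytes chosen for this example.
SAMPLE = bytes.fromhex(
    "84 0E" "03 2D5C1E7A9B3F4A60 01 0010ABCD"                    # old-format header, RSA
    "C1 12" "03 77A1C0D2E3F40A1B 10 00101234 00105678"           # new-format header, Elgamal
    "C1 0E" "03 0000000000000000 01 0010DEAD"                    # hidden recipient (zero key ID)
    "D2 05" "01 AABBCCDD"                                        # SEIPD payload (junk bytes)
)
SAMPLE_ARMORED = armor(SAMPLE)

if __name__ == "__main__":
    for key_id, algo in recipients(dearmor(SAMPLE_ARMORED)):
        print(f"encrypted to key {key_id} ({algo})")
```

Run it against a message and compare the listed key IDs with `gpg --list-keys --keyid-format long`: a key ID that only matches something recently imported from a stranger is the tell the comments above are describing, while an all-zero key ID cannot be attributed by inspection at all, since the sender deliberately hid the recipient.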
What is the legal position of Snowden and associated people? Are they fair prey for the spooks / FBI / local cops etc.? Twelve good men and true may well consider Snowden & Co have right on their side, but does the law?
The leak might be legal FUD from the spooks or an illegal act by a concerned wellwisher.
"The NSA considers anyone on this planet to be fair prey. The FBI considers anyone in the USA to be fair prey. Local cops might be marginally better, but only because they lack the technical skills of the federal agencies." The NSA has to consider the possibility of threats arising from any part of the planet. The FBI has to consider the chance that threats may arise within the USA. Local cops have the ability to call on the resources of the federal agencies. TFTFY.
> What is the legal position of Snowden and associated people?
Snowden is a spy under US law. He can never go to the US or any country with an extradition treaty with the US without being arrested and subsequently tried for espionage.
The people who've helped him (Assange etc) did not help him steal the secrets and are not on US soil, and so are not under US jurisdiction. They might still get barred from visiting the US if Uncle Sam feels vindictive, but can't really be prosecuted as they're not subject to US law.
I don't believe PGP, or traditional PKE, has been cracked.
But someone REALLY wants everyone off PKE lately.
And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested.
When you think the trick is being done... it's already happened.
As far as I'm concerned, until I see a documented attack that cannot have happened any other way, I'll stick with what I know works. Call me back when EC has been in worldwide deployment for a decade or two.
"I don't believe PGP, or traditional PKE, has been cracked...." Don't believe or don't want to believe? Either way, I would suggest the simpler and more likely explanation is that the lawyer and journo involved are both technically-illiterate. After all, when A$$nut was working with the Guardian he had to explain to their journos how to unzip docs, do you really think they're going to do any better with PGP? Personally, I think Greenie leaked it himself since no-one had noticed the non-award he "achieved".
Anyway, old Snowdope and Greenie are always banging on about openness, surely they should approve the leak?
"And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested."
You can implement PFS without using ECC, but just with standard Diffie-Hellman. I'm pretty sure both options are available in OpenSSL. Anyway, it's just an extra level of protection, it really can't make things worse.
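The point in the reply above, that forward secrecy needs only ephemeral key agreement and not elliptic curves, can be shown with plain finite-field Diffie-Hellman. The following is an added example, not code from this thread or from OpenSSL: it runs an ephemeral exchange (the DHE case) beside a static one in which the server reuses a long-term exponent (the no-forward-secrecy case), and then shows what an attacker who recorded the transcript and later obtains the server's long-term secret can recover in each. The prime is RFC 3526 group 14, transcribed here and worth checking against the RFC before use; the transcript layout, labels and key-derivation string are this example's own assumptions.

```python
"""Forward secrecy with plain finite-field Diffie-Hellman: no elliptic curves required."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP prime), transcribed here; check it against the RFC before use.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2            # P is a safe prime, so G = 2 generates the subgroup of prime order Q
NBYTES = (P.bit_length() + 7) // 8


def valid_public(y: int) -> bool:
    """Range and subgroup check: rejects 0, 1, P-1 and other small-subgroup values."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keypair():
    """Random exponent in [2, Q-1] and its public value G^x mod P."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def session_key(peer_pub: int, priv: int, transcript: bytes) -> bytes:
    """Shared secret bound to the transcript, hashed down to a 256-bit key."""
    if not valid_public(peer_pub):
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P).to_bytes(NBYTES, "big")
    return hashlib.sha256(b"dh-demo-v1" + shared + transcript).digest()


def ephemeral_session():
    """DHE: both exponents are fresh and discarded; only the public values persist."""
    a, A = keypair()
    b, B = keypair()
    transcript = A.to_bytes(NBYTES, "big") + B.to_bytes(NBYTES, "big")
    k_client = session_key(B, a, transcript)
    k_server = session_key(A, b, transcript)
    del a, b                                    # nothing that can recreate the key survives
    return k_client, k_server, transcript


# The server's long-term key: the thing a later break-in or subpoena would hand over.
SERVER_STATIC_PRIV, SERVER_STATIC_PUB = keypair()


def static_session():
    """Static DH: the server reuses SERVER_STATIC_PRIV for every session (no forward secrecy)."""
    a, A = keypair()
    transcript = A.to_bytes(NBYTES, "big") + SERVER_STATIC_PUB.to_bytes(NBYTES, "big")
    k_client = session_key(SERVER_STATIC_PUB, a, transcript)
    k_server = session_key(A, SERVER_STATIC_PRIV, transcript)
    del a
    return k_client, k_server, transcript


def recover_from_transcript(transcript: bytes, leaked_static_priv: int) -> bytes:
    """What an attacker holding a recorded transcript and the leaked long-term key can compute."""
    client_pub = int.from_bytes(transcript[:NBYTES], "big")
    return session_key(client_pub, leaked_static_priv, transcript)


if __name__ == "__main__":
    kc, ks, tr = ephemeral_session()
    sc, ss, st = static_session()
    print("static DH key recovered from transcript + leaked key:",
          recover_from_transcript(st, SERVER_STATIC_PRIV) == sc)
    print("DHE key recovered from transcript + leaked key:   ",
          recover_from_transcript(tr, SERVER_STATIC_PRIV) == kc)
```

In the ephemeral case the leaked long-term key computes a value unrelated to the session key, because that key never entered the derivation; in the static case the recorded transcript plus the leaked exponent is exactly the server's own computation. The subgroup check in `valid_public` is the part people skip: without it a peer can send 1 or P-1 and force the shared secret into a set small enough to guess.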
Is it hard to believe that a journalist, working at a new job, is just getting free publicity?
1. Leak trivial email
2. Blame nefarious evil-doers
3. Free press
4. Viewers visit your new News site to see why you are being hacked
5. Profit!!!
At least his business plans are more complete than 99% of IT related businesses.
1. Leak trivial email, blame nefarious evil-doers, get free press.
2. Viewers visit your new News site to see why you are being hacked.
5. Profit!!!
At least his business plans are more complete than 99% of IT related businesses.
FTFY - now it is in typical internet business plan mode. WTF is that gibberish for number 2 though? It seems to be more of a !!! than the usual ???
Cryptome's stance that comsec experts 'often conceal vulnerabilities' is interesting as it implies ulterior motives to do so. No self respecting security expert would do this as they know full well that an undisclosed vulnerability will never be solved. Full disclosure is one of the first things such an expert will preach to anyone that would listen.
What motive would they have to do this when it can affect them directly as users of the same software?
It implies that cryptome is referring to computer security experts in the employment of someone with a vested interest in undermining PKE, the same entity which, crucially, would have most to gain from making it seem like PKE has an as of yet undisclosed vulnerability; whether or not that is the case being immaterial.
You proceed from a false assumption. Cryptologists work not only on creating secure encryption, but also work on breaking them. So whether or not you leak it depends very much on which side of the fence you are working. Comsec will invariably involve both types even if it is because the breakers infiltrate the creators.