"The frustrating and ironic thing about GPG is that even experts make mistakes with it. [...] in his first email to me, Snowden had forgotten to attach his key, which meant I could not encrypt my response. I had to send him an unencrypted email asking for his key first."
So, not only can't Johny encrypt (http://www.gaudior.net/alma/johnny.pdf), but neither can security experts when their lives may depend on it. Proving once more that not only do we need better security tools, but - above all - more usable security tools.
I'm not a security expert.... but shouldn't exchange of the public key happen outside the channel of the message (ie. using a public key / certificate authority)? Otherwise, I could fake the message origination: write my own message, encrypt w/ my private key, and then sending you my public key -- you'd never know the message came from me rather than Snowden. (Could also do a more-sophisticated MITM.)
I guess is an opportunistic encryption vs no-encryption scenario, since Snowden was sending his emails anonymously at that time there was no way for him to verify his identity to anyone. However, this was before there was any attention on him and sending his public key inside his first encrypted email would at least offer guarantees of the form: "If this connection is not MITM'ed now, it cannot become MITM'ed in the future". I suppose Snowden would know if there was indiscriminate and automatic mass-interception of GPG at the time (there might be now).
I am also not a crypto expert, but as I understand it: Micah could have also encrypted the email with the key given to him by the 'anonymous mailer', included the hash of that key as part of his message and then signed the whole message with his own key. Since Snowden trusted Micah's key, he could verify the email signature and then check that the included hash matched his own key. A MITM attacker could intercept Snowden's first email and change the key, but then Micah would have hashed the fake key and included that in his email, which the MITM couldn't alter without breaking the signature, then Snowden would have seen the wrong hash on the reply email and know of the presence of the attacker.
An anonymous person contacts you - how do you get their key from a public authority? There is no impersonation attack possible in this case.
Someone claiming to be Edward Snowden contacts you today (now that he is longer anonymous) - in this case yes, the author just including their key would not necessarily be secure.
If you're being contacted by an anonymous person you have no idea who they are in the first place. Since you don't know an anonymous person's identity, how are you supposed to fetch and validate their public key?
The basic idea of public key is to be visible to everybody. I consider the real problem to be "spamming." If you have some site which stores the keys and it has a thousand of different public keys claiming to be from, e.g. "Laura Poitras" you don't know which one is the real one. So the selection of the "real" key between of all of possible keys is something that should be verified independently. Even if you have only one key, you must verify that really that key belongs to the person you want to reach.
Snowden solved it by requesting the public tweet of Lauras's key fingerprint which was enough. Having the match of the fingerprint is enough. It's much smaller than the whole key. For example, if Laura's key is 4096 bits to print it you'd need around 700 letters. But to verify some 4096 bits you have to actually be Laura's key, it's enough that the fingerprint of, for example, 160 bits match: the math magic involved in creating the fingerprint should guarantee you that nobody can create another key and have the same fingerprint.
In the article, the fingerprint used 4 bits per letter, and there were 40 letters, so it was just 160 bits that Snowden used to verify the key.
What a great article. To think this guy had no idea for months he was talking to one of the biggest whistleblowers of our generation. Reading this makes me wonder if there's room for a yellow pages style public key directory for journalists. That would of saved a lot of time and hassle.
Equally awesome is that he DID know for months he had been talking to one of the biggest whistleblowers of our generation, and he maintained enough OPSEC (i.e. "STFU") that this didn't become widely known.
I'm sure you've heard the phrase, "Discretion is the better part of valor". It is good to be brave, however it is also good to be discreet. If you are cautious and discreet (keep your mouth shut and don't brag), you will probably not be put into a situation that requires bravery.
At its core, it's just a keystore with some innovative verification features (face it: key signing parties weren't working). It has some optional sugar on top.
I do think it's a mistake for them to allow uploading your private key. They really shouldn't be encouraging private key promiscuity like that. Otherwise, I really like the service and hope it catches on.
No, and you also don't have to use its client software. You can (and I do) use the service solely by signing JSON documents locally and uploading the signature.
Depends on your opinion, and honestly if he _was_ a legitimate whistle blower (as stated by current law, not my personal view), don't we think he'd be protected under the Whistleblower Act (http://www.law.cornell.edu/uscode/text/18/794) or any sort of legislation ->currently<- in place? Matters of National Security does not qualify and to be frank, and its pretty clear he is guilty of treason (no matter what my opinion is, again). This most likely isn't a popular view here on YC (I am not judging anyone openly here), but this makes for fascinating reading. Edward Snowden is no better than John Walker, Aldrich Ames, Aaron Burr (VP of the United States!!), and Benedict Arnold. Russia really didn't want him, but they sure didn't exactly push back considering whatever Snowden had on his person (or remotely access to) and surely has been taken and shared with the Chinese as well. I'm simply trying to provide the deep (on occasion conflicting) loyalties that underlie many security professionals in this country that are married to the ultimate goal of protecting interests domestic and abroad of the United States. They are the best and brightest, and the leadership generally above them are FROM the ranks of trusted/vetted/experienced individuals.
Your post is interesting, so I'm not downvoting, but at the same time it comes across as a shill post.
> Russia really didn't want him, but they sure didn't exactly push back considering whatever Snowden had on his person (or remotely access to) and surely has been taken and shared with the Chinese as well.
To be frank, if security (at the NSA) was/is as lax as Snowden claims, then none of the information is probably news to Russia or China. That said, I was under the impression that Russia and China aren't exactly bed-fellows, yet you claim that 'surely' the information has been shared. I don't think that's a foregone conclusion (assuming that there is any new information to share).
> I'm simply trying to provide the deep (on occasion conflicting) loyalties that underlie many security professionals in this country that are married to the ultimate goal of protecting interests domestic and abroad of the United States.
The problem is that protecting US interests isn't some cut-and-dry thing. The CIA trained and funded Osama bin Laden to 'protect US interests' (in repelling the USSR from Afghanistan). How did that work out? The US went into Iraq because "WMDs" existed that Saddam Hussein was going to launch against our allies. How did that work out? The US intelligence community has been pushing for revolution in the Middle East... now we have a bunch of countries in turmoil, and ISIS running rampant. How did that work out?
I remember top US officials claiming that the Iraqis would "welcome us as liberators" as if everyone would just abandon Saddam and start cheering "USA! USA!" as soon as troops cross the border.
I question the qualifications of the people making these decisions.
> They are the best and brightest, and the leadership generally above them are FROM the ranks of trusted/vetted/experienced individuals.
I'm not really sure what this has to do with anything. How does this relate to Snowden? How does this related to NSA whistleblowers? How does this relate to treason even?
> Snowden had forgotten to attach his key, which meant I could not encrypt my response.... His oversight was of no security consequence—it didn’t compromise his identity in any way...
Uh, didn't it compromise security by making it possible for someone else to MITM the rest of the emails Snowden received? They see the public key request before he does, send out their key instead, suppress his real response from being sent to them, decrypt mails to him and re-encrypt with his real key so he doesn't notice. AFAICT it indeed didn't compromise his identity, but the privacy and authenticity of the rest of the conversation.
Granted, like a lot of MITM scenarios, using crypto at all drastically raises the bar from permitting passive eavesdropping, to requiring a lot of access and agility to eavesdrop. At least, this is my personal, semi-informed conclusion lately -- I don't know what the experts say.
No that is not a solution.
If they swapped the public key they can read the message being sent back (it is encrypted with their public key), then encrypt it again with the real public key.
The only solution is to use another channel to authenticate the other's key, be it GPG's web of trust, or any other imperfect way (phone call, physically meeting, ...)
First, Agree on a reply latency -- say, 1 day.
Then, instead of simply replying to a message, you have an irritating four-step process:
1. Wait until one day after you received the message.
2. Send a digest of the message and your public key.
3. Wait another day.
4. Send the message itself.
All that sending would be using PGP.
The receiver must make sure that the delays for receiving the digest and the reply body are what the expect. This method requires a MITM to either anticipate what the message is or introduce an extra day of latency, which the receiving would notice.
You don't ask for your message back, you ask for the message Snowden sent again. The MITM-party can't have that, assuming that Snowden started with your correct public key.
But no more insecure than the original interaction. It's a generic problem with anonymous public key crypto. Hence the stuff with the twitter fingerprint.
Twitter fingerprint was for Laura's key. Micah's public key was already published and already signed by other known people, so Snowden was sure than only Micah can read the e-mails for Micah, unless somebody hacked Micah's computer, when all bets are off and GPG doesn't help anyway.
Yes but the Man in the Middle could very well be the author of the e-mail to Micah, didn't he? Micah would then have tweeted a fingerprint leading to eavesdropping.
No, not "eavesdropping." The fingerprint is only a fingerprint and only of the public key. It doesn't give new secrets away. Nobody can use it to read any mails of somebody else.
I should get back into doing GPG key signings. I really hope that, sometime soonish, someone does a decent browser email crypto thing. It doesn't have to be perfect, it just has to add to the amount of encrypted traffic on the internet.
The problem with GPG integration IMHO is not technical, it's practical: Most people (as it happens with tor) do not understand how it works and more specifically why it should work that way to avoid snooping and MiTM attacks. Until we solve that part, Pretty Good Privacy, won't work for most people.
As Einstein said: "Things should be made as simple as possible, but not simpler". By making PGP simpler, you're effectively killing it by adding more and more attack vectors.
One thing that worries me about GPG's trust model is that marginal trust doesn't actually stack very well. If three of my friends go to a key signing party, and each check some guy's ID to his face, I'm not really that much more confident that it wasn't a fake ID. The same holds, albeit weaker, over more spread out interactions... Only signing keys when I've known the person interacting in public under that identity for a protracted time seems a solution, but dramatically limits the growth of the network.
There's a well known problem with manufacturing inspction called "the two inspector problem".
Ann ispects units, then hands them on to Bob who performs a final inspection. Ann is falling behind so she gives the units a quick short less thorough inspection. She knows that Bob will catch the problem. Bob gets a sudden extra load of units, so he too gives them a less rigorous inspection. Bob knows that Ann has previously inspected them. It happens surprisingly often although not quite in that form.
There's a whole bunch of research shwoing what a group of people do when estimating numbers - they tend to clump around whatthe first person says.
I suspect three people checking and ID would be subject to both of these problems.
You can cryptographically verify any biometric passport (all Visa Waiver Program countries have them) and most European ID cards with any NFC-capable Android smartphone. They include the holder's name and picture and are signed by the government-controlled CA for that country's identity documents.
Hm, the only thing this app would do for me was optically scan the machine-readable print on the back on my ID-card. Didn't seem to want to do anything with the NFC-chip in it.
I am not sure, but I think that an implicit goal of keysigning is to: one, get any chain at all between two people for the more common case of no chain compared to the rarer case of active malice; and two, if enough people do it the graph should reveal impostors or at least a discrepancy that can be investigated. Someone may not realize there's a fake key out there with their name on it until a bunch of people start signing each others keys and uploading the wad of signatures to keyservers.
Very problematic is the potential of signers spam. Imagine people who blindly sign the keys only to appear listed when somebody looks for somebody well-known. Imagine ads in PGP keys.
Interesting. Potentially problematic, but it should be something we can deal with. Requiring acceptance of a signature for it to be posted seems like it does the job.
I think Keybase (https://keybase.io/) could really be the answer to this. Once there's a real public key directory and API things can really start to happen on the backend without most users even realizing it.
They recommend you to upload your _private_ key to their servers though! (Ok, encrypted with scrypt... but still...) ... a very bad thing to recommend users to do.
It's optional and encrypted, for most users it's the right choice. If you think of security as a spectrum - on one side you have protecting against dragnet collection and on the other you have protection from targeted attacks. Too often security discussions only talk about perfect security and while that is important, in the general case I think this is a good thing for most people.
I mostly agree (and my key never leaves my computer, though I've been considering sticking something in a safety deposit box), but I'm not entirely unsympathetic to the desire to offer more functionality. Is there a good solution involving delegation and short-lived keys?
Agreed, but this is all part of the core usability problem: it's too hard for users to reliably not lose their keys, and it's too hard to safely access them from all the places they're needed.
This article highlights for me how much the world could change if the overall knowledge level about PK crypto was raised -- if it became as intuitive for the non-technical user as, say, protecting physical keys.
Prohibiting strong crypto would create a huge contraband problem. That is, if you wanted to make strong crypto popular and attractive, you could hardly do better than to ban it.
0.) Greenwald makes same pattern of mistakes at least 3 times.
Get a tainted USB by federal express and get the USB firmware
level compromise.
Its a common LAZY practice, so ALL USB in Fedex are changed at
the central shipping hub. The history is to dissolve glue on envelope
and reseal. Today it is automated, perhaps. This is sci fi, of course.
2nd time Greenwald - use your partner to carry the solid state
devices. Lead to the 'drug war sweep' at the airport. Yes, your
clothes are removed to 'distract you' and to make sure that you
are not 'hiding' any USB drives.
3.) There are few 'excellent journalists' left. That's why WE
concentrated all of them on da verge as a single point of failure.
4.)Salient fact: there are only 2 techies that know gpg in the
org and the journalists dont care to learn or dont know what is
important?
6.)xkcd comic badone has hammer on your head and u will give
password. a/pple bio-metrics fooled again by latex clone.
no 3 is how u play. game: chess 'sing fortissimo' n-q6
(if I play a rank 1600 move, it means REVOKE credentials,
a 1900 move means pass)
7.)thought experiment - the radio operator is parachuted into
enemy territory. Captured and turned? or maybe...
8.)increas eing the noise to the signal for the metadata is more
important.of the h-l or letter h munus 1 which looks like letter l -
-pg for 3 letter acronym - is basic. so, twitter source is too low
entropy. steagan image or TWO simple texxt on public website
forum means plenty oof of downloaders.
summary
1.)who are the top 3 in the world?
2.)single point of faliure on one email website?
3.)meta-info ENCRYPTED MESSAGE HIDING plus tor, etc
trust attack or even simple denial of service attack leaving only
the 'bad ones' to be used.
8.)joke crypto. old Russian proverb.
we pretend to work and they pretend to play us ... oops pay us..
yoops slay us? So mister red wald start up the joke contest
and have plenty of playing the part of the green herring or is it
purple herring - fuscia maybe? - i dunno.
THIS WIL INNCREASE THE NOISE TO SIGNAL ratio where bad
tyoists yuuppsie TYPISTS are then on the tracking list.
Using number theory and the many old people who love to play
games and trade joiokes it is now time to look at spam and emails
Glad to see The Intercept is still bringing those hard-hitting revelatory leaks instead of merely capitalizing on public idolization with hagiographic exclusives.
I think the guy was trying to say that this was a war and that the informationin the article shouldn't have been shared, not just that but there was no real substance to what was shared and that the whole article was basically bragging.
Didn't really comment on the substance of what he was saying, other than to say that he was free to say what ever he liked.
I wonder, just a little bit, if the [deleted] poster, "soodef_32", isn't one of the TLA sockpuppets that we've seen hinted at, the ones that just stir up arguments to make sane people abandon targeted on-line forums.
So, not only can't Johny encrypt (http://www.gaudior.net/alma/johnny.pdf), but neither can security experts when their lives may depend on it. Proving once more that not only do we need better security tools, but - above all - more usable security tools.