back to article Snowden lawyer PGP email 'crack' flap: What REALLY happened?

The leak of a PGP-encrypted email between Ed Snowden's pet journalist Glenn Greenwald and a lawyer has created a bit of a fuss in crypto circles. Jesselyn Radack, a national security and human rights brief, ‪said an encrypted email sent by her to Greenwald was this week leaked by persons unknown to Cryptome, the long-running …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    what to expect....

    DNS hijacking of MX records;

    The PGP algo has a decryption backdoor;

    TOR is a honeypot run for ulterior motives.

    1. Anonymous Coward
      Anonymous Coward

      Re: what to expect....

      The third key is a false flag. At least one of the machines involved is compromised. Rumor has it, the government has people who know how to write malware not noticed by the AV vendors.

      1. Dr. Mouse

        Re: what to expect....

        Rumor has it, the government has people who know how to write malware not noticed by the AV vendors.

        Or intentionally ignore?

        1. Mark 85

          Re: what to expect....

          I think you're dead on with "ignore" and I'm sure a phone call would be made to check.

          As for thinking that NSA broke this, would they be that stupid to give away that they can break PGP over a relatively minor issue? On second thought, it's politics and government doing the Power Waltz.

          1. Anonymous Coward
            Anonymous Coward

            Re: give away that they can break PGP

            1. Compromise the sender's PC.

            2. Copy the email.

            3. Insert false data pointing to a fake third key.

            4. Post it to a hacker leak site.

            5. Make popcorn to eat while watching what happens.

            Possible results:

            1. Cast doubt on journalist.

            2. Cast doubt on Snowden.

            3. Cast doubt on recipient.

            4. Cause confusion amongst unconnected cryptos.

            5. Possibly move punters from a secure PGP implementation to a secretly compromised solution.

        2. BillG
          Big Brother

          Re: what to expect....

          Rumor has it, the government has people who know how to write malware not noticed by the AV vendors.

          If that were true, then others would have discovered it too.

          Or intentionally ignore?

          That could apply to U.S. antivirus companies, but what about non-U.S. antivirus companies? Would they intentionally ignore U.S. gov malware if asked?

      2. Anonymous Coward
        Anonymous Coward

        Re: what to expect....

        > the government has people who know how to write malware not noticed by the AV vendors

        That would be delightful news if it were true, because it would mean there is at least ONE competent government department.

        In reality, I rather suspect we're seeing another ballistic missile scare (when it was claimed the USSR had thousands of ICBMs and stuff like that, when in reality it turned out to be about two of them, which is rather more realistic if you consider how many other rockets you see being built and launched for actual profit).

        I'd be inclined to bet your favourite spy agency's Malware Department is probably manned by some civil service geezer running a copy of Borland Turbo Pascal on DOS 5.0. :-/

        1. oolor

          Re: what to expect....

          >running a copy of Borland Turbo Pascal on DOS 5.0. :-/

          Ah, a Real Programmer. That explains why the government cannot find anything (think veterans records in the States).

          If only...

        2. RMycroft

          Re: what to expect....

          I think they upgraded him to Free Pascal running on a Raspberry Pi last year. Now we're in trouble!

  2. Chris Miller

    All your key are belong us

    Message ends

  3. theOtherJT Silver badge

    Or perhaps someone snaffled her key out of some "bloody" ram...

  4. Brewster's Angle Grinder Silver badge

    Hey, if we're speculating wildly...

    A working Quantum Computer?

  5. bigtimehustler

    Hmm, I have to say the most likely explanation is exactly the one offered, a 3rd party managed to get the email sent to them with a key they can decrypt. Just a usual social engineering/malware attack which is only gaining conspiracy theories due to the parties involved.

    1. ElReg!comments!Pierre

      That, or...

      ... once one of the machines is compromised you don't even need the key...

  6. Destroy All Monsters Silver badge

    I am not happy about this.

    US security experts with a patriotic – generally pro-NSA – perspective (such as the th3j35t3r here), along with former NSA staffers (here), were delighted by the whole episode

    Until their $PREFERRED_POLITICIAN is killed off by strategic leaks.

    The rule of men, not of laws.

    1. Levente Szileszky

      Err...

      ...since when "a patriotic perspective" equals "generally pro-NSA", seriously?

      If anything "pro-NSA" = anti-Constitution != patriotic stance...

  7. Anonymous Coward
    Anonymous Coward

    But...

    The lawyer would have needed to have previously imported the 'third party' public key to the keyring before the PGP / GPG client could encrypt the message content for that third party key.

    It is more likely that the lawyer either mistakenly imported this third party key and then included the email address associated with the key before sending (odds on that?), or the email / PGP / GPG client has been compromised in some way which potentially allows spam emails to insert a public key into a users keyring (oo-er) without actually importing it and subsequently inserting the email address associated with the key into the recipient list automagically. This way you do not need to compromise the PGP encryption, you just get mailed a copy - waaaaaaaay easier.

    1. Anonymous Coward
      Anonymous Coward

      Re: But...

      "and then included the email address associated with the key before sending (odds on that?)"

      The mail client in the message (see links in article) is iPGMail. This uses the email addresses in the keys automatically. You select which keys you want as recipients and it encrypts to those keys and sends to the addresses in those keys.

      Hence it will indeed be that an imposter key was imported and used.

  8. Uffish

    Laws

    What is the legal position of Snowdon and asociated people? Are they fair prey for the spooks /FBI / local cops etc. Twelve good men and true may well consider Snowdon & Co have right on their side but does the law?

    The leak might be legal FUD from the spooks or an illegal act by a concerned wellwisher.

    1. ManxPower

      Re: Laws

      The NSA considers anyone on this planet to be fair prey. The FBI considers anyone in the USA to be fair prey. Local cops might be marginally better, but only because they lack the technical skills of the federal agencies.

      1. Matt Bryant Silver badge
        Facepalm

        Re: ManxPower Re: Laws

        "TThe NSA considers anyone on this planet to be fair prey. The FBI considers anyone in the USA to be fair prey. Local cops might be marginally better, but only because they lack the technical skills of the federal agencies." The NSA has to consider the possibilty of threats arising from any part of the planet. The FBI has to consider the chance that threats may arise within the USA. Local cops have the ability to call on the resources of the federal agencies. TFTFY.

    2. Vociferous

      Re: Laws

      > What is the legal position of Snowdon and asociated people?

      Snowden is a spy under US law. He can never go to the US or any country with an extradition treaty with the US without being arrested and subsequently tried for espionage.

      The people who've helped him (Assange etc) did not help him steal the secrets and are not on US soil, and so are not under US jurisdiction. They might still get barred from visiting the US if Uncle Sam feels vindictive, but can't really be prosecuted as they're not subject to US law.

  9. Crisp
    Coat

    -----BEGIN PGP MESSAGE-----

    Version: GnuPG v2.0.17 (MingW32)

    It's all plain text now baby!

    -----END PGP MESSAGE-----

  10. Lee D Silver badge

    Well

    I don't believe PGP, or traditional PKE, has been cracked.

    But someone REALLY wants everyone off PKE lately.

    And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested.

    When you think the trick is being done... it's already happened.

    As far as I'm concerned, until I see a documented attack that cannot have happened any other way, I'll stick with what I know works. Call me back when EC has been in worldwide deployment for a decade or two.

    1. Matt Bryant Silver badge
      Happy

      Re: Lee D Re: Well

      "I don't believe PGP, or traditional PKE, has been cracked...." Don't believe or don't want to believe? Either way, I would suggest the simpler and more likely explanation is that the lawyer and journo involved are both technically-illiterate. After all, when A$$nut was working with the Guardian he had to explain to their journos how to unzip docs, do you really think they're going to do any better with PGP? Personally, I think Greenie leaked it himself since no-one had noticed the non-award he "achieved".

      Anyway, old Snowdope and Greenie are always banging on about open-ness, surely they should approve the leak?

    2. codebeard

      Re: Well

      "And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested."

      You can implement PFS without using ECC, but just with standard Diffie-Hellman. I'm pretty sure both options are available in OpenSSL. Anyway, it's just an extra level of protection, it really can't make things worse.

  11. Anonymous Coward
    Anonymous Coward

    Occam's Razor

    Is it hard to believe that a journalist, working at a new job, is just getting free publicity?

    1. Leak trivial email

    2. Blame nefarious evil-doers

    3. Free press

    4. Viewers visit your new News site to see why you are being hacked

    5. Profit!!!

    At least his business plans are more complete than 99% of IT related businesses.

    1. Vociferous

      Re: Occam's Razor

      If this had been Assange's original lawyer, Mark "Sex By Surprise" Stephens, then I'd definitely have agreed. That moron was just a red nose and a pair of oversized shoes short of a circus act.

    2. oolor
      IT Angle

      Re: Occam's Razor

      1. Leak trivial email, blame nefarious evil-doers, get free press.

      2. Viewers visit your new News site to see why you are being hacked.

      5. Profit!!!

      At least his business plans are more complete than 99% of IT related businesses.

      FTFY - now it is in typical internet business plan mode. WTF is that gibberish for number 2 though? It seems to be more of a !!! than the usual ???

  12. Rob Crawford

    Alternately

    Corporate versions of PGP provide employers with the ability to decrypt employees encrypted messages

    1. Andrew Austin

      Re: Alternately

      ADK - look it up...

  13. Vociferous

    I've complete confidence in people's ability to screw up.

    I wouldn't be surprised if he'd managed to send the message unencrypted to a mailing list. Then printed it. And forgot to pick up the printout.

  14. Anonymous Coward
    Anonymous Coward

    Cryptome allegations

    Cryptome's stance that comsec experts 'often conceal vulnerabilities' is interesting as it implies ulterior motives to do so. No self respecting security expert would do this as they know full well that an undisclosed vulnerability will never be solved. Full disclosure is one of the first things such an expert will preach to anyone that would listen.

    What motive would they have to do this when it can affect them directly as users of the same software.

    It implies that cryptome is referring to computer security experts in the employment of someone with a vested interest in undermining PKE, the same entity which, crucially, would have most to gain from making it seem like PKE has an as of yet undisclosed vulnerability; whether or not that is the case being immaterial.

    1. Tom 13

      Re: Cryptome allegations

      You proceed from a false assumption. Cryptologists work not only on creating secure encryption, but also work on breaking them. So whether or not you leak it depends very much on which side of the fence you are working. Comsec will invariably involve both types even if it is because the breakers infiltrate the creators.

  15. southpacificpom

    Cryptomania

    First rule of security is that there is no security - always expect the unexpected.

  16. Anonymous Coward
    Anonymous Coward

    Patriotic?

    "US security experts with a patriotic – generally pro-NSA – perspective"

    Trampling over the constitution and ignoring everything that the country is supposed to stand for is patriotic now?

    1. Vociferous

      Re: Patriotic?

      > Trampling over the constitution and ignoring everything that the country is supposed to stand for is patriotic now?

      In the US... kindof. The more authoritarian someone is in the USA, the more likely to wrap himself in the flag and carry a cross.

  17. AbeSapian

    Heartbleed Anybody?

    Could this be related to the Heartbleed bug?

This topic is closed for new posts.

Other stories you might like