Re: Sen. Patrick Leahy's PGP key now avail.
At 5:06 AM 5/3/96, Bill Stewart wrote:
>One of the most important parts of any security analysis is the
>threat models. In this case, we're talking about sending email
>_to_the_government_.
>
>There may be something you want to tell the Senator or his staff that
>you want kept private from the public or from rest of the government,
>and Tim's phrase "Unless the information is 'secret'" seems to cover that.
>Maybe you want to say "My company lost $X to competitor Y"; that's private.
>Maybe you want to say "The FBI is reading your email, y'know..."
>Maybe you want to attach a $20 MarkTwain DigiCash campaign contribution.
And besides my explicit mention of "unless secret," which I suspect is not
the case in the context of "communicating with Sen. Leahy," I also
explicitly mentioned that it is unlikely Sen. Leahy is doing the reading of
e-mail or the encrypting. The PGP key is really "Leahy's office key."
I'd say it's 99.95% likely that the PGP key was generated by a staffer--the
resident e-mail geek--and that only staffers know how to use PGP. (In fact,
probably only the one staffer who generated the key and knows the
passphrase....)
This gives new meaning to "man in the channel." When you send an encrypted
message to "Senator Leahy," be sure to tell "Mitch" it's urgent that the
Senator see it!
(Don't misunderstand me, anyone. I'm not expecting perfect security, and
the fact that secretaries and staffers may likely be the actual "keepers of
the keys" is hardly new or surprising. They've always served this role. And
until this changes, with PGP getting easier to use or with a more
conventional key arrangement, I expect few senators will be typing in PGP
stuff.
(By "more conventional" I mean a model where some token or object is used,
as with the crypto ignition keys, which I can imagine _some_ Senators
actually carry and use, depending on their connections to the intelligence
and military establishment. Or biometric security, etc.)
>But usually, telling the government something is fairly similar to
>publishing it, in terms of expectation of privacy, even in a republic.
>The tradeoff is between using PGP to make a point, and getting the staff
>to read it. Typically, Congressional Staffs are Your Friends, at least
>more directly than the Congresscritters themselves. Lobby _them_;
>making their job easier is a good start.
I agree. My main point was that staffers are already extremely pressed for
time, often quickly sorting incoming constituent mail into "yes" or "no"
piles for later counting on some issue. It's unlikely in the extreme that a
PGP-encrypted mail message will be looked at, unless the staffer thinks it
must be spook-related. When the staffer finds it's just a position advocacy
letter, and that he spent time decrypting it, it'll likely have the
opposite effect we want.
And it _still_ won't be the "real" Senator Leahy doing the decrypting!
So, what is accomplished except "feel good" thoughts?
--Tim May
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
[email protected] 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Licensed Ontologist | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."