TheCthulhu / CthulhuSec to Cryptome
I'm curious what everyone thinks. I personally agree with TheCthulhu, but I'm not a tech or crypto expert.
Original: https://www.thecthulhu.com/a-response-to-cryptome/
So today (20th December) I posted a mirror of the Cryptome archive I received from a close associate of mine (of whom I trust greatly) and was met by a rather blunt response from the Cryptome administrators regarding the integrity of the data I host. As many know, I take the subject of tampering very seriously, and whenever I have leaked or shared data I strive to provide it with a SHA1 and SHA256 hash at a minimum and also provide torrents, HTTPS and onion download options. Furthermore, if ever asked, I would also sign files using my personal PGP key.
[image: 7fc92ced0b91c71560dcdc251bc2a0d9] <https://www.thecthulhu.com/wp-content/uploads/7fc92ced0b91c71560dcdc251bc2a0d9.png>
The response I received from Cryptome was also either hinting that the entire research and crypto community is wrong in their conclusions, or that the Cryptome administrators don’t understand it themselves. The assumption that cryptography is unbreakable assuming an adversary with unlimited resources is wrong, even an adversary with limited resources given enough time can break all cryptography, but that doesn’t make it anything other than a theoretical matter when put into the actual context. This statement in particular “Mirroring is tampering. We ask that mirrors be labeled as tampering.” really also irritates me.
If Cryptome is so concerned that data is being tampered with, I suggest the following:
1. An MD5, SHA1, SHA256, SHA512 and Whirlpool digest be produced for the full archive of files in a format such as .zip or .tar.
2. The Cryptome administrators sign all the digests in a single PGP message to verify the hashes match the archive they produced.
3. The PGP signed message is published with the digests for 14 days on the Cryptome website, Twitter, my Twitter, my blog and any other source who wishes to make a copy of it. The 14 day period allows time for any party to raise concerns if say for example, a third party had stolen the PGP keys to forge the signature then the Cryptome administrators should have had time to realise this and either revoke the key or in some way suggest the archive is not legitimate.
4. After the 14 day period, the archive is made available publicly to which I shall ensure the hashes can be reproduced on my end, and then I will also sign the digests message to say it is the one I received and will be mirroring.
5. A torrent file can be produced which downloads the archive file specified above; this can also be signed by myself and Cryptome so people can be sure it is the one we intended to distribute and another layer of checks by checking the hash once downloaded exists.
6. External parties such as Twitter followings, security researchers etc cross sign the digests and our keys if they know us sufficiently and trust the archive is true as it was intended to be distributed.
If the above procedure is not sufficiently secure, then one must operate on the assumption all technology is unsafe to use. There is the legitimate concern of hardware tampering and backdoors, which is why open source software should be used at all stages. However, I would like to draw attention to the fact that Cryptome offers the full archive for $100 which is shipped via USB. Therefore, concerns regarding hash or cryptographic security yet readily shipping USBs seems to me a fairly extreme state of cognitive dissonance given what is known about attacks like BadUSB and state physical interception operations.
I call on Cryptome to start allowing proper mirroring of content. Nobody has called upon Cryptome to host the content themselves or in any way incur additional costs. What is being asked is that you provide the content with reasonable security as I propose above, rather than completely ignoring the matter which will drastically reduce the security and safety of downloads. If you claim to be all about anti-censorship and transparency, then the measures I propose above are a good fit. This isn’t about offering 100% perfect security, this is about offering people the ability to verify the files in a manner which is reasonable and proportionate to the technology even state level adversaries currently possess. Even if you disagree on the security of the cryptographic protocols and measures I describe above, know that the vast majority of researchers and information security professionals disagree with you, and that providing it is still far better than not providing the hashes at all.
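An added example, not part of the original post or of any message in this thread: steps 1 and 4 of the proposed procedure in Python, producing the digest list in one pass over the archive and then checking a mirror copy against it. PGP signing of the digest list (step 2) is assumed to happen outside the code, for instance with `gpg --clearsign`; the file name `archive.tar`, the manifest layout and all function names are hypothetical.

```python
import hashlib
import hmac
import io

# Step 1 digests; Whirlpool exists only if the local OpenSSL build provides it.
WANTED = ("md5", "sha1", "sha256", "sha512", "whirlpool")
# Assumption of this example: MD5/SHA1 matches alone are not accepted,
# because both have practical collision attacks.
REQUIRED = ("sha256", "sha512")

def _usable(name):
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False

def digest_stream(stream, chunk=1 << 20):
    """Read the archive once and feed every usable algorithm from each block."""
    hashers = {n: hashlib.new(n) for n in WANTED if _usable(n)}
    while block := stream.read(chunk):
        for h in hashers.values():
            h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}

def write_manifest(name, digests):
    """Plain-text digest list, the message the publisher would PGP-sign (step 2)."""
    return "".join(f"{a}  {d}  {name}\n" for a, d in sorted(digests.items()))

def verify_mirror(stream, manifest, required=REQUIRED):
    """Step 4: recompute locally and compare; fail closed on any gap or mismatch."""
    published = {}
    for line in manifest.splitlines():
        alg, hexd, _name = line.split(None, 2)
        published[alg.lower()] = hexd.lower()
    local = digest_stream(stream)
    results = {a: hmac.compare_digest(local[a], want)
               for a, want in published.items() if a in local}
    ok = all(results.values()) and all(results.get(a) for a in required)
    return ok, results

# Constructed sample data standing in for the archive and a modified mirror copy.
SAMPLE = b"constructed archive bytes " * 4096
TAMPERED = SAMPLE[:-1] + b"!"
MANIFEST = write_manifest("archive.tar", digest_stream(io.BytesIO(SAMPLE)))

if __name__ == "__main__":
    print(MANIFEST, end="")
    print(verify_mirror(io.BytesIO(SAMPLE), MANIFEST))
    print(verify_mirror(io.BytesIO(TAMPERED), MANIFEST))
```

The manifest passed to `verify_mirror` should be the body of a signed message whose signature has already been checked; a digest list that is not authenticated proves nothing about who produced it.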
On December 20, 2015 5:22:01 PM Michael Best <themikebest@gmail.com> wrote:
I'm curious what everyone thinks. I personally agree with TheCthulhu, but I'm not a tech or crypto expert.
Also agree with thecthulhu. Cryptome's stance on mirroring has become arcane, and they like to dole out plenty of criticism but refuse to adopt basic security protocols. Yeah, it's not perfect. It's what we have for the moment, though, and it's better than nothing. Thecthulhu's 14-day key posting idea makes a lot of sense.
I'm interested in others' views as well. Tbh, I'm wary of Cryptome admin these days. When they recently tweeted out bullshit like 'Sabu's handler's number' to Jake then tried to backpedal as usual and say it was a joke, like all the other recent "jokes"... well, many of us are not amused.
Cryptome is, or was for a very long time, a respected repository of information. It'd be perfectly understandable if you're ready to hang it up, just please do it soon before you run it off the rails. Please pass it along to others who are ready to take up the task and maintain what you have so painstakingly built.
Sorry for veering slightly off-topic. It recently came up in conversation and this seemed like a good time to bring it up.
-S
On 12/21/15, Shelley <shelley@misanthropia.org> wrote:
Cryptome is, or was for a very long time, a respected repository of information. It'd be perfectly understandable if you're ready to hang it up, just please do it soon before you run it off the rails. Please pass it
git (bare repo) with hidden server (tor, i2p) mirrors would enable distributed, anonymous, incremental updates to the repository to be published easily
On 12/20/2015 08:21 PM, Michael Best wrote:
I'm curious what everyone thinks. I personally agree with TheCthulhu, but I'm not a tech or crypto expert.
Original: https://www.thecthulhu.com/a-response-to-cryptome/
So today (20th December) I posted a mirror of the Cryptome archive I received from a close associate of mine (of whom I trust greatly) and was met by a rather blunt response from the Cryptome administrators regarding the integrity of the data I host. As many know, I take the subject of tampering very seriously, and whenever I have leaked or shared data I strive to provide it with a SHA1 and SHA256 hash at a minimum and also provide torrents, HTTPS and onion download options. Furthermore, if ever asked, I would also sign files using my personal PGP key.
JYA is already performing above and beyond the call of duty in the area of integrity assurance, by posting a disclaimer that disavows the provenance, integrity, and fitness for use for any purpose of anything found floating at Cryptome.
Using form and context to affect human behavior is an architect's stock in trade. Decorating Cryptome with a veneer of truthiness and trustability would be a very poor design choice.
:o)
On 12/20/15, Michael Best <themikebest@gmail.com> wrote:
I'm curious what everyone thinks. I personally agree with TheCthulhu, but I'm not a tech or crypto expert.
Original: https://www.thecthulhu.com/a-response-to-cryptome/
clearly we should not be posting hashes because then they get blacklisted!
E.g. https://twitter.com/CthulhuSec/status/679898814032048128
"Somebody added the hash of my @Cryptomeorg archive to the Windows Defender definitions..."
keep those digests secret, like key material!! OPSEC means NO HASHES ;P
best regards,
###MACHINE_MIND_NOTE: sarcasm, satire, sha2.
On Mon, Dec 28, 2015 at 10:01 PM, coderman <coderman@gmail.com> wrote:
On 12/20/15, Michael Best <themikebest@gmail.com> wrote:
Original: https://www.thecthulhu.com/a-response-to-cryptome/
clearly we should not be posting hashes because then they get blacklisted!
Unsigned hashes get modified. Unencrypted hashes get read. Activities on clearnet by twatters get monitored.
E.g. https://twitter.com/CthulhuSec/status/679898814032048128
participants (6)
- coderman
- grarpamp
- Michael Best
- Shelley
- Steve Kinney
- Zenaan Harkness