[cryptome] TheCthulhu / CthulhuSec to Cryptome

Shelley shelley at misanthropia.org
Sun Dec 20 17:59:37 PST 2015

On December 20, 2015 5:22:01 PM Michael Best <themikebest at gmail.com> wrote:

> I'm curious what everyone thinks. I personally agree with TheCthulhu, but
> I'm not a tech or crypto expert.

Also agree with thecthulhu.  Cryptome's stance on mirroring has become 
arcane, and they like to dole out plenty of criticism but refuse to adopt 
basic security protocols.  Yeah, it's not perfect.  It's what we have for 
the moment, though, and it's better than nothing.  Thecthulhu's 14-day key 
posting idea makes a lot of sense.  I'm interested in others' views as well.

Tbh, I'm wary of Cryptome admin these days.  When they recently tweeted out 
bullshit like 'Sabu's handler's number' to Jake then tried to backpedal as 
usual and say it was a joke, like all the other recent "jokes"... well, 
many of us are not amused.

Cryptome is, or was for a very long time, a respected repository of 
information.  It'd be perfectly understandable if you're ready to hang it 
up, just please do it soon before you run it off the rails.  Please pass it 
along to others who are ready to take up the task and maintain what you 
have so painstakingly built.

Sorry for veering slightly off-topic.  It recently came up in conversation 
and this seemed like a good time to bring it up.


> Original: https://www.thecthulhu.com/a-response-to-cryptome/
> So today (20th December) I posted a mirror of the Cryptome archive I
> received from a close associate of mine (of whom I trust greatly) and was
> met by a rather blunt response from the Cryptome administrators regarding
> the integrity of the data I host. As many know, I take the subject of
> tampering very seriously, and whenever I have leaked or shared data I
> strive to provide it with a SHA1 and SHA256 hash at a minimum and also
> provide torrents, HTTPS and onion download options. Furthermore, if ever
> asked, I would also sign files using my personal PGP key.
> [image: 7fc92ced0b91c71560dcdc251bc2a0d9]
> <https://www.thecthulhu.com/wp-content/uploads/7fc92ced0b91c71560dcdc251bc2a0d9.png>
> The response I received from Cryptome was also either hinting that the
> entire research and crypto community is wrong in their conclusions, or that
> the Cryptome administrators don’t understand it themselves. The assumption
> that cryptography is unbreakable assuming an adversary with unlimited
> resources is wrong, even an adversary with limited resources given enough
> time can break all cryptography, but that doesn’t make it anything other
> than a theoretical matter when put into the actual context. This statement
> in particular “Mirroring is tampering. We ask that mirrors be labeled as
> tampering.” really also irritates me.
> If Cryptome is so concerned that data is being tampered with, I suggest the
> following:
> 1. An MD5, SHA1, SHA256, SHA512 and Whirlpool digest be produced for the
> full archive of files in a format such as .zip or .tar.
> 2. The Cryptome administrators sign all the digests in a single PGP message
> to verify the hashes match the archive they produced.
> 3. The PGP signed message is published with the digests for 14 days on the
> Cryptome website, Twitter, my Twitter, my blog and any other source who
> wishes to make a copy of it. The 14 day period allows time for any party to
> raise concerns if say for example, a third party had stolen the PGP keys to
> forge the signature then the Cryptome administrators should have had time
> to realise this and either revoke the key or in some way suggest the
> archive is not legitimate.
> 4. After the 14 day period, the archive is made available publicly to which
> I shall ensure the hashes can be reproduced on my end, and then I will also
> sign the digests message to say it is the one I received and will be
> mirroring.
> 5. A torrent file can be produced which downloads the archive file
> specified above; this can also be signed by myself and Cryptome so people
> can be sure it is the one we intended to distribute and another layer of
> checks by checking the hash once downloaded exists.
> 6. External parties such as Twitter followings, security researchers etc
> cross sign the digests and our keys if they know us sufficiently and trust
> the archive is true as it was intended to be distributed.
> If the above procedure is not sufficiently secure, then one must operate on
> the assumption all technology is unsafe to use. There is the legitimate
> concern of hardware tampering and backdoors, which is why open source
> software should be used at all stages. However, I would like to draw
> attention to the fact that Cryptome offers the full archive for $100 which
> is shipped via USB. Therefore, concerns regarding hash or cryptographic
> security yet readily shipping USBs seems to me a fairly extreme state of
> cognitive dissonance given what is known about attacks like BadUSB and
> state physical interception operations.
> I call on Cryptome to start allowing proper mirroring of content. Nobody
> has called upon Cryptome to host the content themselves or in any way incur
> additional costs. What is being asked is that you provide the content with
> reasonable security as I propose above, rather than completely ignoring the
> matter which will drastically reduce the security and safety of downloads.
> If you claim to be all about anti-censorship and transparency, then the
> measures I propose above are a good fit. This isn’t about offering 100%
> perfect security, this is about offering people the ability to verify the
> files in a manner which is reasonable and proportionate to the technology
> even state level adversaries currently possess. Even if you disagree on the
> security of the cryptographic protocols and measures I describe above, know
> that the vast majority of researchers and information security
> professionals disagree with you, and that providing it is still far better
> than not providing the hashes at all.

More information about the cypherpunks mailing list