1. 15

  2. 5

    “Does it protect against country level actors? Most probably not.”

    This isn’t true. Decent, decentralized solutions will protect against them if they’re not targeting you directly. Their main MO right now is mass surveillance with reactive, attack systems. They have smaller portion of resources for direct attacks. The centralized, popular solutions can be subverted much easier since the teams can focus on them. That’s why NSA… did subvert a bunch… while less popular solutions without single point of failure remained viable.

    GPG-encrypted files on any number of OS’s, configurations, transports, etc are anything from impossible to a nightmare for them to automatically attack. At best, they’re targeting the most popular configs by the least-cautious people. Mighty NSA says as much in Snowden leaks where analysts just give up when casual targets use GPG. They forward to TAO if target is important. On their end, the GPG-like tools increases exposure probability. A tool that almost always works fine starting to crash often might get the user to talk to a person that could investigate it. The files that caused the crash would be right there to tell where the vulnerability is.

    Note: Anyone wondering, “Why’s he keep bringing up NSA if not everyone is that important to U.S. attackers?” Obviously, what worked against the world’s most powerful attacker should work against those with less resources.

    1. 1

      the context of the article invokes the average investigative journalist with an old windows version as the victim, and any random customer of finfisher/hackingteam as the adversary - not the NSA, but the hungarian or turkish services for example. Also ~/.gnupg is quite a standard path to harvest with any RAT probably windows has a similar standard location, quite to opposite of being a nightmare to attack.

      1. 4

        Give them a LiveCD with the stuff built-in. Brian Krebs has taught plenty laypeople to do that for online banking.

        1. 3

          Consider your average investigative journalist or whistleblower, with windows or a mac, that they haven’t updated because then their kids favorite game doesn’t run anymore or they simply don’t want windows 10.

          That doesn’t sound like an investigator that should be handling cases with data that needs encryption. That doesn’t even sound like a professional journalist, letting his kid use his work machine that can contain such data.

          1. 2

            sadly reality is like that. look at the snowden movie how glen and the other journalists handled the case.

            1. 2

              Like you said, we should expect some effort on their part. Like stf said, many have horrid INFOSEC and OPSEC practices if they practice it at all. Security community needs to keep making idiotproof tech and guides for them.