7 September 2011
Disclosure Sites Insecurity Inevitability
Cryptome, September 6, 2011
A response to a query on the security of disclosure sites.
Cybersecurity wizards often repeat that a race is on between cyber defenders
against cyber attackers and the attackers are winning due to the greater
variety of attacker swarms against Maginot Line defenders.
A Dutch official said today that online security of government websites cannot
be assured, that ordinary paper and mail are much superior. That has been
Cryptome's advice for several years -- that online security is very poor
and security peddlers and product distributors are concealing this deficiency
to capitalize on the popularity of the Internet -- among them disclosure
New cyber defenses become outdated instantly due to a continuous onslaught,
some by amateurs having fun, some by competitors, most by criminals who sell
their produce to a bevy of purchasers, governmental, commercial, individual.
Attacks are increasing geometrically as youngsters (and oldsters) coming
into cyber marauding proliferate, in particular in nations outside the major
powers who are learning the limits of power in cyberworld they have created
This means that any platform which offers disclosure services, aka leaksites,
will lag the prowess and multitude of attackers and should warn submitters
that the first and most important defense must start on the submitters' end.
And that the greater the risk a submission poses to the submitter the greater
the need for for submitter's own defenses and never rely upon the platform's
promises of protection. This was put in a nutshell by a National Security
Agency paper in 2000 addressing the futility of computer security, "The
Inevitability of Failure: The Flawed Assumption of Security in Modern Computing
Beyond unavoidable insecurity in computers and networks, submissions may
be intercepted in transit, misplaced at the platform end, misunderstood and/or
misjudged by the platform staff, or improperly explained and published.
Disclosure platforms do not have sufficient stable, well-trained staff to
compensate for the turnover in volunteers with their limited skills ineptly
directly by site operators.
You will recall that these are all applicable to WikiLeaks and most of its
emulators as well as governments, commerce and the wealthy. OpenLeaks has
attempted to address them but it is quite difficult not only for a low-resourced
initiative but also for the well-endowed.
At the moment the well-endowed and those less so are obscuring the lack of
online and other forms of digital security, instead engage in what the wizards
call "security by obscurity," hoping attackers will not find and exploit
As we see near daily, admission of security breaches are escalating not because
the providers want to tell but because insecurity is being exposed by those
who wish to no longer hide the truth known to insiders and a growing crowd
of outsiders. To wit, DDB and others in the security and hacker world. They
are calumnized by insiders who hope to maintain obscurity a while longer.
This means your most distinguished institutional readers in finance, law,
government, intelligence and the rest who vaunt their prowess for credibility,
authenticity and security, face increasing disclosure of faults in their
protection pretenses -- which includes global Cyber Command initiatives.
The petit furor with Wikileaks, OpenLeaks, Anonymous and newsy ilk portends
a grand furor building toward disclosing something wonderful, I hope, about
the cost of excessive secrecy and security obscurity, no matter who lurks
beneath the cloak. Wikileaks and emulators are the least problematic compared
to the Titanic-grade protectors of the commonweal who are being outmatched
by icebergs much more threatening than security-truth-disclosure sites.