crystal faeries

divine love consciousness blog

1st January 1970

The actual problems of fraudulent documents are worse than Bruce describes below, for in the scenarios he presents, it is assumed that the authenticity of none of the documents being presented to the public can be either proved or disproved. There is, however, a distressing legal precedent in at least the legal procedures of the fraudulent corrupt criminal cabal naming itself THE UNITED STATES, INCORPORATED, which has declared that PKI signed documents are irrefutably validly assignable to, and the liability of, their signer. This is all well and good until such time as that "signer" loses control of their "private key", which is way too easy to do in the day and age of unremovable rootkits which can reside inside your hard disks surviving even drive reformatting, (authored by the NSA), inside the "management engine" hardware backdoor iNtel builds into all their CPUs, (the NSA bought their perversion of their "Hardware Random Number Generator" inside their CPUs so that modern Linux™ and BSD UNIX operating systems will not use them), inside the GPU card, etc., not the least adverse and untrustworthy actor operating such being the nefarious and notorious NSA. Specifically because i have known of these problems for many years due to my own careful analysis of the overall technology, (yes, i am an ex-computer design engineer), i have never, and never will, utilize PKI cryptography, so if anyone ever presents a document and claims that a PKI signature on it proves i am the author of it and it validly documents something i said? it's utter bullshit, period.
Be warned, all users of GPG or PGP encryption! -- celeste:crystalfaery 2016-09-14 16:52:37+00:00

| Feed: Schneier on Security |
| Item: Organizational Doxing and Disinformation |

In the past few years, the devastating effects of hackers breaking into an organization's network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca.

This style of attack is known as organizational doxing. The hackers, in some cases individuals and in others nation-states, are out to make political points by revealing proprietary, secret, and sometimes incriminating information. And the documents they leak do that, airing the organizations' embarrassments for everyone to see.

In all of these instances, the documents were real: the email conversations, still-secret product details, strategy documents, salary information, and everything else. But what if hackers were to alter documents before releasing them? This is the next step in organizational doxing -- and the effects can be much worse.

It's one thing to have all of your dirty laundry aired in public for everyone to see. It's another thing entirely for someone to throw in a few choice items that aren't real.

Recently, Russia has started using forged documents as part of broader disinformation campaigns, particularly in relation to Sweden's entering of a military partnership with NATO, and Russia's invasion of Ukraine.

Forging thousands -- or more -- documents is difficult to pull off, but slipping a single forgery in an actual cache is much easier. The attack could be something subtle. Maybe a country that anonymously publishes another country's diplomatic cables wants to influence yet a third country, so adds some particularly egregious conversations about that third country. Or the next hacker who steals and publishes email from climate change researchers invents a bunch of over-the-top messages to make his political point even stronger. Or it could be personal: someone dumping email from thousands of users making changes in those by a friend, relative, or lover.

Imagine trying to explain to the press, eager to publish the worst of the details in the documents, that everything is accurate except this particular email. Or that particular memo. That the salary document is correct except that one entry. Or that the secret customer list posted up on WikiLeaks is correct except that there's one inaccurate addition. It would be impossible. Who would believe you? No one. And you couldn't prove it.

It has long been easy to forge documents on the Internet. It's easy to create new ones, and modify old ones. It's easy to change things like a document's creation date, or a photograph's location information. With a little more work, pdf files and images can be altered. These changes will be undetectable. In many ways, it's surprising that this kind of manipulation hasn't been seen before. My guess is that hackers who leak documents don't have the secondary motives to make the data dumps worse than they already are, and nation-states have just gotten into the document leaking business.

Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics. They have tense conversations with governments, trying to get them to verify secret documents they're not actually allowed to admit even exist. This is only possible because the news outlets have ongoing relationships with the governments, and they care that they get it right. There are lots of instances where neither of these two things are true, and lots of ways to leak documents without any independent verification at all.

No one is talking about this, but everyone needs to be alert to the possibility. Sooner or later, the hackers who steal an organization's data are going to make changes in them before they release them. If these forgeries aren't questioned, the situations of those being hacked could be made worse, or erroneous conclusions could be drawn from the documents. When someone says that a document they have been accused of writing is forged, their arguments at least should be heard.

This essay previously appeared on


Posted:   2016-09-14 11:21:10 UTC
Author:   Bruce Schneier
Filed under:   data loss, doxing, essays, forgery, hacking
