Article Lead Image

PGP encryption still intact despite Glenn Greenwald email leak

PGP encryption is probably not broken, but impersonation is still a problem.

 

Patrick Howell O'Neill

Internet Culture

Posted on Apr 8, 2014   Updated on May 31, 2021, 12:32 pm CDT

Cryptome, the digital leak library that predates WikiLeaks by ten years, published late Monday an encrypted, week-old email between journalist Glenn Greenwald and human rights lawyer Jesselyn Radack.

The email, which was a relatively inconsequential congratulations to Greenwald on winning the McGill Medal for Journalistic Courage, raised questions about Radack or Greenwald’s security being compromised. Another possible theory was that PGP (Pretty Good Privacy) encryption—which has been characterized as “the closest you’re likely to get to military-grade encryption”—may have been broken somehow. The news caused somes waves when the it hit late Monday night.

PGP is the 23-year-old encryption program Greenwald was first taught when he made contact with NSA contractor Edward Snowden. In the last year, a wide range of journalists have adopted PGP encryption in an effort to protect sources and beat surveillance. If PGP was broken, the implications for Internet privacy, security, and journalism would be enormous.

Opening the leak, Cryptome’s John Young asked for any more information to be sent his way: “Cryptome is not aware of any reports of PGP being broken although allegations about it are commonplace. If there such bonafide reports please send: cryptome[at]earthlink.net.”

Radack responded to the leak on Twitter last night, angrily confirming the email’s authenticity.

@Cryptomeorg WTF?? By hacking my PGP msg to .@ggreenwald & publishing it you’re trying to prove PGP isn’t perfect? No shit. Quit doxing.

— Jesselyn Radack (@JesselynRadack) April 8, 2014

Jacob Appelbaum, prominent privacy advocate and a developer on the Tor Project, investigated the email and called it “disinfo,” saying the Cryptome post does not include “the full message,” that Radack’s message was encrypted not only for Greenwald but also for an unidentified third party.

@joshuafoust She wasn’t hacked, she encrypted the message to a third key. I emailed @Cryptomeorg to update his disinfo post.

— Jacob Appelbaum (@ioerror) April 8, 2014

“I did some digging and I think you’ve come to the wrong conclusion about everything,” Appelbaum wrote in an email to Young, which was later published on Cryptome. “Actually, I think you are actively being played by someone to mess with everyone involved.”

The originally leaked email was allegedly modified to appear as though it was sent only between Greenwald and Radack. If that was the case, then someone else being able to read it would be cause for alarm.

However, Appelbaum is now claiming that Radack “sent that email to three different email addresses and the PGP encrypted message on Cryptome is truncated or tampered with in some fashion to remove evidence of the third key that was used.”

The third key involved is for an email addresss that may be run by a hostile party, with a PGP key. It is not controlled by Glenn or Jess.

— Jacob Appelbaum (@ioerror) April 8, 2014

I have a copy of the full original email and it is encrypted to three keys. Two of them are correct and the third is a likely hostile party.

— Jacob Appelbaum (@ioerror) April 8, 2014

While two of the three addresses did belong to Greenwald, the third apparently belongs to an unknown hostile party who was impersonating Greenwald.

“This clearly confused Jesselyn or her PGP mail client,” Appelbaum continued. “I do not believe that this is evidence of her or Glenn being compromised (other than the social engineering issue at hand) nor is this evidence of PGP being broken. Rather, it is a user interface security problem with iPGMail that is quite common with PGP/GnuPG in general.”

It seems that PGP itself was not broken. However, this episode does highlight the problem of impersonation.

Early this morning, Greenwald posted about a fake PGP key purporting to be from him.

FYI – this is a fake PGP key that someone created https://t.co/MueZoKJqIV

— Glenn Greenwald (@ggreenwald) April 8, 2014

I love the smell of active disinformation campaigns in the morning. Welcome to the information conflict zone: the entire internet

— Jacob Appelbaum (@ioerror) April 8, 2014

Photo by Gage Skidmore/Flickr (CC BY-SA 2.0) | Remix by Fernando Alfonso III 

Share this article
*First Published: Apr 8, 2014, 3:42 pm CDT