> It suffices Edward Snowden, who successfully communicated with Laura Poitras and Glenn Greenwald that way. For months before meeting them in Hong Kong. Without raising a flag at the NSA or any of its partners. Yet, your "commercial grade tactical security" is only level 2/5 on your scale, which therefore does not look very reasonable.

You may have a point there, but using encryption on GNU/Linux is the bare minimum needed against commercial intrusion. Less than that, and you are not even protected agaist commercial intrusion. The fact that he exchanged top secret encrypted emails with correspondents probably using *PGP on Windows* (a bad joke) doesn't make the underlying security scheme suitable, even if he was lucky enough to escape it. He might as well have used plain text email on Windows and still not detected, but this wouldn't make it suitable for top secret communications either, would it?

So Edward Snowden was using hardened GNU/Linux? Then Snowden or one of his close friends should be quite a security guy and/or fluent with FOSS. Interesting that. I wonder where he got his laptop from. And he insisting on his correpondents must use PGP (on Windows!) before he can communicate with them over email is even more interesting. Given that he was conscious enough to use PGP on hardened GNU/Linux, I would have either (a) given my prospective correspondents an exhaustive recipe, or (b) not used email at all. And the fact that he managed to not get caught in spite of *that* security flop is still more interesting.

It seems that it was not Edward Snowden's security savvy, but simply that NSA et.al. have botched it big time - on purpose or not.

That being said, there are other aspects of security and privacy. Firstly,

(1) I like standing on the safe ground and keep a good dose of safety margin. So I would rather err on the side of caution.

(2) We cannot afford to take - good or bad - examples as precedents in defining our security measures. We have to account for the threat *potentials* (and add a healthy dose of margin on top of it) to define them.

Second, there are certain curiousities with Edward Snowden case.

(3) Edward Snowden might have exploited the status of having a low profile (i.e. not being singled out) by then. I don't know the details of his story yet, but if he was not singled out by NSA prior to his communications with the media, then his encrypted communications might not be scrutinized. Also, he might have taken his chances (as it seems so) and been just lucky.

(4) Edward Snowden, Julian Assange... I take such incidents with a small dose of salt. I don't want to delve into it as it is controversial. While I am not skeptical, I don't take anything for granted either.

Anyway, regardless of Snowden case, (1) and (2) is enough for me to adopt more strict measures than it is perceivably necessary. (Not that I apply myself everything I say.)

A separate topic to discuss vulnerabilities, possible attack vectors and defenses would have been nice, and I had hoped that of the security thread in troll lounge, albeit it has diverged into something else.

Reply via email to