When we need to secure our physical goods, there’s not much more we can do besides lock the door. Once folks get inside, they can get their hands on whatever they want.
Our digital treasures (also known as secrets) can have layers of security, but most people don’t take advantage of anything but password protection, even though we can lock digital stuff up twice. We can put a lock on the door (the server) but we can also put a lock on the stuff itself (encryption). That way, even if an intruder got into the server and started looking through its databases, none of the stuff would make any sense. It would all be encrypted gobbledygook. The Intercept, a news organization owned by First Look Media, has released a new open source tool to help organizations keep their emails in just such gobbledygook when stored on their servers.
On Wednesday, the site announced GPG Sync, a tool that makes it easier for organizations to keep all their internal communications encrypted. When digital goods (such as emails or files) are encrypted, it takes a key to read them. Usually, that key is held in a file on your actual device, not on a server. Journalist organizations, political campaigns and companies developing cutting-edge intellectual property might especially benefit from keeping their communications accessible from the cloud but encrypted when no one is looking at them.
If the Democratic National Committee had been using encryption internally, it wouldn’t have mattered if Guccifer 2.0 (or whoever) had gotten inside their servers. Cybercriminals could not have done anything with what they found. According to Vanity Fair, Clinton’s campaign staff has gotten religion since, using Open Whisper Systems’ Signal for anything sensitive (though one would have thought that a former Secretary of State would push all her supporters to use counter-surveillance measures from the start).
When using encryption, you give the people you are communicating with what’s called a public key. In order to send someone a message that only they can read, you need to have their public key. The public key is not sensitive. Many people post theirs on the web. It’s just that it’s one more thing to keep track of.
On the GitHub project page, the First Look team writes, “It quickly becomes unwieldy to ensure that everyone has a copy of everyone else’s current key, and that old revoked keys get refreshed to prevent users from accidentally using them.”
GPG Sync automates the syncing throughout an organization. As new people get hired, leave or change their keys, they don’t need to notify anyone. GPG Sync will manage it.
The project’s wiki addresses the possibility of a breach. “At worst, a malicious authority could make you download fake public keys,” Lee writes. That would be aggravating, but not compromising. GPG Sync also gives an organization the ability to digitally sign keys, however. If organizations enable that feature, even that would be much harder to accomplish, because users would see that the keys were no longer signed.
This is not the first free piece of code that First Look has released. It has previously released tools for redacting and stripping metadata from PDFs and for maintaining warrant canaries on websites.