Post by email@example.com
It suffices Edward Snowden, who successfully communicated with Laura
Poitras and Glenn Greenwald that way. For months before meeting them in Hong
Kong. Without raising a flag at the NSA or any of its partners. Yet, your
"commercial grade tactical security" is only level 2/5 on your scale, which
therefore does not look very reasonable.
You may have a point there, but using encryption on GNU/Linux is the bare
minimum needed against commercial intrusion. Less than that, and you are not
even protected agaist commercial intrusion. The fact that he exchanged top
secret encrypted emails with correspondents probably using *PGP on Windows*
(a bad joke) doesn't make the underlying security scheme suitable, even if he
was lucky enough to escape it. He might as well have used plain text email on
Windows and still not detected, but this wouldn't make it suitable for top
secret communications either, would it?
So Edward Snowden was using hardened GNU/Linux? Then Snowden or one of his
close friends should be quite a security guy and/or fluent with FOSS.
Interesting that. I wonder where he got his laptop from. And he insisting on
his correpondents must use PGP (on Windows!) before he can communicate with
them over email is even more interesting. Given that he was conscious enough
to use PGP on hardened GNU/Linux, I would have either (a) given my
prospective correspondents an exhaustive recipe, or (b) not used email at
all. And the fact that he managed to not get caught in spite of *that*
security flop is still more interesting.
It seems that it was not Edward Snowden's security savvy, but simply that NSA
et.al. have botched it big time - on purpose or not.
That being said, there are other aspects of security and privacy. Firstly,
(1) I like standing on the safe ground and keep a good dose of safety margin.
So I would rather err on the side of caution.
(2) We cannot afford to take - good or bad - examples as precedents in
defining our security measures. We have to account for the threat
*potentials* (and add a healthy dose of margin on top of it) to define them.
Second, there are certain curiousities with Edward Snowden case.
(3) Edward Snowden might have exploited the status of having a low profile
(i.e. not being singled out) by then. I don't know the details of his story
yet, but if he was not singled out by NSA prior to his communications with
the media, then his encrypted communications might not be scrutinized. Also,
he might have taken his chances (as it seems so) and been just lucky.
(4) Edward Snowden, Julian Assange... I take such incidents with a small dose
of salt. I don't want to delve into it as it is controversial. While I am not
skeptical, I don't take anything for granted either.
Anyway, regardless of Snowden case, (1) and (2) is enough for me to adopt
more strict measures than it is perceivably necessary. (Not that I apply
myself everything I say.)
A separate topic to discuss vulnerabilities, possible attack vectors and
defenses would have been nice, and I had hoped that of the security thread in
troll lounge, albeit it has diverged into something else.