It is a good thing that WikiLeaks has been able to publish hundreds of thousands of emails relating to crimes and murders of the agencies of the most powerful country in the world, but I am at a loss to understand.
Perhaps my comprehension is wrong.
I understand an email sent through HTTP will travel in clear text and could be intercepted; an email traveling through HTTPS will be typed in clear text on the sending computer, will travel encrypted and will be automatically decrypted by the destination computer (whose whistle-blower can give copies of each to WikiLeaks).
An email encrypted by encryption software will travel encrypted (twice if sent through HTTPS) and received encrypted (through HTTP) by the destination computer where it will have to be decrypted by the intended (human) receiver.
My question is: given the amount of secrecy (and money) those agencies are supposed to apply to their activities, how come the last method described is not used and the decryption deleted after reading?
Probably 'accountability'. Emails are often archived so a 'who said what to whom' audit path exists. I don't believe it's a layer 8 issue as such, more a policy/procedural thing.
So somebody inside that (encrypted) loop has let the cat out of the bag, so to speak.
So hypothetically:
Assassin sends email to "agency" saying "job is done, pay me"
"Agency" sends email to assassin saying "I'm not paying"
Assassin leaks emails to wikileaks.
Probably an unlikely scenario, but you get the idea.
OP, you have assumed that all communications (in this case email) are wrapped up in encryption. Government systems are likely as soft as or softer than those in the private sector.
It's likely one of four scenarios:
1. encryption wasn't used and data was intercepted
2. encryption was used and data was intercepted and cracked (weak encryption, etc.)
3. one of the parties involved leaked the data
4. the decrypted data was stolen from one of the parties involved
I hate to say that Linux_Kidd indicates something that probably hits the nail on the head - the assumption their systems are secure.
One of Al Gore's family works at a US military facility in Europe where all their email runs through a Barracuda Spam Firewall. This was, for some time, totally open to the outside world with an 'admin/admin' password type of setup.
However, if trusted people have access to anything in the most trusted of environments - and they abuse that trust and leak information - then no amount of security can deal with it.
exactly!
From the security side I am more interested in knowing about how the data leaked vs. its content. I guess their advanced DLP solution was also broken and/or compromised to get the data out.
#3 on my list has many ways to subvert security measures, like taking a picture of the screen while reading the email. So unless that fancy DLP solution also includes super sensitive electromagnetic device detection in the vicinity of computer monitors, or a CC video cam on every computer user with recognition smarts, then no DLP solution can combat picture taking.
Last edited by Linux_Kidd; 01-11-2012 at 11:10 AM.
Nor vice versa. But consider the volume and consistency of data collected. To sniff a wire for that length of time is more risk than compromising a system with valid credentials.
My question is: given the amount of secrecy (and money) those agencies are supposed to apply to their activities, how come the last method described is not used and the decryption deleted after reading?
I would appreciate very much your comments.
Interestingly, after Bank of America received a black eye over a leak of their emails, they now use PGP or something very much like it for their internal email, according to a branch manager I was talking to about this very subject. However, they still refuse to encrypt emails sent to you.
Because they failed to recognize that a true user-to-user PKI solution requires the dummy end-users to be somewhat technical, and surely a bank like BoA doesn't want to deal with the dummy end-users not being able to decrypt those important spam/crap emails that BoA sends out, or providing a robust functional alternative means spending lots more $$$, and the execs don't wish to lighten their pockets.
It does not seem a robust global federated PKI solution is feasible, so we resort to a hodge-podge gamut of point solutions which usually live within the edge.
1. encryption wasn't used and data was intercepted
2. encryption was used and data was intercepted and cracked (weak encryption, etc.)
3. one of the parties involved leaked the data
4. the decrypted data was stolen from one of the parties involved
And that's it.
Really, speculation is funny but goes nowhere. So let's go nowhere :-)
The Internet is a very dangerous and hostile place, so I would vote for either 1 or 3. Even when the personnel are trained to send their emails through secured services (e.g. an email client that works under TLS), once your mail leaves your sending box, it can be grabbed in many places. Many SMTP servers will use SSL to get the mails from you, but won't use it to send them to their intended recipient, which is another SMTP server. Mails can be captured while traveling between servers. Or the admin of the server can be a Chinese spy. It seems the only secure way to send digital messages is using person-to-person encryption like the one provided by PGP, but even this is not 100% secure. If the Chinese spy gets the message now, he won't be able to read it. If the RSA algorithm gets cracked twelve years later, he will be able to read it then.
The possibility of someone purposely leaking the information is not to be overlooked, anyway.
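The hop-by-hop point in the post above can be checked on a real message rather than guessed at: every receiving mail server prepends a Received: header, and the "with" clause of that header (ESMTPS or ESMTPSA for a TLS-protected hop, plain ESMTP or SMTP for cleartext, per RFC 3848) records whether that particular server-to-server leg was encrypted. The script below is an added example written for this page, not code from the thread or from any product mentioned in it; the three-hop message it parses is constructed for the example, and the function names are my own.

```python
"""Audit which SMTP hops of a delivered message were protected by TLS,
using only the Received: headers and the Python standard library."""
import email
import re
from email import policy

# Constructed sample message for this example (not from the thread).
# Received: headers are prepended by each server, so the first one
# listed is the LAST hop; the middle hop here was relayed in cleartext.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
 by mail.example.net with ESMTPS id abc123
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
 Wed, 11 Jan 2012 10:00:03 -0500
Received: from relay.example.org (relay.example.org [198.51.100.7])
 by mx.example.org with ESMTP id def456;
 Wed, 11 Jan 2012 10:00:02 -0500
Received: from [192.0.2.10] (client.example.org [192.0.2.10])
 by relay.example.org with ESMTPSA id ghi789
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128);
 Wed, 11 Jan 2012 10:00:01 -0500
From: alice@example.org
To: bob@example.net
Subject: test

hello
"""

# RFC 3848 "with" keywords: a trailing S means the hop used TLS, a trailing
# A means the client authenticated (ESMTPSA = TLS plus SMTP AUTH).
_TLS_PROTO = re.compile(r"^(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)
# The from/by/with clauses of a Received: header; comments in parentheses
# may repeat the word "from", so only the first occurrence of each is kept.
_CLAUSE = re.compile(r"\b(from|by|with)\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Pull the from/by/with clauses out of one Received: header value."""
    clauses = {}
    for key, token in _CLAUSE.findall(" ".join(value.split())):
        clauses.setdefault(key.lower(), token.rstrip(";,)"))
    proto = clauses.get("with", "")
    return {
        "from": clauses.get("from", "?"),
        "by": clauses.get("by", "?"),
        "with": proto,
        "tls": bool(_TLS_PROTO.match(proto)),
    }


def audit_hops(raw_message):
    """Return the hops in delivery order (oldest first), each flagged for TLS."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    return [parse_received(str(v)) for v in reversed(received)]


def plaintext_hops(raw_message):
    """(from, by) pairs whose Received: header records no TLS-protected protocol."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>20} -> {hop['by']:<18} {hop['with']:<8} {state}")
    print("cleartext legs:", plaintext_hops(SAMPLE_MESSAGE))
```

Two caveats a practitioner should keep in mind when reading the output. Each Received: header is written by the server that received the message, so only the headers added by servers you trust are reliable; anything earlier in the chain can be forged by whoever injected the message. And a hop marked TLS only tells you the wire between two servers was encrypted: each of those servers still holds the message in the clear, which is exactly the "admin of the server" exposure the post describes and the reason end-to-end encryption such as PGP is a different control from transport TLS.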
It is a good thing that WikiLeaks has been able to publish hundreds of thousands of emails relating to crimes and murders of the agencies of the most powerful country in the world, but I am at a loss to understand.
Perhaps my comprehension is wrong.
I understand an email sent through HTTP will travel in clear text and could be intercepted; an email traveling through HTTPS will be typed in clear text on the sending computer, will travel encrypted and will be automatically decrypted by the destination computer (whose whistle-blower can give copies of each to WikiLeaks).
An email encrypted by encryption software will travel encrypted (twice if sent through HTTPS) and received encrypted (through HTTP) by the destination computer where it will have to be decrypted by the intended (human) receiver.
My question is: given the amount of secrecy (and money) those agencies are supposed to apply to their activities, how come the last method described is not used and the decryption deleted after reading?
I would appreciate very much your comments.
E-mails are not sent via HTTP or HTTPS. Those are an entirely different protocol, specific to web content (which is why you see HTTP(S) when signing into Gmail / Hotmail: you're just using a web e-mail client), but the e-mails themselves are sent with SMTP.