Updated The creator of digital library and whistle-blowing site Cryptome.org, John Young, has revoked a host of his PGP key pairs after learning they were compromised.
In a site statement on Tuesday, Young claimed to have learned "that all PGP public keys of John Young and Cryptome have been compromised."
He added "the keys have been revoked today".
Asked whether all of the keys were compromised, Young told The Register it was "just the keys announced, many more remain intact for the moment".
Young told us he found out about the compromise after discovering "encrypted material in plaintext early 15 September 2015. Not ready to reveal how or what the material concerned. Possibility of a ruse, diversion or decoy to conceal other breach(es)."
The site, which precedes WikiLeaks by a decade and was created by John Young and Deborah Natsios, has long been a repository for suppressed information, and a digital watering hole for the internet's populations of crypto-anarchists, cypherpunks, techie conspiracy theorists, and others.
This has brought Cryptome plenty of adverse attention, not least from direct contact by the FBI, mysterious hackers, through to what Young has described as "craven and shallow technical justifications" for censorship after the site's service provider found a dodgy PHP file.
Cryptome's mission statement says that it "welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance — open, secret and classified documents — but not limited to those."
The digital library was founded in 1996, months before President Clinton's Executive Order 13026 ended what are popularly considered as the Crypto Wars, a long conflict between the US government and public over controls on cryptography.
Young took to Twitter to assure readers of his site's information security credentials, and offer a suggestion regarding the vector of the attack which had compromised the public-private keys (PKs).
Cryptome uses several infosec systems, PK just one. Open to more. Compromise should be publicized but seldom is: hide, deny, ignore, delude.— Cryptome (@Cryptomeorg) September 16, 2015
Cryptome and JY use a slew of PKs and IDs other than those compromised. Many one-time. For mutual protection, to expire, isolate, expunge.— Cryptome (@Cryptomeorg) September 16, 2015
Few of Cryptome and JY PKs are on manipulable key servers. And none via transgressable WoT or cryptoparty. More signs cloak imposters.— Cryptome (@Cryptomeorg) September 16, 2015
Young told The Register he was working on attributing the attack.
Appears to be a breach of an isolated secure storage medium. Time frame to be determined. Likely attacker could come from that or other clues. We'll share what we learn as we learn it. Holding secrets is a withholding racket.
Asked if the compromise might affect Cryptome's ongoing work, Young suggested it "could be helpful to highlight the need for ever constant checking of allegedly reliable infosec systems. This infosec skepticism is a theme of Cryptome and even a few of the infosec experts, but hardly emphasized by the infosec industry." ®
Young has updated us about the "compromise", which he said related to his architectural work rather than Cryptome:
Key compromise is related to our architectural work on NYC No. 7 Subway Line Extension, recently opened. Project had hundreds of designers from around the world with access to files. Security of the project is primary and its design is not public. Extent of subway system security and file protection is restricted to need to know.
JYA and Cryptome passphrases remain secure. Key revocation done for caution.