The real shame is that there are probably people going to be killed because of the irresponsible ego tripping of a couple of journalists, deluded 'transparency advocates' and other mentally unstable individuals.
Also, what was Assange thinking? 'Oh I'll just give these people the material, we can trust them?' And the notion that journalists, many of whom are as technologically illiterate as they come, would store these files on a computer not connected to any network is so naive it's not even funny anymore.
> The real shame is that there are probably people going to be killed because of the irresponsible ego tripping of a couple of journalists, deluded 'transparency advocates' and other mentally unstable individuals.
That's what people were saying about the Afghanistan and Iraq log leaks.
Get a sense of perspective. The USA and its allies (who are, of course, by all their own laws, complicit) have directly killed and caused the deaths of over a million people in Iraq and Afghanistan during the faked hunt for Osama. The vast majority of those were of course absolutely unrelated to the conflict in any way. And of the rest, most were innocent in this context because they didn't support Osama and weren't shooting at us until we started shooting at them.
There are a million dead, at least, many of them with holes made by US (and allied) munitions, and you're quibbling about a few who could be threatened, in what has actually been by far the largest and safest (innocents/dictators hurt) release of classified documents EVER.
This is serious stuff, stuff worth having posted everywhere, spammed to everyone, SMSing to every phone in the world, etc, on the chance that one copy would get through and let one journalist write one good expose. That it's been managed so as to have a groundbreakingly huge ratio of exposes written to actual data leaked is a stunning testimony to their delicate and thoughtful handling of the media organizations. What we see in North America and the EU is just a shadow of the literally world-wide (and now, hopefully, world-wise) fallout from these leaks.
Irresponsible ego tripping and deluded transparency advocates indeed.
"Our book about WikiLeaks was published last February. It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours.
"It was a meaningless piece of information to anyone except the person(s) who created the database.
"No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files. That they didn't do so clearly shows the problem was not caused by the Guardian's book."
"According to Der Spiegel: At the end of 2010, Domscheit-Berg [former worker at Wikileaks and founder of rival, OpenLeaks] finally returned to WikiLeaks a collection of various files that he had taken with him, including the encrypted cables. Shortly afterwards, WikiLeaks supporters released a copy of this data collection onto the Internet as a kind of public archive of the documents that WikiLeaks had previously published. The supporters clearly did not realize, however, that the data contained the original cables, as the file was not only encrypted but concealed in a hidden subdirectory."
So The Guardian deliberately leaked the password and Wikileaks accidentally leaked the file. Personally, I think both sound like pretty stupid things to do ...
> "No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files. That they didn't do so clearly shows the problem was not caused by the Guardian's book."
That's a pretty bullshit excuse. Wasn't the insurance file on PirateBay? How exactly should they have removed that once it was out there?
From what I've read, I've been given the idea that the files transferred to The Guardian were encrypted for them only - that the password they had worked against that file alone.
Presumably (hopefully?) the insurance file uses a different password. I was also under the (perhaps wrong) impression that no-one actually knows what's in the insurance file.
I can't imagine the insurance file being little more than the full uncensored cable archive. What else could it be? If Wikileaks had a gigabyte of compromising information on the US government or some other powerful entity, surely they would release it? Isn't that their stated mission?
From what I gather it sounds like they're trying to redact important info from cables prior to release so they don't get their asses burned any more than they have. They've got a collection of cables they haven't yet processed and are now being leaked.
Wikileaks has demonstrated a propensity to keep things close to the chest. Perhaps the insurance file contains private documents not yet released that are personally embarrassing to important individuals (e.g., those likely to be involved in the extradition and/or untimely demise of Assange) but not particularly relevant from a national standpoint. Not sure, but I definitely don't think that the cables are the only potential information contained in the insurance file. Wikileaks, especially after their bout of airtime last winter, got a lot of data from a lot of different sources. There's a lot of stuff there to collate.
The details are confusing but apparently it wasn't the insurance file, it was the full cables archive which for some unexplained reason was being served over bittorrent by someone.
I read the book in question. A password to an encrypted file is given at some point, but it is presented as a one-time thing to transfer a specific private file. If Wikileaks reused this password for something else, then it's pretty stupid of them.
It's quite odd. Certainly Assange is quite technically savvy -- he's a reformed (genuine) hacker -- after all. So I just can't imagine him re-using passwords. Similarly, I would have thought that he'd be enough of a control freak to, you know, check this stuff out himself.
I agree that this is a weird thing. From my reading it appears that the encrypted archive sent to the Guardian got out somehow and that combined with the password (recklessly) published in the book, the data can be decrypted to reveal the full unredacted archive.
There are some interesting considerations involved in what this means for distributing highly sensitive data to non-technical people. They apparently have no comprehension that a PGP-encrypted file is not like a web service where you can just go in and change the password in a jiffy -- as long as that file exists, the same password will work on it, forever. The rebuttal quoted indicates that WL said it was a "temporary" password, so it seems that via a misinterpretation at the Guardian, its editors expected the password to stop working on that file in a matter of hours.
It would be really interesting to see PGP files that were time-sensitive, and used passwords that only worked within X time. Does anyone know if something like that has been done?
What would have been a more secure way to distribute the archive? Only bundle 1000 cables at a time, each file with a unique password? Require journalists to view the files on premises at WL so that there was no loss of control on the data? Bundle everything up in a black-box .exe that self-destructed in x time (though, unless implemented carefully, this would still reveal private data once a competent person got a hold of it)? Why weren't these files asymmetrically encrypted anyway? Surely it is not very likely that the private key of a user would be published in a book or that a user would upload his private key to bittorrent. Lots of interesting possibilities here...
> It would be really interesting to see PGP files that were time-sensitive, and used passwords that only worked within X time. Does anyone know if something like that has been done?
I'm not a cryptographer, but it seems to me like something of this nature is impossible without maintaining control of the decryption process. You could add a timestamp to the file, but the workaround would be to change your computer's clock or rewrite the decryption software. You would have to include a cryptographically-signed timestamp from a trusted time server in the en/decryption process. Once that signed timestamp is obtained, though, it could be distributed along with the password and a modified application that uses the stored timestamp instead of a live one from the server.
My knowledge comes from reading about failed DRM schemes and the comments of tptacek and cpercival, so I can only point out things that wouldn't work, not what will.
I can't imagine how you could build a foolproof (or more importantly, state-sponsored-team-of-experts-proof) time-limited system. Assuming the file is digital, and can be accessed freely, you can make infinite bit-identical copies and fiddle your system clocks to make it work.
You'd need some sort of physical real-time clock combined with the memory storing the material, which wipes it after a given time. Maybe even a physical medium which degrades over time[3] could work, but that could be foiled by controlling the environmental conditions (inert gas atmosphere to avoid oxidation, cold temps to slow electron migration, etc).
My personal approach would be something like providing an incredibly locked-down laptop/netbook (https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sop... would be a good start), but with additional physical security improvements (battery/big caps wired directly to HDD and RAM via a set of tamper switches[1], disabling all IO ports in software and filling them with epoxy / disconnecting internally). You could then wire in an RTC to the same system, as well as perhaps using a GPS receiver to verify the time (Yes, you could jam/spoof GPS signals if you knew to expect them, but that's still raising the bar).
One final approach would be to have some other trusted party/system which remains in your control, and have some challenge/response auth which you can disable/destroy after a fixed time.
To conclude, I can't see any way to build time-limited encryption without some external trusted authority or some trusted physical infrastructure.
[1] Not just physical switches, but as many things as you can come up with: Light sensors, pressure sensors (especially if you can gas-seal the enclosure and keep it at elevated/vacuum pressures), temperature to avoid cooling attacks, resistive/optic-fibre security meshes. Another amusing idea would be to use a GPS receiver to ensure that data can only be viewed from a given physical location[2].
[2] This gets used in _Distress_ by Greg Egan, although I'd thought about it myself long before reading the book.
The only way to time-limit data would be to find some kind of cryptographic function which can't be parallelized, requires a certain amount of work, and then make assumptions about the speed with which this could be done based on resources available to an attacker. You could at least set a lower bound for time given likely resources. I find it highly unlikely that even national technical means include general purpose reconfigurable logic much faster than 50x the open state of the art; if your problems keep changing, reconfigurable logic is going to be needed.
The key is to have lots of problems nested together, which must be solved in series.
Computers scale a lot better than people, so something which required a human to try to solve a puzzle to get a key, then use that key to decrypt the next puzzle, and so on, probably has better characteristics.
A trusted third party or tamper-resistant hardware is far more practical.
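The serial-work idea in the comment above corresponds to the time-lock puzzle of Rivest, Shamir and Wagner, sketched here as an added example that is not part of the original thread. The demo modulus, function names and field names are assumptions for illustration, and the construction only delays opening by a minimum amount of sequential work; it does not make a password expire.

```python
"""Time-lock puzzle by repeated squaring (Rivest-Shamir-Wagner construction)."""
import hashlib
import math
import secrets

# Constructed demo modulus built from two known Mersenne primes. Far too small
# for real use: a real puzzle needs a freshly generated RSA-size modulus whose
# factors the creator discards after building the puzzle.
P = 2**89 - 1
Q = 2**107 - 1


def _mask(value: int, n: int) -> bytes:
    """Derive a 32-byte mask from the final value of the squaring chain."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(value.to_bytes(width, "big")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_puzzle(key: bytes, t: int) -> dict:
    """Lock a 32-byte key behind t squarings that must be done one after another.

    The creator knows phi(n), so 2**t can be reduced mod phi(n) and the end of
    the chain is reached with a single short modular exponentiation.
    """
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    n = P * Q
    phi = (P - 1) * (Q - 1)
    while True:
        base = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        if math.gcd(base, n) == 1:
            break
    chain_end = pow(base, pow(2, t, phi), n)  # creator's shortcut via phi(n)
    # Only these fields are published; the factors and phi(n) are not.
    return {
        "n": n,
        "base": base,
        "t": t,
        "locked_key": _xor(key, _mask(chain_end, n)),
        "key_check": hashlib.sha256(b"check" + key).hexdigest(),
    }


def solve_puzzle(puzzle: dict) -> bytes:
    """Recover the key without phi(n): each squaring needs the previous result,
    so extra machines do not shorten the chain."""
    n = puzzle["n"]
    value = puzzle["base"]
    for _ in range(puzzle["t"]):
        value = value * value % n
    key = _xor(puzzle["locked_key"], _mask(value, n))
    if hashlib.sha256(b"check" + key).hexdigest() != puzzle["key_check"]:
        raise ValueError("wrong chain length or altered puzzle")
    return key


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed sample key
    demo = create_puzzle(demo_key, t=50_000)
    print("recovered:", solve_puzzle(demo) == demo_key)
```

The delay is set by `t` and the solver's single-core squaring speed, which is the lower bound on time that the comment describes; anyone who later publishes the solved key removes the delay for everyone else.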
Indeed, it seems something like a dongle that kept its own clock would be required to implement this in a way that couldn't be circumvented merely by setting your PC's clock back. The firmware could wipe as soon as the clock in the device hits time X; if you distribute these close enough to X, even an experienced hacker would be unable to get around the deletion without destroying the whole device.
Alternatively, this dongle could contain the necessary private key to decrypt the file instead of the data itself, or another component required to unlock the data a la RSA SecurID.
I would be greatly interested to see relatively secure self-destructing USB sticks.
Obviously someone interested in copying the data at whatever cost will be able to do it, but that's not the use case pertinent to this story. This would not be designed to taunt your enemies, but rather ensure security of data in the hands of individuals who may not understand how to handle it properly.
The Guardian was operating under a grievous misunderstanding about the nature of the encrypted data, but from my vantage point I don't see that they operated out of intentional malice. If you are distributing data to compliant parties and just want to ensure a tidy cleanup to prevent mishandling or theft, something like this definitely could be useful.
Your only defense is compartmentalization. Segregate the data and encrypt each segment separately. Communicate the data and keys through separate channels to separate parties. Hope that, therefore, a compromise is limited to a single compartment.
You could also make decryption dependent upon a network connection (e.g. Adobe DRM, et al.), but with "the opposition" potentially in control of the network and/or able to compromise your physical security, and with the decrypted results readily copy-able (they always are, one way or another), this is probably more trouble than it's worth.
P.S. I didn't mean actually Adobe DRM; rather, just citing them as an example instance of such a thing (though, truth be told, I've never looked at how they do theirs, in detail).
This is ridiculous. I don’t know how any whistleblower could trust Wikileaks after what has happened during the last few weeks.
There clearly is a need for a competent whistleblower website. Wikileaks has shown itself to be incapable of filling that role. Egos shouldn’t be more important than leaks.
Pretty disgusting how this entire press release amounts to political posturing and taking credit for the Arab Spring, with, what, one sentence about how terrible it is that names are now being released unredacted?
You can argue that Wikileaks isn't the one ultimately responsible for this, that it's the Guardian or the US government or whatever, but in their response they seem almost totally unconcerned with protecting individuals, and overwhelmingly concerned with getting credit for political revolutions.
This is like asking for spoilers for The Titanic. The news of the leak has only been the biggest single news event on the planet for the past eighteen months. If you suspect it to implicate you and you didn't already do your best to escape there isn't much that can be done.
Remember though, that the USA shared more information with the worst of these dictators, till close to the end, than the leaked cables reveal in total. This whole FUD about Wikileaks killing whistleblowers is just a smokescreen. Our government still routinely drone-bombs more innocents weekly than have ever been suggested to be in danger, let alone dead, because of anything WikiLeaks has ever done.
Excuse my ignorance, but what has happened over the last few weeks? I didn't have an uplink and it's not like there's a reliable archive of important news stories.
The Guardian isn't saying PGP passwords are temporary. They're saying they had assumed the PGP-encrypted file they were provided was single-use, intended only for them and removed after they copied it.
That's a reasonable assumption. Why wasn't it single-use? Aren't people's lives presumably at stake here? How many lives do you need to risk before it becomes worth it to re-encrypt a data set? Why, after disclosing the encryption key to a journalist, did Assange retain the (now tainted) file?
Even if those at the Guardian believed the password only applied to their copy, publishing the password amounts to the Guardian making their copy a target to be copied/stolen. Why should the Guardian think they have better protection against copying their copy than the U.S. gov did in not allowing the cables to be copied in the first place?
This is a good reason for not simply giving The Guardian a giant encrypted dump of all the data. Either way, The Guardian's lack of opsec doesn't set the bar for Wikileaks.
Wasn't the whole idea behind Wikileaks supposed to be that it was run by people with the greatest possible opsec/tradecraft credibility? How does it make sense for that group to literally delegate all their security to a news publishing organization?
And having done that, by their own admission, how does pointing the finger at The Guardian's lack of opsec capability exonerate Wikileaks?
If Domscheit-Berg wasn't meant to have access to the data, why did he have access to the data? The way both parties relate the story, Domscheit-Berg's exposure to the data appears to have been "accidental": Assange left the unredacted data set on a Wikileaks-owned server that Domscheit-Berg managed, trusting an obscured directory name to protect them.
By Der Spiegel's recounting, it hardly matters what Domscheit-Berg's intentions were, because the files were unknowingly swept up in Wikileaks' BitTorrent disaster recovery process. At that point, it became simply a matter of time before the contents of the data set became public, with or without Domscheit-Berg's promotion.
The personality conflicts here between Domscheit-Berg and Assange and Rusbridger and Leigh are probably a red herring. The evidence we have now strongly suggests that Wikileaks was not a careful steward of the data they had; that Wikileaks' own convenience trumped tradecraft and security.
That's fine and human and normal for most types of data. But most of the time, we're not dealing with the names of informants and whistleblowers in the world's most repressive countries.
I’m not outraged, more amused. Wikileaks has to take responsibility and communicate better. Especially their communication has been a disaster.
If they want to be a respected whistleblower website they have to show that they are competent. I’m sorry, but I just cannot see how Wikileaks has done that during the last few weeks and months. Based on that I personally wouldn’t trust them with anything. I wouldn’t be surprised if many other people (who, unlike me, actually have something important to leak) think the same way.
(I don’t even want to say anything about DDB.)
But I guess saying something critical about Wikileaks (even if you support the idea of a place for anyone to safely leak stuff) isn’t very popular around these parts. Ah, well.
Wikileaks was the source of the data, and not only distributed extremely sensitive information in a permanently retrievable form to a person who did not understand the implications related to handling that data, but they also (lazily) left the file available online, in a place where it was accidentally included in at least some of the WL archives circulating BitTorrent. Wikileaks certainly holds the larger portion of the blame, though the publication of the password was ridiculously reckless.
A quick whois [1] against the original link used by Cryptome suggests possible origin of leak is Phillip Bailey[2]. If /xyz/ existed within the contingency torrent which was released to the pirate bay (someone else confirm please :) then that suggests that he was just hosting a HTTP mirror of the torrent; if it doesn't exist then who knows how deep the rabbit hole goes?
A number of people have speculated that cables.csv == insurance.aes256 or whatever it's called, due to the similarity in filesizes. Doesn't the insurance file predate the embassy cables affair though?
The link pointed to an IP address that appeared to be a wikileaks mirror; the z.gpg file was buried deep in the mirror in a directory that also, interestingly, had a large x.gpg and a y.gpg.
Can someone explain why/how the cables allegedly kicked off Arab Spring? I get how they pertain to Egypt's former information minister specifically, but wasn't the greater amount of unrest in the region preexisting?
The first Arab revolution was in Tunisia. Shortly before that there was a Wikileaks release about the corruption of the Tunisian dictator and his family. The success of the Tunisian revolution inspired the other Arab countries to revolt.
I believe this argument to be totally overblown. The release of the cables did nothing IMHO to inform the Tunisian people about the corruption of Ben Ali and his family. I visit Tunisia regularly and have family there. The corruption was widely known throughout the country and spoken about behind closed doors. Ben Ali himself was tolerated but his wife and her family were despised.
You are absolutely correct. Wikileaks published a cable that said (paraphrasing) that the US was unsatisfied with Ben Ali and wouldn't mind if he went. This only helped the Tunisians understand their own government, and what was possible politically.
Are you kidding? The guy who set himself on fire did so because his fruit cart was taken. He wasn't some high minded HN/Reddit addict who dropped his monocle when he read about some corruption issue. Tunisians don't need wikileaks to tell them their government is corrupt.
It's sad that the netizen class is going to give wikileaks credit for everything good that happens from now on. What self-congratulatory armchair revolutionary nonsense.
It's unfortunate that they're unredacted, but doesn't it seem like it would be against Wikileaks' purpose to cherry pick information to release? I mean I thought they were supposed to be about "information freedom", not pushing their own agenda.
They have to check the leaks to make sure that they aren't putting anyone's life in danger (when they haven't done this in the past their enemies have used it against them in the ongoing PR battle). That takes time.
It also means that they do cherry pick because they have to prioritize what leaks they will check and release first.
They've got 250,000 cables. A small team is going to take a long time to check 250,000 cables.
No doubt they do keyword searches of the cables to find the juicy ones and release those first, but, what you gonna do... release the boring, mundane stuff first? No one would pay attention to you.
I think the boring, mundane stuff could potentially be the most interesting stuff. Run statistical analysis for unusual words and phrases and find the secret diplomatic codes. :)
People really can be naive sometimes. Yes, the content of those cables should be public knowledge. But the names of informants should not be released- I dread to think how many people could die as a result of this.
Surely the largest part of the "blame" has to lie with the US authorities for putting such sensitive cables somewhere where so many people (Bradley Manning being only one of them) could access them?
That was done in response to the fallout from 9/11, where it was demonstrated that there was very little inter-agency cooperation, especially in sharing information about terrorism/terrorists.
It was a calculated decision to greatly increase information sharing between government agencies (including the military) to allow for better cooperation.
Well... it seems they did not calculate accurately the permission controls to prevent people like Manning making and distributing a copy of all those files.
I think it's more appropriate to blame the second law of thermodynamics and the internet. It's increasingly, if not impossibly, hard to keep information isolated.
My suggestion to anyone with secrets that valuable is to assume they get leaked and have a plan for that.
I'm curious if Wikileaks saw this coming, but I suspect they were naive enough to believe they could maintain control.
All serious implications aside for a moment, isn't this refreshingly ironic? Wikileaks having to deal with important information about THEM being leaked for a change.
Refreshing? No, it is the brain-dead cached response, one that has been invoked countless times for everything to do with Wikileaks internals.
The donation list became public? 'Oh ho ho, how ironic!' One of the supporters splits and writes a book about it? 'isn't this refreshingly ironic?' The cable database goes public? 'how very ironic!' And so on.
I'm about as sick of it as I am of articles about a random bit of Wikipedia vandalism.
Even worse then! Why should an organization trying to leak as much about anyone they can and matters be above their own standards and mantras? If "True information does good." well then who knows what this and the other leaks were good for.
I do not see wikileaks as any more trustworthy or "better" or "more ethical" than the authorities they are acting against - yes, AGAINST, read Assange's book, he has an agenda and it might not be as altruistic and do-good as most people like to believe.
"I do not see wikileaks as any more trustworthy or "better" or "more ethical" than the authorities they are acting against"
Um.. let's see... last I checked, Wikileaks hadn't tortured any prisoners, invaded any countries, or murdered countless civilians. So, yeah, I'd count them as just a tad more ethical than the scumbags they're releasing dirt on.
Every country gets the government they deserve (and vote).
But what makes you think Assange and his gang would make better decisions given they were in the exact same situation? Power corrupts and wikileaks certainly demonstrated on several occasions just how incredibly powerful they are or can be.
I am from Europe so this might be a bit different "over there" but what I was trying to say was: I do not trust WikiLeaks and Assange or question them more or less than I trust and question my government and I certainly do not see Assange's understanding of and longing for anarchy (see his book) as an appropriate replacement of our current governments. Do you?
I don't care about whether Wikileaks suffers leaks or not. I am a little sick of the 'ironic' spin. By this point, it's about as ironic as Alanis Morissette's 'Ironic'.