Slashdot Mirror


The Guardian and the Wikileaks Encryption Key

rtfa-troll writes "Bruce Schneier has a good article explaining how the Guardian released the encryption key for the WikiLeaks cables and destroyed the main protection against the release of informers' personal information. The comments in Schneier's blog fill in details of how exactly WikiLeaks' secondary file security protections were also bypassed. Now the Guardian has an article that Assange risks arrest by Australia over the latest leaks, which include information about an Australian intelligence officer. They even say, 'We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,' and go on to state that 'The decision to publish by Julian Assange was his, and his alone,' something which seems clearly debunked in the analysis on Schneier's blog."

28 of 196 comments

  1. Links & hints to the data by mcantsin · · Score: 5, Informative

    http://cryptome.org/z/z.7z (368MB) pwd: ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#
    http://pastebin.com/SBq9Xpsr
    http://cryptome.org/xyz/x.gpg.torrent (Returns xyz_x.gpg, 409MB. No passphrase yet)
    http://cryptome.org/xyz/y.gpg.torrent (Returns xyz_y.gpg, 88MB. No passphrase yet)
    http://cryptome.org/xyz/y-docs.gpg.torrent (Returns xyz_y-docs.gpg, 8MB. No passphrase yet)
    http://cryptome.org/xyz/z.gpg.torrent (Returns xyz_z.gpg, 368MB. Passphrase below)

    "xyz_z.gpg" and "z.gpg" appear to be identical and both decrypt to "z.7z." The decrypted file is "z.7z," 368MB, which unzips to "cables.csv," about 1.7GB in size, dated 4/12/2010.

    1. Re:Links & hints to the data by Ironchew · · Score: 5, Insightful

      They accepted the risks when they engaged in the covert operations to begin with. People who uncover secrets are not responsible for deaths -- killers are.

    2. Re:Links & hints to the data by rtfa-troll · · Score: 3, Insightful

      people will die as a result of these leaked cables.

      Maybe. The question is, will more or less die as a result of Wikileaks making it public knowledge that they have leaked. As DarkOX already pointed out, the secret services already have the files, so they are looking for the sources already. Now it's possible for a source to simply type in their name and know if they are in there.

      The other question is: who should take the blame? The US government, which kept the names in plaintext in a database with millions of people having access; the Guardian, which when trusted with secret data seems to have failed to put their IT security people on the case (how the hell else could they expect the password to an encrypted archive to change); or Wikileaks.

      P.S. If you are a source and want to check if you are in there, do this on a local copy of the archives or at least do it over https. Remember that searching the archives for your name may be enough to trigger someone coming knocking.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Links & hints to the data by YesIAmAScript · · Score: 3, Interesting

      Not everyone in these documents was involved in covert operations.

      I personally know a person who was mentioned in these documents. He can't be the only one who was innocently roped into this.

      --
      http://lkml.org/lkml/2005/8/20/95
    4. Re:Links & hints to the data by Jeremiah+Cornelius · · Score: 5, Interesting

      These leaked cables are about HAVING KILLED PEOPLE!

      Including the point-blank firing of weapons into the heads of toddlers.

      Including Israeli lies about killing "terrorists" being revealed as bombing and killing 16 civilian villagers, at prayer.

      Like most reactionary cranks, you fret SO over the theoretical loss of life that might occur, if illegal and anti-democratic secrecy is not punitively enforced.

      Where is your concern, passion and outrage about the ACTUAL callous and criminal loss of life, that would have initiated any such threat?

      Your hypocrisy and disingenuous moral posturing stinks like the foetid pool of death that you defend.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    5. Re:Links & hints to the data by a_nonamiss · · Score: 4, Insightful

      I'm sure you're correct in that most of the damage has already been done. I am, however, reacting to the cavalier attitude with which people seem to be treating this data. People have and will be killed over this information, and more importantly, next time someone is considering leaking something that may benefit the public as a whole, they're going to think twice about doing it. Because of that, this leak is a terrible thing for the world.

      --
      -Arthur
      Cave ne ante ullas catapultas ambules
    6. Re:Links & hints to the data by Jah-Wren+Ryel · · Score: 4, Insightful

      Information wants to be free, and I do appreciate your eagerness to propagate this information, but people will die as a result of these leaked cables.

      You've said that twice now. How do you know it to be true? These cables weren't internal CIA reports, most of them were not even classified and those few that were had only the lowest level of classification.

      Furthermore, the information was "leaked" by the Guardian's careless publication of a password. Wikileaks officially publishing them now in an easily searchable form means anyone at risk has the ability to check for themselves if their names are mentioned - the bad guys have had the cables since at least last week, if not for the last few months following the publication of the password in February.

      --
      When information is power, privacy is freedom.
    7. Re:Links & hints to the data by Oxford_Comma_Lover · · Score: 5, Insightful

      They accepted the risks when they engaged in the covert operations to begin with. People who uncover secrets are not responsible for deaths -- killers are.

      If your ex will kill you if he/she knows where you live, and I know your ex will do that, and I tell your ex where you live, I am *not* blameless.

      If the country you're in will kill you if it knows what you do, and I know the country will do that, and I tell them what you do, I am not blameless.

      Saying someone accepted the risk of a bad result does not mean that other people who cause that result are inherently blameless. You may accept the risk of an accident when you drive to work in the morning, but if I hit you with my car, it may still be my fault.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    8. Re:Links & hints to the data by he-sk · · Score: 5, Funny

      Information wants to be free, and I do appreciate your eagerness to propagate this information, but people will die as a result of these leaked cables.

      You've said that twice now. How do you know it to be true?

      It's true because it's in bold.

      --
      Free Manning, jail Obama.
    9. Re:Links & hints to the data by Jeremiah+Cornelius · · Score: 5, Interesting

      Look at this from the tin-hat angle:

      David Leigh/Guardian is working in the interest of CIA/MI6 and looking not to collaborate with WikiLeaks, but to ensnare him for prosecution.
      Clue: DL Insisting on seeing the actual files
      Clue: DL Pressing for the GPG passphrase
      Clue: DL Publishing the ENTIRE proceeding and passphrase in a book

      Dumbshit-Borg is either a long-time mole or was "turned"
      Clue: D-B had full access to all unredacted material
      Clue: D-B acrimoniously split with Assange/WikiLeaks over ego-boundary shit and speculative "risk" issues
      Clue: D-B in his schism is part of the probable exposure of these cables - portrayed as an "accident", while he was unilaterally and admittedly sabotaging WikiLeaks
      Clue: D-B can now say "I told you so" over this exposure of sources - pointing to this as evidence, rather than a situation he perpetrated

      The US Army Counterintelligence Agency said in 2008 that WikiLeaks was "a potential force protection, counterintelligence, OPSEC, and INFOSEC threat to the US Army" and PLANNED OPERATIONS to neutralise/discredit WikiLeaks:

      "The identification, exposure, or termination of employment of or legal actions against current or former insiders, leakers, or whistleblowers could damage or destroy this center of gravity and deter others from using Wikileaks.org to make such information public."

      http://www.scribd.com/doc/28385794/Us-Intel-Wikileaks

      Question: Do you think that the Agency makes these declarations in vain, for their entertainment value?

      Question: Do you think they are alone, and that there are not equivalent planned and current operations by the CIA, etc.?

      Question: Are the combined actions of DL and D-B implausible as the intended outcome of a counter-WikiLeaks strategy, set in motion by one or more intelligence agencies, including US Army Counterintelligence?

      Think about it. Once they set this down IN PRINT, internally, and don't have a "positive" outcome? Somebody goes through the wringer.

      This is likely all a setup. One with a scenario that is similar to the one indicated here, if not completely identical. It is one where David Leigh and Dumbshit-Borg are either pathetic and self-serving dupes, or sickening quislings.

      Either way, this is a noose fabricated of intentional actions with plausible deniability. Identify WikiLeaks with Assange's personality, and attack the personality. Attack the credibility of WikiLeaks methodology while distracting from their effectiveness and success in exposing filth, corruption and illegal government action.

      I know they will get Assange one way or another. They just created the circumstance to have him charged in Australia - their one sure bet. But watch out, DL and D-B.

      When your mysterious, untimely deaths occur, I will look at it as confirmation of these speculations.

      And proudly burnish my tin-hat...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    10. Re:Links & hints to the data by Anonymous+Brave+Guy · · Score: 3, Insightful

      They accepted the risks when they engaged in the covert operations to begin with.

      OK, here's a new plan.

      Firstly, we must stop using human intelligence sources to anticipate and try to prevent criminal acts, because the sources are often inherently at risk and you don't want to protect them.

      Because the public will not stand for the damaging acts that are likely to result, we need a new source of information to help prevent them. Let's make disclosure of all communications to the state mandatory, declare any use of encryption in communications or storage reasonable grounds to suspect criminal intent, and treat anyone who does it as a suspected terrorist until proven otherwise. If you've got nothing to hide, you've got nothing to fear, so obviously this won't have any chilling effects.

      Also, we should stop conducting quiet diplomacy behind closed doors, because not everyone knows what their government is doing under those circumstances, and that is just wrong. Everyone needs to know everything that goes on in government immediately or the very fabric of society is at risk.

      Instead of making deals with the devil, we must ensure that we fight any opposing philosophy to the bitter end, no matter the cost and no matter how long it takes. We have, after all, been highly successful in places like the Middle East using that strategy. Meanwhile, it's not as if developments like the Northern Irish peace process started with a few brave individuals on both sides meeting secretly to see if decades of bloodshed could be brought to an end or anything. That probably didn't save anyone's life or improve the quality of life across a whole country anyway.

      While we're at it, we should probably also ban witness protection programmes. Courts must be open and impartial, and there is no risk to their effectiveness in cases relating to gang violence, sexual assaults, and corruption if everything is always heard with the press present.

      Finally, we should definitely televise all official government meetings in real time. Politics can be kept at bay, and we are bound to wind up with more sensible policies if decisions are made based on which sound-bite will sound best on the evening news rather than the considered opinions of experts who are familiar with more subtle arguments than "Five minutes ago you agreed with part of something I almost said in another discussion, so if you don't back me up now that's a U-turn!!!!111!eleven!"

      OK, here's another plan.

      First, we could use just the tiniest bit of common sense. Some things are secret for good reasons, and whatever the conspiracy theorists like to say, I'm betting that most people in government, in the police, in the security services, and in the armed forces in my country are basically decent people doing their best to protect the rest of us from not-so-decent people. Those who abuse authority should be dealt with appropriately, but we could consider a less black-and-white view and not throw out the whole fridge because a bit of cheese got mouldy.

      Transparency is important, and checks and balances are important, and oversight is important, and respect for democratic roots is important, and secrets should only be kept from the general public for legitimate reasons and for as long as absolutely necessary. However, I don't think we would like to live in a world where only the bad guys kept secrets at all, and I don't think we would like to live in a world where no-one was brave enough to stand up for what is right for fear of the repercussions when they were inevitably compromised.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:Links & hints to the data by Jeremiah+Cornelius · · Score: 4, Insightful

      Just an aside here, I don't know how relevant it is.

      I love how all the small-government types - the ones who think that the notions of commonwealth are somehow equivalent to boogieman socialism - get all righteously pro-State, when it comes to WikiLeaks. It is a curious kind of cognitive dissonance.

      I propose that this psychological maladaptation is the expected outcome of an authoritarian personality forming in the context of what is, nominally, a republic.

      George Orwell was impossibly subtle and perceptive in his fictional exposition of this as "DoubleThink". He demonstrates it as obvious, oxymoronic contradiction - a caricature of the actual mental state of those who enable and support totalitarian positions.

      "Freedom isn't Free" Christ! That's the knee-jerk truism for "War is Peace", "Freedom is Slavery" and "Ignorance is Strength" in one, compact portmanteau!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    12. Re:Links & hints to the data by FoolishOwl · · Score: 4, Informative

      Including the point-blank firing of weapons into the heads of toddlers.

      I'm guessing you meant this:

      WikiLeaks: Iraqi children in U.S. raid shot in head, U.N. says

      Bradley Manning did the right thing.

    13. Re:Links & hints to the data by Pseudonym · · Score: 4, Insightful

      It's been a year, and so far, nobody has died as a result of the leaked cables. Not saying it won't happen, but it hasn't happened so far.

      On the other hand, the cables contain information about people who have been murdered. These crimes would not be known, nor their murderers known, were it not for the release of the cables. So you seem to be advocating the cover-up of an actual crime to potentially stop a future, theoretical crime. That'd be a great one for an undergraduate philosophy class to work through.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    14. Re:Links & hints to the data by Jeremiah+Cornelius · · Score: 4, Informative

      No "few bad apples".

      An airstrike was called in, to try and destroy evidence of the scene.

      These are beginning to emerge as "business as usual" occurrences from Iraq and Afghanistan.

      But, in history, we revile the Wehrmacht of Nazis for this same activity.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    15. Re:Links & hints to the data by ATMAvatar · · Score: 3, Insightful

      When dealing with a trusted keeper of secrets, there is a very fine line between "common sense, let them keep secrets" and simply being a dupe to a predatory and potentially criminal entity. Wikileaks wouldn't exist if the various governments of the world gave us even the slightest reason to trust them.

      In the US, our elected officials are one step shy of openly taking bribes, and in the last few months, two of the three branches have been mired in what boils down to little more than a dick waving contest. We have spent a decade occupying two countries we invaded without the slightest bit of reliable intel that would give us reason to do so. Our economy was raped by Wall Street parasites that subsequently got written a big check and left without so much as a slap on the wrist.

      I have absolutely zero faith that our government has the best interests of its people in mind. While I would not personally go as far as actively work to release classified documents, I find it particularly difficult to chastise anyone who believes they need to do so for the good of the public.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    16. Re:Links & hints to the data by AliasMarlowe · · Score: 4, Informative

      I love how all the small-government types - the ones who think that the notions of commonwealth are somehow equivalent to boogieman socialism - get all righteously pro-State, when it comes to WikiLeaks. It is a curious kind of cognitive dissonance.

      It is a cognitive dissonance which forms part of a larger pattern. There is even a freely downloadable book on the topic, written by a psychology professor.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    17. Re:Links & hints to the data by hxnwix · · Score: 4, Informative

      "1,300 people were eventually killed, and 350,000 were displaced. That was a result of our leak," says Assange. It's a chilling statistic, but then he states: "On the other hand, the Kenyan people had a right to that information..."

      1,300 accessories to murder, I'd say.

      Let's put that in context:

      The leak exposed massive corruption by Daniel Arap Moi, and the Kenyan people sat up and took notice. In the ensuing elections, in which corruption became a major issue, violence swept the country. "1,300 people were eventually killed, and 350,000 were displaced. That was a result of our leak," says Assange. It's a chilling statistic, but then he states: "On the other hand, the Kenyan people had a right to that information and 40,000 children a year die of malaria in Kenya. And many more die of money being pulled out of Kenya, and as a result of the Kenyan shilling being debased."

      Removing the context as you did such that Assange apparently confessed to murder strikes me as rather dishonest. Assange has made real mistakes; focus on those unless your intent is merely to discredit his critics.

    18. Re:Links & hints to the data by SteveTheNewbie · · Score: 3, Insightful

      I had a long drawn out reply to this that got eaten. You'll have to live with the short form, sorry.

      Your 1300 quoted is only half the text; you should read and consider the rest in the context it was said. People are trying to claim that the cables reveal names of possible informants whose lives subsequently become in danger. Can you please point to where the Kenya cables listed these 1300 people? Or was it possibly that the data highlighted corruption in the government that subsequently led to an uprising in which 1300 people were killed? Hopefully I really don't need to point out the difference to you in finer detail.

      Added to this, I am puzzled by the focus on Assange as a figure to hate. In all the releases up until recently (and there is a reason that changed - Thanks Guardian, not Assange) the media were handling the releases, not Assange. If there were names not redacted, then the media outlets that posted the cables are responsible for any harmful outcome, not Assange. If you want to hold Assange responsible then you could also equally hold the original leaker responsible, as well as the people that improperly secured the data, and while you are at it, the embassy for not obfuscating things a little better, or maybe the original government that perpetrated these crimes (or individuals in many cases).

      Why the hate on Assange? It almost seems irrational.

  2. Wikileaks did the right thing sorta by DarkOx · · Score: 4, Interesting

    They were stupid to let the Guardian get the key in the first place, but once it was out, making it more available was the right call.

    When you had to get the data and key together, that required time and some computer skills. People who might retaliate against leakers have the resources to marry the key and copy of the data they either already had or could get from torrents.

    That might be much harder to do for some poor tribesman who has limited or intermittent access to the internet. By making the information easier to get at, it lowers the bar, makes it easier for potential victims to know if they have been outed, and need to protect themselves.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. the guardian by Anonymous Coward · · Score: 3, Interesting

    are playing a stupid game right now.

    In their JA will face arrest in Australia article they earlier said something like "the Guardian unknowingly publish the password in the Guardian's book" etc,

    now that phrase is nowhere to be found from the article...

  4. DER SPIEGEL has a much better writeup by SmilingBoy · · Score: 4, Informative

    The Schneier article is very speculative and doesn't have many facts.

    DER SPIEGEL has a much better and more detailed account: http://www.spiegel.de/international/world/0,1518,783778,00.html

    1. Re:DER SPIEGEL has a much better writeup by rtfa-troll · · Score: 4, Informative
      The Spiegel article is referenced by Schneier so it's there for people to read. However, in one, but the most crucial, aspect the Spiegel article is wrong. It accepts the statement that the Guardian believed the password was temporary at face value.

      In a statement the Guardian rejected the accusations from Wikileaks, explaining that the paper had been told the password was temporary and would be deleted within hours. "No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files," the statement said. "That they didn't do so clearly shows the problem was not caused by the Guardian's book."

      What's new in Schneier's article is that that is pretty clearly debunked. This was a standard GPG/PGP archive which had already been distributed. There was absolutely no reason to hand out the correct password and doing so is a clear breach of IT security norms (never give your password to anybody) for no good reason.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  5. Clarification by I(rispee_I(reme · · Score: 4, Informative

    This is not the Wikileaks insurance file, which remains encrypted.

    This is a different file, that the Guardian was privy to, and was then mirrored.
    The password to this other file was published in a book.

    I only mention this because the previous /. post on this topic had a lot of replies with the mentality that Wikileaks has surrendered its insurance. Such is not the case.

  6. RIP journalism by E+IS+mC(Square) · · Score: 5, Insightful

    Among other revelations during this ordeal, one thing stands out - I now know how morally bankrupt mainstream media have become, irrespective of how right or wrong Assange is.

    Guardian won awards for all the work done by wikileaks/manning, and now they just backstabbed them, and still have guts to defend their own actions.

    NYT is even worse.

    Whistleblowing investigative journalism is dead, sold out to big governments and corporations.

  7. One thing by joh · · Score: 3, Insightful

    The redacting that was done by The Guardian and others was just a reasonable thing to do, but it had one disadvantage: They published only selected and redacted cables and as such you couldn't look for certain things by yourself. There's been more interesting stuff in the past centuries than The Guardian or Der Spiegel would recognize.

    What's now possible is others sieving through these cables and I'm pretty sure that people will find interesting things. While it's not really a good thing for names of informants being published, all this centralized knowledge and decision-making about what is good for the public to know is really getting on my nerves lately.

  8. The key was not for the insurance file, however... by kandresen · · Score: 3, Interesting

    From what is stated;
    1) The key given to the reporter was not the key for the insurance file
    2) Assange had provided a backup method for others to recover the data in the case he was a) killed, b) otherwise rendered incapable to act by other than having the group act on his behalf
    3) Whereas it is easy to revoke access to content on a central server, it is impossible to revoke access to a file that cannot be changed (a password can simply not be revoked unless you can write to it). In other words, you cannot revoke passwords for content that is available on bit torrent etc.
    4) The way encryption usually works is through two sets of keys, i.e. LUKS. The real key is essentially always 512 bits, but nobody including you ever uses this key - you have a password and a separate key that releases the 512-bit key!!!
    No, we do not know if there was a second pass-phrase key on the content provided to the reporter, but if there was, having one key which gives access to the full 512-bit key and content might be used to reveal alternative keys to get the real key. One of which might cascade to the key used in the insurance file. Which is why it was truly irresponsible of the reporter to publish the key regardless!!! That is as far as I see neglect, and being clueless is under no circumstance justification. Yes, the password could be revoked on access, but any backup prior to revocation would, as stated above, retain access with that key whether it is a tape, a USB copy, or bit torrent.

    Anyway, it is not for sure there were any alternative keys combined with that content, however, we do know the group had access to release the content of the insurance file in case something did happen to Assange anyway...

    That the Insurance file was released on Bit torrent was most certainly not a mistake, however, it will have been a mistake if an alternative key used on the content given to the reporter could cascade to this key somehow. (From what I have learned of the case, I kind of don't think the problem was here).

    So that leaves the people who were on the inside with the knowledge necessary to release the key...

    Sure, there has been a lot of mistakes happening; we can blame Assange for believing in the fools who left for OpenLeaks. They were likely always the number 1 threat to the whistle blowers: Internals who sabotage, steal and try to destroy the original organization with internal knowledge.
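
The revocation limit described in points 3 and 4 of the comment above, as an added example (not part of the original thread, and not WikiLeaks, GPG or LUKS code): a random master key is wrapped under each passphrase in a key slot, so deleting a slot only changes the copy you can still edit. The slot layout, the XOR-plus-HMAC wrap (a stand-in for the AES-based key wrap a real tool would use) and both passphrases are constructed for illustration.

```python
import copy
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MASTER_KEY_LEN = 64          # 512-bit master key, the size the comment mentions
PBKDF2_ITERATIONS = 100_000  # demo value; tune to your hardware in real use

Slot = Dict[str, bytes]
Header = Dict[str, Slot]


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a passphrase into a one-time wrapping pad and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    pad = hmac.new(kek, b"wrap-pad", hashlib.sha512).digest()      # 64 bytes
    mac_key = hmac.new(kek, b"slot-mac", hashlib.sha256).digest()  # 32 bytes
    return pad, mac_key


def make_slot(passphrase: str, master_key: bytes) -> Slot:
    """Wrap the master key under one passphrase (assumed toy wrap, see lead-in)."""
    salt = secrets.token_bytes(16)  # unique salt, so the pad is never reused
    pad, mac_key = derive_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(passphrase: str, slot: Slot) -> Optional[bytes]:
    """Return the master key if the passphrase matches this slot, else None."""
    pad, mac_key = derive_keys(passphrase, slot["salt"])
    expected = hmac.new(mac_key, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))


def unlock(passphrase: str, header: Header) -> Optional[bytes]:
    """Try every slot in a header, the way a key-slot container is opened."""
    for slot in header.values():
        key = open_slot(passphrase, slot)
        if key is not None:
            return key
    return None


def demo() -> Dict[str, bool]:
    owner_pw = "constructed-owner-passphrase"
    guest_pw = "constructed-guest-passphrase"
    master_key = secrets.token_bytes(MASTER_KEY_LEN)

    header = {"owner": make_slot(owner_pw, master_key),
              "guest": make_slot(guest_pw, master_key)}
    mirrored = copy.deepcopy(header)  # a copy that has left our control
    del header["guest"]               # "revocation" on the copy we can edit

    # The only remedy covers material not yet distributed: a fresh master
    # key, wrapped only for passphrases that are still trusted.
    new_master = secrets.token_bytes(MASTER_KEY_LEN)
    new_header = {"owner": make_slot(owner_pw, new_master)}

    return {
        "edited_copy_rejects_guest": unlock(guest_pw, header) is None,
        "mirrored_copy_still_opens": unlock(guest_pw, mirrored) == master_key,
        "owner_still_opens_edited_copy": unlock(owner_pw, header) == master_key,
        "rotated_key_safe_from_guest": unlock(guest_pw, new_header) is None,
        "old_key_differs_from_new": master_key != new_master,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Anything encrypted under the old master key stays readable to whoever holds a mirrored header and a once-valid passphrase; rotation protects only what is encrypted afterwards.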

  9. Mirror, mirror... by AliasMarlowe · · Score: 3, Interesting

    David Leigh and Dumbshit-Borg are either pathetic and self-serving dupes, or sickening quislings

    Indeed. According to Der Spiegel, the encrypted file was among those taken from Wikileaks by Domscheit-Berg when he acrimoniously left to start his own rival Openleaks site. It was then released by Openleaks using volunteers to seed torrents of many of their files. Meanwhile, David Leigh of The Guardian published the password which Assange had given him, thereby apparently breaking an agreement of confidentiality. Later, an Openleaks-associated news site let people know where the key to this particular file could be found.

    Smelly sticky shit is indeed flying, but it looks like a side effect of Assange/Wikileaks being stabbed in the back by Domscheit-Berg/Openleaks and David Leigh of The Guardian. Whether the stabbing occurred by coordinated malice or combined stupidity and incompetence is still a little uncertain. Either way, it's hard to blame this directly on Assange/Wikileaks.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire