Slashdot Mirror


User: mgiuca

mgiuca's activity in the archive.

Stories
0
Comments
909

Comments · 909

  1. Re:ridiculousness on Coming Soon to EA's Origin Store: Third-Party Titles · · Score: 1

    Ah, I thought you might have (since you were awfully specific about which ones). Well, I'd personally much rather buy them from GOG than from the EA store, so I'm pretty happy EA went with that channel.

  2. Re:ridiculousness on Coming Soon to EA's Origin Store: Third-Party Titles · · Score: 1

    Well if you didn't see it yet, GOG.com released Ultima 1-4 last week and Ultima 5-6 this week. If you can sit patiently for about another week, I expect you'll be satisfied.

  3. Re:100% Wikileaks' fault on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    I know, I know. It's something I need to work on ;)

  4. Re:100% Wikileaks' fault on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    I agree that that would be a very silly thing to tell the person. But the only evidence we have to suggest that that's what Assange told Leigh is Leigh's word. So you're trusting the word of a man who is now undertaking one of the biggest ass-coverings in history.

    I've written a giant document analysing the criticism of WikiLeaks' handling of this matter here. I understand if you don't have time to read it, but here's what I've written in response to the criticism that Assange shouldn't have told Leigh that it was a temporary password:

    WikiLeaks vehemently denies that they told Guardian that the password was temporary, tweeting: “It is strictly false that the Guardian was told the password or file were temporary, hence the elaborate password handover method.”

    Whether or not he said this is something we’ll never know the answer to, since it’s WikiLeaks’ word against the Guardian. It’s not scientific of me to make guesses like this, but I’m going to, because I know Mr. Assange’s reputation. Before he was a WikiLeaks activist, Assange was a cryptography researcher. He created the Rubberhose file system to allow people to safely carry digital secrets without divulging their existence. I cannot say for sure what Assange told Leigh about that passphrase, and I have never met Mr. Assange, but judging by his reputation alone, he knows cryptography inside out. He knows which pieces of information are safe to divulge, and which aren’t. I find it hard to believe that Assange would have accidentally told Leigh that this was a temporary password, when we know just by virtue of the fact he used PGP that it wasn’t temporary.

    If I can make some further speculation, I would imagine that Assange told Leigh something along these lines: “I am going to give you access to a file on my web server that will be temporarily available. After a few hours, the file will not be available any more, so you have to download it soon. Also, here is the password which you can use to decrypt the file.”

    It’s possible that a non-technical person may have misunderstood the above sentences as suggesting that the password would be useless after those few hours. That still doesn’t excuse the divulging of a password. If someone says something about a red button which you didn’t fully understand, it is probably not a good idea to push the red button.

    Also, I can only imagine that Assange did stress the utmost importance of keeping the password secure, and not writing down the additional “salt” word — after all, why would he tell him to remember the salt in the first place if it was safe to write it down?

  5. Re:Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    I don't claim to be an expert, but I'm pretty sure I can easily create a PGP key that is time-limited, which would render the Wikileaks position bogus. At least, GPG certainly supports such keys.

    As I think you later realised, that's impossible. PGP supports keys that can expire, but that's only for signing. You can't possibly design an encrypted file that might expire.

    There's a deeper issue here, though. Possibly the system used here wasn't the public-private key encryption that I associate with PGP. I'm confused by what I've read so far.

    It was symmetric encryption (passphrase), not private key.

    it used a simple password-protection protocol which is always going to be inherently less secure. Whichever way I spin it, I can't get Wikileaks to not look pretty incompetent when it comes to security. Which is surprising, considering what they do.

    Why is it "always going to be inherently less secure"? From a security standpoint, both solutions are equivalent.

    The asymmetric solution would have been for Leigh to generate a public/private key pair using PGP, and keep his private key safe. Leigh would have had to send his public key to Assange, who wouldn't be able to trust that it belonged to Leigh because it was sent over the Internet. They would still have to have met in person in order to exchange Leigh's public key (for Assange to be totally confident that the public key did in fact belong to Leigh). Then Assange would have been able to encrypt the document using Leigh's public key and send it over the Internet to Leigh, who would then have used PGP to decrypt the document using his private key. We shall assume that, as above, the encrypted document managed to get out into the public sphere.

    Note the similarities here between the symmetric and asymmetric version. It would still require an in-person meeting, and it would still require that Leigh kept on his computer a secret which would expose the document if it ever got out. You might say that Leigh wouldn't have divulged his private key, because he knew how important it was, but you might have thought the same thing about a super top secret passphrase. Fundamentally, both systems are the same.

    The reason why asymmetric cryptography is useful over symmetric is that it doesn't require individualised in-person key exchanges. Once you have established the trustworthiness of a public key, you can send encrypted documents to that person forever. Since this was presumably a one-time exchange, and the two would have had to have met in person anyway to be very confident in establishing trust, there is no advantage in this case of using asymmetric cryptography over symmetric.

  6. Re:Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    Why is wikileaks in the right?

    What kind of security policy is this, giving trust to outsiders, hoping that they will do the right thing? You may have the contract on your side, but litigation will not put the toothpaste back in the tube.

    Really it's just shoddy security practices by Wikileaks. They could have managed this in a way where they did not have to trust the reporter to do the right thing.

    How could they have done that? The very premise of this whole operation was that the Guardian would have access to the unredacted, unencrypted cables for the purpose of redacting and publishing. You may disagree with the operation, but that was the plan.

    Tell me how you would design a secure system around this plan which did not involve trusting editors at the Guardian to do the right thing. Build any cryptosystem you like -- either the editors will not have access to the cables (and so you've failed to meet the goals), or you will have to trust that they don't just dump the whole thing online as soon as they get it. The contract (and morals) is the only thing preventing them from doing that.

  7. Re:100% Wikileaks' fault on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    I understand all of those concepts, but you missed my point: any disclosure of the passphrase would necessarily bring the whole system down. This is true regardless of whether he gave each journalist a separate passphrase, or used one passphrase for all of them.

    No, and that is the whole point. If they publish the password in a book, then they themselves must also publish their copy of the archive - or the password is useless. So if one organisation publishes their file, and then another publishes their password, there is no issue.

    No, it isn't true that Guardian would have had to publish a copy of the archive. Assuming the archive was sent encrypted, but without any further encryption wrapping around it (which is a reasonable system, since after all, the file is encrypted with the strongest encryption known to man), we can assume that anybody in public already had a copy of the encrypted archive. If Assange distributed the archive to many journalists, with a different passphrase on each, it wouldn't make a difference, since we would have to assume that all of the encrypted archives are public. So it still would only take the disclosure of a single key to break the system.

  8. Re:Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    I'm not talking about content (as in "let's keep the details on Iraq secret but the contents of the president's breakfast public"). I'm talking about fundamental units of information (as in "let's keep the private key secret but the public key public", or more to the point, "let's keep the plaintext secret but the ciphertext can be viewed by the public"). See my response to your other post.

    It's so basic it should be a non-issue: WikiLeaks is currently taking heat for making the ciphertext of an encrypted file public, while the Guardian disclosed the passphrase to that file. How is this WikiLeaks' fault? We all make ciphertexts of encrypted files public all the time -- that is the whole point of encryption.

  9. Re:Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    The second rule is pretty important, I agree.

    My point is, you can't keep everything secret. If you did, you wouldn't be able to release your public key. And you wouldn't be able to disclose the details of the AES algorithm, to be vetted by security professionals. And you wouldn't be able to transmit even the binary for your decryption program to untrusted people, because then someone could reverse engineer it. And, importantly for this discussion, you wouldn't be able to transmit encrypted documents over the open internet.

    Because if you kept everything secret, then you wouldn't be able to make ANYTHING (not even the encrypted text) public. That's why the first step of security is to decide which things can (or must) be made public, and which things must be kept secret. So we have established theory that says "don't make your algorithm secret -- it will leak out eventually", which is why we have public algorithms like AES. We have a notion of public keys, which we put on the public servers. And we of course acknowledge that once something is encrypted, we can put it out over an insecure wire. But we also know that there are things which must not be disclosed. Private keys must be kept to yourself. Passphrases must be kept between only the people who are sharing the encrypted data. Of course the plaintext itself must not be disclosed publicly.

    Once we have established which bits of information are secrets (passphrases, private keys, plaintext) and which may be exposed on an open wire (algorithm descriptions, public keys, ciphertext), and ONLY once we have established that, can we go about carefully guarding the secrets, and stop worrying about the non-secrets.

  10. Re:100% Wikileaks' fault on WikiLeaks Sues the Guardian Over Leak · · Score: 2

    I've written a full post on this issue here, but I'll respond to your individual points.

    If you are going to share extremely sensitive documents with several people, why the FUCK wouldn't you create several *different archives* with different passwords - one for each individual you are sharing the information with?!

    I agree, it is somewhat unusual for WL to have disseminated the cables in an encrypted archive, deleted the archive, then at a later time shared the same encrypted archive rather than creating a new one. It might have been better to create a new one with a new password, and may have added some extra layers of security, but from a cryptographic standpoint this was perfectly reasonable behaviour.

    You need to consider this as a cryptographic system (as I'm sure Julian Assange did), and that means considering what information is public and what information is secret. The archive was encrypted, and the ciphertext was shared across the open Internet (I assume over SSL, but still not requiring authentication). Therefore, we must assume that the encrypted archive is public from that point forwards. The password that unlocked that archive was kept secret and treated as extremely sensitive by WL. By Leigh's own description, JA handed it to him in person on a piece of paper, and then verbally gave him a salt to apply to the password. It's strange that the passphrase wasn't a collection of random letters, but apart from that, all of this makes cryptographic sense.

    Now let's suppose that you need to send the exact same document to another journalist at a later date. While maybe you should re-encrypt it, cryptographically it doesn't make any difference, because we are operating under the assumption that the original encrypted archive was public from the last time we put it on the open network. Therefore, reusing the same archive again with the same passphrase doesn't weaken our security very much. To put it another way, even if WL had destroyed that archive and never reused the passphrase, someone in the general public could theoretically have a copy of it from the one time it was shared, and therefore could have decrypted it when Leigh disclosed the passphrase.

    Give each individual access for a short period of time, and then DELETE THE INDIVIDUAL FUCKING ARCHIVES FROM YOUR SERVER! This has the additional benefit of being able to trace any future leaks.

    Technically it is too late by this point. Once you have put it on the open internet for a short period of time, you have to assume that it is public, and rely on the encryption on the archive itself, and your endpoint not to disclose the passphrase. They could have set up a login system that requires the client to authenticate. That would have guarded against the contact disclosing the password at some point in the future. But is there any reason to have planned for that scenario? You are already giving the full dump of sensitive documents to your contact, so cryptographically it makes no difference whether you do it by an authenticated login or by transmitting an encrypted document. The end result is the same -- only you and your contact have the plaintext -- assuming your contact is not malicious or stupid. If your contact is malicious or stupid, you're fucked anyway because he has the documents. To put it another way, the system would have been secure if Leigh had not disclosed the password, which Leigh was contractually obliged not to do. Any other system would have required the same level of trust in Leigh. This was an error on Leigh's part, not WikiLeaks and not the technology.

    Seriously, if you have disseminated the password to your single "master copy" archive to multiple organisations, then it might as well not be encrypted. If they had created different archives + passwords for each recipie

  11. Re:Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    Mm, well, no I would say that's the second law of security. You can't keep the secrets secret until you have determined which pieces of information should be kept secret.

  12. Re:Only in the USA... on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    Yes but this is what I meant by "Nobody is denying the facts here (the only thing that's in contention is where the blame lies)." -- I accept that there is a debate going on as to who said what was temporary and who should or shouldn't have disclosed what. But the following facts are not in dispute: (1) WikiLeaks provided the documents (encrypted) and passphrase to Guardian, (2) Guardian editors revealed passphrase in book. So there is no need for a theory that someone else got hold of the password: Leigh published it. I'm not sure who published the encrypted data, but I believe it was WL themselves. Following cryptographic principles, WL was not at fault to publish the encrypted data, because that isn't the part that was supposed to be secret; the passphrase was.

    To your points: (1) Yes, WikiLeaks did know the password was out there many months ago. They did not make a public statement about it until today, because they didn't want to draw attention to it. At the time of the book's publishing, the encrypted files were already available online, and there was nothing that anybody could have done to keep it from getting out (besides not saying anything). WikiLeaks had no power to change the password or revoke the file by that time.
    I wrote a full post on this issue.
    (2) I find it very hard to believe that WL would have told the guardian that the password was temporary, since it clearly wasn't (it was PGP). I imagine there was a misunderstanding which went something along these lines:
    1. JA hosts a file on a private server. The connection to the server itself is over SSL. However, JA knows that SSL is not sufficient to prevent others from downloading the file, since it doesn't require authentication on the part of the client. So he also encrypts the file itself.
    2. JA explains to DL that the connection to the server is encrypted and the file will only be temporarily hosted. DL, by his own admission a non-technical person (he needed JA's help to use 7-zip), misunderstands this as "the password on the file is temporary."
    3. JA separately hands DL a piece of paper containing the password to decrypt the file.
    4. DL downloads and decrypts the file using the password.
    5. JA is operating under the assumption that the encrypted file is public (since it was available on an open network, via SSL, but still available to the public). Therefore, it is safe to distribute the same file on another date (I'm not exactly sure how this encrypted file eventually got out, but suffice to say that it is now public, and this is cryptographically not to be unexpected or a problem).
    6. DL, not realising the importance of the password (he figures that now that the file has been taken off JA's server, the password is no longer valid), writes it down in his book.
    7. The editors, under pressure to release, do not vet the contents of the book, and publish it.
    8. JA reads the book and finds the password. By this point, it is too late to do anything other than keep silent about it as long as possible.

  13. Re:Only in the USA... on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    ...can someone who illegally obtained classified documents and released them into the public domain then sue someone else for stealing their illegally obtained documents and releasing them into the public domain.

    The two situations are totally different. The very reason that nobody can sue Julian Assange (or any other newspaper that has ever leaked something) is because they did not "illegally [obtain] classified documents". There is a deliberate asymmetry in the law here: it is illegal to disseminate classified information, but it is not illegal to receive or publish it. That is why Bradley Manning is locked up, but Julian Assange is not (well, not relating to the cables anyway).

    On the other hand, WikiLeaks and The Guardian had a contractual obligation not to divulge the contents of those cables. Nobody at WikiLeaks "leaked" the cables to The Guardian -- they were transferred to The Guardian under contract. This is a case of breach of contract, nothing else.

    For what it's worth, it seems much more likely to me that someone within WikiLeaks who was disaffected with them stole the data/password and released them than that the Guardian did it. Just because it was the (supposedly) time limited password given to the Guardian doesn't mean no one else had access to it.

    Maybe cut back on the conspiracy theories. Nobody is denying the facts here (the only thing that's in contention is where the blame lies). The story comes straight from the book written by The Guardian editors -- Julian Assange gave the password to Leigh, and he published the password in his book. The problem is that Leigh thought it was a time limited password, when it wasn't. (If he knew anything about cryptography, it would have been obvious that it wasn't, because it was a decryption password, not an access password.)

  14. Which part is secret? on WikiLeaks Sues the Guardian Over Leak · · Score: 1

    It has often been said in security that the first law of security is being clear about what is a secret and what is not. Once we have decided that, we can safely distribute the non-secrets as long as we hide the secrets. This is, for example, why I am perfectly comfortable revealing my public key to everybody on the planet.

    So who is to blame? In one corner, WikiLeaks (allegedly... I'm not clear on the details) released this encrypted file to the public. In the other corner, The Guardian released the passphrase. WikiLeaks blames The Guardian for releasing the passphrase, while The Guardian blames WikiLeaks for releasing the enciphered data (it claims that it was a one-time password that should have been safe to give out).

    Clearly, from a cryptographic standpoint, WikiLeaks is right here, and The Guardian is at fault. We must be operating under the assumption that the encrypted data file is non-secret, and the passphrase is secret. That is why it was safe to transmit the encrypted data file over the Internet, but Julian wrote the passphrase down on a piece of paper and handed it directly, as well as verbally giving Leigh an unwritten salt.

  15. Re:Idiots. on WikiLeaks Sues the Guardian Over Leak · · Score: 2

    Yes -- very well put about the access password vs decryption password. To put it another way, there was no point in having the password at all if the password was eventually to be made public.

    JA sent a file over the network, then deleted it afterwards. There are two scenarios: we can either a) assume that nobody did or ever will get their hands on the data being sent, or b) assume that someone might have or might in the future get their hands on the data. If we're going with (a), then we don't need a password at all -- it could have been sent in the clear. Obviously, that isn't the assumption we are operating under. So it must be (b), and therefore, we should assume that that password is a highly sensitive secret for the rest of time. It should have been destroyed.

    Perhaps the mistake was trusting this complicated logic to a man who didn't know how to use 7-zip.
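    The secret/non-secret partition argued in comments 5, 9, 10, 14 and 15 (public ciphertext, secret passphrase made of a written password plus a spoken salt), as an added Python model that is not code from the thread or from WikiLeaks. The cipher is a constructed HMAC-SHA256 keystream stand-in for the real archive's encryption, and every password, salt and document in it is constructed for the example.

```python
"""Model of the thread's threat model: the encrypted archive is public
information; the passphrase (paper password + spoken salt) is the only secret.
Constructed example; the cipher is a stdlib stand-in, not 7-zip's encryption."""
import hashlib
import hmac
import os
from typing import Optional

KDF_ROUNDS = 100_000
KDF_SALT = b"example-fixed-kdf-salt"  # constructed; a real format stores its own


def derive_key(written_password: str, spoken_salt: str) -> bytes:
    """The handover described in the thread: a password on paper plus a salt
    word given verbally. Both pieces are needed to reproduce the key."""
    material = (written_password + spoken_salt).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, KDF_SALT, KDF_ROUNDS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (constructed stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_archive(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. This blob is what goes on
    the open network, so the design must be safe when it is treated as public."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_archive(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag mismatch)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def leak_scenarios() -> dict:
    """Walk through the cases argued in the thread. Each value is True when the
    public could recover the plaintext in that scenario."""
    cables = b"constructed sample plaintext: the unredacted archive"
    key1 = derive_key("paper-password-example", "spoken-salt-example")
    # The archive was on the open network once, so it is treated as public.
    public_archive = encrypt_archive(cables, key1)
    # A later handover with a fresh archive and a fresh passphrase.
    key2 = derive_key("second-password-example", "second-salt-example")
    fresh_archive = encrypt_archive(cables, key2)
    return {
        # Ciphertext alone, with neither the password nor the salt.
        "ciphertext_only": decrypt_archive(public_archive, derive_key("", "")) is not None,
        # Written password leaked but the verbal salt kept back.
        "password_without_salt": decrypt_archive(
            public_archive, derive_key("paper-password-example", "")) is not None,
        # Full passphrase leaked: the already-public archive opens.
        "passphrase_leaked": decrypt_archive(public_archive, key1) == cables,
        # Re-encrypting later does not retract the first archive from the public.
        "old_archive_still_exposed": decrypt_archive(public_archive, key1) == cables,
        # The fresh archive is at least not opened by the old passphrase.
        "fresh_archive_opened_by_old_key": decrypt_archive(fresh_archive, key1) is not None,
    }


if __name__ == "__main__":
    for name, exposed in leak_scenarios().items():
        print(f"{name}: {'plaintext exposed' if exposed else 'safe'}")
```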

  16. Re:Wikileaks change of position? on WikiLeaks Sues the Guardian Over Leak · · Score: 5, Informative

    Your post basically answers itself. They did change their position on the issue because they got a lot of heat for not redacting the cables. That is why for the past year (with the Cablegate cables) they have been working with news organisations to carefully redact them before releasing, and releasing them in small batches a few at a time. That has consistently been WL's position for the past year. Complaining that The Guardian released the cables that were supposedly sent to them for the sole purpose of redacting them is not inconsistent with their recent position.

    (I have often said that one is not a hypocrite for changing one's beliefs, only for simultaneously saying one thing and doing another.)

  17. Re:When will MD5 be let to die as hash for passwor on Serious Crypto Bug Found In PHP 5.3.7 · · Score: 1

    Hmm, when you say "take advantage of it" are you talking about the well-known MD5 collision attack, or the PHP crypt bug?

    Re the collision attack: I think you are right. But still, advice going around is "don't use MD5". Researchers are still chipping away at it, so there's no telling when they'll have a working preimage attack.

    Re the PHP crypt bug: my understanding is that it's quite serious in that it can throw away the input and just use the salt, causing widespread MD5 collisions. So that could definitely be used to impersonate someone. The former is a slight cryptographic weakness, the latter is a serious bug.

  18. Re:It's hard to take seriously... on GA Tech: Internet's Mid-Layers Vulnerable To Attack · · Score: 1

    Well that makes my point, though: you can arbitrarily nest protocols inside one another, so it doesn't make sense to talk about them strictly in layers. Rather than saying "HTTP can drop to a lower layer", why not throw away the concept of layers, and just have a more vague concept of "application level" versus "transport level" and so on, like the 4-level IP stack.

  19. Re:It's hard to take seriously... on GA Tech: Internet's Mid-Layers Vulnerable To Attack · · Score: 1

    Thank you. Yes, the four-layer Internet Protocol Suite thing makes a lot more sense. Rather than trying to say "there are seven layers stacked on top of each other," it seems like here, the protocols are arranged into four logical "protocol groups" with clearly-defined roles, and no sense of "protocols in layer N run on top of those in layer N-1". In the IP suite, it seems valid for protocols in the same group to run on top of each other (e.g., HTTP runs over SSL; ICMP runs over IP).

  20. Re:It's hard to take seriously... on GA Tech: Internet's Mid-Layers Vulnerable To Attack · · Score: 1

    Good point about the null. I see that it works that way for non-SSL traffic, but I still don't see how the "session layer" sits in between HTTP and TCP (even if you consider it to be "null"). It seems like session layer protocols are an entirely different sort of connection.

    As for ICMP, I see what you mean that it's sort of part of the IP protocol (IP wouldn't work without ICMP), but it is syntactically formed inside an IP packet, and I do believe it is constructive to think of ICMP as being "on top of" IP and not part of it (that's certainly how you'd implement it -- your ICMP code would certainly be calling your "construct IP packet" code at some point).

  21. Re:When will MD5 be let to die as hash for passwor on Serious Crypto Bug Found In PHP 5.3.7 · · Score: 2

    Read up on the difference between Collision attack and Preimage attack.

    MD5 is vulnerable to collision, but not yet preimage attacks. The preimage attack the GP is mentioning is something like this: Alice is required to digitally sign off on all money withdrawals from an account, and MD5 is used as a hash algorithm. Bob creates two documents, one saying "I authorize the withdrawal of $100." and another saying "I authorize the withdrawal of $1,000,000." He uses a collision attack to ensure that these two documents both hash to the same MD5 value. He then gives Alice the $100 note to sign. She does so, creating a digital signature, which happens to also be valid for the $1,000,000 note (unbeknownst to her). Bob then submits the $1,000,000 request for withdrawal, along with a valid signature from Alice.

    In general, it is Very Bad if two documents can be created with the same hash. But yes, not going to help cracking passwords though.

  22. Re:Regression tests are for wimps! on Serious Crypto Bug Found In PHP 5.3.7 · · Score: 1

    Sounds like they need Retaliation!

  23. Re:Learn your AVC's on Most People Have Never Heard of CTRL+F · · Score: 1

    Unless they use Gmail and have the "Undo Send" labs feature turned on. It actually waits 10 seconds after you hit Send before it sends the email. During that time, you can click "Undo" to cancel it. I've used it so many times.

  24. Re:It's hard to take seriously... on GA Tech: Internet's Mid-Layers Vulnerable To Attack · · Score: 3, Informative

    I've never really been a fan of the OSI model. The idea of the hierarchy is great; sandwiching it into discrete layers seems problematic.

    Wikipedia's definition of the OSI model states that "there are seven layers, each generically known as an N layer. An N+1 entity requests services from the layer N entity." Makes sense. So, why are both ICMP and IP considered to be in layer 3? ICMP is built on top of IP, so it should be in the layer above IP, but it doesn't actually provide transport (or at least, isn't meant to). HTTP is in layer 7, but it can be sent directly on top of TCP, which is in layer 4, skipping over two layers. (Or it can be tunnelled over SSL, but still skipping layer 5.)

    I prefer to think of the IP stack being a directed acyclic graph of technologies, each depending on another, rather than an explicit linear division into layers.

  25. Re:not about the economy on Reaction To Diablo 3's Always-Online Requirement · · Score: 1

    But it's only "infringement" because the copyright holders have framed your perception of what infringement means. Surely there must be a difference between me sharing a game with a couple of friends for the sole purpose of playing a multiplayer game together for one afternoon and then having them all delete it afterwards, and me giving it out for them to play in full in their own time without having to purchase the game.

    One is a single shared experience, and a powerful advertisement. The other is blatant piracy.

    Again, I refer you to the DVD scenario: you wouldn't expect all of your friends to purchase a DVD for the purpose of a movie night.