Many months ago, Wikileaks gave a trove of a quarter of a million U.S. diplomatic cables to the The New York Times, The Guardian, and other media with the understanding that they would only be released with any information that could lead to direct harm, such as source’s names, redacted.
Since then a relatively small number have been released in dribs and drabs with redactions, although I believe there have been one or two instances where the releasers have been accused of leaving in names (perhaps inadvertently) and putting individuals in danger.
Now the entire trove has been released, unecrypted and unredacted, onto the internet and thus irretrievably into the de facto public domain.
Everyone seems to be denying guilt and everyone is pointing fingers at everyone else.
I guess this is what comes from expecting an organization of leakers not to leak. :smack:
By “an organisation of leakers”, you realise you might mean the Guardian, right?
It should be trivially easy to prove whether or not Leigh is responsible for the leak. Wikileaks’ story is that David Leigh’s book, Wikileaks: Inside Julian Assange’s War on Secrecy contains the password to the encrypted document that was Assange’s trump card. It should be as simple as giving a page number - then anyone could buy the book (or just look it up in a bookstore), find the password and download the file to test it.
Whoever released it, there were too many people involved to be able to assume that secrets could be kept.
I’m a little confused about the business with the encrypted file and password. I know that there was an encrypted 1.4G so-called “insurance” file released onto the net. The collection that was just released is only half a gig compressed (65G when extracted). Is this the insurance file? I would think that, if a compressed 0.5G file extracts to 65G then a compressed and encrypted 1.4G file would extract to something much bigger than 65G. Is this release from some other encrypted file that I was unaware of?
From what I’ve seen, it consists only of a few things that were already public plus the diplomatic cables. I was under the impression that the insurance file contained much more than that.
Weirdly, Leigh seems to be denying his responsibility. If he did publish a password in his book then we’ll no for sure soon enough.
This article in Der Spiegel lays out the whole story. Long story short, as I understand it: Wikileaks put the encrypted data on the web, and gave the Guardian the URL and the password to unencrypt it. After the Guardian got the data, Wikileaks took it offline, but left it hidden in a secret folder on their servers. This was included in the set of data that was mirrored on several Bit Torrent sites. David Leigh of the Guardian later published the story of his meeting with Julian Assange, complete with the password that Assange gave him, in his book. Eventually, people figured out that both the encrypted file and the password that decrypts it were out in the open.
The insurance file is not the one decrypted by the password supplied by Leigh. There’s a whole bunch of details and speculation if you follow through all the comments on Bruce Schneier’s blog post about it.
It seems then that two rather dumb mistakes were made:
[ol]
[li]Using a hidden URL pointing to an apparently unprotected directory. This led to an unauthorized party accessing the file. Didn’t they realize that people would be all over their servers looking for hidden files?[/li][li]Publishing a password that was assumed to be obsolete but wasn’t because the file had been accessed by an unauthorized party.[/li][/ol]
There certainly are some security lessons to be learned from this incident.
[li]Using a hidden URL pointing to an apparently unprotected directory. This led to an unauthorized party accessing the file. Didn’t they realize that people would be all over their server looking for hidden files?[/li][/QUOTE]
“Apparently unprotected” apart from the encryption, you mean? Sure, Wikileaks could have had two layers of protection (one to prevent downloads, one to prevent decryption) - but the same dumbass move that defeated one layer could still have defeated both layers.
Like one commenter said: “Turns out key management is hard when one side publishes the key you gave them in a book.”
Oh my God! A British journalist didn’t exercise discretion! Why… why… why, if you can’t trust a British journalist, who CAN you trust? If there’s one thing I counted on in this world, it is that if I had a secret, I could count on British newspapers to keep it under wraps.
Plus, I’m shocked that something stored on the Internet for safe keeping has been compromised. If my time in government has taught me anything about cyber security, it is these four things: 1) don’t worry about plugging in your thumb drive into any ol’ computer you want – it’s just a thumbdrive; 2) cell phones, Blackberries, and iPhones are totally secure ways to communicate; 3) never change your password, because someone might forget it! 4) nobody has ever hacked the Internet, so don’t worry about leaving sensitive files up there.
It seems that the whiz kids at Wikileaks have also learned the last two lessons. Leading me to conclude that Assange isn’t just a jerk, he’s incompetent.
I read the link. Is there any indication that the insurance file contains any data that hasn’t been published? Is the insurance file larger than the data already in public?