Search This Site


Saturday, September 3, 2011

WikiLeaks US Cables Published... Update

Here's a summary of he said/she said on the full, unredacted release of sensitive US cables on the Internet, so far as I understand it.

WikiLeaks, as represented by Julian Assange, claims that reporter David Leigh of the UK newspaper Guardian negligently revealed a key encryption password in a book, WikiLeaks: Inside Julian Assange's War on Secrecy, published last February by the Guardian. This has apparently been alleged mainly through Twitter. Assange appears to be mum on the subject of how the encrypted database got out there in the first place - as it had apparently only been distributed to key media partners via secure servers that were taken offline after the distribution.

Somehow a copy or copies were diverted from that download to unknown individuals (so much for "secure.") It is unclear from news reports who reported this - perhaps it is just being assumed simply because the database did indeed become widely copied. From the Guardian
The embassy cables were shared with the Guardian through a secure server for a period of hours, after which the server was taken offline and all files removed, as was previously agreed by both parties. This is considered a basic security precaution when handling sensitive files. But unknown to anyone at the Guardian, the same file with the same password was republished later on BitTorrent, a network typically used to distribute films and music. This file's contents were never publicised, nor was it linked online to WikiLeaks in any way.
So both parties are throwing their hands up in that plausible deniability way.

Someone must have been aware of that download diversion, while it was happening. These things are typically detectable even without a secure connection setup, and if it was a "secure" connection, at the very least it should have been tightly monitored.

Someone is being disingenuous here.

In any case, the Guardian claims that the password was intended to be a temporary one, rendered obsolete once the transfer was completed, so I suppose they felt free in publishing an "obsolete" password in a book. I call bullshit on this one. Regardless of whether one party or another knew of the diversion, it should have have been enough of a "known unknown" for anyone who cared about the security of the data - and both parties make this claim - to treat it as a hot and active password. Or at least warm enough to override any titillation value of having a secret (oooh!) password in the book.

No comments:

Post a Comment

I welcome all reactions and points of view, so comments here are not moderated. Cheerfully "colorful" language is great. I'll even tolerate some ad hominem directed against me... each other, not so much. Racist or excessively abusive comments (or spam) will be deleted at my discretion.