WikiLeaks exposes thousands of sources in written-password SNAFU

Filed Under: Data loss, Law & order, Privacy

The cone of silence over WikiLeaks' thousands of sources - many of whose lives are at risk if identified - has been shattered, all thanks to the most mundane, all-too-human security screwup imaginable.

To wit: WikiLeaks founder Julian Assange wrote down the password on a piece of paper, and then forgot to change it later.

The security breach has thrown open the doors to WikiLeaks' entire archive of 251,000 secret U.S. diplomatic cables.

To the horror of the media partners it has worked with in the past to carefully redact the documents - The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde - WikiLeaks has published its entire archive, unredacted, putting in danger several thousand people whom the U.S. has tagged as being at risk if exposed. The documents also cite more than 150 whistleblowers.

"We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk," the organizations said in a joint statement.

"Our previous dealings with WikiLeaks were on the clear basis that we would only publish cables which had been subjected to a thorough joint editing and clearance process. We will continue to defend our previous collaborative publishing endeavour. We cannot defend the needless publication of the complete data – indeed, we are united in condemning it."

The media partners made it clear that this time, with this move, Assange got no help from them. "The decision to publish by Julian Assange was his, and his alone," they said in the statement.

Der Spiegel has chronicled the archive’s publishing, tracing it back to a meeting between Assange and David Leigh of The Guardian.

According to that account, which the British journalist also recounts in his book "Inside Julian Assange's War on Secrecy", Leigh and Assange at one point sat down to discuss how Assange would provide Leigh with a file containing all of the diplomatic dispatches WikiLeaks had received.

According to Der Spiegel, Assange placed the file on a server and wrote part of the password on a slip of paper. To make it work, the characters on the slip had to be completed with a certain word that was not written down.

Can you remember it? Assange asked. Of course, Leigh said.

"At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn't know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder," according to Der Spiegel.

With the dataset in the hands of Domscheit-Berg, Leigh went on to describe his meeting with Assange in his book. In the book, however, he included not only the portion of the password on the slip of paper, but also the part he had been asked to commit to memory.

What followed included feuding between Domscheit-Berg and Assange, attempts to prove that Assange wasn’t trustworthy, and the eventual disclosure that not only was the entire dataset circulating, but that the password could be found in Leigh's book.

At this point, finger-pointing is rampant. WikiLeaks' Twitter feed blames The Guardian. The Guardian is protesting its innocence, putting out a statement claiming that it had been told the password was only temporary.

The U.S. Embassy in London and the U.S. State Department were notified of the possible publication on August 25 to enable officials to warn the named informants. Hopefully, this has given them enough time to remove themselves from harm.

Whether that is possible for all the sources who’ve been put in harm's way is an open question.

But one thing is certain: The platforms to which whistleblowers have hitherto brought their leaks are compromised. They are as riddled with security holes, as flailing with common human weaknesses, as the most ridiculed home user running an unsecured wireless network and the most inept office worker writing down his password on a Post-It note.

Let us hope that this carelessness, this breathtaking lapse in security hygiene, leads to no loss of life.


2 Responses to WikiLeaks exposes thousands of sources in written-password SNAFU

  1. MiWNaked · 1147 days ago

    Assange should have never left the file in an unlinked subdirectory.
    Not deleting the file as soon as it had been given to the media was mistake 1.

    Dozens had access to the server, and the file z.pgp was accidentally circulated via torrent when this organization was facing DDoS and hosting issues.

    I went through some old archives and I do indeed have a copy. Wikileaks mirror 2010 is probably still being seeded on tpb.

    The password was not published directly in the Guardian's book, but it is easily derivable from dialog written in the book. As long as the file existed, the book should not have revealed it. It would have had just as big an impact if they had published a fake key.
    Mistake 2.

    Wikileaks publishing the unredacted contents of z.pgp. Mistake 3
    This is where Assange, an Australian citizen, may have breached Australian law. Previously the media in Australia published the government's condemnation of the site and previous leaks, but WL was found to have not broken au.law because the published works were properly redacted. No offence had been committed, and this was supported by our strong Privacy and Whistleblower laws.

    Some would argue it would help end US conflict and reveal some of the underhanded tricks our foreign masters were playing on us. The most recent headlines relating to cablegate downunder were that the American MPA and RIAA leaned on the 3rd largest ISP because the largest "fought dirty".

    Because of mistake 2, WL could have indemnified themselves of the unredacted works. Yes, the docs were effectively in the public domain accidentally, but encrypted. As long as they did not reveal the key they were not liable for its contents.

    Sorry Julian, but the sloppiness of your organization might have crucified you in Oz. We would all love to have a beer with you, grill some meats on a barbie, watch the popular regional ball game. However your presence in Australia may lead to premature incarceration.

    Maybe you should get in touch with Bob Brown (greens) because both the PM and opposition want your blood -- in some sort of fiendish infopolitical Vampiric way.

  2. Teresa Stokes · 1146 days ago

    Well, now that the cat's out of the bag, what WAS the wretched password? Can anyone enlighten me? I would hope it was a pretty strong one, but this just goes to show that you should never write it down on a piece of paper!


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.