Sophos Cloud Optix
The cone of silence over WikiLeaks’ thousands of sources – many of whose lives are at risk if identified – has been shattered, all thanks to the most mundane, all-too-human security screwup imaginable.
To wit: WikiLeaks founder Julian Assange wrote down the password on a piece of paper, and then forgot to change it later.
The security breach has thrown open the doors to WikiLeaks’ entire archive of 251,000 secret U.S. diplomatic cables.
To the horror of the media partners it has worked with in the past to carefully redact the documents – The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde – WikiLeaks has published its entire archive, unredacted, putting in danger several thousands of people whom the U.S. has tagged as being at risk if exposed. The documents also cite more than 150 whistleblowers.
“We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,” the organizations said in a joint statement.
“Our previous dealings with WikiLeaks were on the clear basis that we would only publish cables which had been subjected to a thorough joint editing and clearance process. We will continue to defend our previous collaborative publishing endeavour. We cannot defend the needless publication of the complete data – indeed, we are united in condemning it.”
The media partners made it clear that this time, with this move, Assange got no help from them. “The decision to publish by Julian Assange was his, and his alone,” they said in the statement.
Der Spiegel has chronicled the archive’s publishing, tracing it back to a meeting between Assange and David Leigh of The Guardian.
According to the account, as the British journalist recounts in his book “Inside Julian Assange’s War on Secrecy”, Leigh and Assange at one point sat down to discuss how Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.
According to Der Spiegel, Assange placed the file on a server and wrote part of the password on a slip of paper. To make it work, one had to complete the list of characters with a certain word.
Can you remember it? Assange asked. Of course, Leigh said.
“At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn’t know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder,” according to Der Spiegel.
With the dataset in the hands of Domscheit-Berg, Leigh went on to describe his meeting with Assange in his book. In the book, however, he included not only the portion of the password on the slip of paper, but also the part he had been asked to commit to memory.
What followed included feuding between Domscheit-Berg and Assange, attempts to prove that Assange wasn’t trustworthy, and the eventual disclosure that not only was the entire dataset circulating, but that the password could be found in Leigh’s book.
At this point, fingerpointing is rampant. WikiLeaks’ Twitter feed blames The Guardian. The Guardian is protesting its innocence, putting out a statement claiming that it had been told the password was only temporary.
http://twitter.com/#!/wikileaks/status/109386723066257409
The U.S. Embassy in London and the U.S. State Department were notified of the possible publication on August 25 to enable officials to warn the named informants. Hopefully, this has given them enough time to remove themselves from harm.
Whether that is possible for all the sources who’ve been put in harm’s way is an open question.
But one thing is certain: The platforms to which whistleblowers have hitherto brought their leaks are compromised. They are as riddled with security holes, as flailing with common human weaknesses, as the most ridiculed home user running an unsecured wireless network and the most inept office worker writing down his password on a Post-It note.
Let us hope that this carelessness, this breathtaking lapse in security hygiene, leads to no loss of life.
Assange should have never left the file in an unlinked subdirectory.
Delete the file as soon as it has been given to the media was mistake 1.
Dozens had access to the server, and the file z.pgp was accidentally circulated via torrent when this organization was facing DDoS and hosting issues.
I went though some old archives and I do indeed have a copy. Wikileaks mirror 2010 is probably still being seeded on tpb.
The password was not published directly in the Guardian's book, but it easily derivable from dialog written in the book. As long as the file existed, the book should not have revealed it. It would have had just a bit as in impact if they had published a fake key.
Mistake 2.
Wikileaks publishing the unredacted contents of z.pgp. Mistake 3
This is where Assange, an Australia citizen may have breached Australian law. Previously the media in Australian published the governments condemnation of the site and previous leaks, but WL was found to have not broken au.law because the published works were properly redacted. no offense had been committed and was supported by our strong Privacy and Whistleblower laws.
Some would argue it would help end US conflict and reveal some of the underhanded tricks our foreign masterers werre playing on us. The most recent headlines relating to cablegate downunder were that the American MPA and RIAA leaned on the 3rd largest ISP because the largest "fought dirty".
Because of mistake 2, WL could have indemnified themselves of the unredacted works. Yes the docs were effectively in the public domain accidentally but encrypted. As long as they did not reveal the key they were not laible for it's contents.
Sorry Julian, but the sloppiness of your organization might have crucified you in Oz. We would all love to have a beer with you, grill some meats on a barbie, watch the popular regional ball game. However your presence in Australia may lead to premature incarceration.
Maybe you should get in touch with Bob Brown (greens) because both the PM and opposition want your blood — in some sort of fiendish infopolitical Vampric way.
Well, now that the cat's out of the bag, what WAS the wretched password? Can anyone enlighten me? I would hope it was a pretty strong one, but this just goes to show that you should never write it down on a piece of paper!