Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption Privacy The Media Your Rights Online

The Guardian and the Wikileaks Encryption Key 196

rtfa-troll writes "Bruce Schneier has a good article explaining how the Guardian released the encryption key for the WikiLeaks cables and destroyed the main protection against the release of informers' personal information. The comments in Schneier's blog fill in details of how exactly WikiLeaks' secondary file security protections were also bypassed. Now the Guardian has an article that Assange risks arrest by Australia over the latest leaks, which include information about an Australian intelligence officer. They even say, 'We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,' and go on to state that 'The decision to publish by Julian Assange was his, and his alone,' something which seems clearly debunked in the analysis on Schneier's blog."
This discussion has been archived. No new comments can be posted.

The Guardian and the Wikileaks Encryption Key

Comments Filter:
  • by mcantsin ( 2417600 ) on Friday September 02, 2011 @06:56PM (#37292314)
    http://cryptome.org/z/z.7z [cryptome.org] (368MB) pwd: ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay# http://pastebin.com/SBq9Xpsr [pastebin.com] http://cryptome.org/xyz/x.gpg.torrent [cryptome.org] (Returns xyz_x.gpg, 409MB. No passphrase yet) http://cryptome.org/xyz/y.gpg.torrent [cryptome.org] (Returns xyz_y.gpg, 88MB. No passphrase yet) http://cryptome.org/xyz/y-docs.gpg.torrent [cryptome.org] (Returns xyz_y-docs.gpg, 8MB. No passphrase yet) http://cryptome.org/xyz/z.gpg.torrent [cryptome.org] (Returns xyz_z.gpg, 368MB. Passphrase below) "xyz_z.gpg" and "z.gpg" appear to be identical and both decrypt to "z.7z." The decrypted file is "z.7z," 368MB, which unzips to "cables.csv," about 1.7GB in size, dated 4/12/2010.
  • by DarkOx ( 621550 ) on Friday September 02, 2011 @07:04PM (#37292390) Journal

    They were stupid to let the Guardian to get the key in the first place but once it was out making it more available was the right call.

    When you had to get the data and key together that require time, and some computer skills. People who might retaliate against leakers have the resources to marry the key and copy of the data they either already had or could get from torrents.

    That might be much harder to do for some poor tribesman who has limited or intermittent access to the internet. By making the information easier to get at, it lowers the bar, makes it easier for potential victims to know if they have been outed, and need to protect themselves.

    • by Kjella ( 173770 )

      When you had to get the data and key together that require time, and some computer skills

      Not really, the file was on TPB (among many other places) and the password was being relayed all over the net. Millions of people - and I mean that literally - have the required access and skill if they have the slightest bit of interest then they'll be able to get the decrypted information. Very shortly - if not alreadty - there'd be torrents with the unencrypted information. And it'd be no hard than starting any other torrent, which I consider a rather basic task today.

  • the guardian (Score:3, Interesting)

    by Anonymous Coward on Friday September 02, 2011 @07:05PM (#37292396)

    are playing a stupid game right now.

    In their JA will face arrest in Australia article they earlier said something like "the Guardian unknowingly publish the password in the Guardian's book" etc,

    now that phrase is nowhere to be found from the article...

  • by SmilingBoy ( 686281 ) on Friday September 02, 2011 @07:08PM (#37292412)

    The Schneier article is very speculative and doesn't have many facts.

    DER SPIEGEL has a much better and more detailed account: http://www.spiegel.de/international/world/0,1518,783778,00.html [spiegel.de]

    • by rtfa-troll ( 1340807 ) on Friday September 02, 2011 @07:33PM (#37292626)
      The Spiegel article is referenced by Schneier so it's there for people to read. However, in one, but the most crucial, aspect the Spiegel article is wrong. It accepts the statement that the Guardian believed password was temporary at face value.

      In a statement the Guardian rejected the accusations from Wikileaks, explaining that the paper had been told the password was temporary and would be deleted within hours. "No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files," the statement said. "That they didn't do so clearly shows the problem was not caused by the Guardian's book."

      What's new in Schneier's article is that that is pretty clearly debunked. This was a standard GPG/PGP archive which had already been distributed. There was absolutely no reason to hand out the correct password and doing so is a clear breach of IT security norms (never give your password to anybody) for no good reason.

    • by drolli ( 522659 )

      Besides the fact that the Spiegel (as a WL partner) is heavily involved in mud-slinging towards OL/DDB.

      To me it is obvious that OL/DDB had nothing to do with this problem. I get more and more the feeling that this problem was the reason DDB left.

      The idea that any intelligence agency needed the help of openleaks to test the guardian pwd against any encrypted document they find is funny.

  • So whatever happened to books, or the relevant chapters, being given out privately to the people in them prior to publishing? I thought that was standard practice.

    I suppose it got put to the wayside since it was only relevant when the concepts of truth and balanced reporting were practised. As far as papers go, the Guardian is still far from the worst offender, but it used to be a high quality liberal broadsheet. The last few years it has seemed to put most value on web hits over quality paper journalism. S

  • Clarification (Score:5, Informative)

    by I(rispee_I(reme ( 310391 ) on Friday September 02, 2011 @07:17PM (#37292488) Journal

    This is not the Wikileaks insurance file, which remains encrypted.

    This is a different file, that the Guardian was privy to, and was then mirrored.
    The password to this other file was published in a book.

    I only mention this because the previous /. post on this topic had a lot of replies with the mentality that wikileaks has surrendered its insurance. Such is not the case.

  • RIP journalism (Score:5, Insightful)

    by E IS mC(Square) ( 721736 ) on Friday September 02, 2011 @07:21PM (#37292522) Journal

    Among other revealations during this ordeal, one thing stands out - I now know how morally bankrupt main stream media have become, irrespective of how right or wrong assange is.

    Guardian won awards for all the work done by wikileaks/manning, and now they just backstabbed them, and still have guts to defend their own actions.

    NYT is even worse.

    Whisleblowing investigative journalism is dead, sold out to big governments and corporations.

  • One thing (Score:4, Insightful)

    by joh ( 27088 ) on Friday September 02, 2011 @07:37PM (#37292642)

    The redacting that was done by The Guardian and others was just a reasonable thing to do, but it had one disadvantage: They published only selected and redacted cables and such you couldn't look for certain things by yourself. There's been more interesting stuff in the past centuries than The Guadian or Der Spiegel would recognize.

    What's now possible is others sieving through these cables and I'm pretty sure that people will find interesting things. While it's not really a good thing for names of informants being published all this centralized knowledge and decisionmaking about what is good for the public to know is really getting on my nerves lately.

  • "...and go on to state that 'The decision to publish by Julian Assange was his, and his alone,' something which seems clearly debunked in the analysis on Schneier's blog."

    Neither the media nor law makers will ever let the facts get in the way of their objectives. And because law enforcement has no small stake in this, either because their own fat is in this frying pan, or due to marching orders from the law makers, neither will they.

  • Has Assange verified this? With the code breaking computers available to the US it would be possible to figure out the key and impersonate Assange as a very effective smear campaign. It would also put americans and their spies at risk but that's not stopped them before.
  • Here's an Amazon book review [amazon.com] critical of the disclosure of the password in the book. I registered my support for the critique with a 'helpful' click.

  • by kandresen ( 712861 ) on Friday September 02, 2011 @08:53PM (#37293124)

    From what is stated;
    1) The key given to the reporter was not the key for the insurance file
    2) The Assange had provided a backup method for others to recover the data in the case he was a) killed, b) otherwise rendered incapable to act by other than having the group act on his behalf
    3) Whereas it is easy to revoke access to content on a central server, it is impossible to revoke access to a file that cannot be changed (a password can simply not be revoked unless you can write to it) In other words you cannot revoke passwords for content that is available on bit torrent etc.
    4) The way encryption usually work is through two sets of keys, i.e. LUKS. The real key is essentially always 512bits, but nobody including you ever use this key - you have a password and a separate key that releases the 512bit key!!!
    No, we do not know if there was a second pass-phrase key on the content provided to the reporter, but if it was, having one key which gives access to the full 512bit key and content might be used to reveal alternative keys to get the real key. One of which might cascade to the key used in the insurance file. Which is why it was truly irresponsible of the reporter to publish the key regardless!!! That is as far as I see neglect, and being clueless is under no circumstance justification. Yes, the password could be revoked on access, but any backup prior to revocation can as stated above would retain access with that key whether it is a tape, an USB copy, or bit torrent.

    Anyway, it is not for sure there where any alternative keys combined with that content, however, we do know the group had access to release the content of the insurance file in case something did happen to Assange anyway...

    That the Insurance file was released on Bit torrent was most certainly not a mistake, however, it will have been a mistake if an alternative key used on the content given to the reporter could cascade to this key somehow. (From what I have learned of the case, I kind of don't think the problem was here).

    So that leaves the people who where on the inside with the knowledge necessary to release the key...

    Sure, there has been a lot of mistakes happening; we can blame Assange for believing in the fools who left for OpenLeaks. They were likely always the number 1 threat to the whistle blowers: Internals who sabotage, steal and try to destroy the original organization with internal knowledge.

  • They made secure efforts in transmitting the data. It was the Guardian that betrayed the trust of Wikileaks and all those identities that were suppose to be withheld. The Guardian kept the data file and let it leak and then published the password... In effect the Guardian published everything in the clear. They are the ones to be held responsible.

  • Just reading through a few of the cables that have leaked regarding my country and I came across several cables that have named names of sources with the tag "(strictly protect)". Now, in my country, their lives are certainly not in danger, but their jobs certainly are.

    The biggest achievement of cablegate would be to make everyone think twice about talking to any US diplomats.

"Everyone's head is a cheap movie show." -- Jeff G. Bone