Oh dear

Posted by William M. Connolley on September 1, 2011
(13)
More »

There is a Wikileaks fiasco going about. Der Spiegel has what looks like a plausible story. If you read the Wikileaks version after that, the latter looks rather incomplete and self-serving. The Grauniad also says “not us guv” which isn’t quite true: if they hadn’t been dumb enough to publish the password, all would have been well. But assuming DS has this right, fundamentally this is a Wikileaks foul up.

h/t Bruce (not Steve) Schneier.

[Update: no-one has dented the DS story as far as I can see. So I think that, as told, this remains fundamentally a WL foul up. However (whilst I think the Grauniad were correct to believe that the password they'd got was now irrelevant) they (a) should not have published it, just on general sanity grounds (b) they should not have published it because they could not be confident that they hadn't ended up with a backup of the file themselves, somewhere]

Keywords: , ,
(13)
More »

Comments

  1. #1 blueshift
    2011/09/01

    The Oh Dear made me think that RP Jr had done something silly again.

    [Sorry. I did consider giving it a more descriptive title -W]

  2. #2 M
    2011/09/01

    The Grauniad claim about a “temporary password” really doesn’t excuse ever publishing that password – obviously, if a password-protected or encrypted file exists, a copy could be made, and that copy’s password won’t change even if the master copy’s password does. And why do you need to publish the real password? How was the book better by having a real password instead of a fake password? In fact, it would have been sufficient to just say something along the lines of “Assange placed the file on a server and wrote down the password on a slip of paper — but not the entire password. To make it work, one had to complete the list of characters with a certain word. Can you remember it? Assange asked. Of course, responded Leigh”, just like the Der Spiegel article.

    [I'm not so sure. Obviously, yes, it would have been better, as things turned out, not to publish the password. But the Grauniad *were* told it was temporary, and they believed that. It is fairly clear from the description of them having to be told how to install PGP that they didn't really understand things, so took it at face value. The real true underlying problem was that same file escaping. Clearly, Assange should not have just re-used the same encrypted file for local storage - he should he reencrypted it. Apart from anything else, had he done so it would have been possible to tell exactly whose copy escaped with certainty -W]

    (Well, I suppose a clever person could add a time-stamp into the file so that the file couldn’t be opened outside of a given time window, but that’s easy enough to subvert, too…)

    [Not possible -W]

    (of course, a clever person would also not have let a copy of the file get loose… but that’s hard, when you’ve already given it to half a dozen news organizations)

    [As far as can be told, the release wasn't a consequence of giving it to various news orgs, but an internal Wikileaks/Assange error -W]

  3. #3 Nick Stokes
    2011/09/01

    The Guardian sniffily says:
    “Avoiding the re-use of passwords and avoiding republishing temporary files are both considered basic security procedures among online security experts.”
    I imagine not publishing a password in a book is also basic.

    Assange lamented the Grauniad’s spelling accuracy in this case.

    [The Grauniad is clearly trying to avoid blame, which is wise, because after all Real People might die because of this, or more prosaically Real People might sue. But I think they are correct. Certainly the Wikileaks statement, which attempts to throw all blame on the G, is entirely self-serving -W]

  4. #4 Ed
    2011/09/01

    *sigh*
    Remember, if you had literally 300 million dollars or something similar burning a hole in your pocket which you wanted to use to shut up Wikileaks, don’t you think you could find some *pretty* good ways to do it?

    What you fail to realize in accusing wikileaks in fouling up is that they have very limited resources. Given the realities on the ground, you should realize that there is no way in hell that you or anyone you know could have done any better if your life depended on it. Literally.

    [I disagree. Assuming Der Spiegel is correct in its description of events, this is essentially a Wikileaks foulup. Just because you like what they do is not a good reason for defending their errors -W]

  5. #5 Vince whirlwind
    2011/09/01

    It isn’t Wikileaks’ fault that these documents were not properly secured by the US government. Criticisms of Wikileaks are aimed at diverting attention away from the lapses in competence by the US government.

    [Errm, clearly it wasn't Wikileaks fault that they were stolen initially. But there is no evidence anyone else got these files direct from the Govt, nor did the US govt deliberately put them onto the internet - that is due to Wikileaks. Disliking US Govt security is no reason to shift the blame for the ultimate release -W]

    The public release of the unredacted documents only means that now everybody knows that everybody knows the contents of those documents. Previously, all we knew was that the US government had lost control of them, without knowing who had access to them.

    If Assange gained access to these documents in the first place, that indicates that almost anybody else could also have gained access to them, especially those organisations with a large budget, a strong motivation, and long-standing history of subverting US citizens in order to gain access to classified documents: Russia, Israel, China.

    Lapses in security are more dangerous when they are secret. Now those exposed by these cables *know* they have been exposed whereas previously their exposure was only something they could guess at.

  6. #6 Ed
    2011/09/01

    *deeper sigh*
    1. The encrypted information was intentionally published by Wikileaks. *It was not an accident*. They published the file, it says right there in both places. This is the way it is supposed to go: publish the encrypted material so everyone has a copy, it easier and faster to transfer the password than the file (which is not a trivial concern even with modern high bandwith, you can write in on paper, remember it, tell it by mouth, it takes less time to share or destroy if the gov comes knocking on your door), and secondly the encryption will eventually be broken so we can be sure that many years down the road people will have access to it, even if something happens to the password or to wikileaks.
    2. Obviously this scheme depends on nobody *publishing the password*. That’s called operational security. People with the password have to be on your side, it always comes down to trust of people in the end in any security system. Always. It is not possible to have security if you cannot trust the people involved. That is why they signed an agreement, so everybody understood and knew. I garauntee that Assange made it clear that the password is not to be published. Information always leaks out, it gets copied by windows into areas on the harddrive during swapping, scheduled backups that are sometimes unintended, files that are only deleted (which does not destroy the data) or sent to “the recycle bin” instead of destroyed by overwriting. *Everyone* involved in a secure operation knows this. You cannot control the data absolutely, you do what you can as it will help but the main thing is the password/key. You never publish they keys, not ever, not after you think it is okay, never, unless you want other people to have access to the encrypted data. I can garauntee you that the journalist knew or should have known that, and that was an assumption in the security protocols.
    3. The bastard greedy turncoat journalist published the damn password to make more money on their book, that is the beginning and the end of the problem here.
    4. The informants are *not* really in danger. The US government has *always known* since the first leak essentially what the files were because they knew more or less what was stolen especially after the access logs of Manning were identified and they have had ages to question him, and has at the very least, we can be sure, for the past many months since the password and encrypted file were known, had an exact copy of all cables. Pause to digest. They had what, a year, and at the very least months since the password was released, to search through the files and make sure that all informants were protected/warned. And you can bet that they got the password and recognized it as soon as it was out because they were watching.
    Think about that for a second. This is not a surprise to the informants. The pentagon or state dep or whoever is resposible for protecting the informants can very easily protect them, and they have plenty of resources to take precautions too, and faster than in a year as the state dep apparently was doing, and better precautions than just notification.
    In other words informants are not in danger unless the government decides to use them as sacrificial lambs to make Wikileaks look bad. Which they may well do, and when they do people like you will fall for it hook line and sinker just like you just swallowed the crap in the first paragraph in the Spiegel article and like you always do.
    If that’s the way you want to be we will be back in a world without wikileaks or anyone like them in no time. And you will have only yourselves to thank, because the government and other enemies of freedom beat you, fooled you, were smarter than you, better than you, stronger than you, kicked your ass, fucked you over a barrel and left you crying, and you were the dumb commoner that let them, whether you ever realize it or not.

  7. #7 Lassi Hippeläinen
    2011/09/02

    “In a statement the Guardian rejected the accusations from Wikileaks, explaining that the paper had been told the password was temporary and would be deleted within hours.”

    Bullshit. A password can only be used to control access to a service. You control access to a document with encryption, and there are no temporary decryption keys. Even the Guardian must know the difference, and they knew they had in their hands a decryption key.

    [It isn't quite right, but it isn't bullshit. The Guardian were told that the file they downloaded would be available from the server for hours only - and that was correct. The key error is Assange's archiving of the file encrypted with the same password as he gave the Guardian -W]

  8. #8 J
    2011/09/02

    The Oh Dear made me think that RP Jr had done something silly again.

    [Sorry. I did consider giving it a more descriptive title -W]

    The immediate juxtaposition of posts titled “Ha ha” and “Oh Dear” is kind of amusing.

  9. #9 Lassi Hippeläinen
    2011/09/02

    @8: From the WikiLeaks version of the story I understood that the published “password” was a PGP passphrase to encrypt files, not an account password. The Guardian shouldn’t have published it.

    [I think you are correct about that. But it doesn't alter the case -W]

  10. #10 Egbert
    2011/09/02

    If you look at Der Spiegel’s proposed sequence, DDB is the key actor. He walks off with the goods apparently. How did he get the funds to attend Davos to publicise OpenLeaks? £20,000 a day or something like that to attend? How did he manage to get security cleared, given his association with WikiLeaks? How long does that process take? Was he invited to Davos? If so, by whom? So many questions not asked.

    [Personalities definitely played a part here. JA might perhaps not be an ideal face for WL -W]

  11. #11 Ed
    2011/09/02

    Reading the comments at Scheiers blog it becomes clear that the news articles, as I suspected, are inaccurate. The file escaped because it was included in the files for a mirror of the wikileaks server.

    Which is a form of backup.

    Again, the whole point of encryption in this context is so that if the encrypted file does escape your control, whether it is due to an unexpected backup, because you lost the laptop or CD on the subway, because the servers were raided by the feds or compromised by your enemy, or *whatever* then *that is not a big deal* *because no one else knows the key*.

    So yes, it was clearly mainly the guardian/journalist’s fault here. Wikileaks made a minor mistake, *which they had made accommodations for through encryption*. The journalist undermined the encryption of the file and on purpose for a quick buck.

    [BTW - if you want an offline reply, you should be honest enough to provide a real email address -W]

  12. #12 Lassi Hippeläinen
    2011/09/03

    @9: It does alter the case. Guardian didn’t publish the password of their WikiLeaks account, they published the encryption key of the file. For what purpose? To show off? Leigh could have changed one or two of the words without losing credibility.

    For a long discussion about the technicalities, see
    http://unspecified.wordpress.com/2011/09/03/wikileaks-password-leak-faq/

    [The discussion there seems to boil down to "WikiLeaks made an encrypted file public. Guardian made the passphrase public". I agree that is correct. I disagree with the interpretation there, which exhonerate WL. As I've said before: my view is that the blame lies with WL, for publicly distributing a copy of the file encrypted with the same password they gave the Grauniad. This is the heart of the problem, and it is WL's fault. The rest of the stuff there is a long tedious screed of no value -W]

    P.S. #9 should have referred to 7, not 8. I tried to add a comment to point the obvious typo, but the spam filter blocked me, because too many comments had been sent from my address. Maybe you should allow two fast ones from the same address to enable quick corrections?