Articles

WikiLeaks password leak FAQ

In Cryptography on September 3, 2011 by Matt Giuca Tagged:

The news broke yesterday that the entire trove of diplomatic cables held by WikiLeaks is now public and unredacted, due to a bizarre cryptographic mixup between WikiLeaks and the Guardian. WikiLeaks broke the story, after keeping quiet about it for months (I think people outside of the organisation had started to put the pieces together), accusing the Guardian, a UK newspaper, of publishing a book that negligently divulged the password to the encrypted file. The Guardian fired back, claiming that WikiLeaks said the password was temporary and that it’s their fault for making the encrypted data available. I don’t want to go into the politics here — this is a technical blog. I have already seen a lot of confusion online, both in the media and in the more technically literate (such as on Slashdot). I want to put together this FAQ to answer some of the common criticisms. Here I will try to remain politically impartial, and answer these questions from a cryptography standpoint. I’m not a qualified cryptographer (I don’t know where to begin a cryptanalysis of AES), but I do have a detailed understanding of the technology involved here. I would appreciate any corrections you might have in the comments section.

I am not affiliated with WikiLeaks. I am piecing together this information from various sources, but as you shall see, the facts are really not in question here (at least, everything relevant to a cryptographic discussion of the situation) — what is in question is who is at fault, and cryptography can tell us that.

The bottom line is, as I wrote yesterday, that cryptographically, WikiLeaks is in the right and Guardian is in the wrong. From what I can gather, WikiLeaks followed reasonable security expectations, and Guardian broke them. I would encourage anyone who places the blame on WikiLeaks to read this FAQ in detail (or at least skim through for any questions you may have).

The executive summary

It makes no sense to blame WikiLeaks. As I will address below, the security practices could have been improved to prevent this from happening, but I don’t think it is reasonable to expect WikiLeaks to plan for this scenario. By definition (by giving the cables to David Leigh, the Guardian editor responsible for disclosing the passphrase), WikiLeaks chief Julian Assange was trusting Leigh with everything. There are a million things Leigh could have done to break the security. He could have left the cables sitting unencrypted on a laptop connected to the Internet (and in fact, according to WikiLeaks, he did that too). He could have uploaded the cables to a public server if he’d been malicious. Assange had to trust that he wasn’t going to be malicious or stupid with the cables, by the definition of the operation. Divulging the password was just another possible malicious/stupid thing that Assange had to trust Leigh not to do, and he did it. In any other security model they could have used to transfer the cables, there are equally stupid things Leigh could have done to mess up. So I feel that it is unfair to blame WikiLeaks for not predicting Leigh’s stupidity.

Ignoring stupidity on the part of trusted parties, the system as described above was entirely secure. This is my main point: WikiLeaks made an encrypted file public. Guardian made the passphrase public. Either one of these is safe on its own, but if both are public, the system breaks. So clearly, one of the two parties is to blame. The clear cryptographic answer is: Guardian is to blame. When we use encryption, it is entirely expected and normal for the encrypted text to be visible to the public. If the encrypted text isn’t visible to the public, it can’t possibly be transmitted. You can’t run a secure system under the assumption that an encrypted file will not be seen by others. The entire point of cryptography is that we transmit the encrypted text “in the clear” (without further encryption). On the flipside, the entire point of cryptography is that we don’t divulge the encryption key. So WikiLeaks was in the right to make the encrypted file public (however that happened), assuming that the passphrase would be kept private. The Guardian was in the wrong to make the passphrase public, assuming that the encrypted file would be kept private. By definition, the encrypted file was public because it was available from a public server for at least a few hours.

Again, Leigh was a non-technical person, so we can’t expect him to have understood all of these subtleties. But let’s remember what we’re dealing with here: arguably the most important secret documents in history. The man should have gotten a better technical understanding of cryptography before he did this, and failing that, given that he was not an expert, he should not have presumed it was safe to disclose the password. Even assuming no technical knowledge, it is completely idiotic to publish any kind of password, even an expired one. If nothing else, it would have been safe in case Assange did re-use the same password again. And just to dig a bit deeper: Assange took the extra step of creating a salt, the additional word that he told Leigh to remember and insert into the password but not write down, for the express purpose of protecting the data in the event that someone got a hold of the piece of paper. The final, clinching, idiotic move is that Leigh wrote the salt in the book as well as the password — the one thing he was never supposed to write down.

What are the facts?

Firstly, let me state the facts as I see them. Feel free to skip this lengthy section, but I will refer to it later on. I’ll begin by quoting a passage from the book WikiLeaks: Inside Julian Assange’s War on Secrecy. This book, published in February 2011, is available in book stores and can be found online. It was written by two Guardian journalists David Leigh and Luke Harding. Chapter 11, entitled “The Cables,” details the story of how Julian Assange, the editor in chief of WikiLeaks, sent over 251,000 U.S. diplomatic cables to David Leigh, for the purpose of redacting and publishing the cables via the Guardian. The following passage appears verbatim from the book, except that I have replaced the passphrases with XXXs (if you want to find them, they are readily available online as of yesterday). This is largely the same passage that WikiLeaks quoted in their release (but I got it from another copy to be sure):

Eventually, Assange capitulated. Late at night, after a two-hour debate, he started the process on one of his little netbooks that would enable Leigh to download the entire tranche of cables. The Guardian journalist had to set up the PGP encryption system on his laptop at home across the other side of London. Then he could feed in a password.  Assange wrote down on a scrap of paper: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. “That’s the password,” he said. “But you have to add one extra word when you type it in. You have to put in the word ‘XXXXXXXXXX’ before the word ‘XXXXXXX’. Can you remember that?”

“I can remember that.”

Leigh set off home, and successfully installed the PGP software. He typed in the lengthy password, and was gratified to be able to download a huge file from Assange’s temporary website. Then he realized it was zipped up – compressed using a format called 7z which he had never heard of, and couldn’t understand. He got back in his car and drove through the deserted London streets in the small hours, to Assange’s headquarters in Southwick Mews. Assange smiled a little pityingly, and unzipped it for him.

This is about all the information I need to go on, and it’s written in Leigh’s (or his associate’s) own words, so it is difficult to dispute. WikiLeaks quoted this above passage, adding that the reason for having to add the extra word ‘XXXXXXXXXX’ was “so if the paper were seized, the password would not work without Leigh’s co-operation.”

The Guardian’s full statement from yesterday appears below:

It’s nonsense to suggest the Guardian’s WikiLeaks book has compromised security in any way.

Our book about WikiLeaks was published last February. It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours.

It was a meaningless piece of information to anyone except the person(s) who created the database.

No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files. That they didn’t do so clearly shows the problem was not caused by the Guardian’s book.

Damning for WikiLeaks, and the media have sure picked up on it. Essentially, WikiLeaks was incompetent in their handling of the situation. If WikiLeaks had done their job properly, it wouldn’t have mattered whether or not the password was published.

Except that because I understand the cryptography, I don’t need the Guardian to tell me what WikiLeaks “should” have done. I can piece together the blame just from reading the story of what went down that night when Assange gave the cables to Leigh. The only interesting claim from Guardian’s statement is this: “we were told it was a temporary password which would expire and be deleted in a matter of hours.” That is the only fact that is in dispute here — not whether or not the password was temporary (it is an indisputable fact that it wasn’t), but whether or not WikiLeaks told the Guardian that it was temporary. If they did, then some of the blame can be put on them. But just some. WikiLeaks vehemently denies that they told Guardian that the password was temporary, tweeting today: “It is strictly false that the Guardian was told the password or file were temporary, hence the elaborate password handover method.” We will never know whether WikiLeaks did or did not tell Guardian that the password was temporary. But we can deduce from the facts that the password was not temporary, and anyone with a basic knowledge of security (certainly anyone entrusted with the most politically explosive documents in history) should have known not to publish a password that a serious-looking white-haired Aussie in a black trench coat gave to you on a piece of paper and then explicitly told you a second part of the password which you were not to write down.

So the password is now public knowledge. But what about the archive? The password is useless without access to the encrypted files. We know that the encrypted archive is circulating around the torrents as we speak. It shouldn’t be too hard to find. The question is, where did it come from? Obviously it was originally created by Julian Assange. The details on how it leaked out are very sketchy, but most articles seem to point to this anonymous PasteBin post which seems to link things together (hyperlinks mine):

No-one took note of the Leigh book since where the encrypted file was located was a mystery! Enter the 2nd bad guy of our story: Daniel Domscheit-Berg. DDB said he didn’t know the password before reading the Leigh book, but apparently *did* know the hidden file name on Bittorrent. Using this these two facts (pw+hidden file location), he then went around ingratiating himself with various players by handing them the entire Cablegate archive under the mutually deniable cover of “warning” them about the Leigh book. Enraged after being expelled from the CCC [Chaos Computer Club] he “gave” the cables in this way to more and more people in exchange for alliances and positive spin culminating with the now infamous Freitag and Information.dk articles and now the thing is fucking everywhere…

So it’s hard to say how that file leaked out, but speculation says that since it was on the WikiLeaks server temporarily, and WikiLeaks was aggressively mirroring their site to avoid being taken down, it was copied within the few hours that it was available online, and spread from there. Spiegel reports (courtesy Jonathan for the link) that the file was left on the WikiLeaks server for an extended time, and that Daniel Domscheit-Berg took a copy of the data when he left, and it spread from there. This seems to be corroborated by a report by Nigel Parry (an excellent write-up of the whole debacle — courtesy Will for that link). In any case, it is largely irrelevant how this file got out, because it was already public in the first place, and that shouldn’t have been a problem.

So it seems, the facts were these:

  1. Assange created an encrypted archive with PGP, using symmetric encryption (passphrase). It is unclear when this took place (whether this was created specifically for Leigh, or whether it was created earlier).
  2. Around July 2010, he met Leigh in person, giving him most of the passphrase on a piece of paper, and verbally giving him the remainder of the password as a “salt”. It is unclear whether Assange told Leigh the password was temporary or would expire.
  3. Assange uploaded the encrypted file to the public WikiLeaks server, where it was visible to the public in its encrypted form. It is unclear (and irrelevant) whether SSL was used.
  4. Leigh downloaded the encrypted file from the WikiLeaks server.
  5. Leigh used PGP and the passphrase given to him by Assange to decrypt the file.
  6. Somehow, the encrypted data file ended up in circulation on BitTorrent. The facts surrounding this are sufficiently shady that I won’t go into details here.
  7. About seven months later, in February 2011, Leigh published a book containing the full passphrase given to him by Assange, including the “salt” that he was told to remember.
  8. WikiLeaks immediately found out about this, but kept quiet so as not to draw attention to it.
  9. In August 2011, rumours begin to circulate on the Internet that both the encrypted file and the password are readily available.
  10. On 1 September, WikiLeaks makes a public announcement calling out the Guardian.

Another thing that is unclear is whether WikiLeaks created a separate archive/passphrase for each journalistic organisation they shared the cables with, or whether there was one passphrase shared between all the journalists. Either scenario is feasible. Many people are denouncing the “stupidity” that Assange would reuse the same passphrase that he gave to Leigh when he later distributed the file, but given that we don’t know where the encrypted file came from, it may in fact be that he only used this passphrase one time, and the archive that spread on BitTorrent is the same one that was only available for Leigh to download for a short time.

Assuming the above facts, I will address most of the questions or points of misinformation that I have seen in the past 48 hours.

Why didn’t Assange transmit the file over a secure connection, such as SSL?

We don’t know whether SSL, (TLS) was used, and it doesn’t matter. SSL doesn’t authenticate the client, it authenticates the server. If Leigh had connected to the WikiLeaks server over SSL, then he would have known he was talking to WikiLeaks, but WikiLeaks wouldn’t have known they were talking to Leigh. To demonstrate, visit https://www.google.com/accounts/. This page is sent to your browser via a secure connection, so you know you are talking to Google. But anybody in the world can visit that page. Google doesn’t know who you are (yet).

The file didn’t leak because of a man in the middle capturing the HTTP traffic between WikiLeaks and Leigh. It leaked because it was available on a public server. If I haven’t answered your question, please read the next one.

Okay, why didn’t Assange require that Leigh log in to the server (via SSL) to download the file?

So firstly, let’s assume that we’re using this as an alternative to PGP — that is, the file is made available to Leigh in plain text, but that it required a secure (SSL) log-in with a password that only Leigh knew. This would work much the same way as requiring someone log in to Gmail to retrieve a file — there would be a secure connection between WikiLeaks and Leigh and this time WikiLeaks would know that Leigh was the one downloading the file. Nobody else could log in to that file, and nobody could snoop the HTTP traffic between WikiLeaks and Leigh. Importantly, it would have been a temporary password, as Leigh believed. Once Leigh finished downloading the file, WikiLeaks would permanently delete it, ensuring that the password was now useless. In hindsight, perhaps this would have been a better idea (but once again, Assange would have to have predicted that Leigh would be stupid enough to disclose the passphrase).

It’s a reasonable solution, but has a few technical flaws. Firstly, you have to assume that WikiLeaks is set up with server software that handles authenticated file downloads. Such software is readily available as open source, but takes time to set up and understand its security implications. Also, no software is perfect, and such programs are commonly found to have security flaws which let the wrong person log in. So it would have been more dangerous to trust such software. (PGP, on the other hand, isn’t being used for authentication, but for encryption — there is no software bug that would let someone without the passphrase decrypt the file, since the passphrase is mathematically required to decrypt it.)

Secondly, we would have to assume that the connection to the server and Leigh’s client were secure. SSL has a number of well-known vulnerabilities which make it inappropriate for security of this importance. SSL requires verification from a trusted root certificate authority. WikiLeaks does not seem to have a verified certificate, and given the current political climate, it might be difficult for them to get one. Either way, a man in the middle could be using a dodgy certificate to snoop on the traffic as it is transferred. This also assumes that Leigh’s browser is clean: it doesn’t have any bad certificate authorities installed, it doesn’t have any dodgy browser extensions, he isn’t using Internet Explorer 6, and so on. Any spyware on his machine could grab either his authentication password or the document itself and transfer it to another party. That is why Assange explicitly requested that the cables only be decrypted on a computer not connected to the Internet. If the cables were transferred in the clear over SSL, they would have immediately become stored on a machine connected to the Internet — not to mention the fact that WikiLeaks would have had to store the cables unencrypted on their machine too.

So it would have been much less secure to use authenticated SSL instead of PGP. But that doesn’t mean Assange couldn’t have combined both of these approaches for maximum security. To pull this off, he’d have to have given Leigh two separate passwords: one for the authenticated login, and one for the decryption. He’d have to have set up a web server with SSL and an authentication system, and created a user account for Leigh, with the password given, then encrypted the file with PGP and uploaded it into Leigh’s private directory on the server. Then, he would have had to ensure that Leigh was actually handshaking with his server, and not a man in the middle — WikiLeaks would need a valid SSL certificate. He could have obtained one from a CA, but as I said above, that could have been difficult given the political state. He could alternatively have self-signed it, and then instructed Leigh to install the WikiLeaks root certificate into his browser. Then he would still have had to trust that there was no dodgy software on Leigh’s computer and that his browser was up to date. And after all that, he would still have had to tell Leigh to take the encrypted file off the computer onto a separate offline machine in order to run PGP to decrypt the file. If, after all that, Leigh disclosed the password, it would probably have been okay, because it is unlikely that anybody would have intercepted that encrypted file.

But think about it from Assange’s perspective (without the benefit of hindsight). Why would you go to all the trouble of setting up and training someone to use the above setup (someone who, by his own admission, isn’t even capable of using 7-zip — imagine guiding him through the steps of installing a root certificate in the browser), when a) your basic security is already bulletproof assuming nobody divulges the passphrase, and b) the additional more complex security is riddled with the sorts of holes I mentioned above? I just wouldn’t consider it to be worth the effort. I would consider “just” PGP to be “good enough”. You might say, “but Julian, this is a super duper top secret document, and you really should go to the extra effort.” You may have a point. But I don’t think it’s fair to blame Mr. Assange for “only” using the most robust encryption known to man once, rather than using it twice.

Let’s be clear on how secure the PGP solution is: You are sending encrypted data over the Internet. I still can’t believe that I’m reading technical people berating WikiLeaks for sending an encrypted message “in the clear” (i.e., not taking pains to prevent the encrypted document from going public) — this is a silly argument because by definition, an encrypted message sent “in the clear” is not in the clear — it is encrypted.

Why didn’t WikiLeaks use asymmetric (public/private key) cryptography instead of symmetric (passphrase)?

It wouldn’t have made a significant difference to the security. A lot of people are saying this, going on a general understanding that “asymmetric cryptography is better than symmetric.” Asymmetric cryptography is useful for a lot of things symmetric isn’t, but that doesn’t make it intrinsically “better.”

The asymmetric solution would have been for Leigh to generate a public/private key pair using PGP, and keep his private key safe. Leigh would have had to send his public key to Assange, who wouldn’t be able to trust that it belonged to Leigh because it was sent over the Internet. They would still have to have met in person in order to exchange Leigh’s public key (for Assange to be totally confident that the public key did in fact belong to Leigh) — this sort of in-person meeting is not out of the ordinary for even normal people not engaged in secret international diplomacy. Then Assange would have been able to encrypt the document using Leigh’s public key and send it over the Internet to Leigh, who would then have used PGP to decrypt the document using his private key. We shall assume that, as above, the encrypted document managed to get out into the public sphere.

Note the similarities here between the symmetric and asymmetric version. It would still require an in-person meeting, and it would still require that Leigh kept on his computer a secret which would expose the document if it ever got out. You might say that Leigh wouldn’t have divulged his private key, because he knew how important it was, but then again, you might have thought the same thing about a super top secret passphrase. Fundamentally, both systems are equivalent.

The reason why asymmetric cryptography is useful over symmetric is that it doesn’t require individualised in-person key exchanges. Once you have established the trustworthiness of a public key, you can send encrypted documents to that person forever. Since this was presumably a one-time exchange, and the two would have had to have met in person anyway to be very confident in establishing trust, there is no advantage in this case of using asymmetric cryptography over symmetric.

Why didn’t WikiLeaks choose a meaningless passphrase?

This is a criticism I share. If you have seen the actual passphrase, you will know that it is an ordinary English phrase which is fairly descriptive of the source material. It is long and properly padded with random characters, so would likely never have been brute forced. But it still would have been best if the password was a sequence of random characters, not a sentence. In particular, Leigh possibly wrote the passphrase down in the book to show how tantalising it was when he saw the passphrase. In that sense, the passphrase forms part of his narrative, in a way that “6105ffc4#098f#4f99#acab#c2bcf7b71bd4″ would not have. A similar argument would apply to the private key option discussed above (by definition, a private key is not a meaningful phrase).

But once again, Assange would have had to reason “if I choose an English passphrase, Leigh might be tempted to write it down in his book, so I had better choose a random string of digits.” That thought probably never crossed his mind, because the idea that Leigh would write a passphrase in a book just because it was an English passphrase is nonsensical.

Why didn’t WikiLeaks remove the file immediately after the transfer?

It’s not clear to me whether they did or didn’t do this. Spiegel claims that Assange simply left the file there for an extended period of time. This probably wasn’t wise, but again, it wasn’t tremendously irresponsible either, given that the file was encrypted, and had already been public for several hours anyway. Assange could have assumed that the file was already public, and so if the password leaked out, the damage would be done either way. Still, if this is true, it doesn’t sit well for Assange. It would have been a good precaution to delete the file anyway.

Why didn’t WikiLeaks remove the files once they discovered the password printed in the book?

It was too late. This was the Guardian’s retort when this whole thing exploded yesterday: “No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files.” This statement betrays a fatal misunderstanding of the issue here. By the time the book was published, WikiLeaks had no control over that file. It wasn’t a password to a file on the WikiLeaks servers. It was a password to a file that was, by that time, mirrored on hundreds of other servers and circulating the Internet at large. There was no way to delete it. On the other hand, there wasn’t really any evidence linking the password to the file, so there was a chance that nobody knew about it. WikiLeaks did the best thing they could do: they said nothing about it to anyone. Seven months later, they finally broke their silence after it became clear that the Internet was piecing things together.

Why didn’t WikiLeaks simply set the encrypted file to expire after a certain period of time?

This is one of the most common criticisms. Many technical people have stated: “PGP lets you set keys to expire at a certain date. Assange could have used that technology.”

It isn’t true. In fact, if you have such technology, Microsoft, Sony and the MPAA would love to hear from you, because that would be the holy grail of DRM technology. You can’t make bits that “expire” or “self-destruct” — they are infinitely copyable and don’t disappear unless every single person who has a copy of them simultaneously and voluntarily deletes them. That tends not to happen.

When people say “PGP lets keys expire,” they’re thinking of signatures, not encryption. PGP has two main uses: signing files (“is this file really from the person who claims to be its author?”) and encrypting files (“nobody can read this file except its intended recipient”). On the opposite side, you can verify a signature or decrypt a file. When verifying a signature, it is in the client (the one verifying the file)’s best interests to fail if there is any doubt, so the client will first check that the signature is valid, and then check that the key’s expiration date is in the future compared to the computer’s clock. You could set your computer’s clock back if you wanted to trick your computer into passing the verification, or hack the source to PGP to disable this check, but then you would only be hurting yourself: you’d be tricking yourself into thinking the signature is valid when in reality it might not be.

With decryption, it’s the other way around. It is in the client (the one decrypting the file)’s best interests to succeed wherever possible. I can imagine a version of PGP that first decrypts the file, then checks whether the key’s expiration date is in the future compared to the computer’s clock, and if it isn’t, it says “could not decrypt.” But that would be pointless, because any hacker who really wanted the contents of that file would either set her clock back, to trick the computer into passing the time check, or hack the source to PGP to disable it. Since there is this obvious possibility, PGP doesn’t include that feature at all. You cannot make bits rot.

Returning to the DRM analogy, it has been pointed out that companies like Ubisoft and Blizzard make games that require an “always-on” Internet connection to work. Why couldn’t Assange put similar DRM on the files, requiring Leigh to be always connected to his server to access it (and therefore, have the ability to revoke access when necessary). The problem is that DRM is just all of the above discussion wrapped in a different coating. Most DRM relies on security through obscurity — the video game software is hard-coded to fail without an Internet connection, but the data is still present locally. That’s why most of these games get hacked (and if people are willing to put the time into hacking Driver, surely it’ll be worth it to get the WikiLeaks cables). The “phone home” DRM would come in one of two forms: either the data is stored locally, but it is encrypted, and the decryption key would be sent from the server, or the server would be streaming the data live upon request. Both of these are vulnerable to the same problems as the SSL scenario I talked about above: either you are sending the key, or the cables, over the wire, and that isn’t good. It is much safer for Assange to meet Leigh and hand him a piece of paper than to be sending keys over the network. It is really not feasible to use DRM to make a document expire after some time.

It is possible that Leigh believed that Assange had used this sort of technology, not being a technical person. But that was his misunderstanding — one that he should have clarified before publishing the passphrase in a book.

Why did Assange tell Leigh that it was a temporary password?

Whether or not he said this is something we’ll never know the answer to, since it’s WikiLeaks’ word against the Guardian. It’s not scientific of me to make guesses like this, but I’m going to, because I know Mr. Assange’s reputation. Before he was a WikiLeaks activist, Assange was a cryptography researcher. He created the Rubberhose file system to allow people to safely carry digital secrets without divulging their existence. I cannot say for sure what Assange told Leigh about that passphrase, and I have never met Mr. Assange, but judging by his reputation alone, he knows cryptography inside out. He knows which pieces of information are safe to divulge, and which aren’t. I find it hard to believe that Assange would have accidentally told Leigh that this was a temporary password, when we know just by virtue of the fact he used PGP that it wasn’t temporary.

If I can make some further speculation, I would imagine that Assange told Leigh something along these lines: “I am going to give you access to a file on my web server that will be temporarily available. After a few hours, the file will not be available any more, so you have to download it soon. Also, here is the password which you can use to decrypt the file.”

It’s possible that a non-technical person may have misunderstood the above sentences as suggesting that the password would be useless after those few hours. That still doesn’t excuse the divulging of a password. If someone says something about a red button which you didn’t fully understand, it is probably not a good idea to push the red button.

Also, I can only imagine that Assange did stress the utmost importance of keeping the password secure, and not writing down the additional “salt” word — after all, why would he tell him to remember the salt in the first place if it was safe to write it down?

Why did WikiLeaks re-use the same password for subsequent distribution of the same file?

It isn’t clear how that encrypted file got out, or whether or not WikiLeaks reused the password. This is an (as far as I can tell) unsubstantiated claim that is going around. But let us assume that this is the case. That is: We shall assume that subsequent (or prior) to their dealings with Leigh, WikiLeaks distributed the same cables to other journalistic organisations (as they are known to have done), and in their haste, used the same passphrase to avoid re-encrypting the data. I have found no evidence to support this, but let’s assume it for the time being.

It has been claimed that this violated the principle of discretionary access control, or similar: much like you wouldn’t let different users run software under the same user account, you shouldn’t use the same password for different organisations. There is some wisdom to this. Let us assume that WikiLeaks gave the encrypted file to N organisations, and that there is a probability p, where 0 ≤ p ≤ 1, that any given encrypted file will leak out, and another probability, q, where 0 ≤ q ≤ 1, that the corresponding passphrase will leak out. If you make a separate encrypted bundle for each organisation, then the document will be exposed if and only if one of the encrypted files leaked out, and the passphrase corresponding to that same file also leaked out. It doesn’t matter if the Times encrypted file is leaked and the Guardian key is leaked, since the key doesn’t unlock that file. The probability of a “game over” scenario (the cables go public) is 1 – (1 – p×q)N. That’s because p×q is the probability that both the data and key for the same file get loose, (1 – p×q) is the probability that they don’t both get loose, and N is the number of keys you have to worry about (so multiply the safe probability that many times, then invert it to get the game over probability). For example, if p = 0.3, q = 0.1, and N = 10, the game over probability is 1 – (1 – 0.03)10 = 1 – 0.9710 = 1 – 0.74 = 0.26. Compare that to the scenario in which you make the same bundle and passphrase for all the journalists. Now the document will be exposed if and only if any of the encrypted files leaks out and any passphrase leaks out. The probability of the “game over” scenario is now (1 – (1-p)N)×(1 – (1-q)N). That’s because we now measure the individual probability of any data leaking and any key leaking, and multiply them together. This gives us much worse odds: For example, if p = 0.3, q = 0.1, and N = 10, the game over probability is now (1 – (1 – 0.3)10)×(1 – (1 – 0.1)10) = (1 – 0.710)×(1 – 0.910) = (1 – 0.028)×(1 – 0.35) = 0.97 × 0.65 = 0.63. So the underlying maths confirms our intuition that it is better to give each person we deal with a different key.

But now let’s try to make some reasonable estimates for p and q (and continue assuming that N = 10). Given how important the passphrase is, we’d like to think that q is extremely extremely low. Again, Assange was operating under the assumption that q is near 0, but for the sake of argument, let’s keep q at the generously high 0.1. What is a reasonable value for p? As I’ve stated above, we are operating under the assumption that all of the encrypted data is public, at least for a short while. Every time we share this (for each N), the data will be on a public web server for several hours: a web server that is possibly being mirrored by thousands of other computers across the world in real-time. So if I had to guess, I would place p at 1, or very close to it. That’s not a silly assumption, given that again, the whole point of cryptography is that it is safe to assume the encrypted data is being seen by everyone. Basically, although he didn’t realise it, Leigh was betting that p was 0 when he published the passphrase. Now let’s run the numbers again with p = 1 and q = 0.1. If you give everybody their own individual key, the game over probability is 1 – (1 – 1*0.1)10 = 1 – 0.910 = 1 – 0.35 = 0.65. If you share the key between all the journalists, the game over probability is (1 – (1 – 1)10)×(1 – (1 – 0.1)10) = (1 – 010)×(1 – 0.910) = (1 – 0)×(1 – 0.35) = 1 × 0.65 = 0.65. If p (or q) is 1, then it makes no difference. If you are operating under the assumption that all the encrypted files are being captured by the public (and we are), then you cannot afford to let any single key slip out. There is one other advantage to having separate keys for each journalist, and that is that if a key does slip out, you know who to blame. But that isn’t the problem here.

To use a real-world analogy, say there is an office with 10 rooms and 10 keys. It is more secure if each key only unlocks one room, because then if someone steals a key, they can only access the contents of one room and not all 10. But that isn’t a good analogy for the cables because all the organisations were given the same file. If any one leaks out, it’s game over. So a more appropriate analogy is if there is an office with one big room with 10 doors and 10 keys. Now it doesn’t matter if each key only unlocks one specific door, or if all the keys unlock all the doors. Either way, if someone gets one key, they can steal everything in the room. Given that the whole point of this operation was to trust the journalists with the entire set of cables, there isn’t much more security you can have. You simply have to trust that none of the journalists will reveal his key. It doesn’t matter whether all the journalists have the same key, or if they are given individual ones.

In any event, p is probably not quite 1, so it probably would have been prudent for WikiLeaks to use separate passphrases for each journalist, and it certainly wouldn’t have hurt. But did they? It isn’t clear that Assange distributed the same file and passphrase to multiple people, and it isn’t clear how the file leaked out at all (more on that in the next section). But the point of this section is to show that, however negligent it was to leave that encrypted file on a hard drive, it pales into insignificance next to the negligence of divulging the passphrase. Again, we are operating under the assumption that the encrypted file is available to the public (there is no other way to run a cryptosystem), and therefore we require that the password is secure. We assume that p is 1 or close to it, and we require that q is as close as possible to 0.

How did the encrypted file get out onto the Internet?

I’ve put this question last, as it’s the least important. Hopefully by now, I’ve made the case that it doesn’t matter how the data file got out, who is to blame, or whether or not it was deliberate, because of the basic tenet of cryptography that your encrypted text is not something you need to keep secure. But it deserves to be addressed. I have read many theories, and have not yet seen any clear evidence about this:

  • First and foremost, there is some chance that it was grabbed from the WikiLeaks server during the hours that it was online for Leigh to download.
  • According to the Spiegel article, the file was only used the one time (to give the data to Leigh), but it leaked out because it wasn’t deleted by Assange, instead remaining on the server for an extended time before it was ultimately mirrored.
  • An insider at WikiLeaks could have posted the encrypted file online (either accidentally or deliberately).
  • The encrypted file could have been leaked from the Guardian (either accidentally or deliberately). WikiLeaks claims that “David Leigh and the Guardian … violated … our requirements that the unpublished cables be kept safe from state intelligence services by keeping them only on computers not connected to the internet.” If this claim is true, it is not unlikely that the files were stolen from the Guardian computers by government agents or others.
  • If WikiLeaks did use the same passphrase and encrypted file to give the cables to the handful of other organisations they worked with, any one of them could have leaked the encrypted file online (either accidentally or deliberately).

Basically, we don’t know how. But it is the least important fact in this debate.

Update: Several people have written to point out that the encrypted data file, z.gpg, was published by WikiLeaks themselves as part of the November 28, 2010 dump of the full WikiLeaks server archive. A post on the front page of wikileaks.org still reads “All released leaks archived (2010-11-28): Due to recent attacks on our infrastructure, we’ve decided to make sure everyone can reach our content. As part of this process we’re releasing archived copy of all files we ever released – that’s almost 20,000 files. The archive linked here contains a torrent generated for each file and each directory.” That link (now removed), I am told, contained the encrypted file unlocked by Leigh’s password. (Thanks to Justin for a full explanation.) I must stress that this file was made available by WikiLeaks in November 2010, three months before Leigh’s book was published.

Conclusion

Clearly, an avalanche of “mistakes” has led to this unfortunate ending. I genuinely believe that Leigh never meant to disclose a live password, but this doesn’t excuse his ignorance of basic security practices (passwords are secret: even if you think they have expired, it’s best not to assume, especially when international diplomacy is at stake). Roughly outlined, the “mistakes” I have seen people claim are as follows:

  • Assange decided to trust Leigh in the first place,
  • Assange decided to send a file encrypted with PGP “in the clear” (without a second layer of encryption), allowing anyone online to get access to it,
  • Assange chose to symmetrically encrypt the file with a passphrase, rather than require Leigh establish a public/private key pair,
  • Assange chose a passphrase that was an English phrase and not random gibberish,
  • Assange possibly told Leigh that it was a temporary passphrase (according to Leigh),
  • Assange possibly left the file sitting on the drive after it had been sent (according to Spiegel),
  • Assange possibly re-used the same file and passphrase to give to multiple journalists (according to some rumours I’ve seen going around),
  • Leigh published the passphrase in a book.

The above dot points roughly outline what appears to be a rather damning case against Assange. But let’s not forget the first rule of cryptography: establish what is a secret and what is not. Once you have done that, you can set about protecting the secrets at all costs, and operate under the assumption that everything else can be seen by anyone, without any concern. It is not “lazy” or “irresponsible” to encrypt a file, and then send that encrypted file over a public network. It is not “lazy” or “irresponsible” to publish an encrypted file on BitTorrent and point at it with a public tweet saying “I have posted an encrypted file, which I would like as many people as possible to download.” (Assange did that too.) Much of the modern world’s infrastructure is built upon these cryptographic principles, from the DRM on your iPhone apps, to the transfer details you give to your bank website. Every single one of the “mistakes” Assange made was only a mistake in the context of the final error — the publishing of the passphrase in the book. Assange shouldn’t be held accountable for his “mistakes” because they were all rational decisions when operating under the assumption that your passphrase is safe. If you aren’t operating under that assumption, then it’s basically game over anyway.

This document has made the case that protecting the data from your collaborator wilfully publishing the passphrase is a lot more complicated than the media and the commentators are giving Assange credit for. He would have had to go to extreme lengths to seal up all of the issues I’ve mentioned, and that would have bought him a modest amount of additional security. But it probably wouldn’t have been worth it, and it’s pretty hard to make a case for doing so before the fact. What we’re really talking about in this article is shades of caution. Assange could have been more cautious, but in the end, you are pretty much hosed if your collaborator gives up the encryption passphrase, and if you want to blame someone, it should be them.

As my friend Richard said, “[The Guardian have] done the harm that Wikileaks never did but copped months of trash talk and threat of prosecution for.” WikiLeaks will likely take the fall for this, but as cryptographers, we know where the real blame lies.

Acknowledgements to Will for reading through this post and suggesting improvements.

About these ads

152 Responses to “WikiLeaks password leak FAQ”

  1. Asymmetric encryption shares an advantage with the meaningless passphrase mentioned (along with the rebuttal): it’s quite hard to publish a private key in a book.
    It would still have required Assange to predict that Leigh would publish a passphrase, but with hindsight it’d be worth remembering this advantage. It does tie down the security of the decryption method to the security of the files of someone’s computer, but we’d already have to trust in such security as it’s implied that the decrypted data itself would be sitting on the computer too.

    • Sorry for not replying sooner. Some comments later on referred back to this one so I’ll reply now. I agree that had asymmetric encryption been used, it would have been far less likely that Leigh would have published it. But again, that would have required Assange to specifically consider the scenario of the key being deliberately published — he was probably more worried about the passphrase being extracted by force, in which case both methods have the same level of security.

      • Matt, could you or someone else please explain something to me? I’ve read through a few technical overviews of pgp online, and this is still a point that is unclear to me.

        In order to decrypt a file that is encrypted with a public key, don’t I need to have the passphrase AND the private key? And doesn’t the private key have to be stored in a physical file on my computer (the “keyring”)?

        I apologize for my ignorance, but I really have taken some time to try to figure out the answer to this.

        • Well you would encrypt *either* with a passphrase *or* a public key, not both. So you only need the private key to decrypt. What might be confusing is that the private key *itself* typically (or, SHOULD) be encrypted with a passphrase. Therefore, you need the private key and the private key’s passphrase (known only to the private key holder) to decrypt.

          Yes, the passphrase is stored in a physical file (often called the keyring) on the computer.

          So in this scenario, if Assange had opted to use asymmetric crypto, Leigh would have a private key on his computer, protected by a passphrase known only to him, and then he would give his public key to Assange. If someone seized his PC, they would need his passphrase as well to unlock any data. So that scenario *is* plausible, but it is fairly complicated compared to a passphrase for encryption.

          • Thanks, Matt. Just to be clear … In this scenario, if Leigh publishes his passphrase in a book, it is useless without the private key that sits in a physical file on his laptop, right? (I thought this is what David implied when he wrote, “It does tie down the security of the decryption method to the security of the files of someone’s computer…”)

            If so, I can’t see how this is not a MUCH stronger security measure than symmetric encryption.

            And when you say it’s “fairly complicated,” in terms of usability for Leigh, isn’t it still just a matter of entering a passphrase to decrypt the file? (I’m not concerned with the complexity of the transfer right now.)

            • Yes, that’s all correct. The passphrase to the private key is useless without the private key itself.

              Well whenever you say something is “much stronger”, you have to consider what the threat model is. (A retinal scanner is no more secure than a rickety lock against a bear attack.) If the threat model is “what happens if Leigh publishes the passphrase in public?”, then yes, public key encryption is a better protection against that than symmetric encryption. But that isn’t a typical threat model in cryptography, because it is impractical to conduct top secret document transfers assuming your colleague is an idiot. (i.e., you are already trusting him with top secret documents anyway.)

              Threat models Assange might have considered are: “what if someone steals the piece of paper?” (make Leigh memorise part of the passphrase), “what if someone gets the encrypted file in transit?” (make sure the passphrase is private), “what if someone cracks the passphrase by brute force?” (make sure it is long — 58 characters is long enough to last many trillion centuries of brute force cracking), “what if someone steals the piece of paper AND forces Leigh to confess his memorised part of the passphrase?” (that is a risk Assange took). All of these questions have analogue with the private key version — in particular the last one: “what if someone steals the private key AND forces Leigh to confess his private key passphrase?” If you do the whole security analysis, the public key version doesn’t add much security — EXCEPT in the situation nobody predicted, which is Leigh would voluntarily publish his passphrase.

              By “fairly complicated”, I meant more the fact that Leigh would have to generate a public/private key pair, think of a secure passphrase, and learn the security ramifications (i.e., don’t share the private key, but do share the public key, don’t leave the private key on a machine connected to the Internet, etc). Given that he didn’t understand the security ramifications of a simple passphrase, it is not clear that he could have been trusted with a private key either.

              Sorry this is a very long reply.

            • I’ve been trying to point out that it’s not just an issue of complexity with the asymmetric procedure, but that it does not provide any additional security /unless/ you assume that the passphrase will be leaked. Yes, it would have prevented this specific situation, but Assange did not predict that Leigh would be stupid enough to make the complete passphrase, including the verbal-only salt, public knowledge.

              Try to imagine you’re Assange going through the process with Leigh. You’ve encrypted the file with a passphrase; you’ve written most of the passphrase down and told Leigh the rest of it, implying (if not saying explicitly) that you do not want the full passphrase to be written. This is in case someone gets physical access to the harddisk with the encrypted file on it as well as the paper with the partial passphrase on it; they can’t get to the data. If the data needs a private key to decrypt it, then that will be stored on the same harddrive, and so the only missing information will be the passphrase either way.

              This leads to an extended security option where you’d have the private key stored on a USB stick or similar, and make sure you don’t keep it near the sensitive harddrive. But assuming some shadowy authority has stolen the computer/drive, they almost certainly found that USB stick too. There really is no security benefit in asymmetric cryptography; all it does is make it harder to be a complete idiot.

              • Ah, Matt said the same things but in a different way. :)

              • Ben, I didn’t want to take up any more of Matt’s time, but since you jumped in, I’ll say that I’m not persuaded by the “threat models” defense of Assange.

                You: “[asymmetric encryption] does not provide any additional security /unless/ you assume that the passphrase will be leaked.”

                You (and others) are arguing in terms of what Assange would have had to assume (e.g., Leigh would be careless or stupid or malicious) to justify asymmetric encryption; I’m arguing in terms of what Assange DID (implicitly) assume. What I would say is that Assange should NOT have assumed that the passphrase would NOT be mishandled in some way. Why base your security on that assumption if it’s not necessary to do so? (Especially when a breach would have such devastating consequences.) As much as possible and feasible, this possibility should have been anticipated, and the potential and impact of the damage from it minimized.

                You: “If the data needs a private key to decrypt it, then that will be stored on the same harddrive, and so the only missing information will be the passphrase either way.”

                OK, so in the case that someone gains access to Leigh’s passphrase and laptop the two methods are equivalent. Same is true if they somehow gain access to his passphrase and private key. Granted. But this just goes back to the first point. Why assume that the passphrase alone will not be compromised? Asymmetric handles this case much better than symmetric.

                The specific manner in which the passphrase was leaked is ugly, and surely no one could or should have anticipated it. (In a technical sense, we can call it malicious.) But I don’t understand how people can find the possibility of a compromised passphrase so extraordinary that the assumption should be that it will not happen.

                • If Assange assumed that the passphrase was not safe given that he had already taken measures (the verbal “salt”) to ensure it could not be trivially obtained, then there is no method of cryptography solid enough to allow Leigh access to the cables.

                • “Asymmetric handles this case much better than symmetric.”
                  Not technically. In fact, symmetric might be a bit better off. Basically, both approaches require three pieces of information to get the data:
                  Symmetric: 1. Encrypted file, 2. Paper containing most of passphrase, 3. Memorised extra word of passphrase.
                  Asymmetric: 1. Encrypted file, 2. Encrypted private key file, 3. Memorised passphrase to private key file.

                  In either case, if all three are compromised, you’re hosed. If a subset of the three are compromised, you’re OK. Let’s look at the threat model for those three being compromised.

                  1. Encrypted file will almost certainly be public (could have taken some extra caution to minimise this risk, but we assume it’s public).
                  2. In the symmetric case, this would require either that a) someone raids Leigh’s house and finds the paper, or b) Leigh voluntarily publishes the passphrase. (a) is a risk Assange was willing to take, (b) probably didn’t cross his mind. In the asymmetric case, this would require either that a) someone raids Leigh’s house and grabs his computer, finding the encrypted private key file, b) someone hacks Leigh’s computer and gets the encrypted private key file there or c) Leigh voluntarily publishes the private key file on the Internet.
                  3. This would require either that a) someone coerces Leigh to divulge the salt/private key passphrase, either by force or by legal threat, or b) Leigh voluntarily publishes the salt/private key passphrase. (a) is a risk Assange was willing to take, (b) probably didn’t cross his mind. In the asymmetric case, there is a third possibility: Leigh chooses a very weak passphrase which can be brute-forced.

                  Considering all of the above, you’ll see that the threat models are very very similar. You said “The specific manner in which the passphrase was leaked is ugly, and surely no one could or should have anticipated it,” but you still think that the general scenario of passphrase compromise is more likely than private key compromise. I would say (if we don’t assume malice on Leigh’s part) that the passphrase is actually a bit more secure, because it is not stored on a computer. In the symmetric model, the three pieces of information are quite nicely distributed across three media: 1. Leigh’s computer, 2. A piece of paper in Leigh’s desk, 3. Leigh’s head. Someone would have to compromise the computer, the desk and the head to break in. But the asymmetric model sees those three pieces of information in just two media: 1/2: Leigh’s computer. 3. Leigh’s head. Someone only needs to compromise the computer and the head. And the “head” is already compromised because it’s going around publishing secrets in books. Who’s to say that in the asymmetric world, Leigh wouldn’t have written in his book “Assange asked me to think of a passphrase to protect my private key, so I wrote ‘monkey’.” Bam — now all we need is Leigh’s private key file.

                  I am still convinced that if we *don’t* assume malice, symmetric encryption is approximately as safe as asymmetric for this particular scenario.

  2. I’m so happy to have read this! I know absolutely nothing about how these things work, and reading various articles and the comments to them only added to my confusion. You made sense of something I thought I’d never understand the first thing about. Thank you so much!

  3. thank you so much for this. After reading it’s clear a lot of people are talking bollocks.

  4. The most eloquent and comprehensive description and analysis of events I have seen so far, I can’t see David Leigh having any rebuttal to this.
    But then again his tactic will likely try and convince those who don’t understand the technology that Assange is evil, and hope the wider public never have it explained to them that he and he alone is the person solely responsible for all the cables being leaked.
    Had he have done it on purpose and stood by his actions I’d actually have some respect for him.

  5. [...] auch Matt Guica in einem lesenswerten Beitrag über die kryptografischen Aspekte der Affäre schreibt, bleibt folgendes unverständlich: Warum [...]

  6. This is very informative and helpful to someone who isn’t very techy at all. Thanks!

  7. Agree with all of the above technically, but tech consultancy being my profession, have plenty of experience of what to assume and not assume non-technical collaborators (typically clients) understand. Basically, if they screw up because of a lack of understanding of a platform I introduce them to, that’s my fault.

    The technology is excellent,as we all know, and humans are invariably the problem. Humans are pretty much the only factor we have to worry about in security procedures.

    That Leigh left a meeting with Assange without a full understanding of the security is to me the one and only failure.

  8. If the journalist drove back with his laptop to Assange to let him install 7zip, why on earth do all the sending via internet anyway? It would have been much safer to give him a prepared laptop or a drive with truecrypt on it, plus the data, right then and there.

    • mwb, that’s a really good point. I’ll consider adding it to the article. It’s hard to think of an answer (besides maybe “that isn’t how we normally do things”). One answer to that may be that if Leigh was intercepted on the way back, he would have the drive with the encrypted data *and* the password on his person. It is better practice to send the data and password in two separate communication channels. Also Assange didn’t know that Leigh was going to have to drive all the way back to install 7-zip ;)

  9. Brilliant technical summary. As to “Why didn’t WikiLeaks choose a meaningless passphrase?”, well,
    it was a passphrase for a non-technical journalist who may have been intercepted by security services. Therefore the written part of the passphrase had to be salted with a verbal portion. Using your example, “6105ffc4#098f#4f99#acab#c2bcf7b71bd4″, if Assange wrote down “6105ffc4#098f#4f99#acab7b71bd4″ then he would have to have said to Leigh “This is the password, but you have to remember to insert #c2bc before the f7b71bd4, can you remember that?”, then the answer would have been no, and Assange would have known that in advance from having met Leigh.
    As your excellent article points out, the Guardian is in the wrong. I don’t think you need to be a cryptographer or even a very experienced computer user to understand that. I think the real question is was this gross incompetence or malicious.
    The Guardian initially blamed the ‘time-limited password’ excuse, which means they are unwittingly claiming ignorance at the time and worse, ongoing ignorance. Then a Guardian journalist blamed the use of symmetric rather than assymetric encryption, again ongoing ignorance. Then they blamed the reuse of the password, which is irrelevant since the passphrase wasn’t hacked, it was published.
    So that is all strong evidence for the cock-up theory, that the Guardian are utter fools who cannot be trusted with their own data, let alone their sources of registered readers.
    However, by the time the Guardian book was published they had already broken with Wikileaks by giving the cables to the New York Times against Assanges stated wishes, and breaking their agreement. The Guardian did this to get acces through NYT to US state security services, presumably partly to ensure they never got prosecuted. They describe regular meetings in darkened rooms with angry american agents. That is strong circumstantial evidence that the Guardian had motives for deliberately releasing this information to discredit Wikileaks, perhaps on behalf of the US who know the data was already compromised. Indeed, new charges have been threatened against Assange by Australia for releasing the name of an Autralian agent due to this fiasco.
    Given that, it is not a fatuous question to ask ‘Can the Guardian, with all it’s technical staff and scientific writers, really have been so stupid as to publish a passphrase for such an important file in a book that must have been proof-read carefully by lawyers?’

    • “Then a Guardian journalist blamed the use of symmetric rather than assymetric encryption” — really? I haven’t seen that. Do you have a link?

      In any case, I really doubt this was actively malicious on Leigh’s part. I don’t know why he would risk the reputation of his organisation, even if he really wanted to discredit Assange. “Never attribute to malice that which is adequately explained by stupidity.”

      From what I read, the book was rushed out which is why they didn’t catch this. But yeah … surely if you are going to write a damning book about someone, any publisher worth anything at all would give it to a lawyer to peruse (even just to see if there’s anything libellous in there). Maybe it can’t be adequately explained by stupidity.

      • I think the meetings with the US security services described by both Leigh and Bill Keller of the NYT may explain motivation for a malicious release.

        I’m not sure how to link to tweets, but Heather Brooke recently tweeted this to defend her colleague:

        newsbrooke Heather Brooke
        @
        seems odd that @wikileaks only used symmetric key encryption for such sensitive leaked data. #securityfail
        1 Sep

  10. Maybe the following t-shirt print will become popular again after the cablegate#2 drama:

    #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
    $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
    lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

  11. Thank you so much for clarity .. a fine piece of writing too. Like Maria i too do not know how such coding systems work. i am inclined to believe that Guardian people were very stupid rather than malicious.. Also Assange, surely. I don’t quite agree that such a very important file should have been protected by only one password.. (and an unchanging one) — i’m thinking of the kind of encryption systems that they had to decode at bletchley park!! … it just seems flimsy to have a phrase with one word unwritten. (i might even have guessed that word myself). But thanks again. very interesting.

    • My understanding is that one password is a good as two – if he leaked one then he could leak both… also, to change the password changes the file so an older version of the file would still have the previous password (see original article discussion of expiring passwords for similar situation) … changing it would only mean you needed to find the right key to the right door of the same room (see the original article and someone who understands algebra if you still don’t understand its metaphor).

      • Yep, that’s right. Also if you’re thinking about Bletchley Park, that was in the 40s, comparatively very primitive technology. You must understand that the encryption used by Assange (PGP — available to anybody for free), combined with his 58-character password, is astronomically more secure than anything that was used in WWII.

        For an idea of the scale of security we’re talking about, visit https://www.grc.com/haystack.htm. Type Assange’s 58-character password in there. This website estimates that if you take today’s state of the art password cracking technology on the most powerful machines in the world, multiply it a few hundred times for good measure, and then start trying to brute force guess Assange’s password on the WikiLeaks data file, it would take a good 16.40 million trillion trillion trillion trillion trillion trillion trillion centuries. This is the strongest encryption that we (anybody on the planet) know how to do, and nobody on the planet knows how to break it.

        Except of course, if someone tells you the password, it’s all over. The same would be true if the German soldiers printed the password in a newspaper. The same is true if I give my neighbour the key to my house, and he goes and copies it and gives copies to burglars. It is impossible to design a security system that is invulnerable to a trusted party disclosing the secret required to open it.

  12. If David Leigh had been using asymmetric encryption, and was already using his private key in multiple sensitive places, it may be slightly more secure… because even as a cryptographic novice, he would instinctively be more wary of leaking his own key to the public.

    In that case, if he did leak the key, it would be possible to find out whether he did it in malice (generated a new key specifically for the purpose of leaking, or re-encrypting the file under a different key) or in a genuine misunderstanding (in which case he’s the security risk we already know he is).

  13. Good piece Matt. Linked in the Guardian comments to the recent editorial piece.

  14. I’m sure that Assange didn’t tell Leigh that the password was temporary. That’s not plausible. In his book, Leigh refers to “Assange’s temporary web site”, not temporary password. Leigh probably just assumed that the password was also temporary, as he is not technically savvy, and unfortunately didn’t ask WikiLeaks before publishing it in a book.

    Leigh says the cable file that he used had a different name than the one that circulated. This leads me to believe that Assange did make a copy for Leigh and probably deleted it when Leigh was finished with it. The problem is that he used the same password as for the original file. He should not have given a journalist that password. That was his mistake, in my view. He should have used a new password. Then, when he deleted that file, the password would have been useless. Domscheit-Berg has accused Assange of laziness on that point. But Leigh says in his book that Assange capitulated (to giving him the cables) late at night after a 2-hour debate. He just used the password that came to mind.

    It should be noted that it was Daniel Domscheit-Berg and his media partner Der Frietag who brought the situation to the attention of millions of people, who immediately went about trying to find the file and the password. They did this maliciously to harm Wikileaks’ reputation. If they had not, only a few people would have known how to find the cables.

    • “The problem is that he used the same password as for the original file. He should not have given a journalist that password. That was his mistake, in my view.”
      It probably looks like that file was created before Assange met with Leigh (June 9, 2010, people are saying is the date stamp on the file). But this file may not have been intended for general circulation. This was not the same file as insurance.aes256.

      The point of my section “Why did WikiLeaks re-use the same password for subsequent distribution of the same file?” is that even if the file wasn’t intended for general circulation, you still have to assume that the file was already public in encrypted form, since it was sent over the Internet. Therefore, it may have been a mistake to use the same file again or keep that file in the archive, but it’s just “shades of caution” as I put it — it isn’t fundamentally insecure to publish an encrypted file that you have already sent over the open network.

      • Maybe I didn’t make myself clear. I have the same criticism of Assange that David Brockerhoff (a few posts below mine) does. There seem to have been 2 copies of the file. The one that is circulating now was created in June 2010. If Assange made one for Leigh, it would have been created in August 2010. That file no longer exists, as far as the public knows. Assange may have deleted it, rightly. But he used the same password for both files.

        I’m sure the file wasn’t intended for general circulation -not that it would matter, since it’s encrypted. It wound up on the web inadvertently. But Assange should not have given Leigh the password to the master file that was in Wikileaks possession. Assange should have created a password specifically for the copy he gave Leigh. I’m sure this did not seem important at the time, but it’s unwise to give a key to someone whom you would not trust with your life. The password could end up anywhere. In this case, surprisingly, it ended up in a book that was published on several continents.

        I don’t place most of the blame on Assange. To my mind, he is third in line. Daniel Domscheit-Berg is first, because he acted maliciously, deliberately revealing the existence of the file and password in order to disparage Wikileaks and to promote his own leaking platform. David Leigh is second, because he was stupid and careless, but he was not malicious. There is no way he would have wanted to compromise the Guardian’s exclusivity. That would harm the Guardian financially. Julian Assange is third, for giving a reporter a password to an file he intended to keep.

        No one has mentioned Der Frietag and Der Spiegel’s role, which is neglectful. Had these papers not printed Domscheit-Berg’ story, we would not be talking about this now. Der Frietag had been maligning Wikileaks for a few weeks, because they are partnered with Openleaks. They print DDB’s anti-Wikileaks propaganda, typically leaving out key points and, of course, ignoring DDB’s bad behavior. They do this because they want to lure potential leakers away from Wikileaks to Openleaks, so they have a crack at the leaks. Der Spiegel appears to have printed the story in order to compete with Der Frietag. Both papers printed intentionally vague accounts of the loose password and file, but that just made people curious, so people went hunting for that file. It was irresponsible.

        .

        • Okay, but my point is that even if the files were different, if they had largely the same content (i.e., 251,000 cables), then it doesn’t matter if you publish the next file with the same password. Because we assume encrypted traffic is public and any disclosure of the password will expose the encrypted file, it doesn’t matter if you encrypt two cable dumps with the same password or a different password (even if it’s for different people). It is still the case that a disclosure of the password places the whole dump in jeopardy.

          “it’s unwise to give a key to someone whom you would not trust with your life” — indeed, maybe it was unwise of Assange to trust Leigh, but that was the premise of the whole operation. He had to trust Leigh with his life (or at least, the full set of cables) or they wouldn’t have been in business at all. Assange made a mistake trusting Leigh, but that doesn’t mean it’s Assange’s _fault_ that the cables are now public.

          I didn’t go into details on the Der Spiegel or DDB roles deliberately — I wanted to focus on the cryptographic points I made and not go into the politics of it.

          • I see your point, and I appreciate that this is the cryptographic point of view. I assume that is Assange’s logic as well, as he has a cryptographic background. But the rest of the world will expect Assange to have applied some common sense to the problem. In my mind, common sense dictates that a reporter should not be left in possession of a password to a file that still exists and on whose exclusivity Wikileaks depends.

            Theoretically, disclosure of any password would place the whole dump in jeopardy, so it doesn’t matter how many different copies or passwords you have. I see your point. But in practice, exposure of the password does not necessarily place the whole dump in jeopardy. It can’t if only one copy was encrypted with that password, and that copy was destroyed. I understand that Assange was operating under the assumption that everything is public, so the number of passwords wouldn’t matter. But someone who was not thinking quite so strictly vertically might have thought in terms of rendering Leigh’s password useless by making it unique to a copy that Leigh already possesses.

            I think I know what you’re thinking: Leigh’s copy of the file can still end up in the public domain and so can his password. Yes, but it would be entirely Leigh’s fault if that were to happen. Wikileaks would have nothing to do with it and could not be blamed for any part of it. Using a unique password would have worked out better.

            • I’m not sure if you’re saying “it wasn’t Assange’s fault but the world will blame him because they don’t understand cryptography,” or if you’re saying “from a cryptographic standpoint, it wasn’t Assange’s fault, but from a common sense standpoint, it was.”

              If you’re saying the former: Yes, I agree. That’s why I wrote this, to try and spread the message that cryptographically it isn’t Assange’s fault.

              If you’re saying the latter: I kind of get what you mean, but it still comes down to the cryptography — that is the maths behind it. You’re saying that Assange shouldn’t have trusted cryptography, he should have trusted “common sense”. But that isn’t how things work. If I were to trust “common sense” I wouldn’t get on a plane, because my intuition says metal placed miles up in the air falls down. And I certainly wouldn’t send my credit card details over the Internet, because my intuition says that bits of sensitive information being sent through hundreds of metres of copper, owned and monitored by hundreds of different organisations and governments is not safe if those bits allow whoever has them to take my money. But I do use online banking because I trust the cryptography, which tells me “it is safe to send those bits encrypted, and assume that governments are recording those bits, because you have a symmetric key which only you and your bank know.”

              You said “common sense dictates that a reporter should not be left in possession of a password to a file that still exists and on whose exclusivity Wikileaks depends” — that may be true but that’s why I wrote this, to show that that “common sense” doesn’t hold up under mathematical analysis, because any way you look at the problem (how can I transfer secret data to the Guardian), you always come to the same conclusion no matter which approach you take: We’re going to have to assume that the Guardian doesn’t deliberately compromise the security of the operation. If Leigh had uploaded the entire unencrypted file to a web server, you might have made the same argument, “common sense dictates that a reporter should not be left in posession of a file on whose exclusitivity Wikileaks depends” — if you wanted to, you could blame Wikileaks for giving Leigh the files at all. But that was the whole point of their arrangement. The Guardian compromised the security of the operation, and there is no approach you can recommend for transferring these files which does not depend upon the Guardian’s cooperation in remaining secure.

              • “We’re going to have to assume that the Guardian doesn’t deliberately compromise the security of the operation.”

                Hm. I´m not so sure about that. When the book was published at the beginning of February 2011, the Guardian and J had already fallen out. The Guardian´s public Anti-Assange started way back in December 2010, with an article by Libby Brooks dated 9 December 2010 entitled “No one gains from this ‘rape-rape’ defence of Julian Assange”, see: http://www.guardian.co.uk/commentisfree/2010/dec/09/nobody-gains-from-misogynist-defence-of-assange. At least that´s the first time it became so obvious that I even wrote a blog entry on that ongoing and cleverly set up gradual `change of mood´ at Assange´s former “partners” at The Guardian (for my blog entry see here: http://theassangefactor.blogspot.com/2010/12/wikiblokesphere-vs-wikiblamesphere.html ).

                From then on and until today, The Guardian presented a constant flow of attacks, leaks and allegations (several biaised articles about the Court case, articles by James Ball on the NDA story – now we understand even better why WL insisted on having those NDAs signed -, the inane Heather Brookes soap (even it wasn´t The Guardian that officially broke that part of the story), with Annex DDB catapulted on the world scene again (see: http://www.guardian.co.uk/media/2011/may/13/wikileaks-spokesman-assange-gagging-order e.g.).

                They were clever enough to insert a couple of articles and put up some smokescreens. e.g. by publishing stuff by Mark Stephens (see: http://www.guardian.co.uk/commentisfree/2011/feb/25/europe-open-justice-sweden-assange) as fig leaf, but it was still more than obvious to most of us that they changed sides.

                Add to this that in February 2011, the exclusivity agreement WL+4(5) media outlets had expired, WL and The Guardians had fallen out and Assange had already started collaberating with other (smaller) international media outlets and partners. I remember The Guardian being really pissed. I think they were aware that they weren´t the only ones to access the (unredacted) anymore anyway. After they´d lost their exclusivity access and therefore control, they didn´t have much more to lose anyway by giving away the password.

                Sorry, but I don´t buy that `it was all stupidity´ story. I´m not directly saying they published the PW in the book to gag Assange or to put pressure on him, I have no reliable proof for that, but I´m not the first one to deny the possibility of it. In the best case, the decision to publish it was driven by utter stupidity, combines with carelessness, pomposity and conceit.

                All this being said, a totally un-cryptographical side-note: I (as a non-techy) instantly liked the way Assange constructed the passphrase when I first read it. It may not have been the most cautious phrase, from a techy-savy point of view. But from a human point of view, it is precious.The heart of the matter shines through it beautifully, and it becomes more than clear that the project was so much a part of J´s entire existence and reason of being that he wasn´t willing or able to invent a passphrase made just of a random string of figures, signs and letters. After all, that´s the stuff real history is made of. All in all, the course of events since Cablegate did prove him right.

      • There was no need for that file to be public – they could easily have sent it via sftp. If they thought that file was going public, they never should have given the guardian a password that would unlock it – the authority to release the key to a publicly distributed version of the cables wasn’t an ability that the guardian wanted or needed, but assange gave it to them because he was too lazy to set up a new password.

        • It’s easy to say stuff like “send it by sftp” but actually setting it up so that it’s secure is near impossible. Believe me, I tried. I set up an SSH account that refused login but allowed SFTP, and it only just worked. It was technically possible to break out of the SFTP jail; just extremely difficult (I forget the procedure). And you also have the same issue of how to transfer the public key and passphrase to log in to the SSH server to retrieve the encrypted file.

        • You seem to have missed the point of encryption. It is standard practice to encrypt a file with a passphrase. Then, you keep the passphrase secret, but send the encrypted file publicly. The fact that it is encrypted makes it safe to send it in public. The SFTP option (or SSH) is the same argument I covered in the section “Why didn’t Assange require that Leigh log in to the server (via SSL) to download the file?” — he could have set that up but it would have required setting up server software, creating an account for Leigh, ensuring that he knew how to use sftp on top of the existing PGP solution, etc. The security implictations for allowing someone to SSH onto your server are non-trivial, because it is too easy for an experienced user to do things with your server that you don’t want. (SSH allows someone to be logged into your server.)

          Every suggestion that people have raised in all of the 100+ comments on this post raises many more security questions. Complexity is the enemy of security. Assange picked an approach that was dead simple, well-defended against outsiders breaking it, and nigh-impossible to accidentally screw up. The ONLY flaw in the system was that Leigh deliberately compromised the password, and the entire point of my article is that he could have found some way to compromise ANY other security solution you can think of. The problem with all of the comments saying “why didn’t Assange use system X instead of symmetric encryption” is that you’re saying that with the full benefit of hindsight — changing to another system might have prevented this specific problem, but it could have created many more potential problems you’re not thinking of.

          • We’ve not dealing with standard practice here, we’re dealing with a high risk, high security scenario where Wikileaks should not have naively relied on PGP to protect them. Like you say, they had set up a system that was technically resistant to all forms of attack, except to the biggest security hole in any system – people. Under that circumstance you do not assume that the passphrase will never leak, so you make sure that the cyphertext is as protected as is humanly possible.

            Wikileaks should never have had that file on a publicly accessible web server. There are any number of ways they could have distributed that file – sftp into a server that they didn’t trust for anything but that transaction, physical transport using deniable encryption techniques (Assange did invent rubberhose, after all), SSL using client authentication, etc. You can poke holes in any of these schemes, but none as big as “hey, what if one of the many people you have given the password to accidentally releases it?”

            • There was nothing accidental about Leigh saying “HERE IS THE PASSWORD JULIAN ASSANGE GAVE ME”. It is possible that he did not understand the security compromise he was committing. But no matter how thoroughly you protect a file, it is *always* susceptible to breach by malice or carelessness.

              It seems to me that Wikileaks’s principle, which is sound from a technical point of view, is that there is no way to protect the data they have while it is being transferred. There is no point in trying to protect a file while it is in transit as there are too many ways it can be stolen (including snooping, even with SSL; SSL just makes it harder to snoop, not impossible). Furthermore, if the data is public then it can be used as additional insurance if the server is destroyed or compromised. Passphrase decryption is the best solution because it relies least on data that can be lost, deleted, destroyed or stolen.

              Assange trusted Leigh enough to give him the data and passphrase. If he had used asymmetric encryption, this specific scenario would not have happened, but there is no way to say the Leigh would not have also released his private key. “Look at this pretty pattern of letters and numbers. This is the key Assange gave me. It’s almost like The Da Vinci Code.”

  15. I’m not sure how the encrypted file (z.gpg, that is) ended up on BitTorrent, but if the timestamp for http://enigma.bailey.st/wiki/file/xyz-magnets.txt on the http://enigma.bailey.st/wiki/file/ mirror is to be believed, there’s been a valid magnet URI for z.gpg in the wild since June 9, 2010 at the latest.

    Confirming this would involve determining when a file with that hash entered the DHT, and I don’t know of a way to do that, but it’s certainly possible that the file was in the DHT but not on any trackers for six months.

  16. From a trustworthy source that was directly involved in the whole drama I know that Assange/WL should have given the Guardian an own copy of the dump with an own encryption-password. At least that was the procedure that wikileaks internally had agreed on. Instead he simply copied the the mastercopy with the masterpassword that was lying on the WL-Fileserver and gave it to The Guardian.

  17. Btw. there are SSL Client certificates which do verify the clients authenticity ;) But overall very very good summary

  18. Its awesome. Really; you guys opening eyes of whole world. Thank you.. Keep posting indian diplomats

  19. Thanks immensely for this clear and thorough explanation!

  20. [...] - WikiLeaks password leak FAQ – Matt Giuca, Unspecified Behaviour: cryptographically, WikiLeaks is in the right and Guardian is in the wrong. From what I can gather, WikiLeaks followed reasonable security expectations, and Guardian broke them. [...]

  21. You cleared up a lot of question that i had been searching for, great work thanks for saving me alot of time.

  22. I’m not computer savvy but I can understand loud and clear what you are saying.

    Thanks Matt

  23. A good write-up. A few addenda:

    1. The torrent link to the file was distributed in December 2010 as a part of the Wikileaks archive. I saved the archive and after seeing Twitter discussion of the archive I went to see a directory, xyz, which was discussed on Twitter on August 31, 2011 as a way to locate the file.

    2. The archive directory contained torrents for four encrypted files: x.gpg, y.gpg, y-docs.gpg, and z.pgp. I downloaded the four and tried to open each with the passphrase published by Leigh as discussed on Twitter. It opened only the z-pgp file, to reveal the 7z file.

    3. Those torrents pointed to files on a mirror site and remain available:

    http://193.198.207.6/wiki/file/xyz/

    4. Several Tweeters deserve credit for finding and announcing the file and for placing it on Pastebin. Nigel Parry’s excellent account covers much but not all of this. More can be found by a Twitter search on the topic.

    5. Leigh may have slightly misdescribed accessing the file on the WL server by using the passphrase. The file was likely downloaded without a passphrase then the passphrase was used to decrypt. Unless the same passphrase was used for online access as well as to decrypt. There is no restriction on access to the mirror site files.

    6. You are probably aware that David Leigh and the Guardian’s James Ball claim the file the Guardian accessed was not the same as the one now generally available, the z,pgp file, and that the two differ in file size, filename and SHA1 hash.. I have tweeted Leigh and Ball asking for the file size, filename and SH1 hash for the Guardian file. No answer from either.

    7. The x.pgp file is similar in size to the z.pgp file. Whether it contains a somewhat different set of cables is intriguing. The y.gpg and y-docs.gpg files are much smaller but may contain material which links the four.

    8. The full story remains to be told and yours is a most helpful beginning.

    9. Release of the unredacted full cables is benefiticial and it may be that this was arranged in ways not yet revealed. The peculiar story so far told is not altogether believable.

    10. Bear in mind that cryptographers are notorious mistake makers, often due to their high qualifications which blinds to the simple error. But they also fake mistakes to deceive. The best ones fear this more than sophisticated attacks, and they relish catching each other making seemingly dumb mistakes. They are immensively crafty and not altogether believable, by design, just like most of us.

    11. Julian Assange is noted for elaborate jokes and stings and adept social engineering. His toying with the media is a long-developed skil shared with cryptographersl. However, he happly confesses to messing up, or pretends to as a lure for suckers. Well, that was in the cypherpnks yearss when he was unknown and not subject to massive accusations and adorations. I suspect he is quite pleased with the keystone cops furor.

    • Thanks for your addenda. A few replies.
      1. Yes, a few people have pointed this out. I’ll add that to the blog post as it appears to be an important fact.
      5. Yes, although I didn’t say it, I’m sure Leigh got that part wrong. It doesn’t make sense that you would put the password in before downloading it, if PGP is involved.
      6. Yes I have seen that claim. The claim was that the *filename* differed [EDIT: I am corrected below]. Guardian never said anything about the file size or hash, as far as I know (nor would I expect them to check such things or even know what a hash is). So I doubt you’ll get a response, but if you do I’d be happy to hear it and link to it. If the file size or hash differed, it would perhaps be an interesting remark, but just claiming the filename differs is just more of their misdirection — files can easily be renamed without making any difference.

      • James Ball (@jamesrbuk) is claiming that the filename, file size, and SHA-1 hash of the file they received are completely different:

        but he hasn’t responded to John’s or my requests for any of those three pieces of data.

      • It actually doesn’t matter whether the filename, size or hash were the same or different. The fact is that Leigh compromised an insanely sensitive collection of data by publishing a password, and (I assume) never for a moment thought it was a bad idea.

        Yes, Wikileaks should definitely be using different passphrases for each encrypted file they have, but it’s not their fault that Leigh, his publisher, editors and legal counsel are complete idiots.

        • He never thought it was a bad idea because re-using a password that you’ve already given to someone is an even worse idea. Leigh never should have done it, but it would have been easy for Assange to prevent him from doing any damage.

  24. Re: Why didn’t WikiLeaks use asymmetric (public/private key) cryptography instead of symmetric (passphrase)?

    Hey Matt, how about responding to David’s point (comment #1)? If Assange had encrypted with Leigh’s public key (either created by Leigh, or by Assange for Leigh), then the passphrase would only work on machines with Leigh’s private key. How does that not make a big difference?

    • OK I have responded to David now. You’re right, but if we *assume* that Leigh was not going to publish the passphrase deliberately (a reasonable assumption in cryptography), then the two scenarios are equivalent — both would have required that someone coerce the passphrase / private key from Leigh. They have roughly the same attack vector; the only difference being the much higher educational overhead in using public key cryptography.

      Everyone knows what a password is, how to use it, and how to keep it secret. I’d have been more worried about giving someone a public/private key pair who doesn’t know how to use it. For example, try telling Leigh “THIS key is safe to give out, THIS key you must protect at all costs.” How do we know he wouldn’t have given out the private key by mistake?

      WITHOUT the benefit of hindsight, I think the passphrase approach was the best trade-off between simplicity and security. Of course, in hindsight, it didn’t work out so well.

  25. This is a great article. But I want to know why more people aren’t blaming Domscheit-Berg here. Assange was careless and Leigh downright stupid, but Domscheit-Berg did what he did with intention.

    • Indeed. It sounds like his actions were quite reckless as he possibly was the one that first publicly joined all the dots together. Without his actions, we might never have connected that file to the password. But I didn’t focus on him in the article, because my point was to deflect the blame on Assange on to the person who is _cryptographically_ to blame (Leigh). DDB’s role was merely wiping away some of the obscurity, not technically compromising the security.

      Also I’m very unclear on what exactly his role was. I think the facts are more hazy.

  26. Really great article.

  27. [...] left testicle for this code phrase until last week. Maybe they didn’t have to, because it was published in a fracking book by an arrogant ass of a journalist named David [...]

  28. Re: Why didn’t WikiLeaks remove the file immediately after the transfer?

    It’s not clear to me whether they did or didn’t do this. Spiegel claims that Assange simply left the file there for an extended period of time. This probably wasn’t wise, but again, it wasn’t tremendously irresponsible either, given that the file was encrypted, and had already been public for several hours anyway. Assange could have assumed that the file was already public, and so if the password leaked out, the damage would be done either way. Still, if this is true, it doesn’t sit well for Assange. It would have been a good precaution to delete the file anyway.

    What do you mean the file had been “public for several hours anyway”? Aren’t you speculating that Assange gave Leigh a password for the download (network connection) as well as a passphrase for the encrypted file? That makes perfect sense. Then how is the file “public” if it requires a password to access it?

    This is the key mistake made by Assange. That file should have been deleted from the server immediately after Leigh’s download. Assange should have made certain that there was no other physical file in existence encrypted with Leigh’s passphrase. How was Assange not “terribly irresponsible” to leave that file around to potentially be (copied and distributed and) opened with Leigh’s passphrase?

    The best security protocol might not be able to foreclose all damage in the case of a mishandled password, but shouldn’t it minimize the risk and extent of damage if mishandling occurs?

    • “Aren’t you speculating that Assange gave Leigh a password for the download (network connection) as well as a passphrase for the encrypted file?”

      No, I’m assuming that the file was available (encrypted with PGP) on the public network, for download without a passphrase. That seems to be the story. My section entitled “Why didn’t Assange require that Leigh log in to the server (via SSL) to download the file?” is speculation on what *could* have been an alternative setup involving a log-in, but as far as I know, this wasn’t done. (And my conclusion in that section is that it could have been done, but probably wouldn’t have been worth it.)

    • “This is the key mistake made by Assange. That file should have been deleted from the server immediately after Leigh’s download. Assange should have made certain that there was no other physical file in existence encrypted with Leigh’s passphrase.”

      That was my criticism as well. The file that Assange set up for Leigh may have been deleted, but it shared a password with a file that was not deleted. It should have had its own password. I can understand that Assange did not foresee that Leigh would publish a password and that the file would inadvertently be placed on the internet. No one could have foreseen this debacle. But I would not trust a reporter to keep a password under wraps. (I guess that is the lesson everyone has learned.) Assange’s error might not have mattered if not for a series of errors and actions by other people, but coincidences happen.

      It reminds me of how the internet has connected people and events in ways that would not have been conceivable 20 years ago. People don’t conceive of them now, hence the problem.

  29. As David Watt noted, there is a real advantage to using asymmetric encryption, in that it is much harder to disclose a private key, particularly in a manner that can be colored as ignorant and innocent. There is also another useful feature in using asymmetric encryption that cannot be replicated with symmetric encryption: the private key is (or should be) intrinsically valuable to the owner, because it should be the key to more than just one encrypted object from one person.

    If a media organization wishes to be trusted to receive sensitive information, they should be publishing a public key and soliciting material using it or at least signing communications using it. This may seem like a perverse recommendation for security, given the normal (and proper) security admonitions against using the same keys for too many diverse things, but for public key transactions those do not hold. Material received with only the protection of a public key that is too valuable to “burn” with disclosure can always be further protected after receipt.

    I go into a bit more detail at http://grumpybozo.tumblr.com/post/9738668653/secure-file-sharing-101-an-allegory and http://grumpybozo.tumblr.com/post/9699205522/wikileaks but the short version is that this mess has completed the necessary evidence to conclude that while WikiLeaks and specifically Assange may be expert at freeing and disclosing other peoples’ secrets, they are rank amateurs at keeping secrets, including both their own and those they liberate. It has become ridiculous to refer to Assange as a security expert, because he has proven himself only to be an insecurity expert.

    That of course does not exonerate David Leigh. Far from it. I don’t think it is clear that he published the password knowing or hoping that it was usable with a published file, since the story he tells about it has a certain cuteness to it and one who doesn’t use long passwords much might find it amusing in itself. On the other hand, it is absolutely clear from his responses to the public release that he has no difficulty telling lies to protect himself in the hope that people won’t check documented facts. At very least the man is an incompetent and untrustworthy fool. At worst, he was also so eager to destroy Assange and WikiLeaks that he was willing to harm others who he had claimed to want to protect, in order to blame Assange.

    • Hi Bill, I replied on your blog post. I think the main point here is that Assange would have had to plan for the scenario where Leigh maliciously published the key. I doubt anything so stupid crossed Assange’s mind. Therefore, there is not really an advantage to using asymmetric encryption over symmetric.

      • The more people you share a secret with, the more likely it is going to leak. That’s infosec 101. Assange should have prepared for the possibility that one of his partners screwed up, and compartmentalised his passwords so that any keys that would result in public release were under the control of wikileaks alone (or at least only under the control of people they wanted to empower to release such information.)

        It seems like Leigh had Assumed that Assange had done this and given him a password that unlocked his version and his version only, while Assange had assumed that Leigh knew it would still be a really stupid idea to release the password. Both are at fault, but since Assange is the one who claimed to be an expert at this stuff, IMO he is the one who must take the lion’s share of the blame.

        • I’m not convinced that Assange did reuse the passphrase. Is the evidence for this that Tweet that says “name, size and hash are different”? The one where the Tweeter has not responded to people asking for the hash he has?

          • Assange either re-used the passphrase for a new file, or he continued to use the same encrypted file after the password was known to the guardian. Either option is just as bad. He should have deleted his copy of the file encrypted with that passphrase once the guardian had a copy.

            • Yes, I can see how that responds to my question for evidence that Assange reused the passphrase.

              The way I understand the order of events, the file was already being distributed publicly by the time Leigh received the file. If that’s not the case, it was certainly hitting torrents while Leigh’s book was still at the printers’.

              • I’m not sure if that was sarcasm or not, but in case it was I’ll make myself clearer. (If it wasn’t I don’t mean to offend.)

                A file was released over bittorrent with the passphrase. A file with that same passphrase was given to the guardian.

                That is two separate uses of the same passphrase for entirely different purposes. It does not matter which one happened first, and it does not matter whether it was the same file or two different ones. Separate files should have been encrypted with separate passwords. To do otherwise is giving the guardian authority that they didn’t need, and apparently weren’t aware they had.

                • Then the question has to be asked: where did the file on bittorrent come from? Maybe it came from a rigorous Wikileaks backup.

                  But think about this for a second: Assange is aware that the encrypted cables are available to the public. If he gives Leigh his own passphrase to them, then the public copy is clearly safe. But if Leigh is compromised to the point that the passphrase and encrypted data are extracted/retrieved/released etc., then the public copy is now effectively breached too. And that’s really what Assange was concerned with; that someone would get a physical copy of Leigh’s data and the passphrase. In that context, it doesn’t matter whether he has a copy that’s already out there, or a specific one for him.

                  Furthermore, if Assange did give Leigh a copy with a custom passphrase, and Leigh published that passphrase in his book, he would instantly be a target for anyone who wants access to the cables, “enemy” or “ally” alike. The fact that the data was already publicly available could have saved his life …

                  • Wikileaks doesn’t need a backup of the file with the guardian’s password – they should have the same data with their own password. The copy distributed to the guardian should have been destroyed at wikileak’s end.

                    “If he gives Leigh his own passphrase to them, then the public copy is clearly safe. But if Leigh is compromised to the point that the passphrase and encrypted data are extracted/retrieved/released etc., then the public copy is now effectively breached too.”

                    Yes, if the guardian’s whole system was compromised, the cables would be in the wild. This is just as true under the current situation with a single password as it would be under a system with individual ones. This does not excuse them from guarding against the more likely scenario that the guardian’s password is leaked.

                    “And that’s really what Assange was concerned with; that someone would get a physical copy of Leigh’s data and the passphrase.”

                    I’d agree, that is what Assange was worried about. And in doing so he disregarded the far more likely scenario I mentioned above. Once again, the single password system makes this no less likely.

                    “Furthermore, if Assange did give Leigh a copy with a custom passphrase, and Leigh published that passphrase in his book, he would instantly be a target for anyone who wants access to the cables, “enemy” or “ally” alike. The fact that the data was already publicly available could have saved his life …”

                    I don’t think you seriously believe that Assange used a single password out of fear for the life of the Leigh, but, he would equally be a target under the other situation, since if he could release his copy of cables under threat of death, he could even more easily release the passphrase when threatened.

                    • I don’t think you seriously believe that Assange should have predicted Leigh would be so stupid as to write down and publish the passphrase and salt in his book. Or if you DO think that, then you’re just as stupid as Leigh was.

                      Seriously. Assange decided to trust Leigh with the data. That meant trusting him to not reveal the method of decrypting the data. Whether that is simply a passphrase or a private key + passphrase combination is irrelevant. Assange took special steps to ensure that the passphrase did not accidentally fall into the wrong hands; Leigh was required to volunteer the verbal part of the passphrase to break his security model. And it would have worked too, if it wasn’t for those meddling kids — I mean, if Leigh had more on his mind than having his name on a best-seller.

        • “It seems like Leigh had Assumed that Assange had done this and given him a password that unlocked his version and his version only.”
          But if Leigh was operating under that assumption (a perfectly valid assumption), it is *still* grossly irresponsible to release the passphrase, because it could be the case that his version is out in the wild. Again: if a file is encrypted, it’s safe to assume that the encrypted file is public (if your security rests on the fact that the encrypted file is private, then *there is no point encrypting it*). So it doesn’t matter whether Assange reused the passphrase for other versions (and there is no evidence that he did) — the file made specifically for Leigh was transferred over the Internet and surely all traffic out of wikileaks.org is being captured by some authority somewhere. Therefore, even if Assange never reused the passphrase again, it is still on Leigh’s head not to release it.

          I find the argument “Assange is to blame because he knows what he’s doing” to be tiring. If a parent gave their kid a house key and the kid lost it and the house was broken into, maybe you can blame the parent for trusting the key with a kid. But Leigh is a grown man, a journalist who’s job is to divulge information while keeping sources and other names secret, and operating under a legally binding contract to do so. Should Leigh have known better? Of course. Is it Assange’s fault for not guarding against every stupid thing Leigh could have done? I don’t see how he could have. Again, give me any secure method for transferring information from one party to another, and I’ll tell you how the second party could fuck it up and leak the information.

  30. Thanks

  31. The Guardian’s saucy retort that WikiLeaks “have had seven months to remove the files” is so full of fail I can hardly believe my eyes.

    Does no one working at this newspaper have any familiarity with cryptography? They do have a web site. Someone maintains user account tables with hashed passwords (or perhaps not). Someone at least managed to install a valid TLS certificate for the id.guardian.co.uk. Why not ask him or her a few questions before issuing a statement that shows them to be utterly clueless when it comes to securing information?

    I would not share grandma’s secret cookie recipe with these clowns, much less trust them with information that might compromise my safety or livelihood. Good luck cultivating those sources.

    • I think even if you know about cryptography, you can still get away with publishing such a statement, betting on the average person’s lack of knowledge. It’s up to us to educate the public.

  32. This was a really good summary of the crypto/security aspect of things. Thanks. I tried to summarize how the final story broke here at http://nigelparry.com/news/guardian-david-leigh-cablegate.shtml

  33. I also learnt several things from your useful article.
    thanks =)

  34. Your post is by far the most illuminating I have read on the topic of the Wikileaks password – thank you for making this subject so clear for even the non-technical to read.

    However, I think you re being naive: Leigh, like so many journalists, may actually be a CIA/MI5 asset.

    Lets look at the evidence:

    We know through recent FOI releases that the US government has “independent” journalists on its payroll and even “placed” information through them in newspapers, on radio and on TV. It may even have used those assets to sway juries and achieve convictions in places such as Miami, convictions unachievable anywhere else on the planet. (source: http://www.pslweb.org/reporters-for-hire/ ).

    There is sufficient international disquiet over inexplicable verdicts in US trials of anyone labelled by a US President as an enemy of the state to doubt that Assange has any chance of a fair trial in the USA, regardless of the charge or the quality of evidence presented. We know of at least one case where a murder conviction was secured on the basis on absolutely no evidence presented whatever and in spite of the prosecution entering a “nuli prosequi” motion (Gerardo Hernandez V The State of Florida, 2001)

    We have sufficient evidence from News of the World and its links to the Metropolitan Police to at least entertain the doubt that Leigh’s actions are suspect and worthy of investigation. His improbable computer illiteracy is simply not credible: how can any editor not know how to unzip a file when he is daily bombarded with high definition still, audio and video files sent over the internet from his teams of reporters in the field? Unzipped, these could take hours to transmit, zipped they go through in seconds. The midnight trip across London described may even be evidence of an elaborate attempt to create a “plausible deniability” scenario, such as we are seeing unfold in the media. Seeking to prove that Assange was somehow at fault may be a vital part of the smoke screen he and his handlers need to protect his cover and a degree of computer illiteracy might just be sufficient human grounding for the cover story to hold.

    I accept that you have deliberately not addressed Leigh’s credibility or motives in your article – correctly so, as it would have diverted you from your central technical point on the nature of encryption (and ensured a deluge of unhelpful conspiracy theorist comment). It might even have brought a legal action against you.

  35. Thanks for all the replies, everybody. I previously had the site set to require approval (which is why it took so long for them to show up). I have changed the settings so that comments no longer require approval.

  36. Nice post. I’m glad to ahve read it as it sums up a lot of information from scattered sources that tbh, I didn’t have the inclination to go and discover myself, so thank you :-)

    After reading the whole post there is one thing that is screaming out at me. Why did Assange let Leigh download the file over the internet? Assange met Leigh to hand him the passphrase, and salt in one meeting, then again to help Leigh unzip the file. Why the hell didn’t Assange copy the file across himself using a portable drive, with the file encrypted, then decrypt it himself. If Assange had done that then he would not have had to write the passphrase on a piece of paper, or tell Leigh the salt. Leigh would have gotten his files. The destination computer could have been verified as being offline from the internet.

    Encryption is only really needed when storing files where others’ may have access, or when transfering files, again, where others’ may have access, so it would make perfect sense for Assange to dump the encrypted file on say an external drive, copy the file over to Leigh’s computer, and decrypt it himself.

    However, if Assange used the method mentioned above to distribute the same file (with the same encryption) to other journalists then yes, downloading from a server would be the most efficient as Assange wouldn’t have to physically meet each of them. But I do suspect he had to in order to give them the passphrase.

    Whether Assange thought about this as an option (him copying over the encrypted file and decrypting it himself) or not is a mystery, and will probably never be known, but in my experience the safest form of ever transfering encrypted files from A to B is to do it yourself. That way you don’t have to divulge any part of the passphrase to anyone. A secret is no longer a secret once you tell one other person. All that said, if Leigh’s computer had a key logger installed… game over.

    Still, a great article that I enjoyed reading. I do agree with your opinion that fault lies with Leigh, and the passphrase (with the salt!!!!) being published in a book. The transfer of data could have been carried out differently and possibly avoided what happened.

  37. I’m also very happy, and thankful. You are a master in making complex things understandable by non specialists. Thanks for the effort and time spent in writing this.

  38. @John Young wrote lots of good stuff, including:

    > 6. You are probably aware that David Leigh and the Guardian’s
    > James Ball claim the file the Guardian accessed was not the same
    > as the one now generally available, the z,pgp file, and that the two
    > differ in file size, filename and SHA1 hash.. I have tweeted Leigh
    > and Ball asking for the file size, filename and SH1 hash for the
    > Guardian file. No answer from either.

    Megabytes, kilobytes, gigabytes, file size … it all gets very confusing if you can’t figure out what a 7zip file is.

    Also, Leigh may have been given a separate password for WL server access to download the encrypted zip file.

    @axenicely:

    Using public/private (asymmetric) encryption and why JA didn’t use this and the answer is that it is beyond the ken of the average person to set up, which means that it was well beyond Leigh’s technical capabilities …

  39. i appreciated it, and shared the link, and an exerpt. wikileaks sent it to me. they liked it too, i guess.
    no need to respond. you’re too busy evolving… ;)

  40. I actually missed the link. Didn’t mean to overspam. :-)

    Great stuff! I told James Ball off for trashing your article wholesale. :-) Are you on Twitter?

    Sign me up on an e-list if you have one. It’s great you wrote this. I’m still understanding parts of all of this myself!

    • Thanks Nigel. Hmm, just found James Ball’s tweet. I told him to leave a comment here.
      Twitter @mgiuca. I don’t have a mailing list but I usually tweet WikiLeaks related stuff.

  41. Quick note: asymmetric cryptography with a PGP private key would only have been secure (without hindsight) if a passphrase was still required for decryption. In this scenario, Assange would no doubt consider that Leigh’s harddrive has been compromised or seized, and that the encrypted file AND the matching private key were accessible to cryptologists attempting to access the data. It is therefore no different from the passphrase-only decryption method unless you assume that Leigh will deliberately compromise the security.

    And it’s fair to say that Assange assumed that Leigh understood the confidential severity of the data and its decryption process, and that Leigh would NOT deliberately compromise it by publishing the genuine passkey used verbatim.

    (Leigh COULD have invented a new passphrase for his book, but didn’t. The security compromise is entirely his fault.)

    • Yep. Asymmetric would still have been a plausible option. The private key would absolutely have required a passphrase. That would have been the equivalent to the one-word salt — the “can you remember that?” part of the equation.

      • I’m not saying that it’s implausible; just that it provides only equivalent security and not increased, without hindsight. Leigh’s breach could have been stopped with requiring a private key, but there was no reason for Assange to assume that Leigh would publish the full, genuine passphrase, including salt, verbatim in any medium.

  42. What still puzzles me is that David Leigh’s book wasn’t published in a vacuum. The book would have been run by legal people and I would expect points would have been raised and discussed. I imagine any legal person would have discussed chapter 11 and the implications of publishing the password. So a book in its editing stage and pre-publishing stage would be viewed by a few people. It still astounds me that not one of these people were some what tech savvy, it is possible but how likely?

  43. I suspect the lawyers came up with the idea that the Guardian/Leigh could always fall back on Leigh’s complete noob persona when it came to passwords and the expiring thing, just like Maxwell Smart’s mission messages.

    It’s now not hard to see Leigh really believing that the piece of paper Assange gave him might mysteriously go up in smoke, Asange having impregnated it previously with some new nanotech or something …

    • I get the feeling from the extracts of Leigh’s book I’ve seen that he really didn’t take it seriously. He wants it to be a best-selling thriller in the fiction section.

  44. Excellent work here, Matt.

    The belt-and-suspenders method would have been for WikiLeaks to encrypt the archive and then give Leigh access to it via SSH. But, if it’s true that he needed help using 7Zip there’s little chance that Leight could have wrapped his head around something like Putty and scp.

    Which begs the question others have asked: Where were the Guardian’s IT people? They have an excellent web site, someone set it up and maintains it. According to Netcraft their web servers all run on Solaris:

    http://uptime.netcraft.com/up/graph?site=guardian.co.uk

    They must have sys-admins on staff who know the basics of cryptography. Leigh cannot ask his own IT staff what to use to open a .7z archive he has to ask Julian Assange? Do they not trust any of their IT staff or is it beneath the geriatric management to ask younger underlings for help?

    • One word for you: WinSCP.

    • I do find it kind of funny that Assange was effectively running tech support that night. As for SSH, I guess that falls into my “why didn’t Assange require that Leigh log in to the server (via SSL) to download the file?” category (though I was thinking about it in terms of a web server, the same could apply for SSH). a) the added technical overhead, need to create an account for Leigh with a password, etc, and b) the fact that it would have had to be encrypted with PGP anyway just to be sure.

      Also if I were running the WL servers, I probably would not, as a policy, give outsiders SSH access on the servers. Too much possible harm that could be done even by a normal user (since you’re letting them run bash commands — that is probably something you want to avoid).

  45. Couldit be that the z.gpg file was actually created by Manning?

  46. I agree with the previous comment that the http://enigma.bailey.st/wiki/file/xyz-magnets.txt is completely mysterious due to its timestamp. Why would a magnet be created for that directory only? Why on that day? Surely Assange didn’t intend to give a magnet to Leigh?

  47. My first question to Leigh would be: “If you really believed that the passphrase was temporary, why didn’t you take a few seconds to try it again before you published your book to make sure it no longer worked?”

  48. Great article, you’ve made this aspect quite easy to understand. After reading many of the comments I had a thought;

    Isn’t it possible that Assange had the file publicly located as an insurance policy? With all of the threats against his life he could have simply left instructions to release the PW if he was taken out.

    I also think Leigh knew full well that the PW wasn’t temporary. He could have wanted something sensational in his book, so it could drive sales through the roof. It’s become clear that The Guardian doesn’t care about the signed agreement they made, or their reputation for integrity, as they’ve broken it in at least 3 instances (Sending the cables to the Times, keeping them on an internet linked computer, and now releasing the PW).

  49. One thing I forgot to add.

    If Assange had told him that the file would be taken down soon, why no mention of that in the book?

  50. [...] to publish a WikiLeaks password in a book on the cablegate affair has left infosecurity experts dumbfounded. Last week, the publication led to WikiLeaks hurriedly publishing, unredacted, all 251,000 of the [...]

  51. [...] Quello che invece si può dimostrare, e le considerazioni tratte dagli eccellenti articoli di Matt Giuca, Nigel Parry e Glenn Greenwald lo testimoniano a suon di (buoni) argomenti, è che il Guardian [...]

  52. Thanks for this excellent (!) explanation. I am a non-technical person at all, but still managed to follow your reasonning from beginning to end. At least I think so:-)

    The two major human “errors” I see here are the following:

    ° David Leigh´s stupidity (or: bad intent, but this we don´t know) when he published the passphare *and* the “salt” in his book without counter-checking whether it was still active

    ° Daniel Domscheit-Berg´s obvious malice consisting in voluntarily putting the pieces together, then spreading the rumours over the net (alone, or helped by some friends) and telling “Der Freitag” about the connection for no other plausible reason than revenge.

    Because that´s how the last piece of the puzzle was inserted, wasn´t it? So far, nobody had noticed anything.

    What a coincidence all this happened quickly after the CCC exclusion… a propos… have a closer look at the date when it all became viral: around the 2oth of August… now wind back 12 months…. coincidence, any?

    I know that´s the human aspect of it, not the technical aspect, but in the end, that´s what caused the forest fire… Disgusting.

    • “Because that´s how the last piece of the puzzle was inserted, wasn´t it?”
      Yes, I believe so. I didn’t make a big deal out of it because the point of my article was not to identify how the file got out or how the pieces were linked together, but to justify the initial security setup provided by Assange, assuming that it was OK for the file to be made public.

  53. Thanks for your reply. Yes, I got your point and find it very important and highly valuable that you sorted out the technical aspects so clearly. Your blog entry is the best info I´ve found about the issue so far, and I´ve spend the whole night scrawling the web.

    Still, I also find it necesary to point to where the real human irresponsibility/bad intent of some people – note: not Assange – that were involved into the process, which, as a result, makes them responsible. I don´t accept their tactic that is: focussing as much as possible on Assange´s possible lapses to distract from their own stupidity/hubris (best case scenario) or maliciousness (worst case scenario)..

    To my understanding, the whole issue didn´t happen the way it happen because of any technical lapses – again, thanks for making that cristal clear. It happened because some people – those who are now trying to put all the blame on Assange – weren´t able to keep their mouths shut, or deliberately chose to make a scandal and put their own egos in the front row. The best encryption technique won´t help if entrusted people break basic rules of confidentiality. There was a chain of people who broke those rules, deliberately or involuntarily, which led to the situation we have now. These people deserve to be named and blamed.

    By the way, your assumption that Assange said it was a `temporary website´, not a `temporary password´ seems to be correct. Page 139 of the Guardian book says:

    “Leigh set off home, and sucessfully installed the PGP software. He typed in the lengthy password, and was gratified to be able to download a huge file from Assange´s temporary website”.

    I repeat: “Temporary website.”

    • Yep, I agree. Thanks for summarising. I think he failed to make the distinction between “temporary website” and “temporary password”. I don’t think he deliberately leaked the cables at all, but now Guardian is deliberately trying to “frame” Assange for this stuff-up.

  54. Thanks for a wonderfully lucid analysis. In The Guardian’s defence, I would ask whether we definitely know that Assange told Leigh not to write down the ‘salt’. Leigh, not being a cryptographer, may not have realised why one part of the password (the salt) was not written down.

    Also, did Assange contact Leigh privately after Leigh’s book was published, to tell him he’d compromised security? I can see why Assange wouldn’t declare this in public, as it would inevitably lead to more people trying to access the information, but I would have expected Assange to at least have voiced these anxieties to Leigh in private.

    • I can’t say for sure that Assange specifically asked Leigh not to write down the salt. I don’t think that gets Leigh off the hook though: if someone gives you a scrap of paper but tells you that it’s missing one word which you have to remember, you would have to be an idiot to then write it down (otherwise, why wouldn’t Assange have just written it down for me?)

      I don’t know whether Assange contacted Leigh. I can’t imagine he did. How would that help? Leigh couldn’t have helped prevent the spread of information. If I were Assange in February, I wouldn’t say another word to Leigh. He might have gone and tweeted “Assange claims my password could be used to unlock the cables — this is a ridiculous claim.” and immediately set off the hunt for the encrypted file. I would want as few people as possible to know that the passphrase might link to a live file, and especially not the blabber-mouth that caused this in the first place.

  55. [...] Quello che invece si può dimostrare, e le considerazioni tratte dagli eccellenti articoli di Matt Giuca, Nigel Parry e Glenn Greenwald lo testimoniano a suon di (buoni) argomenti, è che il Guardian [...]

  56. After Leigh came back asking, “Help! What is .7z?,” I wonder if Assange’s first thought was along the lines of, “Oh God, what have I done?!”

  57. Good points, Matt. I was thinking simply that if Assange had contacted Leigh in private as soon as the book was published, it might back up his claim that he was deeply disturbed by release of the password and salt when the book came out (even if it wouldn’t have stopped people being able to access the information.) But your point about Assange perhaps being wary of saying *anything* more to Leigh is a good one. I do feel sorry for Leigh though. There is no question of him compromising the sources of the classified information on wikileaks on purpose. I tend to feel great sympathy for people who blunder by mistake.

    • Yeah but Assange wouldn’t have any way to prove publicly that he did contact Leigh anyway, so there’s not much point in doing it.

      I have sympathy for those who blunder by mistake, and I’d hate to be in Leigh’s position. I’ve certainly been very harsh on him in this article. But — when you make a mistake you own up to it and then you deserve sympathy. Neither Leigh nor anyone at Guardian has yet admitted any wrongdoing, claiming that it was “ridiculous” to suggest that the passphrase compromised the documents. And I also understand that when someone is suing you for breach of contract, your lawyers are telling you not to admit any wrongdoing, so I understand why Guardian has not done so. But rather than keeping quiet about it, Guardian has published multiple articles (coming up to about a dozen at last count — eg http://www.guardian.co.uk/media/2011/sep/02/wikileaks-publishes-cache-unredacted-cables) specifically accusing WikiLeaks of leaking the file, saying “We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,” and completely failing to mention the fact that Guardian leaked the cables before WikiLeaks decided to publish them (after the leak was public). This is, at best, deceit by omission and a massive conflict of interest, and at worst, a total lie. Therefore, I have no sympathy for Leigh or anyone at the Guardian, a news organisation that has shown in the past week that it is willing to sacrifice the truth to save its own face.

  58. @ Matt I happy to see that you are now engaging the overall discussion other than the purely technical/cryptographic aspect of the events. I think its makes a lot of seance now that you have masterfully eradicated and clarified on the cryptographically-factual side of the coin.

    I would like to see even more evidence in form of links etc as to what makes Daniel Domsheit-Berg urgently responsible for the ultimate leakage of the unredacted cables, which he undeniably seems to be judging from the evidence thus far. He seems to be slipping under the radar, and gone completely silent in the aftermath of him being excluded from the ccc, a surprising turn of events since he as over the months been notoriously vocal at least when it comes to the character assassination of Julian Assange.

    • Thanks. But as I’ve said, while I’m aware of the role DDB probably played in this debacle, I haven’t found a lot of evidence and I’m not willing to go into speculation on that here (personally — I won’t censor any comments you might have unless I have to for legal reasons). I suppose that supports your view that he’s been “slipping under the radar” — the fact that there is a lot of speculation but no hard evidence.

      • Well Matt, in an effort to dot the “i’s and cross the t’s as to Daniel Domscheit-Bergs culpability, I found two important pieces of information that certainly need digging into.
        1) Upon his departure from Wikileaks in September 2010 DDM took with him the full database of diplomatic cables, in what is believed to be a malicious act of sabotage. A few months later (interested in knowing exactly when) he returned this data. It would be interesting to know who the credible source of this information is. Further more it is known that DDM in fact did not return all the data he, seemingly deliberately took from and together with the WikiLeaks servers, since it turned out that he actually retained at least 3500 allegedly pivotal documents that he later inexplicably destroyed. Question: Why did he return only some and not all of the data that he arguably unlawfully took from WikiLeaks? What is his explanation?!

        Now here comes the, some-what, confusing piece. Random sources have it that it whas after he had returned the file containing the full unredacted cables that some Wikileaks supporter/supporters uploaded the file to Bittorrent. My question is; What is the relevance or connection of the timing between DDM returning the data, on the one hand and suporter/supporters uploading the file to bittorrent, on the other?

        2) Lastly its been stated that DDM was the first to publicly hint on the fact that full unredacted cables exsisted publicly on the internet and that the password to that file was also in public domain. Question; Exactly what did he reveal or say and to whom ?!

      • Correction: I noticed that I repeatedly refereed to Daniel Domscheit-Berg as “DDM” in my reply above, which is obviously a mistake. I meant the abbreviation DDB.

  59. I have to say, you’re an exceptionally good writer. Have you offered a shorter version of this piece to any of the broadsheets? My guess is that they would jump at the chance to run it. But space limitation would mean you’d have to cut it significantly.

  60. Yes, writing ‘short’ is much more difficult than writing ‘long’, as Mark Twain and others have remarked. I reckon you could do it, though, especially if you referred readers to the more in-depth analysis here for further clarification. I only stumbled on this article because someone on facebook linked to it – I’m sure hundreds of broadsheet readers would be keen to read such a lucid analysis. Go for it – but maybe best not to approach The Guardian… :-)

  61. Look no more! I just found it! This is an in-depth, time-lined and very well referenced account of Daniel Domscheit-Berg activities since the nascent days of WikiLeaks up until now, by Rixtep. It is in my opinion an invaluable piece of reading for those of us that are interested in learning that facts. You get the full account of the lies, the stealing of documents, the sabotage, the attempts to hijact wikileaks mail servers, even more lies, even more sabotage.
    http://rixstep.com/1/20110829,00.shtml

  62. [...] https://unspecified.wordpress.com/2011/09/03/wikileaks-password-leak-faq/ Share this:EmailLike this:LikeBe the first to like this post. Categories: wikileaks Comments (0) Trackbacks (0) Leave a comment Trackback [...]

  63. Amazing piece that I’m just getting around to reading. Well done Matt.

  64. Incredibly out of date comment, but nonetheless maybe worth noting that in the C4 doc broadcast in November 2011 David Leigh says (with a grin and a bit of a chuckle): “This piece of paper was written on by Julian Assange – it’s a bit of a souvenir, I suppose – in July 2010, when he wrote down the password which was going to enable us to access the entire 250,000 State Department cables, and he told me that this file would expire, would be deleted within a matter of hours. It says ‘A collection of history since 1966 to the present day’…and then there’s a little hash symbol, and he said, ‘Here’s what I’ve written down, but when you put in this password you have to add an extra word, so that it says A collection of diplomatic history…’. And I said, yes Julian, right, I’ll remember that, you know, and I’ll put in that extra word. [Laughs] So it was all very James Bond.’

    So it’s pretty clear, from Leigh’s own admission, that Assange told him the file, rather than the password, would expire.

    (42.04 here: http://www.youtube.com/watch?v=2v8dniyCCwY&feature=fvsr)

    • No, it’s not clear at all. “he told me that this file would expire, would be deleted within a matter of hours” This is not a quote from Assange, nor are they worded as two separate clauses. Consider: “he told me that this file would expire, i.e. would be deleted within a matter of hours”. What Leigh is being told is that the ACCESS to the file will expire because the file will be deleted.

      If Leigh truly believed that the file would expire because it’s been deleted, then he would have believed that HIS copy would be deleted too, along with the master copy.

    • What? You used a quote by Leigh to “prove” that Leigh was right? Usually if you want to show someone is in the wrong by “admission”, you have to show a quote from them, not their accuser. What is this I don’t even.

  65. Ahaa, its good discussion concerning this piece of
    writing here at this web site, I have read all that, so at this time me also
    commenting at this place.

  66. I really wonder why you called this blog, “WikiLeaks password leak FAQ
    Unspecified Behaviour”. Regardless I really loved
    the blog!I appreciate it-Felipe

  67. […] a chave necessária para extrair o texto do ficheiro inicial. A chave que foi divulgada em 2011 deu acesso ao material do Cablegate (comunicações diplomáticas secretas dos […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: