WikiLeaks, Guardian furious at source of security breach: the two of them
Julian Assange, Guardian editor blame each other for brilliant teamwork that revealed what both wanted to hide.
WikiLeaks.org has posted an editorial accusing a reporter at the British Guardian newspaper of "negligently disclosed top secret WikiLeaks' decryption passwords" – a goof that turned what could have been a minor error by WikiLeaks itself into a major disaster, according to an article apparently written by WikiLeaks founder Julian Assange.
German newspapers reported yesterday that an encrypted version of a file containing all 250,000 secret cables WikiLeaks obtained about the U.S. State Department was posted online earlier in the year, but no one interested had been able to decrypt it.
That changed after a Guardian investigations editor named David Leigh, "recklessly and without gaining out approval, knowingly disclosed the decryption passwords in a book published by the Guardian," in February, according to an editorial published by WikiLeaks.org today.
The password allowed anyone interested to decrypt the file and get access to more than 100,000 cables that were being released slowly and in planned stages as newspapers that agreed to work on the documents were able to read, fact-check and redact from them names of low-level intelligence sources and other material WikiLeaks had agreed not to disseminate.
The Guardian responded immediately, claiming any responsibility was not theirs, but Assange's.
The book covering the portion of the cables that had already been released did include a password, the Guardian story said.
Guardian staffers said they'd been told the password was temporary and would be changed before the book was published. Even if it weren't, the password only worked on a particular file that was not available publicly, so there were two solid reasons publishing it would do no harm, the Guardian protested.
"It was a meaningless piece of information to anyone except the person(s) who created the database," the Guardian's protest read, in part.
"Unknown to anyone at the Guardian, the same file with the same password was republished later on BitTorrent, a network typically used to distribute films and music. This file's contents were never publicised, nor was it linked online to WikiLeaks in any way."
Really? That's your excuse? That WikiLeaks logo wasn't on the outside of the file so no one was ever going to figure out what it was supposed to be, match it up with the encrypted versions identified as having come mistakenly from WikiLeaks and then put that together with the password you printed in your book?
Ignore for the moment that – no matter what document you're talking about and what population of people are involved – if there is an encrypted file in one place and the password to open it in another, someone somewhere will eventually put the two together.
Half the episodes of Scooby Doo Where Are You were based on security truths less obvious than that one and half the self-serious police procedurals on TV still are.
Forget that you ignored a security truism so glaringly clear that cartoon dogs are able to understand it and, instead, on the idea that publishing any password in any medium is unforgivably stupid unless you want the information it protects to be published in the open.
Forget that in this case the password was protecting something not so vital to national interests as the state of the Royal Prince's bowels, or whatever News of the World was trying to find out by hacking the voice mails of everyone in England.
Remember that these are or were supposed to have been a clear look at the unexpurgated discussions of U.S. officials and diplomats about specific political discussions with foreign governments, complete with information on where they got what secret information they had and how they went about reaching a decision.
Without putting a point on it too often, that kind of thing is more important that trivia about the Royal Family's sex lives, which means that passwords revealing them should not be published at all, in any medium, ever. Publishing it, one must assume, will give control over the information to those even less responsibility than one's self (unless, of course, one's self is a British tabloid hack, in which case one's self is certainly less responsible and probably less hygienic than most of the great apes, several breeds of lemming and at least one variety of South American Sloth).
And Julian "my middle name is 'secrecy' because vanity only leaves enough room in my head for two names, and the middle one is more 'forgotten' than 'secret," Assange – thanks for the lesson in how to manage life on the run from the authorities and all the tradecraft of the skilled citizen-spy interested in revealing the dirty secrets of government to the world as long as he doesn't have to keep track of what files he's actually included in the attachments or backups he's putting out over the open Internet.
You've demonstrated that, no matter how risky one's life already is, how high the stakes and how ruthlessly exploited every mistake will be, it's possible to make things worse by being careless and stupid, but still try to hang on to one's dignity by blaming every one else in sight for preventing every technically savvy government in the world from taking advantage of a goof up so huge you wouldn't be safe from a 10-year old, let alone the trenchcoats who actually are following you.
The two of you should go off somewhere for a long, private weekend so you can spend the entire time kicking one another in the shin. It wouldn't improve the CableGate situation, but it would make the rest of us feel better.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.