On WikiLeaks — VERY LONG AND GEEKY
Adapted from comments I posted at The Atlantic:
Thursday night, WikiLeaks stopped trying to do a carefully redacted and curated gradual release of the US State Department diplomatic cables they had in their possession, and instead they just dumped them all. 251287 cables plus metadata in half-gigabyte 7z files, dropped out into the jungle of BitTorrent with checksums and little else. Whee!
It was time. I tweeted a vote for it. So did a lot of people who are fans of Assange. I’m not a fan, or of how he has run WikiLeaks, and I am also not positively impressed by his best-known defector, Daniel Domscheit-Berg, who manages being even a less appealing character than Assange. I don’t have the attention span necessary for the full soap opera aspect of those two and their battle, so maybe I’m missing something, but they both come across pretty badly as data security professionals and as humans. There’s a lot of detail about the soap opera at Rixstep.
Alongside the DDB/JA soap opera of narcissist geeks, there was the actual work of WikiLeaks happening. You can love that or hate it, but it is important. A large part of the Arab world is in revolt, largely positive revolt, to a significant degree because of information disclosed as part of the “cablegate” releases. Less prominent upheaval is going on in other places as well as a result of the sunlight provided by WikiLeaks. Love them or hate them, think good or ill of Assange or DDB, they have lit a match for change that is largely positive so far.
Personally, I am uncertain about what they’ve been doing. I agree with the principle that secrecy is generally overused by government, and there’s a lot of evidence to support that. For example, the so-called “state secrets” privilege in federal cases was essentially invented in US v Reynolds not to protect significant secrets, but rather to avoid liability for putting civilians into a military plane known to be unsafe for test flights. Ever since, it has been used more to avoid embarrassment and liability than to actually protect secrets that actually need protecting. Many of the Cablegate releases back that up: much of what was released before tonight was more embarrassing than it was really security-sensitive. On the other hand, I can see how it is sometimes positive for diplomacy to include secret communications and that also has examples in the Cablegate releases. There are frank analyses of events and individuals that are embarrassing today but which would have caused major disruptions and possibly even violence if they had been made public when written. I don’t know what the answer is. I do know that we’ve been keeping many more secrets than necessary for a long time, and that it is good to get many of those out in the open. It will embarrass some people named Bush and Clinton (among many others) but there are many things they should be embarrassed for and ashamed of.
What led up to the point where WikiLeaks is releasing their whole stash and I wholly agree is an egregious comedy of errors in a field where I do know something: data security. Nigel Parry has a detailed account of what happened in, but it boils down to a series of stupid acts that add up to a de facto release of the whole Cablegate stash months ago. Julian Assange passed the raw cables to a staff member of The Guardian in a shoddy fashion and later broadcasted the same file with the same encryption to the world at large as a mystery file amongst thousands of WikiLeaks texts in an attempt to assure that the archive could not be destroyed. Then, The Guardian published the password in a book, thinking (apparently) that the password they had was only for the file they received, as it should have been. As a result, there were many unidentifiable people around the world with the Cablegate archive in an encrypted file that they had downloaded to help WikiLeaks. That file could be decrypted by a password published at the top of a chapter of a book about WikiLeaks by one of their main media partners. In essence, the Cablegate unredacted archive had been released, and it was just a matter of who could put those two facts about WikiLeaks together. If there is something objectively worse than both secrets kept well AND secrets exposed to all, it is secrets that have leaked a little to an unknown audience. The only way to improve the situation was for WikiLeaks to let go: release the whole archive.
The story of the leak is one of (at minimum) technical incompetence at WikiLeaks. The WikiLeaks account of how DDB sabotaged them is an equivalent tale of technical incompetence combined with an inability to make objective judgments about other people. It seems likely that Assange’s legal troubles will end up reflecting a similar lack of ability to evaluate people and behave towards them in a suitable manner based on caution and self-discipline. No matter what side you take on the aims of WikiLeaks, the people of WikiLeaks are clearly not capable of handling their chosen roles. It seems to me that this is another example of something that has bothered me all of my professional life: insecurity experts calling themselves security experts. A knack for cracking other people’s security is a different talent from being able to build and operate systems securely. From what I recall of “Hacking, Obsession, and Madness,” (a tedious work of semi-fiction in which he plays a role and shares writing credit) Assange has demonstrated skill as a cracker. It isn’t clear that he has any talent as a builder. It is unfortunate that no one with a security mindset seems to have had any authority at WikiLeaks.
WikiLeaks’ objective errors:
- Overtrusting their media “partners.” These are journalists, not data security experts. Even if they always mean well, the phrases “bag of hammers” and “box of rocks” should have stayed in the mind of Assange at all times when dealing with them. Never trust stupid.
- Apparently giving each of their media “partners” absolutely identical files with absolutely identical content and encryption. Had the leak been less farcically inadvertent, this could have been used to identify a stealthy leaker.
- Failing to communicate to the dullards at the Guardian how important it was to never release that password. This has devolved into a slapfight over what was said exactly, but it is clear that they just didn’t get that this wasn’t just their password for the file they had. If Assange had not pulled an awful ad hoc key exchange mechanism out of the back of his head, it would have been *their* key for *their* file, and nothing more.
- Releasing the same content in an identically-encrypted file via BitTorrent on 2010-12-08 (as described at the Nigel Parry page to which you linked) with 3 other GPG files containing as yet unknown data, in a package of torrent files among which those 4 files stood out as something special.
When putting sensitive data into the hands of someone who is not expert at its handling, one must provide clear and complete instructions, make accidental leakage difficult and unlikely, and make leakage directly detrimental to the potential leaker as a means of focusing their attention. There is a well-known way to do that, first discussed by Phil Zimmermann 20 years ago for this sort of circumstance. WikiLeaks should have explained the risks to their partners and required them to publish public keys and solicit general communication using them. That would at least potentially make loss of the corresponding private keys a harmful event for the partners. WL could then give each partner their own slightly unique copy of the cable collection, each encrypted using their own individual public key. Then when WL wanted to use the anonymous BitTorrenting public for distributed backup, they could have used a symmetric cipher like AES256 as they did, or maybe they could have used a cipher not given its name by the US federal government, wrapped around AES256 or 3DES. Or a 4096-bit RSA key for which they didn’t release the public half. They could have made the special nature of those 4 files less obvious by stashing them without extensions in amongst the CRS and Scientology docs as binary blobs that most people wouldn’t even notice.
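The two properties argued for above (no two distributed files share a key, and each copy is slightly unique so a leak can be attributed) can be shown in a short sketch. This is an added example, not anything WikiLeaks or the author used: it substitutes a fresh random passphrase per file for the per-partner public keys the post proposes, uses a standard-library HMAC-SHA256 counter-mode stream as a stand-in for AES-256, and the recipient names, `X-Ref` canary line and sample archive are constructed.

```python
import hashlib, hmac, os, secrets

def _keys(passphrase, salt):
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return k[:32], k[32:]          # encryption key, MAC key

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode; stdlib-only stand-in for AES-256-CTR.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(passphrase, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None                # wrong passphrase or modified file
    return _xor_stream(enc_key, body[16:32], body[32:])

def mark_for(trace_key, recipient):
    # Canary value only the distributor (holder of trace_key) can recompute.
    return hmac.new(trace_key, recipient.encode(), hashlib.sha256).hexdigest()[:16].encode()

def distribute(archive, trace_key, recipients):
    """Return {recipient: (passphrase, sealed file)}; no two files share key or content."""
    out = {}
    for r in recipients:
        copy = archive + b"\nX-Ref: " + mark_for(trace_key, r)   # per-copy canary line
        pw = secrets.token_urlsafe(24)                           # never reused across files
        out[r] = (pw, seal(pw, copy))
    return out

def trace(leaked_plaintext, trace_key, recipients):
    """Name the recipient whose canary appears in a leaked copy, or None."""
    return next((r for r in recipients if mark_for(trace_key, r) in leaked_plaintext), None)

# Constructed sample data; "public-backup" stands for the BitTorrent insurance copy.
ARCHIVE = b"cable 0001: sample text\ncable 0002: sample text"
RECIPIENTS = ["partner-a", "partner-b", "public-backup"]
TRACE_KEY = os.urandom(32)
FILES = distribute(ARCHIVE, TRACE_KEY, RECIPIENTS)
```

A single trailing canary line is trivially stripped by anyone who looks for it; a real per-copy marking scheme would spread the differences through the content.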
And in the final analysis WikiLeaks could have avoided the whole mess by not trying to nuance the process. For years, they operated successfully, if quietly, by doing their releases without first engaging media partners and planning out carefully curated and redacted dribbles of data. The cables are arguably special, but maybe not so much. In the end, the process of playing with the establishment media has proven a perilous game and in the end the only difference between what we have now and what we might have had with a direct release a year ago is a slower release, Assange in legal trouble that seems trumped up, WikiLeaks personnel shredded and fractured, an embarrassing personality battle playing out in public without anything significant happening with the real work of WikiLeaks, and a general loss of interest in WikiLeaks. This is almost certainly the end of WikiLeaks, and that’s a mostly bad thing.