Paul Marks, senior technology correspondent
It's a basic tenet of information security not to reveal your passwords - or how you generally construct them. So The Guardian newspaper's recently highlighted decision to publish a WikiLeaks password in a book on the cablegate affair has left infosecurity experts dumbfounded. Last week, the publication led to WikiLeaks hurriedly publishing, unredacted, all 251,000 of the US diplomatic cables it has in its possession - including the names of informants who have provided intelligence to US diplomats over many years.
While both sides have attempted to claim the moral high ground in their ongoing online spat, the affair has left both looking utterly untrustworthy to potential whistle-blowers - and future transparency will be the likely victim.
The Guardian/WikiLeaks argument began last November when their collaboration on the publishing of the first tranche of US diplomatic cables turned sour. In a subsequent book on the affair, the British newspaper's David Leigh took the rather odd decision to use a lengthy WikiLeaks passphrase as a chapter heading - presumably for dramatic effect - justifying the move on the grounds that he'd been told it was a temporary passphrase to the leaked cables that would soon expire.
WikiLeaks denies this was the case. It was not a changeable passphrase for something like a webserver, if I understand WikiLeaks' objections correctly. Rather than a password they could change, it was a file-specific Pretty Good Privacy (PGP) decryption key for a file containing all 251,000 of the unredacted state department cables. And as the key for a lone encrypted file it was not temporary - re-encrypting a cleartext copy would have been the only way to create another password/phrase.
This week, somebody who tracked down or knew the hidden location of the PGPed cable file (which was distributed on BitTorrent sites) is said to have decrypted the leaked cables using The Guardian's published passphrase and transmitted them to sites like Cryptome.org, a radical, no-holds-barred transparency website run by New York architect John Young, who's been posting leaked documents and pictures for a lot longer than Julian Assange and his crew - but without the media hoo-ha, which Young abhors.
Small subsets of the cables in the file tranche were meant to be under scrutiny by up to 50 media partners worldwide for informant redaction. But with the cat out of the bag, Assange on Friday decided to forget the redaction process and go public, dumping the whole tranche of 251,000 cables online sans redaction. "We're shining a light on 45 years of US 'diplomacy', it is time to open the archives forever," WikiLeaks tweeted. The move was welcomed by Young as a return to WikiLeaks's "courageous founding principles of full disclosure".
But the move will almost certainly put informants at risk and is, frankly, hard to fathom. Source protection has to go beyond the leaker to the informants providing the information. Worse for WikiLeaks, it certainly won't encourage future whistle-blowers to turn to them.
Five major news outfits that have worked with WikiLeaks have condemned the unredacted data dump outright, while others see the move as petulant and a sign of the end of the organisation as a meaningful transparency force. So far WikiLeaks appears to have been lucky with the fate of informants - thanks to intelligent redaction alongside expert media partners - but it looks like it may have just become the architect of its own undoing.
superheroes superheroes home depot home depot candice swanepoel ice cube man u
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.