Wikileaks’ security failure

Wikileaks has committed a cardinal security sin, and is busy trying to blame it on The Guardian.

It all revolves the infamous ‘Cablegate’ memos - the US diplomatic cables that Wikileaks has been peddling for some time now.

Wikileaks has been working with media organisations in an attempt to release the material in a piecemeal fashion. The reason for this is to cherry-pick the most significant material in order to make the greatest impact. And, although Julian Assange was at first somewhat indifferent to the possibly dangerous effects that publication might have on whistleblowers, informants and others mentioned in the cables, the media organisations have been making an effort to redact the cables to protect the innocent.

As The Guardian explains, in the early days, before Wikileaks fell out with the paper (and the New York Times) for refusing to worship at the alter of St Julian, Assange made the full archive of unredacted cables available to the paper, via a downloadable zip file. The file was encrypted with PGP to which the paper was given the password. The file was to be available for a limited time only.

At the same time, Assange distributed an encrypted archive, without revealing the password, to a select group of people. This was part of an insurance policy: Assange threatened to make the whole archive freely available if he was, for example, extradited to the US.

There’s hypocrisy in that, of course. If it is important for freedom and transparency that the cables should be published, why was Assange witholding them for personal reasons? Does he really conflate his own interests with those of the world? On the other hand, if it’s important that unredacted cables are not published, because of the damage they could cause to innocent people, then again Assange was being selfish and hypocritical for using them for his own self-interest.

It’s all moot now, of course.

The cables are out. One way or another (and with some pointing the finger at ex-Wikileaker Daniel Domscheit-Berg) the archive file has become readily available via torrents.

And the password?

In their excellent account of the Cablegate saga, Wikileaks: inside Julian Assange’s war on secrecy, Guardian journalists David Leigh and Luke Harding mentioned the password given them by Assange. Why wouldn’t they? As far as they were concerned, it was a unique password for a temporary file. I mean, Assange wouldn’t be dumb enough to use the same password anywhere else, would he?

Alas, he would. Yep, uber-hacker Assange reused a password. The insurance file, since leaked, can be decrypted using the same password. And boy, has it been decrypted. Head over to cryptome.org - the original, still operating and far superior whistleblower website - to get your own copy.

The reaction from Wikileaks was one of outrage, mixed with its usual brand of self-importance and martyrdom. While all but taking credit for the Arab Spring, the site has been frothing at the mouth about The Guardian and other media organisations, often descending to playground-level abuse. But the truth is, the fault lies squarely with Assange and Wikileaks and their ineptitude when it comes to security.

After all, Wikileaks has been touting these cables as the biggest thing since the Pentagon Papers. Surely, these of all files should have been secured with different passwords for separate files.

Wikileaks is now flooding the net with released cables. Now that it no longer has a monopoly on the material, it is indulging in a desperate bid to be first to publish. The organisation seems unaware that this nullifies its argument against The Guardian. It also dilutes their effect.

The biggest worry, though, is that Wikileaks has shown significant shortcomings when it comes to due diligence: it has demonstrated that it is not to be trusted when it comes to the custodianship of important material.

Let’s not forget that Wikileaks did not leak this material. Bradley Manning is accused of that and is paying a high price. Wikileaks is merely a conduit. And an incompetent one.