
WikiLeaks Sues the Guardian Over Leak 289

Posted by samzenpus
from the leaking-the-leakers dept.
An anonymous reader writes "WikiLeaks complaining of a leak is hard to get one's head around. That it's suing The Guardian — its great ally — is even harder. That The Guardian did such a ridiculous thing to warrant litigation in the first place almost defies belief." Update: 09/01 04:59 GMT by S : Changed the first link to point to the statement on WikiLeaks' website. The Guardian has denied the allegations, saying, "Our book about WikiLeaks was published last February. It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."
This discussion has been archived. No new comments can be posted.


  • by SuperKendall (25149) on Thursday September 01, 2011 @12:53AM (#37272160)

    There is no honor amongst thieves.

    Either you support leaks or you do not. Selective leaking is simply propaganda dressed up to look pretty.

    • by Black Parrot (19622) on Thursday September 01, 2011 @12:58AM (#37272180)

      It's going to get even funnier when we find out that the US State Department leaked it to The Guardian as payback for all the diplomatic cable leaks...

    • by c0lo (1497653) on Thursday September 01, 2011 @01:00AM (#37272190)

      There is no honor amongst thieves.

      Either you support leaks or you do not. Selective leaking is simply propaganda dressed up to look pretty.

      Just from curiosity: is the identity of the original leakers also subject to your postulate on selective leaking? (i.e. is there any category of information that should not leak?)

      • by Seraphim_72 (622457) on Thursday September 01, 2011 @01:17AM (#37272260)

        is the identity of the original leakers also subject to your postulate on selective leaking?

        It certainly is part of Assange's. I can only ever assume that it was the papers that held him back. His redactions are a joke after all.

         

        is there any category of information that should not leak?

        Many say no. But claiming special dispensation on a leak .. that is just delicious.

        -Seraphim

        • by c0lo (1497653) on Thursday September 01, 2011 @01:38AM (#37272344)

          is there any category of information that should not leak?

          Many say no. But claiming special dispensation on a leak .. that is just delicious.

          -Seraphim

          I wonder what you understand on the difference between "secrecy in governance" and "personal privacy"/"anonymity"/"pseudonymity"?

          • by Seraphim_72 (622457) on Thursday September 01, 2011 @02:46AM (#37272618)

            I understand them well. I would never cede their understanding to Julian Assange however. His *version* of them never involves himself, or perhaps always or only involves himself. If your life blood is "leaks" then you had best be squeaky clean yourself, and open. He is not. At least Robin Hood admitted he was a thief.

            • by c0lo (1497653) on Thursday September 01, 2011 @02:57AM (#37272646)

              I understand them well. I would never cede their understanding to Julian Assange however. His *version* of them never involves himself, or perhaps always or only involves himself. If your life blood is "leaks" then you had best be squeaky clean yourself, and open. He is not. At least Robin Hood admitted he was a thief.

              So, you don't deny the right of the "innocent" people to have their identity protected, you just deny Assange's right to complain that actions of The Guardian allegedly breached the rights to anonymity for these people?

              Would it matter for you if I'm pointing that the complaint is actually issued by WikiLeaks as an organisation?

        • by TapeCutter (624760) on Thursday September 01, 2011 @04:05AM (#37272922) Journal

          is the identity of the original leakers also subject to your postulate on selective leaking?

          It certainly is part of Assange's.

          I call bullshit, what are the names of the leakers revealed or confirmed by Assange?

      • by SuperKendall (25149) on Thursday September 01, 2011 @01:42AM (#37272364)

        Just from curiosity: is the identity of the original leakers also subject to your postulate on selective leaking?

        The names of many people who would not have liked to have been named were in the documents leaked and released. I do not see why the person leaking should expect any special treatment in that regard; of course an organization that leaks that would see fewer leaks come in to be sure, but it is fair game if someone ELSE can extract it from the site data is leaked to...

        You have to figure as a leaker it is more likely than not someone will figure out it is you, and be prepared for that eventuality. If the leak is truly important enough, that will not matter.

        • by ozmanjusri (601766) <aussie_bob@NOsPam.hotmail.com> on Thursday September 01, 2011 @02:00AM (#37272460) Journal
          "would not have liked to have been named" is very different to "were unfairly harmed by being named."
          • by SuperKendall (25149) on Thursday September 01, 2011 @02:15AM (#37272512)

            "would not have liked to have been named" is very different to "were unfairly harmed by being named."

            There were at least a few tribal leaders in Afghanistan named who were in fact worried about being killed, far worse than anything the leaker faces.

            There is no difference at all, and in fact in many of these documents people are being named that are worried about being killed - also exact positions of military bases useful for mortars, etc.

        • by c0lo (1497653) on Thursday September 01, 2011 @02:26AM (#37272546)

          Just from curiosity: is the identity of the original leakers also subject to your postulate on selective leaking?

          The names of many people who would not have liked to have been named were in the documents leaked and released.

          Well, the devil is in the details. It's not about what the people want or not, it's the difference between what one is doing (which is important) and the identity/position of the person doing it (which may be important - if that person has chances of persisting in doing it. e.g. Hillary asking for private data on UN officials - or may be not important - I didn't care to know who is the blonde nurse Gaddafi holds dear, she wasn't doing anything of consequence to Libyan people).

          With the CableGate leak, WL seems to try protecting the identity of the people that are not of any consequence in the action.

          I do not see why the person leaking should expect any special treatment in that regard; of course an organization that leaks that would see fewer leaks come in to be sure, but it is fair game if someone ELSE can extract it from the site data is leaked to...

          Difference between expectations and risks. Would I be a leaker, I'd expect the leak destination to do everything possible to protect my identity (even if I would also be prepared for the risk of this not happening, I consider the expectation of anonymity as legitimate).

          From this "generalized" angle (i.e. "category of info that should not leak") , I'm not seeing in any way as paradoxical the current WL action against Guardian. If WL is right, that's a breach in the agreement the two parties had, agreement by which WL were doing "their best" to keep the "innocent's identities" covered.

          To put it in short: the fact that two actions share a common means to reach a goal does not make the two actions equivalent.
          I still don't see publishing facts and publishing person identities as being two similar actions only because both are done by "leaking".

    • by Relic of the Future (118669) <dales@digitaFREEBSDlfreaks.org minus bsd> on Thursday September 01, 2011 @01:05AM (#37272210)

      The point of leaking is to expose malfeasance. The point of redacting the leaked material was to limit collateral damage to those who had not acted poorly. You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that.

      WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage. But oh, to live in your simple world...

      • by flyingsquid (813711) on Thursday September 01, 2011 @01:32AM (#37272322)

        The point of leaking is to expose malfeasance. The point of redacting the leaked material was to limit collateral damage to those who had not acted poorly. You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that.

        WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage. But oh, to live in your simple world...

        From the New York Times, August 30: "WASHINGTON — In a shift of tactics that has alarmed American officials, the antisecrecy organization WikiLeaks has published on the Web nearly 134,000 leaked diplomatic cables in recent days, more than six times the total disclosed publicly since the posting of the leaked State Department documents began last November. A sampling of the documents showed that the newly published cables included the names of some people who had spoken confidentially to American diplomats and whose identities were marked in the cables with the warning “strictly protect.” State Department officials and human rights activists have been concerned that such diplomatic sources, including activists, journalists and academics in authoritarian countries, could face reprisals, including dismissal from their jobs, prosecution or violence."

        In other words, Wikileaks no longer gives a s*** about protecting peoples' identity as long as they can get some media attention, and probably never have. As soon as Wikileaks stopped being front-page news, they increased the volume of the leaks and stopped editing them. Headlines, after all, are far more important than people's heads. But oh, to live in your simple world...

        • by Xest (935314) on Thursday September 01, 2011 @03:52AM (#37272878)

          "In other words, Wikileaks no longer gives a s*** about protecting peoples' identity"

          Well it's about weighing the dangers against the benefits, and as the dangers to date have seemed to be completely negligible I'm not sure I can blame them. When they did it last time, no harm came from it, even the Pentagon agreed.

          This time, when they worked with media organisations they got nothing but shit off them. The old school media being pissed off that they'd been shown up in terms of their lack of journalistic capability by a bunch of upstarts and their falling hook line and sinker for Domscheit-Berg's FUD, Domscheit-Berg being someone who, for all his talk has yet to actually achieve anything worthwhile whatsoever, and on the contrary has achieved plenty of things that frankly make him a dick.

          If Wikileaks is going back to just leaking raw data then I don't blame them, they were better off that way not getting fucked by a media that wanted to pick and choose what to release and what to redact so it could pursue its own political agenda, and then launch rabid attacks against Wikileaks when it was done.

          I don't believe Wikileaks is anything like perfect, it has many problems, but they were better off just leaking data and not really doing anything beyond that. Everything more they have done, even when they've tried to do so because people are telling them it's more "ethical" has just blown up in their faces. So again, it's no surprise they've gone back to their original ways- things worked out much better for them back then. Even if you don't agree with what they do it's not hard to see why they're now doing what they're doing, and it's easy to see that an irresponsible media shares some of the blame because when it was given a chance to do things a bit better, it turned round and stabbed its partner in the back.

          Old school media is to blame for many Western problems due to the fact it's more interested in politics than news, this is yet another demonstration of that, and is why Wikileaks is sensible in just sticking to real actual news than wasting time playing the media's political games.

          Of course, if you care about protecting people's identities and think it's important, Wikileaks have asked for volunteers to help do redactions themselves because otherwise they wouldn't have the manpower to do it, and leaking with minimal chance of harm has arguably demonstrated itself better than not leaking at all as it has exposed the likes of the corrupt Tunisian and Egyptian regimes giving more weight to the revolutions in those countries. Of course, if you're like most Slashdotters I'm sure rather than volunteering to do something about it you'll just sit bitching and moaning revelling in your inaction instead though.

          • by GauteL (29207) on Thursday September 01, 2011 @07:36AM (#37273750)

            "If Wikileaks is going back to just leaking raw data then I don't blame them, they were better off that way not getting fucked by a media" ... "I don't believe Wikileaks is anything like perfect, it has many problems, but they were better off just leaking data" [Emphasis mine].

            Aside from a slight sympathy with people in general, who cares if Wikileaks gets "fucked" or what Wikileaks are better off doing? Surely the important thing here is the exposure of malfeasance, while doing your best to protect the innocent? If the promotion of Wikileaks becomes more important than the actual leaks, you have just proven the parent post's point. And if the newspapers don't print what Wikileaks want them to print, they can always release the information themselves as well.

            As a side note I'd rather see Assange and Wikileaks get fucked than some innocent who just happens to be put in danger due to his identity being revealed by Wikileaks. At least Assange made the conscious choice to put themselves in the spotlight for this.

      • by LordLimecat (1103839) on Thursday September 01, 2011 @01:35AM (#37272334)

        The point of leaking is to expose malfeasance

        So every one of those diplomatic cables exposed malfeasance? Tsvangirai is guilty of malfeasance?

        WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage.

        Assange doesn't think there should be any secrets, and has a known axe to grind with the US. There may be other reasons for why he leaks the way he does, but one only has to see the edits that he did to "collateral murder" (or even the title he gave it) to see that he's hardly some noble unbiased source.

      • by drnb (2434720) on Thursday September 01, 2011 @01:39AM (#37272348)

        The point of leaking is to expose malfeasance.

        Not necessarily. Leaking is also a tool of embarrassment, harassment, political manipulation, etc. When leaking selectively, one side and not the other, the point may be entirely political.

      • by gl4ss (559668) on Thursday September 01, 2011 @01:48AM (#37272398) Homepage Journal

        deciding "good" should not be wikileaks motive unless they want to be an old school political movement.

        that just makes them users of power, instead of a tool for people (unable to do it themselves) to publish things anonymously. when they decide what's good or bad, they're taking active part in politics of what's good or bad, deciding what's immoral and what's moral, deciding who is guilty and who is innocent, what's true and what's not - and by that way they get responsibility as well as they're no longer a carrier but also a censorship authority.

        Luther wouldn't have had much liberating effect on the world if he had decided what's a good thing to have in the bible and what's not, only whole translation done as well as he could was worthwhile.

      • by antifoidulus (807088) on Thursday September 01, 2011 @01:50AM (#37272408) Homepage Journal
        If you really believe that Wikileaks has no political agenda besides exposing malfeasance I have some documents I would like to sell you.
      • by c0lo (1497653) on Thursday September 01, 2011 @02:31AM (#37272562)

        The purpose of accepting leaks as declared by Wikileaks is to expose malfeasance.

        There, FTFY (otherwise "leaking" may be a means to various ends). Otherwise, all's well.

      • by Anonymous Coward on Thursday September 01, 2011 @05:46AM (#37273288)

        The point of leaking is to expose malfeasance. The point of redacting the leaked material was to limit collateral damage to those who had not acted poorly. You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that.

        WikiLeaks' act of leaking the original (redacted) leaks and their suit against this new (non-redacted) leak are a consistent stance from the point of doing the most good while avoiding the most damage. But oh, to live in your simple world...

        BULLSHIT

        Wikileaks is awfully selective about what they term malfeasance and who they target with their leaks. They don't have the guts to actually leak things about Russia or China - because they know they'd end up with a 9mm-hole-induced headache.

        They target the US because:

        1. Assange is a bog-standard anti-American, sheltered, coddled, ignorant Western leftist twerp, albeit with enough charisma to set up Wikileaks (and play around with his adoring girls..). Don't think so? Follow his history.

        2. They know the US plays nice - they won't wind up with the aforementioned 9mm headache.

      • by ArcherB (796902) on Thursday September 01, 2011 @08:27AM (#37273990) Journal

        You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that.

        And who gets to decide who are the "bad" actors and who are the good ones? What gives WikiLeaks the right to be my judge and jury? No investigation, no trial, no chance for rebuttal, just BAM, and your name is attached to something "bad" that may or may not have happened, or that you may or may not have had anything at all to do with.

        Your innocence in this case is not relevant. Getting the opportunity to defend yourself is not important. The lives of your family, your wife, kids, parents, distant cousins who you never met, may be the price for the "bad" things that some document says you did.

        Sorry, but a right to fair trial and an investigation into the allegations are a basic, fundamental, global human right. WikiLeaks has stripped that basic human right from everyone whose name is on any document that has ever been leaked by them.

      • by sycodon (149926) on Thursday September 01, 2011 @09:13AM (#37274282)

        Honest officer, I just wanted to burn up that little pile of trash, not the whole damned neighborhood.

        Wikileaks is not equipped to make informed decisions on what should be leaked nor what should and should not be redacted. The material they have is largely out of context and undoubtedly incomplete.

      • by LWATCDR (28044) on Thursday September 01, 2011 @10:36AM (#37274966) Homepage Journal

        "You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that."
        Okay so it would be okay for someone to post that you are cheating on your mate, downloading porn, and/or that you like to dress up as a little girl and have Rupert Murdoch spank you with a fish? I am sure that many people would find things that you do to be bad acts.

        "The point of redacting the leaked material was to limit collateral damage to those who had not acted poorly." And you trust a private group with no public oversight to do this more than a democratically elected government? Really?
        Even using your own rules Wikileaks fails I will go back to your rules.
        "You only leak what you need to leak in order to expose the bad acts and bad actors, but no more than that." So why did wikileaks leak a list of locations of important contractors? I am talking about parts makers. What bad act and bad actors were exposed? Why did they release pager data from 9/11 of private people paging their loved ones that they were ok? What bad acts and actors were involved in those?
        Wikileaks has failed.
        They failed by your rules.
        They failed in basic security by giving out a password to sensitive data.
        They have failed to redact data that could get people hurt.
        They have failed to present the data without bias.

        " But oh, to live in your simple world..." it seems that you do as well.

    • by Sulphur (1548251) on Thursday September 01, 2011 @01:07AM (#37272228)

      There is no honor amongst thieves.

      Either you support leaks or you do not. Selective leaking is simply propaganda dressed up to look pretty.

      Of course there is; they honor each other by stealing from each other.

    • by Jonner (189691) on Thursday September 01, 2011 @02:46AM (#37272622)

      There is no honor amongst thieves.

      Either you support leaks or you do not. Selective leaking is simply propaganda dressed up to look pretty.

      To me, this issue emphasizes one thing that's always bothered me about wikileaks.org: It's not actually a Wiki. Wikis are about maximum user freedom, but I don't think that's ever been true of wikileaks.org.

  • by mykos (1627575) on Thursday September 01, 2011 @12:54AM (#37272162)
    "...Free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master. "
  • Password (Score:3, Informative)

    by Anonymous Coward on Thursday September 01, 2011 @01:05AM (#37272208)

    The supposed password, as it appears on page 148 of the pdf [googlecode.com] version of the book, is ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#

    Supposedly applies to "cables.csv" but not to the insurance.aes torrent released last year by Wikileaks.

    • by TheLink (130905) on Thursday September 01, 2011 @01:46AM (#37272386) Journal
      To me it shows a great lack of discretion by the Guardian or at least David Leigh. Even if passwords are temporary you do not leak them to the public. It potentially provides clues to others on how passwords are constructed, and the security systems used (it might not apply to wikileaks, but it certainly applies to many organizations).

      Journalists change names of sources/interviewees/places all the time, the same should apply for passwords.
      • by Adayse (1983650) on Thursday September 01, 2011 @03:08AM (#37272684) Journal

        To me it shows a great lack of discretion by the Guardian or at least David Leigh.

        I agree. The Guardian is one of my favourite publications but they shouldn't be claiming that their publishing the password was reasonable as they are doing. They undeniably and stupidly broke half the security making it likely that they are dumb enough to be the source of the file leak as well.

      • by ace123 (758107) <patrick.horn@gmail.com> on Thursday September 01, 2011 @04:24AM (#37272968) Homepage

        This is why an encryption key is never "temporary" -- it shows no discretion on the part of the journalists to leak a key. This is not a password that can be revoked--it's a key. If you have a key for your previous house, you don't ever give the key away while telling people the address -- the lock has probably not been changed.

        Honestly I don't know why he didn't use SCP or SFTP, giving the journalist the fingerprint+password over a second channel... It's easy to revoke a password, and hard to MITM the leap-of-faith while maintaining the correct fingerprint. But hindsight is 20-20... I wouldn't have thought of this issue either.

        I know most people are complaining about the irony of a leak at wikileaks, but has nobody considered the fact that the gpg-encrypted file was publicly available on a "temporary server", probably for at least a few hours (it must have taken Leigh some time to drive home and start the download).

        At the time, wikileaks may not have been as popular, but it's not a stretch to imagine somebody was randomly browsing the IP address of that "temporary server" at the time, and noticed the encrypted file. Wikileaks is not your ordinary file host with uninteresting data on it--every file on there can be considered politically sensitive, and it may have been downloaded by several governments the instant Assange started the http daemon.

        So it's not a stretch to imagine somebody downloads the file and leaves it on his hard drive waiting for the password to come out. Heck, I may have done this once or twice to the "insurance" file--and the only thing more obvious than "insurance" is a file named "cables.gpg".
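
The distinction the comment above draws between a revocable login password and a file-encryption key, as an added example that is not part of the original thread. It assumes a toy passphrase cipher built from PBKDF2 and HMAC-SHA256 as a stand-in for GPG symmetric encryption; `TemporaryServer`, the function names and all sample values are hypothetical and constructed.

```python
import hashlib
import hmac
import os

# Stand-in for passphrase-based file encryption (NOT real GPG/AES):
# PBKDF2 derives two keys, HMAC-SHA256 in counter mode produces a keystream,
# and a second HMAC authenticates the result (encrypt-then-MAC).
PBKDF2_ROUNDS = 100_000


def _derive_keys(passphrase, salt):
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64
    )
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(plaintext, passphrase):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def decrypt_file(blob, passphrase):
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted file")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


class TemporaryServer:
    """Hypothetical host: a revocable access password guards the download."""

    def __init__(self, blob, access_password):
        self._blob = blob
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(access_password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS
        )

    def download(self, access_password):
        if self._pw_hash is None or not hmac.compare_digest(
            self._pw_hash, self._hash(access_password)
        ):
            raise PermissionError("access denied")
        return self._blob

    def revoke(self):
        # The operator can expire everything that lives on the server...
        self._pw_hash = None
        self._blob = None


def run_scenario():
    secret = b"constructed sample document"
    file_passphrase = "constructed-file-passphrase"
    access_password = "constructed-login-password"
    server = TemporaryServer(encrypt_file(secret, file_passphrase), access_password)

    mirrored_copy = server.download(access_password)  # copied while the host was up
    server.revoke()

    try:
        server.download(access_password)
        login_after_revoke = True
    except PermissionError:
        login_after_revoke = False

    # ...but a ciphertext copy made earlier still opens with the old passphrase.
    mirror_decrypts = decrypt_file(mirrored_copy, file_passphrase) == secret
    return {"login_after_revoke": login_after_revoke, "mirror_decrypts": mirror_decrypts}


if __name__ == "__main__":
    print(run_scenario())
```

Revoking the server-side credential closes the download path, while the passphrase stays valid for every copy of the ciphertext that already exists; the only way to retire it is to stop relying on the secrecy of the data it protects.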

      • Re:Password (Score:4, Insightful)

        by gsslay (807818) on Thursday September 01, 2011 @05:26AM (#37273216)

        To me it shows that the whole Wikileaks/Guardian set up was a gaggle of amateurs dabbling in information that they did not know how to handle.

        Either this data is highly sensitive and needs great care in handling, which they demonstrated they were unable to do, or it isn't and there is no need for the encryption etc. Wikileaks claim that it is mostly not sensitive, should be public, and they are the self-appointing ones to set it free. This debacle demonstrates that they handled it like it was entirely sensitive, shouldn't be made public, and they are not the ones to be trusted to do it.

        Their own actions make a nonsense of their claims.

  • by Lord_of_the_nerf (895604) on Thursday September 01, 2011 @01:09AM (#37272234)

    The coastguard?

    I'm starting a new website, to be called 'Open-Wiki-Leaks-Leaks'.

  • Food for thought (Score:5, Insightful)

    by subreality (157447) on Thursday September 01, 2011 @01:12AM (#37272240)

    FTFA:

    Wikileaks complaining of a leak?

    Yes, and damned well they should unless your moral views are very shallow.

    How many US politicians are laughing at the Wikileaks/Guardian partnership exploding so spectacularly?

    I'd say it's the CIA laughing. This is incredibly valuable for them. They lose some secrets, but they discredit the messenger (And anyone who tries to replace them) to prevent future leaks. If I was running the CIA, I'd certainly run a program to discredit Wikileaks. A few rape allegations here, an ideological schism in the organization alleging untrustworthiness, some unveiling of sources to make future sources afraid...

    Does Wikileaks finally realise there's a need for secrecy/privacy in the world?

    Finally? They've said that all along. That's why they were redacting the documents in the first place.

    Does privacy/secrecy all boil down to where someone draws an arbitrary line in the sand?

    Yes. The world is a fuzzy place and doesn't lend itself to simple morals where you can divide things into the dark side and the light side. At some point it just comes down to someone looking at the situation and doing what they feel is right.

    Should a lack of privacy/secrecy be all or nothing?

    Of course not. In general, I believe that the larger an entity is, the less privacy they deserve.

    Is Wikileaks cementing views that it is or isn't an organisation of journalists who are guided by traditional journalistic ethics?

    They publish the truth and protect sources who need protection. They've pretty much always been in that camp.

    • by SuperKendall (25149) on Thursday September 01, 2011 @01:55AM (#37272438)

      Finally? They've said that all along. That's why they were redacting the documents in the first place.

      You are attempting to claim Wikileaks is 100% pure here.

      The reality is no-one can truly judge what should be redacted over thousands of documents. A lot of REALLY bad information was released and not redacted in the documents Wikileaks released. Names were named. Why you are trying to paint WikiLeaks as wholly noble when they are the same shade of grey is a mystery to me.

      Yes they tried to redact some stuff, but you also cannot know WHY they redacted what they did - you can never know what ulterior motive Wikileaks might have had for redaction. Michelangelo once famously said when asked how he carved David that "It is easy. You just chip away the stone that doesn't look like David.". Well given enough documents you can tell whatever story you like through redaction - and don't forget there are two levels at work, the leakers redactions in addition to WikiLeaks.

      • by subreality (157447) on Thursday September 01, 2011 @02:56AM (#37272644)

        You are attempting to claim Wikileaks is 100% pure here.

        No, I'm claiming that "Wikileaks [ ... ] realizes there's a need for secrecy/privacy in the world", and providing evidence to support that claim.

        And yes, the job's too big for one person... that's why they were farming it out to reasonably respectable news organizations which are (well, should have been) capable of handling this level of journalistic ethics.

        Have a look at the actual leaks. The redactions aren't like the black pages you get back on an FOIA request. They're omitting names and other specifics, but leaving the intention of the documents perfectly well intact. Sure, that can still be used to hide an agenda on WL's part, but that just calls for critical thinking skills.

        I'm not giving them a free pass, but it does appear that they're trying to do the right thing. How could they even cheat at this? Tell their press partners "hey, we need to redact these documents but, uh, could you do it with this other agenda in mind?"

        For better or worse, we'll find out: since the raw information is now available, we can see what was redacted and if it was done with an agenda.

    • by c0lo (1497653) on Thursday September 01, 2011 @02:49AM (#37272628)

      FTFA:

      Wikileaks complaining of a leak?

      Yes, and damned well they should unless your moral views are very shallow.

      Yes and damned well they should.

      Because two actions use the same means doesn't make the actions equivalent.
      To put it into perspective: self-defense and premeditated murder may use a firearm. Are they equivalent?

    • by dbIII (701233) on Thursday September 01, 2011 @06:59AM (#37273588)

      If I was running the CIA, I'd certainly run a program to discredit Wikileaks. A few rape allegations here, an ideological schism in the organization alleging untrustworthiness, some unveiling of sources to make future sources afraid...

      Nice theory, but since those things actually happened instead of a major fuckup it's incredibly unlikely that the CIA was involved :)

    • by Beyond_GoodandEvil (769135) on Thursday September 01, 2011 @08:13AM (#37273910) Homepage
      At some point it just comes down to someone looking at the situation and doing what they feel is right.
      At that point you may as well start the good intentions paving company and be done with it. Also no snowflake in an avalanche feels responsible.
  • by gstrickler (920733) on Thursday September 01, 2011 @01:31AM (#37272318)
    Leaking unredacted documents is exactly what wikileaks was widely criticized for in their first big release (~70k cables). In that case, they staunchly defended the practice. Now they're complaining, and even suing over the exact same thing, only they weren't the ones to expose them this time. When did they change their position on this issue? And if they have changed it, are they now prepared to apologize for their prior behavior?
    • by mgiuca (1040724) on Thursday September 01, 2011 @01:44AM (#37272374)

      Your post basically answers itself. They did change their position on the issue because they got a lot of heat for not redacting the cables. That is why for the past year (with the Cablegate cables) they have been working with news organisations to carefully redact them before releasing, and releasing them in small batches a few at a time. That has consistently been WL's position for the past year. Complaining that The Guardian released the cables that were supposedly sent to them for the sole purpose of redacting them is not inconsistent with their recent position.

      (I have often said that one is not a hypocrite for changing one's beliefs, only for simultaneously saying one thing and doing another.)

      • by gstrickler (920733) on Thursday September 01, 2011 @02:11AM (#37272498)
        As I said in my initial post, changing position is fine. However, when you change your (in this case very public) position, you should publicly acknowledge that you have done so, and take responsibility for any issues your prior position caused. To my knowledge, they have done none of that. Last I heard from them is that they were "right" to release the unredacted cables in the past, and "it didn't matter because no harm was done". That's an irresponsible position to take. If they have apologized or accepted responsibility for their earlier irresponsibility, please direct me to it, because I have not seen it. Until then, I still consider them to be irresponsible hypocrites.
  • Idiots. (Score:5, Insightful)

    by v(*_*)vvvv (233078) on Thursday September 01, 2011 @01:33AM (#37272328)

    Who in their right mind would think it okay to publish a password and publish the correct one? They could have published the same book with a fake password all the same, yet obviously it was the password.

    As for it being temporary, it wasn't an access password, but a decryption password. And in the eyes of the law, why would what Wikileaks said even matter if non-disclosure was part of their arrangement?

    • by mgiuca (1040724) on Thursday September 01, 2011 @01:49AM (#37272402)

      Yes -- very well put about the access password vs decryption password. To put it another way, there was no point in having the password at all if the password was eventually to be made public.

      JA sent a file over the network, then deleted it afterwards. There are two scenarios: we can either a) assume that nobody did or ever will get their hands on the data being sent, or b) assume that someone might have or might in the future get their hands on the data. If we're going with (a), then we don't need a password at all -- it could have been sent in the clear. Obviously, that isn't the assumption we are operating under. So it must be (b), and therefore, we should assume that that password is a highly sensitive secret for the rest of time. It should have been destroyed.

      Perhaps the mistake was trusting this complicated logic to a man who didn't know how to use 7-zip.

    • Re:Idiots. (Score:4, Insightful)

      by Chuck Chunder (21021) on Thursday September 01, 2011 @02:00AM (#37272466) Homepage Journal

      Who in their right mind would think it okay to publish a password and publish the correct one?

      I am guessing that the choice of password played into this. Had it been random, nonsensical and dull it probably wouldn't have been published, but "CollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#" has descriptive value.

      I remember hearing or reading about an idea that involved identifying a leaker by seeding different people with documents that contained juicy, unique phrases to tempt journalists into quoting them directly, thereby identifying the source of the document.

      This isn't the same, but having a password that has meaning in relation to the contents of the documents certainly adds some risk. A pass phrase should be context free.

      • by igb (28052) on Thursday September 01, 2011 @04:22AM (#37272964)
        There's a reason why in proper IA environments, people who are given actual sight of actual key material are trained, and that key material itself is classified to the level of the ciphertext it unlocks. No one comes out of this well: a bunch of people who don't understand how to keep stuff long-term safe playing at spies.

        For the Graun to publish key material, even stuff they "know" to be meaningless, is irresponsible. Publishing that key assumed that the ciphertext had been securely destroyed, and I cannot for one second believe that a newspaper has the IA regime in place to do that, nor the ability to know that the initial transfer from Wikileaks to the Graun hadn't been observed by a state or non-state actor.

        For Wikileaks to use the same passphrase for their insurance copy of the file and the copy they passed to their collaborators is insane: there must be fifty and more groups with that pass phrase if the same process was repeated for all the people working on those cables. That meant that a repressive regime had a large choice of people in many countries they could kidnap and extract the key from, for example.

      • by gsslay (807818) on Thursday September 01, 2011 @05:34AM (#37273246)

        Mod parent up.

        You are spot on. If the password had been random then it most certainly wouldn't have been mentioned. But the password used gives "insight" into how those handling it were treating it. Someone was being smart-arse. Someone was saying "I can encrypt this with a straight-forward description of what I regard this to be". Someone was making a statement in saying "This is no big secret, it's just a history".

        But of course, the fact they encrypted it immediately demonstrates the reverse. They were saying one thing, yet doing the other, and in doing so managed to fail completely at both.

  • by solanum (80810) on Thursday September 01, 2011 @01:37AM (#37272340)

    ...can someone who illegally obtained classified documents and released them into the public domain then sue someone else for stealing their illegally obtained documents and releasing them into the public domain.

    For what it's worth it seems much more likely to me that someone within WikiLeaks who was disaffected then stole the data/password and released them than the Guardian did it. Just because it was the (supposedly) time limited password given to the Guardian doesn't mean no one else had access to it.

    • by mgiuca (1040724) on Thursday September 01, 2011 @02:01AM (#37272472)

      ...can someone who illegally obtained classified documents and released them into the public domain then sue someone else for stealing their illegally obtained documents and releasing them into the public domain.

      The two situations are totally different. The very reason that nobody can sue Julian Assange (or any other newspaper that has ever leaked something) is because they did not "illegally [obtain] classified documents". There is a deliberate asymmetry in the law here: it is illegal to disseminate classified information, but it is not illegal to receive or publish it. That is why Bradley Manning is locked up, but Julian Assange is not (well, not relating to the cables anyway).

      On the other hand, WikiLeaks and The Guardian had a contractual obligation not to divulge the contents of those cables. Nobody at WikiLeaks "leaked" the cables to The Guardian -- they were transferred to The Guardian under contract. This is a case of breach of contract, nothing else.

      For what it's worth it seems much more likely to me that someone within WikiLeaks who was disaffected then stole the data/password and released them than the Guardian did it. Just because it was the (supposedly) time limited password given to the Guardian doesn't mean no one else had access to it.

      Maybe cut back on the conspiracy theories. Nobody is denying the facts here (the only thing that's in contention is where the blame lies). The story comes straight from the book written by The Guardian editors -- Julian Assange gave the password to Leigh, and he published the password in his book. The problem is that Leigh thought it was a time limited password, when it wasn't. (If he knew anything about cryptography, it would have been obvious that it wasn't, because it was a decryption password, not an access password.)

      • by solanum (80810) on Thursday September 01, 2011 @02:32AM (#37272566)

        Sorry, the first part was meant to be funny... As for the second, according to the Guardian at http://www.guardian.co.uk/world/2011/sep/01/unredacted-us-embassy-cables-online [guardian.co.uk]

        "The embassy cables were shared with the Guardian through a secure server for a period of hours, after which the server was taken offline and all files removed, as was previously agreed by both parties. This is considered a basic security precaution when handling sensitive files. But unknown to anyone at the Guardian, the same file with the same password was republished later on BitTorrent, a network typically used to distribute films and music. This file's contents were never publicised, nor was it linked online to WikiLeaks in any way.

        "Our book about WikiLeaks was published last February. It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours.

        So 1) WikiLeaks knew the password was out there many months ago, 2) if they were TOLD the password was temporary they didn't misunderstand anything...

        • by mgiuca (1040724) on Thursday September 01, 2011 @03:15AM (#37272730)

          Yes but this is what I meant by "Nobody is denying the facts here (the only thing that's in contention is where the blame lies)." -- I accept that there is a debate going on as to who said what was temporary and who should or shouldn't have disclosed what. But the following facts are not in dispute: (1) WikiLeaks provided the documents (encrypted) and passphrase to Guardian, (2) Guardian editors revealed passphrase in book. So there is no need for a theory that someone else got hold of the password: Leigh published it. I'm not sure who published the encrypted data, but I believe it was WL themselves. Following cryptographic principles, WL was not at fault to publish the encrypted data, because that isn't the part that was supposed to be secret; the passphrase was.

          To your points: (1) Yes, WikiLeaks did know the password was out there many months ago. They did not make a public statement about it until today, because they didn't want to draw attention to it. At the time of the book's publishing, the encrypted files were already available online, and there was nothing that anybody could have done to keep it from getting out (besides not saying anything). WikiLeaks had no power to change the password or revoke the file by that time.
          I wrote a full post [tumblr.com] on this issue.
          (2) I find it very hard to believe that WL would have told the guardian that the password was temporary, since it clearly wasn't (it was PGP). I imagine there was a misunderstanding which went something along these lines:
          1. JA hosts a file on a private server. The connection to the server itself is over SSL. However, JA knows that SSL is not sufficient to prevent others from downloading the file, since it doesn't require authentication on the part of the client. So he also encrypts the file itself.
          2. JA explains to DL that the connection to the server is encrypted and the file will only be temporarily hosted. DL, by his own admission a non-technical person (he needed JA's help to use 7-zip) misunderstands this as "the password on the file is temporary."
          3. JA separately hands DL a piece of paper containing the password to decrypt the file.
          4. DL downloads and decrypts the file using the password.
          5. JA is operating under the assumption that the encrypted file is public (since it was available on an open network, via SSL, but still available to the public). Therefore, it is safe to distribute the same file on another date (I'm not exactly sure how this encrypted file eventually got out, but suffice to say that it is now public, and this is cryptographically not to be unexpected or a problem).
          6. DL, not realising the importance of the password (he figures that now that the file has been taken off JA's server, the password is no longer valid) writes it down into his book.
          7. The editors, under pressure to release, do not vet the contents of the book, and publish it.
          8. JA reads the book and finds the password. By this point, it is too late to do anything other than keep silent about it as long as possible.

        • by Kjella (173770) on Thursday September 01, 2011 @05:02AM (#37273124) Homepage

          Having a "doomsday" file out there in case Wikileaks is taken down, everyone arrested and whatnot is a good precaution. Reusing a password that many people in many organizations they've shared it with know is insanely stupid, no matter what. They should have used a password they and only they knew. Because as this case proves, that means they've lost control of their doomsday device. They don't have control over the file and they don't have control over the password.

          They should have used a different file for partners, that they controlled tightly with very limited risk even if the password was exposed. Of course they couldn't ultimately have stopped the Guardian if they had revealed both that file and the password, but at least you didn't hand over the keys to your doomsday device. That is just epic fail on the side of Wikileaks, no matter if the Guardian acted stupid or not.

    • by MarkvW (1037596) on Thursday September 01, 2011 @02:26AM (#37272552)

      Anybody can sue anybody about anything almost anywhere. Frivolous crap like this gets thrown out of court pretty fast.

      A lawsuit exposes Wikileaks to civil discovery. Civil discovery is very broad. Think about the story that the Guardian could write with what they learn about Wikileaks personnel in the civil discovery process. Think about the secrecy that Wikileaks gives up by prosecuting a lawsuit.

      This is posing. Assange is a nauseating individual. While Bradley Manning sits his ass in jail, that scumbag Assange fritters away the donations of true believers in a frivolous lawsuit that will never go anywhere.

  • by mgiuca (1040724) on Thursday September 01, 2011 @01:54AM (#37272436)

    It has often been said in security that the first law of security is being clear about what is a secret and what is not. Once we have decided that, we can safely distribute the non-secrets as long as we hide the secrets. This is, for example, why I am perfectly comfortable revealing my public key to everybody on the planet.

    So who is to blame? In one corner, WikiLeaks (allegedly... I'm not clear on the details) released this encrypted file to the public. In the other corner, The Guardian released the passphrase. WikiLeaks blames The Guardian for releasing the passphrase, while The Guardian blames WikiLeaks for releasing the enciphered data (it claims that it was a one-time password that should have been safe to give out).

    Clearly, from a cryptographic standpoint, WikiLeaks is right here, and The Guardian is at fault. We must be operating under the assumption that the encrypted data file is non-secret, and the passphrase is secret. That is why it was safe to transmit the encrypted data file over the Internet, but Julian wrote the passphrase down on a piece of paper and handed it directly, as well as verbally giving Leigh an unwritten salt.

    • by FranTaylor (164577) on Thursday September 01, 2011 @03:57AM (#37272898)

      Why is wikileaks in the right?

      What kind of security policy is this, giving trust to outsiders, hoping that they will do the right thing? You may have the contract on your side, but litigation will not put the toothpaste back in the tube.

      Really it's just shoddy security practices by Wikileaks. They could have managed this in a way where they did not have to trust the reporter to do the right thing.

    • by FranTaylor (164577) on Thursday September 01, 2011 @04:05AM (#37272920)

      It has often been said in security that the first law of security is being clear about what is a secret and what is not.

      I think perhaps the first law of security is that you actually have to keep the secrets secret.

      • by mgiuca (1040724) on Thursday September 01, 2011 @04:15AM (#37272944)

        Mm, well, no I would say that's the second law of security. You can't keep the secrets secret until you have determined which pieces of information should be kept secret.

        • by FranTaylor (164577) on Thursday September 01, 2011 @05:04AM (#37273140)

          And if you don't keep the secrets secret, the entire exercise is pointless!

          • by mgiuca (1040724) on Thursday September 01, 2011 @05:33AM (#37273234)

            The second rule is pretty important, I agree.

            My point is, you can't keep everything secret. If you did, you wouldn't be able to release your public key. And you wouldn't be able to disclose the details of the AES algorithm, to be vetted by security professionals. And you wouldn't be able to transmit even the binary for your decryption program to untrusted people, because then someone could reverse engineer it. And, importantly for this discussion, you wouldn't be able to transmit encrypted documents over the open internet.

            Because if you kept everything secret, then you wouldn't be able to make ANYTHING (not even the encrypted text) public. That's why the first step of security is to decide which things can (or must) be made public, and which things must be kept secret. So we have established theory that says "don't make your algorithm secret -- it will leak out eventually", which is why we have public algorithms like AES. We have a notion of public keys, which we put on the public servers. And we of course acknowledge that once something is encrypted, we can put it out over an unsecure wire. But we also know that there are things which must not be disclosed. Private keys must be kept to yourself. Passphrases must be kept between only the people who are sharing the encrypted data. Of course the plaintext itself must not be disclosed publicly.

            Once we have established which bits of information are secrets (passphrases, private keys, plaintext) and which may be exposed on an open wire (algorithm descriptions, public keys, ciphertext), and ONLY once we have established that, can we go about carefully guarding the secrets, and stop worrying about the non-secrets.

        • by FranTaylor (164577) on Thursday September 01, 2011 @05:07AM (#37273152)

          I don't understand your logic.

          Deciding what is secret and what is not is just a matter of content. Deciding that you need to keep the secrets secret affects the fundamental policies of how you do things.

          • by mgiuca (1040724) on Thursday September 01, 2011 @05:36AM (#37273248)

            I'm not talking about content (as in "let's keep the details on Iraq secret but the contents of the president's breakfast public"). I'm talking about fundamental units of information (as in "let's keep the private key secret but the public key public", or more to the point, "let's keep the plaintext secret but the ciphertext can be viewed by the public"). See my response to your other post.

            It's so basic it should be a non-issue: WikiLeaks is currently taking heat for making the ciphertext of an encrypted file public, while the Guardian disclosed the passphrase to that file. How is this WikiLeaks' fault? We all make ciphertexts of encrypted files public all the time -- that is the whole point of encryption.

  • by Rosco P. Coltrane (209368) on Thursday September 01, 2011 @02:28AM (#37272558)

    I think not. Alanis Morissette never mentioned Wikileaks.

  • by NicknamesAreStupid (1040118) on Thursday September 01, 2011 @02:53AM (#37272636)
    . . . performed by lawyers on behalf of their clients?
  • by tick-tock-atona (1145909) on Thursday September 01, 2011 @04:11AM (#37272934)
    If you are going to share extremely sensitive documents with several people, why the FUCK wouldn't you create several *different archives* with different passwords - one for each individual you are sharing the information with?!

    Give each individual access for a short period of time, and then DELETE THE INDIVIDUAL FUCKING ARCHIVES FROM YOUR SERVER! This has the additional benefit of being able to trace any future leaks.

    Seriously, if you have disseminated the password to your single "master copy" archive to multiple organisations, then it might as well not be encrypted. If they had created different archives + passwords for each recipient this would be a non-issue.

    An analogous situation is where you're setting up a webserver which hosts multiple sites/apps. You run the server process of each site as a different user because that way if one site is exploited, the damage is contained to that site only.

    I seriously wonder if Wikileaks employees run their desktops as root.
    • by mgiuca (1040724) on Thursday September 01, 2011 @04:40AM (#37273024)

      I've written a full post on this issue here [tumblr.com], but I'll respond to your individual points.

      If you are going to share extremely sensitive documents with several people, why the FUCK wouldn't you create several *different archives* with different passwords - one for each individual you are sharing the information with?!

      I agree, it is somewhat unusual for WL to have disseminated the cables in an encrypted archive, deleted the archive, then at a later time shared the same encrypted archive rather than creating a new one. It might have been better to create a new one with a new password, and may have added some extra layers of security, but from a cryptographic standpoint this was perfectly reasonable behaviour.

      You need to consider this as a cryptographic system (as I'm sure Julian Assange did), and that means considering what information is public and what information is secret. The archive was encrypted, and the ciphertext was shared across the open Internet (I assume over SSL, but still not requiring authentication). Therefore, we must assume that the encrypted archive is public from that point forwards. The password that unlocked that archive was kept secret and treated as extremely sensitive by WL. By Leigh's own description, JA handed it to him in person on a piece of paper, and then verbally gave him a salt to apply to the password. It's strange that the passphrase wasn't a collection of random letters, but apart from that, all of this makes cryptographic sense.

      Now let's suppose that you need to send the exact same document to another journalist at a later date. While maybe you should re-encrypt it, cryptographically it doesn't make any difference, because we are operating under the assumption that the original encrypted archive was public from the last time we put it on the open network. Therefore, reusing the same archive again with the same passphrase doesn't weaken our security very much. To put it another way, even if WL had destroyed that archive and never reused the passphrase, someone in the general public could theoretically have a copy of it from the one time it was shared, and therefore could have decrypted it when Leigh disclosed the passphrase.

      Give each individual access for a short period of time, and then DELETE THE INDIVIDUAL FUCKING ARCHIVES FROM YOUR SERVER! This has the additional benefit of being able to trace any future leaks.

      Technically it is too late by this point. Once you have put it on the open internet for a short period of time, you have to assume that it is public, and rely on the encryption on the archive itself, and your endpoint not to disclose the passphrase. They could have set up a login system that requires the client to authenticate. That would have guarded against the contact disclosing the password at some point in the future. But is there any reason to have planned for that scenario? You are already giving the full dump of sensitive documents to your contact, so cryptographically it makes no difference whether you do it by an authenticated login or by transmitting an encrypted document. The end result is the same -- only you and your contact have the plaintext -- assuming your contact is not malicious or stupid. If your contact is malicious or stupid, you're fucked anyway because he has the documents. To put it another way, the system would have been secure if Leigh had not disclosed the password, which Leigh was contractually obliged not to do. Any other system would have required the same level of trust in Leigh. This was an error on Leigh's part, not WikiLeaks and not the technology.

      Seriously, if you have disseminated the password to your single "master copy" archive to multiple organisations, then it might as well not be encrypted. If they had created different archives + passwords for each recipie

      • by tick-tock-atona (1145909) on Thursday September 01, 2011 @05:56AM (#37273318)
        Sorry, none of your points hold water. Defence in depth [wikipedia.org], Separation of duties [wikipedia.org] and Discretionary access control [wikipedia.org] are all well known security tenets.

        But in the WikiLeaks scenario, what is "the damage"? If any one journalist is "compromised" (say, publishes the password in a book), all the cables go public unredacted. This is true whether they are all sharing the same password or not.

        No, and that is the whole point. If they publish the password in a book, then they themselves must also publish their copy of the archive - or the password is useless. So if one organisation publishes their file, and then another publishes their password, there is no issue.
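
Added example, not part of any comment in this thread and not code used by WikiLeaks or The Guardian: a Python sketch of the per-recipient archive scheme argued for above, next to the single shared archive. The recipient names, function names and sample document are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumption: tune to your hardware


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the passphrase."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (not a vetted AEAD)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC. Layout: salt(16) | nonce(16) | body | tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    body = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag


def open_archive(blob: bytes, passphrase: str) -> bytes | None:
    """Return the plaintext, or None if the passphrase or blob is wrong."""
    if len(blob) < 64:
        return None
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_keystream(enc_key, nonce, body)


def _fingerprint(passphrase: str) -> str:
    return hashlib.sha256(passphrase.encode()).hexdigest()


def issue_shared(plaintext, recipients):
    """The criticised setup: one archive and one passphrase for everyone."""
    passphrase = secrets.token_urlsafe(24)
    blob = seal(plaintext, passphrase)
    return {r: blob for r in recipients}, passphrase


def issue_per_recipient(plaintext, recipients):
    """One archive and one random passphrase per recipient, plus a ledger
    mapping passphrase fingerprints to recipients for later leak tracing."""
    archives, passphrases, ledger = {}, {}, {}
    for r in recipients:
        passphrases[r] = secrets.token_urlsafe(24)  # context-free, 192 bits
        archives[r] = seal(plaintext, passphrases[r])
        ledger[_fingerprint(passphrases[r])] = r
    return archives, passphrases, ledger


def blast_radius(disclosed: str, archives: dict) -> list:
    """Recipients whose archive the disclosed passphrase decrypts."""
    return [r for r, blob in archives.items()
            if open_archive(blob, disclosed) is not None]


def trace_passphrase(disclosed: str, ledger: dict):
    """Identify which recipient a published passphrase was issued to."""
    return ledger.get(_fingerprint(disclosed))


if __name__ == "__main__":
    doc = b"constructed sample document"            # constructed input
    outlets = ["outlet-a", "outlet-b", "outlet-c"]  # hypothetical names
    shared, shared_pw = issue_shared(doc, outlets)
    print("shared:", blast_radius(shared_pw, shared))
    archives, pws, ledger = issue_per_recipient(doc, outlets)
    leaked = pws["outlet-b"]
    print("per-recipient:", blast_radius(leaked, archives),
          "issued to", trace_passphrase(leaked, ledger))
```

Note the scope of the containment: every recipient still holds the same plaintext, so this limits what a disclosed passphrase unlocks and shows who it was issued to, not what a recipient can republish.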

  • Mixed feelings (Score:2, Insightful)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Thursday September 01, 2011 @04:26AM (#37272976) Homepage

    On one hand, their anger is understandable. Even when your business is to reveal secrets, you need to also keep some secrets (ask any reporter with an anonymous source). It sounds hypocritical, but it really isn't. You can argue all you want about whether some military secrets endanger national security or the safety of civilians, but it should be clear that, for example, evidence of military or political wrong-doing is in the public interest, while access information to private computers or bank accounts is not (even if the person is guilty of wrong-doing). And on another level, a journalist publishing information given him by a confidential source is fulfilling his journalistic duty, while a journalist publishing information the source told him not to publish (which may possibly identify the source) is breaching trust.

    On the other hand, taking this to court is completely fucking retarded. It kills any remaining relations with the newspaper, harms their relations with the other papers, hurts public opinion (because of the appearance of hypocrisy), draws public attention to the very matter they wanted to keep confidential (Streisand effect), and has no chance of stopping the damage.

    Also, as the article says, what the hell was the point of publishing the passphrase in the first place?

  • by drolli (522659) on Thursday September 01, 2011 @06:23AM (#37273416) Journal

    JA copies confidential files into a secret directory on a server and does not warn the people who have the right and the access to the parent directory, then does not delete these after transmission, and he chooses a simple password transmitted in a public place AFAIU (instead of a larger key transmitted on a physical medium, like a cd or an sd card) which he does not warn his partner never to reveal it and handle it with care, does not make sure he has the organizational, physical and administrative control over this server.

    Holy shit this guy fucked up. For acting cool he compromised *all* security principles. In the company where I worked security was hanging not so high, but putting data, even encrypted, on a server outside the company's full control was *strictly* forbidden.

    If I would have to design something which is easy to give, I would choose a bootable Linux read-only USB stick (so that anybody can just freshly boot) with networking turned off and an encrypted container and instruct my partner to open it on a freshly bought random netbook. Easy, cheap, fast, safe.

    But not as cool and you have to explain a few minutes.
