17:08 06 September 2011 by Paul Marks
WikiLeaks founder Julian Assange has defended the organisation’s release of all 251,000 secret US diplomatic cables that it held without the redaction of the names of informants mentioned in them.
In an interview with New Scientist, Assange said the leak publishing outfit’s usual editorial “harm minimisation” procedures had become irrelevant after other websites published the full text of the unredacted cables.
That full-text publication became possible when the book WikiLeaks: Inside Julian Assange’s war on secrecy was published in February. Written by two journalists at the newspaper The Guardian, based in London, the book revealed the decryption key for a computer file containing all the US state department cables leaked to WikiLeaks.
The Guardian team say they believed the key had expired – but it had not.
“That is not how file decryption works,” Assange says. “The only thing that was temporary was the website location the file was stored in. But the password is not used for the website – it is used for decrypting the file.
“We entrusted all 251,000 cables to The Guardian so they could read them and do their journalism on them,” he says. “Our security arrangement was perfect, assuming the password was not disclosed.”
The Guardian’s David Leigh was given a written copy of a lengthy encryption key – a passphrase – plus an additional word that he had to commit to memory for insertion at a set point within the phrase, adding security if the paper copy was lost.
Trickle of leaks
He later included these details in the book WikiLeaks, which he co-authored. So when the AES256-encrypted file was tracked down to BitTorrent sites – where WikiLeaks had supposedly placed it as a defence against denial-of-service attacks – the cables could be decrypted and began trickling onto rival leak sites like Cryptome.org.
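The mechanism at issue, as an added example that is not from the article or from WikiLeaks: a file encrypted under a passphrase-derived key carries no expiry date or hosting location, so any copy made while it was available still decrypts after the download site is withdrawn. The passphrase, plaintext and work factor are constructed, and because Python's standard library has no AES, an HMAC-SHA256 keystream stands in for AES-256.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # constructed work factor for the demo

def derive_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into a 32-byte cipher key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256, not AES itself."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_file(plaintext: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag  # nothing in here records a date or a URL

def decrypt_file(blob: bytes, passphrase: str) -> Optional[bytes]:
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong passphrase or altered file
    return xor(body, keystream(enc_key, nonce, len(body)))

def full_passphrase(written: str, memorised: str, position: int) -> str:
    """Insert the memorised word at a set point in the written phrase."""
    words = written.split()
    return " ".join(words[:position] + [memorised] + words[position:])

def demo() -> dict:
    written, memorised = "constructed paper phrase for this demo", "extraword"
    secret = full_passphrase(written, memorised, 2)
    locations = {"temporary-site": encrypt_file(b"constructed archive", secret)}
    locations["mirror"] = bytes(locations["temporary-site"])  # any copy made meanwhile
    del locations["temporary-site"]  # the download location is withdrawn
    return {"mirror": decrypt_file(locations["mirror"], secret),
            "paper_only": decrypt_file(locations["mirror"], written)}
```

The written phrase alone fails to decrypt, which is the protection the memorised word gives against a lost paper copy; once both parts are disclosed, re-encrypting under a new passphrase does nothing for copies of the old file that already exist.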
The publication of the passphrase and additional secret word in The Guardian’s book has horrified not only WikiLeaks but security engineers in general. Their view is perhaps best summed up by the influential BT infosecurity expert Bruce Schneier on his blog: “Memo to The Guardian: publishing encryption keys is almost always a bad idea.”
The reason? Even if the passphrase had expired – it hadn’t in this case – the way it is put together, alongside knowledge of the use of an additional word, gives an attacker very strong clues as to how an organisation habitually structures its keys, passwords or passphrases. “It describes our internal security mechanisms,” says Assange.
Three weeks ago, other leak sites realised that The Guardian’s passphrase decrypted the BitTorrent file – and the unredacted US cables began appearing on non-WikiLeaks sites. “So we contacted the US state department, Amnesty International and Human Rights Watch and told them what was occurring,” says Assange – presumably so they could prepare any informants for possible trouble.
Race for knowledge
Then late last week WikiLeaks published the whole tranche of unredacted cables. “The reason being that a race commenced between the governments who need to be reformed and the people who can reform them using the material,” says Assange.
“Additionally, for harm minimisation, there are people who need to know that they are mentioned in the material before intelligence agencies know they are mentioned – or at least as soon after as possible.
“By the time we published the cables, the material was already on dozens of websites, including Cryptome, and were being tweeted everywhere. And even a searchable public interface had been put up on one of them.”
Another motive for publishing the tranche, Assange claims, was the provision of a reliable source for the leaks. In the field of leak publishing, he says, WikiLeaks has become a trusted brand. Although versions of the cable tranche were appearing online, “there was not an authorised version of the cables that the public could rely on”.
What does he mean by an “authorised” version of cables, when they were US government property?
“By ‘authorised’ I mean a version that is known to be true – it doesn’t have another agenda. The unauthorised versions that were being tweeted everywhere – although as far as we can determine they were accurate, the public and journalists couldn’t know they were accurate.”
He points to stories published in Tajikistan and Pakistan that have been based on fake cables. “WikiLeaks is a way for journalists and the public to check whether a claimed story based on a cable is actually true. They can come to our site to check. We have a 100 per cent accuracy record.”