Nigel Parry, Wednesday, August 31st, 2011
The UK’s Guardian newspaper’s Investigative Editor, David Leigh, author of the “Get this Wikileaks book out the door quickly before other Wikileaks books are published” Wikileaks book has messed up.
And when I say “messed up”, I mean that Mr. Leigh let slip the top secret password revealing the names of U.S. collaborators around the world—information now freely available to all the enemies of the U.S.
And when I say “let slip”, I mean that David Leigh published the password as a chapter heading in his book, “WIKILEAKS: Inside Julian Assange’s War on Secrecy”:
Dum dum-de dum dum dum dum dum.
Over the last week, a storm has been brewing as German newspapers reported a leak of unredacted United States embassy cables which, as Wikileaks put it when the Cablegate publishing began in November 2010, are:
…the largest set of confidential documents ever to be released into the public domain. The documents will give people around the world an unprecedented insight into US Government foreign activities.
The leaked Cablegate documents—251,287 in all—began being released on November 28th, 2010, in dribs and drabs by Wikileaks, who argued:
“The embassy cables will be released in stages over the next year. The subject matter of these cables is of such importance, and the geographical spread so broad, that to do otherwise would not do this material justice.”
Guardian Investigative Editor, David Leigh, has been one of the fiercest critics of Wikileaks’ head Julian Assange since the media partnership with the whistleblower publishing organization collapsed. Repeatedly on his @davidleigh3 Twitter feed, and in interviews, he has blasted Assange for his allegedly cavalier attitude towards informant name redactions from the raw Cablegate files.
It was a powerful criticism to give credence. The US Army Joint Chiefs of Staff Chairman, Admiral Mike Mullen, used it himself in July 2010, saying that Wikileaks “might already have on their hands the blood of some young soldier”. The Defense Secretary would later concede that this was not the case.
When David Leigh met Julian Assange in July 2010, and took possession of the Cablegate files, Assange wrote down a password for Leigh, and told him to remember a word to insert into the password later. The account is given in pages 138-139 of David Leigh and Luke Harding’s book, Wikileaks: Inside Julian Assange’s War on Secrecy:
I remember reading this shortly after the book was released and instinctively thinking “bad idea”.
On a basic security level, revealing any information about how Julian Assange formulates his passwords could have implications in any of the other myriad of sensitive areas Wikileaks deals with. Any files encrypted by Assange at the same time—or before—the cables, and in the possession of any entity hostile to Wikileaks, are now more vulnerable since Leigh’s book gave up its clue about how Assange formulates passwords.
And anyone who has access to the original file David Leigh was given could now decrypt it. Unless the original file was carefully protected throughout its entire life, decrypted and unzipped, then destroyed after the data was released, that password will work on copies of it for ever. No backsies. So regardless of how David Leigh & Co. imagine computer security works—and right now they are desperately trying increasingly ridiculous arguments to blame Wikileaks for Leigh’s actions—there’s no reason to publish any password this sensitive—ever.
The entire Leigh/Harding Wikileaks book is written in the thrilled tone of a girl scout’s diary, clearly reveling in the secret squirrel aspect of the story. And they’re clearly clueless too. Leigh at one point drives across town so Assange can show him how to unzip the Cablegate file. Perhaps not the best people to share secrets with.
Cat out the bag
On August 25th, Der Freitag reported that a file containing the unredacted cables was available on the Internet. TechCrunch summarized the story a couple of days later:
In the story, published on Friday, editor Steffen Kraft claims to have found online a “password protected csv file” containing a 1.73GB cache of entirely unredacted diplomatic cables, originating from Wikileaks. According to Kraft, the password for the file is also easy to locate.
On August 29th, Der Spiegel confirmed the story:
In the summer of 2010, Assange stored the password-protected file containing the cables in a concealed location on a WikiLeaks server. He gave the password to an external contact to allow him access to the material contained in the file.
When Domscheit-Berg left the organization in September 2010 together with a German programmer, the two men took the contents of the server with them, including the encrypted file containing the documents. As a result, Assange no longer had access to the file.
At the end of 2010, Domscheit-Berg finally returned to WikiLeaks a collection of various files that he had taken with him, including the encrypted cables. Shortly afterwards, WikiLeaks supporters released a copy of this data collection onto the Internet as a kind of public archive of the documents that WikiLeaks had previously published. The supporters clearly did not realize, however, that the data contained the original cables, as the file was not only encrypted but concealed in a hidden subdirectory.
From the two German reports, it became clear that a torrented mirror of Wikileaks had accidentally included an encrypted copy of the Cablegate cables. And that the password was easy to find on the Internet.
This last part immediately brought to mind the Guardian’s Wikileaks book and David Leigh and Luke Harding’s inexplicable need to tell people the password for the original encrypted Cablegate file.
Meanwhile, none of the German reporters wanted to be the one to mention which password and which archive. In the case of both, there aren’t that many options.
It was Domscheit-Berg who allegedly connected the dots for the German media organizations. Unparalleled Wikileaks news follower and gatherer Asher Wolf later perhaps best summed up the tangled web with a tweet quoting @Nin_99:
wl fucked up b/c they had file on public server, leigh fucked up b/c he told everyone the pw, ddb told everyone who would listen about all
Surely it couldn’t be that easy? In the evening of August 30th, I started searching the various Wikileaks torrents online, and those that I’d downloaded, looking in directories for encrypted files. I wrote to several of the German journalists who had broken the story and asked them outright if David Leigh’s password opened the archive. No response. I asked David Leigh himself. He declined to respond.
I tweeted other people who closely follow the Wikileaks story. It was a treasure hunt with clues. An anonymous Twitter user, @Nin_99, joined in and messaged us, pointing to a suspicious directory on a downloaded Wikileaks torrent, shared online:
@flyingmonkeyair @JLLLOW @Asher_Wolf @m_cetera Anyone might guess what’s in these here: http://18.104.22.168/wiki/file/xyz/ (from torrent)
@Nin_99 had been exploring the directory for a few days, trying different passwords on it.
In the directory, date-stamped 9 June 2010, were 4 files, all encoded with Pretty Good Privacy (PGP) encoding, the file names with *.gpg suffixes.
I started at the bottom of the list, putting in the David Leigh password. It unzipped z.gpg into a file called z.7z. Opening that file and extracting it using the Ez7z compression/decompression program, the file spat out a file called cables.csv, dated with a creation date of April 12, 2010 at 9:22PM.
It was a 1.61GB file but it had been reported in the German press to be 1.73GB. Gigabytes are confusing for many in that 1GB is not actually equal to 1,000MB but rather to 1,024MB. 1.61GB is therefore indeed 1,730 million bytes, and calling this 1.73GB would be an easy mistake for someone to make from the incorrect assumption that 1,000MB=1GB.
So there it was. After Wikileaks, the various media partners, Aftenposten—who apparently scored a copy of cables.csv back in December 2010—and the German reporters, I was the first person out of the loop and in the wild to have unzipped the unredacted Cablegate cables.
I private messaged @Nin_99 to save them some time and let them know the password opened z.gpg.
Game over at this point. The cat was forever out of the bag. Regardless even of what we both did, it was only a matter of time before someone else unpacked the unredacted cables. The various media organizations’ hints were more than enough.
It’s a bad day for @DavidLeigh3 & the Guardian. His book password decrypts an old wikileaks.org dir file into cables.csv, 1.61GB #Cablegate
and a minute or so later:
Just to be clear: I ran the password from p139 of @DavidLeigh3’s book and it opened into cables.csv #Wikileaks #FAIL
It was a tense minute or so after I first unzipped the cables. The bigger the secrets, the bigger the sense of personal responsibility. If the United States government was unhappy about redacted cables being released by media organizations, it was going to have a giant WikiCow about the unredacted ones being released to the whole world.
I e-mailed Wikileaks, copying the tweet URL. Whether in response or not, Wikileaks sprang into action and released a statement within 20 minutes:
Statement on the betrayal of WikiLeaks passwords by the Guardian.
GMT Wed Aug 31 22:27:48 2011 GMT
A Guardian journalist has, in a previously undetected act of gross negligence or malice, and in violation of a signed security agreement with the Guardian’s editor-in-chief Alan Rusbridger, disclosed top secret decryption passwords to the entire, unredacted, WikiLeaks Cablegate archive. We have already spoken to the State Department and commenced pre-litigation action. We will issue a formal statement in due course.
Within an hour, @Nin_99 had uploaded the unredacted cables onto the Internet, and within a couple of hours, the cables were also available at longtime transparency website Cryptome.org.
During that one minute—when I realized I was one of the few people in the world with access to this data—I grasped why so many people had been such dicks about the documents.
Several “unauthorized” copies have long existed outside of the ones that Wikileaks and the official media partners have. James Ball and Heather Brooke both weaseled jobs at the Guardian due to the Wikileaks insider knowledge and/or possession of the cables. In Ball’s case, he was a former Wikileaks employee.
Assimilation was the way the Guardian hung onto exclusivity as long as it could. There’s been a feeding trough around the Cablegate documents and no one has been sharing nicely.
The week before this “Cablegategate” story broke, Domscheit-Berg made a big public show by claiming to have destroyed a large trove of Wikileaks documents because ‘Wikileaks couldn’t keep data safely’. Then apparently he went back to some members of the media to explain to them exactly how to add 2 and 2 together in order to guarantee that sensitive Wikileaks data would be publicly released in an unsafe way.
It is hard to describe the depths of shame that one would imagine that David Leigh would be feeling about making the most momentous Internet blunder since HBGary CEO Aaron Barr stuck his penis in an e-hornets’ nest.
Yet there’s zero sign of shame over at the Guardian. Over at David Leigh’s Twitter feed there is only hostility and denial:
Shame to see time-wasting efforts to drag Guardian into #Assange-Domscheit-Berg row over #wikleaks leaks. No dog in that fight, folks
Deranged nonsense from Assange, attempting to deflect blame on to Guardian for his own chaotic mistakes. Sad to watch
Note for nerds: The cables file originally accessed by the Guardian WASN’T called z.gpg. It’s a quite different file. Mysterious, isn’t it?
And some of this stuff is not only not true, but contradicts other information the Guardian is putting out. David Leigh underling James Ball was dispatched to write the Guardian’s excuse up, under a headline so transparent it couldn’t be leaked, WikiLeaks prepares to release unredacted US cables. Their own investigative editor is such a clod-footed moron as to publish a top secret password in his “rush it out to cash in” book, but it’s not David Leigh who is to blame for what has already happened, it’s Wikileaks’ fault for the redundant action it hasn’t even taken yet!
Wikileaks put out a statement about David Leigh on 1 September 2011, accusing him of “negligently disclos[ing] top secret WikiLeaks’ decryption passwords” and announcing “pre-litigation action against the Guardian and an individual in Germany who was distributing the Guardian passwords for personal gain”.
All this amateur hour PR scrambling by the Guardian is causing a few problems, glaring contradictions being one of them. Leigh’s Twitter feed claims:
“Note for nerds: The cables file originally accessed by the Guardian WASN’T called z.gpg. It’s a quite different file. Mysterious, isn’t it?”
Meanwhile, the Guardian’s in-house former Wikileaks nerd, James Ball, writes in his article that:
“This file, it was later discovered, was the same file that had been shared with the Guardian via the secure server. It shared the same file name and file size, and could be unlocked using the same password as that given to Leigh.”
Mysterious, isn’t it?
Nigel Parry was one of the first bloggers, the first warblogger, producer of the first alt.news site out of a warzone, the cofounder of the Electronic Intifada, Electronic Iraq, and Electronic Lebanon alternative news websites, and offers communications solutions via his business nigelparry.net.