WikiLeaks exposes thousands of sources in written-password SNAFU

Inside Julian Assange's War on SecrecyThe cone of silence over WikiLeaks’ thousands of sources – many of whose lives are at risk if identified – has been shattered, all thanks to the most mundane, all-too-human security screwup imaginable.

To wit: WikiLeaks founder Julian Assange wrote down the password on a piece of paper, and then forgot to change it later.

The security breach has thrown open the doors to WikiLeaks’ entire archive of 251,000 secret U.S. diplomatic cables.

To the horror of the media partners it has worked with in the past to carefully redact the documents – The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde – WikiLeaks has published its entire archive, unredacted, putting in danger several thousands of people whom the U.S. has tagged as being at risk if exposed. The documents also cite more than 150 whistleblowers.

“We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,” the organizations said in a joint statement.

“Our previous dealings with WikiLeaks were on the clear basis that we would only publish cables which had been subjected to a thorough joint editing and clearance process. We will continue to defend our previous collaborative publishing endeavour. We cannot defend the needless publication of the complete data – indeed, we are united in condemning it.”

The media partners made it clear that this time, with this move, Assange got no help from them. “The decision to publish by Julian Assange was his, and his alone,” they said in the statement.

Der Spiegel has chronicled the archive’s publishing, tracing it back to a meeting between Assange and David Leigh of The Guardian.

According to the account, as the British journalist recounts in his book “Inside Julian Assange’s War on Secrecy”, Leigh and Assange at one point sat down to discuss how Assange would provide Leigh with a file including all of the diplomatic dispatches received by WikiLeaks.

PasswordAccording to Der Spiegel, Assange placed the file on a server and wrote part of the password on a slip of paper. To make it work, one had to complete the list of characters with a certain word.

Can you remember it? Assange asked. Of course, Leigh said.

“At the time, Daniel Domscheit-Berg, who later founded the site OpenLeaks, was the German spokesman for WikiLeaks. When he and others undertook repairs on the WikiLeaks server, he took a dataset off the server which contained all manner of files and information that had been provided to WikiLeaks. What he apparently didn’t know at the time, however, was that the dataset included the complete collection of diplomatic dispatches hidden in a difficult-to-find sub-folder,” according to Der Spiegel.

With the dataset in the hands of Domscheit-Berg, Leigh went on to describe his meeting with Assange in his book. In the book, however, he included not only the portion of the password on the slip of paper, but also the part he had been asked to commit to memory.

What followed included feuding between Domscheit-Berg and Assange, attempts to prove that Assange wasn’t trustworthy, and the eventual disclosure that not only was the entire dataset circulating, but that the password could be found in Leigh’s book.

At this point, fingerpointing is rampant. WikiLeaks’ Twitter feed blames The Guardian. The Guardian is protesting its innocence, putting out a statement claiming that it had been told the password was only temporary.


WikiLeaks

It is strictly false that the Guardian was told the password or file were temporary, hence the elaborate password handover method.

The U.S. Embassy in London and the U.S. State Department were notified of the possible publication on August 25 to enable officials to warn the named informants. Hopefully, this has given them enough time to remove themselves from harm.

Whether that is possible for all the sources who’ve been put in harm’s way is an open question.

But one thing is certain: The platforms to which whistleblowers have hitherto brought their leaks are compromised. They are as riddled with security holes, as flailing with common human weaknesses, as the most ridiculed home user running an unsecured wireless network and the most inept office worker writing down his password on a Post-It note.

Let us hope that this carelessness, this breathtaking lapse in security hygiene, leads to no loss of life.