Thursday 3 June 2010

WikiLeaks' Sketchy Origins


The New Yorker has a fascinating new profile of Julian Assange, the mastermind behind WikiLeaks. Raffi Khatchadourian's piece is full of revelations about the enigmatic hacker-turned-"open-government activist", from details of his peripatetic childhood to an exclusive glimpse of Assange at work on the "Collateral Murder" video of an American Army helicopter shooting journalists and civilians in Baghdad.
Check it out—but also check out MoJo's controversial profile of Assange by David Kushner, which has just been updated and expanded. Like Kushner, Khatchadourian concludes that Assange's attempts to shine light on evildoers while lurking in the shadows are deeply contradictory: "The thing that he seems to detest most—power with accountability—is encoded in the site's DNA, and will only become more pronounced as WikiLeaks evolves into a real institution."
Perhaps the most interesting tidbit in the New Yorker story is its discussion of how WikiLeaks got its start. When WikiLeaks was in the planning stages in 2006, Assange said that he had more than 1 million documents; a claim that convinced Cryptome founder John Young that Assange was either exaggerating or up to no good. But now it seems that Assange did have his hands on a large, questionably obtained, cache of material. Khatchadourian reports that one WikiLeaks activist had access to a "tranche" of secret government documents obtained by Chinese hackers. The documents had been pulled off of Tor, the anonymizing network that WikiLeaks now encourages its leakers to use to stymie "internet spies." According to the New Yorker, WikiLeaks posted only a few of those swiped documents. If it's accurate, this anecdote raises some serious ethical and technical questions about how WikiLeaks operates. Does WikiLeaks condone this kind of online snooping? Has it relied upon it since its launch? Just how many of the sensitive documents it's posted were genuinely leaked and how many were hacked?
From Assange's response, the only thing that's clear is that (yet again) questioning WikiLeaks' M.O. makes him tetchy. He seemed to approve of the New Yorker piece, re-tweeting its assertion that "Some WikiLeaks documents were siphoned off of Chinese hackers' activities"—a detail that helps its noble-hacker mystique. However, after Wired looked into the Tor issue, Assange tweeted that its "beatup on WL&Tor" had "no new info": "Don't be fooled." The Register found this micro-denial "sketchy"; in a comment to the site, Assange implied that Wired and the New Yorker had gotten the Tor story wrong, but didn't elaborate on whether WikiLeaks had in fact gotten its start with documents taken from the privacy network.
Perhaps the New Yorker misinterpreted the geekery behind WikiLeaks; perhaps Khatchadourian got stuck in Assange's web of plausible deniability. Either way, a more detailed response from Assange would go a long way toward clearing the air. As Ryan Sholin writes, "Is it OK to hack Tor in the name of the public good?...I have a hard time trusting Tor or WikiLeaks right now."
Dave Gilson @'Mother Jones'

However, this comment is also at the page above:
First off, please take a little time to read my comment here:
http://ryansholin.com/2010/05/31/wikileaks-and-tor-moral-use-of-an-amora...
If you read that, I explain that Tor does not ensure (and has never promised to ensure) the security of the contents of data from point a to point b online. Tor obscures the origin from the destination.
The system is structured so that the exit nodes don't have to be trusted. If you read any of the Tor documentation, they tell you that. They tell you that anything you send over the wire unencrypted will come out for that last jump from exit-node to destination unencrypted, and anyone trying to intercept traffic at the exit node (the person running the node or an attacker) or the destination (the person running that service or an attacker) can read your stuff.
This is not news. On the other hand, your private information, including usernames/passwords, is probably in more danger on an open cafe wireless, where the kid next to you may be monitoring the unencrypted traffic on the wireless.
Mostly, we pay no attention to these things. But gosh, you'd expect Chinese hackers might have more incentive to take care? :)
Second, Assange says that something between a few and none of the materials published on Wikileaks came from the Chinese hacker monitoring. However the materials they did publish concerned documents outlining persecution of Tibetan activist NGOs and such. These organizations were warned.
This is a classic whistleblower scenario -- one I'd expect MoJo to understand. Any time there's a whistleblower, information is essentially stolen, violating some institution's security. This is true if it's Deep Throat spilling secrets to journalists he's sworn to keep. It's true if a chemical plant employee walks off with a manila folder with test results not meant for the public. It's true if someone takes information on a thumbdrive or laptop to present to the press or law enforcement. And it's true if someone intercepts a cell phone or internet data (whether or not from Tor).
All of these whistleblowers broke some form of security or confidentiality. I'm generally sorry when I hear that people are sniffing traffic from the Tor Network, but we know it happens, just as surely as we know somewhere right now, a sysadmin is reading someone's work email on an office server.
As we speak, there are activists, journalists, bloggers all over the world whose identity is being preserved by using Tor, writing in danger zones. Global Voices Online and Reporters without Borders are only two of the groups who train their people to use Tor to obscure the origin of their communications. They also teach people to use encrypted services (like https://gmail.com) rather than unencrypted services (http://gmail.com) so that end-to-end encryption will obscure the *contents* of their communication. Tor doesn't do that.
I'm former Tor staff, and a current volunteer. I spoke as executive director of Tor for a worldwide conference at Amnesty International (http://politics.gather.com/viewArticle.action?articleId=281474977022186), and was proud to be working with organizations including Human Rights Watch and many others during my tenure there. We focus on educating these people -- journalists, human rights activists, citizen journalists in countries where speech is not free, ...
We also document proper use of Tor to protect the user. However, my experience is that ignorant people will use Tor without protecting themselves or their data, and in the case of crackers, this can actually help law enforcement catch them. Although really *smart* criminals will use botnets and other more secure options than Tor, Tor remains the best solution for internet anonymity that doesn't involve stealing or exploiting someone else's computer or resources, and that is why it is in such widespread use among people who want to engage in civil disobedience, whistleblowing, or dissent.
You can learn more about who uses Tor, and why, here:
http://www.torproject.org/torusers.html.en
Assange stated pretty clearly that only a few whistleblower documents were published from Tor-sniffed hacking. Regardless of what you think of Wikileaks, dragging Tor through the mud just scares people away from a good resource, including people whose safety might eventually depend on their anonymity -- some successors of the Iranian election activists who used Tor to get media out of Iran, wherever that next need arises.
I'm no longer working on project staff, but I still do volunteer work for them. The way the media has engaged in scare tactics around something that isn't news (that exit nodes pass unencrypted content unencrypted) in a way that might scare someone into an insecure situation online, or drive them to use criminal means to protect themselves, makes me furious.
The Tor Project tried to make this into a teachable moment here:
https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext
I hope MoJo folks will learn more about Tor, and perhaps even support the project in the future. Feel free to contact me with any questions.
Sincerely,
Shava Nerad
Tor volunteer (not speaking *for* Tor)
shava@efn.org
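
The distinction the comment draws (Tor hides the origin, not the contents) can be made concrete with a small simulation. This is an added example, not part of the original post or of Tor's code; the toy cipher, the keys, the `mail.example` host and the credentials are constructed stand-ins for real relay and HTTPS encryption.

```python
import hashlib

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream); a stand-in for real
    relay/TLS encryption, used only to make the layering visible."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

# Constructed keys: one per relay in the circuit, plus an end-to-end session
# key shared only by client and destination (the role HTTPS plays).
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
E2E_KEY = b"k-client-destination"
REQUEST = (b"POST /login HTTP/1.1\r\nHost: mail.example\r\n\r\n"
           b"user=alice&password=hunter2")

def relay_views(app_bytes: bytes) -> dict:
    """Wrap app_bytes in one layer per relay, then return what each relay
    holds after removing its own layer."""
    cell = app_bytes
    for _, key in reversed(CIRCUIT):   # client adds exit layer first, guard last
        cell = toy_xor(key, cell)
    views = {}
    for name, key in CIRCUIT:          # each relay peels exactly one layer
        cell = toy_xor(key, cell)
        views[name] = cell
    return views

def who_can_read(app_bytes: bytes, secret: bytes) -> list:
    """Names of relays whose view contains the secret in the clear."""
    return [n for n, view in relay_views(app_bytes).items() if secret in view]

plain_http = REQUEST                    # http://: sent as-is through the circuit
over_https = toy_xor(E2E_KEY, REQUEST)  # https://: encrypted before entering Tor

if __name__ == "__main__":
    print("http :", who_can_read(plain_http, b"password=hunter2"))
    print("https:", who_can_read(over_https, b"password=hunter2"))
    # The destination, holding E2E_KEY, still recovers the request.
    print(toy_xor(E2E_KEY, relay_views(over_https)["exit"]) == REQUEST)
```

Once the last onion layer is removed, the exit relay holds exactly the bytes the application handed to Tor, so only encryption applied before the traffic enters the circuit keeps the contents from the exit.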
