An encrypted WikiLeaks file containing some 251,000 unredacted U.S. State Department cables is now widely available online, along with the passphrase to open it. The release of the documents in raw form, with the names of U.S. informants around the globe exposed in them, has raised concerns that dozens of people could now be in danger.
The release of the file comes amidst a heated blamefest between WikiLeaks and the
Guardian newspaper in London, who let slip the encrypted version of the database and the decryption key respectively. As details about how the leak occurred surface, it appears that both organizations share the blame.
The 1.73-GB file and passphrase were
published Thursday on Cryptome, a competing secret-spilling site, after news broke over the last week that they had been circulating on the internet unnoticed for several months. A keyword search through the file by Wired.com shows that the uncensored cables contain over 2,000 occurrences of the phrase “strictly protect”, which is used in cables to denote sources of information whose identities diplomats consider confidential.
It’s unclear how the release will affect imprisoned 23-year-old Pfc. Bradley Manning, who’s facing court martial for allegedly leaking the database to WikiLeaks last year.
WikiLeaks had given the
Guardian access to the file, along with the passphrase, last summer when WikiLeaks founder Julian Assange met with
Guardian editor David Leigh.
WikiLeaks, the
Guardian and other media outlets have been publishing the cables in dribs and drabs since last November, after carefully removing the names of most informants. The full database of cables was to have been released piecemeal through November 29 of this year. But on Friday, as news of the leaked file and passphrase were made public, WikiLeaks suddenly began publishing a torrent of cables from the database. It has so far published about 144,000 cables, most of them unclassified. The Associated Press found the names of 90 confidential U.S. sources, including human rights workers laboring under totalitarian regimes, named in that subset of cables.
WikiLeaks said in a statement that it “advanced its regular publication schedule, to get as much of the material as possible into the hands of journalists and human rights lawyers who need it,” before information about the file and passphrase was widely published and repressive regimes sifted through the cables. WikiLeaks has been soliciting votes from the public on whether people agree or disagree that all 250,000 of the cables should be released in raw, unredacted form. The popular vote favors release, and WikiLeaks has telegraphed on Twitter its intention to publish. But this time third parties have overtaken the secret-spilling site, and the file is already easily found elsewhere.
WikiLeaks blames the
Guardian for disclosing the password, which it did so in a book it published earlier this year about its collaboration with WikiLeaks. WikiLeaks called the
Guardian’s action “
gross negligence or malice.” “The Guardian disclosure is a violation of the confidentiality agreement between WikiLeaks and Alan Rusbridger, editor-in-chief of the Guardian, signed July 30, 2010,” the group said in a lengthy statement.
The
Guardian has downplayed its role in the debacle, while simultaneously revealing a lack of security savviness at the dawn of its relationship with WikiLeaks. The paper notes that although the
Guardian’s book did reveal the passphrase, it did not reveal the location of the file, and that Assange had told the paper that “it was a temporary password which would expire and be deleted in a matter of hours. It was a meaningless piece of information to anyone except the person(s) who created the database.”
“No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files,” the paper went on to say. “That they didn’t do so clearly shows the problem was not caused by the Guardian’s book.”
Crypto keys, however, last forever, and even if WikiLeaks hadn’t blundered in its handling of the encrypted file, the
Guardian clearly should have treated the key as highly-sensitive for the foreseeable future.
The fracas heated up last Friday when an editor for the German news weekly
Der Freitag revealed that his publication had
found the uncensored cables in a 1.73-GB password-protected file named “cables.csv” that was available on the internet, and that the password had inadvertently been published online.
WikiLeaks revealed on Wednesday that the passphrase was indeed been published in a book written by Leigh. In the book, Leigh wrote that during the paper’s meeting with Assange in Belgium last year, Assange had given him the passphrase, in part in writing, and in part orally.
Assange had told the paper that the file, which was placed in a subdirectory on a WikiLeaks server, would remain online only a short time, after which it would be removed. Assange, however, apparently never removed the file, and it later found its way into the hands of the organization’s former spokesman, Daniel Domscheit-Berg, and then back to WikiLeaks, after which it wound up on BitTorrent as part of a large archive of WikiLeaks files, which could be downloaded by anyone.
Kim Zetter @
'Wired'
