It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. Near as I can tell, this is what happened:

1. In order to send the Guardian the cables, WikiLeaks encrypted them and put them on its website at a hidden URL.
2. WikiLeaks sent the Guardian the URL.
3. WikiLeaks sent the Guardian the encryption key.
4. The Guardian downloaded and decrypted the file.
5. WikiLeaks removed the file from their server.
6. Somehow, the encrypted file ends up on BitTorrent. Perhaps someone found the hidden URL, downloaded the file, and then uploaded it to BitTorrent. Perhaps it is the "insurance file." I don't know.
7. The Guardian published a book about WikiLeaks. Thinking the decryption key had no value, it published the key in the book.
8. A reader used the key from the book to decrypt the archive from BitTorrent, and published the decrypted version: all the U.S. diplomatic cables in unredacted form.

Memo to the Guardian: Publishing encryption keys is almost always a bad idea.

Memo to WikiLeaks: Using the same key for the Guardian and for the insurance file -- if that's what you did -- was a bad idea.

Read more: Bruce Schneier