|Home » Industry Watch
OpenLeaks Off to a Flying Fail
Daniel Domscheit-Berg even has his German countrymen against him.
FINOWFURT (Rixstep) — Daniel Domscheit-Berg aka the Leberkäse Kid can't get the time of day, can't get anything right. More and more people are inclined to heave a sigh of relief.
After months of false starts and work weeks crammed with efforts to squeeze every last pfennig out of something Swedish journalists called a 'boy's adventure book' and others called even worse, the on-again off-again WikiLeaks thief is trying to rejoin the whistleblower community.
Except nobody believes in him anymore (if they ever did) and even the leaders of the world famous Chaos Computer Club (mentioned already in Underground) are trying to distance themselves.
Eleven Months of Run-Arounds
Daniel Domscheit-Berg still hasn't made up his mind whether he actually stole anything from WikiLeaks or not.
He told Marcel Rosenbach of Spiegel Online on 26 September last year that stealing from WikiLeaks was out of the question. Then he went on to successively brag heroically that he had in fact stolen, deny he had stolen, then finally in an interview with Artificial Eyes last March tried to explain that he made an attempt to return everything the very day he ran off with it.
But as revealed now by CCC board member Andy Müller-Maguhn, the CCC spent eleven months trying to get Domscheit-Berg to stick to a single story and return what he'd stolen. No such luck.
In a last-ditch effort, Domscheit-Berg was asked, if he continued to beat around the bush about the actual procedure involved in returning what he'd stolen, to just destroy it as people's lives could be in danger.
Andy Müller-Maguhn of the CCC now says Domscheit-Berg cannot be trusted. But it gets worse: for Domscheit-Berg has been trying to use a CCC summer event to promote his own work and fool people into thinking the CCC approve of it.
'We on the board of the CCC are not happy Domscheit-Berg has given the impression OpenLeaks will be tested by our own people and thus given a CCC stamp of approval. This is outrageous.'
- Andy Müller-Maguhn
Five Media Partners? Secure Submissions?
As WikiLeaks continues to amass more and more media partners (the total must be approaching one hundred by now) Domscheit-Berg's OpenLeaks can boast of but five. Save Denmark's Information.dk, they're all local lesser-known German news organisations and one consumer watch group.
The 'secure' website Domscheit-Berg put up for testing also turns out to be anything but secure. Hanno Böck found an invalid certificate at the site.
What is wrong here is that an intermediate certificate is missing - we have a so-called transvalid certificate (the term 'transvalid' has been used for it by the EFF SSL Observatory project). Firefox includes the root certificate from Go Daddy, but the certificate is signed by another certificate which itself is signed by the root certificate. To make this work, one has to ship the so-called intermediate certificate when opening an SSL connection.
The reason why most people won't see this warning and why it probably went unnoticed is that browsers remember intermediate certificates. If someone ever was on a webpage which uses the Go Daddy intermediate certificate, he won't see this warning. I saw it because I usually don't use Firefox and it had a rather fresh configuration.
But that's not all. Hanno continues.
There was another thing that bothered me: On top of the page, there's a line 'Before submitting anything verify that the fingerprints of the SSL certificate match!' followed by a SHA-1 certificate fingerprint. Beside the fact that it's english on a german page, this is a rather ridiculous suggestion.
Checking a fingerprint of an SSL connection against one you got through exactly that SSL connection is bogus. Checking a certificate fingerprint doesn't make any sense if you got it through a connection that was secured with that certificate. If checking a fingerprint should make sense, it has to come through a different channel. Beside that, nowhere is explained how a user should do that and what a fingerprint is at all.
Both issues give me the impression that the people who designed OpenLeaks don't really know how SSL works - and that's not a good sign.
Even Rupert's WSJ SafeHouse seems a safer bet.
CCC: 'Incomprehension and Resentment'
Domscheit-Berg was met by people at the CCC camp with Unwillen und Unverständnis - incomprehension and resentment.
He didn't bother to check whether the camp's infrastructure was sufficient to start the service. And his amateurish way of presenting a 'security test' was also roundly criticised.
'A good safety test works differently', said CCC spokesman Frank Rieger. 'Secrecy is not security', said CCC spokeswoman Constanze Kurz. 'Secure systems need transparency.'
Domscheit-Berg seems to be making enemies at the CCC the same way he did at WikiLeaks. A growing number of CCC members are tiring of him and beginning to question his integrity, according to Zeit Online. Hardly surprising either as he admits in his 'boy's adventure' book that he never paid his dues.
'His statements are not necessarily consistent', says Frank Rieger, thereby underscoring the understatement of the century.
And the great penetration test? What happened to it? Evidently not much. CCC hackers have no interest.
'Many are simply tired of his promises and have doubts about the implementation', says Constanze Kurz.
The question begging to be answered is what happened to Domscheit-Berg's touted 'architect' - the only one known of who actually left WikiLeaks at the same time as Domscheit-Berg. This anonymous 'architect', hired on by WikiLeaks as a half-time network engineer, was responsible for a security system at WikiLeaks that no one's been able to penetrate.
Domscheit-Berg's made a big thing since last September about how his 'architect' friend quit WikiLeaks too and how he subsequently joined OpenLeaks. Given the abysmal showing at Finowfurt this weekend, it's not likely that architect is still on board with Domscheit-Berg, leaving only the likes of Herbert Snorrason - an historian and not an IT guru and never on staff at Assange's WikiLeaks - and Domscheit-Berg himself.
Domscheit-Berg's professed background isn't enough to put together a secure submissions site. And it shows.
Postscript: Domscheit-Berg Expelled from CCC
Marcel Rosenbach reports the CCC now voted to expel Daniel Domscheit-Berg. Further details should arrive later today or tomorrow in Spiegel Online.
Off to a flying fail.
Pathological liars always have great faith in their own honesty. That's what helps them lie.
- Julian Assange
You have fucked up in so many ways and you want me to enumerate them but what is the point if you can't see things for yourself?
- Julian Assange to Daniel Domscheit-Berg May 2010
Industry Watch: The WikiLeaks Palace Revolt
Topsy: The Life and Times of the Leberkäse Kid
Zeit Online: Chaos Computer Club misstraut OpenLeaks
Hanno's Blog: OpenLeaks doing strange things with SSL
The Technological: Daniel Domscheit-Berg: The Reviews
The Technological: The Life and Times of the Leberkäse Kid
Red Hat Diaries: Unrequited Love, Uncomfortable Coincidences
Spiegel Online: WikiLeaks-Aussteiger haben Datenschatz entführt
Spiegel Online: Chaos Computer Club: Hacker distanzieren sich von OpenLeaks