How do you do, Cablegate2
DreamWorks might sell a movie, but they can't buy the truth.
Cablegate2, the massive summer 2011 WikiLeaks release, was an extraordinary event, an event engineered by a couple of people who knew they might get blood on their hands but simply didn't care. Those two people are David Leigh of the Guardian (now thankfully retired) and Daniel Berg aka Daniel Schmitt aka Daniel Domscheit-Berg. There is no question of their culpability, but both did their utmost at the time to obfuscate the truth.
The following article summarises facts already known and published at this site.
David Leigh and his colleagues in crime did a lot to obfuscate what was going on with Cablegate. Leigh did this by deliberately conflating the concepts of 'password' and 'encryption key' in his book. And he did this in a diabolical way so as to get the reader confused. David Leigh knew better - he just didn't want you to know too.
Certainly David Leigh is not the sharpest tool in the shed when it comes to technology - and has also aimed nasty comments at those who know more - but as seen in his own book, he had technical consultants at the Guardian involved from the get-go. And there is no way they wouldn't have understood the issues involved and communicated them to him. And then there is the process of fact-checking, a part of copyediting a work for publication. Had Leigh wanted to set the record straight, he certainly didn't lack the wherewithal. Leigh knew full well what he was doing, and he understood the ramifications as well, but he went ahead anyway, despite his understanding he was putting people's lives in jeopardy, so intense was his desire to crush WikiLeaks.
Leigh, it must be remembered, really wanted WikiLeaks gone. He engineered a secret deal with Bill Keller of the New York Times to preempt WikiLeaks in the release of Cablegate.
Not everyone in that inner circle approved, for Assange was alerted to what Leigh was up to, resulting in the surprise confrontation 1 November at the offices of the Guardian.
Leigh uses the encryption key for Cablegate as the title of one of the chapters of his book.
Near Lochnagar, Scotland August 2010
ASSANGE'S 58-CHARACTER PASSWORD
On the tiny silver Hewlett Packard thumb drive plugged into his MacBook were the full texts of more than 250,000 diplomatic cables. To search through them was maddening, tiring - and utterly compelling.
It had been a struggle to prise these documents out of Assange back in London. There were repeated pilgrimages to the mews house belonging to Vaughan Smith's Frontline Club near Paddington station before Assange reluctantly turned them over.
So Leigh knew about Cablegate and Assange wasn't willing to play, so Leigh pushed at him again and again.
He willingly passed on the less important war logs from Afghanistan and Iraq, but talked of how he would use his power to withhold the cables in order to 'discipline' the mainstream media.
It turns out, unsurprisingly, that Assange was right. But disciplining Leigh proved very difficult.
In return he would give Assange a promise to keep the cables secure, and not to publish them until the time came.
What rot. As soon as the opportunity came along in the persona of Heather Brooke who was peddling a renegade copy of Cablegate for employment, Leigh schemed to break the agreement and the memorandum of understanding the editor in chief Alan Rusbridger (Leigh's brother in law too) had signed and sent to Assange on Guardian masthead stationery.
Finally, after several pages of BS, Leigh gets down to explaining how things were done.
Eventually, Assange capitulated. Late at night, after a two-hour debate, he started the process on one of his little netbooks that would enable Leigh to download the entire tranche of cables. The Guardian journalist had to set up the PGP encryption system on his laptop at home across the other side of London. Then he could feed in a password.
No, it was a fucking encryption key.
Assange wrote down on a scrap of paper:
'That's the password', he said.
Now no one save Assange and Leigh know what Assange said. But Assange knows the difference between an encryption key and a password. And this wasn't a password.
WikiLeaks had already (and several times since) released encrypted files. They've done so for the Snowden leaks, and they also did so in 2010 with the massive file 'insurance.aes256'. Of note - it's a central issue - is that these files were widely distributed, and WikiLeaks encouraged people to download them, establish torrents, and so on. The file was announced on 30 July 2010. Even Domscheit-Berg sent the file on USB thumbs to several people by snail mail.
Entrusting you with data
We are contacting you today in a matter of trust. Enclosed with this letter you can find a USB stick containing information in an encrypted archive.
This information is being distributed to you and other trusted entities around the world in the light of challenges our project might face in the upcoming next weeks. Distribution will make sure that no matter what happens, this information will be disclosed to the media and consequently the general public. It will also serve as an insurance for the well being of our project and us.
If anything goes wrong, a second mechanism will make sure that the keys for this material will be distributed publicly, enabling you to decrypt the archive and help make sure it wasn't all for nothing.
We are entrusting you to not disclose the fact of receiving this letter and the data to anyone. A lot might depend on it.
With the best regards and thank you,
The 'password' (encryption key) Assange gave Leigh was not the full thing:
But a part of it, with a key word omitted:
Which in itself said quite a lot about how Assange created encryption keys. And it was a good system. Note how he mixes upper case with lower case and numerals, underscores, and even one extraneous character. Good system indeed. Which thanks to Leigh the whole world now knows.
And according to Leigh, Assange tells him:
That's the password. But you have to add one extra word when you type it in. You have to put in the word 'Diplomatic' before the word 'History'. Can you remember that?'
Leigh promises he can remember that. Leigh goes on immediately:
Leigh set off home, and successfully installed the PGP software. He typed in the lengthy password, and was gratified to be able to download a huge file from Assange's temporary website.
Note the above is in bold italic as it's crucial to the deception Leigh is undertaking.
- Leigh is hinting that he needed the 'password' to download the file, which is not only ridiculous, but a deliberate lie.
- Leigh puts in the word 'temporary' to save his own sorry arse. There's no mention of 'temporary' in the exchange with Assange, and there's no reason to keep things 'temporary'. Most likely 'insurance.aes256' already had Cablegate, and it was already out there; had anyone succeeded in decrypting it? Do any readers know how hard (impossible) it is to crack AES 256?
The design and strength of all key lengths of the AES algorithm (128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.
One thing's certain: if the insurance file could be cracked, you'd know about it.
But how about Leigh? Leigh is admittedly a technological numbnuts. Read this from his continuation:
Then he realised it was zipped up - compressed using a format called 7z which he had never heard of, and couldn't understand. He got back in his car and drove through the deserted London streets in the small hours, to Assange's headquarters in Southwick Mews. Assange smiled a little pityingly, and unzipped it for him.
But hadn't Leigh ever heard of GOOGLE?
It's one thing to have fun mocking a new generation. But to not be able to use Google? Yet he admits he drove all the way back across town in the middle of the night to get help with something he could've found at his own keyboard in two seconds. So yes, David Leigh is an intellectual pygmy. But that doesn't matter. Further in the same chapter in Leigh's book:
Now, isolated up in the Highlands, with hares and buzzards for company, Leigh felt safe enough to work steadily through the dangerous contents of the memory stick. Obviously, there was no way he, or any other human, could read through a quarter of a million cables. Cut off from the Guardian's own network, he was unable to have the material turned into a searchable database. Nor could he call up such a monolithic file on his laptop and search through it in the normal simple-minded journalistic way, as a word processor document or something similar: it was just too big.
Harold Frayman, the Guardian's technical expert, was there to rescue him. Before Leigh left town, he sawed the material into 87 chunks, each just about small enough to call up and read separately. Then he explained how Leigh could use a simple program called TextWrangler to search for key words or phrases through all the separate files simultaneously, and present the results in a user-friendly form.
TextWrangler is a rather buggy (it may be better today) text editor from Bare Bones. Yes we should be frightened if Leigh needs help using a text editor and the search function therein. But the important thing is Leigh had technically competent people in the loop before he set off to the highlands.
Knowing further how much and how often all the crooks at the Guardian violated Alan's memorandum of understanding, it's impossible that Leigh didn't know by the time of publication of his book the difference between password and encryption key.
So what's the difference between a password and an encryption key?
Encryption Keys and Passwords
A password is a word that lets you pass. Such as 'Lucky sent me' at the door of a secret nightclub. Once you've passed into the protected location, the data is yours.
An encryption key is what's used to encrypt or decrypt a file. Symmetric encryption keys can be used for both. Files that are encrypted can be accessed. And opened (read). But they look like gibberish until they're decrypted. (Much good access will do you.)
Files behind a password can be encrypted (but often aren't). Encrypted files don't have to be in a password-protected area (and often aren't - 'insurance.aes256' is the perfect example). Files encrypted with serious algorithms (such as AES 256) are nigh on impossible to crack, and 'brute force' attacks (tossing every possible key at the files) can take tens or hundreds or thousands of years.
Remember too that the attacker won't know how many bytes are in the key. Cracking AES 256 takes serious time and computing power and most likely is beyond today's hardware capabilities, no matter how much hardware 1,000,000 NSAs might possess.
Encrypted files (such as 'insurance.aes256' or the Cablegate file) don't need to be hidden or protected. They already are. And although it's a good bet that this distinction is beyond the mind of David Leigh, it's not beyond Harold Frayman or anyone else in the Guardian's technical staff. Leigh got the files in the summer of 2010, and would have to be more of a dodo than he's already known to be to not remember how he downloaded the file Assange gave him, or what role his 'PGP' played in the process.
Leigh had to:
- Use the URL Assange gave him to download the file; then
- Use the encryption key (and his new PGP software) to decrypt it.
Anyone could have pointed out to the withered Leigh (and someone certainly did) that encryption keys don't change overnight, and they certainly can't expire; and any suggestion the file in question was at a temporary location totally lacks relevance as its location (and accessibility) is not an issue. The encryption key is. And David Leigh and everyone at the Guardian knew it.
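The point about keys that can't expire, as an added example (not code from the original article or from anyone it describes): a file is encrypted under a passphrase-derived key, copied to mirrors, and then "rotated" at the origin, which leaves every mirrored copy decryptable with the old passphrase. Python's standard library has no AES, so PBKDF2 plus an HMAC-SHA256 keystream stands in for AES-256 here; the passphrases and the document are constructed.

```python
from __future__ import annotations
import hashlib, hmac, secrets

SALT_LEN, TAG_LEN = 16, 32
SECRET = b"constructed sample document, not real data"

def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passphrase into a 256-bit cipher key and a 256-bit MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)          # fresh salt per file
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = xor(plaintext, enc_key)
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + body + tag                      # nothing secret is stored in the file

def decrypt(passphrase: str, blob: bytes, verify: bool = True) -> bytes | None:
    salt, body, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if verify and not hmac.compare_digest(tag, expected):
        return None                               # wrong key detected by the MAC
    return xor(body, enc_key)                     # gibberish if the key is wrong

def demo() -> dict:
    old_pass = "Constructed_Passphrase_For_Example#1"   # constructed
    new_pass = "Constructed_Replacement_Passphrase#2"   # constructed
    origin = encrypt(old_pass, SECRET)
    mirrors = [bytes(origin) for _ in range(3)]   # copies the publisher no longer controls
    origin = encrypt(new_pass, SECRET)            # "rotating" only changes the origin copy
    return {
        "wrong_key_on_mirror": decrypt("a wrong guess", mirrors[0]),
        "wrong_key_unverified": decrypt("a wrong guess", mirrors[0], verify=False),
        "old_key_on_origin": decrypt(old_pass, origin),
        "new_key_on_origin": decrypt(new_pass, origin),
        "old_key_on_mirrors": [decrypt(old_pass, m) for m in mirrors],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Once a copy has left the publisher's hands, the only remaining control is keeping the passphrase secret; re-encrypting or moving the origin file changes nothing for the copies already made.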
And then of course we have the contribution of Daniel Domscheit-Berg. Berg sabotaged the WikiLeaks system in late summer 2010; backed down within minutes; was suspended from WikiLeaks for his act of sabotage, something any company anywhere would have done, nothing personal about it; then went berserk on a mail server in the Ruhr valley, the condition of which remains a mystery as 1) DDB says the mail server was in a terrible condition; but 2) he'd just spent €30,000 to upgrade all the WikiLeaks servers, of which the mail server was the most important. (He took €30,000 in funds and claims he spent it on servers.)
And it was after being caught out tinkering with (sabotaging) the mail server that DDB ran from WikiLeaks, knowing already what his fate was to be (not wanting to stick around to hear others tell him). Another case when the erratic DDB simply couldn't control those strange urges.
And then a mere two days later registered his own domain openleaks.org. That site is now offline; nothing ever came of all the bombastic talk.
But in the summer of 2011, still promoting his book, DDB came to the CCC summer camp outside Berlin and literally made a fool of himself, for which he was ousted from the world-famous organisation. Strike two. And Daniel Domscheit-Berg was hurting. He had a lucrative contract with DreamWorks in his pocket (and in his bank account) but his name was total dirt. DDB is not the kind of person to let that lie - he wanted revenge. And he blamed both the CCC and Julian Assange for his humiliation.
It was Herbert Snorrason who figured out what was going on in David Leigh's book. Snorrason had access to the mirrored WikiLeaks site; on a flight back to Iceland, he read David Leigh's book, and his eyes popped when he saw the title of Leigh's chapter.
Snorrason rushed home from the airport, downloaded the file, and tried David Leigh's encryption key on it. And shat a brick.
What to do now?
Here's where Herbert makes a big mistake. But one must forgive him, for he was naive (and perhaps a bit stupid) and didn't understand what Domscheit-Berg was all about. DDB had impressed Snorrason on his first visit to Iceland with an expensive leather bound edition of famous anarchist writings. Both DDB and Snorrason had a 'caviar affection' for anarchism; Snorrason trusted DDB and immediately confided in him. And DDB ran with the ball. Right to the offices of his disillusioned and former OpenLeaks media partner, the German publication (and website) Der Freitag (Friday).
Snorrason was afraid the cables would get out; Domscheit-Berg wanted them to get out. Anything to discredit WikiLeaks. Domscheit-Berg ran to Der Freitag and showed them how to get the Cablegate file (and how to decrypt it, no password needed). Der Freitag published a claim that they'd downloaded and decrypted the file, and hinted a bit about how it could be found; and the web swarm did the rest.
The file in question was in an unlisted directory on WikiLeaks mirrors. Directives to the web server software (Apache) were used to make sure the directory was not listed; the directive file itself by definition is not listed by Apache; the file essentially does not exist (unless you know its directory exists).
Staff at WikiLeaks must have been going through hell at the time. They must have understood that if the amateur hacks were close to the target, the bad guys - totalitarian regimes and so forth - were already there. People at WikiLeaks must have been burning the midnight oil for days, weeks, months, ever since Leigh published his book. They were already being blackmailed by Domscheit-Berg, who'd threatened to reveal sensitive names if criminal charges were brought against him; yet how to deal with him? As the amateur sleuths got closer, the people at WikiLeaks must have known a showdown was inevitable.
Lives were at stake. David Leigh didn't care, such was his bent. And don't talk to Domscheit-Berg: he's already revised history again for 'The Fifth Estate'. But Julian Assange and WikiLeaks? They cared. Obviously.
The Cablegate2 dump had as its intention to give the innocent a chance to find out that the 'bad people' in the world might be onto them. 251,287 cables; that's a lot to go through. Those who knew they might be in trouble would know where to look; as things turned out, no one came to harm. But this is not credit to Leigh or DDB. The two of them simply didn't care.
Glenn Greenwald's Account
Glenn Greenwald posted an account of Cablegate2 on 2 September 2011. Glenn is perhaps the best journalist online today, but technical wizard he's not - he ran into trouble with Edward Snowden's initial instructions, so the NSA whistleblower went to Laura Poitras instead. But a read of his piece is still beneficial on many points.
GG puts some of the blame on WikiLeaks, which is incorrect. He also confuses passwords and encryption keys, not uncommon and promoted by Leigh. But he does understand the reason WikiLeaks were forced to dump the lot when everyone but innocent people already had access.
Here's GG's first boner:
'WikiLeaks deserves some of the blame for what happened here; any group that devotes itself to enabling leaks has the responsibility to safeguard what it receives and to do everything possible to avoid harm to innocent people. Regardless of who is at fault - more on that in a minute - WikiLeaks, due to insufficient security measures, failed to fulfill that duty here.'
- The file in question was encrypted.
- The mirrors were beyond control. There were thousands of copies in the wild.
- There are even more copies of 'insurance.aes256' in the wild, but Leigh didn't have the encryption key, so it's safe.
- It's Leigh and DDB who made the unencrypted data accessible, no one else.
But GG gets most of it right:
'What happened here was that their hand was forced by the reckless acts of The Guardian's Leigh and Domscheit-Berg.'
But then slips again:
'The files had been disseminated on the BitTorrent file sharing network, with that password embedded in them.'
There's no 'password' 'embedded' in anything. Use any other encryption key and you get back gibberish. It's not hard to see why GG couldn't do what even Leigh could: install PGP, in his case to receive mail from Edward Snowden.
Nigel Parry's Account
Nigel Parry gets more of the details right, and he's not merciful in his opinion of Leigh and DDB.
The UK's Guardian newspaper's Investigative Editor, David Leigh, author of the 'Get this WikiLeaks book out the door quickly before other WikiLeaks books are published' WikiLeaks book has messed up.
And when I say 'messed up', I mean that Mr Leigh let slip the top secret password revealing the names of US collaborators around the world - information now freely available to all the enemies of the US.
And when I say 'let slip', I mean that David Leigh published the password as a chapter heading in his book, 'WIKILEAKS: Inside Julian Assange's War on Secrecy'.
Regardless how David Leigh & Co imagine computer security works - and right now they are desperately trying increasingly ridiculous arguments to blame WikiLeaks for Leigh's actions - there's no reason to publish any password this sensitive - ever.
The entire Leigh/Harding WikiLeaks book is written in the thrilled tone of a girl scout's diary, clearly reveling in the secret squirrel aspect of the story. And they're clearly clueless too.
Again: Leigh is demonstrably clueless, but technical staff at the Guardian, who worked from the get-go on Cablegate, are not, and they must have communicated their concerns to Leigh (and Harding and the book's copyeditors) who chose to ignore their warnings. Stupidity works only so long and only with special people, and it doesn't work that long even with David Leigh. So the unavoidable conclusion has to be that Leigh (and Harding and Rusbridger and all the rest who initially titled their book 'The Rise and Fall of WikiLeaks') were hoping (and working) for the 'fall' part. Any other conclusion is unreasonable, out of the question.
WikiLeaks had a good thing going: the 'drip-drip' of 251,287 cables would have gone on for years. (WikiLeaks today can 'drip-drip' with the Stratfor files instead.) This was something Leigh didn't like. He and his old media friends begrudged Assange his position and the power he wielded; they wanted to regard him as a source rather than a publisher in his own right; Assange won't sit in a corner and beg. The new media - the Fifth Estate - wasn't going to be replacing old school journalism, dammit. And when you're as old and withered in your ways as David Leigh (and so close to retirement) you don't let anything get in your way.
Certainly not the truth.
Nigel can wrap up.
Leigh has so far owned nothing and is owed no special consideration. He has not even said that he 'wishes he hadn't published the password' or anything vaguely similar. It's hard to respect people who screw up this much and then spend all their time blaming someone else. This man has spent much of the last year trashing Julian Assange for not caring about informants, even as he had already handed them over to their enemies with his moronic, clod-footed, password-publishing blunder.
But anyone familiar with the career of David Leigh knows this wasn't a blunder. This wasn't something David Leigh didn't understand a single time from summer 2010 to summer 2011. This wasn't something his colleagues at the Guardian didn't understand. This wasn't something that Ball wasn't immediately in the know about. They all knew.
And it wasn't a blunder either. David Leigh wanted to bring about the 'fall' of WikiLeaks. Blood on one's hands? It washes off.
And mix in a bit of 'diabolo' DDB and you have a lethal combination.
No one came to physical harm because of Cablegate2. On the contrary: Cablegate2 probably saved lives instead. But none of the credit for 'harm minimisation' here goes to Leigh or DDB. They weren't out for blood, not directly. But they didn't care if there was blood. They'd only blame WikiLeaks, and count on the way information spreads to confuse the issues and hide the truth.
There's a new movie soon to be released, based on the books of both DDB and Leigh, two of the biggest journalist criminals of our time. DDB is given a laughable role in the movie, responsible for things that are the diametric opposite of what he really did. DreamWorks might sell a movie, but they can't buy the truth.