An encrypted WikiLeaks file containing 251,000 unredacted U.S. State Department cables is now widely available online, along with the passphrase to open it. The release of the documents in raw form, including the names of U.S. informants around the globe, has raised concerns that dozens of people could now be in danger.
The release of the file comes amidst a heated blame fest between WikiLeaks and the Guardian newspaper in London, which let slip the encrypted version of the database and the decryption key respectively. As details surface about how the leak occurred, it appears that both organizations share the blame.
The 1.73-GB file and passphrase were published Thursday on Cryptome, a competing secret-spilling site, after news broke over the last week that the file had been circulating on the internet unnoticed for several months. Wired.com’s keyword search of the file shows that the uncensored cables contain more than 2,000 occurrences of the phrase “strictly protect”, which is used in cables to denote sources of information whose identities diplomats consider confidential.
It’s unclear how the release will affect imprisoned 23-year-old Pfc. Bradley Manning, who’s facing a court-martial for allegedly leaking the database to WikiLeaks last year.
WikiLeaks had given the Guardian access to the file, along with the passphrase, last summer when WikiLeaks founder Julian Assange met with Guardian editor David Leigh.
WikiLeaks, the Guardian and other media outlets have been publishing the cables in dribs and drabs since last November, after carefully removing the names of most informants. The full database of cables was to have been released piecemeal through Nov. 29 of this year. But last Friday, as news of the leaked file and passphrase was made public, WikiLeaks suddenly began publishing a torrent of cables from the database. It has so far published about 144,000 cables, most of them unclassified. The Associated Press found the names of 90 confidential U.S. sources, including human rights workers laboring under totalitarian regimes, named in that subset of cables.
WikiLeaks said in a statement that it “advanced its regular publication schedule, to get as much of the material as possible into the hands of journalists and human rights lawyers who need it,” before information about the file and passphrase was widely published and repressive regimes sifted through the cables. WikiLeaks has been soliciting votes from the public on whether people agree or disagree that all 250,000 of the cables should be released in raw, unredacted form.
The popular vote favors release, and WikiLeaks has hinted on Twitter its intention to publish. But this time third parties have overtaken the secret-spilling site, and the file is already easily found elsewhere.
WikiLeaks blames the Guardian for disclosing the password in a book it published earlier this year about its WikiLeaks collaboration. WikiLeaks called the Guardian’s action “gross negligence or malice.” “The Guardian disclosure is a violation of the confidentiality agreement between WikiLeaks and Alan Rusbridger, editor-in-chief of the Guardian, signed July 30, 2010,” the group said in a lengthy statement.
The Guardian has downplayed its role in the debacle, while simultaneously revealing a lack of security savvy at the dawn of its relationship with WikiLeaks. The paper notes that although the Guardian’s book did reveal the passphrase, it did not reveal the location of the file, and that Assange had told the paper that “it was a temporary password which would expire and be deleted in a matter of hours. It was a meaningless piece of information to anyone except the person(s) who created the database.”
“No concerns were expressed when the book was published, and if anyone at WikiLeaks had thought this compromised security, they have had seven months to remove the files,” the paper went on to say. “That they didn’t do so clearly shows the problem was not caused by the Guardian’s book.”
Crypto keys, however, last forever, and even if WikiLeaks hadn’t blundered in its handling of the encrypted file, the Guardian clearly should have treated the key as highly sensitive for the foreseeable future.
The fracas heated up last Friday when an editor for the German news weekly Der Freitag revealed that his publication had found the uncensored cables in a 1.73-GB password-protected file named “cables.csv” that was available on the internet, and that the password had inadvertently been published online.
WikiLeaks revealed on Wednesday that the passphrase had indeed been published in a book written by Leigh. In the book, Leigh wrote that during the paper’s meeting with Assange in Belgium last year, Assange had given him the passphrase, in part in writing, and in part orally.
Assange had told the paper that the file, which was placed in a subdirectory on a WikiLeaks server, would remain online only a short time, after which it would be removed. Assange, however, apparently never removed the file, and it later found its way into the hands of the organization’s former spokesman, Daniel Domscheit-Berg, and then back to WikiLeaks, after which it wound up on BitTorrent as part of a large archive of WikiLeaks files, which could be downloaded by anyone.
See also:Kim Zetter is a senior reporter at Wired covering cybercrime, privacy, security and civil liberties.
Follow @KimZetter on Twitter.