Entries Tagged "leaks"

U.S. Strategy to Prevent Leaks is Leaked

As the article says, it doesn’t get any more ironic than that.

More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.

Me:

I think the government is learning what the music and movie industries were forced to learn years ago: it’s easy to copy and distribute digital files. That’s what’s different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it’s trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don’t know what those new models will be, but they will be different.

The more I think about it, the more I see this as yet another example of the Internet making information available. It’s done that to the music and movie industry. It’s done that to corporations and other organizations. And it’s doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.

Shutting WikiLeaks down won’t stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.

EDITED TO ADD (1/27): The story turned out to be too good to be true; it’s been retracted.

Posted on January 27, 2011 at 6:22 AM

WikiLeaks

I don’t have a lot to say about WikiLeaks, but I do want to make a few points.

1. Encryption isn’t the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and—so it seems—put into an archive on SIPRNet, where lots of people had access to them in their unencrypted form.

2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.

3. I’m not surprised these cables were available to so many people. We know access control is hard, and it’s impossible to know beforehand what information people will need to do their jobs. What is surprising is that there weren’t any audit logs kept about who accessed all these cables. That seems like a no-brainer.

4. This has little to do with WikiLeaks. WikiLeaks is just a website. The real story is that “least trusted person” who decided to violate his security clearance and make these cables public. In the 1970s, he would have mailed them to a newspaper. Today, he used WikiLeaks. Tomorrow, he will have his choice of a dozen similar websites. If WikiLeaks didn’t exist, he could have made them available via BitTorrent.

5. I think the government is learning what the music and movie industries were forced to learn years ago: it’s easy to copy and distribute digital files. That’s what’s different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it’s trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don’t know what those new models will be, but they will be different.

EDITED TO ADD (12/10): Me in The Economist:

The State Department has learned what the music and film industries learned long ago: that digital files are easy to copy and distribute, says Bruce Schneier, a security expert. Companies are about to make that discovery, too. There will be more leaks, and they will be embarrassing.

Posted on December 9, 2010 at 5:50 AM

WikiLeaks Insurance File

Now this is an interesting development:

In the wake of strong U.S. government statements condemning WikiLeaks’ recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled “insurance.”

The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file’s size dwarfs the size of all the other files on the page combined. The file has also been posted on a torrent download site.

It’s either 1.4 Gig of embarrassing secret documents, or 1.4 Gig of random data bluffing. There’s no way to know.

If WikiLeaks wanted to prove that their “insurance” was the real thing, they should have done this:

  1. Encrypt each document with a separate AES key.
  2. Ask someone to publicly tell them to choose a random document.
  3. Publish the decryption key for that document only.

That would be convincing.

In any case, some of the details might be wrong. The file might not be encrypted with AES256. It might be Blowfish. It might be OpenSSL. It might be something else. Some more info here.

EDITED TO ADD (8/9): Weird Iranian paranoia:

An Iranian IT expert warned here on Wednesday that a mysterious download file posted by the WikiLeaks website, labeled as ‘Insurance’, is likely spy software used for identifying the information centers of the United States’ foes.

“The mysterious file of the WikiLeaks might be a trap for intelligence gathering,” Hossein Mohammadi told FNA on Wednesday.

The expert added that the file will attract US opponents and Washington experts can identify their enemy centers by monitoring individuals’ or organizations’ tendency and enthusiasm for the file.

Posted on August 4, 2010 at 7:52 AM

WikiLeaks

Long, but interesting, profile of WikiLeaks’s Julian Assange from The New Yorker.

Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive catalogue of secret material, ranging from the Standard Operating Procedures at Camp Delta, in Guantánamo Bay, and the “Climategate” e-mails from the University of East Anglia, in England, to the contents of Sarah Palin’s private Yahoo account.

This is only peripherally related, but Bradley Manning—an American soldier—has been arrested for leaking classified documents to WikiLeaks.

Another article from The Guardian, directly related to Manning.

EDITED TO ADD (7/13): More links.

Posted on June 24, 2010 at 1:13 PM

Guide to Microsoft Police Forensic Services

The “Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)” (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here’s a good summary of what’s in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft’s stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it “quasi-comprehensive” because, at a mere 22 pages, it doesn’t explore the nitty-gritty of Microsoft’s systems; it’s more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.

Posted on March 9, 2010 at 6:59 AM

Leaked 9/11 Text Messages

Wikileaks has published pager intercepts from New York on 9/11:

WikiLeaks released half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 attacks in New York and Washington.

[…]

Text pagers are usually carried by persons operating in an official capacity. Messages in the archive range from Pentagon, FBI, FEMA and New York Police Department exchanges, to computers reporting faults at investment banks inside the World Trade Center.

Near as I can tell, these messages are from the commercial pager networks of Arch Wireless, Metrocall, Skytel, and Weblink Wireless, and include all customers of that service: government, corporate, and personal.

There are lots of nuggets in the data about the government response to 9/11:

One string of messages hints at how federal agencies scrambled to evacuate to Mount Weather, the government’s sort-of secret bunker buried under the Virginia mountains west of Washington, D.C. One message says, “Jim: DEPLOY TO MT. WEATHER NOW!,” and another says “CALL OFICE (sic) AS SOON AS POSSIBLE. 4145 URGENT.” That’s the phone number for the Federal Emergency Management Agency’s National Continuity Programs Directorate—which is charged with “the preservation of our constitutional form of government at all times,” even during a nuclear war. (A 2006 article in the U.K. Guardian newspaper mentioned “a traffic jam of limos carrying Washington and government license plates” heading to Mount Weather that day.)

FEMA’s response seemed less than organized. One message at 12:37 p.m., four hours after the attacks, says: “We have no mission statements yet.” Bill Prusch, FEMA’s project officer for the National Emergency Management Information System at the time, apparently announced at 2 p.m. that the Continuity of Operations plan was activated and that certain employees should report to Mt. Weather; a few minutes later he sent out another note saying the activation was cancelled.

Historians will certainly spend a lot of time poring over the messages, but I’m more interested in where they came from in the first place:

It’s not clear how they were obtained in the first place. One possibility is that they were illegally compiled from the records of archived messages maintained by pager companies, and then eventually forwarded to WikiLeaks.

The second possibility is more likely: Over-the-air interception. Each digital pager is assigned a unique Channel Access Protocol code, or capcode, that tells it to pay attention to what immediately follows. In what amounts to a gentlemen’s agreement, no encryption is used, and properly-designed pagers politely ignore what’s not addressed to them.

But an electronic snoop lacking that same sense of etiquette might hook up a sufficiently sophisticated scanner to a Windows computer with lots of disk space—and record, without much effort, gobs and gobs of over-the-air conversations.

Existing products do precisely this. Australia’s WiPath Communications offers Interceptor 3.0 (there’s even a free download). Maryland-based SWS Security Products sells something called a “Beeper Buster” that it says let police “watch up to 2500 targets at the same time.” And if you’re frugal, there’s a video showing you how to take a $10 pager and modify it to capture everything on that network.

It’s disturbing to realize that someone, possibly not even a government, was routinely intercepting most (all?) of the pager data in lower Manhattan as far back as 2001. Who was doing it? For what purpose? That, we don’t know.

Posted on November 26, 2009 at 7:11 AM

UK Defense Security Manual Leaked

Wow. It’s over 2,000 pages, so it’ll take time to make any sense of. According to Ross Anderson, who’s given it a quick look over, “it seems to be the bureaucratic equivalent of spaghetti code: a hodgepodge of things written by people from different backgrounds, and with different degrees of clue, in different decades.”

The computer security stuff starts at page 1,531.

EDITED TO ADD (10/6): An article.

Posted on October 5, 2009 at 3:10 PM

Choosing a Bad Password Has Real-World Consequences

Oops:

Wikileaks has cracked the encryption to a key document relating to the war in Afghanistan. The document, titled “NATO in Afghanistan: Master Narrative”, details the “story” NATO representatives are to give to, and to avoid giving to, journalists.

An unrelated leaked photo from the war: a US soldier poses with a dead Afghani man in the hills of Afghanistan.

The encrypted document, which is dated October 6, and believed to be current, can be found on the Pentagon Central Command (CENTCOM) website.

Posted on March 9, 2009 at 1:19 PM

BNP Database Leaked

This is a big deal.

British National Party (BNP, a far-right nationalist party) membership and contacts list. 12,801 individuals are represented. Contains contact details and notes on selected party members and (possibly) other individuals. The list has been independently verified by Wikileaks staff as predominantly containing current or ex-BNP members, however other individuals who have donated to the BNP or who have had other contact (not necessarily supportive) with the BNP or one of its fronts may also be represented.

Says BBC:

Occupations ascribed to the listed names include teachers, a doctor, nurse, vicar and members of the armed forces.

While there is no ban on many of those professions joining the BNP, its right-wing political stance and whites-only membership policy are seen by many as incompatible with frontline public service.

Police officers, on the other hand, are formally banned from joining, a policy which is recognised in the list.

Alongside the name of a serving officer, the document states that there is “Discretion required re. employment concerns”.

Seems that the BNP database wasn’t hacked from the outside, but that someone on the inside leaked the list.

There are a lot more leaked BNP documents on the Wikileaks website.

Posted on November 24, 2008 at 6:26 AM