Leigh vs. Assange: Goof Meets the Geek

A huge controversy has been going around on who is responsible for the release of the unredacted version of more than 250,000 diplomatic cables. Guardian has claimed that it was Wikileaks and Julain Assange's “chaotic mistakes” and “poor security” that was responsible for the files becoming public. Wikileaks has sqarely blamed Guardian for the leak of a password that allowed the unredacted version of the cables to be accessed.

Two journalists from Guardian – the investigative editor David Leigh and Guardian's Moscow correspondent Luke Harding – wrote a book called ‘Wikileaks – Inside Julian Assange’s War on Secrecy' which was published early 2011. The password for the  unredacted Cablegate file was printed as a chapter heading there. Obviously, the two journalists had no clue that the file could still be accessed and this password would crack open the file.

For 7 months, the publication of the book did not create any controversy. In August, rumours started circulating on the blogosphere that the Cablegate files were available on the net and could be cracked by using a certain password. Once these rumours started circulating, it was only a matter of time before somebody would locate the file and try Guardian's published password on it. Finally, by August end the secret was out of the bag that Guardian's published password was indeed the key. Finally, realising that the files were already circulating on various sites, Wikileaks put all the cables in public domain.

For the uninitiated, a whole bunch of issues is involved. Let us start with the easier question –  why is the publication of unredacted files a major issue. One of the major charges against Wikileaks is that names of informers become public,  such people would face threat to their lives. Admiral Michael Mullen, the highest ranking military commander in the United States, declared that Julian Assange, founder of the Sweden-based WikiLeaks whistleblower group may have blood on his hands for the leak of classified military documents. This was the basis on which hate against whipped up by the American right, including calls for his assassination.

Assange and the newspapers working with Wikileaks had agreed that such names would be removed from the published text thus ensuring the safety of the informants. Now that the original text of the cables is out, the names are also publicly available, making all the effort of redacting names from the public cables useless.

The souring of relations – and this took place well before the current blow-up on password – has also created its own problems. For people like us, who find Guardian one of the better papers in the main-stream media today and are also sympathetic to Wikileaks and Assange, we have to constantly be on guard whether statements made by either parties is a result of this souring or is an objective statement of facts. Leigh claims Assange was not concerned about the fate of the people whose name might come out if the cables became public. Therefore, his cavalier attitude to  security of the  unredacted files. Assange has termed this “libellous.” In his view, we must make a distinction between those who are taking US money to mouth US propaganda in the media and those who are providing information that is sensitive. It is his remark about the first group that Leigh has quoted out of context.

The current spat on the password is difficult for most lay persons to understand. Encryption is not something that is in common knowledge. Reading accounts of the public spat, it is quite clear that Guardian had no clue about it either. That by itself may be forgiven. What is inexcusable is that before before publishing the book, Guardian and the two authors made no attempt to ask Assange whether such a publication had any possible impact. What is worse now is that they are unwilling to accept any part of the blame and pretending that all the problems lay with Assange and his “chaotic” work habits.

Whatever the problems with Assange might be, cyber security is not one of them. Wikileaks has been able to withstand a virtual cyber war by the US and a host of others who wanted to take down Wikileaks after the publication of the Afghan and Iraq war logs. It is simply unbelievable that Julian Assange, who had cut his eye-teeth on cryptography and has been paranoid about security would carelessly let the files become public.

There is no question that Leigh and his co-author were completely innocent about matters computer. Reading his book makes that clear. What seems to have happened is that Leigh and company had strayed into a territory eminently not theirs and had no clue about the kind of issues that they were dealing with.

Let us look at the sequence of events. When David Leigh met Julian Assange in July 2010, Assange wrote down a password for Leigh, and told him to remember a word to insert into the password later. The account is given in pages 138-139 of the book and the 58 character password – “ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#” – is printed as a chapter sub-heading.  Assange had told Leigh that the file would be available on the main Wikileaks server for a short time and could be downloaded by Leigh after which it could be de-encrypted using this password. Leigh did this and was able to de-encrypt the file. He still could not read the file as it was compressed using Ez7z. There is the amusing sidelight in Leigh's account – he put his laptop in his car, hotfooted to Asasange, who finally uncompressed the file for him.

Why did Assange pass Leigh the file in this way, using a fairly public server? The answer is that once a file is encrypted, it is almost impossible to break this without a key. Assange's 58 character key would have been very difficult for anybody to break. Yes, NSA could perhaps have the computing power to break the encryption, but they in any case had the unencrypted file. It certainly was well beyond the powers of any stray groups or even countries to break this encryption. A public file therefore did not pose any danger unless the password becomes public.

The account we have between Assange and Leigh differ in what was told by Assange to Leigh. Leigh claims that Assange told him that the file would have password which would be temporary, which Assange denies. It is highly unlikely that Assange would have told Leigh that the password is temporary as once a file is encrypted, the password is permanent and will work on all copies of the file as well. This is what Leigh may well have understood, but Assange would in all likelihood said that the file would temporarily be available on the Wkileaks server. For Assange, the protection came from the encryption key, for Leigh, he thought security was through the file being available only temporarily.

Obviously, Leigh has very little idea of the difference between a password being temporarily being given for a log-in account on a site and a password for an encrypted file. He therefore believed that the password was temporary and therefore was safe to publish. By itself, this error of judgement would not have been so serious. It is the other circumstances that made this a major blunder.

 When Wikileaks was under attack, its contents were mirrored on a number of other sites. Assange was trying to ensure that all the material available to him would not be lost if his server was taken down. The concerned Cablegate file was in a hidden directory and therefore accessible on the mirrored sites.

How did the fact that both the hidden files and the secret password become known? Hereby hangs another tale. Daniel Domscheit-Bergt, a German technology activist, was a part of Wikileaks initially. He later fell out with Assange and started his own organisation OpenLeaks, with very similar objectives as Wikileaks. He appears to be the one who informed some of his German media contacts about the availability of the secret cables, as well as the password. First Der Freitag , a German weekly, then Techcrunch and then Der Speigel reported in detail in the last week of August about the encrypted 1.73 gigabyte-sized file of cables now being available on the net and easy to crack using a known password. From that to its public cracking was just a step away. Finally, various people with the necessary skills, searched the net, located the files and used Leigh's published password. By 31st August, the files were public for anybody with a net connection and willing to spend a little time on the blogosphere. Wikileaks took a decision then that if the unredacted files were in any case public, no purpose was served by keeping them secret any more – they roundly condemned Guardian for the mammoth screw-up and publicly released the files.
The two sides have been completely unevenly matched on the wars that erupted after this publication. Guardian and the newspaper consortium that have been using the Wikileaks extensively – Guardian, Newe York Times, Der Spiegel, etc – all got on to their respective high-horses blaming Assange and Wikileaks for this complete contempt for the safety of the informants and Assange's chaotic life style. Either of these were not the issue – Assange had agreed not to publish the unredacted files and the cables becoming public had nothing to do with his life style – chaotic or otherwise. And without Guardian publishing the password, none of this would have happened. What was missing from Guradian was even a minor mea culpa – we are sorry we did not check up with Assange before publishing the password.

David Leigh is a journalist I respect enormously. He was the one whose investigations cracked open the News-of-the-World hacking of telephones and Murdoch's can of worms. Nevertheless, in this case, he and his paper Guardian goofed up big time. What is worrying is that in defending the indefensible, they also have joined the very powerful chorus against Assange and Wikileaks.

Leigh in his book, paints a picture of Assange as a Neanderthal Aussie, unfamiliar with the more sophisticated Swedish sexual mores, falling foul of laws of Sweden, which define withdrawal of consent as rape. Ironically, it is Leigh's ignorance of matters technical that has caused the current monumental cock-up. The goof meeting the geek, with unforeseen consequences.