Twitter, with its very short messages, is inherently the wrong medium for publishing important security / anonymity / financial warning advice about the WikiLeakS.org project.
http://twitter.com/wikileaks/status/9495477247
Our Kenyan PO BOX is no-longer considered secure after a break in. Please use Australia or Cambodia instead.
'Mon Feb 22 22:03:11 +0000 2010
from bit.ly
The WikiLeakS.org website is still deliberately crippled, and no longer displays the PO Box address for "Cambodia".
Why anyone would trust the Cambodian Government not to snoop on foreign letters or parcels sent to such a Post Office Box address, is a mystery.
The Postal Submissions (for whistleblower leak documents) web pages, did at least offer a few words of security / anonymity advice, which the single Twitter message, obviously does not.
Astonishingly, the current WikiLeakS.org home page still gives out this allegedly insecure address for Kenya, over 24 hours after the Twitter warning was published.
Kenya
WikiLeaks ICT
PO Box 8098-00200
Nairobi
Kenya
in the section devoted to "give us your money".
- So is this address still suitable for sending cash or other financial donations, but not for whistleblower leak documents ?
- Why can they not publish a full details about this security threat in Kenya, on the WikiLeakS.org website ?
- What procedures does WikiLeakS.org employ to audit the reliability of their postal PO Box submissions, which they have suggested as a high security method of sending them whistleblower leaked documents.?
- Do they ever send test documents and / or money via these PO Boxes, to see if these are being intercepted, delayed , censored or stolen ?
- If the Kenyan PO Box can still be trusted, then the WIkiLeakS.org Twitter feed obviously cannot be trusted.
In order to reduce the chances of a Denial of Service attack via Rumour, WikiLeakS.org should have published fuller details of the reasons for no longer trusting this published method of submitting sensitive whistleblower leak documents and / or money, on their own website and via an email Press Release.
This security / anonymity warning press release should have been Digitally Signed using their (now long expired) PGP Public Encryption and Signing cryptographic Key, to vastly reduce the chance that it has been tampered with or entirely forged.
WikiLeakS.org purport to be experts in protecting their whistleblower sources, so why are such simple precautions beyond them ?
Congratulations, by the way, on being cited in the recently-leaked Secret U.S. Army report on WikileakS.org, which Julian Assenhole has decided, surprise surprise, to blow completely out of proportion by willfully misrepresenting as a ploy to "fatally marginalize" WikileakS.org. I guess he is incapable of seeing that he's the one doing all the damage to WikileakS.org's "web of trust", et cetera, and is simply letting his anti-American biases (continue to) get the best of him.
@ Nemo de Monet - the URL of the Spy Blog article which was cited three times references 39, 40 and 41] in the US Army Counter-intelligence document:
http://file.wikileaks.org/files/us-intel-wikileaks.pdf
got a bit mangled:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Should one use Wikileaks for whistle blowing? This is a good question.
And I would like to comment on this.
In the early 2000's PGPBOARD appeared on yahoogroups. This is an
encrypted message forwarding drop box. It was formed to move politically
sensitive material out of Burma and North Korea. It did not rely totally
upon technology, but on tight off line operating procedures, and in terms
of the usage of PGP keys; knowing just who you were communicating with.
Getting it wrong would result in someone getting KILLED..!!
When MD5 collisions compromised PGP 2.6.2 we had a problem. This
version of PGP was very well trusted and it had the advantage of
fitting onto a 1.44 Mb diskette. Back in 2003 developed GPG to GO
a stripped down gnupg replacement for P.G.P 2.6.2. This was
developed by:
Robert J Hansen (PGPBASICS)
John Moore 3rd (PGPNET)
The late Maxine Brandt (PGPNET)
Alan Taylor (PGPBOARD)
The package had to fit on a diskette because back in 2003 flash drives
and USB ports on PC's in internet cafes in Burma, North Korea and
the Philippines were not common place. Field trials of the package took
place in late 2003 from various locations in the Philippines..
The point here is the TECHNOLOGY HAS TO ADAPT TO THE
SITUATION. There is no one solution that will remain eternally valid.
For interests sake:
1. On many occasions traffic from NK and Burma
was carried out of the country on diskette.
2. PGP keys were created and signed during face to face
meetings in Manila with our contacts. They were NEVER
posted on any keyserver.
3. Encrypted traffic for forwarding was NEVER prepared on a computer
that had ever been connected to the internet. (Offline)
4. Incoming encrypted traffic was examined and scanned on a dedicated PC
running only virus/trojan scanners etc... BEFORE being encrypted
offline onto diskette. The diskette was transferred to an online PC and
the traffic forwarded to its destination... activist bulletin boards, email
drop boxes.
Transmission paths were usually freedom.net before it went under, mixmaster
network or was posted on PGPBOARD..
5. We NEVER courted publicity in any form…
We never knew the origin of the traffic, or the actual end destination..
I would not trust my life to WIKILEAKS. However, if you live in a Western
democracy with little chance of having the information beaten out of
you, and then being shot... Then you are OK, WIKILEAKS is for you,
all you need is the fortitude to endure the consequences if you are
discovered.
Walsh..
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.0.0 - not licensed for commercial use: www.pgp.com
Charset: utf-8
wsDYAwUBS8c2II0F20NNm+N6AQpJWQwXd/BEHp6ZHjOorUDgzNsAY3T0xVip4Aqq
zPNmbkJsRJrZZU2H9mhnWgc+6G0t4QOYBa2MA2kjhwDneCPNAWi0bFcLvcYJ+GHA
WlJbc4IxkxiPlt4MvFcyjU/mwvCGLmWKZucpdZgLdMSJGl4Hk7F0emCusxjwoGD+
R64FkUfN9OXe4ByOJ8SQkpvV82rca/RDgUZU9f4ZwMZ+axFFfON3kE/JJdb84Jl3
F4Qs3JWGQnzC6oO5SLWO8OratQGMNDKpjs9jrRs7qiiPdFFUly86x3eYichya1cj
R+4UMEFRAt9VcPOffAOkMYRh0gurWYvsgWbRPtiyPoCh3WNSQw+sWrmwmp02lynK
rkOghWhky5dVxlPBiBXHb8+8Kaj6k84LxToXlD/4DGN+eyvTxh6/OU9nZOFaP51r
VRpC95N0+x6Dg+JCH00XVvvXvGVkNBxc+OU2lvkJiYf1oh+N2K2o+WmldmxYfcxp
6tmFBy6F1tl4Hs+FcBFysnvrnhrT9yXy0irG
=cYTD
-----END PGP SIGNATURE-----