April 2010 Archives

Could this alleged Denial of Service attack through a forged complaint have been prevented if WikiLeakS.org had bothered to publish a PGP Public Key on their website and elsewhere, and had used it to Digitally Sign their Press Releases and official correspondence ?

https://twitter.com/wikileaks/status/12614364183

Facebook says it will restore WikiLeaks fan page. Says someone posing as us asked for it to be deleted.

Thu Apr 22 02:35:32 +0000 2010

and

https://twitter.com/wikileaks/status/12593625175

Facebook pulls WikiLeaks fan page for being "inauthentic", but we never complained about it. http://bit.ly/aywGHU

Wed Apr 21 19:28:39 +0000 2010

http://bit.ly/aywGHU translates to http://techpresident.com/blog-entry/wikileaks-fan-page-pulled-down-being-inauthentic-says-facebook

We have had an email pointing out that:

Wikileaks still uses a broken MD5 hash function for its supposedly
secure SSL connection, that is used to upload sensitive documents to them.

In an attack on MD5 published in December 2008, a group of researchers
used a new technique to fake the validity of SSL certificates. US-CERT
of the U.S. Department of Homeland Security said MD5 "should be
considered cryptographically broken and unsuitable for further use", and
most U.S. government applications will be required to move to the SHA-2
family of hash functions after 2010. This broken md5 hash function is
however still in use by the https://secure.wikileaks.org/ SSL connection.

Take a look by going to: https://secure.wikileaks.org/ and
highlight their certificate, and click View certificate under the
security tab.

Then choose the Details tab and check the Certificate Signature
Algorithm, this will show the use of MD5.

Background information:
http://blogs.zdnet.com/security/?p=2339

secure_wikileaks_org_digital_certificate_1_450.jpg

secure_wikileaks_org_digital_certificate_MD5_450.jpg

We did welcome this Digital Certificate back in 2008, before the MD5 weakness was demonstrated in public.

See: New SSL digital certificate for secure.wikileaks.org - not before time

There really is no excuse for using a relatively weak cryptographic hash algorithm in the Digital Certificate which is supposed to protect the SSL/TLS encrypted internet sessions of the WikiLeakS.org whistleblower leak submission web pages.

Since the resources of several Government intelligence agencies are very likely to have been deployed against this encrypted traffic, surely WikiLeakS.org can afford to pay for a proper Digital Certificate using an as yet unbroken secure cryptographic hash function e.g. SHA-1 or the forthcoming SHA-2 ?

Surely they can spend a few tens or hundreds of dollars, out of the $360,000 raised out of the target of $600,000 this year, on some proper Digital Certificates ?

Interestingly, the parallel computing resources used to create the MD5 signatures and fake example Digital Certificates are probably not too different from those used by WikiLeakS.org and their friends to supposedly password guess and decrypt the Iraq Apache helicopter attack video.

If an attacker duplicated the secure.WikiLeakS.org Digital Certificate, something which is obviously possible with the current MD5 hash, but not with the stronger versions which most other SSL/TLS protected websites now use, then they could do a Man in the middle attack on the WikiLeakS.org "secure" content submission system.

One of the potential weaknesses of this system has always been its vulnerability to Communications Traffic Analysis, since SSL/TLS encryption does not hide the source and destination IP addresses.

SSL/TLS encryption does not hide the amount of data which is transmitted, so it can sometimes be very obvious which IP address uploaded a particular whistleblower leak document, if it is of a characteristic size, on a particular date, which may narrow down the list of suspects for a "leak" investigation.
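The size leak described above can be put in numbers. This added example (not from the blog or from WikiLeakS.org) counts how many sources remain indistinguishable for a document of a given size, first as uploaded and then with every upload padded to a power-of-two bucket; the padding scheme, the 2% slack and the sample observations are assumptions made for illustration.

```python
# Added example: upload size as a traffic-analysis signal, and the effect of
# padding uploads to fixed buckets (an assumed countermeasure, not the site's).

# Constructed observations: (source IP, bytes uploaded over TLS on one day).
# Addresses come from the RFC 5737 documentation ranges.
UPLOADS = [
    ("198.51.100.7", 1_843_200),
    ("203.0.113.20", 1_102_000),
    ("192.0.2.55", 1_650_000),
    ("198.51.100.91", 310_000),
]

def bucket(size, floor=64 * 1024):
    """Round size up to the next power-of-two bucket, at least floor bytes."""
    padded = floor
    while padded < size:
        padded *= 2
    return padded

def matching_sources(uploads, observed, slack=0.02):
    """Sources whose byte count is within slack (a fraction) of observed."""
    return sorted(ip for ip, n in uploads if abs(n - observed) <= slack * observed)

def anonymity_set(uploads, document_size, padded):
    """Sources an observer cannot tell apart for a document of this size."""
    if padded:
        # Every client pads, so the observer only ever sees bucket sizes.
        uploads = [(ip, bucket(n)) for ip, n in uploads]
        document_size = bucket(document_size)
    return matching_sources(uploads, document_size)

if __name__ == "__main__":
    print("unpadded:", anonymity_set(UPLOADS, 1_843_200, padded=False))
    print("padded:  ", anonymity_set(UPLOADS, 1_843_200, padded=True))
```

Padding changes only the size signal; the source and destination IP addresses remain visible either way.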

To be fair to WikiLeakS.org, they used to also offer a much more Communications Traffic analysis resistant encrypted submission method via a Tor Hidden Service:

http://gaddbiwdftapglkq.onion/

but this has not been publicised (presumably as it no longer works) since last Christmas, when the WikiLeakS.org main website was shut down, to beg for money.

Since the WikiLeakS.org activists still refuse to publish a new PGP Public Encryption key, it seems that WikiLeakS.org is now less secure than they used to be.

If your life or even if just your career, might be threatened by exposure as a WikiLeakS.org whistleblower, you should think very carefully before submitting any "whistleblower leak" documents via the currently crippled WikiLeakS.org website.

WikiLeakS.org have now, after a couple of weeks of media hype / teaser campaign via Twitter and via email press release, finally released some de-crypted footage, from a US Military Apache helicopter Target Acquisition Designation Sight (TADS) video recording, showing 30mm cannon fire and Hellfire missile strikes on civilians in Baghdad in 2007.

Interestingly this shocking video footage has not been released via the WikiLeakS.org main website, but via a specially created one:

http://collateralmurder.com [88.80.28.193] which is also hosted by PRQ Internet in Stockholm, Sweden, like the main WikiLeakS.org website is.

This website does have background links to the original mainstream media reports about the deaths of the two Reuters journalists.

It is interesting to note in the end credits that the famous hacker / entrepreneur Rop Gonggrijp is credited as the co-producer of this video.

There are versions of this video available initially via YouTube etc. (although these will probably be censored soon, as any slightly politically controversial videos seem to be)

Our impression of the video:

The first 30mm cannon attack seems to have killed about 11 unarmed people, including 2 Reuters photojournalists. The Hellfire missile attack might have killed none of its intended targets, but several innocent passersby and "Good Samaritan" rescuers were caught in the 3 missile blasts.

The Apache pilot somehow managed to mistake their telephoto lens SLR cameras for, initially, AK-47 assault rifles, but then, incredibly, the same camera was mistaken for an RPG anti-tank rocket launcher.

Their video footage clearly shows that the rest of the group of civilians in the open street were not carrying any such items, but they still shot them all.

9_unarmed_people_about_to_get_shot_450.jpg

9_unarmed_people_getting_shot_1_450.jpg

One person was wounded and crawling away, but the helicopter crew kept him in their sights, urging him to reach for a weapon, so that they could open fire again.

urging_wounded_man_to pick_up_a_weapon_450

There were no US military or Iraqi forces who could possibly be under any threat from this wounded man, crawling on the ground, even if he actually had a gun, which he did not.

When a mini-van turned up, and a couple of unarmed "Good Samaritans" came to this unarmed wounded man's aid, the Apache crew got "permission" from someone who obviously did not have direct visual or video sight of the scene. They then blasted the mini-van with armour piercing cannon fire as well.

minivan_unarmed_wounded_450.jpg

minivan_30mm_cannon_attack_450.jpg

They used up about 200 rounds of 30mm cannon shells out of 252. Were any of these Depleted Uranium rounds ?

A second Apache helicopter also participated in the cannon fire.

When the US ground forces arrived in Bradley armoured fighting vehicles, they reported 11 dead and two wounded children.

11_KIA_1_wounded_small_child_450.jpg

This incident resulted in 2 Reuters journalists killed, 2 children wounded, probably at least 10 other unarmed civilians dead.

Some 20 minutes later, after still circling the area, the Apache helicopters decided somehow that half a dozen armed people had entered an abandoned / still under construction building, some distance away from the original incident. There is no video footage of anyone carrying any weapons.

Again, without any clarification from forward air observers or ground troops with an actual line of sight onto the building, they decided to attack it with Hellfire anti-tank missiles.

They watched and commented on another man entering the building, although he was clearly carrying no weapon, but they decided to fire their missile anyway. Another innocent passerby could be seen walking along the pavement outside the building (this is a city not some remote desert outpost), when the missile exploded.

hellfire_1_passerby_450.jpg

hellfire_1_passerby_explosion_450.jpg

A few minutes later, although their TADS video showed a couple of unarmed civilians picking their way past the debris, presumably to look for survivors (bottom right left of the image below), they still fired off another Hellfire missile regardless.

hellfire_2_would_be_rescuers_450.jpg

The helicopter taking the video footage fired one Hellfire missile and its partner fired two.

It is impossible to see if anyone who entered the building survived or was killed, but it is likely that the innocent passersby and attempted "Good Samaritan" rescuers were killed or injured.

There was no ground to air fire on the Apache helicopters at all, so these pilots were not acting in self defence.

Is it any wonder that so many people hate the US Military ?

Questions for the mainstream media

  • If the mainstream media do pick up on this video, will there be calls for those trigger happy US Apache helicopter pilots and their commanders to be prosecuted ?

  • How can such a disproportionate abuse of deadly force and a callous disregard for unarmed civilians, ever be justified in the middle of a city ?

  • Is there evidence of a US Military counter-propaganda spin and public relations campaign over this incident and video or are they hoping simply to try to ignore it ?

Questions for WikiLeakS.org

The Reuters news agency appear to have been shown this video privately, shortly after the incidents back in 2007. They requested copies of the video through the US Freedom of Information Act.

This rather implies that the encryption which WikiLeakS.org and its helpers claim to have broken with the help of some "supercomputer" time, is of a subsequent video tape (akin to satellite or cable tv pay channel de-cryption) rather than of an actual military real time air to air, or air to ground encrypted tactical data link, simply on the grounds of finding the correct half hour of footage, out of the thousands of hours of such data being transmitted by the US military.

  • Will WikiLeakS.org reveal any details of exactly what they de-crypted ?

  • Do WikiLeakS.org have any other Apache helicopter or Predator drone attack videos ?

  • What about the B1 bomber attack video which was going to be released by General Petraeus, which WikiLeakS.org encouraged the mainstream media to speculate was the one which they were going to release?

  • Has there been any more US Military / US Intelligence or other "cloak and dagger" surveillance / harassment of WikiLeakS.org personnel, before or after the release of this video ?

  • What is the reason for the separate http://collateralmurder.com [88.80.28.193] website, rather than the main WikiLeakS.org one ?

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblowers are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistleblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B. the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lamborn Wilson)

Cyberpunk author William Gibson

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

Amnesty International's irrepressible.info campaign

BlogSafer - wiki with multilingual guides to anonymous blogging

NGO in a box - Security Edition privacy and security software tools

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

Wikileaks.org - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.
