Recently in Communication Data Traffic Analysis Category

Back in December 2011:

So where exactly is the promised new WikiLeakS.org whistleblower leak submission system ? Nowhere to be seen

Now, via @a_greenberg at Wired:

WikiLeaks Finally Brings Back Its Submission System for Your Secrets

[...]

On Friday, the secret-spilling group announced that it has finally relaunched a beta version of its leak submission system, a file-upload site that runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their identity from any network eavesdropper, and even from WikiLeaks itself. The relaunch of that page--which in the past served as the core of WikiLeaks' transparency mission--comes four and a half years after WikiLeaks' last submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers.

[...]

The long hiatus of WikiLeaks' submission system began in October of 2010, as the site's administrators wrestled with disgruntled staff members who had come to view Assange as too irresponsible to protect the group's sources.

After 5 years of broken promises, WikiLeakS have now re-launched something which is similar to the more widely deployed open source @SecureDrop or @GlobaLeaks platforms which several media organisations and a couple of individual journalists offer, as one of the channels to contact them securely, with or without actual leak documents.

N.B. you have to hunt for the "Submit" button link in a drop down menu on the WikiLeakS.org home page

This WikiLeakS system also relies on Tor, something which their previous efforts only used sporadically and inconsistently.

The Tor Hidden Service .onion address (which only works if you are using a Tor enabled web browser) is:

http://wlupld3ptjvsgwqw.onion


The optional Questions on the submission form imply that publication of the leaked data or documents can be delayed, e.g. until after the whistleblower has left their current employer, but there are no guarantees as to if, or when, a document will ever be published by WikiLeakS.org.

The neglect of small scale, limited audience leaks, in favour of megalomaniacal mega leaks, is what led, in part, to the revolt of so many of the early WikiLeakS volunteers against the dictatorial and cultish Julian Assange 5 years ago.

Until WikiLeakS explain in detail what happens next to a leaked document, once it has been uploaded, and exactly who has access to it, or to any correspondence with the whistleblower, nobody, especially not "national security" whistleblowers, should use this system.

Who owns the leaked documents & what is the redaction policy?

Given the previous attempts by Assange & WikiLeakS to claim exclusive ownership and copyright of, essentially, other people's stolen information, the fact that there is no policy statement about the ownership of leaked material is telling.

Do whistleblowers automatically hand over all rights and control over the release and any censorship or redaction of innocent 3rd parties personal details which may be in the leaked documents to Assange or to WikiLeakS ?

8192 bit GPG Key

Over 7 years after letting their first public GPG key 0x11015f8 expire without replacement, whinging that there were some fake keys on (insecure) public keyservers, and whinging that some people were using PGP/GPG insecurely (without any detailed guidance from the supposed experts at WikiLeakS.org themselves), they have now published a new 8192 bit GPG Public encryption Key:

https://wikileaks.org/index.en.html#submit_wlkey

pub   8192R/92318DBA 2015-04-10 [expires: 2016-04-09]
uid                  WikiLeaks Editorial Office High Security Communication Key (You can contact WikiLeaks at http://wlchatc3pjwpli5r.onion and https://wikileaks.org/talk) 
sub   8192R/D6DFD684 2015-04-10 [expires: 2016-04-09]

Fingerprint: A04C 5E09 ED02 B328 03EB 6116 93ED 732E 9231 8DB

They have not explained why they have chosen to publish a non-standard 8192 bit key.

The normal user interfaces to GPG software default to 2048 bits, or a maximum of 4096 bits.

It is possible to create 8192 bit keys (or longer) using GPG command line batch mode options.

There is no cryptographic reason to use an 8192 bit key - it is not in practice any stronger than an already unbreakable 2048 or 4096 bit key.

So few people have or use 8192 bit keys, that its use makes it a characteristic marker, likely providing circumstantial evidence linking, on the balance of probabilities, any seized or stolen encrypted documents on a whistleblower's computer or USB media to WikiLeakS, regardless of the use of "throw-keyids" or the fact that the encrypted file cannot be de-crypted by the authorities or thieves.
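Why "throw-keyids" does not hide the key size, as an added example (not code from WikiLeakS or from the original post): the public-key encrypted session key packet at the start of an OpenPGP file carries the RSA ciphertext as an MPI with a cleartext bit count, which tracks the recipient's modulus size even when the key ID field is zeroed. The sample bytes are constructed, and the function names and the round-up-to-1024 estimate are assumptions of this sketch.

```python
"""Read the cleartext header fields of OpenPGP public-key encrypted session
key (PKESK, tag 1) packets, following RFC 4880 sections 4.2, 3.2 and 5.1.
These are the same fields that `gpg --list-packets` displays."""

RSA_ALGOS = {1, 2, 3}  # RSA public-key algorithm ids in RFC 4880


def _body_span(buf, pos):
    """Return (body_start, body_len) for the packet whose header is at pos."""
    first = buf[pos]
    if first & 0x40:  # new-format header
        o1 = buf[pos + 1]
        if o1 < 192:
            return pos + 2, o1
        if o1 < 224:
            return pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body length not expected on a PKESK packet")
    ltype = first & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not expected on a PKESK packet")
    n = 1 << ltype  # 1, 2 or 4 length octets
    return pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def pkesk_metadata(buf):
    """List what an observer without any private key learns per recipient."""
    out, pos = [], 0
    while pos < len(buf):
        first = buf[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag != 1:  # PKESK packets precede the encrypted data packet
            break
        start, length = _body_span(buf, pos)
        body = buf[start:start + length]
        if len(body) < 12 or body[0] != 3:
            raise ValueError("truncated or unsupported PKESK packet")
        key_id, algo = body[1:9], body[9]
        mpi_bits = int.from_bytes(body[10:12], "big")  # cleartext bit count
        entry = {
            "key_id": key_id.hex().upper(),
            "key_id_hidden": key_id == bytes(8),  # zeroed by throw-keyids
            "algo": algo,
            "mpi_bits": mpi_bits,
            "est_modulus_bits": None,
        }
        if algo in RSA_ALGOS:
            # Heuristic (assumption): an RSA ciphertext is just below the
            # modulus, so round its bit length up to a multiple of 1024.
            entry["est_modulus_bits"] = -(-mpi_bits // 1024) * 1024
        out.append(entry)
        pos = start + length
    return out


def _constructed_pkesk(key_bits, key_id):
    """Build a constructed (fake) old-format PKESK packet for the demo."""
    value = (1 << (key_bits - 2)) | 1  # stand-in ciphertext, key_bits-1 bits
    mpi = value.bit_length().to_bytes(2, "big") + value.to_bytes(key_bits // 8, "big")
    body = bytes([3]) + key_id + bytes([1]) + mpi  # version 3, RSA
    return bytes([0x85]) + len(body).to_bytes(2, "big") + body


# Constructed sample: one hidden-recipient packet for an 8192 bit key, one
# ordinary packet for a 2048 bit key, then a stub encrypted-data packet.
SAMPLE = (
    _constructed_pkesk(8192, bytes(8))
    + _constructed_pkesk(2048, bytes.fromhex("0123456789ABCDEF"))
    + b"\xd2\x05\x01data"
)

if __name__ == "__main__":
    for entry in pkesk_metadata(SAMPLE):
        print(entry)
```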

There is no advice on the WikiLeakS.org website about how whistleblowers should use the GPG software properly on different platforms, e.g. password lengths, extra hash protection of their private keys in the keyring, physical protection of the keyring, the use of throw-keyids etc. etc.

Link to our copy of this Public Key

Chat system

Unlike SecureDrop, there is no leak submission contact messaging channel within the submission system workflow

WikiLeakS have added a .onion Tor Hidden Service to their existing web chat system

http://wlchatc3pjwpli5r.onion and https://wikileaks.org/talk

N.B. the customised / branded first few digits of the chat system's Tor Hidden Service (presumably done using a GPU based hash generator like Scallion), which they did not bother with for the leaked document submission system.

They also publish a non-Tor Hidden Service url for this chat system, so it may be ok for general chat with WikiLeakS staff or volunteers, but any "national security" whistleblower should steer clear of it, even via Tor, as the chat servers can be tracked down (for potential seizure or man in the middle attacks) via the non-Tor users.

Using any form of real time communications, either encrypted chat or phone calls, is too risky between genuine "national security" whistleblowers and a heavily surveilled target like WikiLeakS.org - there is no scope for "plausible deniability" or an alibi, unlike with e.g. programmatically time delayed sending of encrypted emails or other online publications.

Arrogance & Obscurity

Julian Assange is still claiming that

https://wikileaks.org/Some-notes-on-the-new-WikiLeaks.html

Other submission technologies inspired by WikiLeaks, such as the European-based GlobaLeaks and the US-based Secure Drop, while both excellent in many ways, are not suited to WikiLeaks' sourcing in its national security and large archive publishing specialities. The full-spectrum attack surface of WikiLeaks' submission system is significantly lower than other systems and is optimised for our secure deployment and development environment. Our encrypted chat system is integrated into this process because sources often need custom solutions.

No ! The "full-spectrum attack surface" of WikiLeakS's system is no better than that of any other Tor Hidden Service.

Potential whistleblowers have no way of judging whether WikiLeakS' secret internal computer and human systems are any better or worse than those of SecureDrop or GlobaLeaks or other submission systems.

The next paragraph shows that Assange et al are still creating solutions to straw man problems, whilst ignoring the real risks to potential whistleblowers

For example, one of the problems with public-facing submission systems is bootstrapping. The fact that a source is looking at instructions that are telling them how to submit material could be used as evidence against them if there is an SSL key break. To prevent this, we deploy the full bootstrap instructions and keys on millions of WikiLeaks pages across our full server network. When the "Submit" button is pressed, there is literally zero network traffic as a result, because all these details are downloaded every time anyone looks at nearly any page on WikiLeaks. We cover the source bootstrap process with our millions of page views by readers.

These "millions of web pages" are a red herring and do nothing to obscure the traffic generated by the whistleblower, especially when they choose to hit the Submit button.

The time, date and the number of bytes of data which the whistleblower uploads to WikiLeaks is still observable, regardless of the fact that it is encrypted.

If anyone on a government or military network visits any part of the WikiLeakS.org website from work, that is likely to be flagged as suspicious behaviour regardless of how innocuous the content of a web page may be.

Their submission system provides no tools and not even any advice or instructions on splitting up or combining or padding out documents so as to hide their potentially characteristic size from ISP or state communications data traffic analysis.
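The kind of padding and splitting meant here, as an added example (not code from WikiLeakS, SecureDrop or the original post): documents are framed with their true length, padded with random filler up to a power-of-two bucket, and optionally cut into equal-size pieces before encryption. The 64 KiB minimum bucket, the 8-byte length header and all function names are assumptions of this sketch.

```python
import os
import struct

HEADER = struct.Struct(">Q")   # 8-byte big-endian true length (assumed framing)
MIN_BUCKET = 64 * 1024         # smallest padded size (assumed value)


def bucket_size(n):
    """Smallest power-of-two multiple of MIN_BUCKET that holds n bytes."""
    size = MIN_BUCKET
    while size < n:
        size *= 2
    return size


def pad(data):
    """Frame data with its length and pad it up to its size bucket.

    The filler is random rather than zero bytes: tools such as GPG compress
    before encrypting by default, and compressible filler would shrink away,
    leaving the ciphertext size as characteristic as before.
    """
    framed_len = HEADER.size + len(data)
    filler = os.urandom(bucket_size(framed_len) - framed_len)
    return HEADER.pack(len(data)) + data + filler


def unpad(blob):
    """Recover the original bytes from a padded blob."""
    if len(blob) < HEADER.size:
        raise ValueError("blob too short to contain a length header")
    (n,) = HEADER.unpack_from(blob)
    if n > len(blob) - HEADER.size:
        raise ValueError("length header exceeds blob size")
    return blob[HEADER.size:HEADER.size + n]


def split_chunks(blob, chunk=MIN_BUCKET):
    """Cut a padded blob into equal-size pieces for separate transfers."""
    if len(blob) % chunk:
        raise ValueError("blob must be padded to a multiple of the chunk size")
    return [blob[i:i + chunk] for i in range(0, len(blob), chunk)]


def join_chunks(chunks):
    """Reassemble the pieces and strip the padding."""
    return unpad(b"".join(chunks))


if __name__ == "__main__":
    # Constructed sample documents with different, recognisable sizes.
    memo = b"A" * 70_000
    report = b"B" * 120_000
    for name, doc in (("memo", memo), ("report", report)):
        padded = pad(doc)
        pieces = split_chunks(padded)
        assert join_chunks(pieces) == doc
        print(name, len(doc), "->", len(padded), "bytes in", len(pieces), "pieces")
```

The padding has to be applied before encryption, and an observer still learns which bucket a transfer falls into and when it was sent.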


https://wikileaks.org/index.en.html#submit_help_tips

3. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection - it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly.

This includes other media organisations

The claim that "We are the global experts in source protection", is, of course, exaggerated.

WikiLeakS.org has not proved to be any better at avoiding infiltration and surveillance than other media organisations or activist groups or intelligence agencies.

Given how the main WikiLeakS source Bradley now Chelsea Manning (now serving 35 years in prison) was not handled properly as a source by Assange (publication seems to have been more important to him than the welfare of Manning) it seems unlikely that WikiLeakS will ever again be handed large scale leaks or any "national security" leaks via this submission system.

It is very telling that despite the help that Sarah Harrison later gave to Edward Snowden between Hong Kong and Moscow, he did not trust WikiLeakS or Julian Assange with his revelations.

Assange is still in self exile in the Ecuadorian Embassy in London, trying to evade extradition to Sweden on alleged sex offences.

As such, given the millions of pounds UK taxpayers' money & the Metropolitan Police Service overtime being wasted on him he is likely a very high profile target for GCHQ and other signals and human intelligence agencies.

If, as we suspect, he is still heavily involved in the WikiLeakS editorial process, he himself is probably the greatest risk to the anonymity and safety of any "national security" whistleblowers stupid enough to contact WikiLeakS.org


The increasingly Julian Assange centered WikiLeakS.org project received a media hype and publicity boost before Christmas 2011, when they appear to have been handed some or all of the hacked emails from the pretentious "private intelligence agency" company Stratfor.

Some of the "Anonymous" / "LulzSec" gang of hackers, who were under the influence and perhaps the control of an FBI coerced informant and agent provocateur (Hector Xavier Monsegur supposedly the LulzSec twit "Sabu") have been arrested and charged with this computer crime. They even stored the alleged millions of emails from Stratfor on a server under the control of the FBI.

See The Register: Stratfor email hackers were tricked into using Feds' server

There has been no noticeable support for any of them by Julian Assange, even though at least two of them (Ryan Ackroyd "Kayla", Jake Davis "Topiary") have been indicted in the USA and could be facing extradition from the United Kingdom, unlike Assange himself, who is fighting an unjust European Arrest Warrant extradition to Sweden on sexual offences charges.

See Public Intelligence (a website which, unlike WikiLeaks.org anymore, does actually allow comments from the public on the censored or restricted documents it publishes) Anonymous/LulzSec Sabu, Kayla, Topiary, Anarchaos, Palladium, Pwnsauce Indictment and Criminal Complaints

All the above is background information relevant to the question in the title of this blog post: Why has WikiLeakS.org not published any Stratfor email headers ?

WikiLeakS.org has been milking a very small selection of Stratfor emails for "maximum publicity", but with almost zero political impact, since 27th February, when they launched a subsection of their main website (not, this time, choosing to use a subdomain or a different domain name like they did for collateralmurder.com).

The Stratfor emails are being touted as The Global Intelligence Files, using similar hype to that which the notorious and obviously cyber security inept Texas based private think tank likes to puff itself up with.

Julian Assange / @wikileaks twitter feed has been claiming that the formerly private rumours and speculation by Stratfor employees such as Fred Burton, who used to be employed by the US Government, are somehow actually official US Government policy or the "truth", even when other Stratfor employees have, sensibly, tagged such rumours as "single source" or "unverified".

The claim by WikiLeakS.org is that they are publishing 5 million emails, but they have not actually done so.

They have published 935 extracts in just under a month. At that rate it will be about 96 years before they publish 5 million email extracts. Surely even the second (or third) division media partners listed by WikiLeakS.org, since Julian Assange has lost the trust of The Guardian, the New York Times, Der Spiegel etc. etc., will have moved on to other stories by then ?

Despite claiming to have somehow invented "scientific journalism", whereby the original document sources of information for a story are made available to the public for expert analysis, Julian Assange has not done this with the Stratfor emails, since the extracts do not contain any actual email header information, listing email clients, mailservers and IP addresses etc.

Why not ?

  • What is Assange hiding ?

  • Did the FBI controlled "Sabu" make sure that WikiLeakS.org only got a censored version of the Stratfor emails ?

  • Since there is no WikiLeakS.org secure document submission system, or published PGP Public Encryption Key, how did the Anonymous / Lulzsec/ FBI contact Julian Assange / WikiLeakS.org ?

  • Did WikiLeakS.org / Julian Assange actively reach out to the pompous "Sabu" over IRC and or Twitter ?

  • Is the Stratfor email "leak" an attempt to drag Julian Assange and other WikiLeakS.org people into the credit card fraud and computer intrusion criminal cases which are currently in motion regarding Stratfor and other Anonymous/Lulzsec targets ?

Even though Julian Assange could very well be extradited from the UK to Sweden next week, to face non-wikileaks related sexual offences allegations

https://twitter.com/#!/JudiciaryUK/status/129846526171287552

Julian Assange appeal against extradition - the High Court will hand down judgment on Wednesday 2 November.

10:06 AM Oct 28th 2011

he has announced a new, re-engineered WikiLeakS.org submission system to be launched on November 28th 2011.

https://twitter.com/#!/wikileaks/status/128455207490293762

@wikileaks WikiLeaks
Assange: On November 28th WikiLeaks will launch new generation submissions system http://www.ustream.tv/recorded/18082417

1:58 PM Oct 24th 2011

http://www.ustream.tv/recorded/18082417

Julian Assange speaking at the Frontline international press club in London, on Tuesday 24th October 2011

Approx 1 hour 5 minutes near the end of the video clip:

The fallout from that was that we viewed that our submission system could not be trusted any more

So did everyone else with any clues about computer security and anonymity, including Daniel Domscheit-Berg and the "Architect", which is partly why they left in the first place.

As a result we have had to completely re-engineer, from scratch, a new generation submission system.

On November 28th, the one year anniversary of CableGate, we will

Now, wikileaks has never had only the one submission system. We've received information in a wide variety of means, just like intelligence agencies and professional, mainstream media organisations, receive their information from a wide variety of means.

It has been important to us, to always have a wide variety of means, so no one mean becomes the sole, the sole subject of infiltration or investigation.

However, for the last, for the last 12 months, for the last 12 months, you haven't been able to go through the front door to submit wikileaks sensitive, information

You've had to establish, contacts, with the organisation and transmit us the material through other mechanisms.

Is Assange claiming that people have actually been stupid enough to submit sensitive material to him in the last 12 months, through other means ?

Why has he not bothered to publish any of this new, "non-Bradley Manning" sourced stuff then ?

How exactly are these "other means" actually Anonymous or Secure ?

Remember that wikileaks stopped publishing a PGP Public Encryption Key years ago and their incompetence in using PGP as a means of symmetric encryption and then stupidly publishing their CableGate archive online around the world and the re-using the same pass phrase with Guardian journalist David Leigh, was an

Similarly, they stopped publishing a Tor Hidden Service even before they stopped accepting new submissions.

On November 28th, the one year anniversary of CableGate, we will launch our new generation submission system.

That includes, not just, a public interface, but also several other mechanisms that are necessary to deal with an attack on the entire internet security system, that has been established over the last few years, by intelligence agencies and criminal groups.

Right now, it is not possible to trust any https:// connection on the internet.

Utter rubbish !

Even wikileaks.org itself has, at various times, published a Self Signed Digital Certificate and has published the MD5 and SHA-1 cryptographic hash fingerprints, without relying on any built in web browser trust of Certificate Authorities.

It is not possible your banking system, it is not possible to trust any, regular, web based secure encryption system

What about banks which use SSL v3 Client Side Digital Certificates for mutual client / server authentication, without the need for any external Certificate Authority ?

That is because, intelligence agencies have infiltrated, a number of Certificate Authorities. Certificate Authorities are those authorities which sign the cryptographic keys that are used for secure internet communication.

On November 28th, we will release our alternative to that system, which is independent of all Certificate Authorities

Is this something which Julian and his cult have created from scratch, or will they just steal / borrow the work of Moxie Marlinspike and SSLLabs etc. with Convergence ?

Remember that SSL / TLS encryption only provides Secrecy about most of the contents of an encrypted session, it does not provide any Anonymity, and, may in fact provide less anonymity than a non-SSL connection via a shared proxy server.

A question from the floor:

"I understand that you may be limited in what you can say, but how have you managed to get around the fact, that in your eyes, Certificate Authorities can't be trusted, with this particular submission system ?"

01:08:57

We will give full details here, on a conference, on November 28th

Full details ?? Don't hold your breath.

Will they publish the source code of their system, or even a detailed security architecture of what it is intended to actually do and protect against ?

On past performance, this is extremely unlikely.

I would like to say, that in that, this problem has been brewing over a number of years, and we were aware of it before, back in 2010, and we had a number of mechanisms to ameliorate that, ahh, thousands of robots that went out over the internet, to simulate being sources, to check to see, whether these "men-in-the-middle" or fabricated certificates existed.

So we had a number of different mechanisms to try to ameliorate that problem, but it is our view that the problem has now gone so severe, that even those attempts to ameliorate it, can no longer be trusted to the degree, that our sources expect us, to be able to solve the problem

More nonsense from the deliberately deceptive Julian Assange:

"thousands of robots" ??

At the time they claimed that this was to provide "cover traffic" to help to confuse Communications Traffic Analysis and thereby to improve the Anonymity of the submission system

This could not and would not have tested for any SSL "man-in-the-middle" attacks on the Security / Privacy of submissions.

Neither could it have detected compromised Certificate Authorities around the world, especially in places where the Government also controls international internet access.

Even if it was meant to do so, they obviously failed to detect a single example of such an attack aimed at wikileaks, or if they did, they must have covered it up.

Regardless of the technical merits of this new submission system, any whistleblower with really sensitive, life threatening information to publish, would have to be suicidal to trust Julian Assange and his WikiLeakS.org cult followers with it.

Given the popularity of Peer to Peer (P2P) networks for file sharing and the close links between WikiLeakS.org original web hosts in Sweden and their former links with The Pirate Bay "The world's most resilient bittorrent site", WikiLeakS.org leaked documents have always been available on P2P networks.

The recent Bloomberg news agency story

WikiLeaks May Have Exploited Music, Photo Networks to Get Data

gives prominence to some dubious claims by a US based Peer to Peer Network spying company called Tiversa.

Bloomberg and Tiversa provide no evidence of any direct link between the alleged appearance of the US Military files on incompetently configured personal computer systems running P2P software (in contravention of the applicable computer security policies) and the publication of re-named files on Wikileaks, months or even years later.

The Bloomberg article itself lists the months or sometimes years between the alleged appearance of a few US military documents on P2P networks open to the entire internet, and the publication of what is alleged to be copies of the same versions of those documents on the old, no longer functioning, WikiLeakS.org wiki system.

They cannot have it both ways.

Either it is legal for everyone, including firms like Tiversa to monitor such networks (for money) in bulk, in real time, all over the world, "1.8 billion times a day" by running "rogue" monitoring nodes joined to these P2P networks, or it is not.

To attempt to claim that just because they monitored "4 IP address in Sweden", that this is somehow evidence that WikiLeakS.org themselves were trawling for documents on P2P networks, is an incredible double standard, given the amount of such trawling which originates from the USA and even from Tiversa itself.

Tiversa's cause célèbre was their discovery of the US Presidential helicopter documents, something which strongly implies that they themselves also downloaded copies of such documents, both from the useless US Defense Contractor and from the alleged computer in Iran.

Such activity is itself certainly illegal in many countries and would probably amount to espionage according to the evil Iranian authorities.

Remember there is no proof that the discovery of an alleged download by a particular computer IP address actually means that any human has even noticed or read any such documents, in all likelihood they have not, simply due to the volumes involved - see the various internet snooping projects derived from Echelon by intelligence agencies like the NSA and GCHQ etc and their rivals.

Initially the WikiLeakS.org website just assumed that people would "seed" copies of their published documents into P2P networks. They later started to formally provide Magnet URI links to such documents on their download pages, but of course these are now no longer functional.

Perhaps OpenLeaks.org or any other successors to WikiLeakS.org, if they ever get off the ground, will also seed P2P networks and provide Magnet links as well.

There is a link on the current WikiLeakS.CH website and on its hundreds of risky mirror websites, to a compressed archive of BitTorrent index files, which can be used to download around 20,000 documents which have been published on WikiLeakS.org i.e. not the big "Bradley Manning" disclosures, which got their own dedicated web sites.

However, if you are planning to "research" these for your forthcoming blog or mainstream media article, tv documentary, book, film etc. remember your IP address will be tracked by Tiversa and other private sector and government spies.

Given the legally toxic nature of some of these WikiLeakS.org documents, depending on the legal jurisdiction you fall under, you may be breaking various laws by downloading or possessing copies of these documents e.g. government official secrecy, espionage, lèse majesté, copyright, contempt of court etc. You should probably keep any files you download in an encrypted volume using, for example, TrueCrypt.

WikiLeakS.org has never bothered to provide any such warnings or advice to its readers.

We have criticised the wikileaks.org propensity to use the social media networking service Twitter, to broadcast short (140 characters maximum) "tweets" without any accompanying full page press releases or web page detailed explanations. - https://twitter.com/wikileaks

To their credit, Twitter, which parts of the US government have praised and supported when it has been used by say Iranian, Burmese, Zimbabwean or Chinese political dissidents, has notified some, but not yet all, of its subscribers who have been named on a Court Order which demands their private Communications Data details i.e. subscription names and addresses and phone numbers, as well as any credit card details and any IP address details.

This applies to the half a dozen or so twitter accounts named in the Subpoena.

However this Subpoena is not narrowly targeted against specific criminal communications, it is a generalised "fishing expedition" / data trawling exercise.

[UPDATE 9th January 2011: it turns out that this is not actually a Subpoena, but a 18 USC 2703(d) order, a controversial legal power introduced by the anti-terrorism "PATRIOT Act", which is, inevitably, just as was pointed out at the time it was rubber stamped into law, now being abused for non-terrorism purposes.

See this blog article by Chris Soghoian Thoughts on the DOJ wikileaks/twitter court order

The order, issued under 18 USC 2703(d) is not a subpoena (even though the AP, New York Times, Salon and many other outlets have reported that it is). Subpoenas are essentially letters written by law enforcement officers, on official agency letterhead, and have not been reviewed or signed by a judge. The 2703(d) order in question was issued by a magistrate judge.

It also attempts to demand "All records and other information" including "user name and source and destination IP Protocol address(es);" of all of the other Twitter accounts which these named accounts have communicated with from November 2009 to mid December 2010, including all non wikileaks related matters.

The https://twitter.com/wikileaks account currently broadcasts to at least 634,892 followers.

There may have been a few thousand fewer such followers on the 14th December 2010, when the Subpoena was signed, but snooping on hundreds of thousands of innocent people, worldwide, is unethical and entirely disproportionate, and will provoke even more bad publicity for the United States government.

Which other social networking and email providers have been served with similar Subpoenas, for similar wikileaks related "fishing expeditions" ?

Which US Government investigative agency actually got the US Department of Justice to apply for the initially secret "sealed" Subpoena ?

If only there was a working Anonymous Whistleblower website where such information could be published - unfortunately that does not include either WikiLeakS.org or OpenLeakS.org at the moment, or for the foreseeable future.

WikiLeakS.org has a new IRC chat setup https://chat.wikileaks.org

[hat tip to IRC user "Odin" for spotting a typo in a previous reference to the old IRC system]

The new WikiLeakS.org Chat Page still claims that this is

(also good for safe interviews with anonymous sources).

which is simply not true of IRC or any other "live" chat or messaging system which is likely to be subjected to Communications Traffic Data Analysis by intelligence or law enforcement agencies.

Unless the anonymous whistleblower or potential whistleblower, takes extra precautions, then all of these systems could easily betray his or her identity, regardless of the fact that the content of what they type has been strongly encrypted.

The new IRC chat URL is now

https://chat.wikileaks.org/

or

ircs://chat.wikileaks.org:9999/wikileaks

Instead of the old self-signed Digital Certificate, which they used from January 2010 on https://secure.wikileaks.org:9999, they have now installed one from the same commercial Certificate Authority (GlobalSign nv-sa) which is used for the https://sunshinepress.org Wikileaks Upload web form.


To be consistent, and to help to establish trust in this Digital Certificate in case of Man-in-the-Middle attacks, WikiLeakS.org should really publish the cryptographic hash fingerprints for this certificate, as they have done with the https://sunshinepress.org web pages.

N.B. they should also have published the hash fingerprints on an actual WikiLeakS.org web page, since very few people will have heard of sunshinepress.org and some of them will, correctly, be suspicious of it.

Since WikiLeakS.org have not yet done so, here are the hash fingerprints for the benefit of web search engine queries:

https://chat.wikileaks.org
Serial Number: 1000000000129DC536192
SHA1: 8E:15:E9:2E:39:6F:F8:32:8B:49:A1:F3:E2:E3:14:AF:10:2A:B4:42
MD5: 43:EB:23:08:AF:E2:14:87:FC:DA:A3:43:F0:60:93:AD

IRC should not really be the primary method of contacting the WikiLeakS.org technical staff.

WikiLeakS.org again has a Tor Hidden Service for encrypted anonymised uploads - http://suw74isz7wqzpmgu.onion/ over 7 months after the previous one was abandoned.

The Official Tor "Blog", which does not accept any comments or feedback from the public, has this report of the Keynote Speech given on behalf of Julian Assange at the HOPE hackers' conference in New York, by Jacob Appelbaum.

The usual rumours abound that there were FBI or other US Government Agents waiting to arrest / "talk" to him at this conference, but why they would wait until then and not do so as he came through US Passport Control is never explained by the media.

There is also a very rare, very brief, status report about the WikiLeakS.org website infrastructure:

HOPE 2010 Talk / Current status

Hello,

Jacob Appelbaum is speaking today on behalf of the project at the HOPE2010 conference. He will cover past, present and future developments of the project. For further information please visit the conference website: http://www.thenexthope.org/.

Now some general NEWS.

The submission system is up and running again (yes also reachable via Tor for those that do not trust SSL). Some important changes that you should be aware of:

* we moved the location of the submission system to https://sunshinepress.org/

Without telling anybody and without establishing a link of trust between the two domain names (see our previous blog article)

* The tor submission path uses a new hidden service address located at http://suw74isz7wqzpmgu.onion/

Some good news at last !

Although slow, a Tor enabled session (download and install the software from https://www.torproject.org/easy-download.html.en) does End to End Encryption between your Web Browser and three randomly chosen Tor relay servers in the Tor anonymity cloud, almost certainly some or all of which will be in foreign countries.

The final 4th hop to the Tor Hidden Service is also encrypted.

More importantly, Tor makes Communications Traffic Data Analysis very much harder, even for well resourced opponents like Government intelligence agencies (who obviously also make use of it themselves).

SSL for the other services like the websites will take some more time until it is available.

What is so difficult about purchasing and installing another Digital Certificate to replace the old one, before making other changes to the infrastructure ?

Those users that do not like to install a generic IRC client can use the webchat again which is located at https://chat.wikileaks.org/ and connects to our internal IRC server. We added some additional means of protection to the IRCd to prevent the leakage of users identities.

This IRC chat system is all very well for reporting errors on the website etc. but it is absolutely not suitable for preserving the anonymity of potential whistleblowers.

The archive is now back for some time and we are still working on it. The most visible changes so far are the support for torrents and magnet links for files referenced in the archive, a facelift of the design, content cleanup. Public edits are still disabled but will be enabled again. Public comments will be disabled until we have an appropriate solution in place. We removed some stuff to hide the identities of the users working on the wiki as well as protecting the identity of people visiting the site. For example external links always use a trampoline now to make sure that 3rd party sites do not know where you came from. Furthermore we deleted all accounts not used for a year as part of the cleaning process.

We have meant to comment on the "trampoline" before. Why did they waste their time with this feature ?

It just looks and feels like another creepy hidden visitor tracking system, even if it is not meant to be that.

If they had not disabled the SSL version of the website, then there would already have been protection against sending HTTP_REFERER environment variables to the external web pages which are linked to in the wiki. Similarly if people do not simply click on a link, but Open in a New Tab or New Window, especially in the Private Browsing modes of most modern web browsers, then this information is not sent anyway.
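An added example (not code from this blog or from WikiLeakS.org) of the Referer behaviour discussed above: it models the W3C Referrer Policy rules for a followed link, including the HTTPS to HTTP case, and goes slightly further by covering HTTPS to HTTPS links and the `Referrer-Policy` values a site can set for itself. The example.org / example.com / example.net URLs are constructed, the function names are hypothetical, and treating "downgrade" as https to non-https is a simplification.

```javascript
// Added example: which Referer header a browser sends when a link is followed,
// per the W3C Referrer Policy rules. All URLs used with it are constructed.

// Referrer as browsers serialise it: no credentials, no #fragment.
// originOnly reduces it to scheme://host[:port]/
function referrerString(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (originOnly) return u.origin + '/';
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value the destination sees, or null if none is sent.
// Simplification (assumption): "downgrade" means https -> anything not https.
function refererSent(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  const full = referrerString(fromUrl, false);
  const origin = referrerString(fromUrl, true);
  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin': return origin;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case 'unsafe-url': return full;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Audit helper: the external (cross-origin) link targets on a page that
// would still receive a Referer header under the given policy.
function externalLeaks(pageUrl, linkUrls, policy) {
  const page = new URL(pageUrl);
  return linkUrls
    .map((link) => ({ link, referer: refererSent(pageUrl, link, policy) }))
    .filter((r) => new URL(r.link).origin !== page.origin && r.referer !== null);
}
```

Under the legacy default, an HTTPS page sends nothing to HTTP destinations but still discloses its full URL to HTTPS destinations; serving the pages with `Referrer-Policy: no-referrer` closes both cases without a redirect page.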

Generally the technical staff is pretty busy putting the resources you granted us to good use. We are still extending the network with new machines, but will provide a dedicated interface for this type of help soon (email just does work for this kind of task).

Should this read "email just does not work for this kind of task" ?

Please do not make it a Twitter interface !

We have switched the complete system to a new architecture.

What was wrong with the old one ? Did it not scale properly ?

Why not publish a high level description of this architecture, so that WikiLeakS.org can be advised on how not to make elementary mistakes, again.

Until they do so, their hopes for lots of local versions of WikiLeakS.org to spring up organically around the world in parallel will be stillborn.

If you notice that something does not work as expected please drop into the chat and talk to the staff there.

WikiLeakS.org has a world wide audience.

Is there really someone lurking in the IRC chat room 24 / 7 ?

They will be able to either relay your message or get you in contact with someone who can look at the problem.


The WL teams want to thank everybody for their support and patience.


By WikiLeaks on July 17, 2010

We are glad that someone is trying to sort out the technological mess that the WikiLeakS.org project deteriorated into.

We can dream that they will publish some PGP keys....

There is also the whole question of anonymous Mobile Phone Communications. Many more people have access to these than to fast computers and internet connections.

Surely the WikiLeakS.org technical team should be creating or promoting mobile phone SMS text and MMS message anonymous submissions systems ?


[UPDATE 12:00 GMT - the missing PGP page and Discussion page are now back online, but comment additions or editing are still not allowed]

Either through carelessness, or through deliberate censorship WikiLeakS.org now appear to have deleted the Discussion page, which was online for a couple of years, which discussed their (lack of) PGP public encryption keys.

[via Cryptome.org: Wikileaks Support Initiative]

2. Second encryption to Wikileaks of the encrypted submission. Wikileaks keys (Wikileaks Talk on PGP Keys, downloaded 4 July 2010, now apparently removed.)

Surely this polite, constructive criticism and these helpful suggestions are rather less worthy of censorship than some of the other stuff which WikiLeakS.org is still allowing to be published on its website ?

Judge for yourselves:

This IDG interview of Julian Assange should worry potential whistleblowers:

Wikileaks founder reflects on Apache helicopter video

The mainstream media ignored some of the other material Wikileaks published, says Julian Assange

By Jeremy Kirk, IDG News Service
July 12, 2010 12:22 PM ET

[...]

Assange spoke on Friday at the Center for Investigative Journalism at City University in London,

[...]

The second half of the article contains this extraordinary claim:

Assange said about one in six people affiliated with the U.S. military who enter Wikileaks' secure chat room end up passing information to the Web site. He said those who come to the chat room often possess evidence of something that is making them angry.

"At that point, they come to us, and maybe we can help them," Assange said.

But turning those visitors into sources is delicate, and different approaches have to be used. "You really have to establish a connection at that moment," Assange said.

Is the WikiLeakS.org "secure chat" system effectively a honey pot trap for US Military whistleblowers ?

It is unclear just how many "people affiliated with the U.S. military who enter Wikileaks' secure chat room" there have been.

Why would any real whistleblowers, "affiliated with the U.S. military" or not, be stupid enough to contact WikiLeakS.org, or anybody else, via Internet Relay Chat ?

The WikiLeakS.org Chat web page gives instructions on how to connect to their Internet Relay Chat (IRC) chat system.

There are no warnings and no advice about how to use this Internet Relay Chat system anonymously, even though that web page claims:

Whistleblower? Journalist? Citizen journalist? WikiLeaks writer, volunteer, supporter or techie? Get advice and talk with people like you on the WikiLeaks secure chat (also good for safe interviews with anonymous sources).

"also good for safe interviews with anonymous sources" ???

Not if they expect to remain anonymous for long if there is any sort of "leak investigation" !

It is irrelevant whether or not the chat system is "encrypted" using SSL - that does not protect the Communications Traffic Data i.e. IP address, time, date and how much data has been transferred in a session.

The SSL encryption certificate for secure.wikileaks.org:9999 is a self signed one, apparently issued by WikiLeakS.org itself, but there is no explanation on the website of why this should be trusted.


There is no mention of how, for example, to use Tor to connect to this IRC system to try to protect your Communications Traffic Data from snoopers.

The IDG article continues:

Assange said Wikileaks is currently re-engineering its submissions engine, an important security tool that can help protect sources who are passing sensitive information to the site. The submissions engine has been described as having military-grade encryption.

Assange contested a Wired magazine story from June 30 titled "With World Watching, Wikileaks Falls Into Disrepair." The story said that the submission engine has been degraded for months and that its SSL (Secure Sockets Layer) certificate had expired. Assange contended he told Wired magazine that it was being redesigned but that article said that he declined comment.

So why have neither Julian Assange nor any of the other WikiLeakS.org activists bothered to update any of their website pages with this news ? Even now the website still gives the impression that there is a working "secure" submission service.

Is that incompetence or deliberate deceit ?


The lack of any published high level security architecture for the WikiLeakS.org project has been an ongoing failure, which reduces the level of trust and confidence which people can have in it.

Not all of the technical details of how they are trying to achieve the best mix of anonymity, security , scalability and usability techniques need to be made public, however a formal statement of what exactly they are trying to do, would help people outside the project to point out potential problems, or improvements, or to see that these have already been recognised and are work in progress.

In the absence of anything but the most hand waving salespeak from WikiLeakS.org, observers of the project have to critically examine the writings of their central politburo, and read between the lines.

The recently published Wikileaks:Investigator's guide page has some vaguely reassuring legal warnings about journalist / source legal protection in Sweden and Belgium and the USA.

Wikileaks:Investigator's guide

From Wikileaks

This document is for judges, investigating magistrates, judicial officers and investigators. It explains issues and evidence that you may see in an investigation relating to Wikileaks.

This is not, therefore, a discussion document, soliciting ideas or feedback on proposed future project features, it appears to be a fait accompli.

However, the Investigator's Guide also contains some technical inaccuracies or, perhaps, deliberate misinformation, and a description of a very worrying "phone home" spyware "feature".

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblowers are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistleblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B. the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks
