The Unwritten Rule - Making Sense of the Wikileaks/Guardian Cablegate Drama
Unwittingly, David Leigh broke rule number one of the digital age's many abstruse commandments - that the only safe place for a password is in your head. Assange, however, is acting very oddly.
One of the most telling stories in the whole debacle is a passage from Leigh's book, the very same chapter in which he divulges the password he erroneously assumed to be obsolete.
Leigh set off home, and succesfully installed the GPG software. He typed in the lengthy password, and was gratified to be able to download a huge file from Assange's temporary website. Then he realised it was zipped up - using a compression format 7z which he had never heard of, and couldn't understand. He got back in his car and drove through the deserted London streets in the small hours, to Assange's headquarters at Southwick Mews. Assange smiled a little pityingly, and unzipped it for him.
Did you spot the tell? In it we get a taste of Leigh's unfamiliarity with using technology - unfamiliarity with using Google, in fact - and we get treated to an account of the moment where it all went wrong. Assange understands that you don't write passwords down, which is why he gave Leigh only most of the lengthy password on paper, and made him remember the rest - but when this revealing moment transpired later the same evening, he regrettably didn't jump on it. That the person he had just confided such sensitive information to might have misconceptions about the nature of that with which he'd been entrusted didn't register, and the rest is history. Missed opportunity this may be, but this is not the most telling clue in the passage.
Later, the book will go on to further betray Leigh's lack of technical grasp. He also misattributes Wikileaks' security measures to the Tor network and though they go on to describe Onion Routing principles correctly, this mistake "makes it seem as though somebody else wrote the technical portion". Indeed this seems very likely given the glaring error in Leigh's account above.
Critically, Leigh seems to have confused the order in which he entered the password and downloaded the file. The file was GPG encrypted, and so he would have needed to download it first, then use the GPG software in conjunction with the password to turn it into a readable binary (7zip) file. This is an important error on his part since one might understand why Leigh thought that given the file's online address was temporary, so the password that "accesses" it would become obsolete - not unreasonable. Hence he and James Ball's accusation that Assange "reused" the password [James Ball asserts that the file Leigh accessed and the one discovered online are not the same - see addendum below].
This does not, however, explain why the public dissemination of a password that decrypts a file that decompresses to 1.6GB has led Assange to release another file which he says "unpacks to 60GB of data", followed by the key. Am unpacking it as I write this and am watching my diskspace drop - will report on what it comes to.
How Assange can claim that Leigh's 1.6GB slip-up and his own subsequent release of a many times larger batch of unredacted data from the same source are cause and effect is a mystery. Perhaps Assange is merrily abusing a newfound understanding of political chess like it's a new toy. Using the cover of a moment when everyone is moved to take your side against The Guardian as an opportunity to do something far more irresponsible which was bound to attract enormous criticism from, um, The Guardian, is a classic tactic of political leadership - but even as a short-term strategy he may yet have got his methods slightly confused. The Grauniad have played their hand spectacularly badly, Twitter seems to be foaming at the mouth at them right now - we'll find out how it pans out for all concerned tomorrow morning.
My diskspace has dropped 40GB, and the file is still unpacking. What a bizarre man.
Addendum, 3rd September 2011 Since this article is in syndication, it seems fair to point out that I am not privy to the info as to what the security measures may have been on the temporary server (several have suggested that it was simply unindexed, but available to those who knew its URL). But I see evidence for Leigh confusing the server access details for those of the file in his assertion that the password was meant to be "temporary". This is only speculation, based on the quoted passage in his book. I see no reason to doubt Leigh's word on the agreed security arrangements, particularly since he is an experienced investigative journalist of some integrity. As I wrote the above piece, Assange divulged the key to the package he'd released the day before - cables.csv apparently contains the raw data which Assange expanded into a browseable HTML package, hence the inflated size of this release. However, James Ball insists that the file Leigh was given access to is totally different to the one that contains cables.csv and has tonight been undergoing some pressure from Twitter users to "prove it". That he may actually be able to do so conclusively whilst maintaining discretion seems unlikely. What does seem likely is that Assange is well aware of this, and his claim that his total unredacted release of all the cables is the direct result of Leigh's indiscretion looks increasingly to me like the actions of a confused, isolated, inexperienced individual in deep shock as to how his credibility as a trustworthy confidant could be so easily destroyed by multiple forces which he feels are outside his control - an epitome leading to a desperate bid to gain control - in doing so he clumsily risks further damaging Wikileaks and its credibility. 4th September 2011: Here is an excellent technical analysis: http://unspecified.wordpress.com/2011/09/03/wikileaks-password-leak-faq
