July 2010 Archives

Are WikiLeakS.org starting to pay heed to the criticisms that there is actually information in some of their whistleblower leaked documents which may cause death or injury if published to the world immediately ?

The raw Afghan War Diary data has been given to The Guardian in the UK , The New York Times in the USA and Der Spiegel in Germany to analyse. and to publish at the same time.

Each of these mainstream media publications and WikiLeakS.org themselves has published extracts and summaries of the data, including "value added" conversions of the data, glossaries of obscure military acronyms and jargon and conversion of the latitude and longitude data into formats easy to feed into mapping software such as Google Earth.

WikileLeakS.org have decided to actually publish this large amount of data on the actual WikiLieakS.org website itself this time, unlike the separate Apache helicopter video www.collateralmurder.com website.

25th July 2010 5:00 PM EST WikiLeaks has released a document set called the Afghan War Diary, an extraordinary compendium of over 91,000 reports covering the war in Afghanistan from 2004 to 2010.

[...]

We have delayed the release of some 15,000 reports from the total archive as part of a harm minimization process demanded by our source. After further review, these reports will be released, with occasional redactions, and eventually in full, as the security situation in Afghanistan permits.

The US Military will, of course, not be happy that they are not in control of any such redaction and review process.

However, for WikiLeakS.org, this is a revolutionary change to their previous "information must be set free, for maximum hype and impact, regardless of the consequences to individual people" policy.

WikileakS.org also seem to have abandoned, for these Afghan War Diary pages at least, the BitTorrent and Magnet links, which they added to previous leaked document pages.

You can only download the compressed files directly over an unencrypted web connection (still no SSL/TLS or Tor Hidden Service fro reading and downloading from the website like they used to have).

There is still no way of discussing or analysing this whistleblower leak on the relevant Discussion page, which is still switched off.

WikIleakS.org still have a lot to do to protect their readers and potential analysts from being snooped on and identified by governments and other investigators.

WikiLeakS.org has a new IRC chat setup https://chat.wikileaks.org

[hat tip to IRC user "Odin" for spotting a typo in a previous reference to the old IRC system]

The new WikiLeakS.org Chat Page still claims that this is

(also good for safe interviews with anonymous sources).

which is simply not true of IRC or any other "live" chat or messaging system which is likely to be subjected to Communications Traffic Data Analysis by intelligence or law enforcement agencies.

Unless the anonymous whistleblower or potential whistleblower, takes extra precautions, then all of these systems could easily betray his or her identity, regardless of the fact that the content of what they type has been strongly encrypted.

The new IRC chat URL is now

https://chat.wikileaks.org/

or

ircs://chat.wikileaks.org:9999/wikileaks

Instead of the old self-signed Digital Certificate, which they used from January 2010 on httpps://secure.wikileaks.org:9999, they have now installed one from the same commercial Certificate Authority (GlobalSign nv-sa ) which is used for the htps://sunshinepress.org Wikileaks Upload web form

To be consistent and to help too establish trust in this Digital Certificate in case of Man--in-the-Middle attacks, WikiLeakS.org should really publish the cryptographic hash fingerprints
for this certificate, as they have done with the httpps://sunshinepess.org web pages

N.B. they should also have published the hash fingerprints on an actual WikiLeakS.org web page, since very few people will have heard of sunshinepress.org.and some of them will, correctly, be suspicious of it.

Since WikIleakS.org have not yet done so, here are the hash fingerprints for the benefit of web search engines queries:

https://chat.wikileaks.org
Serial Number: 1000000000129DC536192
SHA1: 8E:15:E9:2E:39:6F:F8:32:8B:49:A1:F3:E2:E3:14:AF:10:2A:B4:42
MD5: 43:EB:23:08:AF:E2:14:87:FC:DA:A3:43:F0:60:93:AD

IRC should not really be the primary method of contacting the WiiKiLeakS.org technical staff.

WikiLeakS.org again has a Tor Hidden Service for encrypted anonymised uploads - http://suw74isz7wqzpmgu.onion/ over 7 months after the previous one was abandoned.

The Official Tor "Blog" , which does not accept any comments or feedback from the public, has this report of the Keynote Speech given on behalf of Julian Assange at the HOPE hackers' conference in New York, by Jacob Appelbaum.

The usual rumours abound that there were FBI or other US Government Agents waiting to arrest / "talk" to him at this conference, but why they would wait until then and not do so as he came through US Passport Control is never explained by the media.

There is also a very rare, very brief, status report about the WikiLeakS.org website infrastructure:

HOPE 2010 Talk / Current status

Hello,

Jacob Appelbaum is speaking today on behalf of the project at the HOPE2010 conference. He will cover past, present and future developments of the project. For further information please visit the conference website: http://www.thenexthope.org/.

Now some general NEWS.

The submission system is up and running again (yes also reachable via Tor for those that do not trust SSL). Some important changes that you should be aware of:

* we moved the location of the submission system to https://sunshinepress.org/

Without telling anybody and without establishing a link of trust between the two domain names (see our previous blog article)

* The tor submission path uses a new hidden service address located at http://suw74isz7wqzpmgu.onion/

Some good news at last !

Although slow, a Tor enabled session (download and install the software from https://www.torproject.org/easy-download.html.en) does End to End Encryption between your Web Browser and three randomly chosen Tor relay servers in the Tor anonymity cloud, almost certainly some or all of which will be in foreign countries.

The final 4th hop to the Tor Hidden Service is also encrypted.

More importantly Tor makes Communications Traffic Data Analysis very much harder , even for well resource opponents like Government intelligence agencies (who obviously also make use it themselves)

SSL for the other services like the websites will take some more time until it is available.

What is so difficult about purchasing and installing another Digital Certificate to replace the old one, before making other changes to the infrastructure ?

Those users that do not like to install a generic IRC client can use the webchat again which is located at https://chat.wikileaks.org/ and connects to our internal IRC server. We added some additional means of protection to the IRCd to prevent the leakage of users identities.

This IRC chat system is all very well for reporting errors on the website etc. but is is absolutely not suitable for preserving the anonymity of potential whistleblowers.

The archive is now back for some time and we are still working on it. The most visible changes so far are the support for torrents and magnet links for files referenced in the archive, a facelift of the design, content cleanup. Public edits are still disabled but will be enabled again. Public comments will be disabled until we have an appropriate solution in place. We removed some stuff to hide the identities of the users working on the wiki as well as protecting the identity of people visiting the site. For example external links always use a trampoline now to make sure that 3rd party sites do not know where you came from. Furthermore we deleted all accounts not used for a year as part of the cleaning process.

We have meant to comment on the "trampoline" before. Why did they waste their time with this feature ?

It just looks and feels like another creepy hidden visitor tracking system, even if it is not meant to be that.

If they had not disabled the SSL version of the website, then there would already have protection against sending HTTP_REFERER environment variables to the external web pages which are linked to in the WIkI. Similarly if people do not simply click on a link, but Open in a New Tab or New Window, especially in the Private Browsing modes of most modern web browsers, then this information is not sent anyway.

Generally the technical staff is pretty busy putting the resources you granted us to good use. We are still extending the network with new machines, but will provide a dedicated interface for this type of help soon (email just does work for this kind of task).

Should this read "email just does not work for this kind of task" ?

Please do not make it a Twitter interface !

We have switched the complete system to a new architecture.

What was wrong with the old one ? Did it not scale properly ?

Why not publish a high level description of this architecture, so that WikiLeakS.org can be advised on how not to make elementary mistakes, again.

Until they do so, their hopes for lots of local versions of WikiLeakS.org to spring up organically around the world in parallel, will be still born.

If you notice that something does not work as expected please drop into the chat and talk to the staff there.

WikiLeakS.org has a world wide audience.

Is there really someone lurking in the IRC chat room 24 / 7 ?

They will be able to either relay your message or get you in contact with someone who can look at the problem.

The WL teams want to thank everybody for their support and patience.

By WikiLeaks on July 17, 2010

We are glad that someone is trying to sort out the technological mess that the WikiILeakS.org project deteriorated into.

We can dream that they will publish some PGP keys....

There is also the whole question of anonymous Mobile Phone Communications. Many more people have access to these than to fast computers and internet connections.

Surely the WikiLeakS.org technical team should be creating or promoting mobile phone SMS text and MMS message anonymous submissions systems ?

Perhaps as a result of the recent publicity in Wired magazine about their broken security technology promises and systems, which this blog has been commenting on for a while, WikiLeakS.org now appear to have brought back their SSL / TLS session encrypted web form, for "secure" Uploads of electronic documents to the website..

No announcement or explanation or apology

Typically this has been done without any explanation or apology, on the main web site or via the Wikileaks Twitter propaganda broadcasts or press release emails.

Neither has there been any announcement or discussion of this major development on the as yet unused new Official Wikileaks Blog:

This blog is to discuss technical or community issues related to WikiLeaks and Sunshine Press that do not have a natural fit on the main WikiLeaks pages.

Note that the word "blog", like the word "wiki", has been redefined in WikiLeakS.org's Orwellian newspeak - they really mean "another channel for propaganda broadcasts, which does not allow any feedback via comments from the public", the very opposite of their usual meanings.

As always with WikiLeakS.org, there is still no clear explanation of the advantages and disadvantages or actual risks to your anonymity of using this re-launched and modified document submission method, if you are a potential whistleblower.

Worryingly, there could also be hidden tracking of the IP addresses and other web browser details of each upload submission with this new Upload Form. (see below)

Still no SSL encryption for Downloads, as there used to be

There still does not appear to be any re-introduction of the SSL / TLS encrypted web session Download option on the couple of thousand whistleblower leaked document pages, as there used to be. The only options are still the unencrypted "File" and the bittorrent Peer to Peer options "Torrent | Magnet ", which are likely to be blocked in many places.

N.B. despite the hype, there has never been "over a million" documents published on WikiLeakS.org as various media reports have claimed,
a misconception which WikiLeakS.org have deliberately never corrected.

The new Wikileaks Upload form

The new web submission form links from the main WikiLeakS.org website, as before, but instead of going to https://secure.wikileaks.org the new web form is at

https://sunshinepress.org

A positive point is that they do publish the Digital Signature hashes which correspond to this
correspond to the new Digital Certificate:

Before submitting anything verify that the fingerprints of the SSL certificate match!
SHA256 85:C3:77:8E:7F:BC:96:42:CF:EE:03:B0:AC:4A:2A:26:15:18:CB:50:41:EC:7A:2A:CC:9F:56:60:67:94:04:7E
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76
MD5 4B:6F:6A:D8:A2:29:7F:06:F3:4F:33:EE:74:32:1C:F8

The laudable intention is to provide some sort of authentication that this data file upload form is being run by WikiLeakS.org, but not for the first time, WikiLeakS.org have made a mistake with the fundamental trust model.

However WikiLeakS.org are establishing the chain of trust from the wrong place - the new Digital Certificate and its cryptographic hash "fingerprints" help to verify that this is a sunshinepress.org web page, but they do not verify that it is a wikileaks.org one.

The Upload Form almost certainly is being run by WikiLeakS.org, only because those of us who are familiar with the history of WikiLeakS.org and who have carefully explored that website, will notice that that the WikiLeakS.org Contact Page now exclusively publishes contact email addresses using

@sunshinepress.org

The sunshinepress.org domain name has been a "cover name" since the beginning of the project and has been used to help collect financial donations.

Given the risks of DNS poisoning or Man-in-the-Middle attacks, WikiLeakS.org should have published these hash values on a WikiLeaks.org web page, certainly not just on the unfamiliar to most people, sunshinepress.org one.

Anyone familiar with fake internet banking "phishing" websites should have noticed this error.

The web form retains what may be the the original submission system's delayed publication / embargo request facility.

The old scheme used to explain that there was a deliberate, random delay between submission and publication, in order to help to confuse Communications Data Traffic Analysis, but perhaps, like so much else, this was not true, and just relied on the editorial approval process to introduce a delay.

It is unclear if any of this still applies with the new Upload Form.

Making a hash of the footnote

The footnote which repeats the SHA1 cryptographic hash of the Web Server's Digital Certificate, which appears on each of the subsequent pages during the data file upload process, is a bit confusing.

Each of the Leaked Document pages publishes, from the previous "secure" submission system is published with a cryptographic hash of the file which was uploaded e.g.

Cryptographic identity SHA256 27b41de6409afc666abd12e65de417439a78b94dbe37bfd601f02e531a2f15a3

but without giving or pointing the website visitor or the original whistleblower to any tools to use this "fingerprint" to actually verify that the file being downloaded has not been tampered with or corrupted.

Similarly, the weaker but still adequate SHA1 hash on the footnote of Upload Form pages does not actually prove that the content of each web page it appears on has not been tampered with or corrupted - it would have to be a Digital Signature for each individual page to do that, using something like PGP (which WikiLeaks.org are stupidly still boycotting).

Courage is contagious.
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76

At first glance it appears to be a hash of the words "Courage is contagious", which it is not. (it is debatable if the slogan is true or not).

GlobalSign Digital Certificate

The new Digital Certificate is from a recognised commercial Certificate Authority, GlobalSign nv-sa unlike the self signed one used by the WikiLeakS.org IRQ IRC chat server.

CN = GlobalSign Domain Validation CA
O = GlobalSign nv-sa
OU = Domain Validation CA
C = BE

[...]

CN = sunshinepress.org
O = sunshinepress.org
OU = Domain Control Validated
C = SE

The GlobalSign Certificate Authority is based in Belgium, which may make it a little more resilient against a US or UK court order attempt to force them to revoke this Digital Certificate.

Lawyers have already gone after the equally neutral and illegal content free wikileaks.org domain name, so it is only a matter of time before they try the same sort of legal trickery and threat of expensive court costs, even if you win the case, with SSL Certificate Authorities as they have done with Internet Service Providers and with Domain Name registrars.

See our censorship threats from Lawyers category archive

Whether this Belgium based CA will secretly hand over the private de-cryption keys for this sunshinepress.org / wikileaks.org upload web server when faced with a Mutual Legal Aid Agreement or European Evidence Warrant from foreign intelligence or police agencies or a Belgian police warrant or Court order, remains to be seen.

At least now, this current Digital certificate from a commercial Certificate Authority is, by default, trusted by the vast majority of web browser software, which will therefore not pop up warning messages, which would certainly put off some or all sensible or paranoid whistleblowers.

Like all modern Digital Certificates it uses SHA1 and does not rely on the potentially foregable MD5 cryptographic hash, which the old WikileakS.org Digital Certificate used to.

This Digital Certificate is valid from Friday 16th July 2010 for a year:

Not Before:
16/07/2010 10:47:50
(16/07/2010 10:47:50 GMT)

Not After:
17/07/2011 10:47:46
(17/07/2011 10:47:46 GMT)

It covers 3 possible domain name aliases:

sunshinepress.org
www.sunshinepress.org
submit.sunshinepress.org

All of these domain names resolve to the same IP address that the wikileaks.org ones do i.e. to

IP address: 88.80.2.32
Host name: wikileaks.org

IP address: 88.80.2.32
Host name: sunshinepress.org

They all appear to use the same kind of Reverse Proxy Server:

Via: 1.1 https-www
Server: Sun-Java-System-Web-Server/7.0
Proxy-agent: Sun-Java-System-Web-Server/7.0
X-powered-by: Servlet/2.4

With this new Digital Certificate, WikiLeakS.org is back to the situation it was between its May re-launch and 12th June , when the old Digital Certificate was unprofessionally allowed to expire with any rollover to a new one.

Still no return of the Tor Hidden Service

There is still no Tor Hidden Service end to end encryption through the Tor anonymity cloud, like there used to be before the self-imposed shutdown of the website last Christmas 2009.

UPDATE:

http://suw74isz7wqzpmgu.onion/

has been announced on the Official Wikileaks Blog and by Jacob Applebaum standingin for Julian Assange at the HOPE hackers' conference in New York.

Potential snooping via the WikiLeaks.org Upload form

If you click on the link on the WikiLeakS.org Upload Form to the Disclaimer link, or actually selct a local file from your computer and press the Submit button, or if you read the HTML source code of the form, you will see something like

https://sunshinepress.org/upload/A52CFA2183C87B6B2AC792FC535EC83EB9DBA669/meta

in your web browser address bar.

i.e. a dynamically generated URL, which is different for each visitor or visit to the Upload Form.

If we took a charitable view, this could simply be a badly configured database driven web page Content Management System, which is producing human unfriendly URLs.

This might make sense, if WikIleakS.org was selling the content of its web pages and wanted to track each visitor's viewing habits or if they were trying to make it more difficult for valuable digital content to be indexed by web search engines.

To have this feature only on the supposedly "secure" and document file upload web form, to a supposedly "anonymous" whistleblower website makes no sense at, unless either incompetence or deliberate snooping are involved.

How can sceptical, suspicious people like us or any sane , cautious whistleblower, be assured that the 40 character 0-9, A-F, probably hexadecimal string, is not being logged by the web server hosting infrastructure e.g. the web server(s), proxy server(s) , etc. ?

Because this "unique identifier" appears in the URL path of the multi-page web form, it is visible as Communications Traffic Data to your local Internet Service Provider and other commercial and government snoopers, regardless of the fact that the rest of the web page and your actual upload is encrypted via TLS / SSL using the web server's Digital Certificate. In the European Union, for example, this Communications Data is, by law, retained for up to 3 years.

This "unique identifier" reduces the chances of the "plausible deniability" excuse during any "leak investigation" i.e. the claim that the computer used to upload some leaked document or other was not yours, but must have been someone else's within the same organisation or another customer of the same Internet Service Provider etc.

Coupled with the lack of any explicit statement by WikilLeakS.org that no web server or firewall or intrusion detection or anti-virus scanning or reverse proxy server or traffic management or load balancer etc. infrastructure at the PRQ web hosting company in Stocholm , Sweden, does not retain any IP address or other details in their log files (as all of these internet components tend to do by default) , any cautious whistleblower should assume that their supposedly secure SSL encrypted web upload session will leave electronic traces which may very well betray their identity, especially to the Swedish police and intelligence agencies and to WikiLeakS.org insiders.

Unless and until WikIleakS.org either clearly explain these unique identifiers in the web pages, or , better still, simply remove them, then we will advice people not to use this new, supposedly secure and anonymous, whistleblower document data file upload form.

[UPDATE 12:00 GMT - the missing PGP page and Discussion page are now back online, but comment additions or editing are still not allowed]

Either through carelessness, or through deliberate censorship WikiLeakS.org now appear to have deleted the Discussion page, which was online for a couple of years, which discussed their (lack of) PGP public encryption keys.

[via Cryptome.org: Wikileaks Support Initiative]

2. Second encryption to Wikileaks of the encrypted submission. Wikileaks keys (Wikileaks Talk on PGP Keys, downloaded 4 July 2010, now apparently removed.)

Surely this polite, constructive criticism and helpful suggestions is rather less worthy of censorship than some of the other stuff which WikiLeakS.org is still allowing to be published on its website ?

Judge for yourselves:

This IDG interview of Julian Assange should worry potential whistleblowers:

Wikileaks founder reflects on Apache helicopter video

The mainstream media ignored some of the other material Wikileaks published, says Julian Assange

By Jeremy Kirk, IDG News Service
July 12, 2010 12:22 PM ET

[...]

Assange spoke on Friday at the Center for Investigative Journalism at City University in London,

[...]

The second half of the article contains this extraordinary claim:

Assange said about one in six people affiliated with the U.S. military who enter Wikileaks' secure chat room end up passing information to the Web site. He said those who come to the chat room often possess evidence of something that is making them angry.

"At that point, they come to us, and maybe we can help them," Assange said.

But turning those visitors into sources is delicate, and different approaches have to be used. "You really have to establish a connection at that moment," Assange said.

Is the WikiLeakS.org "secure chat" system effectively a honey pot trap for US Military whistleblowers ?

It is unclear just how many "people affiliated with the U.S. military who enter Wikileaks' secure chat room" there have been.

Why would any real whistleblowers "affiliated with the U.S. military " or not, be stupid enough to contact WIkiLeakS.org , or anybody else, via Internet Relay Chat ?

WIkiLeakS.org Chat web page gives instructions on how to connect to their Internet Relay Chat (IRC) chat system.

There are no warnings and no advice about how to use this Internet Relay Chat system anonymously, even though that web page claims

Whistleblower? Journalist? Citizen journalist? WikiLeaks writer, volunteer, supporter or techie? Get advice and talk with people like you on the WikiLeaks secure chat (also good for safe interviews with anonymous sources).

"also good for safe interviews with anonymous sources" ???

Not if they expect to remain anonymous for long if there is any sort of "leak investigation" !

It is irrelevant whether or not the chat system is "encrypted" using SSL - that does not protect the Communications Traffic Data i.e. IP address, time, date and how much data has been transferred in a session.

The SSL encryption certificate for secure.wikileaks.org:9999 is a self signed one, apparently issued by WIkiLeakS.org itself, but there is no explanation of why this should be trusted on the website.

There is no mention of how , for example, to use Tor to connect to this IRC system to try to protect your Communications Traffic Data from snoopers.

The IDG article continues

Assange said Wikileaks is currently re-engineering its submissions engine, an important security tool that can help protect sources who are passing sensitive information to the site. The submissions engine has been described as having military-grade encryption.

Assange contested a Wired magazine story from June 30 titled "With World Watching, Wikileaks Falls Into Disrepair." The story said that the submission engine has been degraded for months and that its SSL (Secure Sockets Layer) certificate had expired. Assange contended he told Wired magazine that it was being redesigned but that article said that he declined comment.

So why have neither Julian Assange nor any of the other WikiLeakS.org activists bothered to update any of their website pages with this news ? Even now the website still gives the impression that there is a working "secure" submission service.

Is that incompetence or deliberate deceit ?

Perhaps the WikiLeakS.org people are in the process of changing, or mending, their currently useless website.

The IP address of their main web servers, which are still hosted by PRQ internet in Stockholm, Sweden, has changed

IP address: 88.80.2.32
Host name: wikileaks.org

IP address: 88.80.2.32
Host name: www.wikileaks.org

IP address: 88.80.2.32
Host name: secure.wikileaks.org

There is still no Digital Certificate for https://secure.wikileaks.org

You may catch glimpses of the home page or the submissions page etc. from their reverse web cache, or from your own browser or ISP caches, but the main WikiLeakS.org site is currently non-functional.