May 2015 Archives

Back in December 2011:

So where exactly is the promised new WikiLeakS.org whistleblower leak submission system ? Nowhere to be seen

Now, via @a_greenberg at Wired:

WikiLeaks Finally Brings Back Its Submission System for Your Secrets

[...]

On Friday, the secret-spilling group announced that it has finally relaunched a beta version of its leak submission system,
a file-upload site that runs on the anonymity software Tor to allow uploaders to share documents and tips while protecting their
identity from any network eavesdropper, and even from WikiLeaks itself. The relaunch of that page--which in the past served as the
core of WikiLeaks' transparency mission--comes four and a half years after WikiLeaks' last submission system went down amid infighting between WikiLeaks' leaders and several of its disenchanted staffers.

[...]

The long hiatus of WikiLeaks' submission system began in October of 2010, as the site's administrators wrestled with disgruntled staff members who had come to view Assange as too irresponsible to protect the group's sources.

After 5 years of broken promises, WikiLeakS have now re-launched something which is similar to the more widely deployed open source @SecureDrop or @GlobaLeaks platforms, which several media organisations and a couple of individual journalists offer as one of the channels to contact them securely, with or without actual leak documents.

N.B. you have to hunt for the "Submit" button link in a drop down menu on the WikiLeakS.org home page

This WikiLeakS system also relies on Tor, something which their previous efforts only used sporadically and inconsistently.

The Tor Hidden Service .onion address (which only works if you are using a Tor enabled web browser) is:

http://wlupld3ptjvsgwqw.onion


The optional Questions on the submission form imply that publication of the leaked data or documents can be delayed, e.g. until after the whistleblower has left their current employer, but there are no guarantees as to if, or when, a document will ever be published by WikiLeakS.org.

The neglect of small scale, limited audience leaks, in favour of megalomaniacal mega leaks, is what led, in part, to the revolt of so many of the early WikiLeakS volunteers against the dictatorial and cultish Julian Assange 5 years ago.

Until WikiLeakS explain in detail what happens next to a leaked document, once it has been uploaded, and exactly who has access to it, or to any
correspondence with the whistleblower, nobody, especially not "national security" whistleblowers should use this system.

Who owns the leaked documents & what is the redaction policy?

Given the previous attempts by Assange & WikiLeakS to claim exclusive ownership and copyright of, essentially, other people's stolen information,
the fact that there is no policy statement about the ownership of leaked material, is telling.

Do whistleblowers automatically hand over all rights and control over the release and any censorship or redaction of innocent 3rd parties personal details which may be in the leaked documents to Assange or to WikiLeakS ?

8192 bit GPG Key

Over 7 years after letting their first public GPG key 0x11015f8 expire without replacement, whinging that there were some fake keys on (insecure) public keyservers, and whinging that some people were using PGP/GPG insecurely (without any detailed guidance from the supposed experts at WikiLeakS.org themselves), they have now published a new 8192 bit GPG Public encryption Key:

https://wikileaks.org/index.en.html#submit_wlkey

pub   8192R/92318DBA 2015-04-10 [expires: 2016-04-09]
uid                  WikiLeaks Editorial Office High Security Communication Key (You can contact WikiLeaks at http://wlchatc3pjwpli5r.onion and https://wikileaks.org/talk) 
sub   8192R/D6DFD684 2015-04-10 [expires: 2016-04-09]

Fingerprint: A04C 5E09 ED02 B328 03EB 6116 93ED 732E 9231 8DB

They have not explained why they have chosen to publish a non-standard 8192 bit key.

The normal user interfaces to GPG software default to 2048 bits or a maximum of 4096 bits.

It is possible to create 8192 bit keys (or longer) using GPG command line batch mode options.

There is no cryptographic reason to use an 8192 bit key - it is not in practice any stronger than an already unbreakable 2048 or 4096 bit key.

So few people have or use 8192 bit keys, that its use makes it a characteristic marker, likely providing circumstantial evidence linking, on the balance of probabilities, any seized or stolen encrypted documents on a whistleblower's computer or USB media to WikiLeakS, regardless of the use of "throw-keyids" or the fact that the encrypted file cannot be de-crypted by the authorities or thieves.
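The marker described above can be read straight from the header of an encrypted file. This is an added example, not part of the original post: it parses the OpenPGP Public-Key Encrypted Session Key packet (RFC 4880) and estimates the recipient's RSA modulus size from the length of the ciphertext integer, which stays visible when the key ID is zeroed by throw-keyids. The function names are this example's own and the sample packets are constructed with dummy ciphertext.

```python
import base64

def read_packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet (RFC 4880 s4.2)."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                return                          # partial lengths only occur on data packets
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return                          # indeterminate length: data packet, stop
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_sizes(data):
    """Describe every RSA session-key packet (tag 1, version 3) in the message."""
    found = []
    for tag, body in read_packets(data):
        if tag != 1 or len(body) < 12 or body[0] != 3 or body[9] not in (1, 2):
            continue                            # algorithms 1 and 2 are RSA
        mpi_bits = int.from_bytes(body[10:12], "big")
        found.append({
            "key_id_hidden": body[1:9] == bytes(8),   # all zero with throw-keyids
            "mpi_bits": mpi_bits,
            # c = m^e mod n is below n, and almost never more than a few bits shorter
            "modulus_estimate": -(-mpi_bits // 256) * 256,
        })
    return found

def make_sample(modulus_bits):
    """Constructed input: a PKESK packet with a hidden key ID and dummy ciphertext."""
    mpi_bits = modulus_bits - 3
    value = b"\x1f" + b"\xa5" * (modulus_bits // 8 - 1)
    body = b"\x03" + bytes(8) + b"\x01" + mpi_bits.to_bytes(2, "big") + value
    return b"\x85" + len(body).to_bytes(2, "big") + body   # old format, tag 1

def armor_prefix(data):
    """First characters of the ASCII-armored form, which encode the packet length."""
    return base64.b64encode(data)[:5].decode()

if __name__ == "__main__":
    for bits in (2048, 4096, 8192):
        sample = make_sample(bits)
        print(bits, armor_prefix(sample), recipient_key_sizes(sample))
```

For the constructed packets the armored text begins hQEMA, hQIMA and hQQMA for 2048, 4096 and 8192 bit keys respectively, so the key size shows in the first line of an armored file without any decryption.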

There is no advice on the WikiLeakS.org website about how whistleblowers should use the GPG software properly on different platforms, e.g. password lengths, extra hash protection of their private keys in the keyring, physical protection of the keyring, the use of throw-keyids etc.

Link to our copy of this Public Key

Chat system

Unlike SecureDrop, there is no leak submission contact messaging channel within the submission system workflow

WikiLeakS have added a .onion Tor Hidden Service to their existing web chat system

http://wlchatc3pjwpli5r.onion and https://wikileaks.org/talk

N.B. the customised / branded first few digits of the chat system's Tor Hidden Service address (presumably done using a GPU based hash generator like Scallion), which they did not bother with for the leaked document submission system.

They also publish a non-Tor Hidden Service url for this chat system, so it may be ok for general chat with WikiLeakS staff or volunteers,
but any "national security" whistleblower should steer clear of it, even via Tor as the chat servers can be tracked down (for potential seizure or man in the middle attacks) via the non-Tor users

Using any form of real time communications, either encrypted chat or phone calls, is too risky between genuine "national security" whistleblowers and a heavily surveilled target like WikiLeakS.org - there is no scope for "plausible deniability" or an alibi, unlike with e.g. programmatically time delayed sending of encrypted emails or other online publications.

Arrogance & Obscurity

Julian Assange is still claiming that

https://wikileaks.org/Some-notes-on-the-new-WikiLeaks.html

Other submission technologies inspired by WikiLeaks, such as the European-based GlobaLeaks and the US-based Secure Drop, while both excellent in many ways, are not suited to WikiLeaks'
sourcing in its national security and large archive publishing specialities. The full-spectrum attack surface of WikiLeaks' submission system is significantly lower than other systems and is optimised for our secure deployment and development environment. Our encrypted chat system is integrated into this process because sources often need custom solutions.

No ! The "full-spectrum attack surface" of WikiLeakS's system is no better than that of any other Tor Hidden Service.

Potential whistleblowers have no way of judging whether WikiLeakS' secret internal computer and human systems are
any better or worse than those of SecureDrop or GlobaLeaks or other submission systems.

The next paragraph shows that Assange et al are still creating solutions to straw man problems, whilst ignoring the real risks to potential whistleblowers

For example, one of the problems with public-facing submission systems is bootstrapping. The fact that a source is looking at instructions that are telling them how to submit material could be used as evidence against them if there is an SSL key break. To prevent this, we deploy the full bootstrap instructions and keys on millions of WikiLeaks pages across our full server network. When the "Submit" button is pressed, there is literally zero network traffic as a result, because all these details are downloaded every time anyone looks at nearly any page on WikiLeaks. We cover the source bootstrap process with our millions of page views by readers.

These "millions of web pages" are a red herring and do nothing to obscure the traffic generated by the whistleblower, especially when they choose to hit the Submit button.

The time, date and the number of bytes of data which the whistleblower uploads to WikiLeaks is still observable, regardless of the fact that it is encrypted.

If anyone on a government or military network visits any part of the WikiLeakS.org website from work, that is likely to be flagged as suspicious behaviour regardless of how innocuous the content of a web page may be.

Their submission system provides no tools and not even any advice or instructions on splitting up or combining or padding out documents so as to hide their potentially characteristic size from ISP or state communications data traffic analysis.


https://wikileaks.org/index.en.html#submit_help_tips

3. Do not talk about your submission to others

If you have any issues talk to WikiLeaks. We are the global experts in source protection - it is a complex field. Even those who mean well often do not have the experience or expertise to advise properly.

This includes other media organisations

The claim that "We are the global experts in source protection", is, of course, exaggerated.

WikiLeakS.org has not proved to be any better at avoiding infiltration and surveillance than other media organisations or activist groups or intelligence agencies.

Given how the main WikiLeakS source Bradley now Chelsea Manning (now serving 35 years in prison) was not handled properly as a source by Assange (publication seems to have been more important to him than the welfare of Manning) it seems unlikely that WikiLeakS will ever again be handed large scale leaks or any "national security" leaks via this submission system.

It is very telling that despite the help that Sarah Harrison later gave to Edward Snowden between Hong Kong and Moscow, he did not trust WikiLeakS or Julian Assange with his revelations.

Assange is still in self exile in the Ecuadorian Embassy in London, trying to evade extradition to Sweden on alleged sex offences.

As such, given the millions of pounds UK taxpayers' money & the Metropolitan Police Service overtime being wasted on him he is likely a very high profile target for GCHQ and other signals and human intelligence agencies.

If, as we suspect, he is still heavily involved in the WikiLeakS editorial process, he himself is probably the greatest risk to the anonymity and safety of any "national security" whistleblowers stupid enough to contact WikiLeakS.org


About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail or Protonmail etc. accessible via the Tor anonymity cloud.

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblowers are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistleblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B. the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lamborn Wilson)

Cyberpunk author William Gibson

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

Amnesty International's irrepressible.info campaign

BlogSafer - wiki with multilingual guides to anonymous blogging

NGO in a box - Security Edition privacy and security software tools

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

Wikileaks.org - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.
