Full-Disclosure, Unredacted WikiLeaks, Security and The Guardian

It's not often that one gets to call a Guardian piece all of illiberal, misconceived and self-serving, but it seems to be what happens when one or more of their writers are backed into a corner after doing something silly. Of course it's unfair...


It's not often that one gets to call a Guardian piece all of illiberal, misconceived and self-serving, but it seems to be what happens when one or more of their writers are backed into a corner after doing something silly. Of course it's unfair to pick upon them when (as stated) the New York Times, El Pais, Der Spiegel, Le Monde and Reporters Without Borders are all equally guilty of woolly thinking - but this is an opinion piece and I don't seek to be fair, I seek to explain, so I'll just pick on the Guardian in specific.

But first, a preamble:

Twenty years ago I had a epiphany; I had authored a tool which would discover weaknesses in a computer system - ie: users who had selected guessable passwords - in order to help me and my fellow system administrators improve security. The tool deserved to be shared, and with my naive understanding of risk I released first a bowdlerised version, missing-out some fast encryption code that otherwise provided a 12x performance boost.

I thought that by this self-censorship I was being a responsible citizen but it was rapidly driven home to me that:

  • similar fast encryption code was available elsewhere

  • motivated and capable bad guys would find and utilise that

  • less-motivated and less-capable good guys would thus have inferior tools to the bad guys

Eventually I got the message and released the full program to the 'Net, an act which sedimented my opinion and was perhaps the first major victory of the philosophy of full disclosure in computer security. The battle has since been fought many times, and is still important regarding the trade in zero-day exploits - eg: a story from 2008 and it's only got worse since then - not to mention other damnable practices of the security industry.

But now WikiLeaks; the story is nicely covered at The Register, and from my experience I applaud WikiLeaks' embracing of the obvious, that:

  • If the password for a copy of the cable database is publicly known, and...

  • If that cable database itself is kicking-around on filesharing networks[1], then...

  • The only rational thing to do is release the entire, unexpurgated database in a formal fashion.

If this rationality is not obvious, allow me to spell it out: motivated bad guys would have this data anyway, because they would have swept up the database from Bittorrent and then found the password for the data had been published in Guardian assistant-editor David Leigh's WikiLeaks book, for the price of a dramatic column half-inch.

But here's the twist: people named in the unexpurgated database can now determine that they are named in it; there need no longer be doubt and they may take whatever steps they deem necessary to protect themselves from those who would do them harm. As dissidents and informers they certainly already know that they are at risk, but now they may discover whether they are under threat.

Regards password publication, the Guardian has since argued that the greater security risk was that the same data they received was reposted to file-sharing sites, using the same password, at some other date; they have a strong point in that reuse of passwords is a really bad idea, but overall I cannot agree with their position because encryption keys (ie: passwords) protect data much as door keys protect a house, the idea being that both houses and data can exist safely in public so long as nobody loses or duplicates the keys.

Only two weeks ago I presented at Hacks & Hackers London with a primary theme of the "stickiness" of digital data and how hard it is to expunge, so I'll further guess that there are spare copies of the Guardian's own cable database backed-up variously at Guardian HQ, and (again) David Leigh's publication of the key means that those files are now somewhat less defended. I'll allow that the Guardian probably employs additional security atop the original data, but still the intentional publication of passwords smacks of bad operational security.

In a summation of the The Guardian's position, James Ball - Guardian data journalist and occasional visitor to Hacks & Hackers London - has weighed in regarding the potential damage caused by unredacted, uncensored publication of the cable database.

He writes:

WikiLeaks has published its full archive of 251,000 secret US diplomatic cables, without redactions, potentially exposing thousands of individuals named in the documents to detention, harm or putting their lives in danger.

The move has been strongly condemned by the five previous media partners - the Guardian, New York Times, El Pais, Der Spiegel and Le Monde - who have worked with WikiLeaks publishing carefully selected and redacted documents.

"We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk," the organisations said in a joint statement.

Put differently, from a full-disclosure perspective I can only understand that James, The Guardian, and all the critical organisations cited within his article believe that those named in the cable database are better-off remaining ignorant of the fact.

For the reasons above, I'd disagree.

[1] NB: The password cited is not for the famous "insurance" file, but instead for another file available elsewhere on the 'Net; but this concern is now moot after unexpurgated publication - which is of course the whole point of WikiLeaks' recent action...

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.

"Recommended For You"

ACTA Update I Update: T-Mobile lost control of data on 17 million customers