Source: http://www.freitag.

de/politik/1134-nerds-ohnenerven Leak at WikiLeaks

WikiLeaks has a security problem. And its bigger than known until now. How secure are leaking platforms?
They had the same goal: transparency. And they have been friends. Now Julian Assange, the eccentric Australian, and Daniel Domscheit-Berg, the peculiar German, are only connected by mistrust and hate. The idea both once represented is endangered to be damaged. Assange and Domscheit-Berg started a mudslinging which both WikiLeaks, the mother of all whistleblower platforms, and Openleaks, the follow-up project of the German, brings into danger. The war of nerds raises doubts about how responsible the self-proclaimed transparency guards are handling the data they receive. Because WikiLeaks has a leak. And that is bigger than known before.

Friday evening last week the phone of Freitag-publisher Jakob Augstein rang. It was Julian Assange. The WikiLeaks-boss sits in a Mansion in the English shire Norfolk since December 2010. He has an electronic tag around his ankle and has to report regularly to the police. Assange fights his extradition to Sweden where he might face a court hearing about rape. But this evening hes worried about a publication coming up in Freitag about the dispute between WikiLeaks and OpenLeaks about the US cables, so the 250 000 documents of the US state agency which were leaked to WikiLeaks last year. Assange was concerned about the safety of informants. Augstein assured Assange that Freitag wont publish any information endangering the informations of the Americans and asked Assange to publicly answer to the events. Assange declined. The concern of the WikiLeaks-boss wasnt unjustified though. The Freitag discovered a file with unedited US cables in the internet. The password for the decoding of this file is also findable online. The file with the name cables.csv is about 1.73 GB big and contains both already published cables and numerous unpublished reports, such as conversations of US embassy employees with informants or alleged Intelligence members from Israel, Jordania, Iran and Afghanistan with their names or other possibilities to identify them. An informant from Iran, who is described very closely, is quoted with the words, that the people in Iran always try to create the impression that they follow these stupid crazy mullahs.

If the file is a complete unedited copy of the diplomatic cables could not be confirmed by Freitag till editorial deadline. The password for this file is out in the open and easily to identify by experts. Its not unlikely that interested people and agencies didnt detect it and gained access to the complete data set. Danger for bystanders? With that obviously something happened that actually should have been avoided: an uncontrolled opening of highly sensitive data. Last year WikiLeaks collaborated with big international media on the publishing of the embassy cables. Spiegel, Guardian and New York Times should have guaranteed that there will be no misuse of the sensitive informations. Till now only redacted data were published where the informations about people, who could be possibly in danger, were removed. Due to the leak at WikiLeaks this protection is now lapsed. Who is responsible? The answer for this question lies in the maze of the past of WikiLeaks. In autumn 2010 Daniel Domscheit-Berg left the whistleblower platform together with other activists. As so often the reasons for this division become blur after such events: Confirmed is that there was a dispute about alleged safety breaches, about the public reputation of WikiLeaks, about the question of which conclusions Assange will draw regarding the rape allegations against him. With them they took the electronic mail box including content amongst other things also ca 3000 unpublished documents leaked by whistleblowers. According to WikiLeaks these contained data from Bank of America, internals of around 20 Nazi organizations and the socalled No-Fly-list, a list of those people who are not allowed to set foot into an aircraft in USA due to safety reasons. It is a data treasure of immense value for every leaking platform potentially of course also for OpenLeaks, the project with which the WikiLeaks-dropouts want to prove what they learned from Assanges mistakes they claimed to know about. Julian Assange accuses his number two of sabotage and fired him. Domscheit-Berg offered to WikiLeaks the return of the data if they can provide a secure way to store them. And so the fight between these two both talented and difficult characters Assange and Domscheit-Berg started in which, to make it even more complicated, a third jumps in who can compete easily with the two nerds-in-chief: Andy Mller-Maguhn, board member of the hacker association Chaos Computer Club (CCC) claims to have tried to intermediate between the opponents. In autumn 2010 he achieved a partial success: the dropouts give him a safety copy of the WikiLeaks data server, so a data set of fully or partly published documents. Shortly after that these files were available for download online. Its not known who uploaded them. Mller-Maguhn doesnt want to make a statement about this situation. In February 2011 Domscheit-Berg published his reckoning-book Inside WikiLeaks. My Time with Julian Assange at the World's Most Dangerous Website. In that he wrote: Till today we wait for Julian to restore the security. On behalf of Assange the Berlin based lawyer Johannes Eisenberg stated at that time: The material is of course save with WikiLeaks. Domscheit-Berg however refused to return them. The mudslinging started. Then in august the huge hacker meeting of the CCC took place in Finowfurt (Brandenburg). Daniel Domscheit-Berg presented there for the first time in public the submission platform of Openleaks and asked hackers and other users to infiltrate his electronic mail box. Five

partners accompanied the test, amongst them the Freitag. It should have been a huge step forward for the project as Domscheit-Berg hoped. He stated in an interview with Freitag No, I didnt take any documents with me from WikiLeaks. And we dont have a treasure chest which we can use. Andy Mller-Maguhn foams. The board of the CCC expels Daniel Domscheit-Berg, allegedly for damaging the reputation of the hacker club by announcing said test. Mller-Maguhn tells the Spiegel: The CCC is not the TV (ed's note: a German safety certification organization). We won't allow ourselves to be co-opted like this. Furthermore he stops his intermediation because of the untruthful statement of Domscheit-Berg. Domscheit-Berg says: We told Mller-Maguhn months ago that we dont accept him anymore as intermediator. But his wording in the interview of Freitag was really not very precise and slipped through when he authorized it. Human as element of uncertainty After that things get chaotic. As a consequence of the incidents at the hacker meeting Domscheit-Berg announces that the WikiLeaks-dropouts want to destroy the electronic keys and also the data they took with them. And he wants to provide an affidavit about that. Julian Assange reacts with a statement in which he talks about direct and indirect contacts of Domscheit-Berg and his wife to different intelligence agencies, although always with additions which might be added to prevent law suits. It says I do not know if DDB was complicit
with the reported contact. or This may not be significant.

Only now the full power of this dispute between the former companions is unleashed. In the internet open letters begin to circulate, written by acquaintances of Domscheit-Berg who now doubt his integrity. Via the short message service Twitter WikiLeaks supporter battle with the remaining OpenLeaks -sympathisers. Obviously its even for theoretically like-minded supporters of social openness impossible to stay neutral. The Freitag too has to face this problem. After all the newspaper spoke up very early, in December 2010, against the criminalization of WikiLeaks and now accompanies the testing phase of OpenLeaks. Can one under such circumstances publish an article that on the one hand warns whistleblowers and third parties about a security breach at WikiLeaks, but on the other hand could get the project OpenLeaks into trouble? The answer is: It has to be done. Freitags Editor-in-chief Philip Grassmann: The leaking could be a revolution of journalism and a huge progress for the net democracy but the risk of human failure is enormous. The secret password necessary for the decryption of the data is said to be passed on by Assange himself. The person claiming to have received the password from Assange indicates of having no knowledge at all about the file being in the hands of Freitag. The person thought that the phrase passed on by Assange was a temporary password losing validity after some time. We dont censor our publications but sometimes it happens that we remove identifiable informations from the original documents or that we delay the publication in order to keep innocent people safe from harm. (Translators note: sorry, no time to find the right quoting ;D) WikiLeaks describes in one of the two core promises: the guaranty of anonymity and safety of sources and persons not involved. Indeed until today there is no whistleblower known to be endangered by a technical mistake. But as the safety leak revealed by Freitag

shows that the protection of persons named for whatever reason in leaked documents cant be protected by the activists around Assange. Since WikiLeaks seems to be jointly responsible for unedited embassy cables being online and a password for decrypting being findable in the internet it is more understandable why Domscheit-Berg refused to return the documents he took along. But if he knew about that, the question comes up if the WikiLeaks-dropout has ever been willing to return them to his former companion. After all a file circulating in the internet cant be deleted anymore. And so the revelation of the security leak of WikiLeaks could also backfire to OpenLeaks. Because the dispute between Assange and Domscheit-Berg shows the weak point of every whistleblower platform. For the future of leaking this is an essential question: which organizational structures can ensure that internal disputes wont endanger lifes in the end?