Unredacted U.S. Diplomatic WikiLeaks Cables Published

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don’t expect.

Near as I can tell, this is what happened:

In order to send the Guardian the cables, WikiLeaks encrypted them and put them on its website at a hidden URL. WikiLeaks sent the Guardian the URL. WikiLeaks sent the Guardian the encryption key. The Guardian downloaded and decrypted the file. WikiLeaks removed the file from their server. Somehow, the encrypted file ends up on BitTorrent. Perhaps someone found the hidden URL, downloaded the file, and then uploaded it to BitTorrent. Perhaps it is the “insurance file.” I don’t know. The Guardian published a book about WikiLeaks. Thinking the decryption key had no value, it published the key in the book. A reader used the key from the book to decrypt the archive from BitTorrent, and published the decrypted version: all the U.S. diplomatic cables in unredacted form.

Memo to the Guardian: Publishing encryption keys is almost always a bad idea. Memo to WikiLeaks: Using the same key for the Guardian and for the insurance file — if that’s what you did — was a bad idea.

EDITED TO ADD (9/1): From pp 138-9 of WikiLeaks:

Assange wrote down on a scrap of paper: ACollectionOfHistorySince_1966_ToThe_PresentDay#. “That’s the password,” he said. “But you have to add one extra word when you type it in. You have to put in the word ‘Diplomatic’ before the word ‘History’. Can you remember that?”

I think we can all agree that that’s a secure encryption key.

EDITED TO ADD (9/1): WikiLeaks says that the Guardian file and the insurance file are not encrypted with the same key. Which brings us back to the question: how did the encrypted Guardian file get loose?

EDITED TO ADD (9/1): Spiegel has the detailed story.

Posted on September 1, 2011 at 12:56 PM • 83 Comments