
WikiLeaks published unredacted cables after password was disclosed in book

WikiLeaks published a cache of unredacted government cables after a book containing the password led to their appearance on other parts of the internet, court told

WikiLeaks published hundreds of thousands of unredacted government cables only after they had been published by other people on the internet, a court heard yesterday.

Christian Grothoff, an expert in network security from the University of Applied Sciences in Bern, Switzerland, said copies of the documents came into the public domain after the password was published in a book about WikiLeaks.

He was speaking on the 10th day of an extradition hearing held against Julian Assange at the Old Bailey in London.

Assange has been indicted on 17 charges under the US Espionage Act and has been accused of publishing unredacted documents which put the lives of local Afghans and Iraqis who passed information to US forces at risk.

The WikiLeaks founder faces further allegations that he conspired with computer hackers to encourage them to obtain secret US government documents.

During the hearing, Joel Smith, representing the US government, accused Grothoff of bias after disclosing that he had signed a letter sent to US president Donald Trump calling for him to stop the prosecution of Assange.

Passphrase gave access to encrypted documents

Questioned by Mark Summers, QC for the defence, Grothoff said WikiLeaks shared a passphrase with investigative journalist David Leigh giving him access to a website containing the encrypted documents.

“It was described in David Leigh’s book as a very long password,” he said. “One can look at the password and estimate how long it would take to attack by brute force. It could not be broken in a reasonable amount of time.”

WikiLeaks was hit by a cyber attack in November 2010 after its media partners began to publish the US diplomatic cables in redacted form, Grothoff told the court.

“The WikiLeaks site was under a denial-of-service attack, when someone – we don’t know who – tried to make the site inaccessible,” he said.

WikiLeaks’ DNS service provider later terminated the WikiLeaks DNS service to protect its other customers.

WikiLeaks website ‘mirrored’ after cyber attack

The attack led to other people making “mirrors” of the WikiLeaks site, with the encouragement of WikiLeaks, to duplicate the contents of its site, said Grothoff. Some of these mirrored sites included encrypted copies of the unredacted cables, he added.

However, in February 2011, journalists David Leigh and Luke Harding published a book, WikiLeaks: Inside Julian Assange’s war on secrecy, which reproduced the passphrase Leigh had been given to access encrypted files.

Grothoff said WikiLeaks would not have been able to change the passphrase to protect the file which had been mirrored on other parts of the internet.

German newspaper revealed existence of password

Nothing happened until German weekly newspaper Der Freitag published a story saying the password had been leaked and that it could unlock copies of the encrypted files on the internet.

“Now people could easily put two and two together,” said Grothoff.

The court heard that on 31 August 2010, Nigel Parry, who ran a website, had used the passphrase to decrypt the cables.

At about the same time, the decrypted cables appeared in BitTorrent and the website Cryptome published the cables in unredacted form.

“Cryptome is a well-known site for leaking information and it inspired WikiLeaks,” said Grothoff.

On the same day, the website mrkva.eu published a searchable copy of the unredacted document, and the decrypted cables that became available on BitTorrent appeared on the Pirate Bay website.

WikiLeaks published the unredacted documents on 2 September 2010, making announcements on Twitter and on the WikiLeaks website.

“By that time, [the document file] was on the internet in a way that was impossible to stop,” said Grothoff.

Prosecution: ‘You’re biased, you are partial’

Joel Smith, for the prosecution, raised questions about Grothoff’s impartiality as an expert witness.

He asked Grothoff why he had signed a letter from WikiLeaks’ legal defence fund to president Trump.

“I do not recall when I signed it or how this signature came to be,” said Grothoff.

“You don’t remember signing an open letter to the president of the US calling for the cessation of the prosecution of Julian Assange?” said Smith. “You’re biased, you are partial.”

Grothoff said: “I believe that looking at the indictment put forward, you are confusing WikiLeaks’ attempts to hide documents with publishing them. You did not properly do your homework in finding out who published the cables first.”

The computer scientist agreed that WikiLeaks gave 50 media and human rights organisations access to 100,000 unredacted US government papers.

Grothoff said WikiLeaks’ encouragement of people to mirror its contents on the internet may have been an attempt to build a haystack to make it harder to find the encrypted file containing the unredacted documents.

“If someone did realise at WikiLeaks [that the passphrase had been published], this might have been a good way of building a haystack,” he said.

WikiLeaks put out a statement dated 1 September 2010 which cited a paragraph from Leigh’s book quoting the passphrase, and criticising the journalists for publishing it.

WikiLeaks went on to publish all the cables on 1 September 2010 in what it called a “cable bomb”.

Grothoff agreed that WikiLeaks had a significant public reach.

All or nothing

Questioned by Summers, representing Assange, Grothoff said he was not aware of any newspaper being given access to the whole set of leaked documents apart from David Leigh at The Guardian.

“David Leigh was a recognised journalist for a major newspaper, so it was recognised he would be qualified to do redactions,” he said.

Leigh had to press Assange to disclose the whole set of documents. Assange initially offered 50%, but Leigh said: “All or nothing.” Assange capitulated after Leigh warned that Assange could end up in Guantanamo before the documents were published.

Grothoff said WikiLeaks had given instructions on how to create mirrors of its site, but some mirrored sites were created by people using other software.

He said that as far as he could tell, the mirrors that were set up through the encouragement of WikiLeaks did not contain encrypted or decrypted versions of the classified cables.

He said the encrypted cache of documents most likely ended up in other mirrored sites by accident. “How exactly they got there I cannot say,” he added.

Summers said that in addition to Grothoff, former US army, CIA and FBI employees had signed the letter asking for Trump to stop the prosecution against Assange.

The case continues.

Defence timeline

Summer 2010: WikiLeaks gives investigative journalist David Leigh access to the US diplomatic cables, which are stored on a website as an encrypted file with the filename “xyz_z.gpg”.

28 November 2010: The Guardian, El Pais, Le Monde, Der Spiegel and the New York Times begin publishing redacted cables from WikiLeaks. WikiLeaks is subjected to a denial-of-service attack.

2 December 2010: WikiLeaks service provider EveryDns.net terminates DNS hosting for WikiLeaks to protect its other customers against the denial-of-service attack on WikiLeaks.

4 December 2010: Third-party organisations begin to mirror information from WikiLeaks by creating mirrors of the information on websites and BitTorrent. Some of the mirrors include the encrypted file given to David Leigh, “xyz_z.gpg”.

1 February 2011: David Leigh publishes his book WikiLeaks: Inside Julian Assange’s war on secrecy. The book disclosed the passphrase for accessing the encrypted file containing the unredacted diplomatic cables.

25 August 2011: Der Freitag reports that it has discovered a copy of the full archive on the internet and was able to decrypt it using a passphrase found on the internet.

31 August 2011: The website Cryptome publishes a report on the passphrase and which file it decrypts. A searchable copy of the decrypted cables appears on the website mrkva.eu. WikiLeaks makes a public statement about the disclosure of the passphrase in Leigh’s book.

1 September 2011: A user called “droehein” creates a BitTorrent on the Pirate Bay website sharing the decrypted cables.

2 September 2011: WikiLeaks republished the unredacted cables on the WikiLeaks site.

Source: Christian Grothoff
