NOTE: “Participating in a botnet with the intention of shutting down a Web site violates the Computer Fraud and Abuse Act,” said Jennifer Granick, a lawyer at Zwillinger Genetski who specializes in Internet law and hacking cases. “The thing people need to understand is that even if you have a political motive, it doesn’t change the fact that the activity is unlawful.” Also, LOIC protesters’ IP addresses are not masked, so attacks can be traced back to the computers launching them.
WikiLeaks supporters disrupt Visa and MasterCard sites in ‘Operation Payback’
by Esther Addley and Josh Halliday / 9 December 2010
It is, according to one breathless blogger, “the first great cyber war”, or as those behind it put it more prosaically: “The major shitstorm has begun.” The technological and commercial skirmishes over WikiLeaks escalated into a full-blown online assault yesterday when a concerted online attack by activist supporters of WikiLeaks succeeded in disrupting MasterCard and Visa (a denial of service, not a compromise of either company’s systems). The acts were explicitly in “revenge” for the credit card companies’ recent decisions to freeze all payments to the site, blaming illegal activity. Though it initially would acknowledge no more than “heavy traffic on its external corporate website”, MasterCard was forced to admit last night that it had experienced “a service disruption to the MasterCard directory server”, which banking sources said meant disruption throughout its global business. Later, Visa’s website was also inaccessible. A spokeswoman for Visa said the site was “experiencing heavier than normal traffic”, and repeated attempts to load the Visa.com site were unsuccessful. MasterCard said its systems had not been compromised by the “concentrated effort” to flood its corporate website with “traffic and slow access”. “We are working to restore normal service levels,” it said in a statement. “There is no impact on our cardholders’ ability to use their cards for secure transactions globally.”
In an attack referred to as Operation Payback, a group of online activists calling themselves Anonymous said they had orchestrated a DDoS (distributed denial of service) attack on the site, and issued threats against other businesses which have restricted WikiLeaks’ dealings. Also targeted in a dramatic day of internet activity was the website of the Swedish prosecution authority, which is currently seeking to extradite the WikiLeaks founder, Julian Assange, on sex assault charges, and that of the Stockholm lawyer who represents them. The sites of the US senator Joe Lieberman and the former Alaska governor Sarah Palin, both vocal critics of Assange, were also attacked and disrupted, according to observers. Palin last night told ABC news that her site had been hacked. “No wonder others are keeping silent about Assange’s antics,” Palin emailed ABC. “This is what happens when you exercise the First Amendment and speak against his sick, un-American espionage efforts.”
An online statement from activists said: “We will fire at anything or anyone that tries to censor WikiLeaks, including multibillion-dollar companies such as PayPal … Twitter, you’re next for censoring #WikiLeaks discussion. The major shitstorm has begun.” Twitter has denied censoring the hashtag, saying confusion had arisen over its “trending” facility. A Twitter account linked to the activists was later suspended after it claimed to have leaked credit card details online. Though DDoS attacks are not uncommon by groups of motivated activists, the scale and intensity of the online assault, and the powerful commercial and political critics of WikiLeaks ranged in opposition to the hackers, make this a high-stakes enterprise that could lead to uncharted territory in the internet age. A spokesman for the group, a 22-year-old from London who called himself Coldblood, told the Guardian it was acting for the “chaotic good” in defence of internet freedom of speech. It has been distributing software tools to allow anyone with a computer and an internet connection to join in the attacks. The group has already succeeded this week in bringing down the site of the Swiss bank PostFinance, which was successfully attacked on Monday after it shut down one of WikiLeaks’ key bank accounts, accusing Assange of lying. A PostFinance spokesman, Alex Josty, told Associated Press the website had buckled under a barrage of traffic. “It was very, very difficult, then things improved overnight, but it’s still not entirely back to normal.”
Other possible targets include Amazon, which removed WikiLeaks’ content from its EC2 cloud on 1 December, and EveryDNS.net, which suspended dealings with the site two days later. PayPal has also been the subject of a number of DDoS attacks – which often involve flooding the target site with requests so that it cannot cope with legitimate communication – since it suspended all payments to WikiLeaks last week. A PayPal spokesman told the Guardian that while a site called ThePayPalBlog.com had been successfully silenced for a few hours, attempts to crash its online payment facilities had been unsuccessful. The site suggested today its decision to freeze payments had been taken after it became aware of the US state department’s letter saying WikiLeaks’s activities were deemed illegal in the US. Tonight PayPal said that it was releasing the money held in the WikiLeaks account, although it said the account remains restricted to new payments. A statement from PayPal’s general counsel, John Muller, sought to “set the record straight”. He said that the company was required to comply with laws around the world and that the WikiLeaks account was reviewed after “the US department of state publicised a letter to WikiLeaks on November 27, stating that WikiLeaks may be in possession of documents that were provided in violation of US law. PayPal was not contacted by any government organisation in the US or abroad. We restricted the account based on our Acceptable Use Policy review. Ultimately, our difficult decision was based on a belief that the WikiLeaks website was encouraging sources to release classified material, which is likely a violation of law by the source. “While the account will remain restricted, PayPal will release all remaining funds in the account to the foundation that was raising funds for WikiLeaks. We understand that PayPal’s decision has become part of a broader story involving political, legal and free speech debates surrounding WikiLeaks’ activities. 
None of these concerns factored into our decision. Our only consideration was whether or not the account associated with WikiLeaks violated our Acceptable Use Policy and regulations required of us as a global payment company. Our actions in this matter are consistent with any account found to be in violation of our policies.” PayPal did not explain how WikiLeaks violated this policy in their statement and requests for further information went unanswered.
There have been accusations that WikiLeaks is being targeted for political reasons, a criticism repeated yesterday after it emerged that Visa had forced a small IT firm which facilitates transfers made by credit cards including Visa and MasterCard, and has processed payments to WikiLeaks, to suspend all of its transactions – even those involving other payees. Visa had already cut off all donations being made through the firm to WikiLeaks. DataCell, based in Iceland, said it would take “immediate legal action” and warned that the powerful “duopoly” of Visa and MasterCard could spell “the end of the credit card business worldwide”. Andreas Fink, its chief executive, said: “Putting all payments on hold for seven days or more is one thing, but rejecting all further attempts to donate is making the donations impossible. “This does clearly create massive financial losses to WikiLeaks, which seems to be the only purpose of this suspension. This is not about the brand of Visa, this is about politics and Visa should not be involved in this … It is obvious that Visa is under political pressure to close us down.”
Operation Payback, which refers to itself as “an anonymous, decentralised movement that fights against censorship and copywrong”, argues that the actions taken by Visa, MasterCard and others “are long strides closer to a world where we cannot say what we think and are unable to express our opinions and ideas. We cannot let this happen. This is why our intention is to find out who is responsible for this failed attempt at censorship. This is why we intend to utilise our resources to raise awareness, attack those against and support those who are helping lead our world to freedom and democracy.” The MasterCard action was confirmed on Twitter at 9.39am by user @Anon_Operation, who later tweeted: “We are glad to tell you that http://www.mastercard.com/ is down and it’s confirmed! #ddos #WikiLeaks Operation: Payback (is a bitch!) #PAYBACK”. The group, Coldblood said, is about 1,000-strong. While most of its members are teenagers who are “trying to make an impact on what happens with the limited knowledge they have”, others include parents and IT professionals, he said. Anonymous was born out of the influential internet messageboard 4chan in 2003, a forum popular with hackers and gamers. The group’s name is a tribute to 4chan’s early days, when any posting to its forums where no name was given was ascribed to “Anonymous”. But the ephemeral group, which picks up causes “whenever it feels like it”, has now “gone beyond 4chan into something bigger”, its spokesman said. There is no real command structure; membership of the group has been described as being “like a flock of birds” – the only way you can identify members is by what they are doing together. Essentially, once enough people on the 4chan message boards decide some cause is worth pursuing in large enough numbers, it becomes an “Anonymous” cause. “We’re against corporations and government interfering on the internet,” Coldblood said. “We believe it should be open and free for everyone. 
Governments shouldn’t try to censor because they don’t agree with it. Anonymous is supporting WikiLeaks not because we agree or disagree with the data that is being sent out, but we disagree with any form of censorship on the internet.” Last night WikiLeaks spokesman Kristinn Hrafnsson said: “Anonymous … is not affiliated with WikiLeaks. There has been no contact between any WikiLeaks staffer and anyone at Anonymous. We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets.”
Hacker toolkits attracting volunteers to defend WikiLeaks
by Vanja Svajcer / December 9, 2010
The attacks are coordinated through the AnonOps web pages, IRC server infrastructure and several Twitter accounts. The operation of the voluntary botnet is very simple, but it seems to be quite effective. Yesterday, Twitter decided to shut down some of the Twitter accounts inviting users to join the attacks. However, the attack on the main VISA website, following the attacks on MasterCard, PayPal and the Swiss bank PostFinance, was successfully launched. Following these initial attacks, which seriously affected the operation of the sites under attack, another attack was launched on the MasterCard SecureCode card verification program. This attack seriously affected payment service providers, and the financial damage to MasterCard still needs to be determined.
Immediately after the AnonOps attacks on the payment processing companies started, a retaliatory DDoS attack was launched on AnonOps’ hosting infrastructure. Their main site anonops.net is unresponsive at the time of writing. It looks like there is an outright war going on. However, contrary to many discussions following the discovery of Stuxnet, the sides in this conflict are not sovereign states but groups of internet users spread around the globe, showing that warfare on the internet has a whole new dimension. Participation in DDoS attacks is illegal in many countries, and users accepting the AnonOps invitation are at serious risk of prosecution. Many people believe that privacy on the internet can be somewhat protected, but beware: LOIC neither spoofs nor proxies its traffic, so the attacker’s real source IP address will inevitably end up in the target’s web server log files, where it can easily be matched to a subscriber account if the ISP decides to cooperate with law enforcement agencies.
The workflow of an AnonOps attack is quite simple:
- Visit the AnonOps website to find out about the next target
- Decide you are willing to participate
- Download the required DDoS tool – LOIC
- Configure LOIC in Hive Mind mode to connect to an IRC server
- The attack starts simultaneously, when the nodes in the voluntary botnet receive the command from the IRC server
Since the principle of the operation is already well known, I wanted to take a look at the main weapon used to conduct the DDoS attacks: LOIC (Low Orbit Ion Cannon). LOIC is an open source tool written in C#, and the project is hosted on the major open source repositories, GitHub and SourceForge. The stated purpose of the tool is to stress-test web applications so that developers can see how an application behaves under heavier load. Of course, a stress-testing application, which could be classified as a legitimate tool, can also be used in a DDoS attack.
LOIC’s main component is an HTTP flooder module, configured through the main application window. The user can specify several parameters, such as host name, IP address and port, as well as the URL that will be targeted. The URL can also be pseudo-randomly generated; this defeats any cache sitting in front of the origin server and any naive signature that matches on a fixed URL, which makes the flood harder for the target’s intrusion prevention systems to pick out. The Hive Mind option is responsible for connecting to the IRC server used for attack coordination. In Hive Mind mode the participant’s machine attacks whatever target the channel operators set, not just the one the participant voluntarily agreed to target. Each connection sends a standard HTTP GET request, with a configurable timeout and a delay between attempted connections. Most web servers have a configurable limit on the number of connections they accept; once that limit is reached the server stops serving all further requests, which has the same effect as the server being offline. The IRC communication protocol is implemented using the free C# IRC library SmartIRC4Net.
There is also a Java version of the tool, JavaLoic, which uses a Twitter account as the command and control channel. The Java version is much easier to detect with intrusion prevention systems, however, because its attack uses fragmented HTTP requests forming the static string “hihihihihihihihihihihihihihihihihihihihihihi”.
Sophos products have been detecting LOIC as a potentially unwanted application since 14 February 2008.
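As an added example (not part of the original post, and not code from LOIC or AnonOps), the following Python script shows the defender’s side of the two points made above: LOIC neither spoofs nor proxies, so every request it sends lands in the target’s access log under the participant’s real address, and the JavaLoic variant carries a fixed payload string. The script parses combined-format access-log lines, keeps a sliding-window request count per source IP, and matches the JavaLoic marker. The log lines, addresses, window size and threshold are all constructed for illustration; a real deployment would tune them to its own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format, e.g.
# 198.51.100.7 - - [08/Dec/2010:09:39:00 +0000] "GET /?00000001 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Static string carried by JavaLoic's fragmented requests (see the post above);
# a short prefix of it is enough to match.
JAVALOIC_MARKER = "hihihihihihi"


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flooders(lines, window_s=10, threshold=50):
    """Map source IP -> reason for every address that either exceeds `threshold`
    requests inside any `window_s`-second sliding window, or sends the JavaLoic
    marker. Lines are expected in log order (ascending time)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, t = rec["ip"], rec["time"]
        if JAVALOIC_MARKER in rec["req"]:
            flagged.setdefault(ip, "JavaLoic marker in request line")
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(ip, f"{len(q)} requests within {window_s}s")
    return flagged


def make_sample_log():
    """Constructed sample traffic (not a real capture): one ordinary visitor,
    one LOIC HTTP-flood participant using randomised URLs, one JavaLoic client."""
    base = datetime(2010, 12, 8, 9, 39, 0, tzinfo=timezone.utc)
    events = []

    def add(ip, offset_s, path, ua):
        t = base + timedelta(seconds=offset_s)
        events.append((t, f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'))

    for i in range(6):                      # normal browsing: a request every 2 s
        add("203.0.113.9", 2 * i, "/", "Mozilla/5.0")
    for i in range(120):                    # LOIC: 20 requests/s, random query string each time
        add("198.51.100.7", 0.05 * i, f"/?{i:08x}", "Mozilla/4.0")
    add("192.0.2.44", 3, "/" + "hi" * 22, "Java/1.6.0_22")
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


if __name__ == "__main__":
    for ip, why in find_flooders(make_sample_log()).items():
        print(f"{ip}: {why}")
```

With thousands of volunteers each sending a moderate rate, the per-IP threshold has to come down or the count has to be aggregated per network, and the randomised URL means a fixed-URL signature is useless; the per-source rate is what survives. The addresses the script lists are the participants’ real endpoints, which is exactly why the warning about ISP cooperation above matters.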
“mastercard.com is currently under a distributed denial of service (DDoS) attack, making the site unavailable from some locations.
The attack is being orchestrated by Operation Payback and forms part of an ongoing campaign by Anonymous. They announced the attack’s success a short while ago on their Twitter stream:
Operation Payback is announcing targets via its website, Twitter stream and Internet Relay Chat (IRC) channels. To muster the necessary volume of traffic to take sites offline, they are inviting people to take part in a ‘voluntary’ botnet by installing a tool called LOIC (Low Orbit Ion Cannon – a fictional weapon of mass destruction popularised by computer games such as Command & Conquer). The LOIC tool connects to an IRC server and joins an invite-only ‘hive’ channel, where it can be updated with the current attack target. This allows Operation Payback to automatically reconfigure the entire botnet to switch to a different target at any time.
Yesterday, Operation Payback successfully brought down the PostFinance.ch website after the Swiss bank decided to close Julian Assange’s bank account. Later in the day, they also launched an attack against the Swedish prosecutor’s website, www.aklagare.se. The attack was successful for several hours, but now appears to have stopped. The Director of Prosecution, Ms. Marianne Ny, stated yesterday that Swedish prosecutors are completely independent in their decision making, and that there had been no political pressure. The same group also successfully took down the official PayPal blog last week, after WikiLeaks’ PayPal account was suspended. As more companies distance themselves from WikiLeaks, we would not be surprised to see additional attacks taking place over the coming days. Concurrent attacks against the online payment services of MasterCard, Visa and PayPal would have a significant impact on online retailers, particularly in the run up to Christmas. Although denial of service attacks are illegal in most countries, Operation Payback clearly has a sufficient supply of volunteers who are willing to take an active role in the attacks we have seen so far. They are a force to be reckoned with. A real-time performance graph for www.mastercard.com can be viewed here.”
“Because none of us are as cruel as all of us.” – Anonymous
One of the many side stories in the ongoing WikiLeaks media circus is that of Anonymous. Trying to explain Anonymous to the general public is like trying to explain the actions of a schizophrenic sociopathic genius to the average Joe, and expecting him to empathize. Anonymous, and 4chan by extension, have been in the national and world news several times, but most recently due to their support of Julian Assange in the form of orchestrating DDoS attacks on PayPal, VISA and MasterCard, who have all refused to process donations for his organization, WikiLeaks.
This article isn’t trying to make a moral judgment of their actions, but simply tries to explain what Anonymous is. Anonymous can’t be called an organization, because it isn’t organized. One could almost refer to it as a ‘disorganization’, if such a noun existed, due to its decentralized nature and lack of leadership. It’s more like a school of piranha which travel along with no leader or particular direction, until something attracts the school and they attack in unison. The first fish to see the target might momentarily lead the pack, but once the rest of the school becomes aware of the target, that leader becomes just another fish in the school. The concept of Anonymous is extremely difficult to explain, due to most people having a clear understanding of the usual structure of an organization. Companies have a CEO. Armies have generals. Countries have presidents or prime ministers or kings. In any case, there is always someone in charge; someone at the top with whom a face can be associated, and likewise credited or blamed.
Anonymous has no leader. It doesn’t even have sub-leaders. It has no face. It is an army comprised completely of foot soldiers, but each soldier knows the mission through a general pervasive awareness. It is also quite usual for not all of Anonymous to agree, and some members simply choose to not participate in whatever ongoing project the group is engaged in. There have even been times where Anonymous is split and attack both sides of an issue, and each other in the process. In his novel Prey, Michael Crichton wrote about the concept of decentralized groups, using nanobots as an example, and how they can be used to solve problems, or wreak havoc. It’s an entertaining and informative way to learn about decentralized systems. If you’re interested in understanding the concept, it’s a good place to start.
As for the motives of Anonymous, it is ostensibly for the laughs. Their targets range from Scientology to Iran to Habbo Hotel. They are just as likely to use their abilities to attack a children’s website as they are to help track down a pedophile. While it is tempting to attribute good intentions to the group, as most of their exploits are often on the side, or at least towards the side of what the majority considers ‘right’, if they had an alignment, it would be chaotic neutral. They usually don’t care if the end results are good or bad, they just care that there are results.
Their main Internet social site is the /b/ channel of 4chan. It is an imageboard where the posting of anything is permissible, aside from child pornography. However, that third rail of the site is regularly stepped on. If you go there, be prepared to see things you don’t want to see. Anonymous have been referred to as the “first Internet-based superconsciousness”, which is an apt description. Think of them as a brain, and the participating members as firing synapses. No one synapse controls the thought process, but when enough of a certain type fire in a particular pattern, the brain forms a thought, which is then acted on.
Anonymous have squarely come down on the side of WikiLeaks in their current dustup. While they can be a powerful ally or dreadful enemy, they generally lose interest when another topic which piques their interest comes along. It is hard to like or dislike them, since in a given year they are equally likely to do something which either outrages you, or makes you want to cheer them on. I view them as one would a coin toss; equally likely to elate or disappoint, and truly not caring about the outcome.
Pro-WikiLeaks Attacks Sputter After Counterattacks, Dissent Over Tactics
by Ryan Singel / December 10, 2010
The attacks by pro-WikiLeaks supporters against companies that cut off services to the secret-spilling website have fallen into disrepair Friday, as the attackers attempt to decide the future of the so-called “Operation Payback.” Much of the organization and communication among the group, which calls itself Anonymous, was taking place in chat rooms hosted on anonops.net. On Thursday, one room hosted more than 2,000 participants, while on Friday most of the rooms seem to have been shut down due to counterattacks. The few protesters able to connect — fewer than 100 on Friday – appear to be devoting their energies to combating a counter-protester who keeps blasting the message: “WHAT YOU’RE DOING IS ILLEGAL. STOP NOW AS YOU SUCK AT IT. WIKILEAKS SUCKS AS WELL.”
Adding to the confusion, the site anonops.info is reporting that their DNS provider ENOM has cut services to the domain hosting the chat channels, and that the operation is suffering from its own popularity and outside attacks. Still the group is struggling on, and in a chatroom that was still operable, one member requested that protesters register their vote for the next target, using an embeddable Google form to collect the info.
The group made headlines around the world Wednesday when the ragtag band of computer activists successfully overwhelmed both Visa.com and MasterCard.com, the homepages of the two giant payment processors. The attack cut off the ability to make donations to WikiLeaks using those companies’ cards. The companies said they made the decision after deciding that WikiLeaks’ publication of secret U.S. diplomatic cables provided to it by a whistleblower violated their terms of service, though the site has not been charged with a crime. The companies’ payment systems were not affected by the flood of traffic. Anonymous then shifted their focus to PayPal — which had also shut off the ability to donate to WikiLeaks — where they briefly disrupted the popular online payment firm by targeting the company’s payment system directly.
The attacks aren’t hacks in the real sense of the word, since they don’t penetrate the companies’ computer systems and leave no lasting damage. They simply overwhelm servers with web requests, in an attempt to make a site inaccessible to real users. The attacks on Visa.com and MasterCard.com were, in effect, an internet-age version of taking over a college campus building as a protest — potentially illegal, but leaving no lasting damage. That distinction was lost on many, and even the august New York Times used the word “cyberwar” in its lead sentence in its report on the attacks Thursday.
Parts of Anonymous seemed to realize that it was losing the propaganda war, which was exacerbated by media reports that the group would be attacking Amazon.com, which cut off WikiLeaks from Amazon’s robust web-hosting service. In a press release, someone purporting to speak for the group tried to explain that the purpose of the attacks was to raise awareness, not mess with Christmas shopping: “[T]he point of Operation: Payback was never to target critical infrastructure of any of the companies or organizations affected. Rather than doing that, we focused on their corporate websites, which is to say, their online public face. It is a symbolic action — as blogger and academic Evgeny Morozov put it, a legitimate expression of dissent.”
As for the reported attacks on Amazon.com, the press release said the group refrained because they didn’t want to be seen as disrupting Christmas. (An attack would not likely have a chance against Amazon, whose infrastructure is so good that it rents it out to other companies.) “Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste. The continuing attacks on PayPal are already tested and preferable: while not damaging their ability to process payments, they are successful in slowing their network down just enough for people to notice and thus, we achieve our goal of raising awareness.”
While these are smart public relations sentiments, the Anonymous attacks on PayPal that started on Wednesday night and continued (albeit in much smaller volume) on Friday morning went after PayPal’s payment infrastructure (technically, its payment API, which merchants use to communicate with PayPal.com), not the website. Anonymous members made it clear in one heavily used chat room Thursday that they were gunning to shut PayPal down, not simply “slow down” the service.
Another communique, perhaps unofficial, re-published by BoingBoing Thursday night, announced that Anonymous would be halting the denial of service attacks and instead turning its attention to the leaked cables. The idea was for Anonymous to spend its time looking for little-reported revelations in the cables, create videos and stories about them, and bombard sites, including YouTube, with links to them. The FBI has said it is looking into the attacks, and Dutch police have already arrested a 16-year-old boy in connection with them. Two people involved in Anonymous’s previous attacks on Scientology were convicted and jailed on charges of violating federal computer crime statutes. Those who join in the attacks using their own computers and IP addresses that can be traced back to them are making themselves very vulnerable to similar prosecutions. Few who are part of Anonymous are actual “hackers”; most join in the attacks by running specialized software provided by more technically adept members. Instructions on which sites to target and when are passed around dedicated online chat channels and websites, creating a sort of online insurgency.
Elizabeth Cook’s artist impression of WikiLeaks founder Julian Assange’s appearance at Westminster Magistrates Court in London, where he was denied bail after appearing on an extradition warrant.
How Secure Is Julian Assange’s Insurance File?
by Dan Nosowitz / 12.07.2010
Once your leader has been compared to a Bond villain, you might as well go all the way, right? A few months back, Wikileaks released a giant file that’s been referred to as the “thermonuclear” option, should the organization’s existence be threatened: A huge compendium of some of the most damaging secrets Wikileaks has collected, protected with an intense brand of secure encryption–for use as insurance. With Assange now in police custody on sex crimes charges, the “poison pill” is on everyone’s mind. The pill in question is a 1.4GB file, circulated by BitTorrent. It’s been downloaded tens of thousands of times, no mean feat for what, at the moment, is a giant file with absolutely no use whatsoever. It’s waiting on the hard drives of curious Torrenters, Wikileaks supporters, and (you can bet) government agents worldwide, awaiting the password that’ll open the file to all. Although no one is sure of its contents, the file is speculated to contain the full, un-redacted documents collected by the organization to date (including, some are guessing, new documents on Guantanamo Bay or regarding the financial crisis). It has yet to be cracked, at least not publicly, though there is a hefty amount of activity from those trying, at least a little, to break into it before Assange releases the key.
What makes this so pressing is Assange’s recent arrest in London, on, to say the least, somewhat controversial sex crimes charges in Sweden. There’s been speculation that this could be the lead-up to more severe prosecution–certain American politicians have called for prosecuting Assange for “treason,” apparently not realizing or caring that Assange is an Australian national–and could in turn lead to his releasing the password for these documents. The file is titled “insurance.aes256,” implying that it’s protected with a 256-bit AES key, one of the strongest in the world. The thing is, the filename proves nothing: properly encrypted data is indistinguishable from random bytes, so short of a recognisable container header there is no way to tell from the file alone which cipher or key size was used. There’s no particular reason for Assange to lie about the encryption he used, but it’s something to keep in mind. Let’s assume for the moment that it is indeed AES-256, which raises the question: What is AES?
Advanced Encryption Standard
Advanced Encryption Standard, or AES, is a cipher standard that came into wide use in 2001. AES is a block cipher rather than a stream cipher, meaning “blocks” of data are converted into encrypted gibberish 128 bits at a time. It’s perhaps the most-used block cipher in the world, used by, for example, the Wi-Fi protection known as WPA2. It came to prominence in 2001 as the winner of a contest held by the National Institute of Standards and Technology to find a new standard encryption algorithm, and in 2003 the NSA approved it for protecting classified information. That’s right, Assange’s “poison pill” is secured by the U.S. government’s own standard. Though AES is an open and public cipher, it is the first publicly available cipher the NSA has approved for “Top Secret” information, the classification used for the most sensitive material (with the caveat that only the 192- and 256-bit key lengths are cleared for Top Secret; AES-128 is cleared up to Secret). It is, in short, a tremendously badass form of protection.
An AES encryption doesn’t work like, say, a login. The keys are just strings of binary (in the case of AES-256, 256 bits) rather than words or characters, and entering the wrong key won’t simply deny access: decryption runs anyway and produces elaborately encoded gibberish, and unless the file format carries an authentication tag or checksum, nothing in the output tells you the key was wrong. Note also that when a person types a passphrase, a key-derivation function turns that passphrase into the 256-bit key, so the practical strength is that of the passphrase, not of the 256-bit key. There are three variants of AES, which differ in the size of their keys (128, 192, or 256 bits), though they all use the same 128-bit block size. The key size has other implications within the algorithm itself (and slightly increases the encryption time), but mostly it increases the amount of time needed to break the cipher with what’s called a “brute force attack” (more on that in a bit). The three variants also use different numbers of “rounds”, the repeated substitution-and-mixing steps applied to each block. Each round is sort of like a further layer of obscurity, making the original data all the more disguised. AES-128 has ten rounds, AES-192 has twelve, and AES-256 has fourteen.
Those rounds make it effectively impossible to compare the ciphertext with the plaintext or key and discern any sort of pattern, since the data has been so thoroughly mangled by, in this case, 14 rounds of highly sophisticated manipulation that it is unrecognizable. The rounds make an already secure algorithm that much more secure.
There are a few different ways of cracking a code like this. Many rely on some other information besides the ciphertext itself. Side-channel attacks, for example, require observing the actual decryption as it runs: data like the timing of the operations, the power consumed by the computer doing the decrypting, or even the noise the machine makes while decrypting. There are measures you can take to defeat this kind of thing, but even if Assange hasn’t taken them, side-channel attacks won’t work in this case, because there is no decryption for anyone to observe; all anyone has is the file. Another kind of attack, the one that’s come closest, is the related-key attack. This method requires ciphertexts produced under several keys that differ from the target key in a specific, known way. Cryptographers have actually had some very limited success with related-key attacks on AES, greatly reducing the number of candidate keys–but there are huge caveats to that. Related-key attacks require a degree of control over the keys that attackers essentially never have in the real world, and tools such as TrueCrypt and WPA2 derive their keys through a key-derivation function, so the related keys the attack needs never arise. And, worst of all, that success, against a 256-bit key, required a handicap: a reduced version of the cipher with fewer rounds. A related-key attack won’t work on Assange’s jacket-full-of-dynamite.
The time it takes to crack a code is thought of in terms of how many possible correct passwords there could be. If you’re looking at a 256-bit password with no knowledge of anything, trying to just enter every conceivable combination of 0s and 1s, you’d have a “time” of 2^256. Nobody measures the time it would take to crack one of these codes in hours, months, years, or centuries–it’s too big for all of that, so they just use combinations. Trying to crack all of those combinations manually is called, aptly, a brute force attack, and in a 256-bit instance like this one, it’d take, roughly, a bajillion years to succeed (that being the scientific estimation). Even with all the supercomputers in the world working in concert, with a flawless algorithm for trying the different combinations, it would take hundreds of thousands of years. Your average dude with an Alienware? Forget about it. In the case of the successfully cracked 256-bit code above, the cryptographers only managed to narrow it down to 2^70 possibilities–and they only got through the 11th round. Besides, 2^70 combinations is, in real world terms, not really much closer to cracked than 2^256. It’s still dramatically unfeasible.
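To make the block size, the three key sizes and the 10/12/14 round counts concrete, here is a from-the-standard AES block cipher added as an example; it is not code from the article or from any of the tools it names. It encrypts and decrypts one 128-bit block, derives the round count from the key length, and shows the article’s point that a wrong key never “fails”: decryption just returns unrelated bytes. It is a study implementation, not constant-time, so it is exactly the kind of code the side-channel remarks above apply to.

```python
# Minimal AES (FIPS-197) block cipher written from the standard to show how the
# 128-bit block, the 128/192/256-bit key and the 10/12/14 rounds fit together.
# Added example, not the article's code. Table lookups and data-dependent
# branches leak timing here; a production library avoids both.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    """Multiply two GF(2^8) elements with eight shift-and-add steps."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box = affine transform of the multiplicative inverse, with inv(0) = 0."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):                       # s ^= rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def rounds_for_key(key):
    """Nr = Nk + 6: 10 rounds for AES-128, 12 for AES-192, 14 for AES-256."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return len(key) // 4 + 6

def _expand_key(key):
    """Key schedule (FIPS-197 section 5.2): Nr + 1 round keys of 16 bytes each."""
    nk, nr = len(key) // 4, rounds_for_key(key)
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1][:]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                # extra SubWord only for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _shift_rows(s, sign=1):
    """State is column-major (state[r + 4c]); rotate row r by r bytes, left for
    the cipher (sign=1) and right to invert it (sign=-1)."""
    return [s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s, coeffs=(2, 3, 1, 1)):
    """Multiply each column by the fixed polynomial; (14, 11, 13, 9) inverts it."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gf_mul(coeffs[0], col[r]) ^ _gf_mul(coeffs[1], col[(r + 1) % 4])
                       ^ _gf_mul(coeffs[2], col[(r + 2) % 4]) ^ _gf_mul(coeffs[3], col[(r + 3) % 4]))
    return out

def encrypt_block(key, block):
    """Encrypt one 16-byte block; the round count follows from the key length."""
    if len(block) != 16:
        raise ValueError("AES works on exactly 128 bits at a time")
    rk = _expand_key(key)
    nr = len(rk) - 1
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, nr + 1):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != nr:                               # the final round skips MixColumns
            s = _mix_columns(s)
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)

def decrypt_block(key, block):
    """Inverse cipher. A wrong key never raises: it simply returns unrelated bytes,
    which is why a brute-force search has nothing to go on but the keyspace."""
    if len(block) != 16:
        raise ValueError("AES works on exactly 128 bits at a time")
    rk = _expand_key(key)
    nr = len(rk) - 1
    s = [a ^ b for a, b in zip(block, rk[nr])]
    for rnd in range(nr - 1, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, -1)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]
        if rnd != 0:
            s = _mix_columns(s, (14, 11, 13, 9))
    return bytes(s)
```

The FIPS-197 Appendix C vectors (key 00 01 02 … with plaintext 00112233445566778899aabbccddeeff) check all three key sizes, and flipping one key bit before decrypting gives 16 bytes that bear no resemblance to the plaintext.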
The best possible method of cracking the code might be the simplest: Beat it out of him. This is, I swear to God, a real technique, called rubber-hose cryptanalysis. Assange is already in custody–the most efficient way to get his password is, by far, torture. It’s also authentic in that it’s the only type of cracking you’d actually see in a Bond movie. Sure as hell better than waiting several million years for a brute-force attack, right?
DUTCH TEEN ARRESTED for DDoS
Dutch police arrest 16-year-old WikiLeaks avenger
by Dan Goodin / 9th December 2010
Dutch police said they have arrested a 16-year-old boy for participating in web attacks against MasterCard and Visa as part of a grassroots push to support WikiLeaks. A press release issued on Thursday (Google translation here) said the unnamed boy confessed to the distributed denial-of-service attacks after his computer gear was seized. He was arrested in The Hague, and is scheduled to be arraigned before a judge in Rotterdam on Friday. It is the first known report of an arrest in the ongoing attacks, which started earlier this week. The arrest came shortly after anonops.net, a Netherlands-hosted website used to coordinate attacks against companies perceived as harming WikiLeaks, was taken offline. A Panda Security researcher said the website was itself the victim of DDoS attacks, but the investigation by the Dutch High Tech Crime Team has also involved “digital data carriers,” according to the release. It didn’t specify the crimes the boy was charged with or say exactly what his involvement in the attacks was. According to researchers, the Low Orbit Ion Cannon tool, which thousands of WikiLeaks sympathizers are using to unleash the DDoS attacks, takes no steps to conceal their IP addresses. It wouldn’t be surprising if attackers who used the application from internet connections at their home or work also receive a call from local law enforcement agencies.
Why WikiLeaks hackers are a glitch, not a cyberwar
by Douglas Rushkoff / December 10, 2010
Like a momentary glitch on a flat-panel display, the attacks by hackers calling themselves “Anonymous” came and went. Visa, PayPal, MasterCard and Amazon report no significant damage, and business goes on as usual. The corporations acting to cut off WikiLeaks remain safe. Although many are unsettled by the thought of a site such as WikiLeaks revealing state secrets or a group of anonymous hackers breaking the security of the banking system, events of the past week reveal that such threats are vastly overstated. If anything, the current debacle demonstrates just how tightly controlled the net remains in its current form, as well as just what would have to be done to create the sort of peer-to-peer network capable of upending corporate and government power over mass communication and society itself. While in the short term, WikiLeaks managed to create a public platform for a massive number of classified cables, the site itself was rather handily snuffed out by the people actually in charge of the internet. That’s because however decentralized the net might feel when we are posting to our blogs, it was actually designed around highly centralized indexes called domain name servers. Every time we instruct our browsers to find a web page, they ping one of these authorized master lists in order to know where to go. Removing WikiLeaks or any other site, group, top-level domain or entire nation is as easy as deleting it from that list.
The durability of WikiLeaks’ disclosures rests less in the willingness of many rogue websites to attempt to host them in WikiLeaks’ stead than in the sanctity of traditional news outlets such as The New York Times and Guardian of London, which were also sent the complete package of classified documents and can’t be turned off with the online equivalent of a light switch. Likewise, the server space on which our websites appear is owned by corporations that have the power — if not the true right — to cut anyone off for any reason they choose. It’s private property, after all. Similarly, our means of funding WikiLeaks is limited to companies such as Visa and PayPal, which immediately granted government requests to freeze payments and donations to WikiLeaks. It’s the same way a rogue nation’s assets can be frozen by the banks holding them.
Hackers, angered at this affront to the supposed openness of the internet, then went on the attack. They used their own computers — as well as servers they had been able to commandeer — to wage “denial of service” attacks on the websites of the offending companies. Most of those companies, already armed with defensive capabilities designed to fend off intrusions from the likes of the Russian mob or the Red Army, survived unscathed. Only MasterCard was noticeably, if only temporarily, disrupted. Meanwhile, Facebook and Twitter quickly disabled accounts traced to those using the services to organize their minions.
And all this tamping down occurred on today’s purportedly “net neutral” internet, which offers no real advantage to one corporate-owned server over any other. We can only imagine the effect of these events on those who will decide on whether to maintain net neutrality or give in to the corporations that argue the internet’s distributive capabilities should be reserved for those who can pay for such distribution, by the byte. No, the real lesson of the WikiLeaks affair and subsequent cyberattacks is not how unwieldy the net has become, but rather how its current architecture renders it so susceptible to control from above.
It was in one of the leaked cables that China’s State Council Information office delivered its confident assessment that thanks to “increased controls and surveillance, like real-name registration … The Web is fundamentally controllable.” The internet’s failings as a truly decentralized network, however, merely point the way toward what a decentralized network might actually look like. Instead of being administrated by central servers, it would operate through computers that pinged one another, instead of corporate-owned server farms, and deliver web pages from anywhere, even our own computers. The FCC and other governing bodies may attempt to defang the threat of the original internet by ending net neutrality. But if they did, such a new network — a second, “people’s internet” — would almost certainly rise in its place. In the meantime, the internet we know, love and occasionally fear today is more of a beta version of a modeling platform than a revolutionary force. And like any new model, it changes the way we think of the way things work right now. What the internet lacks today indicates the possibilities for what can only be understood as a new operating system: a 21st century, decentralized way of conducting political, commercial and human affairs.
This new operating system, even in its current form, is slowly becoming incompatible with the great, highly centralized institutions of the 20th century, such as central banking and nation states, which still depend on top-down control and artificial monopolies on power to maintain their authority over business and governance. The ease with which PayPal or Visa can cut off the intended recipient of our funds, for example, points the way to peer-to-peer transactions and even currencies that allow for the creation and transmission of value outside the traditional banking system. The ease with which a senator’s phone call can shut down a web site leads network architects to evaluate new methods of information distribution that don’t depend on corporate or government domain management for their effectiveness.
Until then, at the very least, the institutions still wielding power over the way our networks work and don’t work have to exercise their power under a new constraint: They must do so in the light of day.
INSIDE the WIKILEAKS BUNKER
Going underground at the Wikileaks nerve centre
by Stephen Evans / 10 December 2010
To enter the old nuclear bunker in Stockholm where the Wikileaks secrets are stored is like passing into another surreal world, half way between planet Earth and cyberspace. The entrance on the street is non-descript. It is just a door in a face of rock. Steam billows from pipes alongside into the bitterly cold Swedish air. If you press the bell and get invited in, glass doors open and you walk into a James Bond world of soft lighting. There is the high security of doors which only open when the door behind you has closed, and which need special passes for every few steps of the journey into the inner cavern. But there is also falling water in fountains and pot plants, because people work here, watching monitors from a control room. One of the carpets has the surface of the moon on it to give an added surreal effect.
And then there are the computer servers in a cave, with bare rock walls underneath the wooden houses of Stockholm. In the inner cavern are rows and rows of computer storage cases. And on one of them are the files of Wikileaks, only a fraction of which have so far been made public to the immense embarrassment of politicians who once said something indiscreet to an American diplomat, never dreaming the words would bite back in public. The data centre is owned by a company called Bahnhof, and its founder, Jon Karlung, gave the BBC a tour. Mr Karlung took over the remnant from the Cold War in 2007 and had to dynamite out a further 4,000 cubic metres of rock to make it big enough. It is ultra-secure and needs submarine turbines – just inside the entrance – to generate enough power to maintain a moderate temperature even in the vicious Swedish winter.
But the threat to data is not from physical theft – not from robbers with guns – though they would have a hard job – but from cyber attack. Mr Karlung said they monitored the traffic into and out of the centre. But he said he would be naive to think that people would not try, so they had given Wikileaks a separate channel in – its own pipe for data, as it were. Does he fear the wrath of the United States because his facility stores such embarrassing information? “Our role must be to keep this service up. We are in Sweden and this service is legal in Sweden and therefore we must stand up for our client,” he said. “We must do everything in our power to keep the service up. I believe in the freedom of speech.” He said his data centre was like the postal service. You do not blame the postman for the content of the letter – nor do you open the letter if you are a postal delivery person. So it is with servers, he thinks: “We should be able to help Wikileaks operate their servers as long as they are not violating any laws. That principle is the most important thing to stand for.”
“At the moment, for example, we are sitting on 5GB from Bank of America, one of the executive’s hard drives…”
U.S. BANKERS NEXT?
An Interview With WikiLeaks’ Julian Assange
by Andy Greenberg / Nov. 29 2010
Admire him or revile him, WikiLeaks’ Julian Assange is the prophet of a coming age of involuntary transparency, the leader of an organization devoted to divulging the world’s secrets using technology unimagined a generation ago. Over the last year his information insurgency has dumped 76,000 secret Afghan war documents and another trove of 392,000 files from the Iraq war into the public domain–the largest classified military security breaches in history. Sunday, WikiLeaks made the first of 250,000 classified U.S. State Department cables public, offering an unprecedented view of how America’s top diplomats view enemies and friends alike. But, as Assange explained to me earlier this month, the Pentagon and State Department leaks are just the start.
Forbes: To start, is it true you’re sitting on trove of unpublished documents?
Julian Assange: Sure. That’s usually the case. As we’ve gotten more successful, there’s a gap between the speed of our publishing pipeline and the speed of our receiving submissions pipeline. Our pipeline of leaks has been increasing exponentially as our profile rises, and our ability to publish is increasing linearly.
Q. You mean as your personal profile rises?
A. Yeah, the rising profile of the organization and my rising profile also. And there’s a network effect for anything to do with trust. Once something starts going around and being considered trustworthy in a particular arena, and you meet someone and they say “I heard this is trustworthy,” then all of a sudden it reconfirms your suspicion that the thing is trustworthy. So that’s why brand is so important, just as it is with anything you have to trust.
Q. And this gap between your publishing resources and your submissions is why the site’s submission function has been down since October?
A. We have too much.
Q. Before you turned off submissions, how many leaks were you getting a day?
A. As I said, it was increasing exponentially. When we get lots of press, we can get a spike of hundreds or thousands. The quality is sometimes not as high. If the front page of the Pirate Bay links to us, as they have done on occasion, we can get a lot of submissions, but the quality is not as high.
Q. How much of this trove of documents that you’re sitting on is related to the private sector?
A. About fifty percent.
Q. You’ve been focused on the U.S. military mostly in the last year. Does that mean you have private sector-focused leaks in the works?
A. Yes. If you think about it, we have a publishing pipeline that’s increasing linearly, and an exponential number of leaks, so we’re in a position where we have to prioritize our resources so that the biggest impact stuff gets released first.
Q. So do you have very high impact corporate stuff to release then?
A. Yes, but maybe not as high impact… I mean, it could take down a bank or two.
Q. That sounds like high impact.
A. But not as big an impact as the history of a whole war. But it depends on how you measure these things.
Q. When will WikiLeaks return to its older model of more frequent leaks of smaller amounts of material?
A. If you look at the average number of documents we’re releasing, we’re vastly exceeding what we did last year. These are huge datasets. So it’s actually very efficient for us to do that. If you look at the number of packages, the number of packages has decreased. But if you look at the average number of documents, that’s tremendously increased.
Q. So will you return to the model of higher number of targets and sources?
A. Yes. Though I do actually think… [pauses] These big package releases. There should be a cute name for them.
A. Megaleaks. That’s good. These megaleaks… They’re an important phenomenon, and they’re only going to increase. When there’s a tremendous dataset, covering a whole period of history or affecting a whole group of people, that’s worth specializing on and doing a unique production for each one, which is what we’ve done. We’re totally source dependent. We get what we get. As our profile rises in a certain area, we get more in a particular area. People say, why don’t you release more leaks from the Taliban. So I say hey, help us, tell more Taliban dissidents about us.
Q. These megaleaks, as you call them, we haven’t seen any of those from the private sector.
A. No, not at the same scale as for the military.
Q. Will we?
A. Yes. We have one related to a bank coming up, that’s a megaleak. It’s not as big a scale as the Iraq material, but it’s either tens or hundreds of thousands of documents depending on how you define it.
Q. Is it a U.S. bank?
A. Yes, it’s a U.S. bank.
Q. One that still exists?
A. Yes, a big U.S. bank.
Q. The biggest U.S. bank?
A. No comment.
Q. When will it happen?
A. Early next year. I won’t say more.
Q. What do you want to be the result of this release?
A. [Pauses] I’m not sure. It will give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms, I presume. Usually when you get leaks at this level, it’s about one particular case or one particular violation. For this, there’s only one similar example. It’s like the Enron emails. Why were these so valuable? When Enron collapsed, through court processes, thousands and thousands of emails came out that were internal, and it provided a window into how the whole company was managed. It was all the little decisions that supported the flagrant violations. This will be like that. Yes, there will be some flagrant violations, unethical practices that will be revealed, but it will also be all the supporting decision-making structures and the internal executive ethos that comes out, and that’s tremendously valuable. Like the Iraq War Logs, yes there were mass casualty incidents that were very newsworthy, but the great value is seeing the full spectrum of the war. You could call it the ecosystem of corruption. But it’s also all the regular decision making that turns a blind eye to and supports unethical practices: the oversight that’s not done, the priorities of executives, how they think they’re fulfilling their own self-interest. The way they talk about it.
Q. How many dollars were at stake in this?
A. We’re still investigating. All I can say is it’s clear there were unethical practices, but it’s too early to suggest there’s criminality. We have to be careful about applying criminal labels to people until we’re very sure.
Q. Can you tell me anything about what kind of unethical behavior we’re talking about?
Q. You once said to one of my colleagues that WikiLeaks has material on BP. What have you got?
A. We’ve got lots now, but we haven’t determined how much is original. There’s been a lot of press on the BP issue, and lawyers, and people are pulling out a lot of stuff. So I suspect the material we have on BP may not be that original. We’ll have to see whether our stuff is especially unique.
Q. The Russian press has reported that you plan to target Russian companies and politicians. I’ve heard from other WikiLeaks sources that this was blown out of proportion.
A. It was blown out of proportion when the FSB reportedly said not to worry, that they could take us down. But yes, we have material on many businesses and governments, including in Russia. It’s not right to say there’s going to be a particular focus on Russia.
Q. Let’s just walk through other industries. What about pharmaceutical companies?
A. Yes. To be clear, we have so much unprocessed stuff, I’m not even sure about all of it. These are just things I’ve briefly looked at or that one of our people has told me about.
Q. How much stuff do you have? How many gigs or terabytes?
A. I’m not sure. I haven’t had time to calculate.
Q. Continuing then: The tech industry?
A. We have some material on spying by a major government on the tech industry. Industrial espionage.
Q. U.S.? China?
A. The U.S. is one of the victims.
Q. What about the energy industry?
Q. Aside from BP?
Q. On environmental issues?
A. A whole range of issues.
Q. Can you give me some examples?
A. One example: It began with something we released last year, quite an interesting case that wasn’t really picked up by anyone. There’s a Texas Canadian oil company whose name escapes me. And they had these wells in Albania that had been blowing. Quite serious. We got this report from a consultant engineer into what was happening, saying vans were turning up in the middle of the night doing something to them. They were being sabotaged. The Albanian government was involved with another company. There were two rival producers and one was government-owned and the other was privately owned. So when we got this report, it didn’t have a header. It didn’t say the name of the firm, or even who the wells belonged to.
Q. So it wasn’t picked up because it was missing key data.
A. At the time, yeah. So I said, what the hell do we do with this thing? It’s impossible to verify if we don’t even know who it came from. It could have been one company trying to frame the other one. So we did something very unusual, and published it and said “We’ve got this thing, looks like it could have been written by a rival company aiming to defame the other, but we can’t verify it. We want more information.” Whether it’s a fake document or real one, something was going on. Either one company is trying to frame the other, which is interesting, or it’s true, which is also very interesting. That’s where the matter sat until we got a letter of inquiry from an engineering consulting company asking how to get rid of it. We demanded that they first prove that they were the owner.
Q. It sounds like when Apple confirmed that the lost iPhone 4 was real, by demanding that Gizmodo return it.
A. Yes, like Apple and the iPhone. They sent us a screen capture with the missing header and other information.
Q. What were they thinking?
A. I don’t know.
Q. So the full publication is coming up?
Q. Do you have more on finance?
A. We have a lot of finance related things. Of the commercial sectors we’ve covered, finance is the most significant. Before the banks went bust in Dubai, we put out a number of leaks showing they were unhealthy. They threatened to send us to prison in Dubai, which is a little serious, if we went there.
Q. Just to review, what would you say are the biggest five private sector leaks in WikiLeaks’ history?
A. It depends on the importance of the material vs. the impact. Kaupthing was one of the most important, because of the chain of effects it set off, the scrutiny in Iceland and the rest of Scandinavia. The Bank Julius Baer case was also important. The Kaupthing leak was a very good leak. The loanbook described in very frank terms the credit worthiness of all these big companies and billionaires and borrowers, not just internal to the bank, but a broad spectrum all over the world, an assessment of a whole bunch of businesses around the world. It was quite an interesting leak. It didn’t just expose Kaupthing, it exposed many companies. The bank Julius Baer exposed high net worth individuals hiding assets in the Cayman Islands, and we went on to do a series that exposed bank Julius Baer’s own internal tax structure. It’s interesting that Swiss banks also hide their assets from the Swiss by using offshore bank structuring. We had some quite good stuff in there. It set off a chain of regulatory investigations, possibly resulting in some changes. It triggered a lot of interesting scrutiny.
Q. Regulation: Is that what you’re after?
A. I’m not a big fan of regulation: anyone who likes freedom of the press can’t be. But there are some abuses that should be regulated, and this is one. With regard to these corporate leaks, I should say: There’s an overlap between corporate and government leaks. When we released the Kroll report on three to four billion smuggled out by the former Kenyan president Daniel arap Moi and his cronies, where did the money go? There’s no megacorruption–as they call it in Africa, it’s a bit sensational but you’re talking about billions–without support from Western banks and companies. That money went into London properties, Swiss banks, property in New York, companies that had been set up to move this money. We had another interesting one from the pharmaceutical industry: It was quite self-referential. The lobbyists had been getting leaks from the WHO. They were getting their own internal intelligence report affecting investment regulation. We were leaked a copy. It was a meta-leak. That was quite influential, though it was a relatively small leak–it was published in Nature and other pharma journals.
Q. What do you think WikiLeaks mean for business? How do businesses need to adjust to a world where WikiLeaks exists?
A. WikiLeaks means it’s easier to run a good business and harder to run a bad business, and all CEOs should be encouraged by this. I think about the case in China where milk powder companies started cutting the protein in milk powder with plastics. That happened at a number of separate manufacturers. Let’s say you want to run a good company. It’s nice to have an ethical workplace. Your employees are much less likely to screw you over if they’re not screwing other people over. Then one company starts cutting their milk powder with melamine, and becomes more profitable. You can follow suit, or slowly go bankrupt and the one that’s cutting its milk powder will take you over. That’s the worst of all possible outcomes. The other possibility is that the first one to cut its milk powder is exposed. Then you don’t have to cut your milk powder. There’s a threat of regulation that produces self-regulation. It just means that it’s easier for honest CEOs to run an honest business, if the dishonest businesses are more affected negatively by leaks than honest businesses. That’s the whole idea. In the struggle between open and honest companies and dishonest and closed companies, we’re creating a tremendous reputational tax on the unethical companies. No one wants to have their own things leaked. It pains us when we have internal leaks. But across any given industry, it is both good for the whole industry to have those leaks and it’s especially good for the good players.
Q. But aside from the market as a whole, how should companies change their behavior understanding that leaks will increase?
A. Do things to encourage leaks from dishonest competitors. Be as open and honest as possible. Treat your employees well. I think it’s extremely positive. You end up with a situation where honest companies producing quality products are more competitive than dishonest companies producing bad products. And companies that treat their employees well do better than those that treat them badly.
Q. Would you call yourself a free market proponent?
A. Absolutely. I have mixed attitudes towards capitalism, but I love markets. Having lived and worked in many countries, I can see the tremendous vibrancy in, say, the Malaysian telecom sector compared to the U.S. sector. In the U.S. everything is vertically integrated and sewn up, so you don’t have a free market. In Malaysia, you have a broad spectrum of players, and you can see the benefits for all as a result.
Q. How do your leaks fit into that?
A. To put it simply, in order for there to be a market, there has to be information. A perfect market requires perfect information. There’s the famous lemon example in the used car market. It’s hard for buyers to tell lemons from good cars, and sellers can’t get a good price, even when they have a good car. By making it easier to see where the problems are inside of companies, we identify the lemons. That means there’s a better market for good companies. For a market to be free, people have to know who they’re dealing with.
Q. You’ve developed a reputation as anti-establishment and anti-institution.
A. Not at all. Creating a well-run establishment is a difficult thing to do, and I’ve been in countries where institutions are in a state of collapse, so I understand the difficulty of running a company. Institutions don’t come from nowhere. It’s not correct to put me in any one philosophical or economic camp, because I’ve learned from many. But one is American libertarianism, market libertarianism. So as far as markets are concerned I’m a libertarian, but I have enough expertise in politics and history to understand that a free market ends up as monopoly unless you force them to be free. WikiLeaks is designed to make capitalism more free and ethical.
Q. But in the meantime, there could be a lot of pain from these scandals, obviously.
A. Pain for the guilty.
Q. Do you derive pleasure from these scandals that you expose and the companies you shame?
A. It’s tremendously satisfying work to see reforms being engaged in and stimulating those reforms. To see opportunists and abusers brought to account.
Q. You were a traditional computer hacker. How did you find this new model of getting information out of companies?
A. It’s a bit annoying, actually. Because I cowrote a book about [being a hacker], there are documentaries about that, people talk about that a lot. They can cut and paste. But that was 20 years ago. It’s very annoying to see modern day articles calling me a computer hacker. I’m not ashamed of it, I’m quite proud of it. But I understand the reason they suggest I’m a computer hacker now. There’s a very specific reason. I started one of the first ISPs in Australia, known as Suburbia, in 1993. Since that time, I’ve been a publisher, and at various moments a journalist. There’s a deliberate attempt to redefine what we’re doing not as publishing, which is protected in many countries, or the journalist activities, which is protected in other ways, as something which doesn’t have a protection, like computer hacking, and to therefore split us off from the rest of the press and from these legal protections. It’s done quite deliberately by some of our opponents. It’s also done because of fear, from publishers like The New York Times that they’ll be regulated and investigated if they include our activities in publishing and journalism.
Q. I’m not arguing you’re a hacker now. But if we say that both what you were doing then and now are both about gaining access to information, when did you change your strategy from going in and getting it to simply asking for it?
A. That hacker mindset was very valuable to me. But the insiders know where the bodies are. It’s much more efficient to have insiders. They know the problems, they understand how to expose them.
Q. How did you start to approach your leak strategy?
A. When we started Suburbia in 1993, I knew that bringing information to the people was very important. We facilitated many groups: We were the electronic printer if you like for many companies and individuals who were using us to publish information. They were bringing us information, and some of them were activist groups, lawyers. And some bringing forth information about companies, like Telstra, the Australian telecommunications giant. We published information on them. That’s something I was doing in the 1990s. We were the free speech ISP in Australia. An Australian Anti-church of Scientology website was hounded out of Victoria University by legal threats from California, and hounded out of a lot of places. Eventually they came to us. People were fleeing from ISPs that would fold under legal threats, even from a cult in the U.S. That’s something I saw early on, without realizing it: potentiating people to reveal their information, creating a conduit. Without having any other robust publisher in the market, people came to us.
Q. I wanted to ask you about [Peiter Zatko, a legendary hacker and security researcher who also goes by] “Mudge.”
A. Yeah, I know Mudge. He’s a very sharp guy.
Q. Mudge is now leading a project at the Pentagon’s Defense Advanced Research Projects Agency to find a technology that can stop leaks, which seems pretty relative to your organization. Can you tell me about your past relationship with Mudge?
A. Well, I…no comment.
Q. Were you part of the same scene of hackers? When you were a computer hacker, you must have known him well.
A. We were in the same milieu. I spoke with everyone in that milieu.
Q. What do you think of his current work to prevent digital leaks inside of organizations, a project called Cyber Insider Threat or Cinder?
A. I know nothing about it.
Q. But what do you think of the potential of any technology designed to prevent leaks?
Q. What do you mean?
A. New formats and new ways of communicating are constantly cropping up. Stopping leaks is a new form of censorship. And in the same manner that very significant resources are spent on China’s firewall, the result is that anyone who’s motivated can work around it. Not just the small fraction of users, but anyone who really wants to can work around it. Censorship circumvention tools [like the program Tor] also focus on leaks. They facilitate leaking. Air-gapped networks are different, where there’s literally no connection between the network and the internet. You may need a human being to carry something. But they don’t have to intentionally carry it. It could be a virus on a USB stick, as the Stuxnet worm showed, though it went in the other direction. You could pass the information out via someone who doesn’t know they’re a mule.
Q. Back to Mudge and Cinder: Do you think, knowing his intelligence personally, that he can solve the problem of leaks?
A. No, but that doesn’t mean that the difficulty can’t be increased. But I think it’s a very difficult case, and the reason I suggest it’s an impossible case to solve completely is that most people do not leak. And the various threats and penalties already mean they have to be highly motivated to deal with those threats and penalties. These are highly motivated people. Censoring might work for the average person, but not for highly motivated people. And our people are highly motivated. Mudge is a clever guy, and he’s also highly ethical. I suspect he would have concerns about creating a system to conceal genuine abuses.
Q. But his goal of preventing leaks doesn’t differentiate among different types of content. It would stop whistleblowers just as much as it stops exfiltration of data by foreign hackers.
A. I’m sure he’ll tell you China spies on the U.S., Russia, France. There are genuine concerns about those powers exfiltrating data. And it’s possibly ethical to combat that process. But spying is also stabilizing to relationships. Your fears about where a country is or is not are always worse than the reality. If you only have a black box, you can put all your fears into it, particularly opportunists in government or private industry who want to address a problem that may not exist. If you know what a government is doing, that can reduce tensions.
Q. There have been reports that Daniel Domscheit-Berg, a German who used to work with WikiLeaks, has left to create his own WikiLeaks-type organization. The Wall Street Journal described him as a “competitor” to WikiLeaks. Do you see him as competition?
A. The supply of leaks is very large. It’s helpful for us to have more people in this industry. It’s protective to us.
Q. What do you think of the idea of WikiLeaks copycats and spinoffs?
A. There have been a few over time, and they’ve been very dangerous. It’s not something that’s easy to do right. That’s the problem. Recently we saw a Chinese WikiLeaks. We encouraged them to come to us to work with us. It would be nice to have more Chinese speakers working with us in a dedicated way. But what they’d set up had no meaningful security. They have no reputation you can trust. It’s very easy and very dangerous to do it wrong.
Q. Do you think that the Icelandic Modern Media Initiative [a series of bills to make Iceland the most free-speech and whistleblower-protective country in the world] would make it easier to do this right if it passes?
A. Not at the highest level. We deal with organizations that do not obey the rule of law. So laws don’t matter. Intelligence agencies keep things secret because they often violate the rule of law or of good behavior.
Q. What about corporate leaks?
A. For corporate leaks, yes, free speech laws could make things easier. Not for military contractors, because they’re in bed with intelligence agencies. If a spy agency’s involved, IMMI won’t help you. Except it may increase the diplomatic cost a little, if they’re caught. That’s why our primary defense isn’t law, but technology.
Q. Are there any other leaking organizations that you do endorse?
A. No, there are none.
Q. Do you hope that IMMI will foster a new generation of WikiLeaks-type organizations?
A. More than WikiLeaks: general publishing. We’re the canary in the coalmine. We’re at the vanguard. But the attacks against publishers in general are severe.
Q. If you had a wishlist of what industries or governments, what are you looking for from leakers?
A. All governments, all industries. We accept all material of diplomatic, historical or ethical significance that hasn’t been released before and is under active suppression. There’s a question about which industries have the greatest potential for reform. Those may be the ones we haven’t heard about yet. So what’s the big thing around the corner? The real answer is I don’t know. No one in the public knows. But someone on the inside does know.
Q. But there are also industries that just have more secrecy, so you must know there are things you want that you haven’t gotten.
A. That’s right. Within the intelligence industry is one example. They have a higher level of secrecy. And that’s also true of the banking industry. Other industries that are extremely well paid, say Goldman Sachs, might have higher incentives not to lose their jobs. So it’s only the obvious things that we want: Things concerning intelligence and war, and mass financial fraud. Because they affect so many people so severely.
Q. And they’re harder leaks to get.
A. Intelligence particularly, because the penalties are so severe. Although very few people have been caught, it’s worth noting. The penalties may be severe, but nearly everyone gets away with it. To keep people in control, you only need to make them scared. The CIA is not scared as an institution of people leaking. It’s scared that people will know that people are leaking and getting away with it. If that happens, the management loses control.
Q. And WikiLeaks has the opposite strategy?
A. That’s right. It’s summed up by the phrase “courage is contagious.” If you demonstrate that individuals can leak something and go on to live a good life, it’s tremendously incentivizing to people.