

David Leigh publishes Cablegate password in his book - charlieok
http://nigelparry.com/news/guardian-david-leigh-cablegate.shtml

======
robhu
The blame shouldn't be laid at the Guardian's door. Yes, they intentionally
released the password - but they released the password to a file they were
told only they had a copy of.

It's the fault of Wikileaks for releasing a copy of this file into the wild,
and for (as might be implied by the article linked to) using the same
passwords repeatedly.

~~~
mentat
Assuming you have the only copy of any file that has been exposed on the
Internet is unwise. If you got a copy of it over the network using an
unsecured protocol then there's a significant chance others did too.

------
Jamiecon
A minor nitpick, but the author also breathlessly describes how he realises he
was one of the "few people in the world" to have access to this information,
in spite of the whole reason it is available in the first place being the
breadth of its distribution within the US military. It seems that no one can
avoid getting drawn into the Le Carré-esque intrigue and excitement that
seems to infest this whole saga.

~~~
charlieok
True, that does detract from it

------
tzs
Maybe someone should explain to Wikileaks how to use GPG.

The failure here is that Wikileaks used a single password to protect a file
that was distributed to multiple parties, meaning that multiple people had to
maintain a shared secret.

------
Jamiecon
I believe that they also told the Guardian that the password was "time
limited", whatever that means. There was probably some melodramatic chat about
it self destructing in 10 seconds. I don't see The Guardian as being on the
hook for this.

~~~
charlieok
I'd guess Assange meant that the download link he was providing was "time
limited".

I don't know how you'd time limit the password itself. It isn't as if I could
send you an encrypted file, with a key that will only decrypt that file for
that day.

Even if Assange had made absolutely sure to destroy any copy he had of the
file which used that key (which would have been a Good Idea), he could not
guarantee that some router on the internet didn't store a copy of the entire
download session.

Regardless of how the blame is distributed, the decision to publish such a
sensitive password in such a public manner still stands out to me as the most
boneheaded single action in the entire saga.
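
An added example, not part of the thread and not anyone's actual setup: one common way a "time limited" download link of the kind charlieok guesses at can work, with the server signing the path and expiry using HMAC. The path, signing key and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side signing key; it never leaves the server.
SIGNING_KEY = b"constructed-demo-signing-key"


def _mac(path: str, expires_at: int, key: bytes) -> str:
    # Bind the signature to both the file path and the expiry time.
    msg = f"{path}\n{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_link(path: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Build path?expires=<unix time>&sig=<hmac> for handing to a recipient."""
    query = urlencode({"expires": expires_at, "sig": _mac(path, expires_at, key)})
    return f"{path}?{query}"


def check_link(url: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Return 'ok', 'expired' or 'bad-signature' for a requested URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return "bad-signature"
    expected = _mac(parts.path, expires_at, key)
    # Verify the MAC (constant-time) before trusting the expiry value.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    return "ok" if now <= expires_at else "expired"


if __name__ == "__main__":
    link = sign_link("/files/archive.bin", expires_at=1000)
    print(check_link(link, now=999))    # within the window
    print(check_link(link, now=1001))   # after the window
    print(check_link(link.replace("expires=1000", "expires=9999"), now=1001))
```

The expiry only gates new fetches from the server. A copy retrieved while the link was valid is unaffected, and the file's password keeps decrypting it, which is the limitation charlieok describes.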

~~~
Jamiecon
Yeah, when you put it like that I see your point. Publishing the password was
a silly thing to do. But I can't get angry about the reporter being non-
technical. Most people are non-technical. To me, it was the responsibility of
Wikileaks to secure the information, and to guide the Guardian to do the same.
It seems they failed in that respect which, given their record of
disorganisation and technical failures, doesn't surprise me.

~~~
charlieok
Well, Assange did try to drive home the importance of protecting the password.
He wrote down most of it and made Leigh memorize the rest, creating a
"something you have" factor and a separate "something you know" factor.

Assange didn't want to give them access to the cables at all, but relented
when they demanded it in negotiations with him. He then made them sign a
contract to protect the information [1]. Clearly this wasn't enough though.

[1] http://wikileaks.org/IMG/pdf/Guardian_Letter_for_Package_3.pdf

