Wikileaks Releases New 'Insurance' Files (facebook.com)
187 points by jlgreco on Aug 17, 2013 | hide | past | favorite | 106 comments



I wonder what are the risks associated with downloading and sharing such torrents.

Evidently, anyone getting them becomes a highly visible target and once the content of these torrents is known, you could become involved in the distribution of classified data.

Even if the content is not known, it could be viewed as an 'unfriendly' act and could make you become a "target of interest" to some zealous 3-letter agency...

Maybe I'm too paranoid. On the other hand, maybe not enough. Hard to know these days.


And what if I'm not a USA citizen? They are watching me anyway. Anyway, if I were on the NSA's office, watching everyday comments on Hacker-News, I'd already have targeted half its crowd as potentially dangerous to the security of the country, just for being so interested in national security matters. Those Geeks!!!


"Anyway, if I were on the NSA's office, watching everyday comments on Hacker-News ..."

Wait, wait. You're saying there's a way to get paid to read HN all day? Where do I sign?


> Where do I sign?

Follow the path to the dark side [1]. They have cookies.

[1]: https://www.nsa.gov/psp/applyonline/EMPLOYEE/HRMS/c/HRS_HRAM...


Obligatory: http://xkcd.com/1223/


And for watching porn...


Ah, Rule 34, by our own cstross: https://en.wikipedia.org/wiki/Rule_34_%28novel%29


If I understand the law correctly, only military people have any prohibition about touching, reading, distributing, etc classified data.

Normal citizens agreed to no such terms.


If I understand the law correctly, U.S. citizens cannot be assassinated by its own government without the benefit of due process.


You do state the law correctly, your confusion seems instead to be with regards to the phrase "due process."

It means literally what it says: everyone is entitled to "due" (i.e. warranted) process, not judicial process. What process is "due" in any given case? It is, on its face, a context-sensitive inquiry.

If you trace the due process clause back to its origins in Clause 39 of the Magna Carta, you'll see that it is not a guarantee of a trial in every case, but rather a protection against arbitrary action: "No free man shall be seized or imprisoned, or stripped of his rights or possessions, or outlawed or exiled, or deprived of his standing in any other way, nor will we proceed with force against him, or send others to do so, except by the lawful judgment of his equals or by the law of the land." The AUMF is, for better or worse, the law of the land.

People gave Eric Holder a lot of flak when he stated that the Constitution guarantees due process and not judicial process, but his comment was a totally uncontroversial statement of the law. I'm pretty sure Greenwald knows that too, since last time I checked NYU (where he got his JD) doesn't teach some bizarro version of Constitutional Law where down is up and due process always requires a trial.


Before mentioning "due process", the Fifth Amendment states:

"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger..."

The exclusion for "cases arising in the land or naval forces" apparently applies to members of the U.S. military, who can be tried under military law (like Bradley Manning was). [1]

Furthermore, the Sixth Amendment says:

"In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence."

So I don't understand how the Constitution allows the federal government the right to execute a citizen without judicial process. Any references would be sincerely appreciated.

[1] https://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_...


> So I don't understand how the Constitution allows the federal government the right to execute a citizen without judicial process. Any references would be sincerely appreciated.

I think you'll be waiting a long time for rayiner to give you one.


Clearly it is the "time of war."


The "time of war" clause applies to soldiers serving in the U.S. armed forces, who are subject to military law. It doesn't apply to random U.S. citizens.


That won't dissuade him. We live in strange times where people practicing cognitive dissonance want to deny others their basic rights because "terr'rists wanna blow you up!"


Nope. Even in a time of war, you are entitled to your due process rights under the Fifth Amendment of the U.S. Constitution.


Judicial process is a subset of due process. You'll notice the comment I was responding to mentioned judicial process. If a US citizen takes up arms with an enemy whom the US is at war with, then the process which he is due does not extend past accurate sighting before the trigger is pulled.

Of course it's a tragedy if a citizen is killed in time of war if it turns out they were not actually engaged in combat alongside the enemy, but war is tragic in general.


And herein lies the beauty of the war on terror, drugs, internet piracy, etc. You (the gov'nt) don't have to define who the enemy are, what actually constitutes an act of combat, or how we know the war has come to an end.

Read the Patriot Act. Read the rules of engagement for taking out U.S. citizens. It would not take a stretch of Eric Holder's imagination to think that downloading the Wikileaks file constitutes an act of aggression against the U.S.

http://en.wikipedia.org/wiki/Patriot_Act

http://reason.com/blog/2013/02/04/someone-just-leaked-obamas...


Huh. I wasn't aware of the "in the Militia" bit. Is that the same militia that lets us all have guns according to the Second Amendment?


You may be right that my understanding of the due process clause is confused. It's been over a decade since I went to law school and I'm getting up in the years, so it wouldn't be completely surprising.

However, I think you miss the point of my response in context of the comment I was responding to. The point of my comment was that our government has taken a very fluid approach to the law to fit its needs versus American citizens/non-citizens. If one feels a certain comfort that the law will protect him/her in the course of some action that seems fully protected by the law today, you might be in for a rude awakening tomorrow.

http://www.motherjones.com/kevin-drum/2011/09/obama-assassin...

http://www.theatlantic.com/politics/archive/2012/10/how-team...

http://en.wikipedia.org/wiki/Michael_Hastings_(journalist)


Please inform the people in power about this.


That's because you don't understand the law correctly. Now show me the prohibition on classified material that applies to non military members.


Your right of way will not prevent you from being run over by a tank.


Apparently having used TOR makes you a person of interest. Not that difficult.


Really?


I'm positive it will stay alive on these (b/c peers can stay anonymous): https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29


"You could become involved in the distribution of classified data."

IANAL, but I believe the espionage act contains a mens rea requirement.


Mens rea is a state of intent, not knowledge.

Suppose, for example, that you discovered a locked storage box with 'property of Big Bank' on the outside. You're supposed to report found items to the police; instead you take it home. Someone sees you and the police turn up; it emerges the box contains a lot of money, and you are charged with theft. You argue at trial that no mens rea existed because you didn't know about the money; true, but the possibility that a locked box belonging to Big Bank would be full of cash was what motivated you to take it home. If, on the other hand, the box contained a brick, you could still be charged with attempt because your intent in picking up the box was impure, even if the contents were valueless.

In this case, Wikileaks 'insurance' documents have in the past contained classified information; they are meant to function as insurance because the contents would embarrass or injure someone if revealed; revelation would be contingent on Wikileaks' dissolution or disablement; and it's reasonable to suppose that only a government could bring that about. Thus, your decision to host the files, even without knowledge of their content, involves an awareness of the strong possibility that they do contain classified information. So whatever the contents actually turn out to be, you would be judged on your intent given the information available at the time.

Now you might also argue that there was some higher interest motivating your actions, eg the belief that all secrecy is evil and that nothing should be classified, ever. But such moral beliefs are normative, ie expressions of what you think the law should be; they have no bearing on what the law actually is, and it is the latter which is supposed to govern your actions. For comparison, I might hold a sincere belief that any insult to a person's honor justifies violent retaliation; but if I kill someone in defense of my honor, that won't spare me from charges of murder, because my private belief is not the law of the land, no matter how sincerely it is held.

In short, don't take deliberately engineered ignorance as equivalent to innocence.

You may find this law review article of interest: http://www.columbialawreview.org/wp-content/uploads/2012/07/... This discusses a narrower reading of mens rea than I have outlined above, but bear in mind the elevated likelihood of a public welfare argument in a case where national security turns out to be at stake. So I would be reluctant to rely on Flores-Figueroa as an escape hatch because that was a case in which the harm largely befell a single individual (the lawful possessor of the identifying information that F-F appropriated), as opposed to the general public whose collective security could be compromised by the release of classified information, personified in the form of the United States.


Well thank god for college kids.


only one way to find out!


So what is the chance they put out an insurance file that they know can be decrypted by the NSA and has really damaging documents in it? I mean it would be a way of showing the NSA what you have, having it already in the hands of a bunch of other people. I wonder if that would be a useful strategy. It could give the NSA time to build a counter story (parallel construction :-) which would mitigate some of the impact, but it could also be construed as a form of "responsible disclosure", letting them know before the world knows so they can "patch their systems."

I hope some creative writer is out there doing some exploration out there in a novel. Lots of interesting questions to think about with regard to the mechanics of this whole story.


If they're releasing something that they could reasonably expect the NSA to be able to crack, there's a non-zero chance other governments would be able to read it as well. That's not really "responsible disclosure" anymore.

It would be safer to just send the decryption key directly to the NSA on a CD. ;)


Well, that also lets the NSA (or anybody who intercepts the CD) release the key to try and make it look like it came from Wikileaks.

Depending on how an adversary times that, it could be damaging for Wikileaks.


They could encrypt it using a pre-existing NSA public key.


Fair enough.


"Due to its incessant work, NSA is the largest electricity consumer in Maryland." - http://en.wikipedia.org/wiki/National_Security_Agency

So what would the carbon footprint be of WikiLeaks releasing 50 gigabytes of encrypted random data?


The NSA dedicates most of its resources to "working smarter not harder." If they have discovered a weakness in AES, it could be as little as running a single executable on a Macbook Air.


If by "working" you mean "bullying" and "strong arming" and "threatening" and "blackmailing" people. It doesn't take a lot of energy to bully somebody into putting trojan horses into their encrypted email service, and threatening to arrest them if they shut down their company. What kind of dirt do you think they have on Obama and Pelosi and the rest of the Senate and House of Representatives, to make them so cooperative? More like "Work illegally, not smarter."


That is the FBI and the CIA.


There is not enough energy available in our universe to crack a container encrypted with AES256.


We do not know that. Using thermodynamics we can establish a limit on how much computation we can do (if I recall correctly Applied Cryptography says that a supernova does not have sufficient energy to count to 2^256 in base 2). However, we have no theoretical basis regarding how much computation is involved in breaking AES256. All we do know is that we (the public) do not know of a way to do it.
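The thermodynamic bound the comment above refers to, worked through here as an added note (not part of the original thread; the constants are the standard physical values, and the supernova figure is the order-of-magnitude estimate of 10^51 erg that Applied Cryptography uses):

Landauer's principle gives the minimum energy to change one bit at temperature $T$:

$$E_{\text{bit}} = k_B T \ln 2$$

Counting through $2^{256}$ states flips at least one bit per increment, so the whole count costs at least

$$E_{\text{count}} \ge 2^{256}\, k_B T \ln 2$$

At the cosmic background temperature $T \approx 2.7\,\text{K}$, with $k_B = 1.38\times10^{-23}\,\text{J/K}$:

$$k_B T \ln 2 \approx 2.6\times10^{-23}\,\text{J}, \qquad E_{\text{count}} \ge 1.16\times10^{77} \times 2.6\times10^{-23}\,\text{J} \approx 3\times10^{54}\,\text{J}$$

A supernova releases on the order of $10^{51}\,\text{erg} = 10^{44}\,\text{J}$, which at that temperature pays for at most

$$\frac{10^{44}\,\text{J}}{2.6\times10^{-23}\,\text{J}} \approx 3.8\times10^{66} \approx 2^{221}$$

increments, about $2^{35}$ times too few for $2^{256}$. This bounds only exhaustive enumeration of the key space; it says nothing about a structural shortcut that avoids enumerating keys, which is exactly the distinction the comment above draws.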


Glenn Greenwald (@ggreenwald) tweeted at 1:00 AM on Sun, Aug 18, 2013: For those asking, @MikeGrunwald's now-deleted tweet: "I can't wait to write a defense of the drone strike that takes out Julian Assange" (https://twitter.com/ggreenwald/status/368885133803143168)


That's just horrible.


why on earth is this a link to Facebook of all things?


I don't understand why they don't post it on their own site.. but well.. here is twitter: https://twitter.com/wikileaks/status/368426845735120896


Thanks, I can't access Facebook from here. Might as well post the direct torrent URLs:

3.6GiB (20130815-A):

    http://wlstorage.net/torrent/wlinsurance-20130815-A.aes256.torrent
    magnet:?xt=urn:btih:e0a092ac0f9b56c886c41335ca36f34aaed6b80c&dn=wlinsurance-20130815-A.aes256&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.istole.it%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.ccc.de%3A80%2Fannounce

49GiB (20130815-B):

    http://wlstorage.net/torrent/wlinsurance-20130815-B.aes256.torrent
    magnet:?xt=urn:btih:95381785c3fb446df35c5b4a8e5ef167dcb72011&dn=wlinsurance-20130815-B.aes256&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.istole.it%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.ccc.de%3A80%2Fannounce

349GiB (20130815-C):

    http://wlstorage.net/torrent/wlinsurance-20130815-C.aes256.torrent
    magnet:?xt=urn:btih:091eed7793fdb48c5bd8488431e888dde41a889f&dn=wlinsurance-20130815-C.aes256&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.istole.it%3A80%2Fannounce&tr=udp%3A%2F%2Ftracker.ccc.de%3A80%2Fannounce
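The comment above gives both a .torrent URL and a magnet link for each file, and the btih in the magnet is the only thing that ties the two together: it is the SHA-1 of the raw bencoded "info" dictionary inside the .torrent. If someone hands you a .torrent file claiming to be one of these, you can check it against the published btih before seeding. The code below is an added example (mine, not WikiLeaks' or any BitTorrent client's); the sample torrent and magnet are constructed inline, and only hex-encoded btih values are handled (base32 ones are not).

```python
import hashlib
from urllib.parse import urlparse, parse_qs


def bencode(value) -> bytes:
    """Canonical bencoding: dict keys sorted bytewise, as the BitTorrent spec requires."""
    if isinstance(value, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(value.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def bdecode(data: bytes, i: int = 0, spans=None):
    """Decode the bencoded value at offset i, returning (value, end_offset).
    When spans is a dict, the raw bytes of each top-level dictionary value are
    recorded in it by key; the info-hash is SHA-1 over exactly those raw bytes."""
    c = data[i:i + 1]
    if c == b"i":
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c == b"l":
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        i += 1
        d = {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            start = i
            v, i = bdecode(data, i)          # nested values: no span recording
            d[k] = v
            if spans is not None:
                spans[k] = data[start:i]
        return d, i + 1
    if c.isdigit():
        j = data.index(b":", i)
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    raise ValueError("malformed bencode at offset %d" % i)


def info_hash(torrent: bytes) -> str:
    """Hex info-hash of a .torrent: SHA-1 of the raw bencoded 'info' dictionary."""
    spans = {}
    _, end = bdecode(torrent, 0, spans)
    if end != len(torrent) or b"info" not in spans:
        raise ValueError("not a torrent metainfo file")
    return hashlib.sha1(spans[b"info"]).hexdigest()


def parse_magnet(uri: str) -> dict:
    """Pull the btih, display name and tracker list out of a magnet URI (hex btih only)."""
    u = urlparse(uri)
    if u.scheme != "magnet":
        raise ValueError("not a magnet URI")
    q = parse_qs(u.query)                       # also percent-decodes the tracker URLs
    btih = [xt[9:].lower() for xt in q.get("xt", []) if xt.lower().startswith("urn:btih:")]
    if len(btih) != 1 or len(btih[0]) != 40:
        raise ValueError("expected exactly one 40-hex-digit urn:btih")
    return {"btih": btih[0], "name": q.get("dn", [None])[0], "trackers": q.get("tr", [])}


def torrent_matches_magnet(torrent: bytes, magnet: str) -> bool:
    """True when the .torrent you fetched is the one the magnet link names."""
    return info_hash(torrent) == parse_magnet(magnet)["btih"]


# Constructed sample (not the real insurance files): a one-piece torrent and a magnet built from it.
SAMPLE_INFO = {b"name": b"sample.aes256", b"length": 1024,
               b"piece length": 16384, b"pieces": b"\x00" * 20}
SAMPLE_TORRENT = bencode({b"announce": b"udp://tracker.example:80/announce", b"info": SAMPLE_INFO})
SAMPLE_MAGNET = ("magnet:?xt=urn:btih:" + hashlib.sha1(bencode(SAMPLE_INFO)).hexdigest()
                 + "&dn=sample.aes256&tr=udp%3A%2F%2Ftracker.example%3A80%2Fannounce")

if __name__ == "__main__":
    print(info_hash(SAMPLE_TORRENT), torrent_matches_magnet(SAMPLE_TORRENT, SAMPLE_MAGNET))
```

Note that the check only proves the .torrent describes the same piece hashes as the magnet; whether the bytes a peer sends you match those piece hashes is enforced by the client as it downloads, and what the decrypted content is remains unknown either way.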


Partially because it is a primary source, and partially because I didn't think to look for the less obnoxious twitter source.

I'm a little curious why they aren't using magnet links though.


I agree. I see Facebook in a URL and I won't visit it, regardless of what it is.


And why is that, exactly?


Can't speak for the OP, but I often find myself reacting in a similar way. The reason is that in the past, more often than not all I got when clicking on such a link was a page asking me to login to see the actual content. I don't have a fb account, hence there's nothing to see for me.

This is not always the case because as far as I know you can see some pages without having to login first, but they seem to be a minority and so I learned simply to ignore such links.

It has nothing to do with dis-/liking fb or not, it's just a matter of practicality.


If a Facebook post is public it can be seen without an fb login


So make an account without personal information. What's the big deal?


HN, reddit, digg et al. would have failed long long ago if half the websites required a login before you could see the linked content. I see no good reason to make an exception for just one particular website.


This entire discussion is moot since Facebook does not, in fact, require you to log in to see content. At least not the content linked in this thread.


Facebook does, in fact, require you to log in to see a lot of content. This may be due to mistaken settings on the content by its uploader, but that's more or less irrelevant. When I follow a link to a Facebook page about a person or event or something, the chances are about 50/50 that I'll simply see a "please log in" box.


The thread started off with hnha asking, "why on earth is this a link to Facebook of all things?" followed by RexRollman responding, "I agree. I see Facebook in a URL and I won't visit it, regardless of what it is.", followed by you asking, "And why is that, exactly?". None of which were asking, "can I access this link without logging into facebook", so positing that the discussion can be ended simply because this link can be accessed is a non-sequitur.

Interestingly, in the same thread that hnha started, there is also a posting by brokenparser about NOT being able to access the linked content - https://news.ycombinator.com/item?id=6228750 So, not only is your position a non-sequitur, it is also based on inconsistent evidence.


I appreciate your well-thought out reply, but I was simply referring to the tree of comments responding to my own original comment. Asserting that further discussion was (and is) moot was neither a non-sequitur nor based on inconsistent evidence.


Faceebook's abiolity to track you does not reqquire you to loginn. Yore y vewing pages with lick bittons preevids a rabust seat of indieacktor variaabbles. This why some cuntry mek illegal teh luke bouton.

Also, all the text you type on your smartphone goes to the fbi. You can probably be id'd by what you mosspell. It.s a question of whether they give a fuck.

Resistance is poodle!


because it may be the source of the news ?


I wonder what could be 349GB worth of data. Probably not text. Video?


[flagged]


If you want that domain to die please continue to spam this forum. Of all the places on the web this is probably the least smart to pull stunts like this.


Does anyone actually fall for this stuff ?


ROI: if nobody would fall for it they wouldn't do it...


That's funny hijackson, because My roomate's mother makes $87 hourly on the laptop. She has been fired for 7 months but last month her pay was $21739 just working on the laptop for a few hours. Read more here=====>>>>>=====w­w­w.j­o­b­s­3­4.c­o­m


I almost thought this comment was going to be a parody of the other!

I'm kinda curious though. At $87/hour, she worked about 250 hours, which works out to be about 57 hours a week. If she only works a few hours at her laptop, the fuck is she doing the rest of the time?


Working on her desktop?

Or maybe, to paraphrase a sibling comment, she's working on the blacktop?


Living the high life and spending it all!


No, no, I meant the 3 hours per month on her laptop, and the 57 hours per week she's working, but not on her laptop. Maybe she's a ho (a busy one at that!) that does her own bookkeeping and accounting!


Hm, is there a market there? Tracking of tricks, scheduling hoes, budgeting, tracking money in drug/alcohol funds, and oversight dashboards for pimps? I mean, they need software too, right?


Can't do it as an iOS app (would never get through AppStore, and I bet most pimps can't jailbreak their phones), so it's either Android or HTML5, but it might get a decent market.

The real problem is that the target demographic is hard to monetize. Can't sign 'em up with a trackable CC, they're not a good target for advertisers, and your service is likely to attract a made-in-NSA parallel construction from FBI and friends.


I'm sure there is! Just don't host it in the cloud...!

Edit: I think I accidentally hit the down arrow instead of the up arrow! Apologies!


Here in Brazil, recently the justice system caught a group that stole several millions that way. One third of a certain state's population here signed up.

Most depressingly, after the justice system shut the thing down, they asked it to allow it to continue, because they were still profitable... (it was a Ponzi)


This seems like a good plan to me, but can any crypto pros poke holes in it?


Clearly, just use a standard solution (PGP). Don't do this with a weak passphrase, and use key-strengthening (bcrypt etc.) just in case. Assange is pretty good at crypto, so I'd expect Wikileaks to broadly get this right.

Also, they already got in trouble for reusing a password (http://boingboing.net/2011/08/31/wikileaks-guardian-journali...), so I'm pretty sure they won't do that again...


> Assange is pretty good at crypto

Not really. He gave a moron the password to a publicly distributed insurance file instead of making a new encrypted file just for him.



No, I wasn't aware of it. The concept looks similar to TrueCrypt's plausible deniability.


Yes, basically; RubberhoseFS helped bring the idea into more-mainstream tools.


I think he is suggesting you read up on the authors.


I've done that, but the project is long dead and it doesn't really showcase the technical chops of its authors. It's more about good intentions.


No, the key strengthening is probably built-in.

Also, most likely it doesn't use a passphrase, but a big generated gpg key (with a passphrase protecting it, of course)


At least for symmetric encryption, gpg defaults (defaulted?) to SHA-1'ing the passphrase 2^16 times, which is not a very large number - http://passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Crac... [pdf] talks of ~2^36 operations per second.

This isn't the worst thing ever, but using GPG for passphrase-protected encryption is not as strong as you might expect - just use a slightly longer/better one.

(Obviously, don't switch to another tool if you can't evaluate it in depth - GPG isn't perfect, but picking a random other tool won't be an improvement.)
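The S2K derivation the comment above is describing, as an added example (my code, not GnuPG's): the iterated-and-salted string-to-key function from RFC 4880 section 3.7.1.3, which is what a gpg --symmetric file uses to turn the passphrase into the AES key. The one-octet coded count 0x60 decodes to the 65536 octets the comment quotes; the passphrase and salt are constructed.

```python
import hashlib


def decode_s2k_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: expand the one-octet coded count into the number of octets hashed."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_s2k_count(octets: int) -> int:
    """Smallest coded octet whose decoded value is >= octets (decode is monotonic in the code)."""
    for code in range(256):
        if decode_s2k_count(code) >= octets:
            return code
    return 0xFF


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated-and-salted S2K (specifier 3). salt+passphrase is fed to the hash repeatedly
    until `count` octets have gone through it (at least one full copy). For keys longer than
    one digest, further hash contexts are preloaded with 1, 2, ... zero octets and concatenated."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(data))
    key = b""
    preload = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]          # the final copy is truncated to land on count exactly
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        preload += 1
    return key[:key_len]


def gpg_symmetric_key(passphrase: bytes, salt: bytes, coded_count: int = 0x60) -> bytes:
    """32-byte AES-256 key as derived for a gpg --symmetric file using SHA-1 S2K with the
    65536-octet count (coded 0x60). A 20-byte SHA-1 digest is too short, so two contexts
    are used: the second preloaded with one zero octet, and the result truncated to 32 bytes."""
    return s2k_iterated_salted(passphrase, salt, coded_count, 32, "sha1")


# Constructed inputs (not taken from any real file).
SAMPLE_SALT = bytes(range(1, 9))
SAMPLE_PASSPHRASE = b"correct horse"

if __name__ == "__main__":
    print(decode_s2k_count(0x60), decode_s2k_count(0xFF))       # 65536 65011712
    print(gpg_symmetric_key(SAMPLE_PASSPHRASE, SAMPLE_SALT).hex())
```

The arithmetic behind the comment's concern: 65536 octets through SHA-1 is about 1024 compression-function calls per guess, so the ~2^36 SHA-1 operations per second quoted from the Gosney talk is roughly 2^26 passphrase guesses per second. The largest encodable count, 0xFF, is 65011712 octets, about a thousand times slower per guess; newer GnuPG releases calibrate the count rather than fixing it at 65536, so read the coded count out of the actual session-key packet rather than assuming it.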


When you're up against the US government with all of their cracking hardware, your passphrase won't be simple.


Unless the insurance files are bluffs, you may as well give the US government the keys yourself so that they know you are not bluffing.

The threat that makes the insurance files work is that the public/press and/or foreign governments may get the keys.


The problem with doing that is that the US government might release the information themselves, just dampened a bit with some PR, so the insurance files aren't worth anything and so WikiLeaks don't get the credit.


I'm not sure WikiLeaks would find that to be a problem. Isn't the whole goal to eventually convince governments to release things themselves?


Which would generally imply that they're not very good insurance files.

I had the last one for a bit, and deleted it just now because I'm seriously doubtful these things are anything more than /dev/urandom piped into a file.


What gives you any indication of that? There's no way of telling a ciphertext from random bytes.
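Making the reply above concrete, as an added example (my code, not WikiLeaks' or any project's; the sample blobs are constructed): a sound cipher's output is indistinguishable from random bytes, but the container around the ciphertext often is not. gpg --symmetric output begins with a symmetric-key encrypted session key packet whose header names the cipher and S2K mode, and openssl enc -salt writes a "Salted__" magic followed by the salt. The classifier below reports such headers when present and otherwise falls back to byte entropy, which by itself cannot tell AES output from /dev/urandom.

```python
import hashlib
import math
from collections import Counter

# RFC 4880 9.2 symmetric algorithm ids (11-13 from RFC 5581).
SYM_ALGS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES-128", 8: "AES-192",
            9: "AES-256", 10: "Twofish", 11: "Camellia-128", 12: "Camellia-192", 13: "Camellia-256"}
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}
PK_ALGS = {1, 2, 3, 16, 17, 18, 19}     # RSA variants, Elgamal, DSA, ECDH, ECDSA


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte under a zeroth-order byte model; 8.0 means every byte value equally common."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in Counter(blob).values())


def openpgp_header(blob: bytes):
    """Parse the first OpenPGP packet header (RFC 4880 4.2). Returns (tag, body_offset) or None."""
    if len(blob) < 2 or not (blob[0] & 0x80):
        return None
    b0 = blob[0]
    if b0 & 0x40:                        # new format: tag in the low 6 bits
        tag = b0 & 0x3F
        l0 = blob[1]
        off = 2 if l0 < 192 else 3 if l0 < 224 else 6 if l0 == 255 else 2
    else:                                # old format: tag in bits 5..2, length type in bits 1..0
        tag = (b0 >> 2) & 0x0F
        off = {0: 2, 1: 3, 2: 5, 3: 1}[b0 & 3]
    return tag, off


def classify(blob: bytes) -> dict:
    """Best-effort identification of what wraps the ciphertext. A bare bit-7 test would flag
    half of all random blobs as OpenPGP, so the packet body is checked for a plausible
    version, algorithm and S2K specifier before the label is applied."""
    out = {"container": "opaque", "entropy": round(shannon_entropy(blob), 3)}
    if blob.startswith(b"Salted__") and len(blob) >= 16:
        out.update(container="openssl-enc", salt=blob[8:16].hex())
        return out
    hdr = openpgp_header(blob)
    if hdr:
        tag, off = hdr
        body = blob[off:off + 13]
        # tag 3: symmetric-key ESK = version 4, cipher id, S2K specifier, [hash, salt, count]
        if tag == 3 and len(body) >= 3 and body[0] == 4 and body[1] in SYM_ALGS and body[2] in S2K_MODES:
            out.update(container="openpgp", packet="SKESK",
                       cipher=SYM_ALGS[body[1]], s2k=S2K_MODES[body[2]])
            if body[2] == 3 and len(body) == 13:
                out["s2k_count"] = (16 + (body[12] & 15)) << ((body[12] >> 4) + 6)
        # tag 1: public-key ESK = version 3, 8-byte key id, public-key algorithm id
        elif tag == 1 and len(body) >= 10 and body[0] == 3 and body[9] in PK_ALGS:
            out.update(container="openpgp", packet="PKESK", keyid=body[1:9].hex())
    return out


# Constructed samples (not real WikiLeaks data). SAMPLE_GPG starts the way a
# `gpg --symmetric --cipher-algo AES256` file does: old-format tag 3, length 13, version 4,
# AES-256, iterated+salted S2K, SHA-1, 8-byte salt, coded count 0x60; filler stands in for the rest.
SAMPLE_GPG = bytes([0x8C, 0x0D, 0x04, 0x09, 0x03, 0x02]) + b"\x11" * 8 + b"\x60" + b"\xAA" * 64
SAMPLE_OPENSSL = b"Salted__" + bytes(range(8)) + b"\xAA" * 64
SAMPLE_OPAQUE = b"".join(hashlib.sha256(b"seed%d" % i).digest() for i in range(2048))  # 64 KiB

if __name__ == "__main__":
    for name, blob in (("gpg", SAMPLE_GPG), ("openssl", SAMPLE_OPENSSL), ("opaque", SAMPLE_OPAQUE)):
        print(name, classify(blob))
```

The practical reading: a file whose first packet parses as an OpenPGP session-key packet tells you the tool and the cipher (and, for iterated S2K, how expensive each passphrase guess is) without any key; a file that is "opaque" with entropy near 8 is equally consistent with AES-CTR output, a raw ciphertext stripped of its header, and /dev/urandom, which is the point the reply above makes.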


Well, obviously, there's no way of telling or he'd simply crack the file and say it was random.

His point is based more on softer considerations like "they never used the previous insurance file yet, have they?" and "Wikileaks pulls a lot of stunts" and "this is just the sort of thing that would appeal to a cryptogeek like Assange whose avowed purpose is to throw sand into the gears of secretive organizations" and "so how did they get 300GB+ of leaked stuff since the site has been half-inactive for years and Assange completely distracted by his legal issues? Who would trust them with it? eg. Snowden didn't go to Wikileaks".


If these ever did get released and were damaging, the media/propaganda machines around the targeted governments would be doing dampening/PR anyway. So if that can largely stop the damage, they certainly wouldn't be any good as insurance, whoever releases them.


Under most circumstances I imagine I would want my opponent to be uncertain of what I have. Letting them know the contents gives them the ability to accurately assess damages and prepare responses.


Sure. I'll get back to you in a few trillion years.


Psh, everyone knows that it only takes the span of a commercial break to crack military-grade double-layered crypto if you use a logic bomb.


I don't know VB though. On a serious note I wonder if there are guys out there that treat this tease as a challenge and try to poke holes themselves. Must be a thrill.


Hey guys and gals, I just found an FTP server FULL of secret NSA files! Its IP address is 127.0.0.1 -- check it out!!!

http://www.cryonet.org/cgi-bin/dsp.cgi?msg=6289


So why don't you do it then? You would be famous for sure.


I would, but I don't know how to write a GUI interface in Visual Basic :(


Decrypting [====______]


I wonder what specific eventuality they're actually insuring against. Capture of Julian Assange?


I would expect that they are going to be releasing something big in the next couple of weeks/months.


It can be related to both Snowden and Assange, or even Manning. The sure thing is that these documents must be a sort of time-bomb: 10 years from now, even if we crack them, they won't have a meaning, but now... apparently they do.


Frankly, given what is going on, I would bet on this being Snowden's NSA data.


Part of Wikileaks' manifesto is a promise to the leakers to release the information eventually, and they have a proven track record of doing so.

Aware of this, I wonder if new insurance files will have any influence on the actions of their enemies.


| I wonder if new insurance files will have any influence on the actions of their enemies.

Even without that, no effect. Blackmailing a bureaucracy... it's not like dealing with a single rational actor. That's the Hollywood version of Washington.

It's like coming upon a traffic jam and deciding you should bribe those responsible so you can go on your way.


> It's like coming upon a traffic jam and deciding you should bribe those responsible so you can go on your way.

This is officially my new favoritest analogy.


Reading those comments on that Facebook page makes me cry. Where is this thing called humanity heading to?



