Saturday, 3 September 2011

A sinking feeling

I'm watching the wikileaks Twitter account with great interest right now. As I type this, a steady stream of accusations aimed at the Guardian newspaper is scrolling up my screen.

One of the things which has been linked to is this. It is Alan Rusbridger confirming the terms of receipt of 'package 3', agreeing to three requirements Julian Assange placed on the Guardian in return for being able to review the documents.

It is being used to demonstrate that the Guardian has broken embargoes and agreements. But it doesn't say what the @wikileaks account seems to think it says.

It doesn't, for example, specifically prohibit publication of a password which was given to the Guardian in order for them to access the data. It doesn't, for example, explain that after a certain period of time the password will no longer work, because it will have been changed. It doesn't, for example, specifically state that passwords should never, ever be published in written documents: even if the password has since been changed, revealing someone's very personal MO for choosing passwords can be fatal, especially when messing with foreign intelligence documents. And for those of you who don't use the same schema to pick all your passwords: either you only need one password between your work and home machines, or neither of those places enforces secure passwords using a combination of letters and numbers, blah blah blah.

What I'm trying to say here, I think, is that David Leigh was an idiot to publish a password. He was. Sorry. You just don't do that. When people say don't write passwords down, they're not messing about. You can read more about the consequences of that decision by Leigh here. But the fundamental crux of this matter, to me, is that Wikileaks and Julian Assange screwed up, and they screwed up because they made a fundamental mistake: they assumed everyone at the Guardian who came into contact with this story understood technology well enough, understood the implications well enough, understood the intricacies of computer security well enough, not to accidentally and completely screw up. And because they didn't spell it out in black and white, I am afraid I don't believe the Guardian can be blamed for doing what they've allegedly done. I don't believe Wikileaks should be playing in computer security related playgrounds if they don't understand that not everyone is comfortable in the same playground, and indeed that each different playground has a different rule set posted on the entrance gate.

The simple fact is, Wikileaks made an assumption. It was the wrong assumption. And the sad and sorry thing is, it won't be anyone at the Guardian or Wikileaks who pays the price for that. And none of us civilians may ever know what price was paid.

I believe in government transparency. I do not, any more, believe in blanket transparency. There's too much at stake, and we do not yet live in a world where the media, or indeed any other sector apart from the computer tech sector, understands security.
