| Donate $25 for two DVDs of the Cryptome collection of files from June 1996 to the present |
22 June 2010. A sends:
Now if I was going to leak such video footage there are a few things that I would NOT DO:1. Identify myself and provide my email address in the Keyid
2. Upload my key to a public key server
3. Cryptographically sign the fileThe basics of identity protection when handling sensitive files.
In terms of multiple signatures on user keys, this does not signify an extensive web of trust.
The ultimate trust level is acheived when the parties meet and generate and sign their key pairs during the meeting and exchange keys.
These guys just crave attention, and are basically media whores. If WIKILEAKS really protects its sources, then they should have provided similar advice.
Cryptome: Valid points. However, Manning may not have been advised by WL on security before getting in touch. It could have been someone else or himself looking into comsec. The key may be a deliberate diversion. Note that all the Wikileaks keys are by pseudonyms, none are co-signed, thus none are trustworthy -- keys generated to protect Wikileaks not those who communicate with it. However there may be other keys generated by Manning and/or Wikileaks not on a public keyserver which are notorious holes in comsec.
Keyservers are purposefully leaky about co-signers of keys, supposedly to assure credibility of a key but also linking and thus implicating the mutual assurers. As shown for Clark, keyservers also compile all a user's keys and link them, thus extending the implication. Thus, the means devised to make a PK available and assured to an unknown and distant party can also tie parties into a web of implication. And the key owners may not be aware of a web created by a co-signer, at the time of co-signing or later. Note that Clark's co-signers include some of the earliest proponents of PGP who freely co-signed to encourage use of PGP. Whether any of those enthusiasts use those venerable keys is doubtful.
There are ways around this, as A suggests, all somewhat comsec risky and difficult: Generate a key for private use, do not send to a keyserver and meet personally to co-sign; or exchange a key on a disk or by snail mail for co-signing; generate a key with a phony email address (never generate on your own computer), use once and abandon and/or revoke (never encrypt or decrypt on your own computer); use a non-generated secret-key, termed "conventional"; and others developed with paranoia about comsec of digital encryption uppermost, i.e., Cryptome.
YMMV for PGP implementation trustworthiness. For play, check the keyservers and Google for the Cryptome administrator, jya[at]pipeline.com, and the Wikileaks keyid pseudonyms. Expect to be deceived, and, as always, spied on by Google, the hosts of the keyservers and PGP itself -- to authenticate a secure handshake by SKs and PKs and to protect itself against those who want to use it to entrap.
Lucky Green, an encryption expert once a PGP high officer, reminded at the CFP conference on June 16, 2010, that there is no truly safe means to communicate between two persons. One of the persons will betray the other under sufficient incentive to self-protect. Trust only yourself, and be wary of one's capacity to self-deceive through pride, arrogance, stupidity, and most of all, paranoia. Mea culpa.
21 June 2010
Bradley Mannning PGP Key
Bradley Manning is reported to have encrypted materials allegedly provided to Wikileaks. AES-256 ZIP was allegedly used to encrypt the Iraq video. Whether Manning used PGP has not been disclosed. PGP key servers show one Bradley Manning user, below, whose key was generated on January 29, 2010. It is not clear if the Bradley Manning shown for the PGP key below is the alleged leaker to Wikileaks.
Manning, the alleged leaker, allegedly claims in the Lamo chat to have provided the US State Department Iceland cable to Wikileaks in February 2010, shortly after the date of this key generation. Wired reported that Manning was allegedly in the US during January and discussed the secret material with a friend.
Daniel JB Clark, apparently a Manning key signer on the day the key below was made, is a prominent freedom of information proponent. Clark's many keys shows dozens of signers. If Clark's signing of this key is valid, it indicates an extensive web of trust for the key.
Key source: http://keys.niif.hu:11371/pks/lookup?op=vindex&search=0x0A88B658CE022889
Search results for '0x0a88b658ce022889'
Type bits/keyID cr. time exp time key expir
pub 2048R/CE022889 2010-01-29 uid Bradley Manning <bradley.e.manning@gmail.com> sig sig3 CE022889 2010-01-29 __________ __________ [selfsig] sig sig3 AA95C349 2010-01-29 __________ __________ Daniel JB Clark (http://pobox.com/~dclark)
<dclark@pobox.com> sub 2048R/CA585F3B 2010-01-29 sig sbind CE022889 2010-01-29 __________ __________ []
Wikileaks PGP Keys
Type bits/keyID Date User ID
pub 3744R/6969D6FA 2010-01-02 WikiLeaks Tech <wl-tech@sunshinepress.org>
pub 4096R/B914A026 2009-07-27 l <latam@wikileaks.org>
pub 1024D/012BA447 2008-08-02 Simon Templar (L-A-T-A-M-W-I-K-I-L-E-A-K-S) <latam@wikileaks.org>
pub 1024D/B3A1DC5B 2008-08-02 Simon Templar <latam@wikileaks.org>
pub 1024D/7A80037F 2008-06-27 Michael Schmidt (wikileaks) <MchlSchmdtGPG@gmail.com>
pub 1024D/17290C1C 2007-11-01 WikiLeaks (Encryption Key) <wikileaks@wikileaks.org>
pub 1024D/11015F80 2006-11-02 WikiLeaks (Encryption Key) <wikileaks@wikileaks.org>
Julian Assange PGP Key
Type bits/keyID cr. time exp time key expir
pub 1024D/9751FF26 2006-03-15 uid Julian Assange (Julian Assange / nntpcache.com / ACNF) <ja@nntpcache.com> sig sig3 9751FF26 2006-03-15 __________ __________ [selfsig] sig sig 690AAAF1 2006-03-15 __________ __________ Julian Assange <proff@iq.org> sub 1024g/4EAD5BBE 2006-03-15 sig sbind 9751FF26 2006-03-15 __________ __________ []
pub 1024R/159B44ED 1994-10-13 __________
pub 1024R/690AAAF1 1993-02-02 __________ uid Julian Assange <proff@iq.org> sig sig 690AAAF1 1993-02-02 __________ __________ [selfsig]
An oddity appeared during this Bradley Manning key search on Google. The search produced a mysterious string,
"3923d2781a569a8da2c824cbdb06336e"
which produced the Bradley Manning public key. The string is not part of the key. No other information on this string could be found. Why it is linked to the Manning key is unknown.
Source: http://gpg-keyserver.de/pks/lookup?op=hget&search=3923D2781A569A8DA2C824CBDB06336E
Public Key Server -- Get ``3923d2781a569a8da2c824cbdb06336e ''
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: SKS 1.1.0 mQENBEtjDWQBCADG1i8Kf13ranebw7tp97674vDrYyz5cOFQzurfKj+6cS0SOh4ZGFwNtOnA ayDPGzt0cEn4rZ6fRpSBDwnI13M3rxkOioewQAetCgtauvO3IquAGih8ZxIFrB5e+hr0G+/3 4LHVDKlCGVuZVAEQyiP4g2bpfmYqAB6OHSbFwiHweBi/4IoJ8GuvNHgWqSNfEksBLVwcy1Mc IwG7de9nyPXyylIUa/w+kuHJRCFeJXw3DTXpHViimfr60wM1sjBoYHE5vCV798jRt/Y9CXHL cEmIaey8ForFUgH/d5RWEDJwyBPYa0hthiCK//T+tO7MjCy01qDEy0YMplgCfjPpEeBJABEB AAG0LUJyYWRsZXkgTWFubmluZyA8YnJhZGxleS5lLm1hbm5pbmdAZ21haWwuY29tPohGBBMR AgAGBQJLYxSjAAoJECTTK/mqlcNJAHIAni9kGY/EvzV7Kk5PSXaqyRBx2/SkAKC179QXWjHF J3MFMaoddZpp25egmokBOAQTAQIAIgUCS2MNZAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC F4AACgkQCoi2WM4CKInp8Qf7BOuj046e2CekQUmn+rkJWBOIxtYHKBzfG9DBhPulvNUUIX0l aopcoSIEt0xXadSE84qCa1hXQHAlAvl6ee1x6Iq0rv6WXa465dUppBWclsKYTv4mxbHJdbkG RdbqQPnVV0HhVFSdsoJxJenF8VXpwicRcAb927z69M+SVN0VS0HleIug7N/1d19MNnNTreRy EfinMjsWQuJeBx8/mZg8z4kmnGFND9Bh7d21DW2uqcpsAkFyX30P8Wb2+R/QrLALpGkIkxFO qSWQTC8kMvP6i8UcL3Bq5RkZxrnNQOC3ukL5QFFervZk3HCrtvC1iseJ14BxiqKYOE4PjFZH A7GZQ7kBDQRLYw1kAQgA1whUdpNNg+TZ6N8X7NLDIU0acFjN0bebvSA6CF3gH8V2wjkvnxPQ s6u+Q2mxJ8O3OhfwtGXyNqkaEsZqw7jjWfKS10vntMsq3XVeZ8ZXFSmjX+ZHOXMkBdfcYLj2 kPKqfYMr0o0bN5Dqa88513qK4XUj+j9PTFAUV+5NoUSK/qVRvyzZ6fvoxP4qZz3X3JbXVNCc UBUQvz9QqVY62WognkMoWqEHr/wwWPA/QdYaUTi7256m3MokDUcD3k3NwwPI87MQrwByS7nO 4NDcTQC9yBtreMs9VYII1wwRdRJBFwD1eZsvdY4krYvmIW6G4VXkkJnyqeLyE+7oea0C7B/6 5QARAQABiQEfBBgBAgAJBQJLYw1kAhsMAAoJEAqItljOAiiJxu4IALhJr4DqJjWAJI4+CXY3 ik88jPUwdPr20rUVF7IIcJDGq6fJRyX0cQHgbYUYAfFPsNxueb5lURiTdd7aLsbelNynNNVA 8NramsJfSVCm1NwxlE1qM8c3EL9fqKSWwv+ngqwccMzA0vbHkwMudIxPfhGo1L8VsOCogiZw fy4Dv1+JTwoOgNDMRJwQ0xCI21+blSqxV6348HU95w0cm+7aFhDBTWOadMzwByCljwAwXxwU 6Plz+/w66EqOc543DaBweF6YA8rcBvpPHFPP4FfBSdwWNFk//bNgKaMIf0Yd/y0rPgkiXjlI p7P1IE1bA+eams+3miKMsbYbY/8FZgVeVkk= =GCLR -----END PGP PUBLIC KEY BLOCK-----