WikiLeaks tweets 83GiB Insurance torrent link

originally posted by: Morrad
a reply to: MuonToGluon

Thanks for the info. To be honest I have never looked at the file batches on WikiLeaks. I wait to read them on here.

My experience lies more in server-side encryption and file encryption. My understanding of PGP (from knowledge acquired approx 5 years ago) is that a pair of keys is generated by the user, a private key and a public key. The user (call him Fred) gives all his contacts the public key which allows them to encrypt messages and files to send to Fred who is the only one who can read these messages as he has the private key to decrypt it. For two-way encrypted communication Fred would need each contacts public key.

I recall around 2007 that Assange was criticised for trying to use PGP in a way it was not designed to be used. If I remember correctly he stopped trying to use it.

When a supposed key was published on Twitter and posted on ATS I was one of the first posters and I said it was a SHA256 hash. Can you link where the public key is please so I take a look? My server's public key is 4096 bit RSA and the characters take up nearly a third of a sheet of A4.

At least someone in this thread is making sense. You're correct about PGP, it basically functions with the idea you have a circle of communications. When you encrypt a message, along with the message you include the public keys of the people that you want to allow to decrypt it. If the message has the public key inside of it at encryption time, that recipient can decrypt it using their private key.

It's a good system for 1 to 1 communication but it doesn't work well for 1 to many.

originally posted by: Morrad
Files sent over email encrypted with PGP cannot be decrypted with a password, you need the private key file as well as the password. Even the sender cannot decrypt a file once they have encrypted it.

The only thing I can think of is if the insurance file is a container file with the encrypted archive and also a key file enclosed (the container file may also be encrypted). You probably know that .AES256 is not a file extension. It is fairly easy to require both a password and a key file to open and encrypted file. This is just a random key, not a signing key for verification.

Since encryption is your hobby, you likely know much more about the subject than me but I've been under the impression that one of the standard tricks these days is to use two layers of encryption, this way even if the first layer is breached, the file still looks like it's a bunch of gibberish and it becomes very difficult to figure out what the valid decrypted file is.

In fact, with a little bit of thinking about this, as long as you never publish a valid SHA to compare against for the internal container, there's no external method of verifying the encryption, short of an exponentially difficult brute force attack (growing based on layers of encryption used).

That said, WIkileaks aren't masters of tech security. You posted the article earlier, but the wikileaks book even leaked the password to one of their files, then you have the misuse of PGP. I think Assange is a smart guy, but he's clearly not capable of doing everything perfect, and his organization has some holes in it.

Personally, if it were me, what I would do is when the file container is opened, I would have it send a signal to my server alerting me it was opened. This would be the ultimate security because it would inform you if a government or someone else broke in. Considering there's some valid speculation over if the US government has actually broken AES or not.

Lots of kids behind the scenes playing around with blocks.

WL hid things in places

New groups are getting on board and closer. People have been working on this for months now.

With PGP, a message encrypted with a private key can be decrypted by anyone with the matching public key. If it is encrypted to a public key then only that person can decrypt it with their private key.

The first is also how signing works as the signature is verified with the signer's public key. In other words it's encrypted to a person's public key but a message digest is signed with the sender's private key so the recipient can verify the sender is correct because the sender would only have the private key matching the public key for the signature.

Part of the issue is trust when something is encrypted/signed, knowing that the keys are really that of the said to be sender/recipient. That is the idea of the trust network with the keys on the key rings.

With these symmetric insurance files, one has to trust that the password key that would work is from Assange or WL. That a new file has not been made and a new key made and said to be the real one.

If there exists an accepted PGP public key, the file could be signed which would verify the file as the actual, original file. But there are questions about WL PGP key(s) and of course if someone gets their key ring then all bets off. There doesn't seem to ever have been a published Assange PGP public key.

The symmetric version eliminates the need for future decryption parties to obtain a PGP key but trust the file/key.

Has anyone confirmed the hashes match on these new insurance files?

Latest hashes not matching latest files. WL saying the hashes are for the unencrypted data. People saying that previous hashes were for encrypted files. The idea was that the starting file was the proper one.

Something seems to have changed at WL. Many feel it means a compromise.

Given the election hoopla caused over the emails, my gut says that WL was finally dealt with. We can't be sure it was found some newer info was sent there that was deemed need to be stopped. And as always, why not not keep confusion surrounding it to keep people from have a clearer view.

The Hannity interview, IMO, makes no sense other then disinformation.

Indeed.

And with technology like this:



We can never be sure if Assange himself actually is speaking in any interview he gives.

Photoshop for speech. Create spoken words in someone's voice from whatever text someone writes.

It'll be interesting to see if the newest round of key hunters get closer than the last.

Many think he was taken on a rendition flight to Smithfield airbase the night of the embassy outage.

I wouldn't be surprised if he's still alive, but unable to actually be doing these interviews.

I personally think Russia somehow got their meathooks into WL and compromised it. I think the strange shift in the kinds of leaks leading up to the election were an early warning sign. We know that Assange didn't like Hillary -- but the out and out praise he's supposedly giving Russia for their "openness" is bizare.

His latest interview said something to the effect of, "not needing to leak info about Russia, as they're having those conversations there already". Wut?

Journalists are killed in Russia all the time! That place is incredibly repressive. Hell, more Russians learn to use VPNs/Darknet sites than Americans because of the censorship!

That's weird. Really weird. That reeks of Russian influence peddling.

There's some weird crap going on between USA/Russia in their intelligence orgs.

I'm not sure how Russia defends against xkeyscore and TAO. I assume they keep a tight lid on what goes in/out of Russian via fiber lines.

I tend to think the blame would be on the US side, especially after the election cycle. If Russia was behind it because of the US data, why would they cripple it.

Could be someone isn't go to wait their turn to be leaked information or the site is now deemed unacceptable.

Long shot but I bet Trump, with his ego, isn't happy about any upcoming leaks about himself. Probably too soon for his team but who knows what is going on in political back rooms.

a reply to: Kettu

From Assange's point of view, it's a good thing that more people in Russia use the dark net, it means they're speaking "freely" about these issues. In the US we don't give them serious discussion. Assange's message is about informing people and letting them do what they'll do from there. Not about getting onto official news distribution networks where governments just recognize his points as part of a debate.

a reply to: Aazadan

Anyone in the USA can use "alternative" networks. They choose not to.

The NSA's reach doesn't end at the shores of the USA. Anyone using fiber cables owned or managed by L3 can be xkeyscored. This includes Russian nationals.

It is far more dangerous in Russia to investigate, discuss or report on "the truth" -- as the FSB/syndicates can be called in to make someone "disappear".

Does Assange want the USA to turn into that? Does Assange want America's 1st Amendment rights eviscerated so that Americans are forced into dark corners of the internet like in Russia?

Things aren't more free in Russia, and the "conversations" aren't happening by anyone of importance there. Large scale protests aren't happening and forward progress isn't being made.

It's a laughable, almost insulting comment that Russia doesn't need leaks compared to the USA.

originally posted by: Kettu
Anyone in the USA can use "alternative" networks. They choose not to.

That's Assange's point. He wants them to. It's not just discussing leaks... he wants a world where people have the skills to threaten leaks, and protect themselves while doing so. Essentially, he wants to use the threat of "see something, say something" that governments use to control the people, as a way for people to control governments and corporations.

Since the US has very little in the way of whistleblower protections, that means that until that changes, Assange wants to see other outlets where people discuss the subject.

Since encryption is your hobby

a reply to: Aazadan

Not per se, I have two VPS Linux servers which I use as a web server/mail server and a VPN/online encrypted backups. I have always looked at security as an ongoing process rather than a set and forget action.

I've been under the impression that one of the standard tricks these days is to use two layers of encryption, this way even if the first layer is breached, the file still looks like it's a bunch of gibberish and it becomes very difficult to figure out what the valid decrypted file is.

It is very easy to do this but I am not sure what the advantage would be in relation to the Assange scenario. The only advantage with double encryption is for the purpose of encrypting a hard drive and then creating a hidden encrypted drive inside it. ie for plausible deniability if you are coerced or tortured into handing over the password. The now defunct app TrueCrypt offered this. With a new hard drive that has not been randomly overwritten it is easily detected.

In fact, with a little bit of thinking about this, as long as you never publish a valid SHA to compare against for the internal container, there's no external method of verifying the encryption.

Please correct me if I have misread this. As I understand it, If someone managed to open the encrypted container and replace the encrypted file inside, it would be easy to encrypt the container again with the same password. The problem would be with the file container, the SHA checksum would be different to the original. If the original file container checksum had previously been published it would arouse suspicion.

Personally, if it were me, what I would do is when the file container is opened, I would have it send a signal to my server alerting me it was opened. This would be the ultimate security because it would inform you if a government or someone else broke in.

The problem would be with a file that is opened on a system which is not connected to the internet. Another issue is manually set or automated permissions as you need a port on the host system (where the file is opened) to communicate with the internet ie the ability to pass through a firewall undetected.

Having an encryption program notify some central point as to it's action probably isn't a good idea. It would allow a compromised central point to be used to track activity by a group that wants to know who has a opened a target file. Makes it easier to find a starting point for some release of prohibited information. It goes against the purpose for what cryptography is often used.

a reply to: EightAhoy

That's all we need is bigger files to lag our PCs

Consume $laves

a reply to: Morrad

Do you PFSense and/or Snort bro?

What kind of encryption, is it FIPS?

And VPNS...Even ones with shared IP's. If you use a VPN provider you're always at the mercy of them, trusting that they don't keep logs. Then there's the jurisdictional issues that arise from where their business is based out of and who they're using in other countries for servers. . .

Just sayin'...

Anyway...back on topic:

Everyone's missing the point. The point is, these new insurance files are suspect. The DM switch already was flipped and the keys are out there right now being chased down for the older insurance files.

originally posted by: Morrad
Please correct me if I have misread this. As I understand it, If someone managed to open the encrypted container and replace the encrypted file inside, it would be easy to encrypt the container again with the same password. The problem would be with the file container, the SHA checksum would be different to the original. If the original file container checksum had previously been published it would arouse suspicion.

That's true.

The problem would be with a file that is opened on a system which is not connected to the internet. Another issue is manually set or automated permissions as you need a port on the host system (where the file is opened) to communicate with the internet ie the ability to pass through a firewall undetected.

It doesn't have to pass undetected, it just has to pass at all. That said, having a non networked device would bypass that.

originally posted by: roadgravel
Having an encryption program notify some central point as to it's action probably isn't a good idea. It would allow a compromised central point to be used to track activity by a group that wants to know who has a opened a target file. Makes it easier to find a starting point for some release of prohibited information. It goes against the purpose for what cryptography is often used.

In this case, the starting point is already known. What it would reveal, if the central point were compromised is where the file was opened.

In this case, I don't think that's a concern since the intent is mass distribution.