WikiLeaks Posts Mysterious 'Insurance' File

reply to post by sjrily


AES keys are technically strong, but that doesn't fix a weak password. Password complexity is not really a concern of the AES algorithm itself as much as software that implements the algorithm. There are also likely differences in password salting techniques amongst various crypto apps as well. In other words, there's no well-defined answer regarding your password complexity question, but as a general rule, I expect that even software for high encryption will still let you supply a crappy password.

reply to post by bikeshedding


I see the problem as the key and password stay the same size because the encryption doesn't change the length of the password or key just the charcters. So if you can pick out the password encrypted you can make out how long of a word it is. But they tried to make it harder by using longer charcter sets for encrypting the password and key but its still lets you know how long the word is. A basic flaw.

reply to post by JBA2848


At which point, it all comes down to password complexity. If you picked a crappy word like "car," it isn't going to take long for someone to run through the possible three-character combinations. But if you have, say, chosen a string of 20 randomly generated characters, it is going to be much harder to deduce or brute force the password simply by knowing its length. That's all I was saying.

[edit on 6-8-2010 by bikeshedding]

Fox News just did another piece on the Pentagon and Wikileaks, this time it was on the now infamous 'insurance file', now I suspect every Tom Dick and Harry will be downloading that file...lol

reply to post by sjrily


Yes:

$ echo ATS is plagued with thread derailing > cleartext
$ openssl enc -aes256 -in ./cleartext -pass pass:ATS > megaencryption
$ hexdump -C megaencryption
00000000 53 61 6c 74 65 64 5f 5f 65 42 9d 0f 88 de 25 07 |Salted__eB....%.|
00000010 11 ba 89 bc 7e e6 2f 60 e2 47 43 1a 39 e1 96 dd |....~./`.GC.9...|
00000020 27 2c d1 75 7e d7 33 b4 e7 d7 f7 97 fa b6 4e 0d |',.u~.3.......N.|
00000030 56 af cd ce bf bc 9e 54 39 a1 67 b8 37 6d 4f d5 |V......T9.g.7mO.|
00000040
$ openssl enc -d -aes256 -in ./megaencryption -pass pass:ATS
ATS is plagued with thread derailing

here you see a file with a simple string encrypted with password "ATS" using AES-256 which results in a file starting with Salted_ and then decrypted and printed back.

reply to post by the.krio


A question: does the complexity of the password matters in any way, besides a brute force attack?

From my tests there's no way of knowing if the password used was strong or weak, so we have to try it first. Is that right?

DEVELOPING: Wikileaks threatens to release "insurance" file code

Originally posted by bikeshedding
reply to post by sjrily

 

AES keys are technically strong, but that doesn't fix a weak password.... In other words, there's no well-defined answer regarding your password complexity question, but as a general rule, I expect that even software for high encryption will still let you supply a crappy password.

Originally posted by the.krio
reply to post by sjrily

 

Yes:

...here you see a file with a simple string encrypted with password "ATS" using AES-256 which results in a file starting with Salted_ and then decrypted and printed back.

Thank you both! So crappy passwords are allowed; crappy keys, not so much. Since you need both to decrypt, you don't gain much with a crappy password - the key's still a ...crapshoot *lol* (sorry)

And all the lines beginning with zeros - those represent the encrypted text ATS is plagued with thread derailing? Where's the key in all that?

PS - Don't feel obligated to explain all that to me; I'll just end up down another rabbit hole...Kids: "Where's mom?" Dad: "She saw something shiny down another rabbit hole; she's decrypting it."

Swedish web hosting firm conforms Wikileaks leak

Solna, Sweden (AP) - A Swedish Internet company linked to file-sharing hub The Pirate Bay says it's helping online whistle-blower WikiLeaks release classified documents from servers located in a Stockholm suburb.

reply to post by sjrily


The key might be generated from a password with a key-derivation function. Here is where the salt is used. So basically a weak key and a weak password used to generate it is the same thing if one has a file encrypted with it. This is if OpenSSL is used and what you saw happen on the fly in the quoted string encryption-decryption.

reply to post by the.krio


But what is the real importance of a weak or strong password?

Just by looking at the file we cannot know if a weak or strong password was used, right?

Also, a weak password is only important if an attack in which all possible passwords are tried is done, right?

reply to post by ArMaP


Right.
I'm looking through a four char bruteforce right now which took an hour on my crappy mac book.
So your point is?..

reply to post by the.krio


My point was just to make things clearer, at least for me (not a native English speaker) the words used were a little confusing.

Insurance file....?

Insurance you say? I wonder what it is about insurance Wikileaks might be keeping back as their ace up their sleeve should something happen to Assange and Wikileak's contributors?

Let's see....

Larry Silverstein

From the link:

In January 2001, Silverstein, via Silverstein Properties and Westfield America, made a $3.2 billion bid for the lease to the World Trade Center. Silverstein was outbid by $50 million by Vornado Realty, with Boston Properties and Brookfield Properties also competing for the lease. However, Vornado withdrew and Silverstein's bid for the lease to the World Trade Center was accepted on July 24, 2001.[14] This was the first time in the building's 31-year history that the complex had changed management.

The lease agreement applied to One, Two, Four, and Five World Trade Center, and about 425,000 square feet (39,500 m2) of retail space. Silverstein put up $14 million of his own money to secure the deal.[15] The terms of the lease gave Silverstein, as leaseholder, the right and the obligation to rebuild the structures if destroyed.[16]

Upon leasing the World Trade Center towers, along with 4 World Trade Center and 5 World Trade Center, Silverstein insured the buildings. The insurance policies on these four buildings were underwritten by 24 insurance companies for a combined total of $3.55 billion per occurrence in property damage coverage.

More...

Insurance dispute

The insurance policies obtained in July 2001 for World Trade Center buildings 1, 2, 4 and 5 had a collective face amount of $3.55 billion. Following the September 11, 2001 attack, Silverstein sought to collect double the face amount (~$7.1 billion) on the basis that the two separate airplane strikes into two separate buildings constituted two occurrences within the meaning of the policies. The insurance companies took the opposite view. Based on differences in the definition of "occurrence"--the insurance policy term governing the amount of insurance-- and uncertainties over which definition of "occurrence" applied, the court split the insurers into two groups for jury trials on the question of which definition of "occurrence" applied and whether the insurance contracts were subject to the “one occurrence” interpretation or the “two occurrence” interpretation.

Link


And let's remember WTC Building 7. It stood some hours after the Twin Towers fell. No plane had hit it.

Larry Silverstein made the decision, he says, to "pull it", and WTC 7 came tumbling down.

Silverstein had the WTC insured just a few months before September 11th 2001, which was very fortunate and good timing, and when he claimed for insurance, sought to collect double the amount.





Assange has said that he does not believe in any September 11th 2001 conspiracy, but perhaps that's a tactic he has wisely employed for the time being.

You don't want to reveal the ace up your sleeve until the moment is right, after all. Such as in the event of the threat of something sinister immenently happening to you.

[edit on 7-8-2010 by Regensturm]

> Assange has said that he does not believe in any September 11th 2001 conspiracy, but perhaps that's a tactic he has wisely employed for the time being.

Assange is a smart guy and I have no doubt that all his moves are very well calculated.

If I had the mother load of facts that can expose corrupt institutions and powerful individuals, I would use that as leverage to slowly get them to acquiesce and institute the kind of reform that they have sworn an oath to uphold.

I also can't help to think that all of this is just a piece on the chess board, part of a much greater plan to restore the American Republic. Perhaps the patriots inside the Military provided WL w/ very important info they WANT to be disclosed at a specific time.

Back the corrupt, criminals into a corner, flush them out, and restore the American Republic back to De Jure government "of, for, and by" the people instead of - "of, for, and by money" FOR the US (foreign owned) corporation, that pretends to be a legitimate government.

The Military has stated clearly that when the abounded American Republic is re-inhabited, they will give the real President, commander in chief, their full support as they were sworn by oath to do.

The American people will soon be blind sided and shocked and awaken from their slumber and cultural amnesia and once again start to remember WHO THEY ARE.

Onion Router is interesting. Doesn't TOR stand for 'The Onion Router' or something? Maybe it's a clue.

Originally posted by MemoryShock
Chess begins...second line.

LOL!

I don't think wikileaks is an insider, i honestly think he's just a propagandist who manipulates information to further his agenda.

He's already admitted, publicly, to doing so.

He's no hero. He's no villian. He's just another greasy stain on the facade of journalistic integrity.

This whole thing reminds me of The Bank Job.


To the one speaking about this being blackmail...

When your out in the open like he is, blackmail is the only "insurance" you have. They'll gather enough intel on how the file will and/or could be released in the event of his demise/arrest and they'll make him "go away".

Originally posted by Chris McGee
Onion Router is interesting. Doesn't TOR stand for 'The Onion Router' or something? Maybe it's a clue.

It is and it does. The onion router is a network that uses the now open source code for onion routing, a protocol I believe that was developed by the US navy but dropped. A simple google will give you plenty of information.

There are concerns that the TOR network has been compromised to some extent, which on the face of it does not seem that hard to do, a big part of the integrity of the network are the the exit routers (again google for better information) - they are run mainly by volunteers and of course run the open source code... How hard would it be for the unscrupulous to modify that code slightly in order to capture the packets now exiting the network (of course the contents of the packets are not encrypted by the onion routing process, only the layered routing instructions - if you wan't the contents of the packets encrypted then that's entirely your responsibility.

So it has been suggested that enough information could be gleaned this way to reconstruct whole documents or whatever. Nothing quite so efficient as a false sense of security hey

Security expert Jacob Appelbaum works for TOR and WikiLeaks. He was detained at an airport by FBI on July 29th. It is probably just coincidence that ONION and ROUTER (all caps) decrypt the entire file using Blowfish. Any password will decrypt, but only 1 in 256 will do so without generating a padding error.