[Infowarrior] - Schneier on Wikileaks

[Richard Forno]

Schneier on Security

http://www.schneier.com/blog/archives/2010/12/wikileaks_1.html

December 9, 2010

WikiLeaks

I don't have a lot to say about WikiLeaks, but I do want to make a few points.

1. Encryption isn't the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and -- so it seems -- put into an archive on SIPRNet, where lots of people had access to them.

2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.

3. I'm not surprised that these cables were available to so many people. We know that access control is hard, and that it's impossible to know beforehand what information someone will need to do their job. What is surprising is that there wasn't any audit logs kept about who accessed all these cables. That seems like a no-brainer.

4. This has little to do with WikiLeaks. WikiLeaks is just a website. The real story is that "least trusted person" who decided to violate his security clearance and make these cables public. In the 1970s he would have mailed them to a newspaper. Today he uses WikiLeaks. Tomorrow he will have his choice of a dozen similar websites. If WikiLeaks didn't exist, he could have put them up on BitTorrent.

5. I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it's trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don't know what those new models will be, but they will be different.