
22 June 2010. A sends:

Now if I was going to leak such video footage there are a few things that I would NOT DO:

1. Identify myself and provide my email address in the Keyid
2. Upload my key to a public key server
3. Cryptographically sign the file

The basics of identity protection when handling sensitive files.

In terms of multiple signatures on user keys, this does not signify an extensive web of trust.

The ultimate trust level is achieved when the parties meet and generate and sign their key pairs during the meeting and exchange keys.

These guys just crave attention, and are basically media whores. If WIKILEAKS really protects its sources, then they should have provided similar advice.

Cryptome: Valid points. However, Manning may not have been advised by WL on security before getting in touch. It could have been someone else or himself looking into comsec. The key may be a deliberate diversion. Note that all the Wikileaks keys are by pseudonyms, none are co-signed, thus none are trustworthy -- keys generated to protect Wikileaks not those who communicate with it. However there may be other keys generated by Manning and/or Wikileaks not on a public keyserver which are notorious holes in comsec.

Keyservers are purposefully leaky about co-signers of keys, supposedly to assure credibility of a key but also linking and thus implicating the mutual assurers. As shown for Clark, keyservers also compile all a user's keys and link them, thus extending the implication. Thus, the means devised to make a PK available and assured to an unknown and distant party can also tie parties into a web of implication. And the key owners may not be aware of a web created by a co-signer, at the time of co-signing or later. Note that Clark's co-signers include some of the earliest proponents of PGP who freely co-signed to encourage use of PGP. Whether any of those enthusiasts use those venerable keys is doubtful.

There are ways around this, as A suggests, all somewhat comsec risky and difficult: Generate a key for private use, do not send to a keyserver and meet personally to co-sign; or exchange a key on a disk or by snail mail for co-signing; generate a key with a phony email address (never generate on your own computer), use once and abandon and/or revoke (never encrypt or decrypt on your own computer); use a non-generated secret-key, termed "conventional"; and others developed with paranoia about comsec of digital encryption uppermost, i.e., Cryptome.

YMMV for PGP implementation trustworthiness. For play, check the keyservers and Google for the Cryptome administrator, jya[at], and the Wikileaks keyid pseudonyms. Expect to be deceived, and, as always, spied on by Google, the hosts of the keyservers and PGP itself -- to authenticate a secure handshake by SKs and PKs and to protect itself against those who want to use it to entrap.

Lucky Green, an encryption expert once a PGP high officer, reminded at the CFP conference on June 16, 2010, that there is no truly safe means to communicate between two persons. One of the persons will betray the other under sufficient incentive to self-protect. Trust only yourself, and be wary of one's capacity to self-deceive through pride, arrogance, stupidity, and most of all, paranoia. Mea culpa.

21 June 2010

Bradley Manning PGP Key

Bradley Manning is reported to have encrypted materials allegedly provided to Wikileaks. AES-256 ZIP was allegedly used to encrypt the Iraq video. Whether Manning used PGP has not been disclosed. PGP key servers show one Bradley Manning user, below, whose key was generated on January 29, 2010. It is not clear if the Bradley Manning shown for the PGP key below is the alleged leaker to Wikileaks.

Manning, the alleged leaker, allegedly claims in the Lamo chat to have provided the US State Department Iceland cable to Wikileaks in February 2010, shortly after the date of this key generation. Wired reported that Manning was allegedly in the US during January and discussed the secret material with a friend.

Daniel JB Clark, apparently a Manning key signer on the day the key below was made, is a prominent freedom of information proponent. Clark's many keys show dozens of signers. If Clark's signing of this key is valid, it indicates an extensive web of trust for the key.

Key source:

Search results for '0x0a88b658ce022889'

Type bits/keyID     cr. time   exp time   key expir

pub  2048R/CE022889 2010-01-29            

uid Bradley Manning <>
sig  sig3  CE022889 2010-01-29 __________ __________ [selfsig]
sig  sig3  AA95C349 2010-01-29 __________ __________ Daniel JB Clark ( <>

sub  2048R/CA585F3B 2010-01-29            
sig sbind  CE022889 2010-01-29 __________ __________ []

Wikileaks PGP Keys

Type bits/keyID     Date       User ID

pub  3744R/6969D6FA 2010-01-02 WikiLeaks Tech <>

pub  4096R/B914A026 2009-07-27 l <>

pub  1024D/012BA447 2008-08-02 Simon Templar (L-A-T-A-M-W-I-K-I-L-E-A-K-S) <>

pub  1024D/B3A1DC5B 2008-08-02 Simon Templar <>

pub  1024D/7A80037F 2008-06-27 Michael Schmidt (wikileaks) <>

pub  1024D/17290C1C 2007-11-01 WikiLeaks (Encryption Key) <>

pub  1024D/11015F80 2006-11-02 WikiLeaks (Encryption Key) <>

Julian Assange PGP Key

Type bits/keyID     cr. time   exp time   key expir

pub  1024D/9751FF26 2006-03-15            

uid Julian Assange (Julian Assange / / ACNF) <>
sig  sig3  9751FF26 2006-03-15 __________ __________ [selfsig]
sig  sig   690AAAF1 2006-03-15 __________ __________ Julian Assange <>

sub  1024g/4EAD5BBE 2006-03-15            
sig sbind  9751FF26 2006-03-15 __________ __________ []

pub  1024R/159B44ED 1994-10-13 __________ 

pub  1024R/690AAAF1 1993-02-02 __________ 

uid Julian Assange <>
sig  sig   690AAAF1 1993-02-02 __________ __________ [selfsig]
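
Added example (not part of the original page, and not code from Cryptome or any keyserver project): a short Python parser for the listing format shown above, run over rows copied from the Manning and Assange listings. It reports what any reader of a public keyserver index learns about a key: which other key signed it, under what name, and whether that signature carries the same date as the key's creation. The function names parse_listing and exposed_links are hypothetical.

```python
import re

# Constructed sample: rows taken from the two listings on this page
# (e-mail fields were already blank there).
LISTING = """\
pub  2048R/CE022889 2010-01-29
uid Bradley Manning <>
sig  sig3  CE022889 2010-01-29 __________ __________ [selfsig]
sig  sig3  AA95C349 2010-01-29 __________ __________ Daniel JB Clark ( <>
sub  2048R/CA585F3B 2010-01-29
sig sbind  CE022889 2010-01-29 __________ __________ []
pub  1024D/9751FF26 2006-03-15
uid Julian Assange (Julian Assange / / ACNF) <>
sig  sig3  9751FF26 2006-03-15 __________ __________ [selfsig]
sig  sig   690AAAF1 2006-03-15 __________ __________ Julian Assange <>
sub  1024g/4EAD5BBE 2006-03-15
sig sbind  9751FF26 2006-03-15 __________ __________ []
"""

PUB = re.compile(r"^pub\s+\d+\w/([0-9A-F]{8})\s+(\d{4}-\d\d-\d\d)")
SIG = re.compile(r"^sig\s+(\S+)\s+([0-9A-F]{8})\s+(\d{4}-\d\d-\d\d)\s+\S+\s+\S+\s*(.*)$")

def parse_listing(text):
    """Map each pub key ID to its creation date, first uid and co-signers."""
    keys, kid = {}, None
    for line in text.splitlines():
        if m := PUB.match(line):
            kid = m.group(1)
            keys[kid] = {"created": m.group(2), "uid": None, "cosigners": []}
        elif kid is None:
            continue  # rows before the first pub line belong to no key
        elif line.startswith("uid ") and keys[kid]["uid"] is None:
            keys[kid]["uid"] = line[4:].strip()
        elif m := SIG.match(line):
            kind, signer, date, name = m.groups()
            # Self-signatures and subkey bindings link nobody else to the key.
            if kind != "sbind" and signer != kid:
                keys[kid]["cosigners"].append((signer, date, name.strip()))
    return keys

def exposed_links(keys):
    """What any reader of the public listing learns: who signed whom, and when."""
    return [{"key": kid, "signer": s, "name": n, "same_day": d == k["created"]}
            for kid, k in keys.items() for s, d, n in k["cosigners"]]

if __name__ == "__main__":
    for link in exposed_links(parse_listing(LISTING)):
        print(link)
```

Running the same parse over the listing of one's own key before uploading it shows which identities the upload would tie together.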

An oddity appeared during this Bradley Manning key search on Google. The search produced a mysterious string,


which produced the Bradley Manning public key. The string is not part of the key. No other information on this string could be found. Why it is linked to the Manning key is unknown.


Public Key Server -- Get ``3923d2781a569a8da2c824cbdb06336e ''

Version: SKS 1.1.0