|
||||
|
29 June 2014. Correction of host offer initiation.
28 June 2014 WikiLeaks Offer and Sarah Harrison Likely a Hoax Previous: http://cryptome.org/2014/06/wikileaks-fails/wikileaks-offer-fails.htm
On 25 January 2014, by Tweet and by Twitter Direct Message, "WikiLeaks" offered to host Cryptome on its servers. Cryptome by DM asked "WikiLeaks" for preferred means to transfer a USB of the Cryptome Archives, requesting an answer by encrypted email to assure "WikiLeaks" was not an imposter. To assure the proposal was legitimate Cryptome sent an encrypted email to Jacob Appelbaum <jacob[at]appelbaum.net> asking if he could authenticate the offer. Appelbaum has not responded. The next day an encrypted email arrived from "Sarah Harrison <sarah[at]wikileaks.org>"
Date: Thu, 26 Jun 2014 14:14:19 +0000 The decrypted message: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I am writing regarding collection details. I can confirm who can do so later today. Can you please let me know where they should go and timing possibilities? Many thanks. Best Sarah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBCgAGBQJTrCTHAAoJEAG3uohTDKQYlAEP/0Xa8DldWfbIRpfqnudj4lRf QQJCjwitC436rFV3gAvlV3Y+o+IqotXAhbhQija9+F6/sEnryhd4587kVAeYdF71 Bz/ATdiYxekR3PHWTEl4LiYqehlR1P4ruSp8V26w+q6su6IYDoivS9CcEEVoqsPk i6uDKrghAq/GsCl1aOZLN0v5MX43KqjbMnDu1BcdLP3ijZPZLrjMCtB4xbUHii8u MSyzbfXciuoHuetWVdZg2gBjNeIqDsSlnqFmLYFkRPyYTPY8xzpp8QxM9SleCO5M 7Hp9F51XXrf+qWWVUHPWjWaEtr6QMPFXCQorEn8DiDDLqlCV1gMT667nwaFQ94E3 RjKGAPqtQSj4u0gNV3PvHGhcAonzCl5OsHL4xlcj/X1P0hLVufnj+rCf0ZLuDRtV juuzzaPIb1Zoa9H68d03lJdSiMderMdK6JbQhJKkfSvX5YJX+r4JOXWu+ydpuA3l lbom3djeOTbVyYQqj62muVLASX3hnRNzYYkEJr4mJdDU9/K76LRIRdzJczaSglUl Vkl/rsVPFLEIRCpt/yaEUwfz5JodkeqfgWF+nQb7QRKXBF5dysUX+fEhY8KF4kRZ uMd56gQGXqYGGyA/XIXZD2DgxxoBzPOaBlYJD+e8i7GvWgKhjKvBDNzFZfclkygT 64c+EmjeGXoyZhux9xIH =Q8AC -----END PGP SIGNATURE----- Attached: key.asc The "key.asc" PK provided (this key was not found on keyservers) and a PGPdump analysis: -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
mQINBFOsIUgBEAC2sl6oY5Y/6f+RR5Ze6Bh3sCZafdBzuiU0SF0s/qOnoOPvoCuy
n60xZkQxBuIocwWy7beWyZmIaWtSh7Zflq+HbEBGw0gS7Mw/QCwgEhJkxq59QPrp
Zk4MI0v+8dmhHPXP+6BAi5FlBf5V0HW/YCHPW/L05bAgDfAkRNPUyyCQNj1lA6st
B+dYcsRkKpmvMfVlYEtpkOjjM8G14Pec2H+wmEPHEG57+7iVYfwPyxPVIN1GokJW
WuQZKXd8fTvwDx+72umDwxEGWxHhecY4jbtGvWqXA7lOAjRpaAssEyw60JrdCc1c
JGzDDXeSlIi3YLzYsozRli93W3OZOAL1fxJe0c5sTAvHrVVnSjF3bNqwWI+VBOPk
+dL/7Dx2SGCSVvwqx+V/MjTwoIgaXUZaU2FPRnQDNp0mGKDu/8GlPD+A+CU+RWGh
vgcqP/4dR/MMIZ+x6WhPKYCqf0/BFlHvjXmwGgJBKjU444szdyZknc9sc3YiIU6s
9ut6SvT0/4PqU7ErEx6DbspsL2fNkUeTs6BvI7GbzvM0os70PiMfL80TOXEQck3Y
jXVZ99LNpwveOEGOdfH4DxRTwZYC78W1NPFLx+n4VZnJWXKdD6tBSrImMq7eidu7
cYxvjTspqUYpzmSKVB0GpVGx9b2wKwsUx3AVbgHIR+0dlfYqUhVH4CQb9wARAQAB
tCRTYXJhaCBIYXJyaXNvbiA8c2FyYWhAd2lraWxlYWtzLm9yZz6JAjcEEwEIACEF
AlOsIUgCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQAbe6iFMMpBjIKg//
XivxkJCpOdbmGA44tzWrI4dSe8CWvEONGZ7G+1Sv7AsDK+66cbgtocf0ZFv+zPgW
n5YBi5zdT3xaUCfOngT1SWUhuGzhkZUDpfu6v3hP2cInWBANcnlb/LhK9naYJwqp
d8yZECLjIbbWbnJ/UsW3m0IZCuY0Mt2xSOIelwOYyF/t3f6/+PbXl2RVnRkmXgXT
f0f8Bf4OzUj9KS7mdHUIjWYz8TJlGE6uBKGOV4t2g73I5GlU81FKi8dtlPrGsJTu
fV3BJ6E0Vgk9R9VaG3Z6ZlRoN5zRxA77fVvHkKApD+G9QPPHPjs0HzPenynyHzRx
PUEIra/Myn7y/KQO0QNEeIZUT7er+oh6ZKQeo90HV2hqPyODWW3O4/H0xwgpYE4l
KU0Sic/vGKzeK0yWmAeqc6ZpZPJhNOYjgr4bzNkIT52hQMyLr2+UMSnkwTiOvGGt
sf5YTX6et0Iy9YzFXnwGVTR+eqwCndHnWc78TmHNbDjY405YWFVxPZ3pvtUSlF2J
LLvkePwcfN+x6ENIg5RLXc2uCQoa8jT4K9yxIvkZggjAdgI+CZbgwTRT8z2FKaxI
M8lFE2yPF0QW4zePogHtOpJwhlxkvy2CM5FGU79h4IWb/oS6h0ZwHcOVP1BFB5BL
GEj9jptwjLdlJeTaTSaMUtPv3BpoC8+KIbLy/ufzPIS5Ag0EU6whSAEQAK/CZI15
MmTwy1hNtr0lK4NYXYBOBZXDpf04TpmKDIERDLTaPu4ucG+Bew3sJYcU647Qx5z2
vnsWbFfnfvU1wEz2g0Rzg6Kpm6h1E2pXl33ll9t/LWWswgKoRjsd3J0lWQajRI9I
bXNB2WWCUHV+8qvRnjXhqAGvKhZNSrjHUb12h73acAwo065z8IEUy3EKCP7P9mrO
OZVOoPnufPpbxL2Yy4R7L2I76mMrxHSDFWpMGUGkqr2c57kXMo+8Qg0GJjRbdM3X
6n92radow7LOFZsualoAB/L8PFfUYbt1S6tQNlXO7TR5RBRbQaLEYJUxIvisuwC5
ToVlkVtLQFf7J0PD9Ljbqid9Tp80vypvvwjJGjxfmQSllrjRhWn1PlVo4HdVmj1l
4AW7vwHFP0dLgw2a6fJMhYkQSFUVd7JJRylK8wj5KYwunYtqbwZ2wYcZFZE+vBtA
LwEUbYNKxY0YIerwBEYJCMNuL+7sUlqPwguTSs2qOzg5NzZEtXRvVKccaMnMYPfc
42crFUwGjell2aq0SUWzQ7btZSVNaMWUuBOG9xmeq11GTxCYbx3nvAm3dOltMYRJ
+iRdwdXw+fSV2+hydlLymbaf4pl33kHWqwMaN/uK1P714rtTiMC+K/pogJFeqTGI
3JAK3v2MLU0WJKRrj4IlHnFPZhFfRcj3rrq5ABEBAAGJAh8EGAEIAAkFAlOsIUgC
GwwACgkQAbe6iFMMpBjiYw//WwGoRFE79zw8H9LAPiEAnZZckvOMtcVeGO6hFt+p
NIuQffMJHPf1fGUVBnJJ0Qwyfr4dXtRUa5576TkF9gEdlXBzHdnytif91390XuCT
IDp2Puyowa9wu35UnLre/utRFgJzhA5Yy2ciHjd1SY3zz6VQ/cjOm8YJGEHFreQp
y9MAs6iwsbw1vVwmd1D+2KSg7tPjODYTH+D19yAPtYURI6RhHN4pe2UOuXOrmqBG
HiNdW/OkI32qUJfybuSewWgQMAdMat9CquIbS4Tl6QLV+zgZtWzF2zPGYYSDPYvz
AomJe284Dpimr97XKA/5bTMU1YtaPZy+SjVozqQr0nwnXX4iLU4UH1BbApch37OX
Qg4hN446ZKFcG7ZhJEcXoJldIbPntS2mhe/ibhPOj42M9MLRelggM0HfuxfsLhUY
riZ8vtIdEPCYthwqzyDiSxql6GRAFID32c7xGidV4dLckkJF09bFLEnlgNnWrr5x
5pRMhYMJ2rN0p15rE/hX/0JNyBdCf2XkOQXMTq8FQ7mQf8DBH024aZj9BTwcHOGD
8uKrUQeAJSQtd52jCbXaTyIq5HAu90aEAGolEg6s2m3kmbqVQzhOzXhVrEvCl+pf
A6E5wUqeoztBKz9iv2WJ/TgPuvDyjzI6eo1YbPy4dN4JBvfTw+DGnB4EC7FZFbes
j2o=
=cfop
-----END PGP PUBLIC KEY BLOCK-----
PGPdump Results
Old: Public Key Packet(tag 6)(525 bytes)
Ver 4 - new
Public key creation time - Thu Jun 26 13:34:00 UTC 2014
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(4096 bits) - ...
RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(36 bytes)
User ID - Sarah Harrison <sarah[at]wikileaks.org>
Old: Signature Packet(tag 2)(567 bytes)
Ver 4 - new
Sig type - Positive certification of a User ID and Public Key packet(0x13).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Thu Jun 26 13:34:00 UTC 2014
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to certify other keys
Flag - This key may be used to sign data
Hashed Sub: preferred symmetric algorithms(sub 11)(4 bytes)
Sym alg - AES with 256-bit key(sym 9)
Sym alg - AES with 192-bit key(sym 8)
Sym alg - AES with 128-bit key(sym 7)
Sym alg - CAST5(sym 3)
Hashed Sub: preferred hash algorithms(sub 21)(4 bytes)
Hash alg - SHA512(hash 10)
Hash alg - SHA384(hash 9)
Hash alg - SHA256(hash 8)
Hash alg - SHA224(hash 11)
Hashed Sub: preferred compression algorithms(sub 22)(4 bytes)
Comp alg - ZLIB <RFC1950>(comp 2)
Comp alg - BZip2(comp 3)
Comp alg - ZIP <RFC1951>(comp 1)
Comp alg - Uncompressed(comp 0)
Hashed Sub: features(sub 30)(1 bytes)
Flag - Modification detection (packets 18 and 19)
Hashed Sub: key server preferences(sub 23)(1 bytes)
Flag - No-modify
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x01B7BA88530CA418
Hash left 2 bytes - c8 2a
RSA m^d mod n(4095 bits) - ...
-> PKCS-1
Old: Public Subkey Packet(tag 14)(525 bytes)
Ver 4 - new
Public key creation time - Thu Jun 26 13:34:00 UTC 2014
Pub alg - RSA Encrypt or Sign(pub 1)
RSA n(4096 bits) - ...
RSA e(17 bits) - ...
Old: Signature Packet(tag 2)(543 bytes)
Ver 4 - new
Sig type - Subkey Binding Signature(0x18).
Pub alg - RSA Encrypt or Sign(pub 1)
Hash alg - SHA256(hash 8)
Hashed Sub: signature creation time(sub 2)(4 bytes)
Time - Thu Jun 26 13:34:00 UTC 2014
Hashed Sub: key flags(sub 27)(1 bytes)
Flag - This key may be used to encrypt communications
Flag - This key may be used to encrypt storage
Sub: issuer key ID(sub 16)(8 bytes)
Key ID - 0x01B7BA88530CA418
Hash left 2 bytes - e2 63
RSA m^d mod n(4095 bits) - ...
-> PKCS-1
The PGPDump shows the key was generated a few hours before the message was sent. Cryptome provided a location and time frame by encrypted email to "Sarah Harrison" using a public key provided by "Harrison." The decrypted message: Hi Sarah, Anytime today, 11AM to 5PM, the parcel can be picked up at our front desk. No need for face to face with us. However we would appreciate the person leaving a simple sign of receipt. Any kind will do that indicates legitimacy. Let me know what form that sign will be. This will help us avoid being spoofed by an imposter, all too common these days as you know. Address: 251 West 89th Street Northwest corner of Broadway, No. 1 subway, 86th Street stop Will be in grey envelope with material inside. Name on envelope: Margaret Mead Foundation Our tel: 212-873-8700 Regards, John There was no answer to this email and nobody came for the pick-up. Cryptome then sent an encrypted email to "Harrison" stating the handover did not occur. The decrypted message: Dear Sarah, The collection is canceled due to not receiving confirmation by encrypted email within proposed time frame. Concerned about being spoofed by an imposter. And cannot authenticate your PK. Regards, John This email was not answered. Yesterday Cryptome sent an encrypted email to Trevor Timm <trevor[at]pressfreedomfoundation.org> asking if he could request Sarah Harrision to authenticate the "Harrison" public key. He emailed he would attempt to do so. No answer has been provided by Timm. Yesterday Cryptome sent an encrypted email to Sarah Harrison <sarah.harrison[at]couragefound.org> describing the receipt of an encrypted email from a party claiming to be her, provided details of the public key provided -- email used, key ID, date and time of generation -- and asked if she could verify the key. No response has been received. The decrypted message: *** PGP SIGNATURE VERIFICATION *** *** Status: Good Signature *** Signer: Cryptome <cryptome[at]earthlink.net> (0x8B3BF75C) *** Signed: 6/27/2014 1:23:46 PM *** Verified: 6/28/2014 12:37:52 PM *** BEGIN PGP DECRYPTED/VERIFIED MESSAGE *** Dear Ms. Harrison, Yesterday we received an encrypted email from a party identified as Sarah Harrison <sarah[at]wikileaks.org> We were able to decrypt the message. However sent an encrypted response to the email address but have not received an answer. We have been unable to verify the public key provided as an attachment for responding to the email. Public key creation time - Thu Jun 26 13:34:00 UTC 2014 User ID - Sarah Harrison <sarah[at]wikileaks.org> Key ID - 0x01B7BA88530CA418 Do you recognize this email address and public key? We are concerned that the email may be a forgery. Thanks very much, John Young Cryptome.org New York, NY 212-873-8700 *** END PGP DECRYPTED/VERIFIED MESSAGE *** Today, 28 June 2014, appeared unsubstantiated allegation that Sarah Harrison has had a falling out with Julian Assange, and that she was preparing a book on the Snowden affair. http://www.wikileaks-forum.com/the-critics/632/another-assange-foot-soldier-sarah- (Cryptome is familiar with Alan Taylor's skeptical views of Assange and WikiLeaks.) Based on the lack of response to our emails to "Harrison" and Harrison and if the allegations are credible, it suggests the true Sarah Harrison did not send the encrypted email to Cryptome, that instead her identity was forged as hoax. This may also suggest the "WikiLeaks" offer to host Cryptome was forged or a hoax. A reader has warned that the hoax may have been perpetuated by Robert David Graham [at]ErrataRob (and associates) who first taunted WikiLeaks to host Cryptome (it is easy to forge Twitter Direct Messages as well as public keys):
The reader's warning message: I just read "June 26, 2014 2014-0923.htm WikiLeaks Offer to Host Cryptome Fails" http://cryptome.org/2014/06/wikileaks-fails/wikileaks-offer-fails.htm You refer to a trusted third party [Appelbaum]? I hope this is not: Robert David Graham [at]ErrataRob. I'm certain that he has very very close links with GCHQ. If you remember Full-Disclosure.pdf, he was basically the mouth piece of GCHQ at the time. I addressed his comments and opposition in the last update of Full-disclosure. http://cryptome.org/2013/12/Full-Disclosure.pdf To be continued, or not.
|
![[Image]](wl-harrison-hoax-01.jpg)
![[Image]](wl-harrison-hoax-02.jpg)
![[Image]](wl-harrison-hoax.jpg)