I've had no success even starting it on uTorrent on Windows. Transmission on my VM is happily chugging away though.
The biggest file in the torrent is
FinSpy-PC+Mobile-2012-07-12-Final.zip (a hefty 33.75 GB)
Even though it's over 2 years in age, I hope that all the programmers out there, hackers, enthusiasts, employees of antivirus and antimalware companies turn this stuff inside out to see how it works and harden the world's software to make sure we can get better at protecting ourselves.
I've already found that the browser injection works by either running a malware .jar file or installing a malware .xpi
Needless to say here on HN of course, but I'm going to do it anyway:
If you haven't done it already, GET THE JAVA RUNTIME OUT OF YOUR BROWSER
I don't understand what the point of password and PGP protecting the data is.
Typically with torrents, if they're password protected they get shunned. Most torrent downloading software is even programmed to ignore .zip files because of the frequency of password-protected zips. I understand why these show up for illegal media, but for something like a leak it doesn't make sense to me.
Is there an angle I'm missing? I mean, they said they were releasing it to get it into people's hands, it's not like they pulled a WikiLeaks and used it as their insurance policy.
I'm just guessing here, but I think that they protected their website contents themselves, not the uploader of the torrent. This would be the sane thing to do: even if the site gets hacked (...) your binaries still don't leak.
Unfortunately you may be right. Nearly everything is GPG encrypted, and the massive 33 GB zip is a password-protected Acronis True Image file. So far all I have found that isn't encrypted is the web framework (posted on GitHub) and a bunch of marketing documents.
I have no idea about the legality, but it could make your life difficult if you (or someone close to you) want to get a security clearance at some point, or have one and would like to keep it when the time comes to renew it.
I've had security clearance (DV in UK) and a rapist axe murderer could get it. They have virtually no info on anyone and pretty much just base it on your likelihood of compliance.
Maybe so. The only person I know with security clearance says that when they have to renew it, people come and interview them, their neighbors, family members, etc. To go to that trouble without checking their internet history seems foolish, but that doesn't mean that they do it. (This is in the USA; I don't know what level of clearance they have, but I know they work on classified projects.)
My computer started behaving pretty strangely after I began downloading the torrent. Transmission had to download the metadata five times, then my SSD was locked at 100% usage even after I switched off my wifi card. My computer became unresponsive until after I restarted.
I wouldn't be surprised if there were malicious nodes somehow injecting an exploit payload. I recommend downloading this on a machine that you don't care much about.