Why Did Bradley Manning Allegedly Leak WikiLeaks Two Things before He Verified Assange’s Identity?

To return to the work I was doing yesterday, there’s something odd about the timeline of Bradley Manning’s alleged leaks to WikiLeaks: he appears to have given WikiLeaks at least two things–the Reykjavik 13 cable and the Collateral Murder video–before he verified Julian Assange’s identity.

In the chat logs, Manning explains he first started working with WikiLeaks after they released the 9/11 pager messages.

(12:46:17 PM) Adrian: how long have you helped WikiLeaks?

(12:49:09 PM) bradass87: since they released the 9/11 “pager messages”

(12:49:38 PM) bradass87: i immediately recognized that they were from an NSA database, and i felt comfortable enough to come forward

(12:50:20 PM) bradass87: so… right after thanksgiving timeframe of 2009

That would date it November 24 or 25. Interestingly, the government says Manning’s alleged activities began somewhat earlier, November 19. That may suggest they have reason to believe he may have first accessed materials he was not authorized to access on November 19.

There’s a curious break in the chat logs (where Lamo makes his first efforts to get Manning to talk about operation security, while Manning loses it), after which Manning seems to correct Lamo’s suggestion that he’s a WL volunteer. But that does lead Manning to discuss communicating directly with Assange.

(2:04:29 PM) Manning: im a source, not quite a volunteer

(2:05:38 PM) Manning: i mean, im a high profile source… and i’ve developed a relationship with assange… but i dont know much more than what he tells me, which is very little

(2:05:58 PM) Manning: it took me four months to confirm that the person i was communicating was in fact assange

(2:10:01 PM) Lamo: how’d you do that?

(2:12:45 PM) Manning: I gathered more info when i questioned him whenever he was being tailed in Sweden by State Department officials… i was trying to figure out who was following him… and why… and he was telling me stories of other times he’s been followed… and they matched up with the ones he’s said publicly

(2:14:28 PM) Lamo: did that bear out? the surveillance?

(2:14:46 PM) Manning: based on the description he gave me, I assessed it was the Northern Europe Diplomatic Security Team… trying to figure out how he got the Reykjavik cable…

(2:15:57 PM) Manning: they also caught wind that he had a video… of the Gharani airstrike in afghanistan, which he has, but hasn’t decrypted yet… the production team was actually working on the Baghdad strike though, which was never really encrypted

As I suggested yesterday, that would mean that Manning had not verified Assange’s identity until roughly March 24. That would coincide exactly with the WikiLeaks Twitter account’s discussion of US and Icelandic surveillance. Of potential note, on March 23, WL said, “We know our possession of the decrypted airstrike video is now being discussed at the highest levels of US command,” which might be information Manning had access to. While not definitive, all of that suggests the public discussion was one way Manning verified “that the person i was communicating was in fact assange.”

But there were at least two things Manning had already allegedly leaked to WikiLeaks: the Collateral Murder video and the Reykjavik 13 cable. A possible third which I will not deal with here is the intelligence report naming WikiLeaks as a threat to the military, which was released March 18, 2010, but which is not definitely attributable even hypothetically to Manning.

Collateral Murder Timing

WL first reported getting what appear to be the Collateral Murder and Gharani videos on January 8, 2010.

Have encrypted videos of US bomb strikes on civilians http://bit.ly/wlafghan2 we need super computer time http://ljsf.org/

On February 20, it claimed to have cracked the encryption code of what appears to be the Collateral Murder video.

Finally cracked the encryption to US military video in which journalists, among others, are shot. Thanks to all who donated $/CPUs.

For his part, Manning describes just stumbling upon the Collateral Murder video, doing some research into what it was, then stewing on it for a month and a half before forwarding it to WL.

(03:07:53 PM) Manning: i watched that video cold, for instance

(03:10:32 PM) Manning: at first glance… it was just a bunch of guys getting shot up by a helicopter… no big deal… about two dozen more where that came from right… but something struck me as odd with the van thing… and also the fact it was being stored in a JAG officer’s directory… so i looked into it… eventually tracked down the date, and then the exact GPS co-ord… and i was like… ok, so thats what happened… cool… then i went to the regular internet… and it was still on my mind… so i typed into goog… the date, and the location… and then i see this http://www.nytimes.com/2007/07/13/world/middleeast/13iraq.html

(03:11:07 PM) Manning: i kept that in my mind for weeks… probably a month and a half… before i forwarded it to [WikiLeaks]

He dates uploading the video sometime in February.

(02:47:07 PM) Manning: the CM video came from a server in our domain! and not a single person noticed

(02:47:21 PM) Lamo: CM?

(02:48:17 PM) Manning: Apache Weapons Team video of 12 JUL 07 airstrike on Reuters Journos… some sketchy but fairly normal street-folk… and civilians

(02:48:52 PM) Lamo: How long between the leak and the publication?

(02:49:18 PM) Manning: some time in february

(02:49:25 PM) Manning: it was uploaded

(02:50:04 PM) Lamo: uploaded where? how would i transmit something if i had similarly damning data

(02:51:49 PM) Manning: uhm… preferably openssl the file with aes-256… then use sftp at prearranged drop ip addresses

(02:52:08 PM) Manning: keeping the key separate… and uploading via a different means

(02:52:31 PM) Lamo: so i myself would be SOL w/o a way to prearrange

(02:54:33 PM) Manning: not necessarily… the HTTPS submission should suffice legally… though i’d use tor on top of it…

Now, those are seemingly contradictory sets of dates: WL boasts it has Gharani, at least, in January, though the February reference to decrypting it seems to mean Collateral Murder was included in the January announcement. But note that if Manning had first accessed the Collateral Murder video on November 19, a month and a half might put it close to the New Year.

In any case, however, both WL and Manning seem to agree the video was in hand by February, a month before (assuming Manning’s description of the verification process is accurate) Manning verified Assange’s identity.

Reykjavik 13 Cable Timing

Which brings us to the Reykjavik 13 cable, which was released first but may have been leaked after the videos, during the period when WL was working on prepping the Collateral Murder video for publication. The Reykjavik cable obviously had to have been leaked between the time it was written on January 13, 2010 and when it was released on February 18, 2010.* Manning describes the Reykjavik 13 cable as a test:

(1:48:50 PM) Lamo: give me some bona fides … yanno? any specifics.

(1:49:40 PM) Manning: this one was a test: Classified cable from US Embassy Reykjavik on Icesave dated 13 Jan 2010

(1:50:30 PM) Manning: the result of that one was that the icelandic ambassador to the US was recalled, and fired

(1:51:02 PM) Manning: thats just one cable…

I’m particularly interested in what Manning might mean by test. For a more cautious person, it might have been a test of the security of WL’s submission system. WL had just revamped its submission system as of January 12. And critics of WikiLeaks used this very cable to explain some security problems with the submission and release process.

But it seems likely that, if Manning is the only source for the Collateral Murder video, then he was already using the submission system and presumably was comfortable with its security. Whether or not the January 8 date is accurate, after all, if they were announcing they had decrypted the video on February 20, just days after the Reykjavik cable was released, then they surely had received it some time earlier.

So it seems clear that Manning wasn’t waiting, generally, to submit material until this test.

But consider the possibility it was a test for both sides?

What’s interesting about the cable is how much it fed directly into WL’s then very active campaign to build support for Iceland’s Modern Media Initiative, making Iceland a kind of free speech haven, and its opposition to IceSave, the “bailout” that Iceland wisely refused via referendum. WL appears not to have announced the release of the cable itself on Twitter. WL did, however, trumpet the release of details of the negotiations between Iceland and the British and Dutch on IceSave. That must explain why, out of all the cables accessible to Manning at that point, he allegedly chose to leak one on Iceland, which would be fairly unspectacular to American readers, but played right into WL’s objectives of the moment. Effectively, what Manning appears to have proven is that he had live access to whatever diplomatic discussions were going on, including the IceSave negotiations WL was following so closely.

Or did he?

If I’m not mistaken, the most recent creation dates for cables released thus far appear to be in February 2010 (and there are a good many of those, dated right up through the end of the month). It’s possible the government reacted immediately to the release of the Reykjavik cable and restricted access; it’s possible that Manning did a download of the cables shortly after the Reykjavik one was successfully released and never accessed the cables again. But it’s worth noting that the State Department database appears to end shortly after that first test cable.

Just as interesting, though, is how Manning’s reported verification of Assange’s identity appears to correlate with his leaks. If his estimate that it took him four months to verify Assange’s identity is correct, then it appears he had already leaked at least the Collateral Murder and Gharani videos, the Reykjavik cable, and possibly the intelligence report.

That is, he didn’t wait to verify Assange’s identity before he leaked material. Though he may have waited before he leaked the big databases: the Afghan and Iraq War logs, and the State Department cables.

The Alleged Software

So did he wait to do something else until he had verified Assange’s identity?

First of all, note that Manning tied having privileged submission ability to a time after two items of big PR interest were hypothetically leaked.

(02:56:35 PM) Manning: long term sources do get preference… i can see where the “unfairness” factor comes in

(02:56:53 PM) Lamo: how does that preference work?

(02:57:47 PM) Manning: veracity… the material is easy to verify…

(02:58:27 PM) Manning: because they know a little bit more about the source than a purely anonymous one

(02:59:04 PM) Manning: and confirmation publicly from earlier material, would make them more likely to publish… i guess…

(02:59:16 PM) Manning: im not saying they do… but i can see how that might develop

(03:00:18 PM) Manning: if two of the largest public relations “coups” have come from a single source… for instance

It’s unclear whether he (hypothetically, of course) means the cable and the Collateral Murder video, the cable and the intelligence report, or what. If it was the latter, then it would place this privileged time period sometime in March. If it were the former, that time would be slightly later in April.

Which brings me back to my discussion yesterday: the government’s allegation that Manning introduced software onto his computer some time between November 19, 2009 and April 3, 2010.

SPECIFICATION 4: In that Private First Class Bradley E. Manning, U.S. Army, did, between on or about 19 November 2009 and on or about 3 April 2010, at or near Contingency Operating Station Hammer, Iraq, violate a lawful general regulation, to wit: Paragraph 4-5(a)(3), Army Regulation 25-2, dated 24 October 2007, by wrongfully adding unauthorized software to a Secret Internet Protocol Router network computer.

It’s the date I find so interesting. Whereas the other final dates are, at least in theory, tied to the actual release of a particular item, this one is not (unless it’s tied to the Collateral Murder release just days later).

The relationship between WL and Manning, as he appears to describe it in the chat logs, seems to have evolved over time. Given the timing, it appears that several submissions came first. Then came a tailored submission–a cable relating to the IceSave negotiations WL was targeting–and Manning working to verify Assange’s identity. But it appears the bulk of the alleged leaks, the databases, may have come after that.

And note most of that is not currently noted in Manning’s charge sheet. While Manning is charged with passing on 50 cables (possibly during the time period when Lamo was working with authorities), he is only charged with accessing and obtaining information from the 150,000 State cables, not passing them on. And there is absolutely no mention of the Iraq and Afghan War Logs.


*Note: The government lists February 19 as the last possible date when Manning could have leaked the cable, but when the document itself was released it specified,

This document, released by WikiLeaks on February 18th 2010 at 19:00 UTC, describes meetings between embassy chief Sam Watson (CDA) and members of the Icelandic government together with British Ambassador Ian Whiting.

I’m trying to figure out the discrepancy.

  1. WilliamOckham says:

    Why is the date range for delivering the 50 or more cables to unauthorized persons (Charge 2 – Specification 4) 19 Nov 2009 – 24 May 2010 but the charge for having them on his personal computer 19 Nov 2009 – 27 May 2010?

    BTW, I think the discrepancy on the publication date of the Iceland cable has to do with time zones. By February 18th 2010 at 19:00 UTC it would have already been February 19th in Iraq.

    • emptywheel says:

      It’s not 3 hours? I thought I had done that math, but i guess I needed more coffee.

      I think I posted my speculation once that Manning either gave Lamo 50 cables (which might explain why he’s so squeamish about when he reached out to authorities) or had him replicate the transfer process so someone else did. So I think the recipient of these 50 cables is someone aside from WL proper.

      • WilliamOckham says:

        Nope, you are right. It is only three hours. I made the dumb mistake (misread 19:00 as 9pm or 21:00). But I’m wondering what time zone is important, the one where Manning was when the crime was committed or the one where he was charged. Maybe the U.S. military, as a world-wide organization is smart enough to include the extra day, just in case.

        • emptywheel says:

          Or it may be that WL didn’t release the document at the precise moment they did. Wouldn’t be the first time a release was delayed, though you’d wonder why they had that intro on it.

      • piehole says:

        Emptywheel, I read the post and I am unable to determine what your explanation is vis a vis your title: Why Did Bradley Manning Allegedly Leak WikiLeaks Two Things before He Verified Assange’s Identity?.

        For those of us who are less well-acquainted with all the meta-details, can you give us a fast and dirty summary of what your thesis is here?

        • emptywheel says:

          I don’t have a real explanation. Mostly, it seems that the “test” period between Manning and WL is a tentative one that may have led to a deeper relationship, and that may be what the govt is trying to get at.

          Originally I thought Lamo was TOTALLY making up some of what he said about Manning having help. It’s clear he was wrong (and therefore the govt, from whom I’ve always assumed he heard that theory) on some points. But I do think something happened in Feb or March that may have left more bread crumbs for the govt than before.

          • piehole says:

            Clarification questions, Emptywheel: so you are suggesting that Manning had help from a Wikileaks insider — which is in keeping with what seems to be the DOJ angle?

            Does that negate the theory that Manning also had help from double-dealing operatives who lured Manning for a dubious purpose — and/or, an ultimately nefarious purpose, like strong-arming Manning to testify against Wikileaks?

          • piehole says:

            Emptywheel, now I see that you clearly have some degree of confidence in the credibility of Lamo, and the DOJ version of events. Is it fair to say that you are very much at odds with Glenn Greenwald on this aspect of the matter? IMO, you are grasping at straws to make a muddled case — to what end, I still can not see.

            Furthermore, what do you have in mind when you say:

            But I do think something happened in Feb or March that may have left more bread crumbs for the govt than before.

            I find it extraordinarily odd that you are being so oblique.

  2. MadDog says:

    …(03:10:32 PM) Manning: at first glance… it was just a bunch of guys getting shot up by a helicopter… no big deal… about two dozen more where that came from right… but something struck me as odd with the van thing… and also the fact it was being stored in a JAG officer’s directory

    (My Bold)

    I know that WO, like I do, has a computing background, and since you’re here at the moment, I’d like your thoughts about Manning having access to stuff like that JAG officer’s directory.

    Either the military’s security is seriously lacking or Manning had serious administrator privileges, or both.

      • MadDog says:

        On a related note, I’ve been wondering all last night if the Twitter subpoena had to do with the following scenario:

        Assume that both Wikileaks/Assange and Manning were using strong encryption that has not been decrypted by the government (probable).

        Their communication via Twitter however was not encrypted. It was in plain English.

        The government sees millions of encrypted messages that they haven’t got the resources for and do not bother trying to decrypt.

        The government seeks to use the results by the Twitter subpoena to identify these Wikileaks-associated folks’ IP addresses.

        The government then can use these IP addresses to identify which of the millions of encrypted communications they hoover up were relevant to these parties and focuses their decryption efforts on just those.

        Another possible reason for the Twitter subpoena is again identify their IP addresses, and then link those IP addresses to “community of interest” IP addresses of others associated with Wikileaks.

        Identifying who else is in the Wikileaks organization would be a traditional tactic used in both US intelligence and law enforcement operations.

        Just like US intelligence works to penetrate foreign intelligence organizations like Russia’s SVR and just like the FBI works to penetrate organized crime.

        One of the tactics in both these efforts is to identify “weak links” in the security perimeters of these organizations.

        “Weak links” include low-level functionaries that can be turned or pressured to give up information on higher-level individuals and their activities and secrets.

        It would not surprise me at all if these very same tactics were being employed to target Wikileaks functionaries.

        If, for example, the government wanted to acquire the keys to decrypt Wikileaks encrypted communications, targeting low-level Wikileaks functionaries for pressure and/or turning might lead them to those keys.

        • emptywheel says:

          I don’t buy it.

          First, bc as Chris Soghoian notes, Appelbaum, Rop, and Assange have likely hidden their IP addresses beyond discovery.

          2. Three of the individuals named in the order, Jacob Appelbaum, Rop Gonggrijp, and Julian Assange are computer security experts – Appelbaum has worked with the Tor project, and has co-authored some pretty awesome encryption research, Assange co-authored a deniable encrypted filesystem, and Rop has worked for several years to create mobile phone encryption software. All three likely use strong encryption to store and transmit sensitive communications and use Tor to mask their IP addresses. As such, I’m not really sure what DOJ hopes to gain by asking Twitter for this data — as it is doubtful that these individuals have entrusted Twitter with anything private.

          But I also think your theory might work for 1) a corporation, or 2) a cell-based organization where the desired information was not technical. But that’s not the case here. It’s presumably a cell-based organization. And it’s not like the low-level people are going to have the technical know-how–or have been compartmented in–to give investigators the info they wanted.

          Now, there ARE technical whizzes who have been former associates of WL (Adrian Lamo is on the edge of that group, I’d say). So that may be the route you go. But those networks are, AFAIU, fairly small and fairly well-known.

  3. WilliamOckham says:

    I’ve been looking at the dates in the charge sheet. Here’s what I think:

    19-Nov-2009 The day Manning first had access to SIPRnet. He got to Iraq in late October. It probably took that long to get him setup properly (the U.S. military is the world’s largest bureaucracy). Based on conversations I had (7-10 years ago) with a guy who ran a SIPR network on a U.S. aircraft carrier, it wouldn’t surprise me if it took that long to get somebody in position.

    Ignoring the obvious dates for the “Reykjavik 13” cable, the next date is 3-Apr-2010. This one is hard, so let’s come back to it.

    5-Apr-2010 This is the date that the CM video was published (in edited form) by WikiLeaks. Three of the charges relating to the video have that as the end date.

    24-May-2010 This is the date on Charge II-4, relating to the 50+ cables. This is where it helps to cross-reference the violation being charged. The statute Manning is charged with violating is 18 U.S. Code Section 1030(a)(1). That’s a computer fraud charge that requires 1) unauthorized accessing of classified data, and 2a) transmitting or attempting to transmit it to unauthorized persons or 2b) retaining and failing to deliver it to an officer or employee of the USG who is entitled to receive it. The other two charges of this law are II-2, for the CM video and II-3 for the “Reykjavik 13”. In both of those cases, the end date was the WikiLeaks publication date. These cables weren’t published on that date, so what’s up with this charge? Given the date, maybe Manning sent these to Lamo.

    27-May-2010 The date Manning was detained.

    I’ll deal with 3-Apr-2010 in my next comment

  4. alan1tx says:

    puravida

    If there was one thing FDL stands for, from Scooter Libby to W up through the Obama administration is rule of law.

  5. WilliamOckham says:

    3-Apr-2010 Here is the regulation (Paragraph 4-5(a)(3), Army Regulation 25-2) Manning is charged with violating for Charge I-4,

    (4-5(a)In addition to the prohibited activities listed in AR 25–1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection:

    (3)Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user–configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions or the exfiltration of protected data.

    [Emphasis in the original]

    I have a lot of questions about this charge. As far as I can tell, nothing that Manning is accused of requires any software to be installed on his work computer. Now, if the SIPRNet computer being referred to is his personal machine, then all bets are off (that could be the case if it had a SIPRNet connection). Also, how do they know he had the software (whatever it was) installed on his computer by the date in question? It could be as simple as they have restored a backup of his work computer and discovered the software was installed on or before that date. After thinking through a lot of scenarios, the best guess I have at the moment is that Manning installed something on his work computer to help him hide his tracks and there is some evidence of its use by 3-Apr-2010.

    • emptywheel says:

      One thing to keep an eye on as you look at charges is the different computers specified. The rest of the specifications on that charge pertain to Manning’s “personal computer” whereas that last one pertains to a SIPRnet computer.

  6. Denn says:

    “…just a bunch of guys shot up by a helicopter…no big deal…about two dozen more where that came from right…”
    Seriously, what’s wrong with this picture? The banality of evil.

  7. WilliamOckham says:

    Btw, the place in Afghanistan that Manning refers to as Gharani is actually called Garani or Granai or Gerani. You have to google all three if you want to find all the links.

  8. PeasantParty says:

    I still think Lamo was hacking US Govt sites and ran across Manning. It was not until after Lamo realized that Manning was looking at this stuff that they “met up virtually”. The connection between Lamo and Manning does not make sense unless Lamo was hacking and saw Manning in Iraq looking at the same items.

  9. lsls says:

    Maybe Lamo’s the hacker and Manning’s the patsy. Lamo could have made all of this up. Could Lamo have created the log script? He had Manning’s information.

  10. lsls says:

    Why would Manning have access to Jag officer’s directory…Lamo, the hacker, could have hacked into it too or instead of..

  11. croghan27 says:

    “…just a bunch of guys shot up by a helicopter…no big deal…about two dozen more where that came from right…”

    I thought I had seen the totality of that video …. where did these, “about two dozen more…..” come from …. they are in nothing I have seen.

    Have I missed the finale?

  12. kgb999 says:

    Something else isn’t adding up here. According to Manning, they’d open ssl the data with aes-256 and drop the key separately. Two major points to this. First, it seems amazingly unlikely Assange broke AES-256. Even the fastest solutions right now are in the billions of years at as-yet-not-reached computing speeds. If he had to break encryption, it was very likely something else.

    But that aside, Manning describes watching the video. This means he originally had it decrypted. Any encryption added would have been at the point between Manning and Wikileaks. If the process was really as described, Wikileaks would have received the key from Manning and wouldn’t have needed to crack the file in the first place.

    Also, the “introducing software” charge is something hackers are often charged with. Changing logs or adding a backdoor account can get a person charged with it as can stashing unauthorized data files on a server for later retrieval. Software in this regard is construed as anything saved to disk.

    • emptywheel says:

      Thanks–didn’t know this was that common.

      Elsewhere in the chats, Manning actually says the CM video WASN’T encrypted. That’s one of the inconsistencies between what Manning said in chat and what WL was saying publicly that I’ve long been puzzling over.

      • bmull says:

        As kgb999 pointed out WL’s claim that the CM video was encrypted doesn’t make sense, unless they had two sources for the video–one encrypted and one not. I guess that’s possible since the existence of the video was widely known at the time. The other possibility is that WL lied to try to obfuscate where they got the video.