Is the Government Alleging Bradley Manning Loaded Encryption Software onto DOD Computers?

I’ve been revisiting the timeline revealed in Bradley Manning’s charging document. Here’s a short version of what that shows:

November 1, 2009: Earliest date for which government subpoenas Wikileaks related twitter accounts

November 19, 2009: Earliest possibly date for all charges except accessing the Rejkjavik 13 cable (which was dated January 13)

November 24, 2009: Per chat logs, Manning said he first started working with WL after release of 9/11 pager messages, which was first announced on November 24, 2009

January 13, 2010: Earliest possible date for accessing the Rejkjavik 13 cable (the date is obviously taken from the date of the cable)

January 21, 2010: Manning leaves for US

February 11, 2010: Manning returns to Baghdad from US

February 19, 2010: Latest possible date for obtaining and communicating the Rejkjavik 13

March 24, 2010: In chat, Manning suggests it took him four months to verify Assange was who he said he was

April 3, 2010: Latest possible date for “wrongfully adding unauthorized software to a Secret Internet Protocol Router network computer”

April 5, 2010: Latest possible date for having unauthorized possession of photos related to the national defense, knowingly exceeding his authorized access on SIPRnet, willfully transmitting it, and intentionally exceeding his authorized access, all in relation to the Collateral Murder video

May 24, 2010: Latest possible date for knowingly exceeding his authorized access to obtain “more than 50 classified United States Department of State cables” and willfully transmitting them

May 27, 2010: Latest possible date for “introducing” classified information onto his personal computer and obtaining “more then 150,000 diplomatic cables;” this date is two days before, according to the charging sheet, Manning’s pre-trial confinement began and presumably ties to the date when they first assessed what they had on Manning’s seized computer

June 17, 2010: Iceland passes Modern Media Initiative

Now, I’m going to have say to more about this (and will add to this timeline), but I wanted to start with this question: what software did Manning allegedly add to a computer on the SIPRNet on April 3, 2010?

Back when the charging document originally came out, I don’t think I made much sense of specification 4 of charge 1, which reads:

SPECIFICATION 4: In that Private First Class Bradley E. Manning, U.S. Army, did, between on or about 19 November 2009 and on or about 3 April 2010, at or near Contingency Operating Station Hammer, Iraq, violate a lawful general regulation, to wit: Paragraph 4-5(a)(3), Army Regulation 25-2, dated 24 October 2007, by wrongfully adding unauthorized software to a Secret Internet Protocol Router network computer.

I noted it this time because it made no sense to me that the government had listed April 5 as last possible day when Manning allegedly leaked the Collateral Murder video, given that Wikileaks publicly claimed–and Manning did too, sort of–that the video had been passed on in February. So why this April date?

But recall how, since that time, Adrian Lamo has repeatedly claimed to know a person or people in Boston who helped Manning by giving him encryption software to help him send classified data in small enough bits to avoid detection.

Adrian Lamo, the California computer hacker who turned in Pte Manning to military authorities in May, claimed in a telephone interview he had firsthand knowledge that someone helped the soldier set up encryption software to send classified information to Wikileaks.

Mr Lamo, who is cooperating with investigators, wouldn’t name the person but said the man was among a group of people in the Boston area who work with Wikileaks. He said the man told him “he actually helped Private Manning set up the encryption software he used”.

Mr Lamo said the software enabled Pte Manning to send classified data in small bits so that it would seem innocuous.

“It wouldn’t look too much different from your average guy doing his banking on line,” Mr Lamo said.

If someone allegedly gave Manning encryption software that would help download documents to pass onto Wikileaks, then presumably Manning deployed that in Iraq. And if someone from Wikileaks allegedly gave Manning software that subsequently got loaded onto DOD computers in Iraq, then it might explain their current theory of prosecution for conspiracy to leak this information.

The article (as well as a few others like it) on hackers who may have helped Manning came out on August 2, 2010, just days after Jacob Appelbaum had been stopped at the border and his computers–which he refused to decrypt–confiscated.

Appelbaum, of course, is one of the people whose Twitter account was subpoenaed last December. Only, unlike two of the other people listed on the document request (the two who are not US persons), Appelbaum was not named by name. He was named only by his Twitter handle, “ioerror.” Appelbaum was also apparently not–as Birgitta Jónsdóttir was–told by Twitter that DOJ wanted his twitter information. Both of those details have made me wonder whether there is another, still-sealed, warrant pertaining to Appelbaum, which the government would require for some uses since he is a US person.

After the subpoena was revealed, Appelbaum tweeted,

Motivation: …”I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear.”…

He is now on his way back to the US from Iceland; the ACLU plans to meet him at his flight (perhaps to make it harder to detain him as they did in July).

So what does the government think Manning loaded onto his computer, and how do they know the timing of it?

  1. JTMinIA says:

    If Appelbaum insists on quoting Frank Herbert, he should use Whipping Star or Dosadi Experiment, not Dune.

  2. earlofhuntingdon says:

    Would Mr. Herbert be amused or saddened? But I agree with Glennzilla today, the manner of this attack on Applebaum and WikiLeaks is about intimidating government critics, specifically whistleblowers who might reveal embarrassing acts or crimes committed by the government, not simply to enhance legitimate security interests.

    • emptywheel says:

      Dunno. If someone provides software that will intentionally compromise defense department computers, is that just about free flow of info? To me it depends. Once the software is there, what else becomes exposed?

      • pdaly says:

        Since this is all hypothetical, what if the change was a patch to a backdoor? i.e., preventing the NSA from getting in or monitoring activity?

        Was reading this Q&A at Nova with Bamford from 2009

        Q: Recently, did the NSA intentionally create a secret backdoor in a cryptographic algorithm that is now apart of an official government standard?


        Bamford: It is certainly possible, but I have no direct knowledge of it.

        • Jane Hamsher says:

          Since this is all hypothetical, what if the change was a patch to a backdoor? i.e., preventing the NSA from getting in or monitoring activity?

          Well, that certainly would be interesting.

        • MadDog says:

          Speaking of pdaly’s backdoor “hypothetical” (or not), from his Bamford link:

          Q: With the dramatic increase of VoIP [Voice over Internet Protocol], how is the NSA handling this technology? Skype, for instance, is encrypted in 128- or 256-bit form point-to-point if the call is over the Internet. Even if they did decrypt the calls, how could they pick which calls to encrypt from the shear volume of calls?

          Richard H., Toronto, Ontario, Canada

          Bamford: As I discuss in my book The Shadow Factory, VoIP presents a problem for NSA, but there are indications that NSA may have gotten secret cooperation from some of the VoIP companies. With cooperation, intercept and analysis becomes much easier…

          (My Bold)

          Backdoors are likely real, but patching them so the NSA couldn’t peek, assuming one could even find them, that is probably a lot less likely.

          Without the source code, tis hard for even top techies to make sense of bits and bytes.

        • jerryy says:

          Backdoors are likely real, but patching them so the NSA couldn’t peek, assuming one could even find them, that is probably a lot less likely.

          Funny you should mention that. A while back, when VOIP was getting going, a lot of traffic was routed through other countries (they had the unused network capacity to handle the traffic). Since this meant though that even more ears could hear what folks were talking about, encryption was added to the mix, which caused some of the listening ears to get upset, very upset, because the encryption was pretty decent (not impossible to crack, just resource intensive, read lots of money, which small governments did not want to spend).

          One country (Costa Rica) got so upset about not being able to listen in, they were going to ban outsiders using their network to route the VOIP traffic. This would have, of course, been a major problem for the internet in many different ways, not to mention a problem for those listening to conversations routed outside the county — which the Patriot Act calls for. Rumor has it that there were a few folks suddenly sent to talk to Costa Rica and then objections to VOIP were stopped.

          Some background link:

          One thing to keep in mind, if you use a land line, a warrant is needed to listen to you. Odd thing with technology, that phone conversation can be digitized and routed outside of the county, listened to, routed back into the country, un-digitized and sent on to your conversation partner and you will not even notice anything has happened. The tech has ben that good for some time. Your congress critter will also get very uncomfortable discussing this use of the Patriot Act for warrant bypassing.

      • earlofhuntingdon says:

        That’s why I focused on the manner of this prosecution and the apparent priorities involved with it.

        Given this government’s excessive fetish for secrecy, for spying, for unrestrained ability to imprison and punish, especially those who publicly and effectively disagree with it, and its anti-whistleblower priorities, it’s hard to distinguish legitimate security interests from actions that are merely politically self-protective. Given its actions over the past ten years, by both Democratic and Republican leaders, it seems prudent to deny the government the benefit of doubt that might ordinarily run in its favor.

        • WilliamOckham says:


          There are a couple of interesting things about this that I hadn’t noticed before. In the chat logs, Manning mentions having two govt. laptops, one connected to SIPRnet and one connected to JWICS. SIPRnet is only for information classified up to secret and JWICS can be used for top secret/sci. None of the charges refer to JWICS.

          Also, if Manning’s description of the activities of his colleagues is truthful (d/ling music, etc.), there is no doubt that there are hundreds of soldiers guilty of installing unauthorized software on their SIPRnet computers.

  3. emptywheel says:

    Note, in the Charlie Savage article largely depending on Lamo, he says something quite different than he said in the article cited in my post: he says Manning relied on physical drops in the US, not the encryption software allegedly given to Manning.

    “At some point, he became satisfied that he was actually talking to Assange and not some unknown third party posing as Assange, and based on that he began sending in smaller amounts of data from his computer,” Mr. Lamo said. “Because of the nature of his Internet connection, he wasn’t able to send large data files easily. He was using a satellite connection, so he was limited until he did an actual physical drop-off when he was back in the United States in January of this year.”

  4. WilliamOckham says:

    Totally OT good news: Tom DeLay gets 3 years in Texas state prison. Sure, he’s still out on appeal, but man I’ve been waiting for this day.

  5. MadDog says:

    …So what does the government think Manning loaded onto his computer, and how do they know the timing of it?

    Assuming that the government has Manning’s laptop with the unauthorized software still installed, both tasks you identify seem to be nothing more than a minor technical chore.

    Should Manning have uninstalled the unauthorized software, depending on the thoroughness of the uninstallation process, there may still be tracks left behind that identify both the program and its installation date and time.

    Lastly, the government may have SIPRnet logs (and in a nod to WO, JWICS logs which seem highly likely) and/or SIPRnet traffic capture that allow them to identify both the unauthorized software in use as well as when it originally was used.

    • MadDog says:

      Given the background of Julian Assange, I’m thinking what Manning was given was something a wee bit more secure than Winzip:

      …Starting around 1997, he co-invented the Rubberhose deniable encryption system, a cryptographic concept made into a software package for Linux designed to provide plausible deniability against rubber-hose cryptanalysis; he originally intended the system to be used “as a tool for human rights workers who needed to protect sensitive data in the field…”

  6. Synoia says:

    Our top secret computers are not locked down from unauthorized installation of software?

    That is:

    PFCs in the field have administrator rights to computers in a MS Domain? What next, they also have domain administrator rights as well?

    None of my customers ever allowed normal users of computer the permission to install software. As soon as MS domains were installed they then set the rights (permissions) to not allow ordinary users to modify their machine. That’s a know security issue (Security 101).

    There’s something very wrong here.

  7. bmull says:

    I think the Powerpoint presentation was probably a set-up. Nowhere else is a Powerpoint mentioned as being among the leaks, and it’s the last specification on the charge sheet.

  8. puppethead says:

    As a software/computer professional, that reads an awful like like lawyer-ese for something that could be as simple as changing some config files to allow access through a computer (like enabling IP forwarding between network devices). “Software” in legal speak can mean just about any computer-based file, not necessarily a program itself. From the excerpts it doesn’t sound to me like the “Secret Internet Protocol Router network computer”* was rootkitted.

    *(Another odd phrase for what could be a simple desktop machine that was connected to SIPRNet.)

  9. sagesse says:

    Who else in the military worked in the same place as Manning? Are there night and day shifts doing the work Manning was doing?

    • emptywheel says:


      But my question is, if you’ve got chat logs from Manning saying he gave it to WL in February, and you’ve got WL tweets from February saying they had decrypted it, then why do you think it possible Manning hasn’t handed it over yet?

      • bmull says:

        I’m not a lawyer but maybe they use April 5 in case some or all the evidence for February gets thrown out.

  10. burnt says:

    I haven’t been paying super-close attention lately but if nobody else has mentioned it Jacob Applebaum is one of the developers of Tor a nifty piece of software that every good firepup should be running. It anonymizes your web traffic, chats, remote logins, etc. The nitty gritty is here:

    And here is an article about incorporating Tor into home routers with a quote from Mr. Applebaum:

    I can’t believe Tor could be installed on Bradley Manning’s government computers but then I can’t believe one could use a USB drive on them either so what do I know?

  11. bittersweet says:

    I remember hearing about TOR during the Iranian protests last year. At the time, TOR was considered a righteous program because it helped enable Iranian protesters to be able to communicate without Iranian government detection. I remember something about how we could help make our ISP’s available to protesters by using TOR ourselves. But I never really understood how this would work. Could you please explain it for a nearly computer illiterate blog reader?

      • bittersweet says:

        It looks as though, according to your linked article, that the problem was fixed with a patch, and “No data on user identities or IP information appeared to be compromised”. My tech support is always railing on me to install my updates! This is an excellent example of why.
        Tor’s home page has bullet points that explain its uses, including: “Activists use Tor to anonymously report abuses from danger zones. Whistleblowers use Tor to safely report on corruption.” Also of note, it claim’s that the military uses it to, “protect their communications, investigations, and intelligence gathering online”.

  12. ondelette says:

    Installed software to break the video into bits that could be moved without detection? That isn’t necessarily encryption software. There’s lots of image spanning software that is used to pirate DVDs that does that. There are also compression programs that do that. Suffice it to say that anything that does that probably isn’t already on the machine he was working on, so he would need to install it. He might even need to do that to get his stuff on to his Lady Gaga disk. But the way some of them work is that they pose as other kinds of files, or distort the lengths of fields in the files. The reverse tool takes the multiple files and stitches them back together again.

    Some of them arose from legitimate tools, zip files that spanned multiple floppy disks. Some of them are just piracy tools: DVDs that look like a directory of pictures of the kids.

  13. jdmckay0 says:

    Got a kick out of this comment, from 11/29/10 BBC article:

    href=”″>Siprnet: Where
    the leaked cables came from

    However, Siprnet is not recommended for distribution of
    top-secret information.

    From what I’ve read, topography of Siprnet is described publicly in
    obscure (non-illuminating) terms. The acronymn itself doesn’t really
    say much… garbles distinct terms (router network). Given this (at
    least as publicly stated) was expanded after 9/11 w/intention to be
    accessible to “coalition” partners, I can’t fathom where vulnerabilities
    lie given available descriptions.

    re: Tor… this is ongoing, for a long time now, cat and mouse game. IP
    masking “masks”, then gets unmasked, rinse & repeat. In our shop, we stopped putting (even encrypted) distros online for customers, as cost/time/effort of blocking dishonest (thieving) competitors just wasn’t worth it. We just delivered disks… period. Through that time (’98-2004), however, keeping up w/this game… just on tech end (eg: NOT legal), it was full time job for 1.5 people.

    This stuff, given time and access to resources (DNS service archives, access logs, etc), no matter how “deep” or how circuitous the routing… source is *always* decipherable.

    However… I know for a fact (having done work for them) that offshored banking networks posthumously (eg. after confirmation of completed transaction) destroys necessary logged data necessary for successful forensic work. And this timer period after BushCo famously proclaiming their enhanced ability to monitor “terrorist” money transfers.

    Just saying…

    Given (at least according to descriptions) everything accessed from Siprnet has audit trail, hard to imagine anyone even remotely tech savy would have confidence (as ondelette mentions @ 37) that spanning (really just sub-packeting… eg. packing large files in small packages) would go
    undetected eventually. No matter how circuitous the route, unless deliberately left untraceable (destroy routing info), this stuff should *always* be traceable.

    Also seems non-requiter that any encryption software would be installed anywhere other then disseminating (last stop) computer.

    Maddog @ 29:

    Backdoors are likely real, but patching them so the NSA couldn’t peek, assuming one could even find them, that is probably a lot less likely.

    “Backdoor” is fancy term for routing through an unauthorized (or non-commonly used) port. Monitoring all of ’em a pretty straight forward task, even for remedially trained admin. Hard to imagine Pentagon not monitoring *all* port activity.

    EW @ 31:

    But my question is, if you’ve got chat logs from Manning saying he gave it to WL in February, and you’ve got WL tweets from February saying they had decrypted it, then why do you think it possible Manning hasn’t handed it over yet?

    Exactly… doesn’t make any sense.

    If Assange is being truthful in describing his WL’s “firewall” between sources WL, this suggestion WL’s offering tech assistance makes even less sense.

    Not enough pieces to create coherent whole IMO.

  14. jdmckay0 says:

    Just one other thing, tangentially related…

    Can’t say about DOD systems, but over the years I’ve known quite a few people who worked @ fed labs… engineers/physicists, tech people and others. Access through systems to data needed to do the engineering/physics has been notoriously bad, forever. System lockups, “cutting edge” hardware going down… all common occurrences.

    To simply get their work done, it was common practice at both Livermore/Los Alamos for the science guys doing the lab’s actual work to download “secret” stuff locally (their own computers), regardless of guidelines/security protocols. They just had to in order to get work done.

    This was one of most offensive aspects of Wen Ho Lee treatment BTW… what Lee was accused of, all kinds of people were doing exact same thing and practically none of ’em came to his defense.