The FBI Downloaded CIA’s Hacking Tools Using Starbuck’s WiFi
One of the most interesting details from yesterday’s Joshua Schulte trial involved how the FBI obtained the Vault 7 and Vault 8 materials they entered into evidence yesterday. Because the FBI did not want to download the files onto an existing FBI computer (in part, out of malware concerns) and because they didn’t want to use an FBI IP address, they got a new computer and downloaded all the files at Starbucks.
Q. What were some of the parts of that plan?
A. So, one of the parts would be to obtain a separate computer that wasn’t connected, that wasn’t a previous government computer or connected to our network.
Another component was to just use public wi-fi and not a government-attributable internet connection. And the third part would be to find the best way to store this unique piece of evidence in the best way possible.
Q. Let’s talk about each of those steps. I think you said that you got a nongovernment computer, is that correct?
A. Correct.
Q. Why is that?
A. Just so that when we entered it into evidence, we wouldn’t be taking something from the network and essentially putting it aside indefinitely. And then also, we did not want to download information from the internet, which could potentially contain viruses or malware, to an FBI system.
Q. Do you have an understanding of what was contained within the disclosures made by WikiLeaks?
A. I do.
Q. And what is that information?
A. They were information about CIA hacking tools and cyber-exploitation tools.
Q. What, if any, impact did that have on your decision to use a nongovernment computer?
A. Anytime you download something from the internet, you take a risk. And then given what type of information we were going to acquire, we wanted to take an extra — many extra steps of security to maintain the integrity of our systems as well as be able to get the information and then store it properly.
Q. I think the second part of the plan was using public space to download the leak. Is that correct?
A. Correct.
Q. Why didn’t you download the leak from an FBI facility?
A. So, anytime actions on the internet are traceable as well as downloads, and we didn’t want to use an FBI system. And given the type of information we were going to acquire, we didn’t want to use an FBI system to download the information which could then be traced back to us and potentially implicate the IP address and potentially other investigations.
Q. And why would that be problematic for the FBI?
The explanation is interesting for more than the seeming validation of Starbucks’ WiFi quality.
It’s also interesting given details of timing and download method.
Q. When did you first go to Starbucks to download the leak?
A. In March of 2018.
Q. And how did you download the leak once you were there?
A. I went to the — used an internet browser, went to the WikiLeaks website first. Didn’t really see a quick way to download all the — the large volume of information, so WikiLeaks had also provided a torrent website, which is essentially just — it was about 15 hyperlinks that connected to zip files to download the bulk of the information that they released.
Q. What is a torrent website?
A. It’s a — it looked — just a blank website, but it had 15 hyperlinks, and each time you clicked on one of the links, it asked if you wanted to save the associated zip file. And then I saw there were 15 of those, and then I just downloaded it that way.
Q. And what is a zip file?
A. Zip file is just a way to compress information. So if you want to send a ton of files over an email or kind of website to website, you can use software to compress that information in a more easily storable format.
Q. Why did you go to the torrent instead of downloading it directly from the website?
A. I did — I tried — I perused the website for a little and didn’t see — given the volume of the information, there wasn’t, to my appearance, a good way to capture all of it. And I knew of this — from our investigation I knew of this torrent address, which had been provided by WikiLeaks too, if you wanted to essentially bulk download all the information.
Q. Did you download those zip files to the computer?
A. I did.
Q. And were you able to unzip those zip files?
A. I was.
Q. Were you able to download any of WikiLeaks’s public statements on that computer?
A. I was.
Q. And how did you do that?
A. Via screenshots.
Q. And you said you downloaded the zip files to the computer?
A. Correct.
Q. How long did that downloading process take?
A. Around an hour.
Q. And approximately how much data was found on those zip files?
A. Approximately 1.4 gigabytes.
One thing this does is explain that it took an hour to download just what got published on WikiLeaks. This will become a critical detail in proving that the files had to have been stolen from inside CIA — basically the “download speed” argument thrown back at the Russian hack denialists.
By revealing that that amounted to just 1.4GB of material, prosecutors have revealed that what WikiLeaks published was just a fraction of the 1TB of material that, per his contemporaneous Google searches, Schulte stole.
The other thing this description reveals is that WikiLeaks did not include Vault 8, the one case (beyond Marble, the obfuscation tool Schulte wrote) where they published source code, in their Torrent download of the files.
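The agent’s plan had three parts: an isolated machine, a non-attributable connection, and storing the evidence so its integrity is preserved. The last part is the one that can be shown in code. The script below is an added illustration, not the FBI’s tooling or anything from the trial record: it writes a SHA-256 manifest for each downloaded archive before opening any of them, then extracts each zip while refusing entries that would escape the destination directory or exceed a size budget (the size limits, file names and sample archives are constructed for the example). This is the standard way to handle untrusted archives pulled from the internet, which is exactly the malware concern the agent raised.

```python
"""Evidence-acquisition helper: hash manifest plus guarded zip extraction.

Added example; not FBI code. File names, size budgets and the sample
archives are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
import time
import zipfile
from pathlib import Path

# Assumed limits for this example, not values from the trial record.
MAX_MEMBER_BYTES = 512 * 1024 * 1024        # largest single entry we will extract
MAX_TOTAL_BYTES = 4 * 1024 * 1024 * 1024    # total extracted bytes per archive


def sha256_file(path):
    """Stream a file through SHA-256 so large archives are hashed without loading them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_manifest(archives, manifest_path):
    """Write a hash manifest for the downloaded archives before any of them is opened."""
    entries = []
    for p in map(Path, archives):
        entries.append({
            "file": p.name,
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
            "hashed_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
    Path(manifest_path).write_text(json.dumps({"entries": entries}, indent=2))
    return entries


def safe_extract(archive, dest):
    """Extract an untrusted zip, refusing path traversal and oversized entries."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted, total = [], 0
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            # Any entry that resolves outside dest ("../", absolute path) is rejected.
            if os.path.commonpath([str(dest), str(target)]) != str(dest):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            if info.file_size > MAX_MEMBER_BYTES or total + info.file_size > MAX_TOTAL_BYTES:
                raise ValueError(f"refusing oversized entry: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            written = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    written += len(chunk)
                    # The declared size in the central directory can lie; stop past it.
                    if written > info.file_size:
                        raise ValueError(f"entry exceeds declared size: {info.filename!r}")
                    dst.write(chunk)
            total += written
            extracted.append(target.relative_to(dest).as_posix())
    return extracted


def build_sample_archives(workdir):
    """Constructed sample input: one ordinary archive and one with a traversal entry."""
    workdir = Path(workdir)
    good = workdir / "part01.zip"
    with zipfile.ZipFile(good, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "constructed sample content\n")
        zf.writestr("docs/notes/a.txt", "x" * 1000)
    bad = workdir / "part02.zip"
    with zipfile.ZipFile(bad, "w") as zf:
        zf.writestr("../escape.txt", "must never land outside dest\n")
    return [good, bad]


def run_demo():
    """Hash both archives, extract the good one, and confirm the bad one is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        archives = build_sample_archives(tmp)
        manifest = record_manifest(archives, Path(tmp) / "manifest.json")
        files = safe_extract(archives[0], Path(tmp) / "extracted")
        try:
            safe_extract(archives[1], Path(tmp) / "extracted")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "manifest_entries": len(manifest),
            "hash_len": len(manifest[0]["sha256"]),
            "extracted": sorted(files),
            "traversal_rejected": rejected,
            "file_escaped": (Path(tmp) / "escape.txt").exists(),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing happens before extraction so the manifest describes the archives exactly as received; any later dispute about what was downloaded can be settled against those digests rather than against the extracted tree. The traversal check resolves each entry against the destination instead of pattern-matching on `..`, so absolute paths and mixed separators are caught the same way.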
Q. Did there come a time when you went back to Starbucks to download additional materials?
A. I did.
Q. Approximately when did that happen?
A. In May of 2018.
Q. And why did you go back to download additional materials?
A. Through the investigation, we determined that the zip files which I had downloaded contained Vault 7, but it did not contain the Vault 8 release, and we wanted to capture the entirety of what WikiLeaks had put out there from March 2017 to November of 2017.
Q. Were you able to download Vault 8 when you went back?
A. I was.
Q. How did you do that?
A. So, it was a lot less information. I was able to just go to the release that WikiLeaks specified as Vault 8 and download the singular files in that way. It’s just — it’s a kind of like right click, save as.
Q. And did you download the Vault 8 leak on the same computer that you downloaded the Vault 7 leaks?
I’m not sure why WikiLeaks wouldn’t include Vault 8, but I find the decision very curious.
Finally, this story is really interesting from an investigative standpoint. The FBI didn’t download the files they were going to enter into evidence in this trial until March and May of 2018, a year after the leak and a year after they identified Schulte as the leaker. Someone — possibly the CIA, which started to investigate the leak even before the first dump — had done a forensic comparison of the first release within days after the leak. The FBI had access to that.
But they went back a year later and prepared the evidence for that trial.
During the entire period of the Schulte prosecution, prosecutors made it clear the case may involve classified information (so his attorneys needed to be able to get clearance). Starting in January 2018, they made clear the leak would be charged.
But — particularly given the child porn charges he faces would have the same kind of prison sentence that the Espionage charges against him will — they could have forgone the trial (I had heard discussion that just the porn would be charged, so it’s possible that was the initial plan). Yes, they want to make an example of him, but the CIA has had to declassify an unbelievable amount of sensitive information to put Schulte on trial. Plus, the cost for prosecuting this crime is enormous. So I wonder whether they didn’t make the final decision to do this prosecution until 2018.
If so, that would parallel the timing of the Julian Assange prosecution in interesting ways. He was charged in December 2017, then indicted in March 2018, literally the same month that FBI obtained the Vault 7 files to enter into evidence.
Who is speaking?
For the curious:
Q = Matthew Laroche, assistant US attorney
A = FBI special agent Steven Deck
I’m surprised they didn’t have regular ISP accounts for this kind of thing. It’s pretty standard for web developers and testers to have external accounts for doublechecking work to make sure it works on different commercial networks, and I’d think the FBI’s hacking investigators would want to be able to work outside their networks too.
Going to Starbucks is free though. No need to use anything that can be traced back to the FBI.
But you’re running the risk of someone looking over your shoulder, spilling their latte grande with oatmilk and just a hint of cinnamon on your laptop, or maybe even compromising the Wi-Fi.
I’d bet that they were sitting against a wall, so someone would have had to make an effort to see it – assuming anyone was that curious. (Most of the time when I’ve been somewhere where people are using computers over WiFi, it’s ignored.)
There’s also the risk of overexposure to Norah Jones. I mean, one song every once in a while is OK, but at Starbucks concentrations she can break the toughest G-Man.
Be grateful for the possibility of Norah Jones; there was a time when it would have been Kenny G.
Sting.
I thought that was interesting, they are well aware that wifi keys are trivial to crack and while TLS will encrypt traffic there’s still a bunch of privacy risks for DNS traffic and such.
Really interesting to think about why they took this step
I feel SO MUCH SAFER now, don’t you?
Maybe some people really like Starbucks coffee.
Their tea is OK. Some of the pastries and sandwiches are good.
I dislike the coffee prep’d in the store – it always tastes burned. I’ve a relative who is an ass’t manager/barista, so I get a lot of bagged beans. Grind ’em and drip at home it’s really good stuff, in lots of flavors. Keeps me awake when I’m surfin’ …
I worked in Seattle for years, and drank the coffee at the Starbucks cafe at the Starbucks headquarters. “Surely” I told myself, “this coffee here will be the Mott’s Juice of Starbucks coffee, made just right!”
It tasted burnt, and somewhat bitter.
Now I can’t stop picturing the FBI agent opening up the WiFi to see “FBI Surveillance Van” as an option.
HAHAHA!
There’s a _really_ funny one that shows up in my neighborhood that I wish I could share.
Is it the white cube van that says Flowers By Innez on it?
My WiFi is FBI SURVEILLANCE VAN, and my WiFi extender is FBI COUNTER SURVEILLANCE VAN
[Welcome back to emptywheel. Please use the same username each time you comment so that community members get to know you. This is your second user name. Thanks. /~Rayne]
I named my wifi “NSA Listening Post”
It’s good theater. Downloading it that way tells jurors that anyone with a laptop from the local box store could just pop in to a Starbucks and download it all.
Red Scare drug addict Joe McCarthy would be in “pig’s heaven,” with all the dirt obtained in this manner.
Think “Hoover” and sucking it all up for partisan political purposes?
So why would the “Law” hide their tracks as a criminal would try to hide their footprints?
Derrrrr…
Big Brothers are used to mentor children to be better people, not snoop like a gestapo, then hide the snooping??????
No mentor in the White House, just a maniac getting ready for more dysfunction and lies, like Benito.
“The words of the Prophets are written on the subway walls and tenement halls.”
“Q. Why didn’t you download the leak from an FBI facility?
A. So, anytime actions on the internet are traceable as well as downloads, and we didn’t want to use an FBI system. And given the type of information we were going to acquire, we didn’t want to use an FBI system to download the information which could then be traced back to us and potentially implicate the IP address and potentially other investigations.”
Derrrrr
Curious why Trump’s audit still isn’t complete so I googled how long it can take.
“The IRS usually has three years after you file to audit you. But there are many exceptions that give the IRS six years or longer. IRS Audit report and calculator on a desk. The three years is doubled to six if you omitted more than 25% of your income. Oct 29, 2018”
Since it’s at least 4 years since Trump said he would release his taxes after the audit, can we assume the IRS found commission or other problems leading to the delay? Anyone?
The audit had nothing to do with releasing his taxes – the IRS pointed out, several times, that *they* can’t, but it’s okay for *him* to do it.
I don’t expect the IRS to release Trump’s returns. I do expect them to confirm the audit is complete. Not happening, huh?
“The audit” is Trmp’s excuse for not releasing any of his taxes. The IRS cannot legally release taxes. The taxpayer can, whether there’s an audit or not.