Should Trump Run: Don McGahn Has Been Covering for Roger Stone’s Pro-Trump Rat-Fucking for Seven Years

It has become clear to me that today’s big puff piece in the NYT about Don McGahn was designed to hide that Mueller is challenging the White House Counsel, former FEC Commissioner, and Trump campaign finance advisor on past work he has done for Trump.

One of those things must be McGahn’s effort, while at FEC in 2011, to stymie any investigation into a PAC involving Roger Stone and Michael Cohen, called Should Trump Run.

As I’ve noted, in 2011, one of the people closely involved in Stone’s 2016 rat-fucking, Pamela Jensen, was involved in a 527 called ShouldTrumpRun that listed Michael Cohen as President.

The organization was apparently laundering Trump corporate cash into campaign spending. But when the issue came before the FEC, Commissioner Don McGahn helped kill an investigation into it.

During McGahn’s FEC tenure, one of those he helped save from enforcement action was Trump himself. In 2011, when the future president-elect was engaged in a high-profile process of considering whether to enter the 2012 race for the Republican presidential nomination, Trump was formally accused in an FEC complaint of violating agency regulations. The case was dismissed on a deadlocked vote of the FEC commissioners.

A four-page complaint filed by Shawn Thompson of Tampa, Fla., accused Trump of illegally funneling corporate money from his Trump Organization into an organization called ShouldTrumpRun.com. McGahn and fellow FEC Republicans Caroline Hunter and Matthew Petersen voted to block FEC staff recommendations that Trump be investigated in the matter—designated Matter Under Review (MUR) 6462.

Ultimately, Trump opted not to run for president in 2012. Nonetheless, FEC staff attorneys concluded his activities before that decision may have violated campaign finance rules regarding money raised to “test the waters” for a candidacy. A staff report from the FEC Office of General Counsel, based largely on news articles and other documents about Trump’s flirtation with running for president—including Trump’s own quoted statements—recommended that the commissioners authorize a full FEC investigation backed by subpoena power.

FEC Democrats voted to pursue the recommended probe, but the votes of McGahn and the other FEC Republicans precluded the required four-vote majority needed for the commission to act.

McGahn and Hunter issued a “statement of reasons” explaining their votes in the Trump matter in 2013. The 11-page statement blasted FEC staff attorneys in the Office of General Counsel for reviewing volumes of published information regarding Trump’s potential 2012 candidacy in order to determine whether to recommend that the FEC commissioners vote to authorize a full investigation. McGahn and Hunter argued that the FEC counsel’s office was prohibited from examining information other than what was contained in the formal complaint submitted in the case.

The Office of General Counsel shouldn’t be allowed to pursue an “unwritten, standardless process whereby OGC can review whatever articles and other documents not contained in the complaint that they wish, and send whatever they wish to the respondent for comment,” the Republican commissioners wrote.

Jensen, her family, and Stone teamed up on a number of equally dubious efforts in 2016, including a 527 called Stop the Steal, which McGahn provided legal protection for in both its early (convention focused) and its late (Democratic voter suppression) incarnations. The latter effort at least paralleled Russian voter suppression efforts.

In other words, White House Counsel Don McGahn — the subject of a Maggie and Mike puff piece suggesting he would only be of interest on the obstruction investigation — has for at least seven years been right in the thick of defending Roger Stone’s legally dubious rat-fucking on behalf of Donald Trump.

And Roger Stone has been the focus of Mueller’s investigation for six months.

Those are the same six months during which Maggie and Mike have been pushing an increasingly absurd claim that Trump and his associates are only at risk in an obstruction investigation, not the conspiracy investigation McGahn has surely been questioned in.

What Roger Stone’s Latest Lies Tell Us about Mueller’s Investigation into Him

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

After a puff piece in the NYT over the weekend, Roger Stone took to the Daily Caller to attack Mueller’s case against him. As bad as the Daily Caller is, it actually ends up being far more informative than the NYT because Stone is so bad at telling lies they’re informative for what they mirror.

So assuming, for the moment, that Stone’s piece is some kind of half-accurate reflection of what witnesses have said they were questioned about regarding him, here’s what we learn.

Mueller is examining conduct that goes back 10 years

Obviously, statutes of limitation have probably tolled on any crimes Stone committed more than five years ago, but this suggests witnesses are being asked about conduct that goes back further, ten years.

Mueller is running a criminally abusive, constitutionally-unaccountable, professionally and politically incestuous conspiracy of ethically conflicted cronies colluding to violate my Fourth, Fifth and Sixth Amendment rights and those of almost everyone who had any sort of political or personal association with me in the last 10 years.

Given the involvement of Peter Jensen and Kristin Davis in Stone’s recent rat-fucking, perhaps as an explanation of more recent rat-fucking we’ll finally get an accounting of Stone’s role in taking out Eliot Spitzer ten years ago. (h/t Andrew Prokop for Jensen tie to Spitzer op)

Mueller is considering charging Stone with ConFraudUs

I assume this reference to ConFraudUs comes from a friendly witness passing on what a subpoena described as the crimes being investigated.

Mueller and his hit-men seek to frame some ludicrous charge of “defrauding the United States.”

This is, of course, based on a false and unproven assumption that Assange is a Russian agent and Wikileaks is a Russian front — neither of which has been proven in a court of law. Interestingly Assange himself has said, “Roger Stone has never said or tweeted anything we at Wikileaks had not already said publicly.”

As described, it looks like how I envisioned Stone might be charged with ConFraudUs back in June.

As Mueller’s team has itself pointed out, for heavily regulated areas like elections, ConFraudUs indictments don’t need to prove intent for the underlying crimes. They just need to prove,

(1) two or more persons formed an agreement to defraud the United States;

(2) [each] defendant knowingly participated in the conspiracy with the intent to defraud the United States; and

(3) at least one overt act was committed in furtherance of the common scheme.

Let’s see how evidence Mueller has recently shown might apply in the case of Roger Stone, Trump’s lifelong political advisor.

[snip]

Stone repeatedly entertained offers from foreigners illegally offering dirt that would benefit the Trump campaign — Greenberg, Guccifer 2.0, possibly Peter Smith’s Dark Web hackers. He may even have exhibited a belief that Australian Julian Assange had and could release the latter dirt, possibly with the knowledge they came from Russians.

So we’ve got Stone meeting with other people, repeatedly agreeing to bypass US election law to obtain a benefit for Trump, evidence (notwithstanding Stone’s post-hoc attempts to deny a Russian connection with Guccifer 2.0 and Wikileaks) that Stone had the intent of obtaining that benefit, and tons of overt acts committed in furtherance of the scheme.

Stone appears to address just one conspiracy with a foreigner — Julian Assange — to obtain something of value, by insisting (though less strongly than he has in the past!) that Assange is not a Russian asset. Except, foreign is foreign, whether Australian or Russian, so making a weak case that Assange is not Russian won’t get you off on ConFraudUs.

Moreover, now that I’ve reviewed some dodginess about Stone’s PACs, I suspect there may be two levels of ConFraudUs, one pertaining to depriving the US government of the ability to exclude foreign influence on the election, and the other pertaining to depriving the US government of the ability to track how political activities are being funded.

That is, Mueller’s reported focus on Stone’s finances may well pertain to a second ConFraudUs prong, one based on campaign finance violations.

Stone thinks Mueller wants him to flip, rather than to punish him for the case in chief

In spite of the abundant evidence that Stone is a key target of this investigation, Stone appears to believe that Mueller only wants to charge him to get him to flip on Trump.

Mueller’s hit team is poking into every aspect of my personal, private, family, social, business and political life — presumably to conjure up some bogus charge or charges to use to pressure me to plead guilty to their Wikileaks fantasy and testify against Donald Trump who I have known intimately for almost 40 years.

Side note: I appreciate the way Stone — an unabashed swinger — worked that word “intimately” into his description of his relationship with Trump.

Which is one of the reasons I’m so interested in how he describes hiring a new lawyer, a nationally known one who used to work for Trump.

I have been ably served by two fine lawyers Grant Smith and Rob Buschel who won dismissal of a harassment lawsuit based on the same Wikileaks/Russian conspiracy theory by an Obama directed legal foundation in D.C. last month. No evidence to support this false narrative was produced in court other than a slew of fake news clippings from lefty media sites.

I have recently reached agreement to retain a highly respected and nationally known attorney who has represented Donald Trump to join my legal team and lead my defense.

Possibly this is just a hint that some operative like Victoria Toensing or Joseph DiGenova is going to take on Stone’s propaganda case. Possibly it reflects a recognition from Trump that Stone now presents as big a risk to him as Manafort does. Whichever it is, I look forward to learning how serious a lawyer Stone has and whether — Stone claims reports that he has $20 million are false, but if he has been engaging in epic campaign finance violations, who knows? — Trump is paying for his defense going forward.

Stone doesn’t understand how stored communications work

As I pointed out the last time Stone claimed he was targeted by a FISA order, what likely happened instead is Mueller obtained the contents of his phone along with four or nine others in a probable cause warrant on March 9. But that doesn’t stop Stone from claiming he was targeted under FISA again, explaining that his emails, text messages, and (this is less credible) phone calls have been seized going back to 2016.

Even more chilling is the fact that I have learned that — in this effort to destroy me — the government began reading my e-mails and text messages and monitoring my phone calls as early as 2016.

I believe that I, like Carter Page and Paul Manafort, was subject to an illegal FISA warrant in 2016, as the New York Times reported on January 20, 2017. The New York Times published this claim in a page-one story on the same day as President Trump’s inauguration ceremony.

A whistleblower has told my lawyers where my name and the fact that application had been made for a FISA warrant on me was redacted from the stunning Carter Page FISA warrant application released by the FBI last week with 300 of 400 pages blacked out.

What Stone’s dumbass “whistleblower” was pointing to instead was a passage describing the other people being investigated in October 2016, when Page was first targeted. But being investigated is not the same as being targeted under FISA, and what Stone is really trying to obscure here is that Mueller (probably) already showed a judge, back in March, he had probable cause that Rog committed some crimes back in 2016.

Another witness Stone would like to discredit by calling an informant

Back in June, Stone tried to spin the fact that he willingly accepted a meeting with yet another Russian offering dirt on Hillary by noting (correctly, it appears) that the Russian had served as a source for the FBI on Russian organized crime before — just like Felix Sater, whom the Trump folks are all still peachy with. In spite of the fact that it was so obviously bunk the last time, he’s trying again, hinting at a second informant working against him.

We also now know that at least one FBI informant in the United States on an informant’s visa approached me in May 2016 in an effort to entrap me and compromise Donald Trump. I declined his proposal to “buy dirt on Hillary.” There is now substantial evidence that a second FBI informant may have infiltrated my political operations in 2016. Stand by.

Who knows whether this is another person who — like the Russian dealing dirt on Hillary, “Henry Greenberg” — is just someone who has worked his way out of legal trouble by serving as an informant, or whether there’s some other reason Stone is calling him or her an informant. Most likely, Stone is trying to suggest a perfectly ordinary witness cooperating with the government against him is an informant, to inflame his people. Possibly, this is prepping a claim that Randy Credico set up Roger.

Jeannie Rhee is leading the questioning of Stone witnesses

In tandem with Trump’s attacks on Mueller prosecutors with Hillary ties, Stone states that Jeannie Rhee led the questioning of his witnesses, and claims it’s a conflict.

Incredibly, leading the questioning of witnesses before the Grand Jury about me is Jeannie Rhee, who in private practice represented the Clinton foundation in the Hillary e-mail scandal that is front and center in the special prosecutor’s investigation of me! Can you say conflict of interest?

Of course, he gets the attack wrong: Rhee represented the Foundation, not Hillary’s email defense, and she did so against a nutbag Republican challenge, not with DOJ.

But in telling us that Rhee is leading this inquiry, Stone is (helpfully) telling us that a person who has led the Russian side of the inquiry is leading the inquiry into … oh my! Roger Stone!

Even with all his prevarications, it turns out, a Stone column might be more informative than a NYT puff piece!

Without Integrity: The Debunking of the Metadata Debunkers

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

When people have asked me if I’ve gotten a lot of pushback since I revealed that I provided information to the FBI on a matter that became part of the Mueller inquiry, I’ve said that I’m mostly surprised by how little I’ve gotten. While I’ve had a few alarms with respect to my website or device security (which I might attribute to Russians), I’ve had almost no pushback from Republicans accusing me of gunning for the President, not even after I suggested my testimony probably changed the import of publicly available information that implicated the President.

The exception has been a group of Assange loyalists close to Adam Carter — a group of people who have spent a great deal of time trying to undermine the public case implicating Russia in the attack. I have been shocked by the persistence with which Carter loyalists flooded my timeline at certain times in recent weeks, even though nothing I’ve said publicly would indicate Carter’s efforts were put in any great danger because I went to the FBI sometime last year.

Today, Duncan Campbell released a long story on the guy behind the pseudonym Adam Carter, Tim Leonard.

Before I look at it, two comments. First, contrary to some guesses, Leonard is not the person I went to the FBI about. Second, I think there are still details in this story that are not correct (though are far closer than other work thus far); one value of Leonard’s effort was to get some people (including me!) to work through assumptions, something people are still not doing enough on this story.

Campbell’s is an important and successful effort to push back against disinformation (and to get Bill Binney and Ray McGovern to back off their support for it). It does the following:

  • Affirmatively IDs Leonard, demonstrates that he used the facilities of his employer to do some of this work, and shows how he falsely blamed a former co-worker for some of the work
  • Shows how Leonard serially adopted ever new theories, but never the one almost every expert had backed, that Russia had done the hack
  • Shows the co-travelers, including the far right, that Leonard embraced in his efforts to discredit the dominant explanation
  • Tracks some of the false identities Leonard adopted along the way (I believe, given the data in the story, he has adopted false IDs on this site as well)

This work is particularly valuable because it demonstrates how early — by May 2016 — Leonard focused attacks on Clinton before coming out with his debunking site.

As US election campaigns ramped up in May 2016, Leonard’s Defianet email address, [email protected], was used to create a new Twitter account, @with_integrity. The name, he said, was a parody of Clinton’s campaign slogan, “I’m with Hillary”. The profile displayed a WikiLeaks avatar.

For 10 days in 2016, @with_integrity trolled and attacked the Democratic Convention, accusing the Democrats of collusion, conspiracy, cheating, corruption, rigging elections and sabotage.

On 22 July 2016, @with_integrity tweeted a link to the Russian propaganda and news channel, RT, claiming that primary elections had been rigged. On 26 July, as delegates voted, @with_integrity tweeted a new RT attack on Hillary Clinton.

After Clinton was nominated, @with_integrity followed the Russian trolls’ path in supporting Donald Trump, retweeting Trump slogans, including #CrookedHillary, #LockHerUp, #MakeAmericaGreatAgain and #VoteOnlyTrump, and a third link to a “special episode” on RT.

But the core of Campbell’s debunking (and the basis of his success at persuading Binney and McGovern, to the extent he did) pertains to the Forensicator effort to claim that certain files released in September 2016 proved that Russia couldn’t have done the hack because they had been copied in the Eastern time zone. Campbell shows that the data behind the Forensicator effort had been adopted uncritically by Leonard and his allies, and that the most obvious conclusion based on the evidence is that hackers manipulated the timestamps of these files, and only these files.

The team that created Forensicator, including Leonard, gave away that they were not the real authors of the analysis when they inaccurately copied a Linux “Bash” script they had been sent, breaking it. This suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered and published – that DNC stolen files had been copied in the US Eastern Time zone on 5 July 2016, five days before DNC employee Seth Rich was killed.

Uncritical reporters failed to spot that the Forensicator blog gave no evidence for its conclusion, which was that the data analysed was evidence of theft by local copying happening within the eastern US. The Forensicator report avoided pointing out that the time stamps examined were present only in the special London group of documents, and not in tens of thousands of other DNC files published by WikiLeaks or Guccifer 2.0.

The files were manipulated using an unusual method of file packing, forensic checks show. Because of computer clock settings, the packing operations appeared to have created “evidence” that the stolen files had been copied in the US Eastern Time zone, which includes Washington.

US Eastern Standard Time (EST) is normally five hours behind Coordinated Universal Time (UTC) – better known in Britain as Greenwich Mean Time (GMT). In summer months, clocks are set forward, placing the US Eastern Daylight Time (EDT) four hours behind UTC. The difference between a time zone and UTC is the offset. It is trivially easy for any computer user to change their time, date and time zone offset, using standard controls.

The files released in London, we found, had first been processed in this way to show timestamps for 5 July 2016. Some 13 groups had then been compressed using WinRAR 4.2. Nine additional files were compressed using 7zip. The archive, called 7dc58-ngp-van.7z, was published in this format, as a single file of 680MB.

This dual compression method was unique to the London documents. It was not used in other file dumps released by Guccifer 2.0, WikiLeaks or other publishers of stolen DNC material. The special method used two different file compression systems, 7zip and WinRAR, and required using a four-year-old, superseded version of WinRAR to obtain the required result. The way the Russians did it, the two compression operations appeared to overlap within a single 20-minute period. The tampering may have been done on 1 September, a week before the London conference.

[snip]

The obvious, simple explanation was that hackers were manipulating computer clock settings. The observed changes would have taken seconds.

In response to Campbell’s piece, Leonard has complained that Campbell doxed him rather than debunk the evidence.

He doesn’t actually tackle what he’s framing as disinformation and instead tries to attack character and tries to dox people rather than discredit or debunk the evidence/research published. You don’t tackle disinfo with smears/distortion/character attacks yet this is what DC did.

This is where I get a little cranky — probably crankier than I otherwise would have been if Leonard’s fans hadn’t flooded my timelines in recent weeks.

Campbell is actually wrong when he claims that “uncritical reporters” didn’t point out that this file was a unique file. I noted this file was a proxy file back in October, and that before you got into the analysis of its forensics, you first had to account for the provenance of it. I also noted WikiLeaks’ role in sharing the file with the Trump campaign here. In this post, I noted that the files in question weren’t DNC files (nor were the earliest Guccifer 2.0 ones), so the entire exercise said absolutely nothing about who hacked the DNC, purportedly the central project of Leonard and his ilk. And all that’s before I noted, over and over, that copying of files in the US would not prove a damn thing (as the GRU’s use of staging servers in AZ and IL makes clear).

I raise these posts not to challenge Campbell’s reporting, but instead to challenge Leonard’s complaint. He has claimed for over a year now that he would respond to legitimate responses to his theories. And while I vaguely recall him making a half-hearted attempt at it on his site, I can’t find it.

Even before you get into the evidence of a concerted disinformation campaign — one that paralleled if it wasn’t coordinated with at least WikiLeaks if not the Russians’ — you’ve got to be arguing facts that might address the questions you claim to. And Leonard quickly strayed from that purported effort, never to return again.

Did GRU Learn that Democrats Had Hired Christopher Steele When They Hacked DNC’s Email Server?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

According to Glenn Simpson’s SJC testimony, he hired Christopher Steele in May or June of 2016 to investigate Trump’s ties to Russia.

Q. And when did you engage Mr. Steele to conduct opposition research on Candidate Trump?

A. I don’t specifically recall, but it would have been in the — it would have been May or June of 2016.

Q. And why did you engage Mr. Steele in May or June of 2016?

Simpson is maddeningly vague (undoubtedly deliberately) on this point. In one place he suggests he hired Steele after DCLeaks was registered and amid a bunch of chatter about Democrats being hacked, which would put it after June 8 and probably after June 15.

Q. So at the time you first hired him had it been publicly reported that there had been a cyber intrusion into the Democratic National Convention computer system?

A. I don’t specifically remember. What I know was that there was chatter around Washington about hacking of the Democrats and Democratic think tanks and other things like that and there was a site that had sprung up called D.C. Leaks that seemed to suggest that somebody was up to something. I don’t think at the time at least that we were particularly focused on — well, I don’t specifically remember.

But in his more informative HPSCI testimony, he suggests he may have started talking to Steele about collecting intelligence on Trump in May.

MR. QUIGLEY: When exactly did he start working under contract?

MR. SIMPSON: My recollection is that, you know, we began talking about the — I don’t remember when we started talking about the engagement, but the work started in June, I believe.

MR. QUIGLEY: Okay.

MR. SIMPSON: Possibly late May, but –

Given one detail in Mueller’s GRU Indictment, that difference may be critical.

Recall that the DNC figured out they had been hacked in April, and brought in Perkins Coie (the same firm that would engage Fusion GPS) for help. The attorney helping them respond to the hack, Michael Sussmann, warned them not to use DNC email to discuss the hack, because it might alert hackers they were onto them.

The day before the White House Correspondents’ Association dinner in April, Ms. Dacey, the D.N.C.’s chief executive, was preparing for a night of parties when she got an urgent phone call.

With the new monitoring system in place, Mr. Tamene had examined administrative logs of the D.N.C.’s computer system and found something very suspicious: An unauthorized person, with administrator-level security status, had gained access to the D.N.C.’s computers.

“Not sure it is related to what the F.B.I. has been noticing,” said one internal D.N.C. email sent on April 29. “The D.N.C. may have been hacked in a serious way this week, with password theft, etc.”

No one knew just how bad the breach was — but it was clear that a lot more than a single filing cabinet worth of materials might have been taken. A secret committee was immediately created, including Ms. Dacey, Ms. Wasserman Schultz, Mr. Brown and Michael Sussmann, a former cybercrimes prosecutor at the Department of Justice who now works at Perkins Coie, the Washington law firm that handles D.N.C. political matters.

“Three most important questions,” Mr. Sussmann wrote to his clients the night the break-in was confirmed. “1) What data was accessed? 2) How was it done? 3) How do we stop it?”

Mr. Sussmann instructed his clients not to use D.N.C. email because they had just one opportunity to lock the hackers out — an effort that could be foiled if the hackers knew that the D.N.C. was on to them.

“You only get one chance to raise the drawbridge,” Mr. Sussmann said. “If the adversaries know you are aware of their presence, they will take steps to burrow in, or erase the logs that show they were present.”

The D.N.C. immediately hired CrowdStrike, a cybersecurity firm, to scan its computers, identify the intruders and build a new computer and telephone system from scratch. Within a day, CrowdStrike confirmed that the intrusion had originated in Russia, Mr. Sussmann said.

But it’s not clear whether Sussmann warned this small team of people against using DNC emails at all, or just those emails discussing the hack.

Previously, I had always guesstimated how long after DNC brought Crowdstrike in the emails ultimately shared with WikiLeaks got exfiltrated from this analysis, based on the last dates of stolen emails and DNC’s email deletion policies in place at the time. It was a damned good estimate — May 19 to May 25.

But according to the indictment, the theft of the DNC emails happened later: starting on May 25, not ending on it.

Between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees. During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.

The indictment doesn’t describe the entire universe of emails stolen — whether GRU stole just the 9 email boxes shared with WikiLeaks, or whether they obtained far more.

But the later date — possibly reaching as late as June 1 — means it’s possible GRU stole emails involving top DNC officials, officials involved in opposition research activities (as both Guccifer 2.0 and the DNC itself said had been a focus), including the activity of hiring a former MI6 officer to chase down Trump’s illicit ties to Russians.

Don’t get me wrong. If the Russians did, in fact, learn about the Steele effort and manage to inject his known reporting chain with disinformation, there were plenty of other possible ways they might have learned of the project: the several people overlapping between Fusion GPS’ Prevezon team and its Trump team, Rinat Akhmetshin who learned of the dossier from a chatty NYT editor, or maybe a close Trump ally like Sergei Millian. The sad thing about this disinformation project is it was so widely disseminated, any HUMINT integrity could have easily been compromised early in the process.

But the timeline laid out in the GRU indictment adds one more, even earlier possible way: that Russia learned the Democrats were seeking HUMINT from Russians about Russia’s efforts to help Trump from the Democrats’ own emails.

It’s Called a Spine, not a Conscience

I’ve been watching the media reaction to Marcy’s “Putting a Face . . .” post. The first day, there were a lot of “Wow – read this” tweets going around on twitter, but now the more reflective pieces are coming out, like yesterday’s Margaret Sullivan piece in the Style section of the Washington Post entitled “A journalist’s conscience leads her to reveal her source to the FBI. Here’s why.” On the whole, it’s a pretty good piece, but Sullivan makes two absolutely critical errors.

First, right at the top, Sullivan doesn’t seem to understand that all sources are not created equal, though Marcy tries to correct her:

It’s pretty much an inviolable rule of journalism: Protect your sources.

Reporters have gone to jail to keep that covenant.

But Marcy Wheeler, who writes a well-regarded national security blog, not only revealed a source — she did so to the FBI, eventually becoming a witness in special counsel Robert S. Mueller III’s investigation of President Trump’s possible connections to Russia.

“On its face, I broke one of the cardinal rules of journalism, but what he was doing should cause a source to lose protection,” Wheeler told me in a lengthy phone interview.

At least Sullivan put Marcy’s “should” in italics, but for the rest of the piece she seems to have forgotten that it was there.

As I read it, Marcy’s post was not primarily about the investigation into the Russian interference in the 2016 election, though that is what has gotten a lot of the attention. What she was really talking about was the practice  — or should I say “malpractice”? — of journalism. Woven into the entire post, Marcy laid out how she wrestled with a very basic question: What do you do, as a journalist, when a confidential source lies to you?

Marcy’s answer begins by distinguishing between different kinds of sources. Some tell you the truth. Some tell you something that they think is true, but it turns out to be wrong. And then there are some that tell you lies. Granting all of these sources uncritical confidentiality to protect your reputation as a journalist is as dangerous as telling a woman abused by her spouse to “protect her marriage” by staying with the abuser. “Protecting your sources” when those sources undermine your work and reputation ought not mean “protecting your abuser.” Protecting a source uncritically is just asking to get used and abused, over and over again. See “Russert, Tim.”

The second thing that Sullivan missed is that Marcy was also talking to sources — actual and potential. From the end of Sullivan’s piece, with emphasis added:

Wheeler told me she believed herself to be “uniquely informed” about something that mattered a great deal.

In their reporting, journalists talk to criminals all the time and don’t turn them in.

Reporters aren’t an arm of law enforcement.

They properly resist subpoenas and fight like hell not to share their notes or what they know because doing so would compromise their independence and their ability to do their work in the future.

Wheeler knows all that — and believes in it. But she still came forward, not because of a subpoena but because of a conscience.

As Drezner told me, “She would not do this on a whim.”

And as Wheeler put it, “I believe this is one of those cases where it’s important to hold a source accountable for his actions.”

Marcy said it right there, but Sullivan missed it. What Marcy wrestled with, and shared in her post, was how she chose to do just that. She went to the FBI as a way of holding an unreliable source accountable AND as a way to protect her honest sources from a broad, wide-ranging governmental search that could potentially come down the road.

At its core, “Putting a Face . . .” is a journalist telling the world of potential sources two things, that I might paraphrase like this:

First, I take my work seriously, and that means protecting folks who come to me with information. If you share something with me in confidence, something that helps me do my job to get important stories out, I will protect you with all I’ve got.

Second, don’t screw with me. It’s one thing to tell me something you thought was correct that later proves not to be true. That happens. But if I learn that you deliberately lied to me in an effort to harm others, and you attacked my workplace, I am going to burn your ass. Count on it.

If burning sources that lie to you is not a cardinal rule of journalism, it damn well ought to be. I suspect that Marcy’s honest sources will respect her more for this, and her dishonest ones will be very very nervous. Isn’t that something that all journalists ought to strive for?

Think about it like this: if Devin Nunes, Trey Gowdy, and the rest of the House GOP knew that the journalists to whom they spread lies, off the record, would be willing to burn them if the journalists discovered that they were being lied to and used, do you think they’d be so eager to lie?

Sullivan lauded Marcy for being a journalist with a conscience — which she is, but that’s not the point here. The point is that Marcy is a journalist with a spine.

photo h/t to bixentro, and used under Creative Commons Attribution 2.0 Generic license.

Some Issues of Timing Revealed by Manafort’s Filings

New disclosure statement: As you all know, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

On Tuesday, Mueller’s team gave Paul Manafort the contents of Rick Gates’ electronic devices for the first time. Yesterday, after receiving another large dump of evidence, Manafort moved to delay his July 25 trial, a motion the Mueller team objected to.

Those are just a few of the details revealed by a slew of filings submitted in Manafort’s EDVA case yesterday. Those filings include:

  1. The government’s opposition to a motion Manafort submitted in June trying to keep all mention of the Trump campaign, the DC case against him, and the fact he got thrown in jail in the DC case from being introduced in his EDVA trial
  2. A motion to move his trial from Alexandria to Roanoke based on some crazy claims but ultimately boiling down to Manafort’s belief that if he is tried by a jury of his sleazy political influence peddling peers, he’s more likely to go to prison
  3. A supplement to Manafort’s bid to get a hearing on leaks, which includes January and February discovery request letters and two electronic communications describing a meeting between the FBI and the AP from April 2017; all of those exhibits are worth reading but I won’t deal with them here
  4. A motion to delay his trial until sometime after the DC one

It’s the first and the fourth items that I’m interested in here.

emptywheel’s Continuing Obsession with Paul Manafort’s 404(b) Notice

Folks seem to pretty much understand my continuing obsession with Paul Manafort’s iPod habit (or rather, his efforts to deem the seizure of his eight iPods improper). Perhaps less obviously interesting is my continuing obsession with the 404(b) notices in his two cases, which are the way lawyers fight over whether evidence of related crimes can be admitted in trial. In Manafort’s case, I think this fight may reveal something about how Mueller sees the various pieces of the puzzle fitting together.

As I previously noted, the government fought to delay disclosure of 404(b) in the DC case until June 15. When they did submit the 404(b) notice in that case, the government said they want to include evidence of three other crimes, two of which happen to be New York State crimes (the apartment in question is a Trump Tower one) that might be charged in the state.

Here’s the 404(b) motion. Mueller wants to introduce three things:

  • Evidence that one reason that Manafort and others arranged for [Skadden Arps] to be retained for the de minimis sum of approximately $12,000—even though they knew at the time that Law Firm A proposed a budget of at least $4 million—was to avoid certain limitations imposed by Ukrainian public procurement law.
  • Evidence that Manafort was treating a NYC apartment as a business property with the IRS but as a personal dwelling with a lender.
  • Evidence that Manafort structured intra-Cypriot funds to hide income.

The first of those two, of course, involve crimes in NY state.

In the EDVA case, I had suspected that the government asked TS Ellis to issue a discovery order to make it clear they wouldn’t provide 404(b) notice in this case until a week before trial — I got the date wrong but I think it’d be July 18 — but can move to avoid any pretrial notice.

So maybe that’s what Mueller’s trying to get Manafort to agree to. The EDVA standard order he’s trying to get him to use would require 404(b) notice by July 17, but permits the government to request avoiding such pretrial notice.

It is further ORDERED that, no later than seven calendar days before trial, the government shall provide notice to the defendant, in accordance with FED. R. EVID. 404(b), of the general nature of any evidence of other crimes, wrongs, or acts of defendant which it intends to introduce at trial, except that, upon motion of the government and for good cause shown, the court may excuse such pretrial notice.

Yesterday’s opposition to Manafort’s bid to limit what it can say about the Trump campaign and the DC case confirms I was (at least partly) correct — the government wanted a discovery order so they can avoid telling Manafort what they want to raise at trial.

The defendant’s request to preclude evidence relating to the District of Columbia case is a premature effort to preclude evidence under Rule 404(b). See Doc. 93 at 5 n.1 (“[T]his motion is being filed in the event that the Special Counsel seeks at trial to introduce evidence or advance arguments concerning ‘other act’ evidence.”). The standard practice in the Eastern District of Virginia, as referenced in the Government’s proposed discovery order (Doc. 83 at 7), is that the government provide notice of Rule 404(b) evidence it intends to introduce at trial seven days before trial. Although the defendant has not responded to the Government’s Motion for Entry of Discovery Order, the government intends to follow the District’s standard practice with respect to Rule 404(b) notice. It nevertheless bears noting that contrary to the defendant’s characterization, there is substantial overlap between the evidence in District of Columbia case and the one before this Court. The Superseding Indictment in the District of Columbia alleges tax fraud that overlaps with the substantive tax charges in the Eastern District of Virginia.

In other words, in a filing arguing that the government should be able to bring in details about both the Trump campaign (because some of the loans he’s being tried for he only obtained by getting the banker a position on the Trump campaign) and about Gates’ guilty plea in DC (but not about the crimes that Manafort allegedly committed while on bail that got him thrown in prison), Mueller’s team makes it clear they intend to wait to tell Manafort what other crimes they might mention at the EDVA trial until July 18.

In any case, this opposition motion would seem to limit how much Mueller can mention about the collusion case in chief to a description of that loan. So it’s probably just that Mueller has some other activity, akin to the NY based crime they plan to introduce in the DC case, perhaps some criminal activity that can be charged in VA, that they plan to introduce at trial. In any case, they’re not going to release it for another 10 days or so.

The big discovery dump

Sometime after 6:28 yesterday, Manafort submitted his motion to delay his trial to sometime after his other one. Now, as Josh Gerstein noted in response to my pestering him to review Manafort’s “rocket docket” strategy of splitting this trial from his DC one, Manafort lawyer Kevin Downing always wanted to do the DC one first.

Manafort attorney Kevin Downing requested the Virginia case be set for sometime in November, after the Washington trial. Downing told Ellis the defense needs time to assemble legal motions in both cases and to prepare for the back-to-back trials.

“This is a massive indictment,” the defense attorney said. “We were envisioning a trial in this case in November, following the case in D.C.”

So effectively, what Manafort did was wait until the very last minute, and then ask for what they wanted in the first place, this trial to go second. To justify the delay, his lawyers are citing the difficulties posed by him being in jail (which is a fair reason, but one most similarly situated defendants don’t get concessions for).

But I’m interested in the depiction of the latest discovery received that they also use to make the request.

Indeed, in terms of discovery, defense counsel has continued to receive voluminous amounts from the Special Counsel up-to-the-moment. Thus far, there have been twenty-three (23) discovery productions, the most recent of which was produced to the defense at 6:28 p.m. today, July 6, 2018 (i.e., the same date that this motion for a continuance is being filed)—a mere 19 days before the scheduled trial in this case. The Special Counsel’s production today appears to contain approximately 50,000 pages of new documents. Indeed, this is despite the Special Counsel’s representations earlier this year that discovery was complete, or nearly complete.[4] In fact, since May the defense has received seven discovery productions which include at least 140,000 pages of material. The Special Counsel’s next most-recent disclosure—coming on July 3, 2018 (a mere 22 days prior to the scheduled trial)—includes data obtained from the primary cooperating witness’s personal electronic devices and will require extensive review and analysis. (This is the same witness who resolved his case in the District of Columbia in February of this year.) Moreover, defense counsel’s review of the discovery produced to date has been unusually time-consuming because discovery relevant to this case has often been co-mingled with discovery that appears relevant solely to the D.C. Case. As the Court observed at the recent motions hearing, this is primarily a documents case, and defense counsel require additional time to thoroughly review and analyze with their client the voluminous documents produced by the Special Counsel. It is critically important for the defense to have sufficient time to review the discovery with Mr. Manafort because he understands many of the relevant documents (and their context) better than anyone else.

[4] See, e.g., Doc. 20 (filed Feb. 28, 2018) at 7 (“[W]e believe that almost all of the relevant discovery in this matter in our possession has already been produced in the course of the District of Columbia prosecution.”); see also D.C. Case, Doc. 146 (filed Jan. 12, 2018) at 1 (“As of the date of this filing, the government has completed a substantial portion of the discovery in this case.”).

Now, I await Mueller’s response to this, as I suspect Manafort is obscuring that, to the extent it pertains to this trial, this recent discovery has more to do with Mueller’s obligations to give Manafort discovery on incriminating evidence against people who will be witnesses at the trial. He’s also obscuring how discovery happened in this case, which started coming 20 days after he was indicted in DC in October and for which the most pertinent materials were identified as “hot.” The full context of the document he cites in that footnote reads,

In addition, we believe that almost all of the relevant discovery in this matter in our possession has already been produced in the course of the District of Columbia prosecution. The government made its first production on November 17, 2017, which included: (1) foreign bank account records for the accounts in Cyprus and Saint Vincent & the Grenadines; (2) domestic financial records; and (3) documents from Manafort’s tax preparer that were identified by the government as particularly relevant. In ensuing ten productions, the government has produced a range of emails, financial documents and other records, as well as materials obtained from a number of different devices and media. 4 As of February 28, 2018, the government had made eleven separate discovery productions to the defendant. In addition, the government also has produced for the defendant documents that it identified as “hot.”

So Manafort had 7 months to review the most important discovery in this case working from home confinement. Manafort is also, surely, obscuring how much of this discovery pertains to the DC case (which is still two months away), not this EDVA one.

These motions were due on Friday in any case, and as Gerstein pointed out, Downing always wanted to do this trial after the DC one, so it’s unlikely this request for a continuance is a response to the discovery he got last week. And the late filing might be best explained by a late edit to incorporate yesterday’s production in the motion. The motion for a continuance is far, far better drafted than the goofy venue change one.

But I do find it interesting that Mueller is just now showing Manafort what he found in Rick Gates’ electronic devices. I wonder if, in doing so, he expected Manafort to rethink his willingness to run interference for Donald Trump? If so, then the request for a continuance would be rather interesting.

Roger Stone and ConFraudUs

CNN’s David Gelles has an instructive tweet this morning showing how the rate at which Trump tweets about the Mueller “witch hunt” is accelerating.

Assuming this includes this morning’s two “witch hunt” tweets, Trump is on pace to use the phrase 28 times by the end of the month, though I bet he’ll continue to accelerate the use of it in the week remaining in the month.

The Mueller investigation is, I suspect, coming to a head.

I don’t claim I know how it will turn out. The president has an enormous amount of power and his flunkies in Congress promise they’re about to end Rod Rosenstein’s bend-don’t-break defense by impeaching him (though Rosenstein and Chris Wray have just thrown more documents out to slow the Republicans). It’s certainly possible that Trump will make a last ditch effort to undercut the Mueller investigation and that effort will be competently executed and none of the secondary fall-back defenses Mueller has put into place will work. For now, though, the Trump team seems intent on a delay and discredit strategy, which won’t stave off any imminent steps.

So we shall see whether Trump succeeds in undercutting the investigation. I keep thinking, “that’s why they play the game,” but this is no game.

There are a number of reasons I think Mueller’s investigation is coming to a head. But consider one detail. I’ve long explained that Mueller seems to be building a series of Conspiracy to Defraud the United States indictments that will ultimately incorporate the entire Russian operation (and may integrate the Trumpsters’ international self-dealing as well). As Mueller’s team has itself pointed out, for heavily regulated areas like elections, ConFraudUs indictments don’t need to prove intent for the underlying crimes. They just need to prove,

(1) two or more persons formed an agreement to defraud the United States;

(2) [each] defendant knowingly participated in the conspiracy with the intent to defraud the United States; and

(3) at least one overt act was committed in furtherance of the common scheme.

Let’s see how evidence Mueller has recently shown might apply in the case of Roger Stone, Trump’s lifelong political advisor. We already knew that Stone had communications that he did not immediately disclose with Guccifer 2.0 and Wikileaks. With both, Stone has contributed to and reinforced claims the entities were not Russian operations, though his conversion about the source of the Hillary emails was pretty sudden and curiously timed.

Now we know that in May, Stone had lunch with someone calling himself Henry Greenberg offering dirt on Hillary. His explanation — based only on the texts that Michael Caputo was asked about in a Mueller interview — is not that he didn’t entertain the offer, but that he didn’t take Greenberg up on the offer as made in late May because Greenberg was asking for big money.

Both clearly recognized Greenberg as a Russian, therefore a foreigner offering something of value during an election.

Bizarrely, in trying to rebut the import of this exchange publicly, Caputo and Stone are doing nothing more than working the public refs, claiming to assume this was an FBI sting. Mueller knows whether it was an FBI sting, and there’s virtually no way he’d be asking questions about it if it were (particularly if Stone really didn’t take the bait). In short, Stone has no justification for this he’s willing to offer publicly; instead, he’s just adopting the SpyGate narrative in an attempt to discredit the investigation. And that’s assuming there were no follow-ups or other damning texts that didn’t involve someone willing to leak them to the press.

And all that happened before Peter Smith came on the scene, someone who, unlike Donald Trump, was willing to spend money for such things, an operation Stone is suspected of being involved in but which he studiously avoids mentioning when trying to explain himself. Smith did obtain emails from people Matt Tait advised him might be part of a Russian operation, and when he couldn’t validate them, sent them on to Wikileaks.

Which is to say Stone repeatedly entertained offers from foreigners illegally offering dirt that would benefit the Trump campaign — Greenberg, Guccifer 2.0, possibly Peter Smith’s Dark Web hackers. He may even have exhibited a belief that Australian Julian Assange had and could release the latter dirt, possibly with the knowledge they came from Russians.

So we’ve got Stone meeting with other people, repeatedly agreeing to bypass US election law to obtain a benefit for Trump, evidence (notwithstanding Stone’s post-hoc attempts to deny a Russian connection with Guccifer 2.0 and Wikileaks) that Stone had the intent of obtaining that benefit, and tons of overt acts committed in furtherance of the scheme.

And all that’s without leaning on the other stuff Mueller found on Stone’s phone, which Stone is also trying to explain away by public conspiracies (in this case that the phone content was obtained with a FISA order rather than with a probable cause warrant obtained on March 9).

This is just one of the people Mueller has publicly focused on in recent days. We could lay out similar arguments for Michael Cohen, Paul Manafort, and Brad Parscale, at a minimum. Mueller had — and acted on — probable cause warrants covering five AT&T phones in March, all of which probably had close ties to Rick Gates. Assuming those targets are distributed proportionately with the US population, he’s likely to have obtained warrants for as many as 15 phones just in that go-around.

So if Roger Stone is any indication, the Mueller investigation may soon be moving into a new phase.

What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken two setbacks (a detrimental ruling that Hutchins will learn the identity of the informant, Randy, at least a month before trial, if not before, and the fact that Hutchins did not, maybe could not, have admitted what they wanted him to in his original interrogation but did admit to some other things) and used them to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgeable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — over what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served by punishing a guy because he achieved renewed notice by doing something good?

Two Days after Julian Assange Threatened Don Jr, Accused Vault 7 Leaker Joshua Schulte Took to Tor

Monday, the government rolled out a superseding indictment for former NSA and CIA hacker Joshua Schulte, accusing him (obliquely) of leaking the CIA’s hacking tools that became the Vault 7 release from Wikileaks. The filings in his docket (as would the search warrants his series of defense attorneys would have seen) make it clear that the investigation into him, launched just days after the first CIA release, was always about the CIA leak. But when the government took his computer last spring, they found thousands of child porn pictures dating back to 2009. It took the government over three months and a sexual assault indictment in VA to convince a judge to revoke his bail last December, and then another six months to solidify the leaking charges they had been investigating him for from the start.

But the case appears to have taken a key turn on November 16, 2017, when he did something — it’s not clear what — on the Tor network. While there are several things that might explain why he chose to put his release at risk by accessing Tor that day, it’s notable that it occurred two days after Julian Assange tweeted publicly to Donald Trump Jr that he’d still be happy to be Australian Ambassador to the US, implicitly threatening to release more CIA hacking tools.

Schulte was, from days after the initial Vault 7 release, apparently the prime suspect to be the leaker. As such, the government was always interested in what Schulte was doing on Tor. In response to a warrant to Google served in March 2017, the government found him searching, on May 8, 2016, for how to set up a Tor bridge (Schulte has been justifiably mocked for truly abysmal OpSec, and Googling how to set up a bridge is one example). That was right in the middle of the time he was deleting logs from his CIA computer to hide what he was doing on it.

When he was granted bail, he was prohibited from accessing computers. But because the government had arrested him on child porn charges and remained coy (in spite of serial hold-ups with his attorneys regarding clearance to see the small number of classified files the government found on his computer) about the Vault 7 interest, the discussions of how skilled he was with a computer remained fairly oblique. But in their finally successful motion to revoke Schulte’s bail, the government revealed that Schulte had not only accessed his email (via his roommate, Schulte’s lawyer would later claim), but had accessed Tor five times in the previous month, on November 16, 17, 26, and 30, and on December 5, 2017, which appears to be when the government nudged Virginia to get NYPD to arrest him on a sexual assault charge tied to raping a passed out acquaintance at his home in VA in 2015.

Perhaps the most obvious explanation for why Schulte accessed Tor starting on November 16, 2017, is that he was trying to learn about the assault charges filed in VA the day before.

But there is a more interesting explanation.

As you recall, back in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017, of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries’ politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

There’s a reason I think those Tor accesses may actually be tied to Assange’s implicit threat. In January of this year, when his then lawyer Jacob Kaplan made a bid to renew bail, he offered an excuse for those Tor accesses. He claimed Schulte was using Tor to research the diaries on his experience in the criminal justice system.

In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

Someone posted those diaries to a Facebook account titled “John Galt’s Defense Fund” on April 20, 2018 (in addition to being an accused rapist and child porn fan, Schulte’s public postings show him to be an anti-Obama racist and an Ayn Rand worshiping libertarian).

Yesterday, Wikileaks linked those diaries, which strikes me as an attempt to corroborate the alibi Schulte has offered for his access to Tor last November.

The government seems to have let Schulte remain free for much of 2017, perhaps in search of evidence to implicate him in the Vault 7 release. Whether it was a response to a second indictment or to Assange’s implicit threats to Don Jr, Schulte’s use of Tor last year (and, surely, the testimony of the roommate he was using as a go-between) may have been one of the keys to getting the proof the government had been searching for since March 2017.

Whatever it is, both Wikileaks and Schulte would like you to believe he did nothing more nefarious than research due process websites when he put his bail at risk by accessing Tor last year. I find that a dubious claim.


2009: IRC discussions of child porn

2011 and 2012: Google searches for child porn

April 2015: Rapes a woman (possibly partner) who is passed out and takes pictures of it

March to June 2016: Schulte deleting logs of access to CIA computer

May 8, 2016: Schulte Googles how to set up a Tor bridge

November 2016: Leaves CIA, moves to NY, works for Bloomberg

December 16, 2016: Assange DM to Don Jr about becoming Ambassador

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

February 4, 2017: Wikileaks starts prepping Vault 7

March 7, 2017: Wikileaks starts releasing Vault 7

March 13, 2017: Google search warrant

March 20, 2017: Search (including of cell phone, from which passwords to his desktop obtained)

June 2017: Interview

August 17, 2017: Dana Rohrabacher tries to broker deal for Assange with Trump

August 23, 2017: Arrest affidavit

August 24, 2017: Arraignment

THE COURT: Well, it sounds like, based on the interview, that he knew what the government was looking at.

MR. LAROCHE: That wasn’t the basis of the interview, your Honor.

MR. KOSS: I think it was either two or three [interviews]. I think it was three occasions. I was there on all three, including one of which where we handed over the telephone and unblocked the password to the phone, which they did not have, and gave that to them. And as I said, I have been in constant contact with the three assistant U.S. attorneys working on this matter literally on a weekly basis for the last 4, 5, 6 months. And any time Mr. Schulte even thought about traveling, I provided them an itinerary. I cleared it with them first and made sure it was okay. On any occasion that they said they might want him close so that he could speak to them, I cancelled the travel and rescheduled it so that we would be available if they needed him at any given time.

October 2, 2017: Bail hearing

MR. LAROCHE: Well, I believe there still is a danger because it’s not just computers, your Honor, but electronic devices are all over society and easy to procure and this type of defendant having the type of knowledge he has does in terms of accessing things — so he has expertise and not only just generally computers but using things such as wiping tools that would allow him to access certain website and leave no trace of it. Those can be done from not just a computer but from other electronic devices.

But the child pornography itself is located on the defendant’s desktop computer. They can be accessed irrespective of those servers. So if all the government had was this desktop computer, we could recover the child pornography. So I think this idea that numerous people had access to the servers and potentially could have put it there, is simply a red herring. This was on the defendant’s desktop computer. And the location where it was found, this sub-folder within several layers of encryption, there were other personal information of the defendant in that area. There was his bank accounts. I think there was even a resume for the defendant where he was storing this information. And the passwords that were used to get into that location, those passwords were the same passwords the defendant used to access his bank account, to access various other accounts that are related to him. So this idea that he shared them with other people, the government just strongly disagrees.

October 11, 2017: Schulte lawyer Spiro withdraws

October 24, 2017: At Trump’s request Bill Binney meets with Mike Pompeo to offer alternate theory of the DNC hack

November 8, 2017: Status hearing

SMITH: I believe the government has told us that there’s more data in this case than in any other like case that they have prosecuted.

MR. STANSBURY: Let me just clarify that part first. We proposed this just in an abundance of caution given the defendant’s former employer and the fact that — and I meant to flag this before. I apologize now for not. There’s a small body of documents that were found in the defendant’s residence that were taken from his former employer that might implicate some classified issues. We have been in the process of having those reviewed and I think we’re going to be in a position to produce those in the next probably few days. But we wanted to just make sure that we were acting out of an abundance of caution in case any SEPA [sic] issues come about in the case. I don’t expect them to at this point but we wanted to do that out of an abundance of caution.

November 9, 2017: Wikileaks publishes Vault 8 exploit

November 14, 2017: Assange posts Vault 8 Ambassador follow-up

November 14, 2017: Arrest warrant in VA

November 15, 2017: Charged in Loudoun County for sexual assault

November 16, 2017: Use of Tor

November 17, 2017: Use of Tor

November 26, 2017: Use of Tor

November 29, 2017: Abundance of caution, attorney should obtain clearance

November 30, 2017: Use of Tor

December 5, 2017: Use of Tor, Smith withdraws

December 7, 2017: NYPD arrests on VA warrant for sexual assault

December 12, 2017: Move for detention, including description of email and Tor access

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network. TOR networks enable anonymous communications over the Internet and could be used to download or view child pornography without detection. Indeed, the defendant has a history of using TOR networks. The defendant’s Google searches obtained in this investigation show that on May 8, 2016, the defendant conducted multiple searches related to the use of TOR to anonymously transfer encrypted data on the Internet. In particular, the defendant had searched for “setup for relay,” “test bridge relay,” and “tor relay vs bridge.” Each of these searches returned information regarding the use of interconnected computers on TOR to convey information, or the use of a computer to serve as the gateway (or bridge) into the TOR network.

December 14, 2017: US custody in NY

MR. KAPLAN: Well, your Honor, we’ve obtained the discovery given to prior counsel, and I’ve started to go through that. In addition, there was one other issue which I believe was raised at our prior conference, which was a security clearance for counsel to go through some of the national security evidence that might be present in the case.

While most of the national security stuff does not involve the charges, the actual charges against Mr. Schulte, the basis for the search warrants in this case involve national security.

So I’m starting the process with their office to hopefully get clearance to go through some of the information on that with an eye towards possibly a Franks motion going forward. So I would ask for more time just to get that rolling.

January 8, 2018: Bail appeal hearing

MR. KAPLAN: Judge, on the last court date, when we left, the idea was that we had consented to detention with the understanding that Mr. Schulte would be sent down to Virginia to face charges based on a Virginia warrant. None of that happened. Virginia never came to get him. Virginia just didn’t do anything in this case. But before I address the bail issues, I think it’s important that this Court hear the full story of how we actually get here. At one of the previous court appearances, I believe it was the November 8th date, this Court asked why the defense attorney in this case would need security clearance. And the answer that was given by one of the prosecutors, I believe, was that there was some top secret government information that was found in Mr. Schulte’s apartment, and that out of an abundance of caution it would be prudent that the defense attorney get clearance. But I don’t think that’s entirely accurate.

While the current indictment charges Mr. Schulte with child pornography, this case comes out of a much broader perspective. In March of 2017, there was the WikiLeaks leak, where 8,000 CIA documents were leaked on the Internet. The FBI believed that Mr. Schulte was involved in that leak. As part of their investigation, they obtained numerous search warrants for Mr. Schulte’s phone, for his computers, and other items, in order to establish the connection between Mr. Schulte and the WikiLeaks leak.

As we will discuss later in motion practice, we believe that many of the facts relied on to get the search warrants were just flat inaccurate and not true, and part of our belief is because later on, in the third or fourth search warrant applications, they said some of the facts that we mentioned earlier were not accurate. So we will address this in a Franks motion going forward, but what I think is important for the Court is, in April or May of 2017, the government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn’t find was any connection to the WikiLeaks investigation. Since that point, from May going forward, although they later argued he was a danger to the community, they let him out; they let him travel. There was no concern at all. That changed when they arrested him in August on the child pornography case.

[snip]

The second basis that the government had in its letter for detaining Mr. Schulte was the usage of computers. In the government’s letter, they note how, if you search the IP address for Mr. Schulte’s apartment, they found numerous log-ons to his Gmail account, in clear violation of this court’s order. But what the government’s letter doesn’t mention is that Mr. Schulte had a roommate, his cousin, Shane Presnall, and this roommate, who the government and pretrial services knew about, was allowed to have a computer.

And more than that, based on numerous conversations, at least two conversations between pretrial services, John Moscato, Josh Schulte and Shane Presnall, it was Shane’s understanding that pretrial services allowed him to check Mr. Schulte’s e-mail and to do searches for him on the Internet, with the idea that Josh Schulte himself would not have access to the computer.

And the government gave 14 pages of log-on information to establish this point. And, Judge, we have gone through all 14 pages, and every single access and log-in corresponds to a time that Shane Presnall is in the apartment. His computer has facial recognition, it has an alphanumeric code, and there is no point when Josh Schulte is left himself with the computer without Shane being there, and that was their understanding.

LAROCHE: And part of that investigation is analyzing whether and to what extent TOR was used in transmitting classified information. So the fact that the defendant is now, while on pretrial release, using TOR from his apartment, when he was explicitly told not to use the Internet, is extremely troubling and suggests that he did willfully violate his bail conditions.

KAPLAN: In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

LAROCHE: Because there is a classified document that is located on the defendant’s computer, it is extremely difficult, and we have determined not possible, to remove that document forensically and still provide an accurate copy of the desktop computer to the defendant.

So in those circumstances, defense counsel is going to require a top secret clearance in order to view these materials. It’s my understanding that that process is ongoing, and we have asked them to expedite it. As soon as the defendant’s application is in, we believe he will get an interim classification to review this material within approximately two to three weeks. Unfortunately, that hasn’t occurred yet. So the defendant still does not have access to that particular aspect of discovery. So we are working through that as quickly as we can.

January 17, 2018: Bail appeal denied

March 15, 2018: Sabrina Shroff appointed

March 28, 2018: Initial ban of Internet access and visitors for Assange

April 20, 2018: Schulte’s diaries (ostensibly the purpose of using Tor) posted

May 10, 2018: Ecuador bans visitors for Assange

May 16, 18, 2018: Documents placed in vault

May 16, 2018: Schulte Facebook site starts legal defense fund

June 18, 2018: Schulte superseding indictment

June 19, 2018: Wikileaks posts links to diary

Why Was George Papadopoulos Bitching about the UK While Working on His Presentencing Report?

The government and the lawyers for George Papadopoulos have a joint status report due on Friday. That means the lawyers are all, surely, in communication right now. Probably, Papadopoulos has already seen a draft if not the final of his presentencing report, which among other things, will talk about whether he met the terms of his plea deal. The plea deal, unlike virtually all the others we know Mueller’s team to have signed, included a list of people Papadopoulos was not permitted to contact.

That’s why I find this tweet from Papadopoulos, which TCleveland4Real caught on Twitter, to be so interesting.

TCleveland4Real noted two more things: first, this seems to be an allusion to “perfidious Albion,” the notion that the UK will sell you out in international diplomacy and spying. Perfidious Albion has also been used, repeatedly, to discuss Brexit. And shortly after TCleveland4Real noted it, Papadopoulos deleted the Tweet.

Perhaps this is all utterly unrelated to the filings that will determine whether Papadopoulos does prison time this week. But I sure do wonder whether this curse about Great Britain pertained to what he’s looking at, or even if this tweet was meant as some kind of signal to others.

Update: Here’s the release conditions language he would have violated if he compared notes with others about talking to Stefan Halper.

And he was directed not to have any contact, direct or indirect, with individuals relating to the campaign or to any of the conduct set forth in the complaint. The Government provided a list of those individuals to the Defendant and defense counsel.

Arguably, even Simona asking for a pardon constitutes indirect communication with an individual relating to the campaign, given that only Trump could be the audience for that.

Update, 9/1/18: I realize that Papadopoulos couldn’t have been reviewing his PSR. That only got done on August 1. So something else made him realize he was screwed.
