DOJ Says It Never Offered Accused Vault 7 Leaker Joshua Schulte a Plea Deal

As the Joshua Schulte prosecution has inched along against the backdrop of the Julian Assange indictment, I’ve heard chatter about his plans: that the two sides might prosecute the child porn charges and leave the leak untried; that the government was trying to get him to cooperate against Assange.

In the former case, the opposite now seems more likely. Last week, Judge Paul Crotty granted Schulte’s motion to sever his child porn and copyright charges from his Espionage ones. But the minute order states that the Espionage charges will be tried first, in November, with the child porn charges tried some time after that. That’s true, even though the Espionage charges are far more complex to try than the child porn ones. If the government wanted to use the child porn charges to put Schulte away indefinitely and avoid the difficulties of an Espionage trial, they’d try those first. (Update: at the hearing where this was decided, the defense said they wanted the Espionage trial to go first, and all other parties agreed.)

As to the latter, Schulte himself has sown the belief he was being offered a plea deal. In one version of his “Presumption of Innocence” blog, for example, he claimed (falsely, given the warrants he himself released) the government never obtained any evidence implicating him in the leak, and was just pursuing the child pornography charges to “break” him so he’ll cooperate against WikiLeaks.

I’m arrested and charged with a crime that had nothing to do with the initial search warrant and of which I was completely innocent. The U.S. Attorney unethically and immorally misleads the court regarding what the initial investigation was about, when they found the illicit materials, and the fact that they did not think I was involved for 5 months until their initial investigation came up empty. I’m denied bail and thrown into prison immediately and they use the situation as leverage telling my attorney every day that he can make this huge embarrassment and misunderstanding all go away if only I would agree to cooperate on the WikiLeaks investigation and admit to it. They admit, unabashedly, that these entire charges are nothing more than a ruse, an attempt at leverage to break me.

A version of this claim was repeated in a piece the Intercept did yesterday claiming to track how (a select group of) leakers got identified by the FBI.

Of the four Espionage Act cases based on alleged leaks in the Trump era, the most unusual concerned Joshua Schulte, a former CIA software developer accused of leaking CIA documents and hacking tools known as the Vault 7 disclosures to WikiLeaks. Schulte’s case is different from the others because, after the FBI confiscated his desktop computer, phone, and other devices in a March 2017 raid, the government allegedly discovered over 10,000 images depicting child sexual abuse on his computer, as well as a file and chat server he ran that included logs of him discussing child sexual abuse images and screenshots of him using racist slurs. Prosecutors initially charged Schulte with several counts related to child pornography and later with sexual assault in a separate case, based on evidence from his phone. Only in June 2018, in a superseding indictment, did the government finally charge him under the Espionage Act for leaking the hacking tools. He has pleaded not guilty to all charges.

Schulte was identified as the suspect just like all the other people profiled in the story were: because he was one of the few people who had access to the files that got leaked and his Google searches mapped out a damning pattern of research involving the leak, among other things. In his case, WikiLeaks itself did several things to add to the evidence he was the source. It is true that Schulte was charged with the porn charges first and that it took 15 months for the government to ultimately charge the leak, but the theory of Schulte’s role in the leak has remained largely unchanged since a week after the first files were dropped.

Schulte again suggested he might get a plea deal in his lawsuit against then-Attorney General Jeff Sessions for imposing Special Administrative Measures against him, when he raised 5K1 letters that might allow someone to avoid mandatory minimum sentencing.

But in last week’s opposition to Schulte’s motion to suppress most of the warrants against him — including some on the grounds that they relied on poisonous fruit of attorney-client privileged material — the government denies ever offering a plea deal.

Schulte claims that the FBI read his thoughts on severance (which the Government has consented to) or a plea offer (which the Government has not made), but none of those “thoughts” are referenced in any subsequent search warrant.

The claim that the government left unredacted a reference to Schulte’s views on a plea deal does not appear in the unredacted version of Schulte’s motion to suppress, but given his lawyers’ claim that his journals were intended to be a discussion of his legal remedies, it may be an attempt to suppress the Presumption of Innocence notes cited above (even though Schulte made the same notes public).

Mr. Schulte’s narrative writings and diary entries contain information he “considered to be relevant to his potential legal remedies.”

There’s a lot of room for a discussion short of a plea offer that might be true even given the government’s claim that “the Government has not made” any offer (such as that one of the series of attorneys who have represented Schulte has recommended that he seek a deal).

But the detail is particularly interesting given the timing of his trial and something the government claimed the last time Chelsea Manning and her lawyers tried to get her out of jail. It insisted it wanted Manning’s testimony for subjects and charges not included in Assange’s current indictment, and said the submission of the extradition request against Assange does not preclude future charges based on those offenses.

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).

Barring a delay because of Classified Information Procedures Act proceedings, Schulte will face trial on the Espionage charges in November, three months before the next hearing in Assange’s extradition. And while there’s no hint in Schulte’s case that WikiLeaks played a role in the front end of Schulte’s alleged leak, there’s abundant evidence that they continued to cooperate with him in the aftermath and even in the initial release itself. Indeed, that’s some of the most damning evidence against Schulte.

Schulte seems to think he could cooperate against Assange and face lesser charges. If the government told the truth last week, he may have little prospect to diminish what would amount to a life sentence if he’s found guilty.

The Dance between Joshua Schulte and WikiLeaks

Way back when Joshua Schulte was first charged for leaking the CIA’s hacking tools to WikiLeaks, I noted a loose coincidence between WikiLeaks’ release, for the first time, of some of CIA’s hacking source code rather than just development notes and the activity on Tor that led to Schulte getting his bail revoked. Since then, however, court documents have laid out a number of other interactions between Schulte and WikiLeaks. This post lays all of those out.

The government currently maintains that Schulte stole the CIA’s hacking tools in late April 2016 and sent them (it’s unclear whether they believe he sent them directly to WikiLeaks or not), using Tails, in early May. In court documents (the most informative warrant affidavit starts at PDF 129, though the FBI would revise some of its understanding of events after that time), that timeline is based off the searches Schulte did in Google (!!!) mapping out his actions.

April 24, 2016: Schulte searches for a SATA adapter (which lets you connect a computer hard drive via a USB connection); Schulte searches how to partition a drive

April 28, 2016: Schulte searches, for a second time, on how to restrict other admins from seeing parts of a LAN

April 30, 2016: Schulte researches how to delete Google history, Western Digital disk wipe, and Samsung ssd wipe (the search of Schulte’s apartment would find both Western Digital and Samsung drives)

May 1, 2016, 3:20AM: Schulte searches on “how can I verify that a 1 tb file transferred correctly?”

May 4, 2016: Schulte searches on “can you use dban on ssd,” referring to a wiping software called Darik’s Boot and Nuke

May 6, 2016: Schulte researches Tor

May 8, 2016: Schulte researches how to set up a Tor bridge

In August 2016, Schulte for the first time started tracking WikiLeaks coverage via a number of Google searches, but without visiting the site. He also researched Tails for a second time, as well as throwaway email.

Schulte’s first trackable visit to the WikiLeaks site itself was on March 7, 2017, the day of the first Vault 7 release (though WikiLeaks had started hyping it earlier, starting in February 2017).

From that first release on March 7 through September 7, WikiLeaks would release another Vault 7 release fairly regularly, often every week, other times at two week intervals and, at one point in June, releasing files on consecutive days. WikiLeaks then released the one and only Vault 8 file — source code rather than development notes — on November 9.

In general, that rhythm of releases is not obviously remarkable, though of course it took place against the background of serial efforts to get Julian Assange a pardon in the US.

But it intersects with the investigation of Schulte laid out in search warrant applications and other filings in a few key ways. As I’ll show in a follow-up, it’s clear that Schulte provided WikiLeaks with a story about the files to offer a rationale for their publication, so it’s clear that he did more than provide the files as a dead drop. After the first files dropped, he realized he’d be the prime suspect. Court filings reveal that he contacted a number of his former colleagues (using Google!), trying to find out what they knew about the investigation, acknowledging that he would be a key suspect, and denying he had done the leak.

Then, between the first and the second Vault 7 release, on March 15, the FBI interviewed Schulte as they were searching his apartment. As part of that interview, Schulte lied to the FBI so as to be able to leave his apartment with the CIA diplomatic passport he had never returned (he had plane tickets to leave the country the following day). When he left his apartment, he told FBI Agents he’d be back in roughly an hour. He went to Bloomberg (where he still worked), stashed his passports there, and got on his work computer. 45 minutes after the time he said he’d return, the FBI found him leaving the lobby of Bloomberg, and on threat of arrest, got him to surrender his passports. After all this happened, Bloomberg did an analysis of what Schulte had done on his work computer and phones in this period; the FBI seized his work hard drive in May 2017. If Schulte had ongoing communications with WikiLeaks, this would have provided an opportunity to reach out to them to tell them he was under imminent threat of arrest.

From that point forward, the FBI asked Schulte new questions based off what had been released by WikiLeaks. Most notably, on June 29, they asked Schulte whether he altered Brutal Kangaroo, a file released by WikiLeaks just a week earlier, outside the CIA.

The rhythm of WikiLeaks’ regular releases continued through August 24, when Schulte was arrested for child porn, with a file released that day, and another file released on September 7, while he was in jail. But after Schulte was released on bail after a September 13 hearing, WikiLeaks released no more Vault 7 files.

An April 2019 Bill of Particulars released last month strongly suggests a tie between Schulte’s Tor activities, which started on November 16, 2017, and the events that preceded them. The document suggests that Schulte may have met with someone on November 8, 2017, then lied to the FBI or prosecutors about it 8 days later. Among the four lies the government described to substantiate False Statements and Obstruction charges in his indictment, it explains,

On or about November 16, 2017, Schulte falsely described his trip to a court appearance from the vicinity of Grand Central Terminal to the vicinity of the courthouse, and also falsely claimed to have been approached on the way to that court appearance by an unknown male who allegedly stated, in substance and in part, that he knew that Schulte had been betrayed and bankrupted by the U.S. Government.

This incident almost certainly happened on November 8. As noted, he was arrested on August 24, 2017. He was denied bail at first (so remained in jail). But when he was arraigned on the first (child porn) indictment on September 13, he was granted bail, including house arrest. While he would have had to check in with Parole Officers, the next “court appearance” he had (because the first status hearing got delayed a few times) — and the only court appearance before November 16 — was on November 8. He’d have gone to his first and second arraignment from jail; he was only out on bail to travel to a court appearance from his home for that first status conference.

It seems likely that an FBI surveillance team tracked Schulte on that day doing something suspect between the time he left his home and arrived at the courthouse. The mention of Grand Central suggests he may have met someone there, though that’s not dispositive because his apartment was just a few blocks away. But Schulte’s description of meeting a man he didn’t know, which the government alleges is false, seems like the kind of lie you’d tell if you were covering for meeting a man you did know. As noted, that probably happened on November 8.

On November 9, WikiLeaks released their single Vault 8 file.

Then, Schulte was asked, by some “law enforcement agents and/or prosecutor[] at the U.S. Attorney’s Office” about the incident on November 16.

That same day that he was interviewed about the incident on the way to the courthouse, November 16, he got on Tor for the first of five times, as laid out in his detention memo.

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network.

When it ultimately came time to explain away this use of Tor, Schulte pointed to a series of posts that would form part of what the government claims Schulte called an “information war” attempting to discredit the US government. That was first made broadly available when WikiLeaks posted it on June 19, 2018, the day after Schulte was charged with leaking the Vault 7 files.

The government alleges that a copy posted to Facebook later that year, on September 25, 2018, was posted by Schulte from his jail cell himself, using a contraband cell phone, which makes the WikiLeaks tweet part of Schulte’s deliberate information campaign from jail.

And around the same time Schulte posted his diaries from jail, the government claims, Schulte was prepping to send Wikileaks materials from a fake FBI agent attesting that the Bureau had framed Schulte by planting child porn on his computer.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

[snip]

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

As I’ll show, Schulte gave WikiLeaks several claims it used to introduce the series in March 2017.

Then, several key events — an incident that probably occurred on November 8 which the government accuses Schulte of trying to cover up, WikiLeaks’ sole release of source code from the CIA, the interview at which Schulte allegedly lied about the November 8 incident, and some activity on Tor — make it more likely that the events are more than a coincidence.

And then WikiLeaks contributed early to Schulte’s “Information War,” and Schulte may have expected he could get WikiLeaks to cooperate again, with even more blatant disinformation.

That’s a fairly remarkable degree of coordination at a time when WikiLeaks was trying to coerce an Assange pardon and Schulte was (according to the government) trying to lie his way out of a great deal of legal trouble.

After Two Years, MalwareTech Is a Free Man

If you’ve been following my Twitter account, you already know the Happy Ending: Marcus Hutchins just walked out of Milwaukee’s Federal Courthouse a free man. While he might have faced up to fourteen months in prison, Judge JP Stadtmueller sentenced Hutchins to time served and a year of probation.

The legal battle, by Brian Klein and Marcia Hofmann, was won in sealed sentencing motions and a short exchange at the beginning of the hearing, significantly an exchange persuading the judge there should be no sentencing enhancement for the damage done. The government’s sentencing memo confirmed what had been clear all along: virtually all the identified victims were overseas, especially in Hutchins’ home in the UK, which made it pretty crazy that the US was prosecuting him and Britain was not. Nevertheless, the government tried to substantiate a claim of $47 to $60,000 by scraping one of the dark web sites where malware based on the code he wrote had been sold. “The loss exists but it’s very difficult to pin down,” prosecutor Ben Proctor admitted.

Hofmann insisted it’s the government’s burden to substantiate loss, and what they had done in an attempt to do so was too speculative.

Stadtmueller agreed. But his views on loss focused more on comparing the government’s uncertain numbers with the known damage of WannaCry, which Hutchins had managed to tame by creating a sinkhole for it. “When it comes to matter of loss or gain,” Judge Stadtmueller said, “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”

And that decision made Hutchins eligible for probation. In any case, Stadtmueller noted in a comparison with the single other CFAA case he presided over in his 30+ year career as a judge, sentencing guidelines are no longer mandatory.

When Stadtmueller noted that had this case been tried closer to the time when Hutchins stopped WannaCry, he’d have gotten cooperation credit for that act, and when he noted that this case shouldn’t have proceeded for 17 months, it became clear (as had the single order he had submitted in the case before today) he was really struggling to understand why the hell the government had decided to prosecute the guy who had shut down WannaCry.

Stadtmueller, a 77-year-old senior judge, several times described how insecure everything digital is, how the protocols for securing cyberspace are woefully inadequate. Stadtmueller repeatedly noted that everyone agreed that Hutchins had given up criminal hacking well before these charges. That helped Stadtmueller to ignore the government’s claims about needing a deterrent. The judge described the community of people who love and support Hutchins — not just his family but also the cybersecurity community (some of whom submitted letters in support describing what a great person he is and the import of his actions on WannaCry). He noted how many of those people also, like Hutchins, worked to secure the Internet.

Hutchins gave a statement that went roughly like this:

Your honor, when I was a teenager I made a series of bad decisions. I deeply regret the conduct and the harm which resulted. I eventually discontinued but wish I could go back. I now work in cybersecurity stopping the same kinds of malware. [Comment about creating training videos] I do this in hopes I can steer people away from my mistakes. The future reinforces that I have no plan to go back; I’d like to dedicate more time to teaching the next generation of security experts. I’d like to apologize to the victims, those who learned of my past, my family.

After a half-hearted attempt from Proctor to emphasize the theft enabled by Hutchins’ malware, Stadtmueller then started a long speech, one that started by noting that of the 2,200 defendants whose sentencing he had overseen in 32 years, Hutchins’ was unique because, “one might view ignoble conduct against backdrop as work a hero, a true hero. That is, at the end of the day, what gives this case its uniqueness.” He emphasized we need people like Hutchins to help secure the Internet. “It’s going to take individuals like yourself who have skillset to come up with solutions, because that is the only way we’re going to eliminate this subject of woefully inadequate security protocols for entire panoply of infotech systems.”

The judge then emphasized that, on top of everything else, Hutchins had been away from home for two years.

That’s when something happened that every lawyer I spoke with who was watching in the courtroom called unprecedented. The Judge suggested Hutchins should get a pardon, which would enable him to come back to the US to work. “While court has no pardon power, matter reserved to the executive. Truly left for another day.”

He then imposed Hutchins’ sentence. “We reach a point in balancing these considerations, court left to make final call. Final call is a sentence of time served with one year of supervised release.” He went on to make it clear that, once Hutchins finishes packing up his life in LA, he wanted to be sure that Immigration doesn’t get custody. “Nothing in this judgement requires he stay in the United States. I’m seeking to avoid him being taken into custody by Immigration and Customs. We don’t need any more publicity or another statistic.”

“Thank you, your honor,” Hutchins said as the rest of the bureaucratic details of probation were discussed.

This case should never have been prosecuted in the first place. And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.

Thankfully, one judge exercised justice the way it’s supposed to work, even if it took two years to get here.

Update: I made a very significant error in this when I was writing it on a bus, saying that sentencing guidelines were mandatory rather than not mandatory. I’ve fixed that.

FaceApp and Its Targeted Audience

[NB: Please check the byline, thanks! /~Rayne]

You may have seen the buzz earlier this week across social media when cellphone users loaded and used a mobile app which applied an aging filter to a selfie photo so users could see a predictive image of their future face.

Except the vain and foolish downloaded an app developed in Russia — an app with the most ridiculous terms of service. More at this Twitter thread by @PrivacyMatters:

The app doesn’t make it easy to find its Terms of Service (TOS) or Privacy Policy, which to me is a red flag.

Russia does not fall under the EU’s General Data Protection Regulation (GDPR), meaning users cannot have expectations of privacy and government oversight protecting their data. Russia ratified the Council of Europe’s Data Protection Convention 108 in 2013 but this appears to be little more than a head fake when Russians have taken Facebook data and used it for adverse micro-targeting against U.S. citizens in 2016. If the convention had been taken seriously, Russia’s government would also have investigated the Internet Research Agency for abusing personal data without users’ consent after the Department of Justice indicted IRA members.

The app’s developers say users’ data isn’t hosted in Russia, clarifying after initial inquiries that only a limited amount of each user’s data was hosted on Amazon Web Services and Google Cloud — but how would the average user be able to validate this claim? The question of hosting seems at odds with the developers’ explanation that

The Democratic National Committee issued a warning to 2020 campaigns that FaceApp should not be used and should be removed from devices.

It’s ridiculous that after the DNC was hacked and state election systems breached or targeted by Russia in 2016 that any sentient Democrat working or volunteering for a Democratic candidate’s campaign would be stupid enough to download and use this app, if they even read the TOS. But the viral popularity of the application and the platforms on which its output was most often shared likely propelled its dispersion even among those who should know better.

Which brings up the app’s targeted audience: younger people who share images frequently in social media.

The app required users’ social media identity; it captured the IMEI (the device’s hardware identifier) of the device they were using. Imagine being able to TREASUREMAP all these users over the internet and LANs.

Finally, the app captured the users’ image for editing. Imagine this data linked to all of a user’s Facebook data, matched to their DMV records including their photo, validated by phone number if recorded by DMV.

It’d be insanely easy to ‘clone’ these users in both content and in photos and in videos using Deep Fake technology.

It’d be a snap to micro-target them for political messaging and to make threats using manufactured kompromat.

All of this should be particularly worrying since the audience for this application is the youngest voter age groups which are least likely to vote for Trump and the GOP.

And they are the largest portion of the U.S. military. Think of what the FitBit app disclosed to any snoopers watching military bases. How many users who downloaded FaceApp were active duty or their family members?

Imagine FaceApp and all the other social data, public and private, synced with their phone which reveals their physical location. These users are entirely touchable.

There’ve been quite a few rebuttals to those worried about FaceApp; most complain that such concerns are merely Russia-as-boogeyman fearmongering and that U.S. Big Tech and Chinese apps like TikTok are just as bad (or worse) about collecting too much personal data and misusing it without users’ consent. Or they minimize the risk by theorizing the estimated 150 million selfies collected may train a Russian facial recognition app without users’ consent.

Except Europeans can rely on the GDPR for recourse and Americans have recourse through U.S. laws; they can also press for changes in legislation (assuming the obstructive Senate Majority Leader pulls his thumb out of his backside and does something constructive for once).

One other concern not touched upon is that we don’t know what this particular app can do over the long run even if deleted.

Researchers looking at it now may find it is rather inert apart from the invasive collection of personal photos.

But what about future updates? Can this app push malware which can collect other information from users’ devices?

And what about the photos themselves, once captured and stored? Could the developers embed detailed tracking in the images just as Facebook has?

Bottom line: FaceApp is a huge security risk. It may not be the only one but it’s one we know about now.

We need to regulate not only personal data collection but applications which collect data — their developers must be more transparent and upfront with what the app does with data before the app is downloaded.

We also need to work with Big Tech platforms through which apps like FaceApp are downloaded. We’re back to the question whether they’re publishers or utilities and what role they play in enabling dispersion of apps which can be weaponized against users.

And we may need to institute some kind of watchdog to detect risks before they reach the public. Perhaps as part of the regulation of personal data collection a licensing or clearinghouse process should be established before apps are permitted access to the marketplace. Apple has done the best job of the Big Tech so far in policing which apps are permitted in its market. Should gatekeeping for national security interests rest solely on a few corporations, though?


This is an open thread.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Hal Martin Sentencing Leaves All Questions Unanswered

Hal Martin was sentenced Friday. He received the nine years agreed upon as part of his plea agreement. But — as the many reports of his sentencing emphasize — closure on this case still doesn’t offer closure on the Shadow Brokers case. Of course the sentencing hasn’t solved the Shadow Brokers case, which has been true since Martin was charged in 2018 but was recently reiterated by AP.

But it also hasn’t provided much clarity on some of the other issues about this case. For example, his lawyer Jim Wyda seems to have confirmed that the cryptic DMs sent to some Kaspersky researchers in advance of the original Shadow Brokers release were his, while denying that Martin intended the “Shelf life, three weeks,” DM to be an offer to sell the NSA’s exploits that would be offered for sale less than an hour later. [Note: this sentencing was difficult to cover remotely because the filings weren’t released in PACER, so I’m particularly grateful for others’ coverage, especially this excellent CyberScoop story on it.]

Jim Wyda, Martin’s public defender, said Friday there was no indication Martin intended for any transaction to take place by that tweet.

I had noted that, given the lack of 2FA at the time of the DMs, hacking Martin’s Twitter account to send the DMs would have been child’s play, something an account claiming to be Shadow Brokers responded to fairly aggressively.

The government, however, offered no comment on those DMs. In response to Judge Richard Bennett’s reminder that the Tweets had been the subject of a Martin challenge to the warrants searching his house, prosecutor Zachary Myers refused to comment, even though classification wouldn’t prevent comment.

Bennett reminded U.S. attorneys of the tweet and the timeline on Friday in court. Assistant U.S. Attorney Zachary Myers said the U.S. government would not be commenting further than noting that the timeline is, indeed, in the facts of the case.

Then there’s the question of whether Martin was a hoarder or a thief. His attorneys insisted his collection of documents was an expression of mental health issues. But the government pointed to how organized it all was (which is hard to square with the descriptions of the chaos of his house from the time of the arrest).

“This is not a case of hoarding, this is stealing,” Myers said Friday at a federal court house in Baltimore. The stolen information “was not in a disorganized manner,” he said, adding what the government found was “logical” and “repetitive.”

Bennett noted Friday he had concerns about the case regarding whether Martin’s alleged hoarding problem, noting that for someone who is a hoarder, he seemed well organized.

Martin’s wife described to CBS how he had recognized his illness before his arrest, but was afraid that if he sought treatment, he would lose clearance and his job.

Mental illness may explain why parts of Martin’s statement expressing remorse make no sense. WaPo:

Martin spoke for about 20 minutes, his voice calm, soft and sometimes difficult to hear as he read nearly verbatim from a letter he’d written earlier this month to the judge.

He made clear that what he’d done was wrong.

“The manner and method of my approach was unorthodox, unconventional, uncanny,” he wrote. “But also unauthorized, illegal and just plain wrong. One step beyond black. Please do not copy this. It is not the easy or correct path. I took shortcuts, went backwards, sideways and around things, crossing major borders and boundaries. It is not good, it’s very, very BAD.”

NYT:

He stood in a striped jersey labeled “Inmate” and read for nearly 30 minutes a rambling statement apologizing to family, friends and his former colleagues at the N.S.A.

“I have been called a walking encyclopedia,” he said, describing himself at another point as “an intellectually curious adventurer.” His words were often cryptic, at one point addressed to “that cool dude in a loose mood” and at another citing the N.S.A. motto, “They serve in silence.”

All that said, one of the most telling details from coverage of yesterday’s sentencing is in the government’s press release on the sentencing. It emphasizes the resources diverted to investigating Martin’s activities, which sure makes it sound like they don’t think he’s the culprit behind the Shadow Brokers leak.

In court documents and at today’s sentencing hearing, the government noted that crimes such as Martin’s not only create a risk of unauthorized disclosure of, or access to, highly classified information, but often require the government to treat the stolen material as compromised, resulting in the government having to take remedial actions including changing or abandoning national security programs. In addition, Martin’s criminal conduct caused the government to expend substantial investigative and analytical resources. The diversion of those resources resulted in significant costs.

Bennett believes the nine year sentence will serve as deterrent for other intelligence personnel. But it’s not clear whether those are the people who need to be deterred.

The Commander-in-Chief Keeps Instructing His National Security Officials Not to Protect the Country

One of the most alarming passages in the Mueller Report describes how, in an effort to get Corey Lewandowski to convince Jeff Sessions to reverse his recusal in the Russian investigation, Trump suggested that Mueller could be limited to investigating future election hacks. (h/t to TC who has been emphasizing this passage)

During the June 19 meeting, Lewandowski recalled that, after some small talk, the President brought up Sessions and criticized his recusal from the Russia investigation.605 The President told Lewandowski that Sessions was weak and that if the President had known about the likelihood of recusal in advance, he would not have appointed Sessions.606 The President then asked Lewandowski to deliver a message to Sessions and said “write this down.” 607 This was the first time the President had asked Lewandowski to take dictation, and Lewandowski wrote as fast as possible to make sure he captured the content correctly.608 The President directed that Sessions should give a speech publicly announcing:

I know that I recused myself from certain things having to do with specific areas. But our POTUS ... is being treated very unfairly. He shouldn’t have a Special Prosecutor/Counsel b/c he hasn’t done anything wrong. I was on the campaign w/ him for nine months, there were no Russians involved with him. I know it for a fact b/c I was there. He didn’t do anything wrong except he ran the greatest campaign in American history.609

The dictated message went on to state that Sessions would meet with the Special Counsel to limit his jurisdiction to future election interference:

Now a group of people want to subvert the Constitution of the United States. I am going to meet with the Special Prosecutor to explain this is very unfair and let the Special Prosecutor move forward with investigating election meddling for future elections so that nothing can happen in future elections.610

The President said that if Sessions delivered that statement he would be the “most popular guy in the country.”611 Lewandowski told the President he understood what the President wanted Sessions to do.612

In June 2017, the Commander-in-Chief of the United States suggested that the FBI should not investigate a historic cyberattack by an adversary on the United States. The investigation Trump was obstructing was not just of his own conduct, but also that of Russia.

That revelation puts two other events in dramatically different light.

First, recall that when Congress was considering bills to ensure election integrity last year, Trump pre-empted the effort with an Executive Order imposing a two-step review, after the fact, to see if foreign adversaries had attempted to interfere in the election. First, ODNI does a report on the election, then delivers it to other Executive Branch officials. Then the DHS Secretary and the Attorney General deliver a report based on that describing whether the effort to interfere had had a material effect. That report, too, just gets delivered to Executive Branch officials.

Section 1. (a) Not later than 45 days after the conclusion of a United States election, the Director of National Intelligence, in consultation with the heads of any other appropriate executive departments and agencies (agencies), shall conduct an assessment of any information indicating that a foreign government, or any person acting as an agent of or on behalf of a foreign government, has acted with the intent or purpose of interfering in that election. The assessment shall identify, to the maximum extent ascertainable, the nature of any foreign interference and any methods employed to execute it, the persons involved, and the foreign government or governments that authorized, directed, sponsored, or supported it. The Director of National Intelligence shall deliver this assessment and appropriate supporting information to the President, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, and the Secretary of Homeland Security.

(b) Within 45 days of receiving the assessment and information described in section 1(a) of this order, the Attorney General and the Secretary of Homeland Security, in consultation with the heads of any other appropriate agencies and, as appropriate, State and local officials, shall deliver to the President, the Secretary of State, the Secretary of the Treasury, and the Secretary of Defense a report evaluating, with respect to the United States election that is the subject of the assessment described in section 1(a):

(i) the extent to which any foreign interference that targeted election infrastructure materially affected the security or integrity of that infrastructure, the tabulation of votes, or the timely transmission of election results; and

(ii) if any foreign interference involved activities targeting the infrastructure of, or pertaining to, a political organization, campaign, or candidate, the extent to which such activities materially affected the security or integrity of that infrastructure, including by unauthorized access to, disclosure or threatened disclosure of, or alteration or falsification of, information or data.

The report shall identify any material issues of fact with respect to these matters that the Attorney General and the Secretary of Homeland Security are unable to evaluate or reach agreement on at the time the report is submitted. The report shall also include updates and recommendations, when appropriate, regarding remedial actions to be taken by the United States Government, other than the sanctions described in sections 2 and 3 of this order.

Predictably, when the deadlines for these reports came due after the mid-term elections last year, the Trump Administration balked at sharing all this reporting with the Senate Intelligence Committee.

Then there’s this NYT report revealing that Mick Mulvaney told DHS Secretary Kirstjen Nielsen not to involve the Commander-in-Chief in any effort to keep this country’s elections safe, which (the report implicitly suggests) made it far more difficult for Nielsen to make protecting elections a priority.

Ms. Nielsen left the Department of Homeland Security early this month after a tumultuous 16-month tenure and tensions with the White House. Officials said she had become increasingly concerned about Russia’s continued activity in the United States during and after the 2018 midterm elections — ranging from its search for new techniques to divide Americans using social media, to experiments by hackers, to rerouting internet traffic and infiltrating power grids.

But in a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it “wasn’t a great subject and should be kept below his level.”

Even though the Department of Homeland Security has primary responsibility for civilian cyberdefense, Ms. Nielsen eventually gave up on her effort to organize a White House meeting of cabinet secretaries to coordinate a strategy to protect next year’s elections.

[snip]

Ms. Nielsen grew so frustrated with White House reluctance to convene top-level officials to come up with a governmentwide strategy that she twice pulled together her own meetings of cabinet secretaries and agency heads. They included top Justice Department, F.B.I. and intelligence officials to chart a path forward, many of whom later periodically issued public warnings about indicators that Russia was both looking for new ways to interfere and experimenting with techniques in Ukraine and Europe.

[snip]

A second senior administration official said Ms. Nielsen began pushing after the November midterms for the governmentwide efforts to protect the 2020 elections, but only after it became increasingly clear that she had fallen out of Mr. Trump’s favor for not taking a harder line against immigration.

That official said Ms. Nielsen wanted to make election security a top priority at meetings of Mr. Trump’s principal national security aides, who resisted making it a focus of the discussions given that the 2020 vote was, at the time, nearly two years away.

Trump’s refusal to protect elections accompanies a de-emphasis — one enforced by John Bolton — on cybersecurity generally.

This is, quite literally, a case where the Commander-in-Chief is refusing to take the action necessary to protect the country from being attacked in the same way we were most recently attacked.

Update: Earlier this week Politico reported on the effects of a reorganization in the Office of Management and Budget’s cybersecurity office before Mulvaney left OMB to become Chief of Staff.

Few Americans may have heard of the Office of the Federal Chief Information Officer, but the unit inside the Office of Management and Budget coordinates tech improvements across the government, helping agencies boost cybersecurity and manage technology and cybersecurity budgets that totaled $105 billion in the past fiscal year.

But many OFCIO employees are overwhelmed by unclear and changing priorities, while others are simply checked out or feeling increasingly marginalized, according to an internal February staff survey that POLITICO obtained, along with data from an annual governmentwide report and interviews with a current OMB employee, five former OFCIO employees and three former senior federal officials familiar with the office.

The unit is grappling with “high turnover,” “a lot of infighting,” a “crushing workload” and “inaction from leadership,” said the current employee, who — like others interviewed for this story — requested anonymity to discuss sensitive personnel matters.

“Things do slip through the cracks,” the OMB employee said. OFCIO’s guidance “impacts the long-term implementation strategy out in the agencies,” and if that’s lacking, there will be “a debilitating effect on overall cybersecurity in the long run,” the person said, adding that there was “real concern at the staff level that if this continues, something bad will happen and we won’t be ready for it.”

[snip]

“This organization looks like it’s in free fall,” said a former senior federal IT official who worked closely with the office.

[snip]

[A] November reorganization appeared to cause significant confusion and discontent among employees. It replaced a structure built around three core units — agency oversight, cybersecurity and policy development — with one centered on “workstreams” for activities such as cybersecurity risk and data strategy.

But the reorganization was “built on the fly” and poorly explained, said a former staffer. More than 80 percent of survey respondents said it was unclear how the reorganization improved office communication.

Adding to these woes is significant frustration with OFCIO’s senior leaders, especially Kent, a former Ernst & Young consultant who took over the office in March 2018 after the team went more than a year without a leader.

Kent, who lacks a cybersecurity or IT background, has fostered “a closed-door culture,” the current OMB employee said.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

MalwareTech Pleads Guilty

Marcus Hutchins signed a plea agreement that was entered today. He pleads guilty to two charges of conspiracy, and the other eight charges are dismissed. If I’m doing the math on the sentencing guidelines correctly, he may be facing 6-12 months, though the government has the option of making a significant upward departure.

I’m still buried in the Mueller Report, so won’t have more on this now. It’s a sad result. And testament that justice is a lot different for people like MalwareTech than for Don Jr.

Three Things: Boeing Boing

[NB: The byline – check it. /~Rayne]

That U.S. flights of Boeing’s model 737 Max aircraft were suspended is a good thing, I think we can agree though perhaps not all for the same reasons. I’ve had suspicions about Boeing for some time now and not because of the company’s products or its management. Three things have bothered me and the deadly crash on March 10 has only added to previous concerns.

~ 3 ~

I’ve noted before that Boeing has been a possible target for stock manipulation; in fact I wrote about my suspicions a year ago:

You can imagine my surprise on December 6, 2016, when the then-president-elect tweeted about Boeing’s contract for the next Air Force One, complaining it was too expensive. Was it Boeing the spies were discussing? But the company didn’t fit what I could see in the indictment, though Boeing’s business is exposed to Russia, in terms of competition and in terms of components (titanium, in particular).

It didn’t help that Trump tweeted before the stock market opened and Boeing’s stock plummeted after the opening bell. There was plenty of time for dark pool operators to go in and take positions between Trump’s tweet and the market’s open. What an incredible bonanza for those who might be on their toes — or who knew in advance this was going to happen. …

And while Boeing 737 Max equipment safety was under public debate after the Sunday, March 10th crash, Trump tweeted this Luddite position on contemporary aircraft complexity on March 12:

How interesting that he avoided naming Boeing specifically, but at the same time he managed to post the first of these two tweets at exactly 10:00 a.m.; the second tweet didn’t publish for another 12 minutes, leaving those following his tweets closely to assume he was going to discuss Boeing specifically during the interim.

I can’t help but think Trump has an ulterior motive with regard to Boeing considering how often he has stepped into their business one way or another since December 6, 2016.

It’d be nice to know who’s been shorting NYSE:BA before his tweets and in which stock exchanges.

[Graphic: NYSE:BA moving average and trading volume from midday Monday 11-MAR-2019 to midday Tuesday 12-MAR-2019 via Barron’s.]

~ 2 ~

Trump’s personal demands have also affected Boeing directly with regard to system updates. The government shutdown delayed for five weeks work by the Federal Aviation Administration toward certification of a software “fix” for the 737 Max flight control system.

In other words, eight more American citizens traveling on the doomed flight this past weekend may have paid the ultimate price for Trump’s gross incompetence and corruption, not to mention the other truly marvelous human beings lost to the world when that flight met the earth two weeks ago.

Boeing’s business model needs to be revisited, though, if the flight control system “fix” wasn’t treated with adequate urgency based on feedback from Boeing to the FAA. There’s a fundamental question of a product’s safety for its intended purpose if it must have a software update to fly safely but that update is an additional feature outside the product’s purchase agreement and must be bought before it can be added. Smells like product liability with a whiff of extortion.

Would we tolerate this business model in other situations where so much is at stake? Imagine your computer’s operating system needs a patch before you can use it, and you must pay for the patch; it’s not included in the licensing agreement for the operating system. Oh, and the computer runs your insulin pump or your pacemaker, without which you are likely to die.

~ 1 ~

The FAA as well as Boeing need to be reevaluated based on complaints the government agency is too closely linked to the aerospace company to provide appropriate oversight. The FAA has been relying on Boeing to self-monitor via component safety inspections because the FAA doesn’t have adequate personnel or resources.

Recall recent reports of supply chain vulnerabilities — is it at all possible Boeing components have been as compromised as other military suppliers have been? How would the public know if it has relied on the FAA’s self-inspection “designee program”?

This sounds eerily familiar, like the claims related to firmware updates needed on servers when it was possible the Supermicro motherboard hardware had been compromised.

~ 0 ~

Treat this as an open thread. We could use a break from what will continue to be a flood of news related to the Special Counsel’s Office report, especially after the Golfer-in-Chief parks his cart for the weekend and begins shit posting on Twitter in earnest again.

The Future of Regulation in the Perma-Cyber-Infowar

[NB: Check the byline, thanks! /~Rayne]

Looks like we could use an open thread to discuss all the stuff not directly related to the Trump-Russia investigation.

I do want to toss out a topic we should visit given the transition of power in the House from one political party to another and the sea change over the last several years in public awareness about information security.

Most regular readers here have been aware of the dynamic tension between civil liberties and national security, individuals’ rights to privacy and autonomy too frequently falling victim to the state’s efforts to surveil and control.

This site has wrestled with the threats to privacy and security posed by hardware (like cell phones and servers) and software (like vulnerabilities, ransomware, cyberweapons).

But how do we address the threats social media and other information platforms pose? Can we really ignore that Facebook has been weaponized against its country of origin let alone other host nations from the U.K. to Myanmar? Does Sen. Elizabeth Warren’s proposal to break up the largest social media platforms and label them ‘platform utilities’ under a new regulatory structure adequately address users’ privacy rights, information security, and national security?

How far should we push for disclosure of proprietary intellectual property like the platforms’ algorithms? How do we regulate the operation of these without jeopardizing their viability?

Do we need a mandatory ethical standard to which startups must build and existing platforms must comply? Facebook’s iffy interpretation of user consent to use in academic research, for example, was key to its weaponization. What regulatory standard would have prevented the abuse of users’ trust and their data?

Does the likely permanence of cyber warfare as well as information warfare require more or less than Warren has proposed?

Hash it out here in comments. Bring all the stray dog-and-cat issues as well.

MalwareTech’s Judge Seems More Sympathetic to Hutchins about the Intent of Prosecution than the Law

JP Stadtmueller, the judge who will preside over MalwareTech (Marcus Hutchins’) case, last week denied his pretrial motions to get his post-arrest interview and all the charges of his indictment thrown out. The order starts this way:

On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation (“FBI”) agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket #55)

We are almost 11 months into the pre-trial process and we’re in virtually the same place we started. Just two things have happened in that time: the FBI Agents who arrested Hutchins have badly damaged their credibility, and Stadtmueller has given a read of how he views the case.

Stadtmueller scolds the already discredited FBI Agents for violating Federal Rule of Criminal Procedure

As to the first issue, in ruling against Hutchins on his Miranda claim (which I’ve always suggested was a way to discredit Hutchins’ incriminating comments at trial), Stadtmueller makes it clear he finds the conduct of the FBI agents problematic. He sides with Hutchins on the dispute whether Agent Chartier showed him an arrest warrant in a stairwell exchange that appears to have been improperly referenced in his 302.

The Court notes that the agents’ testimony is somewhat contradictory on this point. Chartier stated that they showed Hutchins the warrant before the interrogation was recorded. By contrast, Butcher stated that they first showed Hutchins the warrant over an hour into the interrogation. The recording of the interrogation suggests that Butcher is correct. Specifically, over an hour into the recording, Chartier says: “Okay. Well, here’s the arrest warrant. And just to be honest—just to be honest, hey, now I’m going to tell you the truth…If I’m being honest with you, Marcus, this has absolutely nothing to do with WannaCry.” The balance of the evidence strongly suggests that Hutchins was not shown the arrest warrant until over an hour into the interrogation.

More importantly, he criticizes the Agents for what he calls an “abject failure of the agents to abide by the Federal Rules of Criminal Procedure.”

At one point in the interrogation, he made a comment that showed that he did not realize he had even been indicted. There is no reason why the government could not have told him exactly why he was arrested, as he requested, and as was required of them by Federal Rule of Criminal Procedure 4(c), unless they were concerned that he would not be cooperative with them. There is certainly an element of deception to this set of events that the Court does not endorse.

[snip]

The Court is concerned by the abject failure of the agents to abide by the Federal Rules of Criminal Procedure 4(c), but their obvious interest in Kronos—including providing Hutchins with a string of code related to Kronos—leads the Court to conclude that there is not clear and convincing evidence that they acted with intent to deceive.

[snip]

Hutchins does not argue the effect of the violation of Federal Rule of Criminal Procedure 4(c)(3)(A), which governs execution of a warrant:

Upon arrest, an officer possessing the original or a duplicate original warrant must show it to the defendant. If the officer does not possess the warrant, the officer must inform the defendant of the warrant’s existence and of the offense charged and, at the defendant’s request, must show the original or a duplicate original warrant to the defendant as soon as possible.

Few courts have had moment to consider whether a violation of this rule would warrant exclusion of evidence, though it certainly might, for deterrent purposes, if the violation compromised a substantive constitutional right and the officers acted in bad faith. Bryson v. United States, 419 F.2d 695, 701–02 (D.C. Cir. 1969); Murray v. United States, 855 P.2d 350, 353–56 (Wyo. 1993); United States v. Hamilton, 2017 WL 9476881, at *5 (N.D. Ga. Jan. 3, 2017). However, Hutchins did not raise this issue, so the Court will not consider it. Additionally, even if his statements were excluded, it is likely that the physical evidence still would be admissible. See United States v. Patane, 542 U.S. 630, 637–38 (2004) (failure to give Miranda warnings requires suppression of voluntary statements, but does not require suppression of physical evidence acquired as a result of those voluntary statements).

Taking Stadtmueller’s hint, Hutchins’ lawyers have renewed their motion to suppress the statements on that ground, but it may be too late. Whatever happens, though, this adds to the list of the things the FBI agents whose credibility will be deployed to enter Hutchins’ statements fucked up during his arrest. And that’s before you get into their technical knowledge.

Stadtmueller shows sympathy for the stupidity of prosecuting the guy who killed WannaCry

Along the way, Stadtmueller seems to get how stupid prosecuting the guy who killed WannaCry is.

However, Hutchins’s recent triumph with WannaCry had vaulted him into the public eye as a “white hat” hacker. Thus, Hutchins could have been reasonably confused about the FBI’s interest in him. In assessing whether he voluntarily waived his rights, some consideration must be given to the fact that white hat hacking is a complex and relatively novel field that can toe an already blurry line vis-à-vis online criminal activity. The agents did not tell Hutchins why he was under arrest, and did nothing to explain the nature of the charges against him until the end of his interrogation. Hutchins, who had no cause for concern regarding his role in WannaCry, and who had distanced himself from nefarious internet activity, cooperated.

And, having reviewed the interrogation, he seems to regard Hutchins’ attempts to help the FBI Agents identify the real criminals they are pursuing as good faith.

Almost eighty minutes into the recorded interrogation, the agents finally provided him with the warrant, and told him that it had “nothing to do with WannaCry.” The interrogation continued for about twenty minutes after that. Throughout the remainder of the interrogation, Hutchins tried to be helpful but noted that he had been “out” of so-called “black hat” hacking for so long that he did not have any helpful connections.

In comments throwing out the statutory challenges, Stadtmueller generally favors the prosecution

That said, in his language rejecting Hutchins’ attempt to throw out his indictment charge by charge, Stadtmueller significantly sides with the prosecution, as follows:

Counts One and Seven: Whether the malware in question damaged computers

Stadtmueller argues the requisite details are there for the CFAA damage charges, but suggests the government may not be able to prove their case.

These terms are sufficient to allege intent to cause damage. The burden will be on the government to prove this at trial.

Counts One Through Six: Whether software counts as a device

Perhaps Stadtmueller’s most troubling ruling is that the wiretapping charges were sound (I say that because some very smart lawyers had suggested this was problematic from the start). He argues that the Seventh Circuit precedent doesn’t cite case law and a bunch of cases (from other circuits) do.

The majority of courts to consider this issue have entertained the notion that software may be considered a device for the purposes of the Wiretap Act. See Luis v. Zang, 833 F.3d 619, 630 (6th Cir. 2016) (accepting that a software could be a “device” for the purpose of the Wiretap Act); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1087 (N.D. Cal. 2015) (concluding that a software was an “electronic, mechanical or other device”); Klumb v. Goan, 884 F. Supp. 2d 644, 661–62 (E.D. Ten. 2012) (analyzing spyware software as a device under Wiretap Act); Rene v. G.F. Fishers, Inc., 817 F. Supp. 2d 1090, 1094 (S.D. Ind. 2011) (holding that keystrokes are not electronic communications for the purpose of the Wiretap Act, but accepting the notion that software could be a device); Shefts v. Petrakis, 2012 WL 4049484, at *8–9 (C.D. Ill. 2012) (analyzing software as a device under the Wiretap Act); see also United States v. Barrington, 648 F.3d 1178, 1203 (11th Cir. 2011) (accepting that a keylogger software could be considered a scanning receiver, or a device, under 18 U.S.C. § 1029(e)(8)).

The Court is in accord with the majority of courts to consider this issue. The Court also agrees with the government’s position that Section 2510(5)’s reference to “mechanism,” which is commonly defined as a “process, technique, or system for achieving a result” seems to encompass software. Mechanism, Merriam-Webster Dictionary, https://www.merriamwebster.com/dictionary/mechanism (accessed Jan. 22, 2019); see also United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (acknowledging that general technology statute should be read broadly in order to accommodate new developments).

Counts One, Four Through Eight, and Ten: Whether malware researcher MalwareTech intended to hack and wiretap

There are a bunch of problems with the way prosecutors claim Hutchins intended to do something it’s not clear he did. On this complaint, Stadtmueller basically punts to trial, without hinting how he feels about the issue.

These are arguments that go to the merits of the case, i.e., whether Hutchins had the requisite intent to commit the crimes charged.

Counts Two and Three: Whether you can charge wiretapping left and right

In its superseding indictment, the government tried to cover itself by charging two overlapping advertising-related wiretapping counts. Hutchins challenged this as multiplicitous, arguing the two counts punish the same conduct (practically, they do). Stadtmueller ruled that, legally, they don’t.

Each count contains an element required to prove the offense that is not required in the other count, and the counts require proof of different facts. There is no multiplicity.

Count Seven: Whether aid and abet without intent counts

This challenge is another intent-based one, arguing that you can’t aid and abet a crime you didn’t intend to accomplish in the first place. Stadtmueller seems skeptical but finds the count passes muster at this stage.

Hutchins argues that he cannot be charged with attempt to aid and abet an attempt to violate the CFAA because Count Seven is pled “without reference to the intentional causing of damage,” as stated in the statute. (Docket #92 at 5). The superseding indictment alleges that Hutchins attempted to cause damage, which encompasses the intent element. Whether the government can actually prove this at trial is a question for another time.

Counts Two and Three: Whether Hutchins can be charged for conduct in the UK over a YouTube video

Stadtmueller dismisses Hutchins’ extraterritoriality challenge by saying that the government has at least alleged facts that meet this bar. In some of these details he gets the facts wrong, such as when he says that Hutchins himself promoted Kronos on YouTube.

It also alleges that Hutchins used a YouTube video to promote the sale of Kronos, and referred interested purchasers of Kronos to Individual A.

This YouTube ploy by prosecutors was a key complaint by Hutchins’ lawyers. Nevertheless, Stadtmueller rules that the government has at least alleged activities in EDWI.

However, as stated, the charges sufficiently allege activity in the United States, specifically in the Eastern District of Wisconsin. There is no extraterritorial activity at issue.

That said, Stadtmueller lays this marker, disputing the government’s view of extraterritoriality.

However, because there is confusion about the proper standard to apply in the extraterritorial analysis, the Court takes this opportunity to clarify the issue in case it should arise in the future. There is a presumption against applying statutes extraterritorially because “Congress generally legislates with domestic concerns in mind.” Small v. United States, 544 U.S. 385, 388 (2005) (quotations and citations omitted). This broad presumption applies in all cases, “preserving a stable background against which Congress can legislate with predictable effects.” Morrison v. Nat’l Australian

Therefore, the proper rule to apply is that of RJR Nabisco: if Congress has not evinced an affirmative intent to apply the statute extraterritorially, the Court must assess the focus of the statute, and determine whether the conduct relevant to the focus occurred in the United States. Under RJR Nabisco, some conduct could occur outside of the United States as long as the conduct relevant to the focus of the statute occurred inside the United States. However, as stated above, the conduct that the superseding indictment alleges took place in the United States. Therefore, the Court need not evaluate Sections 2512, 1343, or 1001 for extraterritorial application.

Counts One Through Eight and Ten: Whether Hutchins can be charged in EDWI

Similarly, Stadtmueller dismisses Hutchins’ venue challenge, relying on language that may circle back to the intent issue.

For example, if, as it is alleged, Hutchins promoted his malware to individuals in the Eastern District of Wisconsin, then he could reasonably foresee being haled before this Court for trial on that issue.

Count Nine: He’s fucked on false statements until the other challenges work

This one, claiming that he can’t be charged with false statements if the FBI had no jurisdiction to investigate him in the first place, unsurprisingly fails so long as Stadtmueller lets the other charges stand.

The Court finds that the FBI was properly within its jurisdiction to investigate these claims. Therefore, the charge that Hutchins lied to the FBI must also go forward.

It’s hard to know what to take from all this. Stadtmueller clearly views some of these charges as flimsy. His views on the wiretap charge are the most surprising to me, and probably the most legally problematic for Hutchins (because of the advertising charges).

That said, Stadtmueller seems to have read this appropriately for what it is: a government effort to use any means available to punish Hutchins for being unable or unwilling to become the FBI’s informant, after he came to their attention solely for killing WannaCry.
