December 3, 2022

Three Things: Twitter Death Watch in Progress

[NB: check the byline, thanks. /~Rayne]

This could be hyperbole but it’s difficult to imagine a social media platform the size of Twitter surviving nearly 90% loss of employees across the organization inside a three-week time frame.

I certainly wouldn’t bet any of my money on it.

~ 3 ~

Thursday was the deadline Twitter’s owner Elon Musk set for remaining Twitter employees to commit to being “hardcore” for Elmo.

They were supposed to have clicked/not clicked by 5:00 p.m. to take an offer of termination with severance.

Many are choosing to walk away, their goodbyes recorded in this ongoing thread (link active at time of posting but no guarantees how long it will stay up):

Kylie Robison for Fortune Magazine reported in a Twitter thread that as much as 88% of the staff Twitter had when Musk took over on October 27 has either been fired or opted to leave.

There were employees on vacation, on medical leave, and on H-1B visas who had questions that haven’t been answered; they will not have been able to make a fair choice between hardcore for Elmo and nope, thanks.

The number of employees who may fall under this category could be about 1000.

At one point it was said Musk was negotiating with a handful of key engineers critical to keeping Twitter running.

Zoe Schiffer at Platformer reported at 6:52 p.m. ET that badge access had been suspended and the Twitter office buildings closed.

Her tweets leave open the possibility some of the employees who opted to leave may yet be asked to remain.

I wouldn’t hold my breath after reading BusinessInsider’s Kali Hays.

How does a company operate without payroll?

If Twitter now has virtually no information security personnel and likely no documented plan in place for dealing with this scenario, on top of the failures all along the way in handling the rollout of the Twitter Blue verification system (a mess of violations all on its own), Twitter could be hammered hard by the Federal Trade Commission for failing to meet the terms of the 2011 consent agreement.

I don’t think it’d be unreasonable to say FTC has grounds to shut Twitter down right now if no users’ or advertisers’ data is secure; the FTC has shut down businesses before. Taking any money from advertisers at this point let alone users for Twitter verification or Twitter Blue would shortchange them if they expected data security.

As Alex Stamos, Facebook’s former CISO notes in this Twitter thread, it’s not just the FTC with whom Musk and Twitter will be in trouble. Twitter’s former outside counsel Riana Pfefferkorn agrees there are big problems and has more to add.

And Elmo’s response to all of this is shitposting.

Not even his own shitposting; he stole the meme from another user.

With total staffing and capabilities up in the air, will Twitter survive into the World Cup which begins on this coming Sunday November 20?

I won’t even put money on that.

~ 2 ~

Marcy wrote recently about Elmo’s forced marriage. Looking at the timeline of events leading up to the closing of the Twitter acquisition, there was certainly something iffy in the way Elmo avoided a background check and due diligence when offered a seat on the board of directors in April, and in the way he hustled out of Delaware’s Chancery Court in October, where discovery might have revealed everything that wasn’t revealed back in April.

@capitolhunters found some embarrassing information about Elmo which might explain his skittishness. It’s public record but unless one is determined to find it, it won’t surface readily.

Read the entire thread at the Internet Archive; I wouldn’t count on it being available at Twitter. It may have been shadow banned at one point earlier Thursday evening as I couldn’t pull it up.

Is it possible the lack of qualifications and credentials as well as his former status as an illegal immigrant are the reasons why Musk appeared to avoid a background check and due diligence?

Is this a compelling reason he should not have been able to purchase Twitter to begin with — because he could be compromised because of repeated misrepresentations about his background?

~ 1 ~

If you’re a regular Twitter user, you may wish to see something constructive done and soon. There are entire communities of people who can’t just switch to another platform because they’ve had small businesses built up around their Twitter presence. There are minority groups who have difficulty switching to different platforms; without Twitter they lose contact with others in their minority community.

One only need look at the mass shooting at University of Virginia last weekend and the confusion about verification on Twitter to realize how serious the loss of Twitter’s integrity as a utility is to much of the U.S. — and it’s not just the U.S.

I recommend checking @Celeste_pewter’s Twitter thread for action items including calling your senator.

(There’s a copy of her thread at the Internet Archive just in case the original one at Twitter becomes unavailable.)

~ 0 ~

I can’t help thinking of two things:

— Oil producing countries Saudi Arabia, Qatar, and UAE financed a considerable portion of Musk’s purchase of Twitter, with Prince al Waleed being the second largest investor. Did they do it for an investment, for access to a media space to promote their agenda, or because they saw a way to screw with one of the most popular electric car manufacturers by giving its compromised CEO the means to fuck himself?

— Text messages produced as part of discovery in Twitter’s lawsuit against Musk included messages between Musk and his ex-wife Talulah (Jane) Riley in which she begged him to buy Twitter and delete it because Twitter had banned conservative satire site Babylon Bee. Riley had discussed the banning with her close friend Raiyah Bint Al-Hussein, wife of British journalist Ned Donovan, and half-sister to King Abdullah II of Jordan. Why would a British actress like Riley be so upset about an American conservative website’s banning by a U.S. social media platform?


Three Things: The Early Bird Got Wormed

[NB: Check the byline, thanks. /~Rayne]

The self-ownage continues at Twitter. I don’t even know where to start because there’s just so much damage in the bird app’s debris field.

Let’s go with the problems closest to deaths.

~ ~ ~

The brilliant billionaire who overpaid for Twitter, who thought his Tesla engineers were qualified to determine staffing levels on software created over 16 years they didn’t write, had another brilliant idea.

He played Jenga with code within the platform because the application was too slow.

(I haven’t heard anyone complain about Twitter’s speed in ages, and when there’ve been complaints they’re usually in tandem with a major event flooding the network and system with user requests and tweets.)

Twitter’s speed hasn’t been a bottleneck to increasing users or profitability.

In the process of unplugging stuff to see if the platform would speed up, a worker who actually knew something about all the legacy code criticized Musk’s absurd efforts.

Free speech absolutist Musk fired him, egged on by his fanboi trolls.



And then users began to experience problems with Two-Factor Authentication (2FA) over Short Message Service (SMS), otherwise known as text messages.

The second factor, the mechanism that is supposed to keep unauthorized persons out of an account, was broken, and instead it locked legitimate users out of their own accounts.

This also prevented users from checking their accounts to make sure they weren’t hacked and their verification worked.

~ ~ ~

Which is why during Sunday night’s mass shooting at University of Virginia, students as well as the public following the story were reportedly confused about UVA’s emergency message. After Elon Musk’s back-and-forth changes to the verification system, they couldn’t be sure whether the message they read on Twitter from UVA-Emergency Management was legitimate.

Fortunately students used their own student-developed thread in a mobile app called Yik Yak to validate the emergency. Yik Yak has been problematic in the past, pulled from app stores because of unmoderated toxic behavior, but it was relaunched in 2021 and proved valuable to students during the shooting lockdown at UVA because Yik Yak limits reach to five miles. In other words, the students knew whoever was using the app was local to campus.

It’s possible the students could have deduced the UVA-Emergency Management tweet was legitimate because it displayed the source of the message – Rave Mobile Safety, an emergency messaging system. Had UVA-Emergency Management’s account been spoofed, a phone or desktop might have appeared instead of Rave.

This detail may not be available for much longer. Musk thinks identifying the source of tweets by device or application is just inconvenient bloatware.

Should we ask UVA students and their parents about Twitter’s bloatware problem?

~ ~ ~

As I noted in my previous Twitter acquisition timeline post, the company has been subject to a Federal Trade Commission consent decree since 2011 because of its failures to assure users’ personal data was secure.

From the FTC’s 2011 statement:

…The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.

A $150 million penalty had been levied by the FTC only a month after Twitter and Musk agreed on terms for the acquisition.

And yet Musk noodled around with Twitter Blue and the blue check verification system, affecting the verification status of organizations as well as individuals – none of the changes done with documentation prepared in advance, or with red team testing for quality assurance.

Musk’s ham-handed mucking around in microservices temporarily affecting 2FA SMS – some accounts are apparently still affected – was likewise done without advance preparation, and in the face of criticism by seasoned employees who understood the system.

Also worth noting are these last two paragraphs of that same FTC statement:

NOTE: A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics. “Like” the FTC on Facebook and “follow” us on Twitter.

Though the FTC might want to rethink that last Follow, persons who felt their personal data was at risk over the last three weeks might want to drop the FTC a note.

~ ~ ~

After reading about the acquisition and the subsequent mass terminations along with the manifold fuck-ups like verification and 2FA SMS, I wonder if Musk and Twitter executives ever notified the FTC of the change in ownership as required by the consent decree.


The Tanking of Twitter

[NB: Check the byline, thanks. /~Rayne]

First, before the rest of this post, a warning: if you have a Twitter account, active or inactive, go turn on 2FA.
Do it on a desktop or laptop, not your phone.
Be sure to obtain a single-use backup code for secure login in case you’re unable to use 2FA.*

There are too many reports right now of quirky things going on at Twitter. Just play it safe and protect your account.
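The 2FA advice above, and the SMS 2FA outage described in the “Early Bird” post, come down to two mechanisms: a second factor that does not depend on a text message being delivered, and a backup code that works exactly once. The following is an added example, not code from this post or from Twitter, of how a server verifies an authenticator-app (TOTP, RFC 6238) code and single-use backup codes. The function and class names are my own, and the secret used in the demo is the RFC 4226/6238 sample key, not any real account’s.

```python
# Added example (not code from the post or from Twitter): a minimal
# RFC 4226 HOTP / RFC 6238 TOTP verifier plus single-use backup codes.
# An authenticator app and the server each compute the code from a shared
# secret and the clock, so no SMS delivery path is involved; a backup code
# is stored hashed and removed the moment it is redeemed.
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock (30 s steps)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6, window=1):
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    clock drift between phone and server; compare in constant time."""
    if at_time is None:
        at_time = time.time()
    base = int(at_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), candidate):
            return True
    return False


class SecondFactor:
    """Server-side 2FA state for one account (hypothetical class name)."""

    def __init__(self, secret, n_backup=8):
        self.secret = secret
        self.n_backup = n_backup
        self._backup_hashes = set()

    @staticmethod
    def _digest(code):
        # Backup codes are stored only as hashes, like passwords.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_backup_codes(self):
        """Generate fresh single-use codes; the plaintext is shown to the user
        once and never stored. Old codes are invalidated by this call."""
        codes = set()
        while len(codes) < self.n_backup:
            codes.add(f"{secrets.randbelow(10 ** 8):08d}")
        codes = sorted(codes)
        self._backup_hashes = {self._digest(c) for c in codes}
        return codes

    def redeem_backup_code(self, code):
        """A backup code works exactly once; redeeming it removes its hash."""
        h = self._digest(code)
        if h in self._backup_hashes:
            self._backup_hashes.remove(h)
            return True
        return False

    def verify_login(self, code, at_time=None):
        """Prefer the authenticator code; fall back to a single-use backup code."""
        return verify_totp(self.secret, code, at_time) or self.redeem_backup_code(code)

    def backup_codes_left(self):
        return len(self._backup_hashes)


if __name__ == "__main__":
    # Demo with the RFC 4226/6238 sample secret (constructed input, not a real key).
    sample_secret = b"12345678901234567890"
    account = SecondFactor(sample_secret, n_backup=4)
    codes = account.issue_backup_codes()
    print("current authenticator code:", totp(sample_secret))
    print("backup code accepted once:", account.verify_login(codes[0]))
    print("same backup code again:   ", account.verify_login(codes[0]))
```

The point of the fallback order in `verify_login` is that a user who cannot reach their authenticator app still gets in with a backup code, but only once per code, so a leaked code list has a strictly bounded lifetime; the TOTP path never touches the SMS network at all.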

~ ~ ~

It’s amazing how little drag billions of dollars provides in the face of gravity — and by gravity I mean the force hubris and ignorance may exert when they meet reality.

This observation is spot on after Thursday’s conference call with Twitter’s current owner, Elon Musk:

I don’t even dare embed the original tweet because it may disappear if the worst should come to pass and swaths of Twitter are shuttered to outside access.

How the hell did Musk, the head of SpaceX and Tesla, manage to burn up so much goodwill inside 16 days?

Let’s take a look at the timeline of events since Musk began buying stock in Twitter.

Date

Description

31-JAN-2022

Musk begins accumulating shares of Twitter

14-MAR-2022

Musk now owns 5% of Twitter

25-MAR-2022

Musk polls Twitter users, “Free speech is essential to a functioning democracy. Do you believe Twitter rigorously adheres to this principle?” 70% of 2 million participants said no.

26-MAR-2022

Reuters: Elon Musk giving ‘serious thought’ to build a new social media platform

Musk makes contact with former Twitter CEO Jack Dorsey as well as Twitter board members to discuss the platform

04-APR-2022

Musk filed a Schedule 13G with the Securities and Exchange Commission, revealing his acquisition of a 9% stake in Twitter.

The SEC acknowledged receipt of the 13G and asked Musk for clarification of several points including how Musk determined March 14 was the date which triggered a need for the 13G filing, and why he didn’t file within 10 days of March 14.

04-APR-2022

Twitter’s board offers Musk a seat on the board if he accumulates no more than 14.9% of the company’s stock. The offer includes a background check and completion of a D&O questionnaire.

https://www.sec.gov/Archives/edgar/data/1418091/000119312522095651/d342257dex101.htm

05-APR-2022

CEO Parag Agrawal welcomes Musk to the board via tweet.

09-APR-2022

Including a list of the Twitter accounts with the most followers, Musk tweets, “Most of these “top” accounts tweet rarely and post very little content. Is Twitter dying?”

Agrawal replied that the tweets were unhelpful. It wasn’t known until much later, via released text messages, that Musk and Agrawal had been talking up to this point.

09-APR-2022 through 10-APR-2022

AP: Musk suggests Twitter changes, including accepting Dogecoin; Musk tweeted these ideas over the weekend.

11-APR-2022

AP: Tesla CEO Elon Musk won’t join Twitter’s board after all; Agrawal tweeted this news on Monday.

13-APR-2022

Musk files Amendment 2 to his Schedule 13D/A

The amendment includes his offer — a non-binding proposal — to Twitter’s Chairman of the Board Bret Taylor to acquire Twitter at $54.20/share and take it private.

15-APR-2022

Twitter adopted a rights agreement which included a poison pill.

20-APR-2022

Musk obtained $46.5 billion in financing commitments according to exhibits to amended 13D filed with the SEC.

25-APR-2022

Twitter’s board unanimously approved an offer by Musk to buy Twitter for $44 billion.

29-APR-2022

Reuters: Musk sells Tesla shares worth $8.5 billion ahead of Twitter takeover

02-MAY-2022

In 10-Q filing to SEC, Twitter estimated spam accounts as 5% or less of active users.

Musk tweeted, “Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated. I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans. Twitter has tremendous potential — I look forward to working with the company and the community of users to unlock it.”

04-MAY-2022

Amendment 6 to Schedule 13D showed Musk obtained commitments amounting to more than $7 billion in funding for the acquisition of Twitter.

10-MAY-2022

NPR: Elon Musk says he’ll reverse Donald Trump Twitter ban

12-MAY-2022

Twitter CEO announced a hiring freeze and cost cutting along with releasing two executives. They were:

– Kayvon Beykpour, general manager

– Bruce Falck, general manager for revenue

13-MAY-2022

WaPo: Elon Musk says Twitter deal is on hold, putting bid on shaky ground — Musk expressed concern that spam accounts were in actuality more than 5% of users in spite of Twitter’s 10-Q statement.

25-MAY-2022

Federal Trade Commission and Dept of Justice Order Twitter to Pay $150 Million Penalty for Violating 2011 FTC Order and Cease Profiting from Deceptively Collected Data

06-JUN-2022

WaPo: Elon Musk threatens to back out of Twitter deal over withholding data – he claimed Twitter was “actively resisting” requests for information though his April agreement to purchase Twitter waived the right to look more deeply at the company’s data.

08-JUL-2022

WaPo: Elon Musk files to back out of Twitter deal – Musk’s letter to Twitter filed with the SEC said he was “terminating their merger agreement” but Twitter replied the same day saying it would sue Musk.

12-JUL-2022

NYT: Twitter Sues Musk After He Tries Backing Out of $44 Billion Deal – the company filed suit in Delaware’s Chancery Court.

19-JUL-2022

Chancellor Kathaleen St. Jude McCormick set a trial date for October 17 in Delaware’s Chancery Court.

29-JUL-2022

Bloomberg: Musk Files Defense Under Seal as Twitter Trial Set for Oct. 17

09-AUG-2022

A former Twitter employee was found guilty of spying on behalf of Saudi Arabia.

23-AUG-2022

USNews: Peiter Zatko, Twitter’s former security chief July 2020-January 2022, claimed in a whistleblower complaint filed in July with the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice that Twitter was not straightforward with regulators about its information security and its handling of disinformation.

13-SEP-2022

Twitter’s former security chief Zatko testified before the Senate Judiciary Committee about Twitter’s problematic information security.

03-OCT-2022

Musk tweets Vladimir Putin’s “peace plan”; it’s alleged this tweet occurred after Musk had a conversation with Putin.

04-OCT-2022

Twitter disclosed in an SEC filing that Musk agreed to complete the purchase of Twitter for $44 billion according to the terms established in April.

06-OCT-2022

WaPo: Twitter-Musk trial delayed as sides argue over money and trust

20-OCT-2022

Report: Musk explained to prospective investors that he will cut Twitter staffing by 75%

26-OCT-2022

Musk arrives at Twitter’s corporate offices carrying a bathroom sink. “Let that sink in!” he tweeted along with a video of his entrance.

27-OCT-2022

Musk takes control of Twitter, firing uppermost management including

– Parag Agrawal, Chief Executive Officer

– Ned Segal, Chief Financial Officer

– Vijaya Gadde, Global Lead of Legal Policy, Trust, and Safety

– Sean Edgett, General Counsel

30-OCT-2022

The Verge: Twitter is planning to start charging $20 per month for verification – Musk threatened to fire employees building this verified user system.

30-OCT-2022

Musk tweeted, “The whole verification process is being revamped right now”

01-NOV-2022

Departure of more Twitter officials revealed, top management gutted; exits include

– Sarah Personette, Chief customer officer

– Dalana Brand, Chief People and Diversity Officer

– Nick Caldwell, General manager for core technologies

– Leslie Berland, Chief marketing officer

– Jay Sullivan, Head of product

– Jean-Philippe Maheu, vice president of global sales

01-NOV-2022

Major brands pause advertising on Twitter, including Audi, General Mills, General Motors, Ad rep Interpublic Group, Mondelez International, Pfizer, Volkswagen

01-NOV-2022

Twitter to deny Blue subscribers access to ad-free articles

01-NOV-2022

Musk mixed it up with author Stephen King over the proposed $20/month fee for Twitter Blue verified status

01-NOV-2022

CNET: Twitter Will Charge $8 a Month for Verified Accounts, Elon Musk Suggests

04-NOV-2022

Half of Twitter’s workforce is pink slipped.

Included are personnel who were building the new verification system.

04-NOV-2022

CNN: Elon Musk said Twitter has seen a ‘massive drop in revenue’ as more brands pause ads

04-NOV-2022

Entire departments were gutted:

– Human Rights

– Communications

– Accessibility Experience Team

– META (Machine learning ethics, transparency and accountability)

– Curation

04-NOV-2022 through 08-NOV-2022

CNN: Elon Musk sold nearly $4 billion worth of Tesla stock since Twitter deal closed

05-NOV-2022

Engadget: Twitter starts testing paid account verification on iOS

06-NOV-2022

Bloomberg: Twitter Now Asks Some Fired Workers to Please Come Back – some were fired “by mistake”

06-NOV-2022

Actor Kathy Griffin suspended by Twitter after mocking Musk by changing her account name and avatar to copy Musk’s.

07-NOV-2022

CBS: Musk says Twitter account holders who impersonate others will be banned

08-NOV-2022

Guardian: Twitter to offer ‘official’ label for select verified accounts – “Accounts that will receive [the label] include government accounts, commercial companies, business partners, major media outlets, publishers and some public figures,” Twitter’s Early Stage Products manager Esther Crawford tweeted.

08-NOV-2022

Reuters: Twitter engineer says he was fired for helping coworkers who faced layoffs — several employees are now filing a lawsuit against Twitter for firing them while engaged in protected work per the National Labor Relations Board.

09-NOV-2022

1:45 p.m. ET – Twitter users note there are two Twitter Blue services at different prices.

2:00 p.m. ET – Engadget: Twitter’s $8 a month Blue subscription with verification is rolling out; available on iOS only relying on Apple’s identity verification.

2:52 p.m. ET – Twitter users receive a notice there will be a change in Twitter Blue service; the service is being revamped with current subscriptions to be canceled at the end of the month.

09-NOV-2022

5:26 p.m. ET – Twitter Support tweets, “We’re not currently putting an “Official” label on accounts but we are aggressively going after impersonation and deception.”

10-NOV-2022

Several high-level technical executives resigned, including

– Yoel Roth, Lead, Integrity and Safety

– Lea Kissner, CISO

– Damien Kieran, Chief Privacy Officer

10-NOV-2022

Internal communications about separations and outstanding compensation are a mess.

10-NOV-2022

With little advance notice, Musk hosts an Ask Me Anything-type of meeting with employees. Topics included:

– turning Twitter into a banking services business

– insufficient cash flow with bankruptcy a possibility

– elimination of remote/work from home with mandatory return to the office

– offering short-form video in competition with TikTok (like Twitter’s now-defunct Vine service)

10-NOV-2022

Multiple outlets note that Twitter may be in violation of the FTC’s 2011 Consent Decree by rolling out new services within days without having the written, documented security program the decree requires in place.

A former outside counsel to Twitter warned of FTC fines for lack of compliance, but Twitter is apparently requiring its engineers to “self certify” while failing to put new services through full red team review before implementation in the production environment.

10-NOV-2022

A U.S. Senator, a major pharmaceutical company, a major aerospace and defense company, and Chiquita are among the noted individuals and organizations whose identities have been spoofed by accounts using the new Twitter Blue verification service.

10-NOV-2022

Twitter paused its Twitter Blue verification service on Thursday night after the new service had been abused with misinformation.

11-NOV-2022

NYT: Insiders report as much as 80% of engineering staff have been fired, leaving little more than a skeleton crew to manage key portions of the platform.

11-NOV-2022

Twitter’s remaining Human Resource team sent laid-off workers an email acknowledging delays sending their separation agreements and release of claims documents. But HR sent it CC: not BCC: with a Reply-All barrage following.

Stories of badly handled terminations are becoming public.

12-NOV-2022

Thread: “Scoop from within Twitter: small things are breaking, not enough engineers to fix them. Noticed that notification counts are not showing? The BE service powering it is down since Thursday. A bug was filed, but the team that would fix it is full on with verification work.”

12-NOV-2022

More personnel are being terminated overnight, without warning. Managers are learning as their reports including contract personnel suddenly disappear from resources.

The last couple of items were added late Saturday night. I’m afraid to look and see what might have transpired since I checked last.

There’s no nice way to put this: this entire situation is fucked up and it’s all on Elon Musk.

He’s done immense damage to Twitter’s brand as well as his own personal brand. He seems to think branding isn’t important, though advertising customers like Eli Lilly, Lockheed Martin, and Chiquita offer evidence that brand damage from sloppy management actually costs money.

The FTC is likely to punctuate this even further because of the egregious manner in which Twitter under Musk’s ownership has failed to comply with the 2011 consent decree. Musk ought to talk with Facebook’s Zuckerberg about how expensive this can be.

And there are humans who are going to pay for Musk’s cavalier behavior — families who might be expecting a child who are now dealing with COBRA, remote workers who are being forced back to the office in areas with severe housing shortages (that’d be Ireland, not just the U.S.). Musk has tweeted about this but this issue didn’t come up out of thin air, and like everything else so far has been handled badly.

There’s some question whether Twitter has adequate staffing for compliance with EU regulations and GDPR, and whether that staff is in Ireland.

Three points about Musk’s Twitter acquisition really boggle my mind after reading all this material. First,

Mr. Musk had brought his own advisers, many of whom had worked at his other businesses, such as the digital payments company PayPal and the electric carmaker Tesla. They parked themselves in the “war room,” on the second floor of a building attached to Twitter’s headquarters. The area, which Twitter used to fete big-spending advertisers and dignitaries, was stocked with company memorabilia. …

The advisers included the venture capitalists David Sacks, Jason Calacanis and Sriram Krishnan; Mr. Musk’s personal lawyer Alex Spiro; his financial manager Jared Birchall; and Antonio Gracias, a former Tesla director. Joining in were engineers and others from Tesla; from Mr. Musk’s brain interface start-up, Neuralink; and from his tunneling company, the Boring Company.

Musk is relying on the expertise of people in disparate businesses which have nothing to do with social media — unless Musk is already thinking he’s going to Johnny Mnemonic users’ heads with their Twitter accounts using Neuralink, a product which is likely to go nowhere since it is technically a medical device and it’s not ready for testing in humans.

The Boring Company, though. Really? Name a successful, profitable installation. Don’t mind me not holding my breath waiting, though.

There have been rumors Musk is surrounded by yes men and sycophants. We may now know who they are.

The second questionable point:

The scope of layoffs was a moving target. Twitter managers were initially told to cut 25 percent of the work force, three people said. But Tesla engineers who reviewed Twitter’s code proposed deeper cuts to the engineering teams. Executives overseeing other parts of Twitter were told to expand their layoff lists.

Tesla. Engineers.

The people who engineer electric cars, the software of which is not safe for autonomous self driving, somehow understand enough about social media software used by hundreds of millions of accounts globally, 24/7/365, to make an assessment of staffing requirements.

They somehow understand the issues consumers, governments, industries, nonprofits/NGOs have had using and relying on this social media application since it was launched 16 years ago.

Clearly not, since they missed the part about the FTC’s consent decree, which might shape how any code is written, tested, rolled out, operated, and maintained.

The third doozy:

Twitter executives also suggested assessing the lists for diversity and inclusion issues so the cuts would not hit people of color disproportionately and to avoid legal trouble. Mr. Musk’s team brushed aside the suggestion, two people said.

This is the same Elon Musk whose businesses have been sued more than once for discriminatory practices, pointedly choosing to ignore federal and state employment law.

It’s a pattern of behavior and it’s not acceptable, particularly if Musk’s corporations are beneficiaries of federal incentives.

~ ~ ~

We’re long overdue to regulate social media, not just because they are monopolistic and oligopolistic.

Our businesses, our personal lives have become dependent on some of these platforms. So has our government. It should not be possible to spoof the identity of a U.S. member of Congress let alone any other government employee or entity. It should not be easy to trash businesses’ reputations for the lulz.

Nor should we as individuals be waiting for the moment we learn our personal data has been breached because a billionaire was sloppy and indifferent about its security though it’s a key facet of the business he bought for the lulz.

Democrats may have a majority in both houses of Congress next year. But they already have one now, and they should use it immediately to learn why Elon Musk thinks his new toy is above the law and beyond regulatory oversight.

__________
* I meant to add you should seriously consider deleting the Twitter app from your phone. I suspect there will be attempts to hack users’ accounts using the cell phone information Twitter has on record. Protecting this data was at the heart of the FTC’s consent decree.


Leaving Elmo’s Marriage

[NB: check the byline, thanks. /~Rayne]

My moderation team counterpart bmaz is a bit put out at people who are flouncing off Twitter dramatically. We don’t see eye to eye about the topic of departing Twitter now. I’m among those who are unwinding their accounts now that Elmo has been forced into marrying Twitter, Inc.

Elmo’s turbulent management style is one reason I’d like to leave. Who knows what any given day will yield – will a new policy pop up out of the blue insisting users must pay for services to which they’ve become accustomed for years?

Security is another matter of concern, and in saying security I mean I have my doubts about personal data security now that Elmo has capriciously announced he’s going to fire 75% of Twitter’s personnel…and now 50% this Friday…and maybe with or without compliance with the state or federal WARN Act.

Does anyone really think Twitter personnel are at top form right now when they’re looking over their shoulder for their pink slip? Could you blame them if they aren’t?

But my biggest single reason for wanting to leave Twitter is this: I do not want to be Elmo’s product.

~ ~ ~

Artist Richard Serra said of his experience viewing the painting Las Meninas (c. 1656) by Diego Velázquez:

“I was still very young and trying to be a painter, and it knocked me sideways. I looked at it for a long time before it hit me that I was an extension of the painting. This was incredible to me. A real revelation. I had not seen anything like it before and it made me think about art and about what I was doing, in a radically different way. But first, it just threw me into a state of total confusion.”

When one first sets eyes upon the painting, it appears to be one of the young Infanta Margaret Theresa of Spain and her ladies in waiting, standing next to a portraitist at work. It takes a moment to realize that the portraitist isn’t painting the Infanta but whoever the Infanta is observing, and yet another moment to realize the subject of the portrait and of the Infanta’s gaze can be seen in the mirror behind them.

The painting’s observer will then realize they are standing in for the Infanta’s parents who are being painted by the portraitist — and the painting is a self portrait of Velázquez at work. The painting’s observer is a proxy who has not fully consented to their role but nonetheless becomes the subject of the painter at work.

It is this same inversion which must be grasped to understand why I refuse to be Elmo’s product.

I know that I am not Twitter’s customer. I’m not the consumer.

If I remain I am the consumed in Elmo’s forced marriage scenario.

~ ~ ~

Serra and director Carlota Fay Schoolman produced a short film in 1973 entitled “Television Delivers People.” It was considered video art, using a single channel with a text scroll to critique television.

This excerpt explains the relationship between the audience and television:

Commercial television delivers 20 million people a minute.
In commercial broadcasting the viewer pays for the privilege of having himself sold.
It is the consumer who is consumed.
You are the product of t.v.
You are delivered to the advertiser who is the customer.
He consumes you.
The viewer is not responsible for programming —
You are the end product.

What television did in the 1970s, social media does today. It consolidates access to disparate individuals over distances into audiences of varying sizes and offers them to advertisers.

Social media is mass media.

Social media, however, doesn’t serve audiences to advertisers alone. Given the right kind of incentives and development, audiences can be bought for other purposes.

There are almost no regulatory restrictions on audiences being identified, aggregated, bought, and resold, and very little comprehensive regulation regarding data privacy.

Elmo so far doesn’t appear to understand any of this between his uneducated blather about free speech and his ham-handedness about Twitter’s business model.

I do not want to be sold carelessly and indifferently by Elmo.

~ ~ ~

If you are a social media user, even if validated or a celebrity with millions of followers, you are the product. You are being sold by the platform to advertisers.*

There may even be occasions when you’re not sold but used – recall the access Facebook granted to researcher Aleksandr Kogan in 2013 as part of experimentation, which then underpinned the work of Cambridge Analytica ahead of the 2016 election.

Facebook was punished by the Federal Trade Commission for violating users’ privacy, but there’s still little regulatory framework to assure social media users they will not be similarly abused as digital chattel.

What disincentives are there to rein in a billionaire with an incredibly short attention span and little self control now that he’s disbanded Twitter’s board of directors? What will prevent Elmo from doing what Facebook did to its users?

I’ve raised a couple kids with ADD. I don’t want to be on the other end of the equation, handled as a digital fungible by an adult with what appears to be ADD weaponized with narcissism.

I deserve better.

I’m only going to get it if I act with this understanding, attributed again to Serra:

If something is free, you’re the product.

~ ~ ~

By now you should be used to hearing this, but I’m leaving this marriage, Elmo.

Treat this as an open thread.

__________

* We do not sell data about our community members.


FBI Allegedly Found Child Sexual Abuse Material When It Searched Josh Schulte’s Discovery Laptop

For the past several weeks — since his attorney, Sabrina Shroff, filed a letter on September 28 asking why he hadn’t been delivered to the SCIF as expected on September 26 — there has been something weird going on in the docket for Josh Schulte, who in July was convicted of stealing and leaking the CIA’s hacking tools to Wikileaks. She noted there was probably a request in the docket that he be withheld from the SCIF and asked for access to it. Today, the government unsealed three filings explaining what happened: They allegedly caught Schulte with Child Sexual Abuse Material again. Almost four years to the day after he was found using contraband phones in MCC, the government did another search of his cell to figure out whether and how he got the CSAM (which probably came from his discovery pertaining to the files allegedly on his home computer in 2017).

The filings are:

What happened is this:

July 27: The government obtained a warrant for Schulte’s discovery laptop covering contempt and contraband, with the search run by a filter (“Wall Team”) AUSA who is not part of the prosecution team.

As the Court is aware, on July 27, 2022, United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York signed a warrant authorizing the seizure and search of the laptop previously provided to the defendant for his use in the Bureau of Prisons for reviewing unclassified discovery and preparing litigation materials in this case (the “Laptop Warrant”), which was at that time located at the Metropolitan Detention Center (“MDC”) in Brooklyn, New York. Pursuant to the terms of the Laptop Warrant, the initial search and review of the contents of the defendant’s laptop for evidence of the subject offenses set forth therein, specifically violations of 18 U.S.C. §§ 401(3) (contempt of court) and 1791(a) (possessing contraband in a correctional facility), is being conducted by agents from the Federal Bureau of Investigation (“FBI”) who are not part of the prosecution team, supervised by an Assistant U.S. Attorney who is also not part of the prosecution team and is experienced in privilege matters (the “Wall Team”), to segregate out any potentially privileged documents or data.

August 26: The FBI discovered an extra thumb drive in the SCIF.

On or about August 26, 2022, Schulte was produced to the Courthouse SCIF and, during that visit, asked to view the hard drive containing the Home CSAM Files from the Home Desktop. The hard drive was provided to Schulte and afterwards re-secured in the dedicated safe in the SCIF. The FBI advised the undersigned that, while securing the hard drive containing the Home CSAM Files, they observed that an unauthorized thumb drive (the “Thumb Drive”) was connected to the SCIF laptop used by Schulte and his counsel to review that hard drive containing the Home CSAM Files. On or about September 8, 2022, at the Government’s request, the CISO retrieved the hard drive containing materials from the Home Desktop from the SCIF and returned it to the FBI so that it could be handled pursuant to the normal procedures applicable to child sexual abuse materials. The CISO inquired about what should be done with the Thumb Drive, which remained in the dedicated SCIF safe. The Government requested that the Thumb Drive remain secured in the SCIF while the Government completed its review of the defendant’s laptop and continued to investigate the defendant’s potentially unauthorized activities.

September 22: FBI discovers “a substantial amount” of suspected CSAM on his discovery laptop with review run by a second AUSA.

[O]n September 22, 2022, the Wall Team contacted one of the FBI case agents handling this matter to inform him that, during the Wall Team’s review of the defendant’s MDC laptop, they had discovered a substantial amount of what appeared to be child sexual abuse materials (the “Laptop CSAM Files”) and to request guidance about how to proceed.

[snip]

[A]nother Assistant U.S. Attorney was assigned to the Wall Team at the request of the undersigned to be able to review the material and assist in obtaining that additional warrant, which this Court issued on September 23, 2022 (the “CSAM Expansion Warrant”).

October 5: FBI executes searches of Schulte’s cell at the MDC and of three electronic devices he had used in the Courthouse SCIF.

One warrant, which was issued on October 4, 2022 by United States Magistrate Judge Robert M. Levy of the Eastern District of New York, authorized the search of the defendant’s cell at the MDC and the seizure of certain materials contained therein, including electronic devices (the “MDC Cell Warrant”). The second warrant, which was also issued on October 4, 2022 by this Court, authorized the seizure and search of three specified electronic devices previously used by the defendant in the Courthouse Sensitive Compartmented Information Facility (“SCIF”) in connection with his review of CSAM obtained from the defendant’s home computer equipment and produced in discovery for review in the SCIF (the “CSAM Devices Warrant”). Both the MDC Cell Warrant and the CSAM Devices Warrant contain substantially the same procedures as the CSAM Expansion Warrant for initial review of the seized materials by the Wall Team. Both warrants were executed by the FBI on October 5, 2022.

DOJ is still investigating the discovery laptop for both the contraband and the CSAM. But they’re ready to give Schulte a typewriter so he can write his post-trial motions.

As the Government previously informed defense counsel and the Court, the Government cannot at this point consent to providing the defendant with a replacement laptop under any conditions (D.E. 950), in light of both his convictions of a variety of computer-related offenses and the additional evidence of his misconduct with regard to the previous MDC laptop that was seized. The Government has conferred with legal counsel at the MDC to request that the defendant have access to a typewriter for purposes of drafting these post-trial motions, similar to that available to inmates in general population. MDC legal counsel has indicated that this would likely be possible, subject to approval from the senior management of the MDC.


Trust: In Bid for Stay, DOJ Likened Trump to Catastrophic Intelligence Compromise

There’s a detail in DOJ’s request for a stay of Judge Aileen Cannon’s injunction on using stolen Trump documents to investigate Trump that hasn’t gotten enough attention.

A footnote modifying a discussion about the damage assessment the Intelligence Community is currently doing referenced a letter then-NSA Director Mike Rogers wrote in support of Nghia Pho’s sentencing in 2018. [This letter remains sealed in the docket but Josh Gerstein liberated it at the time.]

[I]n order to assess the full scope of potential harms to national security resulting from the improper retention of the classified records, the government must assess the likelihood that improperly stored classified information may have been accessed by others and compromised. 4

4 Departments and agencies in the IC would then consider this information to determine whether they need to treat certain sources and methods as compromised. See, e.g., Exhibit A to Sentencing Memorandum, United States v. Pho, No. 1:17-cr-631 (D. Md. Sept. 18, 2018), D.E. 20-1 (letter from Adm. Michael S. Rogers, Director, National Security Agency) (“Once the government loses positive control over classified material, the government must often treat the material as compromised and take remedial actions as dictated by the particular circumstances.”).

Even on its face, the comment suggests the possibility that the Intelligence Community is shutting down collection programs because Trump took documents home.

But the analogy DOJ made between Trump and Pho, by invoking the letter, is even worse.

I’ve written about Pho, who, with Hal Martin, is believed to be the source of the files leaked by Shadow Brokers and, with them, two devastating global malware attacks, WannaCry and NotPetya.

Over a month ago, I suggested that the IC likely had Pho and Martin in mind as they considered the damage Trump may have done by doing the same thing: taking highly classified files home from work.

[T]he lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

But with the footnote, I’m no longer the only one to make such an analogy. DOJ did so too, in an unsuccessful effort to get Judge Cannon to understand the magnitude of the breach she was coddling.

As you read this letter, replace Pho’s name with Trump’s. It reads almost seamlessly.

That’s the analogy DOJ made between Trump and someone his own DOJ prosecuted aggressively.

Pho retained classified information outside of properly secured spaces and by doing so caused very significant and long-lasting harm to the NSA, and consequently to the national security of the United States.

[snip]

[T]he exposure of the United States’ classified information outside of secure spaces may result in the destruction of intelligence-gathering efforts used to protect this nation. Mr. Pho, who voluntarily assumed this responsibility, ignored his oath to his country and the NSA by taking classified information outside of secure spaces, thereby placing that information in significant jeopardy.

[snip]

Mr. Pho’s conduct in improperly and unlawfully retaining national defense information, which included highly classified information, outside of secure space had significant negative impacts on the NSA mission.

[snip]

Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of national security topics. Compromise of one technique can place many opportunities for intelligence collection and national security at risk.

By removing such highly classified materials outside of secure space, Mr. Pho subjected those materials to compromise. It is a fundamental mandate in the Intelligence Community that classified material must be handled and stored in very specific and controlled ways. If classified material is not handled or stored according to strict rules, then the government cannot be certain that it remains secret. Once the government loses positive control over classified material, the government must often treat the material as compromised and take remedial actions as dictated by the particular circumstances. Depending on the type and volume of compromised classified material, such reactions can be costly, time consuming and cause a shift in or abandonment of programs. In this case, the fact that such a tremendous volume of highly classified, sophisticated collection tools was removed from secure space and left unprotected, especially in digital form on devices connected to the Internet, left the NSA with no choice but to abandon certain important initiatives, at great economic and operational cost.

In addition, NSA was faced with the crucial and arduous task of accounting for all of the exposed classified materials, including TOP SECRET information, the unauthorized disclosure of which, by definition, reasonably could be expected to cause exceptionally grave damage to the national security. Accounting for all of the exposed classified material was necessary so that NSA could attempt to assess the damage that resulted from the classified and diverted critical resources away from NSA’s intelligence-gathering mission.

The detrimental impacts of Mr. Pho’s activities are also felt in other less tangible ways, including a loss of trust among colleagues and essential partners who count on NSA to conduct its mission.

[snip]

Trust is an essential component of all of the work that is done by NSA employees. It is affirmed by our sworn oath to uphold and defend the Constitution, sealed by our signed obligations to protect national defense information.

[snip]

This trust extends to a circle with other U.S. intelligence agencies, who share valuable intelligence insights; military personnel, who share details of their operational plans; and international partners, who share their sovereign secrets with us, all for common objectives.

[snip]

Future decisions about sharing will be weighted with considerations of the breach of trust by one party.

There’s little that distinguishes Pho’s compromise from Trump’s. While Trump didn’t load all this stuff online like Pho did, he brought it to a thinly-protected country club aggressively targeted by foreign intelligence services — a more obvious target than Pho’s desktop computer.

And whether the IC knows about the extent of the compromise right now, or whether something he made available will shut down shipping and hospitals and drug manufacturing in two years time, as Pho’s compromises did, the IC has to act as if these files have already been compromised.

That’s what the footnote says.

As I said, Trump’s own DOJ ratcheted up prosecutions in the wake of the Pho and Martin compromises. And now Trump — along with a judge he appointed — is trying to make sure he evades the same justice that his own DOJ demanded of others.

Update: Clarified that Martin and Pho are believed to be the source of the files leaked by Shadow Brokers, but not the leakers themselves.

Go to emptywheel resource page on Trump Espionage Investigation.


18 USC 793e in the Time of Shadow Brokers and Donald Trump

Late last year, a Foreign Affairs article by former Principal Deputy Director of National Intelligence Sue Gordon and former DOD Chief of Staff Eric Rosenbach asserted that the files leaked in 2016 and 2017 by Shadow Brokers came from two NSA officers who brought the files home from work.

In two separate incidents, employees of an NSA unit that was then known as the Office of Tailored Access Operations—an outfit that conducts the agency’s most sensitive cybersurveillance operations—removed extremely powerful tools from top-secret NSA networks and, incredibly, took them home. Eventually, the Shadow Brokers—a mysterious hacking group with ties to Russian intelligence services—got their hands on some of the NSA tools and released them on the Internet. As one former TAO employee told The Washington Post, these were “the keys to the kingdom”—digital tools that would “undermine the security of a lot of major government and corporate networks both here and abroad.”

One such tool, known as “EternalBlue,” got into the wrong hands and has been used to unleash a scourge of ransomware attacks—in which hackers paralyze computer systems until their demands are met—that will plague the world for years to come. Two of the most destructive cyberattacks in history made use of tools that were based on EternalBlue: the so-called WannaCry attack, launched by North Korea in 2017, which caused major disruptions at the British National Health Service for at least a week, and the NotPetya attack, carried out that same year by Russian-backed operatives, which resulted in more than $10 billion in damage to the global economy and caused weeks of delays at the world’s largest shipping company, Maersk. [my emphasis]

That statement certainly doesn’t amount to official confirmation that that’s where the files came from (and I’ve been told that the scope of the files released by Shadow Brokers would have required at least one more source). But the piece is as close as anyone with direct knowledge of the matter — as Gordon would have had from the aftermath — has come to confirming on the record what several strands of reporting had laid out in 2016 and 2017: that the NSA files that were leaked and then redeployed in two devastating global cyberattacks came from two guys who brought highly classified files home from the NSA.

The two men in question, Nghia Pho and Hal Martin, were prosecuted under 18 USC 793e, likely the same part of the Espionage Act under which the former President is being investigated. Pho (who was prosecuted by Thomas Windom, one of the prosecutors currently leading the fake elector investigation) pled guilty in 2017 and was sentenced to 66 months in prison; he is processing through re-entry for release next month. Martin pled guilty in 2019 and was sentenced to 108 months in prison.

The government never formally claimed that either man caused hostile powers to obtain these files, much less voluntarily gave them to foreign actors. Yet it used 793e to hold them accountable for the damage their negligence caused.

There has never been any explanation of how the files from Martin would have gotten to the still unidentified entity that released them.

But there is part of an explanation how files from Pho got stolen. WSJ reported in 2017 that the Kaspersky Anti-Virus software Pho was running on his home computer led the Russian security firm to discover that Pho had the NSA’s hacking tools on the machine. Somehow (the implication is that Kaspersky alerted the Russian government) that discovery led Russian hackers to subsequently target Pho’s computer and steal the files. In response to the WSJ report, Kaspersky issued their own report (here’s a summary from Kim Zetter). It acknowledged that Kaspersky AV had pulled in NSA tools after triggering on a known indicator of NSA compromise (the report claimed, and you can choose to believe that or not, that Kaspersky had deleted the most interesting parts of the files obtained). But it also revealed that in that same period, Pho had briefly disabled his Kaspersky AV and downloaded a pirated copy of Microsoft Office, which led to at least one backdoor being loaded onto his computer via which hostile actors would have been able to steal the NSA’s crown jewels.

Whichever version of the story you believe, both confirm that Kaspersky AV provided a way to identify a computer storing known NSA hacking tools, which then led Pho — someone of sufficient seniority to be profiled by foreign intelligence services — to be targeted for compromise. Pho didn’t have to give the files he brought home from work to Russia and other malicious foreign entities. Merely by loading them onto his inadequately protected computer and doing a couple of other irresponsible things, he made the files available to be stolen and then used in one of the most devastating information operations in history. Pho’s own inconsistent motives didn’t matter; what mattered was that actions he took made it easy for malicious actors to pull off the kind of spying coup that normally takes recruiting a high-placed spy like Robert Hanssen or Aldrich Ames.

In the aftermath of the Shadow Brokers investigation, the government’s counterintelligence investigators may have begun to place more weight on the gravity of merely bringing home sensitive files, independent of any decision to share them with journalists or spies.

Consider the case of Terry Albury, the FBI Agent who shared a number of files on the FBI’s targeting of Muslims with The Intercept. As part of a plea agreement, the government charged Albury with two counts of 793e, one for a document about FBI informants that was ultimately published by The Intercept, and another (about an online terrorist recruiting platform) that Albury merely brought home. The government’s sentencing memo described the import of files he brought home but did not share with The Intercept this way:

The charged retention document relates to the online recruitment efforts of a terrorist organization. The defense asserts that Albury photographed materials “to the extent they impacted domestic counter-terrorism policy.” (Defense Pos. at 37). This, however, ignores the fact that he also took documents relating to global counterintelligence threats and force protection, as well as many documents that implicated particularly sensitive Foreign Intelligence Surveillance Act collection. The retention of these materials is particularly egregious because Albury’s pattern of behavior indicates that had the FBI not disrupted Albury and the threat he posed to our country’s safety and national security, his actions would have placed those materials in the public domain for consumption by anyone, foreign or domestic.

And in a declaration accompanying Albury’s sentencing, Bill Priestap raised the concern that by loading some of the files onto an Internet-accessible computer, Albury could have made them available to entities he had no intention of sharing them with.

The defendant had placed certain of these materials on a personal computing device that connects to the Internet, which creates additional concerns that the information has been or will be transmitted or acquired by individuals or groups not entitled to receive it.

This is the scenario that, one year earlier, was publicly offered as an explanation for the theft of the files behind The Shadow Brokers; someone brought sensitive files home and, without intending to, made them potentially available to foreign hackers or spies.

Albury was sentenced to four years in prison for bringing home 58 documents, of which 35 were classified Secret, and sending 25 documents, of which 16 were classified Secret, to the Intercept.

Then there’s the case of Daniel Hale, another Intercept source. Two years after the Shadow Brokers leaks (and five years after his leaks), he was charged with five counts of taking and sharing classified documents, including two counts of 793e tied to 11 documents he took and shared with the Intercept. Three of the documents published by The Intercept were classified Top Secret.

Hale pled guilty last year, just short of trial. As part of his sentencing process, the government argued that the baseline for his punishment should start from the punishments meted to those convicted solely of retaining National Defense Information. It tied Hale’s case to those of Martin and Pho explicitly.

Missing from Hale’s analysis are § 793 cases in which defendants received a Guidelines sentence for merely retaining national defense information. See, e.g., United States v. Ford, 288 F. App’x 54, 61 (4th Cir. 2008) (affirming 72-month sentence for retention of materials classified as Top Secret); United States v. Martin, 1:17-cr-69-RDB) (D. Md. 2019) (nine-year sentence for unlawful retention of Top Secret information); United States v. Pho, 1:17-cr-00631 (D. Md. 2018) (66-month sentence for unlawful retention of materials classified as Top Secret). See also United States v. Marshall, 3:17-cr-1 (S.D. TX 2018) (41-month sentence for unlawful retention of materials classified at the Secret level); United States v. Mehalba, 03-cr-10343-DPW (D. Ma. 2005) (20-month sentence in connection with plea for unlawful retention – not transmission – in violation of 793(e) and two counts of violating 18 U.S.C. 1001; court departed downward due to mental health of defendant).

Hale is more culpable than these defendants because he did not simply retain the classified documents, but he provided them to the Reporter knowing and intending that the documents would be published and made available to the world. The potential harm associated with Hale’s conduct is far more serious than mere retention, and therefore calls for a more significant sentence. [my emphasis]

Even in spite of a moving explanation for his actions, Hale was sentenced to 44 months in prison. Hale still has almost two years left on his sentence in Marion prison.

That focus on other retention cases from the Hale filing was among the most prominent national references to yet another case of someone prosecuted during the Trump Administration for taking classified files home from work, that of Weldon Marshall. Over the course of years of service in the Navy and then as a contractor in Afghanistan, Marshall shipped hard drives of classified materials home.

From the early 2000s, Marshall unlawfully retained classified items he obtained while serving in the U.S. Navy and while working for a military contractor. Marshall served in the U.S. Navy from approximately January 1999 to January 2004, during which time he had access to highly sensitive classified material, including documents describing U.S. nuclear command, control and communications. Those classified documents, including other highly sensitive documents classified at the Secret level, were downloaded onto a compact disc labeled “My Secret TACAMO Stuff.” He later unlawfully stored the compact disc in a house he owned in Liverpool, Texas. After he left the Navy, until his arrest in January 2017, Marshall worked for various companies that had contracts with the U.S. Department of Defense. While employed with these companies, Marshall provided information technology services on military bases in Afghanistan where he also had access to classified material. During his employment overseas, and particularly while he was located in Afghanistan, Marshall shipped hard drives to his Liverpool home. The hard drives contained documents and writings classified at the Secret level about flight and ground operations in Afghanistan. Marshall has held a Top Secret security clearance since approximately 2003 and a Secret security clearance since approximately 2002.

He appears to have been discovered when he took five Cisco switches home. After entering into a cooperation agreement and pleading guilty to one count of 793e, Marshall was (as noted above) sentenced to 41 months in prison. Marshall was released last year.

Outside DOJ, pundits have suggested that Trump’s actions are comparable to those of Sandy Berger, who like Trump stole files that belong to the National Archives and after some years pled guilty to a crime that Trump has since made into a felony, or David Petraeus, who like Trump took home and stored highly classified materials in unsecured locations in his home. Such comparisons reflect the kind of elitist bias that fosters a system in which high profile people believe they are above the laws that get enforced for less powerful people.

But the cases I’ve laid out above — particularly the lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

And while Trump allegedly brought home paper documents, rather than the digital files that Russian hackers could steal while sitting in Moscow, that doesn’t make his actions any less negligent. Since he was elected President, Mar-a-Lago became a ripe spying target, resulting in at least one prosecution. And two of the people he is most likely to have granted access to those files, John Solomon and Kash Patel, each pose known security concerns. Trump has done the analog equivalent of what Pho did: bring the crown jewels to a location already targeted by foreign intelligence services and store them in a way that can be easily back-doored. Like Pho, it doesn’t matter what Trump’s motivation for doing so was. Having done it, he made it ridiculously easy for malicious actors to simply come and take the files.

Under Attorneys General Jeff Sessions and Bill Barr, DOJ put renewed focus on prosecuting people who simply bring home large caches of sensitive documents. They did so in the wake of a costly lesson showing that the compromise of insecurely stored files can do as much damage as a high level recruited spy.

It’s a matter of equal justice that Trump be treated with the same gravity with which Martin and Pho and Albury and Hale and Marshall were treated under the Trump Administration, for doing precisely what Donald Trump is alleged to have done (albeit with far fewer and far less sensitive documents). But as the example of Shadow Brokers offers, it’s also a matter of urgent national security.


The Discovery Refrigerator: When Joshua Schulte Social Engineered His Cellmate’s Brother

In advance of some other things, I want to look at the time that Joshua Schulte, who was convicted last week on nine counts related to stealing and leaking CIA files to WikiLeaks, social engineered the brother of his cellmate.

One of the charges on which the jury found Schulte guilty was sending WaPo reporter Shane Harris a warrant affidavit from the investigation into him, along with Schulte’s own narrative purportedly debunking the allegations made in the warrant. The jury found that Schulte’s description of two hundred people who might have access to the DevLAN backups and the network setup that would allow them that access was National Defense Information. Effectively, prosecutors argued and the jury agreed, Schulte was revealing CIA’s organizational structure and numbers of classified employees to a journalist. It’s a picayune Espionage count that, because it likely won’t be treated as the same leak as the charge for sending CIA’s hacking tools, could add years to Schulte’s sentence.

Schulte sent the warrant affidavits along with a dangle, a promise to tell Harris some dirt about Russian oligarchs’ ties to Marc Kasowitz and Rudy Giuliani.

We have decided to share with you an initial exposé (depending on how the first one goes with you we will share up to nine more) involving Russian oligarchs, business ties and wire transfers involving hundreds of millions of dollars to Donald Trump’s closest advisers and law firms, including Giuliani and Mark Kasowitz firms. Trump’s self-reported best friend plays a starting role.

In cross-examination of FBI Agent Evan Schlessinger, Schulte suggested, credibly, that this dangle came from his cellmate, Omar Amanat.

Q. Well, you remember the ProtonMail email that referenced Marc Kasowitz, right?

A. Yes.

Q. OK. And there’s no relation between me and Marc Kasowitz, right?

A. No. You’re — not that I’m aware of.

Q. OK. Let’s talk about the cell search at the MCC. Now, in the cell search at the MCC, did you know what cell I was in?

A. Yes.

Q. And just real quick, you did know that there was a relationship between Mr. Amanat and Marc Kasowitz, right?

A. I know it was a — it’s connected to Mr. Amanat. I don’t know exactly how.

Q. OK.

A. Or how it relates to Mr. Amanat.

Of course, Schulte wasn’t charged for leaking information about Trump’s once and future lawyers. He was charged for sharing information about the CIA that — even if Amanat were the one who sent the email to Harris — would still mean Schulte shared it with Amanat, someone else who wasn’t cleared to receive it.

Plus, the record now shows that Schulte had been working with Omar Amanat and his brother, Irfan, to get these documents out.

An FBI interview of Schulte’s cousin, Shane Presnall, conducted just days before his first trial on January 13, 2020 but only released in April, explains that the Amanats were participating in the effort to publicize Schulte’s case starting as soon as Schulte and Amanat ended up in a cell together in December 2017. In fact, Presnall handed off Schulte’s warrants (it’s not clear whether this includes Schulte’s response, which is where the classified information was) to Amanat’s brother, Irfan, by leaving them in the fridge at the apartment he had shared with Schulte. (At the time, Irfan had been charged in the same fraud as Omar, but he was still out on pretrial release; since these events in 2018, both Omar and Irfan have been sentenced, served their time, and released.)

JS’s idea to get to press was to get court documents to get more attention to his case. JS told SP he was trying to create public outrage. When arrested in December 2017, another inmate in MCC, named Omar Amanat, told JS that Omar had media comments [sic] and that JS should send documents out and Omar will get them out. SP expressed skepticism about having a stranger do this. Then Omar’s cousin (Iffy) reaches out to SP via WhatsApp and says they have media contacts and can get documents out. When moving everything out of the apartment, SP put the documents in the bottom of the fridge in his apartment and informed Iffy where the documents would be. Iffy came and got the documents at JS’s apartment. Iffy confirmed to SP that Iffy got the documents. Iffy had the key because SP handed it to him.

Presnall was also communicating with reporters via Signal and a ProtonMail account, JohnGalt. But after he handed off the documents, he never heard from Irfan again.

But Schulte and the Amanats continued to work closely to get the documents out.

Just days before the ProtonMail dangle with the warrants was sent to Harris on September 24, the Samsung phone primarily used by Schulte texted Irfan on Signal. [This is a version of the Signal report, GX 822-1 as submitted in the first trial, but in which I replaced phone numbers with names and eliminated extraneous data; the righthand-most column shows who sent a particular text, the second-from-right is who received it.]

Schulte claimed to be Omar. He said that J — Schulte — needed “screen shots of Romania hack and Moscow.”

Irfan was understandably confused because, at the same time as someone claiming to be his brother was texting from the Samsung, someone else was calling him on what must be the iPhone that Omar primarily used.

Nevertheless, Irfan sent the files and only then did Schulte tell Omar’s brother he had pretended to be Omar to get Irfan to send files he had been trying to get from his cellmate.

Irfan and Schulte had a good laugh together about “master airhead” Omar, and then they got back to work on the documents they were working on.

Over the next two days Irfan and Schulte chatted away as they worked on various files, at several points, switching to group chat. At one point, Omar asked who “anonymous badger” is. “My bro?”

Here’s a picture of Omar’s side of that conversation, working on the Google doc via his iPhone while Schulte and Irfan worked from other locations, from one of the 2018 warrant affidavits tied to this part of the investigation.

On September 26, Schulte texted Irfan to say that Omar broke a screen (perhaps an exacerbation of the crack seen above) but that everything was still a go.

That’s the day when jailhouse informant Carlos Betances narced them out to the guard before they could do … something … in the law library.

Q. Mr. Betances, did there come a time when you learned of an effort to take the Samsung somewhere else in the jail?

A. Yes.

Q. And what did you learn about that?

A. That they were going to pay this friend of mine, Flaco, 200 bucks to take it down to the library that day.

Q. And who wanted to pay to bring the phone to the library?

MR. SCHULTE: Objection. Hearsay.

THE COURT: How did you learn about that information?

THE WITNESS: Because Flaco told me.

[snip]

BY MR. LOCKARD: Q. Mr. Betances, did you observe anything about Mr. Schulte’s or Omar’s behavior around that time?

A. Yes. They were very wary. They wanted to go down to the library then, and — so once I realized that they wanted to go down there, I threw this little piece of paper at the guard who was right there, and letting him know that something was going to happen in the library, that he could — he should —

THE INTERPRETER: Interpreter correction. A. — that he should conduct a search or everybody should go down and figure out what was about to happen. So that is what happened. When Josh and Omar came up, they said something had happened, that there was a search, there had been a search in the library, but they never found out that I was the one who had prevented that from happening.

Q. And did you hear Mr. Schulte or Omar discuss why they wanted the phone in the library?

MR. SCHULTE: Objection.

THE COURT: Overruled.

A. They wanted to send something very important. I don’t know what it was, but it was important. They had spent a week, a long time with the phones. They would give me the phone back very late at night with a very low charge.

Over the course of the next few days, as one after another of the detainees in on the contraband phone gig got caught and put into the SHU, it seemed that Omar came to rely on the Samsung (the first of the contraband phones was seized on September 26) to send Irfan gloomy texts. What appears to be Omar asks Irfan to call Carlos’ son to let the son know they’d put $500 in his father’s commissary fund, something that Betances testified to at the second trial, claiming he newly remembered just last month being offered a $5,000 bribe through the air conditioning pipes to stay quiet.

So as the brothers allegedly discussed arranging paying off the guy who narced them out, they also discussed what Harris has received. “How much to carlo,” Irfan asked about the payment. “Washpo has em,” Omar discussed the documents.

The very last Signal text sent on the phone, on a day when Schulte was definitely in SHU but Omar was not yet, was a text from Omar to Harris, asking if they could shift to a different ProtonMail address, [email protected]

It’s a point Schulte made at trial: When that last text was sent, he was in SHU. He couldn’t have sent it.

According to Agent Schlessinger, there was no activity on the ProtonMail account Schulte had described in his notebook setting up on August 21, Annon1204, after Schulte was put in SHU. While Schulte pointed to a follow-up, on Annon1204, on September 26 that he suggested must have come from Omar, the switch to a different ProtonMail account after Schulte was moved overnight on October 1 is consistent with Omar not having the password for Annon1204, and so moving the ongoing conversation with Harris to another ProtonMail account, psalms100.

The entire (resumed) conversation with Shane Harris started with Schulte pretending to be Anonymous, partly in an effort to get Harris to send documents that Schulte’s family had already been warned, by the FBI, not to release publicly. Along the way, Schulte pretended to be Omar and then Omar pretended to be Schulte pretending to be Anonymous.

It was a grand scheme across contraband cell phones and Google docs to send out a bunch of documents. One of which, the jury has now issued their verdict, constituted a very costly crime.


How Josh Schulte Got Judge Jesse Furman to Open a File in Internet Explorer

Something puzzles me about both Josh Schulte trials (as noted yesterday, the jury found Schulte guilty of all charges against him).

In both, the government introduced a passage from his prison notebooks advocating the use of the tools he has now been found guilty of sharing with WikiLeaks in an attack similar to NotPetya. [This is the version of this exhibit from his first trial.]

Vault 7 contains numerous zero days and malware that could be [easily] deployed repurposed and released onto the world in a devastating fashion that would make NotPetya look like Child’s play.

Neither time, however, did prosecutors explain the implications of this passage, which proved both knowledge of the non-public files released to WikiLeaks and a desire that they would be used, possibly by Russia, as a weapon.

Here’s how AUSA Sidhardha Kamaraju walked FBI Agent Evan Schlessinger through explaining it on February 26, 2020, in the first trial.

Q. Let’s look at the last paragraph there.

A. “Vault 7 contains numerous zero days and malware that could easily be deployed, repurposed, and released on to the world in a devastating fashion that would make NotPetya look like child’s play.”

Q. Do you know what NotPetya is?

A. Yes, generally.

Q. What is it?

A. It is a version of Russian malware.

Here’s how AUSA David Denton walked Agent Schlessinger through that same script this June 30 in the second trial.

Q. And the next paragraph, please.

A. “Vault 7 contains numerous zero days and malware that could easily be deployed,” struck through “repurposed and released onto the world in a devastating fashion that would make NotPetya look like child’s play.”

Q. Sir, do you know what NotPetya is?

A. Yes, generally.

Q. Generally, what is a reference to?

A. Russian malware.

The placid treatment of that passage was all the more striking in this second trial because it came shortly after Schulte had gone on, at length, mocking the claim from jail informant Carlos Betances that Schulte had expressed some desire for Russia’s help to do what he wanted to do, which in context (though Betances wouldn’t know it) would be to launch an information war.

Q. OK. Next, you testified on direct that I told you the Russians would have to help me for the work I was doing, right?

A. Yes, correct.

Q. OK. So the Russians were going to send paratroopers into New York and break me out of MCC?

MR. LOCKARD: Objection.

THE COURT: Sustained.

BY MR. SCHULTE: Q. What is your understanding of how the Russians were going to help?

A. No, I don’t know how they were going to help you. You were the one who knew that.

Q. What work was I doing for Russia?

A. I don’t know what kind of work you were doing for Russia, but I know you were spending long periods of time in your cell with the phones.

Q. OK.

A. With a sheet covering you.

Q. OK. But only Omar ever spoke about Russia, correct?

A. No. You spoke about Russia.

Q. Your testimony is you never learned anything about Omar and Russian oligarchs?

A. No.

Denton could easily have had Schlessinger point out that wanting to get a CIA tool repurposed in Russian malware just like the Russians had integrated stolen NSA tools to use in a malware attack of unprecedented scope would be pretty compelling malicious cooperation with Russia. It would have made Schulte’s mockery with Betances very costly. But Denton did not do that.

In fact, the government entirely left this theory of information war out of Schulte’s trial. In his closing argument for the second trial, for example, Michael Lockard explicitly said that Schulte’s weapon was to leak classified information, not to launch cyberattacks.

Mr. Schulte goes on to make it even more clear. He says essentially it is the same as taking a soldier in the military, handing him a rifle, and then begin beating him senseless to test his loyalty and see if you end up getting shot in the foot or not. It just isn’t smart.

Now, Mr. Schulte is not a soldier in the military, he is a former CIA officer and he doesn’t have a rifle. He has classified information. That is his bullet.

To be sure, that’s dictated by the charges against Schulte. Lockard was trying to prove that Schulte developed malicious plans to leak classified information, not that he developed malicious plans to unleash a global cyberattack that would shut down ports in the United States. But that’s part of my point: The NotPetya reference was superfluous to the charges against Schulte except to prove maliciousness they didn’t use it for.

I may return to this puzzle in a future post. For now, though, I want to use it as background to explain how, that very same day that prosecutors raised Schulte’s alleged plan to get CIA hacking tools used to launch a global malware attack, Schulte got Judge Jesse Furman to open a document in Internet Explorer.

One of the challenges presented when a computer hacker like Schulte represents himself (pro se) is how to equip him to prepare a defense without providing the tools he can use to launch an information war. It’s a real challenge, but also one that Schulte exploited.

In one such instance, in February, Schulte argued the two MDC law library desktops available to him did not allow him to prepare his defense, and so he needed a DVD drive to transfer files including “other binary files,” the kind of thing that might include malware.

Neither of these two computers suffices for writing and printing motions, letters, and other documents. The government proposes no solution — they essentially assert I have no right to access and use a computer to defend myself in this justice system.

I require an electronic transfer system; printing alone will not suffice, because I cannot print video demonstratives I’ve created for use at trial; I cannot print forensics, forensic artifacts, and other binary files that would ultimately be tens of thousands of useless printed pages. I need a way to transfer my notes, documents, motion drafts, demonstrative videos, technical research, analysis, and countless other documents to my standby counsel, forensic expert, and for filing in this court.

The government had told Schulte on January 21 that he could not have a replacement DVD drive that his standby counsel had provided in January because it had write-capabilities; as they noted in March, not having such a drive was not preventing him from filing a blizzard of court filings. Ultimately, in March, the government got Schulte to let them access the laptop to add a printer driver to his discovery laptop. Schulte renewed his request for a write-capable DVD, though, in April.

Schulte continued to complain about his access to the law library for months, sometimes with merit, and other times (such as when he objected to the meal times associated with his choice to fast during Ramadan) not.

The continued issues, though, and Schulte’s claims of retaliation by prison staffers, are why I was so surprised that when, on June 1, Sabrina Shroff reported that a guard had broken Schulte’s discovery laptop by dropping it just weeks before trial, she didn’t ask for any intervention from Judge Furman. Note, she attributes her understanding of what happened to the laptop to Schulte’s parents (who could only have learned that from Schulte) and the prison attorney (who may have learned of it via Schulte as well). In response, as Shroff had tried to do with the write-capable DVD, she was just going to get him a new laptop.

We write to inform the Court that a guard at the MDC accidently dropped Mr. Schulte’s laptop today, breaking it. Because the computer no longer functions, Mr. Schulte is unable to access or print anything from the laptop, including the legal papers due this week. The defense team was first notified of the incident by Mr. Schulte’s parents early this afternoon. It was later confirmed in an email from BOP staff Attorney Irene Chan, who stated in pertinent part: “I just called the housing unit and can confirm that his laptop is broken. It was an unfortunate incident where it was accidentally dropped.”

Given the June 13, 2022 trial date, we have ordered him a new computer, and the BOP, government, and defense team are working to resolve this matter as quickly as possible. We do not seek any relief from the Court at this time.

Only, as I previously noted, that’s not what happened to the laptop, at all. When DOJ’s tech people examined the laptop, it just needed to be charged. As they were assessing it, though, they discovered he had a 15GB encrypted partition on the laptop and had been trying to use wireless capabilities.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS1 had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovered an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop.

1 The BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS settings can determine, for example, whether external ports and wireless capabilities are enabled or disabled.

This had all the markings of a hacker — someone who had once envisioned launching a cyberattack as part of his information war from jail — trying to prepare just such an attack.

Weeks later, during the trial, the government intimated that they might punish Schulte for that stunt, but were just trying to get through trial.

We have not taken any action in response to that, because we’re in the middle of trial and we’re loath to do things that would disrupt the trial at this point.

Along the way, though, Schulte’s laptop access continued to grow — for perfectly justifiable reasons tied to the trial, but which appears to have resulted in the discovery laptop (the one with the encrypted partition that he had apparently tried to access WiFi on) being in the same place as a second exhibit laptop, perhaps the very laptop originally intended to replace the one that wasn’t really broken at all. On June 13, Judge Furman ordered the Marshals to let Schulte keep his laptop at breaks. On June 15, Schulte got Furman to order the Marshals to let him use his second laptop, “just like the discovery laptop.”

MR. SCHULTE: OK. So the first thing is I think the marshals just need permission or authorization from you for me to be able to use the second laptop for my exhibits.

THE COURT: Use in the courtroom?

MR. SCHULTE: Yeah, be able to access and use it like I use the other. I think there was a court order for me to be able to use this laptop so they need authorization from you for me to use the second laptop.

THE COURT: And the second laptop is something that standby counsel procured? What is it?

MR. SCHULTE: Yes.

THE COURT: Any objection, Mr. Denton? Any concerns?

MR. DENTON: I think as long as it is something that’s used just here in the courtroom, that’s fine, your Honor. I think to the extent that it was going with the defendant anywhere else other than the courtroom, we would want to make sure that we applied the same security procedures that were applied to his original laptop.

THE COURT: Is it just to be used in this courtroom?

MR. SCHULTE: Yes. That’s correct. It is being locked, I think, in the FBI marshal’s room by the SCIF.

On June 17, Schulte asked Furman to issue a specific order to MDC to ensure he’d be able to “go to the law library and access the laptop.” Again, these are generally understandable accommodations for a defendant going pro se. But they may have placed his discovery laptop (normally used in MDC in Brooklyn) in close proximity to his exhibit laptop used outside of a SCIF in Manhattan.

With that in the background, on June 24, prosecutors described that just days earlier, Schulte had provided them code he wanted to introduce as an exhibit at trial. There were evidentiary problems — this was a defendant representing himself trying to introduce his own writing without taking the stand — but the real issue was his admission he was writing (very rudimentary) code on his laptop. As part of that explanation, the government also claimed that MDC had found Schulte tampering with the law library computer.

The third, however, and most sort of problematic category are the items that were marked as defense exhibits 1210 and 1211, which is code and then a compiled executable program of that code that appear to have been written by the defendant. That raises an evidentiary concern in the sense that those are essentially his own statements, which he’s not entitled to offer but, separately, to us, raises a substantial security concern of how the defendant was able to, first, write but, more significantly, compile code into an executable program on his laptop.

You know, your Honor, we have accepted a continuing expansion of the defendant’s use of a laptop that was originally provided for the purpose of reviewing discovery, but to us, this is really a bridge too far in terms of security concerns, particularly in light of the issues uncovered during the last issue with his laptop and the concerns that the MDC has raised to us about tampering with the law library computer. We have not taken any action in response to that, because we’re in the middle of trial and we’re loath to do things that would disrupt the trial at this point. The fact that defendant is compiling executable code on his laptop raises a substantial concern for us separate from the evidentiary objections we have to its introduction.

THE COURT: OK. Maybe this is better addressed to Mr. Schulte, but I don’t even understand what the third category would be offered for, how it would be offered, what it would be offered for.

MR. DENTON: As best we can tell, it is a program to change the time stamps on a file, which I suppose would be introduced to show that such a thing is possible. I don’t know. We were only provided with it on Tuesday. Again, we think there are obvious issues with its admissibility separate and apart from its relevance, but like I said, for us, it also raises the security concern that we wanted to bring to the Court’s attention.

[snip]

MR. SCHULTE: But for the code, the government produced lots of source code in discovery, and this specific file is, like, ten, ten lines of source code as well as —

THE COURT: Where does it come from? Did you write it?

MR. SCHULTE: Yes, I wrote it. That’s correct.

Schulte didn’t end up introducing the script he wrote. Instead, he asked forensics expert Patrick Leedom if he knew that Schulte had used the “touch” command in malware to alter file times.

Q. Do you know about the Linux touch command?

A. Yes.

Q. This command can be used to change file times, right?

A. Yes, it can.

Q. That includes access times, right?

A. Yes.

Q. And from reviewing my workstation, you know that I developed Linux malware tools for the CIA, right?

A. I know you worked on a few tools. I don’t know if they were Linux-specific or not, but —

Q. And you knew from that that I wrote malware that specifically used the touch command to change file times, right?

In the end, then, it turned out to be just one of many instances during the trial where Schulte raised the various kinds of malware he had written to hide his tracks, infect laptops, and jump air gaps, instances that appeared amidst testimony — from that same jail informant, Carlos Betances — that Schulte had planned to launch some kind of key event in his information war from the (MCC) law library.

Q. That we — you testified that we were going to do something really big and needed to go to the law library, right?

A. You were paying $200 to my friend named Flaco to go to the library, yes.

Q. I paid someone money?

A. No. They were paying. And Flaco refused to take it downstairs. And the only option left was that they had to go down and take it themselves.

Q. OK. So Omar offered to pay money for Flaco to take some phone down, right?

A. That’s not how Flaco told me. That’s not the way Flaco described it. He said that both of them were offering him money.

Q. All right. But there were cameras in the law library, correct?

THE INTERPRETER: I’m sorry. Can you repeat the question?

Q. There were cameras in the law library, correct?

A. I don’t know.

Q. OK. But your testimony on direct was that me and Omar needed to send some information from the phone, right?

A. Let me explain it to you again. Not information. It’s that you had to do something in the, in the library. That’s what I testified about.

Q. OK. What did I have to do in the law library, according to you?

A. Well, you’re very smart. You must know the question. There was something down there that you wanted to use that you couldn’t use upstairs.

Q. OK. You also testified something about a USB drive, right?

A. Yes.

Q. You testified, I believe, that me and Omar wanted a USB device, right?

A. Yeah. You asked me all the time when the drive was going to arrive. When was it coming? When was it coming?

Q. OK. But there were already USB hard drives given to prisoners in the prison, right?

A. Not to my understanding.

Q. You don’t — you never received or saw anyone using a USB drive with their discovery on it?

A. No, because I — no, I hardly ever went down to the law library.

Q. All right. And then you said, you testified that you slipped a note under the guard’s door?

A. Yes.

Q. And that was about, you said something was going to happen in the law library, right?

THE INTERPRETER: Could you repeat the question, please?

MR. SCHULTE: Yes.

Q. You said that the note said something was going to happen in the law library, right?

A. Yes.

Which finally brings us to the Internet Explorer reference. During his cross-examination of FBI Agent Schlessinger on June 30, Schulte attempted to introduce the return from the warrant FBI served on WordPress after discovering Schulte was using the platform to blog from jail. The government objected, which led to an evidentiary discussion after the jury left for the weekend. The evidentiary discussion pertained to how to introduce the exhibit — which was basically his narrative attacking the criminal justice system — without also disclosing the child porn charges against Schulte referenced within them.

Schulte won that discussion. On the next trial day, July 6, Furman ruled for Schulte, and Schulte said he’d just put a document that redacted the references to his child porn and sexual assault charges on a CD to share with the government.

MR. SCHULTE: Yes. I just — if I can get the blank CD from them or something I can just give it to them and they can review it.

But back on June 30, during the evidentiary discussion, Judge Furman suggested that the 80- or 90-page document that the government was looking at was something different than the file he was looking at.

That was surprising to Furman.

So was the fact that his version of the document opened in Internet Explorer.

MR. DENTON: Your Honor, on Exhibit 410 we recognize the Court has reserved judgment on that. I want to put sort of a fourth version in the hopper. At least in the version we are looking at, it is a 94-page 35000-word document. To the extent that the only thing the Court deems admissible is sort of the fact that there were postings that did not contain NDI, we would think it might be more appropriate to stipulate to that fact rather than put, essentially, a giant manifesto in evidence not for the truth. So I want to put that option out there given the scope of the document.

[snip]

MR. DENTON: Understood, your Honor. I think at that point, even if we get past the hearsay and the not for the truth problems, then there is a sort of looming 403 problem in the sense that it is a massive document that is essentially a manifesto offered for a comparatively small point. I think at that point it is risk of confusing the jury and potentially inflaming them if people decide to sit down and to read his entire screed, it significantly outweighs the fairly limited value it serves. But, we recognize the Court has reserved on this so I don’t need to belabor the point now.

THE COURT: Unless I am looking at something different, what I opened as Defendant’s Exhibit 410 — it opened for me in Internet Explorer, for some reason and I didn’t even think Internet Explorer existed anymore — and it does not appear to be 84 pages. So, I don’t even know if I am looking at what is being offered or not. But, let me add another option, which is if the government identifies any particular content in here that it thinks should be excluded under 403, then you are certainly welcome to make that proposal as well in the event that I do decide that it should come in in more or less its entirety with the child porn redacted. And if you think that there is something else that should be redacted pursuant to 403, I will consider that. All right?

MR. DENTON: We will make sure we are looking at the same thing and take a look at it over the weekend, your Honor.

To be clear: The reason this opened in IE for Furman is almost certainly that the document was old — it would date to October 2018 — and came in a proprietary form that Furman’s computer didn’t recognize. So for some reason, his computer opened it in IE.

That said, it’s not clear that the discrepancy on the page numbers in the file was ever addressed. Schulte just spoke to one of the prosecutors and they agreed on how it would be introduced.

And if a developer who had worked on malware in 2016 wanted an infection vector, IE might be one he’d pick. That’s because Microsoft stopped supporting older versions of IE in 2016, the year Schulte left the CIA. And WordPress itself was a ripe target for hacking in 2018. Schulte himself might relish using a Microsoft vector because the expert in the trial, Leedom, has moved on to Microsoft since working as a consultant to the FBI.

I have no idea how alarmed to be about all this. The opinions from experts I’ve asked have ranged from “dated file” to “he’d have to be lucky” to “unlikely but potentially terrifying” to “no no no no!” And Schulte is the kind of guy who lets grudges fester so badly that avenging the grudge becomes more important than all else.

So I wanted to put this out there so smarter people can access the documents directly — and perhaps so technical staff from the courthouse can try to figure out why that document opened in Internet Explorer.

Note: As it did with the first trial, Calyx Institute made the transcripts available. This time, however, they were funded by Germany’s Wau Holland Foundation. WHF board member Andy Müller-Maguhn has been named in WikiLeaks operations and was in the US during some of the rough period when Schulte is alleged to have leaked these documents.

Joshua Schulte Found Guilty on All Counts

The jury has returned guilty verdicts in all nine charges against Joshua Schulte. While I expected guilty verdicts on the revamped CFAA charges, I wasn’t sure about the far more circumstantial Espionage charges. DOJ must be breathing a sigh of relief.

I have no doubt Schulte will appeal. He has been setting up appeals on a Sixth Amendment SAMS challenge and on a Van Buren challenge to the CFAA charges; plus I imagine he’ll challenge some of the instructions and other decisions Judge Jesse Furman made (though I thought Furman was more favorable to Schulte than Paul Crotty before him).

I’m as interested in what happens with WikiLeaks after this.

WikiLeaks has been spamming references to the misleading Yahoo story about the response to WikiLeaks’ publication (and, more importantly, non-publication) of the stolen CIA files. And I know Assange’s US defense attorney has been getting transcripts from the case.

The WikiLeaks team surely recognizes what I have for years: The existing charges against Assange are all teed up to expand the CFAA count to incorporate the Vault 7 release and Vault 8 non-release (and, possibly, WikiLeaks’ role in the 2016 Russian effort). And Schulte was given discovery on an ongoing investigation into what is almost certainly WikiLeaks.

So while this closes the known part of the case against Schulte, it likely represents further headaches for Assange.

Update: SDNY’s statement calls this, straight up, Espionage.

Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history.

Copyright © 2022 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/cybersecurity/