Posts

Joshua Schulte’s Hot and Cold Snowden Views

I’ve been tracking the government’s claims that the Vault 7 leaks “relate” to earlier WikiLeaks leaks — including Chelsea Manning’s and Anonymous‘ — Edward Snowden, and Shadow Brokers.

With respect to Snowden, specifically, in a warrant application submitted in 2017 (PDF 150) the government cited Schulte’s search for a specific Snowden tweet on August 4, 2016, just as he started searching for WikiLeaks information.

In a November filing laying out their theory of the crime, the government cited his searches on WikiLeaks and “related” topics in that same time period.

Around this time, Schulte also began regularly to search for information about WikiLeaks. In the approximately six years leading to August 2016, Schulte had conducted one Google search for WikiLeaks. Beginning on or about August 4, 2016 (approximately three months after he stole the Classified Information), Schulte conducted numerous Google searches for WikiLeaks and related terms and visited hundreds of pages that appear to have resulted from those searches. For example, in addition to searching for information about WikiLeaks and Julian Assange, its primary leader, Schulte also conducted searches using the search terms “narcissist snowden,” “wikileaks code,” “wikileaks 2017,” “shadow brokers,” and “shadow broker’s auction bitcoin.” “Snowden” was presumably a reference to Edward Snowden, the former NSA contractor who disclosed information about a purported NSA surveillance program, and “Shadow Brokers” was a reference to a group of hackers who disclosed online computer code that they purportedly obtained from the NSA, beginning in or about August 2016. Indeed, in contrast to the period before August 4, 2016, between that date and March 2017 (when the first of the Leaks occurred), Schulte conducted searches for Wikileaks and related information on at least 30 separate days.

Many of these searches, particularly the Snowden ones, could have been innocuous.

When Schulte’s lawyers tried to complain that Paul Rosenzweig’s inclusion of Manning, Anonymous, and Snowden in his expert testimony on WikiLeaks falsely assumed that Schulte knew of those earlier leaks, the government revealed that in contemporaneous chats, Schulte had commented on both Manning and Snowden.

Moreover, even setting aside the dubious assertion that a member of the U.S. intelligence community could have been completely unaware of WikiLeaks’ serial disclosures of classified and sensitive information and the resulting harm, the Government’s proof at trial will include evidence that the defendant himself was well aware of WikiLeaks’ actions and the harms it caused. For example, WikiLeaks began to disclose classified information Manning provided to the organization beginning in or about April 2010, including purported information about the United States’ activities in Afghanistan. In electronic chats stored on the defendant’s server, the defendant discussed these disclosures. For example, on August 10, 2010, the defendant wrote in a chat “you didn’t read the wikileaks documents did you?” and, after that “al qaeda still has a lot of control in Afghanistan.” In addition, on October 18, 2010, the defendant had another exchange in which he discussed Manning’s disclosures, including the fact that the information provided was classified, came from U.S. military holdings, and that (according to the defendant) it was easy for Manning to steal the classified information and provide it to WikiLeaks. Similarly, in a June 9, 2013 exchange, the defendant compared Manning to Edward Snowden, the contractor who leaked classified information from the National Security Agency, and stated, in substance and in part, that Snowden, unlike Manning, “didnt endanger in [sic] people.”

As I noted, that exchange the very day Snowden came forward might suggest Schulte had a much less critical view of Snowden’s leak than Manning’s.

But that’s not what he told his former CIA colleague, who testified this week under the pseudonym Jeremy Weber. To Weber, Schulte condemned Snowden’s behavior in the strongest terms, arguing Snowden was a traitor who should be executed.

A. I don’t believe so, no.

Q. You don’t remember him ever discussing leakers with you?

A. I, I do remember talking about leakers.

Q. Okay. What do you recall?

A. There was discussion around Snowden.

Q. Okay. And?

A. Schulte felt that Snowden was a — had betrayed his country.

Q. That doesn’t, you know, he seems to have strong opinions on everything. You sure he didn’t say more?

A. He probably would have call him a traitor. Said he should be executed for sure. I don’t remember specific verbiage, but he did express his typical strong opinions.

Q. Right. Then he had those same opinions about Chelsea Manning, correct?

A. Possibly. I don’t remember conversations about Chelsea Manning.

Q. And when he was talking about Snowden, it was clear to you that he strongly believed in the mission of the CIA, correct?

A. Yes.

Q. And he strongly believed that you should do nothing against America, correct?

A. Yes.

Q. And he thought Snowden should be executed, correct?

A. I believe I recall specifically him saying that.

Remarkably, Schulte’s lawyer Sabrina Shroff didn’t seem to expect this answer, even though she made much of the prior interviews Weber had had with what she called prosecutors, but which instead probably reflects having gotten 16 302s for Weber, many of them probably interviews with just FBI agents conducting early interviews as part of the investigation.

Q. You met with each one of these prosecutors, correct?

A. I don’t know if I talked to all of them, but, yes.

Q. You’ve talked to them somewhere between 11 and 15 times?

A. I have no idea what the number was.

Q. March 22, 2017, March 27, April 5, May 8th, May 22, June 1st, August 31. This was all in 2017.

A. Okay.

Q. Do you have any idea how many hours you spent with them in 2017?

A. No, I don’t.

Q. 2018, you met with them on January 12, June 1st, June 11, August 6, November 12, December 12, Any idea how many hours you spent with them?

MR. LAROCHE: Objection.

A. No.

THE COURT: Overruled.

Q. Then you met with them in January. Correct?

A. Yes.

Q. January 14, January 21, and January 29. Correct?

A. Possibly, yes.

Still, if Shroff has 16 302s from Weber and she didn’t know how he would answer this question, whether he and Schulte had ever spoken about Snowden’s leaks, it suggests the FBI and prosecutors never thought to ask someone who had worked side by side with Schulte for 6 years, starting around the same time as the Manning leaks and continuing through the Snowden leaks. Which is pretty remarkable.

The government responded by getting Weber to read from Schulte’s prison notebook where he seemingly advocated for sending top secret documents to WikiLeaks.

Q. Can you please read what the defendant wrote here?

A. “This is a huge wake-up call to U.S. intelligence officers. The Constitution you fight to defend will be” —

MS. SHROFF: Denied.

A. — “denied to you if, God forbid, you are ever accused of a crime. If your government has no allegiance in you, why do you have any allegiance towards your government or associates provided info to the NYT.”

MR. LAROCHE: Can we go up to the next, to the top of this page, please.

Q. Again, is this the defendant’s handwriting?

A. Yes.

Q. Can you please read what the defendant wrote?

A. “Your service in” — defense, maybe, “in” — I don’t recognize that word — “security investigations and pristine criminal history can’t even get you bail. As Joshua Schulte has said, you are denied a presumption of innocence. Ironic, you do your country’s dirty work, but when you — when your country accuses you of a crime, you are arrested and presumed guilty. And” — I don’t — “and” something, “your service. Send all of your secrets here: WikiLeaks.”

The chats from 2013 are not yet in evidence, so the government simply relied on what they had already entered with Weber based off his familiarity with Schulte’s handwriting.

But Shroff will — and already has — argued that you can’t argue the views Schulte expressed after he had been in jail for months were the same ones that motivated his actions in 2016, when he allegedly stole all these files. Weber couldn’t place his conversations about Snowden in time, so his views could have also changed before he leaked the files. But the 2018 prison notebooks cannot be said to reflect Schulte’s views in 2016.

The government seems intent on using Snowden et al to prove a level of mens rea that’s more than they need to prove to get convictions on the Espionage Act charges — that Schulte intended to do harm rather than had reason to know, based off his understanding of classification and the import of those hacking tools, that it would do harm. The varying things Schulte has said about Snowden and others may or may not support that, at least for the Espionage charges tied to the 2016 leaks.

That said, if and when Schulte is sentenced for all this, the testimony that he once claimed to believe leakers like Snowden should be executed may not help him avoid a life sentence.

Calyx Institute has generously funded obtaining these Schulte trial transcripts. Please consider a tax deductible donation to support that effort.

“What is the root user?” Joshua Schulte Set Up the Shared “root” Password He’ll Use in His Defense

In a full day of testimony yesterday, one of Joshua Schulte’s former colleagues, testifying under the name Jeremy Weber (which may be a pseudonym of a pseudonym under the protective order imposed for the trial) introduced a ton of detail about how the engineering group he and Schulte worked in was set up bureaucratically, how the servers were set up, and how relations between Schulte and the rest of the group started to go south in the months and weeks leading up to the date when, the government alleges, he stole CIA’s hacking tools. He also described how devastating the leak was for the CIA.

In that testimony, the government began to lay out their theory of the case: When Schulte lost SysAdmin access to the servers hosting the malware they were working on — and the same day the unit announced they’d soon be moving the last server to which Schulte had administrator privileges under the official SysAdmin group — Schulte went back to the back-up file of the server from the day the fight started blowing up, March 3, 2016, and made a copy of it.

But the government also started previewing what will likely be Schulte’s defense: that some of these servers were available via a shared root password accessible to anyone in their group.

Prosecutor Matthew LaRoche walked Weber through a description of how a “root” user for the ESXi server was used.

Q. What is the root user?

A. The root user, in this situation, “root” was kind of Linux term for the administrative account on the machine, like the default administrator account.

Q. You also mentioned there was a password for the ESXi server?

A. That’s correct.

Q. Was that password stored anywhere?

A. Yes, it was.

Q. Where?

A. It was stored on OSB’s passwords page for some of our services.

Q. What do you mean by OSB’s passwords page?

A. OSB had a lot of virtual machines outside of the Atlassian products that had passwords on them solely because the technology required to have a password and not for security practices, so that — these were often like test machines, and these passwords we kept on a page so that if somebody was leveraging that VM they would have the credentials they needed to log in to it.

Q. Where was that passwords page located?

A. Confluence.

Q. Was it restricted in any way?

A. It was.

Q. How?

A. It was to OSB.

This detail has been public since WikiLeaks first published the documents. I pointed it out here:

Among the pages that got exposed in this week’s Wikileaks dumps of CIA’s hacking tools was a page of Operational Support Branch passwords. For some time the page showed the root password for the network they used for development purposes.

These passwords, as well as one (“password”) for another part of their server, were available on the network site as well.

Throughout the period of updates, it included a meme joking about setting your password to Incorrect.

[snip]

A discussion ensued about what a bad security practice this was.

2015-01-30 14:30 [User #14588054]:

Am I the only one who looked at this page and thought, “I wonder if security would have a heart attack if they saw this.”?

2015-01-30 14:50 [User #7995631]:

Its locked down to the OSB group… idk if that helps.

2015-01-30 15:10 [User #14588054]:

I noticed, but I still cringed when I first saw the page.

I have no idea whether these passwords exacerbated CIA’s exposure. The early 2015 discussion happened well before — at least as we currently understand it — the compromise that led to Wikileaks’ obtaining the files.

It turns out that Schulte himself moved this password onto the ESXi passwords page on or before March 31, 2015, almost a year before he allegedly stole the files.

MR. LAROCHE: Ms. Hurst, can you please publish Government Exhibit 1003, and please just zoom in on the top of the email, the to-from.

Q. Is this another email from the CIA, Mr. Weber?

A. Yes, it is.

Q. When was this email sent?

A. It was sent on March 31, 2015, at 8:20 p.m.

Q. Who sent it?

A. It was sent by Josh Schulte.

Q. Who was it sent to?

A. It was sent to the OSB email group.

Q. How do you know that?

A. The string NCS-IOC-EDG-AED-OSB is a user group and it’s explicit in its naming. NCS was in the org chart above IOC, the rest of those are the groups that we have previously talked about.

Q. It’s a lot of acronyms.

A. It is.

Q. Below that, what’s the subject line?

A. OSB.DevLAN.net VM credentials.

Q. What’s OSB.DevLAN.net?

A. That was the OSB ESXi server.

MR. LAROCHE: Ms. Hurst, if you could please zoom out and then on to the text of the email.

Q. Can you read the first sentence, please?

A. “I’ve modified the OSB’s ESXi server page to contain the passwords and other information directly instead of through the OSB’s passwords page; also updated the permissions to be restricted to everyone outside of OSB.”

Q. Do you understand what he’s referring to by OSB’s ESXi server page?

A. Yes.

Q. What’s he referring to?

A. It was a second page created later to contain information specifically to the ESXi server and the administration of that.

Q. And do you understand what he means by updated the permissions to be restricted to everyone outside of OSB?

A. This was him saying that only people within the OSB — within OSB would have access to read this page.

Q. Now, is this the same ESXi server that as of 2015 was running Confluence and Bamboo?

A. Yes, it was.

I think this is what that page would have looked like, in part, in the March 3, 2016 files, with the same root password set to “mysweetsummer:”

Schulte will eventually argue that he not only recognized that this arrangement — which he set up, per this email — was insecure, but that he warned people about it repeatedly. Weber says that didn’t happen, because if Schulte had complained, he would have told Schulte to fix it.

Q. Are you sure that the defendant never made any complaints that DevLAN was vulnerable to theft?

A. Yes.

Q. Why?

MS. SHROFF: Objection.

THE COURT: Overruled.

A. If he had complained to me about the Atlassian products being vulnerable to theft, I would have told him to fix it. The Atlassian products were our responsibility, and if he had highlighted an issue with that, I would have made it our primary focus to fix that.

The government has already begun showing forensics suggesting the files were stolen via other means.

More importantly, they showed that if Schulte thought the shared root password was insecure, he’s got no one but himself to blame for it.

It’s certainly possible he will point to things he’ll argue are proof that he raised concerns about this arrangement — rather than just joking about it on the development pages (it won’t take too long before we learn which numbered ID WikiLeaks used for Schulte). But there’s already evidence that he’s the one who set it up that way.

Calyx Institute has generously sprung for Schulte transcripts. If you’d like to support the effort, you can make a tax deductible donation to them here.