
How Did Reality Winner Know to Look for the Russian Hack Document?

There’s a detail about the Reality Winner case that I’ve been thinking about. She appears to have known to look for the report she ultimately leaked to The Intercept. From the SW affidavit:

On or about May 9, 2017, four days after the publication of the classified report, WINNER conducted searches on the U.S. Government Agency’s classified system for certain search terms, which led WINNER to identify the intelligence reporting. On or about May 9, 2017, WINNER also printed the intelligence reporting. A review of WINNER’S computer history revealed she did not print any other intelligence report in May 2017.

And the complaint:

On June 3, 2017, your affiant spoke to WINNER at her home in Augusta, Georgia. During that conversation, WINNER admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a “need to know,” and with knowledge that the intelligence reporting was classified.

So days after a report for which she didn’t have the need to know was completed, she knew the search terms to use to find it.

How did she learn about it?

I assume she heard about it from chatter among colleagues (I wonder whether anyone else who didn’t have a need to know searched for the report as well, perhaps only to read it to leak its substance?). But I find it striking that a somewhat innocuous report generated enough chatter for her to go looking for it.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Sources for Some Russian Voting Hack Stories Will Not Be Prosecuted

Yesterday, former Homeland Security Secretary Jeh Johnson spent 90 minutes meeting with the Senate Intelligence Committee’s Russian investigators.

Today, Bloomberg reports that Russian probes of election-related targets were far more extensive than previously reported, reaching into 39 states. It relies on three unnamed sources for the story, either including, or in addition to, at least one former senior US official.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

[snip]

Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.

[snip]

One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks. [my emphasis]

The report also uses the document allegedly leaked by Reality Winner as corroboration and confirmation of one of the companies targeted, rather curiously included as a parenthetical comment.

(An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

The Bloomberg story is critically important, as it should provide pressure on the Republicans for real protections for voting systems, even if they’ll probably ignore that pressure. It provides far more details than the Winner document did. That said, much of this information might come out formally in Jeh Johnson’s testimony before the House Intelligence Committee.

I raise all this to note that the treatment of Bloomberg’s sources will be dramatically different than that of Winner. I’d bet there won’t even be a referral for this story, especially if it relies on (as is likely) information shared by people protected by the speech and debate clause and/or people who might have been original classification authorities (OCAs — the people who get to decide whether something is classified or not) for this information in the past.

Perhaps that is as it should be. Perhaps our democracy has unofficially agreed that OCAs and congressional staffers should serve as kind of a relief valve, the place where classified information may be leaked without criminal penalty. Perhaps we believe those kinds of people have a better read on whether the interests of leaking outweigh the sensitivity of an issue. Though obviously, when OCAs like David Petraeus become impossible to punish (or former SSCI staff director Bill Duhnke, who was the FBI’s primary suspect for the Merlin leak, but who was protected by the Senate’s refusal to cooperate), that creates a profoundly unequal system of justice. Reality Winner can be prosecuted even while people leaking similar — perhaps even more sensitive — information within weeks might not even be investigated.

To be clear, I don’t want Bloomberg’s sources to be investigated. But we need to acknowledge the double standards for leakers in this country.


Which Was a More Sensitive Open Secret Revealed as a Result of the Reality Winner Story: Details on Russian Hacks of Voting Equipment, or Invisible Printer Dots?

Mr. EW doesn’t follow my work all that closely. He’s most apt to read something I wrote if it gets cited in TechDirt, a fact that occasionally makes me fantasize about getting Mike Masnick to publish secret messages about fixing leaky toilets or broken screen doors.

So I was pretty interested in Mr. EW’s take on the Reality Winner story. He believes, as many people do, that Winner was caught using the printer dot technology that Rob Graham laid out here.

I don’t doubt that the FBI or NSA used the printer dot technology to confirm that they had gotten the right person before they charged Winner. But it’s not mentioned at all in DOJ’s narrative of how they caught Winner (who, remember, pled not guilty even though she confessed to the FBI). They cite the following steps (search warrant affidavit, complaint affidavit):

  1. May 30: The Intercept contacts NSA and provides a copy of the document. NSA confirms for itself that it is real and classified.
  2. June 1: NSA makes a leak referral to the FBI.
  3. Undated:
    1. NSA notes that the document has been folded, suggesting it had been printed out.
    2. NSA checks who has accessed and printed the document.
    3. NSA checks the work computers of the six people who have printed the document, including Winner.
    4. NSA finds a direct email, from March, from Winner’s work computer to The Intercept using her personal Gmail account pertaining to TI’s podcast.
  4. June 1: For the second time, The Intercept contacts a contractor to validate the document (he or she had told them it was fake on May 24), telling the contractor that the NSA has confirmed its authenticity. The contractor provided a document number to The Intercept, and on the same day, the contractor informed the NSA about the May 24 and June 1 interactions, probably also passing on the detail that the document had been sent from Augusta, GA.
  5. June 2: FBI verifies Winner’s residence for a search warrant.
  6. June 3: FBI interviews Winner, who admits to “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia.”

Winner was arrested on June 3; her arrest was unsealed on June 5, just after The Intercept published the document.

On June 5, Graham posted a piece explaining how the hidden dots on the hard copy of the document would have told NSA that the document had been printed out on May 9, making it even easier for the NSA to pinpoint who had printed out the document.

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

As I explained to Mr. EW last night, nothing in the official record says the NSA used this hidden dot technology in its hunt for the leaker. I explained that while my friends started talking about the hidden dots almost immediately, there was nothing in the public record about it.

Clearly, the government didn’t exactly want that detail to become public (nor, no doubt, a number of other investigative methods, presumably including at a minimum checks on the non-government computer communications of the six people who printed out the document, and potentially also a check of postal records).

Yet, as a result of the reporting on this, people like Mr. EW not only know about the dot technology, but believe it was the key factor in identifying Winner. If they follow Rob Graham closely, they’ll also know that (in response to my question) another presumed leaker to The Intercept had managed to pass on a printed (and frankly far more important leaked) document — FBI’s Domestic Investigations and Operations Guide — without including the telltale dots (I told Mr. EW about the follow-up but he’s more likely to read it if TechDirt links so…). So they would have learned that the dots are an operational security issue, but that there are ways, as yet publicly unknown, to mitigate that problem.
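To make concrete how much a page of yellow dots can carry, and why a single smudged or missing dot still leaves the printer fingerprint intact, here is a small encoder/decoder for a DocuColor-style 8×15 tracking-dot grid. This is an added example for this page, not code from the post or from Rob Graham’s write-up. The column layout (minute, hour, day, month, year, serial number) follows the EFF’s published DocuColor decoding notes and is an assumption here; other vendors use other grids, and the “model” column, the digit order of the serial number and the parity rule are modelled for illustration rather than verified against a real printout. The sample values are the ones Graham reported (serial 29535218, 9 May 2017, 6:20, model 54); the grid built from them is constructed.

```python
"""
DocuColor-style printer tracking-dot grid: encode, parity-check, decode.

Added example, not the post's or Rob Graham's code. The field layout below
follows the EFF's DocuColor decoding notes and is an ASSUMPTION: other
printer vendors use other grids, and the "model" column, serial-digit order
and parity rule are modelled for illustration, not verified on a printout.
"""
from dataclasses import dataclass

ROWS, COLS = 8, 15                  # the classic 8-row x 15-column grid
# 1-indexed columns; row 1 and column 1 are parity, rows 2-8 hold 7 data bits
COL_MINUTE, COL_HOUR, COL_DAY, COL_MONTH, COL_YEAR = 2, 5, 6, 7, 8
COL_SERIAL = (11, 12, 13, 14)       # two decimal digits per column, assumed MSD first
COL_MODEL = 15                      # hypothetical: where a "model number" would live


@dataclass(frozen=True)
class Stamp:
    serial: int   # eight-digit printer serial
    year: int     # two-digit year
    month: int
    day: int
    hour: int
    minute: int
    model: int


def _put(grid, col, value):
    """Write a 7-bit value into rows 2-8 of a column, MSB at the top."""
    if not 0 <= value < 128:
        raise ValueError(f"{value} does not fit in 7 bits")
    for i in range(7):
        grid[1 + i][col - 1] = bool((value >> (6 - i)) & 1)


def _get(grid, col):
    value = 0
    for i in range(7):
        value = (value << 1) | int(grid[1 + i][col - 1])
    return value


def _set_parity(grid):
    """Row 1 makes every data column odd; column 1 makes every row odd."""
    for c in range(1, COLS):
        grid[0][c] = sum(grid[r][c] for r in range(1, ROWS)) % 2 == 0
    for r in range(ROWS):
        grid[r][0] = sum(grid[r][1:]) % 2 == 0
    return grid


def encode(stamp):
    grid = [[False] * COLS for _ in range(ROWS)]
    for col, value in ((COL_MINUTE, stamp.minute), (COL_HOUR, stamp.hour),
                       (COL_DAY, stamp.day), (COL_MONTH, stamp.month),
                       (COL_YEAR, stamp.year), (COL_MODEL, stamp.model)):
        _put(grid, col, value)
    digits = f"{stamp.serial:08d}"
    for col, i in zip(COL_SERIAL, range(0, 8, 2)):
        _put(grid, col, int(digits[i:i + 2]))
    return _set_parity(grid)


def parity_errors(grid):
    """Names of columns/rows whose dot count is even (damaged or misread)."""
    bad = [f"col{c + 1}" for c in range(1, COLS)
           if sum(grid[r][c] for r in range(ROWS)) % 2 == 0]
    bad += [f"row{r + 1}" for r in range(ROWS) if sum(grid[r]) % 2 == 0]
    return bad


def decode(grid):
    bad = parity_errors(grid)
    if bad:
        raise ValueError("parity failure at " + ", ".join(bad))
    serial = int("".join(f"{_get(grid, c):02d}" for c in COL_SERIAL))
    return Stamp(serial=serial, year=_get(grid, COL_YEAR), month=_get(grid, COL_MONTH),
                 day=_get(grid, COL_DAY), hour=_get(grid, COL_HOUR),
                 minute=_get(grid, COL_MINUTE), model=_get(grid, COL_MODEL))


def render(grid):
    """ASCII picture of the grid: 'o' for a yellow dot, '.' for none."""
    return "\n".join("".join("o" if cell else "." for cell in row) for row in grid)


def parse(text):
    """Inverse of render(): what you would type after reading a scan by hand."""
    grid = [[ch == "o" for ch in line.strip()] for line in text.strip().splitlines()]
    if len(grid) != ROWS or any(len(row) != COLS for row in grid):
        raise ValueError("expected an 8x15 grid")
    return grid


# Constructed sample: the values Graham reported for the leaked printout
# (serial 29535218, 9 May 2017, 06:20, "model" 54); the grid itself is ours.
SAMPLE = Stamp(serial=29535218, year=17, month=5, day=9, hour=6, minute=20, model=54)

if __name__ == "__main__":
    grid = encode(SAMPLE)
    print(render(grid))
    print(decode(parse(render(grid))))
```

The practical point is the parity rows: a grid read off a scan with one dot wrong fails `parity_errors`, so an investigator knows to re-scan rather than trust a mangled serial, and a leaker cannot “break” the fingerprint by scrubbing a dot or two. The DIOG case the post mentions is the other kind of mitigation: a printout with no grid at all, which this decoder would reject at `parse` because there is nothing to read.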

As I’ve stated several times, while the document Winner leaked to The Intercept provides new details about Russian attempts to hack the election, it simply adds to the widely known narrative already in the public (though the redacted details would no doubt be even more interesting). The secret dots though! — that was news to most people (including me).

Which secret do you think the government is most grumpy about having been made public?


Reality Winner Appears to Have Already Leaked “Documents” Plural

There appears to be a misunderstanding about details revealed at the bail hearing for Reality Winner last week, where Magistrate Judge Brian Epps denied her bail. Epps did so because she allegedly said she wanted to burn the White House down and because prosecutor Jennifer Solari — who sounds like she made some pretty inflated claims — suggested Winner might have more to leak. There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things. First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winner might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents.

While the Intercept article describes a document, singular, what they actually appear to have gotten are two documents — the report on the Russian hacking, and one page of a two-page document laying out the hacks. The Intercept calls the second document “an overview chart.”

But the “chart” actually has its own separate pagination (indeed, its own separate pagination format). The “document” paginates by page number, whereas the “chart” paginates by pages out of total.

Moreover, the “chart” also uses a different title than the report.

That’s not to say they’re not related. It’s just to say that we already appear to have documents, plural, from Winner.

Moreover, are we really led to believe that 3 years after Edward Snowden succeeded in loading a bunch of documents onto a flash drive because he was in a remote facility where insider threat programs hadn’t yet been fully implemented, had SysAdmin access, and had pulled some strings to retain an outdated computer that had a port, a translator in an NSA or other military facility could use a flash drive without a very close accounting of what she downloaded?

Mind you, her attorney should have argued as much in the detention hearing if Winner really thinks these are multiple documents. But it appears they are.
