Maddow’s Forgery and Mistaken Timing

Much of Rachel Maddow’s reporting on the Russian scandal has been overly drawn out and breathless. But you should watch this piece (which is not only overly drawn out and breathless, but doesn’t emphasize the most important point).

Rachel describes how, on June 7, her tip line received a smoking gun document, appearing to be a Top Secret NSA document, laying out collusion between a Trump campaign official she doesn’t name (I’m going to wildarseguess, for a lot of reasons, it is Mike Flynn) and the Russians who hacked the election. She describes multiple reasons her team determined the document to be a fake: some misspellings, a declassification date that is wrong, some spacing weirdness, and that the campaign official is actually named, rather than masked as US Citizen 1.

But she also describes how the printer dots and a seeming crease on the document appear to replicate those that appear in the document Reality Winner is alleged to have provided to the Intercept.

Which is interesting, because as she shows about 14 minutes in (but doesn’t emphasize enough), the document sent to her tip line appears to have been created between the time Reality Winner went to jail and the time the Intercept published the document (unless I missed it, she doesn’t say precisely when they got the document, just that it was the same week as the Intercept published it Update: Corrected above). The creation date appears to be three and a half hours before the publication date at the Intercept. [Update: but not the creation date for the document, see below.]

Rachel surmises, correctly, I think, that the person sent the document both to discredit her own reporting (in much the same way reliance on fake documents discredited Dan Rather’s reporting of George Bush’s real Air National Guard scandal) as well as to discredit the notion that the Trump campaign, and the person named in particular, colluded with the Russians. This was an attempt to undercut potentially real news with deliberately faked news, fed through a selected outlet.

That would mean one of two things. Either the person who created the document faked the metadata (or created the document from Alaska or someplace west of there). Or the person received a copy of the very same document, including the crease, either from Reality Winner or from the Intercept or one of their sources, and then used it as a template to create a fake NSA document (or had visibility into the FBI’s investigation about this document). If it’s the latter, then the number of people who might be involved is rather small.

I’ve suggested there are reasons to wonder whether Winner was directed towards this document. I’d say there are more questions now about whether that’s the case.

Update: as PaulMD notes on Twitter, the document Rachel received actually has the very same creation time as the document the Intercept uploaded.

Update: Glenn Greenwald is pretty pissed about Rachel’s insinuations.

Update: Changed the title given the mistaken timing in the Rachel story.

The Complexities of Reality Winner’s Case

I suggested in this post that some of the coverage of Reality Winner’s arraignment was less than stellar.

Case in point: I didn’t see any reporting of the hearing that the government had moved to declare her case complex because they intended to use the Classified Information Procedures Act (CIPA, which governs how the government uses or substitutes classified information to be used in a trial); Winner’s attorney did not object. The court formally approved that on June 14. Then, on June 19, the government moved for a CIPA pretrial conference, which (credit where due) the Augusta press covered on Friday.

Perhaps this is just formality. At the end of its CIPA motion, the government refers to the “fast-moving nature of this case” even while admitting that it may not need some (or most?) of the CIPA procedures it had just laid out.

Given that this investigation concerns the disclosure of classified material and that the government’s evidence includes classified information, the government respectfully moves for a pretrial conference, pursuant to Section 2 of CIPA, to establish a discovery and motion schedule relating to any classified information. The government notes that some of the CIPA sections outlined above may not be invoked or need to be addressed.

Further, dependent upon future events and potential pretrial resolutions and proceedings, there may be no need for hearings pursuant to CIPA. Because of the fast-moving nature of this case, the precise amount of classified information that may be discoverable or used as evidence is still being determined.

Claims of thumb drives inserted into Air Force computers last year notwithstanding, on its face, this appears to be a cut-and-dry case: out of a pool of six potential leakers, one — Winner — has already confessed to the FBI. So perhaps the government is just doing this to ensure it has a Court Information Security Officer involved and a hefty protection order imposed on Winner’s defense team.

But in the same motion, the government makes it clear that it collected classified material beyond the document that Winner is alleged to have leaked to The Intercept.

The indictment in this case charges the defendant with unlawfully retaining and transmitting classified national defense information in violation of 18 U.S.C. § 793(e). Classified material, including but not limited to the document which the defendant is charged with unlawfully retaining and transmitting, was collected as part of the underlying investigation and will be the subject of certain procedures set forth in CIPA, as well as in other applicable rules, statutes, and case law. The disclosure of such material will raise issues of national security that the Court must address before the material is provided to the defense. [my emphasis]

That might just refer to data the NSA and FBI used to hone in on Winner. Or it may mean there’s more to the case than meets the eye.

And whatever that is will remain out of eyesight, behind CIPA.

How Did Reality Winner Know to Look for the Russian Hack Document?

There’s a detail about the Reality Winner case that I’ve been thinking about. She appears to have known to look for the report she ultimately leaked to The Intercept. From the SW affidavit:

On or about May 9. 2017. four days after the publication of the classified report, WINNER conducted searches on the U.S. Government Agency’s classified system for certain search terms, which led WINNER to identify the intelligence reporting. On or about May 9, 2017, WINNER also printed the intelligence reporting. A review of WINNER’S computer history revealed she did not print any other intelligence report in May 2017.

And the complaint:

On June 3, 2017, your affiant spoke to WINNER at her home in Augusta, Georgia. During that conversation, WINNER admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a “need to know,” and with knowledge that the intelligence reporting was classified.

So days after a report for which she didn’t have the need to know was completed, she knew the search terms to use to find it.

How did she learn about it?

I assume she heard about it from chatter among colleagues (I wonder whether anyone else who didn’t have a need to know searched for the report as well, perhaps only to read it to leak its substance?). But I find it striking that a somewhat innocuous report generated enough chatter for her to go looking for it.

The Sources for Some Russian Voting Hack Stories Will Not Be Prosecuted

Yesterday, former Homeland Security Secretary Jeh Johnson spent 90 minutes meeting with the Senate Intelligence Committee’s Russian investigators.

Today, Bloomberg reports that Russian probes of election-related targets was far more extensive than previously reported, reaching into 39 states. It relies on three unnamed sources for the story, either including, or in addition to, at least one former senior US official.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.


Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.


One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks. [my emphasis]

The report also uses the document allegedly leaked by Reality Winner as corroboration and confirmation of one of the companies targeted, rather curiously included as a parenthetical comment.

(An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

The Bloomberg story is critically important, as it should provide pressure on the Republicans for real protections for voting systems, even if they’ll probably ignore that pressure. It provides far more details than the Winner document did. That said, much of this information might come out formally in Jeh Johnson testimony before the House Intelligence Committee.

I raise all this to note that the treatment of Bloomberg’s sources will be dramatically different than that of Winner. I’d bet there won’t even be a referral for this story, especially if it relies on (as is likely) information shared by people protected by the speech and debate clause and/or people who might have been original classification authorities (OCAs — the people who get to decide whether something is classified or not) for this information in the past.

Perhaps that is as it should be. Perhaps our democracy has unofficially agreed that OCAs and congressional staffers should serve as kind of a relief valve, the place where classified information may be leaked without criminal penalty. Perhaps we believe those kinds of people have a better read on whether the interests of leaking outweigh the sensitivity of an issue. Though obviously, when OCAs like David Petraeus become impossible to punish (or former SSCI staff director Bill Duhnke, who was the FBI’s primary suspect for the Merlin leak, but who was protected by the Senate’s refusal to cooperate), that creates a profoundly unequal system of justice. Reality Winner can be prosecuted even while people leaking similar — perhaps even more sensitive — information within weeks might not even be investigated.

To be clear, I don’t want Bloomberg’s sources to be investigated. But we need to acknowledge the double standards for leakers in this country.

Which Was a More Sensitive Open Secret Revealed as a Result of the Reality Winner Story: Details on Russian Hacks of Voting Equipment, or Invisible Printer Dots?

Mr. EW doesn’t follow my work all that closely. He’s most apt to read something I wrote if it gets cited in TechDirt, a fact that occasionally makes me fantasize about getting Mike Masnick to publish secret messages about fixing leaky toilets or broken screen doors.

So I was pretty interested in Mr. EW’s take on the Reality Winner story. He believes, as many people do, that Winner was caught using the printer dot technology that Rob Graham laid out here.

I don’t doubt that the FBI or NSA used the printer dot technology to confirm that they had gotten the right person before they charged Winner. But it’s not mentioned at all in DOJ’s narrative of how they caught Winner (who, remember, pled not guilty even though she confessed to the FBI). They cite the following steps (search warrant affidavit, complaint affidavit):

  1. May 30: The Intercept contacts NSA and provides a copy of the document. NSA confirms for itself that it is real and classified.
  2. June 1: NSA makes a leak referral to the FBI.
  3. Undated:
    1. NSA notes that the document has been folded, suggested it was printed off.
    2. NSA checks who has accessed and printed the document.
    3. NSA checks the work computers of the six people who have printed the document, including Winner.
    4. NSA finds a direct email, from March, from Winner’s work computer to The Intercept using her personal Gmail account pertaining to TI’s podcast.
  4. June 1: For the second time, The Intercept contacts a contractor to validate the document (he or she had told them it was fake on May 24), telling the contractor that the NSA has confirmed its authenticity. The contractor provided a document number to The Intercept, and on the same day, the contractor informed the NSA about the May 24 and June 1 interactions, probably also passing on the detail that the document had been sent from Augusta, GA.
  5. June 2: FBI verifies Winner’s residence for a search warrant.
  6. June 3: FBI interviews Winner, who admits to “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia.”

Winner was arrested on June 3; her arrest was unsealed on June 5, just after The Intercept published the document.

On June 5, Graham posted a piece explaining how the hidden dots on the hard copy of the document would have told NSA that the document had been printed out on May 9, making it even easier for the NSA to pinpoint who had printed out the document.

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

As I explained to Mr. EW last night, nothing in the official record says the NSA used this hidden dot technology in its hunt for the leaker. I explained that while my friends started talking about the hidden dots almost immediately, there was nothing in the public record about it.

Clearly, the government didn’t exactly want that (and no doubt a number of other investigative methods, presumably including at a minimum checks on the non-government computer communications of the six people who printed out the document, and potentially also a check of postal records) detail to become public.

Yet, as a result of the reporting on this, people like Mr. EW not only know about the dot technology, but believe it was the key factor in identifying Winner. If they follow Rob Graham closely, they’ll also know that (in response to my question) another presumed leaker to The Intercept had managed to pass on a printed (and frankly far more important leaked) document — FBI’s Domestic Investigations and Operations Guidewithout including the telltale dots (I told Mr. EW about the follow-up but he’s more likely to read it if TechDirt links so…) So they would have learned that the dots are an operational security issue, but there are as yet unknown ways to mitigate that problem.

As I’ve stated several times, while the document Winner leaked to The Intercept provides new details about Russian attempts to hack the election, it simply adds to the widely known narrative already in the public (though the redacted details would no doubt be even more interesting). The secret dots though! — that was news to most people (including me).

Which secret do you think the government is most grumpy about having been made public?

Reality Winner Appears to Have Already Leaked “Documents” Plural

There appears to be a misunderstanding about details revealed at the bail hearing for Reality Winner last week, where Magistrate Judge Brian Epps denied her bail. Epps did so because she allegedly said she said wanted to burn the White House down and because prosecutor Jennifer Solari — who sounds like she made some pretty inflated claims — suggested Winner might have more to leak. There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winter might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents.

While the Intercept article describes a document, singular, what they actually appear to have gotten are two documents — the report on the Russian hacking, and one page of a two-page document laying out the hacks. The Intercept calls the second document “an overview chart.”

But the “chart” actually has its own separate pagination (indeed, its own separate pagination format). The “document” paginates by page number,

Whereas the “chart” paginates by pages out of total.

Moreover, the “chart” also uses a different title than the report.

That’s not to say they’re not related. It’s just two say that we already appear to have documents, plural, from Winner.

Moreover, are we really led to believe that 3 years after Edward Snowden succeeded in loading a bunch of documents onto a flash drive because he was in a remote facility where insider threat programs hadn’t yet been fully implemented, had SysAdmin access, and had pulled some strings to retain an outdated computer that had a port, a translator in an NSA or other military facility could use a flash drive without a very close accounting of what she downloaded?

Mind you, her attorney should have argued as much in the detention hearing if Winner really thinks these are multiple documents. But appears they are.