Posts

US Government Reveals It Has Video Evidence of Joshua Schulte Sharing Classified Information as Ecuador Restricts Assange’s Legal Visits

In a letter sent Thursday to Paul Crotty, the judge in the case of alleged Vault 7 WikiLeaks source, Joshua Schulte, prosecutors described the investigation conducted when, “in or about early October 2018,” they discovered he had been communicating clandestinely with third parties outside of the Metropolitan Corrections Center, where he has been held since December. They described discovering a truly stupendous amount of communications gear to store in a jail cell, amounting to multiple cell phones and other devices, from which Schulte was running 13 email and social media accounts.

In or about early October 2018, the Government learned that Schulte was using one or more smuggled contraband cellphones to communicate clandestinely with third parties outside of the MCC. The Government and the FBI immediately commenced an investigation into Schulte’s conduct at the MCC. That investigation involved, among other things, the execution of six search warrants and the issuance of dozens of grand jury subpoenas and pen register orders. Pursuant to this legal process, in the weeks following the Government’s discovery of Schulte’s conduct at the MCC, the FBI has searched, among other things, the housing unit at the MCC in which Schulte was detained; multiple contraband cellphones (including at least one cellphone used by Schulte that is protected with significant encryption); approximately 13 email and social media accounts (including encrypted email accounts); and other electronic devices.

Now, the prosecutors use that word “encrypted” twice, as if it means extra spooky, but these days, a cellphone with significant encryption could mean an iPhone (though in jail Schulte might be able to get state of the art spook or crook phones) and “encrypted email accounts” often means ProtonMail.

In any case, that’s a whole lot of legal process for a one month investigation of someone sitting in a jail cell (Schulte was moved to solitary when the investigation started on October 1), but then Schulte allegedly had a shit-ton of hardware. The 6 search warrants were presumably used for Schulte’s devices, and the “dozens of grand jury subpoenas and pen registers” would probably have been used for those email and social media accounts, perhaps with both used for each account (I have a working theory that for encrypted comms it may take more than one pen register to get the data).

Schulte was using all this hardware and software, according to the prosecutors, to — among other things — do two things: send details about the search warrants to investigate him, as well as yet more classified information, to third parties.

As a result of these searches and other investigative steps, the Government discovered that Schulte had, among other things, (i) transmitted classified information to third parties, including by using an encrypted email account, and (ii) transmitted the Protected Search Warrant Materials to third parties in direct contravention of the Court’s Protective Order and the Court’s statements at the May 21 conference.

The prosecutors included a superseding indictment with their letter, adding two extra counts to his already life sentence-threatening indictment: a new Count Eleven, which is contempt of court for blowing off the protective order covering his search warrant starting in April, and a new Count Four, which is another count of transmitting and attempting to transmit unlawfully possessed national defense information (793(e)) during the period he has been in MCC.

With regards to Count Eleven, on Monday a letter Schulte sent to Judge Crotty that was uploaded briefly to PACER (I believe this is the third time Schulte has succeeded in getting such letters briefly uploaded to the docket), revealing that he had been moved to solitary, but also complaining about corrections the government had made to his original search warrant:

I beg you Judge Crotty to read the first search warrant affidavit and the government’s Brady letter; the FBI outright lied in that affidavit and now acknowledge roughly half of these lies. Literally, they [sic] “error” on seeing dates of 3/7 where there were only 3/2 dates and developing their entire predicate based on fallacious reasoning and lies. They “error” in seeing three administrators where there were “at least 5” (ie. 10). They [sic] “error” in where the C.I. was stolen who had access, and how it could be taken — literally everything.

While I absolutely don’t rule out the government either focused on Schulte back in March 2017 for reasons not disclosed in the search warrant application, or that they parallel constructed the real reasons badly (both of which would be of significant interest, but both of which his very competent public defender can deal with), the docket suggests the Vault 7 case against him got fully substantiated after the porn case, perhaps because of the stuff he did last year on Tor that got him jailed in the first place. As I noted, that Tor activity closely followed one of Julian Assange’s more pubic extortion attempts using the Vault 8 material Schulte is accused of sharing, though Assange has made multiple private extortion attempts both before and since.

Which brings me to the second new charge, transmitting and attempting to transmit national defense information to a third party, with a time span of December 2017 to October 2018. Effectively, the government claims that even after Schulte was jailed last December, he continued to share classified information.

I’m particularly interested in the government’s use of “attempted” in that charge, not used elsewhere. The time period they lay out, after all, includes a period when Ecuador restricted Julian Assange’s communication. Effectively, the government revealed on Wednesday that they have video evidence of Schulte sharing classified information with … someone.

Meanwhile, in the Ecuadoran embassy in London, things have been heating up between Assange and his hosts.

About halfway through the period after which Schulte had been put into solitary so the government could investigate a bunch of communications devices they claim they didn’t know about before around October 1, Ecuador announced what seemed to be a relaxation of restrictions on Assange, but actually was more of an ultimatum. He could have visitors, but first they’d have to apply 3 days in advance and supply their social media handles and identifying details for any devices they wanted to bring with them. Assange, too, has to register all his devices, and only use Ecuador’s wifi. If anyone uses unapproved devices, they’ll be deemed a security threat to Ecuador under the protection of the UK, basically giving the UK reason to prosecute them to protect Ecuador. Assange has to have regular medical exams; if he has a medical emergency, he’ll be treated off site. Starting on December 1, he has to start paying for food and other supplies. He has to start cleaning up the joint. He has to start taking care of his cat.

Assange immediately sued over the new rules. But he lost that suit on Monday. But even as he appeals that verdict, according to Courage Foundation, Ecuador has restricted even legal visits, something that hadn’t been the case before. Those restrictions appear to have been put in place on Wednesday, the same day the new Schulte charges were rolled out. They’ll remain in place until Monday.

A piece by Ryan Goodman and Bob Bauer renewed discussion this morning about the First Amendment limits on suing or prosecuting WikiLeaks for conspiring with Russia to swing the 2016 election; I hope to respond to it later, but wrote about the same lawsuit in this post. I think their view dangerously risks political journalism.

But I also think that you don’t necessarily need to charge WikiLeaks in the conspiracy to sustain a conspiracy charge; you can make them unindicted co-conspirators, just like Trump would be. I have long noted that you could charge Assange, instead, for his serial attempts to extort the United States, an effort that has gone on for well over 18 months using the very same files that Schulte is alleged to have leaked to WikiLeaks (extortion attempts which may also involve Roger Stone). Assange has accomplished those extortion attempts, in part, with the assistance of his lawyers, who up until this week (as far as I understand from people close to Assange) were still permitted access to him.

Say. Have I observed yet that these events are taking place in the last days before Mueller’s election season restrictions end?

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

John Solomon’s Baby Assange

There are two telling details that John Solomon left out of this story, suggesting Jim Comey blew an opportunity to prevent the damage done by WikiLeaks’ Vault 7 leak (and, purportedly, to learn the “real” source of the DNC emails), based on a “trove” of documents but posting only fragments of 5. First, Solomon doesn’t include this text, showing Adam Waldman issuing an extortion threat stating Assange “is going to do something catastrophic for the dems, Obama, CIA and national security.”

Solomon is also silent about the recent indictment of anti-Obama former CIA hacker Joshua Schulte for stealing all these CIA files. Notably, Solomon doesn’t note that as this was going on, the FBI had obtained probable cause search warrants against Schulte. Having left out those key details (and surely, a bunch of other once included in his “trove” that don’t help the latest right wing narrative), Solomon produces the convenient narrative that Jim Comey personally hurt the government.

“He told me he had just talked with Comey and that, while the government was appreciative of my efforts, my instructions were to stand down, to end the discussions with Assange,” Waldman told me. Waldman offered contemporaneous documents to show he memorialized Warner’s exact words.

Waldman couldn’t believe a U.S. senator and the FBI chief were sending a different signal, so he went back to Laufman, who assured him the negotiations were still on. “What Laufman said to me after he heard I was told to ‘stand down’ by Warner and Comey was, ‘That’s bullshit. You are not standing down and neither am I,’” Waldman recalled.

Solomon pays no consideration to the ongoing investigation, no consideration to the fact that if Comey stood down, he did so in the face of threats to the Democrats (though it’s not clear why they’d be at fault), which as always is contrary to the hoaxes against Comey. More importantly, Solomon doesn’t answer the question posed, but not answered, here: whether Assange was seeking to meet at a cafe in London, or whether he wanted to come to the US and get a pardon once he got here.

The real punchline — the one we may see come back — is the claim that Jim Comey, on top of refusing an extortion attempt directed at the Democrats, also prevented — or maybe this isn’t about the FBI at all — from learning the real story behind the DNC hack.

Not included in the written proffer was an additional offer from Assange: He was willing to discuss technical evidence ruling out certain parties in the controversial leak of Democratic Party emails to WikiLeaks during the 2016 election. The U.S. government believes those emails were hacked by Russia; Assange insists they did not come from Moscow.

[snip]

Soon, the rare opportunity to engage Assange in a dialogue over redactions, a more responsible way to release information, and how the infamous DNC hacks occurred was lost — likely forever.

In honesty, this looks like an effort to set up the next campaign to suggest that Comey prevented the “truth” about the DNC hack from coming out because it would undermine the alleged Witch Hunt into Trump. It also looks like the first of three efforts to tee up the alternate explanation for the DNC hack in exchange for a Trump pardon, which resumed by August (and therefore which wasn’t a forever thing).

It also makes it clear that Vault 7 was entirely about extortion.

Timeline

January 12: Bruce Ohr considers Waldman’s offer

February 3: Laufman reaches out to Waldman

February 4: Wikileaks first pitches Vault 7

February 15: Waldman reaches out to Warner

February 16: Waldman issues extortion threat against Democrats

February 17: Warner says he’s got important call (with Comey), relays stand down order

March 7: Wikileaks releases first Vault 7 documents

March 13, 2017: Google search warrant on Schulte

Mid-March: Waldman contacts Laufman, suggests Assange is interested

March 20, 2017: Search on Schulte (including of cell phone, from which passwords to his desktop obtained)

March 23: Second Vault 7 release

March 28: Safe passage offer not including details about hack

March 31: Third Vault 7 release

April 5: Laufman asks whether Assange wants safe passage into London or to the US

April 7: Wikileaks posts third dump, which Solomon suggests was the precipitating leak for Mike Pompeo’s declaration of Wikileaks as non-state intelligence service (these are weekly dumps by this point)

Two Days after Julian Assange Threatened Don Jr, Accused Vault 7 Leaker Joshua Schulte Took to Tor

Monday, the government rolled out a superseding indictment for former NSA and CIA hacker Joshua Schulte, accusing him (obliquely) of leaking the CIA’s hacking tools that became the Vault 7 release from Wikileaks. The filings in his docket (as would the search warrants his series of defense attorneys would have seen) make it clear that the investigation into him, launched just days after the first CIA release, was always about the CIA leak. But when the government took his computer last spring, they found thousands of child porn pictures dating back to 2009. It took the government over three months and a sexual assault indictment in VA to convince a judge to revoke his bail last December, and then another six months to solidify the leaking charges they had been investigating him from the start.

But the case appears to have taken a key turn on November 16, 2017, when he did something — it’s not clear what — on the Tor network. While there are several things that might explain why he chose to put his release at risk by accessing Tor that day, it’s notable that it occurred two days after Julian Assange tweeted publicly to Donald Trump Jr that he’d still be happy to be Australian Ambassador to the US, implicitly threatening to release more CIA hacking tools.

Schulte was, from days after the initial Vault 7 release, apparently the prime suspect to be the leaker. As such, the government was always interested in what Schulte was doing on Tor. In response to a warrant to Google served in March 2017, the government found him searching, on May 8, 2016, for how to set up a Tor bridge (Schulte has been justifiably mocked for truly abysmal OpSec, and Googling how to set up a bridge is one example). That was right in the middle of the time he was deleting logs from his CIA computer to hide what he was doing on it.

When he was granted bail, he was prohibited from accessing computers. But because the government had arrested him on child porn charges and remained coy (in spite of serial hold-ups with his attorneys regarding clearance to see the small number of classified files the government found on his computer) about the Vault 7 interest, the discussions of how skilled he was with a computer remained fairly oblique. But in their finally successful motion to revoke Schulte’s bail, the government revealed that Schulte had not only accessed his email (via his roommate, Schulte’s lawyer would later claim), but had accessed Tor five times in the previous month, on November 16, 17, 26, and 30, and on December 5, 2017, which appears to be when the government nudged Virginia to get NYPD to arrest him on a sexual assault charge tied to raping a passed out acquaintance at his home in VA in 2015.

Perhaps the most obvious explanation for why Schulte accessed Tor starting on November 16, 2017, is that he was trying to learn about the assault charges filed in VA the day before.

But there is a more interesting explanation.

As you recall, back in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017 of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

There’s a reason I think those Tor accesses may actually be tied to Assange’s implicit threat. In January of this year, when his then lawyer Jacob Kaplan made a bid to renew bail, he offered an excuse for those Tor accesses. He claimed Schulte was using Tor to research the diaries on his experience in the criminal justice system.

In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

Someone posted those diaries to a Facebook account titled “John Galt’s Defense Fund” on April 20, 2018 (in addition to being an accused rapist and child porn fan, Schulte’s public postings show him to be an anti-Obama racist and an Ayn Rand worshiping libertarian).

Yesterday, Wikileaks linked those diaries, which strikes me as an attempt to corroborate the alibi Schulte has offered for his access to Tor last November.

The government seems to have let Schulte remain free for much of 2017, perhaps in search of evidence to implicate him in the Vault 7 release. Whether it was a response to a second indictment or to Assange’s implicit threats to Don Jr, Schulte’s use of Tor last year (and, surely, the testimony of the roommate he was using as a go-between) may have been one of the keys to getting the proof the government had been searching for since March 2017.

Whatever it is, both Wikileaks and Schulte would like you to believe he did nothing more nefarious than research due process websites when he put his bail at risk by accessing Tor last year. I find that a dubious claim.


2009: IRC discussions of child porn

2011 and 2012: Google searches for child porn

April 2015: Rapes a woman (possibly partner) who is passed out and takes pictures of it

March to June 2016: Schulte deleting logs of access to CIA computer

May 8, 2016: Schulte Googles how to set up a Tor bridge

November 2016: Leaves CIA, moves to NY, works for Bloomberg

December 16, 2016: Assange DM to Don Jr about becoming Ambassador

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

February 4, 2017: Wikileaks starts prepping Vault 7

March 7, 2017: Wikileaks starts releasing Vault 7

March 13, 2017: Google search warrant

March 20, 2017: Search (including of cell phone, from which passwords to his desktop obtained)

June 2017: Interview

August 17, 2017: Dana Rohrabacher tries to broker deal for Assange with Trump

August 23, 2017: Arrest affidavit

August 24, 2017: Arraignment

THE COURT: Well, it sounds like, based on the interview, that he knew what the government was looking at.

MR. LAROCHE: That wasn’t the basis of the interview, your Honor.

 

MR. KOSS: I think it was either two or three [interviews]. I think it was three occasions. I was there on all three, including one of which where we handed over the telephone and unblocked the password to the phone, which they did not have, and gave that to them. And as I said, I have been in constant contact with the three assistant U.S. attorneys working on this matter literally on a weekly basis for the last 4, 5, 6 months. And any time Mr. Schulte even thought about traveling, I provided them an itinerary. I cleared it with them first and made sure it was okay. On any occasion that they said they might want him close so that he could speak to them, I cancelled the travel and rescheduled it so that we would be available if they needed him at any given time.

September 13, 2017: Bail hearing

MR. LAROCHE: Well, I believe there still is a danger because it’s not just computers, your Honor, but electronic devices are all over society and easy to procure and this type of defendant having the type of knowledge he has does in terms of accessing things — so he has expertise and not only just generally computers but using things such as wiping tools that would allow him to access certain website and leave no trace of it. Those can be done from not just a computer but from other electronic devices.

But the child pornography itself is located on the defendant’s desktop computer. They can be accessed irrespective of those servers. So if all the government had was this desktop computer, we could recover the child pornography. So I think this idea that numerous people had access to the serves and potentially could have put it there, is simply a red herring. This was on the defendant’s desktop computer. And the location where it was found, this sub-folder within several layers of encryption, there were other personal information of the defendant in that area. There was his bank accounts. I think there was even a resume for the defendant where he was storing this information. And the passwords that were used to get into that location, those passwords were the same passwords the defendant used to access his bank account, to access various other accounts that are related to him. So this idea that he shared them with other people, the government just strongly disagrees.

October 11, 2017: Schulte lawyer Spiro withdraws

October 24, 2017: At Trump’s request Bill Binney meets with Mike Pompeo to offer alternate theory of the DNC hack

November 8, 2017: Status hearing

SMITH: I believe the government has told us that there’s more data in this case than in any other like case that they have prosecuted.

MR. STANSBURY: Let me just clarify that part first. We proposed this just in an abundance of caution given the defendant’s former employer and the fact that — and I meant to flag this before. I apologize now for not. There’s a small body of documents that were found in the defendant’s residence that were taken from his former employer that might implicate some classified issues. We have been in the process of having those reviewed and I think we’re going to be in a position to produce those in the next probably few days. But we wanted to just make sure that we were acting out of an abundance of caution in case any SEPA [sic] issues come about in the case. I don’t expect them too at this point but we wanted to do that out of an abundance of caution.

November 9, 2017: Wikileaks publishes Vault 8 exploit

November 14, 2017: Assange posts Vault 8 Ambassador follow-up

November 14, 2017: Arrest warrant in VA

November 15, 2017: Charged in Loudon County for sexual assault

November 16, 2017: Use of Tor

November 17, 2017: Use of Tor

November 26, 2017: Use of Tor

November 29, 2017: Abundance of caution, attorney should obtain clearance

November 30, 2017: Use of Tor

December 5, 2017: Use of Tor, Smith withdraws

December 7, 2017: NYPD arrests on VA warrant for sexual assault

December 12, 2017: Move for detention, including description of email and Tor access

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network. TOR networks enable anonymous communications over the Internet and could be used to download or view child pornography without detection. Indeed, the defendant has a history of using TOR networks. The defendant’s Google searches obtained in this investigation show that on May 8, 2016, the defendant conducted multiple searches related to the use of TOR to anonymously transfer encrypted data on the Internet. In particular, the defendant had searched for “setup for relay,” “test bridge relay,” and “tor relay vs bridge.” Each of these searches returned information regarding the use of interconnected computers on TOR to convey information, or the use of a computer to serve as the gateway (or bridge) into the TOR network.

December 14, 2017: US custody in NY

MR. KAPLAN: Well, your Honor, we’ve obtained the discovery given to prior counsel, and I’ve started to go through that. In addition, there was one other issue which I believe was raised at our prior conference, which was a security clearance for counsel to go through some of the national security evidence that might be present in the case.

While most of the national security stuff does not involve the charges, the actual charges against Mr. Schulte, the basis for the search warrants in this case involve national security.

So I’m starting the process with their office to hopefully get clearance to go through some of the information on that with an eye towards possibly a Franks motion going forward. So I would ask for more time just to get that rolling.

January 8, 2018: Bail appeal hearing

MR. KAPLAN: Judge, on the last court date, when we left, the idea was that we had consented to detention with the understanding that Mr. Schulte would be sent down to Virginia to face charges based on a Virginia warrant. None of that happened. Virginia never came to get him. Virginia just didn’t do anything in this case. But before I address the bail issues, I think it’s important that this Court hear the full story of how we actually get here. At one of the previous court appearances, I believe it was the November 8th date, this Court asked why the defense attorney in this case would need security clearance. And the answer that was given by one of the prosecutors, I believe, was that there was some top secret government information that was found in Mr. Schulte’s apartment, and that out of an abundance of caution it would be prudent that the defense attorney get clearance. But I don’t think that’s entirely accurate.

While the current indictment charges Mr. Schulte with child pornography, this case comes out of a much broader perspective. In March of 2017, there was the WikiLeaks leak, where 8,000 CIA documents were leaked on the Internet. The FBI believed that Mr. Schulte was involved in that leak. As part of their investigation, they obtained numerous search warrants for Mr. Schulte’s phone, for his computers, and other items, in order to establish the connection between Mr. Schulte and the WikiLeaks leak.

As we will discuss later in motion practice, we believe that many of the facts relied on to get the search warrants were just flat inaccurate and not true, and part of our belief is because later on, in the third or fourth search warrant applications, they said some of the facts that we mentioned earlier were not accurate. So we will address this in a Franks motion going forward, but what I think is important for the Court is, in April or May of 2017, the government had full access to his computers and his phone, and they found the child pornography in this case, but what they didn’t find was any connection to the WikiLeaks investigation. Since that point, from May going forward, although they later argued he was a danger to the community, they let him out; they let him travel. There was no concern at all. That changed when they arrested him in August on the child pornography case.

[snip]

The second basis that the government had in its letter for detaining Mr. Schulte was the usage of computers. In the government’s letter, they note how, if you search the IP address for Mr. Schulte’s apartment, they found numerous log-ons to his Gmail account, in clear violation of this court’s order. But what the government’s letter doesn’t mention is that Mr. Schulte had a roommate, his cousin, Shane Presnall, and this roommate, who the government and pretrial services knew about, was allowed to have a computer.

And more than that, based on numerous conversations, at least two conversations between pretrial services, John Moscato, Josh Schulte and Shane Presnall, it was Shane’s understanding that pretrial services allowed him to check Mr. Schulte’s e-mail and to do searches for him on the Internet, with the idea that Josh Schulte himself would not have access to the computer.

And the government gave 14 pages of log-on information to establish this point. And, Judge, we have gone through all 14 pages, and every single access and log-in corresponds to a time that Shane Presnall is in the apartment. His computer has facial recognition, it has an alphanumeric code, and there is no point when Josh Schulte is left himself with the computer without Shane being there, and that was their understanding.

LAROCHE: And part of that investigation is analyzing whether and to what extent TOR was used in transmitting classified information. So the fact that the defendant is now, while on pretrial release, using TOR from his apartment, when he was explicitly told not to use the Internet, is extremely troubling and suggests that he did willfully violate his bail conditions.

 

KAPLAN: In this case, the reason why TOR was accessed was because Mr. Schulte is writing articles, conducting research and writing articles about the criminal justice system and what he has been through, and he does not want the government looking over his shoulder and seeing what exactly he is searching.

 

LAROCHE: Because there is a classified document that is located on the defendant’s computer, it is extremely difficult, and we have determined not possible, to remove that document forensically and still provide an accurate copy of the desktop computer to the defendant.

So in those circumstances, defense counsel is going to require a top secret clearance in order to view these materials. It’s my understanding that that process is ongoing, and we have asked them to expedite it. As soon as the defendant’s application is in, we believe he will get an interim classification to review this material within approximately two to three weeks. Unfortunately, that hasn’t occurred yet. So the defendant still does not have access to that particular aspect of discovery. So we are working through that as quickly as we can.

January 17, 2018: Bail appeal denied

March 15, 2018: Sabrina Shroff appointed

March 28, 2018: Initial ban of Internet access and visitors for Assange

April 20, 2018: Schulte’s diaries (ostensibly the purpose of using Tor) posted

May 10, 2018: Ecuador bans visitors for Assange

May 16, 18, 2018: Documents placed in vault

May 16, 2018: Schulte Facebook site starts legal defense fund

June 18, 2018: Schulte superseding indictment

June 19, 2018: Wikileaks posts links to diary

Dana Rohrabacher Brokering Deal for Man Publishing a CIA Exploit Every Week

Yesterday, right wing hack Charles Johnson brokered a three hour meeting between Dana Rohrabacher and Julian Assange. At the meeting, Assange apparently explained his proof that Russia was not behind the hack of the DNC. In a statement, Rohrabacher promises to deliver what he learned directly to President Trump.

Wikileaks founder Julian Assange on Wednesday told Rep. Dana Rohrabacher that Russia was not behind leaks of emails during last year’s presidential election campaign that damaged Hillary Clinton’s candidacy and exposed the inner workings of the Democratic National Committee.

The California congressman spent some three hours with the Australian-born fugitive, now living under the protection of the Ecuadorian embassy in the British capital.

Assange’s claim contradicts the widely accepted assessment of the U.S. intelligence community that the thousands of leaked emails, which indicated the Democratic National Committee rigged the nomination process against Sen. Bernie Sanders in favor of Clinton, were the result of hacking by the Russian government or persons connected to the Kremlin.

Assange, said Rohrabacher, “emphatically stated that the Russians were not involved in the hacking or disclosure of those emails.” Rohrabacher, who chairs the House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats, is the only U.S. congressman to have visited the controversial figure.

The conversation ranged over many topics, said Rohrabacher, including the status of Wikileaks, which Assange maintains is vital to keeping Americans informed on matters hidden by their traditional media. The congressman plans to divulge more of what he found directly to President Trump.

I’m utterly fascinated that Assange has taken this step, and by the timing of it.

It comes not long after Rod Wheeler’s lawsuit alleging that Fox News and the White House worked together to invent a story that murdered DNC staffer Seth Rich was in contact with WikiLeaks. Both that story and this one have been promoted aggressively by Sean Hannity.

It comes in the wake of the VIPS letter that — as I’ve begun to show — in no way proves what it claims to prove about the DNC hack.

It comes just after a very long profile by the New Yorker’s Raffi Khatchadourian, who has previously written more sympathetic pieces about Assange. I have a few quibbles with the logic behind a few of the arguments Khatchadourian makes, but he makes a case — doing analysis on what documents got released where that no one else has yet publicly done (and about which numerous people have made erroneous claims in the past) — that Assange’s claims he wasn’t working with Russia no longer hold up.

But his protestations that there were no connections between his publications and Russia were untenable.

[snip]

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published.

The Assange-Rohrabacher meeting also follows a NYT story revealing that the author of a piece of malware named in the IC’s first Joint Analysis Report of the DNC hack, Profexor, has been cooperating with the FBI. The derivative reports on this have overstated the connection Profexor might have to the DNC hack (as opposed to APT 28, presumed to be associated with Russia’s military intelligence GRU).

A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking.

Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

It is not clear whether the specific malware the programmer created was used to hack the D.N.C. servers, but it was identified in other Russian hacking efforts in the United States.

But Profexor presumably is describing to the FBI how he came to sell customized access to his tool to hackers working for Russia and who those hackers were.

In other words, this bid by Assange to send information to Trump via someone protected by the Constitution’s Speech and Debate Clause, but who is also suspected — even by his Republican colleagues! — of being on Russia’s payroll, comes at a very interesting time, as outlets present more evidence undermining Assange’s claims to have no tie to Russia.

Coming as it does as other evidence is coming to light, this effort is a bit of a Hail Mary by Assange: as soon as Trump publicizes his claims (which he’ll probably do during tomorrow’s shit-and-tweet) and they get publicly discredited, Assange (and Trump) will have little else to fall back on. They will have exposed their own claims, and provided the material others can use to attack Trump’s attempts to rebut the Russia hack claims. Perhaps Assange’s claims will be hard to rebut; but by making them public, finally, they will be revealed such that they can be rebutted.

I’m just as interested in the reporting on this, though, which was first pushed out through right wing outlets Daily Caller and John Solomon.

The story is presented exclusively in terms of Assange’s role in the DNC hack, which is admittedly the area where Assange’s interests and Trump’s coincide.

Yet not even the neutral LAT’s coverage of the meeting, which even quotes CIA Director and former Wikileaks fan Mike Pompeo,mentions the more immediate reason why Assange might need a deal from the United States. Virtually every week since March, Wikileaks has released a CIA exploit. While some of those exploits were interesting and the individual exploits are surely useful for security firms, at this point the Vault 7 project looks less like transparency and more like an organized effort to burn the CIA. Which makes it utterly remarkable a sitting member of Congress is going to go to the president to lobby him to make a deal with Assange, to say nothing of Assange’s argument that Wikileaks should get a White House press pass as part of the deal.

Dana Rohrabacher is perhaps even as we speak lobbying to help a guy who has published a CIA hack of the week. And that part of the meeting is barely getting notice.

Wikileaks Permadrip: “Other Vault 7 Documents”

WikiLeaks has released the second in what they promise to be many further releases of CIA hacking tools it calls Vault 7. This release, which it dubs Dark Matter, consists of just 12 documents, which means (if WikiLkeak’s past claims about how big this leak is are true) the releases could go on forever.

As Motherboard lays out, the tools that got released are old — they date from 2008 to 2013.

While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who’s been studying Apple computers for years.

Judging from the documents, Vilaca told Motherboard in an online chat, it “looks like CIA were very early adopters of attacks on EFI.”

“It looks like CIA is very interested in Mac/iOS targets, which makes sense since high value targets like to use [those],” Vilaca told me. “Also interesting the lag between their tools and public research. Of course there’s always unpublished research but cool to see them ahead.”

But — because I’m as interested in how Wikileaks is releasing these tools as I am in what it is releasing — it appears that WL may be sitting on more recent documents related to compromising Apple products. WL’s press release describes other Vault 7 documents, plural, that refer to more recent versions of a tool designed to attack MacBook Airs. But it includes just one of those more recent documents in this dump.

While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

That seems to suggest that there are other, more current Apple tools in WikiLeaks’ possession besides the one developmental document linked. If so it raises the same questions I raised here: is it doing so as a pose of responsible release, withholding the active exploits until Apple can fix them? Or is it withholding the best tools for its own purposes, potentially its own or others’ use? Or, given this account, perhaps Wikileaks is playing a game of chicken with the CIA, seeing whether CIA will self-disclose the newer, still unreleased exploits before Wikileaks posts them. Thus far, neither side is being forthcoming with affected tech companies, if public reports are to be believed.

In either case, I’m just as interested in what Wikileaks is doing with the files it is sitting on as I am the dated ones that have been released.

Update: In his presser the other day, Julian Assange did provide a list of tech companies he had reached out to.

In his March 23 press conference, Assange offered the following timeline relating to WikiLeaks’ communications with technology firms:

  • March 12: WikiLeaks reached out to Apple, Google, Microsoft and Mozilla.

  • March 12: Mozilla replied to WikiLeaks, agreeing to its terms. The aforementioned Cisco engineer also reached out.

  • March 13: Google “acknowledged receipt of our initial approach but didn’t address the terms,” Assange said.

  • March 15: MikroTek contacted WikiLeaks; it makes a controller that’s widely used in VoIP equipment.

  • March 17: Mozilla replied, asked for more files.

  • March 18: WikiLeaks told Mozilla it’s looking for the information.

  • March 20: First contact from Microsoft “not agreeing to the standard terms, but pointing to their standard procedures,” Assange said, including providing a PGP email key. Google also replied the same day, pointing to their standard procedures, and including a PGP email key.

Password: [email protected]

Remember how infosec people made fun of John Podesta when they learned his iCloud password — which got exposed in the Wikileaks dump of his stolen emails — was Runner4567? 4Chan used the password to hack a bunch of Podesta’s accounts.

Among the pages that got exposed in this week’s Wikileaks dumps of CIA’s hacking tools was a page of Operational Support Branch passwords. For some time the page showed the root password for the network they used for development purposes.

These passwords, as well as one (“password”) for another part of their server, were available on the network site as well.

Throughout the period of updates, it included a meme joking about setting your password to Incorrect.

At the beginning of January 2015, it included the passwords for two unclassified laptops used by the department, one of which was the very guessable [email protected]

OSB unclass laptop #1 password (tag 2005K676, Dell service tag: 7731Y32): “OSBDemoLap9W53!” (Without quotes)

OSB unclass laptop #2 password (tag 2005K677, Dell service tag: CN81Y32): “[email protected]” (no quotes, first chracter is a zero)

Remember, Assange has claimed that CIA treated its exploits as unclassified so they could be spread outside of CIA facilities.

A discussion ensued about what a bad security practice this was.

2015-01-30 14:30 [User #14588054]:

Am I the only one who looked at this page and thought, “I wonder if security would have a heart attack if they saw this.”?

2015-01-30 14:50 [User #7995631]:

Its locked down to the OSB group… idk if that helps.

2015-01-30 15:10 [User #14588054]:

I noticed, but I still cringed when I first saw the page.

I have no idea whether these passwords exacerbated CIA’s exposure. The early 2015 discussion happened well before — at least as we currently understand it — the compromise that led to Wikileaks’ obtaining the files. The laptops themselves were unclassified, and would only be a problem if someone got physical custody of them. Though shared devices like laptops were one of the things for which CIA had a multi-factor authentication problem up until at least August of 2016.

But if we’re going to make fun of John Podesta for password hygiene exposed in a Wikileaks dump, we ought to at least acknowledge that CIA’s hackers, people who spent their days exploiting hygiene sloppiness like this, had (simple) passwords lying around on a server that — as it turns out — was nowhere near as secure as it needed to be.

No More Secrets: Vault 7

Several days after Shadow Brokers first announced an auction of a bunch of NSA tools last August, Wikileaks announced it had its own “pristine” copy of the files, which it would soon release.

Wikileaks never did release that archive.

On January 7-8, Shadow Brokers got testy with Wikileaks, suggesting that Wikileaks had grown power hungry.

Shadow Brokers threw in several hashtags, two of which could be throw-offs or cultural references to a range of things (though as always with pop culture references, help me out if I’m missing something obvious). The third — “no more secrets” — in context invokes Sneakers, a movie full of devious US intelligence agencies, double dealing Russians, and the dilemma of what you do when you’ve got the power that comes from the ability to hack anything.

Moments later, Shadow Brokers called out Wikileaks, invoking (in the language of this season’s South Park) Wikileaks’ promise to release the file.

Of course, within a week, Shadow Brokers had reneged on a promise of sorts. Less than an hour before calling out Wikileaks for growing power hungry, Shadow Brokers suggested it would sell a range of Windows exploits. Four days later, it instead released a limited (and dated) subset of Windows files — ones curiously implicating Kaspersky Labs. All the “bullshit political talk,” SB wrote in a final message, was just marketing.

Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention.

And with that, the entity called Shadow Brokers checked out, still claiming to be in possession of a range of (dated) NSA hacking exploits.

Less than a month later (and over a month before Monday’s release), Wikileaks started the prep for the Vault 7 release of CIA’s hacking tools. (Given the month of lead hype and persistent attention throughout, I’m not sure why any claimed rapid and “overwhelming” response to the release should be attributed to Russian bots.)

Having been called out for sitting on the Shadow Brokers’ files (if, indeed, Wikileaks actually had them), Wikileaks this time gave the appearance of being forthcoming, claiming “the largest ever publication of confidential documents on the [CIA].”

Except …

While Wikileaks released a great deal of information about CIA’s hacking, it didn’t release the code itself, or the IP addresses that would reveal targets or command and control servers.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.

Now, perhaps Wikileaks really is doing all this out of a sense of responsibility. More likely, it is designed to create a buzz for more disclosure that WL can use to shift responsibility for further disclosure. Yesterday, Wikileaks even did a silly Twitter poll designed to get thousands to endorse further leaks.

In reality, whether for their own PR reasons or because it reflects the truth, tech companies have been issued statements reassuring users that some of the flaws identified in the Wikileaks dump have already been fixed (and in fact, for some of them, that was already reflected in the Wikileaks documents).

Thus far, however, Wikileaks is sitting on a substantial quantity of recent CIA exploits and may be sitting on a significant quantity of dated NSA exploits. Mind you, the CIA seems to know (belatedly) precisely what Wikileaks has; while NSA has a list of the exploits Shadow Brokers was purportedly trying to sell, it’s not clear whether NSA knew exactly what was in that dump. But CIA and NSA can’t exactly tell the rest of the world what might be coming at them in the form of repurposed leaked hacking tools.

There has been a lot of conversation — most lacking nuance — about what it means that CIA uses code from other hackers’ exploits (including Shamoon, the Iranian exploit that has recently been updated and deployed against European targets). There has been less discussion about what it means that Wikileaks and Shadow Brokers and whatever go-betweens were involved in those leaks might be involved have been sitting on US intelligence community exploits.

That seems like a worthwhile question.

Update: as his delayed presser on this release, Assange stated that he would work with tech companies to neutralize the exploits, then release them.

Wikileaks Dumps CIA’s Hacking Tools

Today, Wikileaks released a big chunk of documents pertaining to CIA’s hacking tools.

People will — and already have — treated this as yet another Russian effort to use Wikileaks as a cutout to release documents it wants out there. And that may well be the case. It would follow closely on the release, by Shadow Brokers, of a small subset of what were billed as NSA hacking tools (more on that in a bit).

Wikileaks attributes the files to two sources. First, it suggests a “US government hacker and contractor … provided WikiLeaks with portions of the archive.”

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In an apparent reference to this source, Wikileaks explains,

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

It also notes that developers may steal tools without a trace (though speaks of this in terms of proliferation, not this leak).

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them.

But Wikileaks also suggests that, because the CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Wikileaks is trying to appear more responsible than it was with recent leaks, which doxed private individuals. It explains that it has anonymized names. (It very helpfully replaces those names with numbers, which leaves enough specificity such that over 30 CIA hackers will know Wikileaks has detailed information on them, down to their favorite memes.) And it has withheld the actual exploits, until such time — it claims — that further consensus can be developed on how such weapons should be analyzed. In addition, Wikileaks has withheld targets.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Several comments about this: First, whether for reasonable or unreasonable purpose, withholding such details (for now) is responsible. It prevents Wikileaks’ release from expanding the use of these tools. Wikileaks’ password for some of these files is, “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds,” suggesting the motive.

Of course, by revealing that these tools exist, but not releasing them, Wikileaks could (hypothetically) itself use them. Wikileaks doesn’t explain how it obtained upcoming parts of this release, but it’s possible that someone used CIA’s tools against itself.

In addition, by not revealing CIA’s targets, Wikileaks both explicitly and implicitly prevents CIA (and the US generally) to offer the excuse they always offer for their surveillance tools: that they’re chasing terrorists — though of course, this is just a matter of agency vocabulary.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason [sic] Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals.

We will no doubt have further debate about whether Wikileaks was responsible or not with this dump. But consider: various contractors (and to a much lesser degree, the US intelligence community) have been releasing details about Russian hacking for months. That is deemed to be in the common interest, because it permits targets to prevent being hacked by a state actor.

Any hacking CIA does comes on top of the simplified spying the US can do thanks to the presence of most tech companies in the US.

So why should CIA hacking be treated any differently than FSB or GRU hacking, at least by the non-American part of the world?

This leak may well be what Wikileaks claims it to be — a concerned insider exposing the CIA’s excesses. Or perhaps it’s part of a larger Russian op. (Those two things could even both be true.) But as we talk about cybersecurity, we would do well to remember that all nation-state hackers pose a threat to the digital commons.