Leaked Details of MIT Investigation
The NYT reports details that must come from MIT’s investigation (though the spokesperson insists it’s a review) of its involvement in Aaron Swartz’ arrest and conviction.
There are a few I find of particular interest.
First, MIT claims it learned that Aaron was still downloading JSTOR materials on January 3.
However, on Jan. 3, 2011, according to internal M.I.T. documents obtained by The New York Times, the university was informed that the intruder was back — this time downloading documents very slowly, with a new method of access, so as not to alert the university’s security experts.
Court documents say JSTOR informed MIT about this around Christmas.
The NYT references “a security expert” analyzing MIT’s network.
Early on Jan. 4, at 8:08 a.m., according to Mr. Halsall’s detailed internal timeline of the events, a security expert was able to locate that new method of access precisely — the wiring in a network closet in the basement of Building 16, a nondescript rectangular structure full of classrooms and labs that, like many buildings on campus, is kept unlocked.
This is a detail I’ve long wondered about: who was the expert and what tools did she or he use?
And then there’s the thoroughly unsurprising news that Michael Pickett was with MIT’s head cop when they found Aaron on January 6, 2011.
A little after 2 p.m., according to the government, Mr. Swartz was spotted heading down Massachusetts Avenue within a mile of M.I.T. After being questioned by an M.I.T. police officer, he dropped his bike and ran (according to the M.I.T. timeline, he was stopped by an M.I.T. police captain and Mr. Pickett).
Anyone want to bet they were using some fancy surveillance to find Aaron?
Marcy, you are a gem. Thanks so much for staying on this. I come daily looking for the stuff everyone else missed or doesn’t care about or whatever. Kudos.
No bets. I think that was their primary method. (How else would they find stuff that no one else noticed, or find him on his bike a mile from MIT?)
There’s a lot of background material on the MIT IS&T (Information Services and Technology) web site:
1) Their security roadmap: http://web.mit.edu/itgc/docs/ITGC%20Security%20Roadmap.pdf (pdf)
2) Their updates to their security: http://web.mit.edu/itgc/docs/ITGC%20Security%20Roadmap.pdf (pdf)
These show that MIT had reversed their previous posture about running an utterly open, unmonitored network and was in the process of acquiring industry standard tools to detect network intrusions.
Here’s an older article relating to this.
http://www.wired.com/threatlevel/2011/07/mit-webcam-swartz/
Also some details from an August 3, 2011 story in MIT’s The Tech:
http://tech.mit.edu/V131/N30/swartz.html
I haven’t been in Cambridge for 40 years, but Mass Ave runs through it into Boston. A mile radius could put that encounter somewhere across the Charles River, and encompass possibly 100,000 people. Many on Mass Ave would be on bicycles (Harvard is (IIRC) about a half mile away, and Central Square, a subway stop, is between them). To “spot” him would require a massive lookout with pictures, and possibly a clothing description.
I’d take that bet, Marcy.
The MIT Security Roadmap shows an organization well, well behind the curve in basic security infrastructure. This was a policy/ideological choice, one that seems to have been reversed in 2009/2010, and MIT was playing catch up.
As for catching him on his bike a mile from MIT, it sounds like they tried to get to network closet while he was there and weren’t fast enough. If you’re in your car (like they were) and ask yourself “If we’re going to try and catch up with the fleeing suspect, where do we go?”, up Massachusetts Ave. is your best bet. They got lucky because Aaron took the most obvious “escape route” which is also the direct route to where he was living.
Maybe there was something else going on here, and some sort of advanced surveillance and detection going on. But there’s also a plausible explanation for this to have happened just how they say it did.
@rg: This was January 4th, 2011, the middle of winter, a winter in which we, in Cambridge, were having record snowfall and struggling to find places to put it. There wouldn’t have been a lot of people on bicycles at all, because biking was pretty treacherous.
This picture https://secure.flickr.com/photos/peter_macko/5507424823/ of Mass Ave, in Harvard Square (a couple of miles from MIT), taken on January 9th, shows what the street was like. Those large snowbanks are snow that, at the time, Cambridge had no place to put. And Harvard Square was far better cleared than the rest of Cambridge.
This also explains why Aaron took Mass Ave when leaving MIT: as a main route, it was better cleared than any of the backstreets.
@rg: After only a moment’s reflection and before seeing SB’s remark @ 7, I realized that my problem was with the term, “spotted”; a more operative term would be “found”. It occurred to me that by the time of his arrest, Swartz was a known entity, as part of a larger community of undesirables called hackers, especially a group around the “Boston area” somehow associated with Wikileaks.
When I was in that area, it was 1970, and there was a large unorganized anti-war effort underway. The Nixon government was doing all it could to infiltrate and counter that movement’s effectiveness. While massive senseless wars still go on, there are other issues being resisted as well, including efforts to undermine what seems to be called “the security state”, among which “hackers” are a particular problem. When Aaron Swartz’s image appeared in that closet, that made him wanted on a trespassing charge, and vulnerable to arrest and intimidation. They definitely knew who AS was and what he looked like.
@Saul Tannenbaum: I seem to be writing while you are posting. Thanks for the correction and the photos (and the memories). I do remember Jan of 1971, with Mass Ave looking like that, and stand corrected as to the traffic scene that would have been extant. And are Harvard and MIT really two whole miles apart; if so, memory must be some sort of wormhole that distorts time and space.
That Pickett was present at the arrest is not news. The MIT cop stopped and detained Swartz and then Pickett and at least one more responded to the scene of the detention. And it was actually USSS Agent Pickett that effected the formal arrest by handcuffing Swartz. I have known this for nearly a week now, though cannot remember from what document.
@rg: Or some kind of tracker. If he had the computer with him, I would have thought they added it. But he didn’t. He had moved that elsewhere at MIT.
@bmaz: But I believe it is news that Pickett was there from the start.
@Saul Tannenbaum: He didn’t go straight from the closet. He went to the student center first.
This NY Times article is the first I read about MIT being concerned about “the Chinese” showing up briefly in the netbook.
Is this a red herring? Especially since the next sentence goes on to state hackers from China probing the network are a commonplace occurrence.
The NY Times article mentions that Swartz has many friends at MIT and that Swartz’s father was associated with the MIT Media Lab. So is Joi Ito– a former colleague of Aaron Swartz from the Creative Commons days. Ito is the Director of the MIT Media Lab. No mention that Aaron was in contact with Ito, however.
(OT: Ito is also a godson of Timothy Leary. Timothy Leary had a connection with Lisa Rein, too, another of Aaron Swartz’s former colleagues from Creative Commons. Looks like Harvard University is receiving Leary’s psychedelic research on long term loan. http://boingboing.net/2012/11/14/timothy-learys-papers-return.html. I thought that his papers were bought in 2011 by the NY Public Library, however. http://www.nytimes.com/2011/06/16/books/new-york-public-library-buys-timothy-learys-papers.html?ref=arts )
@Saul Tannenbaum: Looking at the NYT timeline, I’m having second thoughts that the involvement of the SS was simply low level local cop butt covering and brown nosing.
Look at how fast Pickett was on site, a little over an hour from the time the MIT cops were notified. From the prior story, MIT cops called Cambridge, and they called Pickett. Seems like an awfully quick response if that was the first contact. If Pickett wasn’t already engaged, what in a low level hack of academic papers would have gotten him off his butt and out on crappy roads? What’s it look like to you?
@Saul Tannenbaum: Swartz was in the closet at 12:30. He wasn’t spotted on Mass Ave until 2.
@pdaly: Probably. That had come out earlier in the discussion of the data collection from his computer. I think the govt and MIT have used it after the fact to excuse their access of data on his laptop.
@Saul Tannenbaum: The new security measures were implemented after Aaron was caught–the beginning of implementation was January.
@emptywheel: No, Pickett’s presence in the wiring closet (if that’s what you mean by “from the start”) was part of the Cambridge Police arrest report (http://lawreport.org/pdf/AaronSwartz-CambridgePoliceArrestReportJan132011_text.pdf).
Rereading the report, I had forgotten that a Boston Police officer was also present in the wiring closet.
Lastly, the arrest report states that after Pierce spotted Swartz, he summoned Pickett and a Cambridge police officer. Swartz jumped off his bike and ran down Lee St (where he lived), where he was cuffed by Pickett.
That sequence is a bit odd. Where did Pickett come from that he could be there in time to pursue Swartz so quickly? It wouldn’t surprise me to learn that they were all driving around the vicinity looking for Swartz of whom, by that time, they had a good description.
@emptywheel: The new security measures were planned and approved in the fall, before Aaron was caught. That means that the staff was evaluating equipment and systems between then and implementation. And you evaluate that stuff by actually using it in your environment. (If you’re MIT, any vendor is going to bend over backwards to get selected so they’ll give you anything you ask for, pretty much.)
This is another explanation for the special tools and even the security expert, someone a vendor sent to help MIT evaluate some system which they tried out in a real world exercise.
@lefty665: If you’re head of the Secret Service Electronic Crimes Task Force and you get called about some sort of cyber incident at MIT, you respond. That doesn’t happen every day.
And Boston Secret Service headquarters is in Government Center, a 10 minute drive to MIT. In good weather, it’s walking distance.
@pdaly: The thing about Chinese hacker activity is that, until you look, you never know what it is.
One of the weirder moments of my professional life was a university-oriented IT conference at the welcoming reception where a guy, who said he was from a security vendor, sat down with a bunch of us and started talking about how Chinese hackers were silently stealing the intellectual property of our universities and we didn’t know it and that if we didn’t get our act together we’d wake up one day slaves to the Chinese. I’m exaggerating the slaves part, it was that sort of paranoid rant.
The thing about it is: if you’re being silently stolen from, how would you know?
So, you see that stuff and you ask yourself: signal or noise? Standard probes for vulnerabilities or active attack?
If you’re savvy, even if it’s noise and not an attack, you, as Marcy notes, keep it in your back pocket for justification of something. Because “we’re under attack by Chinese hackers” is a great motivator.
@Saul Tannenbaum: Agree that it’s a possible explanation. But I’m not convinced it is the explanation. But thanks for those links–they’re really helpful!
@Saul Tannenbaum: I meant “from the start of the arrest.” Because I’m getting at what you’re getting at–how did Pickett get there so quickly? I took the NYT to say he was with Pierce.
I didn’t know they got Swartz right by his house. THAT is rather interesting. It suggests they may have been staking out his house. But they pretend not to know it was him.
To give folks a sense of the limited geography we’re talking about, I put together a quick Google map of the sites of interest on the day of Aaron Swartz’s arrest: https://maps.google.com/maps/ms?msid=202604240933176665144.0004d3d1c75de85a1cc98&msa=0&ll=42.36441,-71.088109&spn=0.02505,0.055747
Let me know if anything needs clarification.
@Saul Tannenbaum: LOL. You and I were making the same map! Can you add 950 Mass Ave to yours? That’s where Aaron lived.
As I said, I think you’ve just answered how the head MIT cop happened to run into Aaron on Mass Ave 90 minutes after they supposedly lost his trace: he was staking out his home.
Which says if they didn’t already ID him before January 4, they did based on photo and/or fingerprint from his visit to the closet that day.
@emptywheel: There are two addresses for Aaron: 950 Mass Ave and 24 Lee Street. I’ve added 950 Mass Ave, which is just a couple of blocks from Lee Street.
@emptywheel:
Can an MIT police officer leave the MIT campus for this even if Cambridge PD and USSS are already alerted, too?
I don’t think MIT’s campus extends that far down Mass Ave. I could be wrong.
Looks like the campus buildings end between Sidney and Brookline Streets going west on Mass Ave. It’s another 8 streets going west on Mass Ave (towards Harvard, away from MIT) until you reach Lee Street.
http://whereis.mit.edu
@Saul Tannenbaum: Where’s the 24 Lee Street one come from? 950 Mass Ave is where they searched.
@pdaly: MIT’s campus, along Mass Ave, ends just a little past the Student Center.
But campus police can and do leave campus and are “deputized” by the county to have jurisdiction for “adjacent areas”. It’s not uncommon here to have campus police arrest someone off campus for a crime committed on campus.
Update: And there are buildings further up Mass Ave, like a dorm and the MIT Museum. But those aren’t part of the contiguous campus.
@emptywheel: It comes from the arrest report. Early reports here, if memory serves, used the address on the police report – the address at which Aaron was apprehended – as his home address. Re-reading the police report, it doesn’t say anything about this being his home.
My vote’s on a cellphone used as a tracking device — do we know that Swartz did/didn’t use one, even a disposable one?
And Chinese hackers? Give me an effing break — this is an excuse. The amount of crap China took with Operation Aurora using exploits in documents generated with common commercial software, dispersed by Gmail is huge. And Google told the public about it, not DHS, SS, or any of the targeted corporate entities. Now that we all know conclusively that China followed through on the cyberspace “outreach” efforts PRC insiders warned us about years ago, China can be blamed as a universal bogeyman.
Oh, and let’s not forget the latest universal bogeyman: Red October.
Ooga-booga-boo. Be afraid.
@Rayne: Good point. He was arrested with a phone. Two more were seized during the search of his house.
@emptywheel: Though his lawyers never asked how they found him, and you’d think they would have if they even suspected GPS phone tracking. Aaron obviously knew about that use.
@emptywheel: He was probably rotating disposables if he had that many. All it would take is a sniffer looking for cellphones used regularly around a particular address, then a later match.
Keep in mind, too, the case where a car had a tracking device attached to it by law enforcement in the driveway of the subject’s home. I think the court didn’t rule that was illegal until this past year…were they using the same techniques?
EDIT — 4:45 pm EST —
GPS tracking devices found legal 11-JAN-2010, see US v. Pineda-Moreno
Then decision reversed 23-JAN-2012, see US v. Antoine Jones
Incredible timing, as always.
@Rayne:
Interesting theory about the rotating disposable cell phones.
wrt GPS tracking, here’s a topical article (off the same website as your Red October link)
http://gizmodo.com/5977649/what-the-fbi-doesnt-want-you-to-know-about-its-secret-surveillance-techniques
@pdaly: Yeah, the Gizmodo article link you shared refers to Jones — that was exactly the situation and case I was thinking of in my edit to previous comment. Thanks.
The sniffer I was referring to doesn’t have to be as sophisticated as FBI might be/have been using in that article. Could be a sniffer just like crooks use to pick up a single phone.
I’m going to have to up my game and remember these case names to keep up with the EW crew. Popping in only occasionally is kicking my butt.
Michael Sussmann, a former fed. prosecutor said MIT had to assume any hackers were “the Chinese” http://nyti.ms/WAKQh9
What did MIT already know about the hack by the time they called in the Secret Service?
They knew the closet and the laptop. They also knew the target of the hack was JSTOR. They probably also knew that 99.9% of the comms were between the laptop and JSTOR, and they also had the means to look at the packets coming from off network to the laptop, and knew there was no evidence of remote operation from China or network file transfers.
Still, the person placing the laptop could have been an agent from China but there’s no reason MIT had to assume it. When assuming the worst case scenario (which seems to be what Michael Sussmann is implying), you do so because you cannot assess the risk. The risk to that point was copying scholarly articles to the laptop. Did they know that?
Is Michael Sussmann bs rhetoric covering tracks, or does the (secret service and) justice department act out of irrational fear?
@Saul Tannenbaum: @23 Thanks, makes sense. Still smells like there was more going on than what we’ve seen. Thanks for the map too, it helps.
Swartz sure had the Feds attention with his FOIAs and history. It’s hard to shake the thought that this may have been driving from the Feds down, with national technical means targeting Swartz already deployed. But, regardless of who initiated what, Swartz gave them a gold plated opportunity to hurt him, and they took it.
Looking at a firewall log is sobering. Surprising how many not very nice people there are in the world.