“ur submission form is too fucking slow, spent the whole day uploading 1 gb.”

As I noted, one of the Roger Stone-related warrant applications released last week includes more details on the communications between the Guccifer 2.0 persona and WikiLeaks leading up to the DNC release. Emma Best examines the filing from a perspective of how someone, purportedly with no prior relationship to WikiLeaks, would go about transferring even a marginally significant submission to WikiLeaks. Almost a month of back-and-forth transpires between the first contact with Guccifer 2.0 and the successful transfer of the DNC files.

A key exchange, however, happened on July 6, 2016. After Guccifer 2.0 inquires whether WikiLeaks received some documents Guccifer 2.0 sent, the persona gets cranky because it took so long to upload a 1 GB file to WikiLeaks' submission system. [I’m using Best’s conversion of this filing into a nifty transcription.]

Guccifer 2.0: “fuck, [I] sent 4 docs on brexit on jun 29, an archive in gpg[.] ur submission form is too fucking slow, [I] spent the whole day uploading 1 gb”

WikiLeaks: “We can arrange servers l00x as fast. The speed restrictions are to anonymise the path. Just ask for custom fast upload point in an email.”

Guccifer 2.0: “will u be able to check ur email?”

WikiLeaks: “We’re best with very large data sets. e.g. 200gb. these prove themselves since they’re too big to fake”

Almost two weeks into this exchange, WikiLeaks says they can arrange for a custom server to transfer larger data sets — of around 200 GB.

These exchanges should, to a significant extent, be considered theater. Both sides of this conversation knew that the FBI would be watching all DMs between WikiLeaks and the Guccifer 2.0 persona. So it can’t be taken as a definitive indication of how any files get sent.

Still, it shows how WikiLeaks would respond, using the public communication accounts, to a request to submit data in July 2016.

That’s significant because it shows how things might have proceeded, two months earlier, when Joshua Schulte allegedly sent 1TB of data to WikiLeaks on May 1, 2016.

While the prosecution in Schulte’s case provided forensic evidence to explain when he stole the CIA files and sent them to WikiLeaks, key gaps remain (perhaps most notably, how he got the files out of his building, though that may be because of certain classification decisions). And because Schulte used Tails and wiped his devices afterwards, there’s no record of him actually sending the files.

Here’s how prosecutor Matthew Laroche described that process in his closing arguments.

Just as a general matter, you know this information was transmitted to WikiLeaks because they posted it on the internet. They obviously got it, and the question is when did he send it?

And that’s answered by what he did on the 30th and May 1. Let’s look at the evening of the 30th.

At 6:47 p.m., he is searching for Google history and Google view browsing history. He is concerned about what he’s been searching for. On the evening, that night, he is searching for digital disk-wipe utility on several occasions, and at 10:52 p.m., he visits a website Kill Your Data Dead With These Tips and Tools. The defendant is interested in finding out how to securely delete information that might connect him to the leak, anything that he might’ve brought home with the leak on it, anything that he might’ve used to transfer it.

And at 10:55 p.m., he runs a similar search for SSD wipe utility. And you’ll remember all those hard drives that were recovered from his home. He was wondering how to wipe them to make sure that there was no evidence of his activities.

Now, overnight, he continues working.

At 12:19 a.m., the defendant mounted his D drive onto his virtual machine, the same D drive that had those encrypted files, data2.bkp through data6.bkp. They’re in his D drive. He mounts his D drive.

Then, overnight, he is constantly looking at his computer. On at least four occasions, he is unlocking his virtual machine in the middle of the night: 1:57 a.m.; 2:34 a.m.; 2:56 a.m.; 3:18 a.m. He is doing that because he is transferring data and he wants to make sure it’s happened correctly. And you know that is the case because of the Google searches he runs at the end of the night and the early morning.

At 3:18 a.m., just after he unlocks his screen saver, the defendant searches for How Long Does It Take to Calculate MD5?

Remember, calculating an MD5 is a way to confirm that what you transferred from one place to another is the same, that it went correctly, that there were no errors. You calculate an MD5 to confirm that what you transferred transferred correctly, and that’s what he’s looking for at 3:18 a.m.

Then at 3:21 a.m., the defendant visits a website, How Can I verify That a 1TB File — one terabyte file — transferred correctly?

That description is based off this forensic testimony from Michael Berger.

Prosecutors described this as happening overnight. Overnight transmission of a 1TB file using WikiLeaks’ public submission site would be utterly impossible given the state of it at the time and the volume of data Schulte was transferring, and probably impossible regardless of how much time someone spent. Overnight transmission of 1TB of data using Tails, even to a dedicated server, would be difficult enough. Best describes that, “1 TB over Tor in one night is unlikely.”

The government timeline does have Schulte in possession of the data earlier than that, potentially giving him a week to transfer the data, with the overnight activity described above being just the end of that process.

Still, the way this would happen, normally, would be for WikiLeaks to set up a dedicated server to accept the files. And that would take prior communication. Such communication likely would have happened over Jabber, not Twitter (Schulte’s opsec was piss poor in many ways but he did use Jabber).

Such a prior conversation is entirely consistent with testimony provided elsewhere, where prosecutors focused on the website’s alternative submission process.

But the seeming necessity for prior communication before this transfer happened suggests Schulte’s alleged theft and transfer of the files might not have been as reactive a decision as portrayed in his prosecution.

It would take premeditation to send WikiLeaks a 1TB file, whatever the timing. Prosecutors may know that, and have an explanation for when such prior communications happened, but they’re withholding those details for any of a number of reasons. Or it may be a big hole in this story. Schulte insists he didn’t do it and a jury failed to convict.

One way or another, however, the state of WikiLeaks’ submission system as it existed in 2016 presents a big gap in prosecutors’ current story.

Update: Two important details for those trying to figure out how long this transfer would really take. First, Schulte ran a commercial server specifically focused on video streaming at the time, so his upload speeds would not limit the transfer time at all. Second, Schulte at least claimed that hiding data for exfiltration was his speciality. That by itself wouldn’t help him send stuff to WikiLeaks, at least not without prior contact. But it does mean that the means by which he transferred this file may have relied on tools he had developed at the CIA.
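The feasibility question above, as an added example that is not part of the original post or of any comment on it: a small Python calculator that reproduces the 10 Mbit/s back-of-envelope figures worked out in the comments below (binary versus decimal terabyte, with and without an 80% goodput allowance) and turns the question around to ask what sustained upload rate an overnight window would need. The 3-hour window (12:19 a.m. to 3:21 a.m. in the prosecutor's timeline), the 80% goodput factor and the 100 MB/s disk rate are assumptions for illustration, not figures from the record.

```python
"""Back-of-envelope transfer-time model for the 1 TB question (added example)."""

SECONDS_PER_DAY = 24 * 60 * 60
TIB = 2 ** 40      # "honest" (binary) terabyte, as one commenter calls it
TB = 10 ** 12      # "marketing" (decimal) terabyte
MBIT_SI = 10 ** 6  # what ISPs mean by "Mbit"; the commenter used 2**20 bits


def transfer_seconds(size_bytes, nominal_mbit_s, efficiency=1.0, mbit=MBIT_SI):
    """Seconds to push size_bytes over a link rated at nominal_mbit_s.

    efficiency is the goodput fraction left after protocol overhead, e.g. 0.8
    for the 80% rule of thumb quoted in the comments; 1.0 means no overhead.
    """
    if not 0.0 < efficiency <= 1.0:
        raise ValueError("efficiency must be in (0, 1]")
    if size_bytes < 0 or nominal_mbit_s <= 0:
        raise ValueError("size must be >= 0 and rate > 0")
    goodput_bytes_s = nominal_mbit_s * mbit / 8 * efficiency
    return size_bytes / goodput_bytes_s


def transfer_days(size_bytes, nominal_mbit_s, efficiency=1.0, mbit=MBIT_SI):
    """Same as transfer_seconds, expressed in days."""
    return transfer_seconds(size_bytes, nominal_mbit_s, efficiency, mbit) / SECONDS_PER_DAY


def required_mbit_s(size_bytes, window_seconds, efficiency=1.0, mbit=MBIT_SI):
    """Nominal link rate needed to move size_bytes inside window_seconds."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return size_bytes * 8 / (window_seconds * efficiency * mbit)


def hash_hours(size_bytes, throughput_bytes_s):
    """Hours to read and checksum size_bytes at a sustained throughput
    (whichever of CPU or disk is the bottleneck)."""
    return size_bytes / throughput_bytes_s / 3600


if __name__ == "__main__":
    # The commenters' 10 Mbit/s home uplink, with and without the 80% goodput allowance.
    for label, size in (("binary TB", TIB), ("decimal TB", TB)):
        for eff in (1.0, 0.8):
            days = transfer_days(size, 10, eff, mbit=2 ** 20)
            print(f"{label} at 10 Mbit/s, goodput {eff:.0%}: {days:.1f} days")
    # Assumed 3-hour window from the prosecutor's timeline (12:19 a.m. to 3:21 a.m.).
    print(f"1 TiB in 3 h needs about {required_mbit_s(TIB, 3 * 3600, 0.8):.0f} Mbit/s sustained")
    # MD5 pass at the commenter's 328 MB/s CPU figure versus an assumed 100 MB/s disk.
    print(f"MD5 over 1 TiB: {hash_hours(TIB, 328e6):.1f} h CPU-bound, "
          f"{hash_hours(TIB, 100e6):.1f} h disk-bound")
```

The required-rate figure is for the raw link only; the post's point that a Tor path would be far slower than the uplink itself is not modelled here.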

12 replies
  1. drouse says:

    I did some back of the envelope calculations and assuming a 25 down and 10 megabit up connection, it would take about 24 hours to transfer a terabyte. If nothing went wrong. The roughly 6 hour span in the closing could correspond to generating the MD5 hash, waking the computer at 30 minute interval to check on progress. I scrolled through the transcript and saw nothing that would show signs of very large file transfers even if they were broken into 200GB chunks. I think Joshua Schulte might have shipped a copy of his D: drive to a dead drop and what the prosecutor described was simply confirming the integrity of the transfer.

    • it's complicated says:

      I tried, too, coming to different results. Used a greyish recycling paper envelope, though.
      Download speed won’t be a limiting factor unless really really small.
      Upload speed 10MBit/sec = 10*2^20/8 bytes/sec
      For one honest terabyte (2^40 bytes) I get:
      2^40/(10*2^20/8) = 838860.8 sec
      One day being 24*60*60=86400 sec, I end up with ~9.7 days.
      Assuming 10^12 bytes for a marketing terabyte, I get ~8.8 days.
      Please tell me that I’m wrong, and where I miscalculated. I lack caffeine.

      Calculating an md5 with a PC from 2009 (I tried) is definitely not limited by the CPU (328MB/sec) but by disk transfers. 6 hours sounds in the plausible range to me.

      • P J Evans says:

        I don’t think your calculations are far wrong – I would download 30 GB of images from Ancestry, and it would take 3 to 4 days (if the system didn’t reboot).

      • drouse says:

        I think you have the right of it. Looking at my numbers, it seems like I had a misplaced 8 in there somewhere.

      • Legonaut says:

        Don’t forget the TCP protocol’s packet overhead — at best, only 80% of a connection’s raw bandwidth is user data. There’s more overhead for poor connections, retries, etc.

        I think that makes it 12.1/11 days for a real/marketing terabyte at 10Mbps.

    • emptywheel says:

      Somewhere in the trial transcript, we have an idea of Schulte’s connection speed, but it was far higher than that. He was running a commercial server for others, including for streaming videos.

      It would not be the upload speeds that would slow him down, it would be the Tor network.

  2. drouse says:

    I got curious about whether it was possible that Schulte copied the drive and shipped it. I went back and read the forensic testimony a little closer to see if there was any mention of copying the drive at some point. There wasn’t but Michael Berger emphasized how everything is logged under Linux and how root privilege was required for certain actions. Then I got to where they covered the SATA adapter that Schulte ordered from Amazon. This little bit jumped out at me.

    Berger – Direct

    Q. What are we looking at?
    A. This is an order confirmation e-mail from Amazon sent to Josh Schulte.

    Q. And what’s the date of it?
    A. Sunday, April 24, 2016, at 12:39 a.m.

    Q. What’s the product that’s referred to here?
    A. The product listed is an Inatek USB 3.0 SATA.

    Q. You see the name am is cut off there a little bit.
    A. Yes.

    Q. Let’s go to the next slide and see if we can expand that. What’s this?
    A. Those order details.

    Q. Do you see an item description?
    A. Yes.

    Q. Could you read that description.
    A. Sure. Docking station with offline clone function for 2.5-inch and 3.5-inch HDD SSD SATA (SATA 1/2/3).

    Q. Do you know what that is?
    A. Yes.

    Q. What is it?
    A. So this is what’s referred to as a docking station, a small device that you would be able to hook up to your computer and insert hard drives into it.

    The adapter had the ability to clone the drive without being connected to his computer. Without, I might mention, being logged by the operating system.

    • emptywheel says:

      One thing Alexa O’Brien has noted is that Andrew Müller-Maguhn made several trips to the US during 2016. It was speculated (including in the Mueller Report) that he might have been the mule for the stolen DNC files. But he would be much more suited to carry stolen CIA files, not least because he would have been one of the people who would have analyzed those files.

  3. earlofhuntingdon says:

    A few thoughts on Jay Rosen’s, “The plan is to have no plan.” I agree. What is an administration of dunces to do when it is desperate for re-election, but is confronted by a problem it cannot comprehend or fix (other than to profit from it)?

    One solution is the Big Lie. Lie about the dead, spread false blame around like liquid manure, and let people become fatigued by the scale of death. What, then, are a few more deaths when it comes to implementing radical change? Like, say, keeping our god-emperor in the White House, where the gods intended him to be? Works well when you are too ignorant to comprehend a problem, not competent to do anything about it, and determined not to let government escape the shitbag neoliberals have tied it in since Ronald Reagan recited his catechism, “Government’s not the cure, it’s the problem.”

    “There is no plan” fits the Trump moment. It does not require a plan, it requires a carrion feeder’s opportunism. It does not require confidence, judgment, political skill, or guts. It does require unwavering support, a Burson-Marsteller quality PR campaign, and an ignorant, lazy, sociopathic narcissist of epic proportions. That describes Trump’s character and resources in a nutshell.

    https://pressthink.org/2020/05/the-plan-is-to-have-no-plan/

    • Ginevra diBenci says:

      I just read Rosen’s piece too. I agree that Trump himself has no plan, just the goal of re-election, driven by inchoate fear and whatever calculation he’s still capable of. The GOP, however, does have a plan; it did not include Trump, until expediency called, and it will not be derailed when he goes. They will claim to have shared our dismay. Don’t believe it. If anything, he has left them stronger.
