DOJ’s Minor Desperation with MalwareTech

Best as I can tell (this is way not my forté — this was done with the help of S — so please recreate my work), this screen shot shows “auroras” selling UPAS Kit 1.0.0.0 on June 14, 2012.

June 14, 2012 was before Marcus Hutchins turned 18.

Some of the Russian translates as:

Upas is a modular http bot, which was created for the sole purpose – to save you from a headache. This is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus, the installation is “quiet” without recognition by antiviruses. Currently it works on the following versions of Windows: XP, Vista, 7 (Seven), Server 2003, Server 2008. In addition, it is “compatible” with all service packs.

[snip]

The Upas Kit was created to identify vulnerabilities in information systems of individuals and organizations.

Upas Kit has never been used to commit cyber crimes and it can not be so.

Buying this product, you agree not to violate the laws of the Russian Federation and other countries.

Buying this product, you use it at your own risk. Before downloading the application to the user’s PC, you must obtain its consent.

The support address is [email protected]. This matches the UPAS Kit described in Marcus Hutchins’ superseding indictment.

“UPAS Kit” was the name given to a particular type of malware that was advertised as a “modular HTTP bot.” UPAS Kit was marketed to “install silently and not alert antivirus engines.” UPAS Kit allowed for the unauthorized exfiltration of information from protected computers. UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.

All of which is to say that when the superseding indictment describes the following as overt acts in the conspiracy to violate CFAA and to wiretap, it describes code placed on sale before Hutchins turned 18.

On or about July 3, 2012, [VinnyK], using the alias “Aurora123,” sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 digital currency.

Now, as I said yesterday, it’s not clear what UPAS Kit is doing in the superseding indictment. Alone, the coding behind the listing above necessarily happened while Hutchins was a minor and the sale itself happened over five years ago. So the government can only present it as part of a conspiracy sustained by more recent overt acts, like the sale of Kronos in 2015, arguing they’re part of the same conspiracy, which extends the tolling (but doesn’t change Hutchins’ birthday).

Given the claim that he lied to the FBI in his Las Vegas interrogation, however, I think they’re suggesting that when he admitted to coding a form grabber, but not the one in Kronos, he was lying about knowing that this earlier code got used in Kronos.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

In other words, to get this admission into trial, the government is going to claim he was lying about knowing there was continuity between UPAS and Kronos in a way to deny any more recent involvement, even though they’re on the record (through Dan Cowhig’s statements to the court) that he had admitted that.

Which further suggests the evidence they have that he actually coded Kronos itself isn’t that strong, and that they need to rely on code that Hutchins wrote when he was a minor to be able to blame this malware on him.

To Pre-empt an Ass-Handing, the Government Lards on Problematic New Charges against MalwareTech

When last we checked in on the MalwareTech (Marcus Hutchins) case, both FBI agents involved in his arrest had shown different kinds of unreliability on the stand and in their written assertions, and Hutchins’ defense had raised a slew of legal challenges that, together, showed the government stretching to use wiretapping and CFAA statutes to encompass writing code so as to include Hutchins in the charges. It looked like the magistrate in the case, Nancy Joseph, might start throwing out some of the government’s more expansive legal theories.

That is, it looked like the government’s ill-advised decision to prosecute Hutchins in the first place might be mercifully put out of its misery with some kind of dismissal.

But the government, which refuses to cut its losses on its own prosecutorial misjudgments, just doubled down with a 10-count superseding indictment. Effectively, the superseding creates new counts, first of all, by charging Hutchins for stuff that 1) is outside a five year statute of limitations and 2) he did when he was a minor (that is, stuff that shouldn’t be legally charged at all), and then adding a wire fraud conspiracy and false statements charge to try to bypass all the defects in the original indictment. [See update below — I actually think what they’re doing is even crazier and more dangerous.]

The false statements charge is the best of all, because for it to be true a Nevada prosecutor would have to be named as Hutchins’ co-conspirator, because his representations in court last summer directly contradict the claims in this new indictment.

Wherein financial criminals VinnyK and Randy become bit players in criminal mastermind Marcus Hutchins’ drama

To understand how they’re doing this, first understand there are two criminals Hutchins is alleged to have had interactions with three-plus years ago:

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With this superseding indictment, the government has turned these two criminals into the bit players in a scheme in which Hutchins is now the targeted criminal.

Interestingly, unlike in the original indictment, VinnyK is not charged in this superseding indictment. I’m not sure what that means — whether the government has decided they like him now, they’ll never get him extradited and he won’t show up at DefCon because he’s learned Hutchins’ lesson, or maybe even they’ve gotten him to flip in a bid to avoid embarrassment with Hutchins. So there’s one guy the government admits is a criminal — Randy — and another guy they believed was a serious enough criminal they had to arrest the guy who saved the world from WannaCry to help find, VinnyK. Neither is charged in this indictment. Hutchins is.

Conspiracy to violate minors outside the statute of limitations

As I said, one way the government gets from 6 to 10 counts is by identifying a second piece of software — allegedly written by Hutchins — that VinnyK sold, so as to charge the same legally suspect crimes twice.

This is a comparison of the old versus new indictment.

As I understand it (though the indictment is damned vague on this point) the additional wiretapping and CFAA charges come from a second piece of software.

Here’s what that second alleged crime looks like:

a. Defendant MARCUS HUTCHINS developed UPAS Kit and provided it to [VinnyK], who was using alias “Aurora123” at the time.

b. On or about July 3, 2012, [VinnyK], sold and distributed UPAS Kit to an individual located in the Eastern District of Wisconsin in exchange for $1,500 in digital currency.

c. On or about July 20, 2012, [VinnyK], distributed an updated version of UPAS Kit to an individual in the Eastern District of Wisconsin.

First of all, notice how Hutchins’ activities in this second crime aren’t listed with any date? Wikipedia says Hutchins was born in June 1994 and I’ve confirmed that was when he was born. Which means either he coded UPAS Kit in a few weeks or less, or the actions he’s accused of here happened when he was a minor.

Now look at your calendar. July 2012 was 6 years ago, so outside a 5-year statute of limitations; for some reason the government didn’t even try to include the July 20, 2012 action when they first charged this last year. One way or another, the SOL has tolled on these actions.

The time period for this new alleged crime, though, is listed as July 2014 to August 2014. Except all new actions listed in that time period are tied to Kronos, not UPAS. In other words, unless I’m missing something, the government has tried to confuse the jury by charging Kronos twice, all while introducing UPAS, which is both tolled and on which Hutchins’ alleged role occurred while he was a minor.

[See update below.]

Criminalizing malware research

The effort against Hutchins always threatened to criminalize malware research. But the government (perhaps in an effort to substantiate a second crime associated with Kronos) has gone one step further with this claim:

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government doesn’t explain this (and I guarantee you they didn’t explain this to the grand jury — I mean they put the word “hacked” right there so it must be EVIL), but they’re claiming this article talking about how to thwart Phase Bot malware via vulnerabilities in its command and control module — that is, a post about how to defeat malware!!!! — is really a devious plot to undercut the competition.

Again, the original indictment was dangerous enough. But now the government is claiming that if you write about how to thwart malware, you might be doing it for criminal purposes.

Charging the other bad guys with wire fraud conspiracy

As a reminder, the charges in the original indictment (which remain largely intact here) were problematic because selling Kronos fit neither the definition of wiretapping nor CFAA (the latter because it doesn’t damage computers). In an apparent attempt to get out of that problem (though not the venue one, which best as I can tell remains a glaring problem here), they’ve added a conspiracy to commit wire fraud, arguing that Hutchins “knowingly conspired and agreed with [VinnyK] and others unknown to the Grand Jury, to devise and participate in a scheme to defraud and obtain money by means of false and fraudulent pretenses and transmit by wire in interstate and foreign commerce any writing, signs, and signals for the purpose of executing the scheme.”

I’ll let the lawyers explain whether this charge will hold up better than the wiretapping and CFAA ones. But at least as alleged, all VinnyK has ever done (even assuming Hutchins can be shown to have agreed with this) is to sell Kronos to an FBI agent in Wisconsin.

The only one in this entire indictment described as actually making money off using Kronos is Randy, the guy the US government isn’t prosecuting because he narced out Hutchins. Meaning the guy with whom Hutchins would most credibly be claimed to have conspired to commit wire fraud is the one guy not mentioned in the charge.

But for some reason the government decided the just thing to do when faced with these facts was charge only the guy who saved the world from WannaCry.

Charging false statements after both FBI agents have been shown to be unreliable

Which brings us, finally, to what is probably the point of this superseding indictment, the government’s effort to salvage their authority. They’ve charged Hutchins with lying to the FBI about knowing that his code was part of Kronos.

On August 2, 2017, the Federal Bureau of Investigation was conducting an investigation related to Kronos, which was a matter within the jurisdiction of the Federal Bureau of Investigation.

On or about August 2, 2017, in the state of Eastern District of Wisconsin and elsewhere,

[Hutchins]

knowingly and willfully made a materially false, fictitious, and fraudulent statement and represented in a matter within the jurisdiction of the Federal Bureau of Investigation when he stated in sum and substance that he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016, when in truth and fact, as HUTCHINS then knew, this statement was false because as early as November 2014, HUTCHINS made multiple statements to Individual B in which HUTCHINS acknowledged his role in developing Kronos and his partnership with Individual A.

Whoo boy.

First of all, as I’ve noted, one agent Hutchins allegedly lied to had repeatedly tweaked his Miranda form, without noting that she did that well after he signed the form. The other one appears to have claimed on the stand that he explained to Hutchins what he had been charged with, when the transcript of Hutchins’ interrogation shows the very same agent admitting he hadn’t explained that until an hour later.

So the government is planning on putting one or two FBI agents who have both made inaccurate statements — arguably even lied — to try to put Hutchins in a cage for lying. And they’re claiming that they were “conducting an investigation related to Kronos,” which is 1) what they didn’t tell Hutchins until over an hour after his interview started and 2) what they had already charged him for by the time of the interview.

Oh wait! It gets better. See how they describe that Hutchins lied in Wisconsin?

The interrogation happened in Las Vegas, which last I checked was not anywhere near the Eastern District of Wisconsin. I mean, I’m sure there’s a way to finesse these things with that “and elsewhere” language, but this indictment simply asserts that an interrogation room in the Las Vegas airport was in Milwaukee.

And there’s more!!!

On top of the fact that one or another agent who themselves have credibility problems would have to go on the stand to accuse Hutchins of lying, and on top of the fact that they say this thing that happened in Las Vegas didn’t stay in Las Vegas but was actually in Milwaukee, there’s the fact that AUSA Dan Cowhig, on August 4, 2017, in a bid to deny Hutchins bail, represented to a judge that,

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he sold that code to another.

We don’t have the full transcript of Hutchins’ interrogation yet (parts released by the defense show him admitting to underlying code, which may be what this UPAS stuff is about, though denying Kronos itself). But for it to be true that Hutchins lied about knowing that “his computer code was part of Kronos until he reverse engineered the malware,” then Cowhig would have had to be lying last year.

So to sum up: the government’s bid to save face, on top of some jimmying with dates and using Randy to accuse Hutchins of something that Randy is far more guilty of, is to put two agents who have real credibility problems on the stand to argue that their colleague in Nevada, which apparently spends its summers in Wisconsin, lied last year when he claimed that Marcus admitted “he was the author of the code that became the Kronos malware.”

Update: It has been suggested those 2012 UPAS Kit actions got included because they are part of the conspiracy, which is how they get beyond tolling (though not Hutchins’ age). If the government is arguing that UPAS is the underlying code that Hutchins contributed to Kronos, then that might make sense. Except that then the false statements charge becomes even more ridiculous, because we know that Hutchins admitted to that bit.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Also note, at least according to Hutchins’ jail call to his boss, GCHQ vetted this earlier activity and found it to be unproblematic.

Update: On fourth read (this indictment makes no sense), I think the new charges are not the 2012 sales, but a vague crime based on the marketing, but no sale, of malware in 2014. In other words, they’re accusing Hutchins of wiretapping and CFAA crimes because someone else posted a YouTube. Note, the YouTube in question has already been litigated, as the government is trying hard to get venue because of that — because YouTube is based in the US.

This is such an unbelievably dangerous argument; it’s a real testament to the sheer arrogance of this prosecution at this point, that they’ll stop at nothing to avoid the embarrassment of admitting how badly they fucked up.

The Government Refuses to Name FBI Agent Accused of Deceit in MalwareTech Case

Here’s the basic argument that Marcus Hutchins’ (AKA MalwareTech) lawyers are making in an effort to get his post-arrest interview suppressed.

[D]espite Mr. Hutchins’ multiple direct questions to the FBI agents who arrested him about the nature of his circumstance (e.g., “Can you please tell me what this is about?,” asked at the outset of the interrogation) and notwithstanding his frequent expressions of uncertainty about the agents’ focus of inquiry, the agents intentionally concealed from him the true and pertinent nature of his then-existing reality (e.g., “We’re going to get to it,” then somewhat revealing things 75 minutes later). Under these circumstances, bolstered by his known-to-the-agents exhaustion and status as a foreigner (among other things), Mr. Hutchins “full awareness of both the nature of the right being abandoned and the consequences of the decision to abandon it” was fatally compromised.

For its part, the government largely dodges the question of whether the agents misled (or refused to inform) Hutchins why he was being questioned, arguing (incorrectly — deception is mentioned twice in the first motion) that Hutchins didn’t raise deceit until after learning more details about the process, and focusing on the law in isolation from the facts. Ultimately, though, they argue that the substance of the crimes of which Hutchins was accused doesn’t matter because he knew he was arrested. To substantiate that, they present claims that go to the heart of the deceit question — the circumstances surrounding Special Agent Lee Chartier informing Hutchins that he had been indicted in Wisconsin.

Like the defendant in Serlin, Hutchins was aware of the nature of the FBI inquiry. Hutchins knew that the FBI’s interview on August 2, 2017, related to a criminal inquiry because Hutchins was handcuffed with his hands placed behind his back and told that he was under arrest based on federal arrest warrant. Doc. #82 at 20. And as if that was not enough, the questions posed to Hutchins, like the questions in Serlin, “would have alerted even the most unsuspecting [individual] that he was the . . . focus of the [criminal inquiry].”

[snip]

Unlike the defendant in Giddins, Hutchins was never misled about the criminal nature of the FBI investigation. There is no dispute that Hutchins was placed in handcuffs and told he was under arrest based on an arrest warrant issued from the Eastern District of Wisconsin, and that before any questioning, Hutchins was advised of his rights and waived those rights.

On that bolded bit, there very much is a dispute. Tellingly, the government never once mentions the name of the agent, Lee Chartier, who claims to have done this, the same agent that Hutchins accuses of deceit. That’s interesting, not least, because even after the agents “colluded” (curse you for using that term, Hutchins’ legal team!!!) about their story, whether and how Chartier informed Hutchins of his indictment while he had Hutchins in a stairwell is one of the matters on which their sworn testimony differed.

At the outset, it is very important for the Court to remember the agents’ pre-hearing collusion. As Agent Butcher revealed, she and Agent Chartier got together to “mak[e] sure that we were on – you know, that our facts were the same.” (Id. 112:4-5.) Their synchronization of their testimony calls into question their entire characterization of events, and any benefit of any doubt the Court has regarding what happened should accrue to Mr. Hutchins’ favor.

[snip]

Agent Chartier testified that he revealed he was with the FBI and told Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant just after Mr. Hutchins had been detained, when he and the customs officers took Mr. Hutchins from the lounge to a stairwell. (Hearing Tr. 19:8-23.) By his own admission, however, Agent Chartier did not explain the charges or what was going on, despite Mr. Hutchins’ numerous questions in the hallway. (Id. at 19:25-20:4; 58:25-59:1.)

In addition, Agent Chartier claimed that after he escorted Mr. Hutchins to the (pre-arranged) interrogation room, he and Agent Butcher again advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. (Id. 20:25-21:1.) Notably, they did not explain anything else. Agent Chartier acknowledged that Mr. Hutchins was not told that the arrest warrant flowed from an indictment, much less that the indictment charged six felony offenses stemming from the development and sale of Kronos. (Id. 56:22-24.)

Further, although the agents tried to coordinate their testimony, Agent Butcher’s testimony about these meaningful events was quite different from Agent Chartier’s. She did not testify that he (Agent Chartier) advised Mr. Hutchins that he was under arrest pursuant to a federal arrest warrant. Only Agent Chartier makes this claim, one that is undermined by Agent Butcher and otherwise lacks any support in the record. [my emphasis]

There’s actually a very good reason why Butcher didn’t describe Chartier doing this. He did so, if he did, in the stairwell; Butcher wouldn’t have been a witness.

Ordinarily, an FBI agent would get the benefit of the doubt on this point, but for two reasons, the public record suggests they shouldn’t in this case.

First, the time that Jamie Butcher estimated Hutchins was given his Miranda warning, 1:18PM, would only allow for a minute to transpire between the time Hutchins exited the airport lounge and his interview started post-waiver.

Despite the fact that Mr. Hutchins was escorted out of the lounge at 1:17 p.m. and the audio recording started at approximately 1:18 p.m. (see Exhibits 14 and 9), Agent Chartier claimed that he read Mr. Hutchins the Advice of Rights form (Exhibit 9) and Mr. Hutchins read and signed it. (Hearing Tr. 24:25-25:6.)

Further, as an excerpt from the transcript reveals, Butcher told Chartier he (the more experienced agent on questioning witnesses of the two) was all over the place just minutes after he would have given such a warning.

5:05-5:22

Chartier: Okay. And I don’t know if we did this in the beginning. Sorry, my brain is like—

Butcher: You’re like a mile a minute. Go ahead.

Chartier: Did you—did we have a passport for you? I didn’t have—we didn’t take one off of you. Did you have a passport.

Hutchins: It’s in the bag.

Chartier: It’s in your bag? Okay. All right. Well just for the record, could you go ahead and state your full name and then give your date of birth?

Again, this would have happened just minutes after Chartier would have given Hutchins his Miranda warning. Whatever the verdict on Hutchins’ competence to waive his rights, it does raise questions about the carefulness of the warning that Chartier gave.

Both these motions have the feeling of rushed filings, with some errors and imprecisions. Ultimately, the judge is likely to rule against Hutchins here (though it will form important background as she considers much more substantial challenges to the charges against him). As I’ve said, though, the entire process has undermined both agents’ credibility if this ever goes to trial.

Hutchins’ motion is also interesting for the evidence it gives that this was still ultimately about getting Hutchins to cooperate against people the government was certain he was still communicating with, something I’ve been maintaining from the start.

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

Chartier: I understand, I understand, I understand. But you see why we’re here?

Hutchins: Yep. I can definitely see.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving–

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

This is what the entire case is about: the government used a trumped up claim of really attenuated criminal liability to try to get Hutchins to provide information on “these guys.” And they didn’t decide to do so until after Hutchins came back to their attention after he saved the world from WannaCry.

If this ever goes to trial, that should be the central issue. And going forward, too, that should be the central issue: that the government got itself into a very deep hole on a legally deficient claim because they did a back door search on the guy who saved the world and decided arresting him was the best way to coerce his cooperation moving forward.

But I’m still betting this doesn’t go to trial.

Did the FBI Have a Chance to Fix Their Lies about Encryption in 2016?

The WaPo reports that the FBI has been presenting grossly inflated numbers describing how many devices it can’t open because of encryption. The error stems, the FBI claims, from a “programming” error that actually sounds like an analytical error: the double or triple counting of the same encrypted phones.

Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls “Going Dark” — the spread of encrypted software that can block investigators’ access to digital data even with a court order.

The FBI first became aware of the miscount about a month ago and still does not have an accurate count of how many encrypted phones they received as part of criminal investigations last year, officials said. Last week, one internal estimate put the correct number of locked phones at 1,200, though officials expect that number to change as they launch a new audit, which could take weeks to complete, according to people familiar with the work.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,’’ the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

I find the April 2016 failed test suspicious.

To know why, consider this bit of history. Back in 2015, in the wake of Apple making encryption standard, Jim Comey and Sally Yates made a big pitch for back doors. But when Al Franken asked them, they admitted the FBI didn’t actually know how big the problem is.

Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

Nevertheless, in spite of Congress’ request for real numbers in July 2015, in January 2016 — just as some at FBI were trying to create an excuse to force Apple to open Syed Rizwan Farook’s phone — Comey and Yates admitted they still hadn’t started tracking numbers.

Around January 26, 2016 (that’s the date shown for document creation in the PDF) — significantly, right as FBI was prepping to go after Syed Rizwan Farook’s phone, but before it had done so — Comey and Yates finally answered the Questions for the Record submitted after the hearing. After claiming, in a response to a Grassley question on smart phones, “the data on the majority of the devices seized in the United States may no longer be accessible to law enforcement even with a court order or search warrant,” Comey then explained that they do not have the kind of statistical information Cy Vance claims to keep on phones they can’t access, explaining (over five months after promising to track such things),

As with the “data-in-motion” problem, the FBI is working on improving enterprise-wide quantitative data collection to better explain the “data-at-rest” problem.

[snip]

As noted above, the FBI is currently working on improving enterprise-wide quantitative data collection to better understand and explain the “data at rest” problem. This process includes adopting new business processes to help track when devices are encountered that cannot be decrypted, and when we believe leads have been lost or investigations impeded because of our inability to obtain data.

[snip]

We agree that the FBI must institute better methods to measure these challenges when they occur.

[snip]

The FBI is working to identify new mechanisms to better capture and convey the challenges encountered with lawful access to both data-in-motion and data-at-rest.

Grassley specifically asked Yates about the Wiretap report. She admitted that DOJ was still not collecting the information it promised to back in July.

The Wiretap Report only reflects the number of criminal applications that are sought, and not the many instances in which an investigator is dissuaded from pursuing a court order by the knowledge that the information obtained will be encrypted and unreadable. That is, the Wiretap Report does not include statistics on cases in which the investigator does not pursue an interception order because the provider has asserted that an intercept solution does not exist. Obtaining a wiretap order in criminal investigations is extremely resource-intensive as it requires a huge investment in agent and attorney time, and the review process is extensive. It is not prudent for agents and prosecutors to devote resources to this task if they know in advance the targeted communications cannot be intercepted. The Wiretap Report, which applies solely to approved wiretaps, records only those extremely rare instances where agents and prosecutors obtain a wiretap order and are surprised when encryption prevents the court-ordered interception. It is also important to note that the Wiretap Report does not include data for wiretaps authorized as part of national security investigations.

These two answers lay out why the numbers in the Wiretap Report are of limited value in assessing how big a problem encryption is.

Significantly, Comey and Yates offered these answers in response to a Chuck Grassley question about whether they believed, as the corrupt Cy Vance had claimed in Senate testimony, that “71% of all mobile devices examined…may be outside the reach of a warrant.”

The number FBI is now trying to correct was “more than half,” inching right up towards that 71% Vance floated years ago. In other words, this faulty methodology got them to where they needed to go.

I find that all the more suspicious given something that happened later in 2016. As soon as Jim Comey started providing numbers in August 2016, back when they showed 13% of phones could not be accessed, I asked how FBI came up with the number. At the time, a spox admitted that the number included more than encrypted phones — it also included deleted or destroyed phones.

It is a reflection of data on the number of times over the course of each quarter this year that the FBI or one of our law enforcement partners (federal, state, local, or tribal) has sought assistance from FBI digital forensic examiners with respect to accessing data on various mobile devices where the device is locked, data was deleted or encrypted, the hardware was damaged, or there were other challenges with accessing the data. I am not able to break that down by crime type.

That is, in September 2016, five months after FBI failed to find their flawed methodology, an FBI spox told me the number used was not an accurate count of how many phones couldn’t be accessed because of encryption.

When then FBI General Counsel James Baker used the same 13% a few months later, claiming all were encrypted, I checked back. The same spox said the number at that point was just encrypted phones.

It is true that damaged devices are provided to CART and RCFL for FBI assistance, but the 886 devices in FY16 that the FBI was not able to access (which is the number that GC Baker provided last week), does not include those damaged devices. It includes only those devices for which we encountered a password we were not able to bypass.

Now, it’s possible that the methodological problem I identified in 2016 — that their “Going Dark” number actually included phones they couldn’t access for entirely different reasons — was a different problem than the one just identified a month ago (just before Baker retired). Certainly, it doesn’t sound like the same problem (though as I reminded someone from DOJ’s IG some time ago, the forensics labs sending in these numbers have a history of unreliable numbers). That said, given the proliferation of chat apps with disappearing messages that amount to “destroyed” evidence — which under the flawed methodology used in 2016 would be counted as an encryption problem — it could be.

Still, what I identified in September 2016 was a methodological problem. It should have triggered a closer look at the time.

Instead, the FBI has been lying about how bad the Going Dark problem is for another year and a half.

The He Said, She Said That May Render MalwareTech’s Arresting Agents Useless on the Stand at Trial

Back when Marcus Hutchins (MalwareTech) moved to suppress the statements he made in his first custodial interview after his arrest, I suggested the challenge itself was unlikely to succeed, but that it would “serve as groundwork for a significant attempt to discredit Hutchins’ incriminatory statements at trial.”

While I still generally think the effort is unlikely to succeed (though it may never come to that, as I lay out below), an evidentiary hearing on the issue yesterday may have rendered both his arresting agents largely useless for testimony at trial.

As a reminder, Hutchins originally challenged his statements because:

  • As a Brit, he couldn’t be expected to understand that US Miranda works in the opposite way as British Miranda does without specific explanation
  • He waived his Miranda rights after being arrested after over a week of partying at DefCon, and was exhausted and possibly high
  • The FBI’s own records were sketchy; they hadn’t recorded that he had been asked if he was drunk (but not high) until over four months after his arrest (yesterday we learned that 302 was dated December 8 or 9)

Then, just before the originally scheduled evidentiary hearing on April 19, the government told Hutchins that the multiple crossed out times on his waiver had not been corrected until at least five days after his arrest, something the FBI agent in question, Jamie Butcher, didn’t formally explain anywhere.

Hutchins’ lawyers got a continuance to understand the implications of that; yesterday was the rescheduled opportunity to grill the FBI agents about when he was really Mirandized.

From the get-go, Hutchins’ attorney Brian Klein set a contentious tone for the hearing by suggesting at the outset that they might need to call one or the other of the prosecutors to testify to impeach the agents, something that almost never happens (for mostly good reasons). After some preliminaries in which Judge Nancy Joseph laid out how she’d be assessing the issues, first Lee Chartier and then Butcher took the stand to explain how the post-arrest interview and subsequent paperwork had gone down.

Chartier, almost a stereotypical-looking FBI agent — tall and white, beefy, with a goatee — had more experience of the two: he’s been working cyber since 2011, and in 2016 Jim Comey gave him the Director’s Medal of Excellence for being one of the top performing cyber agents. Still, he testified he had only done around 50 interviews, of which 20 were custodial interviews, over those years. Butcher, a short white woman, has been at FBI nine years, moving from an admin position to a staff operations specialist to her current cyber special agent position, where she’s been for three years. When prosecutor Benjamin Proctor walked her through her background, he didn’t ask how many interviews, custodial or not, she had done, which, given Chartier’s surprisingly low number, probably means she’s done very few interviews, particularly custodial ones. When Proctor asked about her involvement in this case, he described it as “becom[ing] involved in the investigation that resulted in arrest of Marcus Hutchins,” which suggests a curious agency behind the investigation.

Between them, the agents described how they flew out to Vegas the night before the arrest. Surveilling agents tracked Hutchins as he went to the airport and got through TSA then sat down at a first class lounge. As soon as Hutchins ordered a drink that turned out to be Coke but that the agents worried might be booze, Chartier, wearing business casual civvies, and two CBP agents wearing official jackets pulled Hutchins away from the lounge, placed him under arrest and cuffed him in a stairwell inside the secure area, and walked him to a CBP interview room, where Chartier and Butcher Mirandized him, then interrogated him for 90 to 100 minutes.

Even in telling that story, Chartier’s and Butcher’s accounts conflicted in ways that are significant for determining when Hutchins was Mirandized. He said it took “seconds” to get into the stairwell and then to the interview room. She noted that the “Airport is rather large. Would have taken awhile.” to walk from place to place (36 minutes elapsed between Hutchins clearing TSA and Chartier first approaching him, during which Hutchins walked to the lounge and ordered a Coke). There seems to be a discrepancy on how many CBP agents were where when (that is, whether one or two accompanied Chartier and Hutchins all the way to the interrogation room). Those discrepancies remained in spite of the fact that, as Butcher admitted, they had spoken, “Generally, about the interview, and Miranda, and making sure that we were on, that our facts were the same.”

Chartier described that the CBP recording equipment in the room “wasn’t functional that day,” which is why they relied on Butcher pressing a record button herself, which she didn’t do until (she said) Chartier started asking “substantive” questions, but after the Miranda warning.

It sounds like Chartier did most of the questioning and the dick-wagging, even though Butcher was the lead agent. He offered up the term “Liquid Courage” to describe Hutchins’ description of having to drink to network. He gave Hutchins a list of 80 online monikers, of which Hutchins recognized a handful; “Vinny,” who has shown up in public reporting on Hutchins’ background, was apparently one of those, so he may actually be the co-defendant after all (or the informant the government is hiding). Chartier had Hutchins review a string of code; Hutchins only recognized that it listed Kronos (which is the first he figured out that’s what the interview was about, and which is the basis for the FBI’s claim that he inculpated himself as the coder of Kronos).

Chartier’s more dominant role in the questioning is interesting given the dynamic yesterday. Butcher, who was questioned second, seemed to know her multiple fuck-ups on the basic parts of this interview (failing to note the Miranda time, starting the recording late, offering unconvincing claims about what she did when she realized she had entered the time wrong on the consent form) make her an FBI short-timer. I’d honestly be surprised if she were still at FBI by the time this goes to trial, if it does. At times, she seemed not to recognize the dangers of the answers she was giving. Chartier, on the other hand, has his Director’s award career to protect, and perhaps for that reason was openly hostile and seemed ready to throw Butcher under the bus for the fuck-ups that had gotten him sucked in.

Except it was Chartier’s responses that seemed to reflect deceit, and it was Chartier that Brian Klein accused of lying. Chartier seemed to be aware that he had to ensure three details:

  • That he explained to Marcus the circumstances of his arrest, which allegedly happened in the stairwell (I think it shows up in the 302, which Butcher wrote, but she wouldn’t have witnessed it. Also, her response to the judge on how she reconstructed the time of the waiver hinted that there are other sources of time stamps she doesn’t want to reveal — I bet there is surveillance footage from the stairwell).
  • That WannaCry only came up at the end.
  • That Hutchins should have known the interview was about Kronos.

Except even the prosecution made clear that’s not what happened. Prosecutor Michael Chmelar described how Hutchins first realized the case was about Kronos when he was shown the code.

Do you recall certain point Hutchins asked if case was about Kronos, looking for developer. What did you respond. I said I don’t think we’re looking anymore. Our belief that Mr Hutchins was developer of Kronos.

Note, I suspect the full 302 will also show that Chartier had absolutely no reason to make this claim, which is probably why within days of Hutchins’ arrest it became clear the FBI had way oversold their proof from this interview that Hutchins had admitted to contributing to Kronos.

Also at issue is when Hutchins first got to see the arrest warrant, something on which Chartier’s testimony appears dodgy. More importantly, Chartier’s testimony did make it clear Hutchins started asking immediately what the arrest was about, and 30 seconds after the recording started (therefore, after he had just signed the waiver) he asked again. Except it wasn’t until an hour later that Chartier explained that this stop wasn’t about WannaCry, as Klein laid out.

It’s not until 1 hour into the interview that they show him the arrest warrant. Here’s what happens. Chartier. What you’ll hear him say, okay, well, here’s the arrest warrant, and just to be honest. If I’m being honest with you this has absolutely nothing to do with WannaCry.

Plus, the arrest warrant apparently did not lay out the charges in the indictment, instead listing “conspiracy to defraud the US” as the crime (good old ConFraudUs!) which is remarkable for reasons I may return to if and when the warrant is docketed.

Effectively, the government explains that the reason they didn’t arrest Hutchins until just before he boarded his plane is because they feared he’d dodge off, open a computer, and shut down the WannaCry sinkhole (the registered kill-switch domain that stopped infected machines from spreading further), re-releasing the global malware. (Yeah, that’s dumb.) Everything they did, they did because of WannaCry.

But it wasn’t until an hour into their interrogation of Hutchins that they told him it wasn’t really about WannaCry.

Frankly, I don’t think this thing is going to trial. When Klein asked for more time, given what they discovered yesterday, before arguing the suppression motion, Joseph said she had all the other motions briefed and she wanted to decide them together. As I have laid out, the 5 motions work together, showing (for example) that the CFAA charge is improper, but also showing that the government refuses to point to any computers that were damaged by the Kronos malware Hutchins allegedly wrote.

If she’s thinking of all those motions together, then she’s seeing how, together, they show how pointless this prosecution is.

But if not — if this case actually does go to trial — either one of these FBI agents will be very easy to impeach on the stand.

Update: Fixed spelling of Chartier’s last name.

Update, 5/31: Turns out I had Chartier’s last name right the first time, and have now fixed this back.

Update: In talking to a physical surveillance expert who followed the hearing, the stairwell may actually be one place in the secure space that wouldn’t be on surveillance footage, with cameras instead capturing the entry and exit. If that’s right, it would mean the stairwell is all the more curious a place to have some of the key events in this arrest and interrogation go down. h/t DO

The FBI Has No Idea What Time MalwareTech Waived Miranda

Here’s the signature line of the FBI Agent who says that Marcus Hutchins waived his Miranda rights when he was arrested on August 2 of last year.

As I noted here, in addition to not memorializing that they asked him whether or not he was drunk (but not if he was high or exhausted) until four months after his arrest, the FBI wrote three different times down on his consent form, with the last being just a minute after he was arrested. In a new filing, Hutchins’ lawyers disclose that the Agent didn’t make those changes until five days after he was arrested — and didn’t note the delay on either the form or the 302 of the interview.

Hours before the scheduled April 19 evidentiary hearing, the government revealed to the defense for the first time how the handwritten times listed on the form came about. Since receiving the form from the government in discovery last fall, the defense had assumed that one of the agents had added the times contemporaneously with the interrogation. But that was not so. One of the two agents who interrogated Mr. Hutchins, Agent Butcher, disclosed to the prosecutors that:

The header information on the advice of rights form was entered after the interview. [She] realized the time she entered on the form was incorrect when she was drafting the 302 and attempted to reconstruct the time based on information available to her.

Agent Butcher wrote that 302, which is the FBI’s official report of the interrogation, five days after the interrogation, when she was presumably back in Milwaukee. The agent did not note her alteration of the form in the 302 or anywhere else.

It almost seems like the Agent was just as confused as Hutchins was, possibly about the two hour time zone change from Wisconsin.

Hutchins’ lawyers want the form thrown out and the FBI’s claim that he was warned to be treated with a negative inference.

Evidence crucial to determining whether law enforcement honored Mr. Hutchins’ constitutional rights in connection with custodial interrogation is spoiled, at law enforcement’s hands. The form, as it existed whenever Mr. Hutchins signed it, apparently no longer exists. In its place is an altered version, and the government should not be permitted to introduce and rely on altered evidence in defending against Mr. Hutchins’ suppression motion.

[snip]

And the Court should also draw from the circumstance an inference adverse to the government’s position that Mr. Hutchins was warned of and waived his constitutional rights before making a post-arrest statement.

Hutchins’ team also suggests — though doesn’t explain — that the Agents deceived Hutchins as to why they were interviewing him, or that he was under arrest, or what waiving Miranda entails.

Deception, as an independent basis for suppression, requires that the defense produce clear and convincing evidence that the agents affirmatively misled the defendant as to the true nature of their investigation, and that the deception was material to the decision to talk. United States v. Serlin, 707 F.2d 953, 956 (7th Cir. 1983). Importantly, as the Seventh Circuit explained:

Simple failure to inform defendant that he was the subject of the investigation, or that the investigation was criminal in nature, does not amount to affirmative deceit unless defendant inquired about the nature of the investigation and the agents’ failure to respond was intended to mislead.

Id. (emphasis added).

They haven’t explained this, but perhaps it will come out on the stand when the Agent testifies next week.

There’s one more fuck-up revealed in this motion.

The government wants to use two calls Hutchins made to his boss from jail, in which he apparently discussed the issues he did in the interrogation, as proof that he was willing to discuss those issues. Whether that helps their case or not, apparently the transcript the government made of those calls has some discrepancies with the actual recording.

The calls were audio-recorded and the government has disclosed those recordings, along with draft transcripts reflecting what was said. The defense’s review of the draft transcripts reveals minor discrepancies between the transcripts and the actual conversations. If, over Mr. Hutchins’ objection, the Court chooses to consider the calls, that consideration should be based on listening to the actual calls, not just reviewing the transcripts.

The defense wants to prevent the government from using the calls (because they were made hours after his arrest and can’t really reflect on his state of mind), as well.

Recording the time you gave someone their Miranda warning is pretty basic stuff. Noting that you screwed that up is also pretty basic stuff.

None of that happened properly. Normally, it’s really hard to get interrogations thrown out. But the fuck-ups pertaining to this one keep mounting.

After Reiterating Orin Kerr’s Arguments, MalwareTech Asks for the Indictment to be Dismissed with Prejudice

In a post explaining that MalwareTech (Marcus Hutchins) had gotten a last minute continuance before an evidentiary hearing last month, I linked to my thread on the government’s weak responses to a bunch of motions he had submitted. Here’s how I described the original motions:

The five filings are:

  1. motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Yesterday, Hutchins submitted his replies to the government’s arguments, in which he argues:

1. The government needs to explain what proof it will offer that Hutchins and his co-defendant conspired to damage 10 computers, and provide discovery on it.

2. [Hutchins offered no new response to the government’s Miranda response]

4. Because the government didn’t include in the indictment itself the legitimate (purchase of the malware by an FBI Agent) and specious (sharing a binary with someone in CA and discussing the malware in online forums) bases that tie Hutchins’ activities to the Eastern District of Wisconsin or even the US, the indictment is an improper extraterritorial application of the law and lacks venue in EDWI.

5. Because the government doesn’t include intentionality where the statute requires it, it should dismiss the related counts with prejudice (note, this argument has evolved from a grand jury error to a more fundamental assault on the indictment).

While I’m not sure all of these will succeed on their own (indeed, I think the motion on venue with respect to CFAA might fail in the absence of the rest of this), these motions form an interlocking argument that there’s no there there.

What the defense argues at most length is the third motion, reiterating that selling software does not amount to either a CFAA violation (damaging 10 computers) or wiretapping (which requires a device), an argument Orin Kerr made just after the charges were released in August. I get the feeling the defense thought that, having had access to Kerr’s argument all these months, the government might have responded better. The two substantive parts of their argument are here, addressing the point that CFAA violations require doing (or attempting to do) actual damage to computers, not just selling code that has the ability to damage them.

[T]he government suggests that its characterization of Kronos as “malware” should satisfy the pleading standard, claiming that it is “common knowledge” that malware is “written with the intent of being disruptive or damaging.” (Gov’t Response at 4 (citing Oxford English Dictionary 2018).) But the CFAA does not make so-called malware illegal—it is not some form of contraband. In fact, the term “malware” does not appear anywhere in the statute. The CFAA is not concerned with what software is called, but what an actor uses it to do. Artificial labels aside, the question before the Court is whether the indictment adequately pleads a case that Mr. Hutchins and his co-defendant conspired or attempted to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” 18 U.S.C. §§ 371 & 1030(a)(5)(A).

The only definition of “malware” relevant to that question is one offered in the indictment. The indictment, at paragraph 3(d), defines “malware” as “malicious computer code installed on protected computers without authorization that allowed unauthorized access to the protected computer.” Nothing in this definition involves “intentionally caus[ing] damage without authorization, to a protected computer,” which is necessary to violate § 1030(a)(5)(A). The indictment’s “unauthorized access” language seems to be borrowed from other provisions of the CFAA that have not been charged in this case, such as §§ 1030(a)(2), (5)(B), and (5)(C)—all of which include additional elements beyond “unauthorized access.” Even if Kronos precisely meets the definition of “malware” offered by the government in the indictment, that functionality alone would not constitute a violation of § 1030(a)(5)(A) or any other provision of the CFAA.

There are, I think, cases where malware sellers have been convicted — but only after their customers were busted doing damage. Here, the only customer mentioned in the legal case thus far was an FBI Agent that no one has alleged actually used the malware (the malware was used in other countries, including Hutchins’ home in the UK, about which the government has been completely silent since the initial indictment).

Here’s the language arguing that software, sold without a computer, is not a device as defined in the wiretapping statute charged.

[T]hose cases all involved claims that the defendants acquired communications using software running on a computer. Under those circumstances, a court has no reason to draw a distinction between the two because the software and computer are working together: the operation of one depends on the other. Indeed, the cases cited by the government discuss computers and the software installed on them as one unit. See, e.g., Zang, 833 F.3d at 633 (“[O]nce installed on a computer, WebWatcher automatically acquires and transmits communications to servers”); Klumb, 884 F. Supp. 2d at 661 (“The point is that a program has been installed on the computer which will cause emails sent at some time in the future through the internet to be re-routed[.]”); see also Shefts, 2012 WL 4049484, **6-10 (variously referring to servers, email accounts, software, and BlackBerry smartphones as interception devices).

For purposes of the § 2512 charges in this case, however, the distinction between software and computer is important. In Counts Two through Four, there is no computer, which would not be true in any scenario involving an actual interception. As noted in Potter, software alone is incapable of intercepting anything. 2008 WL 2556723, at *8. “It must be installed in a device, such as a computer, to be able to do so.”

In both cases, the defense is basically arguing that not only do Hutchins’ actions not meet the terms of the statute, but the indictment was also badly written in an unsuccessful attempt to make those statutes apply.

These are alleged crimes for which the government has refused to identify victims, has provided none of the requisite evidence of intentionality, and has applied statutes to software that doesn’t obviously qualify under either of the charged laws. Some of that is a problem with the indictment, as written. Much about this case suggests the government assumed Hutchins would plead quickly, obviating the need to write an indictment that could hold up at trial. As I noted, in its response a few weeks ago, the government claimed (after threatening that it might) it was planning on obtaining a superseding indictment.

The government plans to seek a superseding indictment in this case, and in doing so will correct this drafting error and moot Hutchins’s argument.

Two weeks later, there’s still no sign of the indictment that fixes the aspects the government admits are flawed, much less the other scope issues. And so now Hutchins is asking for the indictment — all counts of it, under one challenge or another — to be dismissed with prejudice.

I’m not sure that will happen — judges have proven the ability to interpret CFAA to include all manner of bad hacker stuff. But an outright dismissal might put the government out of the misery it brought on itself with a case it should never have charged.


Continuance in MalwareTech’s Case

I thought that while I was out traveling the continent last week, I’d miss a key hearing on Thursday in MalwareTech’s (Marcus Hutchins’) case. This thread lays out the government’s responses to his challenges to his indictment; the short version is, while the government would likely defeat his Miranda challenge, they still had to put their Agents on the stand for discovery. On the other issues, the government seems to have more serious problems (notably with trying him on charges for which there are no victims). So I thought it might be a really interesting hearing that would provide a glimpse of whether the judge thinks the government has a case.

That didn’t happen. After he and his lawyers got out to Milwaukee for the hearing, they asked for and got a one month continuance.

In light of new information, defendant requests a continuance of the evidentiary hearing. Parties agree to conduct evidentiary hearing on May 16, 2018 at 1:30 P.M.

So something’s up in his case, but it’s totally unclear what it is. All of the following are possibilities:

  • As noted, the government has been going back and forth about whether they’d get a superseding indictment. Last week they said they would. That’s probably the worst case scenario to explain the new information that would lead to a continuance: new charges that might pose a more serious risk.
  • In one of last week’s filings, the government revealed that he shared a binary with someone in CA (alleging, dangerously, that that amounts to wiretapping). That must be the informant the government has been trying to hide by calling a tipster. It may be the government provided information on this guy, and the defense wants time to research him.
  • The government had finally found the dark web materials related to the sale of the malware. They may have provided that or more details on Hutchins’ alleged co-conspirator.
  • Defendants that the government might have been trying to coerce Hutchins to share information on — most notably Peter Levashov, who was arrested for running the Kelihos botnet (which uses a successor to Kronos) — are now in US custody. That may change the status of his case somehow.
  • The government may finally realize that it’s got real problems with its case, and is finally offering a plea that better reflects the potential legal pitfalls of their case.

As I said, it could be any of these issues, or a combination of them. All we know is something’s up in his case, and we may not find out for another month.

How Yevgeniy Nikulin Might Play into the Mueller Investigation

For three reasons, Yevgeniy Nikulin, the Russian hacker alleged to be behind the massive LinkedIn and MySpace breaches, is in the news of late.

  • The report that Michael Cohen was tracked traveling from Germany to Czech Republic in 2016 has raised questions about whether both Cohen and Nikulin were in Prague at the same time, Mohammed Atta-like
  • Nikulin was suddenly extradited from Prague some weeks ago
  • His (Russian-provided) lawyer says he’ll entertain a plea deal

All of which provides a good opportunity to lay out what role he may have (or may be said to have) played in the DNC hack-and-leak.

The Michael Cohen in Prague story

The McClatchy report describing Robert Mueller receiving evidence of Cohen traveling from Germany to Czech Republic on some unknown date in 2016 seems to derive from outside investigators who have shared information with Mueller, not from Mueller’s team itself (which is consistent with his locked down shop). As such, it falls far short of being a confirmation of a meeting, or even validation that Mueller has confirmed any intelligence shared with his investigators. Moreover, the report has little detail as to timing, either of the visit or of when Mueller actually got this intelligence.

And while it took a bit of time (Cohen can be forgiven for the delay because he apparently has very urgent business hanging with his homies smoking cigars), he did deny this report, offering the same partial story he offered last year.

That said, given the claimed timing, any coincidental presence in Prague by both Cohen and Nikulin is unlikely. Cohen’s presence in Prague is said to have roughly aligned with that reported in the dossier, so August or September. According to the FBI’s arrest affidavit for Nikulin, he passed from Belarus into Poland on October 1, 2016, and probably was still there when posting from Warsaw on October 3; Nikulin was arrested in Prague on October 5. So unless Cohen went to Prague during his known October 2016 trip to England (definitely a possibility, but inconsistent with the dossier reporting), they would no more have met in Prague (or planned to) than Mohammed Atta and Iraq’s Ahmad Samir al-Ani did.

The sudden Nikulin extradition

That said, I do think the sudden Nikulin extradition, even as pro-Russian Czech President Milos Zeman fought with Czech Justice Minister Robert Pelikan over it — even to the point of threatening to replace him — is worth noting. That’s true, first of all, because it appears Paul Ryan — purportedly on vacation with his family, but making appearances with everyone but Zeman — had a hand in it.

During a visit to the Czech Republic, U.S. House Speaker Paul Ryan said on March 27 that “we have every reason to believe and expect that Mr. Nikulin will be extradited to America.”

“The United States has the case to prevail on having him extradited, whether it’s the severity of the crime, which is clearly on the side of U.S., or the timing of the request for the extradition,” he told reporters.

In an interview with RFE/RL in Prague on March 26, Ryan said that the “case for extraditing [Nikulin] to America versus Russia is extremely clear.”

Ryan, who met with Prime Minister Andrej Babis and other Czech officials during his visit, told RFE/RL that he would raise the issue in those talks.

“He did violate our laws, he did hack these companies…. So the extradition claim is very legitimate,” he said. “And I just expect that the Czech system will go through its process, and at the end of that process, I am hopeful and expecting that he’ll be extradited.”

Nikulin was extradited just days later, even as the decision looked like it would be reviewed.

Zeman has since made very bizarre comments criticizing Ryan for his involvement.

Zeman said he had a different view of the Nikulin case than Justice Minister Robert Pelikan (ANO), who had given consent to the extradition of this Russian citizen to the USA, but that he fully respected the minister’s right to decide on this matter.

Apart from the United States, Russia was seeking Nikulin’s extradition, too, based on a suspected online theft.

“When Donald Trump was elected American president, (U.S. House of Representatives Speaker Paul) Ryan wore a black tie. The same Mr Ryan arrived in the Czech Republic (last week). He publicly stated that he had arrived basically in order to get Mr Nikulin to the United States, in which he succeeded. Well, one of the versions is that Mr Nikulin may in some way serve as a tool of the internal American political fight – to which the black tie served as well,” Zeman said.

“I do not consider this a very good solution if Czechs were to meddle in the American political situation,” Zeman added.

Ryan, who appreciated the Czech government for the extradition of Nikulin, did not meet Zeman during his recent visit to Prague without citing the reasons.

It may be that Ryan was doing the bidding of Trump. Or, more likely, Ryan may have made the move in what appears to be fairly unified NATO response to the attempted Sergei Skripal assassination.

Nikulin’s Russian-provided lawyer makes it clear they will negotiate

That said, I find it very interesting that Nikulin’s lawyer, whom the Russians asked to get involved, is explicitly already talking about a plea deal.

The legal team for Yevgeniy Nikulin, the Russian hacker accused of stealing data from LinkedIn and other American tech firms, will explore a plea deal with the U.S. government, according to Nikulin’s lawyer, Arkady Bukh.

“The likelihood of a trial is not very high,” Bukh said. The U.S. District Court for the Northern District of California, where Nikulin’s trial would occur, “has over a 99 percent conviction rate. We are not throwing clients under the bus,” Bukh said.

[snip]

Bukh was first contacted by the Russian consulate and asked to help on the case. He was approved on Wednesday to act as a lawyer for Nikulin by the court. Although Bukh has been in regular and sustained contact with both Nikulin’s family and the Russian consulate, he had yet to speak with his client as of Wednesday night.

The Russian consulate has expressed concerns about Nikulin’s mental condition, and Bukh said he “appears to be depressed.”

Perhaps Bukh is taking this route because the Feds have Nikulin dead to rights and a plea is the most logical approach. Perhaps Russia has learned its lesson from Roman Seleznev, the son of a prominent Duma member, who has been shipped around to different jurisdictions to have additional onerous sentences added to his prison term; I’m fairly certain there are other sealed indictments against Nikulin besides the one he was charged under that DOJ could use similarly.

Or perhaps Russia has reason to want to bury any public airing of evidence regarding what Nikulin has done or could be said to have done.

How Nikulin might be involved in the 2016 operation

I’ve long suggested that Nikulin may have had a facilitating role in the 2016 operation. That’s because credentials from his LinkedIn hack were publicly sold for a ridiculously small amount just before May 18, 2016, rather inexplicably making them available outside the tight-knit group of Russians who had been using the stolen credentials up to that point.

Almost all of the people whose email boxes were sent to Wikileaks were affected by the LinkedIn (and/or MySpace) breach, meaning passwords and emails they had used became publicly available in the middle of the Russian operation. And those emails were exfiltrated in the days immediately following, probably May 19-25, the public release of those credentials.

In other words, it is possible that stolen credentials, and not GRU hacks, obtained the emails that were shared with WikiLeaks.

None of that is to say that Russia didn’t steal the emails shared with Wikileaks or arrange that handoff.

Rather, it’s to say that there is a counter-narrative that would provide convenient plausible deniability to both the Russians and Wikileaks that may or may not actually be how those emails were obtained, but also may be all wrapped up ready to offer as a narrative to undercut the claim that GRU itself handed off the emails.

Note, too, how that timing coincides with the public claims Konstantin Kozlovsky made last year, which I laid out here.

April 28, 2015: FSB accesses Lurk servers with Kaspersky’s help.

May 18, 2016: LinkedIn credentials allegedly stolen by Yevgeniy Nikulin made widely available.

May 18, 2016: Kozlovsky arrest.

May 19-25, 2016: DNC emails shared with WikiLeaks likely exfiltrated.

October 5, 2016: Yevgeniy Nikulin arrest in Prague.

October 20, 2016: Nikulin indictment.

November 1, 2016: Date of Kozlovsky confession.

December 5, 2016: Arrest, for treason, of FSB officers Dmitry Dokuchaev and Sergey Mikhailov.

February 28, 2017: Indictment (under seal) of FSB officers, including Dmitry Dokuchaev, Alexey Belan, and Karim Bartov for Yahoo hack.

March 15, 2017: Yahoo indictment unsealed.

August 14, 2017: Kozlovsky posts November 1 confession of hacking DNC on Facebook.

November 28, 2017: Karim Baratov (co-defendant of FSB handlers) plea agreement.

December 2, 2017: Kozlovsky’s claims posted on his Facebook page.

March 30, 2018: Extradition of Nikulin.

April 2, 2018: Report that Dokuchaev accepted a plea deal.

April 17, 2018: Scheduled court appearance for Nikulin.

With each new hacker delivered into US custody, something happens in Russia that may provide an alternate narrative.

And consider that in the wake of Nikulin’s extradition, Dmitry Dokuchaev and another of the people accused of treason in Russia have made a partial confession that will, like any Nikulin plea, serve to bury much of the claimed evidence against them.

Two of the four suspects in a Russian treason case, including a former agent in the FSB’s Information Security Center, have reportedly signed plea bargains where they confess to transferring data to foreign intelligence agencies. Three sources have confirmed to the magazine RBC that former FSB agent Dmitry Dokuchaev and entrepreneur Georgy Fomchenkov reached deals with prosecutors.

One of RBC’s sources says the two suspects claim to have shared information with foreign intelligence agencies “informally,” denying that there was anything criminal about the exchange. Dokuchaev and Fomchenkov say they were only trying to help punish cyber-criminals operating outside Russia and therefore outside their jurisdiction. Lawyers for the two suspects refused to comment on the story.

As a result of the plea bargains, the two men’s trials will be fast-tracked in a special procedure where the evidence collected against them isn’t reviewed. Dokuchaev and Fomchenkov will also face lighter sentences — no more than two-thirds of Russia’s maximum 20-year sentence for treason, says one of RBC’s sources.

The other two suspects in the treason case, former FSB Information Security Center agent Sergey Mikhailov and former Kaspersky Lab computer incidents investigations head Ruslan Stoyanov, have reportedly turned down plea bargains, insisting on their innocence.

All of which is to say that Nikulin offers at least a plausible counter-explanation for the DNC hack-and-leak, one that might shift blame for the operation to non-state actors rather than GRU, which is something Vladimir Putin has been doing since Nikulin’s extradition first became likely, even if he has changed his mind about whether such non-state Russians will be celebrated or demonized upon their roll-out.

Rolling out plea deals here and in Russia may be an effort to try to sell that counter-narrative, before Robert Mueller rolls out whatever he will about the hack-and-leak in coming days.

Update: A reader notes correctly that all the dossier’s reporting on Cohen, especially that describing a meeting in Prague, post-dates the Nikulin arrest. See this post for more on the timing of the Cohen reporting, piggy-backing off of PiNC’s analysis.

Facebook, Hot Seat, Day Two — House Energy & Commerce Committee Hearing

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the House Energy & Commerce Committee today.

After these two hearings my head is swimming with Facebook content, so much so that I had a nightmare about it overnight. Today’s hearing combined with the plethora of reporting across the internet is only making things more difficult for me to pull together a coherent narrative.

Instead, I’m going to dump some things here as food for further consideration and maybe a possible future post. I’ll update periodically throughout the day. Do share your own feedback in comments.

Artificial Intelligence (AI) — every time Mark Zuckerberg brings up AI, he does so about a task he does not want to employ humans to do. Zuckerberg doesn’t want to hire humans even if it means doing the right thing. There are so many indirect references to creating automated tools that are all substitutions for labor that it’s obvious Facebook is in part what it is today because Facebook would rather make profits than hire humans until it is forced to do otherwise.

Users’ control of their data — this is bullshit whenever he says it. If any other entity can collect or copy or see users’ data without explicit and granular authorization, users do not have control of their data. Why simple controls like granular read/not-read settings on users’ data operated by users has yet to be developed and implemented is beyond me; it’s not as if Facebook doesn’t have the money and clout to make this happen.

Zuckerberg is also evasive about following Facebook users and nonusers across the internet — does browsing non-Facebook website content with an embedded Facebook link allow tracking of persons who visit that website? It’s not clear from Zuckerberg’s statements.

Audio tracking — It’s a good thing that Congress has brought up the issue of “coincident” content appearing after users discuss topics within audible range of a mobile device. Rep. Larry Bucshon (R-Indiana) in particular offered pointed examples; we should remain skeptical of any explanation received so far because there are too many anecdotes of audio tracking in spite of Zuckerberg’s denials.

Opioid and other illegal ads — Zuckerberg insists that if users flag them, ads will be reviewed and then taken down. Congress is annoyed the ads still exist. But at the heart of this exchange is Facebook’s reliance on users performing labor Facebook refuses to hire to achieve the expected removal of ads. Meanwhile, Congress refuses to do its own job to increase regulations on opioids, choosing instead to flog Facebook because it’s easier than going after donors like Big Pharma.

Verification of ad buyers — Ad buyers’ legitimacy based on verification of identity and physical location will be implemented for this midterm election cycle, Zuckerberg told Congress. Good luck with that when Facebook has yet to hire enough people to take down opioid ads or remove false accounts of public officials or celebrities.

First Amendment protections for content — Congressional GOP is beating on Facebook for what it perceives as consistent suppression of conservative content. This is a disinfo/misinfo operation happening right under our noses and Facebook will cave just like it did in 2016 while news media look the other way since the material in question isn’t theirs. Facebook, however, has suppressed neutral to liberal content frequently — like content about and images featuring women breastfeeding their infants — and Congress isn’t uttering a peep about this. Congress also isn’t asking any questions about Facebook’s assessments of content

Connecting the world — Zuckerberg’s personal desire to connect humans is supreme over the nature and intent of the connections. The ability to connect militant racists, for example, takes supremacy (literally) over protecting minority group members from persecution. And Congress doesn’t appear willing to see this as problematic unless it violates existing laws like the Fair Housing Act.

More to come as I think of it. Comment away.

UPDATE — 2:45 PM EDT — I’m gritting my teeth so hard as I listen to this hearing that I’ve given myself a headache.

Terrorist content — Rep. Susan Brooks (R-Indiana) asked about Facebook’s handling of ISIS content, to which Zuckerberg said a team of 200 employees focus on counterintelligence to remove ISIS and other terrorist content, capturing 99% of materials before they can be seen by the public. Brooks further asked what Facebook is doing about stopping recruitment.

What. The. Fuck? We’re expecting a publicly-held corporation to do counterintelligence work INCLUDING halting recruitment?

Hate speech — Zuckerberg used the word “nuanced” to describe the definition while under pressure by left and right. Oh, right, uh-huh, there’s never been a court case in which hate speech has been defined…*head desk*

Whataboutism — Again, from Michigan GOPr Tim Walberg, pointing to the 2012 Obama campaign…every time the 2012 campaign comes up, you know you are listening to 1) a member of Congress who doesn’t understand Facebook’s use and 2) is working on furthering the disinfo/misinfo campaign to ensure the public thinks Facebook is biased against the GOP.

It doesn’t help that Facebook’s AI has failed on screening GOP content; why candidates aren’t contacting a human-staffed department directly is beyond me. Or why AI doesn’t interact directly with campaign/candidate users at the point of data entry to let them know what content is problematic so it can be tweaked immediately.

Again, implication of discrimination against conservatives and Christians on Facebook — Thanks, Rep. Jeff Duncan, waving your copy of the Constitution insisting the First Amendment is applied equally and fairly. EXCEPT you’ve missed the part where it says CONGRESS SHALL MAKE NO LAW respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press…

The lack of complaints by Democratic and Independent representatives about suppression of content should NOT be taken to mean it hasn’t happened. That Facebook allowed identified GOP-voting employees to work with Brad Parscale means that suppression happens in subtle ways. There’s also a different understanding between right and left wings about Congress’ limitation under the First Amendment AND Democrats/Independents aren’t trying to use these hearings as agitprop.

Internet service — CONGRESS NEEDS TO STOP ASKING FACEBOOK TO HELP FILL IN THE GAPS BETWEEN NETWORKS AND INTERNET SERVICE PROVIDERS THEY HAVE FAILED TO REGULATE TO ENSURE BROADBAND EVERYWHERE. Jesus Christ this bugs the shit out of me. Just stop asking a corporation to do your goddamned jobs; telcos have near monopoly ensured by Congress and aren’t acting in the best interest of the public but their shareholders. Facebook will do the same thing — serve shareholders but not the public interest. REGULATE THE GAP, SLACKERS.

3:00 PM thank heavens this beating is over.

Three more thoughts:

1) Facial recognition technology — non-users should NEVER become subjected to this technology, EVER. Facebook users should have extremely simple and clear opt-in/opt-out on facial technology.

2) Medical technology — absolutely not ever in social media. No. If a company is not in the business of providing health care, they have no business collecting health care data. Period.

3) Application approval — Ask Apple how to do it. They do it, app by app. Facebook is what happens when apps aren’t approved first.

UPDATE — 9:00 PM EDT — Based on a question below from commenter Mary McCurnin about HIPAA, I am copying my reply here to flesh out my concerns about Facebook and medical data collection and sharing:

HIPAA regulates health data sharing between “covered entities,” meaning health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers. Facebook had secretly assigned a doctor to work on promoting a proposal to some specific covered entities to work on a test or beta; the program has now been suspended. The fact this project was secret and intended to operate under a signed agreement rather than attempting to set up a walled-off Facebook subsidiary to work within the existing law tells me that Facebook didn’t have any intention of operating within HIPAA. The hashing concept proposed for early work but still relying on actual user data is absurdly arrogant in its blow off of HIPAA.

Just as disturbing: virtually nothing in the way of questions from Congress about this once-secret program. The premise, which is little more than a normalized form of surveillance using users’ health as a criterion, is absolutely unacceptable.

I don’t believe ANY social media platform should be in the health care data business. The breach of the U.S. Office of Personnel Management should have given Congress enough to ponder about the intelligence risks from employment records exposed to foreign entities; imagine the risks if health care data had been included with OPM employment information. Now imagine that at scale across the U.S.: how many people would be vulnerable, in so many ways, if their health care information became exposed along with their social records.

Don’t even start with how great it would be to dispatch health care to people in need; we can’t muster the political will to pay for health care for everybody. Why provide monitoring at scale through social media when covered entities can do it for their subscriber base separately, and apparently with fewer data breaches?

You want a place to start regulating social media platforms? Start there: no health care data to mingle with social media data. Absolutely not, hell to the no.