Posts

FBI’s Hacker-Informants

The Guardian uses an eye-popping stat from a hacker journalist–that a quarter of all hackers are FBI moles–to cement a story about the FBI infiltrating hacker groups.

The underground world of computer hackers has been so thoroughly infiltrated in the US by the FBI and secret service that it is now riddled with paranoia and mistrust, with an estimated one in four hackers secretly informing on their peers, a Guardian investigation has established.

Cyber policing units have had such success in forcing online criminals to co-operate with their investigations through the threat of long prison sentences that they have managed to create an army of informants deep inside the hacking community.

[snip]

So ubiquitous has the FBI informant network become that Eric Corley, who publishes the hacker quarterly, 2600, has estimated that 25% of hackers in the US may have been recruited by the federal authorities to be their eyes and ears. “Owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation,” Corley told the Guardian.

The number is eye-popping. But there are two details about the story I want to note. First, it suggests that the FBI is recruiting its hacker-informants after catching them hacking. Oddly, though they consider Adrian Lamo among the hacker-moles they describe (indeed, the only one they name), they don’t question whether he just turned Bradley Manning in, or whether he was a more formal informant. Moreover, they don’t note that drug abuse, not hacking, would have been the potential crime Lamo committed in the weeks preceding his turning Manning in.

Also, note what kind of recruiting the story doesn’t address? DOD recruiting. Are all these hackers going straight from FBI to work in DOD’s cyberwars? Or is DOD recruiting a different set of hackers?

Bradley Manning’s New Charges: “Bringing Discredit upon the Armed Forces”

Aside from learning that we–the recipients of a bunch of information Bradley Manning is alleged to have leaked–are the enemy, what did we learn from the new charges the government filed against Bradley Manning yesterday? Most of the charges say the information Manning allegedly leaked was of a nature that it would bring discredit upon the armed forces. Heh.

Here’s a summary of the charges, with my comments (note, these are all allegations–I won’t repeat that reminder with each charge, but please keep it in mind):

Charge I; Article 104: Between November 1, 2009 and May 27, 2010, giving intelligence to the enemy, through indirect means.

Note, here’s how that article defines “enemy:”

“Enemy” includes (not only) organized opposing forces in time of war, (but also any other hostile body that our forces may be opposing) (such as a rebellious mob or a band of renegades) (and includes civilians as well as members of military organizations). (“Enemy” is not restricted to the enemy government or its armed forces. All the citizens of one belligerent are enemies of the government and the citizens of the other.)

As I’ll discuss in a follow-up, I think they may be refusing to say who they consider the enemy in one more effort to tie Manning to Julian Assange. But since they don’t specify who the enemy is, we can just assume it is us.

Charge II, Article 134, Specification 1: “Wrongfully and wantonly” causing intelligence to be published on the internet.

This one, it seems to me, might be broad enough to trouble the newspapers that have published the cables.

Charge II, Specification 2: Between February 15 and April 5, 2010, transmitting the Collateral Murder video to someone not entitled to receive it.

The date on this is interesting: WikiLeaks was already boasting of having a video on January 8, and they announced decrypting it (which was a ruse–it was not encrypted) on February 20, which correlates with the timing Manning described in the chat logs. I wonder if the government hasn’t been able to pinpoint when this was transmitted?

Charge II, Specification 3: Between March 22 and 26, 2010, transmitting more than one classified memo to someone not entitled to receive it.

On March 23, the WL twitter feed announced, “We know our possession of the decrypted airstrike video is now being discussed at the highest levels of US command.” This was the time period when it appears Manning, according to the chat logs, was tracking the surveillance of Assange. I suspect this reference pertains to this information.

Charge II, Specification 4: Between December 31, 2009 and January 5, 2010, getting the “Combined Information Data Network Exchange Iraq database” of more than 380,000 records.

This suggests the government believed Manning had this by the first few days of 2010.

Chet Uber Contacted HBGary before He Publicized His Role in Turning in Bradley Manning

A reader found a very interesting email among the HBGary emails: Chet Uber emailed–after having tried to call–HBGary CEO Greg Hoglund on June 23, 2010.

> Sir,
>
> I would like to speak to Mr. Hoglund. My name is Chet Uber
> and I was given his name by common associates as someone I should speak with.
> The nature of our work is highly sensitive so no offense but I cannot explain
> the details of my call. I was given a URL and a phone number. I was not given
> his direct line and every time I try to get an attendant your phone system
> disconnects me. Would you please forward him this email to him. The links below
> are new and as much information as we have ever made public.
>
> Sorry for the mystery but in my world we are careful about
> our actions and this is something interpreted as rudeness. I am being polite,
> so any cooperation you can provide is greatly appreciated.

Uber copies himself, Mark Rasch, George Johnson, and Mike Tomasiewicz, and sends links to two stories about Project Vigilant, which had been posted on the two preceding days.

In response to the email, Hoglund asks Bob Slapnick to check Uber out with someone at DOD’s CyberCrime Center.

Chet Uber, as you’ll recall, is the guy who held a press conference at DefCon on August 1 to boast about his role in helping Adrian Lamo turn Bradley Manning in to authorities. Mark Rasch is the former DOJ cybercrimes prosecutor who claims to be Project Vigilant’s General Counsel and who says he made key connections with the government on Manning.

Mind you, the multiple versions of Uber’s story of his involvement in turning in Manning are inconsistent. At least a couple versions have Lamo calling Uber in June, after Manning had already been arrested.

So there are plenty of reasons to doubt the Lamo and Uber story. And security insiders have suggested the whole Project Vigilant story may be nothing more than a publicity stunt.

Furthermore, this email may be more of the same. Uber may have been doing no more than cold-calling Hoglund just as he was making a big publicity push capitalizing on the Manning arrest.

But consider this.

Lamo’s conversations with Manning have always looked more like the coached questions of someone trying to elicit already-suspected details than the mutual boasting of two hackers. Because of that and because of the inconsistencies and flimsiness of the Project Vigilant story, PV all looked more like a cover story for why Lamo would narc out Bradley Manning than an accurate story. And Uber’s email here and his DefCon press conference may well be publicity stunts. But then, that’s what Aaron Barr’s research on Anonymous was supposed to be: a widely publicized talk designed to bring new business. But a key part of the PV story was the claim that Adrian Lamo had volunteered with the group working on “adversary characterization.”

Uber says Lamo worked as a volunteer research associate for Project Vigilant for about a year on something called adversary characterization, which involved gathering information for a project on devising ways to attribute computer intrusions to individuals or groups. He helped define the roles, tools and methods intruders would use to conduct such attacks.

While it is described as more technical, that’s not all that different from what Aaron Barr was doing with social media on Anonymous.

One more thing. Consider what DOJ has been doing between the time Lamo turned in Manning and now: asking social media providers for detailed information about a network of people associated with Wikileaks. That is, DOJ appears to have been doing with additional legal tools precisely what Barr was doing with public sources.

That’s likely all a big coinkydink. But these security hackers all seem to love turning their freelance investigations into big publicity stunts.

Why Did Bradley Manning Allegedly Leak WikiLeaks Two Things before He Verified Assange’s Identity?

To return to the work I was doing yesterday, there’s something odd about the timeline of Bradley Manning’s alleged leaks to WikiLeaks: he appears to give WikiLeaks at least two things–the Reykjavik 13 cable and the Collateral Murder video–before he verified Julian Assange’s identity.

In the chat logs, Manning explains he first started working with WikiLeaks after they released the 9/11 pager messages.

(12:46:17 PM) Adrian: how long have you helped WikiLeaks?

(12:49:09 PM) bradass87: since they released the 9/11 “pager messages”

(12:49:38 PM) bradass87: i immediately recognized that they were from an NSA database, and i felt comfortable enough to come forward

(12:50:20 PM) bradass87: so… right after thanksgiving timeframe of 2009

That would date it November 24 or 25. Interestingly, the government says Manning’s alleged activities began somewhat earlier, November 19. That may suggest they have reason to believe he may have first accessed materials he was not authorized to access on November 19.

There’s a curious break in the chat logs (where Lamo makes his first efforts to get Manning to talk about operation security, while Manning loses it), after which Manning seems to correct Lamo’s suggestion that he’s a WL volunteer. But that does lead Manning to discuss communicating directly with Assange.

(2:04:29 PM) Manning: im a source, not quite a volunteer

(2:05:38 PM) Manning: i mean, im a high profile source… and i’ve developed a relationship with assange… but i dont know much more than what he tells me, which is very little

(2:05:58 PM) Manning: it took me four months to confirm that the person i was communicating was in fact assange

(2:10:01 PM) Lamo: how’d you do that?

(2:12:45 PM) Manning: I gathered more info when i questioned him whenever he was being tailed in Sweden by State Department officials… i was trying to figure out who was following him… and why… and he was telling me stories of other times he’s been followed… and they matched up with the ones he’s said publicly

(2:14:28 PM) Lamo: did that bear out? the surveillance?

(2:14:46 PM) Manning: based on the description he gave me, I assessed it was the Northern Europe Diplomatic Security Team… trying to figure out how he got the Reykjavik cable…

(2:15:57 PM) Manning: they also caught wind that he had a video… of the Gharani airstrike in afghanistan, which he has, but hasn’t decrypted yet… the production team was actually working on the Baghdad strike though, which was never really encrypted

As I suggested yesterday, that would mean that Manning had not verified Assange’s identity until roughly March 24. That would coincide exactly with the WikiLeaks Twitter account’s discussion of US and Icelandic surveillance. Of potential note, on March 23, WL said, “We know our possession of the decrypted airstrike video is now being discussed at the highest levels of US command,” which might be information Manning had access to. While not definitive, all of that suggests the public discussion was one way Manning verified “that the person i was communicating was in fact assange.”

But there were at least two things Manning had already allegedly leaked to WikiLeaks: the Collateral Murder video and the Reykjavik 13 cable. A possible third which I will not deal with here is the intelligence report naming WikiLeaks as a threat to the military, which was released March 18, 2010, but which is not definitely attributable even hypothetically to Manning.

Collateral Murder Timing

WL first reported getting what appear to be the Collateral Murder and Gharani videos on January 8, 2010.

Have encrypted videos of US bomb strikes on civilians http://bit.ly/wlafghan2 we need super computer time http://ljsf.org/

On February 20, it claimed to have cracked the encryption code of what appears to be the Collateral Murder video.

Finally cracked the encryption to US military video in which journalists, among others, are shot. Thanks to all who donated $/CPUs.

For his part, Manning describes just stumbling upon the Collateral Murder video, doing some research into what it was, then stewing on it for a month and a half before forwarding it to WL.

(03:07:53 PM) Manning: i watched that video cold, for instance

(03:10:32 PM) Manning: at first glance… it was just a bunch of guys getting shot up by a helicopter… no big deal… about two dozen more where that came from right… but something struck me as odd with the van thing… and also the fact it was being stored in a JAG officer’s directory… so i looked into it… eventually tracked down the date, and then the exact GPS co-ord… and i was like… ok, so thats what happened… cool… then i went to the regular internet… and it was still on my mind… so i typed into goog… the date, and the location… and then i see this http://www.nytimes.com/2007/07/13/world/middleeast/13iraq.html

(03:11:07 PM) Manning: i kept that in my mind for weeks… probably a month and a half… before i forwarded it to [WikiLeaks]

He dates uploading the video sometime in February.

(02:47:07 PM) Manning: the CM video came from a server in our domain! and not a single person noticed

(02:47:21 PM) Lamo: CM?

(02:48:17 PM) Manning: Apache Weapons Team video of 12 JUL 07 airstrike on Reuters Journos… some sketchy but fairly normal street-folk… and civilians

(02:48:52 PM) Lamo: How long between the leak and the publication?

(02:49:18 PM) Manning: some time in february

(02:49:25 PM) Manning: it was uploaded

(02:50:04 PM) Lamo: uploaded where? how would i transmit something if i had similarly damning data

(02:51:49 PM) Manning: uhm… preferably openssl the file with aes-256… then use sftp at prearranged drop ip addresses

(02:52:08 PM) Manning: keeping the key separate… and uploading via a different means

(02:52:31 PM) Lamo: so i myself would be SOL w/o a way to prearrange

(02:54:33 PM) Manning: not necessarily… the HTTPS submission should suffice legally… though i’d use tor on top of it…

Now, those are seemingly contradictory sets of dates: WL boasts it has Gharani, at least, in January, though the February reference to decrypting it seems to mean Collateral Murder was included in the January announcement. But note that if Manning had first accessed the Collateral Murder video on November 19, a month and a half might put it close to the New Year.

In any case, however, both WL and Manning seem to agree the video was in hand by February, a month before (assuming Manning’s description of the verification process is accurate) Manning verified Assange’s identity.

Lamo’s Two (?!) Laptops

In the original story about Adrian Lamo’s involuntary hospitalization, he loses his medication and calls the cops.

Last month Adrian Lamo, a man once hunted by the FBI, did something contrary to his nature. He picked up a payphone outside a Northern California supermarket and called the cops.

Someone had grabbed Lamo’s backpack containing the prescription anti-depressants he’d been on since 2004, the year he pleaded guilty to hacking The New York Times. He wanted his medication back. But when the police arrived at the Safeway parking lot it was Lamo, not the missing backpack, that interested them. Something about his halting, monotone speech, perhaps slowed by his medication, got the officers’ attention.

But in Ryan Singel’s telling of it, Lamo lost his laptop.

For instance, you make it sound creepy that Poulsen wrote a long profile about Lamo. Huh. Read the story again. Basically, it goes like this. A convicted hacker, now gone legit, calls the police to report a stolen laptop. When the police arrive, instead of focussing on the crime, they 5150 the victim.

I find that rather interesting for several reasons.

First, because the larger story ends with Lamo losing his laptop, too.

Agents from the Army’s criminal and counter-intelligence units and the Diplomatic Security Service met with Lamo on Friday night, Lamo said. The agents asked for files related to the communications between him and Manning, Lamo said, and he gave them a laptop and the hard drive from another laptop, as well as encrypted e-mails that had been stored on a remote server. Lamo said he is scheduled to give a sworn statement to authorities on Sunday.

So is the laptop the authorities took (and the hard drive from another one) a new laptop, purchased to replace the one that got taken? Another one that Lamo had lying about at home?

And then there’s this detail: the PGP key Lamo “no longer had access to” when Bradley Manning first tried to contact Lamo via encrypted email.

GREENWALD: And so the first contact he made with you, was that by email or was that some other way?

LAMO: [Sound of rustling papers] First contact was by email.

GREENWALD: And can you tell me generally what he said?

LAMO: I can’t unfortunately. It’s cryptographically impossible since he encrypted it to an outdated PGP key of mine.

GREENWALD: So were you unable to understand what he said in that first email?

LAMO: Correct. First, second, and third at the very least. I get a lot of random email and the hassle of decrypting it even if I had the key would be enough to push it back about a week or so in my “to read” stack.

GREENWALD: Right. So when you got this email that you were incapable of deciphering did you respond to him in some way, or what did you do?

LAMO: I ignored it for the first couple of hours and then I received a few subsequent emails and then I finally replied, “Hey I can’t read your emails encrypted to a PGP key I no longer have access to. Why don’t we chat via AOL IM instead?”

And finally there are the number of hackers who have had their laptops confiscated (though usually as part of a border crossing) of late.

It’s just a data point. But the story of Lamo being involuntarily hospitalized in response to reporting having his laptop taken is a whole lot different than it is if he has just had his drugs taken away.

Pulling Some Threads on Lamo’s Inconsistencies

In her post laying out the many inconsistencies in Adrian Lamo’s account of turning in Bradley Manning, Jane says:

I only see two possibilities.  One, Wired had the chat logs before Lamo made any calls to authorities, and was a party to whatever subsequently happened.  Or two, the copies of the chat logs that have been given to the press have been done so at the instigation of the US government, and with their full approval.

Of course there’s always c) all of the above, which is what I’m guessing is the most likely scenario.

I’m not entirely sure those are the only possibilities.

To my mind, there are several questions that remain entirely unanswered:

  • When did Lamo and Manning start communicating?
  • When and through whom did Lamo contact authorities (or, did authorities find him and not vice versa)?
  • How does that relate to other dates, such as Manning’s arrest, and when did the arrest happen?

Just as a threshold issue, I think the only source dating the beginning of the Lamo-Manning conversation to May 20 is Lamo, claimed in his conversation with Glenn and with the NYT. Particularly given his squirreliness about the encrypted emails Manning sent him before they started chatting on AIM, not to mention some odd details about their earliest chats, I see no reason to treat that claim uncritically.

Then there’s Manning’s arrest date, which Lamo claimed to be May 26 based on a conversation he described to Wired having with the FBI on May 27. But Manning’s charging documents seem to say Manning’s alleged actions continued until May 27 and he was arrested on May 29. Moreover, the time lapse on the chat logs may well suggest that Lamo and Manning were chatting past the time Lamo claims the FBI told him Manning had been arrested. If, as seems almost certain, Lamo was wrong about Manning’s arrest date, we need to ask whether he is hiding his own actions (perhaps, at the direction of the Feds, Lamo got Manning to send him classified documents on May 27, but he doesn’t want to admit that publicly) or whether the Feds misled Lamo.

There seem to be at least four or five versions of how and through whom Manning contacted authorities:

Version 1: Lamo told his father that Manning was the source for the Collateral Murder video (not the diplomatic cables) and his father pressured him to contact the government (the subsequent contact may or may not have been done through Chet Uber).

Version 2: In response to learning about the 260,000 State cables (which the chat logs portray as happening on May 22), Lamo reached out to his “ex” who “worked” for Army counterintelligence.

Version 3: In response to learning about the 260,000 cables, Lamo contacted Chet Uber (as one of a number of people he contacted) one or two days before he first met with the Feds on May 25. CJR’s timeline based on conversations with Kevin Poulsen dates Lamo’s first contact with the Feds before May 24, his first meeting with them on May 25, and his second meeting on May 27.

Version 4: Another version of Uber’s story says Lamo first contacted him in early June, which would have placed it after Manning’s arrest.

Version 5: Lamo contacted Timothy Webster (who is not explicitly identified as Lamo’s ex and who is portrayed as formerly, not currently, working in counterintelligence) on May 26 and told him that Manning was the source for the Collateral Murder video. Of course this scenario would put his Webster contact after his first contacts with the Feds, per Wired.

And none of these versions make any mention of the top secret ongoing op that Manning reportedly leaked to Lamo.

Now, I lay all these versions out not to impugn anyone’s reporting. After all, only Webster claims to be certain when his contact with Lamo happened. Uber admits he is uncertain (though the May and June dates obviously conflict significantly). And Lamo has been careful to note he had contacts with people outside of the Project Vigilant chain, which presumably includes but may not be limited to Webster.

But it does open up the possibility that there were several levels of contact here: a first one from his father, encouraging him to go to the Feds about the Collateral Murder video, a second one–of indefinite time frame–that went through Project Vigilant, and a third (and possibly fourth) that went through counterintelligence people. Furthermore, remember there are at least four investigative agencies: Army counterintelligence, Army CID, which is reported to have the lead on the Manning investigation, Diplomatic Security, which according to Manning was investigating the Reykjavik cable going back to February, and the FBI. Note, too, that another version of Lamo’s story describes him worried about the FBI agents “knocking at the door” and implication in obstruction of justice; if any of these investigative agencies were investigating Lamo, the FBI would seem to be the most logical one.

So let’s just imagine another scenario.

When Did Adrian Lamo Start Working with Federal Investigators?

The first suspicious moment in the chats between Adrian Lamo and Bradley Manning occurred at 12:54 on May 22–ostensibly the second day of chat communication between them (though Manning had sent Lamo encrypted emails for an unspecified period of time before that point). The BoingBoing version of the logs shows that Manning had just referenced 260,000 cables that, he went on to say, would give Hillary Clinton and other diplomats a heart attack when they were released. The chat was seemingly plagued by 3 minute delays in message transmission, with Lamo’s side reporting resource issues. Lamo tells Manning he’s going for a cigarette–“brb”–but that he should “keep typing.”

(12:54:47 PM) Adrian: What sort of content?
(12:56:36 PM) Adrian: brb cigarette
(12:56:43 PM) Adrian: keep typing <3

It is over 45 minutes before Lamo returns from his “cigarette” at 1:43:51. In the meantime, Manning did as he was told, typing out agonized confessions about how isolated he was. After Lamo returned from his “cigarette,” all the resource issues appear to be fixed and the delay in transmission appears to be gone, with response time in the 9 to 20 second range. It seems likely that Lamo did something other than smoke a cigarette in those 45 minutes. It appears he altered something technical on his side of the chat, chats that Lamo had directed Manning to use instead of encrypted emails.

Upon returning, Lamo immediately reverts back to Manning’s comment just after he left for his “cigarette,” picking up on the reference to diplomatic scandals. Using that as a segue, Lamo asks Manning to prove his bona fides.

(1:43:51 PM) Lamo: back
(1:43:59 PM) Manning: im self medicating like crazy when im not toiling in the supply office (my new location, since im being discharged, im not offically intel anymore)
(1:44:11 PM) Manning: you missed a lot…
(1:45:00 PM) Lamo: what kind of scandal?
(1:45:16 PM) Manning: hundreds of them
(1:45:40 PM) Lamo: like what? I’m genuinely curious about details.
(1:46:01 PM) Manning: i dont know… theres so many… i dont have the original material anymore
(1:46:26 PM) Lamo: play it by ear
(1:46:29 PM) Manning: the broiling one in Germany
(1:47:36 PM) Manning: im sorry, there’s so many… its impossible for any one human to read all quarter-million… and not feel overwhelmed… and possibly desensitized
(1:48:20 PM) Manning: the scope is so broad… and yet the depth so rich
(1:48:50 PM) Lamo: give me some bona fides … yanno? any specifics.

So Manning mentions the cables, Lamo leaves and fixes technical issues on the chat, and Lamo returns to demand specifics about what the 260,000 cables include.

Over the course of that allegedly first substantial conversation, Lamo’s attitude towards Wikileaks varies. He first asks a generic question.

(12:46:17 PM) Adrian: how long have you helped WIkileaks?

He then makes what–from the context of the logs thus far released, at least–appears to be an unsupported insinuation (and one that, given current reports about the Administration’s prosecution strategy, is a critical issue): that Manning “answers to” Julian Assange.

(1:51:14 PM) Lamo: Anything unreleased?
(1:51:25 PM) Manning: i’d have to ask assange
(1:51:53 PM) Manning: i zerofilled the original
(1:51:54 PM) Lamo: why do you answer to him?
(1:52:29 PM) Manning: i dont… i just want the material out there… i dont want to be a part of it

So, in spite of the fact that just two days before this exchange, Lamo had solicited donations for Wikileaks, he still suggested it was a problem if Manning “answered to Julian Assange.”

Lamo then immediately presses a point he would return to numerous times in their chats–a probe about their operational security.

(1:52:54 PM) Adrian: i’ve been considering helping wikileaks with opsec
(1:53:13 PM) bradass87: they have decent opsec… im obviously violating it

Then there’s a gap of about 10 minutes in the published chat logs during which–from the context–further conversation about Assange personally appears to have taken place. Such content is suggested from the way the chat moves from Manning reporting he is a “total fucking wreck” to returning to Manning’s relationship with Assange, with Manning seemingly correcting what appears to have been a Lamo suggestion that he–Manning–is a “volunteer” (remember, Lamo was pretending he wanted to “volunteer” to help Wikileaks with operational security).

(2:04:29 PM) Manning: im a source, not quite a volunteer
(2:05:38 PM) Manning: i mean, im a high profile source… and i’ve developed a relationship with assange… but i dont know much more than what he tells me, which is very little

Again, note how this exchange–Manning’s apparent correction regarding his relationship with Assange–actually hurts the reported current prosecution strategy of painting the Assange-Manning relationship as something other than a journalistic one.

Now, in one of the many narratives he would tell about his role in turning Manning in, Lamo suggested he contacted the military when he heard that Manning had accessed the 260,000 cables (though Lamo’s story varies on what day he contacted the Feds). Which is why I find this sequence–which Wired summarized but did not publish in its own publication of the chat logs–so interesting. All of the narratives about how Lamo came to out Manning to investigators start a day or two after this curious day of activity.

Yet already on this first substantive day of chat logs, Lamo appears to be fixing technical issues in the chat, demanding specific evidence about the cables, and–most suspiciously–presenting seemingly contradictory opinions about Wikileaks and Assange that had the effect of eliciting information about operational specifics and details on Assange’s own role in Wikileaks’ operations.

Did Adrian Lamo Have Two Days Worth of IM’s with Bradley Manning on May 25?

As I noted in my earlier post on Wikileaks leaker Bradley Manning’s charging document, there’s an apparent discrepancy between the timing Wired gives for Manning’s arrest and what the charging document shows. Wired said that the FBI told Adrian Lamo on May 27 that Manning had been arrested the previous day–that is, May 26.

At their second meeting with Lamo on May 27, FBI agents from the Oakland Field Office told the hacker that Manning had been arrested the day before in Iraq by Army CID investigators.

But the charging document actually says Manning’s alleged activities continued until “on or about 27 May 2010,” and it says his pretrial detention started on May 29 (though see scribe’s comments on a possible explanation).

And as I pointed out in comments, there’s also a problem with the story Lamo gave Wired as to why he turned in Manning. He claimed he turned in Manning because he had told him he had already leaked 260,000 cables to Wikileaks.

Lamo decided to turn in Manning after the soldier told him that he leaked a quarter-million classified embassy cables. Lamo contacted the Army, and then met with Army CID investigators and the FBI to pass the agents a copy of the chat logs from his conversations with Manning.

But the charging document only accuses Manning of leaking [more than] 50 cables; it alleges he got information from [more than] 150,000 cables, but did not even load the cables onto his own computer. Now, Wired has repeatedly published a quote from Manning telling Lamo that he had leaked the quarter-million cables.

But the most startling revelation was a claim that he gave Wikileaks a database of 260,000 classified U.S. diplomatic cables, which Manning said exposed “almost-criminal political back dealings.”

“Hillary Clinton and several thousand diplomats around the world are going to have a heart attack when they wake up one morning, and find an entire repository of classified foreign policy is available, in searchable format, to the public,” Manning told Lamo in an online chat session.

But they didn’t include that quote in their publication of what they claimed to be all the chat logs, save those that revealed personal information about Manning or classified information. Note, WaPo published a longer version of the same quote after Wired first published it. It appears that such a quote would have fit in the chat logs on May 22 (Manning says, “Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed”–note the WaPo includes an ellipsis here that Wired does not, which may indicate IM breaks–and in the May 22 log Lamo asks “what kind of scandal”), but for some reason, Wired didn’t include it there. He may well have said it and said it on May 22, but out of context, we don’t know whether Manning was talking about around 50 cables–what he is accused of leaking–or all 260,000, or the [more than] 150,000 that he is accused of having accessed. And we don’t know whether Manning really did claim to have already leaked the cables–the context doesn’t say he did (though Manning’s list of things he leaked in the very last IMs seems to include some State Department cables).

Which is why I find another oddity of the Wired publication of the chat logs so funky.

Look at the chat logs for May 25–according to Wired, the day before Manning was arrested. They start at 2:03:10 AM (you can tell from the May 23 chat logs that the times are for Lamo, presumably in CA) and go through 2:32:53 AM. They start again at 2:26:01 PM, then go through 3:12:16 PM. Then–at least as Wired presents them–they start again at 1:52:30 PM and go in spurts through 4:46:29 PM. That is, though Wired has presented the IM logs for all other days in straight chronological order, they have not done so for May 25. The chronology starts, goes through 3:12:16 PM, then goes back in time and starts again at 1:52:30. The time sequences overlap.

Now even assuming there’s nothing funky about that, if Lamo were in CA, an IM he received at almost 5 PM on May 25 would be 3 AM Iraq time on May 26, very early on the day Lamo says Manning was arrested.

But the only way that would be true is if Wired segmented and rearranged the IM chats for some reason of narrative. I’ve shown what all the overlapping IM logs in question would look like below the fold (the “parts” refer to the order in which they first appear in the Wired post). But the following chunks of IM discussion–combining the section that Wired presents 5th with that it presents 2nd–would be combined as follows (everything from part 2 is underlined):

Part 2 (underlined)/Part 5 continued

(02:26:01 PM) Manning: i dont believe in good guys versus bad guys anymore… i only a plethora of states acting in self interest… with varying ethics and moral standards of course, but self-interest nonetheless

(02:26:18 PM) Manning: s/only/only see/

(02:26:18 PM) Manning: because another state would just take advantage of the information… try and get some edge

(02:26:47 PM) Lamo: the tm meant i was being facetious

(02:26:55 PM) Manning: if its out in the open… it should be a public good

(02:26:59 PM) Manning: gotchya

(02:27:04 PM) Manning: *do the

(02:27:23 PM) Manning: rather than some slimy intel collector

(02:27:47 PM) Manning: i mean, we’re better in some respects… we’re much more subtle… use a lot more words and legal techniques to legitimize everything

(02:28:00 PM) Manning: its better than disappearing in the middle of the night

(02:28:19 PM) Manning: but just because something is more subtle, doesn’t make it right

(02:29:04 PM) Manning: i guess im too idealistic

(02:29:18 PM) Manning: im crazy like that

This order is not implausible–everything sort of flows. But there are signs that Part 5 and Part 2 did not happen simultaneously. Manning’s good versus evil comment at 2:26:01 is not entirely out of place, but it’s a big non sequitur from the comment less than 2 minutes earlier. This order would require Manning to have typed two IMs in one second at 2:26:18 which seems unlikely if not impossible for reasons of computer speed and human typing skills. Lamo’s “tm” comment at 2:26:19 appears to refer to a comment Wired didn’t replicate in any case. Furthermore, elsewhere Manning always corrects typos in the IM directly after the one in which he makes an error. But the typo “it should be a public good” at 2:26:55 and the correction “it should do the public good” at 2:27:04 would be split by the interjection “gotchya.” Plus those two comments with the interjection “gotchya” at 2:26:59 are quicker–all three in nine seconds–than almost any other series that Wired published (aside from the two IMs in one second already noted).

In other words, I can’t prove it, but it is likely those 2 chunks of IM were not simultaneous, suggesting those 5 chunks of text did not happen on the same day or their timestamps are wrong. Which in turn suggests they didn’t all come from May 25. And if they didn’t, one likely possibility is that Wired did publish the IM chats in sequence, but simply didn’t label ones from a different day–most likely, either the first series came from May 24 or the second series came from May 26–with that different day.
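The timestamp checks walked through by hand above can be run mechanically; this is an added example, not code from Wired, this post or its author. It assumes the log clock is Pacific daylight time (UTC-7, since the post presumes California) and Iraq is UTC+3, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"\((\d{1,2}:\d{2}:\d{2} [AP]M)\) (\w+): (.*)")
# Assumptions: log clock is US Pacific daylight time (UTC-7), Iraq is UTC+3.
PDT, IRAQ = timezone(timedelta(hours=-7)), timezone(timedelta(hours=3))

def parse(lines, day=(2010, 5, 25)):
    """'(hh:mm:ss AM) Sender: text' lines -> [(aware datetime, sender, text)]."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%I:%M:%S %p")
            out.append((datetime(*day, t.hour, t.minute, t.second, tzinfo=PDT),
                        m.group(2), m.group(3)))
    return out

def backward_jumps(entries):
    """Indexes where the printed order steps back in time."""
    return [i for i in range(1, len(entries)) if entries[i][0] < entries[i - 1][0]]

def overlapping_runs(entries):
    """Split at backward jumps, then pair up runs whose time spans intersect."""
    cuts = [0] + backward_jumps(entries) + [len(entries)]
    runs = [(entries[a][0], entries[b - 1][0]) for a, b in zip(cuts, cuts[1:])]
    return [(i, j) for i in range(len(runs)) for j in range(i + 1, len(runs))
            if runs[j][0] <= runs[i][1] and runs[i][0] <= runs[j][1]]

def same_second_pairs(entries):
    """Adjacent messages from one sender that carry an identical timestamp."""
    return [(a[2], b[2]) for a, b in zip(entries, entries[1:])
            if a[0] == b[0] and a[1] == b[1]]

# Chunk boundary times in printed order (from the post); text is a placeholder.
PUBLISHED = parse(f"({t}) Unknown: [chunk boundary]" for t in (
    "2:03:10 AM", "2:32:53 AM", "2:26:01 PM", "3:12:16 PM",
    "1:52:30 PM", "4:46:29 PM"))
# Lines from the merged Part 2/Part 5 excerpt (one long line trimmed).
MERGED = parse([
    "(02:26:18 PM) Manning: s/only/only see/",
    "(02:26:18 PM) Manning: because another state would just take advantage",
    "(02:26:47 PM) Lamo: the tm meant i was being facetious",
])

if __name__ == "__main__":
    print("jumps:", backward_jumps(PUBLISHED), "overlaps:", overlapping_runs(PUBLISHED))
    print("same-second pairs:", same_second_pairs(MERGED))
    print("last IM, Iraq time:", PUBLISHED[-1][0].astimezone(IRAQ))
```

Feeding the full published log through `parse` instead of the boundary placeholders would show every point where the printed order departs from clock order, not just the one restart described here.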

Now, that introduces two problems into the narrative as captured by CJR. If the IMs starting with what I’ve labeled as part 1 were actually sent May 24, it would mean Lamo was asking whether Manning suspected Army CID of investigating before–apparently–he ever talked to Kevin Poulsen about Manning. That’s not fatal for the story–but it does seem to show Lamo asking probing questions in the service of law enforcement before he first talks to Poulsen about Manning.

The other alternative is even more problematic for their story. If the second series of IMs labeled as May 25 actually came from May 26, it would mean the latest ones–which appear to have reached Lamo in late afternoon on May 26–would have been sent in Iraq in the early hours of May 27, suggesting that the story that Manning was arrested on May 26 was not correct (though that does seem to correlate better with the charging document).

All this may not be a big deal. It may be that the full series of the IMs make sense in full context. It may be that the apparent discrepancy between the Wired report and the charging document are either not discrepancies at all or not very interesting to the story.

But there does appear to be something funky here.

Update: “More than” added to references to numbers of cables per scribe.



Wikileaks Leaker Bradley Manning Finally Charged

The government has finally charged Bradley Manning, the Wikileaks leaker. He is charged with two counts of violating the UCMJ, one related to loading onto his own unsecure computer a set of information and adding unauthorized software to a military network computer, and the other related to accessing and passing information onto someone not entitled to have it.

I find the charge sheet particularly interesting for two reasons: what the government says that Manning did with the material he accessed, and an apparent discrepancy between the government’s depiction of the timing and Wired’s depiction of it.

What the government knows about what Manning did with the information

First, it describes the information he accessed differently as follows:

  • The video of the July 12, 2007 Apache killing of Reuters journalists (obtained via unauthorized access, loaded onto his unsecured computer, transmitted to someone unauthorized to receive it)
  • The Reykjavik State Department cable leaked by WikiLeaks (obtained via unauthorized access, transmitted to someone unauthorized to receive it)
  • 50 State Department cables (loaded onto his unsecured computer, transmitted to someone unauthorized to receive them)
  • 150,000 State Department cables (obtained information from them via unauthorized access)
  • A classified Microsoft Powerpoint presentation (obtained via unauthorized access, loaded onto his computer)

Now, these details are interesting for more than the way they add up to what might be a 52-year sentence if convicted of all of them. They may reflect what the government knows about Manning’s activities.

Note, first of all, the absence of any reference to the Gharani video, which Wikileaks also claims to have but has not yet released, and which Manning claimed to have passed onto Wikileaks. That may suggest that the government doesn’t have evidence tying Manning to the leak of that video (as opposed to the Iraqi one). It may suggest someone entirely different leaked it to Wikileaks. Or it may simply suggest the video wasn’t successfully leaked (which I raise because of the possibility that the government may have managed to sabotage an attempted leak).

Next, note how the charge sheet treats the diplomatic cables differently. The charge sheet traces the Reykjavik cable via Manning’s alleged unauthorized access, loaded onto his computer, and transmitted to someone unauthorized to receive it. It alleges 50 State Department cables (which may or may not include the Reykjavik one) were loaded onto Manning’s computer and transmitted to someone unauthorized to receive them. That means the government has some kind of proof that 50 cables were transmitted. That’s particularly curious given that, on May 22, Manning told Adrian Lamo that he would have to ask Julian Assange to learn if he had leaked anything beyond the Reykjavik cable.

(1:44:11 PM) Manning: you missed a lot…

(1:45:00 PM) Lamo: what kind of scandal?

(1:45:16 PM) Manning: hundreds of them

(1:45:40 PM) Lamo: like what? I’m genuinely curious about details.

(1:46:01 PM) Manning: i dont know… theres so many… i dont have the original material anymore

(1:46:18 PM) Manning: uhmm… the Holy See and its position on the Vatican sex scandals

(1:46:26 PM) Lamo: play it by ear

(1:46:29 PM) Manning: the broiling one in Germany

(1:47:36 PM) Manning: im sorry, there’s so many… its impossible for any one human to read all quarter-million… and not feel overwhelmed… and possibly desensitized

(1:48:20 PM) Manning: the scope is so broad… and yet the depth so rich

(1:48:50 PM) Lamo: give me some bona fides … yanno? any specifics.

(1:49:40 PM) Manning: this one was a test: Classified cable from US Embassy Reykjavik on Icesave dated 13 Jan 2010

(1:50:30 PM) Manning: the result of that one was that the icelandic ambassador to the US was recalled, and fired

(1:51:02 PM) Manning: thats just one cable…

(1:51:14 PM) Lamo: Anything unreleased?

(1:51:25 PM) Manning: i’d have to ask assange

So if the government charged that Manning leaked 50 cables, it presumably didn’t come from his own confession, unless he leaked those cables to someone after May 22. That means they either got proof from Wikileaks that it received the cables, Manning leaked the cables after May 22, or someone else (Lamo?) received the cables and therefore offered proof they got leaked.

So there are 50 cables that got leaked, which have not yet been released to the public, yet which the government is sufficiently certain have been leaked so as to charge Manning with that leak.

Then the charge sheet alleges that Manning obtained information from 150,000 State Department cables.

Cables on Church Sex Scandal among those Sent to Wikileaks

Threat Level posted a quarter of the chat logs between alleged Wikileaks leaker Bradley Manning and hacker Adrian Lamo (it didn’t post those with particularly personal or potentially dangerous national security information).

While the logs don’t provide many details about what was in the 260,000 State Department cables that have the government so spooked, they do reveal that some of the cables pertain to the Vatican’s position on the Church’s sex scandals.

(1:45:16 PM) Manning: hundreds of them
(1:45:40 PM) Lamo: like what? I’m genuinely curious about details.
(1:46:01 PM) Manning: i dont know… theres so many… i dont have the original material anymore
(1:46:18 PM) Manning: uhmm… the Holy See and its position on the Vatican sex scandals
(1:46:26 PM) Lamo: play it by ear
(1:46:29 PM) Manning: the broiling one in Germany

Sort of makes you wonder why the State Department is discussing what the Vatican thinks about its pedophile priests, doesn’t it? Unless of course our government is tapping the Pope to keep track of the Church’s pedophiles…