
Rat-Fucker Rashomon: Trolling for Russia

With one exception, the SSCI Report does a tremendous job cataloging how people with a stake in the 2016 hack-and-leak operation undermined the Russian attribution of it. It includes an entire section on Russia’s efforts to undermine the Russian attribution, in which Konstantin Kilimnik plays a starring role and Manafort significantly follows. It describes WikiLeaks’ false attribution, mentioning the Seth Rich hoax explicitly. It includes several paragraphs describing the campaign’s claimed ignorance about the source of the stolen emails, framing it in terms of the October 7 DHS/ODNI assessment.

The Campaign tried to cast doubt on the October 7 joint DHS/ODNI assessment formally attributing the activity to Russia, and was indifferent to the significance of acquiring, promoting, or disseminating materials from a Russian intelligence services hack-and-leak campaign.1436

1436 (U) In contrast to the Campaign’s decision, other lawmakers refused to engage in such exploitation of the stolen material. For example, in an October 2016 interview, Senator Marco Rubio said that he would “not discuss any issue that has become public solely on the basis of WikiLeaks,” noting that “these leaks are an effort by a foreign government to interfere with our electoral process, and I will not indulge it.” Jonathan Karl and Benjamin Siegel, “Exclusive: Rubio Won’t Talk About WikiLeaks, and Neither Should Donald Trump,” ABC News, October 19, 2016.

[snip]

(U) While the Campaign was using the WikiLeaks documents, Trump cast doubt on the assessment that Russian government hackers were responsible for the hack-and-leak campaign. At the second presidential debate on October 9, Trump asserted: “maybe there is no hacking.” 1704 In testimony to the Committee, Stephen Miller claimed that the Campaign did not know who was responsible for the hacks “one way or the other.”1705 But this uncertainty did not stop Trump or Campaign officials from minimizing Russian involvement at other times, suggesting that it was an “absurd claim” to say that the Kremlin was promoting the Trump Campaign1706; that “the DNC did the ‘hacking’” as a distraction1707; that the Democrats were “putting [it] out” that the Russians were responsible; and that it was “unlikely” that the Russians did it1708 or that nobody knew it was Russia, and it “could also be China” or “lots of other people.”1709 According to Gates, the Campaign was “not concerned with how or who hacked” the documents, but just sought to release emails as quickly as possible. 1710

(U) Among the theories espoused by Trump Campaign officials, Manafort expressed a belief that the Ukrainians were responsible, not the Russians. 1711 Gates said that this “parroted a narrative [Konstantin] Kilimnik often supported.” 1712 According to Gates, Kilimnik also asserted that the hack could have been done by “Russian operatives in Ukraine.” 1713 Gates was not aware of Manafort asking Kilimnik “to reach out to his Russian contacts” about the source of the leaked materials, and was not himself asked to contact Kilimnik about it. 1714 The Committee has determined that this theory espoused by Kilimnik and Manafort has no factual basis.1715 Gates and others also decided to promote the story that a DNC insider had been involved in the hacks.1116

SSCI’s invocation of the doubts Trump aired in the October 9, 2016 debate is of particular note, coming as it did just days after the John Podesta release. Trump’s comment was something that Mueller’s team asked numerous witnesses about.

Yet SSCI doesn’t include a focused discussion of all the ways Roger Stone — who appears to have met with Trump on October 8, 2016 — undermined the Russian attribution. As noted in this post of this series, one of the affidavits targeting Stone suggests Stone optimized the release of the John Podesta emails to overwhelm any attention to that October 7 attribution statement.

Perhaps the closest the SSCI Report comes to describing Stone’s efforts to troll for Russia is where — in entirely different sections of the report — the SSCI Report documents Stone’s flip flop on the Russian role in hacking the DNC. On page 224 of the SSCI Report, it describes how Stone told Gates (in July 2016) that the stolen files may have come from Russia.

In one call during that period, Stone also told Gates that the WikiLeaks information could be from the Russians. However, Gates did not recall Stone suggesting a connection between WikiLeaks and Russia. Gates also thought that Stone could have based his theory of Russian involvement on publicly available information. 1452

On pages 194-195, the SSCI Report describes how days later, Stone started claiming that Guccifer 2.0, whom he did not treat as Russian, had hacked the DNC.

On August 5, 2016, Stone penned an opinion piece asserting that Guccifer 2.0, not the Russians, had hacked the DNC, and repeating the false claims made by the GRU on the Guccifer 2.0 website and Twitter account. 1250 On August 12, the GRU released DCCC records, including the cell phone numbers and email addresses of almost all Democrats in the House of Representatives through the Guccifer 2.0 persona, 1251 and tweeted publicly at Stone: “thanks that u believe in the real #Guccifer2.”1252 When Twitter then suspended the Guccifer 2.0 account, WikiLeaks complained: “@Guccifer_2 has account completely censored by Twitter after publishing some files from Democratic campaign #DCCC.”1253 Stone also tweeted at WikiLeaks and the Guccifer 2.0 persona in response to the suspension, calling it “outrageous”1254 and referring to Guccifer 2.0 as a “HERO.”1255

Yet even though it includes this flip flop across two places thirty pages apart without noting it, the SSCI report doesn’t describe how, in the same period, Stone started pushing the Seth Rich hoax. Nor does it describe how long he continued to argue there was no proof that Guccifer 2.0 was Russian.

Perhaps the SSCI Report’s silence about Stone’s efforts to undermine the Russian attribution is a focus adopted from the Mueller Report. Like the SSCI Report, the Mueller Report describes WikiLeaks’ efforts to undermine the Russian attribution of the hack by pinning it on Seth Rich.

Beginning in the summer of 2016, Assange and WikiLeaks made a number of statements about Seth Rich, a former DNC staff member who was killed in July 2016. The statements about Rich implied falsely that he had been the source of the stolen DNC emails. On August 9, 2016, the @WikiLeaks Twitter account posted: “ANNOUNCE: WikiLeaks has decided to issue a US$20k reward for information leading to conviction for the murder of DNC staffer Seth Rich.” 180 Likewise, on August 25, 2016, Assange was asked in an interview, “Why are you so interested in Seth Rich’s killer?” and responded, “We’re very interested in anything that might be a threat to alleged Wikileaks sources.” The interviewer responded to Assange’s statement by commenting, “I know you don’t want to reveal your source, but it certainly sounds like you’re suggesting a man who leaked information to WikiLeaks was then murdered.” Assange replied, “If there’s someone who’s potentially connected to our publication, and that person has been murdered in suspicious circumstances, it doesn’t necessarily mean that the two are connected. But it is a very serious matter … that type of allegation is very serious, as it’s taken very seriously by us.”181

But neither describes Stone’s parallel and in many ways far more systematic efforts to sow the Rich hoax, efforts which extended well beyond the election and recruited involvement from the likes of Sean Hannity (who will be deposed by Joel Rich’s lawyers on this subject on October 30) and Alex Jones.

On this point as most others, the Stone prosecution unsurprisingly adopts the same general scope as the Mueller Report; like it, the indictment did not touch on Stone’s role in fostering the Seth Rich conspiracy. That said, prosecutors expended significant effort preventing Stone from using the prosecution to sow propaganda in the court room about Russian attribution (as Yevgeniy Prigozhin’s trolls succeeded in doing).

But the affidavits in the Stone investigation (as we’ve seen elsewhere) break from the pattern. They focus closely on Stone’s social media activity — activity which would ultimately get Stone gagged by Amy Berman Jackson, the judge presiding over his trial, and activity that would get fake accounts created for him starting during the election removed by Facebook. At least eight of the warrants obtained towards the end of the Stone investigation targeted Internet infrastructure used to support social media campaigns.

It’s unclear exactly what investigators were looking for, though. After all, using fake accounts, while a violation of social media terms of service, is not illegal by itself.

For some of these accounts, investigators were collecting forensic data in an effort to tie Stone’s known online activity to very damning Google searches — indicating knowledge of the Russian hack-and-leak while the hackers were still in DNC servers — they believed to be Stone’s. In addition, the warrant where the investigation started to incorporate evidence and testimony from Steven Bannon listed wire fraud among the crimes under investigation, which prosecutors sometimes charge if someone raises money for one purpose — say, purporting to fund a PAC supporting one cause — and uses it for another purpose (this is precisely what got Bannon indicted by SDNY).

But some of investigators’ focus appears to pertain to the content Stone pushed, his efforts to undermine the Russian attribution, including his sustained claims that Guccifer 2.0 wasn’t Russian. After one of the guys who did social media for him provided details of the effort, investigators started incorporating Stone’s social media activity into affidavits.

Based on search warrant returns for STONE’s account [redacted], between on or about October 31, 2016 and November 3, 2016, [redacted] received receipts from Facebook for the purchase of a number of advertisements associated with the Target Account, including advertisements with the following excerpted titles (as set forth in the receipts):

  • “BREAKING: New #Wikileaks emails prove that Team …”
  • “Roger Stone talked about WikiLeaks, Donald Trump, …”

90. Additionally, on or about March 31, 2017, STONE received a Facebook receipt at his Hotmail account for advertisements associated with Target Account 1, with the following excerpted titles (as set forth in the receipt):

  • “Stone Rebuts Charge of Russian Collusion”
  • “I am not in touch with any Russians, don’t have … ,”
  • “The charge that I am working for Russian … ,”
  • “In fullest statement yet on DNC hacking …”
  • “ROGER STONE – NO consensus that Guccifer 2.0 is a …”

Mueller’s investigators might simply have been tracking the Podesta effort and the later cover-up (though, again, none of it showed up in a trial on the cover-up). But some of the later warrants that included gags, including the one that specifically said prosecutors were trying to keep Stone in the dark about the scope of their investigation, targeted social media, too.

Whatever the point of that investigative focus, Stone at least believed that his efforts to optimize the stolen files could make the difference in getting Trump elected. Moreover, he played a role at key moments in how others understood the provenance of the documents, possibly even in Trump’s public doubts in the second debate. Stone had more incentive than anyone to claim that Russia wasn’t behind the hack, his efforts to push that narrative were in many ways more sustained than other efforts, and the way in which he tried to rebrand Guccifer 2.0 as something other than a Russian persona was a key claim in his false HPSCI testimony. Indeed, Trump appears to have picked up some of the attacks on Russian attribution that his rat-fucker first pushed, which has since snowballed into a systematic effort to dismantle any part of the government with expertise in Russian operations and organized crime.

And yet the SSCI Report, completed in the wake of and incorporating the affidavits, which incorporated some of the Ukrainian-based disinformation still being chased by Republicans, makes little mention of Stone’s campaign to undermine the Russian attribution, and how closely it tied to WikiLeaks’ own such campaign.


The movie Rashomon demonstrated that any given narrative tells just one version of events, but that by listening to all available narratives, you might identify gaps and biases that get you closer to the truth.

I’m hoping that principle works even for squalid stories like the investigation into Roger Stone’s cheating in the 2016 election. This series will examine the differences between four stories about Roger Stone’s actions in 2016:

As I noted in the introductory post (which lays out how I generally understand the story each tells), each story has real gaps in one or more of these areas:

My hope is that by identifying these gaps and unpacking what they might say about the choices made in crafting each of these stories, we can get a better understanding of what actually happened — both in 2016 and in the investigations. The gaps will serve as a framework for this series.

SSCI Confirms that Mueller Considered CFAA Charges for Don Jr.

One of the most useful things about the SSCI Report is how much content from the interviews and redacted portions of the Mueller Report it made public.

I’ll have several follow-ups talking about what it shows (beyond that DOJ is badly abusing the FOIA process to suppress damaging information) and what the different choices about story-lines say about the investigation into Trump.

But for now, this disclosure is predictable, but important. Mueller considered CFAA charges for Don Jr’s use of a password obtained from WikiLeaks to access a non-public website.

WikiLeaks contacted the Trump Campaign directly, through Donald Trump Jr., on several occasions. On September 21, WikiLeaks used a direct message on Twitter to reach out to Trump Jr. for a comment about a website, “putintrump.org,” and provided Trump Jr. a password to access the website before it launched.1725 Trump Jr. responded, “Off the record I don’t know who that is, but I’ll ask around.”1726 He then forwarded the message to senior Campaign officials in an email, and asked for their thoughts, indicating that he had visited the website:

Guys I got a weird Twitter DM from wikileaks. See below. I tried the password and it works and the about section they reference contains the next pic in terms of who is behind it. Not sure if this is anything but it seems like it’s really wikileaks asking me as I follow them and it is a DM Do you know the people mentioned and what the conspiracy they are looking for could be? These are just screen shots but it’s a fully built out page claiming to be a PAC let me know your thoughts and if we want to look into it. 1727

Trump Jr. expressed concern about the webpage, though not about WikiLeaks itself: “The way they asked the question it almost seemed like there was some connection we should be aware of though. Do any of the political people recognize the names there?”1728 Some members of the Campaign responded to Trump Jr., but he did not communicate further with WikiLeaks on the topic. 1729

(U) Email, Trump Jr. to Conway, Bannon, Kushner, Bossie, and Parscale, September 21, 2016 (DJTFP00023909-23911) (attaching screenshots of Twitter direct message from WikiLeaks). The email garnered some responses. Brad Parscale suggested setting up a competing website so that “searches come to us.” Email, Parscale to Trump Jr. et al., September 21, 2016 (DJTFP00023912). Jared Kushner forwarded the email to Hope Hicks without comment. Email, Kushner to Hicks, September 21, 2016 (DJTFP00023916-23918). The SCO declined to charge Trump Jr. for violating the Computer Fraud and Abuse Act based on his unauthorized use of the password to access the website. See SCO Report, Vol. I, p. 179.

Let me be clear: It would have been a gross abuse of the CFAA to charge this, the kind of thing DOJ has tried in rare instances, to be rightly rebuked in legal commentary. Mueller made the right decision not to charge this.

But, as SSCI’s success at releasing this information makes clear, there’s no reason to redact this information (or other information discussing the various criminal theories used with the failson). Don Jr is not — as Billy Barr claimed when he described his privacy redactions — in any way a tangential third party to his father’s campaign. And the underlying conduct here has long been public. There’s no reason to hide the discussion of why Mueller (correctly) decided not to charge this conduct.

“ur submission form is too fucking slow, spent the whole day uploading 1 gb.”

As I noted, one of the Roger Stone-related warrant applications released last week includes more details on the communications between the Guccifer 2.0 persona and WikiLeaks leading up to the DNC release. Emma Best examines the filing from a perspective of how someone, purportedly with no prior relationship to WikiLeaks, would go about transferring even a marginally significant submission to WikiLeaks. Almost a month of back-and-forth transpires between the first contact with Guccifer 2.0 and the successful transfer of the DNC files.

A key exchange, however, happened on July 6, 2016. After Guccifer 2.0 inquires whether WikiLeaks received some documents Guccifer 2.0 sent, the persona gets cranky because it took so long to upload a 1 GB file to WikiLeaks’ submission system. [I’m using Best’s conversion of this filing into a nifty transcription.]

Guccifer 2.0: “fuck, [I] sent 4 docs on brexit on jun 29, an archive in gpg[.] ur submission form is too fucking slow, [I] spent the whole day uploading 1 gb”

WikiLeaks: “We can arrange servers 100x as fast. The speed restrictions are to anonymise the path. Just ask for custom fast upload point in an email.”

Guccifer 2.0: “will u be able to check ur email?”

WikiLeaks: “We’re best with very large data sets. e.g. 200gb. these prove themselves since they’re too big to fake”

Almost two weeks into this exchange, WikiLeaks says they can arrange for a custom server to transfer larger data sets — of around 200 GB.

These exchanges should, to a significant extent, be considered theater. Both sides of this conversation knew that the FBI would be watching all DMs between WikiLeaks and the Guccifer 2.0 persona. So it can’t be taken as a definitive indication of how any files get sent.

Still, it shows how WikiLeaks would respond, using the public communication accounts, to a request to submit data in July 2016.

That’s significant because it shows how things might have proceeded, two months earlier, when Joshua Schulte allegedly sent 1TB of data to WikiLeaks on May 1, 2016.

While the prosecution in Schulte’s case provided forensic evidence to explain when he stole the CIA files and sent them to WikiLeaks, key gaps remain (perhaps most notably, how he got the files out of his building, though that may be because of certain classification decisions). And because Schulte used Tails and wiped his devices afterwards, there’s no record of him actually sending the files.

Here’s how prosecutor Matthew Laroche described that process in his closing arguments.

Just as a general matter, you know this information was transmitted to WikiLeaks because they posted it on the internet. They obviously got it, and the question is when did he send it?

And that’s answered by what he did on the 30th and May 1. Let’s look at the evening of the 30th.

At 6:47 p.m., he is searching for Google history and Google view browsing history. He is concerned about what he’s been searching for. On the evening, that night, he is searching for digital disk-wipe utility on several occasions, and at 10:52 p.m., he visits a website Kill Your Data Dead With These Tips and Tools. The defendant is interested in finding out how to securely delete information that might connect him to the leak, anything that he might’ve brought home with the leak on it, anything that he might’ve used to transfer it.

And at 10:55 p.m., he runs a similar search for SSD wipe utility. And you’ll remember all those hard drives that were recovered from his home. He was wondering how to wipe them to make sure that there was no evidence of his activities.

Now, overnight, he continues working.

At 12:19 a.m., the defendant mounted his D drive onto his virtual machine, the same D drive that had those encrypted files, data2.bkp through data6.bkp. They’re in his D drive. He mounts his D drive.

Then, overnight, he is constantly looking at his computer. On at least four occasions, he is unlocking his virtual machine in the middle of the night: 1:57 a.m.; 2:34 a.m.; 2:56 a.m.; 3:18 a.m. He is doing that because he is transferring data and he wants to make sure it’s happened correctly. And you know that is the case because of the Google searches he runs at the end of the night and the early morning.

At 3:18 a.m., just after he unlocks his screen saver, the defendant searches for How Long Does It Take to Calculate MD5?

Remember, calculating an MD5 is a way to confirm that what you transferred from one place to another is the same, that it went correctly, that there were no errors. You calculate an MD5 to confirm that what you transferred transferred correctly, and that’s what he’s looking for at 3:18 a.m.

Then at 3:21 a.m., the defendant visits a website, How Can I verify That a 1TB File — one terabyte file — transferred correctly?

That description is based off this forensic testimony from Michael Berger.

Prosecutors described this as happening overnight. Overnight transmission of a 1TB file using WikiLeaks’ public submission site would be utterly impossible given the state of it at the time and the volume of data Schulte was transferring, and probably impossible regardless of how much time someone spent. Overnight transmission of 1TB of data using Tails, even to a dedicated server, would be difficult enough. Best describes that, “1 TB over Tor in one night is unlikely.”

The government timeline does have Schulte in possession of the data earlier than that, potentially giving him a week to transfer the data, with this process describing just the end of the process.
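The timing argument above, worked through as an added example (not from the original post, Best's analysis, or the trial record). It assumes decimal units, reads Guccifer 2.0's "the whole day" for 1 GB as somewhere between 8 and 24 hours, and takes the span from the 12:19 a.m. drive mount to the 3:21 a.m. search as the overnight window; all function names are illustrative.

```python
import hashlib
import io
import time
from datetime import datetime, timedelta

GB, TB = 10**9, 10**12  # decimal units (assumption)

# Window taken from the closing argument quoted above: D drive mounted at
# 12:19 a.m., "transferred correctly?" search at 3:21 a.m. on May 1, 2016.
OVERNIGHT = datetime(2016, 5, 1, 3, 21) - datetime(2016, 5, 1, 0, 19)
WEEK = timedelta(days=7)  # the "potentially ... a week" reading of the timeline


def implied_rate_bps(size_bytes, duration):
    """Average throughput (bits/s) implied by moving size_bytes in duration."""
    return size_bytes * 8 / duration.total_seconds()


def feasibility(size_bytes, window, observed_size, observed_duration):
    """Compare the rate needed to fit `window` with an observed transfer."""
    need = implied_rate_bps(size_bytes, window)
    seen = implied_rate_bps(observed_size, observed_duration)
    return {
        "required_mbps": need / 1e6,
        "observed_mbps": seen / 1e6,
        "shortfall_factor": need / seen,
        "time_at_observed_rate": timedelta(seconds=size_bytes * 8 / seen),
    }


def stream_md5(fileobj, chunk_size=1 << 20):
    """MD5 of a file-like object read in chunks, so size is not bounded by RAM."""
    digest = hashlib.md5(usedforsecurity=False)  # integrity check, not security
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def copies_match(src, dst):
    """True when source and destination hash identically."""
    return stream_md5(src) == stream_md5(dst)


def estimate_hash_time(size_bytes, sample=bytes(16 * 2**20)):
    """Extrapolate hashing time for size_bytes from a timed in-memory sample.

    This is a CPU-only lower bound; a real 1 TB hash is usually disk-bound.
    """
    start = time.perf_counter()
    stream_md5(io.BytesIO(sample))
    elapsed = time.perf_counter() - start
    return timedelta(seconds=elapsed * size_bytes / len(sample))


if __name__ == "__main__":
    for label, day in (("8 h per GB", 8), ("24 h per GB", 24)):
        r = feasibility(TB, OVERNIGHT, GB, timedelta(hours=day))
        print(f"public form at {label}: need {r['required_mbps']:.1f} Mbit/s, "
              f"saw {r['observed_mbps']:.3f} Mbit/s, "
              f"1 TB would take {r['time_at_observed_rate'].days} days")
    print(f"one-week window needs {implied_rate_bps(TB, WEEK) / 1e6:.1f} Mbit/s")

    # Constructed sample data: a clean copy and one with a single flipped byte.
    original = bytes(range(256)) * 4096
    damaged = bytearray(original)
    damaged[123456] ^= 0x01
    print("clean copy matches:", copies_match(io.BytesIO(original), io.BytesIO(original)))
    print("damaged copy matches:", copies_match(io.BytesIO(original), io.BytesIO(damaged)))
    print("CPU-only MD5 estimate for 1 TB:", estimate_hash_time(TB))
```

Under these assumptions the public form falls three orders of magnitude short of the overnight window, while a week-long window needs only about 13 Mbit/s sustained.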

Still, the way this would happen, normally, would be for WikiLeaks to set up a dedicated server to accept the files. And that would take prior communication. Such communication likely would have happened over Jabber, not Twitter (Schulte’s opsec was piss poor in many ways but he did use Jabber).

Such a prior conversation is entirely consistent with testimony provided elsewhere, where prosecutors focused on the website’s alternative submission process.

But the seeming necessity for prior communication before this transfer happened suggests Schulte’s alleged theft and transfer of the files might not have been as reactive a decision as portrayed in his prosecution.

It would take premeditation to send WikiLeaks a 1TB file, whatever the timing. Prosecutors may know that, and have an explanation for when such prior communications happened, but they’re withholding those details for any of a number of reasons. Or it may be a big hole in this story. Schulte insists he didn’t do it and a jury failed to convict.

One way or another, however, the state of the WikiLeaks’ submission system as it existed in 2016 presents a big gap in prosecutors’ current story.

Update: Two important details for those trying to figure out how long this transfer would really take. First, Schulte ran a commercial server specifically focused on video streaming at the time, so his upload speeds would not limit the transfer time at all. Second, Schulte at least claimed that hiding data for exfiltration was his speciality. That by itself wouldn’t help him send stuff to WikiLeaks, at least not without prior contact. But it does mean that the means by which he transferred this file relied on tools he has developed at CIA.

The State of Play: Joshua Schulte and Julian Assange

Last year, it looked like the Joshua Schulte trial, rescheduled in the fall to start January 13, would be done before the extradition hearing for Julian Assange started. Two things changed since then: Schulte got a delay until February 3, and then last month, Assange convinced Judge Vanessa Baraitser to split his extradition hearing into two, the first part lasting a week starting Monday, and then resuming on May 18 for three more weeks.

As a result, both men are in court during the same week, intersecting in interesting ways.

Thus far, Assange’s argument is threefold:

  1. His prosecution is hopelessly political, merely retaliation by the hated President that Assange helped elect, Donald Trump
  2. The evidence in the case against Assange is so weak as to be abusive
  3. A person cannot be extradited for political crimes like the Espionage Act

The first argument is a load of horseshit covering up the fact that the timing of the treatment of WikiLeaks as a non-state hostile intelligence service, the increased surveillance of Assange, and the initial December 21, 2017 charge all stem from WikiLeaks’ burning the CIA by publishing all its hacking tools. It’s horseshit, but it garners a lot of enthusiasm among WikiLeaks supporters who like to conveniently forget that, whatever Assange’s motivations were in 2010 (when he engaged in the acts he is charged with), he nevertheless helped Russia help Trump get elected. That said, even though the claims about what changed in 2017 are horseshit, it doesn’t change that the existing charges against Assange pose a real danger to journalism.

The second argument is far stronger. For each of the theories of prosecution under which Assange is charged — attempting to help Chelsea Manning crack a password, soliciting certain files via WikiLeaks’ wish list, and publishing a bunch of files in which the names of US and British sources were later revealed — Assange has at least a credible defense. Assange never succeeded, and could not have succeeded, in cracking that password. Manning didn’t leak the precise files that WikiLeaks had on its wish list (though did leak some of the same sets). WikiLeaks originally went to some effort to redact the names of sources, only to have a Guardian journalist release the password revealing them. Mind you, the extradition hearing is not the trial itself, so for these defenses to be relevant, WikiLeaks has to prove that the case against Assange is abusively weak.

The third argument, which is being argued today, is a more interesting legal question. Assange claims that the existing Anglo-US extradition treaty, passed in 2003, still prohibits extradition for political offenses like the Espionage Act. The US argues that Assange’s extradition is governed by the Extradition Act of 2003, which did not include such a bar (and also disagrees that these are political crimes). The lawyers are even arguing about the Magna Carta! Judge Vanessa Baraitser seems inclined to side with the US on this point, but the question will surely be appealed. Mind you, one of the charges against Assange, CFAA, is in no way a political offense, and the UK has not barred its own citizens, much less foreign citizens hanging out in foreign embassies, from being extradited on the charge (though several hackers, most recently Lauri Love, have challenged their extradition to the US for CFAA on other grounds).

Yesterday, Assange’s defense spent a good deal of time making the second argument. The US didn’t respond. Rather, it said it would deal with those issues in the May hearing.

Meanwhile, the Schulte trial is wrapping up, with Schulte doing little to mount a defense, but instead preparing an appeal. Yesterday, Schulte asked that an instruction on the defendant not testifying be added to the jury instructions (normally, these are included from the start, but Schulte has been claiming he would testify all this time). Today, Schulte told the court that Steve Bellovin won’t testify because he never got access to all the data Judge Paul Crotty ruled he couldn’t have access to (not mentioning, however, that the restrictions stemmed from Crotty’s own CIPA judgment).

I’m still unclear on the status of the witness, Michael. Schulte is trying to submit his CIA investigative report in lieu of finishing cross-examination (which is where things had left off). But it still seems possible that Crotty would require his testimony to be resumed, giving the government another opportunity to redirect his testimony. This is all likely happening today, but given that there’s so little coverage of the trial, we won’t know until Thursday.

Before all this happened, however, the jailhouse informant provided very damning testimony against Schulte, not only describing how Schulte obtained a phone (swapping an iPhone for a Samsung that he could load all the apps he wanted on it), but also claiming that Schulte said, “Russia had to help him with what he was doing,” launching an “information war.” I had learned of similar allegations of ties or willingness to forge them with Russia via several sources in the past. And Schulte’s own jailroom notebooks include hints of the same, such as a bullet point describing how Russia could help the US “destroy itself.”

And his final plan — which the informant alerted his handlers to just before Schulte launched it — included some “Russia pieces.”

As part of the same plan to get fellow SysAdmins to leak all their secrets to WikiLeaks, then, Joshua Schulte was also hoping to encourage Russia to attack the US.

I’ve long said the Vault 7 case, if it were ever added to Julian Assange’s charges (including an extortion charge, which would also not be a political crime), would be far more damning and defensible than the ones currently charged. Filings from November suggested that the government had come to think of Schulte’s leaks to WikiLeaks as the last overt act in an ongoing conspiracy against the United States.

And by 2018, Schulte had come to see leaking to WikiLeaks as part of the same plan encouraging Russian attacks on the US, precisely the allegation WikiLeaks has spent years trying to deny, especially in the wake of Assange’s cooperation in Russia’s election year operation.

It’s not clear whether the US will add any evidence to the original 2010 charges against Assange before May (though Alexa O’Brien has pointed to where additional evidence might be), but the statement they’re waiting until then to rebut the solid defense that WikiLeaks is now offering suggests they might. That might reflect a hope that more coercion against Chelsea Manning will produce that additional evidence (she has renewed her bid to be released, arguing that such coercion has obviously failed). Or it might suggest they’ve got plans to lay out a broader conspiracy if and when Schulte is convicted.

Assange’s lawyers pushed for the delay to May in the first place. If the US government uses the extra time to add charges related to Vault 7, though, the delay may make a significant difference in the posture of the case.

Why Roger Stone Threatened to Sue emptywheel!

Remember when Roger Stone threatened to sue me? It was in response to this post, in which I noted that Don McGahn had been helping Stone rat-fuck for Trump for years.

Well, it turns out that that’s the topic of something the government would like to introduce as evidence about why he lied to HPSCI.

As I noted, a debate over whether the government can introduce 404(b) evidence at trial — often used to show motive — has been going on under seal. But a snippet of the topic got aired in yesterday’s hearing on such issues. And one of the things the government wants to introduce under 404(b) is that, in addition to all the lies Stone told HPSCI laid out in his indictment, he also told further lies about his coordination with the Trump campaign.

Separately, Jackson also held off in ruling on Stone’s bid to block DOJ from talking about other alleged false statements he made before the House committee during the September 2017 testimony that led Mueller to press charges.

During Wednesday’s hearing she fretted that raising Stone’s statements could prolong the trial and confuse jurors over allegations that the government didn’t choose to prosecute.

DOJ attorney Michael Marando argued that the government’s allegations need to be heard in the context of Stone’s overall motivations.

“He went in with a calculated plan to lie, to separate himself from the campaign in order to shield the lie about his connections to WikiLeaks. He had to create that space,” Marando said.

One of those lies pertains to Stone’s communication with the campaign about the activities of his PAC.

Assistant U.S. Attorney Michael J. Marando argued that Stone falsely denied communicating with Trump’s campaign about his political-action-committee-related activities, and that the lie revealed his calculated plan to cover up his ties to the campaign and obstruct the committee’s work.

Rogow disagreed, calling the allegation more prejudicial than revealing and saying that it would divert jurors into a matter that Stone was not charged with.

Note, this is likely why he wants to call Steve Bannon, which other news outlets are inexplicably quite surprised about; Stone asked Bannon for funding from Rebekah Mercer for this stuff. And, as I noted in the post in question, Don McGahn helped Stone avoid charges for voter intimidation for his PAC activities. So I guess Stone wanted to sue me because I laid out proof that he lied to HPSCI about something that served the larger purpose of distancing his rat-fucking from the campaign.

Amy Berman Jackson ruled on most of the motions in limine as follows:

Government motion to introduce two categories of 404(b) evidence: Under advisement

Government motion to introduce two newspaper articles related to such evidence: Denied, with the opportunity to submit redacted versions if the evidence is submitted

Government motion to exclude claims of prosecutorial misconduct: Granted, but Stone can introduce impeachment information

Government motion to exclude evidence of Russian interference: Granted

Stone motion to introduce evidence challenging claims that WikiLeaks obtained stolen documents from Russia: Denied

Stone motion to subpoena Crowdstrike for its reports to the DNC: Denied

Stone motion for a recording of his HPSCI testimony: Moot

Government motion to introduce upload dates for videos: Granted

Government motion to introduce an excerpt of Godfather II: Deferred

Government motion to partially redact a grand jury transcript: Granted, along with permission to file a motion in limine to limit the same witnesses’ court testimony

ABJ ordered the two sides to figure out what portion of the HPSCI report they need to submit at trial, as well as what communications between Randy Credico and Stone should be excluded.

DOJ Says It Never Offered Accused Vault 7 Leaker Joshua Schulte a Plea Deal

As the Joshua Schulte prosecution has inched along against the backdrop of the Julian Assange indictment, I’ve heard chatter about his plans: that the two sides might prosecute the child porn charges and leave the leak untried; that the government was trying to get him to cooperate against Assange.

In the former case, the opposite now seems more likely. Last week, Judge Paul Crotty granted Schulte’s motion to sever his child porn and copyright charges from his Espionage ones. But the minute order states that the Espionage charges will be tried first, in November, with the child porn charges tried some time after that. That’s true, even though the Espionage charges are far more complex to try than the child porn ones. If the government wanted to use the child porn charges to put Schulte away indefinitely and avoid the difficulties of an Espionage trial, they’d try those first. (Update: at the hearing where this was decided, the defense said they wanted the Espionage trial to go first, and all other parties agreed.)

As to the latter, Schulte himself has sown the belief he was being offered a plea deal. In one version of his “Presumption of Innocence” blog, for example, he claimed (falsely, given the warrants he himself released) the government never obtained any evidence implicating him in the leak, and was just pursuing the child pornography charges to “break” him so he’ll cooperate against WikiLeaks.

I’m arrested and charged with a crime that had nothing to do with the initial search warrant and that I was completely innocent. The U.S. Attorney unethically and immorally misleads the court regarding what the initial investigation was about, when they found the illicit materials, and the fact that they did not think I was involved for 5 months until their initial investigation came up empty. I’m denied bail and thrown into prison immediately and they use the situation as leverage telling my attorney every day that he can make this huge embarrassment and misunderstanding all go away if only I would agree to cooperate on the WikiLeaks investigation and admit to it. They admit, unabashedly that these entire charges are nothing more than a ruse, an attempt at leverage to break me.

A version of this claim was repeated in a piece the Intercept did yesterday claiming to track how (a select group of) leakers got identified by the FBI.

Of the four Espionage Act cases based on alleged leaks in the Trump era, the most unusual concerned Joshua Schulte, a former CIA software developer accused of leaking CIA documents and hacking tools known as the Vault 7 disclosures to WikiLeaks. Schulte’s case is different from the others because, after the FBI confiscated his desktop computer, phone, and other devices in a March 2017 raid, the government allegedly discovered over 10,000 images depicting child sexual abuse on his computer, as well as a file and chat server he ran that included logs of him discussing child sexual abuse images and screenshots of him using racist slurs. Prosecutors initially charged Schulte with several counts related to child pornography and later with sexual assault in a separate case, based on evidence from his phone. Only in June 2018, in a superseding indictment, did the government finally charge him under the Espionage Act for leaking the hacking tools. He has pleaded not guilty to all charges.

Schulte was identified as the suspect just like all the other people profiled in the story were: because he was one of the few people who had access to the files that got leaked and his Google searches mapped out a damning pattern of research involving the leak, among other things. In his case, WikiLeaks itself did several things to add to the evidence he was the source. It is true that Schulte was charged with the porn charges first and that it took 15 months for the government to ultimately charge the leak, but the theory of Schulte’s role in the leak has remained largely unchanged since a week after the first files were dropped.

Schulte again suggested he might get a plea deal in his lawsuit against then Attorney General Jeff Sessions for imposing Special Administrative Measures against him when he raised 5K1 letters that might allow someone to avoid mandatory minimum sentencing.

But in last week’s opposition to Schulte’s motion to suppress most of the warrants against him — including some on the grounds that they relied on poisonous fruit of attorney-client privileged material — the government denies ever offering a plea deal.

Schulte claims that the FBI read his thoughts on severance (which the Government has consented to) or a plea offer (which the Government has not made), but none of those “thoughts” are referenced in any subsequent search warrant.

The claim that the government left unredacted a reference to Schulte’s views on a plea deal does not appear in the unredacted version of Schulte’s motion to suppress, but given his lawyers’ claim that his journals were intended to be a discussion of his legal remedies, it may be an attempt to suppress the Presumption of Innocence notes cited above (even though Schulte made the same notes public).

Mr. Schulte’s narrative writings and diary entries contain information he “considered to be relevant to his potential legal remedies.”

There’s a lot of room for a discussion short of a plea offer that might be true even given the government claim that “the Government has not made” any offer (such as that one of the series of attorneys who have represented Schulte has recommended that he seek a deal).

But the detail is particularly interesting given the timing of his trial and something the government claimed the last time Chelsea Manning and her lawyers tried to get her out of jail. It insisted they want Manning’s testimony for subjects and charges not included in Assange’s current indictment, and said the submission of the extradition request against Assange does not preclude future charges based on those offenses.

As the government’s ex parte submissions reflect, Manning’s testimony remains relevant and essential to an ongoing investigation into charges or targets that are not included in the superseding indictment. See Gov’t’s Ex Parte Mem. (May 23, 2019). The offenses that remain under investigation are not time barred, see id., and the submission of the government’s extradition request in the Assange case does not preclude future charges based on those offenses, see Gov’t’s Supplement to Ex Parte Mem. (June 14, 2019).

Barring a delay because of Classified Intelligence Protect Act proceedings, Schulte will face trial on the Espionage charges in November, three months before the next hearing in Assange’s extradition. And while there’s no hint in Schulte’s case that WikiLeaks played a role in the front end of Schulte’s alleged leak, there’s abundant evidence that they continued to cooperate with him in the aftermath and even in the initial release itself. Indeed, that’s some of the most damning evidence against Schulte.

Schulte seems to think he could cooperate against Assange and face lesser charges. If the government told the truth last week, he may have little prospect to diminish what would amount to a life sentence if he’s found guilty.

The Dance between Joshua Schulte and WikiLeaks

Way back when Joshua Schulte was first charged for leaking the CIA’s hacking tools to WikiLeaks, I noted a loose coincidence between WikiLeaks’ release, for the first time, of some of CIA’s hacking source code rather than just development notes and the activity on Tor that led to Schulte getting his bail revoked. Since then, however, court documents have laid out a number of other interactions between Schulte and WikiLeaks. This post lays all of those out.

The government currently maintains that Schulte stole the CIA’s hacking tools in late April 2016 and sent them (it’s unclear whether they believe he sent them directly to WikiLeaks or not), using Tails, in early May. In court documents (the most informative warrant affidavit starts at PDF 129, though the FBI would revise some of its understanding of events after that time), that timeline is based off the searches Schulte did in Google (!!!) mapping out his actions.

April 24, 2016: Schulte searches for a SATA adapter (which lets you connect a computer hard drive via a USB connection); Schulte searches how to partition a drive

April 28, 2016: Schulte searches, for a second time, on how to restrict other admins from seeing parts of a LAN

April 30, 2016: Schulte researches how to delete Google history, Western Digital disk wipe, and Samsung ssd wipe (the search of Schulte’s apartment would find both Western Digital and Samsung drives)

May 1, 2016, 3:20AM: Schulte searches on “how can I verify that a 1 tb file transferred correctly?”

May 4, 2016: Schulte searches on “can you use dban on ssd,” referring to a wiping software called Darik’s Boot and Nuke

May 6, 2016: Schulte researches Tor

May 8, 2016: Schulte researches how to set up a Tor bridge

In August 2016, Schulte for the first time started tracking WikiLeaks coverage via a number of Google searches, but without visiting the site. He also researched Tails for a second time, as well as throwaway email.

Schulte’s first trackable visit to the WikiLeaks site itself was on March 7, 2017, the day of the first Vault 7 release (though WikiLeaks had started hyping it earlier, starting in February 2017).

From that first release on March 7 through September 7, WikiLeaks would publish another Vault 7 release fairly regularly, often every week, at other times at two-week intervals and, at one point in June, on consecutive days. WikiLeaks then released the one and only Vault 8 file — source code rather than development notes — on November 9.

In general, that rhythm of releases is not obviously remarkable, though of course it took place against the background of serial efforts to get Julian Assange a pardon in the US.

But it intersects with the investigation of Schulte laid out in search warrant applications and other filings in a few key ways. As I’ll show in a follow-up, it’s clear that Schulte provided WikiLeaks with a story about the files to offer a rationale for their publication, so it’s clear that he did more than provide the files as a dead drop. After the first files dropped, he realized he’d be the prime suspect. Court filings reveal that he contacted a number of his former colleagues (using Google!), trying to find out what they knew about the investigation, acknowledging that he would be a key suspect, and denying he had done the leak.

Then, between the first and the second Vault 7 release, on March 15, the FBI interviewed Schulte as they were searching his apartment. As part of that interview, Schulte lied to the FBI so as to be able to leave his apartment with the CIA diplomatic passport he had never returned (he had plane tickets to leave the country the following day). When he left his apartment, he told FBI Agents he’d be back in roughly an hour. He went to Bloomberg (where he still worked), stashed his passports there, and got on his work computer. 45 minutes after the time he said he’d return, the FBI found him leaving the lobby of Bloomberg, and on threat of arrest, got him to surrender his passports. After all this happened, Bloomberg did an analysis of what Schulte had done on his work computer and phones in this period; FBI seized his work hard drive in May 2017. If Schulte had on-going communications with WikiLeaks, this would have provided an opportunity to reach out to them to tell them he was under imminent threat of arrest.

From that point forward, the FBI asked Schulte new questions based off what had been released by WikiLeaks. Most notably, on June 29, they asked Schulte whether he altered Brutal Kangaroo, a file released by WikiLeaks just a week earlier, outside the CIA.

The rhythm of WikiLeaks’ regular releases continued through August 24, when Schulte was arrested for child porn, with a file released that day, and another file released on September 7, while he was in jail. But after Schulte was released on bail after a September 13 hearing, WikiLeaks released no more Vault 7 files.

An April 2019 Bill of Particulars released last month strongly suggests there may be a tie between WikiLeaks’ Vault 8 release and Schulte’s Tor activities starting on November 16, 2017. The document suggests that Schulte may have met with someone on November 8, 2017, then lied to the FBI or prosecutors about it 8 days later. Among the four lies the government described to substantiate False Statements and Obstruction charges in his indictment, it explains,

On or about November 16, 2017, Schulte falsely described his trip to a court appearance from the vicinity of Grand Central Terminal to the vicinity of the courthouse, and also falsely claimed to have been approached on the way to that court appearance by an unknown male who allegedly stated, in substance and in part, that he knew that Schulte had been betrayed and bankrupted by the U.S. Government.

This incident almost certainly happened on November 8. As noted, he was arrested on August 24, 2017. He was denied bail at first (so remained in jail). But when he was arraigned on the first (child porn) indictment on September 13, he was granted bail, including house arrest. While he would have had to check in with Parole Officers, the next “court appearance” he had (because the first status hearing got delayed a few times) — and the only court appearance before November 16 — was on November 8. He’d have gone to his first and second arraignment from jail; he was only out on bail to travel to a court appearance from his home for that first status conference.

It seems likely that an FBI surveillance team tracked Schulte on that day doing something suspect between the time he left his home and arrived at the courthouse. The mention of Grand Central suggests he may have met someone there, though that’s not dispositive because his apartment was just a few blocks away. But Schulte’s description of meeting a man he didn’t know, which the government alleges is false, seems like the kind of lie you’d tell if you were covering for meeting a man you did know. As noted, that probably happened on November 8.

On November 9, WikiLeaks released their single Vault 8 file.

Then, Schulte was asked, by some “law enforcement agents and/or prosecutor[] at the U.S. Attorney’s Office” about the incident on November 16.

That same day that he was interviewed about the incident on the way to the courthouse, November 16, he got on Tor for the first of five times, as laid out in his detention memo.

Separately, since the defendant was released on bail, the Government has obtained evidence that he has been using the Internet. First, the Government has obtained data from the service provider for the defendant’s email account (the “Schulte Email Account”), which shows that the account has regularly been logged into and out of since the defendant was released on bail, most recently on the evening of December 6, 2017. Notably, the IP address used to access the Schulte Email Account is almost always the same IP address associated with the broadband internet account for the defendant’s apartment (the “Broadband Account”)—i.e., the account used by Schulte in the apartment to access the Internet via a Wi-Fi network. Moreover, data from the Broadband Account shows that on November 16, 2017, the Broadband Account was used to access the “TOR” network, that is, a network that allows for anonymous communications on the Internet via a worldwide network of linked computer servers, and multiple layers of data encryption. The Broadband Account shows that additional TOR connections were made again on November 17, 26, 30, and December 5.

[snip]

First, there is clear and convincing evidence that the defendant has violated a release condition—namely, the condition that he shall not use the Internet without express authorization from Pretrial Services to do so. As explained above, data obtained from the Schulte Email Account and the Broadband Account strongly suggests that the defendant has been using the Internet since shortly after his release on bail. Especially troubling is the defendant’s apparent use on five occasions of the TOR network.

When it ultimately came time to explain away this use of Tor, Schulte pointed to a series of posts that would form part of what the government claims Schulte called an “information war” attempting to discredit the US government. That was first made broadly available when WikiLeaks posted it on June 19, 2018, the day after Schulte was charged with leaking the Vault 7 files.

The government alleges that a copy posted to Facebook later that year, on September 25, 2018, was posted by Schulte himself from his jail cell, using a contraband cell phone, which makes the WikiLeaks tweet part of Schulte’s deliberate information campaign from jail.

And around the same time Schulte posted his diaries from jail, the government claims, Schulte was prepping to send WikiLeaks materials from a fake FBI agent attesting that the Bureau had framed Schulte by planting child porn on his computer.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

[snip]

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

As I’ll show, Schulte gave WikiLeaks several claims it used to introduce the series in March 2017.

Then, several key events — an incident that probably occurred on November 8 which the government accuses Schulte of trying to cover up, WikiLeaks’ sole release of source code from the CIA, the interview at which Schulte allegedly lied about the November 8 incident, and some activity on Tor — make it more likely that they are more than a coincidence.

And then WikiLeaks contributed early to Schulte’s “Information War,” and Schulte may have expected he could get WikiLeaks to cooperate again, with even more blatant disinformation.

That’s a fairly remarkable degree of coordination at a time when WikiLeaks was trying to coerce an Assange pardon and Schulte was (according to the government) trying to lie his way out of a great deal of legal trouble.

The Parts of the Mueller Report withheld from Roger Stone Show the Centrality of His WikiLeaks Activities to Trump’s Obstruction

Along with denying most of Roger Stone’s frivolous challenges to his prosecution, Amy Berman Jackson also partly granted his motion to get some of the redacted Mueller Report. As she laid out, she permitted the government to withhold grand jury information, sources and methods, stuff that would harm the reputation of others, and prosecutorial deliberations.

But the Court was of the view that the Report of the Special Counsel should receive separate consideration since a great deal of deliberative material within the Report had already been released to the public.

[snip]

Having considered the defendant’s motion, the government’s response and supplemental submissions, and the Report itself, the Court has determined that the defense should have the limited access he requested to some, but not all, of the redacted material.32 Insofar as defendant’s motion to compel seeks any material that was redacted from the public report on the basis that its release would infringe upon the personal privacy of third parties or cause them reputational harm; pursuant to Federal Rule of Criminal Procedure 6(e); or on the basis of national security or law enforcement concerns, including information that if revealed, could potentially compromise sensitive information gathering sources, methods, or techniques or harm ongoing intelligence or law enforcement activities, the Court will deny the motion.33 With respect to material that was withheld solely on the basis that its release could affect the ongoing prosecution of this case, the Court has concluded that the material to be specified in the order issued with this opinion should be provided to counsel for the defendant subject to the terms and conditions of the Protective Order in this case.

As she described, the government “submit[ted] unredacted portions of the Report that relate to defendant ‘and/or “the dissemination of hacked materials.”‘” Then she and the government conducted a sealed discussion about what could be released to Stone. In addition to her opinion, she submitted an order describing which specific pages must now be released to Stone.

We can compare what the government identified as fitting her order — this includes anything that fits the order, whether redacted or not — with what she has ordered released to Stone (note, the government either did not include Appendix D, showing referrals, or ABJ didn’t mention it, because in addition to an unredacted reference to Stone, there are referrals that the FOIA copies show to be related to Stone; nor did it include questions to Trump).

ABJ has not ordered the government to turn over anything pertaining to how GRU got stolen documents to WikiLeaks. This is precisely the kind of thing Stone is trying to get with his demands for Crowdstrike reports; after ABJ pointed out that if they really wanted the reports they would have tried subpoenaing Crowdstrike, they are now launching an attempt to do that. That ABJ has not ordered the government to turn this material over does not bode well for Stone’s plans to make this trial about the hack-and-leak rather than his lies. I would not be surprised if Stone made a second effort to get this information.

She has permitted the government to withhold all the prosecutorial decisions covered by her order except the one pertaining to Stone’s own lies. In addition, she let the government withhold one line about how they hadn’t determined whether or not Stone and Corsi had managed to optimize the release of the Podesta emails in October (though she did give Stone the more detailed discussion of that).

But ABJ has not included any of the references in the main part of Volume II in her order (presumably to protect Trump’s reputation!). That Volume includes three references to Trump and the campaign’s enthusiasm for or attempts to optimize the WikiLeaks releases through Stone, the reference to Richard Burr leaking news of the targets of the investigation (including Stone) to the White House before Jim Comey got fired, and three instances describing Trump floating pardons to Stone or otherwise encouraging him to remain silent.

It also includes the page on which this passage appears:

After Flynn was forced to resign, the press raised questions about why the President waited more than two weeks after the DOJ notification to remove Flynn and whether the President had known about Flynn’s contacts with Kislyak before the DOJ notification.244 The press also continued to raise questions about connections between Russia and the President’s campaign.245 On February 15, 2017, the President told reporters, “General Flynn is a wonderful man. I think he’s been treated very, very unfairly by the media.”246 On February 16, 2017, the President held a press conference and said that he removed Flynn because Flynn “didn’t tell the Vice President of the United States the facts, and then he didn’t remember. And that just wasn’t acceptable to me.” 247 The President said he did not direct Flynn to discuss sanctions with Kislyak, but “it certainly would have been okay with me if he did. I would have directed him to do it if I thought he wasn’t doing it. I didn’t direct him, but I would have directed him because that’s his job.”248 In listing the reasons for terminating Flynn, the President did not say that Flynn had lied to him.249 The President also denied having any connection to Russia, stating, “I have nothing to do with Russia. I told you, I have no deals there. I have no anything.”250 The President also said he “had nothing to do with” WikiLeaks’s publication of information hacked from the Clinton campaign.251 [my emphasis]

Clearly, it was included for Trump’s public denials — at the moment he fired Flynn in an attempt to stop the Russian investigation — of having anything to do with WikiLeaks’ publication of materials stolen from Hillary’s campaign. It is, on its face, a reference to the publication of the stolen emails, and as such qualifies under ABJ’s order. At that level, it is unremarkable.

But the government is treating it not as Trump making empty denials, but instead as a claim specifically disavowing any involvement in WikiLeaks’ publication of stolen emails. Mueller’s team put the claim right next to a claim we know to be false, a claim designed to hide Trump’s Trump Tower deals. And they put all that amid a discussion of why Trump first did not, and then did, fire Mike Flynn.

Now consider something else: While it doesn’t appear in the Mueller Report at all, one thing Flynn told prosecutors was that after WikiLeaks started dumping John Podesta’s emails, he took part in conversations during which the campaign discussed reaching out to WikiLeaks.

The defendant also provided useful information concerning discussions within the campaign about WikiLeaks’ release of emails. WikiLeaks is an important subject of the SCO’s investigation because a Russian intelligence service used WikiLeaks to release emails the intelligence service stole during the 2016 presidential campaign. On July 22, 2016, WikiLeaks released emails stolen from the Democratic National Committee. Beginning on October 7, 2016, WikiLeaks released emails stolen from John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign. The defendant relayed to the government statements made in 2016 by senior campaign officials about WikiLeaks to which only a select few people were privy. For example, the defendant recalled conversations with senior campaign officials after the release of the Podesta emails, during which the prospect of reaching out to WikiLeaks was discussed.

There’s nothing in the public record that suggests Flynn knew of Trump’s efforts, during the campaign, to build a Trump Tower. But he did know about Trump’s efforts to optimize WikiLeaks’ releases of stolen emails. And Trump would have known that when he considered the impact of Flynn’s ties to Russia being investigated by the FBI.

And the treatment of that reference as a real denial — as Trump evincing guilt even as he fired Flynn — sure makes the Flynn firing more interesting.

Federal Judge Destroys the Hopes of RICO Salvation in DNC Lawsuit

Yesterday, Clinton-appointed Judge John Koeltl dismissed with prejudice the DNC’s lawsuit against Russia, Trump’s flunkies, and WikiLeaks alleging they conspired against the party in 2016. He also ruled against a Republican demand to sanction the DNC for sustaining their claim in the wake of Robert Mueller finding that he “did not establish” a conspiracy between Trump and Russia. Koeltl’s decision is unsurprising. But his decision is interesting nevertheless for what it reveals about his legal assessment of the events of 2016, not least because of the ways it does and does not parallel Mueller’s own decisions.

The scope of the two analyses is different: The Democrats alleged RICO and some wiretapping charges, as well as the theft of trade secrets; Mueller considered campaign finance crimes and a quid pro quo. A short version of the difference and similarity in outcome is that:

  1. Mueller charged the GRU officers who hacked the DNC for the hack (which DOJ has been doing for five years, but which has never been contested by a state-hacker defendant); by contrast, Judge Koeltl ruled that Russia’s hackers could not be sued under the Foreign Sovereign Immunities Act (which is what the Mystery Appellant tried to use to avoid responding to a subpoena); notably, Elliott Broidy’s attempt to blame Qatar for his hack serves as precedent here. For the DNC, this meant the key players in any claimed conspiracy could not be sued.
  2. While Democrats made a bid towards arguing that such a conspiracy went beyond getting Trump elected to getting Trump to enact policies that would benefit Russia, Koeltl treated any Trump role as just that, attempting to get Trump elected. This meant that (for example) Stone’s alleged criminal obstruction after Trump got elected was not deemed part of any conspiracy.
  3. As Mueller did with both the hack-and-leak itself but also with any campaign finance violation associated with getting hacked documents as assistance to a campaign, Koeltl ruled that the Supreme Court’s decision in Bartnicki meant the First Amendment protected everyone besides the Russians from liability for dissemination of the stolen documents.
  4. DNC’s RICO fails because, while the Trump campaign itself was an association, the DNC claim that there was an Association in Fact under RICO fails because the ties between individuals were too scattered and their goals were not the same. Moreover, the goal of the Trump associates — to get Trump elected — is in no way illegal.

The most important part of the decision — both for how it protects journalism, what it says about the EDVA charges against Julian Assange, and what it means for similar hack-and-leak dumps going forward — is Koeltl’s First Amendment analysis, in which he argued that even WikiLeaks could not be held liable for publishing documents, even if they knew they were stolen.

Like the defendant in Bartnicki, WikiLeaks did not play any role in the theft of the documents and it is undisputed that the stolen materials involve matters of public concern. However, the DNC argues that this case is distinguishable from Bartnicki because WikiLeaks solicited the documents from the GRU knowing that they were stolen and coordinated with the GRU and the Campaign to disseminate the documents at times favorable to the Trump Campaign. The DNC argues that WikiLeaks should be considered an after-the-fact coconspirator for the theft based on its coordination to obtain and distribute the stolen materials.

As an initial matter, it is constitutionally insignificant that WikiLeaks knew the Russian Federation had stolen the documents when it published them. Indeed, in Bartnicki the Supreme Court noted that the radio host either did know, or at least had reason to know, that the communication at issue was unlawfully intercepted.

[snip]

And, contrary to the DNC’s argument, it is also irrelevant that WikiLeaks solicited the stolen documents from Russian agents. A person is entitled [sic] publish stolen documents that the publisher request from a source so long as the publisher did not participate in the theft. … Indeed, the DNC acknowledges that this is a common journalistic practice.

[snip]

WikiLeaks and its amici argue that holding WikiLeaks liable in this situation would also threaten freedom of the press. The DNC responds that this case does not threaten freedom of the press because WikiLeaks did not engage in normal journalistic practices by, for example, “asking foreign intelligence services to steal ‘new material’ from American targets.” … The DNC’s argument misconstrues its own allegations in the Second Amended Complaint. In the Second Amended Complaint, the DNC states that “WikiLeaks sent GRU operatives using the screenname Guccifer 2.0 a private message asking the operatives to ‘[s]end any new material [stolen from the DNC] here for us to review.’” … This was not a solicitation to steal documents but a request for material that had been stolen. [citations removed]

Koeltl analyzes whether the Democratic claim that GRU also stole trade secrets — such as their donors and voter engagement strategies — changes the calculus, but judges that because those things were newsworthy, “that would impermissibly elevate a purely private privacy interest to override the First Amendment interest in the publication of matters of the highest public concern.”

Koeltl goes on to note that the analysis would be the same for Trump’s associates, even though they make no claim (as WikiLeaks does) to being part of the media.

[E]ven if the documents had been provided directly to the Campaign, the Campaign defendants, the Agalarovs, Stone, and Mifsud, they could have published the documents themselves without liability because they did not participate in the theft and the documents are of public concern. … Therefore, the DNC cannot hold these defendants liable for aiding and abetting publication when they would have been entitled to publish the stolen documents themselves without liability. [citations removed]

That analysis is absolutely right, and even while Democrats might hate this outcome and be dismayed by what this might portend about a repeat going forward, it is also how this country treats the First Amendment, both for those claiming to be journalists and those making no such claim.

All that said, there are several aspects of this analysis worth noting.

This is a DNC suit, not a suit by all harmed Democrats

First, this is a suit by the DNC. Neither Hillary nor John Podesta are parties. “Podesta’s emails had been stolen in a different cyberattack,” Koeltl said, “there is no allegation they were taken from the DNC’s servers.” Had they been, they would have had to have been prepared to submit to discovery by Trump and his associates.

Including Podesta might have changed the calculus somewhat, though Koeltl does not deal with them (though he does suggest they would not have changed his calculus).

They might change the calculus, however, because (as Emma Best has noted) WikiLeaks did solicit something — the transcripts of Hillary’s speeches — that was subsequently obtained in the Podesta hack. The DNC did not include that in their complaint and that might have changed Koeltl’s analysis or, at a minimum, tested one of the theories the government is currently using in the Assange prosecution.

Similarly, while there is now evidence in the record that suggests Stone may have had advanced knowledge even of the July 2016 DNC dump, the allegations that would show him having had an impact on the release of documents pertains to the release of the Podesta emails. Jerome Corsi (who was added in the DNC’s second complaint but not as a conspirator) claimed that he had helped Stone optimize the Podesta release in an attempt to drown out the Access Hollywood video, but Mueller was not able to corroborate that.

More tantalizingly, a filing in Stone’s case shows that in at least one warrant application, the government cited some conversation in which he and others — possibly Corsi and Ted Malloch — were discussing “phishing with John Podesta.” That’s not something that will be public for some time. But even if it suggested that Stone may have had more knowledge of the Podesta hack than he let on, it would be meaningless in a suit brought by the DNC.

No one knows why Manafort shared polling data and his plans to win the Rust Belt (indirectly) with Oleg Deripaska

The second DNC complaint mentions, but does not explain, that Paul Manafort had Rick Gates send polling data to Konstantin Kilimnik intended to be shared with oligarchs including Oleg Deripaska.

At some point during the runup to the 2016 election, Manafort “shar[ed] polling data . . . related to the 2016 presidential campaign” with an individual connected to Russian military intelligence. This data could have helped Russia assess the most effective ways to interfere in the election, including how best to use stolen Democratic party materials to influence voters.

[snip]

In March 2016, the Trump Campaign also hired Manafort. As noted above, Manafort was millions of dollars in debt to Deripaska at the time. He was also broke.55 Yet he agreed to work for the Trump Campaign for free. A few days after he joined the Trump Campaign, Manafort emailed Kilimnik to discuss how they could use Manafort’s “media coverage” to settle his debt with Deripaska.56 Manafort had multiple discussions with Kilimnik in the runup to the 2016 election, including one in which Manafort “shar[ed] polling data . . . related to the 2016 presidential campaign.”57 This data could have helped Russia assess the most effective ways to interfere in the election, for instance, by helping it determine how best to utilize information stolen from the DNC.

[snip]

Manafort lied about sharing polling data with Kilimnik related to Trump’s 2016 campaign.226

The Mueller Report’s further details on the sharing, including Manafort’s review of his strategy to win the Rust Belt, came too late for the complaint. And as such, Koeltl doesn’t really deal with that allegation (which would likely require naming others as conspirators in any case), and instead treats any conspiracy as limited to the hack-and-leak.

Thus, he does not treat the hints of further coordination, nor is there currently enough public evidence for the DNC to get very far with that allegation. This is a ruling about an alleged hack-and-leak conspiracy, not a ruling about any wider cooperation to help Trump win the election.

No one knows what happened to the stolen DNC analytics

Finally, while the DNC complaint extensively described the September hack of its analytics hosted on AWS servers — a hack that took place after Stone scoffed at the analytics released to date by Guccifer 2.0 — Koeltl doesn’t treat that part of the hack in detail because it was never publicly shared with anyone.

The Second Amended Complaint does not allege that any materials from the September 2016 hack were disseminated to the public and counsel for the DNC acknowledged at the argument of the current motions that there is no such allegation.

The DNC included the analytics in their trade secret discussion, but given that Russia had FSIA immunity, and given that the GOP is not known to have received any of this, Koeltl did not consider the later theft (which is not known to have had the same public interest value as the claimed trade secrets that got leaked).

The SAC asserts: “The GRU could have derived significant economic value from the theft of the DNC’s data by, among other possibilities, selling the data to the highest bidder.” There is no allegation that the Russian Federation did in fact sell the DNC’s data, and any claims against the Russian Federation under the federal and state statutes prohibiting trade secret theft are barred by the FSIA.

Finally, given that it was not released publicly Koeltl does not consider how the GRU hack of analytics after Stone’s discussion of analytics with Guccifer 2.0 might change the analysis on whether Stone was involved prior to any hacks.

Similarly, Stone is alleged to have contacted WikiLeaks through Corsi for the first time on July 25, 2016 and spoke to GRU officers in August 2016 — months after the April 2016 hack. Stone is not alleged to have discussed stealing the DNC’s documents in any of these communications, or to have been aware of the hacks until after they took place.

[snip]

DNC does not raise a factual allegation that suggests that any of the defendants were even aware that the Russian Federation was planning to hack the DNC’s computers until after it had already done so.

Again, there’s too little known about the purpose of this part of the hack (which virtually no one is aware of, but which would have been particularly damaging for the Democrats), and as such the DNC would not be in a position to allege it in any case. But it is a key part of the hack that shifts the timeline Koeltl addressed.

Which ultimately leaves Koeltl’s final judgment about the DNC attempt to obtain some kind of remedy for having Trump welcome and capitalize on a foreign state’s actions to tamper in the election. “Relief from the alleged activities of the Russian Federation,” Koeltl said, “should be sought from the political branches of the Government and not from the courts.”

One of the few ways to do that is to impeach.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Accused Vault 7 Leaker Joshua Schulte Planned to Have WikiLeaks Publish Disinformation to Help His Defense

When WikiLeaks announced its publication of the CIA’s hacking tools in March 2017, the first tool it highlighted was an effort called Umbrage, which it claimed the CIA used to “misdirect attribution.”

UMBRAGE

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

Experts noted at the time that Umbrage served mostly to save time by reusing existing code. Nevertheless, the representation that the CIA would sometimes use other nations’ tools was immediately integrated into conspiracy theories denying that Russia carried out the 2016 hacks on Democrats. Because the CIA sometimes obscured its own hacks, denialists have said since, the CIA must have been behind the 2016 hacks, part of a Deep State operation to frame Russia and in so doing, undermine Trump.

Documents released this week reveal that Joshua Schulte, who is accused of leaking those documents to WikiLeaks, believed he could get WikiLeaks to publish disinformation to help his case.

Several documents submitted this week provide much more clarity on Schulte’s case. On Monday, the government responded to a Schulte effort to have his communications restrictions (SAMs) removed; their brief not only admitted — for what I believe to be the first time in writing — that the CIA is the victim agency, but described an Information War Schulte attempted to conduct from jail using contraband phones and a slew of social media accounts.

Yesterday, in addition to requesting that Schulte’s child porn charges be severed from his Espionage ones, his defense team moved to suppress the warrants used to investigate his communication activities in jail based on a claim the FBI violated Schulte’s attorney-client privilege. During the initial search, agents reviewed notebooks marked attorney-client with sufficient attention to find non-privileged materials covered by the search warrant, and only then got a privilege team to go through the notebooks in more detail. The privilege team confirmed that 65% of the contents of the notebooks was privileged. In support of the suppression motion, Schulte’s lawyers released most of the warrants used to conduct those searches, including the downstream one used to access three ProtonMail accounts discovered by the government and another downstream one used to access his ten social media accounts (see below for a list of all of Schulte’s accounts). Effectively, they’re arguing that the FBI would have never found this unbelievably incriminating communications activity, which will make it fairly easy for the government to prove that Schulte is the Vault 7 leaker without relying on classified information, without accessing those notebooks marked privileged.

But along the way, the documents released this week show that the guy accused of leaking that Umbrage file, which denialists have relied on to claim the 2016 hack was a false flag operation framing Russia, himself planned false flag activities to proclaim his innocence.

The government’s SAMs response describes in cursory fashion and the affidavits for the warrants as a whole describe in more detail how Schulte planned to adopt two fake identities — a CIA officer and an FBI Agent — to proclaim his innocence. The idea behind the latter was to corroborate two claims Schulte posted on his JoshSchulte WordPress sites on October 1, 2018 — that the FBI had planted the child porn discovered on his computer.

i. “I now believe the government planted the CP after their search warrants turned up empty-not only to save their jobs and investigation, but also to target and decimate my reputation considering my involvement in significant information operations and covert action.”

As noted above, in the Fake FBI Document in the Schulte Cell Documents, a purported FBI “whistleblower” claimed that the FBI had placed child pornography on Schulte’s computer after its initial searches of the device were unsuccessful in recovering evidence. See supra ¶ 14(a)(iii).

ii. “So who’s responsible for Vault 7? The CIA’s own version of the FBI’s Peter Strzok and Lisa Page,”

As noted above, in the September Tweet in the Schulte Cell Documents, a purported former CIA colleague of Schulte (but who was in fact simply Schulte himself) claimed that two other CIA former colleagues, one of whom Schulte described as the “Peter Strzok of the CIA,” had conspired to blame Schulte for Vault 7, WikiLeaks’ disclosure of the CIA material.

As noted above, two of the documents found in Schulte’s cell mixed in with the attorney-client material show how Schulte planned to create false identities to spread the same stories. One was an article he planned to send to WikiLeaks, claiming to be from an FBI whistleblower describing how Schulte was framed.

iii. A document that appears to be an article for release by WikiLeaks.org (“WikiLeaks”), in which a purported FBI “whistleblower” claimed to have provided the discovery in this case to WikiLeaks and that the FBI had planted evidence of child pornography on Schulte’s computer to frame him (the “Fake FBI Document”).

The documents also include his plans to release a fake CIA tweet claiming he was framed for the Vault 7 leak.

iv. Drafts of a tweet (the “Fake CIA Tweet”) that appear to have been drafted around August 30, 2018,3 in which Schulte pretending to be a former CIA colleague claimed that two other former CIA colleagues, both of whom Schulte referred to by full name and one of whom he described as the “Peter Strzok of the CIA,” had “set up” Schulte and used him as a “scapegoat” for “Vault 7,” which is the name of WikiLeaks serial disclosures of CIA material that began on or about March 7, 2017 and which forms the basis of some of the current charges against Schulte. On the following page of the Schulte Cell Documents appears the text “Just to authenticate me fast” followed by other apparent draft tweets that discussed the CIA’s alleged activities and methods, some of which appear to be classified (the “Fake Authentication Tweets”).4 . . I believe that Schulte planned to potentially publish the Fake Authentication Tweet before the Fake CIA Tweet in an effort to purportedly verify the author’s employment with the CIA and knowledge of the information in the Fake CIA Tweet.

Finally, the FBI also found Schulte’s to-do list of how he planned to share both the fake FBI document and his discovery with WikiLeaks.

What appears to be a “to-do” list dated September 12, 2018, in which Schulte wrote that on September 17 and 18, he would “DL Disc. UL WL,” and that on September 19, 20, and 21, he would “schedule tweets[.]” I believe that here, “DL Disc. UL WL” means that Schulte planned to download his discovery (“DL Disc.”) from the Schulte Laptop and upload that discovery to WikiLeaks (“UL WL”). As noted above, in another place in the Schulte Cell Documents, Schulte drafted the Fake FBI Document, a purported statement by a supposed FBI “whistleblower” who provided Schulte’s discovery to WikiLeaks and claimed that the FBI had planted evidence of child pornography on Schulte’s computer.

From a legal standpoint, Schulte’s lawyers have disclosed all these warrant materials in an urgent effort to suppress everything the government found after first accessing his notebooks from jail. The FBI investigation proceeded from those notebooks to the WordPress site showing him claiming something identical to disinformation he was packaging up to share with WikiLeaks. They also got from those notebooks to ProtonMail accounts where Schulte offered to share what may or may not be classified information with a journalist. The reason why the defense is pushing to suppress this — one of the only challenges they’re making in his prosecution thus far — is because the stuff Schulte did in prison is utterly damning and seems to confirm both his familiarity with WikiLeaks and his belief that he needed to create disinformation to claim to be innocent.

We’ll see whether this Fourth and Sixth Amendment challenge works.

But along the way, the defense has released information — the provenance of which they’re not disputing in the least — that shows that Schulte planned to use WikiLeaks to conduct a disinformation campaign. But it wouldn’t be the first time Schulte had gotten WikiLeaks to carry out his messaging. A year ago today — in the wake of Schulte being charged with the Vault 7 leak — WikiLeaks linked to the diaries that Schulte was writing and posting from his jail cell, possibly showing that Schulte continued to communicate with WikiLeaks — either via a family member or directly — even after he had been put in jail. Those diaries are among the things seized in the search.

In a follow-up, I think I can show that Schulte did succeed in using WikiLeaks as part of a disinformation campaign.

Social media accounts Joshua Schulte accessed from jail

ProtonMail: annon1204, presumedguilty, freejasonbourne

Twitter: @freejasonbourne (created September 1, 2018 and used through October 2, 2018)

Buffer (used to schedule social media posts): (created September 3, 2018, used through September 7, 2018)

WordPress: joshschulte.wordpress.com, presumptionofslavery.wordpress.com, presumptionofinnocence.net (all created August 14, 2018)

Gmail: [email protected], [email protected] (created April 15, 2018), [email protected],

Outlook: [email protected]

Facebook: ‘who is JOHN GALT?’ (created April 17, 2018)

Update: The government also believed at the time that an account in the name Conj Khyas was used by Schulte to receive classified information at his annon1204 account. It was not listed in these warrants, but would amount to a 14th account.