Tech Forensics Take Center Stage in Manning Pre-Trial
smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself."
The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
Come on, for a person who did the work he was doing, he should have known better! He should only blame himself for these mistakes.
The military justice system is a whole different world than that of civilians; it will be interesting to see if any of the circumstantial evidence will even matter.
Have a squat over at the hobo house.
You do realize, that unlike your football and basketball stars, you actually have a real hero, don't you? He is in your prison - a political prisoner, because he dared to challenge the government and its illegal activities.
You can't handle the truth.
Anything in a computer is a file. Which can be created, deleted and changed at your will.
Do you really think you can put someone in jail because of a bunch of files in his computer?
Ah!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
From the first article...
So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Maybe it's the usual journalist dumbing-down, but the forensics info doesn't add up:
Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.
So it's "only" zero-filled.
Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro...
How is that contractor able to decode the original data from a zero-filled disk from a mere image?
Johnson testified that he found two attempts to delete data on Manning’s laptop. Sometime in January 2010, the computer’s OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option. All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.
Assuming they did their best, if they didn't use any hidden magical tech to recover data from Manning then I guess unless you're the world's most wanted for terrorism, genocide and squashing puppies then any other criminal or civilian should feel safe with only one pass of zeros. I'm deliberately ignoring the whole "exposure of techniques on lesser things" argument because if they aren't going to do it for Manning they're not going to do it for anyone or anything less than him.
He attempted to delete the information by zero-filling the disk. The same password issue stems from being the default on the operating system (Mac OS X). I guess the forensics contractor reversed the hash from the login information and retrieved the password that way. This requires some serious computing power for the password used.
I guess 11 digits can be considered mightily unsafe now. Obligatory xkcd reference.
and he is no real hero nor the people who dispensed the information. A real hero would have taken the time to scrub names of people who are informants and such in hostile areas. A real hero would always be on the look out for the little guy, not simply acting out of anger or spite. A real hero does not act as Manning did.
Yes, there were some good outcomes from what he is accused of doing, however we will never know how many lives were lost because of it. Granted we may not know of lives saved, but I am pretty sure those lost are real.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
From the looks of his password I'd say he did not fit well with Army life.
So if Assange was interacting with him to get the data I think that may "stick the fork" in Assange, and the fact he used the same password on his Macbook as he did on his encrypted files is a warning to everyone, don't reuse user names or passwords, ever.
"If any question why we died, Tell them because our fathers lied."
A real hero would have taken the time to scrub names of people who are informants and such in hostile areas.
Whoever passed the information did so unto the entity that did the scrubbing for him. It's unreasonable to expect that he parsed reams of documents to remove stuff.
A real hero would always be on the look out for the the little guy, not simply acting out of anger or spite.
Whoever leaked the docs, was looking out for the helpless and wanted to defend them from US military assholes acting out of infantile anger, spite and sadism.
A real hero does not act as Manning allegedly did.
FTFY, idiot.
we will never know how many lives were lost because of it. Granted we may not know of lives saved, but I imagine those lost are real.
FTFY. That's just your imagination/wishful thinking/bad will/brainwashing.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Law enforcement can get a court order requiring you to surrender all passwords, so they might as well all be the same. You are required to legally comply or they get you for obstructing justice in addition to whatever else you are going to likely be convicted of (which certainly, they already have some 'evidence' against you). So encrypting disks and all of that other bunk may be great at preventing your work from being stolen by a competitor, but not so useful against the man. The only real protection here is if you use something like TrueCrypt and can actually obscure filesystems, or make relevant data/folders look like junk. If they do not know you store the data in that file then as long as it's not named "stolen documents" you're probably ok. Some of the methods used by TC would probably fall victim to a good sector editor, but if they don't know they're there they probably aren't looking.

Let's recap why this guy became a suspect:

1) Speaking on the phone to a person who has been the subject of several government shit storms due to being public and controversial. (He is nearly always watched, recorded, or whatever.)

2) Keeping stolen documents on a computer in your work area/possession for no reason. If they were disposed of after use then there would be nothing to recover, especially if you used a tool like BCWipe or something else that wipes with random noise.

3) Using tools like wget is not discreet. The network engineers just had a heart attack the minute this goof started beating the crap out of every server they had. They would have easily had IPs and access times because all the military clocks are synced up. All they'd have to do is figure out what IP was accessing and what station -- and sure as hell they knew who was doing this. It's very easy to log sessions with firewalls and network intrusion detection systems, and the military no doubt logs almost everything.

So basically, I think despite what he did..
He was sloppy and amateurish, and that's why he got caught... Even though I respect his ideals, his methods are a joke.
One of Manning's defenses is his "gender issues"/homosexuality is a mental illness.
WTF?
You can plead the 5th amendment in some cases to keep from giving your password, not sure that applies in a military trial but there it is for the record...you know, in hopes of keeping the FUD down.
I do agree here: "Even though I respect his ideals his methods are joke" Yes he was definitely not savvy enough to get into what he got into and one wonders from the chats if he fancied himself a "hacker".
"If any question why we died, Tell them because our fathers lied."
In fairness:
-He was assured that the names of sensitive peoples would be scrubbed. Or rather, the truly sensitive cables would not be leaked. And Wikileaks actually did not release many documents purely because of that.
-Wikileaks was using agencies like TheGuardian for the leaks, which assured them that they would properly vet the cables.
-The last, drastic and total leak was the result of general incompetence in regards to the total file and the security passcode for it having been posted online by different people, unawares. Oops.
Really, his duty is to the US constitution, and if he believed that there was cause for the leaks - that the army or military or diplomats were treasonous in their duty and that the cables were proof needed to bring this to light - then it's quite understandable that he tried to expose them.
His main mistake was pure naivety or pure dumbassery in trusting a random foreigner with such sensitive data - he had NO way of knowing that this information wasn't going straight into enemy hands - and not trying to bring this data to a local news agency like the NYT (just an example).
'cos when you want sex, you have to buy it.
It's a far greater crime to classify a document as secret when it should not be.
And there is not one case of leaking of any information that put ANYONE'S life in danger, except if you include the NYT (?) who dumped the whole lot out in error, which is hardly Manning's fault, is it.
Modern Mac OS X uses a single SHA-1 hash (salted) to store passwords. Older versions of OS X use somewhat less-secure hashes, and if you've interacted with a Windows network you may have things like an NTLM hash to work with.
While the password is 11 characters, it's well within the set of passwords that a good dictionary attack generator will hit -- a word, a year, and some symbols. SHA-1 is cheap to crack.
This is a good example of why operating systems storing passwords should use key strengthening. A 1024-round HMAC is still trivially cheap to compute for a single password. Even if cracking this password took them only a month (a reasonable time for a long, guessable password), increasing the difficulty by 1024 would render it impossible to crack.
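The key-strengthening point in the comment above, as an added example that is not code from the post or from OS X itself: a single salted SHA-1 beside a 1024-round HMAC chain written out in full (which is exactly PBKDF2-HMAC-SHA1, RFC 2898), a constant-time verifier, and a rough measurement of how much the round count multiplies the cost of checking one guess. The passwords and salts are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
import time


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """One SHA-1 over salt||password: the scheme the comment attributes to OS X."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, rounds: int, dklen: int = 20) -> bytes:
    """PBKDF2 with HMAC-SHA1 written out so the round loop is visible.

    Each 20-byte block T_i is the XOR of a chain U_1..U_rounds where
    U_1 = HMAC(P, S || INT(i)) and U_j = HMAC(P, U_{j-1}); the chain is what
    makes every guess cost `rounds` HMACs instead of one hash.
    """
    blocks = []
    for i in range(1, -(-dklen // 20) + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(rounds - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        blocks.append(bytes(t))
    return b"".join(blocks)[:dklen]


def matches_stdlib(password: bytes, salt: bytes, rounds: int, dklen: int = 20) -> bool:
    """Cross-check the hand-written loop against hashlib's PBKDF2."""
    return pbkdf2_hmac_sha1(password, salt, rounds, dklen) == hashlib.pbkdf2_hmac(
        "sha1", password, salt, rounds, dklen)


def store_password(password: bytes, salt: bytes = None, rounds: int = 1024) -> tuple:
    """Record to keep on disk: (salt, rounds, derived key). Never the password."""
    salt = os.urandom(16) if salt is None else salt
    return (salt, rounds, pbkdf2_hmac_sha1(password, salt, rounds))


def verify_password(record: tuple, password: bytes) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    salt, rounds, stored = record
    return hmac.compare_digest(stored, pbkdf2_hmac_sha1(password, salt, rounds))


def cost_multiplier(rounds: int = 1024, trials: int = 200) -> float:
    """Wall-clock ratio of one stretched check to one salted-SHA-1 check.

    Timing is machine dependent; the point is the order of magnitude, which
    tracks `rounds` and is what a legitimate login barely notices.
    """
    pw, salt = b"constructed-sample-pw", b"constructed-salt"
    t0 = time.perf_counter()
    for _ in range(trials):
        salted_sha1(pw, salt)
    t1 = time.perf_counter()
    for _ in range(trials):
        pbkdf2_hmac_sha1(pw, salt, rounds)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    rec = store_password(b"constructed-sample-pw")
    print("verify ok:", verify_password(rec, b"constructed-sample-pw"))
    print("one guess costs about %.0fx a single salted SHA-1" % cost_multiplier())
```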
Can we get a non-Wired reliable news source on this please!
Obviously, but Manning's not-having-his-shit-together was way deeper than technical. His situation was one where you don't even want to be a suspect or "person of interest." Once you have determined investigators looking at you, it's like having a determined burglar specifically interested in your house. He was one of tens (hundreds?) of thousands of people with access to these supposedly-sensitive documents, safely lost in a totally unmanageable crowd, and he told someone "look at me! look at me!"
I don't know if it even makes sense to "blame" him for getting caught, because at some point he apparently decided it was ok to get caught.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Maybe it was not meant to be splashed over the world's newspapers, but they obviously had someone in mind that they wanted to indirectly influence.
Now they have to be seen to be shocked and horrified by the leaks, and Manning is the chosen sacrificial lamb. He may actually be responsible, but I doubt that it matters much.
but I am pretty sure those lost are real.
Really? Why? None of the informants actually named in the documents has been killed yet...
There's lots of 'might be's, 'person believed to be's, etc. Wired has a vested interest in this since it was one of their employees who turned Manning in. Wired goes on to provide stenographer services for a spokesperson from the prosecution. This is sloppy misleading reporting at its worst. There is a reason the gov't psychologically tortured Manning for months, it's because they don't have a leg to stand on. Go ahead and swallow whatever spiel they spew if you want.
The first tab listed scripts for Wget, a program used to crawl a network and download large numbers of files, that would allow someone to go directly to the Net Centric Diplomacy database where the State Department documents were located on the military’s classified SIPRnet and download them easily; the second tab listed message record identification numbers of State Department cables from March and April 2010; the third tab listed message record numbers for cables from May 2010. The spreadsheet included information about which U.S. embassy originated the cable. The earliest indications on Manning’s computer that he was using the Wget tool was March 2010.
That's from wired. And I demand all laptops at airports being checked for this "Wget tool"! Pirates! Spies! Everywhere!!
So do you believe that the editorial staff of the New York Times should be prosecuted as enemies of the US? They are the ones who actually published the leaks in the US, not Manning.
Of course not, did you utterly miss the point of what he was writing? He said for example: "The calls to go after Assange seems foolish to me". The person who PUBLISHES a leak to my mind is not at issue, once a leak is out it is out. A leak is wholly on the person who decided to break a vow or oath and release information they felt was important to release.
In the case of Manning, I think he should be punished to the full extent of the law (up to and including execution). Not just because he was sworn to secrecy and violated that oath but also because there was simply NO WAY to release the volume of information he did and at the same time ensure information that truly could harm real people was not released. In theory yes he was promised some people would scrub the data but how did he really know they could be trusted? The fact remains he leaked a huge volume of data and some of it could well have gotten people killed, especially informants...
The argument about what manning did being worth his life is a good one to have, but since he was the leaker and knew the possible punishment he should without hesitation be OK with giving his life to release the data he did, if he felt strongly enough that it was important to leak it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Whoever passed the information did so unto the entity that did the scrubbing for him.
That is a BULLSHIT excuse. Perhaps being a Slashdot reader you remember the phrase "information wants to be free". Well that applies for ANY information leaked. No-one Manning leaked to had a security clearance, so why should he trust them to scrub out sensitive information and not feed some in a side channel?
Either information is leaked or it is not, just as you cannot be only a little bit pregnant. Manning chose to leak everything without consideration for what information truly should not be released, and now he must face the consequences of what he chose to do.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
He was assured that the names of sensitive peoples would be scrubbed
And why should he trust them not to send any of it elsewhere? As it turned out in fact the trust was totally misplaced so my question is really more hypothetical since the concern is proven to be totally valid. That's what happens when you give secure information to people without security clearances (or, as it turned out, sometimes to people with them). You must as a leaker assume all information given will be published somewhere.
I just don't get the backward bending apologetics of claiming that Manning is OK because he gave people he hardly knew sensitive data (and no training to know what is really sensitive information) with thin assurances as to handling.
The last, drastic and total leak was the result of general incompetence
No, it was inevitable. Information wants to be free. Once information was in the hands of multiple people it was going to get out one way or another.
It wasn't bad luck or a twist of fate. It was the most likely outcome of giving sensitive data to a wide variety of people including people more inclined to publish potentially harmful information than not.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Don't go strutting around in another guy's country unless you're ready for some action, jack.
Fuck you sideways.
Ellsberg.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Not a study, but an interesting data point: http://hostjury.com/blog/view/195/the-great-zero-challenge-remains-unaccepted.
(1) Net Centric Diplomacy database
Appears to have been trivially downloadable. Manning used Wget to automate the capture of cables from this database. Manning had access to secure networks (SIPRNet) and it was this, rather than any technical expertise, that allowed him to pull all the cables. It seems as if the Net Centric Diplomacy database and its interface (presumably a web front end) lacked any functionality to inhibit automated / bulk downloads, to track or log downloads or to alert operators to suspicious or anomalous patterns of access.
Contrast this with the logging that was available in IntelLink (the SIPRnet internal search engine) that helped link incriminating keywords (Assange, Wikileaks etc) to the IP address assigned to Manning's computer. The defense cannot refute that, while they may be able to undermine the (very poorly gathered) computer forensics from Manning's computer.
(2) Microsoft Share Point server
Appears, also, to have been wide open to anyone on SIPRnet and to have permitted automated (scripted) bulk downloading of files. And, like (1), appears to have lacked any functionality to alert operators to suspicious behaviour.
Contrast this, also, with the logging that was available in IntelLink.
(3) Manning is no expert
First, he used the same password for both his operating system (presumably, his Windows username/password) as for his encryption. Second, he claims to have "zero-filled" his hard disk but had not done so. Third, he used his own computer for the IntelLink searches thereby leaving a trail of evidence.
(4) Lack of expertise seems quite widespread...
The computer environment at the FOB where Manning worked was risible. In testimony, an officer described how "soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer." In other words, in practice, no distinction between storage for movies and music and the storage for classified materials. While the officer told soldiers not to use it for music and movies (and used to delete same as well as reporting the abuse), the practice was prevalent. And despite the 11 terabytes (that is 11 thousand Gigabytes) available for music and movies, this officer cites lack of storage as the reason that some logs (that may have contained evidence) were not maintained. This officer, Capt. Thomas Cherepko, received a "letter of admonishment" for the lax environment at this base.
Has the buck stopped at the Captain? I believe that points 1, 2 and 3 suggest a culture of information security so poor as to merit serious enquiry in its own right. Manning probably did break several laws in gathering and communicating the cables to WikiLeaks and, if convicted, must face the music. But the ease with which he did this ought to be cause for far more concern than we are seeing in the media. The US Army appears to be throwing Manning under a bus, but only a slap on the wrist for Cherepko. That is unjust. Let's see how this unfolds...
Backward compatibility is over-rated
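The post above contrasts a document store with no bulk-download logging or alerting against IntelLink, which did log. As an added example (not from the post, and not how any of the systems named there actually worked), here is the kind of detection a web front end's access log supports: flag a client that pulls an unusual number of distinct documents in a short window, walks record ids in sequence, or identifies itself as a scripted client. The log lines, the /cables/<id> path layout, the IPs and the user names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format (Apache/nginx style). The /cables/<record id> layout is hypothetical.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RECORD_RE = re.compile(r"/cables/(\d+)$")


def parse_line(line: str):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect_bulk_download(lines, window=timedelta(minutes=5), max_docs=50,
                         automated_ua=("wget", "curl", "python")):
    """Group successful document fetches per (ip, user) and score three signals."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "GET" and ev["status"] == "200" and ev["path"].startswith("/cables/"):
            by_client[(ev["ip"], ev["user"])].append(ev)
    alerts = []
    for (ip, user), evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        # Signal 1: peak number of distinct documents inside any sliding `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["path"] for e in evs[start:end + 1]}))
        if peak > max_docs:
            reasons.append("%d distinct documents within %s" % (peak, window))
        # Signal 2: a scripted client usually says so in its User-Agent.
        if any(e["ua"].lower().startswith(automated_ua) for e in evs):
            reasons.append("automated user agent")
        # Signal 3: enumeration walks the record-id space in order; a reader does not.
        ids = [int(m.group(1)) for m in (RECORD_RE.search(e["path"]) for e in evs) if m]
        if len(ids) >= 10 and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            reasons.append("sequential record ids")
        if reasons:
            alerts.append({"ip": ip, "user": user, "requests": len(evs), "reasons": reasons})
    return alerts


def _line(ip, user, ts, path, ua):
    return '%s - %s [%s] "GET %s HTTP/1.1" 200 4821 "-" "%s"' % (ip, user, ts.strftime(TS_FMT), path, ua)


T0 = datetime(2010, 3, 15, 9, 0, 0, tzinfo=timezone.utc)
BROWSER = "Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"
SAMPLE_LOG = [  # constructed: an analyst reading three cables over an hour
    _line("10.0.0.5", "analyst1", T0 + timedelta(minutes=m), "/cables/%d" % rid, BROWSER)
    for m, rid in ((0, 10452), (21, 10999), (58, 10466))
] + [  # constructed: a script fetching consecutive record ids every two seconds
    _line("10.0.0.77", "analyst2", T0 + timedelta(seconds=2 * i), "/cables/%d" % (12000 + i), "Wget/1.12 (linux-gnu)")
    for i in range(120)
]

if __name__ == "__main__":
    for alert in detect_bulk_download(SAMPLE_LOG):
        print(alert)
```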
Manning left a sloppy mess and he will certainly be convicted on multiple counts. The only questions left open are 1) will others be dragged down with him, and 2) will he be executed? The death penalty is an option in this case and Manning knew it when he did his crimes. That, BTW, adds some weight to the "is an hero" viewpoint.
Moving right along: How to do what Manning did, but do it correctly. Bearing in mind that development and deployment of advanced spyware specifically designed to identify "pre-leak" activity on corporate/USG/military computers is ongoing at a frantic pace. The rules of this game are about to change radically. But as things sit today, here's how to do the job right:
1. Work from an encrypted Live USB operating system. Do NOTHING that is connected with collecting, processing, or transmitting leak data using a computer's "natively installed" operating system. Tails, Libre, and Privatix are good candidate operating systems. Physically destroy your USB stick after each use - they are cheap and restoring a "clean, safe" image to a blank one only takes minutes.
2. Use a Truecrypt formatted partition on removable read/write media (USB flash or HD) for all data storage, including scripts, logs, etc. Use Diceware to create your pass phrase, and assure that its entropy equals or exceeds the keyspace of the cipher used. Use the "hidden container" option, leaving tons of embarrassing but legal pr0n in the "outer" layer, just in case the rubber hose comes out.
3. Where/as possible, change the MAC address of your network card and access the network via an open (or cracked) wireless router. Use TOR to conceal the content and destination of your out-of-LAN traffic from surveillance on the LAN.
This leaves you wide open to hardware keyloggers and other hardware level attacks (hey, where did this huge flash memory chip come from?), and to surveillance on the LAN itself. If what you are collecting really is considered "sensitive and valuable" you will have to rely on incompetence or malfeasance on the part of the organization to get your job done right. Fortunately, hiring and assignment in IT at corporate/USG/military sites is driven by "vendor certifications acquired and asses kissed", so you should only rarely encounter any real obstacles.
Plus Manning didn't know what he was doing. He did not read all of the information and then decide that it was important enough to make public. People are still sifting through all the data he grabbed to figure it out, and we still haven't learned anything new about illegal activities; instead we learn about a lot of diplomatic trivialities. Instead he saw a bunch of files and grabbed them wholesale, sort of like wheeling out a filing cabinet without looking inside first.
Should we trust Wired to report honestly on this case?
No, it was the same password ("TWink1492!!") that Bradley gave to that Lamo asshole.
(I get "twink", but Columbus?)
To be fair, his system was probably completely protected from the threat vector of a 20-something carrying a blank CD labelled "Lady Gaga".
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});