Slashdot Mirror
Tech Forensics Take Center Stage in Manning Pre-Trial
smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself."
The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
Come one, for a person who do the work he was doing, he have known better! He should only blame himself for these mistakes.
The military justice system is a whole different world than that of civilians, it will be interesting to see if any of the circumstantial evidence will even matter.
Have a squat over at the hobo house.
You do realize, that unlike your football and basketball stars, you actually have a real hero, don't you? He is in your prison - a political prisoner, because he dared to challenge the government and its illegal activities.
You can't handle the truth.
Anything into a computer is a file. Which can be created, deleted and changed at your will.
Do you really think you can put someone in jail because of a bunch of files in his computer?
Ah!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
From the first article...
So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Maybe it's the usual journalist dumbing-down, but the forensics info doesn't add up:
Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.
So it's "only" zero-filled.
Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro...
How is that contractor able to decode the original data from a zero-filled disk from a mere image?
He attempted to delete the information by zero-filling the disk. The same password issue stems from being the default on the operating system (Mac OS X). I guess the forensics contractor reversed the hash from the login information and retrieved the password that way. This requires some serious computing power for the password used.
I guess 11 digits can be considered mightily unsafe now. Obligatory xkcd reference.
and he is no real hero nor the people who dispensed the information. A real hero would have taken the time to scrub names of people who are informants and such in hostile areas. A real hero would always be on the look out for the the little guy, not simply acting out of anger or spite. A real hero does not act as Manning did.
Yes, there were some good outcomes from what he is accused of doing, however we will never know how many lives were lost because of it. Granted we may not know of lives saved, but I am pretty sure those lost are real.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
I'm very curious about this, because as far as I was aware, the debate on "how much do you need to overwrite data to securely delete it?" raged quite a bit a few years ago, but nobody could actually prove that it was possible to recover data that was overwritten just the once? There was even a website set up, the Great Zero challenge (Which has now been pulled, supposedly nobody ever accepted it) to try and prove or disprove the myth.
Does anyone have any information on where that really stands? Is it actually possible to recover overwritten data by any known means? I realise that the DOD don't see single-overwrites of zeros as enough, but what's that based on?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
So if Assange was interacting with him to get the data I think that may "stick the fork" in Assange, and the fact he used the same password on his Macbook as he did on his encrypted files is a warning to everyone, don't reuse user names or passwords, ever.
"If any question why we died, Tell them because our fathers lied."
A real hero would have taken the time to scrub names of people who are informants and such in hostile areas.
Whoever passed the information did so unto the entity that did the scrubing for him. It's unreasonable to expect that he parsed reams of documents to remove stuff.
A real hero would always be on the look out for the the little guy, not simply acting out of anger or spite.
Whoever leaked the docs, was looking out for the helpless and wanted to defend them from US military assholes acting out of infantile anger, spite and sadism.
A real hero does not act as Manning allegedly did.
FTFY, idiot.
we will never know how many lives were lost because of it. Granted we may not know of lives saved, but I imagine those lost are real.
FTFY. That's just your imagination/wishful thinking/bad will/brainwashing.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
You can plead the 5th amendment is some cases to keep from giving your password, not sure that applies in a military trial but there it is for the record...you know in hopes of keeping the FUD down.
I do agree here: "Even though I respect his ideals his methods are joke" Yes he was definitely not savvy enough to get into what he got into and one wonders from the chats if he fancied himself a "hacker".
"If any question why we died, Tell them because our fathers lied."
There is a residual charge in a platter when set to 0. Basically, you can tell what the previous charge was because it isn't quite as strong as it would have been if you wrote a 1 twice. A hard disk platter isn't truly digital. It is actually an analog storage medium. If the magnetic field strength is above or below a certain value, it is considered a one or a zero. However, if you write a 1 twice in a row, then that 1 will be minutely stronger and if you have a one and then write it to a 0, the 0 may be slightly less strong. It is at least theorized (and likely practical fact) that this slight difference is enough to be detected by sensitive instrumentation. Writing 0s and 1s multiple times increases the noise enough that it conceals the original data. A perhaps even more ideal approach would be to write random data to the drive multiple times as this would cause further entropy on the drive and make it even harder to determine the useful data from a particular wipe.
AJ Henderson
In fairness;
-He was assured that the names of sensitive peoples would be scrubbed. Or rather, the truly sensitive cables would not be leaked. And Wikileaks actually did not release many documents purely because of that.
-Wikileaks was using agencies like TheGuardian for the leaks, which assured them that they would properly vet the cables
-The last, drastic and total leak was the result of general incompetence in regards to the total file and the security passcode for it having been posted online by different people, unawares. Oops.
Really, his duty is to the US constitution, and if he believed that there was cause for the leaks - that the army or military or diplomats were treasonous in their duty and that the cables were proof needed to bring this to light - then it's quite understandable that he tried to expose them.
His main mistake was pure naivety or pure dumbassery in trusting a random foreigner with such sensitive data - he had NO way of knowing that this information wasn't going straight into enemy hands - and not trying to bring this data to a local news agency like the NYT (just an example).
Interesting, that certainly makes a lot of sense. Does that mean that Flash memory isn't as susceptible to such techniques, or does it also have some form of residual data?
Also, does that mean that writing zeros numerous times is also likely not to be effective since (theoretically, at least) there will still be a difference in charge between what was once a 0 (before it was overwritten) and what was a 1? Similarly, overwriting with all zeroes and then all 1's would likely be a waste of time? Hence why you say random data would be more secure.
What I'm trying to ask is, is overwriting with zeroes multiple times less effective than overwriting with random data once?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Modern Mac OS X uses a single SHA-1 hash (salted) to store passwords. Older versions of OS X uses somewhat less-secure hashes, and if you've interacted with a Windows network you may have things like an NTLM hash to work with.
While the password is 11 characters, it's well within the set of passwords that a good dictionary attack generator will hit -- a word, a year, and some symbols. SHA-1 is cheap to crack.
This is a good example of why operating systems storing passwords should use key strengthening. A 1024-round HMAC is still trivially cheap to compute for a single password. Even if cracking this password took them only a month (a reasonable time for a long, guessable password), increasing the difficulty by 1024 would render it impossible to crack.
It's not that simple. That's a reasonable description of an MFM disk, an old technology that isn't used any more. MFM disks were the topic of the Gutmann paper. Basically all claims that you can recover data from a zeroed drive are based on this paper. Gutmann has since repudiated it. Modern disks are substantially more complicated in terms of how a block of data gets turned into a collection of magnetizations, such that it's no longer reasonable to ever expect to get any useful information out of hysteresis (residual magnetization).
Nonetheless, the myth persists that somehow, magically, the government can read erased hard drives. What actually turns out to be the case is that people don't bother erasing hard drives.
(Also, it's not charge, it's moment. You can't add and remove magnetic charge because we haven't found any magnetic monopoles.)
Thanks for that info. I did not know the tech had changed. I don't follow hard disk tech that closely and only had knowledge of the original reasoning behind the multi-wipe recommendation. It is still interesting that the government recommendation is still on the books though and from what another poster said, the number of cycles has been increased from 7 to 35. Perhaps there is some other type of residual information that we don't know about but they do, or perhaps it is just fear that someone may discover something.
AJ Henderson
I know flash has burn in issues where they get a limited number of writes before they can't be written anymore. What I don't know is if there is any practical means by which this could be used to reconstruct part of a previous state of the card. That's beyond my level of understanding of flash technology, but I would hazard that it probably isn't as I think the mechanism of failure is actually the ability to switch the state of a circuit and there wouldn't be much of an effective means to measure the deterioration of the physical circuit. That is really just a best guess though and isn't terribly informed, so I wouldn't rely on it for anything.
AJ Henderson
Obviously, but Manning's not-having-his-shit-together was way deeper than technical. His situation was one where you don't even want to be a suspect or "person of interest." Once you have determined investigators looking at you, it's like having a determined burglar specifically interested in your house. He was one of tens (hundreds?) of thousands of people with access to these supposedly-sensitive documents, safely lost in a totally unmanageable crowd, and he told someone "look at me! look at me!"
I don't know if it even makes sense to "blame" him for getting caught, because at some point he apparently decided it was ok to get caught.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Maybe it was not meant to be splashed over the world's newspapers, but they obviously had someone in mind that they wanted to indirectly influence.
Now they have to be seen to be shocked and horrified by the leaks, and Manning is the chosen sacrificial lamb. He may actually be responsible, but I doubt that it matters much.
but I am pretty sure those lost are real.
Really? Why? None of the informants actually named in the documents has been killed yet...
Hey AC,
I actually looked around for articles from some other source before I posted this, but couldn't find any. Most of the other sources talked about the non-tech (or non-nerd if you will) aspects of the case. I just wanted to focus on the stuff I thought would be interesting to the /. crowds.
smitty777
"Before God we are all equally wise - and equally foolish"
Albert Einstein
So do you believe that the editorial staff of the New York Times should be prosecuted as enemies of the US? They are the ones who actually published the leaks in the US, not Manning.
Of course not, did you utterly miss the point of what he was writing? He said for example: "The calls to go after Assanage seems foolish to me". The person who PUBLISHES a leak to my mind is not at issue, once a leak is out it is out. A leak is wholly on the person who decided to break a vow or oath and release information they felt was important to release.
In the case of Manning, I think he should be punished to the full extent of the law (up to and including execution). Not just because he was sworn to secrecy and violated that oath but also because there was simply NO WAY to release the volume of information he did and at the same time ensure information that truly could harm real people was not released. In theory yes he was promised some people would scrub the data but how did he really know they could be trusted? The fact remains he leaked a huge volume of data and some of it could well have gotten people killed, especially informants...
The argument about what manning did being worth his life is a good one to have, but since he was the leaker and knew the possible punishment he should without hesitation be OK with giving his life to release the data he did, if he felt strongly enough that it was important to leak it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Whoever passed the information did so unto the entity that did the scrubing for him.
That is a BULLSHIT excuse. Perhaps being a Slashdot reader you remember the phrase "information wants to be free". Well that applies for ANY information leaked. No-one Manning leaked to had a security clearance, so why should he trust them to scrub out sensitive information and not feed some in side channel?
Either information is leaked or it is not, just as you cannot be only a little bit pregnant. Manning chose to leak everything without consideration for what information truly should not be released, and now he must face the consequences of what he chose to do.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The DoD actually stipulates 7-pass still. (However, physical destruction seems to be required for classified material.) 35-pass is the recommendation Gutmann made as so is often available in disk-wiping software.
The appeal of the multi-pass wipe is that it provides some degree of future-proofing (if people figure out a new technology for drive recovery, you may still be protected against it) and it's basically free if you're dealing with enough drives and have proper workflow.
He was assured that the names of sensitive peoples would be scrubbed
And why should he trust them not to send any of it elsewhere? As it turned out in fact the trust was totally misplaced so my question is really more hypothetical since the concern is proven to be totally valid. That's what happens when you give secure information to people without security clearances (or, as it turned out, sometimes to people with them). You must as a leaker assume all information given will be published somewhere.
I just don''t get the backward bending apologetics of claiming that Manning is OK because he gave people he hardly knew sensitive data (and no training to know what is really sensitive information) with thin assurances as to handling.
The last, drastic and total leak was the result of general incompetence
No, it was inevitable. Information wants to be free. Once information was in the hands of multiple people it was going to get out one way or another.
It wasn't bad luck or a twist of fate. It was the most likely outcome of giving sensitive data to a wide variety of people including people more inclined to publish potentially harmful information than not.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Fuck you sideways.
Ellsberg.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Not a study, but an interesting data point: http://hostjury.com/blog/view/195/the-great-zero-challenge-remains-unaccepted.
(1) Net Centric Diplomacy database
Appears to have been trivially downloadable. Manning used Wget to automate the capture of cables from this database. Manning had access to secure networks (SIPRNet) and it was this, rather than any technical expertise, that allowed him to pull all the cables.It seems as if the Net Centric Diplomacy database and its interface (presumably a web front end) lacked any functionality to inhibit automated / bulk downloads, to track or log downloads or to alert operators to suspicious or anomalous patterns of access.
Contrast this with the logging that was available in IntelLink (the SIPRnet internal search engine) that helped link incriminating keywords (Assange, Wikileaks etc) to the IP address assigned to Manning's computer. The defense cannot refute that, while they may be able to undermine the (very poorly gathered) computer forensics from Manning's computer.
(2) Microsoft Share Point server
Appears, also, to have been wide open to anyone on SIPRnet and to have permitted automated (scripted) bulk downloading of files. And, like (1), appears to have lacked any functionality to alert operators to suspicious behaviour.
Contrast this, also, with the logging that was available in IntelLink.
(3) Manning is no expert
First, he used the same password for both his operating system (presumably, his Windows username/password) as for his encryption. Second, he claims to have "zero-filled" his hard disk but had not done so. Third, he used his own computer for the IntelLink searches thereby leaving a trail of evidence.
(4) Lack of expertise seems quite widespread...
The computer environment at the FOB where Manning worked was risible. In testimony, an officer described how "soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer." In other words, in practise, no distinction between storage for movies and music and the storage for classified materials. While the officer told soldiers not to use it for music and movies (and used to delete same as well as reporting the abuse), the practise was prevalent. And despite the 11 terabytes (that is 11 thousand Gigabytes) available for music and movies, this officer cites lack of storage as the reason that some logs (that may have contained evidence) were not maintained. This officer, Capt. Thomas Cherepko, received a "letter of admonishment" for the lax enviroment at this base.
Has the buck stopped at the Captain? I believe that points 1, 2 and 3 suggest a culture of information security so poor as to merit serious enquiry in its own right. Manning probably did break several laws in gathering and communicating the cables to WikiLeaks and, if convicted, must face the music. But the ease with which he did this ought to be cause for far more concern than we are seeing in the media. The US Army appears to be throwing Manning under a bus, but only a slap on the wrist for Cherepko. That is unjust. Lets see how this unfolds...
Backward%20compatibility%20is%20over-rated
Plus Manning didn't know what he was doing. He did not read all of the information and then decide that it was important enough to make public. People are still sifting through all the data he grabbed to figure it out, and we still haven't learned anything new about illegal activities instead we learn about a lot of diplomatic trivialities. Instead he saw a bunch of files and grabbed them wholesale, sort of like wheeling out a filing cabinet without looking inside first.
Should we trust Wired to report honestly on this case?
To be fair, his system was probably completely protected from the threat vector of a 20-something carrying a blank CD labelled "Lady Gaga".
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});