So after being locked out of a system he somehow restored a backup to that system to give himself access to the backups?
I hope he gets a very good jury that can follow the complicated discussions that his trial will consist of.
Typically, your lawyer is on your side. Which is why it was a little unusual that on the first day of the trial of ex-CIA sysadmin Joshua Schulte – accused of leaking classified information to WikiLeaks – that his attorney, Sabrina Shroff, went out of her way to explain what an asshole he is. “When he worked for the CIA, he …
From the viewpoint of a forensic lab I started with the assumption that "somebody probably knows what actually happened but that's not me". I'd find it difficult to decide how "accurate" a judge's opinion or a jury's might be. An interesting experiment would be to pick a shadow jury and see if they agreed with the real jury. That still has limitations - they don't carry the responsibility of the real jury. I suppose you'd really need two shadow juries and see how often they agree.
I rather think that a large amount of hand-waving and systematic bullshit will be used to try to baffle the jury into accepting the prosecution view of things.
Were I in charge of setting up a system to hold secrets, I would make very sure that the security of the system was based around centralised tokens and preferably several separated central token-issuing servers to get into any particular secure vault. I would also try my best to ensure that as little as possible was kept on the client machines, using encrypted network filesystems and encrypted local disks. Thus when I lock out a client, I simply void all their central tokens and force them to re-authenticate to get back in, and with a lower security clearance they aren't going to get at very much. With next to nothing stored on the client machine stealing data is going to be challenging.
The CIA are trying to imply that far from being a masterful agency of computer security experts, they are actually really quite stunningly stupid, and rely on client-side authentication to control access. Furthermore, their client-side tokens don't seem to be time-stamped thus when the accused rolled back his workstation to an earlier version, the changed timestamp on the authentication tokens wasn't noticed! The CIA argument may well be on the lines of "Yes, our security sucks and we trusted a man we shouldn't have trusted, and we may have accused the wrong man, but we're the good guys so trust everything we say whilst we frame this possibly-innocent but very unlovable man".
It will therefore be rather interesting to see how this one pans out; I doubt that the CIA will come out of this one smelling entirely of roses.
"I hope he gets a very good jury that can follow the complicated discussions that his trial will consist of."
Rest assured the prosecution will ensure the jury will be composed of blue collar workers who don't have enough knowledge to program a ringtone on their phone. They don't want people who know IT and can see the flaws. They want patriotic 'mericans who will believe their version of events and put a "traitor" in jail.
He may also not get a jury at all and have just a federal judge deciding his fate.
"Rest assured the prosecution will ensure the jury will be composed of blue collar workers who don't have enough knowledge to program a ringtone on their phone."
From watching some episodes of Bull, it seems both sides get a number of chances to approve or reject jurors. Assuming that's the usual process in this type of trial, then the CIA would have to either "nobble" the selected jurors or have pre-arranged the type of jurors they wanted so only "their type" are in the pool to start with.
@John Brown (NB): "... the CIA would have to either "nobble" the selected jurors or have pre-arranged the type of jurors they wanted so only "their type" are in the pool to start with."
Neither of which are outside the skill set of the CIA. Any guilty verdict will be difficult to believe.
Also, to save time later - child porn on a server is to the early 21st century as tax evasion was to the early 20th century, don't you think? Of course, the tax evasion was easier to believe.
In the (rather distant) past, I had a girlfriend who was a practicing lawyer in the criminal courts for both state and federal and I was told I would never be an active member of a jury simply because I have a degree level education.
Well educated? Off you go.
The reason is that there are a number of pre-emptions permitted (so the lawyers can get rid of a juror for virtually any reason at all).
He may also not get a jury at all and have just a federal judge deciding his fate.
The right to trial by jury for serious offences is a constitutional right so there will be a jury trial; it is in the lawyers' interests (on both sides, although in this case I would love to see tech pros but I won't hold my breath) that those jurors are not particularly well educated.
I was told I would never be an active member of a jury simply because I have a degree level education
This is simply false. I've served on a jury in a criminal case, and I hold three degrees. I have friends with doctorates who have served on criminal and civil juries. I've seen other jurors selected (when I was in the pool) who admitted to bachelor or advanced degrees.
My neighbor is a lawyer and law professor who specializes in aspects of trial process, and she tries to keep as many well-educated candidates in the jury as possible.
US voir dire is a complex process. Counsel typically get a handful of peremptory challenges (the right to remove a candidate from the jury for no expressed reason), but beyond that they have to present cause. And they don't know what the rest of the pool contains. Basically, it's a generalized secretary problem.
It would be really, REALLY hard to convince me "beyond reasonable doubt" that a person who had lower access to systems was not set up by someone with higher access if the person with higher access was pissed off enough at them. The fact that the government is using such "evidence" at all suggests that the rest of their case is weak.
Furthermore, if the reporting is precisely accurate, the feds are feeding a line of BS to the jury. We are to believe that a computer on the inside, assigned to a former disgruntled employee, was left sitting running for more than four months? How else would there be anything at all in the "memory" of the computer to leave the tracks as claimed?
Equally tough to believe is that he was successful in deleting the logs off the target system, but failed to delete them on his own?
If I were on the jury, this alone is almost enough for me to acquit, and I'm no fan of Wikileaks.
This case looks like it is going to be an epic romp into Ultra Secret information. A digital Fort Knox ? I would tend to believe the sysadmin when he says it was wide open. Management typically believe things are much better than they actually are when it comes to IT security.
In any case, in this cat fight, the fur is going to fly, of that I'm sure.
And, of course, we have the mandatory kiddie pic. What a surprise. A top-level security expert is obviously going to leave a kiddie pic lying around on a CIA computer, yeah, sure. Apparently, everyone agrees he's an asshole. Nobody is saying that he's stupid. That is stupid, ergo it's not him. And that is a very basic mistake for the CIA. Nobody's going to believe the CIA didn't plant that pic.
From the article - ...child sex abuse images the FBI claimed it had found on a server he ran.
This wasn't a picture, rather multiple images. And they were (allegedly) on a server that Schulte ran, nothing to do with the CIA.
Edit : from the earlier article : " Schulte was in charge of a server that contained 54GB of illegal content"
It may well have been 54GB of kiddie porn, but the weasel words here are "in charge of". What does this mean exactly? Was he running some kind of hosting service that anybody could put any crap on? Or was he the only user? There's a hell of a difference - ask any hosting service.
As an example: I understand Condoleeza Rice is now "in charge of" Dropbox. I'm sure a bit of Dropbox trawling could turn up any amount of dodgy content. Should Condy therefore be in the dock with this joker?
If the dodgy content had been encrypted and the "good guys" had stumbled across the password, I might be inclined to believe he wasn't being setup. If he was hosting material for others and the CIA haven't attempted to identify who put the material there, I would think that maybe a red flag. The lack of evidence around the computer logs also seems to be a red flag - while it may indicate someone is hiding something, it doesn't necessarily indicate who is doing the hiding, so there's another red flag. I'd also be interested to find out what happened with the first defence lawyer - were they offering to plea bargain him down to life in prison to avoid the death sentence for treason? Were they just not willing to defend him or had they been told not to try too hard by the CIA? Another red flag...
While the use of a mobile in prison is undoubtedly an offence, if you think it is the only way you may get your side of the story out there after the first lawyers tried to ditch you, it's not necessarily a sign of guilt.
The lack of hard evidence, the long time frames and the CIA playing hard ball all the way and the forest of red flags growing in the evidence suggests they have very little but plan to make it stick regardless of actual guilt or innocence.
"For over an hour, from the computer sitting at his desk at CIA, Schulte was in that system secretly restoring his super access, giving himself back all the control he had before it was taken away. Restoring his access to the backups that stored copies of the entire system. [...] After stealing the backup, Schulte tried to cover his tracks. During that hour on April 20, when he took the system back in time, Schulte started carefully deleting every log file that kept track of what he had done while he was in the system. After destroying that evidence, he unwound the reversion. Schulte restored the system to how it had been just before he hacked in, [...]"
So that's gaining access through an undetected backdoor, running a system restore, accessing and copying the material, deleting or editing all relevant log files and finally running a second system restore? All that in little over an hour? That seems a bit tight, time-wise.
Also, if he restored the system to the original state, surely that'd reintroduce whatever backdoor he'd used to gain access so that it could be found?
With that much access, he could have modified the data for the second restore, to restore it without the backdoor; and for that matter, the second restore could be what wound the log files back, so it's not that many separate stages. And it would make sense for him to have scripted at least most of it.
That being said, it does look like they're just out to get him.
"Also, if he restored the system to the original state, surely that'd reintroduce whatever backdoor he'd used to gain access so that it could be found?"
And if he restored the system back to its original state why would he need to edit the logs? Surely he'd have the wit to restore the original logs.
That would depend on how logs are kept and what's covered by the system restore or not.
(While I'm not _surprised_ that it doesn't, considering how muddled IT security is at all levels of the industry, there's really no excuse for computer systems like these to not have some kind of tamper-resistant logging in place.)
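The "tamper-resistant logging" point above, and the earlier exchange about whether a system restore would quietly wind the logs back, can be shown with a hash-chained log. This is an added example written for this thread, not code from The Register or from any system discussed in the article; the event records and the "anchor" (the head hash copied to a remote append-only store) are constructed for illustration. It shows that editing an entry breaks the chain, and that a rollback to an earlier snapshot is internally consistent and only shows up when the head hash has been anchored off-box.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # the "hash" that precedes the first entry


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Digest of this record bound to the digest of its predecessor."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> str:
    """Append a record whose hash chains to the current head of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    digest = entry_hash(prev, record)
    log.append({"record": record, "hash": digest})
    return digest


def verify_chain(log: List[Dict], anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every link; optionally compare the head to an externally held anchor."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i} altered or out of sequence"
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, "head hash differs from anchored hash: entries removed or log rolled back"
    return True, "ok"


def build_sample_log() -> List[Dict]:
    """Constructed events (hypothetical user and targets), not from any real system."""
    log: List[Dict] = []
    for record in [
        {"ts": "2020-01-01T15:00:00Z", "user": "admin1", "action": "login"},
        {"ts": "2020-01-01T15:05:00Z", "user": "admin1", "action": "snapshot_restore", "target": "vault-01"},
        {"ts": "2020-01-01T15:10:00Z", "user": "admin1", "action": "backup_read", "target": "vault-01-full"},
        {"ts": "2020-01-01T15:40:00Z", "user": "admin1", "action": "logout"},
    ]:
        append_entry(log, record)
    return log


def tamper_scenarios() -> Dict[str, bool]:
    """True means the verifier found nothing wrong for that scenario."""
    log = build_sample_log()
    anchor = log[-1]["hash"]  # in practice: shipped to a remote, append-only store
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "idle"  # one event rewritten in place
    truncated = log[:1]  # the log as it looks after restoring an older snapshot
    return {
        "intact": verify_chain(log, anchor)[0],
        "edited_entry": verify_chain(edited, anchor)[0],
        "rolled_back_with_anchor": verify_chain(truncated, anchor)[0],
        "rolled_back_without_anchor": verify_chain(truncated)[0],
    }


if __name__ == "__main__":
    for name, clean in tamper_scenarios().items():
        print(f"{name:28s} {'clean' if clean else 'TAMPERING DETECTED'}")
```

The last scenario is the interesting one: a truncated chain verifies cleanly on its own, which is exactly why the head hash (or the whole log stream) has to leave the box it was written on, for example to a log server the administrator being monitored cannot write to.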
The timeline and details, to me, imply a physical server or desktop.
But the question then is: why would super secret stuff be on a single physical server or desktop, as opposed to a centrally managed cloud device?
This matters because the evidence talked about all appears to be endpoint - there is hardly any, if any, network data.
Whatever superuser access the defendant may or may not have had - surely he didn't have the ability to access and modify network logs?
I'm no sysadmin... Or even near the level of dreaming of such competence..
So perhaps my question sounds dumb and someone can shed some light....
Shirley there would be one last log that would remain as he would just keep going around in circles trying to remove the last log..?
Can you script a reversal, copy, re-reverse a privileged state and wipe the logs without leaving a log?
If they can prove without a doubt it was him (proper evidence) he should be given some kind of award,
That's solid brass balls right there...
The company... In the company office... On the company's time...
He may or may not have knowingly hosted child porn pics. It certainly wouldn't be the first time something was unknowingly embedded in a large archive of stuff.
However that is not relevant to the CIA charges which, on the face of it, appear to be somewhat contrived and if they are to be believed make him out to be some sort of super BOFH, able to remotely restore systems to previous configurations, exfiltrating all sorts of data, hacking files then restoring the systems to a previous state whilst nobody noticed and moving his fingers on the keyboard at several times the speed of light. They may have other evidence which they are unwilling to disclose at the trial and what is being described is the remainder left over from it but if they don't up their game then he is likely to get off whilst everyone is laughing at what they are presenting.
Why does it feel a little like what is going on between HPE and Lynch? They got upset with him having bought a pup then spent their time trying to find reasons to sue him and eventually managed to cook up something that the US DOJ could use to start extradition proceedings with whilst there was a civil trial ongoing.
I think both stories have a long way to run and look forward to watching them develop.
I'm going to guess that he will be convicted.
Most (if not all) of us here would be asking some very hard questions about this, were we in the jury. However, we do this for a living, and the vast majority of people do not. There are even a hell of a lot of people in the IT industry who wouldn't have a clue about the dark arts of a sysadmin.
So, statistically speaking, they're going to get a jury full of laypersons. The CIA are going to come in and say "He's a computer whiz! He did all sorts of secret computery things that none of you understand! Of course he must've dun it!". And the said laypersons are going to think "I don't understand any of this. The prosecution say that he's such a computer genius he could work computery magic. Sounds feasible to me. Guilty!".
Even the simple stuff in the case, like the weasel words of "he was in charge of a server with kiddie porn" will sail right past most people.
You summer's child. The jury selection process is specifically designed to keep experts out. While this sounds outrageous, it is really important. Expert witnesses must be cross-examined for a trial to be fair, and an expert in the jury room cannot be cross-examined.
Having said that, I will repeat what I said in the Microsoft anti-trust case: "Better to have a jury full of experts." For cases with national (or international) significance, we need to spend the money to have these things decided by people who actually have the ability to call BS on the lawyers.
But the lawyers are not about to give up their power. <sigh>
There are two ways to get kicked out of the jury pool...
Wear a nice suit and work my CV into the conversation...both counsels will move to strike immediately.
...or go unshaven, wear a MAGA hat (bonus points for an American flag with an M-16 emblazoned on it) Interrupt a counselor and stare at him intently while saying, "yet honor, I sho' wan' be in dis here jury! I can TELL when a man is guilty. Jes' by LOOKIN at em!". Both counsels will move to strike.
So this dude was so clever to gain back access to a highly secured system after being revoked, steal a backup, cover all tracks, upload all to WikiLeaks without getting caught.
But he was not clever enough to conceal (or even to run to start with) a public system full of pedo material ?
Doesn't make sense to me. Not saying it is not possible though.
And why was he revoked in April that he had to roll back to get superuser rights back? Dodgy people don't last for long in there ...
But yes, as was commented already, the technicality is very high here, will surely interest El Reg + readers than jury + judge who certainly don't get a thing here.
For over an hour, from the computer sitting at his desk at CIA, Schulte was in that system secretly restoring his super access, giving himself back all the control he had before it was taken away.
Do the CIA not use any sort of File Integrity Monitoring then? Or perhaps he turned that off first...
I know the other day I made a change to a config file on a server of ours, and got bombarded with warning emails and a phone call asking what the hell I was doing...
The ability to do what it has been claimed that he did within 1 hour seems deeply implausible but what stood out in my mind is the claim that he modified the logs. If it is actually possible to modify a log in a way that is not instantly detectable on such a hyper secure system then whoever designed it and considered it suitable is massively incompetent.
As a juror I would not believe a single word the prosecution spouted.
I would expect that the events were probably as follows....
CIA realises they have been PWND because of lax security and the conversation goes.....
"We need to save face who can we stick this on, if congress finds out we are actually shit at security our budget will get cut"
"What about that guy that quit last month, the one that's a complete asshole?"
"yeah he will do, he runs a web server, set some bods putting a load of kiddie porn on it to help set up his image as a bastard in the media"
"set some other people on coming up with a suitable complicated story to confuse a jury into convicting him"
"Already on it boss"
"ok tip off the FBI over the kiddie porn then we will also arrest him with our story about how he's magic and there's no one who could have stopped him unless we had more budget"
And while we use the fake kiddie porn to keep him out of circulation, we can gin up all the necessary fake logs needed to convict him of the espionage crimes. It wouldn't do to have him on the loose, interfering with that.
Things like this create something like Maxwell Smart saying "ah yes 99, the old kiddie porn trick".
Sure, it's believable that some wackos are into that - but the percentage of people who have offended the government that also have kiddie porn seems like it's way, way too high to reflect reality. I rather doubt that near 100% of criminals are into kiddie porn - that seems to be the specialty of politician-criminals and enablers who didn't kill themselves.
and yet still has an account on a super secret CIA computer?
Did I read that right?
yet my account at work would be locked down 5 secs after I leave the building with P45 in hand... gone over and then deleted within a week.....
Something smells here...... and it ain't the content of my underpants
The Oncoming Scorn,
You are correct.
In a previous role, as the one who did the 'locking down', I would be told the day before at the latest !!!
The soon to be 'Ex-employee' would find they could not log in, usually after being intercepted by a manager on the way in and told the 'good news'.
Not nice to be involved but I was the senior Techie/Manager and was able to lock out *any* user, if needed.
This covered all internal & remote access and HR would 'kill' all company credit cards/Fuel Cards etc.
All outstanding claims for expenses etc would be submitted on 'Paper based' forms, so NO computer access would be necessary.
Don't piss off the CIA/NSA/Mossad/etc. because they don't have to kill you in a dark alley. They merely need to put child porn on your computer or phone and you'll wish you were dead once you get to prison.
Yes yes I have no idea if he really was a pervo or not, but it seems suspicious how many similar cases also involve child porn. Unless there's some correlation we're all missing, that just doesn't pass the smell test given the (hopefully as low as it appears) percentage of pedophiles in the overall population.
Not just that they're shit at basic IT security by the accounts presented above and in the article...
Question is are yours big and brassy enough to take a crack at it and find out? Would hate for your server to suddenly have gross indecent material appear on it....
.... this could not have happened within that architecture, and while I required some level of security clearance, the contents were not as important.
So, our secure environment was VPNd off from the regular network and I had separate credentials to authenticate to the VPN, and that was provided by a system I didn't have admin rights to, the network team managed that, so I wouldn't have been able to cover my tracks there, my access would have been time stamped. 2nd, the bit I looked after was in multiple tiers, and some servers could only be accessed from others, there would be three levels of access logs to clear. A lack of a login here would be a gaping hole when compared against the VPN logs. 3rd, we monitored the systems and got automated alerts if anything rebooted, stopped responding, etc.
So we're supposed to buy into the notion that the system that was compromised was monolithic, and could be rolled back in its entirety, and that it's not monitored, it could reboot or go offline and nobody would notice?
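The cross-check the commenter describes, where a server login with no matching entry on the independently administered VPN gateway is "a gaping hole", is straightforward to automate. This is an added example for this thread, not code from the commenter's environment or from the article; the VPN gateway log, the server sshd log, the host names, user names and addresses are all constructed. It pairs session-open/close events per user into intervals, then flags every server login that no VPN session for that user covers.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs: one VPN concentrator ("vpn-gw") and one inner-tier host.
VPN_LOG = """\
2020-01-01T09:00:12Z vpn-gw session-open user=alice src=203.0.113.5
2020-01-01T10:15:03Z vpn-gw session-open user=bob src=203.0.113.9
2020-01-01T10:50:00Z vpn-gw session-close user=bob
2020-01-01T12:30:44Z vpn-gw session-close user=alice
"""

SERVER_LOG = """\
2020-01-01T09:05:30Z db-tier-2 sshd[4101]: Accepted publickey for alice from 10.10.1.4
2020-01-01T10:20:10Z db-tier-2 sshd[4188]: Accepted publickey for bob from 10.10.1.4
2020-01-01T11:40:00Z db-tier-2 sshd[4250]: Accepted publickey for bob from 10.10.1.4
2020-01-01T14:00:00Z db-tier-2 sshd[4390]: Accepted publickey for carol from 10.10.1.4
"""

VPN_RE = re.compile(r"^(\S+) \S+ session-(open|close) user=(\S+)")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

Interval = Tuple[datetime, Optional[datetime]]


def parse_vpn_sessions(text: str) -> Dict[str, List[Interval]]:
    """Pair open/close events per user into (start, end); an unclosed session has end None."""
    sessions: Dict[str, List[Interval]] = {}
    open_at: Dict[str, datetime] = {}
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # unrelated gateway chatter
        ts = datetime.strptime(m.group(1), TS_FMT)
        kind, user = m.group(2), m.group(3)
        if kind == "open":
            open_at[user] = ts
        elif user in open_at:
            sessions.setdefault(user, []).append((open_at.pop(user), ts))
    for user, start in open_at.items():
        sessions.setdefault(user, []).append((start, None))  # still connected
    return sessions


def parse_server_logins(text: str) -> List[Dict]:
    """Extract successful sshd logins, oldest first."""
    logins = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                           "host": m.group(2), "user": m.group(3), "src": m.group(4)})
    return sorted(logins, key=lambda entry: entry["ts"])


def covered(ts: datetime, sessions: List[Interval]) -> bool:
    return any(start <= ts and (end is None or ts <= end) for start, end in sessions)


def find_unvouched_logins(vpn_text: str, server_text: str) -> List[Dict]:
    """Server logins with no VPN session for that user covering the login time."""
    sessions = parse_vpn_sessions(vpn_text)
    return [login for login in parse_server_logins(server_text)
            if not covered(login["ts"], sessions.get(login["user"], []))]


if __name__ == "__main__":
    for f in find_unvouched_logins(VPN_LOG, SERVER_LOG):
        print(f"{f['ts'].strftime(TS_FMT)} {f['user']}@{f['host']}: no VPN session covers this login")
```

On the sample data, bob's 11:40 login falls after his VPN session closed and carol never appears at the gateway at all, so both are reported; alice's login sits inside her session and is not. Because the gateway log is written by a system the server administrator cannot touch, wiping the server's own logs does not make the discrepancy go away; it turns a suspicious login into a missing one, which this check would equally expose if run the other way round.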