Day 14: Julian Assange's extradition hearing. Today we expect testimony from Patrick Eller, digital forensics expert, on the computer crime charge and the alleged agreement between Assange & Chelsea Manning to crack a password in 2010. #AssangeCase
Mark Summers for the defense says the prosecution provided its bundle for Eller, challenging claims in his statements, at 11:30pm last night. He has gotten up at 5:00am to testify and has had about 5 minutes to review these documents... Defense asks for an hour for him to review.
Patrick Ellers will argue, Summers says, that the allegation against Assange regarding the password cracking issue is not possible, and if it were it was not used for the purpose the government alleges.
Judge grants 50 more minutes for Ellers to review.
Judge grants 50 more minutes for Ellers to review.
Discussion over whether to release Assange's medical report (includes his family's history) to the press. Defense and prosecution agree that they should be withheld for privacy but are making the case to the judge. Judge speaking to a member of Press Association in court.
Will decide that issue at the end of today's proceedings. Now discussing defense request for time between the end of testimony and closing arguments. Would be willing to not make oral arguments and just submit in writing if they get more time to prepare.
The other option, the judge says, is to make oral arguments on the Thurs and Fri of the 5th week (2 weeks from now). Prosecution says it would be fine with just written arguments, would ask for just 1 or 2 weeks.
Judge says this case has already gone 18 months, the defense can't ask for so much time, and your client is in confinement.
Ed Fitzgerald: if the court were to grant him bail that would solve that problem
Ed Fitzgerald: if the court were to grant him bail that would solve that problem
Defense notes an initial option was to resume this hearing in November but the defense asked for September, so we are still within that timeframe. Defense also notes the surprise 2nd superseding indictment (>4 months after the hearing began)
Judge notes this would mean closing arguments at the end of October, and a ruling wouldn't come until 2021.
Judge also picks up a prosecution argument that the defense can't bring up more evidence. Fitzgerald says it would have to be something quite dramatic, "if President Trump says he's going to execute all journalists" we would have to make comment on that
Judge: what impact would the U.S. presidential election have on your case?
Fitzgerald: There could be some impact. (cont'd)
Fitzgerald: There could be some impact. (cont'd)
Fitzgerald: Much of what we say about Mr Trump personally goes to why this was initiated, that will all remain. Much of what we say about the US prison systems will remain because it's systemic. But we do feel the situation would be worse if Trump were to win.
Judge grants the defense the 4 weeks to give written closing arguments, the prosecution 2 weeks to then reply with theirs, and a final 72 hours for limited defense reply.
Defense now reading a statement from Jakob Augstein, journalist at Der Freitag in Sept 2011, when the German weekly published the article indicating that the Guardian book releasing the password + mirrored encrypted files could be put together to find the unredacted cables.
Augstein: the encrypted Cablegate file published online came from Daniel Domscheit-berg's trove that he had taken away from Assange/WikiLeaks' control when he left and started OpenLeaks
It was Domscheit-berg's copy of the encrypted file that appears to have been mirrored.
It was Domscheit-berg's copy of the encrypted file that appears to have been mirrored.
Now discussing prospective evidence from US prison psychologist. Prosecution "strongly objects" to these 2 reports on the same issues already addressed by other witnesses. If the judge accepts them, prosecution would request adjournment to prepare.
Prosecution complaining about late evidence, "enough is enough." [Yes the same prosecution which brought a 2nd superseding indictment halfway through the case.]
Defense says they haven't been able to cross-examine prosecution affidavits from Gordon Kromberg, others, so the prosecution shouldn't complain about this. Defense just wants its witnesses to be allowed to referred to these reports.
Includes report from Dr Thomas Kucharski which defense says directly contradicts prosecution arguments on US prison conditions
Judge saying she received files from defense last night, she's warned both parties previously about late evidence. "A line must be drawn" judge says on filing timing, these issues (US prison conditions) have already been covered, so the defense submissions will not be accepted.
Patrick Eller now taking the stand by remote video. #AssangeCase
Eller, who served in the US Army for 20 years as a criminal investigator, is president of Metadata Forensics, which provides digital investigation and forensic examination in both civil and criminal cases.
Eller has been asked to examine a jabber chat regarding a password hash from March 2010
Eller: the chat didn't tell him anything about the computer to which it related, or even whether it related to a government computer.
Any indication to 'Nathaniel Frank' that the password hash they were told about referred to a government computer?
No
Any indication to 'Nathaniel Frank' that the password hash they were told about referred to a government computer?
No
Explaining hash values: encryption programs "hashes the password", turning plaintext into hash value and stores it.
To change it back to plaintext, in this instance, you would need both the SAM file and the system file.
To change it back to plaintext, in this instance, you would need both the SAM file and the system file.
Based on this chat and the Manning court transcripts: Manning did not have the entire portion required, could not obtain the password
2010, computer was running Windows XP.
Defense: Assume that what you just said is not the case, hypothetically if the hash cracking *was* successful -- want to talk about what intent was if it was successful
Defense: Assume that what you just said is not the case, hypothetically if the hash cracking *was* successful -- want to talk about what intent was if it was successful
Manning had a username on this government computer. Had a local account specific to the computer, not the domain, no access to the wider network within the SCIF (Sensitive Compartmented Information Facility)
By March 2010, Manning had used her own domain to access and download materials later leaked and in this case -- the GTMO detainee assessment briefs, the war diaries, the rules of engagement
This is important ^ -- the government alleges a conspiracy to access and download more information, but Manning had already sent most of the releases to WikiLeaks by the time of this conversation.
If the hash cracking was successful, it would have given 'FTP access', local computer account. No access to the T-drive.
Eller: "govt allegation that there was an attempt to gain anonymity is greatly undermined by the tracking system which identified users. Databases like the Net Centric Diplomacy database & Intelink could be accessed from any account on the computer, including local user accounts"
"But the account on the computer that the user logged into was not used in any way to identify the user to the database. Instead, access was tracked using IP addresses."
"Firstly, many databases were accessible to anyone with a SIPRNet connection. These databases did not require any additional log in information or account based access control. Access was not controlled with accounts."
The Cables and the Detainee Assessment Briefs "were databases that anyone with SIPRNet access could use without any further authentication or login at that time."
If Manning had been able to access the ftpuser account, it would not have given her access to the CIDNE database (where the war logs were held)
If you were trying not to be traced, there were other means available to Chelsea Manning. Defense wants to unpack this - again establishes even with the 'ftp username' (instead of her own personal login), downloading docs would've been traceable by IP address
Manning booted a Linux CD to access the SAM file in the first place, before this jabber chat, to actually be anonymous. So she knew of ways to use computer anonymously that did not require hash cracking (which she knew wouldn't anonymize her)
Films/music files/computer games were on the T-drive. These were unauthorized programs. Users did not have local access to this drive (this is why Manning would want to crack a password, to download programs like *this* from an account other than her own)
Defense established Manning's computer was reimaged: "The consequences of reimaging would be that unauthorized files and programs may have been lost. Soldiers would have to go through the same processes again in order to reinstall them.
It may be notable that this reimaging took place a few days before the portion of the Jabber chat log in which Manning sent a password hash."
End of defense questioning, now James Lewis cross-examining for the prosecution.
Lewis challenges Eller's claim that the password was not cracked -- Eller deduces that from the conversations he's seen, saw no evidence that it was. Lewis says but you don't have evidence that it wasn't
Lewis reading from jabber chats:
Manning "any good at lm hash cracking?"
He replied “we have rainbow tables for lm”.
Manning sent hexadecimal string she found in SAM file
Assange: “passed it on to our lm guy”, “any more hints about this lm hash?”, “no luck so far”.
Manning "any good at lm hash cracking?"
He replied “we have rainbow tables for lm”.
Manning sent hexadecimal string she found in SAM file
Assange: “passed it on to our lm guy”, “any more hints about this lm hash?”, “no luck so far”.
Lewis is running through complex technical background of LM hashes and how encrypted passwords work
Lewis picks up on phrase "at the time" from Eller sentence: "At the time, it would not have been possible to crack an encrypted password hash such as the one Manning obtained." Lewis wants to show him evidence to see if he changes his mind
Lewis reads from a Microsoft announcement about hashes, "LM hash is an old and weak" system because password length is only 14-characters, breaks into 2 separate files "so if your password is less than 7 characters it should be a breeze" to crack by penetrative attacks
Asks Eller about his sentence "at the time" would have been impossible. Better to say "very difficult" or "might not have been possible" or still say "impossible"?
Eller: In 1999 (time of Microsoft announcement) there was a patch this vulnerability, makes it computationally impossible to use brute force when Sys key has been applied.
Lewis: Right. Well rather than debate the issue with you on this...
Lewis: Right. Well rather than debate the issue with you on this...
Lewis (cont'd): Manning and Assange *thought* they could crack the password and agreed to try to password?
Eller: it never said where the hash if from, and I didn't get to finish my previous answer
Eller: it never said where the hash if from, and I didn't get to finish my previous answer
Eller (cont'd): The government witness in the Manning court martial said it was not feasible
Aware Assange described himself as a 'fantastic hacker'? (allegedly said this as a teenager)
No
And agree even the strongest encryption can be cracked by an expert hacker?
Yes - Eller wants to add a comment but Lewis moves on
No
And agree even the strongest encryption can be cracked by an expert hacker?
Yes - Eller wants to add a comment but Lewis moves on
Lewis: we agree an IP address will only identify a computer, not a user?
Yes
And on computer you can log on as a domain user or a local user?
Yes
Yes
And on computer you can log on as a domain user or a local user?
Yes
Evidence at Manning's trial was she logged on as a user in her name?
Yes
In fact the user profile contained forensic evidence used against her at her trial?
That is correct
Yes
In fact the user profile contained forensic evidence used against her at her trial?
That is correct
(Lewis reading from Manning trial transcript, working to establish the above. Cites page 8,300 within the appendix, shows massive scale of the material in the case)
Lewis on program 'wget' found in Manning's profile, scripted to automate downloading. Lots of discussion of wget in Manning trial
Lewis: use of Manning's profile was used to prove what she had done?
Yes
If you use the same computer with a ftpuser account, you could hide all that activity from your domain user account?
That is correct
Yes
If you use the same computer with a ftpuser account, you could hide all that activity from your domain user account?
That is correct
Can access SIPRNet from ftp user account?
Yes (his statement says didn't require any log in details)
Any forensic evidence from a ftp user account would not be available on an image of the bradley.manning user account?
No, it would be available on the computer
Yes (his statement says didn't require any log in details)
Any forensic evidence from a ftp user account would not be available on an image of the bradley.manning user account?
No, it would be available on the computer
Lewis: the defense argument is one reason she'd want to access ftp account is to download video games/similar programs?
Yes
Yes
Lewis: You said it could be assumed that an ftp account had administrative privileges, but how do you know that?
Eller: Local accounts tend to have admin privileges
Lewis: But you don't know, and we'd say it didn't
Eller: Don't see how you could say it didn't
Eller: Local accounts tend to have admin privileges
Lewis: But you don't know, and we'd say it didn't
Eller: Don't see how you could say it didn't
Lewis: If it did not have local admin privileges, it could not be used to install programs/computer games?
Eller: That is correct
Lewis: So it's essential to know that
End of cross-examination, 10-minute recess to see if the defense has more questions
Eller: That is correct
Lewis: So it's essential to know that
End of cross-examination, 10-minute recess to see if the defense has more questions
They'll need more time to confer about defense re-examination questioning, so we'll start the lunch break now and return at 2:00pm London time. #AssangeCase
Back from recess. Mark Summers for the defense re-examining Patrick Eller.
The jabber chat has one user as 'Nobody', we know that's Manning because she said so at her trial, right?
Yes
Were you asked to determine who 'Nathaniel Frank' is?
No
So why attribute that name to 'Assange' in your statement?
That was just assumed
Yes
Were you asked to determine who 'Nathaniel Frank' is?
No
So why attribute that name to 'Assange' in your statement?
That was just assumed
So can't know whether that's Assange?
No
Or whether multiple users were behind that username?
Can't know that
No
Or whether multiple users were behind that username?
Can't know that
Do you stand by your assessment that cracking the hash as alleged would have been impossible?
Yes I do
Yes I do
Microsoft's assessment was that it was computationally infeasible for a password hash to be cracked as such?
That is correct
Because of a patch on that vulnerability?
Yes
That software remained in place on all MS Windows applications for the next 2 decades?
Correct
That is correct
Because of a patch on that vulnerability?
Yes
That software remained in place on all MS Windows applications for the next 2 decades?
Correct
Would a skilled hacker be able to achieve something that is computationally infeasible?
I would assume no.
I would assume no.
Do you resile [deviate] from your opinion that this would have been impossible?
No, and I note this is in line with the government's own expert in Manning's trial
No, and I note this is in line with the government's own expert in Manning's trial
Confirmed that SIPRNet is an intranet, not 'the internet'?
Yes
How many people had access to SIPRNet?
Anyone tasked with using a secret government database/computer
Can you give a number?
Probably in the millions
Yes
How many people had access to SIPRNet?
Anyone tasked with using a secret government database/computer
Can you give a number?
Probably in the millions
(Judge seems surprised, "in the millions?" Mark Summers: yes)
Establishing that wget is a common program. If she'd logged in with ftp user account she wouldn't access any domain (like the T-drive, CIDNE database)?
Correct
Access to wget?
Not the wget in her bradley.manning profile
Correct
Access to wget?
Not the wget in her bradley.manning profile
Summers: Lewis confirmed, and everyone agreed, accessing Intellink and the like -- that's tracked by IP address?
Yes
Would ID the specific computer being used?
That is correct
How many people used each SCIF computer terminal?
Day shift and night shift, so 2 on each computer
Yes
Would ID the specific computer being used?
That is correct
How many people used each SCIF computer terminal?
Day shift and night shift, so 2 on each computer
So it would specify the computer and the time, from which one could work out who was on shift.
Linux CD provided anonymity -- so the benefit that Kromberg suggests (from using ftpuser account) was already available to Chelsea Manning because she already had the Linux CD
Would ftpuser benefits achieve anything by disguising activity of accessing documents from the databases originally?
No it would not - because the IP trail would have led back to the same computer anyway
No it would not - because the IP trail would have led back to the same computer anyway
ftpuser account was found on which machine? Both machines, both of Chelsea Manning's computers
Defense establishes: Computer placed on a domain that has local accounts installed on it would have administrative privileges. Also establishes that FTP stands for file transfer protocol.
End of re-examination, end of Patrick Eller's testimony. #AssangeCase
Now returning to discussing potential release of medical report to the press. "Open justice would not be advanced" by the disclosure of this information, Ed Fitzgerald says, we've already had several days of testimony on it
Dialogue b/w representative of Press Association and judge over release of medical records. PA speaking for the press at large, would accept a redacted report, wants to understand this key plank of defense case. Judge says she (PA) needs to show legal basis to release
No more witness statements today -- end of proceedings, adjourned until Monday at 10:00am London time. #AssangeCase
• • •
Missing some Tweet in this thread? You can try to
force a refresh
