26 September 2020 — The Dissenter
“At the time, it would not have been possible to crack an encrypted password hash, such as the one Manning obtained,” testified Patrick Eller, a digital forensic expert
When the first indictment against WikiLeaks founder Julian Assange was disclosed by the United States Justice Department, the response from some attorneys and advocates was mixed. It was viewed as “narrowly tailored” to avoid “broader legal and policy implications.”
Assange was charged with “conspiracy to commit computer intrusion” and accused of “agreeing” to assist Pfc. Chelsea Manning in “cracking a password.”
At the end of the third week of an extradition trial, allegations related to this were entirely discredited by Patrick Eller, who was a command digital forensic examiner responsible for a team of more than 80 examiners at U.S. Army Criminal Investigation Command headquarters in Quantico, Virginia.
Eller analyzed court martial records in Manning’s case that contained Jabber chat logs relevant to the allegations. He considered testimony from the U.S. military’s own forensic expert that contradicted presumptions at the core of this charge against Assange.
Manning never provided the two files necessary to “reconstruct the decryption key” for the password hash, Eller testified. “At the time, it would not have been possible to crack an encrypted password hash, such as the one Manning obtained.”
Or put another way, Eller declared, “What Manning sent was insufficient to be able to crack the password in the way that the government [has] described.”
The U.S. Justice Department charged Assange with 17 counts of violating the Espionage Act in May 2019. But prior to that, a 2018 indictment alleging Assange engaged in a “conspiracy to commit a computer intrusion” was unsealed after he was arrested and expelled from the Ecuador embassy in April 2019.
The computer charge has morphed over more than two years from a specific charge under provisions of the Computer Fraud and Abuse Act (CFAA) into a vague and inexact assortment of general allegations about conduct Assange may or may not have engaged in from 2009 to 2015. But the alleged agreement to “crack a password” remains in the 2020 indictment announced in June.
Password hashes are generally used to help authenticate users and passwords on a computer.
Lead prosecutor James Lewis asked Eller if he agreed that Manning and Assange “thought they could crack a password and agreed to attempt to crack a password.” He told Lewis a hash was provided and the account the U.S. government associates with Assange said they had “rainbow tables for it,” but Manning never shared where she obtained the hash. (Using “rainbow tables” is one decryption method for cracking the hash by guessing different password values.)
Contradicted By U.S. Government’s Own Expert Witness In Manning Court Martial
“The government’s own expert witness in the court martial stated that was not enough for them to actually be able to do it,” Eller added. He specifically meant to crack the password.
On June 12, 2013, David Shaver, who was a special agent for the Army Computer Crimes Investigating Unit, testified the “hash value” was included in the chat, but it was not the “full hash value.”
Major Thomas Hurley, who was on Manning’s defense team, asked if Manning would’ve needed more of the hash value to crack the password. Shaver answered, “I mentioned the system file, you would need that part as well.” (This is one of the two files Eller said are necessary for decryption.)
“So the hash value included in the chat wouldn’t be enough to actually gain any passwords or user information?” Hurley asked.
Shaver replied, “Correct.”
Furthermore, Eller was asked multiple times by defense attorney Mark Summers on re-examination whether he saw evidence that linked Assange to the “Nathaniel Frank” identity, which the government believes is Assange. He said, “No, I did not.”
Summers asked if he was aware of who sat at the other end of whatever computer terminal “Nathaniel Frank” used. “Of course not. I could not have that personal knowledge,” Eller added.
This tracks with evidence in the Manning trial. The government had no clear evidence in 2013 that Assange was the one communicating with Manning through that Jabber username, and they still do not have proof it was Assange in 2020.
Casting Doubt On the Prosecution’s Conspiracy Theory
Eller’s testimony explicitly cast doubt on the conspiracy theory that underpinned this initial charge.
Manning had already downloaded the Reykjavik cable, Guantanamo Files, Iraq War Logs, and Afghanistan War Logs. “Routinely in the course of work,” she downloaded war log documents to have “offline backups” in the event of “connectivity issues” with the Secret Internet Protocol Router Network (SIPRNet) that was used.
“The only set of documents named in the indictment that Manning sent after the alleged password cracking attempt were the State Department cables.” But Eller noted, “Manning had authorized access to these documents.”
The government argues Assange agreed to help Manning crack a password for an FTP user account partly because it had administrative access privileges.
Eller showed soldiers at Forward Operating Base Hammer in Iraq, where Manning was stationed, were constantly trying to crack administrative passwords to install programs that were not authorized for their computers.
Jason Milliman, a computer engineer contracted to manage laptops at the base, told a military court “soldiers cracked his password in order to install a program and then deleted his administrator account.”
To Eller, Manning never would have tried to use a password hash to exfiltrate files for submission to WikiLeaks. She had a Linux CD that allowed her to access files on her computer and bypass Windows security features. It is known she used this CD.
Sgt. David Sadtler testified during Manning’s court martial that Manning proposed starting “some sort of hash cracking business.”
From the court martial record:
Q. During your conversations with PFC Manning, did you ever have a conversation about setting up a hash table software?
A. He had brought me to the side to have what seemed to be a private conversation and he fielded the idea to me that he wanted to generate hash tables on a computer and market that in some fashion.
Q. What are hash tables?
A. Hash tables are mathematical calculations of passwords that are supposed to be in a one-way fashion so that you can’t reverse that sequence into the original password, thereby securing that password from release.
Q. And the idea that PFC Manning was talking to you about from what you heard, did you believe that was a marketable idea?
A. It had already been accomplished in the open-source world. Or it was generally already known to exist. So for reimplementing it, it did make sense to me.” (Exhibit 13, p.9854)
Eller wrote in his statement to the court, “While she was discussing rainbow tables and password hashes in the Jabber chat, she was also discussing the same topics with her colleagues. This, and the other factors previously highlighted, may indicate that the hash cracking topic was unrelated to leaking documents.”
Computer Crime Charge Always Targeted Journalism
It is far-fetched to argue the computer charge against Assange was never about journalism.
The charge specifically criminalizes Assange for allegedly knowing Manning had made unauthorized disclosures of classified information to WikiLeaks, as if he was supposed to reject documents from a source because she was breaking the law.
At the time, Assange agreed to receive and received from Manning for the purpose of public disclosure on WikiLeaks the classified Guantanamo Bay detainee assessment briefs, the U.S. Department of State Cables, and the Iraq rules of engagement files, Assange knew that Manning was unlawfully taking and disclosing them, and at the time Assange agreed to assist Manning in cracking the encrypted password hash, Assange knew that Manning was taking and illegally providing WikiLeaks with classified documents and records containing national defense information from classified databases.
This language is directly from the Espionage Act, not any law against computer crimes or defrauding the U.S. government.
FBI Special Agent Megan Brown, who was assigned to the “counterespionage squad” at the Washington Field Office in the District of Columbia, focused on the publication of the Iraq and Afghanistan War Logs in an affidavit she submitted on this charge in December 2017.
The affidavit confirmed the Justice Department was alleging a computer crime as a way of targeting the publication of information that exposed evidence relating to U.S. torture and war crimes.
The Ever-Shifting Charge Intended To Smear Assange As A Hacker
Unfortunately for Assange’s legal team, Eller’s testimony is dated because the charge has shifted dramatically in the latest indictment.
Prosecutors no longer believe they have to prove anything related to Manning to convince Judge Vanessa Baraitser there was a “conspiracy to commit a computer intrusion.”
It seems like payback for embarrassing the U.S. government by unraveling their password-cracking conspiracy theory with their own digital forensic expert’s testimony.
Assange is accused in the 2020 indictment of conspiring with a hacktivist group known as LulzSec, who were convicted of offenses several years ago. He is accused of making speeches at conferences to recruit systems administrators at U.S. intelligence agencies as WikiLeaks sources, like NSA whistleblower Edward Snowden who WikiLeaks helped leave Hong Kong.
Snowden was never a WikiLeaks source, but it does not matter. This charge is a mishmash of anything hacking-related that they can fling at Assange with alleged unindicted co-conspirators suddenly included.
The judge refused a defense request to remove this conduct from the fresh extradition request, which was served against Assange weeks before the extradition trial. Assange’s legal team will have to find a way to address it in their closing argument, even though they have no witness to appropriately deal with the allegations.