Forgot your password?
typodupeerror
Security The Military United States

Tech Forensics Take Center Stage in Manning Pre-Trial 172

Posted by Unknown Lamer
from the next-time-use-a-better-passphrase dept.
smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself." The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
This discussion has been archived. No new comments can be posted.

Tech Forensics Take Center Stage in Manning Pre-Trial

Comments Filter:
  • by zero.kalvin (1231372) on Tuesday December 20, 2011 @09:07AM (#38433166)
    Come one, for a person who do the work he was doing, he have known better! He should only blame himself for these mistakes.
    • Not so fast... (Score:4, Insightful)

      by neokushan (932374) on Tuesday December 20, 2011 @09:14AM (#38433226)

      From the first article...

      In those chats, Manning told Lamo that he had “zero-filled” his laptops, referring to a way of securely removing data from a disk drive by repeatedly filling all available space with zeros. The implication from Manning was that any evidence of his leaking activity had been erased from his computers. But Shaver’s testimony would seem to indicate that either the laptops weren’t zero-filled after all, or that it had been done incompletely.

      So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

      • Re:Not so fast... (Score:4, Interesting)

        by vlm (69642) on Tuesday December 20, 2011 @09:27AM (#38433340)

        Or he most certainly did, or at least he set up an automated system to do it, etc.

        But, no one can/will publicly admit the truth, that either the automated system to do that can be selectively remotely subverted on command (perhaps a routine investigation into him "fishing expedition" found more than expected?) OR the secret truth that cannot be discussed is that classified data recovery operations can read overwritten data much better than public recovery operations.

        Most likely this is one of those "lawyers approach the bench" undocumented moments where both sides were informed that public discussion of these classified projects in this trial will be prosecuted, etc... The less this seemingly important topic is discussed during the trial, the more likely they're covering up some interesting technical means.

        Having worked in a Army reserve unit in the early 90s in an IT-like capacity, we were told if we were overrun, the ammo depot's records had to be wiped by thermite, not "writing zeros" or whatever. This is public knowledge, read the public TMs. There is probably a very good reason when going up against "the bad guys" you only trust thermite, and going up against internal investigators and auditors, "trust us, writing zeros is good enough"

        • Re:Not so fast... (Score:4, Interesting)

          by Alranor (472986) on Tuesday December 20, 2011 @10:12AM (#38433884)

          Having worked in a Army reserve unit in the early 90s in an IT-like capacity, we were told if we were overrun, the ammo depot's records had to be wiped by thermite, not "writing zeros" or whatever. This is public knowledge, read the public TMs. There is probably a very good reason when going up against "the bad guys" you only trust thermite, and going up against internal investigators and auditors, "trust us, writing zeros is good enough"

          Of course, that might have something to do with the fact that zeroing out the hard drives takes a not insignificant amount of time compared with just blowing them up. I've never been in the military myself, but I would hazard a guess that you might be under some time pressures if your base is being overrun by the enemy.

          • You do not take chances with classified data. It's just not done. Every media ever labeled anything other than unclassified is destroyed once it has served it's purpose.

        • Re: (Score:3, Informative)

          by VortexCortex (1117377)
          The magnetic data is analog. so, it's less 1's and 0's than 1.0031 and 0.073...
          Overwriting with zeros could leave some evidence of the previous data eg (w/ a 1/100th retention: 0.010031 and 0.0073).
          Amplify those by 100 and you get back your 1.0031 and 0.073. It takes a very sensitive head, multiple reads, and a totally different drive enclosure, but you get the basic idea.

          So, what if you write over the data with pseudo random noise? That's better, but not quite good enough. The problem is
          • Hammer isnt going to destroy the magnetic domains. Someone with really good gear could in theory make a digital reconstruction of the drives by reading off the broken pieces of the platter.

            If you are going to destroy the drive anyways, throw it in an incinerator or degauss it, or else take a grinder to the platters (id like to see someone reconstruct the drive from abraded dust).

            • by Khyber (864651)

              "Hammer isnt going to destroy the magnetic domains"

              Umm, with the right impact, the heat and force imparted via thermodynamics to the platter can indeed change magnetic domains.

              • Thank You.

                And don't the kind of data that could get you in trouble on a disk. When I say trouble, I don't mean the common pirated software / songs / movies, but the kind of stuff that disappears people.

                Put in a USB key chain drive. They're arguably easier to destroy in a jiff, assuming you know what you're doing. One blowtorch, one USB key chain drive -> coming to a Youtube near you.

                     

          • by Joce640k (829181)

            The magnetic data is analog. so, it's less 1's and 0's than 1.0031 and 0.073...
            Overwriting with zeros could leave some evidence of the previous data eg (w/ a 1/100th retention: 0.010031 and 0.0073).

            Hasn't this myth been put to bed yet?

          • by PiSkyHi (1049584)
            I think if you expect people to go to this effort to manage their own information destruction process, perhaps they should have circumvented all of it with hard disk encryption - even buying a new drive and starting again with encryption is better advice - then physically destroy the original to your own personal level of paranoia satisfaction.
        • OR the secret truth that cannot be discussed is that classified data recovery operations can read overwritten data much better than public recovery operations.

          Which is why when people talk about the theoretical difficulties and the implausibility of recovering data off of overwritten sectors, its a worthless assurance. Noone has demonstrated a mathematical impossibility, they just say "we dont think anyone can do this".

          If you want data really, truly, for realsies gone, degauss the disk, or raise it to the curie point.

        • by Trixter (9555)

          There is probably a very good reason when going up against "the bad guys" you only trust thermite, and going up against internal investigators and auditors, "trust us, writing zeros is good enough"

          It depends on the drive technology. If you were in the service in the 1970s/1980s, where hard drive tech was MFM or RLL or similar, then yes, thermite was the correct option. For 2011-era SATA drives, zeros are almost good enough, and overwriting with a random data stream is most definitely good enough (the amount of time and equipment needed to try to recover a modern drive that has been overwritten with a random data stream is so prohibitive that it is usually easier and cheaper to just threaten someone

        • by blueg3 (192743)

          It's because writing zeroes takes time and is easy to screw up -- power loss, drive failures, etc. will stop the erasure process. Thermite is fast, reliable, and gives visual feedback that the operation has completed successfully.

        • The standard recommendation I've seen is to overwrite at least 3, perhaps 5, 7, or even 9 times[0], often with a final all-zero overwrite[1] at the end (since an all-zero nominal image might discourage someone from looking harder, while a disk full of random-looking data can only result from a random overwrite or a full-disk encryption system).

          The "kill it with fire" technique is more a question of speed and when you can afford to destroy disks. I've heard the NSA burns their disks, and Google physically m

          • by PiSkyHi (1049584)
            There is also the assumption that each write layer is perfectly uniform despite reads being close to error. Even if there is localised uniformity in a single pass, I doubt there is any reason to assume it is purely a function of locality given manufacturers are pushing the limits of what is physically possible to make more money. If they choose to make a barely accurate reader at a given density to maximise profit, would the write process be orders of magnitude more accurate ?
        • by UBfusion (1303959)

          Using thermite on my hard drive would be perceived by the interested parties as a confession of my guilt. If I were in his shoes I'd never use it, I'd just use non-destructive methods like the ones he did.

      • Re:Not so fast... (Score:4, Insightful)

        by jimicus (737525) on Tuesday December 20, 2011 @09:35AM (#38433438)

        So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

        Extremely easy.

        Any modern operating system uses swap space - and while there's usually a way to ask the OS never to swap a program out, it's seldom exposed to the user. It normally relies on the program itself requesting this, and not everything will. Though a program may be exited later, the area of swapfile it used to use is not necessarily freed from disk.

        On top of that, a few programs (eg. Gimp) deal with their own memory management to a certain extent and so operate their own swap independently of the OS - they may also keep other temporary files floating around and don't always delete them. Or they may not save a file in the way you expect - when you hit "save", it's not unusual for a program to:

          - Create a new file.
          - Dump the data into the new file.
          - Rename the old file.
          - Rename the new file so it has the same name as the old one.
          - Delete the old file.

        This drastically reduces the risk of the app dying part way through the save process resulting in a corrupted file. It may result in a file that hasn't been saved, so some work may be lost, but it won't lose the lot. Of course this has the side-effect that there's an old file sat on the disk somewhere containing much the same data.

        On top of that, very small files will be stored directly in the MFT on Windows. Now the size of file we're talking about is probably not big enough to contain any serious information, but it may well give a forensic investigator a clue as to what's been done.

        I can think of a few scenarios in which Manning could easily mess up:

        1. Several "secure delete" utilities offer the option to securely delete individual files. Which they will, but as discussed above that may not achieve much.
        2. Using a tool to wipe all free space - these usually work by creating a file and filling it with zeroes until the OS eventually returns a disk full error, then deleting the file. I have no idea what - if anything - they'll do with any data still sitting around the MFT. Not to mention the fact that they won't help if there's any incriminating files sitting around that weren't deleted in the first place - and as we've established, it's quite possible for an application to do this totally invisibly to the end user.

        Realistically Manning would need to run DBAN or something similar on the entire disk. This will wipe the OS, so the affected computer would need to be reimaged.

        • by Qzukk (229616)

          there's usually a way to ask the OS never to swap a program out, it's seldom exposed to the user.

          This is why I don't use PuTTY's pageant on windows without disk encryption. It specifically states in it's faq that even with the functions it has available, it cannot guarantee that windows won't swap it to disk [greenend.org.uk].

        • Re:Not so fast... (Score:4, Informative)

          by Sloppy (14984) on Tuesday December 20, 2011 @10:19AM (#38433980) Homepage Journal

          Any modern operating system uses swap space - and while there's usually a way to ask the OS never to swap a program out, it's seldom exposed to the user. It normally relies on the program itself requesting this, and not everything will. Though a program may be exited later, the area of swapfile it used to use is not necessarily freed from disk.

          Yeah, there are lots of ways to screw up, but swap is one of the easiest things to get right. Since the user doesn't need to know a key, the machine can pick a totally random one (256 real bits, no guessable passphrase with less actual entropy) for it at every boot. Swap can be as solid as your best symmetric cipher, and that's pretty damn good. All the PK used on the internet will fail long before this level of tech does. Set things up right and swap may be the #1 safest place on your disks, the catch being that your lose it every time your reboot. ;-)

        • <quote>2. Using a tool to wipe all free space - these usually work by creating a file and filling it with zeroes until the OS eventually returns a disk full error, then deleting the file. I have no idea what - if anything - they'll do with any data still sitting around the MFT. Not to mention the fact that they won't help if there's any incriminating files sitting around that weren't deleted in the first place - and as we've established, it's quite possible for an application to do this totally invisi
          • by jimicus (737525)

            HAHAHA. POSIX states that writing zeros doesn't actually have to do anything but remember that it's supposed to return zeros for those blocks. Thus, you can store a file that's 1TB of zeros on a 100GB drive... Morons everywhere.

            One would hope that anyone writing such a utility would have the good sense to fill the file up with something other than zeroes for precisely this reason.

            Personally, I wouldn't stake my freedom on a gamble like that. You would be amazed how many applications are written with so little knowledge of the operating system's core API...

        • by huge (52607)

          it's not unusual for a program to:

          - Create a new file.
          - Dump the data into the new file.
          - Rename the old file.
          - Rename the new file so it has the same name as the old one.
          - Delete the old file.

          This. Some of the more recent applications may replace last three steps with atomic rename so that new file replaces the old one. Linux has supported atomic rename already for a good while and so do Vista and later versions of Windows. Even after this data from the old file and new file are still retained on disk, even though space used for the old file will be marked 'free'.

      • by alen (225700)

        when i worked for Uncle Sam the only sure way was to scrub the hard drive with wire brushes. a lot of the people that worked on Top Secret data would do that to their old hard drives when getting rid of old computers. for less sensitive data the standard was five complete passes over a hard drive to flip the bits. once or twice and a pro can still get data off it.

        • by guruevi (827432)

          BS. Even if you just flip the bits twice (once to 0, once to 1) the data is virtually unrecoverable. There is not a single disk recovery company that can recover a deleted disk. Also, scrubbing with brushes would require you to open it and the particles you release by scrubbing the plates may be dangerous to your health. Use a magnet, fire or thermite.

          • BS. Even if you just flip the bits twice (once to 0, once to 1) the data is virtually unrecoverable.

            This is speculation. Every time this comes up on slashdot, people talk about how difficult it is, without ever demonstrating why its not possible (note the "VIRTUALLY unrecoverable"). There is no physical or mathematical reason why it cannot be done, just speculation on what level of sophistication the would-be attackers have.

            • by Toonol (1057698)
              There is no physical or mathematical reason why it cannot be done,

              Yes there is. You don't know whether a relative voltage level of 0.01 indicates that this was a 1 overwritten with a zero twice, or a 0 overwritten with a 1 then with two zeros. You cannot know. The voltage level is set by the cumulative (lessening) effect of every write that ever occurred on that spot on the platter, and you do not know how many writes occurred.
        • by kcitren (72383)
          Can you find me a study showing that even after 1 or 2 overwrites that a professional can retrieve the data? NISPOM now states that for fixed magnetic media, the clear method is " Overwrite all addressable locations with a single character." while the sanitation method is "Degauss with Type I, II, or III degausser."
      • by blueg3 (192743)

        The evidence suggests that the disk was partially zeroed, then that operation was cancelled and the disk was simply reformatted without first erasing it.

      • So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

        Well,

        Johnson testified that he found two attempts to delete data on Manning’s laptop. Sometime in January 2010, the computer’s OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough delet

      • by Joce640k (829181)

        >

        So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

        Depends on the method used.

        If you just "cat /dev/null >dummy.txt" then there'll be a bit of data at the end of each incomplete file cluster which isn't overwritten.

    • by am 2k (217885)

      He attempted to delete the information by zero-filling the disk. The same password issue stems from being the default on the operating system (Mac OS X). I guess the forensics contractor reversed the hash from the login information and retrieved the password that way. This requires some serious computing power for the password used.

      I guess 11 digits can be considered mightily unsafe now. Obligatory xkcd reference [xkcd.com].

      • by blueg3 (192743)

        Modern Mac OS X uses a single SHA-1 hash (salted) to store passwords. Older versions of OS X uses somewhat less-secure hashes, and if you've interacted with a Windows network you may have things like an NTLM hash to work with.

        While the password is 11 characters, it's well within the set of passwords that a good dictionary attack generator will hit -- a word, a year, and some symbols. SHA-1 is cheap to crack.

        This is a good example of why operating systems storing passwords should use key strengthening. A 102

    • by Sloppy (14984)

      He should only blame himself for these mistakes.

      Obviously, but Manning's not-having-his-shit-together was way deeper than technical. His situation was one where you don't even want to be a suspect or "person of interest." Once you have determined investigators looking at you, it's like having a determined burglar specifically interested in your house. He was one of tens (hundreds?) of thousands of people with access to these supposedly-sensitive documents, safely lost in a totally unmanageable crowd, and

  • The military justice system is a whole different world than that of civilians, it will be interesting to see if any of the circumstantial evidence will even matter.

    • by Xest (935314)

      I was going to ask, in a military trial, does the evidence even matter? Isn't the case basically just decided on by some high ranking military personnel? Is there any law or repercussions that would convince them to give a toss what the evidence says anyway?

      If this was a civilian trial it'd all be rather interesting to hear the arguments and see how they justify the decided punishment in the face of given evidence (or in the face of his unlikely acquittal), but in a military trial I don't think it all even

      • by blizz017 (1617063) on Tuesday December 20, 2011 @09:27AM (#38433346)
        1. He's not at trial yet; this is an Article 32 hearing.. basically a grand jury hearing/pre-trial. 2. At Trial, he would have a jury of his peers; far more so than you'd find in a civilian courtroom. He's and enlisted soldier, so if his defense team opted, they can have a jury full of enlisted soldiers. 3. Contrary to what you wish to believe; military court martials aren't show trials. I'd argue that they're ultimately far more fair and impartial than you'll ever find in a civilian courtroom where a DA and/or Judge may have a political agenda to fulfill.
        • by Xest (935314)

          "Contrary to what you wish to believe;"

          You know, not everyone on Slashdot has their viewpoints set in stone. There are at least one or two of us here still that are capable of taking in new information and changing our viewpoint based on the balance of evidence, rather than posting asserting that some preconceived notion is correct, despite not actually knowing that to be the case with some degree of accuracy.

          I don't know a lot about US military trials, which is why I phrased my post largely as a question,

          • by jbeaupre (752124)

            I'm not in the military, but found this interesting article that gives details on what you are asking: http://usmilitary.about.com/od/justicelawlegislation/l/aacmartial2.htm [about.com]

            As for a show trial, all trials are show trials to the extent they are intended to serve as a deterrent to others. From traffic court to murder trials. It's the fairness of the trial you're really wondering about.

            It'll be as fair as any other high-profile case you've ever seen. Which is to say most of those involved know they are bein

            • by Xest (935314)

              I've had a search and can't find much to answer the question as to why military trials are separate in the first place. Part the reason I assumed military trials were separate was because it meant it allowed the military to deal with things in their own way. As part of this I was under the impression it meant without the need for as much rigour as the civilian system. I've previously heard the reason for this is based on the argument that if you're in a warzone for example, that if you suspect with a high d

              • Many of the safeguards that exist in US civilian courts, existed in the Military Courts, well before the civilian's.

          • An Article 32 hearing is a proceeding under the United States Uniform Code of Military Justice, similar to that of a preliminary hearing in civilian law. Its name is derived from UCMJ section VII ("Trial Procedure") Article 32 (10 U.S.C. 832), which mandates the hearing.
            While stating re the prosecution 'no charge or specification may be referred to a general court-martial for trial until a thorough and impartial investigation of all the matters set forth therein has been made', Article 32 currently provid

        • by Hatta (162192) on Tuesday December 20, 2011 @10:16AM (#38433948) Journal

          3. Contrary to what you wish to believe; military court martials aren't show trials. I'd argue that they're ultimately far more fair and impartial than you'll ever find in a civilian courtroom where a DA and/or Judge may have a political agenda to fulfill.

          Bradley Manning was held in solitary confinement for almost a year before he was even indicted. How is that consistent with your even handed, non-political picture of military justice?

          • He got 3 hots and a cot, got paid and accrued leave time, Hard labor at United States Disciplinary Barracks at Fort Leavenworth [wikipedia.org] is going to make that seem like a vacation.

      • by vlm (69642)

        From having been in the military although not involved in the justice system, there are two reasons why military trials tend toward pointlessness.

        1) Dumb people and addicts and nuts more or less can't get in the military. Most civilian trials, from talking to jury members, tend to involve some level of comedy, like how stupid / arrogant / high did the defendant have to be to think he'd not get picked up by the cops. Easy, trivial, to catch. But the smart military crooks (most stories I heard were about f

      • by wygit (696674)

        I remember Heinlein saying If you're guilty, you're better off in a civilian trial. If you're innocent, you're better off in a military trial.
        From "Starship Troopers", I believe.

      • by Sepodati (746220)

        Where did you get the idea that this is all a show from? It's as much a trial as it would be in the civilian system. If there is any prejudgement, it's wrong. I can't say whether this exact trial will be fair or not, but it is supposed to be.

        • by Hatta (162192)

          The fact that Bradley Manning has suffered almost a year of solitary confinement and only now getting a hearing would lead one to believe that this is all a show.

  • Hero (Score:5, Insightful)

    by roman_mir (125474) on Tuesday December 20, 2011 @09:13AM (#38433210) Homepage Journal

    You do realize, that unlike your football and basketball stars, you actually have a real hero, don't you? He is in your prison - a political prisoner, because he dared to challenge the government and its illegal activities.

    • by Sepodati (746220)

      A hero would have exposed corruption, wrongdoing, etc. and not just released a database hoping others would figure it all out. The hero in this scenario would have no need to be anonymous.

      • A hero would have exposed corruption, wrongdoing, etc. and not just released a database hoping others would figure it all out. The hero in this scenario would have no need to be anonymous.

        The alleged hero in this scenario was 22 years old at the time of the event. A 22 year old witness to his "brothers" in arms commiting atrocities.

        • by Darinbob (1142669)

          And yet he produced no evidence of these atrocities. Instead we hear about what diplomats think about world leaders. He didn't go searching for evidence of these atrocities he just grabbed a bunch of files and hoped there was something hidden inside them that was worthwhile.

      • by AdamJS (2466928)

        You really think he would have even had the time to have scoured the cables?

    • Re:Hero (Score:4, Insightful)

      by AJH16 (940784) <aj AT gccafe DOT com> on Tuesday December 20, 2011 @11:01AM (#38434558) Homepage

      Yes, because heroes leak information on what the government considers sensitive sites that could be vulnerable to terrorist attacks. You have a warped and naive view of what a hero is. Certainly some small amount of the information that came out indicated distasteful activity, however a large portion of it had no possible political purpose other than to try to hurt the US or give "bragging rights". The actions of whoever leaked the documents is not that of a hero trying to protect, but of an arrogant child trying to show off what they could do.

      Even if the goal had been to see what they saw as atrocities stopped, it was not the correct forum to do so by and even if the correct forums had been taken, bragging about it demonstrates the true motivations. I hate corruption and abuse as much as anyone, but that doesn't even make the beginning of an excuse for the vast majority of the type of information that was leaked. What possible whistle is being blown by exposing that many neighbors and "allies" of Iran are secretly terrified of them getting nukes and begging for it to be stopped. All it does is make the situation more dangerous, less likely to be resolved peacefully and accomplishes nothing. There is no point to it.

      The calls to go after Assanage seems foolish to me as he isn't a US citizen and I don't see how US law applies to him, but he could reasonably be considered a person non grata. Whoever leaked the documents however, did so from the US and is an enemy of the US and in fact world peace, whether intentionally or not and should be prosecuted as such. Arguably doing some small amount of good (in the wrong way) does not make up for the huge amount of inexcusable, irresponsible harm which was done.

      • by miro2 (222748)

        Whoever leaked the documents however, did so from the US and is an enemy of the US and in fact world peace

        So do you believe that the editorial staff of the New York Times should be prosecuted as enemies of the US? They are the ones who actually published the leaks in the US, not Manning.

        • So do you believe that the editorial staff of the New York Times should be prosecuted as enemies of the US? They are the ones who actually published the leaks in the US, not Manning.

          Of course not, did you utterly miss the point of what he was writing? He said for example: "The calls to go after Assanage seems foolish to me". The person who PUBLISHES a leak to my mind is not at issue, once a leak is out it is out. A leak is wholly on the person who decided to break a vow or oath and release information th

        • by AJH16 (940784)

          SuperKendall did a great job of explaining it, but I will too. The fact is that the NY Times simply brought to light what had been leaked. The information was already publicly available and distributing the type of information that was released to the US population isn't really a risk. The risk is that the information was already out there for people who wanted to find it. All the NY Times did was bring that fact to light.

          The one who actually does the leaking is responsible. In the case of the list I m

        • by AJH16 (940784)

          Oh, I perhaps see what you were thinking after I re-read my post. What I meant by that line was referring to someone in Manning's position. Not someone who reprints it. I try to avoid saying Manning did it though as he is accused and not yet convicted. I don't know the evidence against him and am not in a position to stipulate that he did or did not actually leak the information. Prosecuting someone for the leak however is certainly more than fair and not going after a hero, but rather a criminal.

      • by TubeSteak (669689)

        The actions of whoever leaked the documents is not that of a hero trying to protect, but of an arrogant child trying to show off what they could do.

        Sounds like you've already made up your mind.
        If you read the chat logs, you'll discover that Manning says why he's leaking this stuff, and "arrogant child trying to show off" isn't really in the cards.

        But carry on. Don't let facts get in your way.

        • by AJH16 (940784)

          I will re-read the chat logs, but my impression of them on first read was that the fact the conversation even occurred in the first place was looking for a pat on the back. Either way, even if that part of the argument isn't valid, the fact remains that he was irresponsible in the type of information released. It was at best criminally negligent while committing a crime and at worst willfully harmful. Either way, it disqualifies him from even remotely resembling a hero working on his ideals.

      • by Mitreya (579078)
        Yes, because heroes leak information on what the government considers sensitive sites that could be vulnerable to terrorist attacks.

        Any idiot could figure this out. There are too many sensitive sites, most of which cannot well protected. You sound like a shill.

        I hate corruption and abuse as much as anyone, but that doesn't even make the beginning of an excuse for the vast majority of the type of information that was leaked.

        Interestingly, some people (even you) recognize that some of the information wa

        • by AJH16 (940784)

          Any idiot could figure out what vulnerable sites are if they did a lot of surveying and went looking to figure out where things are, what isn't sufficiently guarded, etc, but that kind of recon is going to draw attention. Letting someone shortcut that process has no possible benefit and can only cause problems.

          I don't know if I would agree that the people who classified distasteful information should be prosecuted necessarily, so long as those responsible for the actions were prosecuted. I can see the rea

          • by Mitreya (579078)
            Ok, you don't seem to be a troll, so let's continue

            Any idiot could figure out what vulnerable sites are if they did a lot of surveying and went looking to figure out where things are, what isn't sufficiently guarded, etc, but that kind of recon is going to draw attention.

            Maybe you and I differ on definition of "vulnerable site". Are you talking about poorly defended military bases? Because to me obvious vulnerable sites are bus/train stations. Any tall building during business hours, most of them aren

            • by AJH16 (940784)

              The listing I am talking about as vulnerable sites is the one described here "http://www.cbsnews.com/stories/2010/12/06/eveningnews/main7123658.shtml." It is a listing of sites deemed critical to our infrastructure that are currently under-protected and open to attack. Determining at least a fair number of those locations would be non-trivial. I see no possible benefit in their release and only possible harm. I would also agree that much of the recent TSA regulation is ridiculous. Body scanners do noth

    • by couchslug (175151)

      He's not more than an attention whore who could have, as any G.I. who has had access to even low-level classified knows, pursued his agenda via legal channels over time and built a case if his evidence was sufficient.

      That appears to have been too much work compared to doing a data dump.

      He violated tregulations. That was an adult choice.

  • Info Doesn't Add Up (Score:3, Interesting)

    by am 2k (217885) on Tuesday December 20, 2011 @09:15AM (#38433230) Homepage

    Maybe it's the usual journalist dumbing-down, but the forensics info doesn't add up:

    Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.

    So it's "only" zero-filled.

    Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro...

    How is that contractor able to decode the original data from a zero-filled disk from a mere image?

    • by Alranor (472986) on Tuesday December 20, 2011 @09:31AM (#38433384)

      Somehow you missed the very next line of the article ....

      All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.

      • by am 2k (217885)

        Zero-filling the disk should write over the whole disk, not just parts of it. Why is there unallocated space with data?

    • by blueg3 (192743)

      The actual procedure as it was explained to me is that he used the OS X install-disk option to overwrite his disk and chose the Gutmann erasure option, which is a 35-pass wipe. It also takes forever and gives you a helpful progress bar indicating that it will take forever. Apparently he cancelled this and chose the zero-pass wipe -- also known as "just format the drive and install a new OS without actually erasing the disk".

      Pro tip: zero-pass wipe is not secure.

  • by Demerara (256642) on Tuesday December 20, 2011 @03:24PM (#38438552) Homepage

    (1) Net Centric Diplomacy database
    Appears to have been trivially downloadable. Manning used Wget to automate the capture of cables from this database. Manning had access to secure networks (SIPRNet) and it was this, rather than any technical expertise, that allowed him to pull all the cables.It seems as if the Net Centric Diplomacy database and its interface (presumably a web front end) lacked any functionality to inhibit automated / bulk downloads, to track or log downloads or to alert operators to suspicious or anomalous patterns of access.

    Contrast this with the logging that was available in IntelLink (the SIPRnet internal search engine) that helped link incriminating keywords (Assange, Wikileaks etc) to the IP address assigned to Manning's computer. The defense cannot refute that, while they may be able to undermine the (very poorly gathered) computer forensics from Manning's computer.

    (2) Microsoft Share Point server
    Appears, also, to have been wide open to anyone on SIPRnet and to have permitted automated (scripted) bulk downloading of files. And, like (1), appears to have lacked any functionality to alert operators to suspicious behaviour.

    Contrast this, also, with the logging that was available in IntelLink.

    (3) Manning is no expert
    First, he used the same password for both his operating system (presumably, his Windows username/password) as for his encryption. Second, he claims to have "zero-filled" his hard disk but had not done so. Third, he used his own computer for the IntelLink searches thereby leaving a trail of evidence.

    (4) Lack of expertise seems quite widespread...
    The computer environment at the FOB where Manning worked was risible. In testimony, an officer described how "soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer." In other words, in practise, no distinction between storage for movies and music and the storage for classified materials. While the officer told soldiers not to use it for music and movies (and used to delete same as well as reporting the abuse), the practise was prevalent. And despite the 11 terabytes (that is 11 thousand Gigabytes) available for music and movies, this officer cites lack of storage as the reason that some logs (that may have contained evidence) were not maintained. This officer, Capt. Thomas Cherepko, received a "letter of admonishment" for the lax enviroment at this base.

    Has the buck stopped at the Captain? I believe that points 1, 2 and 3 suggest a culture of information security so poor as to merit serious enquiry in its own right. Manning probably did break several laws in gathering and communicating the cables to WikiLeaks and, if convicted, must face the music. But the ease with which he did this ought to be cause for far more concern than we are seeing in the media. The US Army appears to be throwing Manning under a bus, but only a slap on the wrist for Cherepko. That is unjust. Lets see how this unfolds...

  • Should we trust Wired to report honestly on this case?

How many NASA managers does it take to screw in a lightbulb? "That's a known problem... don't worry about it."

Working...