US government charges that Julian Assange conspired with former soldier Chelsea Manning to crack a password to give Manning anonymous access to government sensitive government documents have been called into question by a computer forensics expert.
Patrick Eller, a former criminal investigator in the US Army, told the Old Bailey that cracking the password was not technically possible and even if it had been, it would not have helped Manning download sensitive documents without being tracked.
Eller was giving evidence on the 13th day of the hearing. Judge Vanessa Baraitser announced that she would not rule on the case until next year – after the US election – following requests from Assange’s defence team for a further four weeks to prepare their closing submissions.
The US accuses Assange of conspiring with Manning in March 2020 to attempt to crack a password hash based on a conversation using the Jabber instant messaging service.
Manning provided WikiLeaks with hundreds of thousands of US State Department cable reports on the wars in Iraq and Afghanistan and reports on the detainees in Guantanamo, marked up to secret level.
The US claims in an indictment that had the attempt to crack the password been successful, Manning may have been able to log on to computers under a different username in an attempt to cover her tracks.
“Such a measure would have made it more difficult for investigators to identify Manning as the source of unauthorised disclosures of classified information,” stated the indictment.
Assange is charged with one count under the US Computer Fraud and Abuse Act (CFFA) and 17 counts under the US Espionage Act, which carry a maximum prison sentence of 175 years.
Any good at hash cracking?
According to a Jabber chat log, Manning asked a person called Nathaniel Frank – alleged to be Assange – whether he was any good at cracking a password hash. Manning sent Assange a hexadecimal string that she had found on her computer network.
The discussion ended after “Frank” passed the hash to an expert to look at and later reported that he had “no luck so far” in decrypting it.
The password hash contained an encrypted hash of half a password.
The US claims that if Manning had been able to crack the encryption and had retrieved the other part of the password, it would have given her access to an ftp user account on the network.
Eller, CEO of Metadata Forensics, said in written submissions to the court that Manning did not need access to the ftp account to access any of the material she passed on to WikiLeaks.
“Manning already had legitimate access to all of the databases from which she downloaded data,” he said. “Logging into another user account would not have provided her with more access than she already possessed.”
The former soldier had authorised access to SIPRNet, a secure government network, air gapped from the internet. She was able to access the network from a sensitive compartmented information facility (SCIF) where she worked with other intelligence analysts.
The network, which Ellis estimated was used by millions of government employees, gave Manning access to databases which included US diplomatic cables and Guantanamo detainee assessment briefs, which she passed to WikiLeaks, without having to log into them.
“She already had authorisation [to access the datasets],” Eller wrote in a 23-page witness statement. “It is unclear to me that any anonymity would be gained by cracking the password to gain access to the ftp user account.”
The army tracked who accessed these databases by recording the IP address of the computer used to access them, he said. Gaining access to the ftp account would not have provided Manning with anonymity when downloading documents to leak to WikiLeaks.
Cracking password not technically possible
Eller said it would have been technically impossible at that time for Assange or Manning to decrypt the password.
He said he had not changed his view in the light of evidence by the prosecution today that security vulnerabilities had previously been found in the Windows passwords software in use at the time.
“No, I don’t change my opinion,” he said, adding that his opinion was shared by a government expert in Manning’s court martial.
Eller told James Lewis for the prosecution that Microsoft issued a patch which fixed the problem in December 1999 to protect against an attack by strongly encrypting the password.
Cracking password would not help Manning access anonymous files
There was no advantage in Manning using the ftp account if she wanted to hide her identity, Eller told the court.
“Even if Manning was in fact logged into the ftp user account rather than her own normal account, this would have no effect on tracking,” he said in his witness statement.
“Merely logging into a different local user account on the computer (such as ftp user) would not anonymise Manning at all because the IP address of the computer would remain the same regardless of what user account is in use.”
If Manning had wanted access from an account that wasn’t her own, she could have done so without cracking any passwords because she had access to the accounts of other soldiers in the SCIF, said Eller.
Eller said that in his view, the allegation that Manning was trying to crack the password to access sensitive data was not tenable.
Before allegedly chatting with Assange on Jabber, Manning had already downloaded and leaked hundreds of thousands of documents using her normal account on two secure computers that she used regularly.
These included the Iraq and Afghan war logs, the rules of engagement and “Collateral murder” video, and the Guantanamo detainee assessment briefs.
There was no evidence that Manning had attempted to download these documents anonymously and no indication that she was trying to crack the ftp user account password, said Eller.
“The technical impossibility of using the ftp user account to download data anonymously, combined with Manning’s past behaviour of downloading hundreds of thousands of documents from her own account, indicate that it is highly unlikely that Manning’s attempt to crack the ftp user password had anything to do with leaking documents,” he wrote.
Manning already knew how to access data on her own local computer anonymously by booting it with a Linux CD and reading the files, bypassing the access controls of the Windows operating system.
Soldiers used computers for watching films and playing games
Eller said it was common practice for soldiers working with Manning to take breaks to listen to music or play computer games.
Soldiers had used unauthorised software, stored on the T-drive of the SCIF, or on their work computers to play games, listen to music or conduct chat.
Evidence that emerged from Manning’s court martial showed that soldiers attempted to crack administrator passwords to download unauthorised software.
Manning was regarded as a technical expert and was often asked by other soldiers to help them install unauthorised software.
Eller said there were many potential reasons why Manning would want to crack a password, including installing software for her colleagues.
The case continues.