Minor convictions for ex-CIA coder in hacking tools case
A former CIA software engineer accused of stealing a massive trove of the agency's hacking tools and handing it over to WikiLeaks was convicted of only minor charges Monday, after a jury deadlocked on the more serious espionage counts against him.
Joshua Schulte, who worked as a coder at the agency's headquarters in Langley, Virginia, was convicted by a jury of contempt of court and making false statements after a four-week trial in Manhattan federal court that offered an unusual window into the CIA's digital sleuthing and the team that designs computer code to spy on foreign adversaries.
After deliberating since last week, the jury was unable to reach a verdict on the more significant charges. They had notified U.S. District Judge Paul A. Crotty on Friday that they had reached consensus on two counts, but were unable to reach a verdict on eight others.
Previously: Suspect Identified in C.I.A. Leak was Charged, but Not for the Breach
(Score: 2, Informative) by Anonymous Coward on Tuesday March 10 2020, @07:46PM (8 children)
Anything you say to the FBI can and will be used against you in a court of law to send you to prison, even if you are innocent of all charges.
(Score: 2, Informative) by Anonymous Coward on Tuesday March 10 2020, @08:03PM (4 children)
CP planted on your home computers is part of the severance package.
(Score: 5, Insightful) by bradley13 on Tuesday March 10 2020, @08:39PM (3 children)
You joke, but you're not wrong. Planting CP is an obvious tactic, and it is just astounding how often it oh so conveniently crops up in cases where the government is unable to produce evidence for the original charges.
As for false statements to the FBI: that shouldn't be a crime in the first place. Agents are trained to trip you up and make you contradict yourself. Add in stress and fallible memory, and everyone can be prompted to say something "false".
Everyone is somebody else's weirdo.
(Score: -1, Redundant) by Anonymous Coward on Tuesday March 10 2020, @08:43PM
Schulte is facing separate federal CP charges. He will be buried on those alone.
(Score: -1, Troll) by Anonymous Coward on Wednesday March 11 2020, @12:13AM
And now we know why bradley13 is an expat. No extradition treaty, right?
(Score: 0) by Anonymous Coward on Wednesday March 11 2020, @04:08AM
I hate when you shitbags on SN say reasonable things. It's like 1 in 100 but fuck you, don't force me to read the other 99 in case it's the 1.
(Score: 2) by DannyB on Tuesday March 10 2020, @08:42PM (1 child)
Also . . .
Anything you DO NOT say to the FBI can and will be used against you in a court of law to send you to prison, even if you are innocent of all charges.
The thing to remember about the saying "you are what you are" is, that saying: is what it is.
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday March 10 2020, @10:13PM
I know, ironic... (I hope). But that is what the fifth amendment means. But it does mean you say ABSOLUTELY NOTHING.
This sig for rent.
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday March 10 2020, @10:12PM
And nothing you say needs to be brought forward if it exculpates you. That's the other half of that truism.
This sig for rent.
(Score: 0) by Anonymous Coward on Tuesday March 10 2020, @07:48PM
Only steal his own projects or code that he worked on?
(Score: 1, Insightful) by Anonymous Coward on Tuesday March 10 2020, @08:46PM
title
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday March 10 2020, @10:12PM (2 children)
…. can the government refile the espionage charges? And if so, will they? Or is there still such a thing as double jeopardy and does it attach if there was a conviction?
This sig for rent.
(Score: 2) by takyon on Tuesday March 10 2020, @10:14PM
No verdict was reached on those charges. They can refile/retry:
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Interesting) by Anonymous Coward on Wednesday March 11 2020, @12:09AM
What is the legal distinction between making something public and giving it to foreign powers? In my mind they are in no way the same. But I can't think of a specific precedent or legal doctrine that makes them distinct. The first amendment doesn't cover restricted speech, but outing a crime perpetrated by the state has never been restricted speech. Well, at least not since 1861. CIA == CSA? Who knew?
So in any case where the defendant could reasonably argue that the CIA violated posse comitatus, then they could argue that they weren't working against the U.S., they were in fact working for it. The claim of espionage cuts both ways if the CIA was using the software in operations on domestic soil. Which... Let's face it, there is virtually no possibility they aren't.
The most applicable precedent I can think of would be the area 51 toxic waste case, which the fed lost.
(Score: 2, Interesting) by Anonymous Coward on Wednesday March 11 2020, @01:30AM (1 child)
According to ZeroHedge:
"Trial witnesses guided jurors through a complicated maze of forensic analysis that, according to prosecutors, showed Mr. Schulte’s work machine accessing an old backup file one evening in April 2016.
"He did so, prosecutors said, by reinstating his administrator-level access that the C.I.A. had removed after his workplace disputes."
(Source: https://www.zerohedge.com/technology/trial-alleged-vault-7-cia-leaker-ends-hung-jury) [zerohedge.com]
My question: What was this "administrator-level access" that the Central Intelligence Agency (CIA) removed after Mr Schulte developed a conscience?
I've been installing, debugging, upgrading and managing single sign-on (SSO) and identity access management (IAM) infrastructures for three decades. Yellow Pages (YP), Network Information System (NIS), OpenLDAP, PowerBroker (PB), Vintela Authentication Services (VAS), Active Directory (AD), Kerberos, and one company - Oracle - that pushed /etc/passwd files out, manually, every 24 hours (tip of the hat to Don Beusee, probably the one who designed it, because he nursed it, 24x7), as well as a few outliers that I might remember with some cudgeling.
The central concept behind such systems is to render such authorization impossible. And so I infer that the organization does not use a central authentication system - although I infer that Kerberos, recompiled to disable expiration of tokens, might provide such a vulnerability.
My best guess is that some manager deleted the corresponding client-side key for the server in question from the ~schultej/.ssh/ directory - even if they don't use any central authentication mechanism on the workstations, they must still use central storage, IE, the Network File System (NFS) - not realizing that Schulte kept backups.
Separately, it is entirely possible that they DO use a central authentication mechanism, that IS tightly integrated into their Programmable Authentication Module (PAM) stack, such as Vintela - but that each user has root privileges on their own workstation, and, as a rite of passage, immediately bypasses the standard issue security mechanisms by creating a local login and root-equivalent login. Perhaps they are even allowed, even encouraged, to install the operating system themselves, from a list of approved choices, with the security mechanisms baked in.
It's not like this problem wasn't solved back in, like, 1986. I, personally, designed and deployed such a system at Network Equipment Technologies (NET), that detected, and, optionally (in the case of TAC workstations), countered, local changes to administrative files such as /etc/passwd.
Like Tripwire, but with the ability to put things back, the way they were. I concealed it in the /... directory - you read that right, quit rubbing your eyes.
Which reminds me of a story, which is not entirely irrelevant.
My system was so good that a local contractor, named Bjorn Satdeva, tried to present the scripts to the first LISA Conference, in Monterey, California, as his own work.
Man, you shoulda seen the look on his face when he recognized me, sitting in the crowd, looking at him, presenting my work.
I was working, at the time, at AMPEX R&D. Bjorn Satdeva was the contractor they'd located to fill in for me, at NET, after they fired my manager, at NET, and I had resigned.
I hear they had to hire five people to replace me. Just sayin'.
Bjorn made no attempts to contact me after I left NET; and, AMPEX was just across the freeway, there, in Redwood City - only a half a mile away.
More evidence of chicanery can be inferred from the history of Bjorn Satdeva's employment, possibly unpaid, as some sort of honcho for USENIX. He'd been elected based upon the strength of scripts that, it gradually became known, he was not the author of.
And, I think Bjorn did the same thing, a second time, presenting someone else's work and taking credit for work he had not done - although this time he positioned himself as a coauthor instead of taking it outright.
Things came to a head when the USENIX offices in Berkeley were burglarized and all the copies of the USENIX Journal that contained the scripts in question disappeared. About the same time, Bjorn was, if I recall correctly, removed from office, at USENIX. Or maybe he quit. Anyway, their relationship ended.
USENIX never contacted me. But I'm pretty sure they knew who I was. I think they could not bring themselves to stand behind someone who had dropped out of high school and didn't have a college degree. Fuck you, USENIX.
I've often wondered what ever happened to Bjorn Satdeva.
I suspect he is probably a systems administrator for the Central Intelligence Agency (CIA). There seems to be a good match there. They seem to like script kiddies.
Me? Nowadays, I'm unemployed, because everyone knows that people over 40 can't program, and have nothing to teach.
~childo
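The detect-and-put-back idea described in the comment above, as an added example that is not the commenter's scripts and not part of the thread: it compares a passwd-format file against a trusted baseline copy, reports added and newly root-equivalent (UID 0) accounts, and optionally restores the baseline. The file contents, the `localadm` account and all function names are constructed for illustration.

```python
import hashlib, os, shutil, tempfile

# Constructed sample data: a trusted baseline and a locally modified copy.
BASELINE = ("root:x:0:0:root:/root:/bin/sh\n"
            "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n")
TAMPERED = BASELINE + "localadm:x:0:0::/tmp:/bin/sh\n"  # hypothetical UID 0 login

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_passwd(path):
    """Map login name -> UID for every well-formed passwd(5) line."""
    accounts = {}
    with open(path) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 7 and fields[2].isdigit():
                accounts[fields[0]] = int(fields[2])
    return accounts

def check(live, baseline, restore=False):
    """Report drift of `live` from `baseline`; optionally put the baseline back."""
    report = {"changed": digest(live) != digest(baseline), "added": [],
              "removed": [], "root_equivalent": [], "restored": False}
    if not report["changed"]:
        return report
    old, new = parse_passwd(baseline), parse_passwd(live)
    report["added"] = sorted(set(new) - set(old))
    report["removed"] = sorted(set(old) - set(new))
    # Accounts that hold UID 0 now but did not in the baseline.
    report["root_equivalent"] = sorted(
        name for name, uid in new.items() if uid == 0 and old.get(name) != 0)
    if restore:
        tmp = live + ".restore"
        shutil.copy2(baseline, tmp)   # copy first, then swap atomically
        os.replace(tmp, live)
        report["restored"] = True
    return report

def demo():
    d = tempfile.mkdtemp()
    live, base = os.path.join(d, "passwd"), os.path.join(d, "passwd.baseline")
    for path, text in ((base, BASELINE), (live, TAMPERED)):
        with open(path, "w") as f:
            f.write(text)
    return check(live, base, restore=True), check(live, base)

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would have to live somewhere the monitored user cannot write, otherwise the same local root access that changed the file can change the baseline too.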
(Score: 1) by anubi on Wednesday March 11 2020, @01:49AM
You know too much. You have to start your own company. Nobody wants someone working for them who is better than they are. Who is qualified to be your boss? Getting the job done is not what they are looking for. They want an obedient subordinate, hopefully saddled under lots of family obligations and debt.
Companies rapidly grow into leadership entities. Everyone at the top gets paid like a gentleman. At that level, getting paid is top concern. Whether the thing they make met the customer's need is a minor concern to be settled among the minions.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]