"WikiLeaks . . . is accused of searching hard drives for classified documents," asserts Michael Riley at Bloomberg’s Business Week (Feb 3 2001)[1]. "Is WikiLeaks Hacking for Secrets?" the headline asks breathlessly. "Internet security company Tiversa says WikiLeaks may be exploiting a feature in peer-to-peer file-sharing applications to search for classified data," proclaims the subhead. "The possibility that the site is systematically ransacking computers may offer prosecutors an alternate path to get the group and its founder into a U.S. courtroom," Riley gloats.
Too bad, Mikey: your ‘evidence’ has already been refuted by your Tiversa source, and your claim that your ‘evidence’ could lead to charges of computer fraud against WikiLeaks has already been debunked by your legal-advice source. And guess what else? Some people are already beginning to notice that your articles point to the fact that the DOD’s failure to secure its classified data against peer-to-peer (P2P) filesharing has given away truly vital secrets to "every nation" in the world.
Oops, Mikey. Oops.
[Note: Links to cited articles are below text.]
THE ACCUSATIONS
Riley’s accusation -- that WikiLeaks "may seek out secret data itself, using so-called "peer-to-peer" networks" -- was immediately refuted by Andy Greenberg at Forbes [3] after it was first published (Jan 20 2001) by Bloomberg News [2]. Riley’s Business Week article is more sharply honed, but both articles contain much of the same information, including this quote: "‘WikiLeaks is doing searches themselves on file-sharing networks,’ says Robert Boback, Tiversa's chief executive officer," writes Riley [1,2].
The CEO of Tiversa Inc -- the company Riley cites as providing ‘evidence’ against WikiLeaks -- has already backed away from Riley’s quotes. So who is doing the accusing? Apparently, Bloomberg (through Michael Riley’s poison pen) is the accuser, and Riley isn’t afraid to bend the facts substantially to achieve a baseless character assassination.
Riley’s two Bloomberg-published articles present no solid evidence that WikiLeaks acquired any documents through P2P trawling. Nevertheless, Riley leaves even a careful reader with the strong, although misleading, impression that WikiLeaks did actively seek and acquire documents through P2P trawling, and that this scurrilous (although unproven) activity is illegal under the Computer Fraud And Abuse Act (CFAA).
Andy Greenberg at Forbes has debunked Riley’s manufactured assertion that Tiversa has ‘evidence’ proving that WikiLeaks trawled P2P networks for classified data. We’ll come to that in a moment, along with Paul Ohm’s rebuttal to Riley’s assertions about P2P trawling’s illegality under the CFAA. But there’s a much more serious matter underlying Riley’s misleading accusations against WikiLeaks: Although the USG/DOD have known for years that classified information has been captured by a myriad of international actors, DOD has failed to secure its classified information from P2P access.
Let’s say that again. It’s important:
The DOD has known for years that a myriad of international actors have been accessing its classified networks, yet DOD HAS FAILED TO SECURE ITS CLASSIFIED DATA FROM WORLDWIDE P2P ACCESS.
DEBUNKING RILEY: GREENBERG AND OHM
What, exactly, are Bloomberg/Riley accusing Wikileaks of doing? The accusation is concisely stated in the Business Week article [1]:
. . . WikiLeaks, according to Internet security company Tiversa . . . may have exploited a feature of file-sharing applications such as LimeWire and Kazaa . . . If, for example, a Pentagon employee were to log on to such a peer-to-peer network (an array of disparate computers with no central hub) to download a movie, he could possibly expose every last e-mail and spreadsheet on his PC to prying eyes. That's because some peer-to-peer, or P2P, applications may scan users' hard drives for shareable files. Not turning that feature off, or specifying which parts of the hard drive may be searched, leaves the door wide open.
Tiversa’s position (as stated by Riley) is that four servers in Sweden have downloaded some shared classified files. Some of those files have appeared, months later, on WikiLeaks. Therefore, according to Riley’s interpretation of Tiversa’s statements, WikiLeaks must be using those Swedish servers to actively seek and acquire documents.
The flaws in Tiversa’s logic are obvious, and within hours of the publication of Bloomberg/Riley’s Jan 20 story, Andy Greenberg of Forbes.com’s ‘The Firewall’ had made a phone call that effectively refuted Riley’s claims. Here’s Greenberg [3]:
The source of those claims: A small company . . . known as Tiversa. "WikiLeaks is doing searches themselves on file-sharing networks," the company’s chief executive, Robert Boback, told Bloomberg. "It would be highly unlikely that someone else from Sweden is issuing those same types of searches resulting in that same type of information."
Let’s be clear about what facts Tiversa is putting together: Someone stole secrets from the U.S. government via filesharing networks using four computers based in Sweden, including files that outlined a new naval sensor system and another that tracked Taliban leaders. Those files ended up on WikiLeaks. What’s missing in this story, crucially, is any evidence showing that those Swedish hackers are directly working for WikiLeaks . . ..
In fact, in a phone interview with me today, Boback sounded distinctly less sure of his firm’s deductions than he did in the Bloomberg piece. "What we saw were people who were searching [computers connected to filesharing networks] for .xls, .doc, .pdf, and searching for those generic terms over and over again," says Boback. "They had multiple Swedish IPs. Can I say that those are WikiLeaks? I can’t. [...]
So on the same day, we have Bloomberg/Riley publishing a ‘quote’ from Tiversa’s CEO saying, "WikiLeaks is doing searches themselves on file-sharing networks,"[1,2] and then, mere hours later, Boback telling Greenberg that "What we saw were people who were searching [computers connected to filesharing networks] . . . They had multiple Swedish IPs. Can I say that those are WikiLeaks? I can’t."[3] Did Tiversa’s Boback talk out of both sides of his mouth, or did Bloomberg’s Riley cherry-pick the quote that would let him fabricate a baseless assertion of scurrilous activity against WikiLeaks?
During his interview with Greenberg, Tiversa’s CEO Boback knew -- but apparently did not mention -- that many nations have been using P2P filesharing networks for years to download sensitive US/DOD information. Boback ought to know. He has testified to Congress about P2P military data harvesting on more than one occasion (2007 & 2009). This harvesting of sensitive US/DOD data is so widely known that Riley felt constrained to mention it in his Business Week article: "Boback says it's an open secret among researchers, financial fraudsters, and intelligence agencies that many of these networks are rich sources of confidential documents the networks' users accidentally share . . . ."[2] We’ll return to this subject, but first let’s lay to rest Bloomberg/Riley’s assertion [1,2] that harvesting P2P data could, if proven, expose WikiLeaks to legal action for ‘computer fraud’.
Paul Ohm, of Princeton’s Center for Information Technology Policy was quoted in Bloomberg/Riley’s first article (Jan 20) in regard to whether P2P trawling would be considered illegal as ‘computer fraud’. Ohm was apparently uncomfortable with the way Riley had used his words, and posted the following clarification on his blog:[4]
[According to] Tiversa [per Riley], "computers in Sweden" have been searching the files shared on p2p networks like Limewire for sensitive and confidential information, and the firm supposedly has proof that some of the documents found in this way have ended up on the Wikileaks site. [...]
I have no idea whether these accusations are true, but I am interested to learn from the story that if they are true they might provide "an alternate path for prosecuting WikiLeaks," most importantly because the reporter attributes this claim to me. . . . I think what I said to the reporter is a few shades away from what he reported, so I wanted to clarify what I think about this.
In the interview and in the article, I focus only on the Computer Fraud and Abuse Act ("CFAA"), the primary federal law prohibiting computer hacking. [...]
The question presented by the reporter to me (though not in these words) was: is it a violation of the CFAA to systematically crawl a p2p network like Limewire searching for and downloading files that might be mistakenly shared, like spreadsheets or word processing documents full of secrets?
I don't think so. With everything I know about the text of this statute, the legislative history surrounding its enactment, and the cases that have interpreted it, this kind of searching and downloading won't "exceed the authorized access" of the p2p network. This simply isn't a crime under the CFAA.
I will note that Ohm goes on to explain that the case law is not yet settled, and that a judge who wanted to make an example of WikiLeaks might possibly interpret the statute overbroadly. But Ohm and his (apparently very knowledgeable) commenters agree that P2P harvesting would not be a crime under the CFAA.
So far, Bloomberg/Riley have distorted their sources’ ‘evidence’ of P2P harvesting by WikiLeaks and the ‘illegal nature’ of the P2P harvesting they groundlessly ascribe to WikiLeaks. But what have they neglected to mention in regard to sensitive data and P2P harvesting?
DOD’S FAILURE TO SECURE CLASSIFIED DATA AGAINST P2P SEARCHES
In both his Jan 20 and his Feb 3 Bloomberg articles, Riley describes four sensitive US documents which were released to the P2P network, and which eventually showed up on WikiLeaks (from two months to over a year later). Riley also includes information about a 2009 finding of detailed information about Marine One, the President’s helicopter, on a network in Iran -- although Riley does not connect this document to WikiLeaks.
A little searching on the Marine One incident made it plain that the USG and DOD have known for years that USG/DOD classified networks are regularly harvested by international actors. DOD’s failure to secure sensitive information from P2P access has led to truly breathtaking and egregious levels of access.
Let’s start with some coverage of the Marine One helicopter. The incident was covered by Reuters on Mar 2, 2009 [5]. A few days later it was more extensively covered by Defense Industry Daily [6].
[In Oct-Nov 2008, Tiversa found Marine One plans on a P2P network. The plans had been harvested from a "high-level executive’s" computer at home. "On Feb 25/09, the file was found on the IP address of an Iranian computer."]
[...]
Peer-to-Peer (P2P) file-sharing programs are in use within a number of organizations that deal in highly classified data. The problem is that unless centralized configuration and management of all of those programs is in place, and the programs are customized to be usable only with authenticated peers or within a completely walled-off private network, the probability of a security breach grows rapidly. As new computers hosting P2P programs are added by members of the organization, the odds of a misconfigured computer, or use outside safe networks, approaches 100% without these kinds of layered safeguards.
[...]
In July 2007, Gen. Clark testified to the US House Committee on Oversight and Government Reform that Tiversa had found a myriad of serious P2P leaks. These leaks extended across all government departments. In the military sphere, the [sic] included the Pentagon’s entire backbone network infrastructure diagram, complete with IP addresses and password change scripts; contractor data on radio frequency manipulation to beat remotely-triggered IED land mines in Iraq; physical terrorism threat assessments for 3 major U.S cities; and information on 5 separate U.S. Department of Defense information security system audits.
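As an added illustration (not code from the article, from Defense Industry Daily, or from any P2P client), here is a small audit of a P2P client's share configuration against the safeguards the quoted passage calls for: a single approved share folder, no whole-home or whole-disk share, no office documents of the kinds the article says trawlers search for by extension, and either an authenticated-peer or walled-off network setting. The share list, policy and severities are constructed.

```python
"""Audit a P2P client's share list against a share policy.

Added example, not from the article or any P2P client: it models the
misconfiguration the quoted passages describe (a client sharing a whole home
directory, or office documents outside the one folder meant for sharing, to
unauthenticated peers). POSIX paths; the share list below is constructed.
"""
from collections import Counter
from pathlib import PurePosixPath

# Document types the article says P2P trawlers search for by extension.
SENSITIVE_EXT = {".xls", ".doc", ".pdf"}
# A share rooted directly under one of these is a whole-home or whole-disk share.
OVERBROAD_PARENTS = {"/", "/home", "/Users"}


def _under(path, root):
    """True if path is root itself or lies somewhere below it."""
    return path == root or root in path.parents


def audit_share(shared_paths, allowed_root, private_network=False,
                peers_authenticated=False):
    """Return (severity, message) findings for one client's configuration.

    allowed_root is the single directory policy permits sharing from;
    private_network / peers_authenticated are the layered safeguards the
    quoted passage calls for. With neither, anonymous peers can search.
    """
    findings = []
    root = PurePosixPath(allowed_root)
    for raw in shared_paths:
        p = PurePosixPath(raw)
        if str(p) == "/" or str(p.parent) in OVERBROAD_PARENTS:
            findings.append(("critical", f"overbroad share root: {p}"))
        if not _under(p, root):
            findings.append(("high", f"shared outside approved root: {p}"))
        if p.suffix.lower() in SENSITIVE_EXT:
            findings.append(("high", f"office document exposed: {p}"))
    if not (private_network or peers_authenticated):
        findings.append(("medium", "reachable by anonymous peers: no peer "
                                   "authentication and no private network"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 4}."""
    return dict(Counter(sev for sev, _ in findings))


# Constructed share list: the client was pointed at the whole home directory
# as well as the one folder policy allows.
SAMPLE_SHARES = ["/home/analyst", "/home/analyst/Downloads/movie.avi",
                 "/home/analyst/Documents/budget.xls",
                 "/home/analyst/Shared/music.mp3"]
```

Run `audit_share(SAMPLE_SHARES, "/home/analyst/Shared")` to see the whole-home share flagged as critical, the spreadsheet flagged twice (outside the approved folder and an exposed office document), and the missing peer-authentication safeguard noted.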
Let’s make sure we’ve noticed this: Before July 2007, the DOD, by its failure to secure its computers (including contractors’ computers) against P2P access, had lost control of, at minimum: (1) the Pentagon’s entire backbone network infrastructure diagram, complete with IP addresses and password change scripts; (2) contractor data on radio frequency manipulation to beat remotely-triggered IED land mines in Iraq; (3) physical terrorism threat assessments for 3 major U.S. cities; and (4) information on 5 separate U.S. Department of Defense information security system audits.
And those breaches described are only four out of over two thousand such breaches brought before Congress in July 2007. According to Computerworld [7]--
Information about the breach came during a hearing on inadvertent file sharing over P2P networks held by the House Committee on Oversight and Government Reform chaired by Rep. Henry Waxman, (D-Calif.). One of those testifying was retired Gen. Wesley Clark, who is currently a board member of Tiversa Inc. [...]
Clark described how "in a matter of hours" he was able to lay hands on over 200 documents containing classified and secret government data from P2P networks using Tiversa's search engine . . . while preparing for the hearing.
Some of the data appears to have come from the system of a contract worker at the Pentagon who installed P2P software on her computer, Clark said. The data included everything from Iraq status reports to a list of soldiers with their Social Security numbers. "They are the complete documents. They are not faxed copies. They are not smudged. They are as fresh as if they were printed off the computer" of the organization they came from, he said.
"There's all kind of data leaking out inadvertently," Clark told the committee, noting that the documents he cited were "simply what we found when we put the straw in the water. The American people would be outraged if they are aware of what is being inadvertently being disclosed on P2P networks."
The 2007 Congressional Committee meeting was also covered by InfoWorld [8], which added these details--
Among the files shared: Physical threat assessments for multiple cities, including Philadelphia and Miami; a physical security attack assessment for a U.S. Air Force base; a detailed report from a government contractor on how to connect two secure Department of Defense (DOD) networks; a document titled, "NSA (National Security Agency) Security Handbook."
[...]
In another scan, on July 17, Tiversa found a defense contractor employee sharing 1,900 files, including 534 sensitive files, from what was apparently a home computer. The contractor, an IT expert, supported 34 U.S. government agencies including the DOD and intelligence agencies, Tiversa said.
Among the files shared from the contractor's computer: The infrastructure diagram for the entire Pentagon secret backbone network; password change scripts for secret Pentagon network servers; Secure Sockets Layer instructions and certificates allowing access to the contractor's IT systems; a contract issued by the U.S. Army Contracting Agency authorizing $1.5 million in fees from the contractor.
The contractor's shared files also included a letter from the U.S. White House Office of Management and Budget warning about the risks of P-to-P networks.
So there you go -- ONE contractor (and an IT expert, at that!) supporting 34 USG agencies, sharing close to 2000 files. Your tax dollars at work.
So, who is out there in the intertubes sucking up all those conveniently-shared documents? Is it WikiLeaks, the big bad boogeyman, from those mysterious ‘four servers in Sweden’ that Bloomberg/Riley is trying to sell you? Nope. According to Tiversa’s CEO Boback and its chief tech officer Hopkins, it’s "every nation" -- or, at the very least, all the bad guys.
Tiversa’s Boback was interviewed by his hometown media, WPXI [9]. Who’s doing those nasty P2P searches, Mr. Boback?
"We've noticed it out of [Iran], Pakistan, Yemen, Qatar and China. They are actively searching for information that is disclosed in this fashion because it is a great source of intelligence," Boback said.
And then there’s this interchange from an interview by CNET’s Charles Cooper [10], speaking with Tiversa’s Chief Technical Officer, Hopkins:
"Q[Cooper]: So your team concluded that the materials fell into the hands of Iran. Is it possible that other actors also are trying to take advantage of similar openings in the system?
Hopkins: Heck yeah. Every nation does that. We see information flying out there to Iran, China, Syria, Qatar--you name it. There's so much out there that sometimes we can't keep up with it."
"Q[Cooper]: I would have assumed military contractors would use more secure networks to communicate.
Hopkins: Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.'s who wanted to listen to music would install software on secure computers and it got compromised."
Sure, blame it on the GIs. Blame it on WikiLeaks. But the real problem here is the USG/DOD’s failure to secure its classified data against peer-to-peer file sharing.
Could it be possible that DOD’s negligent failure to secure its classified data is the real reason behind the US’s sustained, concerted attacks against WikiLeaks? Sorry, DOD, but destroying the boogeyman WikiLeaks won’t call back all those negligently shared documents or magically seal your unprotected computers.
Links cited:
[1] Michael Riley, Business Week, 'Is WikiLeaks Hacking for Secrets?', Feb 3 2001 -- http://www.businessweek.com/...
[2] Michael Riley, Bloomberg News, Jan 20 2001 -- http://www.businessweek.com/print/magazine/content/11_07/b4215046290051.htm
[3] Andy Greenberg, Forbes ('The Firewall'), Jan 20 2011 -- http://blogs.forbes.com/...
[4] Paul Ohm, Freedom to Tinker, Jan 20 2011 -- http://www.freedom-to-tinker.com/...
[5] Reuters, 'W.House helicopter data found on Iranian computer', Mar 2 2009 -- http://www.reuters.com/...
[6] Defense Industry Daily, 'P2P Network Leaks: The VH-60N Helicopter', Mar 8 2009 -- http://www.defenseindustrydaily.com/...
[7] Computerworld, 'Classified U.S. military info, corporate data available over P2P', Jul 25 2007 -- http://www.computerworld.com/...
[8] InfoWorld, 'P-to-P users expose U.S. government secrets', Jul 27 2007 -- http://www.infoworld.com/...
[9] WPXI -- http://www.wpxi.com/...
[10] CNET, Charles Cooper interview with Tiversa CTO Hopkins -- http://news.cnet.com/...