This article is more than 1 year old
Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef
Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings
Analysis The fate of the man accused of leaking top-secret CIA hacking tools – software that gave the American spy agency access to targets' phones and computer across the world – is now in the hands of a jury. And, friend, do they have their work cut out for them.
Joshua Schulte stands accused of stealing the highly valuable materials directly from the CIA’s innermost sanctum and slipping them to WikiLeaks to share with the rest of the planet. Federal prosecutors have spent the past four weeks explaining exactly why they believe that to be the case. And Uncle Sam's lawyers have developed a compelling case to send Schulte away for virtually the rest of his life.
But Schulte’s lawyer, Sabrina Shroff, has picked away at that seemingly watertight case, and pointed out, countless times, that the evidence against her client is dangerously thin. Schulte is the fall guy, she argues; the victim of an agency that decided he was responsible, and then used its extraordinary analytical focus to nail him regardless of his innocence.
The CIA may have wished the trial never happened, because, in the course of events, the picture of what actually happens in the darkest corners of what may be the most powerful institution on Earth is not one of the highest caliber of professionals working in their nation’s best interests. Instead, the leak of the world’s most dangerous hacking tools, code-named Vault 7, may have stemmed from a rubber-band fight that got out of hand.
We reported earlier that Schulte’s lawyer started her defense of him by stressing how much of an asshole he is. Just as incredibly, she closed her argument for his innocence in the same way: “I told you that Mr Schulte was a difficult man. He was a difficult employee, and I told you that there was no doubt about that. I told you that the evidence would show that, and that's what the government showed you. For four weeks, that's what they showed you.”
She’s not lying. Schulte came across as an impossible, arrogant, and vindictive co-worker. When he ended up in a dispute with another employee, Amol, Schulte lodged a formal complaint saying Amol had threatened to kill him, knowing that would put Amol in a very difficult position. It did, though a CIA probe concluded Amol hadn’t done any such thing. But such was the value of these two difficult but brilliant men to the agency that they kept them both, simply moving them to different departments and floors.
Employee after employee, all the way up to Schulte’s boss’s boss’s boss, testified Josh was a royal pain in the ASCII. But let’s let his own lawyer Shroff tell you in literally her closing words: “They proved to you that, yes, you can properly call him Voldemort or Vault Asshole or Asshole or Jason Bourne or John Galt. They have given you evidence of all of that. But one thing that you cannot call him, after four full weeks, because the evidence isn't there, you cannot call him guilty. Please acquit.”
Those names, incidentally, were chosen by Schulte himself for various aliases he used. One that Shroff didn’t mention but the government’s lawyer did was also telling: King Josh.
“Josh Schulte is no patriot. Far from it. He's vengeful and he's full of rage, and he's committed crimes that have been devastating to our national security,” prosecutor Matthew Laroche told the federal district court, in New York City, in his closing arguments [PDF]. “King Josh. That's what the defendant thinks of himself. Well, King Josh got caught. And all of his lies, all of his deceptions have come crashing down in this case.”
To be fair, it wasn’t King Josh, it was “KingJosh3000” – one of many names he used in his job as a CIA sysadmin. The handle KingJosh3000 proved critical in the case because it was the one username the government found that, allegedly, connected Schulte to the theft of the hacking tools. He had, according to the prosecution, carefully and methodically deleted all the logs that showed his removal of gigabytes of data from the CIA’s server. But KingJosh3000’s session was missed from the data wipe, and it was that ID that he used to access a backdoor into the system after he had been officially booted off, we were told.
Sysadmin and out
The fact Schulte had been actively blocked and had his admin rights revoked on several servers was used by both the prosecution and defense as evidence of their arguments. The prosecution noted Schulte had previously been kicked off systems as an admin and in response, both out of spite and in order to demonstrate his superiority, he found his way back in and set up new accounts.
Schulte was formally warned that in the aftermath of Edward Snowden's disclosures, this type of behavior was viewed extremely poorly, and he was made to sign a statement apologizing and promising not to do it again. But in that very same interview, his superior told the court, Schulte made it plain that he could, and would, do it again.
That behavior painted a big red target on Schulte's back: one that led the CIA to believe it was definitely him who stole the files when they were publicly distributed one year later by WikiLeaks, long after he had left the agency. But his defense argued that same red target caused the CIA and FBI to decide he was the guilty party and then build a case around proving it, rather than looking at all the evidence and figuring out who the real culprit was.
All this raises a question, though: just how bad is the CIA’s security that it wasn’t able to keep Schulte out, even accounting for the fact that he is a hacking and computer specialist? And the answer is: absolutely terrible.
The password for the Confluence virtual machine that held all the hacking tools that were stolen and leaked? That’ll be
123ABCdef. And the root login for the main DevLAN server?
It actually gets worse than that. Those passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew. Their justification? The intranet was restricted to members of the Operational Support Branch (OSB): the elite programming unit that makes the CIA’s hacking tools.