I have done professional IT work (mostly database administration work) on all levels of government (city, county, state, and federal). All of them had security policies which were personally inconvenient. I remember in one case I was living in the southwest suburbs of Chicago when a city department database ran into a storage issue around 10 PM, something that would normally take maybe 5 minutes of busy work to resolve. They did not permit remote work for security reasons, which meant that I had to drive into downtown (40 minutes away) and I had to deal with building security once I got there. Nope, I couldn't bill my time to the client. I've been a professional Oracle DBA for roughly 26 years. In most cases, I've had non-disclosure agreements, private or public; I avoid connecting with current or prior professional contacts on social media (almost all Facebook friends are relatives). I carefully scrutinize my resume to focus on generic technical duties and accomplishments. I have never, and will never, disclose security vulnerabilities or other critiques regardless of circumstances; it's part of my professional ethics.
Have I been victimized during my professional career? Yes. I've built a reputation on getting things done; quite often, you run into petty/jealous opposition, people running hidden agendas. I wasn't interested in revenge; karma is a bitch. In a way I was carrying a weight on my shoulders, and being relieved of that burden was a blessing. I remember in one case at a Chicago project where I had been unfairly scapegoated, I heard from a frustrated Indian developer colleague who complained that the project had slowed to a crawl since I left, and he knew if I were still there, the project would have been completed already. It was true.
Wikileaks has notoriously exposed scandalous information about US military operations in the Bush/Obama/Trump era (including a Baghdad video showing the US shooting of journalists and/or civilians), Gitmo, Climategate, and the Clinton/Dem campaign of 2016, just to mention a few prominent exposes. There is little doubt that Wikileaks is a journalism portal in the Internet Age; it has partnered with high-profile media (like the Gray Lady) on news stories; it has earned several peer journalist awards.
I wrote a series of tweets Saturday (see below). I don't have all the pieces, but Ecuador, which has been sponsoring Assange in its London embassy about 6 years back, may have cut a deal with the US, which wants to try Assange. One of the reasons Assange sought asylum was dubious "rape" charges against him in Sweden by two consenting women upset over an allegedly torn condom or suspicion of unprotected sex. These charges were eventually dropped during Assange's embassy stay, although there are rumors Sweden may seek to resurrect the charges. There's little doubt, however, that in the end, Assange will be extradited to the US.
Let's be clear: what the Trump Administration is doing here is resurrecting the case of Bradley/Chelsea Manning from 2010; among the related exposes was a Baghdad video of American soldiers shooting defenseless news reporters and civilians. The US is going out of its way to avoid identifying Assange as a journalist; it seems to be arguing that Manning and Assange conspired to work around government security policies and that Assange was a de facto computer hacker who blatantly disregarded government warnings.
Note that the Obama Administration, which did prosecute Manning, never filed charges against Assange. So what "new evidence" has led to this hacking charge? In my view, it has more to do with a new POTUS which has been in constant war with the media since he took office.
Manning had access to a huge treasure trove of secret files simply by virtue of his/her position. I cannot speak as to how it happened, because usually there is a need-to-know component to security design. So he probably had administrative privileges (and/or got access to administrative passwords through social engineering or other means), but, for example, the network folks could control what servers his CAC/smartcard could access.
It's difficult because of the sparse context of the charges to piece together what exactly is being charged, but this seems to be the context: Manning, after delivering a large amount of files to Wikileaks, says that there's likely more, but he doesn't have the necessary account privileges to access the material. There is some vague discussion of a software tool that gets "part of the password", and in some way, Manning is asking for assistance in cracking the password(s). (I don't know if this is from an intercepted communication, Manning's own testimony, etc.)
Now usually today's computers don't store passwords in human-readable form. Usually a hashing routine combines the password with a salt (some random data) and converts it to some obscure value. So, for example, in Linux, password hashes may be stored in /etc/shadow. When you try to log on, the password you enter is converted via the same hashing algorithm, salt, etc., and the result is compared to the stored value (e.g., in /etc/shadow).
Notice that even if you have access to /etc/shadow, this doesn't give you the password, and most facilities require frequent password rotation. Now given enough time and context (hashing algorithm, salt, etc.), a cracker program may be able to generate a password that computes to the observed hash, but it's nontrivial with today's technology.
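The login check and rotation policy described above, as an added example that is not part of the original post. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the system's real crypt scheme, and the scheme id, account name, passwords and day numbers are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-demo"  # made-up scheme id for this sketch, not a real crypt id
ROUNDS = 100_000        # constructed work factor

def _digest(password, salt):
    # Same password + same salt always gives the same value; no way back to the password.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ROUNDS)
    return base64.b64encode(raw).decode()

def make_shadow_line(user, password, last_change_day, max_age_days=90, salt=None):
    # Layout follows /etc/shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    salt = salt or os.urandom(8).hex()
    return f"{user}:${SCHEME}${salt}${_digest(password, salt)}:{last_change_day}:0:{max_age_days}:7:::"

def check_login(line, candidate, today_day):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    hash_field, last_change, max_age = fields[1], int(fields[2]), int(fields[4])
    if hash_field.startswith(("!", "*")):
        return "locked"      # no password can ever match this entry
    _, scheme, salt, stored = hash_field.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme id")
    # Re-hash the candidate with the stored salt; compare in constant time.
    if not hmac.compare_digest(_digest(candidate, salt), stored):
        return "rejected"
    if today_day - last_change > max_age:
        return "expired"     # rotation policy: the password is right but too old
    return "ok"

if __name__ == "__main__":
    # Constructed account, password and day numbers (days since 1970-01-01).
    line = make_shadow_line("dba", "correct horse battery", last_change_day=18000)
    print(line)
    for guess, day in [("correct horse battery", 18030), ("Password1", 18030),
                       ("correct horse battery", 18100)]:
        print(guess, day, check_login(line, guess, day))
```

The stored line contains only the salt and the derived value, so reading the file shows what a login attempt is compared against, not the password itself.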
If you read the charges, the US doesn't even assert that Assange cracked a password for Manning or possessed relevant resources, nor does it attribute any loss of data to the matter under question, etc. They simply suggested what could have happened, that Assange himself had not been cleared, etc. It could be there's more to the case than they're showing, but if there was, why wait until now?
This looks to me like a deliberate attack on the press, using Assange as a show-trial target to make an example. It's unconscionable and a violation of the principles underlying the founding of this republic.
Watching the US government trying to go after Assange on a ticky-tacky computer hacking charge reminds me of how they finally got Al Capone on tax charges and also got Martha Stewart on a technicality. — Ronald Guillemette (@raguillem) April 12, 2019
The most recent Internet kerfuffle is whether Assange is a journalist. Yes, he is. Certainly, he claims to be, and WikiLeaks has won many peer journalism awards, https://t.co/zIGlN4SPJf — Ronald Guillemette (@raguillem) April 12, 2019
Even libertarians like Michael Malice and Tom Woods are participating in the Statist conspiracy against recognizing Assange's bona fides as a journalist; freedom of the press is a widely acknowledged, accepted principle. Note how the sham rationale for Assange's arrest avoids it. — Ronald Guillemette (@raguillem) April 12, 2019
All libertarians and the press should be outraged by US government's pathetic case against Assange. Not even the Obama Administration brought up this charge. This is nothing short of a Trumpian attack on the free press, there is no chance of convicting Assange on what I've read — Ronald Guillemette (@raguillem) April 14, 2019
If you read the government charge against Assange, you'll notice (point 10), "cracking the password would have allowed Manning", not "Assange cracked the password for Manning". https://t.co/nIRQaM8KzI — Ronald Guillemette (@raguillem) April 14, 2019
From what I've read, Manning was attempting to access ADDITIONAL information but needed an administrative password he didn't have. He found hash values for administrative account passwords. It's all but impossible to derive an original complex password from a hash. Charge is BS. — Ronald Guillemette (@raguillem) April 14, 2019
The federal government is engaging in some circular reasoning. Yes, Assange got unauthorized access to classified information, but anyone with a classified background knows that you cannot use classified status to mask evidence of government wrongdoing. — Ronald Guillemette (@raguillem) April 14, 2019
Some of the government's case against Assange is beyond preposterous. Do they expect WikiLeaks or traditional media to issue a disclaimer that disclosures of government information may be unauthorized, & we don't condone such activities? Would you look a gift horse in the mouth? — Ronald Guillemette (@raguillem) April 14, 2019
The fact of the matter is Manning and Snowden had access to information they had no need to know, not that nefarious journalists helped them hack into the system. The government can ensure your account never touches a sensitive server. This is government security failure. — Ronald Guillemette (@raguillem) April 14, 2019
If the Trump regime could criminalize requests for help from someone helping another person facing a technical issue, a lot of us would be in trouble. What if a nefarious former student says he learned SQL from Dr. Guillemette, and he used SQL in the commission of a crime? — Ronald Guillemette (@raguillem) April 14, 2019
I've seen no evidence that Assange has had access to SIPRnet. In fact, SIPRnet is isolated from NIPRnet. That's part of the reason that Hillary Clinton's personal email server to store classified information was such a big deal. — Ronald Guillemette (@raguillem) April 14, 2019
The US charges against Assange are so vague that I think LP leader Nicolas Sarwick got it wrong. Sarwick seems to think Assange was trying to decrypt an encrypted file that Manning downloaded. No, Manning didn't know the password for a server account. https://t.co/YXWvGjbUQo — Ronald Guillemette (@raguillem) April 14, 2019
My last tweet (re: /etc/passwd) is an oversimplified discussion. Most likely, account password hashes are stored in /etc/shadow, not /etc/passwd. For more specifics, cf, e.g., https://t.co/18pyDR0Zio — Ronald Guillemette (@raguillem) April 14, 2019
Sarwick's post is mostly spot on, but I (as an ancillary Linux SA) think the issue is more like this: an input password is hashed and compared against say a related password hash in /etc/shadow. Maybe Manning had access to /etc/shadow but he couldn't go from hash to adm password. — Ronald Guillemette (@raguillem) April 14, 2019
I can't speak for Assange, but the first thing I would do is renounce his Ecuadorian citizenship. — Ronald Guillemette (@raguillem) April 14, 2019
There are rumors that Sweden is looking to reinstate dropped "rape" charges on Assange after his recent arrest. Note that the 2 women did not report sex against their will but concerns over allegedly unprotected sex. https://t.co/ICKrnvMkcI — Ronald Guillemette (@raguillem) April 14, 2019