As I noted in my earlier post on Wikileaks leaker Bradley Manning’s charging document, there’s an apparent discrepancy between the timing Wired gives for Manning’s arrest and what the charging document shows. Wired said that the FBI told Adrian Lamo on May 27 that Manning had been arrested the previous day–that is, May 26.

At their second meeting with Lamo on May 27, FBI agents from the Oakland Field Office told the hacker that Manning had been arrested the day before in Iraq by Army CID investigators.

But the charging documents actually says Manning’s alleged activities continued until “on or about 27 May 2010,” and it says his pretrial detention started on May 29 (though see scribe’s comments on a possible explanation).

And as I pointed out in comments, there’s also a problem with the story Lamo gave Wired as to why he turned in Manning. He claimed he turned in Manning because he had told him he had already leaked 260,000 cables to Wikileaks.

Lamo decided to turn in Manning after the soldier told him that he leaked a quarter-million classified embassy cables. Lamo contacted the Army, and then met with Army CID investigators and the FBI to pass the agents a copy of the chat logs from his conversations with Manning.

But the charging document only accuses Manning of leaking [more than] 50 cables; it alleges he got information from [more than] 150,000 cables, but did not even load the cables onto his own computer. Now, Wired has repeatedly published a quote from Manning telling Lamo that he had leaked the quarter-million cables.

But the most startling revelation was a claim that he gave Wikileaks a database of 260,000 classified U.S. diplomatic cables, which Manning said exposed “almost-criminal political back dealings.”

“Hillary Clinton and several thousand diplomats around the world are going to have a heart attack when they wake up one morning, and find an entire repository of classified foreign policy is available, in searchable format, to the public,” Manning told Lamo in an online chat session.

But they didn’t include that quote in their publication of what they claimed to be all the chat logs, save those that revealed personal information about Manning or classified information. Note, WaPo published a longer version of the same quote after Wired first published it. It appears that such a quote would have fit in the chat logs on May 22 (Manning says, “Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed”–note the WaPo includes an ellipses here Wired does not that may indicate IM breaks–and in the May 22 log Lamo asks “what kind of scandal”), but for some reason, Wired didn’t include it there. He may well have said it and said it on May 22, but out of context, we don’t know whether Manning was talking about around 50 cables–what he is accused of leaking–or all 260,000, or the [more than] 150,000 that he is accused of having accessed. And we don’t know whether Manning really did claim to have already leaked the cables–the context doesn’t say he did (though Manning’s list of things he leaked in the very last IMs seem to include some State Department cables).

Which is why I find another oddity of the Wired publication of the chat logs so funky.

Look at the chat logs for May 25–according to Wired, the day before Manning was arrested. They start at 2:03:10 AM (you can tell from the May 23 chat logs that the times are for Lamo, presumably in CA) and go through 2:32:53 AM. They start again at 2:26:01 PM, then go through 3:12:16 PM. Then–at least as Wired presents them–they start again at 1:52:30 PM and go in spurts through 4:46:29 PM. That is, though Wired has presented the IM logs for all other days in straight chronological order, they have no done so for May 25. The chronology starts, goes through 3:12:16 PM, then goes back in time and starts again at 1:52:30. The time sequences overlap.

Now even assuming there’s nothing funky about that, if Lamo were in CA, an IM he received at almost 5 PM on May 25 would be 3 AM Iraq time on May 26, very early on the day Lamo says Manning was arrested.

But the only way that would be true is if Wired segmented and rearranged the IM chats for some reason of narrative. I’ve shown what all the overlapping IM logs in question would look like below the fold (the “parts” refer to the order in which they first appear in the Wired post). But the following chunks of IM discussion–combining the section that Wired presents 5th with that it presents 2nd–would be combined as follows (everything from part 2 is underlined):

Part 2 (underlined)/Part 5 continued
(02:26:01 PM) Manning:
i dont believe in good guys versus bad guys anymore… i only a plethora of states acting in self interest… with varying ethics and moral standards of course, but self-interest nonetheless
(02:26:18 PM) Manning:
s/only/only see/
(02:26:18 PM) Manning:
because another state would just take advantage of the information… try and get some edge
(02:26:47 PM) Lamo:
the tm meant i was being facetious
(02:26:55 PM) Manning:
if its out in the open… it should be a public good
(02:26:59 PM) Manning:
(02:27:04 PM) Manning:
*do the
(02:27:23 PM) Manning:
rather than some slimy intel collector
(02:27:47 PM) Manning:
i mean, we’re better in some respects… we’re much more subtle… use a lot more words and legal techniques to legitimize everything
(02:28:00 PM) Manning: its better than disappearing in the middle of the night
(02:28:19 PM) Manning:
but just because something is more subtle, doesn’t make it right
(02:29:04 PM) Manning:
i guess im too idealistic
(02:29:18 PM) Manning:
im crazy like that

This order is not implausible–everything sort of flows. But there are signs that Part 5 and Part 2 did not happen simultaneously. Manning’s good versus evil comment at 2:26:01 is not entirely out of place, but it’s a big non sequitur from the comment less than 2 minutes earlier. This order would require Manning to have typed two IMs in one second at 2:26:18 which seems unlikely if not impossible for reasons of computer speed and human typing skills. Lamo’s “tm” comment at 2:26:19 appears to refer to a comment Wired didn’t replicate in any case. Furthermore, elsewhere Manning always corrects typos in the IM directly after the one in which he makes an error. But the typo “it should be a public good” at 2:26:55 and the correction “it should do the public good” at 2:27:04 would be split by the interjection “gotchya.” Plus those two comments with the interjection “gotchya” at 2:26:59 are quicker–all three in nine seconds–than almost any other series that Wired published (aside from the two IMs in one second already noted).

In other words, I can’t prove it, but it is likely those 2 chunks of IM were not simultaneous, suggesting those 5 chunks of text did not happen on the same day or their timestamps are wrong. Which in turn suggests they didn’t all come from May 25. And if they didn’t, one likely possibility is that Wired did publish the IM chats in sequence, but simply didn’t label ones from a different day–most likely, either the first series came form May 24 or the second series came from May 26–with that different day.

Now, that introduces two problems into the narrative as captured by CJR. If the IMs starting with what I’ve labeled as part 1 were actually sent May 24, it would mean Lamo was asking whether Manning suspected Army CID of investigating before–apparently–he ever talked to Kevin Poulsen about Manning. That’s not fatal for the story–but it does seem to show Lamo asking probing questions in the service of law enforcement before he first talks to Poulsen about Manning.

The other alternative is even more problematic for their story. If the second series of IMs labeled as May 25 actually came from May 26, it would mean the latest ones–which appear to have reached Lamo in late afternoon on May 26–would have been sent in Iraq in the early hours of May 27, suggesting that the story that Manning was arrested on May 26 was not correct (though that does seem to correlate better with the charging document).

All this may not be a big deal. It may be that the full series of the IMs make sense in full context. It may be that the apparent discrepancy between the Wired report and the charging document are either not discrepancies at all or not very interesting to the story.

But there does appear to be something funky here.

Update: “More than” added to references to numbers of cables per scribe.

Part 1

(02:03:10 AM) Manning: amazing how the world works
(02:03:27 AM) Manning: takes 6 degrees of separation to a whole new level
(02:04:12 AM) Lamo: hey, vacaville
(02:04:18 AM) Lamo: er
(02:04:23 AM) Lamo: vacaville
(02:05:12 AM) Manning: its almost bookworthy in itself, how this played
(02:07:41 AM) Manning: event occurs in 2007, i watch video in 2009 with no context, do research, forward information to group of FOI activists, more research occurs, video is released in 2010, those involved come forward to discuss event, i witness those involved coming forward to discuss publicly, even add them as friends on FB… without them knowing who i am
(02:08:37 AM) Manning:they touch my life, i touch their life, they touch my life again… full circle
(02:08:58 AM) Lamo: Life’s funny.
(02:09:24 AM) Lamo: *random* are you concerned aboutCI/CID looking into your Wiki stuff? I was always paranoid.
(02:09:40 AM) Manning: CID has no open investigation
(02:10:28 AM) Manning: State Department will be uber-pissed… but I dont think they’re capable of tracing everything…
(02:10:44 AM) Lamo: what about CI?
(02:10:51 AM) Manning: might be a congressional investigation, and a joint effort to figure out what happened
(02:11:23 AM) Manning: CI probably took note, but it had no effect on operations
(02:11:48 AM) Manning: so, it was publicly damaging, but didn’t increase attacks or rhetoric…
(02:12:10 AM) Lamo: *nod*
(02:12:34 AM) Manning: re: joint effort will be purely political,”fact finding”… “how can we stop this from happening again”
(02:12:46 AM) Manning: regarding State Dept. cables
(02:13:12 AM) Lamo: Would the cables come from State?
(02:13:21 AM) Manning: yes
(02:13:25 AM) Manning: State Department
(02:13:29 AM) Lamo: I was always a commercial intruder.
(02:13:51 AM) Lamo: Why does your job afford you access?
(02:13:59 AM) Lamo: except for the UN.
(02:14:03 AM) Manning: because i have a workstation
(02:14:15 AM) Lamo: and World Bank.
(02:14:17 AM) Manning: *had*
(02:14:36 AM) Lamo: So you have these stored now?
(02:14:54 AM) Manning: i had two computers… one connected to SIPRNET the other to JWICS…
(02:15:07 AM) Manning: no, they’re government laptops
(02:15:18 AM) Manning: they’ve been zerofilled
(02:15:22 AM) Manning: because of the pullout
(02:15:57 AM) Manning: evidence was destroyed… by the system itself
(02:16:10 AM) Lamo: So how would you deploy the cables? If at all.
(02:16:26 AM) Manning: oh no… cables are reports
(02:16:34 AM) Lamo: ah
(02:16:38 AM) Manning: State Department Cable = a Memorandum
(02:16:48 AM) Lamo: embassy cables?
(02:16:54 AM) Manning: yes
(02:17:00 AM) Manning: 260,000 in all
(02:17:10 AM) Manning: i mentioned this previously
(02:17:14 AM) Lamo: yes
(02:17:31 AM) Lamo: stored locally, or retreiveable?
(02:17:35 AM) Manning: brb latrine =P
(02:17:43 AM) Manning: i dont have a copy anymore
(02:17:59 AM) Lamo: *nod*
(02:18:09 AM) Manning: they were stored on a centralized server…
(02:18:34 AM) Lamo: what’s your endgame plan, then?
(02:18:36 AM) Manning: it was vulnerable as fuck
(02:20:57 AM) Manning: well, it was forwarded to WL
(02:21:18 AM) Manning: and god knows what happens now
(02:22:27 AM) Manning: hopefully worldwide discussion, debates, and reforms
(02:23:06 AM) Manning: if not… than we’re doomed
(02:23:18 AM) Manning: as a species
(02:24:13 AM) Manning: i will officially give up on the society we have if nothing happens
(02:24:58 AM) Manning: the reaction to the video gave me immense hope… CNN’s iReport was overwhelmed… Twitter exploded…
(02:25:18 AM) Manning: people who saw, knew there was something wrong
(02:26:10 AM) Manning: Washington Post sat on the video… David Finkel acquired a copy while embedded out here
(02:26:36 AM) Manning: [also reason as to why there's probably no investigation]
(02:28:10 AM) Manning: i want people to see the truth… regardless of who they are… because without information, you cannot make informed decisions as a public
(02:28:10 AM) Lamo : I’m not here right now
(02:28:50 AM) Manning: if i knew then, what i knew now… kind of thing…
(02:29:31 AM) Manning: or maybe im just young, naive, and stupid…
(02:30:09 AM) Lamo: which do you think it is?
(02:30:29 AM) Manning: im hoping for the former
(02:30:53 AM) Manning: it cant be the latter
(02:31:06 AM) Manning: because if it is… were fucking screwed
(02:31:12 AM) Manning: (as a society)
(02:31:49 AM) Manning: and i dont want to believe that we’re screwed
(02:32:53 AM) Manning: food time… ttys

Part 4

(01:52:30 PM) Manning: funny thing is… we transffered so much data on unmarked CDs…
(01:52:42 PM) Manning: everyone did… videos… movies… music
(01:53:05 PM) Manning: all out in the open
(01:53:53 PM) Manning: bringing CDs too and from the networks was/is a common phenomeon
(01:54:14 PM) Lamo: is that how you got the cables out?
(01:54:28 PM) Manning: perhaps
(01:54:42 PM) Manning: i would come in with music on a CD-RW
(01:55:21 PM) Manning: labelled with something like “Lady Gaga”… erase the music… then write a compressed split file
(01:55:46 PM) Manning: no-one suspected a thing
(01:55:48 PM) Manning: =L kind of sad
(01:56:04 PM) Lamo: and odds are, they never will
(01:56:07 PM) Manning: i didnt even have to hide anything
(01:56:36 PM) Lamo: from a professional perspective, i’m curious how the server they were on was insecure
(01:57:19 PM) Manning: you had people working 14 hours a day… every single day… no weekends… no recreation…
(01:57:27 PM) Manning: people stopped caring after 3 weeks
(01:57:44 PM) Lamo: i mean, technically speaking
(01:57:51 PM) Lamo: or was it physical
(01:57:52 PM) Manning: >nod<
(01:58:16 PM) Manning: there was no physical security
(01:58:18 PM) Lamo: it was physical access, wasn’t it
(01:58:20 PM) Lamo: hah
(01:58:33 PM) Manning: it was there, but not really
(01:58:51 PM) Manning: 5 digit cipher lock… but you could knock and the door…
(01:58:55 PM) Manning: *on
(01:59:15 PM) Manning: weapons, but everyone has weapons
(02:00:12 PM) Manning: everyone just sat at their workstations… watching music videos / car chases / buildings exploding… and writing more stuff to CD/DVD… the culture fed opportunities
(02:01:44 PM) Manning: hardest part is arguably internet access… uploading any sensitive data over the open internet is a bad idea… since networks are monitored for any insurgent/terrorist/militia/criminal types
(02:01:52 PM) Lamo: tor?
(02:02:13 PM) Manning: tor + ssl + sftp
(02:02:33 PM) Lamo: *nod*
(02:03:05 PM) Lamo: not quite how i might do it, but good
(02:03:22 PM) Manning: i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”
(02:03:53 PM) Manning: went back to watching “Eagle’s Eye”

Part 5

(02:12:23 PM) Manning: so… it was a massive data spillage… facilitated by numerous factors… both physically, technically, and culturally
(02:13:02 PM) Manning:: perfect example of how not to do INFOSEC
(02:14:21 PM) Manning: listened and lip-synced to Lady Gaga’s Telephone while exfiltratrating possibly the largest data spillage in american history
(02:15:03 PM) Manning: pretty simple, and unglamorous
(02:16:37 PM) Manning: *exfiltrating
(02:17:56 PM) Manning: weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis… a perfect storm
(02:19:03 PM) Manning: >sigh<
(02:19:19 PM) Manning: sounds pretty bad huh?
(02:20:06 PM) Lamo: kinda :x
(02:20:25 PM) Manning: :L
(02:20:52 PM) Lamo: i mean, for the .mil
(02:21:08 PM) Manning: well, it SHOULD be better
(02:21:32 PM) Manning: its sad
(02:22:47 PM) Manning: i mean what if i were someone more malicious
(02:23:25 PM) Manning: i could’ve sold to russia or china, and made bank?
(02:23:36 PM) Lamo: why didn’t you?
(02:23:58 PM) Manning: because it’s public data
(02:24:15 PM) Lamo: i mean, the cables
(02:24:46 PM) Manning: it belongs in the public domain
(02:25:15 PM) Manning: information should be free
(02:25:39 PM) Manning: it belongs in the public domain

Part 2 Continued

(02:31:02 PM) Manning: i think the thing that got me the most… that made me rethink the world more than anything
(02:35:46 PM) Manning:
was watching 15 detainees taken by the Iraqi Federal Police… for printing “anti-Iraqi literature”… the iraqi federal police wouldn’t cooperate with US forces, so i was instructed to investigate the matter, find out who the “bad guys” were, and how significant this was for the FPs… it turned out, they had printed a scholarly critique against PM Maliki… i had an interpreter read it for me… and when i found out that it was a benign political critique titled “Where did the money go?” and following the corruption trail within the PM’s cabinet… i immediately took that information and *ran* to the officer to explain what was going on… he didn’t want to hear any of it… he told me to shut up and explain how we could assist the FPs in finding *MORE* detainees…
(02:35:46 PM) Lamo :
I’m not here right now
(02:36:27 PM) Manning:
everything started slipping after that… i saw things differently
(02:37:37 PM) Manning:
i had always questioned the things worked, and investigated to find the truth… but that was a point where i was a *part* of something… i was actively involved in something that i was completely against…
(02:38:12 PM) Lamo:
That could happen in Colombia.
(02:38:21 PM) Lamo:
Different cultures, dude.
(02:38:28 PM) Lamo:
Life is cheaper.
(02:38:34 PM) Manning:
oh im quite aware
(02:38:45 PM) Lamo:
What would you do if your role /w Wikileaks seemed in danger of being blown?
(02:38:48 PM) Manning:
but i was a part of it… and completely helpless…
(02:39:01 PM) Lamo:
sometimes we’re all helpless
(02:39:34 PM) Manning:
try and figure out how i could get my side of the story out… before everything was twisted around to make me look like Nidal Hassan
(02:40:15 PM) Manning:
i dont think its going to happen
(02:40:26 PM) Manning:
i mean, i was never noticed
(02:41:10 PM) Manning:
regularly ignored… except when i had something essential… then it was back to “bring me coffee, then sweep the floor”
(02:42:24 PM) Manning:
i never quite understood that
(02:42:44 PM) Manning:
felt like i was an abused work horse…
(02:43:33 PM) Manning:
also, theres god awful accountability of IP addresses…
(02:44:47 PM) Manning:
the network was upgraded, and patched up so many times… and systems would go down, logs would be lost… and when moved or upgraded… hard drives were zeroed
(02:45:12 PM) Manning:
its impossible to trace much on these field networks…
(02:46:10 PM) Manning:
and who would honestly expect so much information to be exfiltrated from a field network?
(02:46:25 PM) Lamo:
I’d be one paranoid boy in your shoes.
(02:47:07 PM) Manning:
the CM video came from a server in our domain! and not a single person noticed
(02:47:21 PM) Lamo:
(02:48:17 PM) Manning:
Apache Weapons Team video of 12 JUL 07 airstrike on Reuters Journos… some sketchy but fairly normal street-folk… and civilians
(02:48:52 PM) Lamo:
How long between the leak and the publication?
(02:49:18 PM) Manning:
some time in february
(02:49:25 PM) Manning:
it was uploaded
(02:50:04 PM) Lamo:
uploaded where? how would i transmit something if i had similarly damning data
(02:51:49 PM) Manning:
uhm… preferably openssl the file with aes-256… then use sftp at prearranged drop ip addresses
(02:52:08 PM) Manning:
keeping the key separate… and uploading via a different means
(02:52:31 PM) Lamo:
so i myself would be SOL w/o a way to prearrange
(02:54:33 PM) Manning:
not necessarily… the HTTPS submission should suffice legally… though i’d use tor on top of it…
(02:54:43 PM) Manning:
but you’re data is going to be watched
(02:54:44 PM) Manning:
(02:54:49 PM) Manning:
by someone, more than likely
(02:54:53 PM) Lamo:
submission where?
(02:55:07 PM) Manning: submission system
(02:55:23 PM) Lamo:
in the massive queue?
(02:55:54 PM) Manning:
lol, yeah, it IS pretty massive…
(02:55:56 PM) Manning:
(02:56:04 PM) Manning:
i see what you mean
(02:56:35 PM) Manning:
long term sources do get preference… i can see where the “unfairness” factor comes in
(02:56:53 PM) Lamo:
how does that preference work?
(02:57:47 PM) Manning:
veracity… the material is easy to verify…
(02:58:27 PM) Manning:
because they know a little bit more about the source than a purely anonymous one
(02:59:04 PM) Manning:
and confirmation publicly from earlier material, would make them more likely to publish… i guess…
(02:59:16 PM) Manning:
im not saying they do… but i can see how that might develop
(03:00:18 PM) Manning:
if two of the largest public relations “coups” have come from a single source… for instance
(03:02:03 PM) Manning:
you yeah… purely *submitting* material is more likely to get overlooked without contacting them by other means and saying hey, check your submissions for x…

Part 3

(03:07:26 PM) Manning: i recognized the value of some things…
(03:07:33 PM) Manning: knew what they meant… dug deeper
(03:07:53 PM) Manning: i watched that video cold, for instance
(03:10:32 PM) Manning: at first glance… it was just a bunch of guys getting shot up by a helicopter… no big deal… about two dozen more where that came from right… but something struck me as odd with the van thing… and also the fact it was being stored in a JAG officer’s directory… so i looked into it… eventually tracked down the date, and then the exact GPS co-ord… and i was like… ok, so thats what happened… cool… then i went to the regular internet… and it was still on my mind… so i typed into goog… the date, and the location… and then i see this
(03:11:07 PM) Manning: i kept that in my mind for weeks… probably a month and a half… before i forwarded it to [Wikileaks]
(03:11:54 PM) Manning: then there was the Finkel book
(03:12:16 PM) Manning: im almost certain he had a copy

Part 6

(03:38:07 PM) Manning: its not much of a pic, but here’s harry ponting the man who’s mission it is to sell the benefits of NCD throughout the State Department, Military, and IC
(03:38:18 PM) Manning: i feel terribly, terribly sorry for the guy :(
(03:39:17 PM) Manning: im not a bad person, i keep track of everything
(03:39:30 PM) Manning: i watch the whole thing unfold… from a distance
(03:40:07 PM) Manning: i read what everyone says… look at pictures… keep tabs… and feel for them
(03:40:18 PM) Manning: since im basically playing a vital role in their life
(03:40:29 PM) Manning: without ever meeting them
(03:40:53 PM) Manning: i was like that as an intelligence analyst as well
(03:41:09 PM) Lamo: i know the feeling, in a way.
(03:41:44 PM) Manning: most didnt care… but i knew, i was playing a role in the lives of hundreds of people, without them knowing them… but i cared, and kept track of some of the details, make sure everybody was okay
(03:42:07 PM) Manning: them knowing me
(03:43:27 PM) Manning: i dont think of myself as playing “god” or anything, because im not… im just playing my role for the moment… i dont control the way they react
(03:44:15 PM) Manning: there are far more people who do what i do, in state interest, on daily basis, and dont give a fuck
(03:45:01 PM) Manning: thats how i try to separate myself
(03:45:13 PM) Manning: from my (former) colleagues

