A former CIA intelligence officer who is suspected by the government of leaking classified information to WikiLeaks appears to have uploaded at least some CIA-related source code to a personal website linked to his real name, files reviewed by Motherboard show. For years, the site was available to anyone on the internet and the server that hosted it was seized by the government in an ongoing child pornography case against him.
Quite simply, Schulte has some of the worst opsec and messiest online presence of anyone I’ve ever reported on. The amount of sensitive personal information he uploaded to a publicly available website while employed by the CIA is mind-boggling.
Last year, the FBI raided Joshua Schulte’s Manhattan apartment with a search warrant that apparently tied him to leaking the CIA’s “Vault 7” files to WikiLeaks. But he has not been charged with mishandling classified information; instead, the feds found more than 10,000 images of child porn on an encrypted virtual machine on his personal computer. We don't yet know if the government has enough evidence to charge Schulte with any national security-related crimes, and he is innocent until proven guilty on the child porn charges.
However, it's worth pointing out that regardless of whether he leaked classified information to WikiLeaks or is guilty of any crime, he was sloppy in a way that we'd probably prefer intelligence officials with security clearances to not be.
The Daily Beast reported Wednesday that Schulte posted snippets of CIA code—called OSB Project Wizard—to his GitHub account in 2013, before it was posted to WikiLeaks. The government’s complaint also notes that it seized a server that hosted a website called “The Crypt.” The Crypt was a series of open directories that an IRC group Schulte was a part of used to store files.
A version of The Crypt hosted by the Internet Archive's Wayback Machine shows that, in February 2014, Schulte uploaded at least five copies of Project Wizard to the site, which was available on the public internet and was not password protected; its contents could be accessed by anyone who had the URL. As the Daily Beast noted, it is unknown whether Schulte wrote the code for Project Wizard in his free time and brought it to the CIA, took it from the CIA and uploaded it to public channels, or otherwise obtained it and uploaded it to both The Crypt and Github.
The government’s criminal complaint says that Schulte went by “Josh” on The Crypt, but it doesn’t take a computer forensics investigator to learn suss out that Schulte was the person who uploaded content there. Schulte used the Crypt like one might use their own personal hard drive or Google Drive, except it was available—and remains available in various archived forms—to literally anyone on the internet.
Schulte’s website allows us to easily connect many of his online personas and accounts to his real identity, discern his politics, his places of residence, and identify his friends and family members. This all came from someone who should, in theory, know better as someone who had access to highly sensitive information.
In addition to Project Wizard, Schulte also uploaded screenshots of his Gmail inbox, which have his name as well as emails that show information about his bank, his OKCupid account, his cell phone provider, his friends’ and families’ names, and more.
There’s a selfie he took of himself holding a “FUCK OBAMA” pint glass, and a shirtless mirror selfie he took in a hotel bathroom. There’s a folder called “facebook_convos” that are just a series of screenshots of him beefing with his Facebook friends and family about politics. He uploaded a resume, group projects and homework from college, and design files for a 3D printed gun called "The Liberator."
There are narrated video tours of the inside of his house, screenshots of emails he sent to activists advocating for concealed handgun carry permits in Texas, saved IRC chats of "Josh" saying the n-word over and over, and yet more screenshots of his Gmail inbox, which—in the same screenshot—prove that we are looking at “Joshua Schulte’s” inbox and also reveal the pseudonym he used on several different websites. Other files he uploaded tie this pseudonym to a Blogger where he wrote extensively about his libertarian politics. The pseudonym is also present in logged-in screenshots he took of an online quiz that tested his “Brain Performance Index” on a site called Lumosity; he also uploaded a screenshot of the score he got on a MENSA practice test.
On his Blogger, he writes extensively about “the naive left,” excerpts extensively from Ayn Rand’s Atlas Shrugged, and writes that universal healthcare is a privilege (“Do not allow the looters to spread their filth, and contaminate everything they touch; this is just the beginning. Why do we have a right to a service? Who are we to demand that the doctors exist for our own need? The thought is utterly despicable.”)
In another post, he writes that “pornography promotes freedom of speech and liberty.”
It’s worth reiterating that Schulte’s apartment was raided for probable cause of committing the crime of leaking information, but that he was arrested because FBI agents stumbled upon more than 10,000 images of child porn on his personal computer. They were able to access the encrypted portion of his computer where he stored it because he reused a password from his bank account. “Don’t reuse passwords” is among the most basic cybersecurity rules that exist; that “security through obscurity” is not effective has been a tenet of information security dating back to the 1800s.
It’s easy to pile on after someone’s personal website is exposed in a criminal complaint. Clearly, Schulte didn’t intend for his personal website to become widely disseminated. But Schulte had access to—and is suspected of leaking—classified information and dangerous and powerful hacking tools, which are now in the wild for anybody to use. It’s worth remembering that any power we allow the NSA or CIA to develop is a power that will inevitably be given to people like Schulte.