Last Updated on January 11, 2022 by Dave Farquhar
The Bradley Manning verdict came out this week, and the less I say about Manning himself the better, but one thing in the press coverage definitely bothered me, and I want to set that straight.
The prosecution attempted to tie him to Julian Assange, saying he coached Manning on the use of “hacking tool wget.”
Wget isn’t a hacking tool.
Wget is, basically, a command-line web browser. It’s most useful on machines that for whatever reason can’t have a full web browser on them, but sometimes have to download things, such as software patches, off the web. I’ve used it for exactly that many times. It’s also useful for scripts. I’ve had instances where I needed to collect data, and the only convenient way to export it was over http–not my decision, so don’t ask–so I used wget in a script to pull them in.
I’ve used it to fix WordPress web sites when things went horribly wrong, even.
For whatever reason, on long downloads, it’s frequently more reliable than using a standard web browser, and it’s better about resuming a failed download. It seems to be smarter about retrying over a bad link than standard web browsers are. That made it handy years ago for pulling down things like service packs. Internet connections are less dodgy now than they were then, so you may not notice the difference now, but I sure did in the middle of the previous decade.
It’s also sometimes used to mirror web sites. That’s probably what Manning used it for. But that’s not a hacking tool. Manning had access to all of the data he was pulling down. It was part of his job at the time. Where the model broke down was the lack of adequate data loss protection on the network Manning was using. Wget probably wasn’t supposed to be on his classified workstation, but why wasn’t that enforced with a whitelist? Worse yet, why was he allowed to write that downloaded data to his optical drive? Why did he have a writeable drive at all?
Manning could have done everything he did with or without wget. Without it, it just would have taken longer to do. He didn’t have to hack anything–the only thing stopping him from doing what he did was the threat of spending a few decades in Leavenworth.
Up until Manning, the threat of prison was enough. Eventually, that threat always ceases to be enough, which is when you have to put real preventative controls in place.
But if you want to think I’m really l337 because I know how to use wget, I guess that’s your right.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.