Contractors


Internet Cats, Weaponized: US Defense Contractor Consulted on Targeted Network Injection Surveillance for Commercial Sales Abroad

[photo: liebeslakritze via Flickr]

First, a caveat: I would not click on the links embedded in the story I’m recommending (I’m this || close to swearing off embedded links forever). I don’t trust traffic to them not to be monitored or exploited.

But as Jeremy Scahill tweeted last evening, read this piece by WaPo's Barton Gellman on malicious code insertion. This news explains recent changes Google made to YouTube once it was disclosed to the company that exploits could be embedded in video content, as CitizenLab.org explains:

“… the appliance exploits YouTube users by injecting malicious HTML-FLASH into the video stream. …”
“… the user (watching a cute cat video) is represented by the laptop, and YouTube is represented by the server farm full of digital cats. You can observe our attacker using a network injection appliance and subverting the beloved pastime of watching cute animal videos on YouTube. …”

The questions this piece shakes loose are legion, but just as numerous are the holes. Why holes? Because the answers are ugly and complex enough that one might struggle with them. Gellman's done the best he can with nebulous material.

An interesting datapoint in the first graf of the story is timing — fall 2009.

You’ll recall that Google revealed the existence of a cyber attack code named Operation Aurora in January 2010, which Google said began in mid-December 2009.

You may also recall news of a large batch of cyber attacks in July of 2009 on South Korean targets.

The U.S. military had already experienced a massive uptick in cyber attacks in 1H2009, more than double the rate of the entire previous year.

And neatly sandwiched between these waves and events is a visit by an engineer from California defense contractor CloudShield Technologies to Munich, Germany, with British-owned Gamma Group.

Bengh– Blackwater!

You should definitely read the James Risen story describing how the head of Blackwater's operations in Iraq threatened to kill an investigator into the company's practices in the period before the Nisour Square shooting. It confirms every concern that has been raised about mercenaries generally and Blackwater specifically.

But I want to look at the frame Risen gave the story, which I suspect few will read closely.

His memo and other newly disclosed State Department documents make clear that the department was alerted to serious problems involving Blackwater and its government overseers before the Nisour Square shooting, which outraged Iraqis and deepened resentment over the United States’ presence in the country.

[snip]

Condoleezza Rice, then the secretary of state, named a special panel to examine the Nisour Square episode and recommend reforms, but the panel never interviewed Mr. Richter or Mr. Thomas.

Patrick Kennedy, the State Department official who led the special panel, told reporters on Oct. 23, 2007, that the panel had not found any communications from the embassy in Baghdad before the Nisour Square shooting that raised concerns about contractor conduct.

“We interviewed a large number of individuals,” Mr. Kennedy said. “We did not find any, I think, significant pattern of incidents that had not — that the embassy had suppressed in any way.”

The reason this is coming out — aside from the fact the government is trying to try the Nisour Square killers again — is to show that contrary to what Patrick Kennedy said after having done a review of security practices in 2007, there had been a pattern of incidents, and they had been suppressed by the Embassy.

Now consider how that reflects on the GOP’s second favorite scandal, Benghazi. Not only was Kennedy the key judge about the events leading up to that event (which is normal — he’s been a key player in State for a very long time; I’m beginning to believe he’s State’s institutional defender in the same way David Margolis was at DOJ), but the question of security oversight is important there: Blue Mountain Group appears to have done its job inadequately (and there are some sketchy things about its contract and contractors).

Benghazi is actually not a bigger scandal than that State suppressed knowledge of Blackwater’s problems. But there does seem to be continuity.

New & Improved USA Freedumb Act, with Twice the Contractors Compensated

Somewhere Booz Allen Hamilton Vice Chairman (and former NSA Director) Mike McConnell just said, “Ka-Ching.”

As I noted, the initial manager’s amendment of HR 3361 (AKA USA Freedumb Act) added compensation language to Section 215 that didn’t originally exist.

(j) COMPENSATION.—The Government shall compensate, at the prevailing rate, a person for producing tangible things or providing information, facilities, or assistance in accordance with an order issued or an emergency production required under this section.

In this latest iteration, the compensation has been expanded beyond just the telecoms to anyone else who assists.

(j) COMPENSATION.—The Government shall compensate a person for reasonable expenses incurred for—

(1) producing tangible things or providing information, facilities, or assistance in accordance with an order issued with respect to an application described in subsection (b)(2)(C) or an emergency production under subsection (i) that, to comply with subsection (i)(1)(D), requires an application described in subsection (b)(2)(C); or

(2) otherwise providing technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

There's reason to believe that contractors (AKA Booz!) do some of the triage work on the data currently. So one solution to that problem might be to move those Booz contractors, with their direct access to the raw data of Americans, over to Verizon and AT&T.

Because why shouldn’t NSA contractors be in bed together, wallowing in all your raw data.

Glad to see this bill is improving intelligence contractors' bottom line, even if it doesn't improve the dragnet.

Unread Reports as the Big Data Dump? Not Really.

The very same week the President released his breathless report on Big! Data!, the Washington Post has a story criticizing the sheer number and types of reports Congress requires from the Federal bureaucracy.

It started out with a good idea. Legislators wanted to know more about the bureaucracy working beneath them. So they turned to a tool as old as bureaucracy itself — the interoffice memo. They asked agencies to send in written reports about specific things they were doing.

Then, as happens in government, that good idea was overused until it became a bad one.

[snip]

But as the numbers got bigger, Congress started to lose track. It overwhelmed itself. Today, Congress is not even sure how many of those 4,291 reports are actually turned in. And it does not try to save copies of all the ones that are.

So some agencies cheat and send in nothing. And others waste time and money sending in reports — such as the one on dog and cat fur — that simply disappear into the void.

To support its case, WaPo focuses on one report requiring Customs and Border Protection to report on how much dog and cat fur product is being shipped into the US, which is probably a needless report (which is also probably why WaPo picked it out of the 4,291 it identified).

And WaPo — a member of the Fourth Estate that purportedly serves as a check on power — comes to this very dangerous conclusion.

The problem is that there is no system to sort the good ones from the useless ones. They all flow in together, which makes it hard for congressional staffers to spot any valuable information hidden in the flood.

First, the press is part of that system! Rather than throwing cat and dog fur, perhaps WaPo could have tried to distinguish those reports that are critical from those that are questionable and those that are clearly frivolous.

Moreover, it is the height of irresponsibility to absolve Congressional staffers — whose bosses are the only ones that can eliminate useless reports — of responsibility for reading the reports they get. Either the staffers must be held accountable for reading the reports, or for eliminating them. That’s how you fix the system. That’s why we’re paying them.

Ultimately, too, I’m not sure I buy the WaPo’s argument that these are useless reports. 4,291 seems like a not unreasonable amount of data for legislators to receive and read about the world’s biggest (perhaps now second biggest) economy, about DOD’s $526 billion budget, about the many federal benefit programs, about the expanding police state.

And if you look at the actual list (rather than WaPo’s admittedly snazzy but not very informative infographic on them), many — perhaps even most — of the reports make a lot of sense.

Consider the reports listed for General Services Administration, an entity with an annual budget of $26 billion, which has the ability to effect great change as the source of enormous spending, and one that has routinely experienced significant spending scandals.

  1. Activities and status of advisory committees in existence during the previous calendar year
  2. A report on the status of the high-performance green building initiatives under this subtitle
  3. Administration’s alternative fueled vehicle program
  4. A description of lost opportunities for waste-heat recovery from the project described in paragraph (A)
  5. A report on the use of photovoltaic energy in public buildings
  6. Violations by Federal agencies of Federal Records Act of 1950, as codified 1950
  7. Reports by Inspector General of particularly serious or flagrant problems, abuses, or deficiencies in the administration of programs and operations of the agency
  8. Activities of the Inspector General
  9. Accessibility to public buildings by the physically handicapped
  10. Prospectus proposing a building project or lease
  11. Location, space, cost, and status of each public building, the construction, alteration, or acquisition of which is to be under authority of the Act, and which was uncompleted as of the date requested
  12. Building project surveys as requested by either the Senate or House
  13. Use of underutilized public buildings and property for facilities to assist the homeless
  14. Summary of excess property disposal reports
  15. Evaluation of the operation of programs for donation of Federal surplus personal property; excess personal property transferred
  16. Excessive stocking of property, above reasonable inventory levels, by executive agencies
  17. Administration of the Federal Property and Administrative Services Act of 1949
  18. Contracts to facilitate the national defense entered into, amended, or modified
  19. Acquisition cost of surplus real or related personal property conveyed for care or rehabilitation of criminal offenders during previous fiscal year
  20. Results of investigations of the cost of travel and the operation of privately owned vehicles to Federal employees while engaged in official business
  21. Annual determination of the average actual cost per mile for the use of a privately owned motorcycle, automobile, and airplane
  22. A plan to comply with Section 432 relating to energy and water conservation at General Services Administration facilities

Reports 1, 6, 7, 8, 10, 11, 12, 17, and 18 are simply reports Congress needs to ask for to ensure there's some visibility into the Agency, to ensure they'll be informed if GSA finds something wrong itself. Reports 2, 3, 4, 5, 9, 13, 14, 19, and 22 measure the efficacy of efforts to use GSA's buying power to do some social good (and report 9, on ADA accessibility, involves significant legal compliance). Reports 15 and 16 address an area susceptible to graft. Reports 20 and 21 are not only key to cost-benefit analysis of how Federal employees travel, but they apparently are tied to one of GSA's most requested links. Some of these are also reports tied to an action, like buying a building. And all that amounts to less than 1 report for every $1 billion American taxpayers give to GSA. If anything, there are a few more reports that might identify obviously politicized or excessive spending, which is a persistent problem with GSA, that are missing.

Admittedly, that’s just one random agency. But aside from some entities the Federal government runs itself (like American Samoa and DC) as well as some Commissions over which there have been political fights in the past I’m not seeing a whole lot of waste here — though there may be some inefficiency in how the information is requested. I might grant that in the era of big data we need to automate this — in effect, give Congress a better way to Big! Data! the bureaucracies it oversees (though that would be awfully susceptible to abuse), but I don’t see a lot of information that shouldn’t be required from the bureaucracy.

I’m reminded how, 2 years ago, James Clapper claimed ODNI had to produce too many reports and should be permitted to eliminate 30 of them. He tried to get rid of the annual report on how many people have security clearance (one of the few ways we can measure the ballooning secret government). He tried to get rid of reports on Department of Homeland Security’s notoriously useless intelligence agency. He tried to eliminate reports on Chinese spying on the US and nuclear lab security, both persistent security issues. He tried to eliminate a report informing Congress what the privacy staffs of intelligence agencies are doing. In short, in the guise of onerous reporting, he tried to eliminate crucial oversight  (as well as a paper trail that could be FOIAed) on several areas of great public concern.

Or consider this: DOD cannot pass an audit. The biggest military in the world still is not required to account for the money it spends, both to itself and Congress.

And yet a newspaper is saying we require too much reporting from the great big bureaucracy?

I don’t buy it.

A Key Part of RuppRoge’s Fake Dragnet Fix Reform: Pay the Telecoms

Here's an interesting "reform" in RuppRoge's Fake Dragnet Fix. It pays the telecoms.

COMPENSATION AND ASSISTANCE.–The Government shall compensate, at the prevailing rate, an electronic communications service provider for providing records in accordance with directives issued pursuant to [their bill].

Section 215 does not include such a payment provision. And while the first two phone dragnet orders included provision for such payments, that was probably illegal.

Don’t get me wrong. I’m sure the government has found some way to pay the telecoms, either through added payments for AT&T’s Hemisphere program or gifts in kind. (Though given the timing of DOJ’s suit against Sprint for over-billing, I do wonder whether the government is retaliating for something.) Telecoms don’t spy for free, so I’m sure they’ve been getting paid, illegally, for the last 8 years of dragnet spying they’ve been doing.

But the lack of such provision in Section 215 should have limited the scope of the dragnet. It should have required that requests be so narrow no telecom was going to send big bills to the government every month. And it presumably made the telecoms (well, except for AT&T, which never met a spying request it didn’t love) less willing to interpret orders from the government expansively.

The inclusion of such a compensation clause in the RuppRoge “reform” makes it even more likely this dragnet will expand with the now well-oiled willingness of the telecoms to go above and beyond the letter of the request.

Which is presumably just how the NSA wants it to be.

America’s $1 Trillion Target Barge

The NYT has a story about a mock US aircraft carrier Iran is building, its sources say, so Iran can blow it up for the propaganda value.

Iran is building a nonworking mock-up of an American nuclear-powered aircraft carrier that United States officials say may be intended to be blown up for propaganda value.

This has set off chatter about how weird and dumb Iran is for building this giant toy boat, which US sources call the Target Barge.

But pretty soon after I started reading the article I found myself applying the phrases in it to America’s F-35 program which, in many ways, is an even bigger propaganda prop. See how it looks when you swap out Iran’s barge for the F-35?

Intelligence officials do not believe that the US is capable of building an actual F-35.

"Based on our observations, this is not a functioning plane; it's a large spending program built to look like a plane," said Cmdr. Jason Salata, a spokesman for the Navy's Fifth Fleet in Bahrain, across the Persian Gulf from Lockheed. "We're not sure what the US hopes to gain by building this. If it is a big propaganda piece, to what end?"

[snip]

“It is not surprising that American military forces might use a variety of tactics — including military deception tactics — to strategically communicate and possibly demonstrate their resolve in air power,” said a Chinese official who has closely followed the construction of the F-35.

[snip]

[T]he Pentagon has taken no steps to cloak from prying Chinese hackers what it is building in pork-laden building sites across several countries. “The system is often too opaque to understand who hatched this idea, and whether it was endorsed at the highest levels,” said Karim Sadjadpour, an American expert at the Carnegie Endowment for International Peace.

See what I mean?

Opacity of purpose.

Failure to provide adequate security.

Probable impossibility to bring to completion.

Abundant propaganda.

I’m not all that sure what distinguishes the F-35 except the cost: Surely Iran hasn’t spent the equivalent of a trillion dollars — which is what we’ll spend on the F-35 when it’s all said and done — to build its fake boat.

So which country is crazier: Iran, for building a fake boat, or the US for funding a never-ending jet program?

Contractors Already Have Access to the Phone Dragnet

In today's HJC hearing on the NSA, there was extensive discussion about the risks of outsourcing the dragnet to the telecoms or, especially, to a third party holding all the data. It's a concern I share.

That said, not a single person at the hearing seemed to be aware of this footnote, which has been in the phone dragnet primary orders since at least last April.

5 For purposes of this Order, “National Security Agency” and “NSA personnel” are defined as any employees of the National Security Agency/Central Security Service (“NSA/CSS” or “NSA”) and any other personnel engaged in Signals Intelligence (SIGINT) operations authorized pursuant to FISA if such operations are executed under the direction, authority, or control of the Director, NSA/Chief, CSS (DIRNSA).

If this language left any doubt that it permits contractors to directly query the database of every single phone-based relationship in the US, this language from Dianne Feinstein's Fake FISA Fix bill report (which aims to codify the status quo) should eliminate it.

The Committee believes that, to the greatest extent practicable, all queries conducted to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.

Contractors already have access to the dragnet.

If it presents a security threat to have contractors from Booz Allen Hamilton or some other intelligence contractor have direct access to the dragnet, then we need to shut the dragnet down.

Because they’ve already got it.

Weep for the Spurned Billion Dollar Mercenary!

In what is sure to be some interesting book publicity, Erik Prince has gone sobbing to the WSJ about the shoddy treatment he got from the government that paid him billions. In the piece, he reveals new details about some of the operations CIA paid him to do, including the kill team training first revealed in 2009.

A chief target of Mr. Prince’s ire is Mr. Panetta, who in 2009 shut down the covert training operation for CIA “hit teams” that former Blackwater officials said took place on Mr. Prince’s Virginia property.

The CIA had been sending officers for training at Blackwater’s North Carolina training facility. But it wanted something closer to its Langley, Va., headquarters, former company officials said. So they asked Mr. Prince to build a small shooting range on his rural Virginia land.

“They needed a place that was only 35 minutes away from work,” said Gary Jackson, the former Blackwater president. “Erik was OK with that, and he has the property, and we had the money.” The trainings, including live-fire exercises, drew some complaints over the years from neighbors, Mr. Jackson said.

[snip]

When that information became public in 2009, right after Mr. Panetta canceled the Blackwater hit-team training, the CIA director ended the company’s role in maintaining the drones.

Mr. Prince said he is convinced that Mr. Panetta outed him as a CIA “asset” at a closed congressional hearing that year, adding that it was unthinkable for a CIA director to reveal the real name of a covert operative to lawmakers.

[snip]

“No one was out to scapegoat anyone in the relationship with Blackwater, but there were some issues that arose that prompted a serious look at contracts with the company,” said one former CIA official involved in the discussions. “There was a perception that they were trying to run some of their own operations untethered from agency oversight.” [my emphasis]

Only the last bit is really new (though it is suggested in a profile of the mafia hitman involved in the program).

But remember, the real point is not that Panetta outed Prince to the House Intelligence Committee, it's that he briefed these "programs" at all. According to Jan Schakowsky, under Cheney, Blackwater had been working directly with the White House on counterterrorism policy (which makes sense, since Cofer Black came up with that policy in the first place).

I'm reminded, by the way, that Barbara Mikulski told John Brennan that Panetta was the only CIA Director who didn't "jerk around" the intelligence committees.

Imagine how sad Prince must be that his mercenary company, which had begun running its own operations, got cut off once Congress actually learned about it!

DiFi Fake FISA Fix Explicitly Allows Contractors to Conduct Suspicionless Searches on US Person Data

The Senate Intelligence Committee has released its report on DiFi’s Fake FISA Fix. The report makes it clearer than ever that this is not at all an improvement, but rather an attempt to use the Snowden leaks as an opportunity to make the spying programs explicitly worse, which I’ll explain at more length later.

Just as an example, however, take a look at what they do with back door searches. As I explained here, the bill describes new reporting for a tiny fraction of back door searches, those that search on a US identifier as content, presumably to trick people into thinking that does anything for the vast majority of back door searches on US identifiers as metadata (DiFi's staffers all but admitted that, anonymously, here). Thus, it provides new reports for a tiny fraction of this practice, while allowing the vast majority of such searches, including the far more intrusive ones, to go on with no reporting requirements. And since I laid that out, NSA General Counsel Raj De and DNI General Counsel Robert Litt made it clear that NSA does not currently require even Reasonable Articulable Suspicion to search any content collected incidentally.

Here’s what the report adds to that, explicitly.

The Committee believes that, to the greatest extent practicable, all queries conducted to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.

The NSA just had a contractor walk off with unbelievable amounts of data.

And the Senate Intelligence Committee's response to that is to explicitly give contractors the authority to conduct suspicionless searches through vast quantities of data, to access and read the content of US person data, with no reporting requirements.

I guess when they named this the “intelligence” committee they were just making an elaborate joke.

(Note: Snoopdidoo had some more observations on the report in comments to this thread.)

The USAID vs SIGAR Pissing Contest

Reuters has a riveting exclusive today, based on a treasure trove of documents handed to them, reporting on documentation that a contractor involved in USAID highway construction in Afghanistan is employing a subcontractor who is a member of the Haqqani network:

Much of the evidence against Zadran is classified, but the cache of documents given to Reuters by U.S. officials on condition of anonymity show that he has close business ties with the Haqqani network’s leader, Sirajuddin Haqqani.

The Haqqanis, Islamist insurgents who operate on both sides of the Afghanistan-Pakistan border, are believed to have introduced suicide bombing into Afghanistan.

The links between Zadran and the insurgency include him teaming up with Saadullah Khan and Brothers Engineering and Construction Company (SKB), believed to be one of Sirajuddin Haqqani’s companies.

Together they won a $15 million contract to help build a road between the towns of Gardez and Khost in Afghanistan’s east for the U.S. Agency for International Development (USAID) in 2011.

“The owners of these companies are facilitators and commanders of the Haqqani Network,” one U.S. government memorandum says.

This problem fits into the overall work that SIGAR has been doing recently in which they comment on the lack of control and auditing on funds once they are turned over from USAID and other agencies to the Afghan government for disbursement. And huge amounts of money are involved:

The inability over many years to stop firms believed to be supporting the insurgency from winning multi-million-dollar contracts exposes the lack of control that donors have over cash once it is handed over to the Afghan government.

Those transfers make up an increasing proportion of aid. U.S. federal agencies want more than $10.7 billion for reconstruction programs in 2014, SIGAR says, and the government has promised at least half will be granted directly to Afghan institutions to spend as they see fit.

SIGAR has clearly upset a number of folks with their work on this front. Back on October 10, the Atlantic carried a hit piece against SIGAR (I owe Marcy a huge thank you for alerting me to the article) in which we are supposed to believe that USAID has built a public health system in Afghanistan that in just a few years has added 20 years to life expectancy while dropping child mortality by half. And the article would have us believe that this wonderful new system is at risk of being shut down because of SIGAR’s campaign against funds being disbursed by the Afghan government without an audit trail:

John Sopko is the U.S. government’s chief auditor for Afghanistan and a former prosecutor with years of experience on Capitol Hill. In September, Sopko’s office—the Special Inspector General for Afghanistan Reconstruction, or SIGAR—issued a report calling for the suspension of USAID’s $236 million in aid for basic health care in Afghanistan.

Why shut down such a successful program? The short answer is that SIGAR’s is a peculiar concept of caution.

Strikingly, the auditors’ report calling for the funding freeze for the health program doesn’t claim any evidence of serious fraud or waste. Instead, it raises hypothetical concerns about the Afghan government’s ability to manage aid money well, including evidence that some salaries were paid in cash, as well as the absence of double entry bookkeeping.

There is a huge problem with the underlying premise of "such a successful program", though. It is fabricated bullshit. Here is how the hit piece frames its argument on the successes:
