Who Accessed the Rove Email Search on July 26, 2005?

As I explained in my last post, one of the documents turned over to CREW shows evidence of email searches done in 2004, presumably as part of the Plame investigation (and kudos, again, to WO for noticing these searches). Pages 44 through 46 show a search conducted on November 9, 2004 for Cooper and Rove and NSC emails. This search is almost certainly in response to a Fitzgerald request after Rove turned over his email to Hadley before he testified on October 15, 2004. Presumably, after Fitz got an email that hadn’t been turned over as evidence, he asked the White House to redo the search, which they got around to doing after making sure Bush won the election.

Interestingly, it appears there were almost no results for NSC files on July 14, 2003, the day Novak’s column came out.

There are two more interesting details about this search.


On the bottom of page 45, in the last column, it shows three files were last opened on different dates than others.

Two files named WHO_2003_0309_26272829.pst and WHO_2003_930+923.pst were both last opened on July 28, 2004. This was a search for email mentioning Matt Cooper, apparently.

And a file named Rove Final.pst was opened on July 26, 2005.

Now, as to the first two searches last opened in July 2004, they may have been searches done in response to Judge Hogan’s decision that Matt Cooper would have to testify. Or, just as likely, they might be searches in response to Colin Powell’s testimony on July 16; recall the story of a Principals meeting in late September at which the leak was discussed. But both of those stories would be weird: if the files were in preparation for Cooper’s testimony, then why search on September 23 and 30, specifically–particularly since both of those dates come after Cooper’s welfare article (for which Rove was a source) was published earlier in September? Alternately, if the search was a response to Powell’s testimony, then why focus on Cooper in particular? And were those files just renamed later that year when the more expansive searches were done?

Then there’s the other file: a search for Rove’s emails completed in November 2004, but last opened on July 26, 2005. That says the search was done, but someone went back to see what the search was. The file was opened a few weeks after Matt Cooper testified about the leak from Rove. It was also just days before Rove aides Susan Ralston and Israel Hernandez testified and was in the same month that Robert Luskin offered to have Rove testify again (for what would be the fourth time). Now it doesn’t make sense that the file would be opened in response to a Fitz request–presumably he already had that file, right? So did someone check that file to see what had come up in the search?

Also note–it was also around the same time that the ability to access the email server was discovered.

In mid-2005, prior to the discovery of the potential email issues, a critical security issue was identified and corrected. During this period it was discovered that the file servers and the file directories used to store the retained email .pst files were accessible by everyone on the EOP network.

So the file was available for anyone in the White House to look at.

The question is–who was looking?

30 replies
    • MadDog says:

      Remember in Barton Gellman’s Angler on page 189:

      …And then Bellinger found out something that, in three years as a top advisor to Rice, he had never known. Every time he wrote a memo to his boss, a blind copy was routed to the vice president’s office. Libby, according to one official, made the arrangement with Steve Hadley, Rice’s deputy…

      (My Bold)

      I’ve often tried to figure out just what this paragraph really meant.

      Did it mean that Hadley himself had “Systems Administrator” access to the Microsoft Exchange Server system used by the White House for their email, and was somehow able to configure it so that all the NSC staffers’ emails sent BCC (blind carbon copy) emails to the OVP?

      Did it mean that Hadley knew the folks in Office Administration (OA) who controlled the Microsoft Exchange Server system, and that they did Hadley the “favor”?

      Additionally, we should remember that there were in fact 2 separate email systems in use at the White House.

      One was the Microsoft Exchange Server system run by the OA folks for use by all White House staff.

      The other was a separate system used by National Security Council staff, for obvious security reasons, and controlled and managed by the White House Communications Agency (WHCA).

      The WHCA is primarily a military-staffed organization, and is lead by uniformed officers.

      I find it hard to believe that the WHCA could be influenced by Hadley to “compromise” their most Top Secret email security by sending copies of all NSC staff emails to the OVP.

      In any event, if Hadley himself had “Systems Administrator” access to the Microsoft Exchange Server system, that would suggest he also had sufficient technical computer expertise to go mucking around in the Outlook archive PST files.

      I’d always figured Addington for this role, but Hadley might fit too.

    • Leen says:

      I thought that announcement by El Baradei would have been all over the front pages of the MSMedias newspapers or airwaves…not

      • MadDog says:


        Note I did stop in yesterday evening for a bit, but it was mostly quiet.

        As to Thursday’s developments , I did have a really good excuse for my absence.

        I was attending a going away party for me on the occasion of my “early retirement”.

        I’m now officially retired free!

        Now I can inflict my presence on you and the Hotwheelers all day long! *vbg*

        • newtonusr says:

          Not renaming the joint “MadDog & emptywheel”, are you.

          OK, I am so terribly sorry for that…

              • MadDog says:

                …I guess with all the rain this summer the ’squitoes are making fishing a lot less interesting?

                Actually, here in the Twin Cities, all of the storms and rainfall for the last couple of months went either north or south of us, so almost no ’sqeets in the TCs.

                That isn’t the case moving north where all the really good lakes are, but I’ve yet to drop a line in those this season. Though I’ve got the maps spread out and picking ‘em now. *g*

  1. Rayne says:

    Damn, I’ve spent all afternoon/evening poking around with WaPo traffic stats and this place busts wide open!!

    MadDog (RETIRED!) — instead of admin level access, how about a distlist which looks like Rice’s internal email address? I seriously doubt any of the non-IT folks would have been given sysadmin status, no matter who the contractor might be which handled directory and access issues.

    • MadDog says:

      Yes, Free, Free at last! *g*

      …instead of admin level access, how about a distlist which looks like Rice’s internal email address? I seriously doubt any of the non-IT folks would have been given sysadmin status, no matter who the contractor might be which handled directory and access issues.

      A couple things jump out at me:

      1. With Outlook/Exchange Server, the sender controls the BCC (blind carbon copy) function. I’m willing to admit that this could be hard-coded, and made invisible to the sender, but some sneaky programmer-type would have to had admin level access to do it, and Hadley (or Libby or Addington) would have to have involved said sneaky programmer thereby leaving tracks/witnesses to “breach of security” fookin’ felonies.

      That is, unless PapaDick was waving his magic pixie dust wand again.

      2. Remember that the NSC staffers totaled a whole bunch of folks (hundreds to a thousand?), and it wouldn’t have been just Bellinger that the OVP would want to monitor.

      How about Rice herself? And a whole lot of other NSC folks. Thus, a BCC to OVP monitoring operation would tend to generate a ton of emails to review. I wonder just who in the OVP got that assignment?

      • Rayne says:

        They could have simply asked whichever mystery contractor had access to the backend of the system — especially since it was wide, wide open — to create the distlist-cum-email-account.

        Here’s another, perhaps better variant to consider, and one you may recognize from other situations. Let’s say that there is a “conversion” between two different email systems, the EOP-OA system and the WHCA-NSC system; persons emailing Rice’s address on the EOP side would not notice anything unusual about her account.

        But all mail to that address is intercepted, duplicated and routed with one copy to the WHCA-NSC system, the other to OVP. It could be completely transparent to persons at either end of the email system.

        The tactic is called a kingpin or man-in-the-middle. Sound familiar?

        • MadDog says:

          And I’m still wondering who in the OVP got to be the recipient of these BCC emails of NSC staffers.

          Got to be either or both Libby and Addington, and I bet they printed out the hot ones for PapaDick.

          • readerOfTeaLeaves says:

            Yeah, it made me wonder, “Who got tasked with reading all those emails…?” Maybe Eric Edelman? He was quoted in ‘Angler’ as the guy who was reading NSA intercepts of Richard Haass, who was talking to someone **in Dubai** about finding ‘common ground’ with the Iranians when OVP intercepted him.

            But on a related topic, at least as far back as 2003, on numerous occasions someone remoted my machine(s) for one thing or another. It seems entirely possible that a machine could have been ‘remoted’; maybe someone was sitting in [name your world capital here] ‘remoting’ in to the WH/OVP files and directories?

            But why is everyone assuming that someone inside OVP was opening and massaging files? It’s true that it could have been someone inside the US government doing this kind of background, out-of-sight ‘research’, but it could just as well be some other entity screwing with files, no…?
            It seems like a fair guess that it was some Israeli, or Russian, or Chinese, or punk kid who found their way inside the firewall. Or some rogue NSA group?

            And was someone tampering with evidence?
            Or was Rove trying to ferret out what someone else had told the grand jury, so that he could give a similar version of the story and thereby save his ass?

            If it ties in with the Ghorabanifar Timeline, we’d have these two data points:

            May 3, 2005: Franklin charged with espionage in sealed complaint

            August 2005: Feith leaves DOD

  2. iceAxe says:

    Interestingly, it appears there were almost no results for NSC files on July 14, 2003, the day Novak’s column came out


    If memory serves, that was either the first day back from Africa trip or the day after, i.e. Fleischer’s last day.

    Did it mean that Hadley himself had “Systems Administrator” access

    This is almost certainly the case. Cheney’s office, i.e. Libby used Hadley to bypass Rice. NSC technically had (has) responsibility for vetting presidential speeches,but pre-invasion, Cheney was micro-managing everything. Richard Clarke has said Libby gave Powell a ’sample speech’, “the kind of speech the [the White House] would like you to give at the U.N.” and Libby and Rove wrote Tenet’s statement in response to the furor over the SoTU bogus Niger claims. The infamous Cincinnati speech before the SoTU was almost certainly written by Libby and passed through Hadley to CIA. When the ’speechwriter’ at the WH kept refusing to remove the Niger references, Tenet finally intervened personally and called Hadley to insist. Hadley is a heavy hitter who’s flown largely under the radar compared to others. He worked for Wolfowitz and Cheney at the Pentagon, and as counsel to the Tower Commission.

    As far as “remoting” to behind Capitol Hill firewalls, security is a joke in that regard. Private vendors who work on congressional IT projects have VPN access and work directly with HIR’s proprietary code base.

    • emptywheel says:


      “Rove and Libby” did not write Tenet’s statement in response to teh SOTU claim.

      Libby was involved, as was Hadley and Cheney, but ultimately Mclaughlin and Tenet wrote it (by all appearances Rove was not involved). The day it went out, Cheney declared it “unacceptable.”

      All of this was introduced as evidence at the trial.

      The claim that Rove was involved appears to have been part of Rove’s disinformation campaign during the summer 2005.

    • Rayne says:

      I’ll reiterate my strong doubt that any IT person would ever grant a non-IT person administrative access. This just isn’t done, especially in settings like the White House. It would be far more likely that Hadley was a point person who contacted IT personnel or contractors to make changes to the system, whether those persons are on site or remote.

      Hadley rubbed shoulders with former Booz Allen Hamilton folks all the time (like ret. Adm. John McConnell and James Woolsey); BAH also worked closely with contractors like Lockheed-Martin, whom Hadley once represented as a lobbyist. It was very incestuous and likely easy for Hadley to simply snap his fingers and tell one of the BAH-selected contractors to get him what he wanted in the way of IT services.

        • Rayne says:

          Well, no need to do all that nasty, time-consuming administrative security stuff if the back door is left wide, wide open. Any contractor can enter and do the work immediately, and they probably have some sort of wink-wink-nod understanding of how to operate without stepping on each other’s toes since the same contract personnel will likely shift from one subcontractor/employer to another while the master contract between the administration and the main contractor remains in place and unchanged.

          So BAH specs out the contractors which do the work, employs other subcontractors on an as-needed basis, and there may be little difference between the contractors and subs.

          Look at the info about Chenega in thread upstairs; guess which firms subcontract telecom/IT infrastructure/data work to Chenega? You’ll be able to spit out the names quite readily.

    • Rayne says:

      If I gave you administrative access to my blog, you could get into the backend. But it would not assure that you have the ability to safely use the right utilities/applications to make changes at code level without detection, and without crashing the system, particularly during production hours.

      For the same reasons Hadley himself would not get administrative access. He doesn’t know jack about IT and would be a fricking danger to himself and the entire organization if left to his own devices to make the changes we’re talking about. But given the wide-open nature of the system, Hadley only has to call a friendly contractor/subcontractor and ask them to do it; the contractor or sub already has all the clearance and access they need to get it done, and Hadley has all the authority he needs based on his role.

      We just can’t wrap up a ribbon and tie a bow on Hadley about this, though, because this surely took at least one other point of contact to get it done.

  3. rincewind says:

    WRT Bellinger’s email to Rice and Hadley sending ‘em to OVP — I’m pretty clueless about Outlook, but some years back when I HAD to use it for a client, I seem to recall being able to set a “rule” to automatically ‘redirect’ or ‘forward’ mail from that account to my regular email, yet still keep the original in Outlook? Wouldn’t that be invisible to Bellinger, and maybe even to Rice if she didn’t bother to look at her options/rules? Hadley might even have told her he was setting up her email to automatically forward to HIM (”for her convenience”) in case she noticed mail being forwarded?

Comments are closed.