[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Conflicting Homework Explanations in Three Kaspersky Stories

There are now three versions of the Kaspersky story from yesterday, reporting that a TAO employee brought files home from work and used them on his laptop running Kaspersky AV, which ultimately led to Russia getting the files. I’m interested in the three different explanations for why he brought the files home.

WSJ says he brought them home “possibly to continue working beyond his normal office hours.”

People familiar with the matter said he is thought to have purposely taken home numerous documents and other materials from NSA headquarters, possibly to continue working beyond his normal office hours.

WaPo (which has been reporting on this guy since last November) says he brought files he was working on to replace ones burned by Snowden.

The employee had taken classified material home to work on it on his computer,

[snip]

The material the employee took included hacking tools he was helping to develop to replace others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter.

NYT says he brought files home to refer to as he worked on his resume.

Officials believe he took the material home — an egregious violation of agency rules and the law — because he wanted to refer to it as he worked on his résumé

While the WSJ and WaPo stories don’t conflict, they are different, with the poignant detail that NSA lost hacking files even as it tried to replace Snowden ones.

Meanwhile, none of these stories say this guy got any punishment besides removal from his job (from all his jobs? does he still work for the US government?). And while the NYT says prosecutors in Maryland are “handling” his case, they don’t believe he has been charged.

While federal prosecutors in Maryland are handling the case, the agency employee who took the documents home does not appear to have been charged.

But all of these stories go way too easy on this guy, as compared to the way sources would treat any other person (aside from James Cartwright) caught improperly handling classified information. As the WSJ makes clear, Admiral Rogers — not this guy — was supposed to lose his job as a result of this breach.

Then-Defense Secretary Ash Carter and then-Director of National Intelligence James Clapper pushed President Barack Obama to remove Adm. Rogers as NSA head, due in part to the number of data breaches on his watch, according to several officials familiar with the matter.

So I suspect there is a more complex story about why he had these files at home, if that’s in fact what he did.

Remember, NSA’s hackers don’t launch attacks sitting in Fort Meade. They launch the attacks from some other location. Both Shadow Brokers

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.

And WikiLeaks have said that’s how they got their US hacking files.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In other words, I suspect at least part of this story is an attempt to package this compromise (which is not the Shadow Brokers source, but may be the same method) in a way that doesn’t make the NSA look totally incompetent.

Update: In this thread, Jonathan Nichols points out that the Vulnerabilities Equities Process has a big loophole.

Vulnerabilities identified during the course of federally-sponsored open and unclassified research, whether in the public domain or at a government agency, FFRDC, National Lab, or other company doing work on behalf of the USG need not be put through the process. Information related to such vulnerabilities, however, does require notification to the Executive Secretariat, which shall notify process participants for purposes of general USG awareness.

That is, one way to avoid the VEP process altogether (and therefore potential notice to companies) is to conduct the research to develop the systems on unclassified systems. Which would be an especially big problem if you were running KAV.

Which might also explain why none of the stories explaining how this guy’s files got compromised make sense.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

13 replies
  1. lefty665 says:

    Section 793 paragraph (f) of the U.S. code makes mishandling of classified information a crime. Intent is intentionally not relevant. If this guy is not prosecuted, just as Hillary was not for violating the same statute, we have to wonder why we are not enforcing a law designed to encourage people to pay attention and safeguard classified information. It has been on the books for 50 years, it’s not a new concept.

    https://www.law.cornell.edu/uscode/text/18/793

    • greengiant says:

      Could be a catch-22 like the CIA files, if you classify it then you can not handle it and use it, if it’s not classified, then you can insert it. Certainly a possibility parts of the TAO were not classified for that reason. As EW writes, a lot of possibilities. I have speculated that a number of data sets and programs fall in the too secret or don’t want the hassle to be classified category.

    • Rugger9 says:

      What “classified info” did HRC personally mishandle that was actually classified at that time? That claim has been debunked thoroughly, and don’t think for a NY minute that IF HRC had actually done anything wrong that Gowdy, Nunes, Chaffetz, Issa, McTurtle, etc. as well as Trump and Sessions would not have filed something about it in court by now.

      The crickets are mighty loud on this claim. Only Republicans get freebies (Hi, Petraeus and Scooter!) on this kind of thing.

      • lefty665 says:

        TS/SCI including target approvals for drone strikes. Comey’s July ’16 statements made the case that she clearly and repeatedly violated 793(f). In describing her actions he used language that carefully paralleled the act’s wording. He then let her off (not his call as the investigator, but that’s another story) because he did not trip over intent. Mishandling classified information is the topic of 793(f), intent is excluded. It is not relevant to a charging decision under that section of the act.

        I understand they’re going to have to pry Hillary out of your cold dead fingers, but please recognize her warts. She’s got ’em, we all do. Email was not her finest hour, unless of course you like knowing it was mixed in with Wiener’s dick pics on his computer.

        • orionATL says:

          publish or list by name or date the e-mails, lefty.

          the charges you are recirculating are based on classification after-the-fact or on derived classification based on some content, not on actual classified documents with a stamp on top.

          put differently, you are mixing e-mails which reference information that has also been put in classified docs with e-mails of actual classified documents. those two categories are not equivalent.

          produce the documents, lefty, for us to see!

    • orionATL says:

      ah, lefty. back to your old habit. you remind me of a hyena pulling flesh from a decaying carcass.

      nothing demonstrates your malintent better than the fact that you had to twist your sentence to insert the gratuitous insult to clinton. watch.

      lefty writes, prior to gratuitous criticism of clinton:

      “… If this guy is not prosecuted…we have to wonder why we are not enforcing a law designed to encourage people to pay attention and safeguard classified information.”

      but then, to pull at the flesh one more time, lefty inserts this clause:

      “… , just as Hillary was not for violating the same statute,… ”

      creating a sentence that suddenly reads awkwardly:

      “… If this guy is not prosecuted, just as Hillary was not for violating the same statute, we have to wonder why we are not enforcing a law designed to encourage people to pay attention and safeguard classified information. …”

      but it’s a free country.

  2. SpaceLifeForm says:

    The attack on Kaspersky is clearly pure BS.
    As I noted months ago, some group does not like KAV because it actually does its job.
    The group is clear.

    But if you want to buy the BS, then do not use any Antivir at all. Because of how they work and how they *HAVE* to work. If you want to believe that KAV is not trustable, but say you want to trust Norton for example, well, just pick your poison of choice.

    An Antivir *increases* your attack surface because it has to have elevated privileges.

    https://www.schneier.com/essays/archives/2009/11/is_antivirus_dead.html

    [Over 4 years later, he ponders the same question]

    https://www.schneier.com/blog/archives/2014/05/is_antivirus_de_1.html

    https://arstechnica.com/information-technology/2015/06/stepson-of-stuxnet-stalked-kaspersky-for-months-tapped-iran-nuke-talks/

    https://eugene.kaspersky.com/2017/10/05/we-aggressively-protect-our-users-and-were-proud-of-it/

    • SpaceLifeForm says:

      From the 2015 Ars link:

      The company hasn’t ruled out the possibility the attackers obtained Kaspersky Lab source code, but there are no signs they tried to compromise any of Kaspersky’s 400 million users.

      [Explains why the offer from Kaspersky to allow the US government to view the source code was met by silence. Probably did not need to review it, they already had a copy]

      [And that is why the APT waits. Do not tip too early]

  3. bmaz says:

    That is a sweet comment. Would you be willing to put that in actual words the common reader can understand?

    Or is your act dependent on tech acronyms and bullshit that we can’t all understand?

    You seem to be at home here, so share your brilliance in real words with all of us instead of being oblique.
