[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

18 USC 793e in the Time of Shadow Brokers and Donald Trump

Late last year, a Foreign Affairs article by former Principal Deputy Director of National Intelligence Sue Gordon and former DOD Chief of Staff Eric Rosenbach asserted that the files leaked in 2016 and 2017 by Shadow Brokers came from two NSA officers who brought the files home from work.

In two separate incidents, employees of an NSA unit that was then known as the Office of Tailored Access Operations—an outfit that conducts the agency’s most sensitive cybersurveillance operations—removed extremely powerful tools from top-secret NSA networks and, incredibly, took them home. Eventually, the Shadow Brokers—a mysterious hacking group with ties to Russian intelligence services—got their hands on some of the NSA tools and released them on the Internet. As one former TAO employee told The Washington Post, these were “the keys to the kingdom”—digital tools that would “undermine the security of a lot of major government and corporate networks both here and abroad.”

One such tool, known as “EternalBlue,” got into the wrong hands and has been used to unleash a scourge of ransomware attacks—in which hackers paralyze computer systems until their demands are met—that will plague the world for years to come. Two of the most destructive cyberattacks in history made use of tools that were based on EternalBlue: the so-called WannaCry attack, launched by North Korea in 2017, which caused major disruptions at the British National Health Service for at least a week, and the NotPetya attack, carried out that same year by Russian-backed operatives, which resulted in more than $10 billion in damage to the global economy and caused weeks of delays at the world’s largest shipping company, Maersk. [my emphasis]

That statement certainly doesn’t amount to official confirmation that that’s where the files came from (and I’ve been told that the scope of the files released by Shadow Brokers would have required at least one more source). But the piece is as close as anyone with direct knowledge of the matter — as Gordon would have had from the aftermath — has come to confirming on the record what several strands of reporting had laid out in 2016 and 2017: that the NSA files that were leaked and then redeployed in two devastating global cyberattacks came from two guys who brought highly classified files home from the NSA.

The two men in question, Nghia Pho and Hal Martin, were prosecuted under 18 USC 793e, likely the same part of the Espionage Act under which the former President is being investigated. Pho (who was prosecuted by Thomas Windom, one of the prosecutors currently leading the fake elector investigation) pled guilty in 2017 and was sentenced to 66 months in prison; he is processing through re-entry for release next month. Martin pled guilty in 2019 and was sentenced to 108 months in prison.

The government never formally claimed that either man caused hostile powers to obtain these files, much less voluntarily gave them to foreign actors. Yet it used 793e to hold them accountable for the damage their negligence caused.

There has never been any explanation of how the files from Martin would have gotten to the still unidentified entity that released them.

But there is part of an explanation how files from Pho got stolen. WSJ reported in 2017 that the Kaspersky Anti-Virus software Pho was running on his home computer led the Russian security firm to discover that Pho had the NSA’s hacking tools on the machine. Somehow (the implication is that Kaspersky alerted the Russian government) that discovery led Russian hackers to subsequently target Pho’s computer and steal the files. In response to the WSJ report, Kaspersky issued their own report (here’s a summary from Kim Zetter). It acknowledged that Kaspersky AV had pulled in NSA tools after triggering on a known indicator of NSA compromise (the report claimed, and you can choose to believe that or not, that Kaspersky had deleted the most interesting parts of the files obtained). But it also revealed that in that same period, Pho had briefly disabled his Kaspersky AV and downloaded a pirated copy of Microsoft Office, which led to at least one backdoor being loaded onto his computer via which hostile actors would have been able to steal the NSA’s crown jewels.

Whichever version of the story you believe, both confirm that Kaspersky AV provided a way to identify a computer storing known NSA hacking tools, which then led Pho — someone of sufficient seniority to be profiled by foreign intelligence services — to be targeted for compromise. Pho didn’t have to give the files he brought home from work to Russia and other malicious foreign entities. Merely by loading them onto his inadequately protected computer and doing a couple of other irresponsible things, he made the files available to be stolen and then used in one of the most devastating information operations in history. Pho’s own inconsistent motives didn’t matter; what mattered was that actions he took made it easy for malicious actors to pull off the kind of spying coup that normally takes recruiting a high-placed spy like Robert Hanssen or Aldrich Ames.

In the aftermath of the Shadow Brokers investigation, the government’s counterintelligence investigators may have begun to place more weight on the gravity of merely bringing home sensitive files, independent of any decision to share them with journalists or spies.

Consider the case of Terry Albury, the FBI Agent who shared a number of files on the FBI’s targeting of Muslims with The Intercept. As part of a plea agreement, the government charged Albury with two counts of 793e, one for a document about FBI informants that was ultimately published by The Intercept, and another (about an online terrorist recruiting platform) that Albury merely brought home. The government’s sentencing memo described the import of files he brought home but did not share with The Intercept this way:

The charged retention document relates to the online recruitment efforts of a terrorist organization. The defense asserts that Albury photographed materials “to the extent they impacted domestic counter-terrorism policy.” (Defense Pos. at 37). This, however, ignores the fact that he also took documents relating to global counterintelligence threats and force protection, as well as many documents that implicated particularly sensitive Foreign Intelligence Surveillance Act collection. The retention of these materials is particularly egregious because Albury’s pattern of behavior indicates that had the FBI not disrupted Albury and the threat he posed to our country’s safety and national security, his actions would have placed those materials in the public domain for consumption by anyone, foreign or domestic.

And in a declaration accompanying Albury’s sentencing, Bill Priestap raised the concern that by loading some of the files onto an Internet-accessible computer, Albury could have made them available to entities he had no intention of sharing them with.

The defendant had placed certain of these materials on a personal computing device that connects to the Internet, which creates additional concerns that the information has been or will be transmitted or acquired by individuals or groups not entitled to receive it.

This is the scenario that, one year earlier, was publicly offered as an explanation for the theft of the files behind The Shadow Brokers; someone brought sensitive files home and, without intending to, made them potentially available to foreign hackers or spies.

Albury was sentenced to four years in prison for bringing home 58 documents, of which 35 were classified Secret, and sending 25 documents, of which 16 were classified Secret, to the Intercept.

Then there’s the case of Daniel Hale, another Intercept source. Two years after the Shadow Brokers leaks (and five years after his leaks), he was charged with five counts of taking and sharing classified documents, including two counts of 793e tied to 11 documents he took and shared with the Intercept. Three of the documents published by The Intercept were classified Top Secret.

Hale pled guilty last year, just short of trial. As part of his sentencing process, the government argued that the baseline for his punishment should start from the punishments meted to those convicted solely of retaining National Defense Information. It tied Hale’s case to those of Martin and Pho explicitly.

Missing from Hale’s analysis are § 793 cases in which defendants received a Guidelines sentence for merely retaining national defense information. See, e.g., United States v. Ford, 288 F. App’x 54, 61 (4th Cir. 2008) (affirming 72-month sentence for retention of materials classified as Top Secret); United States v. Martin, 1:17-cr-69-RDB) (D. Md. 2019) (nine-year sentence for unlawful retention of Top Secret information); United States v. Pho, 1:17-cr-00631 (D. Md. 2018) (66-month sentence for unlawful retention of materials classified as Top Secret). See also United States v. Marshall, 3:17-cr-1 (S.D. TX 2018) (41-month sentence for unlawful retention of materials classified at the Secret level); United States v. Mehalba, 03-cr-10343-DPW (D. Ma. 2005) (20-month sentence in connection with plea for unlawful retention – not transmission – in violation of 793(e) and two counts of violating 18 U.S.C. 1001; court departed downward due to mental health of defendant).

Hale is more culpable than these defendants because he did not simply retain the classified documents, but he provided them to the Reporter knowing and intending that the documents would be published and made available to the world. The potential harm associated with Hale’s conduct is far more serious than mere retention, and therefore calls for a more significant sentence. [my emphasis]

Even in spite of a moving explanation for his actions, Hale was sentenced to 44 months in prison. Hale still has almost two years left on his sentence in Marion prison.

That focus on other retention cases from the Hale filing was among the most prominent national references to yet another case of someone prosecuted during the Trump Administration for taking classified files home from work, that of Weldon Marshall. Over the course of years of service in the Navy and then as a contractor in Afghanistan, Marshall shipped hard drives of classified materials home.

From the early 2000s, Marshall unlawfully retained classified items he obtained while serving in the U.S. Navy and while working for a military contractor. Marshall served in the U.S. Navy from approximately January 1999 to January 2004, during which time he had access to highly sensitive classified material, including documents describing U.S. nuclear command, control and communications. Those classified documents, including other highly sensitive documents classified at the Secret level, were downloaded onto a compact disc labeled “My Secret TACAMO Stuff.” He later unlawfully stored the compact disc in a house he owned in Liverpool, Texas. After he left the Navy, until his arrest in January 2017, Marshall worked for various companies that had contracts with the U.S. Department of Defense. While employed with these companies, Marshall provided information technology services on military bases in Afghanistan where he also had access to classified material. During his employment overseas, and particularly while he was located in Afghanistan, Marshall shipped hard drives to his Liverpool home. The hard drives contained documents and writings classified at the Secret level about flight and ground operations in Afghanistan. Marshall has held a Top Secret security clearance since approximately 2003 and a Secret security clearance since approximately 2002.

He appears to have been discovered when he took five Cisco switches home. After entering into a cooperation agreement and pleading guilty to one count of 793e, Marshall was (as noted above) sentenced to 41 months in prison. Marshall was released last year.

Outside DOJ, pundits have suggested that Trump’s actions are comparable to those of Sandy Berger, who like Trump stole files that belong to the National Archives and after some years pled guilty to a crime that Trump since made into a felony, or David Petraeus, who like Trump took home and stored highly classified materials in unsecured locations in his home. Such comparisons reflect the kind of elitist bias that fosters a system in which high profile people believe they are above the laws that get enforced for less powerful people.

But the cases I’ve laid out above — particularly the lesson Pho and Martin offer about how catastrophic it can be when someone brings classified files home and stores them insecurely, no matter their motives — are the background against which career espionage prosecutors at DOJ will be looking at Trump’s actions.

And while Trump allegedly brought home paper documents, rather than the digital files that Russian hackers could steal while sitting in Moscow, that doesn’t make his actions any less negligent. Since he was elected President, Mar-a-Lago became a ripe spying target, resulting in at least one prosecution. And two of the people he is most likely to have granted access to those files, John Solomon and Kash Patel, each pose known security concerns. Trump has done the analog equivalent of what Pho did: bring the crown jewels to a location already targeted by foreign intelligence services and store them in a way that can be easily back-doored. Like Pho, it doesn’t matter what Trump’s motivation for doing so was. Having done it, he made it ridiculously easy for malicious actors to simply come and take the files.

Under Attorneys General Jeff Sessions and Bill Barr, DOJ put renewed focus on prosecuting people who simply bring home large caches of sensitive documents. They did so in the wake of a costly lesson showing that the compromise of insecurely stored files can do as much damage as a high level recruited spy.

It’s a matter of equal justice that Trump be treated with the same gravity with which Martin and Pho and Albury and Hale and Marshall were treated under the Trump Administration, for doing precisely what Donald Trump is alleged to have done (albeit with far fewer and far less sensitive documents). But as the example of Shadow Brokers offers, it’s also a matter of urgent national security.

112 replies
  1. OldTulsaDude says:

    Reading this I sense an echo of the overly simplistic Reagan-like worldview that capitalism rather than democracy is the driver of freedom which would explain the faith placed in the nascent capitalistic turn when the USSR failed and later allowed a stealth bug sold by a Russian capitalist to infect so many. But perhaps that is my bias.

      • KM Williams says:

        Americans, especially our media, often seem to equate Capitalism with Christianity with Democracy. The conservative holy trinity.

    • Ravenclaw says:

      Urgh. I have overheard a business professor teaching her students the contrast between democracy and socialism. Obviously having conflated concepts exactly as you say.

  2. joberly says:

    Agreed that the search for documents at Mar-a-Lago citing a violation of 18 US Code 793e is not the same as the cases of Berger and Petraeus. Berger pleaded guilty to violating 18 US Code 1924 (“Unauthorized Removal and Retention of Classified Documents or Material”). Interesting that the DOJ press release from 2005 announcing Berger’s guilty plea lists “Assistant Attorney General Christopher Wray” as the supervising official on the case. Berger was not charged with violating Section 1519 (“Destruction…of records”) although he did tear into little pieces three copies of a document he had stolen from the National Archives. Petraeus, too, was charged under Section 1924. Both men had signed nondisclosure agreements regarding the handling of classified information as part of their employment.

    • emptywheel says:

      I suspect that if Trump moved to cooperate and plead to 2701 or even 1924 right away, he could avoid a 793 charge.

      But that’s not going to happen.

      • BobCon says:

        I agree Trump cooperation is a moonshot. But since I put strong odds on a growing chorus among pundits calling for a deal with Trump — much bigger than pardon calls in late ’20 to early ’21 — I’d be curious what a reasonable position on cooperation would be.

        I think anyone pitching a deal for Trump is going to offer the lamest terms possible — a rote apology, maybe an unenforceable promise not to run again. So I’d think it would make sense to have a broad outline of a counterposition in place. Full cooperation with intelligence agencies on Russian plans? Testimony against coconspirators?

        I don’t think Trump will take a deal. But I think there is value to outlining a reasonable deal and not leave the whole discussion up to the worst people.

        • MattyG says:

          Of course any talk now of a deal is contingent on the extent of the violations themselves, an unknown at this point. However, if “transmission” is involved in any of this I don’t see a chance of skating.

      • I Never Lie and am Always Right says:

        Trump may eventually come to believe that he should not himself run in 2024 but that he should instead try to reach a “deal” with the eventual Republican nominee where Trump provides “support” for that nominee in return for a later pardon. But Trump’s narcissism may prevent him from going there.

        • Yorkville Kangaroo says:

          That may be all he has left but when it comes to stupid The Donald often finds new ways of having a bomb go off in his own face.

  3. Duke says:

    Since when has there been an action of Trump which possesses a lack of malice or grift?

    He chum in the water rather than shark. He is attractant for the feeding frenzy of great white sharks. Keep your toes out the water. I hope Garland recognizes the sharks and is hunting for them.

  4. GSH says:

    Long time reader, 1st time poster. Thank you MW for your tireless efforts to explain the squealing wheels of justice to all of us who want to know what all the noise is about. My question relates to your story about the legal implications of high security documents ending up in the wrong places. Many conservative pundits and right-leaning commentators use “Hillary’s emails” as a cudgel to counter the latest developments in this Trump-MAR document DOJ/FBI search news that captivated the news cycles all last week. Whatever happened to the investigations into Clinton’s alleged illegal use of her personal computers that stored government security documents? GOP whataboutisms abound with charges of liberal hypocrisy; are they justified or full of it?

    • bmaz says:

      Uh, that was ended officially in June 2018 when the DOJ IG issued a report finding that the DOJ determination not to prosecute was absolutely proper. That fact is easily able to be Googled. So they are full of it. But, if you have really been reading here all along, you would have known that four years ago. But here you are “just asking questions”.

      The analogy between the two cases is ludicrous. So, welcome, but if you want to contribute to the discussion, that’s great, but don’t roll in with bogus and barely disguised far right talking points.

      • Sheri says:

        He may have read the David French piece in The Dispatch today. I was floored when I read it. He tried to say the cases against Hillary and Trump are equivalent.

        [Welcome to emptywheel. Please use a more differentiated username when you comment next as we have several community members named “Sheri,” “Cheri,” and variants spelled with an e. Thanks. /~Rayne]

        • bmaz says:

          Heh, well, never take David French at face value, he is as big of a shill at heart as Andy McCarthy.

        • Eliza Jo says:

          Still, if there is a current article making the equating the two as the same, then it is appropriate to restate the argument why they are not.

          [Welcome back to emptywheel. Please use the same username each time you comment so that community members get to know you. This is your second user name; the system recognizes a difference between “ElizaJo” which you have used for previous comments here and “Eliza Jo.” I recommend reverting to the previous variant. Thanks. /~Rayne]

        • John Gurley says:

          The Hillary email escapade was one of the worst examples of media malpractice in living memory.

          The previous Bush administration “lost” 22 million emails and used the RNC(!) server. Hillary interfaced to the State Department’s non-classified email system with her home computer, just like Colin Powell, but when Clinton pointed that out, she was accused of attempting to tarnish Powell’s reputation.

        • John Gurley says:

          The Hillary email escapade was one of the worst examples of media malpractice in living memory.

          The previous Bush administration “lost” 22 million emails and used the RNC(!) server. Hillary interfaced to the State Department’s non-classified email system with her home computer, just like Colin Powell, but when Clinton pointed that out, she was accused of attempting to tarnish Powell’s reputation…

    • Spank Flaps says:

      Article from 2018:


      “ WASHINGTON (Reuters) – A U.S. State Department investigation of Hillary Clinton’s use of a private email server while she was secretary of state has found no evidence of deliberate mishandling of classified information by department employees.”

      (Much quicker to Google search than asking questions on blogs)

      • Rayne says:

        Much quicker to Google or other search engines than asking questions on blogs assuming one is acting in good faith.

        *side eyeing GSH*

    • earlofhuntingdon says:

      Your opening comment sounds like a line from Grosse Pointe Blank. Had you been reading here for long, you would recognize that references to “But Hillary’s e-mails!” are almost always snark. They use false GOP claims about her e-mails to make fun of other false GOP talking points.

      There are other search engines besides giggle that don’t permanently track your searches.

    • Rugger9 says:

      Investigations were done and the charges were found to be utter BS. FWIW, when the SDNY Feebs pressured Comey into playing footsie on the email story with the NYT, they hadn’t even asked to look at the computer much less gotten a warrant or had any evidence whatsoever the HRC had lost any emails. None.

      So, this whataboutism is GQP / RWNM bullshit (as well as Hunter Biden’s laptop and Benghazi). In the future, please be sure the questions asked don’t cover ground already examined thoroughly. I do find it interesting that the RWNM has to dredge HRC up because they really do have nothing else to try.

    • Yorkville Kangaroo says:

      I may be mistaken (and stand to be corrected) but weren’t there SEVEN separate (and equally fruitless) investigations into HRC?

      In response to your question about ‘conservative pundits and right-leaning commentators’ anything they say should immediately be relegated to the status of propaganda unless they provide a verifiable FACT that ACTUALLY supports their spurious talking points.

      Read the recent post regarding DARVO:


  5. Pragmatic Progressive says:

    It has been a while since I chimed in, but I’ve just got to hop in and say that the scope of the alleged/actual conduct is MUCH MUCH more closely aligned with the charges in the Joshua Schulte case than any of the other cases you mentioned.

    #2- Consider the following as reported by NYT:

    “Shortly before Mr. Garland made the announcement, a person close to Mr. Trump reached out to a Justice Department official to pass along a message from the former president to the attorney general. Mr. Trump wanted Mr. Garland to know that he had been checking in with people around the country and found them to be enraged by the search.

    The message Mr. Trump wanted conveyed, according to a person familiar with the exchange, was: “The country is on fire. What can I do to reduce the heat?'”

    So to be clear, this Country is
    grappling with a disgruntled former POTUS who actually went out of his way to threaten the current Attorney General of the United States.

    #2- There is no need to speculate on why 45 took such a massive trove to Florida when he left. In short, he cannot read. The whole world just saw the video of this man saying “yesterday” is a hard word for him and it’s well known he actively refuses reading. In order for a narcissist who cannot read to ensure they have a chance to use whatever info they take, whether as blackmail, insurance, leverage, etc., the only option is to take everything and hope to sort it out later.

    #3- Expect things to get a lot more dramatic or intense soon. Don’t be surprised if 45’s camp ratchets things up and eventually claims something to effectively say that the FBI only got “some” of the “copies” of what 45 took and reproduced.

    • Rugger9 says:

      The thing about #3 is that Individual-1 was not allowed to do that very action. By law, and pixie dust doesn’t eliminate the crime.

      • Pragmatic Progressive says:

        Hi Rugger, that’s kind of my point- expect individual 1 to continue to escalate the situation and expect him to make it more obvious that he knows he transgressed.

    • earthworm says:

      reply to PragProg:
      “The message Mr. Trump wanted conveyed, according to a person familiar with the exchange, was: “The country is on fire. What can I do to reduce the heat?’””

      IMO, that is a barely concealed threat to AG Garland.

      • Pragmatic Progressive says:

        Yup, particularly in the context of a national security investigation, the contact to the AG is extraordinarily contumacious and brazen.

      • Yorkville Kangaroo says:

        Can also mean, “What can I do to get you guys off my orange ass?”

        The Donald is always full of such double-speak.

    • Pragmatic Progressive says:

      Correction: #3 that I described above basically already happened right before I posted this.

      Directly from the man himself around 8:00 A.M. this very morning:

      “Oh great! It has just been learned that the FBI, in its now famous raid of Mar-a-Lago, took boxes of privileged ‘attorney-client’ material, and also ‘executive’ privileged material, which they knowingly should not have taken. By copy of this TRUTH, I respectfully request that these documents be immediately returned to the location from which they were taken. Thank you!”

      • Yorkville Kangaroo says:


        Or maybe he’s run out of legal counsel and has no way of knowing how to make such legal requests.

  6. Cosmo Le Cat says:

    Kash Patel on Faux News: “On the way out of the White House he issued further declassification orders declassifying whole sets of documents.” Patel added: “He can literally stand over a set of documents and say these are now declassified and that is done with definitive action immediately.”

    • P J Evans says:

      It isn’t official without the paperwork going through the agencies that classified the stuff in the first place.

    • QuadrantFive says:

      Wouldn’t this fit under the category of an oral “contract” worth the paper it’s written on? It would be a rather unbelievable and unsubstantiated defense absent some better evidence of declassification. BTW long time lurker and first time commenter. Love what you all do!

      • bidrec says:

        Donald Trump might agree with you: “In March 1980, according to the M.T.A., Marc S. Intriligator, an attorney for Mr. Trump, sent to transit officials a proposed written agreement for the easement grant. [for an escalator from The Grand Hyatt to Grand Central Station below]

        Unfortunately for transit officials, they never signed the contract Mr. Trump sent them. Ostensibly the reason was that they wanted to negotiate further over some other contiguous space. Now, Mr. Trump says, such an oral promise is unenforceable, and he is expected to seek dismissal of the complaint soon in State Supreme Court in Manhattan.”

      • earlofhuntingdon says:

        You can establish an enforceable contract, in some circumstances, without a writing signed by both parties. One way is if both parties performed as if that contract were in force.

        What’s at issue regarding the treatment of government docs, however, is that they are governed by the relevant statutes, not contract law.

    • Pragmatic Progressive says:

      These type of talking points are not just trash, they reveal how really desperate 45 and his gang are.

      The nonsense that 45 somehow confidentiality declassified material is just an uprovable hypothetical theory. In this alternative universe, Biden could have just reclassified everything that was previously classified the moment he took office. Using Kash Patel’s interpretation of the law, all that is needed is for any random lawyer to swear they heard POTUS give an order.

      Of course that is not how things actually work. This type of legal theory is almost as brilliant as the idea that U.S. law gives the Vice President the magical power to throw out national elections when he doesn’t like the result.

      • bjet says:

        Patel may be alluding to something that is not the kind of funny I feel confident dismissing as flailing clownery, not under current conditions of our Supreme Court, and something about what Pence‘s council relayed about his conversation with Eastman, during the J6 hearings:

        I don’t think ‘it will be a jump ball, decided in the streets’ is what was conveyed, but rather, a distraction from what was relayed.

        According to Pence’s counsel, he said we would lose by 9 to 1, and Eastman said 7 to 2, BUT IT DOESN’T MATTER because they won’t vote on it.

        Was this not a reference to the shadow docket, as ‘procedural’ means of deciding by not deciding?

        Not certain, but pretty sure it was Eastman, in that or another conversation with Pence counsel, who not only delivered a veiled threat by reference to “more palatable option to Pence” (than less palatable WHAT was rather open-ended at the time), but assured (Pence) that Ginni Thomas had resoundingly assured him/them of this; that they would not vote on it (by shadow docket?)

        I don’t know if it’s true, but someone said Alito was scheduled or ‘on call’ to handle such ‘emergency’ decisions on J6.

        In the context of this ‘affadavit’ etc, and ‘magical thinking’ that ‘Trump’ can “think” declassification (or whatever) into existence, more information about how that scheduling works would be awfully nice.

    • Yorkville Kangaroo says:

      Patel, by his own statement, is, clearly, a moron.

      But when did that ever stop The Donald from hiring someone?

      • earlofhuntingdon says:

        Patel has little demonstrated competence. Ordinarily, he would be a ne plus ultra example of the Peter Principle. But he is a superb gofer and somebody up there likes him a lot.

  7. phred says:

    LOL, as if Kash is an authority. Where do these nightcrawlers come from? More to the point, why does anyone ask their opinion?

  8. klynn says:

    This is the best tweet:

    @emptywheel’s elephant in room tracer —> “It’s..matter of equal justice that Trump be treated with same gravity with which Martin and Pho and Albury and Hale and Marshall were treated under the Trump Administration, for doing precisely what Donald Trump is alleged to have done…”

    …elephant in the room tracer…”

    I absolutely love this phrase describing this post!

  9. Mister Sterling says:

    Marcie you need to be praised again for pivoting to this case. You’ve been covering Trump-adjacent investigations for 7 years and now the biggest Trump case has been dropped in our laps. And somehow you are two or three steps ahead of the mainstream press in comprehending it.

    A lot of pundits have predicted that Trump wouldn’t be ruined by his financial crimes, nor his crimes in office, nor his participation in a wild seditious conspiracy. He would eventually be brought down by some clear-cut case. I think this is it. This is the “they got Capone for tax evasion” stage of Trump’s grand 50 year story arc.

    I find it a commentary on our nation that the coordinated attack on Capitol Hill will not bring down Trump. I’m being facetious, but the January 6 committee could pivot to writing their report now and be done with it. In the end, the only thing that was going to bring down Trump was a blatant violation of our imperial national security state. Inciting a riot to attack the Vice President is no biggie. But stealing documents stamped Top Secret is an unforgivable crime. And all national security experts on cable news on both sides of the aisle would agree.

    This makes me sound like a certain New York based lawyer-journalist I admired 18 years ago. But I think he would make the same argument. Trump’s crimes against the people didn’t bring him down. It was his crimes against the US empire that did.

  10. Tech Support says:

    I missed the linked article about the Kapersky stories the first time around. Learning how the Shadow Brokers files were leaked/obtained is a real gut punch.

    The notion that someone would violate security policies and move critical data into a wildly insecure environment for trivial personal reasons isn’t necessarily shocking. It’s corrupt, unprofessional, and short-sighted, but not terribly surprising.

    It’s the sheer laziness that boggles my mind. Apparently zero effort to do anything to keep the data secure. Functionally equivalent to what Trump did. How easy is it for someone in his field to sandbox the code using a VM or even just an old laptop that’s off the LAN. I tend to favor the adage to “not blame on malice what can be explained more easily by stupidity” but the degree of stupid involved does make me wonder if “being stupid” is a cover story.

    If we stick with the stupid theory for a bit though, it leads me to another question. Did it not occur to him that the code he brought home would potentially be heuristically detected and exfiltrated for analysis by commercial AV software? Even putting Kapersky aside for a moment you’d think that would be a risk for any of the common packages out there. Did that not occur to him? Or did he have specific reason to believe that Kapersky wouldn’t be able to detect the software? If you’re looking for malice, you might ask if Kapersky is coded to “play dumb” under certain circumstances, or conversely if Pho’s installation had the all the knobs turned to 11 remotely.

    • Yorkville Kangaroo says:

      As a former IT security manager it’s a well-worn adage that the weakest link in any security chain is each person in the chain. You would not believe just how stupid even smart people can be.

      The comments about Pho are telling. Here is an NSA operative downloading pirated software (are we in 1998 again?) onto his personal computer and then bringing highly sensitive documents out of their secure eenvironment and into an unsecure one.

      It’s simply mind-boggling how many people will countervene basic security procedures even when told that they’re doing it, to fix it only to do it again. I would REGULARLY close out an account holder for using unsecure passwords (1234 anyone?), tell the person to adhere to the guidelines, reinstate their account with a temporary password only to have them use another ridiculously easy to hack password. And these were engineers with security clearances!

      The comments about The Donald being told to ‘secure’ the material by DoJ and the installation of a padlock on the door would be in no way contiguous. If the material is SCI (and according to the receipts they are) then they would have to immediately be placed in SCIF not behind the same door in the same room with another simple lock in place.

      Yet another breach of the law but I stopped counting long ago.

      • jdmckay says:

        I had significant security experience coding for our product serving HIPAA II in 2000. In the soft/hardware domains, clearly *secure* is achievable. Human element is another thing altogether.

        In my mind, I make distinction between those with intent to defraud/profit vs. people who were simply negligent. I’m not familiar with the Pho case, so no opinion there.

        My dad worked at the Livermore lab for 38+ yrs. He was an ME. When I was in High School, he spent months almost every year in Las Vegas working on design of “containment vessels” purposed with design capabilities to capture specified data for underground nuke tests. He made several trips each year to New Mexico working with people at Sandia/Los Alamos in collaboration on these projects.

        Years later, I remember talking with Dad when Wen Ho Lee was arrested. My impression at the time was Lee was scapegoated, an easy target (eg. Asian bigotry). Dad did not agree explicitly. But Dad did say the NM (Sandia/Los Alamos) computer systems their science people used was so poor, unable to produce all kinds of needed information people working on projects needed (some of this was very poorly conceived security measures that succeeded in keeping the bad guys, but also the good guys out). Dad said almost everyone he worked with there took secure data they needed off the system, sometimes always staying in the lab and sometimes taking home, just to keep up with their work.

        According to Dad, this was quite common place.

        After Lee’s imprisonment in shackles and solitary, it was proven he could not have been the source of China’s “stolen” nuke designs.

        Obviously, Trump (if these documents turn out to be critical) is not in this category: Trump’s a crook. But I just make the point within context you describe.

  11. Badger Robert says:

    Ms. Wheeler did not mention any of these criminal defendants making money off their mishandling of document. Berger and Petraus stand out as clearly messing up for their selfish reasons.
    But Mar-a-:Largo is a business. People pay to have access there and get close to the documents. It appears that Justice has some CCTV data to show how close others came to the documents. To me, that puts Mar-a-Largo at risk. I think Justice would now be looking for membership lists and money paid.

    • BobCon says:

      I wouldn’t assume any money traded hands. It’s possible, but there are other possibilities.

      They may involve being squeezed by Putin or others with dirt on Trump. They may involve efforts to hurt Biden or other political rivals.

      It’s not that Trump isn’t a greedy freak, but reductionist diagnoses can cause people to miss other major issues. It’s worth keeping an open mind until more details are in. He may have done this because it involved issues that didn’t involve money no matter how much he wanted to buy his way out.

      • bmaz says:

        Good grief, is it simply impossible to wait for some…any…facts before going down these paths? Could be aliens from Area 51! And there is as much evidence and support for aliens as much of what is being blithely blown around.

        • BobCon says:

          Right, like I said I think it’s worth keeping an open mind until more details are in.

          Trump’s got a lot more wrinkles and weird issues than I think people always accept. We can’t assume we know all of them.

    • Rwood says:

      Isn’t MAL under the umbrella of the Trump Org? If so it’s subject to the current case the NY AG is running.

      Could it be subject to dissolution?

      • Yorkville Kangaroo says:

        They would all be separate legal entities but many of their Directors would be the same (The Donald, Weisselberg, Jr., the pretty one, the dumb one, etc.).

        Dun & Bradstreet list it as belonging to Mar-A-Lago Club, L.L.C.

        Of course you may also have to wade through swamps full of off-shore tax havens to find the end of the line on any of his ‘business’ ventures.

  12. Badger Robert says:

    The likelihood of getting a plea deal from Trump increases if there is a credible civil case that will pick him up by the heels and empty his pockets.
    The Republican side will inevitably advocate that Garland has to offer a non conviction deal. But since Garland has referenced the Reconstruction origins of the Justice Dept, I don’t anticipate he can accept a deal which doesn’t begin with the criminal law equivalent of Lee’s surrender.
    Thanks Ms. Wheeler,

    • bmaz says:

      No, come on, the civil case, as currently extant, has absolutely nothing whatsoever to do with any potential criminal cases, or pleas thereon.

      • Charles Wolf says:

        Yea, but don’t touch that dial.
        In addition to the NYS AG civil case WRT T****’s business:
        Weasleberg’s tax evasion trial is scheduled to begin in Oct. and it doesn’t look like he can orchestrate any delays. What could go right?

      • Badger Robert says:

        18 USC sec 981, linked to 18 USC 1956 which references sec 793 at (c)(7)(2). The Justice Dept has many means of going after financial crimes.
        The crimes against 793 occurred at Mar-a-Largo so it is a property involved as described in 981.
        And I wasn’t going to post.

        • Yorkville Kangaroo says:

          I agree with bmaz.

          Though if I wanted to be REAL ballsy I’d declare The Donald part of Putin’s oligarchy and then seize away!

  13. obsessed says:

    OT, and I don’t know how much credibility Sidney Blumenthal or The National Memo are afforded around here. This is the first I’ve encountered either, so apologies if this is like citing Maggie Haberman, but Blumenthal’s list of ten Mar-a-Lago questions is fascinating and I’d love to hear the answers to any of them: https://www.nationalmemo.com/mar-a-lago

    • bidrec says:

      He asks, “Does the resort maintain a copying machine near the classified documents that Trump hid?”

      I worked at a secure facility with a copier that was serviced by an external vendor. The technician had to be debriefed after every visit, he was escorted the whole time, blankets were put over other equipment in the room, etc. I also worked for a company that supplied office equipment to the Israeli Consulate in NYC. It was understood that the tech going to service the equipment would be there all afternoon to allow time for the security rigmarole.

      • P J Evans says:

        Friend who’s a now-retired systems programmer would have to work in secure areas, and he never could pass the lie-detector tests required for that level of clearance. So he’d have to have an escort telling people there was an uncleared person in the area. He thought about wearing a large kiddie fire helmet, with the flashing red light, and also using a handbell (“Uncleared! Uncleared!”).

    • Yorkville Kangaroo says:

      I particularly liked 5) regarding the Stone document:

      “…Do the files contain secret pardons for Trump himself, members of his family, members of the Congress, and other co-conspirators?”

      And 10) regarding the networked surveillance systems of MaL, Bedminster and Trump Tower raises a LOT of questions (and potential answers) about not only surveillance of Trump, inc. being available but the strong potential for what our friends over in Central Europe like to call ‘kompromat’ on visitors (read ‘supplicants’) to The Donald.

  14. WilliamOckham says:

    The Kaspersky version of the story is almost certainly true. That’s exactly how their software works and, based on their descriptions of other significant malware incidents, that’s how they would have reacted. Obviously, the Russian government became aware of the existence of the computer in question because they hacked within a month. Did Eugene Kaspersky give the Russian government that archive? Maybe. Or maybe the Russian government found it because they were spying on Kaspersky (if the Russian state security apparatus wasn’t spying on Kaspersky, they’re way more incompetent than I thought).

    In any event, ask yourself this: what would have been easier, hacking Pho’s computer or burglarizing Mar-A-Lago? Seems like six of one, half a dozen of the other to me (at least for the Russian government). There are certainly far more organizations who were aware of the Mar-A-Lago opportunity AND with the motive and capability of pulling off a burglary job than there were similarly situated for the Pho hack.

    Even though I know why they didn’t, the “correct” counter-intelligence play would have been to execute a dawn raid the day after NARA found classified docs in the 15 boxes Trump returned.

    • earlofhuntingdon says:

      Both sound more likely. Two lines of attack and information, one would confirm the other, establishing a surer foundation for a further op.

    • Yorkville Kangaroo says:

      The ‘correct’ play was to see exactly how much net they could let out to see how much more they could catch. My feeling is not that there was some sort of immediate urgency about the material and its movement (though it’s a possibility) just that they had enough in the net and it was time to haul it in.

      I’m pretty sure they’re not simply looking at individual crimes but they’re looking for conspiracy. If all they get are individuals (The Donald, Patel, etc.) they’ll take it.

  15. gmoke says:

    There is also the case of John Deutch during the Clinton administration:

    “Deutch left the CIA on December 15, 1996, and soon after it was revealed that several of his laptop computers contained classified information wrongfully labeled as unclassified. In January 1997, the CIA began a formal security investigation of the matter. Senior management at CIA declined to pursue fully the security breach. Over two years after his departure, the matter was referred to the Department of Justice, where Attorney General Janet Reno declined prosecution. She did, however, recommend an investigation to determine whether Deutch should retain his security clearance. Deutch had agreed to plead guilty to a misdemeanor for mishandling government secrets on January 19, 2001, but President Clinton pardoned him in his last day in office, two days before the Justice Department could file the case against him.”
    Source: https://en.wikipedia.org/wiki/John_M._Deutch#CIA_Director_tenure

    I was in an elevator with Deutch at MIT during the “but her emails” brouhaha and asked him about his experience. He started talking about the topic generally in a professorial disquisition until I said, “I was asking about YOUR experience” whereupon his face changed and he shut up.

  16. stancat says:

    “Under Attorneys General Jeff Sessions and Bill Barr, DOJ put renewed focus . . . ” I think about Sessions each time I see another light DOJ sentencing recommendations and even lighter sentence for Jan 6 offenders. (Looking at you Judge McFadden) Trump’s defenders seem to have completely forgotten that the initial Trump/Session DOJ ordered US Attorneys to employ a maximalist approach in charging decisions and sentencing recommendations. Will never happen but I fantasize that DOJ can honor this contribution by Trump to the US justice system by announcing it will give him a taste of his own medicine.

    • bmaz says:

      “Light DOJ sentencing recommendations”. Can you explain what you mean specifically, with references to the Federal Sentencing Guidelines? Because if you can’t, you are just blowing shit. By the way, you realize this is not Jeff Sessions’ DOJ, right?

      It is funny how supposedly reasonable people go completely fascist out of their minds and forget everything else when it comes to January 6. Off with their heads because it will make me feels good!

  17. WilliamOckham says:

    I would argue that Trump violated 793(d) in this way:

    President Trump, having lawful access to NDI, knowingly caused that to be delivered to ex-President Trump, someone who didn’t have lawful access. He literally delivered that stuff to Mar-A-Lago.

    • Cosmo Le Cat says:

      WilliamOckham made a fine point. In addition, according to Section 793, part d, it’s illegal to knowingly retain information that one believes could do damage to the US or aid another country and fail “to deliver it on demand to the officer or employee of the United States entitled to receive it.”

      In June the DOJ demanded the documents and failed to deliver them. The NYT reported that a Trump attorney attested that no such documents remained. The unsealed court docs indicate that was not true, not all documents were delivered as demanded..

  18. ira says:

    Does anyone not find it strange that a former employee of the NSA, Nghia Pho, would use a pirated copy of Microsft Office ? Surely he must have had sufficient money to buy a legitimate copy. The only thing I can think of — and this is pure speculation — is that he had information that Office had backdoors, and the pirated copy he bought closed them. But this seems exteremely unlikely.

    • P J Evans says:

      I got a legal copy of MS 2010 through my workplace – they had a deal with MS. Still not using 2007, though, and if the computer would run 2003, I’d use that..

    • timbo says:

      Not sure why you think it might be unusual. Pirated software is endemic to the Internet. Hackers and crackers use bootleg software all the time, frequently have access to such software, etc. They’re programmers. Heck, if you look at all the businesses in the US large and small who use pirated software, it is not as unusually a practice as some squeeky-clean types might imagine. Often times, employees are using bootleg software because their bosses are too cheap to buy it “when you can just download it for free—here’s a link”.

      • grennan says:

        Funniest April Fools joke I ever saw was at a small/medium sized commercial software firm in the early ’90s. Head programmer got receptionist to give president a message from the Software Publishers Association that per member agreement a copyright team would be arriving the next day to audit all the computers.

        Even in those DOS and floppy days, he had to be scraped off the ceiling.

        • ChrisH says:

          I worked in IT for a >100 market multinational that had to go through a ***full*** software audit a bunch of years ago… that was months of pain.

          The widespread use of Adobe products + commercial fonts combined with a subset of staff who didn’t go through proper channels to requisition software made that whole situation pretty spicy tbh.

    • Spank Flaps says:

      Trump’s lawyers have advised him to stop talking to Meadows.
      The conjecture is that this is because Meadows has flipped.

      • Barb says:

        No idea. Just a thread he posted that I questioned.

        I want to know how he got a blue check mark with only 163K followers vs. @emptywheel w/ 300K who still doesn’t have one??

        [Welcome back to emptywheel. SECOND REQUEST: Please use a more differentiated username when you comment next as we have several community members named “Barb” or “Barbra” or “Barbara.” Thanks. /~Rayne]

        • Kurt K says:

          You may not enjoy it, but I, as a pleb here, appreciate someone with experience in the legal system to temper expectations (in addition to the other great contributors to this site). This site is a great resource in an age where media amplifies misinformation, unwittingly or not. I think most people who make emptywheel a daily stop in their news intake believe that Trump committed many crimes. But in the end, if/when DOJ decides to seek an indictment, they better be sure to have their case all buttoned up. In the end its not what you think happened, but what you can prove happened. Thank you for keeping us rooted in reality in an increasingly surreal time.

  19. taluslope says:

    Sentencing appears to have gotten more strict. In a meth lab search-turned-FBI-counterintelligence investigation, Jessica Lynn Quintana, 23, a former worker at Los Alamos National Laboratory, pleaded guilty to knowingly removing classified information. Maximum sentence was up to one year in jail and a $100,000 fine; she ultimately received two years probation.

    Fun bits of this story was that Jessica was under pressure to complete work by the contractor she worked for so she just up and took the classified data home on a thumb drive to work on. Unfortunately for her, later her boyfriend was busted for selling drugs which led the discovery of the classified documents.

    Note to bmaz: Apparently Jessica first got her top secret clearance at the age of 18. I only mention this because you had questioned (in an earlier posting) the clearance of Cassidy Hutchinson because of her age.

    • Yorkville Kangaroo says:

      My understanding is that the issuance of a TS clearance is only dependent upon someone passing a Single Scope Background Investigatio (SSBI).

      To my knowledgge there is no age restriction on SSBI’s though a person that lacked fundamental intellectual ‘maturity’ might have some difficulty in obtaining one. This might include matters such as being able to recognise and counter social engineering efforts and the like.

  20. arj says:

    Marcy, thanks for the additional reference on the ShadowBrokers case. I had not known about the likely origins—two guys bringing tailored access tools home, combined with a Kaspersky alert. Thank you. It’s an object lesson in what can go wrong when we find corporate networks too confining. That’s especially notable here, given that it was done by somebody in the TAO group. Downloading pirated Office software qualifies as extra stupid too.

    That Kaspersky has ties to the Russian government is not surprising. I’ve always wondered. Years ago, I received an invitation to tour their command center outside Moscow. Eugene was quite proud that it was based in a rehabilitated underground missile silo. (I declined the offer.)

  21. Willis Warren says:

    I have a hard time believing anyone would unwittingly download anything to a computer holding hacking materials… he was groomed

  22. Cryptome says:

    Excellent reporting as usual. Loose threads:

    1. The unreleased majority of the Edward Snowden public gift of Top Secret NSA digital files in June 2013 still held by several recipients, Glenn Greenwald, Laura Poitras, Barton Gellman, New York Times (via The Guardian), Washington Post (via Gellman), perhaps the party or parties who assisted Poitras and Gellman in Snowden transactions. None of these recipients are known to have necessary security measures to protect their digital holdings. Greenwald in particular has been determined by Bruce Schneier, a US cybersecurity expert, to have inadequate security at his home in Brazil. Nicole Perlroth has reported that the NY Times stores its NSA files in a closet of the publisher’s office in the Times high-rise which is far from being a cybersecure facility. Gellman has written about the WaPo’s struggle to protect the NSA material while deciding on what to publish.

    2. The transition from paper to digital documents has led to an outpouring of digital take-homes, thefts, leaks, malwares, prosecutions, imprisonments, exile, journalistic opportunism and distortions, not overlooking the WikiLeaks tsunami and its emulators, with Assange being accused and detained of what Trump is allegedly facing. Digital technology for information processing has led to huge increase in diminished security and concomitant volcano of reportage, much misinformed but fair game in garnering attention and aiding political and monetary advancement.

    3. Encryption and anonymization have failed in their promise to provide secure means to handle classified data by unskilled but credulous users. Reality Winner and Edward Manning are hardly the only perpetrators betrayed by third parties, others exposed by press-privileged vetting material or NDA-cleared parties covering their butts for failure to report or by informers coerced into snitching on friends after being targeted for bragging in chat rooms or social media.

    4. Boxes of material allegedly stashed at Mar-a-Lago sounds nostalgic for vestigial paper credibility unless some of the crates held digital files and were deliberately mislabeled in the FBI listing. If all paper, that would be weird, especially with the claim that Trump does not read. Could be some files are audio, or video, or film, even dramatic recreations for enjoying with burgers and fries, or borscht and vodka.

    5. Speculation of what next in legal world is not as interesting to technologists as what next in information security. What next for assuring those in charge of handling classified information are capable to fulfill their mission, in particular so long as violating security is far more rewarding than enforcing it. Strange tension between press freedom and official secrecy may bring forth surprising means to satisfy both.

    • Yorkville Kangaroo says:

      Do you really believe The Donald is AT ALL motivated, on any level, to be interested in Snowdon, Assange, Manning, et al?

      IF he has SCI materials (and he does according to the receipts) then the most likely thing he could want here would be information on nuclear reactors which he could deal to MbS or anything else that portrays himself to be a ‘big man’ in respect to his own comments about owning a ‘new weapons system’ as mentioned by Bob Woodward.

  23. Elstun Lauesen says:

    All excellent points as to the general insecurity of the documents, digital or otherwise. I am listening with my mind’s ear to Tucker Carlson running through your list posing his famous beady-eyed socratic wonderment: “Why is the Justice Department not equally concerned with the New York Times’ and the Washington Post’s unauthorized position and insecure maintenance of classified documents? Why isn’t the FBI kicking down the doors of Barton Gellman or Laura Poitras and seizing THEIR unauthorized documents? Well we know, don’t we? They are the enablers of the FBI and the NSA and the deep state masters who are going after President Trump.”

    But, of course, we KNOW the difference, don’t we? Trump deliberately and intentionally STOLE the fucking documents. They weren’t handed to him over the transom. His motives weren’t high-minded anarchy of the Snowden variety (Snowden’s act actually was motivated by good intentions); Trump stole the most valuable documents to sell them. As the evidence bears this out, we need to quit conflating conflicts of conscience with the acts of a petty thief selling out his nation for bags of Benjamins–or their electronic equivalent. When I think of Julia and Ethel Rosenberg being put to death in part thanks to the influence of Roy Cohn, one of Trump’s heroes, I cannot help but wish for a similar conclusion to Trump’s case.

  24. Mark B. says:

    One tidbit in the search/seizures is Trump’s assertion that the FBI took his three passports (two valid, one expired) during the search.


    This raises a couple of questions. One, if true, why were the passports not listed in the inventory of seized objects. And second, if the passports were taken, does this mean that Trump has been put on notice that he must not leave the country. Or is Trump just BSing it again, and claiming something that never really happened.

    [Welcome back to emptywheel. Please use the same username each time you comment so that community members get to know you. This is your second user name; it’s been a while since you commented last when you used what I believe is your name in RL. Please stick with Mark B. here forward. Thanks. /~Rayne]

Comments are closed.