I love Global Threat Hearings and curse you Richard Burr for holding the Senate Intelligence Committee’s hearing in secret.
At least John McCain had the courage to invite James Clapper for what might have been (but weren’t) hard questions in public in front of Senate Armed Services Committee Thursday.
Unpredictable instability is the new normal.The year 2014 saw the highest rate of political instability since 1992. The most deaths as a result of state-sponsored mass killings since the early 1990s. And the highest number of refugees and internally displaced persons (or IDPs) since World War II. Roughly half of the world’s currently stable countries are at some risk of instability over the next two years.
It’s a damning catalog. All the more so given that the US has been the world’s unquestioned hegemon since that period in the early 1990s when everything has been getting worse, since that period when the first President Bush promised a thousand points of light.
And while the US can’t be held responsible for all the instability in the world right now, it owns a lot of it: serial invasions in the Middle East and the coddling of Israel account for many of the refugees (though there’s no telling what would have happened with the hundred thousand killed and millions of refugees in Syria had the second President Bush not invaded Iraq, had he taken Bashar al-Assad up on an offer to partner against al Qaeda, had we managed the aftermath of the Arab Spring differently).
US-backed neoliberalism and austerity — and the underlying bank crisis that provided the excuse for it — has contributed to instability elsewhere, and probably underlies those countries that Clapper thinks might grow unstable in the next year.
We’re already seeing instability arising from climate change; the US owns some of the blame for that, and more for squandering its leadership role on foreign adventures rather than pushing a solution to that more urgent problem (Clapper, by the way, thinks climate change is a problem but unlike Obama doesn’t consider it the most serious one).
There are, obviously, a lot of other things going on. Clapper talked admiringly of China’s modernization of its military, driven by domestically developed programs, an obvious development when a country becomes the manufacturing powerhouse of the world. But China’s growing influence comes largely in the wake of, and in part because of, stupid choices the US has made.
There was, predictably, a lot of discussion about cyberthreats, even featuring Senate Intelligence Committee member Angus King arguing we need an offensive threat (we’ve got one — and have been launching pre-emptive strikes for 9 years now — as he would know if he paid attention to briefings or read the Intercept or the New York Times) to deter others from attacking us with cyberweapons.
Almost everyone at the hearing wanted to talk about Iran, without realizing that a peace deal with it would finally take a step towards more stability (until our allies the Saudis start getting belligerent as a result).
Still, even in spite of the fact that Clapper started with this inventory of instability, there seemed zero awareness of what a damning indictment that is for the world’s hegemon. Before we address all these other problems, shouldn’t we focus some analysis on why American hegemony went so badly wrong?
Admittedly, after its alarmism on encryption, one should always treat FBI claims about necessary tools skeptically. But I’m interested in the claim, made by FBI’s Assistant Director of its Cyber Division, that the Bureau relies on 215 for computer intrusion investigations.
The FBI’s cyber crime investigations would “obviously” suffer if Congress doesn’t reauthorize Section 215 of the Patriot Act, which allows the FBI to request business records from major companies.
“If that expires, obviously it’s going to impact what we do as an organization and certainly on cyber,” said Joseph Demarest, assistant director of the FBI’s Cyber Division, during a roundtable discussion with reporters Tuesday.
Congress must reauthorize the controversial portion of the law by June 1. Civil liberties advocates argue the 215 program is an invasion of privacy, granting the National Security Agency (NSA) blanket authority to spy on Americans.
But two leaders of the FBI’s digital crime unit said losing the program would reduce the bureau’s effectiveness.
The business records request program based on Section 215 allows the FBI to obtain customer records from places like major telecom companies without going through the public court system.
“We use that in working with, I’ll say major providers,” Demarest said. “And we’re looking at historical records.”
“Not having the ability to use that as a vehicle to obtain that information,” Demarest added, “that’s the problem we face.”
The FBI argues that the 215 program approach allows investigators to go after cyber crooks without tipping their hand to possible accomplices.
Let me interject and note that the reporting on this — and therefore presumably the questions asked at this little eat-the-journalists-for-lunch-event — was atrocious.
The guy in charge of hacking told a group of reporters they rely on Section 215 to investigate hacking. And several of those reporters then reported that he said they needed the phone dragnet.
If true, that would be huge news, because the phone dragnet has pretty tight controls limiting its use to terrorists and Iran. So if the NSA is now also using the phone dragnet to catch hackers, it means the government has blown up the definition of hackers even further than they obviously have.
But it’s unlikely that’s what Demarest meant, though that doesn’t mean his comment, if true, isn’t newsworthy for other reasons.
The reporters claiming the FBI uses the phone dragnet to catch hackers are — as far too many activist organizations do — probably conflating the phone dragnet, a program authorized by Section 215, with Section 215, which authorizes the collection of a lot more things — things like money transfers, explosives precursors, hotel records, probably credit card data, and Internet records – including in what you and I would call bulk, even if Bob Litt would not.
There were roughly 180 Section 215 orders last year. Only 5 of those orders supported the phone dragnet.
I’m guessing, but probably what Demarest was talking about is FBI’s (note, not NSA’s) reliance, since 2009, to collect records from Internet companies. At least during 2011 and 2012, the majority of the Section 215 orders were for Internet records.
We can say a few things about this collection. First, FBI conducted the collection using NSLs until 2009, when publication of an OLC opinion limiting the interpretation of phone records covered by NSLs led the Internet companies to successfully challenge the use of NSLs to collect that data anymore. This collection obtains “electronic communication transaction records,” but for something other than the Internet equivalent of call time and participants (because that’s what the OLC opinion excluded). These orders are probably fairly programmatic, because it can take 30 to 40 days to obtain a Section 215 order (meaning the FBI would run whatever collection on a set of standing orders, just like they do the phone dragnet). And these collections are probably substantive enough that FISC imposed minimization procedures on the collection.
And, we can now guess (assuming, of course, the FBI isn’t talking out of its arse again) that these collections support cyberinvestigations.
One reason this is important, however, is that it changes the stakes for reauthorization of Section 215. If the FBI considers this mission critical, it means activists should account for this collection when they consider the leverage they have in debates moving forward.
Back during John Brennan’s confirmation process, I noted he got zero questions about cybersecurity, in spite of the fact that that is a big part of the portfolio of the White House Homeland Security Czar (as has been made evident by Lisa Monaco’s central role in the Sony hack response).
Since then, John Brennan permitted his subordinates to hack the email accounts supposedly designated for the Senate Intelligence Committee’s designated use.
Those are both reasons you should be concerned by the news that — as part of a larger “subject matter” reorganization of CIA, Brennan wants to hack.
U.S. officials said Brennan’s plans call for increased use of cyber capabilities in almost every category of operations — whether identifying foreign officials to recruit as CIA informants, confirming the identities of targets of drone strikes or penetrating Internet-savvy adversaries such asthe Islamic State.
Several officials said that Brennan’s team has even considered creating a new cyber directorate — a step that would put the agency’s technology experts on equal footing with the operations and analysis branches that have been pillars of the CIA’s organizational structure for decades.
All the more so given that neither all of the Intelligence Committees nor NSA’s leadership knows what Brennan is up to.
Brennan provided only broad outlines of his plan in recent congressional meetings that excluded all but the four highest-ranking members of the House and Senate intelligence panels. A senior U.S. intelligence official said that some senior NSA executives remain in the dark on Brennan’s cyber ambitions.
But then, if all of SSCI knew what Brennan was up to, I guess it’d be harder for him to hack them in the future.
Judge Jeffrey White, who has been presiding over the EFF’s challenges to warrantless wiretapping since Vaughn Walker retired, just threw out part of Carolyn Jewel’s challenge to the dragnet on standing and state secrets ground (h/t Mike Scarcella).
Based on the public record, the Court finds that the Plaintiffs have failed to establish a sufficient factual basis to find they have standing to sue under the Fourth Amendment regarding the possible interception of their Internet communications. Further, having reviewed the Government Defendants’ classified submissions, the Court finds that the Claim must be dismissed because even if Plaintiffs could establish standing, a potential Fourth Amendment Claim would have to be dismissed on the basis that any possible defenses would require impermissible disclosure of state secret information.
White also does what no self-respecting judge should ever do: cite Sammy Alito on Amnesty’s “speculative” claims about Section 702 collection in Amnesty v. Clapper, which have since been proven to be based off false government claims.
In Clapper, the Court found that allegations that plaintiffs’ communications were intercepted were too speculative, attenuated, and indirect to establish injury in fact that was fairly traceable to the governmental surveillance activities. Id. at 1147-50. The Clapper Court held that plaintiffs lacked standing to challenge NSA surveillance under FISA because their “highly speculative fear” that they would be targeted by surveillance relied on a “speculative chain of possibilities” insufficient to establish a “certainly impending” injury.
Also along the way, White claims the plaintiffs had made errors in their depiction of the upstream dragnet.
But I’m fairly certain he has done the same when he claims that only specific communications accounts can be targeted under both PRISM and upstream Section 702 collection.
Once designated by the NSA as a target, the NSA tries to identify a specific means by which the target communicates, such as an e-mail address or telephone number. That identifier is referred to a “selector.” Selectors are only specific communications accounts, addresses, or identifiers. (See id; see also Privacy and Civil Liberties Oversight Board Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“PCLOB Report”) at 32-33, 36.)
Indeed, his citation to PCLOB doesn’t support his point at all. Here are what I guess he means to be the relevant sections.
The Section 702 certifications permit non-U.S. persons to be targeted only through the “tasking” of what are called “selectors.” A selector must be a specific communications facility that is assessed to be used by the target, such as the target’s email address or telephone number.113 Thus, in the terminology of Section 702, people (non-U.S. persons reasonably believed to be located outside the United States) are targeted; selectors (e.g., email addresses, telephone numbers) are tasked.
Because such terms would not identify specific communications facilities, selectors may not be key words (such as “bomb” or “attack”), or the names of targeted individuals (“Osama Bin Laden”).114 Under the NSA targeting procedures, if a U.S. person or a person located in the United States is determined to be a user of a selector, that selector may not be tasked to Section 702 acquisition or must be promptly detasked if the selector has already been tasked.115
The process of tasking selectors to acquire Internet transactions is similar to tasking selectors to PRISM and upstream telephony acquisition, but the actual acquisition is substantially different. Like PRISM and upstream telephony acquisition, the NSA may only target non-U.S. persons by tasking specific selectors to upstream Internet transaction collection.131 And, like other forms of Section 702 collection, selectors tasked for upstream Internet transaction collection must be specific selectors (such as an email address), and may not be key words or the names of targeted individuals.132
First of all, unless they’ve changed the meaning of “such as” and “for example,” PCLOB’s use of email and telephone numbers is not exhaustive (though it does mirror the party line witnesses before PCLOB used, and accurately reflects PCLOB’s irresponsible silence on the use of 702 — upstream and downstream — for cybersecurity, even after ODNI has written publicly on the topic). Indeed, the NSA uses other selectors, including cyberattack signatures, in addition to things more traditionally considered a selector.
And given the government’s past, documented, expansion of the term “facility” beyond all meaning, there’s no reason to believe the government’s use of “use” distinguishes appropriately between participants in communications.
Ah well, all that discussion probably counts as a state secret. A concept which is getting more and more farcical every year.
Update: Clarified to note this is only partial summary judgment.
A fresh spin on insider trading also made news this week, when the SEC filed a lawsuit against two Capital One fraud investigators who made 1800 percent on their investment over three years, based on their use of a Capital One credit card user database.
The two investigators, Bonan Huang and Nan Huang, grew an investment of $147,300 to $2.8 million based on thousands of searches across a database comprised of credit card customer transactions. Noting the volume of use of credit cards at a particular fast food company, they bought and traded the company’s stock based on this data.
Over time they made similar stock trades based on transactional volume and other publicly available news about three different companies.
Had the database been one for sale by a company rather than their employer’s proprietary database, the Huangs would have been lauded as investment rock stars. But because the method they used “misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information,” the two men are being sued for insider trading.
The Huangs’ trading experience gives pause when one considers the value of metadata, and of the data breach at JP Morgan Chase this past year.
Metadata can offer a volume of transactional activity, though it will not disclose the value of a transaction. Imagine smartphones indicating they are being used at particular devices – point-of-sale devices – at any retailer, from fast food to hard lines. An uptick in overall activity at a specific retailer indicates greater volume of business, the data fresher than that reported in a 10-Q report filed publicly with the SEC. What could an investor do with this kind of data? One could imagine success not much different than the Huangs experienced, provided they also understood other publicly available information about the retailers under observation. →']);" class="more-link">Continue reading
Bob Litt is giving a speech. In it he described what “serious crimes” FBI can use 702-derived information to investigate and prosecute. They include:
Can use for 702: Crimes involving death, kidnapping, bodily harm, v minor, infrastructure, cybersecurity, transnational crimes.
Both cybersecurity and infrastructure are big, and potentially egregiously interpreted. They surely can include a whole slew of innocent protestors who are deemed a threat to things like fracking or city infrastructure.
But also, if FBI can use 702 to investigate “transnational crime” then why isn’t Jamie Dimon in prison?
As noted, Ron Wyden used Eric Holder’s imminent departure as an opportunity to point to some secrets that he believes should be told. One of those pertains to what the 2003 OLC opinion on common commercial service agreements refers to.
Second, I have written to you on multiple occasions about a particular legal opinion from the Justice Department’s Office of Legal Counsel (OLC) interpreting common commercial service agreements. As I have said, I believe that opinion is inconsistent with the public’s understanding of the law, and should be withdrawn. I also believe that this opinion should be declassified and released to the public, so that anyone who is party to one of these agreements can consider whether their agreement should be revised or modified.
In her December 2013 confirmation hearing to be General Counsel of the CIA, the deputy head of the OLC stated that she would not rely on this opinion today. While I appreciate her restraint, I believe the wisest course of action would be for you to withdraw and declassify this opinion, so that other government officials are not tempted to rely on it in the future. I urge you to take these actions as soon as practicable, since I believe it will be difficult for Congress to have a fully informed debate on cybersecurity legislation if it does not understand how these agreements have been interpreted by the Executive Branch.
As I laid out in October 2013, Wyden has been trying to liberate this memo since before summer 2012, and he has (as he now is doing) renewed his request every time cybersecurity bills come up (and then some).
Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”
That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.
Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked againon September 26.
Since then, we’ve learned that the memo dates to 2003, and was a matter of first impression when it was written.
I’ve been writing about this memo since 2013, but I don’t have the legal support to FOIA something DOJ is obviously pretty embarrassed about.
But why hasn’t big tech? Why haven’t other companies that sign common commercial service agreements? Why hasn’t some lawyered up company — or lawyered up trade group — sued for this thing, as it clearly may affect their businesses?
Or would they just rather prefer not to know?
The NYT has a story describing the rise of the North Korean 6,000-strong hacking unit, which (the story explains) the NSA has been watching closely since 2010.
Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.
A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.
It goes on to explain why, in spite of having beacons throughout North Korea’s network, it didn’t warn Sony.
The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials.
But those attacks did not look unusual. Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.
It even suggests that Clapper knew about North Korea’s “capabilities” even as he was having dinner with the guy in charge of it (though it does not say whether he knew about this hack).
“Because of the sensitivities surrounding the effort” to win the Americans’ release, Mr. Hale said, “the D.N.I. was focused on the task and did not want to derail any progress by discussing other matters.” But he said General Clapper was acutely aware of the North’s growing capabilities.
For the moment, I’ll set aside whether this is convincing (parts of the story — such as that North Korea’s hackers trained in China and now target China) don’t add up.
But I did want to point out two things. First, NYT relies on a document liberated by Snowden to bolster its case. It’s not clear how well it actually does bolster the case: it shows the NSA piggybacking on South Korean efforts in 2007, and then setting its own beacons. It provides a different timeline and doesn’t say how extensively the US has infiltrated North Korea. In any case, though, it is a Snowden document the secret cyber sources finally love, one that backs their immediate claims.
Finally, note what else this says: this is another example where we have intelligence but aren’t using it not because of information sharing rules, but because we’re too inattentive to make use of it. This will be useful when Congress tries to pass CISPA because of Sony.
I noted the other day how centrally James Clapper foregrounded his recent trip to North Korea in his discussion of the alleged North Korean hack of Sony. Now that the transcript is up, I see the trip was even more central in his discussion than reports had indicated. After noting that Jim Comey (whom he called “the senior expert on the investigative side of cybersecurity”) and Admiral Mike Rogers (whom he called “the senior expert on how cybersecurity ops actually happen”) would say more in following speeches, Clapper launched into a description of his trip, as if it were central to the discussion of the hack.
I’m not an expert on cyber. I guess that’s a way of saying I’m going to refer technical questions to the real experts here.
So, I was trying to think through what my contribution to this conference could possibly be. Well, I recently traveled to North Korea (and back, happily). So I thought I’d talk about that. [delayed laughter]
Yes, that’s a joke. [laughter] I learned from Father McShane that this crowd needs cuing. [laughter, applause]
I’ll talk about that and how it applies to this week’s conversation about cyber, given the Sony hack.
The first question I always get about the trip is: “Why you?” As in, “Why on earth would we send the DNI, the director of national intelligence, especially this DNI, on a diplomatic mission to get two American citizens who were imprisoned in North Korea?”
Why would they send me? The truth is, the mission had been in the works for quite a while.
I find it interesting that Clapper described such a lead-up to the meeting. At the time, it was much more closely tied to the October 21 release of Jeffrey Fowle (though that, too, could have been in the works for months).
North Korea wanted an active member of the National Security Council and a cabinet level official to come and to bring a letter from President Obama.
Note Clapper describes North Korea’s goal was that he “bring a letter” from President Obama. I find that notable given the reporting at the time about that letter — and Clapper’s unwillingness to read it during his press blitz about it.
The White House knows I’ve had a long history of working Korean issues, since I served as chief of intelligence for U.S. Forces in Korea in the mid-‘80s. So the White House put my name forward to the DPRK, the Democratic People’s Republic of Korea as they call themselves, government in Pyongyang. And I think we were all surprised, to include me, when they agreed. That’s how and why I was picked to go.
Actually, I thought the New York Times had a better explanation: Clapper is “Gruff, blunt-speaking and seen by many as a throwback to the Cold War.” [laughter]
“An unlikely diplomat, but perfect for the North Koreans.” [laughter]
Clapper is adopting the NYT’s description to pitch this as a Cold War, even though reporting at the time suggested relations with North Korea might be improving.
That’s the nicest thing the New York Times has ever written about me. [laughter, applause]
After that jokey beginning, Clapper took a long diversion to talk about how to prevent hacks and to provide some characterization of our adversaries online. Which brought him back to his discussion of the alleged North Korea hack, presented in contradistinction to what Clapper claimed was China’s objective — to break into networks to steal data that would allow it to surpass the US economically (which I don’t believe fully describes their motives or their actions).
That’s China’s primary motivation: to catch up to and then surpass Western industrial and defense capabilities and to eventually pass by the U.S. economy.
From there, Clapper claims, dubiously, that the Sony hack was the most damaging hack in the US, presenting it as stemming from an “entirely different philosophy” than he ascribes to China.
The Chinese are focused on those goals; whereas the recent cyber attack from North Korea, which by the way is the most serious cyber attack ever made against U.S. interests with potentially hundreds-of-millions of dollars and counting in damages, was driven by an entirely different philosophy.
He then launches into his own representation of North Korea as the quintessential totalitarian society, where people do mundane, labor-intensive jobs (which could be said about many countries) and where people “don’t show any emotion,” where they don’t even converse or laugh.
So, back to the weekend trip I took, which was exactly two months ago today. We flew into Pyongyang, the capital city, on Friday evening, the seventh of November. And the first thing that struck me was just how dark the city and airport were, just completely dark. We damaged a tire on the plane while taxiing in the dark, because of the poor construction of the taxiways and runways at Sunan airport.
Then, when I saw the city on Saturday, I was expecting to see drab clothes and lack of modern tools, people walking to get around, people sweeping and doing similar, mundane, labor-intensive jobs. And those expectations were met, from what I saw of Pyongyang. But I was also struck by how impassive everyone was. They didn’t show any emotion. They didn’t stop to greet each other, didn’t nod hello, and we didn’t see anyone conversing or laughing. They were just going about their business, going wherever they were going. It was almost automaton like. It was eerie.
This is James Clapper the dystopian novelist, depicting what he saw in less than 24 hours of being exposed to those whom North Korea permitted to be exposed to America’s top spy. Which Clapper then contrasts with the pleasure enjoyed by North Korea’s Generals (I’m curious how recently Clapper has considered how our menial labors’ public lives would contrast with top Generals’ festive dinners?).
And the plight of the citizens of Pyongyang stood in solemn contrast to the dinner I had the previous night, Friday the seventh, an elaborate 12-course Korean meal. Having spent time in Korea, I consider myself somewhat a connoisseur of Korean food, and that was one of the best Korean meals I’ve ever had. Unfortunately, the company was not pleasurable.
By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators like Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.
That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.
But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community is so certain North Korea, the country, did the Sony hack.
Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).
You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”
Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.
We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.
Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.
Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.
The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.
And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.
That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]
Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.
IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.
Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.
But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.
He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.
However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture - Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).
I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.
Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.
Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.
But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?