Three Things: This Matin, Think Latin

I have three things cluttering up my notes — just big enough to give pause but not big enough for a full post. I’ll toss them out here for an open thread.

~ 3 ~
Aluminum -> Aeronautics -> Stock Market and Spies
I’ve spent quite a while researching the aeronautics industry over the past couple of years, trying to make sense out of a snippet in the Buryakov spy case indictment. The three spies were at one point digging into an aeronautics company, but the limited amount of information in the indictment suggested they were looking at a non-U.S. company.

You can imagine my surprise on December 6, 2016, when then-president-elect Trump tweeted about Boeing’s contract for the next Air Force One, complaining it was too expensive. Was it Boeing the spies were discussing? But the company didn’t fit what I could see in the indictment, though Boeing’s business is exposed to Russia, in terms of competition and in terms of components (titanium, in particular).

It didn’t help that Trump tweeted before the stock market opened and Boeing’s stock plummeted after the opening bell. There was plenty of time for dark pool operators to go in and take positions between Trump’s tweet and the market’s open. What an incredible bonanza for those who might be on their toes — or who knew in advance this was going to happen.

And, of course, the media explained this all away as Trump’s “Art of the Deal” tactics, ignoring the fact he wasn’t yet president and he was renegotiating the terms of a signed government contract before he took office. (Ignoring also that this is not much different than renegotiating sanctions before taking office…)

I was surprised again only a couple weeks later about Boeing and Lockheed; this time I wasn’t the only person who saw the opportunity, though the timing of the tweet and market opening were different.

Again, the media took note of the change in stock prices before rolling over and playing dead before the holidays.

There have been a few other opportunities like this to “take advantage of the market,” though they are a bit more obscure. Look back at the NYSE and S&P trends whenever Trump has tweeted about North Korea; if one knew it was coming, they could make a fortune.

A human would only need a gap as long as that between a Fox and Friends mention of bad, bad North Korea and a corresponding Trump tweet to make the play (although one might have to watch that vomit-inducing program to do this). An algorithm monitoring the FaF program and Trump’s tweets would need even less time.

Yesterday was somebody’s platinum opportunity even if Trump was dicking around with U.S. manufacturers (including aeronautics companies) and global aluminum and steel producers. His flip-flop on tariffs surely made somebody beaucoup bucks — maybe even an oligarch with a lot of money and a stake in one of the metals, assuming he knew in advance where Trump was going to end up by the close of the market day. The market this morning is still trying to make sense of his ridiculous premise that trade wars are good and winnable; too bad the market still believes this incredibly crappy businessman is fighting a war for U.S. trade.

Just for the heck of it, go to Google News, search for [trump tariffs -solar], look for Full Coverage, sort by date and not relevance. Note how many times you see Russia mentioned in the chronologically ordered feed — mine shows exactly zero while China, Korea, Germany are all over the feed. I sure hope somebody at the SEC is paying as much attention to this as cryptocurrency.

I suppose I have to spell this out: airplanes are made of aluminum and steel, capisce?

~ 2 ~
Italian Son
One niggling bit from Glenn Simpson’s testimony for Fusion GPS before the Senate Intelligence Committee has stuck with me. I wish I could time travel and leave Simpson a note before testimony and tell him, “TELL US WHAT YOU SEE, GLENN!” when he is presented with Paul Manafort’s handwritten notes. The recorder only types what was actually said and Glenn says only the sketchiest bit about what he sees. Reading this transcript, we have only the thinnest amount of context to piece together what he sees.

Q. Do any of the other entries in here mean anything to you in light of the research you’ve conducted or what you otherwise know about Mr. Browder?

A. I’m going to — I can only speculate about some of these things. I mean, sometimes —

MR. LEVY: Don’t speculate.

A. Just would be guesses.

Q. Okay.

A. I can skip down a couple. So “Value in Cyprus as inter,” I don’t know what that means. “Illici,” I don’t know what that means. “Active sponsors of RNC,” I don’t know what that means. “Browder hired Joanna Glover” is a mistaken reference to Juliana Glover, who was Dick Cheney’s press secretary during the Iraq war and associated with another foreign policy controversy. “Russian adoptions by American families” I assume is a reference to the adoption issue.

Q. And by “adoption issue” do you mean Russia prohibiting U.S. families from adopting Russian babies as a measure in response to the Magnitsky act?

A. I assume so.

Bold mine, to emphasize the bit which has been chewing away at me. “Illici” could be an interrupted “illicit”; the committee and Simpson use the word or a modifier, illicitly, eight times during the course of their closed door session. It’s not a word we use every day; the average American Joe/Josie is more likely to use “illegitimate” or the even more popular “illegal” to describe an unlawful or undesirable action or outcome.

(I’m skeptical Manafort was stupid enough to begin scratching out “illicit” and catch himself in time, but then I can’t believe how stupid much of this criminality has been.)

But the average American Joe/Josie doesn’t travel abroad, speak with Europeans often, or speak second languages. The average white Joe/Josie may be three or more generations from their immigrant antecedents.

Not so Mr. Manafort, who is second generation Italian on both sides of his family. He may speak some Italian since his grandfather was an immigrant — and quite likely Catholic, too. Hello, Latin masses in Italian American communities.

Did Manafort mean “illici,” a derivative of Latin “illicio,” which means to entice or seduce? Or was it a corrupted variant of Latin “illico,” which means immediately?

Or is Manafort a bad speller who really meant either “elici”, “elicio,” or “elicit,” meaning to draw out or entice?

Like Simpson’s, these are just guesses. Only Manafort really knows and I seriously doubt he’ll ever tell what he meant.

~ 1 ~
If you haven’t checked your personal online privacy and cybersecurity recently, give Privacy Haus’s checklist a look. Nearly all of the items I’ve already addressed but I tried one of the items suggested as a fix to an ongoing challenge. Good stuff!

~ 0 ~
That’s it, have at it in this open thread! One last thing: if you didn’t read Marcy’s op-ed, Has Jared Kushner Conspired to Defraud America? in Wednesday’s NYT, you should. You’re going to need it as part of a primer going forward.

NBC’s Broken Story about Mueller Charging the DNC Hackers

NBC has a BROKEN story reporting that Robert Mueller is contemplating charges against the people who carried out the hack of the DNC (and other targets) in 2016.

Special Counsel Robert Mueller is assembling a case for criminal charges against Russians who carried out the hacking and leaking of private information designed to hurt Democrats in the 2016 election, multiple current and former government officials familiar with the matter tell NBC News.

Much like the indictment Mueller filed last month charging a different group of Russians in a social media trolling and illegal-ad-buying scheme, the possible new charges are expected to rely heavily on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS), several of the officials say.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously. Sources say he has long had sufficient evidence to make a case, but strategic issues could dictate the timing. Potential charges include violations of statutes on conspiracy, election law as well as the Computer Fraud and Abuse Act. One U.S. official briefed on the matter said the charges are not imminent, but other knowledgeable sources said they are expected in the next few weeks or months. It’s also possible Mueller opts not to move forward because of concerns about exposing intelligence or other reasons — or that he files the indictment under seal, so the public doesn’t see it initially.

As they have frequently of late, they misunderstand the story they’re telling. They misunderstand this sentence, entirely.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously.

It’s not news, at all, that DOJ was considering charges against those who carried out the hack. Nor is it news that DOJ had enough evidence to charge people in it.

Here’s what WSJ reported on those two topics in November, almost exactly four months ago.

The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

[snip]

The pinpointing of particular Russian military and intelligence hackers highlights the exhaustive nature of the government’s probe. It also suggests the eagerness of some federal prosecutors and Federal Bureau of Investigation agents to file charges against those responsible, even if the result is naming the alleged perpetrators publicly and making it difficult for them to travel, rather than incarcerating them. Arresting Russian operatives is highly unlikely, people familiar with the probe said.

So: not news that DOJ had pinpointed Russians responsible, not news they were planning on charges “next year” last year, which would mean, “this year” this year.

What is news is that this reporting from the WSJ report is no longer operative.

Federal prosecutors and federal agents working in Washington, Pittsburgh, San Francisco and Philadelphia have been collaborating on the DNC investigation. The inquiry is being conducted separately from Special Counsel Robert Mueller’s investigation of alleged Russian meddling in the 2016 election and any possible collusion by President Donald Trump’s associates.

[snip]

The Justice Department and FBI investigation into the DNC hack had been under way for nearly a year, by prosecutors and agents with cyber expertise, before Mr. Mueller was appointed in May. Rather than take over the relatively technical cyber investigation, Mr. Mueller and the Justice Department agreed that it would be better for the original prosecutors and agents to retain that aspect of the case, the people familiar with the Justice Department-FBI probe said. [my emphasis]

Mind you, we’ve since learned that Ryan Dickey got added to Mueller’s team … oh, in November. And contrary to what NBC says about the heavy reliance, in the Internet Research Agency indictment, “on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS),” it really wasn’t all that sophisticated from a cybersecurity standpoint. Especially not once you consider the interesting forensics on it (aside from IDing the IRA’s VPNs) would have come from Facebook and Twitter.

You don’t need Dickey’s talents for the IRA indictment. You need him for something that is technical.

I’ll leave it for you to consider what it means that Mueller subsumed this part of the investigation even as WSJ was reporting he wasn’t going to do that. I’ll leave you to consider, too, what it means that they brought in a prosecutor with the ability to try these things.

But understand that the news here is not that DOJ is contemplating indicting the people behind the DNC hack. WSJ already scooped that story. It’s that Mueller, not prosecutors in Pittsburgh, San Francisco and Philadelphia, is going to charge it.

What Lies Beneath the Gates

[NB: Note the byline; this post is speculative. /~Rayne]

It’s amazing what a simple internet search can reveal. Take, for instance, a search using the rather innocuous parameters, [“rick gates” iii “press release”].

A little scrolling and presto — some interesting things surface.

Did you know that Rick Gates had served on the board of ID Watchdog, a “consumer-facing identity theft protection and resolution services” firm for use in safeguarding personal credit? But that’s not the entire story; take a look at this timeline:

2010 — Gates, along with his business partner Paul Manafort, worked as an unregistered agent for Victor Yanukovych (who would take office as Ukraine’s president in 2010) and Yanukovych’s political parties. Gates and Manafort represented Yanukovych from at least 2006 through 2015, laundering Yanukovych’s payments through scores of U.S. and foreign entities and bank accounts, using foreign nominee companies and bank accounts created/opened by them and their accomplices in nominee names and in various foreign countries (see DOJ’s indictment dated 27-OCT-2017).

19-APR-2011 — Gates joined the board of publicly-listed credit monitoring firm ID Watchdog. Gates bio from the press release:

Mr. Gates has over 15 years of international political, finance and business development experience working for multinational firms. Currently, he is the managing partner of Pericles LP, a private equity fund, that focuses on technology, infrastructure, and real estate targets. Much of his work focuses on investment, business development and deal structures in Europe.

Mr. Gates has worked on several US presidential campaigns and has participated in many international political campaigns in Europe and Africa. Mr. Gates graduated with a M.A. in Public Policy from George Washington University and a B.A. in Government from The College of William & Mary. He also completed the Executive Management Programme in Brussels and London.

26-JUL-2011 — 2010 tax filing (assume Gates filed his taxes on/about this time in the absence of confirmation by image of tax return); a fraudulent tax return was filed.

11-OCT-2012 through 14-OCT-2015 — Gates under-reported his income, filing fraudulent tax returns during this period which did not reflect the full amount of payments from Yanukovych and his parties. Gates also did not file Foreign Bank and Financial Accounts (FBAR) reports disclosing offshore bank accounts from which cash was wired after being laundered through numerous shell businesses.

21-JUN-2016 — When Paul Manafort was elevated by Donald Trump to campaign chair after firing Corey Lewandowski, Gates worked as Manafort’s deputy. He would remain deputy after Manafort resigned on August 19.

09-NOV-2016 — Gates stepped down from his role at ID Watchdog, a day after the 2016 presidential election. He then became deputy chairman of the inaugural committee.

??-DEC-2016 — A security researcher notified credit reporting company Equifax that an employee portal was open to the internet and vulnerable.

07-MAR-2017 — A patch was issued for the Apache Struts (CVE-2017-5638) vulnerability.

??-MAR-2017 — Equifax was hacked for the first known time; it contacted Mandiant for assistance. It did not notify the government or consumers.

…the company said it experienced a security incident involving a payroll-related service during the 2016 tax season earlier this year. Equifax said the incident was reported to customers, affected individuals and regulators.

??-JUN-2017 — Equifax closed the vulnerable employee portal.

16-JUN-2017 — ID Watchdog announced it had agreed to be acquired by Equifax.

13-MAY/30-JUL-2017 — From Equifax’s press release dated September 15:

Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.

29-JUL-2017 — Date on which Equifax’s CEO said the breach was first noticed.

01/02-AUG-2017 — Four Equifax executives who sold a combined $2 million in company stock over these two days claimed they did not know about the breach at the time they traded their shares.

02-AUG-2017 — Equifax contacted Mandiant to conduct a forensic investigation into the breaches. The fourth of four Equifax executives sold a portion of his company stock on the same day.

10-AUG-2017 — Equifax announced it had acquired ID Watchdog.

07-SEP-2017 — Equifax notified the public that it had been breached and that 145.5 million consumers’ credit data had been exposed.

18-SEP-2017 — Equifax’s earlier breach in March was made public.

27-SEP-2017 — Consumer Financial Protection Bureau’s then-Director Richard Cordray said regulators would be embedded within credit reporting companies to prevent future breaches of consumers’ data.

15-OCT-2017 — About this time, local news reported Gates was still working for Tom Barrack, CEO of Colony Capital and a member of the Presidential Council of Economic Advisers, prior to the indictment.

27-OCT-2017 — Gates was indicted for the first time.

15-NOV-2017 — Cordray stepped down as CFPB’s director.

25-NOV-2017 — Trump named Office of Management and Budget director Mick Mulvaney to succeed Cordray, holding the two offices concurrently.

18-JAN-2018 — Mulvaney allotted zero dollars for CFPB in the federal budget.

05-FEB-2018 — Mulvaney “pulled back from a full-scale probe” into Equifax’s breach.

This chain of events raises so many questions.

— Why Gates? Of all the people a public-listed company like ID Watchdog could pick, why this particular person with weak credentials in technology, let alone identity management or credit monitoring? Does Gates have a special relationship to ID Watchdog in some way?

— As a board member, what kind of access did Gates have to ID Watchdog’s systems? Did ID Watchdog have any ties or links to Equifax before the breaches?

— Did ID Watchdog provide any services to Gates — and possibly his partner, Paul Manafort — related to identity validation and monitoring? Did Gates acquire his second passport while serving on ID Watchdog’s board? What of his partner Manafort, who had at least 10 passports and possibly more identities?

— If ID Watchdog provided services to Gates, did any of Gates’ many bank accounts ever trigger alerts?

Gates “frequently changed banks and opened and closed bank accounts,” prosecutors said. In all, Gates opened 55 accounts with 13 financial institutions, the prosecutors’ court filing said. Some of his bank accounts were in England and Cyprus, where he held more than $10 million from 2010 to 2013.

— Doesn’t it seem odd Gates would serve on the board of an identity-monitoring firm located in Denver, CO while he was working frequently on lobbying-related contracts overseas and on the Trump campaign? Was he compensated by ID Watchdog and was this income reported accurately on tax filings?

— Did Equifax begin acquisition negotiations with ID Watchdog before or after Gates’ departure from the board? If before, did Gates play any role in the negotiations? Or does the timing of the acquisition simply look bad because of the breaches?

— Did Mick Mulvaney pull back on the CFPB’s investigation and oversight measures into Equifax as well as the other credit reporting bureaus to prevent any review of Trump campaign or administration members’ relationships with Equifax, or their data reported by Equifax and ID Watchdog? Did Mulvaney suppress the Equifax investigation and starve CFPB because he’s a misogynist ass and just wants to be a dick to Senator Elizabeth Warren? Or did Mulvaney merely toss ethics in his handling of CFPB including the Equifax investigation as payback for campaign contributors when he represented South Carolina as a congressman?

Perhaps it’s simply an interesting coincidence that a former Trump campaign team member who has been charged with multiple counts of bank and tax fraud, just happened to sit on ID Watchdog’s board of directors while he committed aforementioned fraud.

Maybe it’s just a weird quirk of fate that Equifax bought ID Watchdog around the same time it was being hacked a second time, potentially exposing Rick Gates’ credit records (and Paul Manafort’s) along with those of +145.5 million other consumers.

But it seems a massive stretch for us not to look a little further when Trump’s OMB director commits the CFPB to a slow death by budgetary starvation before icing the Equifax investigation and ID Watchdog’s role along with it.

Government Won’t Be Able to Hide Its Informant in MalwareTech Case

While Paul Manafort was busy getting charged with 32 new charges (more on that tomorrow), I was in Milwaukee at a motion hearing in MalwareTech (Marcus Hutchins’) case.

Hutchins was asking for five things from the government:

  1. More information on his surveillance in Vegas, partly to challenge the claim he wasn’t drunk or exhausted when he waived Miranda rights, partly to understand whether he really understood how Miranda works in the US, and partly for probably unstated other reasons
  2. Information on Tran, his co-defendant, who remains at large in some other country, that he would have gotten if Tran were in custody facing the same charges with Hutchins
  3. More information on “Randy,” the informant who provided chat logs and a copy of the Kronos malware while trying to proffer his way out of his own cyber-crimes
  4. The instructions provided to the grand jury, to see if the importance of intentionality to the charges was properly emphasized
  5. Both the MLAT request used to get information on Tran and the search warrant used to search Randy’s home

Here are my pieces on the motion, the government’s response, and Hutchins’ reply.

At Thursday’s hearing, Judge Nancy Johnson made the following decisions:

  1. Based on the government’s representation that it had no more information on surveillance of Hutchins, she denied that motion barring any further evidence that it exists (though she did make the prosecution check again to make sure there weren’t text messages between Agents)
  2. Based on the government’s representation that there was nothing Hutchins would get about Tran were he in custody that he hasn’t already gotten, she denied that without prejudice
  3. Required the government to provide “Randy’s” identity 30 days before trial
  4. Took the request for grand jury instructions under advisement
  5. Denied the request for the search warrant for “Randy’s” house, but asked for more briefing on other cases pertaining to MLAT requests

While the discussion about materials pertaining to Tran was uninteresting, my comments about the other requests follow:

What surveillance happens in Vegas stays in Vegas

Much of this discussion pertained to clarifications that the defense wasn’t looking for the FBI Agents’ lunch place recommendations, though Hutchins’ lawyer Brian Klein said he’d take them if he got them. Klein admitted, however, that they want the surveillance materials, in part, because they think the government intentionally waited to arrest Hutchins until after he had been partying with other hackers for a week. “[W]e have our reasons to believe they arrested him at very end of Vegas trip, there was maybe a very pointed reason to believe they chose to wait until the end.” Note, I’m not sure they’re after (just) the exhaustion of DefCon, or even the government’s desire to hold off a real rebellion had they arrested Hutchins just as everyone was arriving in Las Vegas.

The government claims it only has active surveillance from July 26, and August 2, as he headed for the airport. Prosecutor Michael Chmelar described the July 26 date as Hutchins’ arrival, though I think that’s incorrect as I noted here.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

Chmelar also seemed to describe a discussion about “certain preparations put in place if he did travel to the US,” which is curious given that Hutchins was publicly talking about his trip to Vegas for some time, and given the apparently weird start date of the surveillance. Chmelar also described, for the first time, a 302 on his unrecorded comments on the way to the detention facility. Chmelar made it clear that they want to force Hutchins to take the stand if he’s going to challenge his Miranda warning.

One more comment about this: Black Hat and DefCon are among the most spooked up conventions going. There would have been tons of law enforcement types wandering around unassociated with Hutchins, specifically. Would he get any surveillance from those guys?

FBI finally dug through its AlphaBay loot to find materials supporting a six month old arrest

Hutchins’ co-defendant, Tran, allegedly sold the Kronos malware at issue on AlphaBay. FBI, working with international partners (and probably using the Tor exception), took AlphaBay down on July 20, even before Hutchins’ arrest, and immediately started using those materials to prosecute crimes that, unlike Hutchins’ alleged crime, have actual American victims.

Out of the “several hundred” investigations cited by Phirippidis, other publicly known active US prosecutions arising out of AlphaBay sales involve clear American victims and perpetrators: a person in California suspected of paying an Israeli teenager to phone and email bomb threats to Jewish Community Centers around the country; a group that fulfilled over 78,000 marijuana orders over the last two years, making them the largest vendor on AlphaBay; a transaction that led to the fentanyl overdose death of an 18-year old girl in Oregon; another transaction that led to a fentanyl overdose death, this time of a 24-year old Orlando woman; a fentanyl vendor suspected of making over $120,000 in profits who is tied to a non-lethal overdose; an investigation out of Atlanta into a still unidentified American who worked for AlphaBay. Other, earlier prosecutions include the sales of heroin, fentanyl, and marijuana laid out in the indictment of AlphaBay’s head, Alexandre Cazes.

In Chmelar’s explanation that the government really doesn’t have any materials on Tran, he revealed what he (incorrectly) thought had been revealed in the government response: an unencrypted copy of AlphaBay material pertaining to the Kronos sale “just became available,” and they have put in a request for the material. “If anything is produced in that request,” Chmelar said he’d turn it over.

Again, the lackadaisical approach to establishing evidence of the sale of Kronos as compared to other AlphaBay prosecutions suggests the sale of Kronos really wasn’t that big of a priority.

As Klein noted, the government had spent three pages of their response arguing that Hutchins couldn’t have any material pertaining to Tran; at the hearing Chmelar represented nothing existed. Based on that representation, Johnson denied any further discovery.

“Randy” is not just a tipster

Michael Chmelar is a well-spoken guy. But he stumbled a lot, umming and uhing, during his discussion of “Randy,” the government informant who reportedly had chats with Hutchins about Kronos.

He received Kronos from Mr. Hutchins, before he was acting as a government, um um, source, we’ve produced the malware that was received. As Mr. [Benjamin] Proctor and I noted, if we determine that uh this individual would be called as a witness, we would disclose him as district court requires.

The government really, really wants to hide certain details about “Randy” (and as Chmelar admitted, the 302 in which he proffered up Hutchins and others includes pages and pages of redacted details of “Randy’s” own crimes).

As Johnson pointed out, even if the government uses Hutchins’ own statements to admit “Randy’s” testimony, Hutchins’s team can decide to call “Randy” themselves.

In any case, while she said “Randy” wasn’t fully a transactional witness, he is closer to that than to the tipster the government is claiming. So while the defense won’t get his identity, yet, they will before trial.

The government seems to have dropped its enthusiasm for a superseding indictment

Hutchins wants the instructions given to the grand jury because two of the charges don’t include the necessary language about the required intentionality. Chmelar used one of the charges, where in parallel ones in the indictment the intentionality language is correct, to suggest this was just a scrivener’s error — something he could disappear away with a stipulation — to suggest both were. But Klein argued “These are not just little nits or typos, it goes to mens rea, [Hutchins’] alleged mental state.”

There was also an interesting subtext about whether the grand jury instructions exist. Chmelar claimed that normally he doesn’t instruct the grand jury. Klein noted the government had claimed, ‘We’re not required to instruct them.’ “Well, they did.” And it seems that Chmelar did, indeed, admit that the jury had gotten instructions on this point (I’d have to look at the transcript to make sure).

Ultimately, Johnson said she’d take the request under advisement and do more research on what constituted a compelling need to obtain grand jury instructions, but wouldn’t rule until the defense submitted their challenges to the indictment.

But what was just as interesting about this discussion is that, whereas previously there had been discussion about the government obtaining a superseding indictment (perhaps to lard on charges that might be easier to defend), Chmelar seemed unenthused about doing so here.

The government continues to insist documents sent to other countries are internal documents

Because privacy rights are not transitive in the United States (meaning, the Fourth Amendment only protects the privacy of the person whose premises are being searched, not those who might be implicated by the search), Hutchins is not going to get the search warrant for “Randy’s” house that led to the discovery of chat logs involving Kronos.

But the question of whether he’ll get the MLAT request to whatever foreign country had information on his co-defendant, Tran (but may not be arresting him), is still a matter Johnson is weighing. The government at first argued that they didn’t have to turn over the request because it was written by lawyers, not law enforcement officers. In the hearing, Chmelar defended withholding the request because the request, which was sent to a foreign country, was an internal document.

Both sides will submit more caselaw on when and whether such requests get turned over (and the open file discovery here may make turning it over more likely).

2018 Senate Intelligence Global Threat Hearing Takeaways

Today was the annual Senate Intelligence Committee Global Threat Hearing, traditionally the hearing where Ron Wyden gets an Agency head to lie on the record.

That didn’t happen this time.

Instead, Wyden gave FBI Director Christopher Wray the opportunity to lay out the warnings the FBI had given the White House about Rob Porter’s spousal abuse problems, which should have led to Porter’s termination or at least loss of access to classified information.

The FBI submitted a partial report on the investigation in question in March. And then a completed background investigation in late July. That, soon thereafter, we received request for follow-up inquiry. And we did that follow-up and provided that information in November. Then we administratively closed the file in January. And then earlier this month we received some additional information and we passed that on as well.

That, of course, is the big takeaway the press got from the hearing.

A follow-up from Martin Heinrich shortly after Wyden’s question suggested he had reason to know of similar “areas of concern” involving Jared Kushner (which, considering the President’s son-in-law is under investigation in the Russian investigation, is not that surprising). Wray deferred that answer to closed session, so the committee will presumably learn some details of Kushner’s clearance woes by the end of the day.

Wray twice described the increasing reliance on “non-traditional collectors” in spying against the US, the second time in response to a Marco Rubio question about the role of Chinese graduate students in universities. Rubio thought the risk was from the Confucius centers that China uses to spin Chinese culture in universities. But not only did Wray say universities are showing less enthusiasm for Confucius centers of late, he made it clear he was talking about “professors, scientists, and students.” This is one of the reasons I keep pointing to the disproportionate impact of Section 702 on Chinese-Americans, because of this focus on academics from the FBI.

Susan Collins asked Mike Pompeo about the reports in The Intercept and NYT on CIA’s attempts to buy back Shadow Brokers tools. Pompeo claimed that James Risen and Matt Rosenberg were “swindled” when they got proffered the story, but along the way confirmed that the CIA was trying to buy stuff that “might have been stolen from the US government,” but that “it was unrelated to this idea of kompromat that appears in each of those two articles.” That’s actually a confirmation of the stories, not a refutation of them.

There was a fascinating exchange between Pompeo and Angus King, after the latter complained that, “until we have some deterrent capacity we are going to continue to be attacked” and then said right now there are no repercussions for Russia’s attack on the US.

Pompeo: I can’t say much in this setting I would argue that your statement that we have done nothing does not reflect the responses that, frankly, some of us at this table have engaged in or that this government has been engaged in both before and after, excuse me, both during and before this Administration.

King: But deterrence doesn’t work unless the other side knows it. The Doomsday Machine in Dr. Strangelove didn’t work because the Russians hadn’t told us about it.

Pompeo: It’s true. It’s important that the adversary know. It is not a requirement that the whole world know it.

King: And the adversary does know it, in your view?

Pompeo: I’d prefer to save that for another forum.

Pompeo later interjected himself into a Kamala Harris discussion about the Trump Administration’s refusal to impose sanctions by suggesting that the issue is Russia’s response to cumulative responses. He definitely went to some effort to spin the Administration’s response to Russia as more credible than it looks.

Tom Cotton made two comments about the dossier that Director Wray deferred answering to closed session.

First, he asked about Christopher Steele’s ties to Oleg Deripaska, something I first raised here and laid out in more detail in this Chuck Grassley letter to Deripaska’s British lawyer Paul Hauser. When Cotton asked if Steele worked for Deripaska, Wray said, “that’s not something I can answer.” When asked if they could discuss it in a classified setting, Wray said, “there might be more we could say there.”

Cotton then asked if the FBI position on the Steele dossier remains that it is “salacious and unverified” as he (misleadingly) quoted Comey as saying last year. Wray responded, “I think there’s maybe more we can talk about this afternoon on that.” It’s an interesting answer given that, in Chuck Grassley’s January 4 referral, he describes a “lack of corroboration for [Steele’s dossier] claims, at least at the time they were included in the FISA applications,” suggesting that Grassley might know of corroboration since. Yet in an interview by the even better informed Mark Warner published 25 days later, Warner mused that “so little of that dossier has either been fully proven or conversely, disproven.” Yesterday, FP reported that BuzzFeed had hired a former FBI cybersecurity official Anthony Ferrante to try to chase down the dossier in support of the Webzilla and Alfa bank suits against the outlet, so it’s possible that focused attention (and subpoena power tied to the lawsuit) may have netted some confirmation.

Finally, Richard Burr ended the hearing by describing what the committee was doing with regards to the Russian investigation. He (and Warner) described an effort to bring out an overview on ways to make elections more secure. But Burr also explained that SSCI will release a review of the ICA report on the 2016 hacks.

In addition to that, our review of the ICA, the Intel Committee Assessment, which was done in the F–December of 06, 16–we have reviewed in great detail, and we hope to report on what we found to support the findings where it’s appropriate, to be critical if in fact we found areas where we found came up short. We intend to make that public. Overview to begin with, none of this would be without a declassification process but we will have a public version as quickly as we can.

Finally, in the last dregs of the hearing, Burr suggested they would report on who colluded during the election.

We will continue to work towards conclusions on any cooperation or collusion by any individual, campaign, or company with efforts to influence elections or create societal chaos in the United States.

My impression during the hearing was that this might refer to Cambridge Analytica, which tried to help Wikileaks organize hacked emails — and it might well refer to that. But I wonder if there’s not another company he has in mind.

Media Criticism: The Press Needs to Get Far More Rigorous about Reporting on Cybersecurity

Four days ago, NBC reported, as BREAKING news, that in an exclusive interview, Jeanette Manfra had confirmed that the voter rolls of 21 states were targeted in 2016.

Russians penetrated U.S. voter systems, top U.S. official says

The U.S. official in charge of protecting American elections from hacking says the Russians successfully penetrated the voter registration rolls of several U.S. states prior to the 2016 presidential election.

In an exclusive interview with NBC News, Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said she couldn’t talk about classified information publicly, but in 2016, “We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated.”

The headline and this video (which has been viewed online by 50,000 people) stated explicitly that 21 states were “penetrated.”

I criticized all the breathless retweeting of the report in a subtweet.

Today, DHS did more than subtweet the report and the irresponsible sharing of it. It released a scathing complaint, in Jeanette Manfra’s (the woman NBC interviewed) name, about NBC’s reporting, specifically complaining that NBC reported the number as “breaking” news.

Recent NBC reporting has misrepresented facts and confused the public with regard to Department of Homeland Security and state and local government efforts to combat election hacking. First off, let me be clear: we have no evidence – old or new – that any votes in the 2016 elections were manipulated by Russian hackers. NBC News continues to falsely report my recent comments on attempted election hacking – which clearly mirror my testimony before the Senate Intelligence Committee last summer – as some kind of “breaking news,” incorrectly claiming a shift in the administration’s position on cyber threats. As I said eight months ago, a number of states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure. In the majority of cases, only preparatory activity like scanning was observed, while in a small number of cases, actors were able to access the system but we have no evidence votes were changed or otherwise impacted.

NBC’s irresponsible reporting, which is being roundly criticized elsewhere in the media and by security experts alike, undermines the ability of the Department of Homeland Security, our partners at the Election Assistance Commission, and state and local officials across the nation to do our incredibly important jobs. While we’ll continue our part to educate NBC and others on the threat, more importantly, the Department of Homeland Security and our state and local partners will continue our mission to secure the nation’s election systems.

To our state and local partners in the election community: there’s no question we’re making real and meaningful progress together. States will do their part in how they responsibly manage and implement secure voting processes. For our part, we’re going to continue to support with risk and vulnerability assessments, offer cyber hygiene scans, provide real-time threat intel feeds, issue security clearances to state officials, partner on incident response planning, and deliver cybersecurity training. The list goes on of how we’re leaning forward and helping our partners in the election community. We will not stop, and will stand by our partners to protect our nation’s election infrastructure and ensure that all Americans can have confidence in our democratic elections.

In response to my observation that NBC should never have presented it as “breaking” news and my subsequent suggestion that it’d be far more useful to educate people about what “compromise” can mean, Ken Dilanian got pissy, suggesting I don’t do reporting.

When I retweeted the video above (h/t K), suggesting maybe Dilanian could educate viewers about what both “compromise” and “penetrate” mean, he responded “Or you could focus on your own reporting.”

Only, we don’t need NBC to do that. We can go back to Manfra’s testimony from June, where she distinguished between “compromise,” “unsuccessful compromise,” and “scanning.”

One comprehensive intelligence report published by the Office of Intelligence and Analysis in early October, cataloged suspicious activity we observed on state government networks across the country. This initial look, largely based on suspected malicious tactics and infrastructure, helped inform a body of reporting directly related to election infrastructure. While not a definitive source in identifying individual activity attributed to Russian government cyber actors, it established that Internet-connected election-related networks, including websites, in 21 states were potentially targeted by Russian government cyber actors. Although we’ve refined our understanding of individual targeted networks, supported by classified reporting, the scale and scope noted in that October 2016 report still generally characterizes our observations: a small number of networks were successfully compromised, there were a larger number of states where attempts to compromise networks were unsuccessful, and there were an even greater number of states where only preparatory activity like scanning was observed.

Admittedly, we’d all be better served if Manfra had provided more detail about precisely what these terms mean.

But absent that, the press should be far more cautious reporting on various degrees of hacking, as most people don’t understand the difference between a scan, a compromise, and damage from such compromise.
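To make the distinction concrete, here is an added example (my own illustration, not code from the post, DHS, or any state) that ranks activity in a constructed web log into the tiers Manfra’s testimony names: scanning only, an unsuccessful attempt, successful access, and, separately, evidence of data being changed. The log format, field names, addresses and the allowlist of admin sources are all assumptions made up for the example.

```python
"""
Rank activity seen against a web-facing election system into the tiers that
Manfra's testimony distinguishes: scanning only, unsuccessful compromise
attempts, successful access, and, separately, evidence that data was changed.

Constructed example: the log format, field names, addresses and sample lines
are invented for this illustration; they are not DHS data or any state's logs.
"""
from collections import Counter, defaultdict

# Severity tiers, lowest to highest.
TIERS = ["none", "scan", "attempt", "access", "manipulation"]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# Paths that hold voter data; reads or writes here from an unknown source matter.
SENSITIVE_PREFIXES = ("/admin/", "/api/voters")
# Constructed allowlist of addresses that legitimately administer the system.
KNOWN_ADMIN_SOURCES = {"10.0.0.5"}
# Distinct not-found paths one source must hit before we call it a scan.
SCAN_THRESHOLD = 3


def parse(line):
    """Parse one constructed log line: ts state src method path status tag."""
    ts, state, src, method, path, status, tag = line.split()
    return {"ts": ts, "state": state, "src": src, "method": method,
            "path": path, "status": int(status), "tag": tag}


def tier_of(event):
    """Highest tier a single event evidences (scanning needs aggregation)."""
    if event["src"] in KNOWN_ADMIN_SOURCES:
        return "none"                 # routine administration, not hostile
    sensitive = event["path"].startswith(SENSITIVE_PREFIXES)
    ok = 200 <= event["status"] < 300
    if sensitive and ok and event["method"] in ("POST", "PUT", "DELETE"):
        return "manipulation"         # unknown source changed protected data
    if (sensitive and ok) or event["tag"] == "auth-ok":
        return "access"               # unknown source got in; read-only so far
    if event["tag"] in ("waf-block", "auth-fail"):
        return "attempt"              # tried to get in and was stopped
    return "none"


def classify(lines):
    """Return the highest tier reached for each state in the log."""
    best = defaultdict(lambda: "none")      # state -> highest tier so far
    misses = defaultdict(set)               # (state, src) -> 404 paths seen
    for line in lines:
        if not line.strip():
            continue
        e = parse(line)
        if e["status"] == 404 and e["src"] not in KNOWN_ADMIN_SOURCES:
            misses[(e["state"], e["src"])].add(e["path"])
        tier = tier_of(e)
        if RANK[tier] > RANK[best[e["state"]]]:
            best[e["state"]] = tier
    # Path enumeration only becomes "scanning" once a source has hit enough
    # distinct missing paths, and it never downgrades a higher tier.
    for (state, _src), paths in misses.items():
        if len(paths) >= SCAN_THRESHOLD and RANK["scan"] > RANK[best[state]]:
            best[state] = "scan"
    return dict(best)


def summarize(tiers_by_state):
    """Count states per tier: the 'small / larger / even greater' shape."""
    return Counter(tiers_by_state.values())


# Constructed log: five hypothetical states, documentation-range addresses.
SAMPLE_LOG = """
2016-09-01T10:00:01Z state-A 203.0.113.7 GET /robots.txt 404 -
2016-09-01T10:00:02Z state-A 203.0.113.7 GET /backup.zip 404 -
2016-09-01T10:00:03Z state-A 203.0.113.7 GET /.env 404 -
2016-09-01T11:00:01Z state-B 198.51.100.20 GET /old/ 404 -
2016-09-01T11:00:02Z state-B 198.51.100.20 GET /phpinfo.php 404 -
2016-09-01T11:00:03Z state-B 198.51.100.20 GET /config.bak 404 -
2016-09-01T11:00:09Z state-B 198.51.100.20 POST /login 403 waf-block
2016-09-01T12:00:01Z state-C 192.0.2.44 POST /login 200 auth-ok
2016-09-01T12:00:05Z state-C 192.0.2.44 GET /api/voters?page=1 200 -
2016-09-01T13:00:01Z state-D 10.0.0.5 POST /admin/voters/update 200 auth-ok
2016-09-01T13:00:02Z state-D 198.51.100.9 GET /results 200 -
2016-09-01T13:00:03Z state-D 198.51.100.9 GET /favicon.ico 404 -
2016-09-01T14:00:01Z state-E 203.0.113.99 GET /wp-login.php 404 -
2016-09-01T14:00:02Z state-E 203.0.113.99 GET /.git/HEAD 404 -
2016-09-01T14:00:03Z state-E 203.0.113.99 GET /admin.bak 404 -
"""

if __name__ == "__main__":
    tiers = classify(SAMPLE_LOG.splitlines())
    for state, tier in sorted(tiers.items()):
        print(f"{state}: {tier}")
    print(dict(summarize(tiers)))
```

Run as written, the sample yields two states at "scan", one at "attempt", one at "access" and one with nothing hostile; note that "access" without a write event is exactly the case the DHS statement describes as accessed but with no evidence votes were changed.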

And lest Dilanian think I wrote this up just to document what a horse’s ass he was in response to well-earned criticism, I should note I’m supposed to be working on this issue in conjunction with a fellowship I’ve got — it turns out I’ve got a meeting this week where this example will come in very handy, thus the value of documenting it.

The explanation for Russia’s 2016 election-related hacking that everyone will agree on is that they did it to sow distrust in democracy. But shitty reporting on attempts to hack our democracy does that just as well.

Under Cover of the Nunes Memo, Russian Spooks Sneak Openly into Meetings with Trump’s Administration

On December 17, Vladimir Putin picked up the phone and called Donald Trump.

Ostensibly, the purpose of the call was to thank Trump for intelligence the US provided Russia that helped them thwart a terrorist attack. Here’s what the White House readout described.

President Vladimir V. Putin of Russia called President Donald J. Trump today to thank him for the advanced warning the United States intelligence agencies provided to Russia concerning a major terror plot in Saint Petersburg, Russia. Based on the information the United States provided, Russian authorities were able to capture the terrorists just prior to an attack that could have killed large numbers of people. No Russian lives were lost and the terrorist attackers were caught and are now incarcerated. President Trump appreciated the call and told President Putin that he and the entire United States intelligence community were pleased to have helped save so many lives. President Trump stressed the importance of intelligence cooperation to defeat terrorists wherever they may be. Both leaders agreed that this serves as an example of the positive things that can occur when our countries work together. President Putin extended his thanks and congratulations to Central Intelligence Agency (CIA) Director Mike Pompeo and the CIA. President Trump then called Director Pompeo to congratulate him, his very talented people, and the entire intelligence community on a job well done!

Putin, of course, has a history of trumping up terrorist attacks for political purposes (which is not to say he’s the only one).

In Trump’s Russia, top spooks come to you

That call that Putin initiated serves as important background to an event (or several — the details are still uncertain) that happened earlier this week, as everyone was distracted with Devin Nunes’ theatrics surrounding his memo attacking the Mueller investigation into whether Trump has engaged in a conspiracy with Russia. All three of Russia’s intelligence heads came to DC for a visit.

The visit of the sanctioned head of SVR, Sergey Naryshkin — Russia’s foreign intelligence service — was ostentatiously announced by Russia’s embassy.

SVR is the agency that tried to recruit Carter Page back in 2013, and which has also newly been given credit for the hack of the DNC in some Dutch reporting (and a recent David Sanger article). It’s clear that SVR wanted Americans to know that their sanctioned head had been through town.

As the week went on, WaPo reported that FSB’s Alexander Bortnikov and GRU’s Colonel General Igor Korobov had also been through town (GRU has previously gotten primary credit for the hack and Korobov was also sanctioned in the December 2016 response, and FSB was described as having an assisting role).

Pompeo met with Sergey Naryshkin, the head of Russia’s Foreign Intelligence Service or SVR, and Alexander Bortnikov, who runs the FSB, which is the main successor to the Soviet-era security service the KGB.

The head of Russia’s military intelligence, the GRU, also came to Washington, though it is not clear he met with Pompeo.

A senior U.S. intelligence official based in Moscow was also called back to Washington for the meeting with the CIA chief, said a person familiar with the events, who, like others, spoke on the condition of anonymity to discuss the sensitive meeting.

Treasury defies Congress on Russian sanctions

These visits have been associated with Trump’s decision not to enforce congressionally mandated sanctions, claiming that the threat of sanctions is already working even as Mike Pompeo insists that Russia remains a threat. In lieu of providing a mandated list of Russians who could be sanctioned, Treasury basically released the Forbes list of richest Russians, meaning that the sanction list includes people who’re squarely opposed to Putin. In my opinion, reporting on the Forbes list underplays the contempt of the move. Then, today, Treasury released a memo saying Russia was too systematically important to sanction.

Schumer’s questions and Pompeo’s non-answers

Indeed, Chuck Schumer emphasized sanctions in a letter he sent to Dan Coats, copied to Mike Pompeo, about the Naryshkin visit (the presence of the others was just becoming public).

As you are well aware, Mr. Naryshkin is a Specially Designated National under U.S. sanctions law, which imposes severe financial penalties and prohibits his entry into the U.S. without a waiver. Moreover, the visit of the SVR chief occurred only days before Congress was informed of the president’s decision not to implement sanctions authorized by the Countering America’s Adversaries Through Sanctions Act (CAATSA), which was passed with near unanimous, bipartisan support. CAATSA was designed to impose a price on Russian President Vladimir Putin and his cronies for well-documented Russian aggression and interference in the 2016 election. However, the administration took little to no action, even as Russia continues its cyberattacks on the U.S.

Certainly, that seems a fair conclusion to draw — that by emphasizing Naryshkin’s presence, Russia was also boasting that it was immune from Congress’ attempts to sanction it.

But Mike Pompeo, who responded to Schumer, conveniently responded only to Schumer’s public comments, not the letter itself.

I am writing to you in response to your press conference Tuesday where you suggested there was something untoward in officials from Russian intelligence services meeting with their U.S. counterparts. Let me assure you there is not. [my emphasis]

This allowed Pompeo to dodge a range of Schumer’s questions addressing Russia’s attacks on the US.

What specific policy issues and topics were discussed by Mr. Naryshkin and U.S. officials?

    1. Did the U.S. officials who met with Mr. Naryshkin raise Russia’s interference in the 2016 elections?  If not, why was this not raised? If raised, what was his response?
    2. Did the U.S. officials who met with Mr. Naryshkin raise existing and congressionally-mandated U.S. sanctions against Russia? If not, why was this not raised? If raised, what was his response?
    3. Did the U.S. officials who met with Mr. Naryshkin raise ongoing Russian cyber attacks on the U.S. and its allies, including reported efforts to discredit the Federal Bureau of Investigation and law enforcement investigations into Russian interference in the 2016 U.S. elections? If not, why was this not raised? If raised, what was his response?
    4. Did the U.S. officials who met with Mr. Naryshkin make clear that Putin’s interference in the 2018 and 2020 elections would be a hostile act against the United States? If not, why was this not raised? If raised, what was his response?

Instead of providing responses to questions about Russian tampering, Pompeo excused the whole meeting by pointing to counterterrorism, that same purpose, indeed — the same attack — that Putin raised in his December phone call.

We periodically meet with our Russian intelligence counterparts — to keep America safe. While Russia remains an adversary, we would put American lives at greater risk if we ignored opportunities to work with the Russian services in the fight against terrorism. We are proud of that counterterror work, including CIA’s role with its Russian counterparts in the recent disruption of a terrorist plot targeting St. Petersburg, Russia — a plot that could have killed Americans.

[snip]

Security cooperation between our intelligence services has occurred under multiple administrations. I am confident that you would support CIA continuing these engagements that are aimed at protecting the American people.

The contempt on sanctions makes it clear this goes beyond counterterrorism

All this together should allay any doubt you might have that this meeting goes beyond counterterrorism, if, indeed, it even has anything to do with counterterrorism.

Just as one possible other topic, in November, WSJ reported that DOJ was working towards charging Russians involved in the hack after the new year.

The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

If filed, the case would provide the clearest picture yet of the actors behind the DNC intrusion. U.S. intelligence agencies have attributed the attack to Russian intelligence services, but haven’t provided detailed information about how they concluded those services were responsible, or any details about the individuals allegedly involved.

Today, Russia issued a new warning that America is “hunting” Russians all over the world, citing (among others) hacker Roman Seleznev.

“American special services are continuing their de facto hunt for Russians all over the world,” reads the statement published on the ministry’s website on Friday. The Russian diplomats also gave several examples of such arbitrary detentions of Russian citizens that took place in Spain, Latvia, Canada and Greece.

“Sometimes these were actual abductions of our compatriots. This is what happened with Konstantin Yaroshenko, who was kidnapped in Liberia in 2010 and secretly taken to the United States in violation of Liberian and international laws. This also happened in 2014 with Roman Seleznyov, who was literally abducted in the Maldives and forcefully taken to American territory,” the statement reads.

The ministry also warned that after being handed over to the US justice system, Russian citizens often encounter extremely biased attitudes.

“Through various means, including direct threats, they attempt to coerce Russians into pleading guilty, despite the fact that the charges of them are far-fetched. Those who refuse get sentenced to extraordinarily long prison terms.”

And, as I noted earlier, Trey Gowdy — one of the few members of Congress who has seen where Mueller is going with this investigation — cited the import of the counterintelligence case against Russia in a Sunday appearance.

CHRIS WALLACE: Congressman, we’ll get to your concerns about the FBI and the Department of Justice in a moment. But — but let me begin first with this. Do you still trust, after all you’ve heard, do you still trust Special Counsel Robert Mueller to conduct a fair and unbiased investigation?

REP. TREY GOWDY, R-SC, OVERSIGHT COMMITTEE CHAIRMAN: One hundred percent, particularly if he’s given the time, the resources and the independence to do his job. Chris, he didn’t apply for the job. He’s where he is because we have an attorney general who had to recuse himself. So Mueller didn’t raise his hand and say, hey, pick me. We, as a country, asked him to do this.

And, by the way, he’s got two — there are two components to his jurisdiction. There is a criminal component. But there’s also a counterintelligence component that no one ever talks about because it’s not sexy and interesting. But he’s also going to tell us definitively what Russia tried to do in 2016. So the last time you and I were together, I told my Republican colleagues, leave him the hell alone, and that’s still my advice.

Schumer and other Democrats demanding answers about this visit might think about any ways the Russians might be working to undermine Mueller’s investigation or transparency that might come of it.

Three weeks of oversight-free covert action

The timing of this visit is particularly concerning for another reason. In the three-week continuing resolution to fund the government passed on January 22, the House Appropriations Chair Rodney Frelinghuysen added language that would allow the Administration to shift money funding intelligence activities around without telling Congress. It allows funds to,

“be obligated and expended notwithstanding section 504(a)(1) of the National Security Act of 1947.”

Section 504(a)(1) is the piece of the law that requires intelligence agencies to spend money on the program the money was appropriated for. “Appropriated funds available to an intelligence agency may be obligated or expended for an intelligence or intelligence-related activity only if those funds were specifically authorized by the Congress for use for such activities; or …”

The “or” refers to the intelligence community’s obligation to inform Congress of any deviation. But without any obligation to spend funds as specifically authorized, there is no obligation to inform Congress if that’s not happening.

Since the only real way to constrain the Executive is to prohibit it from spending money on certain things, the change allows the Trump Administration to do things it has been specifically prohibited from doing for the three-week period of the continuing resolution.

Senators Burr and Warner tried to change the language before passage on January 22, to no avail.

This year’s Defense Authorization included a whole slew of limits on Executive Branch activity, including mandating a report if the Executive cooperates with Russia on Syria and prohibiting any military cooperation until such time as Russia leaves Ukraine. It’s possible the Trump Administration would claim those appropriations-tied requirements could be ignored during the time of the continuing resolution.

Which just happened to cover the period of the Russian visit.

Our friends are getting nervous

Meanwhile, both before and after the visit, our allies have found ways to raise concerns about sharing intelligence with the US in light of Trump’s coziness with Russia. A key subtext of the stories revealing that Netherlands’ AIVD saw Russian hackers targeting the Democrats via a hacked security camera was that Rick Ledgett’s disclosure of that operation last year had raised concerns about sharing with the US.

President elect Donald Trump categorically refuses to explicitly acknowledge the Russian interference. It would tarnish the gleam of his electoral victory. He has also frequently praised Russia, and president Putin in particular. This is one of the reasons the American intelligence services eagerly leak information: to prove that the Russians did in fact interfere with the elections. And that is why intelligence services have told American media about the amazing access of a ‘western ally’.

This has led to anger in Zoetermeer and The Hague. Some Dutchmen even feel betrayed. It’s absolutely not done to reveal the methods of a friendly intelligence service, especially if you’re benefiting from their intelligence. But no matter how vehemently the heads of the AIVD and MIVD express their displeasure, they don’t feel understood by the Americans. It’s made the AIVD and MIVD a lot more cautious when it comes to sharing intelligence. They’ve become increasingly suspicious since Trump was elected president.

Then, the author of a book on Israel’s assassinations has suggested that the intelligence Trump shared with the Russians goes beyond what got publicly reported, and goes to the heart of Israeli intelligence operations.

DAVIES: So if I understand it, you know of specific information that the U.S. shared with the Russians that has not been revealed publicly and that you are not revealing publicly?

BERGMAN: The nature of the information that President Trump revealed to Foreign Minister Lavrov is of the most secretive nature.

Finally, a piece on the Nunes memo out today suggests the British will be less likely to share intelligence with Trump’s administration after the release of the memo (though this is admittedly based on US congressional claims, not British sources).

Britain’s spy agencies risk having their intelligence methods revealed if Donald Trump releases a controversial memo about the FBI, congressional figures have warned.

The UK will be less likely to share confidential information if the secret memo about the Russian investigation is made public, according to those opposing its release.

Clearly, this meeting goes beyond counterterrorism cooperation. And given the way that both Treasury and CIA have acted contemptuously in the aftermath of the visit, Schumer and others should be far more aggressive in seeking answers about what this visit really entailed.

Update: I’ve added the section on Section 504.

FBI Decided Four Months after They Arrested MalwareTech that He Told Them He Hadn’t Been Drinking before the Arrest

Marcus Hutchins’ (AKA MalwareTech) defense team has replied to the government’s response to their motion to compel discovery; they are seeking evidence pertaining to his arrest and about the people (his co-defendant, Tran, and an informant, “Randy”) on whom Hutchins was incidentally collected. Here’s my post on the original defense motion, and the one on the government response showing that this case is all about incidental collection.

FBI’s discussions about what to do about a drunken MalwareTech

As I laid out, the defense claims that Hutchins was intoxicated and exhausted when he was arrested awaiting a transatlantic flight after a week of partying at hacker conferences in Las Vegas. The government claims they asked Hutchins if he had been drinking, and (they claim) he said no.

This latest filing shows that the FBI was concerned about just that. FBI Agents had an email exchange on the day Hutchins was arrested about what they should do if he was drinking.

That production included one e-mail, dated August 2, 2017 (the day of Mr. Hutchins’ arrest), discussing what the agents should do if Mr. Hutchins started drinking at the airport (the plan: “pull him out of terminal”). This shows the agents’ contemporaneous awareness of, and concern about, the possibility of Mr. Hutchins being impaired. There surely might be other communications, including e-mails and text messages on agents’ phones, touching on the voluntariness of Mr. Hutchins’ supposed proper waiver of his Miranda rights, as well as the voluntariness of the resulting statement.

The government claims that the Agents asked Hutchins if he had been drinking as part of their interview (only part of which was recorded). Except they didn’t memorialize that contemporaneously. They wrote it up into a 302 “over four months after the arrest” — so sometime after December 2.

The government makes much of the fact that Mr. Hutchins was asked by FBI agents if he had been drinking. But even if the FBI 302 (which was written over four months after the arrest) is accurate, it does not mention exhaustion or other possible forms of intoxication (it only mentions drinking).

Consider how this looks, given another detail from the defense reply: that the FBI didn’t turn over that 302 (or the email showing the FBI was concerned that Hutchins might be drinking) until the day they submitted their response on January 19.

The government’s response neglects to mention that these records that the government references as being disclosed “recently” were produced to the defense earlier on the same day the response was filed.

Incorporating the details provided in this status report produces this timeline:

November 21: Defense and prosecution lawyers try to resolve these issues including questions about whether Hutchins was intoxicated, and conclude they weren’t going to be able to resolve them.

[C]ounsel for the government and counsel for Mr. Hutchins participated in a conference call in an attempt to resolve open issues related those discovery requests. Despite our best efforts, we have been unable to resolve those issues.

After December 2: FBI creates 302 memorializing claim that they asked Hutchins whether he had been drinking.

December 7: Hutchins’ lawyers tell the government they’re going to file a motion compelling this discovery.

[C]ounsel for Mr. Hutchins informed the government they intend to file a motion for an order that compels the government to produce certain materials to the defense.

January 5: Defense files motion to compel.

January 19: Government turns over 302 claiming they asked if Hutchins had been drinking when they arrested him and response to motion to compel.

In spite of the fact that FBI itself was worried on the day they arrested him about whether Hutchins would be sober enough for an interrogation, they never got around to claiming that they had made sure he was until after some time, potentially months, of discussions about that question and after they had decided they couldn’t get the defense to stop asking for it.

I’d say that’s pretty sketchy.

Government didn’t get around to surveilling Hutchins until July 26

In my post on the government response, I wondered why there would be a surveillance report from July 26, but not one from when Hutchins first arrived in Las Vegas on July 21.

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The defense reply explains it: for whatever reason, Agents in Wisconsin didn’t get around to asking Las Vegas FBI to start surveillance on Hutchins until July 26.

Since the agents started surveillance on July 26, 2017 and it ran through August 2, 2017, it is inconceivable that the agents actively surveilling him exchanged nothing but a single e-mail right before Mr. Hutchins’ arrest.[1]

[1] The only other e-mail disclosed by the government appears to have been sent from an FBI agent in Milwaukee on July 26, 2017, and requests FBI Las Vegas assistance to conduct surveillance of Mr. Hutchins.

For some reason, the FBI either didn’t realize the guy they had just indicted on July 11 was coming to the US until well after he got here in spite of the fact that 1) he had been to Black Hat the year before 2) he was talking about coming again on Twitter 3) he tracked his flight into the country on Twitter, or they didn’t decide they were going to arrest him until after he had been here for a while.

So arresting Hutchins was so urgent they had to do it before he left the country (to avoid extradition), even if he had been drinking (and interviewing him while he was still confused and without counsel was such a priority they couldn’t let him just catch up on his sleep in jail).

But not so urgent they had prepared enough for his well-advertised arrival in the weeks before he arrived to have Las Vegas’ FBI ready to surveil him.

The Government Built Its Criminal Case against MalwareTech Off Incidental Collection

The government has responded to MalwareTech’s (Marcus Hutchins) demand for more evidence by refusing everything. Along the way, they reveal that the bulk of the case against Hutchins arises from him being incidentally collected off two other criminal suspects, Tran (his co-defendant) and Randy (an informant who provided testimony against him in conjunction with his own criminal exposure).

Twenty-somethings claiming they’re not drunk occifer

As for rebuttals of the points made in his demand, the government has two rebuttals as to the substance of Hutchins’ argument, versus the law. First, they claim that Hutchins told the FBI he wasn’t drunk when they arrested him, contrary to the claim made to support a demand for materials on the surveillance of him leading up to his arrest.

Before the interview started, Hutchins told agents that he was not under the influence of alcohol.

Apparently they made a separate 302 (of unknown date) to memorialize their claim he told them he wasn’t drunk.

In addition to those materials, the government recently disclosed an additional FBI 302 report memorializing the defendant’s statement that he was not under the influence of alcohol at the time of his arrest,

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The government’s “intentional” fuckups may lead to superseding indictments

The government seems to cede Hutchins’ suggestion that it flubbed the language on “intention” versus “knowledge” on at least one and maybe a second charge against him.

Hutchins claims that the indictment is defective because Count Two of the indictment states that the defendant acted “knowingly” instead of “intentionally.”[3] Likewise, despite the fact that Count Six charges an attempt, Hutchins argues Count Six fails to allege that defendant “intentionally” attempted to cause damage to a protected computer.[4] This, however, is not an allegation of “error in the grand jury proceedings” under Rule 12(b)(3)(A)(v). It is an allegation of a defect in the indictment under Rule 12(b)(3)(B)(v). Thus, if Hutchins truly believes Counts Two and Six are facially defective, he can file a motion to dismiss those counts under Rule 12(b)(3)(B)(v).

[3] Count Two appears to contain a drafting error because Counts Three and Four, which also allege violations of 18 U.S.C. § 2512, state that the defendant acted “intentionally” rather than “knowingly.” This further undermines Hutchins’ speculation that the grand jury was erroneously instructed.

[4] According to Seventh Circuit jury instructions, an attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” Therefore, because Count Six is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” would be unnecessary and redundant.

But they generously offer to fix that problem in a superseding indictment.

The government has already explained to the defense that it will likely seek a superseding indictment in this case. That superseding indictment would address any possible drafting errors noted by the defense.

Given that elsewhere they say the informant, Randy, who provided information against Hutchins, discussed “involvement in creating the Kronos banking Trojan, among other criminal conduct” [my emphasis] with him in online chats, they seem to be suggesting that if the defense makes too big a deal about this they’ll add charges against Hutchins.

Incidentally collected defendants get nothing

Perhaps most interesting, this filing demonstrates the degree to which Hutchins’ prosecution stems from his incidental collection in investigative efforts targeting Tran and Randy. In fact, precisely because he was incidentally collected and not personally targeted, the government claims it doesn’t have to provide affidavits that might explain how — and more importantly, why — they decided to arrest Hutchins.

For example, the government argues Hutchins can’t have the MLAT requests, which are used to ask other countries to provide information for a criminal prosecution. In this case, MLATs obtained information on Tran, the guy who sold the Kronos malware Hutchins is alleged to have helped write. The government refuses to hand these over, in part, because they don’t get signed by FBI Agents, but instead get signed by lawyers.

Here, the defendant relies on Rule 16(a)(1)(E)(i) in seeking disclosure of MLATs and search warrant applications. But that Rule is inapplicable. With regard to MLATs, they are not signed or attested to by law enforcement agents. Instead, they are signed by an attorney representing the United States. Information received in response to an MLAT that is subject to disclosure under Rule 16 has been, and will continue to be, turned over to the defense in this case. Indeed, the defendant acknowledges that he has received materials responsive to an MLAT request. Doc. #44 at 17. The MLAT request itself, however, is not subject to production. In fact, MLAT requests (rather than the responsive materials) are explicitly excluded from production under Rule 16(a)(2).

Moreover, because the MLAT was targeted at Hutchins’ co-defendant, and not him, he doesn’t get it.

Moreover, the MLAT request submitted in this case related to Hutchins’s codefendant and not Hutchins. As noted above, the government has disclosed materials received in response to the MLAT, but the MLAT itself is not subject to production under Rule 16, Giglio, Brady, or § 3500.

There is one still undisclosed search warrant affidavit in the case. But because that was used to incriminate Randy, the informant, Hutchins won’t get that either.

With regard to search warrant materials, the government has explained to Hutchins that no search warrants were executed that focused on Hutchins’ activities. There was a search warrant executed in an unrelated case that revealed statements made by Hutchins to CS-1, and those statements were turned over in discovery under Rule 16. But, there is no authority supporting the production of that search warrant affidavit or other documents relating to that warrant. The warrant was executed at a residence in the United States and did not involve Hutchins’ property or privacy interests. The affidavit is not subject to disclosure under 18 U.S.C. § 3500 because it was made in connection with an unrelated investigation. Given the separation between this case and the other investigation, the government does not believe at this time that the affiant’s statements in the affidavit supporting that warrant “relate to the subject matter of the testimony” to be presented in this case. 18 U.S.C. § 3500.

The government seems pretty lackadaisical towards Hutchins’ co-defendant

The government’s unwillingness to turn over information on the other alleged criminals in this case is particularly interesting given how uninterested they seem in Tran. The filing reveals that someone working undercover for the FBI did have discussions with Tran about Kronos (again, this is malware that had no significant US victims in the form Hutchins is alleged to have been involved in it), and they collected postings on it off the Darkode forum.

In support of this request, Hutchins asserts that such items “must be material to preparing Mr. Hutchins’ defense” because the indictment alleges a conspiracy; that “the government may be withholding information that could exculpate Mr. Hutchins”; and that he has a right to “locate the codefendant.” Doc. #44 at 8-9. Because the government has disclosed information relating to the codefendant, and there is no authority supporting the defendant’s request for additional information, his motion to compel the production of this information should be denied.

Of note, Hutchins’ codefendant has not yet been arrested in connection with this case. And, the government has disclosed certain information relating to the codefendant to Hutchins. This includes (1) the codefendant’s name; (2) materials responsive to an MLAT request that included a redacted copy of the codefendant’s passport; (3) undercover chats between the codefendant and the FBI related to the marketing, sale, and distribution of Kronos; and (4) various Internet postings related to Kronos that are attributable to one of the aliases used by the codefendant, including on the now shuttered Darkode forum.

But the government hasn’t obtained any information about the other things Tran was selling on dark markets.

Hutchins’ speculation that “the government must be withholding substantial additional information in its possession,” including information that may show the codefendant acted independently of Hutchins, is not supported. Doc. #44 at 8. While it might be true that the codefendant was involved in criminal activity in addition to distributing Kronos with Hutchins, the government is not suppressing that information. It simply does not possess such information. If additional records in the government’s possession are identified and deemed material, the government will provide those records to the defendant.[1]

That suggests he’s not really the target here.

More interesting still, the government claims it hasn’t yet identified any records from its AlphaBay seizure pertaining to this malware they claim is so important they’ve arrested the guy who stopped the WannaCry malware attack.

[1] In his motion, Hutchins states that “the government likely has records of the codefendant’s activities on AlphaBay.” Doc. #44 at 9. The government is still pursuing information from the AlphaBay marketplace, but it has not yet located any materials subject to disclosure.

It seems virtually impossible that they wouldn’t find information in the seized servers if it was at all a priority. Which suggests the opposite — not finding anything — may be the priority.

By providing evidence that suggests the government simply isn’t all that interested in Tran (if, as his name suggests, he’s Vietnamese, he may be beyond any extradition treaty), the government dismisses the possibility that Hutchins or his friends could find Tran (not an unreasonable possibility, because that’s how hackers roll).

[Hutchins] told agents that he knew his codefendant only by various online aliases; his dealings with his codefendant were all online; and he has never met his codefendant in person or even seen a photograph of the codefendant. It therefore makes no sense for Hutchins to claim that, if provided the requested “materials and communications,” he will be able to locate the fugitive codefendant and obtain exculpatory information from that individual.

But along the way, this prevents Hutchins from arguing that this case is all trumped up to go after him, for some reason.

Hiding Randy and the carding charges he’s working off

More interesting, still, the government is going to some lengths to hide Randy, the informant they call CS-1 who provided information on Hutchins.

The list of what they have provided in discovery provides some outline of how they got to Randy.

In reality, the government has produced the following materials related to CS-1: (1) A redacted proffer letter between the government and CS-1; (2) undercover chats between a government cooperator and CS-1 regarding the sale of stolen credit card numbers; (3) chats between CS-1 and Hutchins regarding Hutchins’ involvement in creating the Kronos banking Trojan, among other criminal conduct; and (4) a redacted FBI 302 report (which Hutchins refers to in his motion) memorializing a FBI interview of CS-1 regarding Hutchins and others.

It seems that a third party (the “government cooperator,” who himself may be an informant working off criminal charges) provided the FBI chats showing discussions with Randy of carding activity. This led the FBI to go after Randy. He, in turn, made a proffer to the government offering to cooperate, presumably in exchange for leniency in his own case. That led to an interview with the FBI where Randy provided information on Hutchins “and others.”

Note that the government doesn’t tell us when all this happened.

The government argues that Randy is a mere tipster who wasn’t (yet) being controlled by the FBI at the time, and so they won’t have to let Hutchins question Randy about these underlying circumstances unless they put Randy on the stand, even though they concede he (as someone working off his own criminal exposure) might actually be a transactional witness.

CS-1’s position in this case is more like a “mere tipster” than a transactional confidential informant. Hutchins sent a copy of the Kronos malware to CS-1 in 2015, but CS-1 was not acting as an agent for the government at that time. If the government called CS-1 as a witness at trial, his/her primary role would be to testify about the third-party admissions Hutchins made during chats with CS-1. Even if the Court found CS-1 acted more like a transactional witness, that finding does not automatically justify disclosure of CS-1’s identity. United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012). The defendant would still need to establish that knowing CS-1’s identity is “relevant and helpful to his defense or is essential to a fair determination of a cause,” Wilburn, 581 F.3d at 623. Here, his request for disclosure of CS-1’s identity is based on speculation, which is insufficient. See Valles, 41 F.3d at 358 (“The confidential informant privilege ‘will not yield to permit a mere fishing expedition, nor upon bare speculation that the information may possibly prove useful.’” (quoting Dole, 870 F.2d at 373)).

The government argues that Hutchins is only speculating that learning who Randy is would be material to his defense, and uses that to argue that they don’t have to reveal Randy’s name so Hutchins can test whether it’s material to his defense.

The government generously agrees to give Hutchins Randy’s real name if they call him to testify, but then boast that Hutchins’ jail phone calls mitigate the need to put Randy on the stand.

Nonetheless, the government agrees to disclose CS-1’s identity to the defense if it determines that CS-1 will be a testifying witness at trial.[2]

[2] To be sure, it might not be necessary to call CS-1 as a witness at trial because the defendant was shown the chats he had with CS-1 during his post-arrest interview and the defendant admitted that he was one of the parties in those conversations. Later, the defendant made a phone call from jail in which he described the chats as “undeniable.” Therefore, the admissions Mr. Hutchins made to CS-1 are admissible non-hearsay statements, which Mr. Hutchins previously identified as accurate.

There are a slew of reasons Randy’s identity is of particular interest. Not least, that unknown entities engaged in serial credit card fraud to try to disrupt Hutchins’ defense fundraisers. As I’ve suggested, that means that entities engaged in probable criminal credit card fraud made a concerted effort to thwart Hutchins’ ability to mount the most robust defense.

Is the FBI even investigating who disrupted Hutchins’ defense fundraising efforts? Would they do so if it would hurt their case?

All of which leaves the distinct impression that the government isn’t all that interested in the two suspected criminals implicated in the case against him, but is very interested in ratcheting up the pressure on Hutchins himself.

And because they got to Hutchins via incidental collection — and not direct targeting — they might succeed in doing so.


Let the Pro-Oprah Resistance Beware: Scam in Progress?

A majority of Americans are really frustrated right now but they shouldn’t let their guard down at the first sign of hope. Tapping someone’s anger is an easy way for scammers and other hostile agents to get access to personal information and in some cases, money.

One likely example of opportunism is the National Committee to Draft Oprah Winfrey for President of the United States 2020. There have been emails sent to folks soliciting their support to recruit Oprah Winfrey to run for president in 2020 — except the entity sending the emails looks like vaporware.

There’s a simple yet attractive website with a countdown clock to Election Day 2020 and a sign up form as well as a donate button, along with a means to share the website across social media.

A press release announcing this effort is published as a separate page at the website, too.

Except that the press release — unlike authentic press releases — gives zero information about the organization except for an email address.

The website itself has no About Us, no Directors or Founders or Managers or Team page. There’s no information about a nonprofit or other political entity behind this, only an organization name, a claim to copyright, and the two pages — Home and Press Release.

And there is absolutely no Privacy Policy or Terms of Use, nor is the site served over HTTPS (Hypertext Transfer Protocol Secure), which is why I am not providing a link to it.

The website’s domain registration is masked, only showing DomainsByProxy as the registrar. Do a WhoIs lookup on the Democratic Party’s domain for comparison; you’ll find the domain isn’t masked at all and both a physical address as well as contact information are readily available.
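The two checks above (is the site served over HTTPS, and does the WHOIS record show a real registrant or a privacy proxy) can be scripted for triaging solicitation e-mails before anyone fills in a sign-up form. The following is an added example, not code from this post; the two WHOIS records it parses are constructed samples, not the real registration data of the draft-Oprah site or of any party’s domain, and it makes no network connection (a real check would feed the output of a `whois` client into `vet_site`).

```python
"""Triage helper: flag the registration and transport signals described in
the post (no HTTPS; privacy-proxied WHOIS with no physical registrant address).
Sample WHOIS records below are constructed for illustration."""
from urllib.parse import urlparse

# Strings that commonly mark a privacy/proxy registration in WHOIS output.
PROXY_MARKERS = ("domains by proxy", "domainsbyproxy", "whoisguard",
                 "redacted for privacy", "privacy service", "proxy")

# Constructed sample: masked registration, plain-HTTP site.
MASKED_WHOIS = """\
Domain Name: EXAMPLE-DRAFT-SITE.ORG
Registrar: GoDaddy.com, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Country: US
>>> Last update of WHOIS database: 2018-01-10T00:00:00Z <<<
"""

# Constructed sample: open registration with a physical address.
OPEN_WHOIS = """\
Domain Name: EXAMPLE-PARTY.ORG
Registrar: Network Solutions, LLC
Registrant Name: IT Department
Registrant Organization: Example National Committee
Registrant Street: 100 Example Street SE
Registrant City: Washington
Registrant State/Province: DC
Registrant Postal Code: 20003
Registrant Country: US
Registrant Phone: +1.2025550100
Registrant Email: it@example-party.org
"""


def parse_whois(text):
    """Turn 'Key: Value' lines of a WHOIS reply into a dict (lowercased keys).
    Comment/banner lines and repeated keys after the first are ignored."""
    rec = {}
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and key not in rec:
            rec[key] = value
    return rec


def is_privacy_proxied(rec):
    """True if the registrant fields name a proxy/privacy service."""
    fields = ("registrant name", "registrant organization", "registrant street")
    blob = " ".join(rec.get(f, "") for f in fields).lower()
    return any(marker in blob for marker in PROXY_MARKERS)


def has_physical_address(rec):
    """True only if street, city and country are present and not redacted."""
    for key in ("registrant street", "registrant city", "registrant country"):
        value = rec.get(key, "").lower()
        if not value or "redacted" in value or "proxy" in value:
            return False
    return True


def vet_site(url, whois_text):
    """Return the domain, its registrant org, and a list of red-flag findings."""
    rec = parse_whois(whois_text)
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append("no-https")
    if is_privacy_proxied(rec):
        findings.append("whois-privacy-proxy")
    if not has_physical_address(rec):
        findings.append("whois-no-address")
    return {"domain": parsed.hostname,
            "registrant": rec.get("registrant organization", ""),
            "findings": findings}


if __name__ == "__main__":
    for url, record in (("http://example-draft-site.org/", MASKED_WHOIS),
                        ("https://example-party.org/", OPEN_WHOIS)):
        report = vet_site(url, record)
        print(f"{report['domain']}: {report['findings'] or 'no red flags'}")
```

None of these findings proves a scam on its own (plenty of legitimate sites use privacy registration), but a solicitation that asks for personal data and money while tripping all three is exactly the profile the post describes, and the script gives a repeatable way to document that before deciding whether to reply.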

The worst part of this is the repeated use of a quote by Winfrey’s long-time partner, Stedman Graham, as a justification for this ‘movement’. Yet nowhere on the site does Graham appear as a founder, director, manager, team member, or even an endorser.

If one of these emails should show up in my inbox, I’m going to treat it as a spearphishing attempt and mark it spam. Because I haven’t received and looked at one of these emails, I can’t rule out these emails are, in fact, phishing attempts of some kind.

The website itself should be treated with suspicion; without more evidence of a legitimate organization behind it, it’s merely a pretty address harvesting tool and an opportunity for a scam artist to pick up some easy liberal cash.

How easily could an outfit like Cambridge Analytica match up these harvested addresses against Facebook and voters’ records, to identify which voters to suppress with Oprah-flavored micro-targeted messaging via social media? It’d be worth a pretty penny to an opponent (and their sponsors) facing stiff headwinds in 2020.

If there is a real movement which is serious about recruiting Oprah, for goodness sake show up at local Democratic Party meetings and learn how to do this correctly. Don’t let Oprah get turned unknowingly and without her consent into another Russian tool to fragment the party by drafting her from outside the party.

P.S. Hey Tom Perez and Keith Ellison — perhaps a little tighter control on domains.democrat addresses is worth your time, to prevent Democratic Party supporters? Didn’t the DNC learn anything from the past two years about cybersecurity?

[Image on home page via National Committee to Draft Oprah Winfrey for President of the United States 2020, published here under Fair Use.]