Putin Discovers He Needs to Indict Another Russian Hacker

Back when Russian hacker Yevgeniy Nikulin got arrested in Prague in association with US charges of hacking Linked in and DropBox, Russia quickly delivered up its own, far more minor indictment of him to set off a battle over his extradition. Months alter, Nikulin’s legal team publicized a claim that an FBI Agent had discussed a deal with him, related to the hack of the DNC — a claim that is not as nuts as it seems (because a number of the people hacked had passwords exposed in those breaches). Whatever the reason, Russia clearly would like to keep Nikulin out of US custody.

And not long after Russian hacker Alexander Vinnik got detained in Greece related to the Bitcoin-e charges, Russia dug up an indictment for him too. Russia has emphasized crypto-currencies of late, so it’s understandable why they’d want to keep a guy alleged to be an expert at using crypto-currencies to launder money out of US hands.

What’s a more interesting question is why Russia waited so long to manufacture a Russian indictment for Pyotr Levashov, the alleged culprit behind the Kelihos bot, who is currently facing extradition to the US from Spain. Levashov was detained in April, but Russia only claimed they wanted him, too, a few weeks ago, around the same time Levashov started claiming he had spied on behalf of Putin’s party.

Perhaps it’s harder to manufacture a Russian indictment on someone the state had had no problem with before. Perhaps Russia has just decided this ploy is working and has few downsides. Or perhaps other events — maybe the arrest of Marcus Hutchins in August or the extradition back to the UK of Daniel Kaye in September — have made Levashov’s exposure here in the US even more problematic for Russia.

But I find it really curious that it took five months after Levashov got arrested for the Russians to decide it’d be worth claiming they want to arrest him too.

Update: Spain has approved Levashov’s extradition to the US.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Facebook Anonymously Admits It IDed Guccifer 2.0 in Real Time

The headline of this story focuses on how Obama, in the weeks after the election, nine days before the White House declared the election, “free and fair from a cybersecurity perspective,” begged Mark Zuckerberg to take the threat of fake news seriously.

Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, Obama warned, it would only get worse in the next presidential race.

But 26 paragraphs later, WaPo reveals a detail that should totally change the spin of the article: in June, Facebook not only detected APT 28’s involvement in the operation (which I heard at the time), but also informed the FBI about it (which, along with the further details, I didn’t).

It turned out that Facebook, without realizing it, had stumbled into the Russian operation as it was getting underway in June 2016.

At the time, cybersecurity experts at the company were tracking a Russian hacker group known as APT28, or Fancy Bear, which U.S. intelligence officials considered an arm of the Russian military intelligence service, the GRU, according to people familiar with Facebook’s activities.

Members of the Russian hacker group were best known for stealing military plans and data from political targets, so the security experts assumed that they were planning some sort of espionage operation — not a far-reaching disinformation campaign designed to shape the outcome of the U.S. presidential race.

Facebook executives shared with the FBI their suspicions that a Russian espionage operation was in the works, a person familiar with the matter said. An FBI spokesperson had no immediate comment.

Soon thereafter, Facebook’s cyber experts found evidence that members of APT28 were setting up a series of shadowy accounts — including a persona known as Guccifer 2.0 and a Facebook page called DCLeaks — to promote stolen emails and other documents during the presidential race. Facebook officials once again contacted the FBI to share what they had seen.

Like the U.S. government, Facebook didn’t foresee the wave of disinformation that was coming and the political pressure that followed. The company then grappled with a series of hard choices designed to shore up its own systems without impinging on free discourse for its users around the world. [my emphasis]

But the story doesn’t provide the details you would expect from such disclosures.

For example, where did Facebook see Guccifer 2.0? Did Guccifer 2.0 try to set up a Facebook account? Or, as sounds more likely given the description, did he/they use Facebook as a signup for the WordPress site?

More significantly, what did Facebook do with the DC Leaks account, described explicitly?

It seems Facebook identified, and — at least in the case of the DC Leaks case — shut down an APT 28 attempt to use its infrastructure. And it told FBI about it, at a time when the DNC was withholding its server from the FBI.

This puts this passage from Facebook’s April report, which I’ve pointed to repeatedly, in very different context.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

In other words, Facebook had reached this conclusion back in June 2016, and told FBI about it, twice.

And then what happened?

Again, I’m sympathetic to the urge to blame Facebook for this election. But this article describes Facebook’s heavy handed efforts to serve as a wing of the government to police terrorist content, without revealing that sometimes Facebook has erred in censoring content that shouldn’t have been. Then, it reveals Facebook reported Guccifer 2.0 and DC Leaks to FBI, twice, with no further description of what FBI did with those leads.

Yet from all that, it headlines Facebook’s insufficient efforts to track down other abuses of the platform.

I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

How to Read the DHS Targeted States Information

Yesterday, DHS informed the states that had their registration databases targeted by Russian hackers last year. There has been an outright panic about the news since states started revealing they got notice, so I thought it worthwhile to describe what we should take away from the notice and subsequent reporting:

  • “Most” of the 21 targeted states were not successfully hacked
  • Some targeted states were successfully hacked
  • Not all swing states were targeted, not all targeted states are swing states
  • These hacks generally do not involve vote tallying
  • These hacks do not involve hacking voting machines
  • These hacks do not involve other voter suppression methods — whether by GOP or Russians
  • Notice needs to improve

The AP has done good work tracking down which states got notice they were targeted, identifying the 21 targeted states. Those targeted states were:

  1. Alabama
  2. Alaska
  3. Arizona
  4. California
  5. Colorado
  6. Connecticut
  7. Delaware
  8. Florida
  9. Illinois
  10. Iowa
  11. Maryland
  12. Minnesota
  13. North Dakota
  14. Ohio
  15. Oklahoma
  16. Oregon
  17. Pennsylvania
  18. Texas
  19. Virginia
  20. Washington
  21. Wisconsin

 

“Most” of the 21 targeted states were not successfully hacked

This list of 21 states does not mean that Russians successfully hacked 21 states. All it means is Russians probed 21 states. And the AP says “most” were not successful. WI, WA, and MN have said the attacks on them were not successful.

Thus, for “most” of these states, the impact is the same as the reports that Russians were attempting, unsuccessfully, to phish engineers in the energy industry: it is cause for concern, but unless new intelligence becomes available, it means that for those “most” states these probes could not affect the election.

Some targeted states were successfully probed

Of course, by saying that “most” attacks were not successful, you’re admitting that “some” were. We only know IL and AZ to have successfully been breached.

This means this story may not be done yet: reporters, especially state based ones, are going to have to get their voting officials to provide details about the attacks and it may take some FOIA work.

Mind you, a successful hack still doesn’t mean that the election was affected (as I believe to be the understanding with respect to AZ, though there is more dispute about IL). It might be that the hackers just succeeded in getting into the database. It may be that they succeeded only in downloading the voter registration database — which in many states, is readily available, and which is nowhere near the most interesting available data for targeting in any case.

In my opinion, the most effective way to affect the outcome of the election via voter registration databases is not to download and use it for targeting, but instead, to alter the database, selectively eliminating or voiding the registration of voters in targeted precincts (which of course means the hackers would need to come in with some notion of targets). Even changing addresses would have the effect of creating lines at the polls.

Altering the database would have the same effect as an existing GOP tactic does. In many states, GOP secretaries of state very aggressively purge infrequent voters. Particularly for transient voters (especially students, but poorer voters are also more likely to move from year to year), a voter may not get notice they’ve been purged. This has the effect of ensuring that the purged voter cannot vote, and also has the effect of slowing the voting process for voters who are registered.  In other words, that’s the big risk here — that hackers will do things to make it impossible for some voters to vote, and harder for others to do so.

Not all swing states were targeted, not all targeted states are swing states

The list of targeted states is very curious. Some targeted states are obvious swing states — WI, PA, FL, and VA were four of the five states where the election was decided. But MI is not on there, and NC, another close state, is not either.

In addition, a lot of these states are solidly red, like AL and OK. A lot of them are equally solidly blue, like CA and CT. So if the Russians had a grand scheme here, it was not (just) to flip swing states.

These hacks generally do not involve vote tallying

DHS has said that these hacks do not involve vote tallying. That means these disclosed probes, even assuming they were successful, are not going to explain what may seem to be abnormalities in particular states’ tallies.

These hacks do not involve hacking voting machines

Nor do these hacks involve hacking voting machines (which is covered, in any case, by the denial that it involves vote tallying).

Yes, voting machines are incredibly vulnerable. Yes, it would be child’s play for a hacker — Russian or American — to hack individual voting machines. With limited exceptions, there been no real assessment of whether individual machines got hacked (though it’d generally be easier to affect a local race that way than the presidential).

These hacks do not involve other voter suppression methods — whether by GOP or Russians

This list of 21 targeted states does not represent the known universe of Russian voting-related hacking.

It does not, for example, include the targeting of voting infrastructure contractors, such as VR Systems (which Reality Winner faces prison for disclosing). There’s good reason to at least suspect that the VR Systems hack may have affected NC’s outcome by causing the most Democratic counties to shift to paper voting books, resulting in confusion and delays in those counties that didn’t exist in more Republican ones.

And they don’t include any Russian social media-related support or suppression, which we’re getting closer to having proof of right now.

Importantly, don’t forget that we know Republicans were engaging in all these techniques as well, with far better funding. Russians didn’t need to hack WI and NC given how much organized suppression of voters of color took place. Republican secretaries of state had the power to purge voters on trumped up excuses without engaging in any hacking.

Do not let the focus on Russian tampering distract from the far more effective Republican suppression.

Notice needs to be improved

Finally, the other big story about this is that some states only got notice they were targeted yesterday, some even after having partnered with DHS to assess their voting infrastructure.

DHS has used classification, in part, to justify this silence, which is an issue the Intelligence Committees are trying to address in next year’s authorization. But that’s particularly hard to justify that many of these same states have run elections since.

Mind you, we’re likely to see this debate move to the next level — to demanding that state officials disclose full details about their state’s infrastructure to citizens.

In any case, if we’re to be able to use democratic pressure to ensure the infrastructure of democracy gets better protected, we’re going to need more notice.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Can Congress — or Robert Mueller — Order Facebook to Direct Its Machine Learning?

The other day I pointed out that two articles (WSJ, CNN) — both of which infer that Robert Mueller obtained a probable cause search warrant on Facebook based off an interpretation that under Facebook’s privacy policy a warrant would be required — actually ignored two other possibilities. Without something stronger than inference, then, these articles do not prove Mueller got a search warrant (particularly given that both miss the logical step of proving that the things Facebook shared with Mueller count as content and not business records).

In response to that and to this column arguing that Facebook should provide more information, some of the smartest surveillance lawyers in the country discussed what kind of legal process would be required, but were unable to come to any conclusions.

Last night, WaPo published a story that made it clear Congress wanted far more than WSJ and CNN had suggested (which largely fell under the category of business records and the ads posted to targets, the latter of which Congress had been able to see but not keep). What Congress is really after is details about the machine learning Facebook used to identify the malicious activity identified in April and the ads described in its most recent report, to test whether Facebook’s study was thorough enough.

A 13-page “white paper” that Facebook published in April drew from this fuller internal report but left out critical details about how the Russian operation worked and how Facebook discovered it, according to people briefed on its contents.

Investigators believe the company has not fully examined all potential ways that Russians could have manipulated Facebook’s sprawling social media platform.

[snip]

Congressional investigators are questioning whether the Facebook review that yielded those findings was sufficiently thorough.

They said some of the ad purchases that Facebook has unearthed so far had obvious Russian fingerprints, including Russian addresses and payments made in rubles, the Russian currency.

Investigators are pushing Facebook to use its powerful data-crunching ability to track relationships among accounts and ad purchases that may not be as obvious, with the goal of potentially detecting subtle patterns of behavior and content shared by several Facebook users or advertisers.

Such connections — if they exist and can be discovered — might make clear the nature and reach of the Russian propaganda campaign and whether there was collusion between foreign and domestic political actors. Investigators also are pushing for fuller answers from Google and Twitter, both of which may have been targets of Russian propaganda efforts during the 2016 campaign, according to several independent researchers and Hill investigators.

“The internal analysis Facebook has done [on Russian ads] has been very helpful, but we need to know if it’s complete,” Schiff said. “I don’t think Facebook fully knows the answer yet.”

[snip]

In the white paper, Facebook noted new techniques the company had adopted to trace propaganda and disinformation.

Facebook said it was using a data-mining technique known as machine learning to detect patterns of suspicious behavior. The company said its systems could detect “repeated posting of the same content” or huge spikes in the volume of content created as signals of attempts to manipulate the platform.

The push to do more — led largely by Adam Schiff and Mark Warner (both of whom have gotten ahead of the evidence at times in their respective studies) — is totally understandable. We need to know how malicious foreign actors manipulate the social media headquartered in Schiff’s home state to sway elections. That’s presumably why Facebook voluntarily conducted the study of ads in response to cajoling from Warner.

But the demands they’re making are also fairly breathtaking. They’re demanding that Facebook use its own intelligence resources to respond to the questions posed by Congress. They’re also demanding that Facebook reveal those resources to the public.

Now, I’d be surprised (pleasantly) if either Schiff or Warner made such detailed demands of the NSA. Hell, Congress can’t even get NSA to count how many Americans are swept up under Section 702, and that takes far less bulk analysis than Facebook appears to have conducted. And Schiff and Warner surely would never demand that NSA reveal the extent of machine learning techniques that it uses on bulk data, even though that, too, has implications for privacy and democracy (America’s and other countries’). And yet they’re asking Facebook to do just that.

And consider how two laws might offer guidelines, but (in my opinion) fall far short of authorizing such a request.

There’s Section 702, which permits the government to oblige providers to provide certain data on foreign intelligence targets. Section 702’s minimization procedures even permit Congress to obtain data collected by the NSA for their oversight purposes.

Certainly, the Russian (and now Macedonian and Belarus) troll farms Congress wants investigated fall squarely under the definition of permissible targets under the Foreign Government certificate. But there’s no public record of NSA making a request as breathtaking as this one, that Facebook (or any other provider) use its own intelligence resources to answer questions the government wants answered. While the NSA does draw from far more data than most people understand (including, probably, providers’ own algorithms about individually targeted accounts), the most sweeping request we know of involves Yahoo scanning all its email servers for a signature.

Then there’s CISA, which permits providers to voluntarily share cyber threat indicators with the federal government, using these definitions:

(A) IN GENERAL.—Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

(6) CYBER THREAT INDICATOR.—The term “cyber threat indicator” means information that is necessary to describe or identify—

(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;

(B) a method of defeating a security control or exploitation of a security vulnerability;

(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;

(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;

(E) malicious cyber command and control;

(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;

(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or

(H) any combination thereof.

Since January, discussions of Russian tampering have certainly collapsed Russia’s efforts on social media with their various hacks. Certainly, Russian abuse of social media has been treated as exploiting a vulnerability. But none of this language defining a cyber threat indicator envisions the malicious use of legitimate ad systems.

Plus, CISA is entirely voluntary. While Facebook thus far has seemed willing to be cajoled into doing these studies, that willingness might change quickly if they had to expose their sources and methods, just as NSA clams up every time you ask about their sources and methods.

Moreover, unlike the sharing provisions in 702 minimization procedures, I’m aware of no language in CISA that permits sharing of this information with Congress.

Mind you, part of the problem may be that we’ve got global companies that have sources and methods that are as sophisticated as those of most nation-states. And, inadequate as they are, Facebook is hypothetically subject to more controls than nation-state intelligence agencies because of Europe’s data privacy laws.

All that said, let’s be aware of what Schiff and Warner are asking for, however justified it may be from a investigative standpoint. They’re asking for things from Facebook that they, NSA’s overseers, have been unable to ask from NSA.

If we’re going to demand transparency on sources and methods, perhaps we should demand it all around?

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Domestic Communications NSA Won’t Reveal Are Almost Certainly Obscured Location Communications

The other day, I laid out the continuing fight between Director of National Intelligence Dan Coats and Senator Ron Wyden over the former’s unwillingness to explain why he can’t answer the question, “Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?” in unclassified form. As I noted, Coats is parsing the difference between “intentionally acquir[ing] any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States,” which Section 702 prohibits, and “collect[ing] communications [the government] knows are entirely domestic,” which this exchange and Wyden’s long history of calling out such things clearly indicates the government does.

As I noted, the earlier iteration of this debate took place in early June. Since then, we’ve gotten two sets of documents that all but prove that the entirely domestic communication the NSA refuses to tell us about involves communications that obscure their location, probably via Tor or VPNs.

Most Entirely Domestic Communications Collected Via Upstream Surveillance in 2011 Obscured Their Location

The first set of documents are those on the 2011 discussion about upstream collection liberated just recently by Charlie Savage. They show that in the September 7, 2011 hearing, John Bates told the government that he believed the collection of discrete communications the government had not examined in their sampling might also contain “about” communications that were entirely domestic. (PDF 113)

We also have this other category, in your random sampling, again, that is 9/10ths of the random sampling that was set aside as being discrete communications — 45,000 out of the 50,0000 — as to which our questioning has indicataed we have a concern that some of the about communications may actually have wholly domestic communications.

And I don’t think that you’ve really assessed that, either theoretically or by any actual examination of those particular transactions or communications. And I’m not indicating to you what I expect you to do, but I do have this concern that there are a fair number of wholly domestic communications in that category, and there’s nothing–you really haven’t had an opportunity to address that, but there’s nothing that has been said to date that would dissuade me from that conclusion. So I’m looking there for some convincing, if you will, assessment of why there are not wholly domestic communications with that body which is 9/10s of the random sample.

In a filing submitted two days later, the government tried to explain away the possibility this would include (many) domestic communications. (The discussion responding to this question starts at PDF 120.) First, the NSA used technical means to determine that 41,272 of the 45,359 communications in the sample were not entirely domestic. That left 4,087 communications, which the NSA was able to analyze in just 48 hours. Of those, the NSA found just 25 that were not to or from a tasked selector (meaning they were “abouts” or correlated identities, described as “potentially alternate accounts/addresses/identifiers for current NSA targets” in footnote 7, which may be the first public confirmation that NSA collects on correlated identifiers). NSA then did the same kind of analysis it does on the communications that it does as part of its pre-tasking determination that a target is located outside the US. This focused entirely on location data.

Notably, none of the reviewed transactions featured an account/address/identifier that resolved to the United States. Further, each of the 25 communications contained location information for at least one account/address/identifier such that NSA’s analysts were able assess [sic] that at least one communicant for each of these 25 communications was located outside of the United States. (PDF 121)

Note that the government here (finally) drops the charade that these are simply emails, discussing three kinds of collection: accounts (which could be both email and messenger accounts), addresses (which having excluded accounts would significantly include IP addresses), and identifiers. And they say that having identified an overseas location for the communication, NSA treats it as an overseas communication.

The next paragraph is even more remarkable. Rather than doing more analysis on those just 25 communications it effectively argues that because latency is bad, it’s safe to assume that any service that is available entirely within the US will be delivered to an American entirely within the US, and so those 25 communications must not be American.

Given the United States’ status as the “world’s premier electronic communications hub,” and further based on NSA’s knowledge of Internet routing patterns, the Government has already asserted that “the vast majority of communications between persons located in the United States are not routed through servers outside the United Staes.” See the Government’s June 1, 2011 Submission at 11. As a practical matter, it is a common business practice for Internet and web service providers alike to attempt to deliver their customers the best user experience possible by reducing latency and increasing capacity. Latency is determined in part by the geographical distance between the user and the server, thus, providers frequently host their services on servers close to their users, and users are frequently directed to the servers closest to them. While such practices are not absolute in any respect and are wholly contingent on potentially dynamic practices of particular service providers and users,9 if all parties to a communication are located in the United States and the required services are available in the United States, in most instances those communications will be routed by service providers through infrastructure wholly within the United States.

Amid a bunch of redactions (including footnote 9, which is around 16 lines long and entirely redacted), the government then claims that its IP filters would ensure that it wouldn’t pick up any of the entirely domestic exceptions to what I’ll call its “avoidance of latency” assumption and so these 25 communications are no biggie, from a Fourth Amendment perspective.

Of course, the entirety of this unredacted discussion presumes that all consumers will be working with providers whose goal is to avoid latency. None of the unredacted discussion admits that some consumers choose to accept some latency in order to obscure their location by routing it through one (VPN) or multiple (Tor) servers distant from their location, including servers located overseas.

For what it’s worth, I think the estimate Bates did on his own to come up with a number of these SCTs was high, in 2011. He guessed there would be 46,000 entirely domestic communications collected each year; by my admittedly rusty math, it appears it would be closer to 12,000 (25 / 50,000 comms in the sample = .05% of the total; .05% of the 11,925,000 upstream transactions in that 6 month period = 5,962, times 2 = roughly 12,000 a year). Still, it was a bigger part of the entirely domestic upstream collection than those collected as MCTs, and all those entirely domestic communications have been improperly back door searched in the interim.

Collyer claims to have ended “about” collection but admits upstream will still collect entirely domestic communications

Now, if that analysis done in 2011 were applicable to today’s collection, there shouldn’t be a way for the NSA to collect entirely domestic communications today. That’s because all of those 25 potentially domestic comms were described as “about” collection. Rosemary Collyer has, according to her IMO apparently imperfect understanding of upstream collection, shut down “about” collection. So that should have eliminated the possibility for entirely domestic collection via upstream, right?

Nope.

As she admits in her opinion, it will still be possible for the NSA to “acquire an MCT” (that is, bundled collection) “that contains a domestic communication.”

So there must be something that has changed since 2011 that would lead NSA to collect entirely domestic communications even if that communication didn’t include an “about” selector.

In 2014 Collyer enforced a practice that would expose Americans to 702 collection

Which brings me back to the practice approved in 2014 in which, according to providers newly targeted under the practice, “the communications of U.S. person will be collected as part of such surveillance.”

As I laid out in this post, in 2014 Thomas Hogan approved a change in the targeting procedures. Previously, all users of a targeted facility had to be foreign for it to qualify as a foreign target. But for some “limited” exception, Hogan for the first time permitted the NSA to collect on a facility even if Americans used that facility as well, along with the foreign targets.

The first revision to the NSA Targeting Procedures concerns who will be regarded as a “target” of acquisition or a “user” of a tasked facility for purposes of those procedures. As a general rule, and without exception under the NSA targeting procedures now in effect, any user of a tasked facility is regarded as a person targeted for acquisition. This approach has sometimes resulted in NSA’ s becoming obligated to detask a selector when it learns that [redacted]

The relevant revision would permit continued acquisition for such a facility.

It appears that Hogan agreed it would be adequate to weed out American communications after collection in post-task analysis.

Some months after this change, some providers got some directives (apparently spanning all three known certificates), and challenged them, though of course Collyer didn’t permit them to read the Hogan opinion approving the change.

Here’s some of what Collyer’s opinion enforcing the directives revealed about the practice.

Collyer’s opinion includes more of the provider’s arguments than the Reply did. It describes the Directives as involving “surveillance conducted on the servers of a U.S.-based provider” in which “the communications of U.S. person will be collected as part of such surveillance.” (29) It says [in Collyer’s words] that the provider “believes that the government will unreasonably intrude on the privacy interests of United States persons and persons in the United States [redacted] because the government will regularly acquire, store, and use their private communications and related information without a foreign intelligence or law enforcement justification.” (32-3) It notes that the provider argued there would be “a heightened risk of error” in tasking its customers. (12) The provider argued something about the targeting and minimization procedures “render[ed] the directives invalid as applied to its service.” (16) The provider also raised concerns that because the NSA “minimization procedures [] do not require the government to immediately delete such information[, they] do not adequately protect United States person.” (26)

[snip]

Collyer, too, says a few interesting things about the proposed surveillance. For example, she refers to a selector as an “electronic communications account” as distinct from an email — a rare public admission from the FISC that 702 targets things beyond just emails. And she treats these Directives as an “expansion of 702 acquisitions” to some new provider or technology.

Now, there’s no reason to believe this provider was involved in upstream collection. Clearly, they’re being asked to provide data from their own servers, not from the telecom backbone (in fact, I wonder whether this new practice is why NSA has renamed “PRISM” “downstream” collection).

But we know two things. First: the discrete domestic communications that got sucked up in upstream collection in 2011 appear to have obscured their location. And, there is now a means of collecting bundles of communications via upstream collection (assuming Collyer’s use of MCT here is correct, which it might not be) such that even communications involving no “about” collection would be swept up.

Again, the evidence is still circumstantial, but there is increasing evidence that in 2014 the NSA got approval to collect on servers that obscure location, and that that is the remaining kind of collection (which might exist under both upstream and downstream collection) that will knowingly be swept up under Section 702. That’s the collection, it seems likely, that Coats doesn’t want to admit.

The problems with permitting collection on location-obscured Americans

If I’m right about this, then there are three really big problems with this practice.

First, in 2011, location-obscuring servers would not themselves be targeted. Communications using such servers would only be collected (if the NSA’s response to Bates is to be believed) if they included an “about’ selector.

But it appears there is now some collection that specifically targets those location-obscuring servers, and knowingly collects US person communications along with whatever else the government is after. If that’s right, then it will affect far more than just 12,000 people a year.

That’s especially true given that a lot more people are using location-obscuring servers now than on October 3, 2011, when Bates issued his opinion. Tor usage in the US has gone from around 150,000 mean users a day to around 430,000 users.

And that’s just Tor. While fewer VPN users will consistently use overseas servers, sometimes it will happen for efficacy reasons and sometimes it will happen to access content that is unavailable in the US (like decent Olympics coverage).

In neither of Collyer’s opinions did she ask for the kind of numerical counts of people affected that Bates asked for in 2011. If 430,000 Americans a day are being exposed to this collection under the 2014 change, it represents a far bigger problem than the one Bates called a Fourth Amendment violation in 2011.

Finally, and perhaps most importantly, Collyer newly permitted back door searches on upstream collection, even though she knew that (for some reason) it would still collect US person communications. So not only could the NSA collect and hold location obscured US person communications, but those communications might be accessed (if they’re not encrypted) via back door searches that (with Attorney General approval) don’t require a FISA order (though Americans back door searched by NSA are often covered by FISA orders).

In other words, if I’m right about this, the NSA can use 702 to collect on Americans. And the NSA will be permitted to keep what they find (on a communication by communication basis) if they fall under four exceptions to the destruction requirement.

The government is, once again, fighting Congressional efforts to provide a count of how many Americans are getting sucked up in 702 (even though the documents liberated by Savage reveal that such a count wouldn’t take as long as the government keeps claiming). If any of this speculation is correct, it would explain the reluctance. Because once the NSA admits how much US person data it is collecting, it becomes illegal under John Bates’ 2010 PRTT order.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The (Thus Far) Flimsy Case for Republican Cooperation on Russian Targeting

A number of credulous people are reading this article this morning and sharing it, claiming it is a smoking gun supporting the case that Republicans helped the Russians target their social media, in spite of this line, six paragraphs in.

No evidence has emerged to link Kushner, Cambridge Analytica, or Manafort to the Russian election-meddling enterprise;

Not only is there not yet evidence supporting the claim that Republican party apparatchiks helped Russians target their social media activity, not only does the evidence thus far raise real questions about the efficacy of what Russia did (though that will likely change, especially once we learn more about other platforms), but folks arguing for assistance are ignoring already-public evidence and far more obvious means by which assistance might be obtained.

Don’t get me wrong. I’m acutely interested in the role of Cambridge Analytica, the micro-targeting company that melds Robert Mercer’s money with Facebook’s privatized spying (and was before it was fashionable). I first focused on Jared Kushner’s role in that process, which people are gleefully discovering now, back in May. I have repeatedly said that Facebook — which has been forthcoming about analyzing and sharing (small parts) of its data — and Twitter — which has been less forthcoming — and Google — which is still channeling Sargent Schultz — should be more transparent and have independent experts review their methodology. I’ve also been pointing out, longer than most, of the import of concentration among social media giants as a key vulnerability Russia exploited. I’m particularly interested in whether Russian operatives manipulated influencers — on Twitter, but especially in 4Chan — to magnify anti-Hillary hostility. We may find a lot of evidence that Russia had a big impact on the US election via social media.

But we don’t have that yet and people shooting off their baby cannons over the evidence before us and over mistaken interpretations about how Robert Mueller might get Facebook data are simply degrading the entire concept of evidence.

The first problem with these arguments is an issue of scale. I know a slew of articles have been written about how far $100K spent on Facebook ads go. Only one I saw dealt with scale, and even that didn’t do so by examining the full scale of what got spent in the election.

Hillary Clinton spent a billion dollars on losing last year. Of that billion, she spent tens of millions paying a 100-person digital media team and another $1 million to pay David Brock to harass people attacking Hillary on social media (see this and this for more on her digital team). And while you can — and I do, vociferously — argue she spent that money very poorly, paying pricey ineffective consultants and spending on ads in CA instead of MI, even the money she spent wisely drowns out the (thus far identified) Russian investment in fake Facebook ads. Sure, it’s possible we’ll learn Russians exploited the void in advertising left in WI and MI to sow Hillary loathing (though this is something Trump’s people have explicitly taken credit for), but we don’t have that yet.

The same is true on the other side, even accounting for all the free advertising the sensationalist press gave Trump. Sheldon Adelson spent $82 million last year, and it’s not like that money came free of demands about policy outcomes involving a foreign country. The Mercers spent millions too (and $25 million total for the election, though a lot of that got spent on Ted Cruz), even before you consider their long-term investments in Breitbart and Cambridge Analytica, the former of which is probably the most important media story from last year. Could $100K have an effect among all this money sloshing about? Sure. But by comparison it’d be tiny, particularly given the efficacy of the already established right wing noise machine backed by funding orders of magnitude larger than Russia’s spending.

Then there’s what we know thus far about how Russia spent that money. Facebook tells us (having done the kind of analysis that even the intelligence community can’t do) that these obviously fake ads weren’t actually focused primarily on the Presidential election.

  • The vast majority of ads run by these accounts didn’t specifically reference the US presidential election, voting or a particular candidate.
  • Rather, the ads and accounts appeared to focus on amplifying divisive social and political messages across the ideological spectrum — touching on topics from LGBT matters to race issues to immigration to gun rights.
  • About one-quarter of these ads were geographically targeted, and of those, more ran in 2015 than 2016.

That’s not to say sowing discord in the US has no effect, or even no effect on the election. But thus far, we don’t have evidence showing that Russia’s Facebook trolls were (primarily) affirmatively pushing for Trump (though their Twitter trolls assuredly were) or that the discord they fostered happened in states that decided the election.

Now consider what a lot of breathless reporting on actual Facebook ads have shown. There was the article showing Russia bought ads supporting an anti-immigrant rally in Twin Falls, ID. The ad in question showed that just four people claimed to attend this rally in the third most Republican state. Another article focused on ads touting events in Texas. While the numbers of attendees are larger, and Texas will go Democratic long before Idaho does, we’re still talking relatively modest events in a state that was not going to decide the election.

To show Russia’s Facebook spending had a measurable impact on last year’s election, you’d want to focus on MI, WI, PA, and other close states. There were surely closely targeted ads that, particularly in rural areas where the local press is defunct and in MI where there was little advertising (WI had little presidential advertising, but tons tied to the Senate race) where such social media had an important impact; thus far it’s not clear who paid for them, though (again, Trump’s campaign has boasted about doing just that).

Additionally, empiricalerror showed that a number of the identifiably Russian ads simply repurposed existing, American ads.

That’s not surprising, as the ads appear to follow (not lead) activities that happened on far right outlets, including both Breitbart and Infowars. As with the Gizmo that tracks what it claims are Russian linked accounts and thereby gets credulous journalists to claim campaigns obviously pushed by Americans are actually Russian plots, it seems Russian propaganda is following, not leading, the right wing noise machine.

So thus far what we’re seeing is the equivalent of throwing a few matches on top of the raging bonfire that is the well established, vicious, American-funded inferno of far right media. That’s likely to change, but that’s what we have thus far.

But as I said, all this ignores one other key point: We already have evidence of assistance on the election.

Except, it went the opposite direction from where everyone is looking, hunting for instances where Republicans helped Russians decide to buy ads in Idaho that riled up 4 people.

As I reminded a few weeks back, at a time when Roger Stone and (we now know) a whole bunch of other long-standing GOP rat-fuckers were reaching out to presumed Russian hackers in hopes of finding Hillary’s long lost hacked Clinton Foundation emails, Guccifer 2.0 was reaching out to journalists and others with close ties to Republicans to push the circulation of stolen DCCC documents.

That is, the persona believed to be a front for Russia was distributing documents on House races in swing states such that they might be used by Republican opponents. Some of that data could be used for targeting.

Now, I have no idea whether Russia would risk doing more without some figure like Guccifer 2.0 to provide deniability. That is, I have no idea whether Russia would go so far as take more timely and granular data about Democrats’ targeting decisions and share that with Republicans covertly (in any case, we are led to believe that data would be old, no fresher than mid-June). But we do know they were living in the Democrats’ respective underwear drawers for almost a year.

And Russia surely wouldn’t need a persona like Guccifer 2.0 if they were sharing stolen data within Russia. If the FSB stole targeting data during the 11 months they were in the DNC servers, they could easily share that data with the Internet Research Association (the troll farm the IC believes has ties to Russian intelligence) so IRA can target more effectively than supporting immigration rallies in Idaho Falls.

Which is a mistake made by many of the sources in the Vanity Fair article everyone keeps sharing, the assumption that the only possible source of targeting help had to be Republicans.

We already know the Russians had help: they got it by helping themselves to campaign data in Democratic servers. It’s not clear they would need any more. Nor, absent proof of more effective targeting, is there any reason to believe that the dated information they stole from the Democrats wouldn’t suffice to what we’ve seen them do. Plus, we’ve never had clear answers whether or not Russians weren’t burrowed into far more useful data in Democratic servers. (Again, I think Russia’s actions with influencers on social media, particularly via 4Chan, was far more extensive, but that has more to do with HUMINT than with targeting.)

So, again, I certainly think it’s possible we’ll learn, down the road, that Republicans helped Russians figure out where to place their ads. But we’re well short of having proof of that right now, and we do have proof that some targeting data was flowing in the opposite direction.

Update: This post deals with DB’s exposure of a FB campaign organizing events in FL, which gets us far closer to something of interest. Those events came in the wake of Guccifer 2.0 releasing FL-based campaign information.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of  reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

UNITEDRAKE and Hacking under FISA Orders

As I noted yesterday, along with the encrypted files you have to pay for, on September 6, Shadow Brokers released the manual for an NSA tool called UNITEDRAKE.

As Bruce Schneier points out, the tool has shown up in released documents on multiple occasions — in the catalog of TAO tools leaked by a second source (not Snowden) and released by Jacob Appelbaum, and in three other Snowden documents (one, two, three) talking about how the US hacks other computers, all of which first appeared in Der Spiegel’s reporting (one, two, three). [Update: See ElectroSpaces comments about this Spiegel reporting and its source.]

The copy, as released, is a mess — it appears to have been altered by an open source graphics program and then re-saved as a PDF. Along with classification marks, the margins and the address for the company behind it appears to have been altered.

The NSA is surely doing a comparison with the real manual (presumably as it existed at the time it may have been stolen) in an effort to understand how and why it got manipulated.

I suspect Shadow Brokers released it as a message to those pursuing him as much as to entice more Warez sales, for the observations I lay out below.

The tool permits NSA hackers to track and control implants, doing things like prioritizing collection, controlling when an implant calls back and how much data is collected at a given time, and destroying an implant and the associated UNITEDRAKE code (PDF 47 and following includes descriptions of these functions).

It includes doing things like impersonating the user of an implanted computer.

Depending on how dated this manual is, it may demonstrate that Shadow Brokers knows what ports the NSA will generally use to hack a target, and what code might be associated with an implant.

It also makes clear, at a time when the US is targeting Russia’s use of botnets, that the NSA carries out its own sophisticated bot-facilitated collection.

Finally of particular interest to me, the manual shows that UNITEDRAKE can be used to hack targets of FISA orders.

To use it to target people under a FISA order, the NSA hacker would have to enter both the FISA order number and the date the FISA order expires. After that point, UNITEDRAKE will simply stop collecting off that implant.

Note, I believe that — at least in this deployment — these FISA orders would be strictly for use overseas. One of the previous references to UNITEDRAKE describes doing a USSID-18 check on location.

SEPI analysts validate the target’s identity and location (USSID-18 check), then provide a deployment list to Olympus operators to load a more sophisticated Trojan implant (currently OLYMPUS, future UNITEDRAKE).

That suggests this would be exclusively EO 12333 collection — or collection under FISA 704/705(b) orders.

But the way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In any case, Shadow Brokers may or may not have UNITEDRAKE among the files he is selling. But what he has done by publishing this manual is tell the world a lot of details about how NSA uses implants to collect intelligence.

And very significantly for anyone who might be targeted by NSA hacking tools under FISA (including, presumably, him), he has also made it clear that with the click of a button, the NSA can pretend to be the person operating the computer. This should create real problems for using data hacked by NSA in criminal prosecutions.

Except, of course, especially given the provenance problems with this document, no defendant will ever be able to use it to challenge such hacking.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers’ Persistence: Where TSB Has Signed, Message, Hosted, and Collected

Back in April, Shadow Brokers boasted about his operational security.

TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue. Guessing so called global surveillance is not being as good as @snowden is claiming?

I started thinking about this boast again after TSB deleted all his Twitter feed in June (which served to hide the truly moronic failed doxing of @DRWolfff, which he then followed with an even more moronic post claiming he hadn’t failed). Good to know being an asshole on Twitter will keep you alive for more than a year after dumping NSA tools all over the InterWebs.

Still, since then TSB hasn’t tweeted at all. And his September dump — which given the normal pattern, would have been released in the last days of August — didn’t come out until September 6 (just a few days after a bunch of us were wondering if he had finally snuck off to join Snowden in Sheremetyevo). On that day, TSB dumped the files he claims to have dumped in his Warez of the Month club since June, as well links for twice-monthly dumps going through November.

While we were chatting about TSB running off to Sheremetyevo, Matt Suiche raised a point I had been thinking about too: TSB’s key. By now, that key must be set to loud alarms in Fort Meade, such that any time it appears transiting across the InterTubes, lights flash in an attempt to ID TSB’s location.

Of course, all that’s done for the next three months, because everything is safely loaded on Mega’s servers in one fell swoop.

Suiche noted that TSB hadn’t signed a post since June; he actually had in July (but over at ZeroNet rather than on Steemit), but not the for the late June post tied to the July dump.

In other words, since June, TSB has been either not signing posts, or signing them somewhere else, away from the Steemit account that (in the wake of his Twitter demise) has now become his persistent identity, where people can follow him.

Anyway, because I’m a loser, I decided to track what he had done for the entire year plus to be able to sustain a persistent identity while still avoiding drone strikes. A draft table of what TSB has done to sustain persistence with 1) key-signing, 2) stable messaging identity, 3) file-hosting, and 4) payment since August 2016 is here. In addition to increasingly signing remotely, and shifting from Twitter to Steemit to alert followers, TSB has also moved away from stable, public cryptocurrency addresses, and encrypted emails with individual buyers, instead relying on the security of Zcash and its memo line.

  • Zcash only, no Monero, delivery email in encrypted memo field
  • Delivery email address clearnet only, recommend tutanota or protonmail, no need exchange secret, no i2p, no bitmessage, no zeronet

In any case, this is just a draft. I’m sure I fat-fingered some stuff, and I’m sure I didn’t understand some of what I was looking at. But please take a look and see what I’m missing/gotten wrong.

There are some interesting bits even from what’s here. I hadn’t realized, for example, that TSB cashed out his BTC wallets the same day, May 29, he posted the new ZEC and XMR sales. Also, TSB posted “Don’t Forget Your Base” at his old-school haunts — Medium and Reddit — as well as Zero and Steemit (he was transitioning from one to another that day), I guess to reinvigorate his fan base after claiming he was done in January.

 

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.