Reuters Confirms Krebs’ Supposition on Russian Treason Charges

Earlier this month, I noted Brian Krebs’ supposition on the source of the Russian treason charges against some FSB officers. He suggested the charges arose from an old grudge that spam businessman Pavel Vrublevsky had against two of the guys who got charged. Vrublevsky has long wanted to prove that they leaked information on his operations.

[T]he accusations got me looking more deeply through my huge cache of leaked ChronoPay emails for any mention of Mikhaylov or Stoyanov — the cybercrime investigators arrested in Russia last week and charged with treason. I also looked because in phone interviews in 2011 Vrublevsky told me he suspected both men were responsible for leaking his company’s emails to me, to the FBI, and to Kimberly Zenz, a senior threat analyst who works for the security firm iDefense (now owned by Verisign).

In that conversation, Vrublevsky said he was convinced that Mikhaylov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies and to Zenz. Vrublevsky told me then that if ever he could prove for certain Mikhaylov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

As it happens, an email that Vrublevsky wrote to a ChronoPay employee in 2010 eerily presages the arrests of Mikhaylov and Stoyanov, voicing Vrublevsky’s suspicion that the two men were closely involved in leaking ChronoPay emails and documents that were seized by Mikhaylov’s own division — the Information Security Center (CDC) of the Russian Federal Security Service (FSB).

Today, Reuters confirms Vrublevsky’s role in the arrests (and identifies the fourth person arrested in the case, Georgy Fomchenkov).

The source connected to the investigation said the arrests were a result of accusations first made in 2010 by Pavel Vrublevsky, a Russian businessman and founder of ChronoPay, an online payments company. Vrublevsky told Reuters he had also learned that the arrests were a response to his allegations: that Stoyanov and Mikhailov had passed secrets on to American firms.

This makes a lot of sense. Notably, it explains why Kaspersky attributes Ruslan Stoyanov’s charges to actions that precede his time at the firm.

Reuters does not, however, pursue the other connection Krebs made: the long-term association between Vrublevsky and Vladimir Fomenko, the operator of King Servers, who has been named in association with the DNC hack.

My suspicion is that the King Servers connection identified other associations that were far more sensitive for Russia than just an old spam business grudge. And that’s why Vrublevsky is finally getting his revenge.

Update: Just to add two bits to this, because people are reading the Reuters story to suggest there’s no tie to the DNC hack. Not even Reuters states that. On the contrary, a source “connected to the investigation” states sometimes Russia uses old charges to go after people on new ones (actually we do this too, especially where the old charges can be prosecuted without exposing classified information).

Neither Vrublevsky nor the source connected with the investigation offered an explanation as to why they believe the Russian authorities would resurrect such an old case seven years after the allegations were first made.

However, the source said he believed the case may not be the sole reason why Russian authorities had decided to arrest the men now: in his experience, he said, Russian authorities at times use old cases as a way of charging people suspected of later crimes.

And Krebs made the connection to Vrublevsky because Vrublevsky’s company, ChronoPay, translated the denial King Servers issued.

Fomenko issued a statement in response to being implicated in the ThreatConnect and FBI reports. Fomenko’s statement — written in Russian — said he did not know the identity of the hackers who used his network to attack U.S. election-related targets, but that those same hackers still owed his company USD $290 in unpaid server bills.

An English-language translation of that statement was simultaneously published on ChronoPay.com, Vrublevsky’s payment processing company.

“The analysis of the internal data allows King Servers to confidently refute any conclusions about the involvement of the Russian special services in this attack,” Fomenko said in his statement, which credits ChronoPay for the translation. “The company also reported that the attackers still owe the company $US290 for rental services and King Servers send an invoice for the payment to Donald Trump & Vladimir Putin, as well as the company reserves the right to send it to any other person who will be accused by mass media of this attack.” [italics mine]

Krebs suggested the complaint about unpaid bills sounded like Vrublevsky humor.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

Four Details about Surveillance and the Flynn Ouster

It turns out Trump is on pace to fire a person every week, just like in his reality show. As you surely know, Mike Flynn has been ousted as National Security Advisor, along with his Deputy, KT McFarland.

There has been some confusion about what intelligence the spooks who just caused Flynn to be fired relied on. So let’s start with this detail from last night’s WaPo story:

After the sanctions were rolled out, the Obama administration braced itself for the Russian retaliation. To the surprise of many U.S. officials, Russian President Vladimir Putin announced on Dec. 30 that there would be no response. Trump praised the decision on Twitter.

Intelligence analysts began to search for clues that could help explain Putin’s move. The search turned up Kislyak’s communications, which the FBI routinely monitors, and the phone call in question with Flynn, a retired Army lieutenant general with years of intelligence experience.

From that call and subsequent intercepts, FBI agents wrote a secret report summarizing ­Flynn’s discussions with Kislyak.

That is, in response to questions raised by Putin’s non-response, analysts actually read the intercepts of the Flynn-Kislyak call, which led to further monitoring of the conversations. And contrary to what HPSCI Chair Devin Nunes is whining about, FBI would have had access to Flynn’s side of the call right away, because it would own the tap (and in any case, it would get unminimized copies of anything from NSA).

Some have pointed to this passage to suggest that the FBI was always listening in.

U.S. intelligence reports during the 2016 presidential campaign showed that Kislyak was in touch with Flynn, officials said. Communications between the two continued after Trump’s victory on Nov. 8, according to officials with access to intelligence reports on the matter.

It’s quite likely that’s not the case. After all, even Michael McFaul (who served as Ambassador to Russia at the beginning of the Obama Administration) said it was normal to have such calls before inauguration. Moreover, the FBI wouldn’t need to access the content of communications to learn that they were taking place. The metadata would be enough. And the actual content of the contacts would remain in some server in Utah.

Also, some have suggested that Flynn must be the Trump associate against whom a single FISA order was obtained in October. That’s unlikely, first of all, because if there were a FISA order on Flynn, then the FBI wouldn’t have needed the weird Putin response to lead them to read the actual content of calls (not to mention, the WaPo is clear that the contacts were collected as a result of normal monitoring of a foreign diplomat). Furthermore, most reports of that FISA order suggest the FBI first asked for four orders (in June and July) but only got one, in October. So it’s likely that FISA order covers another of Trump’s Russian buddies.

Finally, remember that for a great deal of SIGINT, FBI wouldn’t need a warrant. That’s because Obama changed the EO 12333 sharing rules just 4 days after the IC started getting really suspicious about Flynn’s contacts with Russia. That would make five years of intercepts available to FBI without a warrant in any counterintelligence cases, as this one is.

Update: Corrected KT McFarland instead of KC. Also, I’ve been informed she’ll stick around until Trump names a new NSA.


How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The other day, Ellen Nakashima reported that Hal Martin, the Booz Allen contractor who has been in custody for months based on allegations he stole terabytes of NSA’s hacking tools, may be indicted this week. The story raises some interesting questions — such as how, absent some proof that Martin leaked this information to a third party, prosecutors intend to distinguish Martin’s hoarding from David Petraeus’ sharing of code word information with his girlfriend Paula Broadwell. One detail Nakashima included — that Martin had stolen “operational plans against ‘a known enemy’ of the United States” — may suggest prosecutors plan to insinuate Martin stole the information to alert that known enemy (especially if the known enemy is Russia).

All that said, the detail in Nakashima’s story that has attracted the most notice is the claim that Martin stole 75% of NSA’s hacking tools.

Some U.S. officials said that Martin allegedly made off with more than 75 percent of TAO’s library of hacking tools — an allegation which, if true, would be a stunning breach of security.

Frankly, this factoid feels a lot like the claim that Edward Snowden stole 1.5 million documents from NSA, a claim invented at least in part because Congress wanted an inflammatory detail they could leak and expand budgets with. That’s especially true given that the 75% number comes from “US officials,” which sometimes include members of Congress or their staffers.

Still, the stat is pretty impressive: even in the wake of the Snowden leak, a contractor was able to walk out the door, over time, with most of NSA’s most dangerous hacking tools.

Except it should in no way be a surprise. Consider what the House Intelligence Report on Snowden revealed, which I mentioned here. Buried way back at the end of the report, it describes how in the wake of Snowden’s leaks, NSA compiled a list of security improvements that would have stopped Snowden, which it dubbed, “Secure the Net.” This initiative included the following, among other things:

  • Imposing two person control for transferring data by removable media (making it harder for one individual to put terabytes of data on a thumb drive and walk out the door with it)
  • Reducing the number of privileged and authorized data transfer agents (making it easier to track those who could move terabytes of data around)
  • Moving towards continuous evaluation model for background investigations (which might reveal that someone had debt problems, as Martin did)
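The first two controls on that list are auditable from removable-media write events. What follows is an added example, not NSA code or anything from the HPSCI report: a small Python checker that runs over constructed audit lines and flags writes with no second-person approval, writes the actor approved for himself, writes by anyone outside a reduced allowlist of transfer agents, and actors whose cumulative volume exceeds a threshold. The log format, the user names, the allowlist and the 50 GiB threshold are all assumptions made for the example.

```python
"""Audit removable-media transfer events against two of the Secure the Net
controls: two-person control for media transfers and a reduced allowlist of
privileged data transfer agents.

Added example; not NSA tooling. The log format, field names, user names,
allowlist and volume threshold below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit records, one per removable-media write.
# Fields: timestamp, event type, actor, approver (empty if none), device, bytes.
SAMPLE_LOG = """\
2016-03-01T09:12:00Z usb_write actor=jdoe approver=msmith device=sdb1 bytes=2147483648
2016-03-01T13:40:00Z usb_write actor=hmartin approver= device=sdc1 bytes=107374182400
2016-03-02T08:05:00Z usb_write actor=hmartin approver=hmartin device=sdc1 bytes=53687091200
2016-03-02T10:30:00Z usb_write actor=rlee approver=jdoe device=sdb2 bytes=1073741824
2016-03-03T11:00:00Z usb_write actor=hmartin approver=msmith device=sdc1 bytes=64424509440
"""

# Constructed allowlist: the "reduced" set of privileged transfer agents.
AUTHORIZED_AGENTS = {"jdoe", "msmith"}

# Constructed threshold for cumulative volume per actor across the log window.
VOLUME_THRESHOLD_BYTES = 50 * 1024**3  # 50 GiB


@dataclass(frozen=True)
class TransferEvent:
    timestamp: str
    actor: str
    approver: str  # "" when nobody signed off
    device: str
    nbytes: int


def parse_log(text: str) -> list[TransferEvent]:
    """Parse key=value audit lines; skip malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "usb_write":
            continue
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            events.append(TransferEvent(
                timestamp=parts[0],
                actor=kv["actor"],
                approver=kv.get("approver", ""),
                device=kv["device"],
                nbytes=int(kv["bytes"]),
            ))
        except (KeyError, ValueError):
            continue
    return events


def check_two_person(ev: TransferEvent) -> list[str]:
    """Two-person control: a distinct, authorized second person must approve."""
    if not ev.approver:
        return ["no_approver"]
    if ev.approver == ev.actor:
        return ["self_approved"]
    if ev.approver not in AUTHORIZED_AGENTS:
        return ["approver_not_authorized"]
    return []


def check_transfer_agent(ev: TransferEvent) -> list[str]:
    """Only the reduced set of privileged transfer agents may write media."""
    return [] if ev.actor in AUTHORIZED_AGENTS else ["actor_not_authorized"]


def audit(text: str) -> dict:
    """Return per-event findings keyed by timestamp, plus actors over the volume threshold."""
    events = parse_log(text)
    findings: dict[str, list[str]] = {}
    volume: dict[str, int] = defaultdict(int)
    for ev in events:
        flags = check_two_person(ev) + check_transfer_agent(ev)
        if flags:
            findings[ev.timestamp] = flags
        volume[ev.actor] += ev.nbytes
    over = sorted(a for a, b in volume.items() if b > VOLUME_THRESHOLD_BYTES)
    return {"events": len(events), "findings": findings, "over_volume": over}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, the second and third lines trip the two-person check (no approver, then self-approval), every write by an actor outside the allowlist is flagged, and the cumulative-volume check singles out the one actor who moved roughly 210 GiB across three writes, which is the pattern the controls were meant to surface.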

By July 2014, the report reveals, even some of the simplest changes included in the initiative had not been implemented. On August 22, 2016, nine days after an entity calling itself Shadow Brokers first offered to auction off what have since been verified as NSA tools, NSA reported that four of the initiatives associated with Secure the Net remained unfulfilled.

All the while, according to the prosecutors’ allegations, Martin continued to walk out of NSA with TAO’s hacking tools.

Parallel to NSA’s own Secure the Net initiative, in the intelligence authorization for 2016 the House directed the DOD Inspector General to assess NSA’s information security. I find it interesting that HPSCI had to order this review and that they asked DOD’s IG, not NSA’s IG, to do it.

DOD IG issued its report on August 29, 2016, two days after a search of Martin’s home had revealed he had taken terabytes of data and the very day he was arrested. The report revealed that NSA needed to do more than its proposed fixes under the Secure the Net initiative. Among the things it discovered, for example, is that NSA did not consistently secure server racks and other sensitive equipment in data centers, and did not extend two-stage authentication controls to all high risk users.

So more than three years after Snowden walked out of the NSA with thousands of documents on a thumb drive, DOD Inspector General discovered that NSA wasn’t even securing all its server racks.

“Recent security breaches at NSA underscore the necessity for the agency to improve its security posture,” the HPSCI report stated dryly, referring obliquely to Martin and (presumably) another case Nakashima has reported on.

Then the report went on to reveal that CIA didn’t even require a physical token for general or privileged users of its enterprise or mission systems.

So yes, it is shocking that a contractor managed to walk out the door with 75% of NSA’s hacking tools, whatever that means. But it is also shocking that even the Edward Snowden breach didn’t lead NSA to implement some really basic security procedures.


BuzzFeed Now Looking to Institutional Dems to Police a Phantom Surge of Lefty Fake News

One of my many concerns about the fake fake news scare is that it provides a way to discredit alternative voices, as the PropOrNot effort tried to discredit a number of superb outlets that don’t happen to share PropOrNot’s Neocon approach to Syria. BuzzFeed, in its seemingly unquenchable desire to generate buzz by inflating the threat of fake news, takes that a step further by turning to institutional Democratic outlets — outlets whose credibility got damaged by Hillary’s catastrophic loss — to police an alleged surge of fake news on the left.

First, consider its evidence for a surge in Democrats embracing fake news.

There are new cases daily. Suspicions about his 2020 reelection filing. Theories about the “regime’s” plan for a “coup d’état against the United States” (complete with Day After Tomorrow imagery of New York City buried in snow). Stories based on an unverified Twitter account offering supposed “secrets” from “rogue” White House staffers (followed by more than 650,000 people). Even theories about the Twitter account (“Russian disinformation”).

Since the election, the debunking website Snopes has monitored a growing list of fake news articles aimed at liberals, shooting down stories about a new law to charge protesters with terrorism, a plan to turn the USS Enterprise into a floating casino, and a claim that Vice President Mike Pence put himself through gay conversion therapy.

[snip]

Panicky liberal memes have cascaded across the internet in recent weeks, like an Instagram post regarding Steve Bannon’s powers on the National Security Council shared by a celebrity stylist and actress. Some trolls have even found success making fake news specifically aimed at tricking conservatives.

Let’s take the purported “fake news” stories BuzzFeed bases its argument on, one by one:

  • A debunking of a Twitter thread (not a finished news piece) drawing conclusions from the discovery that Trump, very unusually for a President, filed for reelection immediately after inauguration. There’s no debunking that Trump filed his candidacy, nor that it is unusual, nor, even, that Trump is fundraising off it. That’s not fake news. It’s an attempt to figure out why Trump is doing something unusual, with a fact-checking process happening in the Twitter discussion.
  • An admittedly overblown Medium post about some of the shady things Trump has done, as well as the much rumored claim that the reported sale of 19% of Rosneft confirms the Trump dossier claim that Carter Page would get part of Rosneft if he could arrange the lifting of US sanctions on Russia. The story’s treatment, and especially its use of the word “coup,” is silly, but the underlying question of whether Trump will instruct agencies to ignore the law, as already happened in limited form at Dulles over the first weekend of the Muslim ban, as well as the question of how Trump intends to target people of color, is a real one.
  • A story basically talking about the formation of the RoguePotusStaff Twitter account that notes prominently that “there’s no way to verify the authenticity of the newly minted Twitter channel.” BuzzFeed provided no evidence this was being preferentially shared by people on the left.
  • A Twitter thread speculating, based off linguistic analysis, that the RoguePotusStaff account might be Russian disinformation. Again, BuzzFeed made no claims about who was responding to this thread.
  • A debunking of a claim posted in November on a conservative fake news site claiming that protestors would get charged with terrorism.
  • A “debunking” of a satirical story from November posted in the Duffel Blog claiming Trump was going to repurpose an aircraft carrier.
  • A debunking of a fake news story from November claiming that Mike Pence had put himself through gay conversion therapy, which notes Pence did, indeed, push gay conversion therapy.
  • A liberal trolling effort aimed at conservatives, which started in December, claiming that Trump had removed symbols of Islam from the White House.
  • An Instagram post that (BuzzFeed snottily notes) got shared by an actress and a stylist reporting the true fact that Bannon had been added to the National Security Council and noting the arguably true fact that the NSC reviews the kill list including the possibility of targeting Americans (technically, the targeted killing review team installed by Obama is not coincident with the NSC, but it does overlap significantly, and Anwar al-Awlaki was targeted by that process).

Most of these things are not news! Most are not pretending to be news! The only single thing included among BuzzFeed’s “proof” that lefties are resorting to fake news that would support that claim is the Mike Pence story. And to get there, BuzzFeed has to pretend that the Duffel Blog is not explicitly satire, that multiple cases of conservative fake news are lefty fake news, that well-considered discussions on Twitter are fake news, and that we all have to stop following RoguePotusStaff because we don’t know whether its writers are really Rogue POTUS staffers or not.

It’s a shoddy series of claims that BuzzFeed should be embarrassed about making. Effectively, it is calling discussion and satire — including correction — fake news.

To BuzzFeed’s credit, after months of mis-stating what a poll it did revealed — BuzzFeed had been claiming that 75% of people believe fake news, but in reality the poll showed that 75% of those who recall fake news believe it — BuzzFeed finally got that, at least, correct. Bravo BuzzFeed!

But other than that, they’ve got almost nothing here.

Believe it or not, that’s not the most offensive part of this story. Having invented a lefty fake news problem out of satire and Twitter discussions, BuzzFeed then decided it’s important what official Democratic sources think about it. While one Bernie source said it was best to ignore these things (another said it was a real problem), BuzzFeed framed other responses in terms of left protests of elected officials.

Democratic operatives and staffers at left-leaning media outlets predict that viral anti-Trump conspiracy theories will ultimately distract from real reporting about the administration, undermining legitimate causes for outrage on the left over what the administration is actually doing.

Still, for now, it’s a conversation that exists almost entirely outside the political class itself. Elected officials are not hawking phony stories as true, like Trump’s calls to investigate widespread voter fraud during the election. But that remove poses its own problems for leaders with no obvious way to dismantle widely shared false stories.

“It exists on the left and that’s a problem because it misinforms people,” said Judd Legum, editor in chief of progressive news site ThinkProgress. “That’s harmful in other ways because the time you’re spending talking about that, you could spend talking about other stuff.”

“It contributes to a broader environment of distrust, and it sort of accelerates the post-factual nature of our times,” said Teddy Goff, co-founder of Precision Strategies and a former senior aide to Barack Obama and Hillary Clinton. “Fake news is pretty damaging no matter who it benefits politically. No one on the left should think we ought to be replicating the fake news tactics on the right.”

[snip]

The online energy also raises questions about the party’s relationship with its base. In recent weeks, progressives have pressured lawmakers to adopt a tougher stance toward Trump and join ranks with the millions of protesters who marched over inauguration weekend.

The two top-ranking Democrats in Washington, Chuck Schumer in the Senate and Nancy Pelosi in the House, have both signaled an openness to working on legislation with Trump. Last week, protests formed outside Schumer’s home in Brooklyn. And among progressive activists online, Pelosi was met with vehement push-back after saying the party has a “responsibility to the American people to find our common ground.”

“Elected Democrats are stuck struggling to keep ahead of the anger that the base is feeling right now,” said [Jim] Manley, the former Reid adviser. “It’s very palpable.”

First, BuzzFeed is wrong in saying elected officials are not hawking phony stories as true. One reason the claim that Wikileaks doctored Democratic emails got so much traction is because Dems repeatedly made that claim (and as I’ve noted, Hillary quickly escalated the Alfa News story that most media outlets rejected as problematic).

Worse, BuzzFeed deems Democratic operatives and staffers as somehow chosen to decide what are “legitimate causes for outrage on the left over what the administration is actually doing.” It further suggests there’s a connection between people protesting elected leaders and fake news.

Finally, BuzzFeed shows absolutely no self-awareness about the people it seeks out and the stories they’ve pitched. Consider: Manley is in the very immediate vicinity of the people who got the WaPo to push the claim that CIA had decided Russia hacked the DNC in order to get Trump elected, a conclusion that, we’ve subsequently learned, is the single one in which any agency in the IC (in this case, the NSA) expressed less confidence. Moreover, we know that Harry Reid spent months trying to get the FBI to reveal details included in the Trump dossier that no one has been able to confirm. And when the dossier was released, Judd Legum magnified it himself, in much the same way the Medium post did the Rosneft claim.

Oh, and as a reminder: BuzzFeed was the entity that decided it was a good idea to publish an unverified intelligence dossier in the first place!

I mean, if the institutional Dems that BuzzFeed has deemed the arbiters of what is “legitimate” to talk about think the unproven Russian dossier counts, then BuzzFeed has even less in its claim about fake news.

Nevertheless, it thought it was a good idea to assign two journalists to make thinly substantiated claims about a lefty news problem that it then used to police whether lefty protestors are doing the right thing.


John Yoo Wishes Trump Abused Executive Authority More Effectively

At the end of a John Yoo critique of Donald Trump’s abuses that a lot of people are mis-reading, he says this:

A successful president need not have a degree in constitutional law. But he should understand the Constitution’s grant of executive power. He should share Hamilton’s vision of an energetic president leading the executive branch in a unified direction, rather than viewing the government as the enemy. He should realize that the Constitution channels the president toward protecting the nation from foreign threats, while cooperating with Congress on matters at home.

Otherwise, our new president will spend his days overreacting to the latest events, dissipating his political capital and haphazardly wasting the executive’s powers.

John Yoo is not stating that, across the board, Trump has overstepped his authority. Indeed, the areas where Yoo suggests Trump has or will overstep his authority — exiting NAFTA and building a wall — are things Trump has not yet put into place. His concern is prospective. The only thing Trump has already done that Yoo believes abused power was firing Sally Yates, and that because of his explanation for firing her.

Even though the constitutional text is silent on the issue, long historical practice and Supreme Court precedent have recognized a presidential power of removal. Mr. Trump was thus on solid footing, because attorneys general have a duty to defend laws and executive orders, so long as they have a plausible legal grounding. But the White House undermined its valid use of the removal power by accusing Ms. Yates of being “weak on borders and very weak on illegal immigration.” Such irrelevant ad hominem accusations suggest a misconception of the president’s authority of removal.

Yoo doesn’t, for example, complain about Trump’s Executive Order on Dodd-Frank, which may have little effect.

But what Yoo is worried about is not abuse, per se, but that Trump will “waste the executive’s powers.”

That’s important given Yoo’s critique of Trump’s Muslim ban.

Immigration has driven Mr. Trump even deeper into the constitutional thickets. Even though his executive order halting immigration from seven Muslim nations makes for bad policy, I believe it falls within the law. But after the order was issued, his adviser Rudolph Giuliani disclosed that Mr. Trump had initially asked for “a Muslim ban,” which would most likely violate the Constitution’s protection for freedom of religion or its prohibition on the state establishment of religion, or both — no mean feat. Had Mr. Trump taken advantage of the resources of the executive branch as a whole, not just a few White House advisers, he would not have rushed out an ill-conceived policy made vulnerable to judicial challenge.

Yoo is saying that Trump could have implemented this policy if only he had gotten better advice about how to hide the fact that it was a Muslim ban, in the same way firing Yates would have been fine had Trump offered another explanation for it.

There’s a big rush among those who’ve abused executive authority in the past to rehabilitate themselves by seeming to criticize Trump. Many of them — including Yoo — are mostly complaining that Trump’s bad execution of abuse of executive power might give it a bad name.


The Problems with Pompeo: A Willingness to Use Information on Americans Russia Hacked and Shared with Trump

On Friday, the Senate confirmed the first two of President Trump’s nominees: Generals Mattis and Kelly to run DOD and DHS, respectively. But it did not confirm the third nominee slotted for that day, Mike Pompeo. In part because the nomination was not dealt with in regular fashion in the Senate Intelligence Committee (which did not vote out his nomination), Ron Wyden managed to force Mitch McConnell to hold six hours of debate tomorrow on his nomination.

Wyden has suggested we need to have more debate because Pompeo hasn’t answered all the questions posed to him. And it is true that Wyden has concerns about the following issues. But perhaps most of all, Wyden’s questions suggest he is concerned that the Trump administration will use information the Russians hacked against Americans.

In follow-up questions posed to Pompeo, Wyden expressed concern about Pompeo’s:

  • Enthusiasm for using bulk collections of “lifestyle” information on Americans
  • Willingness to have the CIA engage in activities the Ambassador or other Chief of Mission disagrees with
  • Squirminess about when the CIA can kill a US person
  • Dodginess on classifying torture information that reveals illegal, embarrassing, competitive, or otherwise unclassified information

But as I said, Wyden’s chief concern appears to be that Pompeo will use information the Russians have given, or will give, the Trump administration against Americans.

Enthusiasm for using bulk collections of “lifestyle” information on Americans

A big point of concern for Wyden and Martin Heinrich throughout Pompeo’s confirmation process is this op-ed he wrote at the beginning of last year. Based in part on the fact that the intelligence community didn’t find Tashfeen Malik’s anti-American statements on non-public social media, and in part on the demonstrably false claim that the IC didn’t find the Garland attackers beforehand (in reality, the FBI was cheering them on), Pompeo argued we need to collect still more data. “Congress should pass a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database,” he wrote.

Pompeo has dodged questions about precisely what “lifestyle” information he wants to collect — though it surely includes Twitter’s firehose of data from Dataminr. Sadly, he repeatedly pointed to executive orders in his answers, and the new EO 12333 sharing rules permit access to “public” information, which can include information from data brokers (though Pompeo claims ignorance of what he might want to use). So while Wyden is concerned that Pompeo will start dragnetting Americans, sadly he has been enabled to do so by one of the last things Obama did.

Willingness to have the CIA engage in activities the Ambassador or other Chief of Mission disagrees with

Another concern Wyden raised pertains to disagreements between the Chief of Mission (the top diplomat in a country) and the CIA Station Chief. This has been an issue in the past at least as it pertains to drone strikes in Pakistan and the torture program, where the Ambassador was either not informed or not properly consulted on CIA activities within a country.

When asked a yes or no question whether he would permit CIA to conduct activities even while an outstanding disagreement remained, Pompeo refused to answer, stating instead that he would seek an expeditious decision from the President. Effectively, he suggested if he were losing a disagreement with State, he’d get Trump to override State.

Squirminess about when the CIA can kill a US person

Wyden, who has long sought guidelines on when the US can kill an American citizen, returned to pre-hearing questions on this topic. After citing the Drone Rule Book requirement that DOJ be involved before taking action against a US person, he asked whether Pompeo agreed with the requirement. Pompeo basically said the US “must consider an American citizen’s constitutional rights prior to targeting him” and “CIA attorneys frequently consult with” DOJ (though left open the possibility of relying on less formal analysis). Ultimately, Pompeo dodged laying out any additional checks he’d follow before killing an American.

Dodginess on classifying torture information that reveals illegal, embarrassing, competitive, or otherwise unclassified information

Wyden asked Pompeo if he disagreed with the prohibitions on classifying information to “(1) conceal violations of law, inefficiency, or administrative error; (2) prevent embarrassment to a person, organization, or agency; (3) restrain competition; or (4) prevent or delay the release of information that does not require protection in the interest of national security,” prohibitions that existed in Clinton’s, George W. Bush’s, and Obama’s EOs on classified information. Pompeo said he did not. However, immediately in that context, Wyden asked about the Torture Report, and Pompeo dodged all questions about declassifying the torture report.

Willingness to use information obtained by Russians hacking Americans

But as I said, Wyden’s persistent concerns in his post-hearing questions pertained to whether and how Pompeo would be willing to cooperate with the Russians. Raising a Pompeo hearing comment that if a foreign partner gave the CIA information on US persons “independently,” “it may be appropriate of CIA to collect [that] information in bulk,” Wyden raised Trump’s encouragement of Russian hacking and asked what circumstances would make foreign collection so improper that CIA should not receive such information. Pompeo responded, “information obtained through such egregious conduct may be appropriate for the CIA to use or disseminate.”

Wyden then listed out a bunch of conditions, such as information coming from an adversary, to disrupt US democracy, information implicating First Amendment protected political activity, or information affecting thousands or millions of Americans. “The listed conditions could all be relevant,” Pompeo responded, remaining non-committal.

Wyden raised a Pompeo comment suggesting rules for accessing US person communications under EO 12333 and asked if that was true of information known to include significant US person information. Pompeo said he would consult experts and AGG guidelines (which, arguably, are this flexible).

Wyden raised Pompeo’s promise to expand intelligence cooperation with state and non-state partners, and asked specifically whether this included Russia, and if so how Pompeo planned on dealing with the counterintelligence risks of doing so. Pompeo said he was not referring to “any specific partners,” said, “CIA already has a strong counterintelligence program,” and said anything he did would comply with law and standard practices and be noticed to Congress.

Wyden then asked if “it is legal or appropriate for the White House to obtain from a foreign partner…information that includes the communications of U.S. persons” and if he learned that they were doing so, whether he would inform Congress of it. Pompeo responded “I am not aware of a DCIA role in supervising White House activities or providing legal counsel to the White House on its activities,” apparently committing only to informing Congress of CIA’s own activities.

In short, there are a lot of reasons to be worried about Pompeo as Director of CIA. But Wyden seems most worried that CIA (and the White House) will use information Russia gives them against American citizens.


The Democrats’ Newfound Love for Russian Intelligence Product

As you know, Buzzfeed published a dossier laying out Donald Trump’s ties to Russia last night. The dossier is described as oppo research done by a former MI6 agent first for a GOP rival (which doesn’t make a ton of sense as the dossier starts in June 2016) and then picked up by Hillary. There are competing reports on whether this dossier was included in the briefing on the Russian hack intelligence provided to Trump the other day (and I and others falsely claimed that this dossier is what some Senate Dems have pointed to as evidence they’ve been briefed about Trump’s ties to Russia).

I wanted to make a few points about the dossier.

First, note that this is not the complete dossier. There are references to reports that are not included with this dump. That means, even assuming the provenance on all else is solid, this is a cherry picked version of what the former MI6 consultant reported to Hillary.

Second, ask yourself why Hillary didn’t leak this dossier during the election (besides sharing the contents of it with David Corn). I don’t know the answer to that, but I’d sure like to know it (and I’ve got some theories that don’t raise my confidence about the dossier generally).

Third, as a number of people have noted, there are errors in this report, down to the spelling of Alfa Bank. That’s not itself discrediting, but it should caution people not to take this as finished intelligence.

For what it’s worth, I find some of it very credible. Some of it accords with stuff I know. Others of it conflicts in material ways with well-sourced information I know. I find other claims transparently silly (such as the report that anyone believed Trump didn’t have serious business ties to Russia). That may simply speak to the credibility of the individual underlying sources, or it may speak to the dossier generally. I don’t yet have an opinion on that.

Which brings me to the sources. Trump’s team has claimed that these reports come from Russian intelligence, which ought to raise the very good question of why we’d take as Gospel something Russian intelligence said now when we’re supposed to disdain known accurate information (Hillary emails) leaked on behalf of Russian intelligence. Trump’s claim is — as regards the most sensational of the claims in the report, that Trump had prostitutes urinate on a bed that Barack and Michelle Obama had used while in Moscow, as well as a few more of the claims — true. It is not true for others of the claims.

Which is to say, I’m not entirely sure what to make of this dossier yet. It is more interesting to me as an artifact — as something that Hillary had but chose not to leak but that got leaked yesterday of all days — than as a source of information, but I do think some of the information in the dossier might, with far more vetting, turn out to be somewhat accurate. There are reports FBI is investigating this document that I’m not 100% sure I believe.

I’ll come back to this analysis when I can print out the document, but here’s a list of all of the sources used in the report. Remember, before you get to these embedded sources (most are described as a “compatriot” of the actual source), you’ve got to remember the former MI6 agent paid to do opposition research (and perhaps directing his agents to look for opposition research). So everything here is Hillary’s surrogates to former MI6 agent to (usually) a “compatriot” to the underlying source. Also, some of these sources are obviously repetitive (such as the source close to Ivanov), so the entire dossier likely relies on closer to 10 underlying sources than the 31 listed here.

  1. Source A: Senior Russian Foreign Ministry figure with knowledge of intelligence the Kremlin was feeding Trump [via trusted compatriot]
  2. Source B: Former top level Russian intelligence officer still active inside the Kremlin, who says the Russians have enough material to blackmail Trump [via trusted compatriot]
  3. Source C: Senior Russian financial official
  4. Source D: A close associate of Trump who knows that the Ritz Carlton is under the control of the FSB
  5. Source E: redacted, possibly a staffer at the Ritz Carlton, which is reportedly controlled by FSB
  6. Source F: A female staffer at the Ritz, which is reportedly controlled by FSB
  7. Source G: A senior Kremlin official
  8. Unlabeled senior government official claiming the Russians had had only limited success penetrating foreign governments we know they’ve penetrated (like the US) but explaining RU had had increasing problems with its own hackers
  9. A Russian IT specialist with direct knowledge of FSB’s coercion and blackmail used to recruit hackers
  10. An IT operator inside a leading Russian State Owned Entity familiar with FSB penetration of a foreign director
  11. An FSB cyber operative
  12. Source E2: An ethnic Russian close associate of Trump who claims Trump has a minimal investment profile in Russia
  13. A Russian source close to Rosneft President Igor Sechin
  14. A compatriot of an official close to Presidential Admin Head Sergei Ivanov
  15. A trusted associate of a Russian émigré figure
  16. A Kremlin source close to Sergei Ivanov
  17. A Kremlin source close to Dmitri Medvedev
  18. A close colleague of Sergei Ivanov
  19. A Kremlin official involved in US relations
  20. An ethnic Russian associate of Trump, who had spoken to Carter Page
  21. A compatriot of a Kremlin insider discussing Duma Head of Foreign Relations Committee Konstantin Kosachev
  22. A well-placed Russian figure
  23. An American political figure associated with Trump
  24. A trusted compatriot of a senior member of Presidential Administration and of a senior Minister of Foreign Affairs official
  25. A former top level Russian intelligence officer
  26. A trusted compatriot of a top level Russian government official
  27. A trusted compatriot of a St. Petersburg member of the political/business elite and another involved in the services/tourist industry
  28. A trusted compatriot of a senior Russian leadership figure and a foreign ministry official
  29. A trusted compatriot of a close associate of Rosneft President Igor Sechin, a senior member of Sechin’s staff, and a Kremlin insider with direct access to the leadership
  30. A longstanding compatriot friend of a Kremlin insider
  31. [Redacted]



The Shadow Brokers: “A Nice Little NSA You’ve Got Here; It’d Be a Shame If…”

When President Obama discussed how to retaliate against Russia for hacking the DNC last Friday, he described the trick of finding “an appropriate response that increases costs for them for behavior like this in the future, but does not create problems for us.” Aside from questions of efficacy, Obama raised something that a number of people looking for a big explosive response seem to have forgotten: that any response may create problems for us.

Which is why I find it curious that — aside from this one piece by Krypt3ia — no one factored in another cyber-attack on the US in discussions about retaliation, one that is, at least in execution, ongoing: the release of NSA tools by a group calling itself the Shadow Brokers.

I’ve put a rough timeline (!) below. But as it shows, several weeks after the initial release of the DNC emails led to Debbie Wasserman Schultz’s resignation, the Shadow Brokers posted the first of what have thus far been 6 messages. Especially recently, the timing of the Shadow Brokers releases correlates in interesting ways with developments in the DNC hack. At the very least, the coincidence suggests the threat of further exposure of NSA’s hacking may be a factor in discussions about a response.

Release One: Burning US firewall providers

The first Shadow Brokers post announced an auction of Equation Group (that is, NSA offensive hacking) files. It released enough files to make it clear that a number of firewall companies, including several American companies, had been targeted by the NSA. Accompanying the release was a rant that indirectly pointed to the Clintons — discussing blowjobs and running for President — but at that point, there was not much focus on whether these files were related to the Russian hacking and, more importantly, not a ton of focus on the files in discussions of the Russian hacking. That is, while many people assumed Russia might be the culprit, that possibility fell out of the discussion.

Two weeks later, the FBI arrested Hal Martin, a(nother) Booz Allen contractor who — in the NYT story that revealed his arrest — served as a ready scapegoat for the files.

The very next day, Shadow Brokers posted its second message, the first of several proving that it was not, personally, Hal Martin. It was basically a play on Team America’s Kim Jong Il character, asking why everyone was so stupid.

A few days later, on September 5, President Obama gave Vladimir Putin the first of several warnings about the hacking — understood to be the DNC hacking (reportedly, no one knew about the Podesta hack yet, even though the emails had been stolen in March).

Almost a month passed before Shadow Brokers posted again, on October 1, basically whining about no one playing in the auction. The following two weeks are critical in the DNC hack rollout.

On October 7, two leaks distract from the IC attribution announcement

On October 7, three things happen (well, more, but I’ll come back to that): First, ODNI and DHS released their statement blaming Russia for the hack. The WaPo published the Access Hollywood “Grab them by the pussy” video. And WikiLeaks started releasing the Podesta emails.

Side note: This weekend, Podesta complained about the latter two events, describing how they came out just an hour apart. People even disputed the claim. But in neither Podesta’s comment nor the fact-check are people mentioning that it’s not so much that the Podesta emails distracted from the Trump video (which I don’t think to be the case anyway, because the GrabThemByThePussy really did distract us for a while) as that both — and especially the video — distracted from the Russia implication.

A week later, the same NBC team that has been the recipient of other DNC hack related leaks published a dick-wagging story promising that the CIA was about to cyber-retaliate for the hacks.

The next day, Shadow Brokers released message number 4 calling off the auction. The Shadow Brokers post also crassly spoofs Loretta Lynch’s airplane meeting with Bill Clinton (there’s a cultural reference here I don’t get), bringing the message content of the SB series still closer to the context of the Hillary emails.

Release Two: ID alleged NSA targets and threaten the election

Thus far, mind you, Shadow Brokers had just released enough to seriously compromise America’s firewall companies and their relationship with the NSA — but had mostly just been making noise since the first release. That changed on October 30, less than two weeks before the election.

Most of the focus on this release has been on the data released: a set of IP addresses seemingly showing the addresses NSA had hacked or used as a proxy. The IP addresses were dated, so the release wasn’t exposing ongoing operations, probably. But it did reveal a significant number of academic targets. It also showed that, several years before we drummed up the Iraq War, we were targeting the Organization for the Prohibition of Chemical Weapons. Unlike the first release, then, this one didn’t so much help anyone hack. Instead, it identified who had been hacked, and the degree to which these were not obvious targets.

But the message from that release is, in retrospect, just as important. It includes a reference to the NBC dick-wagging story about CIA hacking Russia. It questions why the focus has been on the DNC hack and not the Shadow Brokers release, “hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed.” It invited people to hack the election.

On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016.

And then it demanded payment or the bleeding would continue. “How bad do you want it to get? When you are ready to make the bleeding stop, payus.”

The next day, according to NBC, for the first time in his Administration, President Obama used the “Red Phone” communication system with Russia and discussed war, albeit in muddled terms.

Now, even aside from this timing, it makes more sense that Obama was reacting to the Shadow Brokers release than the DNC ones. Though Dems have suggested Russia kept hacking after the spring, that appears to have been more phishing attempts, not known theft of documents. As for the DNC and Podesta files, as Obama said on Friday, those files had already been stolen. Short of stopping WikiLeaks (and Ecuador had cut off Julian Assange’s wifi access by then, presumably in response to US pressure, though it had little impact on the release of the Podesta files), there was nothing that a call could do about the ongoing leaks pertaining to Hillary. There were, admittedly, the probes of state voter registration sites, but the IC has consistently stopped short of attributing those to Russia.

But a response to a threat to hack Russia?

Which would seem to suggest the IC believes that these Shadow Brokers files are coming from Russia.

Release Three: A broad array of alleged tools, including those that hacked Belgacom

Then things went quiet again for a while, until the leakapalooza starting on December 9, which was basically an effort by the Dems and some spooks to pressure Trump and/or delegitimize his election. Significantly, however, the December 9 WaPo story also reported, for the first time, that CIA knew who the cut-outs between Russia’s hackers and Wikileaks were, something James Clapper said the IC didn’t have as late as November 17. In addition, the NYT published its long piece describing the hack, told in a way to put the Dems in the best possible light (which is a polite way of saying it is not hard-hitting news).

So on December 14, a Motherboard post from a persona named Bocefus Cleetus points to a ZeroNet site with a set of files listed for individual sale (and aggregating all the past messages).

With regard to the files, here is HackerHouse’s analysis, here is the Grugq’s post on the technical aspect of the files, and a few of Shadow Brokers’ most recent tweets allegedly describe what some of the files are. The short version though is, like the original release, these are dated files, some of them matching the known interests of those who comment on NSA’s hacking. There’s a good deal of variety in tools, some of which sound cool. One of them, at least according to Hacker House, is likely one of the tools used to hack Belgacom.

Interestingly, HackerHouse and the Grugq disagree as to what this array suggests about the source of the files. The Grugq argues that these files must come from inside the NSA, because there’d be no other explanation for all of them to be in the same place.

Why High Side?

The easiest way to tell this is high side [inside NSA’s classified networks] gear, not a back hack from an ops box is that there is simply too much here. It’s hard for me to explain because it requires a level of information security knowledge combined with understanding how cyber operations are conducted (which is different from pen tests or red teaming).

The TAO of Cyber

Cyber operations are basically designed with operational security in mind. The operators create a minimal package of tooling needed for conducting exactly, only and specifically the operation they are doing. This means, for example, if they are hitting a telco Call Data Records (CDR) box, they will plan for what they are going to do on that specific computer and prepare the tools for only that plan and that computer. If those tools are captured, or there is a back hack up to their staging point, the loss is compartmented.

But HackerHouse argues they must be from a staging site (that is, external to the NSA) because they are binary files.

The bulk of these projects are not provided in source code form and instead appear to be binary files, which further strengthens the hypothesis that these files were compromised from an operational staging post or actively obtained from a field operation. If they had been in source code format then this would suggest an insider leak is more likely; binary files are often used in operations over their source code counterpart.

For what it’s worth, in the first post, Shadow Brokers claims it tracked EG’s traffic. “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.” But it is worth noting that, 4 months after the first leak, tech folks are still disputing whether these must have come from inside or outside the NSA.

Assuming no one buys these files, then, the release has done several things. First, it provided Belgacom and other potential targets of US hacking more evidence they might use to identify an NSA hack. As such, it seems consistent with the earlier releases: not so damaging for current operations as it is for the exposure of who and how the US targets civilian targets.

But it also tells the NSA more about what Shadow Brokers has — at least some of the tools it has (in the first post, SB claimed NSA didn’t know what it had), but also where they were obtained.

Cleetus’ close commentary on recent events

Which brings me to the message (post one, post two) of presumed Shadow Brokers persona, Bocefus Cleetus (as others have argued, a possible allusion to “ventriloquist dummy of FSB”), which the Grugq wrote about here. I suspect (this is a wildarseguess) Cleetus may serve as a temporally contingent way to alert the public to files that may have been out there for a while.

As the Grugq notes, the first message is interesting for its invocation of Rage Against the Machine’s “People of the Sun” juxtaposed against a background and fake discourse targeting caricatured Neo-Nazi Trump voters. He reads the former as a warning about invading brown people, but I think — given the stylistic fluidity across the six Shadow Brokers’ messages — it might better be understood as mixed metaphors: RATM where one has been led to expect Hank Williams Jr.

There’s also a reference to fake news. As with the October 30 release (assuming Cleetus is a persona of Shadow Brokers), this is also a piece responding to very current events.

But Cleetus’ second message is a far more interesting comment on immediate events. For example, from the first, it invokes NYT’s blockbuster (which is remarkably favorable to the DNC) story on the hack, which has now been translated into Russian. Here’s Cleetus’ first line:

After my shadow brokers tweet I was contacted by an anonymous source claiming to be FBI. Yep I know prove it? I wasn’t able to get’em to verify their identity.

Here’s an early line from the NYT story:

“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

This line from Cleetus:

The NSA has the global surveillance capabilities to intercept all the DNC and Podesta emails.

seems to reflect Bill Binney’s theory, which is that the NSA would know if there were really a hack because it would have seen the traffic.

In other words, any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA. These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.

[snip]

The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.

There’s the reference to the now-forgotten stink when Trump interviewed Mike Rogers.

Clapper and Carter tried to get Rogers fired. They also called for the breakup of NSA.

That was first reported by the same folks who set off this leakapalooza.

The heads of the Pentagon and the nation’s intelligence community have recommended to President Obama that the director of the National Security Agency, Adm. Michael S. Rogers, be removed.

The recommendation, delivered to the White House last month, was made by Defense Secretary Ashton B. Carter and Director of National Intelligence James R. Clapper Jr., according to several U.S. officials familiar with the matter.

Action has been delayed, some administration officials said, because relieving Rogers of his duties is tied to another controversial recommendation: to create separate chains of command at the NSA and the military’s cyberwarfare unit, a recommendation by Clapper and Carter that has been stalled because of other issues.

Whatever happened to Trump’s imminent plan to replace James Clapper with Mike Rogers amidst a big rearrangement of the spook desk chairs, I wonder? Has he completely forgotten that Clapper, as Clapper himself said, is out of here on January 20 at noon sharp?

In any case, those bits directly echo very current news. But the rest of the post posits a fight between DOD and CIA, some of it rooted in equally real, if more dated, pissing contests.

Look it up for yerself! DOD and CIA have had a turf war going back to the Afghanistan and Iraq Wars bout whose job it was to run paramilitary operations. A turf war over the next “domain of battle” with all the government cheese.

One reason Shadow Brokers’ positing of a NSA-CIA spat — which the Grugq argues could not be real — is so interesting is because most of the recent reporting has forgotten NSA’s centrality in all this and instead focused on an FBI-CIA split, which was artificially resolved by pre-empting the President’s press conference on Friday.

I don’t think there’s really an NSA-CIA pissing contest, though there may be an interesting detail here or there I’ll return to.

But it brings us full circle. President Obama, in urging calm, invoked the kind of retaliation that might “create problems for us.” Those comments took place as if only the DNC and Podesta hacks were at issue (indeed, he made Martha Raddatz qualify what leaks the IC had blamed on Russia, and that’s what she said). But it appears likely that the IC connects Shadow Brokers to the other two. And the whole time we’ve been talking about retaliating, the Shadow Brokers has not so much been undercutting the NSA’s bread and butter as letting our allies and other neutral parties see precisely whom we conduct this dragnet on.

That sounds like something that might “create problems for us.”

On October 30, Shadow Brokers taunted, “When you are ready to make the bleeding stop, payus, so we can move onto the next game.” I think we’re still in that first game.


Shadow Brokers Timeline

August 13: Message 1 Equation Group Warez Auction Invitation

The name, in general, is a play on the villain from Mass Effect.

GitHub, Reddit, Tumblr (see note), with takedowns as stolen property

Message on Pastebin

Claims files obtained by following EG traffic, claims EG doesn’t know what it lost

We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.

[snip]

Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

Rant about wealthy elites who don’t get blowjobs who run for President

We have final message for “Wealthy Elites”. We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?

August 27: Hal Martin arrested

August 28: Message 2 “Why is everyone so fucking stupid”

A play on Team America’s “I’m so ronery”

Additional details on auction, Pastebin

September 1: Message 6 files signed

September 5: Obama and Putin discuss DNC hacks at G-20

September 25: Sam Adams Award presentation; Craig Murray meets intermediary tied to Podesta leak

October 1: Message 3 “Why you no like?”

More details on the auction. Medium

Q: Why saying “don’t trust us”?

A: TheShadowBrokers is making comment on trust-less exchanges. TheShadowBrokers is thinking is no thing now as trust-less. “Don’t Trust” is not equal to “Is Scam”. TheShadowBrokers is thinking no way to exchange secrets (auction files) without one party trusting other. If seller trust buyer and buyer no pay, then no more secrets. If buyer trust seller and seller no deliver, the no more sales. TheShadowBrokers is having more things to sell. Reputation is being another benefit of public auction.

October 7: IC Attribution of DNC hack to Russia, Podesta email release starts, Access Hollywood video

October 14: NBC story, CIA Prepping for Possible Cyber Strike Against Russia

Vice President Joe Biden told “Meet the Press” moderator Chuck Todd on Friday that “we’re sending a message” to Putin and that “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.”

October 15: Message 4 “Yo Swag Me Out”

Calls off auction and provides spoof (I’m missing what this is a reference to) of Loretta Lynch/Bill Clinton plane conversation

October 17: Ecuador cuts off Assange’s Internet access

October 30: Message 5 Trick or Treat for Amerikanskis

Medium announcement

A reference to October 14 NBC story and Biden’s threat to Putin, mocking relative focus on DNC hacks over Equation Group hacks

Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures.

A challenge about whether the DNC hack is more important than the EG hack

But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed?

[snip]

Maybe political hacks is being more important?

A call for people to hack the elections

TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016. If peoples is not being hackers, then #disruptelection2016, #disruptcorruption2016. Maybe peoples not be going to work, be finding local polling places and protesting, blocking, disrupting, smashing equipment, tearing up ballots? The wealthy elites is being weakest during elections and transition of power.

A threat that it will get worse

How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out!

October 31: Obama contacts Putin on Red Phone for first time in presidency, reportedly warns he’ll treat an attack on the election as an act of war.

November 26: Anonymous White House statement on election integrity

December 9: Obama calls for a review of hacking; WaPo releases story claiming CIA believes Russia did the hack to elect Trump

December 13: NYT story on DNC hack that leads with detail that FBI called DNC but staffer didn’t believe he was FBI.

December 14 (?): Message 6 “Black Friday/Cyber Monday Sale” (file signed September 1; Mustafa al-Bassam seemed to know they were coming if not already out there)

December 14: Message 6B Bocefus Cleetus 1 “Are the Shadow Brokers selling NSA tools on ZeroNet?”

Reference to Rage Against the Machine People of the Sun

Possible reference to Hank Williams Jr, Dukes of Hazzard (perhaps ventriloquist doll for FSB)

Reference to fake news

December 15: Shadow Brokers interview with Motherboard

December 16, 5:21 AM(?): Message 6A Bocefus Cleetus 2, “New Theory: Shadow Brokers Incident is a Deep State Civil War between CIA vs NSA”

Reference to NYT story on how DNC got hacked

Reference to Bill Binney theory on hack

Seeming rewriting of perceived FBI-CIA feud

Reference to (now forgotten) Trump interview with Mike Rogers

Reference to larger discussions of bureaucratic organization

DOD and CIA have had a turf war going back to the Afghanistan and Iraq Wars bout whose job it was to run paramilitary operations. A turf war over the next “domain of battle” with all the government cheese.

December 16, 2:40PM: Obama press conference

January 1, 2017 [Update] Shadow Brokers complains it did not get included in Obama’s sanctions list

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

“Jim Comey thinks he was handed a shit sandwich”

Upon this rock Comey’s reputation stands—or it did until this past July.

That sentence appears deep inside a long Tim Weiner article suggesting, as I did on November 9, that Democrats might be better off if Jim Comey stayed on as FBI Director under Donald Trump.

Before Weiner gets there, he lays out the tradition of FBI Directors standing up to Presidential power (!), leading up to a truly epic rendition of the Comey hospital stairs myth, in which Comey ran up some hospital steps in March 2004, with seconds to spare, to save the Constitution.

The number of people who knew about Stellar Wind was vanishingly small at the start, but by early 2004 it was growing. Comey was read into the program’s secret protocols. He became convinced that Stellar Wind was unworkable—and, worse, unconstitutional. (As the Supreme Court would later rule in a pivotal case, a state of war does not make a president king.) In turn, Comey converted Mueller. They agreed that the FBI could not continue to go along with the program. The scope of the searches had to be constrained to protect Americans’ rights.

Bush disagreed, of course. So did his White House lawyers. The NSA was a military agency, and therefore, they said, Congress’s authorization of military force gave the president the right to electronically eavesdrop on anyone, anywhere in America—free from the constraints of the Fourth Amendment’s protections against warrantless searches and seizures.

Comey and Mueller were caught between the president’s command and the law of the land. Neither man had seen evidence that the surveillance program had saved a life, stopped an imminent attack, or unveiled an Al Qaeda member in the United States. They also thought it foolhardy that Bush was flouting the Foreign Intelligence Surveillance Court, which had been created after Watergate to oversee national-security wiretapping.

[snip]

The FBI agents who were guarding Ashcroft’s room alerted Comey and Mueller that a showdown was imminent. The two men raced to the intensive-care unit in their black cars, sirens blaring. Comey, who is six foot eight, leaped up the stairs two steps at a time and got there first. Ashcroft was fading in and fading out. “I immediately began speaking to him,” Comey later testified, “to see if he could focus on what was happening. And it wasn’t clear to me that he could. He seemed pretty bad off.”

Having presented how Acting Attorney General Comey saved the Constitution by refusing to reauthorize Stellar Wind, Weiner skips some details, most notably about how Comey then turned around and strong-armed FISA into authorizing most parts of the program, including the metadata dragnet that Comey had refused to approve on his own, arguing that DOJ couldn’t go to Congress as the Constitution required.

Weiner’s myth has no room in a long form article to explain that Comey needed to shred the Constitution’s separation of powers to save the Constitution, it seems. After all, if he presented those details, the claim that Comey’s reputation still stood unblemished on a noble rock back in July would look silly.

Having, nevertheless, argued that Comey has consistently stood up to presidential powers on a scale never before seen, Weiner then tries to spin Comey’s July decision to violate the norms of DOJ as just a case of standing up to power gone bad. Weiner provides almost no explanation of what a big deal it was to make derogatory comments about Hillary even while he cleared her, to be followed by several sworn hearings before Congress in which he provided even more details.

Indeed, in a key paragraph, Weiner’s hagiography gets muddled, with statements Comey made in July conflated with actions he then felt obliged to take in October, without much discussion of how one led to the other.

Clearly Comey’s remark about Clinton being “extremely careless” was a blunder—carelessness is a sin of omission, not a federal crime—but the awful truth is that he thought he had no choice, or at least no good choice. When he sent the October 28 letter, Comey broke a long-standing Justice Department rule against meddling in presidential politics on the eve of an election. But if, as seems likely, Comey believed with everyone else that Clinton was on track to become the next commander in chief, he may have felt compelled by a custom of equally potent provenance. For decades the FBI has checked and confronted the power of the president. This tradition runs from our own time of political torment back through Bill Clinton’s presidency all the way to the days of J. Edgar Hoover.

Having thus obscured how unprecedented the first decision was, Weiner then goes on to — I kid you not! — permit a Comey associate to claim that he (!!!!) and not Hillary Clinton got dealt a shit sandwich.

In November, I put a question to Comey through the FBI’s chain of command: Why did he feel obliged to tell Congress about the cache of unopened emails at the end of October, before his agents had a warrant to look at them? Comey declined to respond directly, but an FBI official familiar with his thinking explained the gist of the dilemma: The director stood at the fork of two bad roads. Route one: Comey sends the letter to Capitol Hill. A congressman hell-bent on harming Hillary Clinton leaks it. The evidence reveals no crime. Clinton is defeated. Route two: Comey doesn’t send the letter. The existence of the emails leaks. Comey is doomed. Another official who works closely with the director put the conundrum in a pithy phrase: “Jim Comey thinks he was handed a shit sandwich.”

Even the most Comey-friendly narrative of his actions this year has, up to this point, argued that Comey’s choices in October were limited because of stupid, even unforgivable, things he did in July. But not here. Here, some entity that shall not be named handed poor Jim Comey a shit sandwich.

Weiner’s piece ends with the promise that, this unfortunate incident behind him, Jim Comey will still get up for the next six plus years to protect our country and our Constitution.

For the next seven years, if he serves through the end of his statutory term, Comey will rise before dawn, read through overnight reports about threats to the United States, ride a black car to the White House, and brief the president, if the president will listen. He will report to congressional committees on life-and-death issues of national security. The FBI is fighting battles across the nation and the world, surrounded by real and imagined enemies everywhere you look, and in places you can’t see. There are terrorists and cyberwarriors. There are crooks and thieves. There are two houses of Congress. And then there’s the White House. Our new president has a history of bending the law nearly to the breaking point. Trump might not like the cut of Jim Comey’s jib. But the FBI director must stand up and say no to a president when the Constitution requires it. It’s the law, and it’s a tradition. We could do worse than having Comey in charge.

Look. As I noted at the beginning, I have made a version of this argument. I have argued that whoever Donald Trump would appoint to be FBI Director would be far worse than Comey, and Comey — not because he has great respect for the Constitution but because he’s self-righteous and knows how to work the press — might stand up to the first or second Trump abuse of power. I don’t expect many Democrats (the ones who rushed through Comey’s appointment with very little scrutiny) to agree, but I have made that argument.

But spare me the misleading hagiography in making that case, please? If we would be better off if Comey stayed on, it would be as much because of Comey’s flaws (and more importantly Trump’s knack for finding the worst nominee for any given position) as because of any great deeds of the past.

Why Is CIA Avoiding the Conclusion that Putin Hacked Hillary to Retaliate for Its Covert Actions?

The most logical explanation for the parade of leaks since Friday about why Russia hacked the Democrats is that the CIA has been avoiding admitting — perhaps even considering — the conclusion that Russia hacked Hillary in retaliation for the covert actions the CIA itself has taken against Russian interests.

Based on WaPo’s big story Friday, I guessed that there was more disagreement about Russia’s hack than its sources — who seemed to be close to Senate Democrats — let on. I was right. Whereas on Friday WaPo reported that it was the consensus view that Russia hacked Hillary to get Trump elected, on Saturday the same journalists reported that CIA and FBI were giving dramatically different briefings to Intelligence Committees.

The question the Republicans and Democrats in attendance wanted answered was whether the bureau concurred with the conclusions the CIA had just shared with senators that Russia “quite” clearly intended to help Republican Donald Trump defeat Democrat Hillary Clinton and clinch the White House.

For the Democrats in the room, the FBI’s response was frustrating — even shocking.

During a similar Senate Intelligence Committee briefing held the previous week, the CIA’s statements, as reflected in the letter the lawmakers now held in their hands, were “direct and bald and unqualified” about Russia’s intentions to help Trump, according to one of the officials who attended the House briefing.

[snip]

“The FBI briefers think in terms of criminal standards — can we prove this in court,” one of the officials said. “The CIA briefers weigh the preponderance of intelligence and then make judgment calls to help policymakers make informed decisions. High confidence for them means ‘we’re pretty damn sure.’ It doesn’t mean they can prove it in court.”

The FBI is not sold on the idea that Russia had a particular aim in its meddling. “There’s no question that [the Russians’] efforts went one way, but it’s not clear that they have a specific goal or mix of related goals,” said one U.S. official.

Subsequent leaks have continued to make it clear there’s a dispute both about what motive Russia had to target Hillary (to destabilize the US? to get Trump elected?) and how much evidence there is (the FBI thinks it is circumstantial, the CIA thinks it a smoking gun). In addition, there have been unanswered questions about why CIA only briefed that Russia affirmatively supported Hillary this week, when reportedly they have had the evidence that conclusion is based on for months.

Remarkably, only secondary commenters (including me, in point 13 here) have suggested the most obvious explanation: The likelihood that Russia targeted the former Secretary of State for a series of covert actions, all impacting key Russian interests, that at least started while she was Secretary of State. Those are:

  • Misleadingly getting the UN to sanction the Libya intervention based off the claim that it was about protecting civilians as opposed to regime change
  • Generating protests targeting Putin in response to 2011 parliamentary elections
  • Sponsoring “moderate rebels” to defeat Bashar al-Assad
  • Removing Viktor Yanukovych to install a pro-NATO government

Importantly, the first three of these happened on Hillary’s watch, with her active involvement. And Putin blamed Hillary, personally, for the protests in 2011.

Never mind the relative merit of these covert operations. Never mind that Putin has not, yet, released any evidence to support his claim that Hillary (or CIA) supported the 2011 protests targeting him personally; there is no doubt he believes it. During the primary Hillary as much as confirmed that when her diplomats negotiated the UN vote in 2011, they had regime change in mind the whole time. The US has acknowledged its covert operations against Assad in Congressional testimony. And hackers released a call from Victoria Nuland acting like she was in charge of deciding what post-Yanukovych Ukraine would look like.

In other words, whatever the merits and evidence behind these four events, there is no doubt Putin sees them as a threat to Russian interests and blames the US for all of them, with merit in at least some of the cases.

And yet, this most obvious motive has not been leaked to the press, creating the impression that it has never been considered by the people who carried out these covert actions.

To admit this possible motive publicly, of course, would require admitting that the US still tampers in other governments, including some that are elected (even if in elections of dubious fairness). It would also require admitting that our own government got targeted as a response to these covert interventions, which would make concerns about how novel this intervention was a lot less convincing.

Finally, if this motive were the real reason Putin tampered in our election, it might explain why Obama has been reluctant to respond. Perhaps the US believes that Putin has evidence that might prove — or at least create a convincing case — that the US did intervene to try to weaken him in 2011. And again, the US has already stated on the record they’ve got a covert operation to topple Assad.

Update: I’ll add that DC Leaks, which has always been conflated with Guccifer 2 (which released only Democratic files) and the DNC and Podesta leaks to Wikileaks, started by releasing documents with very clear ties to Ukraine, including a great many targeted at George Soros. If DC Leaks is considered part of the same operation, it is all the more unbelievable that CIA has not considered this explanation.

Update: At an October 18 event, Michael Hayden said (after 20:30) Putin did this because he believes that we do this to him all the time, citing the Rose Revolution, 2011 protests, and Maidan, but not mentioning Libya and Syria. Hayden did claim that the US doesn’t actually do those things (again, not mentioning Libya and Syria), but earlier he said he had done similar things to the actual hack while Director of NSA.
