SWIFT and the Bangladeshi Bank Heist

I’ve been following the story of how what are described to be criminal hackers tried to steal $1 billion from Bangladesh’s national bank, in part because of the tie to SWIFT, the financial transfer company (as of now, $81 million are still missing, but Sri Lanka and the Fed managed to reverse or prevent the remainder of the theft attempt). As part of the hack, the thieves stole Bangladesh’s SWIFT credentials (it appears they did this after Bangladesh connected the server running SWIFT transactions to 3 other servers).

“Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” the interim report said. Those servers are operated by the bank but run the SWIFT interface, and the report makes it clear the breach stretches into other parts of the bank’s network as well. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”

SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally. It can’t comment on the investigation, according to Charlie Booth from Brunswick Group, a corporate advisory firm that represents SWIFT.

“We reiterate that the SWIFT network itself was not breached,” Booth said in an e-mail. “There is a full investigation underway, on what appears to be a specific and targeted attack on the victim’s local systems.” SWIFT said last week its “core messaging services were not impacted by the issue and continued to work as normal.”

Dedicated servers running the SWIFT system are located in the back office of the Accounts and Budgeting Department of Bangladesh Bank. They are connected with three terminals for payment communications.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisory to its members, advising them to shore up their local operating environments.

In separate news, a local security researcher who had been working on the hack disappeared last week.

In a weird turn of events, one of the security researchers who voiced their criticism at the central bank’s security measures disappeared on Wednesday night.

Family members are saying that Zoha met with a friend at 11:30 PM on Wednesday night, March 16. While coming home, a jeep pulled in front of their auto-rickshaw, and men separated the two, putting them in two different cars.

Zoha’s friend was dumped somewhere in the city (Dhaka) and was able to get home by 02:00 AM, the next day. He then contacted Zoha’s family, who said the security researcher never came home.

The next day, family members tried to report the researcher missing, but police officers just kept redirecting them from one police station to another until the family gave up and contacted the media for help.

[snip]

According to BDNews24, Zoha was a former collaborator of Bangladesh’s ICT (Information and Communication Technology) Division and worked with various government agencies in the past. It appears that his comments about the Bangladesh central bank cyber-heist were made working as a “shadow investigator” for a security company that family members declined to name.

Answering questions about his own investigation into the central bank’s cyber-heist, Zoha said that the “database administrator of the [Bangladesh Bank] server cannot avoid responsibility for such hacking” and that he “noticed apathy about the [server’s] security system.”

From this description and those based on the FireEye report, it seems like Bangladeshi authorities, and not SWIFT, would be the powerful people who might want to make this guy disappear. But I find it interesting that someone who was presumably mirroring FireEye’s work has apparently been kidnapped.

Remember: NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

While we don’t have enough detail to assess, it does sound like the NSA got in through vulnerabilities at the member bank level, like these thieves did.

Again, I assume the kidnapping is best explained by Bangladeshi efforts to cover up their own incompetence. But I do find the possibility that SWIFT might be vulnerable due to vulnerabilities at its member banks interesting, too.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

How Hillary Helped Banks Foreclose on 5 Million Families

Let me be clear at the outset: I think what follows is a bullshit argument. But I think it is less unfair of an argument than Hillary’s claim that, by voting to withhold the second tranche of TARP funding on January 15, 2009, Bernie Sanders voted against the auto bailout.

As you’ll recall, in October 2008, the Bush Administration threw some vaguely laid out plans on some cocktail napkins over the wall to Congress and got it to release $700 billion dollars to bail out the banks. Between the time the new Congress got sworn in but before Obama became President, Republicans in the Senate wrote a bill to withhold the second tranche, or $350 billion, of those funds. In the days before the vote, Larry Summers threw two more cocktail napkins of promises to Congress. Bernie was one of seven Democrats who voted not to release the funds based on a series of what were effectively ideas on cocktail napkins.

One of the things on those cocktail napkins, though, was a promise from the Obama Administration that actual human persons facing a crisis, rather than just banks, would get some of the second tranche of money.

The Obama Administration will commit substantial resources of $50-100B to a sweeping effort to address the foreclosure crisis.  We will implement smart, aggressive policies to reduce the number of preventable foreclosures by helping to reduce mortgage payments for economically stressed but responsible homeowners, while also reforming our bankruptcy laws and strengthening existing housing initiatives like Hope for Homeowners. Banks receiving support under the Emergency Economic Stabilization Act will be required to implement mortgage foreclosure mitigation programs.

Of course, it was just a cocktail napkin, and by voting to release the funds without tying them to actual legislation requiring the Administration actually use the funds in such a way as to help homeowners, Hillary — and all the other Democrats who voted to give their new President funds without real limits on how they could spend it — gave away any leverage they had to actually force the Administration to implement such a plan.

Last year David Dayen described how the Administration not only never spent $50 billion — they only ever spent $12.8 billion — but the number of people helped was far lower than promised, and most people “helped” actually weren’t helped at all.

On January 15, 2009, Obama’s chief economic policy adviser, Larry Summers, wrote to convince Congress to release the second tranche of TARP funds, promising that the incoming administration would “commit $50-$100 billion to a sweeping effort to address the foreclosure crisis … while also reforming our bankruptcy laws.” But the February 2009 stimulus package, another opportunity to legislate mortgage relief, did not include the bankruptcy remedy either; at the time, the new administration wanted a strong bipartisan vote for a fiscal rescue, and decided to neglect potentially divisive issues. Having squandered the must-pass bills to which it could have been attached, a cramdown amendment to a housing bill failed in April 2009, receiving only 45 Senate votes.

Senate Majority Whip Dick Durbin, who had offered the amendment, condemned Congress, declaring that the banks “frankly own the place.” In fact, the administration had actively lobbied Congress against the best chances for cramdown’s passage, and was not particularly supportive when it came up for a vote, worrying about the impacts on bank balance sheets. Former Treasury Secretary Timothy Geithner admitted in his recent book, “I didn’t think cramdown was a particularly wise or effective strategy.” In other words, to get the bailout money, the economic team effectively lied to Congress when it promised to support cramdown.

[snip]

According to a recent Government Accountability Office report, 64 percent of all applications for loan modifications were denied. Employees at Bank of America’s mortgage servicing unit offered perhaps the most damning revelations into servicer conduct. In a class-action lawsuit, these employees testified that they were told to lie to homeowners, deliberately misplace their documents, and deny loan modifications without explaining why. For their efforts, managers rewarded them with bonuses—in the form of Target gift cards—for pushing borrowers into foreclosure.

Because of all this, HAMP never came close to the 3–4 million modifications President Obama promised at its inception. As of August 2014, 1.4 million borrowers have obtained permanent loan modifications, but about 400,000 of them have already re-defaulted, a rate of about 30 percent. The oldest HAMP modifications have re-default rates as high as 46 percent.

Effectively, because Congress didn’t force the Administration to adopt cramdown (which would have resulted in real modifications which would have meant more people kept their homes and didn’t lose their wealth), Treasury could instead use the promise to “foam the runways” to help the banks string out losses and therefore avoid accountability for their recklessness.

This was a direct result of voting to give the Executive continued free rein on what to do with massive amounts of bailout money. So was bailing out the car industry, but the vote in January was primarily about whether to continue letting the Executive spend billions without clear guidelines.

So Hillary, according to her own logic, voted to help banks foreclose on 5 million people, which resulted in a tragic loss of wealth for American families.

Again, I think this is a bullshit argument. I assume Hillary intended to get real foreclosure relief (indeed, one domestic policy on which she was better than Obama in 2008 did just that). Though for someone who claims to know how to “get things done,” she showed no awareness of how to do that here. Nevertheless, it is the kind of bullshit argument she is making.

And having gone there — having permitted herself to engage in this kind of bullshit argument — she makes such arguments fair game for Donald Trump to make about her in June.

Ultimately, I think this vote was about whether the Executive should be able to operate without real limits. Bernie voted against that, Hillary voted for it (which makes it similar, in many ways, to the Iraq War vote in 2003, and had equally foreseeably bad results). Hillary will never make such votes for freeing the Executive of meaningful restraints again. But it’s pretty clear she’s a fan of letting the Executive operate without them.

That, to me, is the meaningful, non-bullshit, takeaway from that vote.


How Hillary Turned Her Support for Welfare for Banks into an Auto Bailout Attack

For a campaign that has spent days insisting Bernie Sanders should not launch attacks against her, the Hillary Clinton campaign sure engaged in some dishonest hackery last night.

During the debate in Flint, Hillary attacked Bernie for “vot[ing] against the money that ended up saving the auto industry.” She was talking about a January 15, 2009 attempt to withhold the second $350 billion of TARP funding that failed (here’s the resolution); Bernie voted not to release those funds. But the vote was not directly about auto bailout funding. It was about bailing out the banks and funding what turned out to be completely ineffective efforts to forestall foreclosures.

It is true that Bush’s failure to fund an auto-specific bailout meant that TARP funds got used to fund the $85 billion auto rescue (Bush had already spent some money on the auto companies — basically just enough to ensure they’d go under on Obama’s watch, but not enough to do anything to save them). But that’s not what the vote was (and there might have been enough money for the auto bailout in any case).

Larry Summers’ two letters in support of the additional funding (January 12, January 15) certainly didn’t describe it as an auto bailout bill. He mentioned “auto” just three times between the two of them. In the January 12 letter, in support of auto loans to consumers, and in the January 15 letter, limits on what I believe is a reference to GM Finance (now Ally)’s Christmas holiday move to turn into a bank so it could access funding. Contemporary reporting on the vote also did not mention the auto bailout (though there had been discussion that it might be used the previous month).

Moreover, there had been an auto bailout vote in the Senate (on a bill already passed by the House) on December 11, which failed. Both Bernie and Hillary voted in support.

So while Hillary’s attack was technically correct — Bernie did vote against giving Jamie Dimon more free money, which had the side effect of voting against the second installment on the fund that would eventually become the auto bailout — he did not vote against the auto bailout.

But Hillary’s attack did its work, largely because national reporters appeared completely unaware that they were fighting about TARP much less aware that there had been votes in December that directly pertained to the auto bailout. Even some local reporters now appear unaware of what went down in 2008-9. John Podesta helped matters along by sowing confusion in post-debate speeches.

Here’s one of what will end up being several exceptions to the shitty reporting on this that will come too late for people to figure out what actually happened.

During the testy exchange over the auto bailout, Clinton called Sanders a “one-issue candidate” for voting against the release of $350 billion in Jan. 15, 2009, to continue funding the bailout of the nation’s banks and mortgage lenders.

Sanders joined seven Democratic senators in voting against the second wave of TARP funds. President Barack Obama ended up using some of TARP to fund the $85 billion rescue of GM, Chrysler and their auto lending arms.

“If everybody had voted the way he did, I believe the auto industry would have collapsed, taking 4 million jobs with it,” Clinton said.

[snip]

David Axelrod, a former top adviser to President Barack Obama, questioned Clinton’s attack on Sanders’ voting record in the middle of the debate.

“It wasn’t explicitly a vote about saving auto industry,” Axelrod wrote on Twitter.

U.S. Sen. Debbie Stabenow, a Clinton supporter, said after the debate that senators, including Sanders, were aware the TARP money would be used to aid the domestic auto industry.

“A lot of folks said we shouldn’t do it because somehow it was helping the banks,” said Stabenow, D-Lansing. “It was the auto bailout we were talking about. I was very clear with colleagues that we had to do this.”

Stabenow’s comment, incidentally, is proof that the money shouldn’t have been granted as it was (it wasn’t spent on auto companies until much later). While she’s right that there had been public discussion of spending some money on the auto bailout, there obviously was still so little limiting what the Executive could do with the money that there needed to be nothing explicit supporting the auto bailout to make it happen. The flimsiness of the guidelines is one of the things that enabled the Obama Administration to avoid providing real foreclosure relief, choosing instead to “foam the runway” for banks.

Don’t get me wrong. Bernie did a number of other things at the debate that hurt him last night, such as his comment about ghettos that suggested all African Americans are poor and no whites are. I think, too, the optics of his efforts to stop Hillary from interrupting him as well as his own gesticulating while she was making responses will go over poorly.

But the auto bailout attack was a pretty shameful ploy, one that otherwise would make it fair game to really hit on Hillary’s own actions in a way Bernie has not yet done. That said, it was also a probably perfectly timed attack, because it will ensure victory for Hillary on Tuesday, eliminating one of the last possibilities that Bernie might really challenge Hillary.

Update: As it turns out, Hillary should be attacking Stabenow according to her own standards, because Stabenow voted no on the first TARP vote that actually paid for the first tranche of funding to the auto companies. (Here’s the second, January 2009 one.)


Why Isn’t Jim Comey Crusading against This Tool Used to Hide Terrorist Secrets?

Several times over the course of Jim Comey’s crusade against strong encryption, I have noted that, if Comey wants to eliminate the tools “bad guys” use to commit crimes, you might as well eliminate the corporation. After all, the corporate structure helped a bunch of banksters do trillions of dollars of damage to the US economy and effectively steal the homes from millions with near-impunity.

It’d be crazy to eliminate the corporation because it’s a tool “bad guys” sometimes use, but that’s the kind of crazy we see in the encryption debate.

Yesterday, Ron Wyden pointed to a more narrow example of the way “bad guys” abuse corporate structures to — among other things — commit terrorism: the shell corporation.

In a letter to Treasury Secretary Jack Lew, he laid out several cases where American shell companies had been used to launder money for crime — including terrorism, broadly defined.


He then asked for answers about several issues. Summarizing:

  • The White House IRS-registration for beneficial information on corporations probably won’t work. Does Treasury have a better plan? Would the Senate and House proposals to have states or Treasury create such a registry provide the ability to track who really owns a corporation?
  • FinCen has proposed a rule that would not only be easily evaded, but might weaken the existing FATCA standard. Has anyone reviewed this?
  • Does FinCen actually think its rule would identify the natural person behind shell companies?
  • Would requiring financial institutions to report balances held by foreigners help information sharing?

They’re good questions but point, generally, to something more telling. We’re not doing what we need to to prevent our own financial system from being used as a tool for terrorism. Unlike encryption, shell companies don’t have many real benefits to society. Worse, it sounds like Treasury is making the problem worse, not better.

Of course, the really powerful crooks have reasons to want to retain the status quo. And so FBI Director Jim Comey has launched no crusade about this much more obvious tool of crime.


DOJ’s Double Standard on Osama Bin Laden Trophy Photos

Two and a half years ago, I first started pointing to the evidence that several of the guys on the Osama bin Laden operation took trophy photos.

[O]n February 15, 2013, DOJ informed Judicial Watch that CIA had found 7 more photos responsive to their FOIA. That happened just 4 days after Esquire published a splashy story about the guy who claimed to have been the SEAL who actually killed OBL. The current version includes this line.

In the compound, I thought about getting my camera, and I knew we needed to take pictures and ID him.

I had made the connection at the time, and I have a distinct suspicion the language was slightly different in the original (Esquire was making factual corrections along the way but the original is not on Internet Archive), making it clear that the Shooter and possibly others did take pictures, though perhaps not for operational purposes.

What kind of amped up warrior who had just helped kill the bogeyman could resist taking souvenir pictures? Could you blame them, if so?

In any case, I suspected at the time that the reason CIA “located” new photos was because they read about another set of photos in the possession of one of the guys who participated in the op, if not shot the lethal bullet. The ambiguity in the description of McRaven’s order seems to support that.

That is, what SOCOM and CIA appear to be protecting are — in significant part — the personal photos taken by the guys who did the operation.

The Intercept has a story describing how Matt Bissonnette — the guy who wrote No Easy Day — is under continued investigation as a result of having done just that.

It appears the government went after Bissonnette after he published his book, and demanded a cut of his profits and that he turn over a hard drive that had an “unauthorized” picture of OBL.

The retired SEAL voluntarily provided investigators with a copy of his hard drive as part of an agreement not to prosecute him for unlawfully possessing classified material, according to the two people familiar with the deal.

[snip]

Luskin said that he had negotiated a deal in 2014 with the Pentagon and the Justice Department to hand over to the government some of the millions of dollars in book profits Bissonnette had received.

He would not confirm Bissonnette’s possession of the bin Laden photo or whether any investigation still remains open.

But once DOJ got Bissonnette’s hard drive — which according to the Intercept was technically turned over voluntarily (meaning there’d be no warrant to limit the scope of what the government could do with it), they found evidence he may have had side deals associated with his procurement role for the team.

During their search of his hard drive, investigators subsequently found emails and records dealing with Bissonnette’s work as a consultant while he was on active duty at SEAL Team 6. Those records, which were not part of the non-prosecution agreement, led to the widening probe. Federal investigators then became interested in whether Bissonnette’s business ventures with companies that supply military equipment — including companies whose products were used by SEAL Team 6 — were helped by his role in the elite unit’s procurement process, according to one of the people familiar with the case.

Element Group, a company Bissonnette helped set up in Virginia Beach about five years ago, is among the companies NCIS is said to be investigating. According to a former SEAL Team 6 operator familiar with Element Group’s business arrangements, the firm, which has since been shut down, designed prototypes for, and advised, private companies that make sporting and tactical equipment.

According to several former SEAL Team operators familiar with the company, Element Group also did business with at least one Defense Department contractor that sold equipment to SEAL Team 6. The defense contractor, Atlantic Diving Supply, or ADS, has military supply and equipment contracts with SEAL Team 6, according to several former SEAL Team 6 operators, as well as other parts of the departments of Defense and Homeland Security. Federal investigators have been looking into the business relationship between Element Group and ADS.

I don’t defend Bissonnette if his side deals were corrupt. But this is bullshit on several levels.

Of course, many people, including me, have noted that Bissonnette’s book was an attempt to push back on the information asymmetry — and with it, propaganda — that the government uses classification to pull off.

Prosecuting Bissonnette would require admitting that the government used its unilateral authority over the nation’s secrets to tell a fiction–not an egregious one, but still one that served a significant political objective.

Now there are probably legal ways around that problem (they could prosecute Bissonnette for revealing obscure details that no one really cares about, for example). But probably not political ways around it, because at best, it would seem like retaliation for exposing the Administration’s fluffing of the facts.

It appears that Bissonnette has shown that the Administration used its control over secrecy as a political tool, not just an operational one, and to prosecute him, they’d have to make that point even more clear.

In addition, as I noted in a series of posts, DOD did a lot of things that arguably violate classification laws to hide those trophy photos by retroactively classifying them and sending them over to CIA where they’d be further hidden from Judicial Watch and other FOIAs that had already been filed.

[I]f the photos were classified after their FOIA, they would have had to have been classified on a photo by photo basis by the Director of CIA, Deputy Director, or a Senior Agency Official in charge of classifications, the CIA responded by saying that, after the CIA got the photos (which by all appearances happened after the FOIA), they were derivatively classified in accordance with the SAO’s guidance.

CIA doesn’t say whether that official reviewed the photos individually or not. Nor does it explain who wrote “TOP SECRET” on them, without adding all the other required classification markers.

And note how the CIA claims these photos “were always considered to be classified” by them — but not necessarily by SOCOM, which originally had the photos. But they don’t even claim they were always considered to be Top Secret.

If I’m right about the DOD’s efforts to avoid its obligation under FOIA, then it basically went after Bissonnette for improperly handling classified information while it was doing the same thing (albeit to withhold previously unclassified information). Plus, if these photos were unauthorized, classifying them to hide them would amount to classification to hide misconduct.

Finally, whatever the ethical conflicts with Bissonnette’s side deals (they remain under investigation and it’s not clear there was a conflict, in which case this feels like DOJ’s pursuit of NSA whistleblowers Bill Binney et al for their effort to start a business), they’re being investigated at a time when the Intelligence Community has just eliminated some measures designed to facilitate oversight of precisely this kind of conflict. I sure take from that that the powers that be in our IC want to continue to engage in the kind of conflicted business deals that Bissonnette is being investigated for.

Here’s the irony though: I noted James Clapper had pushed that conflict change through, in part because it is so much work to ride herd on conflicts, even while accepting a requirement that his office increase its surveillance of line personnel. I concluded that Clapper has some really funny ideas about insider threats, finding abusive incompetents trading on their position to be less of a problem than leakers.

Clapper’s perfectly willing to expand his bureaucracy to look for leakers, but not to weed out the dangerously incompetent people ordering potential leakers around.

Bissonnette’s problem, I guess, is he was allegedly both, someone who shared information that undercut official propaganda, and someone who traded on his position.

Had he just done the latter everything would have been fine, I guess.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

The Chapo Secrets the Press Should Be Squealing About

Update: For those who haven’t already read it, this post, Sean Penn, Intelligence Dangle, will help explain this one. 

The frenzy among journalists about Sean Penn’s Chapo Guzmán story has continued over two days now. As is typical of press frenzies, it is largely divorced from the actual details involved.

So I’d like to revisit the question of what Penn may have withheld from his story — because the press is frenzying over the wrong thing.

The Rolling Stone says “Some names have had to be changed, locations not named.” As with the rest of the disclosure statement, the language here is notable, as the passive voice avoids saying not only whose names got withheld, but who made the decision to withhold them.

Subsequent reporting, handed over from Mexican intelligence, makes clear that authorities know those details pertaining to Chapo’s side. Kate del Castillo and Penn first went to Guadalajara, where they stayed in Villa Ganz. From there they were driven to an air strip in Tepic, Nayarit, where they were flown in a private plane to Cosalá, Sinaloa and then driven to a location on the border of Durango. Del Castillo’s primary interlocutor is named as Andrés Granados Flores, though she also met with Óscar Manuel Gómez Núñez (the latter of whom was arrested weeks after the Penn meeting as the mastermind of Chapo’s escape last year).

Penn’s own narrative makes it clear that both Alfredo and Iván Guzmán, Chapo’s sons, attended the meeting. The only Sinaloans whose names he may have changed were “Alonzo” (who is likely to be Granados) and, possibly, some bodyguard type in Chapo’s presence, Rodrigo. He may have protected the identity of others, but not by changing their name, as the disclosure describes.

In other words, the key players in this story whose names were changed were not Chapo’s men, but the two men who linked him with del Castillo in the first place, Espinoza (whom I call Spiny) and El Alto. It is true Rolling Stone did not name locations; as it turns out, Mexican authorities were following so closely, with cameras, anyway, hiding the locations didn’t help Chapo much.

Curiously, those two men, Spiny and El Alto, don’t show up in the pictures released to the press, even though the caption on one describes them as del Castillo, Penn, and “their companions.”

So the Rolling Stone protected these mysterious interlocutors more religiously than they did Chapo’s family. As Jann Wenner described to the NYT (which, of course, played a complicit role in magnifying all this), Chapo didn’t actually have an interest in “editing” Penn’s work.

Mr. Guzmán, he said, did not speak English and seemed to have little interest in editing Mr. Penn’s work. “In this case, it was a small thing to do in exchange for what we got,” Mr. Wenner said.

But there is one detail, in addition to the locations, that Penn did withhold, purportedly at the request of Chapo, one which I haven’t seen any participant in the press frenzy complain about.

He cites (but asks me not to name in print) a host of corrupt major corporations, both within Mexico and abroad. He notes with delighted disdain several through which his money has been laundered, and who take their own cynical slice of the narco pie.

This is particularly odd, given that the complicity of Americans, including our banks, is one theme of Penn’s own framing of this adventure.

“The laws of conscience, which we pretend to be derived from nature, proceed from custom.” —Montaigne

[snip]

Still, today, there are little boys in Sinaloa who draw play-money pesos, whose fathers and grandfathers before them harvested the only product they’d ever known to morph those play pesos into real dollars. They wonder at our outrage as we, our children, friends, neighbors, bosses, banks, brothers and sisters finance the whole damn thing.

If Penn is sincere in his stated desire to end the war on drugs, ending the profits for American banks tied to illicit trafficking would need to be one of the first steps.

But he doesn’t name those companies that are laundering Chapo’s money, which will continue to be laundering Sinaloa cartel money even as Guzmán gets removed from the network.

Of course, Spiny and El Alto probably share Chapo’s desire to keep those names out of print, in part because they’re part of the power structure that the banks bolster, in part because banks sometimes narc on their customers to save their own hides.

But it’s funny how the press, too, seems uninterested in learning the names of the banks that continue both to prop up our own country’s power structure and to facilitate traffickers like Guzmán.

An Important Battlefield after Paris: US Counterterrorism Hegemony

Last week, I suggested that most commentators were misinterpreting a speech John Brennan made, assuming he intended to implicate just encryption and Edward Snowden in the Paris attack. Given that he repeatedly invoked changes the Europeans have to make, I think he was also complaining about European efforts to reclaim some data (or Internet software) sovereignty, with the effect that US counterterrorism programs are not as comprehensive. For example, to the extent terrorists use non-US based Internet services, they will elude PRISM, with its easy access to metadata and often content. In the wake of the Paris attack, Berlin-based Telegram shut down a bunch of channels ISIS was using, which suggests that may have been what Brennan was complaining about.

Yet that highlights a key issue: before the Snowden revelations, the US (with the UK and other Five Eyes members) largely could claim to exercise counterterrorism hegemony, in part because of our preferential position on the global telecommunications fiber network, in part because our tech companies served much of the world, and in part because many of our allies preferred to have us do the job. Some of the Snowden revelations — and the German investigation into BND’s partnership with NSA — have shown the cost of that: that the US gets European spooks’ help to spy on European targets of interest solely to the US.

It’s probably most effective to have one hegemonic dragnet, but it’s not clear whether it’s healthy (and now that US hegemony is beginning to crack, the dragnet will likely become less effective).

Given the comments of French Finance Minister Sapin today, US dragnet hegemony will continue to crumble. Along with a call to change certain laws on asset seizures and pre-paid bank cards, Sapin called for Europe to develop its own capability to access and analyze SWIFT data.

Sapin said that the SWIFT system had two computer servers, one in Europe and one in the United States, but that Europe currently relied on U.S. authorities to collect and analyze the vast amounts of data flowing through it to detect security issues.

“We Europeans don’t have the capacity to exploit our own data. I don’t think this can carry on this way,” Sapin told a news conference. “Since we do not have the means to analyze the data located in Europe, we transfer all of this data to the Americans, who have the capacity to analyze it.”

As a reminder, access to SWIFT — Society for Worldwide Interbank Financial Telecommunication, the international bank transfer system through which most international transactions take place — has been a contentious issue for some time. Europe tried to demand more equitable access in 2009-2010 when one of the servers for the system got moved to Brussels, only to find the US was cheating on the spirit of the agreement in 2011. What Sapin describes — Europe just sending all its data to the US in bulk — is what came out of that effort to reclaim some control over the data. In the last few years, it has become clear how US control of SWIFT makes it easier to dictate policy, especially regarding sanctions, to allies (I suspect, too, it has been used to collect embarrassing details about EU elite ties to unsavory characters, like Qaddafi). Obviously, having exclusive access to records of who is transferring money to whom can be incredibly valuable for the US, in ways that go well beyond terrorism.

From his comments, it’s unclear whether Sapin says Europe doesn’t have the technical capability or bureaucratic/legal authority to access and analyze this data. Given his explicit comment that the Paris terrorists used pre-paid bank cards to plan their attack (which would probably be adequate to transfer money between Belgium and France), it’s also not clear that the attackers used international transfers that would have shown up on SWIFT. But he’s going to use this opportunity to demand equitable access to the data.

The US would surely love to maintain a monopoly on omniscience. In the name of counterterrorism efficacy, they might be able to make an argument to do so. But either because they’ve already lost that omniscience — or because their dragnet failed to keep France safe — they’re likely to continue to lose that monopoly. It’s not clear that has any benefit for privacy (redundant dragnets are more invasive than single ones). It will likely have consequences for US hegemony more generally.

The Financial Services Roundtable Wants to Terrify You into Giving Them More Immunity

The policy discussion about the many ways that the Cyber Information Sharing Act not only doesn’t do much to prevent the hacking of public and private networks, but in key ways will make it worse, must be making its mark. Because the Financial Services Roundtable, one of the key corporatist groups backing the bill, released this YouTube full of scary warnings but absolutely zero explanation about what CISA might do to increase cybersecurity.

Indeed, the YouTube is so context free, it doesn’t note that Susan Collins, the first person who appears in the video, has called for mandatory reporting from some sectors (notably, aviation), which is not covered in the bill and might be thwarted by the bill. Nor does it mention that the agency of the second person that appears in the video, Department of Homeland Security Secretary Jeh Johnson, has raised concerns about the complexity of the scheme set up in CISA, not to mention privacy concerns. It doesn’t note that the third person shown, House Homeland Security Chair Michael McCaul, favored an approach that more narrowly targeted the information being shared and reinforced the existing DHS structure with his committee’s bill.

Instead of that discussion … “Death, destruction, and devastation!” “Another organization being hacked!” “Costing jobs!” “One half of America affected!” “What is it going to take to do something?!?!?!”

All that fearmongering and only one mention of the phrase “information sharing,” much less a discussion of what the bill in question really does.

In August, the head of the FSR, Tim Pawlenty, was more honest about what this bill does and why his banks like it so much: because it would help to hide corporate negligence.

“If I think you’ve attacked me and I turn that information over to the government, is that going to be subject to the Freedom of Information Act?” he said, highlighting a major issue for senators concerned about privacy.

“If so, are the trial lawyers going to get it and sue my company for negligent maintenance of data or cyber defenses?” Pawlenty continued. “Are my regulators going to get it and come back and throw me in jail, or fine me or sanction me? Is the public going to have access to it? Are my competitors going to have access to it? Are they going to be able to see my proprietary cyber systems in a way that will give up competitive advantage?”

That is, the banks want to share information with the government so it can help those private corporations protect themselves (without paying for it, really, since banks do so well at dodging taxes), without any responsibility or consequences in return. “Are my regulators going to get [information about how banks got attacked] and come back and throw me in jail, or fine me, or sanction me?” the banks’ paid lobbyist worries. As the author of this bill confirmed last week, this bill will undercut regulators’ authority in case of corporate neglect.

The example of banks dodging responsibility in the past — possibly aided by a similar (albeit more rigorous) information sharing regime under the Bank Secrecy Act — provides all the evidence for how stupid this bill would be. We need corporations to start bearing liability for outright negligence. And this bill provides several ways for them to avoid such liability.

Don’t succumb to bankster inciting fear. America will be less safe if you do.

What Is the Point of the SEC ECPA-Reform Power Grab?

Last week, the Senate Judiciary Committee had a hearing on Electronic Communication Privacy Act reform, the main goal of which is to provide protection for content served on a third party’s server. Because reform is looking more inevitable in Congress (the House version of the bill has more sponsors than any other), government agencies used the hearing as an opportunity to present their wish list for the bill. That includes asking for an expansion of the status quo for civil agencies, with witnesses from SEC, DOJ, and FTC testifying (DOJ also made some other requests that I hope to return to).

Effectively, the civil agencies want to create some kind of court order that will provide them access to stored content. A number of the agencies’ witnesses — especially SEC’s Andrew Ceresney — claimed that a warrant is the same as an order, which culminated in Sheldon Whitehouse arguing (after 45:30) that an order requiring court review is actually less intrusive than a warrant because the latter is conducted ex parte.

It took until CDT policy counsel (and former ACLU lawyer) Chris Calabrese to explain why that’s not true (after 2:08):

We have conflated two really different and very different things in this committee today. One is a court, some kind of court based on a subpoena and one is a probable cause warrant. These are not the same thing. A subpoena gives you access to all information that is relevant. As pursuant, relevant to a civil investigation, a civil infraction. So if you make a mistake on your taxes, that’s a potential civil infraction. Nothing that has been put forward by the SEC would do anything but be a dramatic expansion of their authority to get at ordinary people’s in-boxes. Not just the subjects of investigation, but ordinary folks who may be witnesses. Those people would have the–everything in their in-boxes that was relevant to an investigation, so a dramatic amount of information, as opposed to probable cause of evidence of a crime. That’s a really troubling privacy invasion.

I’m utterly sympathetic with Calabrese’s (and the EFF’s) argument that the bid for some kind of civil investigative order is a power grab designed to bypass probable cause.

But I wonder whether there isn’t another kind of power grab going on as well — a bid to force banks to be investigated in a certain kind of fashion.

It was really hard, to begin with, to have former and (presumably) future Debevoise & Plimpton white collar defense attorney Andrew Ceresney talk about how seriously SEC takes its job of “the swift and vigorous pursuit of those who have broken the securities laws through the use of all lawful tools available to us,” as he said in his testimony and during the hearing. There’s just been no evidence of it.

Moreover, as Ceresney admitted, SEC hasn’t tried to obtain email records via an order since the US v. Warshak decision required a warrant in the 6th Circuit, even though SEC believes its approach — getting an order but also providing notice to the target — isn’t governed by Warshak. As SEC Chair Mary Jo White (another revolving door Debevoise & Plimpton white collar defense attorney) said earlier this year,

“We’ve not, to date, to my knowledge, proceeded to subpoena the ISPs,” White said. “But that is something that we think is a critical authority to be able to maintain, done in the right way and with sufficient solicitousness.”

For five years, the SEC hasn’t even tried to use this authority, all while insisting they needed it — even while promising they would remain “solicitous,” if there were any worries about that.

Claims that the SEC needed such authority might be more convincing if SEC was actually pursuing crooks, but there’s little evidence of that.

Which is why I’m interested in this passage, from a letter White sent to Pat Leahy in April 2013 and appended to Ceresney’s testimony, explaining why SEC can’t have DOJ obtain orders for this material.

DOJ only has authority to seek search warrants to advance its own investigations, not SEC investigations. Thus, the Commission cannot request that the DOJ apply for a search warrant on the SEC’s behalf. Second, many SEC investigations of potential civil securities law violations do not involve a parallel criminal investigation, and thus there is no practical potential avenue for obtaining a search warrant in those cases. The large category of cases handled by the SEC without criminal involvement, however, have real investor impact, and are vital to our ability to protect – and, where feasible, make whole – harmed investors.

The only times when SEC would need their fancy new order is if the subject of an investigation refuses to turn over information voluntarily, and the threat that they could obtain an order anyway is, according to Ceresney, the key reason SEC wants to maintain this authority (though he didn’t argue the apparent absence of authority has been responsible for SEC’s indolence over the last 5 years). But that act, refusing to cooperate, would get companies more closely into criminal action and — especially under DOJ’s purportedly new policy of demanding that companies offer up their criminal employees — into real risk of forgoing any leniency for cooperation. But White is saying (or was, in 2013, when it was clear Eric Holder’s DOJ wasn’t going to prosecute) that SEC can’t ask DOJ to subpoena something because that would entail a potentially criminal investigation.

Well yeah, that’s the point.

Then add in the presumption here. One problem with prosecuting corporations is they hide their crimes behind attorney-client and trade secret privileges. I presume that’s partly what Sally Yates meant in her new “policy” memo, noting that investigations require a “painstaking review of corporate documents … which may be difficult to collect because of legal restrictions.” SEC’s policy would be designed for maximal privilege claims, because it would involve the subject in the process.

If the legislation were so structured, an individual would have the ability to raise with a court any privilege, relevancy, or other concerns before the communications are provided by an ISP, while civil law enforcement would still maintain a limited avenue to access existing electronic communications in appropriate circumstances from ISPs.

Other criminals don’t get this treatment. Perhaps the problems posed by financial crime — as well as the necessity for broader relevancy based evidence requests — are unique, though I’m not sure I buy that.

But that does seem to be a presumption behind this SEC power grab: retention of the special treatment financial criminals get that has thus far resulted in their impunity.

Under What Jurisdiction Did DHS Send Out an Army of Agents Against RentBoy?

The NYT had a great editorial that echoes my amazement that the Department of Homeland Security sent an army of agents to take down RentBoy.com this week.

It’s somewhat baffling, though, that taking down a website that operated in plain sight for nearly two decades suddenly became an investigative priority for the Department of Homeland Security and federal prosecutors in Brooklyn. This week, the website’s founder and six employees were charged with violating federal law by facilitating paid sexual encounters.

Kelly Currie, the acting United States attorney for the Eastern District of New York, trumpeted the case against Rentboy.com, calling it an “Internet brothel” that “made millions of dollars from the promotion of illegal prostitution.” The website pulled in $10 million over the past five years, charging escorts for publishing their profiles, according to prosecutors. That’s less revenue than an average McDonald’s franchise generates.

[snip]

Prosecutors can credibly argue that the site’s operators were breaking the law. But they have provided no reasonable justification for devoting significant resources, particularly from an agency charged with protecting America from terrorists, to shut down a company that provided sex workers with a safer alternative to street walking or relying on pimps. The defendants have not been accused of exploiting sex workers, featuring minors on the website, financial crimes or other serious offenses that would warrant a federal prosecution.

DHS doesn’t seem to know why DHS was involved either. In a statement to the NYT, ICE’s spokesperson, Khaalid Walls, suggests ICE’s jurisdiction arises because this involves the illegitimate movement of people, goods and currency in domestic and foreign transactions, which suggests the things moved were prostitutes.

Mr. Walls said: “As the investigative arm of the Department of Homeland Security, ICE is responsible for the enforcement of laws that promote the legitimate movement of people, goods and currency in domestic and foreign transactions. Our allegation with this case is that the business and its principals purported itself to be an escort service while promoting criminal acts, namely illegal prostitution.”

I’m rather curious that DHS claims jurisdiction over the movement of goods domestically. But I’m also not sure how a website constitutes moving anything.

But the claim this is about prostitution seems to conflict with ICE’s description of the bust on its website, which claims it’s a financial crime.

As I’ve suggested, I wouldn’t be surprised if ICE used all those hard drives they seized this week to put together the money laundering case they leaked to some outlets. But they haven’t charged it yet. Which would mean they used the prostitution claim to take down an advertising site to be able to get the evidence to charge something that might be more squarely in ICE’s jurisdiction.

Add in the fact that NY DA Cy Vance — the entity that would have direct jurisdiction over prostitution headquartered in NYC — took his office off this release, and I’m genuinely confused about what DHS is doing.

None of that will mean the RentBoy defendants will be able to challenge this on jurisdictional grounds. But it does raise questions about what DHS is really doing.
