Scott Balber’s Latest Narrative on Trump Tower

For some weeks, I’ve been tracking how sometime Trump and current Agalarov family lawyer Scott Balber has actively crafted a story about the June 9, 2016 Trump Tower meeting. Prior efforts to craft the story include:

  1. A meeting between Rinat Akhmetshin and Ike Kaveladze (the latter of whom Balber represents as an employee of Agalarov) in Moscow in June 2017, just as Jared Kushner and Paul Manafort were both belatedly disclosing the meeting to various authorities; this story appears to have been an attempt to pre-empt the damage that would be done when Akhmetshin’s involvement became public
  2. A Balber trip sometime before October to Russia to coordinate a story with and get documents from Natalia Veselnitskaya to back her version of the talking points she reportedly shared with Trump’s people
  3. Another October story, this one “revealing” that Veselnitskaya’s research came from (or actually was shared with) Russian prosecutor Yuri Chaika, but insisting (per Balber) that Agalarov had no ties with the prosecutor
  4. Balber filled in a hole in the story for Goldstone: he told the Daily Beast that after his client Ike Kaveladze saw an email (from whom he doesn’t describe) indicating that Jared Kushner, Paul Manafort, and Don Jr would be at the meeting, he called a close associate of Goldstone’s (and a former employee of Balber’s client), Roman Beniaminov, to find out what the meeting was about. That’s the first he learned — at least as far as he told congressional investigators — that the meeting was about dealing “dirt” on Hillary.

Balber is back again in this CNN story. The story reveals two things.

First, Rob Goldstone tried to get the Trump campaign to establish a presence on VKontakte. The move is presented as some kind of marketing gimmick by CNN’s sources, but it would also establish an easy communications vehicle that would be harder for US intelligence services to wiretap.

More interesting, however, is the revelation that Goldstone forwarded this story to Scott Balber’s clients and observed that it was eerily weird given what had transpired at Trump Tower earlier.

In one email dated June 14, 2016, Goldstone forwarded a CNN story on Russia’s hacking of DNC emails to his client, Russian pop star Emin Agalarov, and Ike Kaveladze, a Russian who attended the meeting along with Trump Jr., Trump’s son-in-law Jared Kushner and Manafort, describing the news as “eerily weird” given what they had discussed at Trump Tower five days earlier.

One of the sources familiar with the content of the email downplayed the interaction, saying news of the DNC hack was surprising because in the run-up to the Trump Tower meeting, the Russian participants had promised information on illicit Russian funding of the DNC. But that dirt was not provided to Trump Jr., Kushner and Manafort during the meeting, according to accounts from the participants.

The DNC hacking was not brought up at the meeting, another source said, explaining it would not be ‘oddly weird’ if the topic had been broached.

Which is where Balber comes in, trustworthy as always, insisting that hacked emails were not consistent with what was discussed at the meeting.

Scott Balber, the attorney for, confirms his client received the email but viewed it as odd because hacking was never discussed in the meeting and it was not consistent with what was discussed.

Balber, of course, has already intervened four times in this story to lay out a narrative — one I’m virtually certain is absolutely false — about what might be consistent with what was discussed. Given that both his clients received this email, he would have known about the email from the very start — certainly by June 2017 when he was coordinating a meeting in Moscow to limit the damage of this story. This email would have been central to his prior four efforts to craft a story in which emails would never come up.

But Goldstone — who curiously didn’t mention this email in his “I hate the word guilty” narrative of events, who has been hiding out in Thailand since this story broke and who expressed worry that Russian goons might take him out, who will be in DC next week for a bunch of interviews — seemed to think at the time the report of the stolen emails was eerily weird given what he had heard just days earlier.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Two (Three) Possibilities on the “WikiLeaks” Archive Story

Don Jr’s testimony to Congress yesterday has brought out several new details on the evidence he was provided. In this post I want to look at the report that someone sent key Trump figures a link to a Wikileaks archive and an encryption key.

Candidate Donald Trump, his son Donald Trump Jr. and others in the Trump Organization received an email in September 2016 offering a decryption key and website address for hacked WikiLeaks documents, according to an email provided to congressional investigators.

The September 14 email was sent during the final stretch of the 2016 presidential race.

CNN originally reported the email was released September 4 — 10 days earlier — based on accounts from two sources who had seen the email. The new details appear to show that the sender was relying on publicly available information. The new information indicates that the communication is less significant than CNN initially reported.

After this story was published, The Washington Post obtained a copy of the email Friday afternoon and reported that the email urged Trump and his campaign to download archives that WikiLeaks had made public a day earlier. The story suggested that the individual may simply have been trying to flag the campaign to already public documents.

CNN has now obtained a copy of the email, which lists September 14 as the date sent and contains a decryption key that matches what WikiLeaks had tweeted out the day before.

First, note there’s no explanation in the story why these are described as Wikileaks emails, aside from the fact that Julian Assange has on occasion posted archives with a key. Indeed, it sounds like this archive is more closely related to the DC Leaks side of the house, given the reference to Colin Powell emails in the larger story. So absent a more fulsome explanation of what makes these WikiLeaks documents, I wouldn’t necessarily bet that these documents are related to Wikileaks.

Second, one possible explanation for this archive is that it’s the same one that is the center of the skeptics’ theory. They focus on an archive called NGP/VAN (but which is not NGP/VAN), which was curated on September 1. In public form, the archive was pointed to by Guccifer 2.0 on September 12, but never posted on his site.

the files were posted during a speech given in London by another hacker as a proxy for G2.0 on that day. The Forensicator relies on a copy posted by NatSecGeek. And while on Twitter G2.0 pointed to the speech the day before it was given, he never actually pointed back to the data on his WordPress site.

It’s true that the “speech” that was read for G2.0 relied on and posted a link to these files at the conference.

This scheme shows how NGP VAN is incorporated in the DNC infrastructure. It’s for detailed examination, if you are interested. And here are a couple of NGP VAN’s documents from their network. If you r interested in their internal documents, you can have them via the link on the screen. The password is usual. It’s also on the screen. You may also ask the conference producers for them later.

But at the very least, it seems any analysis of these forensics needs to account for the hand-off and proxy involved.

The timing of this would suggest that (if this is the same archive) three days after the archive was curated but over a week before it was posted publicly, top campaign officials got a link.

But there is another possibility, a detail I’ve often alluded to but never laid out publicly. There is or was a grand jury investigation into some script kiddies that tried to hijack Guccifer 2.0’s password or ID or something like that. It is or was in Philadelphia, based on the location of an archive involved. As I understand it the thought was that this effort was unrelated to the chief Russian info op, but was a lead the FBI had to chase down. I’ve been waiting to see if that grand jury investigation was ever going to show up publicly, and it’s one possible explanation for this email.

Update: I should make clear, I lay out three possibilities here:

  1. These are actually DC Leaks emails, not WikiLeaks ones; this is consistent with what recipients of those emails say about timing.
  2. This is the NGP/VAN archive released in mid-September, associated with Guccifer 2.0.
  3. This is an effort from the unknown skiddies being investigated in Philly.

Update: By description, WaPo makes it clear that this was an email sending the Trumps to this material, though using a different link and password.

That means it is, in fact, the NGP/VAN materials at the heart of the skeptics’ counterarguments about Guccifer being Russian (number 2, above), being sent under an apparently Anglo name (albeit with a few errors; making number 3 possible), but branded as Guccifer 2.0 materials, not WikiLeaks materials (sort of, 1).

In other words, the emails are much more interesting for all these other related theories than for the fact that the Trump folks received it, apparently unsolicited.

Update: I’ve subbed in the corrected language from CNN confirming that this was a September 14 email.


Cognitive Rot and the Steele Dossier

One reason I write so much on the Steele dossier is because the cognitive rot it has fostered among Democrats is really dangerous. Often, they’ll point to a confirmed event — such as that Carter Page met Arkadiy Dvorkovich and Andrey Baranov on a Russian trip that was otherwise publicly reported contemporaneously — and claim it “proves” a dossier claim claiming something else — in this case that he met Igor Sechin and Igor Diveykin. Out of some need to see the larger dossier “confirmed,” its fans claim over and over again that Not-A = A. As a result, rather than asking why the dossier is so full of narrow misses and why it doesn’t report any of the big known events — starting with the Trump Tower meeting attended by Fusion GPS researcher Rinat Akhmetshin — Democrats instead keep seeing “truth” in the dossier in the tea leaves that, in actuality, are really just dregs. And, in the process, they become willing to argue that Not-A = A, arguing that claims that don’t match known reality actually are reality, just like the Trump boosters we claim to abhor.

Josh Marshall engages in a bit of the same today, then Jonathan Chait piggybacks on Marshall and (as is his wont) exacerbates the error.

Marshall starts by laying out the claim from the dossier — that Trump lawyer Michael Cohen had a meeting 1) in Prague 2) in August to clean up the Manafort scandal (and the burgeoning Russia scandal generally).

I wanted to focus specifically on what the Steele Dossier alleges was a meeting with Russian intelligence agents in Prague in August 2016.

He spends the rest of the paragraph correctly noting that this is raw intelligence, so if the Cohen detail is wrong, it doesn’t mean the rest of the dossier is.

Marshall then lays out what had been known before today: that Cohen’s known travel to the EU was (like so much else in the dossier) close, but no cigar.

Cohen’s passport did show a trip to Italy in July. July isn’t August. But that’s the kind of dating issue that might get mixed up in the chain of information transition.

In any case, point being: Cohen was in the EU zone, relatively close to the Czech Republic only a couple weeks before August. So his passport by no means rules out a visit to Prague. Since most press coverage has seemed to take Cohen’s denial at face value, I had assumed or left open the possibility that he’d provided investigators with other evidence we’re not aware of.

Note, it is true that someone might mistake a July meeting for an August one. Except if you consider the actual claims about the Cohen meeting: that he was cleaning up after events that occurred in July and even (Manafort’s resignation) August.

That is, it would be darn near impossible for Cohen to clean up the scandal created by — for example — Page’s Moscow speech on July 7 and the platform change made on July 11 and 12 and first reported on July 18 on a trip to Europe from July 9 through 17. The mess hadn’t started yet! Manafort’s troubles, especially, were only just beginning to break out publicly.

Marshall then links to this story and argues that it is still an open question whether Cohen had “this meeting” described in the dossier.

Politico has this passage …

Cohen’s passport would not show any record of a visit to Prague if he entered the EU through Italy, traveled to the Czech Republic, and then returned to his point of EU entry. A congressional official said the issue is “still active” for investigators.

Reading the article it seems clear that Cohen simply denied ever being in Prague and majority Republicans saw no basis to disbelieve him and thus would not require him to provide items like credit card records and other documents which might confirm his account.

This seems very much an open question whether Cohen did in fact have this meeting.

The article — on top of making it clear it is reporting on the dysfunctional HPSCI investigation which (among other things) has shown members not asking about discussions that might be related to the larger Middle East aspect of this operation and is clearly inadequate for other reasons — includes this language before the passage Marshall quotes.

Cohen has come under close scrutiny for several Trump-Russia controversies, including emailing Putin’s spokesman two weeks before the first GOP primary to ask for his help in advancing a proposal to build a Trump Tower development project in Moscow. He also was linked to a proposed pro-Russian peace plan for Ukraine involving Felix Sater, a former Trump business associate with Russian government connections.

Cohen has strenuously denied that a Prague meeting occurred, and he provided a copy of his passport to BuzzFeed in May. The passport was stamped for entry and exit to the United Kingdom and Italy — but not the Czech Republic, whose capital is Prague. “I have never been to Prague in my life. #fakenews,” Cohen tweeted on Jan. 10.

His passport stamps show that he traveled twice to London in 2016 and once to Italy, from July 9 to July 17.

Yes, the article supports Marshall’s point: HPSCI (both Democrats and Republicans have shown to be ineffective, but he blames just the Republicans) did not demand more information from Cohen to disprove a meeting (though it’s not clear how they’d refute the only possibility that “this meeting” is “this meeting” — that Cohen, like Manafort and Rick Davis, has more than one passport).

But the theory posed is not that he has a second passport he might have used to travel to Prague, but that “this meeting” would instead be a July meeting, not an August one. That is, it couldn’t be “this meeting” because it couldn’t accomplish what the meeting reportedly accomplished. It might be another meeting, in which case the report of it as “this meeting” would be wrong or disinformation, not truth.

The article also notes HPSCI is investigating Cohen’s other European travel, to London (one trip in October and one at Thanksgiving), which for the reasons I note here, might be more promising. If any meetings of interest happened there, they’d be interesting. But they’d also be other meetings, occurring just before the flurry of Cohen reporting as journalists were beginning to chase down this story or after all but the last dossier report.

But there is no evidence presented in the article that supports a claim that “this meeting” took place, nothing to change the conclusion that public evidence does not support the claim that any possible meeting is “this meeting.” Not A might = A, Marshall argues.

When I tweeted to him about this, he observed that he thinks the dossier “has been borne out in a broad sense,” which is a great way to claim that Not-A = A without getting your PhD pulled.

Then, along comes Chait.

Ah, Chait.

He starts by hanging previous doubts about the dossier on the pee tape and Cohen’s strong denials.

Two details in particular made the dossier seem suspect. First, its report that Trump had paid Russian prostitutes to urinate on a bed that had been used by Barack Obama. And second, the report alleged that Michael Cohen, a Trump crony with Russian contacts, had met in Prague with Russian intelligence officials. The golden-showers detail, while unconfirmed, seemed too bizarre to be plausible. And Cohen shot down the Prague allegation forcefully. The report of his meeting was “totally fake, totally inaccurate,” Cohen said, “I’m telling you emphatically that I’ve not been to Prague, I’ve never been to Czech [Republic], I’ve not been to Russia.”

Cohen’s denials helped shape skeptical coverage of the dossier.

That is, before, because these two details were doubtful, the entire dossier might be doubtful.

He then points to the same Politico report on the dysfunctional HPSCI investigation considering the Prague question “still active” (without doing the math to figure out that a July Prague meeting could not be the meeting reported in the dossier) to argue that Cohen should not be trusted more than Steele.

[T]his hardly settles the question. A congressional investigation is digging into whether Cohen is telling the truth about the alleged visit to Prague. “Cohen’s passport would not show any record of a visit to Prague if he entered the EU through Italy, traveled to the Czech Republic, and then returned to his point of EU entry,” reports Politico, in a passage that’s received less attention than merited. “A congressional official said the issue is ‘still active’ for investigators.”

Most reporters have treated the say-so of Cohen, a Trump hanger-on laden with extremely shady associations, as implicitly more credible than the reporting of a British intelligence agent with years of expertise. That is probably a mistake.

I’m fine with assuming Cohen is a liar, especially given how carefully he parsed his denial, not to mention the way he orchestrated turning over documents to distract attention from the previously undisclosed and far more inflammatory details of earlier negotiations with Russians tied to getting Trump elected. But that doesn’t mean Steele is correct either. They could both be telling non-truths.

Chait then says “we don’t have any idea whether” the pee tape is real, but says that because Brian Beutler has argued Trump has a pathological jealousy of Obama, then … I’m not sure what he’s arguing here.

And what about the bit about the prostitutes? The detail has been endlessly described as “salacious,” placing it in the category of National Enquirer–type gossip of dubious veracity. We don’t have any idea whether that detail is true. However, Brian Beutler made a fairly persuasive case that Trump has displayed during his presidency the exact same kind of pathological, self-destructive jealousy of Barack Obama (who had publicly humiliated Trump two years before the alleged incident).

I mean, sure, Trump hates that a black man was more competent as President than he has been. But does that affect the specifics of how the Russians might compromise him?

Finally, Chait points to one more article that argues Not-A = A, then links to the shitty Sipher defense of the dossier.

As time goes by, more and more of the claims first reported by Steele have been borne out. In general, there is a split between the credibility afforded the dossier by the mainstream media and by intelligence professionals. The former treat it as gossip; the latter take it seriously.

We can’t expect Chait, a paid pundit, to actually test such claims on his own because he’s not paid to be smart but instead to repeat warmed over conventional wisdom, so I guess I’ll have to forgive Chait for not noticing the glaring holes in Sipher’s piece.

Which brings us to the best example of the cognitive rot the dossier creates. In the same breath where Chait admits he should not take the dossier as gospel truth and parts of it (he’s not going to do the work, mind you, because he’s not paid for that kind of actual labor) are “no doubt” false.

Unverified private reporting should not be taken as gospel truth, and no doubt some of the tips Steele picked up are false. But we should probably be giving far more weight to the possibility that the darkest interpretation of Trump’s relations with Russia is actually true.

But from that, he assumes (wrongly, in my opinion) that the “darkest interpretation of Trump’s relations” are what the dossier reports, and that those are possibly true.

Chait has abdicated any need to verify individual claims out of which he builds his larger truths.

As I’ve said repeatedly, we don’t need the dossier to believe dark things about Trump’s relations with Russians; public reports substantiate that darkness, and darker things are to come.

The desire to find tea leaves that prove the worst about Trump — rather than to do the work to look at the actual evidence and/or wait for Robert Mueller to do his work — has led Democrats to excuse themselves of insisting on tying claims to actual reality, in varying degrees of the same kind of thing that makes Trump so dangerous. It’s okay if claims are “borne out in a general sense,” rather than being proven true piece by piece.

We used to believe that justice was not about truth being “borne out in a general sense” but about discrete evidence. Too many seem to believe we can skip that step with Trump. That’s true, even though we have facts and evidence and they’re accumulating to be even more damning than anything in the Steele dossier. Just as important, we need to retain the habit of facts and evidence.


Three Things: Mit Handelsblatther

Let’s get some more pressing business out of the way and then we’ll get down to this alleged subpoena.

~ 3 ~

Calls — make them. We should all simply get used to making calls or sending faxes to our members of Congress and other government officials on a regular basis. Our democracy has now shown us the error of believing in the vote alone; voting is the very minimum democracy requires. We simply have to do more.

Today we need to do more to protect Net Neutrality. We have less than two weeks to make an impression on the Federal Communications Commission, leaving them with no doubt the public wants Net Neutrality.

Contact the FCC — need a script? See @Celeste_pewter.

Contact your Senators — need a script for that too? Here you go.

The odds may not be in our favor given the intransigence of FCC chair Ajit Pai and two of the commissioners, but we can’t curl up and give in.

~ 2 ~

NBC’s Today Show won morning ratings after firing accused sexual harasser and abuser Matt Lauer this past week. Good fucking riddance to bad baggage.

Ah, but NBC only terminated him because Lauer represented a threat to the corporation’s bottom line. They really don’t give a flying fig about women, proved with their donations.

No corporation that gives a campaign donation to pedophile and political hack Roy Moore really cares about women. NBC and its parent corporation Comcast care far more about ending Net Neutrality and being on the prospective GOP senator’s good side. What flexible ethics — get rid of an abuser because he violates policy then donate money to another abuser.

Polling shows the race between pedophile Roy Moore and Democratic Party candidate Doug Jones is far too tight to feel comfortable. It’s within margin of error which is too easily gamed by voter suppression or other tactics. But I hope Jones kicks Moore’s ass on election day.

Sen. Jeff Flake kicked in a $100 donation to Jones, writing “Country above party” on the description line. It’s chump change but he’ll take some crap from the GOP over this now that the RNC has lost whatever remained of its spine and returned to financing their pedo candidate.

~ 1 ~

Now for Handelsblathering —

The first report I read Tuesday morning was by Bloomberg, which offered very little detail about the subpoena allegedly served on Deutsche Bank. Where was the subpoena served? The article didn’t say; it only said,

Mueller issued a subpoena to Germany’s largest lender several weeks ago, forcing the bank to submit documents on its relationship with Trump and his family, according to a person briefed on the matter, who asked not to be identified because the action has not been announced.

Caveat: Bloomberg has a nasty habit of updating their articles without leaving adequate evidence of the changes made. The graf excerpted above may not be exactly the same as the one I read on Tuesday morning.

We’ll assume service was made on Deutsche Bank in Berlin. When was the subpoena served? “Several weeks ago” the article said, which is horribly non-specific. I would personally guess this was less than a month ago or the journalists would have said “more than a month” or offer some other framing to extend the time beyond a month. “Several weeks ago” might fit the period of roughly 20 weeks since Trump was asked about special prosecutor Robert Mueller looking into his family’s finances (July 9) — but that’s a big stretch at nearly five months.

What niggled at me was the sourcing of Bloomberg’s piece — it relied almost wholly on German financial news outlet Handelsblatt. Its editor Daniel Schaefer referred to the story as “our scoop” on Twitter. Every report after Handelsblatt’s relied on the same story — or at least it isn’t clear in much later stories whether secondary news outlets called Deutsche Bank in Berlin and confirmed there was a subpoena served on them, or if they contacted Handelsblatt to confirm what their source had told them.

The sourcing looked too damned thin.

It didn’t help matters that the article is partially behind a paywall and in English at their global site and in German at their domestic site; nor did it help that the German language article is difficult to find.

Looking at Handelsblatt’s article on the global site, the wording seems odd; it might be due to differences between German and English but this first graf doesn’t seem like it.

Deutsche Bank has been served. US investigators are demanding that it provide information on dealings linked to the Trumps, sources familiar with the matter told Handelsblatt. The subpoena is part of a probe by special counsel Robert Mueller and his team to determine whether the president’s campaign was involved in Russian efforts to influence the US election.

“…[Has] been served.” When have you last seen a statement as bald as this yet as unclear? “Served” what — pie? The word “subpoena” appears in the third sentence, and even at that point its use is odd. “…[part] of a probe” suggests there has been more going on in Berlin than just the handing over of documents on request.

And then Trump’s lawyer Jay Sekulow came out later in the day and denied there had been any subpoena served.

Reporters contacted Handelsblatt but by then it was well after business hours in Germany.

A reader at TalkingPointsMemo speculates that Deutsche Bank may not have been able to disclose any subpoena to Trump or his lawyer if a grand jury orders them not to do so, and that Sekulow may not have been told there was a subpoena for this reason.

I don’t know; do German banks follow U.S. grand jury instructions to the letter? Maybe this one does since it has been in trouble with the U.S. for money laundering and it wants to improve its credibility while reducing its exposure.

I have another theory, though, thanks to researching the Volkswagen dieselgate scandal. VW’s executives used some weaselly language to imply they were not involved in decision making; the language used relied on Americans’ limited grasp of German and the ways in which German could be manipulated to misrepresent the truth.

What I want to know is whether Germans use the word “subpoena” in the same way we do, or if they rely on either an EU legal term, or a German word equivalent. In other words, if someone asked the bank if a subpoena had been served, they may say no — but if they were asked if document production had been ordered (Dokumentenproduktion, perhaps?), they might say something very different.

This entire story seems off kilter, as if it were intended for a very narrow audience. Why did the Deutsche Bank leaker talk with Handelsblatt, the fourth largest German daily subscription newspaper and the biggest business newspaper, versus a Sun-like tabloid Bild or the weekly Der Spiegel? Why was there a specific indication that both Melania and Ivanka as well as Jared Kushner had accounts with Deutsche Bank?

Something isn’t quite right. But then nothing’s been quite right since January 21.

~ 0 ~

That’s a wrap. Treat this like an open thread.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.

Via What Surveillance Intercepts Is the Government Chasing Manafort’s Ghost-Writing?

In this post on The Bail Fight that Manafort and Gates Can’t Win, I suggested,

I feel like Mueller’s prosecutors are playing with these two men as cats play with balls, just patiently batting them around, waiting for the inevitable admission that they can’t make bail because they don’t have assets they can put up because everything they own has been laundered. At which point, after getting the judge to rule over and over that they’re flight risks, I suppose the government will move to throw them in the pokey, which will finally get them to consider flipping.

Mueller’s team is still engaging in this play.

The day after Manafort finally submitted his bid for bail on November 30, the government said it couldn’t respond right away because “information … has come to the government’s attention … which the government is still examining.”

The government seeks the Court’s leave to have until Monday, December 4, 2017, to file its submission, in light of information that has come to the government’s attention only after defendant’s Motion was filed, which the government is still examining. Undersigned counsel has been unable to obtain defendant Manafort’s position on this motion by the time of this filing, despite efforts to do so. 1

1 Counsel for the government has been in contact with counsel for defendant Manafort about the newly-acquired information described above.

That information, as was widely reported yesterday, is that Manafort was drafting an op-ed with someone deemed to have ties to Russian intelligence.

As late as November 30, 2017, Manafort and a colleague were ghostwriting an editorial in English regarding his political work for Ukraine. Manafort worked on the draft with a long-time Russian colleague of Manafort’s, who is currently based in Russia and assessed to have ties to a Russian intelligence service.

The government argued that the effort to ghost write a defensive op-ed violated the Court’s prohibition on trying the case in the press. It also made it clear that the op-ed was not “entirely accurate, fair, and balanced.” Having thus violated one of the Court’s rules, the government argued, Manafort would need to put up more as bail.

Because Manafort has now taken actions that reflect an intention to violate or circumvent the Court’s existing Orders, at a time one would expect particularly scrupulous adherence, the government submits that the proposed bail package is insufficient reasonably to assure his appearance as required.

The government was already going to ask that the Court “make the bond forfeitable upon a breach of any condition of the defendant’s release, not just his failure to appear (a provision that is on the Court’s standard form but is not checked off in the submission made by the defense),” something that, it seemed, Manafort was already trying to pull a fast one to avoid.

In other words, there’s a good chance that the next time Manafort violates the Court’s conditions, he’ll lose a house.

But that’s not the part I’m most amused about here. It’s the way in which the government revealed it knew about the op-ed, with first the call to his counsel, the notice it was rethinking the adequacy of his bail proposal, then with this description in the court filing (which predictably instantly lit up cable news).

As a surveillance wonk, this is the question I most want answered: how did the government find out about this op-ed, and what thought process went into revealing that it had found out? After all, if it was to be ghost-written, Manafort intended to hide that he had written it. But he has to know he’s wired up with surveillance like a Christmas tree. So via what means was Manafort collaborating with his Russian intelligence friend?

Effectively, on top of tattling to the judge that Manafort was breaking her rules, demanding Manafort risk a home or two next time he pulls this kind of stunt, and asking him to find more liquid assets if he wants off of house arrest, the government is also telling Manafort that whatever communication method he believed to be hidden from government view actually is not.

Which means he now knows that any other communications he’s been having with this Russian intelligence person also aren’t hidden from view.

Update: Yanukovych’s flack Oleg Voloshyn has IDed himself as the named author of the op-ed, but he says Manafort only provided a bit of input. Voloshyn said he passed the op-ed to Manafort through Konstantin Kilimnik, the same guy Manafort was reporting back to during the campaign.

Voloshyn said that he sent his unpublished editorial last week to Konstantin Kilimnik, a longtime associate of Manafort in Ukraine, who then forwarded it on to Manafort.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Unmasking Panic and the Flynn Plea

Yesterday, Eli Lake was the first person to confirm the identity of the “very senior” official who “directed FLYNN to contact officials from foreign governments, including Russia, to learn where each government stood on the resolution” condemning Israel’s illegal settlements.

At the time, the U.N. Security Council resolution on Israeli settlements was a big deal. Even though the Obama administration had less than a month left in office, the president instructed his ambassador to the United Nations to abstain from a resolution, breaking a precedent that went back to 1980 when it came to one-sided anti-Israel resolutions at the U.N.

This was the context of Kushner’s instruction to Flynn last December. One transition official at the time said Kushner called Flynn to tell him he needed to get every foreign minister or ambassador from a country on the U.N. Security Council to delay or vote against the resolution. Much of this appeared to be coordinated also with Israeli prime minister Benjamin Netanyahu, whose envoys shared their own intelligence about the Obama administration’s lobbying efforts to get member states to support the resolution with the Trump transition team.

Lake was also the reporter who got the earliest “scoops” on the unmasking panic earlier this year.

There’s a reason for that. They’re the same story.

In April, I laid out how Devin Nunes was at the center of both the January unmasking panic and the panic on behalf of a bunch of Republicans, during the Iran deal negotiations, who got their collusion with Bibi Netanyahu to kill the deal sucked up.

Throughout his ongoing information operation to claim the Obama White House spied on the Trump transition team, Devin Nunes has pointed to what he claimed was a precedent: when, in December 2015, members of Congress suddenly copped on that their conversations with Bibi Netanyahu would get picked up incidentally. In his March 22 press conference, he explained,

We went through this about a year and a half ago as it related to members of Congress, if you may remember there was a report I think it was in the Wall Street Journal and but then we had to have we had a whole series of hearings and then we had to have changes made to how Congress is informed if members of Congress are picked up in surveillance and this looks it’s like very similar to that.

Eli Lake dutifully repeated it in the second of his three-post series pitching Nunes’ information operation.

A precedent to what may have happened with the Trump transition involved the monitoring of Israel’s prime minister and other senior Israeli officials. The Wall Street Journal reported at the end of 2015 that members of Congress and American Jewish groups were caught up in this surveillance and that the reports were sent to the White House. This occurred during a bitter political fight over the Iran nuclear deal. In essence the Obama White House was learning about the strategy of its domestic political opposition through legal wiretaps of a foreign head of state and his aides.

But Lake apparently didn’t think through the implications of Nunes’ analogy — or the differences between the two cases.

Here’s the WSJ report and CBS and WaPo versions that aren’t paywalled. All make it very clear that Devin Nunes took the lead in worrying about his conversations with Bibi Netanyahu being sucked up (I don’t remember Republicans being as sympathetic when Jane Harman got sucked up in a conversation with AIPAC).

It’s clear now that it’s all one panic.

The most public confirmed unmasking involved Susan Rice discovering that Sheikh Mohammed bin Zayed al-Nahyan had a secret meeting with Flynn, Kushner, and Bannon in NY.

Former national security adviser Susan Rice privately told House investigators that she unmasked the identities of senior Trump officials to understand why the crown prince of the United Arab Emirates was in New York late last year, multiple sources told CNN.

The New York meeting preceded a separate effort by the UAE to facilitate a back-channel communication between Russia and the incoming Trump White House.

The crown prince, Sheikh Mohammed bin Zayed al-Nahyan, arrived in New York last December in the transition period before Trump was sworn into office for a meeting with several top Trump officials, including Michael Flynn, the president’s son-in-law, Jared Kushner, and his top strategist Steve Bannon, sources said.

But we now know that there would be intercepts between Netanyahu and Kushner leading up to it.

I wouldn’t even be surprised if the Republicans are so certain they’ve been unmasked because Israel has their own way of discovering such things.

I’ve laid out how Jared Kushner’s “peace” “plan” really is just an attempt to remap the Middle East to the interests of Israel and Saudi Arabia, interests which require significantly more belligerence against Iran than Obama showed. The unmasked discussions would include the ones that preceded Kushner’s order to Flynn to try to undercut the resolution, as well as whatever else Kushner discussed with Netanyahu at the time.


Next Stop: Jared

This morning at 8, I was on Democracy Now talking about how the then-reported and now-completed Flynn plea agreement would focus attention directly on Jared.

Since then, Mike Flynn indeed pled guilty to one charge of false statements to the FBI about various conversations with Sergei Kislyak, promising he’d fully cooperate with Mueller’s inquiry. Reports describe that Flynn spoke with an unnamed senior advisor who was at Mar-a-Lago at the time about his December 29 conversations with Kislyak, which pertained to Russian sanctions. They also say Flynn will testify against Trump and members, plural, of his family, particularly regarding the orders he had to reach out to Russia.

The other lie charged about conversations with Kislyak involves a request that Russia try to delay or shut down a vote on condemning Israel’s illegal settlements.

That’s a key lie, because we know who was pushing that: Jared Kushner (though the court filing suggests it might be someone even more senior).

Robert Mueller’s investigators are asking questions about Jared Kushner’s interactions with foreign leaders during the presidential transition, including his involvement in a dispute at the United Nations in December, in a sign of the expansive nature of the special counsel’s probe of Russia’s alleged meddling in the election, according to people familiar with the matter.

The investigators have asked witnesses questions about the involvement of Mr. Kushner, President Donald Trump’s son-in-law and a senior White House adviser, in a controversy over a U.N. resolution passed Dec. 23, before Mr. Trump took office, that condemned Israel’s construction of settlements in disputed territories, these people said.

Israeli officials had asked the incoming Trump administration to intervene to help block it. Mr. Trump posted a Facebook message the day before the U.N. vote—after he had been elected but before he had assumed office—saying the resolution put the Israelis in a difficult position and should be vetoed.

[snip]

Israeli officials said at the time that they began reaching out to senior leaders in Mr. Trump’s transition team. Among those involved were Mr. Kushner and political strategist Stephen Bannon, according to people briefed on the exchanges.

So that second lie — and almost certainly the first — involves Kushner directing Flynn.

I noted yesterday CNN’s report that in the last few weeks — so during the window when Mueller was in close discussions about Flynn flipping — Mueller’s team interviewed Kushner asking if he had any exonerating information on Flynn.

Mueller’s team specifically asked Kushner about former national security advisor Michael Flynn, who is under investigation by the special counsel, two sources said. Flynn was the dominant topic of the conversation, one of the sources said.

[snip]

The conversation lasted less than 90 minutes, one person familiar with the meeting said, adding that Mueller’s team asked Kushner to clear up some questions he was asked by lawmakers and details that emerged through media reports. One source said the nature of this conversation was principally to make sure Kushner doesn’t have information that exonerates Flynn.

The meeting took place around the same time the special counsel asked witnesses about Kushner’s role in the firing of former FBI Director James Comey and his relationship with Flynn, these people said.

Mueller was, effectively, locking in Kushner’s testimony before Flynn flipped. As I said this morning, speaking of that meeting,

The Kushner meeting was reported as kind of one of the last things that Mueller had to put into place before this plea agreement that people have been talking about with Mike Flynn. And that suggests that there is more news about to drop regarding Mike Flynn that I think is going to really dramatically change how Republicans take the Russian investigation.

Flynn had been avoiding discussing plea agreements for months and months and months, and then really in the last two weeks, all of a sudden it seems like it’s about to happen. Mueller has more leverage over Flynn in the last couple of weeks. It may be Turkey, because a key witness in New York has turned state’s evidence and apparently has information on Flynn. I think there’s some other information.

And so, Flynn, we expect, is moving towards a plea agreement. We expect, or I expect, that’s going to add a lot more pressure on Trump. And I have been saying for months that the way to get to Kushner is through Flynn. Because a lot of the events in which Flynn was involved, such as meeting with Sergei Kislyak in December, they connect very closely with activities that Kushner is known to be involved with.

Kushner may now be hoping he’ll be in a he-said he-said with Flynn, except it’s unlikely Mueller would give Flynn this easy plea without a whole lot more to know that Flynn would be telling the truth. Remember, Kushner is one of the few people aside from Flynn himself who has a very appropriate lawyer for this kind of issue.


Throwing H2O on the Pompeo to State Move

I could be totally wrong, but I don’t think the reported plan for Rex Tillerson to step down, to be replaced by Mike Pompeo, who in turn will be replaced by Tom Cotton (or maybe Admiral Robert Harward because Republicans can’t afford to defend an Arkansas Senate seat), will really happen.

The White House has developed a plan to force out Secretary of State Rex W. Tillerson, whose relationship with President Trump has been strained, and replace him with Mike Pompeo, the C.I.A. director, perhaps within the next several weeks, senior administration officials said on Thursday.

Mr. Pompeo would be replaced at the C.I.A. by Senator Tom Cotton, a Republican from Arkansas who has been a key ally of the president on national security matters, according to the White House plan. Mr. Cotton has signaled that he would accept the job if offered, said the officials, who insisted on anonymity to discuss sensitive deliberations before decisions are announced.

I say that for two reasons.

First, because of all the evidence that Mike Flynn is working on a plea deal. Particularly given that Mueller has decided he doesn’t need any more evidence of Flynn’s corrupt dealings with Turkey, I suspect his leverage over Flynn has gone well beyond just those crimes (which, in turn, is why I suspect Flynn has decided to flip).

I think that when the plea deal against Flynn is rolled out, it will be associated with some fairly alarming allegations against him and others, allegations that will dramatically change how willing Republicans are to run interference for Trump in Congress.

If I’m right about that, it will make it almost impossible for Pompeo to be confirmed as Secretary of State. Already, Senate Foreign Relations Committee Chair Bob Corker, who’d oversee the confirmation, is sending signals he’s not interested in seeing Pompeo replace Tillerson.

“I could barely pick Pompeo out of a lineup” Sen. Bob Corker (R-Tenn.), chairman of the Senate Foreign Relations Committee, said Thursday morning.

Already, Pompeo’s cheerleading of Wikileaks during the election should have been disqualifying for the position of CIA Director. That’s even more true now that Pompeo himself has deemed them a non-state hostile intelligence service.

Add in the fact that Pompeo met with Bill Binney to hear the skeptics’ version of the DNC hack, and the fact that Pompeo falsely suggested that the Intelligence Community had determined Russia hadn’t affected the election. Finally, add in the evidence that Pompeo has helped Trump obstruct the investigation and his role spying on CIA’s own investigation into it, and there’s just far too much smoke tying Pompeo to the Russian operation.

All that will become toxic once Mike Flynn’s plea deal is rolled out, I believe.

So between Corker and Marco Rubio, who both treat Russia’s hack of the election with real seriousness (remember, too, that Rubio himself was targeted), I don’t see how Pompeo could get out of the committee.

But there’s another reason I don’t think this will happen. I suspect it — like earlier threats to replace Jeff Sessions — is just an attempt to get Tillerson to hew to the Administration line on policy. The NYT cites Tillerson’s difference of opinion on both North Korea and Iran.

Mr. Trump and Mr. Tillerson have been at odds over a host of major issues, including the Iran nuclear deal, the confrontation with North Korea and a clash between Arab allies. The secretary was reported to have privately called Mr. Trump a “moron” and the president publicly criticized Mr. Tillerson for “wasting his time” with a diplomatic outreach to North Korea.

It’s Iran that’s the big issue, particularly as Jared frantically tries to finish his “peace” “plan” before he gets arrested himself. The fact that Trump has floated Cotton as Pompeo’s replacement is strong support for the notion that this is about forcing Tillerson to accept the Administration lies about Iran and the nuclear deal: because Cotton, more than anyone else, has been willing to lie to oppose the deal.

Trump is basically saying that unless Tillerson will adopt the lies the Administration needs to start a war with Iran, then he will be ousted.

But Tillerson’s claim that he doesn’t need to replace all the people who’ve left State because he thinks a lot of domestic issues will be solved soon seems to reflect that he’s parroting the Administration line now.

Obviously, there’s no telling what will happen, because Trump is completely unpredictable.

But he also likes to use threats to get people to comply.

Update: CNN now reporting I’m correct.


On the Jared and Flynn Stories

Amid reports that Mike Flynn is flipping like a pancake, CNN reported (in addition to a report that Mueller’s team canceled a grand jury appearance for former Flynn business associates) that Jared Kushner was asked a bunch of questions about Flynn in an interview earlier this month.

Before reading the details CNN provides, however, consider this line in the story:

It’s not clear that this is the only time that Kushner will meet with the special counsel’s team.

That is, the subtext here is that, even as Mueller’s team preps a plea deal with Flynn, he’s well aware that he remains a key target in conjunction with Flynn events, and may get hauled back before Mueller’s team for all the other stuff. Effectively, they were locking in Kushner’s testimony — including, presumably, about what kind of permission/instructions Flynn had to engage in the corrupt foreign deals he was pushing — from Kushner and his pop-in-law before flipping Flynn.

So here’s how CNN describes the Flynn questions:

Mueller’s team specifically asked Kushner about former national security advisor Michael Flynn, who is under investigation by the special counsel, two sources said. Flynn was the dominant topic of the conversation, one of the sources said.

[snip]

The conversation lasted less than 90 minutes, one person familiar with the meeting said, adding that Mueller’s team asked Kushner to clear up some questions he was asked by lawmakers and details that emerged through media reports. One source said the nature of this conversation was principally to make sure Kushner doesn’t have information that exonerates Flynn.

The meeting took place around the same time the special counsel asked witnesses about Kushner’s role in the firing of former FBI Director James Comey and his relationship with Flynn, these people said.

That means, as we speak, Flynn is providing his side of this story, and explaining why Jared was so intent on firing Mueller because Mueller was actively investigating Flynn.

As I’ve long said, you get to Jared through Flynn. It seems like Jared’s team is now hoping he gets a second chance at testimony before he gets busted himself.


The Russian Metadata in the Shadow Brokers Dump

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the two “unnamed” NSA employees and the contractor referenced in The Times’ reporting.

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few reports that analyzed the people identified in the metadata had discussed: a Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sidelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sidelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky-related breach is unrelated to the Shadow Brokers leak, something that I also pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky-related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese-born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved, Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more weird part of the Krebs story: he treats the non-response he got from Sidelnikov, the same non-response he got from the known NSA guys doxed by Shadow Brokers, as somehow indicative of something, even though if Sidelnikov had been “arrested,” as Krebs’ headline mistakenly suggests, you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.