Serving as Julian Assange’s Unwitting Data Mule to Israel Shamir Is Not Journalism

/21 Comments/in , , , /by

It’s a testament to how effective WikiLeaks’ propaganda is that almost none of the people implicated by things Julian Assange did years ago and almost none of the people who brainlessly repeat Julian Assange’s propaganda now know about this May 16, 2022 filing, submitted last year in the Josh Schulte case, which I wrote about here.

The redacted bits of the filing almost certainly describe things obtained in an ongoing investigation of WikiLeaks that pertain to how the data stolen by Schulte was used. The unredacted parts, however, describe that what must be the WikiLeaks investigation is both ongoing and has a scope that, “is neither known to the public nor to all of the targets of the investigation.”

“All of the targets.” That phrase is telling. At least one target — Assange — knows he is a target. The other targets (and DOJ uses the jargon to describe people who almost certainly will be charged, not just people who might be) don’t know.

The WikiLeaks investigation — which is ongoing and not just, as many boosters claim, an attempt to shore up the case against Assange — is not an investigation into Assange, exclusively. There are other targets.

Key WikiLeaks people almost certainly know about this filing, because they treated Schulte’s second trial — where he defended himself and repeatedly tried to publicly share classified information, almost certainly including details of the discovery about the ongoing WikiLeaks investigation he had received — differently than the first.

They’re just not telling you that there are other targets of the WikiLeaks investigation.

They’re not telling you, in part, because it ensures that when the Met or FBI or other investigators approach people to obtain information about those other targets, they’ll refuse, because they don’t want to be part of a prosecution of Julian Assange for what they’re telling themselves is journalism.

James Ball is the latest person describing how that happened.

In a Rolling Stone post describing the two year effort to obtain his cooperation, he claims journalists are being asked to cooperate against Assange.

And he claims he’s being approached — for information that clearly pertains to Israel Shamir — as a journalist.

He asserts that he’s being approached as a journalist by claiming that DOJ wants to talk to him about this 2013 article, rather than about his own conduct described in the article.

As the article described, in 2010, he unwittingly served as Assange’s data mule, handing off 90,000 State Cables to Israel Shamir, who then exploited them — by sharing them with Belarusian dictator Alexandr Lukashenko and/or selling them — before the entire Cable set was released.

Shamir is an anti-Semitic writer, a supporter of the dictator of Belarus, and a man with ties and friends in Russian security services. He and Julian—unknown to us—had been in friendly contact for years. It was a friendship that would have serious consequences.

Introduced to WikiLeaks staff and supporters under a false name, Shamir was given direct access to more than 90,000 of the U.S. Embassy cables, covering Russia, all of Eastern Europe, parts of the Middle East, and Israel. This was, for quite some time, denied by WikiLeaks. But that’s never a denial I’ve found convincing: the reason I know he has them is that I gave them to him, at Assange’s orders, not knowing who he was.

Why did this prove to be a grave mistake? Not just for Shamir’s views, which are easy to Google, but for what he did next. The first hints of trouble came through contacts from various Putin-influenced Russian media outlets. A pro-Putin outlet got in touch to say Shamir had been asking for $10,000 for access to the cables. He was selling the material we were working to give away free, to responsible outlets.

Worse was to come. The NGO Index on Censorship sent a string of questions and some photographic evidence, suggesting Shamir had given the cables to Alexander Lukashenko of Belarus, Europe’s last dictator. Shamir had written a pro-Belarus article, shortly before photos emerged of him leaving the interior ministry. The day after, Belarus’s dictator gave a speech saying he was establishing a WikiLeaks for Belarus, citing some stories and information appearing in the genuine (and then unpublished) cables. [my emphasis]

As he admits, at least by 2013, Ball was aware that Shamir had ties to Russian spooks.

What Ball describes in the piece is that he entered into an agreement with Assange to provide data to someone, Shamir, that Shamir did not publish, but instead shared with a repressive dictator and, probably, with Russian intelligence services.

That’s not journalism. That’s spying.

To be sure: as Ball describes, he realized his error and promptly left WikiLeaks (and, as he described in the 2013 article, refused to sign some of the NDAs Assange was pushing). That’s why he was approached as a witness and not a subject, because he made affirmative efforts to leave the conspiracy that has already been charged against Assange and almost certainly will be charged against Shamir, if it hasn’t already been, under seal.

After having served as an unwitting data mule for Assange in a handoff that would result in Lukashenko (and possibly Russian spies) getting advance access to the content of the Cables, Ball subsequently became a journalist. But that does not retroactively change what happened in 2010. Nor does that mean FBI approached him as a journalist. They approached him as a guy who once unwittingly served as a data mule for the part of the Cable releases that undermines all the claims that Assange is nothing but a publisher.

Here’s what people miss about the publication charges against Julian Assange, including the Cable count. They charge him for, “distributing them and then by publishing them.” Proving that Assange distributed the State Cables via unwitting data mule James Ball to Shamir is all DOJ would have to do to prove that charge against Assange, to prove that Assange shared them with someone not authorized to receive them. At a hypothetical trial of Assange (and whoever else gets charged), they’ll undoubtedly explain that after first giving privileged access to the Cables to Shamir, who handed them onto people who would use them to suppress dissent, Assange published all of them. That’s part of the cover. That’s part of what leads people like Ball to imagine he was involved in journalism when he shared the Cable files with Shamir.

For a number of WikiLeaks releases, there’s some story like this, about how before publication, files were either removed from the publication set or provided exclusively to someone in advance. The publication is, in part, cover for that earlier sharing. Schulte even described how if Russia got the source code he shared with WikiLeaks but which WikiLeaks, with limited exceptions, did not publish, they would never publish it, because it would be more useful to reverse engineer what the CIA had been doing.

These tools are MUCH more valuable undiscovered by the media or the nation that lost them. Now, you can secretly trace and discover every operation that nation is conducting.

Schulte is one of the people that anyone charged in a larger WikiLeaks conspiracy would be charged with conspiring with.

That’s the tough thing about US conspiracy law: Once you enter into a conspiracy, you’re on the hook for the actions of anyone who later enters into that conspiracy — like Shamir or Schulte — whether or not you know about it personally. You’re on the hook unless and until you take affirmative actions to leave the conspiracy. Lots of people with ties to WikiLeaks want no tie to Assange’s relationship with Shamir, but if DOJ adds him as a co-conspirator, then they’re not going to have much choice in the matter.

In any case, because so few of WikiLeaks’ boosters know that there are other targets in this investigation, they seem to be getting unfortunate legal advice, such as regarding the import of the detail that FBI obtained a statement from Shamir — whose statements, if and when he is charged as a co-conspirator, can be entered at trial — stating that Ball provided Cables, which he claimed to be about “the Jews,” to him.

The U.S. government cannot make much use of what I revealed in the article in a court of law unless I testify to it — and it is not hard to see how I could be useful if they were trying to strengthen the political case against Assange. In the article, I admit that I was the one who gave Shamir the material, albeit on Assange’s orders, without knowing who he was. If I testified to all this, it could, at least in theory, open me to criminal charges of my own.

[snip]

When, after months of delaying tactics had run out of road, we said a final “no”, there was a small sting in the tale from a DOJ prosecutor to my lawyers. Sending a statement in which Shamir had falsely claimed I had provided him with cables on “the Jews,” the prosecutor noted:

“Upon seeing those words from Shamir, I cannot help but ask whether Mr. Ball would reconsider his decision about speaking to the investigators, even if only just to respond to Shamir’s allegations.”

Yeah, it was a sleazy tactic, but also one designed to alert his lawyer that Ball does not currently have exposure but at a trial in which Shamir is a co-conspirator, Ball’s own conduct will be introduced at trial as part of proving that Cable charge and can be introduced without the article Ball wrote in 2013. Ball was advised they can’t use his article without his testimony — and because he had already left any agreement with Assange that’s probably right — but FBI can certainly introduce Shamir’s claims that he got the Cables from Ball, along with whatever other evidence they have about what Shamir did with them afterwards.

One more reason the fact that this is an ongoing investigation into targets not publicly identified matters: DOJ may or may not  or may already have gotten the UK to approve superseding the existing indictment against Assange, the one that has led people to believe he is the only target of it. But they certainly have the ability to charge a conspiracy in which Assange is an uncharged co-conspirator, showing a seven year conspiracy involving Russian spooks — starting no later than that handoff of cables to Shamir — charging everyone else that entered into a conspiracy via Assange with Russian spooks. Back in 2020, prosecutors implied to Jeremy Hammond that the long extradition process of Assange would provide the opportunity to charge Assange’s involvement in the 2016 Russian hack-and-leak. And because at least one of the people who would be charged in such a conspiracy, Josh Schulte, appears to have continued his efforts to leak through last year, any statute of limitations might go through 2027. That’s why they’re in no rush to charge Shamir publicly: because the way conspiracy law works in the US, they can charge everyone who didn’t affirmatively leave the WikiLeaks conspiracy so long as the conspiracy remains ongoing.

Ball may well be right that the other people the FBI has approached are being approached for coverage of WikiLeaks they did, as journalists (though there are some edge cases). But of the descriptions I’ve seen, there’s always another as yet uncharged target about whom the FBI is asking. That may not change their calculus about whether they want to cooperate, but it means, whether they know it or not, that their refusals are not limited to a bid to protect Assange’s conduct.

I think the people approached for their coverage of WikiLeaks should definitely tell the FBI to fuck off.

But there’s more going on here, particularly with the request to Ball.

Between the Annual Release of FISA Statistics and the Release of the FISA 702 Opinion, FBI Rolled Up Turla

/3 Comments/in , /by

I’m curious about the timing of the release of the FISC 702 opinion, dated April 21, 2022, approving Section 702 certificates that would last until April 21, 2023. I laid out a Modest Proposal in response to that opinion here.

In the past, the government has often released the prior year’s FISC opinion around the same time as it releases all the FISA transparency reports, which it released this year on April 28, 2023. But ODNI didn’t release the opinion itself until May 19, eight days after the FBI released a FISA-related audit that covers many of the same violative queries laid out in the FISC opinion and three weeks after the other transparency filings. The delayed release resulted in the release of significantly overlapping bad news twice, a week apart, at a time when the spooks already face an uphill climb to get 702 reauthorized before the end of the year.

One possible explanation for the delayed release is that there was a one-month delay in reapproval of new 702 certificates, meaning that ODNI held back the opinion until such time as a new opinion had replaced the old one.

But as I read, especially, a separate opinion released along with the 702 one, I couldn’t help but note that between the date when ODNI would customarily release the prior FISC authorization and the date it did, FBI rolled up the Turla malware.

May 4, 2023: Search warrant affidavit

May 8, 2023: Planned operation

May 9, 2023: DOJ Press releaseNSA press releaseJoint Cybersecurity Advisory

When I wrote my post on the operation, I laid out how, starting in 2016, the FBI had learned how Turla worked via voluntary monitoring of US-based victims from whose servers the malware was launching attacks in other countries.

A key part of the affidavit’s narrative describes that monitoring process. The FBI discovered that Turla compromised computers at US Victim A in San Jose, which let the FBI monitor how the malware worked. Using US Victim A, Turla compromised US Victim B in Syracuse, which in turn let the FBI monitor what happened from there. Using both US Victims A and B, Turla compromised US Victim D in Columbia, SC, which in turn let the FBI monitor traffic. Using Victim B, Turla compromised US Victim C, in Boardman, OR, which in turn let the FBI monitor traffic.

Over seven years, then, the FBI has been monitoring communications traffic from a growing number of US victim companies that Turla used as nodes. The affidavit emphasizes that these sites were used to attack overseas targets — like the presumed German and French targets mentioned in the affidavit. Aside from the journalist working for a US outlet (who could be stationed overseas), the affidavit doesn’t mention any US collection targets. Nor does it explain whence Turla targets US collection targets.

But there were two or three companies that refused to allow the FBI to engage in consensual monitoring of their victimized servers: Victim-E, Victim-F, and Victim-G, all of which were discovered in 2021 or 2022 (Victim-F went defunct and destroyed its computers).

According to the FBI search warrant, then, it launched a global operation to roll up the Turla Snake’s many nodes around the world without the benefit of at least two US-based nodes from which it could discover other victims. That didn’t make sense to me.

The other FISA opinion released with the 702 one sought authorization to conduct physical surveillance of two locations in the US used by an agent of a foreign power; the government uses physical surveillance to obtain data in rest on a server. DOJ first submitted the application in early 2021. FISC appointed former cybersecurity prosecutor and current tech attorney Marc Zwillinger and retired EDNY Magistrate James Orenstein as amici and conducted several rounds of briefing and a hearing. Orenstein would have still been a Magistrate in EDNY when the grand jury behind this operation was seated there in 2018; he retired in 2020.

The heavily redacted opinion itself is pretty short — just 6 pages. It explains that “the Court has little difficulty finding probable cause to believe that the intended targets … are agents of a foreign power.” It had a harder time with two other issues, though: proving that the premises to be searched “is or is about to be owned, used, possessed by … that foreign power.” Suggestions from Zwillinger and Orenstein provided limits to the order such that FISC presiding Judge Rudolph Contreras could meet that standard.

The government also noted that the data in the targeted location “might not be owned or used by” the agents of the foreign power in question. Contreras imposed a 60-day deadline for the government to destroy everything that was not.

With those limitations, Contreras approved the FISC order on September 27, 2021.

Both of these issues are common ones in cybersecurity surveillance. Hackers hijack others’ servers, and from that sanctuary, victimize others. And then hackers transport data that are the fruits of theft, not communications about such a crime, via these nodes. So one way or another, the opinion sounds like it could pertain to cybersecurity surveillance. The timing is what makes me wonder whether the order was withheld until the end of the Turla operation.

Zwillinger and Orenstein were appointed as amici in 2022 as well.

Note, there’s a technique that got authorized in the 702 opinion, first proposed in March 2021, which involved two different amici, Georgetown Professor Laura Donohue, who asked for the assistance of Dr. Wayne Chung, the Chief Technology Officer of BlueVoyant, a cybersecurity company. That discussion is even more heavily redacted. But the issues debated appear to include:

  • Whether the thing obtained using 702 was included in the definition of intelligence permitted for collection
  • Whether the assistance required in the US came from an Electronic Communications Service Provider (Victim A from the Turla operation was located in San Jose, and the Victim G that refused to cooperate was described as a cloud service provider located in Gaithersberg)
  • Whether the assistance from the ECSP is covered by 702
  • Whether the intended use of the information fit the definition of querying
  • Whether NSA should have used another provision of FISA
  • Whether all the targets were overseas
  • What kind of minimization procedures the kind of information that would be obtained required

The 702 application is even more obscure than the physical search one. But if the latter pertains to Turla, it’s not inconceivable that the former does too.

Peter Baker Discovers that Russia Sows Partisan Antagonism and Then Helps Them Do So!

/30 Comments/in , , , /by

I laughed yesterday when Peter Baker tweeted about how “striking” it is that Vladimir Putin is adopting Trump’s perceived enemies as his own.

But then Baker wrote up his laughably naive observation into a NYT story.

Baker, you’ll recall, is one of NYT’s crack journalists who buried Trump’s admission that he had spoken to Putin about adoptions before writing a false explanation about the June 9, 2016 Trump Tower meeting emphasizing adoptions. Baker and Maggie Haberman chose instead to emphasize Trump’s scripted attack on Jeff Sessions. The Mueller Report showed that NYT’s willingness to dumbly repeat Trump’s script proved even more useful to Trump’s efforts to undermine the Rule of Law than his covert effort to get Corey Lewandowski to ferry orders to Jeff Sessions.

And here we are, almost five years later, and Baker still naively plays into obvious Russian efforts to sow division in the US, in significant part by playing to Trump’s narcissism and the feral loyalty of Trump’s supporters, to say nothing of playing up racial division. Baker picks out three names from among 500 newly added to Russian sanctions: Tish James, Brad Raffensperger, and Michael Byrd, the Black cop who prevented Ashli Babbitt from breaching the hallway through which Members of Congress were fleeing by shooting her.

Among the 500 people singled out for travel and financial restrictions on Friday were Americans seen as adversaries by Mr. Trump, including Letitia James, the state attorney general of New York who has investigated and sued him. Brad Raffensperger, the secretary of state of Georgia who rebuffed Mr. Trump’s pressure to reverse the outcome of the 2020 election, also made the list. And Lt. Michael Byrd, the Capitol Police officer who shot the pro-Trump rioter Ashli Babbitt on Jan. 6, 2021, was another notable name.

Reviewed more broadly, however, the sanctions were an attack on US Rule of Law generally, or certainly the notion that Trump’s people should be subject to it. They include the current or former Attorneys General of California, Colorado, Connecticut, Delaware, Illinois, Maryland, Minnesota, Nevada, New Hampshire, New Mexico, New York, Oklahoma, Oregon, Rhode Island, Vermont, Virginia, Washington, Washington, DC, Wisconsin. Aside from former Oklahoma AG John O’Connor, which may be a mistake, it almost seems like they worked from an outdated membership list from the Democratic Attorneys General Association. Though for some reason, Putin missed Michigan’s Attorney General Dana Nessel, maybe because she’s a badass lesbian who makes Putin afraid.

The sanctions list does include every US Attorney who has presided over the January 6 investigation.

  • Michael Sherwin (who as Acting US Attorney in DC oversaw the beginning of the January 6 investigation)
  • Channing Phillips (who, as Acting US Attorney for DC in 2021 oversaw the early parts of the January 6 investigation)
  • Michael Graves (currently US Attorney for DC overseeing the January 6 investigation)
  • Jack Smith (Special Counsel)

But it also includes other senior legal officials, some of whom have gotten more attention for investigating Russia than Trump.

The inclusion of Kohler, who played a key role in the Trump stolen documents case but who also presided over the Charles McGonigal and other Oleg Deripaska cases that came through SDNY, is particularly notable. This is, in significant part, an attempt to suggest that if either Russia or Trump is held accountable legally, it will harm Russia. It is a transparent effort — no different than dozens of similar efforts going back to 2016, and to the extent that this plays to racism, goes back a half century — to lead Trump supporters to believe their interests are more aligned with Putin’s than those of the United States, or at least the United States when led by Joe Biden.

In addition to Brad Raffensperger, Putin also included Mark Esper, who got fired as Defense Secretary because he undercut Trump’s authority to attack the US government by invoking the insurrection act.

A broad swathe of the list includes members of NGOs, particularly those NGOs that fascists are attempting to discredit with claims that attempts to combat disinformation equate to censorship. Nina Jankewicz got sanctioned in her own right.

Of two members of the Open Society Fund, Leonard Benardo is included; his name may become prominent if John Durham’s abusive attempt to investigate Benardo, which may be detailed in the classified section of the Durham Report, begins to leak.

Along with all those defenders of truth and justice, Putin included Stephen Colbert and Heather Cox Richardson.

Again, this is a transparent effort, one that continues past efforts that extend to sheltering members of the far right and stoking US racism, to supplant the allegiance of Trump’s supporters to the United States with an affiliation, through Trump, to Russia. Trump’s narcissism might lead him to magnify these sanctions. His campaign advisors likely will try to prevent that.

But Putin won’t need to rely on Trump to magnify this statement of a shared allegiance.

He has Peter Baker for that.

Baker somehow could not distinguish language as transparent truth from language as an attempt to manipulate, and so stated as fact that “Trump’s perceived enemies” are Putin’s own. Aside from the law enforcement officials who’ve targeted both Russian hackers and Trump, they’re not. Rather, this is an attempt — an utterly transparent one!! — to make Trump’s followers believe that, and so regard Russia more favorably.

Because Baker thought his banal observation about these sanctions was worth a story in the NYT, he called up the Russian Foreign Ministry for comment. That’s how the claim that the people who attacked democracy on January 6 are simply dissidents got inserted into the NYT.

None of those three has anything to do with Russia policy and the only reason they would have come to Moscow’s attention is because Mr. Trump has publicly assailed them. The Russian Foreign Ministry offered no specific explanation for why they would be included on the list but did say that among its targets were “those in government and law enforcement agencies who are directly involved in the persecution of dissidents in the wake of the so-called storming of the Capitol.”

You got played, Peter Baker, into serving as a mouthpiece for Russian propaganda.

You got played into contributing to Russia’s efforts to undermine US democracy.

Russia’s Snakes Got DePlaned

/28 Comments/in , /by

The US Attorney’s Office in Brooklyn, EDNY, had a busy day on Tuesday. In addition to indicting George Santos for various kinds of fraud, EDNY’s US Attorney, Breon Peace, got to take credit for the “remediation” of a peer-to-peer network of compromised computers exploited by Russian hacking group “Turla” to hack collection targets around the world.

For geeks, the claimed effect of the operation was pretty cool. The FBI developed code (or had a contractor do it for them) that would exploit the very thing that makes the Snake malware so tricky — the proprietary communications sessions it uses to run a global network of relay nodes through which it launches collection attacks.

The majority of compromised systems serve as relay nodes (referred to as “hop points”) in the Snake network, that route traffic from the FSB’s ultimate target systems (referred to as “endpoints”) through the network back to Turla operators in Russia.

The FBI code was designed to command Snake to overwrite its operational components.

[A]n FBI-created tool named PERSEUS [] issued commands that caused the Snake malware to overwrite its own vital components.

[snip]

[T]hrough analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications. With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool named PERSEUS which establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that causes the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer.

[snip]

Specifically, the FBI has developed a technique that exploits some of Snake’s built-in commands, discussed above, which, when transmitted by PERSEUS from an FBI-controlled computer to the Snake malware on the Subject Computers, will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the Subject Computers..

We’ll see whether the operation was as successful as DOJ and NSA claimed. But the government at least claims to have significantly neutralized a hacking platform that has been a complex challenge for two decades.

A quote from a specialist on this hacking group made me want to look closer to understand what DOJ did, both technically and legally. Juan Andres Guerrero-Saade complained to CNN that the FBI had taken down the peer-to-peer network, rather than just sat on it to continue to observe what Russia’s FSB was doing.

Turla operatives are “genuine professionals,” Juan Andres Guerrero-Saade, a researcher who has tracked Turla for years, told CNN.

“They’re not traipsing around breaking things or calling attention to themselves in stupid ways,” said Guerrero-Saade, who is senior director of SentinelLabs, the research arm of security firm SentinelOne. He said that’s what you’d “expect from the GRU,” referring to Russia’s military intelligence agency, whose hackers are generally more conspicuous. “You don’t see that out of Turla.”

[snip]

While the FBI touted the action as another example of the bureau’s strategy to protect hacking victims, Guerrero-Saade wondered what visibility the FBI might have lost into Turla’s operations by exposing the network of hacked computers.

“The FBI has a hammer and they’ve decided this is just another nail,” Guerrero-Saade said. “And I don’t think espionage operations should be handled the same way that criminal operations are.”

But the search warrant affidavit suggests that’s what the FBI has been doing since 2016.

The materials released by the government provide a very selective narrative both of the hacking group and the intervention:

May 4, 2023: Search warrant affidavit

May 8, 2023: Planned operation

May 9, 2023: DOJ Press release; NSA press release; Joint Cybersecurity Advisory

The narrative starts in 2004, when investigators first started tracking Turla, ignores a 2008 Turla compromise of DOD computers, only names one collection target (a journalist) that might be in the US, and only describes likely German and French collection targets in passing.

As the affidavit describes, the FBI’s understanding of Turla derived from both “sensitive sources” and the monitoring of victims.

[T]hrough existing legal authorities, the cooperation of several U.S. victims[,] and sensitive sources, the FBI and U.S. Intelligence Community have obtained significant insight into the FSB’s cyberespionage activities against the United States and its allies using Snake.

A key part of the affidavit’s narrative describes that monitoring process. The FBI discovered that Turla compromised computers at US Victim A in San Jose, which let the FBI monitor how the malware worked. Using US Victim A, Turla compromised US Victim B in Syracuse, which in turn let the FBI monitor what happened from there. Using both US Victims A and B, Turla compromised US Victim D in Columbia, SC, which in turn let the FBI monitor traffic. Using Victim B, Turla compromised US Victim C, in Boardman, OR, which in turn let the FBI monitor traffic.

Over seven years, then, the FBI has been monitoring communications traffic from a growing number of US victim companies that Turla used as nodes. The affidavit emphasizes that these sites were used to attack overseas targets — like the presumed German and French targets mentioned in the affidavit. Aside from the journalist working for a US outlet (who could be stationed overseas), the affidavit doesn’t mention any US collection targets. Nor does it explain whence Turla targets US collection targets.

2004: Investigation begins

2008: Turla compromises US military computer via thumb drive (not mentioned in affidavit)

2015 to 2017: FBI monitored communication between US-compromised computer and Minister of Foreign Affairs in NATO member-state, collected and decrypted

Turla operators used Snake in an attempt to exfiltrate a large volume of what they believed to be internal United Nations and NATO documents sent from the NATO Victim-1

By description — particularly the reference to what hackers thought they were getting — this is likely Germany, as described in this report on the group.

It was Tuesday, Dec. 19, 2017, when German security officials received the tipoff. A foreign intelligence service informed the Bundesnachrichtendienst (BND), Germany’s foreign intelligence service, that somebody had hacked into the IT system belonging to Germany’s Foreign Ministry.

[snip]

And the hackers hadn’t actually stolen all that much by the beginning of 2018 – a total of six documents, only one of which was classified. Nevertheless, the BSI decided to throw the hackers out of the network. A short time later, public prosecutors launched an official investigation into the cyberintrusion.

2016: After finding IP address in Queue File on computers belonging to US Victim A in San Jose, CA, victim permitted FBI to do custom scan and monitor communication traffic to ID other hop points and victims

2017: FBI provides victim notification of earlier version of Snake on US Victim E computers in Van Nuys, CA

2017 to 2020: FBI monitored communications between US-compromised computer and NATO Victim-2 (possibly France)

2018: EDNY grand jury seated

2018: FBI observed communications between US Victim A and computers in Syracuse, NY, owned by US Victim B and performed custom scan and monitored traffic

2018 to 2022: FBI identified traffic between US Victims A and B and computers in Columbia, SC owned by US Victim D; FBI performed a scan and monitored traffic

January 2020: FBI identified communication between US Victim B and cloud provider US Victim C in Boardman, OR; FBI performed custom scan and monitored ongoing traffic

2020 to 2021: FBI identified traffic between US Victim A and computer located in Hicksville, NY owned by US Victim F

2021 to 2022: FBI observes traffic between US Victims D and US Victim E; FBI provided custom scan but Victim E did not permit ongoing monitoring

2022: By the time FBI alerts US Victim E, it had ceased operation and discarded the computers

February to March 2022: FBI identified communication between US Victim A and computers in Gaithersburg, MD owned by US Victim G, which refused to cooperate with the FBI

nd: Turla used Snake to target journalist for US news media company (country location not stated)

As this timeline lays out, in the last two years, Turla exploited three US victim companies — US Victim E and G, both of which refused full cooperation, as well as the defunct one, US Victim F, in Hicksville, NY, that might be how EDNY would claim to establish venue if you ignore that that hack happened after the grand jury that conducted this investigation was seated in 2018 — from which the FBI was unable to get the kind of voluntary cooperation that US Victims A, B, C, and D offered. At first I mistakenly thought that FBI might have acted now because they were finding less success with the monitoring approach they’ve used since 2016.

But those computers are a different set (though possibly overlapping) than the set of computers targeted by this warrant. While Subject Computers 2 and 3 listed in the affidavit, both located in Columbia, SC, could be owned by US Victim D, US Victims E and G are not targeted. The additional targeted computers are located in Portland (Subject Computers 1 and 2), Atlanta (Subject Computer 4), Windsor, CT (Subject Computer 5), and Rancho Cordova, CA (Subject Computers 6, 7, and 8). If Subject Computers 2 and 3 do belong to US Victim D, including them might serve primarily to qualify this for remote search under 41(b)(6)(B) (which requires 5 districts).

For US purposes, the more important part of the operation may be parallel efforts done overseas. The affidavit suggests that the FBI will only execute the search within the US and foreign governments will only execute the search within their jurisdictions.

On or about May 8, 2023, the FBI, in coordination with certain foreign governments acting outside of the United States, intends to execute a technical operation, codenamed MEDUSA, to disable Snake malware on numerous computers worldwide. Specifically, at a chosen time, FBI personnel will use PERSEUS to authenticate and establish sessions with the Snake malware on the Subject Computers, and send to the Snake implants on the Subject Computers built-in commands that will terminate the Snake application and, in addition, permanently disable the Snake malware by overwriting vital components of the Snake implant without affecting any legitimate applications or files on the Subject Computers. At the same time that the FBI executes the remote search technique described in this Affidavit to disable the Snake malware on computers located in the United States, certain foreign government authorities will take action to remediate Snake-compromised computers within their territories.

The press release is a bit more vague about that (and there are probably nodes in countries that the US IC would not trust enough to coordinate such an operation).

For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance.

[snip]

The FBI and U.S. Department of State are also providing additional information to local authorities in countries where computers that have been targeted by the Snake malware have been located.

As the affidavit described it, the FBI used a Rule 41(b)(6)(B) warrant permitting the government to search remotely in more than one District at a time so as to allow for the simultaneous worldwide operation.

The FBI believes that use of the remote search technique described in this Affidavit is necessary to ensure the success of the coordinated technical operation to disrupt the Snake malware network worldwide. As detailed above, the Subject Computers are located in geographically disparate locations throughout the United States. There are not sufficient FBI personnel available who possess the specialized training and experience with the sophisticated Snake malware to physically travel to each location to disable the Snake malware on each of the Subject Computers simultaneously. Thus, without authorization to use the remote search technique requested in this Affidavit, the FBI would not be able to timely disable the Snake malware on the Subject Computers as part of a coordinated operation against the worldwide Snake network.

Whatever the case, the press release speaks in fairly expansive terms about neutralizing the entire network, not just some nodes in it.

To cycle back to Guerrero-Saade’s complaint, then, it seems that FBI has been monitoring this network for years. Indeed, one wonders how much of the roll-up of Russian spying in recent years has benefitted from doing so.

But it seems that the US and its partners decided they had the capability and the will to attempt to shut down this network now (at a time, it should be said, when Russia is ratcheting up attacks on Ukraine and in advance of Ukraine’s planned counterattack). Perhaps it is just part of the larger response rolled out in the wake of Russia’s attack on Ukraine.

How the Government Proved Their Case against John Podesta’s Hacker

/4 Comments/in , , , , /by

We’re almost seven years past the hack of the DNC, and self-imagined contrarians are still clinging to conspiracy theories about the attribution of that and related hacks. In recent weeks, both Matt Taibbi and Jeff Gerth dodged questions about the attribution showing Russia’s role in the hack-and-leak by saying that the Mueller indictment of twelve GRU officers would never be tested in court (even while, especially in Gerth’s case, relying on unsubstantiated claims in John Durham indictments from his two failed prosecutions).

And while’s it’s likely true that DOJ will never extradite any of those twelve men to stand trial, DOJ did successfully convict one of their co-conspirators on a different hack: the hack-and-trade conspiracy involving Vladimir Klyushin and accused John Podesta hacker, Ivan [Y]Ermakov.

(The Mueller indictment and Ermakov’s second US indictment, for hacking anti-doping agencies, transliterated his name with a Y, the Boston one does not.)

That trial provides a way to show how DOJ would prove the 2018 indictment if one of the twelve men charged ever wandered into a jurisdiction with an extradition treaty with the US.

As laid out at trial, between 2018 and 2020, the co-conspirators hacked two securities filing agencies, Toppan Merrill and Donnelly Financial, to obtain earnings statements in advance of their filing, then traded based off advance knowledge of earnings. Klyushin was one of seven people (two charged in a separate indictment, three who were clients of Klyushin’s company M-13) who did the trading. Ermakov didn’t trade under his own name. He may have been compensated for Klyushin’s side of the trades with a Moscow home and a Porsche. But at least as early as May 9, 2018, forensic evidence introduced at trial shows, an IP address at which Ermakov’s iTunes account had just gotten updates was used to steal some of the filings.

Ermakov did not show up in a courtroom in Boston to stand trial and Klyushin has launched a challenge to his conviction that rests entirely on a challenge to venue there. But the jury did convict Klyushin on the hacking charge along with the trading charges, meaning a jury has now found DOJ proved Ermakov’s hacking beyond a reasonable doubt.

And they did it using the same kind of evidence cited in the Mueller indictment.

The crime scene

Start with the crime scene: the servers of the two filing agencies victimized in the hack-and-trade, Toppan Merrill and Donnelly Financial.

According to the trial record, neither figured out they had been hacked on their own. As the FBI had tried to do for months beforehand in the case of the DNC, a government agency, the SEC, had to tell them about it. The SEC had seen a number of Russians making big, improbable stock trades from clients of the two filing agencies, all in the same direction, and wanted to know why. So it sent subpoenas to both companies.

As the DNC did with CrowdStrike in 2016, both filing agencies hired an outside incident response contractor — Kroll Cyber in the case of Toppan Merrill, Ankura in the case of Donnelly Financial — to conduct an investigation.

The lead investigators from those two contractors were the first witnesses at trial. Each explained how they had been brought in in 2019 and described what they found as they began investigating the available logs, which went back six months, a year, and two years, depending on the type and company. The witness from Kroll described finding signs of hacking in Toppan Merrill’s logs:

The Ankura witness described how they first found the account of employee Julie Soma had been compromised, then used the IP addresses associated with that compromise to find other employees whose accounts were used to download reports or other unauthorized activity.

In sum, the two incident response witnesses described providing the FBI with the forensic details of their investigation — precisely the same thing that CrowdStrike provided to FBI from the DNC hack. There’s not even evidence that they shared a full image of the filing agencies’ servers (though an FBI agent described going back to Donnelly to search for the domain names behind the intrusions that Kroll had found at Toppan Merrill), which was one of the first conspiracy theories about the DNC hack Republicans championed: that the FBI failed to adequately investigate the DNC hack because it didn’t insist on seizing the actual victim servers during the middle of an election.

The forensic evidence wasn’t the only evidence submitted at trial from the crime scene. One after another of the employees whose credentials had been misused testified. Each described why they normally accessed customer records, if at all, how and when they would normally access such records, and from what locations they might access corporate servers remotely, including their use of the corporate VPN. Julie Soma — the Donnelly employee whose credentials were used most often to download customer filings — described that she would never have done what was done in this case, download one after another filing from Donnelly customers in alphabetical order.

Q. Would you ever go from client to client and alphabetically access those types of documents?

A. No.

Both interview records from the Mueller investigation (one, two, three) and documents from the Michael Sussmann case show that the FBI did similar interviews in the DNC hack. The Douglass Mackey trial, too, featured witnesses describing how the Hillary campaign identified that attack on the campaign as well.

In proving their case against John Podesta’s hacker, DOJ presented witness testimony that eliminated insiders as the culprit.

Fingerprinting

Having established the forensic data tied to intruders through the incident response contractors, prosecutors then called FBI agents as witnesses to describe how — largely through the use of IP addresses obtained using subpoenas or pen registers and the materials found in the suspects’ iCloud accounts — they tied Klyushin’s company, M-13, to both the hacking and the trading.

The trading was fairly easy: the co-conspirators accessed the two online brokers used to execute the trades under their own names and from IP addresses tied to M-13. An SEC witness described in detail how trades always shortly followed hacks but preceded the public filing of earnings statements.

Tying M-13 to the hacking took a few more steps.

For the hacking conducted via the domains Kroll identified, the FBI first found the account that registered the domains. Each was registered under a different name, but each of the names were based on a Latvian-based email service and used similar naming conventions. Each had been accessed from the same set of 3 IP addresses.

For IPs that Kroll identified, the FBI found BitLaunch servers created by an account in the name of Andrea Neumann, which was controlled from one of the same IP addresses that had registered the domain names. The FBI got search warrants to obtain images of those BitLaunch servers.

Another IP address used to steal filings, several FBI agents explained, was from an Italian-run VPN, AirVPN. The FBI used a pen register to show that someone accessed AirVPN from the M-13 IP address during the same period when the AirVPN IP was stealing records from the filing companies. The FBI also showed that Klyushin had accessed his bank at the same time from that same IP address. The FBI also showed that eight common IP addresses had accessed Ermakov’s iTunes account and the AirVPN IP address (in this case, the access was not at the same time because the FBI only had a pen register on the VPN for two months in 2020). While FBI witnesses couldn’t show that the specific activity tied to an AirVPN IP at the victim companies tied back to M-13, they did show that both Klyushin and Ermakov routinely used AirVPN.

Plus there were the filing thefts — noted above — that were done on May 9, 2018 using the same IP address that, four minutes earlier, had downloaded an Apple update from Ermakov’s iTunes account. As I’ve noted repeatedly, before Ermakov was first indicted by Mueller, he had already left a smoking gun in the servers at Donnelly in the form of IP activity that the FBI obtained over a year later inside the US.

In fact, much of the evidence used to prove this case (particularly establishing the close relationship between the conspirators) came from Apple, including WhatsApp chats saved in Klyushin and other co-conspirators’ iCloud accounts. We know Mueller used the same source of evidence. In March of this year, emails stolen by hacktivists revealed, Apple informed another of the GRU officers charged in the DNC hack that the FBI had obtained material from his Apple account in April 2018, in advance of the Mueller indictment.

The indictment likely also relied on warrants served on Google, especially on Ermakov’s account. The Mueller indictment (as well as the later anti-doping one) attributes much of the reconnaissance conducted in advance of the hacks to Ermakov: the names of some victims; information on the DNC, the Democratic Party, and Hillary; how to use PowerShell (which would be used against Toppan Merrill); and CrowdStrike’s reporting on GRU tools. If he did this research via Google, it would all be accessible with a warrant served on the US tech company.

The getaway car

One pervasive conspiracy theory about the Mueller indictment stems from testimony that Shawn Henry gave to the House Intelligence Committee in December 2017, describing that Crowdstrike did not see the data exfiltrated from the DNC servers. Denialists claim that is proof that the information was never exfiltrated by the GRU hackers. The conspiracy theory is ridiculous in any case, since there were so many other Russian hacks involving so many other servers, including servers run by Google and Amazon that had a different kind of visibility on the hack (something that Henry alluded to in his testimony), and since the indictment describes that the DNC hackers destroyed logs to cover their tracks.

But the Klyushin trial featured testimony about a tool used in the hack-and-trade conspiracy that has a parallel in the DNC hack: the AMS panel, hidden behind an overseas middle server, which the Mueller indictment described this way:

X-Agent malware implanted on the DCCC network transmitted information from the victims’ computers to a GRU-leased server located in Arizona. The Conspirators referred to this server as their “AMS” panel. KOZACHEK, MALYSHEV, and their co-conspirators logged into the AMS panel to use X-Agent’s keylog and screenshot functions in the course of monitoring and surveilling activity on the DCCC computers. The keylog function allowed the Conspirators to capture keystrokes entered by DCCC employees. The screenshot function allowed the Conspirators to take pictures of the DCCC employees’ computer screens.

[snip]

On or about April 19, 2016, KOZACHEK, YERSHOV, and their co-conspirators remotely configured an overseas computer to relay communications between X-Agent malware and the AMS panel and then tested X-Agent’s ability to connect to this computer. The Conspirators referred to this computer as a “middle server.” The middle server acted as a proxy to obscure the connection between malware at the DCCC and the Conspirators’ AMS panel. On or about April 20, 2016, the Conspirators directed X-Agent malware on the DCCC computers to connect to this middle server and receive directions from the Conspirators.

[snip]

For example, on or about April 22, 2016, the Conspirators compressed gigabytes of data from DNC computers, including opposition research. The Conspirators later moved the compressed DNC data using X-Tunnel to a GRU-leased computer located in Illinois.

In the hack-and-trade conspiracy, the hackers set up a similar structure, using the servers given names like “developingcloud” and “finshopland” as reverse proxies, with a final server behind them all executing orders on the hacked servers at Toppan Merrill (and the implication is, Donnelly, though the forensics came from Toppan Merrill via Kroll). The “computers numbered 1 through 7” in what follows are the servers identified by Kroll stealing earnings filings from Toppan Merrill.

A. So this is a digital depiction of the servers that I examined on the right there, so they each have a number on them, 1 through 9.

Q. Let me focus you first on the computers numbered 1 through 7. Do you see them there?

A. Yes.

Q. Are they kind of in a sideways V configuration?

A. Yes.

Q. Okay. And what do computers 1 through 7 show on this Exhibit DDD?

A. They functioned as gatekeepers for the furthest machine to the right, server number 8.

Q. And when you say “gatekeeper,” is there a technical term for that?

A. Yes. So the technical term is a “reverse proxy.”

Q. Can you explain to the jury, in a easy for me to understand way, what a reverse proxy or gatekeeper is in this chart, 1 through 7.

A. Yes. So in this chart, it would function — so the seven that are in that V formation, they would pass traffic to server number 8, if it was coming from an infected machine; and if it was something else, it would send the traffic to some other website.

This structure would have made it impossible for Toppan Merrill to understand the source or function of the anomalous traffic on its servers because any attempt to do so would be redirected away from the control server.

But not the FBI, because they obtained images of the servers with a warrant.

The forensic witness describing this structure showed, command by command, that the forensic clues identified by Kroll on the Toppan Merrill servers were controlled via that final server running PowerShell (the same tool that Mueller alleged Ermakov researched during the DNC hacks in 2016).

Q. And is there something on this log that you found that tells you the name of the program that was running on the victim’s computer at Toppan Merrill?

A. Yes, the process name line, and that reads rdtevc.

Q. And is process another name for computer program?

A. Yes.

Q. So this is a log that shows that a program named RDTEVC was running on a Toppan Merrill computer, right?

A. Yes.

Q. But it’s stored in the hacker computer?

[snip]

Q. And what does PowerShell do? You can call it anything, right? You can call it RDTEVC?

A. That’s probably a randomly chosen name.

Q. But no matter what it’s called, what does it do?

A. So it allows it to be remotely controlled and accessed.

Q. Allows what to be remotely controlled and accessed?

A. The infected machine.

The same forensic expert explained that he didn’t find any downloads of stolen files.

But he also explained why.

He had also found secure tunnels, readily available but similar in function to a proprietary GRU tool Crowdstrike found in the DNC server. As he described, these would be used to transfer data in encrypted form, making it impossible to identify the content of the data while it was in transit.

Q. Mr. Uitto, are you familiar with the concept of exfiltration?

A. Yes.

Q. Big word, but what does it mean?

A. It means to steal data, take data.

Q. And in your review, did you find evidence — you told Mr. Nemtsev you didn’t find evidence of the taking of data from the victim computers to these particular hacker servers; is that right?

A. That’s right, but I did see secure tunnels that were created.

Q. So when you say there were secure tunnels, were you able to tell what was going through those secure tunnels?

A. No.

Q. Those were encrypted, right?

A. Yes.

Q. So you actually don’t know whether or not there was financial information in those tunnels?

A. That’s correct.

Q. Or sports scores or anything?

A. That’s correct.

Q. It’s encrypted.

A. Yes.

[snip]

Q. What role does encryption serve in this hacker architecture?

[snip]

A. Yes, so it can be used to hide data or information.

Q. So if it’s encrypted, we can’t know what’s being passed?

To prove the hack, you would have to — and FBI did, in both cases — prove that the stolen data made it to the end point.

This testimony is important for more than explaining where you’d need to look to find proof of a hack (at the end points). It shows the import of understanding not just the crime scene and those end points, but the infrastructure used to control the hack and exfiltrate the data. With both the hack-and-trade conspiracy and the hack of the DNC, the FBI got forensics about the victim from the incident response contractors, but they obtained the data from these external servers directly, with warrants.

The denialists looking for proof in the DNC server were focused on just the crime scene, but not what I’ve likened to a getaway car, one to which the FBI had direct access but Crowdstrike did not.

Follow the money

Another specialized kind of fingerprint prosecutors used to prove the case against Klyushin parallels the one in the Mueller indictment (and, really, virtually all hacking cases these days): the cryptocurrency trail. As the Mueller indictment explained, the hackers who targeted the DNC used the same cryptocurrency account to pay for different parts of their infrastructure, thereby showing they were all related.

The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.

[snip]

For example, between on or about March 14, 2016 and April 28, 2016, the Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks.

By following the money, prosecutors were able to show the jury how these pieces of infrastructure fit together.

In the case of the hack-and-trade, the conspirators did nothing fancy to launder the cryptocurrency used in the operation. The servers obtained in the name of Andrea Neumann were paid using three successive cryptocurrency accounts, each with different names but accessed from the same IP address. The third name was Wan Connie. An interlocked Wan Connie email account had been accessed from M-13’s IP address. So while the cryptocurrency itself couldn’t tie the conspirators to the hack, the interlocked infrastructure did.

The conspiracy

To prove the hack, prosecutors at trial showed how the FBI had used evidence from the crime scene, the “getaway” car, the money trail, and evidence obtained at the end point from iCloud accounts to tie the hack back to Ermakov personally and M-13 more generally. The biggest smoking gun came from matching the IP addresses to which Ermakov got his iTunes updates to the infrastructure used in the hack (or, in the case of the May 9, 2018 thefts, directly to someone exploiting Julie Soma’s stolen credentials.

All that was left in the Klyushin case was proving the conspiracy, showing that Klyushin and others had used this stolen information to make millions by trading in advance of earnings announcements. This would be the functional equivalent of tying the records stolen from Democrats (and some Republicans) to their release via Guccifer 2.0, dcleaks, and WikiLeaks.

At Klyushin’s trial, the government proved the conspiracy via two means: an SEC analyst presented a bunch of coma-inducing analysis showing how the trades attributed to online brokerage accounts that Klyushin and others had in their own names lined up with the thefts. The analyst explained that odds of seeing those trading patterns would be virtually impossible.

More spectacularly, prosecutors introduced Klyushin’s role with a bunch of pictures establishing that he was “besties” with Ermakov (and, eventually, that there were unencrypted and encrypted communications, along with a picture of Klyushin’s yacht, sent via Ermkaov to two guys in St. Petersburg who didn’t work for M-13 but who were making the same pattern of trades); I looked at some of that evidence here. One picture found in Klyushin’s account showed Ermakov, crashed on a chair, wearing an M-13 sticker, taken in the same period as some of the logs provided by Kroll showed hacking activity. About the only thing the FBI found in Ermakov’s iCloud account was the online brokerage account used to execute the insider trading, in Klyushin’s name, but that tied him to the trading side of the conspiracy.

As their trades began to attract attention, Ermakov and another M-13 employee attempted to craft cover stories, evidence of which prosecutors found via Apple. Prosecutors even introduced Threema chats in which Ermakov told Klyushin, his boss, not to share details about their trading clients or he might end up a defendant in a trial.

He did.

And at that trial, prosecutors were able to prove a hacking conspiracy against Klyushin using evidence and victim testimony from the crime scene, but also from other data readily available with a subpoena or warrant inside the US.

Update: Tweaked language describing secure tunnels.

On Joshua Schulte’s Alleged Substantial Amount of CSAM … and Other Contraband

/20 Comments/in , , /by

Yesterday, Judge Jesse Furman docketed a letter, impossibly dated March 23, updating him on the investigation into the Child Sexual Abuse Material allegedly found on WikiLeaks Vault 7 source, Josh Schulte’s discovery computer, six months ago (see this post for an explanation).

It described more about the CSAM material found on Schulte’s computer: The FBI had found “at least approximately 2,400 files on the laptop … likely containing CSAM.”

With respect to assertions that Joshua Schulte, the defendant, has made about the discovery laptop—that the laptop does not contain CSAM, that any CSAM appears only in thumbnails, or that the CSAM was maliciously or inadvertently loaded onto the laptop by the Government. See, e.g., D.E. 998 at 3 (pro se letter to the Court dated Dec. 21, 2022), 5 (pro se letter to the Court dated Jan. 5, 2023)—the Government is able to confirm the following: at least approximately 2,400 files on the laptop have been identified to date as likely containing CSAM. Those files include full images, and are not limited to thumbnail images. Moreover, the Government did not copy discovery materials onto the defendant’s laptop. In 2021, former defense counsel copied discovery and trial materials onto the laptop, which was then reviewed by personnel from the U.S. Attorney’s Office for security compliance before making a file index and providing the laptop to the Metropolitan Correctional Center (“MCC”), where the defendant was then in custody. The CSAM on the laptop was not provided by the Government or the result of Government action.

That, by itself, doesn’t tell us a lot more than we learned in an October filing, which explained that the FBI had found, “a substantial amount” of suspected CSAM.

Indeed, the letter focuses on debunking two counterarguments Schulte has made since, which is one of the reasons Furman docketed it after DOJ submitted it ex parte: “[T]his letter responds directly to assertions by Mr. Schulte,” Furman observed.

The government was debunking a claim made by Schulte that the government had caused the CSAM — but only thumbnails — to be loaded onto his discovery computer by “connect[ing] a child pornography drive to the laptop during setup.”

Schulte repeated and expanded — at great, great length — that theory in a set of filings dated March 1 but just loaded to the docket today.

The government response, effectively, was that they made an index of the files as the computer existed when it was turned over to MCC in 2021, calling Schulte on his claim that he was framed with CSAM.

Ultimately both sides will be able to present their claims to a jury.

But there are several other reasons I’m interested in the letter and related issues.

The government’s working theory when they first revealed this last fall, was that Schulte got a thumb drive into the SCIF and from that accessed the CSAM allegedly found on his home computer six years ago, presumably just to have it in his cell for his own further exploitation of children.

there is reason to believe that the defendant may have misused his access to the SCIF, including by connecting one or more unauthorized devices to the laptop used by the defendant to access the CSAM previously produced.

That’s because in August, they found a thumb drive attached to the SCIF laptop.

On or about August 26, 2022, Schulte was produced to the Courthouse SCIF and, during that visit, asked to view the hard drive containing the Home CSAM Files from the Home Desktop. The hard drive was provided to Schulte and afterwards re-secured in the dedicated safe in the SCIF. The FBI advised the undersigned that, while securing the hard drive containing the Home CSAM Files, they observed that an unauthorized thumb drive (the “Thumb Drive”) was connected to the SCIF laptop used by Schulte and his counsel to review that hard drive containing the Home CSAM Files. On or about September 8, 2022, at the Government’s request, the CISO retrieved the hard drive containing materials from the Home Desktop from the SCIF and returned it to the FBI so that it could be handled pursuant to the normal procedures applicable to child sexual abuse materials. The CISO inquired about what should be done with the Thumb Drive, which remained in the dedicated SCIF safe.

But in a little noticed development, during the period when FBI has been investigating how a defendant held under SAMs managed to get (we’re now told) 2,400 CSAM files onto his discovery computer, CNN reported that the network of FBI’s NY Field Office focused on CSAM had been targeted in a hacking attempt.

The FBI has been investigating and working to contain a malicious cyber incident on part of its computer network in recent days, according to people briefed on the matter.

FBI officials believe the incident involved an FBI computer system used in investigations of images of child sexual exploitation, two sources briefed on the matter told CNN.

“The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

FBI officials have worked to isolate the malicious cyber activity, which two of the sources said involved the FBI New York Field Office — one of the bureau’s biggest and highest profile offices. The origin of the hacking incident is still being investigated, according to one source.

DOJ still insists that former CIA hacker Josh Schulte found a way to access a whole bunch of CSAM. And in the same period, reportedly, the servers involved with CSAM investigation in the NYFO were hacked.

And while the letter released yesterday doesn’t tell us — much — that’s new about what Schulte allegedly had on his laptop, it does tell us, by elimination, which of the sealed filings in his docket are not related to the CSAM investigation.

Since the October update on the investigation into Schulte, sealed documents have been filed in Schulte’s docket on the following days:

  • December 15: Sealed document
  • January 19: Ex parte update on CSAM investigation
  • January 26: Sealed document
  • March 9: Sealed document
  • March 13: Sealed document

Only the January 19 letter — along with yesterday’s letter — have been unsealed. That, plus the flurry of filings in September and October, are it for the CSAM investigation. There’s something else going on in this docket, four sealed documents worth.

Indeed, in those very long set of filings mentioned above, both dated February and finalized March 1, both docketed today, Schulte alluded to something beyond CSAM.

Judge Furman has begun claiming that there are other vague misuses or misbehavior on the laptop.

He must not have read the September and October letters very closely, because they describe there was a warrant that preceded the discovery of the CSAM.

The warrants that we know of include the following:

Since late September, this investigation was about the “substantive” amounts of CSAM found on a computer possessed by Schulte.

But before that it was based on suspicions of contraband.

That stems, in significant part, from a search of the computer DOJ did in June, when Schulte turned it over claiming it had been dropped.

It hadn’t been dropped. It needed to be charged. Indeed, in the interminable motions filed today, Schulte treated plugging in a laptop as some kind of due process violation.

Plugging in a laptop should in no way compromise the privacy of a laptop. But it did raise real questions about the excuse Schulte offered in an attempt to get a second laptop (one he effectively got once trial started anyway).

Needless to say, his description of what happened with the BIOS password differs from the government’s, as provided last June.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS1 had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovery an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop. [my emphasis]

Here’s more background on all the funky things that happened with this laptop that led me to suspect something was going on last summer.

Anyway, the government claims it found a whole bunch of CSAM on Schulte’s computer. But there’s also something else going on.

We may find out reasonably soon. The impossibly dated filing from this week promised an update in a week, which (if the impossibly dated filing was actually dated March 21) might be Tuesday.

The Government expects to provide the Court with a supplemental status letter in approximately one week.

At the same time that CIA hacker Josh Schulte was allegedly finding a way to load CSAM onto his discovery laptop, the local FBI office’s CSAM servers were hacked.

That might be a crazy coincidence.

Update: DOJ filed an ex parte update today, which may or may not have to do with the CSAM investigation.

Alleged DNC Hacker’s Co-Conspirator, Vladislav Klyushin, Convicted of Cheating Elon Musk and Others

/22 Comments/in , /by

One article of faith of “Russiagate” propagandists is that DOJ couldn’t convict any of the hackers involved in the 2016 Russian operation if one happened to wander into a friendly jurisdiction and get arrested.

Today in Boston, a jury convicted Vladislav Klyushin, the co-conspirator and boss of one of the men charged in the 2016 hack of the DNC. Klyushin was arrested and extradited from Switzerland two years ago.

The jury found Klyushin guilty on charges of hacking, wire fraud, securities fraud, and a conspiracy to hack.

Here’s how I described the hack-and-insider trade scheme after Klyushin’s extradition.

The insider trader scheme works like this: Klyushin (the guy in US custody) and Yermakov (a key person involved in the 2016 DNC hack, described in DOJ’s press release as a “former” GRU officer), along with one other guy from M-13, are[] accused of hacking at least two US filing agents to obtain earnings reports before they were officially released. They conducted trades for a handful of clients — along with Borodaev and Uryadov, Boris Varshavskiy is mentioned. Klyushin also conducted trades for himself.

As noted, one guy the jury found that Klyushin conspired with — in fact, the guy who hacked two US filing companies to obtain the information to use in insider trading — is Ivan Yermakov [Ermakov]. Before he went to work for Klyushin, he worked for Russian military intelligence, where he is alleged to have phished Democratic targets in 2016 and then exfiltrated data. Among other things, Mueller accused Yermakov of being one of two people who stole John Podesta’s emails.

According to court filings, the FBI didn’t get involved in this case until one of the filing companies that were targeted reported a hack in 2020. But the investigation relied on information that dated back years earlier.

Of particular note, Yermakov got a smart phone update on May 9, 2018 at the same IP address used to steal some earnings reports used in the insider trading scheme on that same day.

Based on a review of records obtained from a U.S.-based technology company (the “Tech Company”), I have learned that on or about May 9, 2018, at 3:44 a.m. (ET), an account linked to ERMAKOV received an update for three native applications associated to the Tech Company. Records show that the May 9, 2018 application updates were associated to IP address 119.204.194.11 (the “119 IP Address”).

Based on my review of a log file from FA 2, I learned that on or about that same day, May 9, 2018, starting at 3:46 a.m. (ET)–approximately two minutes after ERMAKOV received application updates from the Tech Company–the FA 2 employee’s compromised login credentials were used to gain unauthorized access to FA 2’s system from the same 119 IP Address, and to view and/or download earnings-related files of four companies: Cytomx Therapeutics, Horizon Therapeutics, Puma Biotechnology, and Synaptics.7 All four companies reported their quarterly earnings later that day.

Two months later, in July 2018, Mueller would charge Yermakov and others in the DNC hack.

Three months after that, on October 24, 2018, the co-conspirators targeted Tesla’s earnings announcement.

Klyushin bragged about knowing that Tesla would spike in value after its earnings statement. “Pay attention to shares of Tesla now and tomorrow after 16:30 and on how much they go up,” Klyushin advised some guys he let in on the racket. After the earning statement came out, Klyushin noted,

It was 288 but after the close it was already 308, and tomorrow will most likely hit 330 that’s 10. And with a shoulder 2-3 times its almost 25. But such deals don’t happen often in a quarter.

In precisely that time period, Elon Musk was consolidating his 20% ownership stake in Tesla. He bought $30 million in Tesla stock in the days and weeks after Klyushin and his co-conspirators front-loaded Tesla.

The following year, Klyushin and Yermakov would joke about how much cash they were accumulating by insider trading on companies like Tesla.

Below are photographs that the defendant shared with his co-defendant and employee, Ermakov, in August 2019. The pictures, taken at different times, show a single safe containing an increasing amount of U.S. one hundred dollar bills. Based on the amount of currency in the safe on the right, and a comment that the defendant made to Ermakov that the amount in the safe is about “3,” investigators believe that safe—whose exact location is unknown—may have contained as much as $3 million in cash

To add insult to injury, these are the cars that Klyushin and Yermkov bought with the proceeds they made from from insider trading on Tesla and other companies.

The picture was submitted at trial to prove the tie between Yermakov and Klyushin, demonstrated by the reference to their company incorporated into the vanity plates.

It’s absolutely the case that Ivan Yermakov is not going to arrive for prosecution in the United States any time soon. In fact, prosecutors found both WhatsApp chats between the two men, in 2019, describing Yermakov’s inability to leave Russia — and Klyushin’s promises to try to help — as well as a screen shot of the FBI wanted poster for Yermakov, taken in October 2020.

But a guy just convicted of conspiring with him did. And a jury found him guilty of hacking US targets.

Leaving Las Birdas

/25 Comments/in , , /by

[NB: check the byline, thanks. /~Rayne]

Marcy asked Sunday about a checklist of actions:

It’d be useful for someone to put together a checklist for journalists to prepare for the inevitable banning: download archive, delete DMs and phone number, update Masto follows… What else?

I started drafting one but as I was doing so, Elmo was changing the rules. I had to toss some parts, rewrite others, do more research than I expected all because Elmo decided he was going to ban a journalist permanently (WaPo’s Taylor Lorenz) and ban all references to certain other social media platforms.

And then Musk did a 180-degree turn and deleted a bunch of the new rules late Sunday evening.

A flood of new users over the weekend combined with increased posting volume flooded Mastodon servers again, making everything a bit slow. It will speed up again once everything settles down into a new stasis.

Anyhow, here’s the list journalists probably could have used already.

1) Get your Archive — Do not pass go, do not collect $200 until you have requested an archive of your Twitter history which includes all your tweets, retweets, quote tweets, media, more.

— Select Settings and privacy.
— Choose Your account.
— Select Download an archive of your data.
— Confirm your password, then select Request archive.
— Watch for notice in your Settings within the next 2-5 days that your archive is ready to download. Don’t count on an email notification as those appear to be spotty.

This archive will not be readily readable to folks who don’t code, but there are tools to format it into readable structure.

2) Obtain 2FA backup passcodes — you need a way to access your account if Twitter’s 2FA service crashes. It has in Ukraine and India and spottily in the US since November 1.

Once you have your 2FA backup passcodes, make sure you have 2FA set up on your account. Next step will help a lot with 2FA.

3) Remove your phone number from your Twitter account. Lifehacker published a how-to. If you must keep a phone number attached, consider either switching it to a dedicated cheap burner or leave the existing number but get a new number wholly separate from Twitter for everything else.

Unauthorized use and sale of phone numbers may violate the FTC’s consent decree, but Musk has already proven repeatedly he doesn’t care what the FTC’s consent decree says, having violated it multiple times since taking control of Twitter. Don’t assume regulation can restrain him or that regulatory bodies in the U.S. or EU can act before the damage is done.

4) Leave contact information as to where else you can be found.

Musk is now suspending accounts for sharing Mastodon, Facebook, Instagram, Post, Tribel, TruthSocial, Nostr addresses and links. To ensure readers can still obtain addresses at these platforms, try these alternatives:

— There are three open source link shorteners available which can mask an underlying link. See https://opensource.com/article/17/3/url-link-shortener for information about Lessn More, Polr, and Yourls; or

— Use Glitch.com to cite all your social media addresses and identities in one link. You can ‘hide’ your Mastodon address in it and use the URL on your Twitter profile;

— Another approach is to collect your identities and put them in an image file and add it to a pinned tweet (do not include any text referring to the image’s content). So far I haven’t seen any indication Twitter is using OCR to detect ‘forbidden’ addresses except perhaps in profile header images;

— If you already have a blog, you can draft a post or a page with all your contact information in it and link to that page/post. (I’ve done this, it’s very easy.)

5) Delete your Direct Messages (DMs) — this may take some time if you haven’t had a practice of deleting them as you go along. In the future use Signal for private messages with auto-deletion so you don’t have this albatross to deal with if you need to leave another social media platform.

Protect your sources and ask them to make sure they’ve deleted on their end as well.

6) Delete your Tweets — this is not a necessity and may actually cause problems if others have relied on your tweets in their reporting. Unlike DMs, tweets are assigned a unique URL; deleting one can create a 404 error for anyone who cited one of your tweets. Think long and hard about doing this.

It may be difficult to delete more than your last 3200 tweets. I couldn’t; the service I used choked on the copy of my archive for one of my accounts. So I left it as it was.

If you have sensitive tweets which could end up deleted by Twitter’s current or future regime, consider archiving them in the Wayback Machine at the Internet Archive.

7) Pull a list of follows/followers if you’re headed to Mastodon — technically speaking, this information is in your archive copy but without the right tool it can be difficult for the non-coder to read. Use tools like Fedifinder or Twitodon to pull a list of follows/followers identifying those who’ve migrated to Mastodon already. Log into your Mastodon account and follow the emigres as desired.

8) Nuclear Options: a) Lock your account, or b) Deactivate/Delete your account.

a) Locking your account means it is only visible to your existing followers at the time it is locked. You won’t get spammed/trolled by non-following accounts while you’re locked. Other accounts may try to follow you but you’ll have to approve them and at this point most may be spammers or troll/bot accounts not worth your time to screen let alone approve.

b) Deactivating/Deleting your account will freeze your username for 30 days but after that the username is available for use by another new user. I do NOT recommend this; if your name is your brand, you don’t want someone misusing it. Just make sure the account is secured by 2FA and walk away.

Between my two accounts I have less than 3000 followers and I’d informed them the account was going on hiatus and left info on how to find me. I locked my accounts and haven’t logged back in.

9) Prep your other social media/future social media home — I’m not going to assume journalists are headed to Mastodon though many are. Some media figures are heading elsewhere.

— Make sure to update your other/new media accounts with new addresses as appropriate;

— Make sure you’ve activated 2FA or MFA secured logins on your other/new accounts;

— If you’re leaving Twitter, remove buttons and links from your social media accounts and — blog/website which take readers to your Twitter account;

— Share a post as soon as possible on your alternate platform(s) advising your status, and then make sure to sustain some level of consistency in posting there to develop audience.

10-a) If you are moving to Mastodon — find the circulating lists of journalists who’ve opened a Mastodon account. Follow your peeps from that list, have yourself added to that list.

an ongoing Google Doc of journalists prepared by Tim Chambers, administrator of indie.social (@[email protected]):

https://docs.google.com/spreadsheets/d/13No4yxY-oFrN8PigC2jBWXreFCHWwVRTftwP6HcREtA/htmlview

The list is at least 1280 entries long. When clicking through the link above, note the link at the top to a form to collect new entry’s personal information.

an ongoing active list of verified journalists prepared by Dave Lee of the Financial Times (@[email protected]):

https://www.presscheck.org/

Caveat: Dave is swamped, there’s a backlog of requests by new accounts.

10-b) If you are moving to Mastodon — you have a lot to learn in a short period of time; make sure you understand how Mastodon’s culture differs from Twitter’s, and how the lack of algorithms and nominal analytics may change your mode of operation.

— YouTube video introduction by Jeff Jarvis (@[email protected]), journalism prof at CUNY Newmark School:

https://www.youtube.com/watch?v=Xnbct41Sxnk

— Introduction to Mastodon at Washington Post:

A guide to getting started with Twitter alternative Mastodon (gift link)

There was another intro at Wall Street Journal this weekend as well — which says something interesting, doesn’t it? I don’t have a link to it, though, as I don’t have a subscription.

~ ~ ~

Now, a note about reporting on Elmo and Twitter going forward: ARCHIVE TWEETS BEFORE REPORTING ABOUT THEM. Make this an automatic practice.

I’ve run in to a number of situations where journalists have posted in Mastodon about Twitter rules and Elmo’s tweets, sharing links to the Twitter-based content. Because I refuse to give Twitter traffic I copy the URL of the tweet and check the Internet Archive first for an archived copy instead.

I can’t tell you how many times the shared tweet url had NOT been archived, even this Sunday during the height of Musk-ian confusion about the new rule regarding mentions of social media competitors.

Do not trust Elmo not to delete content whether tweets or administrative content under Help, Twitter Support, or other Twitter organization account. Take a screenshot, document the hell out of it. Add any links to the Wayback Machine at the Internet Archive.

Polititweet had been archiving Musk’s tweets including tracking those deleted, but I can’t be certain it’s up to date.

Just don’t trust him or the business he runs because it’s not the Twitter you once knew.

~ ~ ~

Go. Remember you’re supposed to afflict the comfortable and comfort the afflicted. Do it from a better place than the circus Twitter has become.

Held Hostage by the Barmy Bird

/36 Comments/in , , , /by

[NB: check the byline, thanks. /~Rayne]

Of all the journalists suspended by Elmo on the bird site, I was bothered most by that of Voice of America’s Steve Herman.

I mentioned before he’s a straight news kind of guy. I’d followed his account at Twitter so far back I can’t remember which of us had a Twitter account first. He was one of the few early Twitter sources I could rely on for news about earthquakes in Japan. His coverage of the Fukushima nuclear power plant in 2011 was invaluable.

But the most important factor about Herman’s suspension is that he is a U.S. government employee.

Herman works for us. He’s paid with our tax dollars.

And a single foreign-born billionaire offering weak excuses after the fact had OUR public employee suspended for doing their job.

Once again, I’ll point out that Elmo was exercising his own free speech rights by suspending journalists on the social media platform he owns.

Popehat said it better, of course:

Remember: Twitter is Elon’s company, he has the free speech and free association right to run it pretty much however he wants and to ban people for petty narcissistic reasons.

And we have the right to laugh and point at his ridiculousness and at the free-speech pretenses of his gullible fans.

But even Popehat said that on Mastodon.

Elmo may be within his rights to capriciously decide to suspend journalists, but in suspending VOA’s Herman it became crystal clear that the U.S. government should not allow its resources to be subject to the whim of a single individual when the entire country relies on those resources.

Thankfully, Herman was already on Mastodon before the suspension and has been ramping up posting on that open platform since he launched his account.

But it’s who else is NOT on Mastodon which is now a problem.

Every member of Congress who has an account on Twitter is vulnerable to suspension.

Every U.S. government department and agency still on Twitter is likewise at risk.

Let’s say Musk becomes annoyed with the Federal Aviation Administration because of its regulations on airspace and planes, commercial and private. Could he suspend the FAA’s account?

Or perhaps Musk gets his pants in a knot about National Aeronautics and Space Administration because he and NASA don’t see eye to eye about a SpaceX-related matter. Could he suspend NASA accounts (there are multiple for this agency).

One might say, “Surely Musk wouldn’t be stupid/crazed enough to do that.”

Except he’s already suspended one employee of a U.S. government agency, and holding that person’s account hostage until content is deleted from that person’s account.

Elmo might have the right to do this, but the U.S. should not be held hostage by a pasty excessively-monied git with an unmanaged ego.

Look at this situation from another angle: this is ransomware denying service to a user until a specific deliverable has been provided.

In VOA’s case, Musk by way of Twitter Safety has demanded Herman delete a tweet before service will be resumed.

How should a government agency respond to demands for ransom like this, when an open platform is ready and waiting to provide alternative service?

There’s no good reason why each department and agency is still on Twitter but not on Mastodon, nor is there any good reason why each member of Congress doesn’t have an account on Mastodon.

None of the work government departments, agencies, and employees do should be impeded by the private sector let alone by a single butt-hurt billionaire.

Contact your members of Congress and tell them this needs to be fixed going into the next session of Congress. Each of them and their caucuses need to have a non-commercialized open social media platform account.

Congressional switchboard: (202) 224-3121 or use Resist.bot (which has a Mastodon account, by the way).

After the Deluge: What’s Next on Mastodon for Journalism? [UPDATE-2]

/81 Comments/in , , /by

[NB: check the byline, thanks. Updates at the bottom of this post. /~Rayne]

After Thursday’s Musk-ian tantrum booting off more than eight journalists from Twitter, there was a stampede of new users opening accounts on the open social media platform Mastodon.

It bogged down performance considerably on the largest servers. My timelines lagged by nearly three hours at one point on mstdn.social. But that was Friday; there wasn’t a lot of urgent news. We could afford the lag.

Though service improved greatly over 24 hours later, servers may still be throttled a bit. They’ll likely be upgraded over the next week or two depending on the instance and if traffic continues to level out over the next 48 hours.

The lag will be more obvious than some of the corporate-owned commercial platforms, but we’ve all seen now what the price is for the responsiveness of commercial Big Tech.

Besides, we’ve been here before during early rapid growth of a platform.

We’ll get through this.

~ ~ ~

Now that journalists have finally been confronted by the reality their go-to social media platform is run by an erratic narcissist, it’s time to ask what’s next.

Some of the outlets employing these journalists are already turning a blind eye to what happened now that Musk has lifted the suspension on several journalists. The selective approach should be yet another signal to media outlets that there is no return to normal. The big name outlets like CNN, NYT, NBC saw the ban on their journalists lifted, but the smaller independent outlets and freelance journalists are still suspended.

Among them are the only woman of color who was banned (Linette Lopez) and a commentator who’s retired from political commentary (Keith Olbermann). Hello racism, misogyny, ageism, and not a single complaint from the big media outlets about this because they’re not affected (wow, if that doesn’t say something else).

Not only is the Musk-ian problem of throttled journalism continuing, it will happen again. It’s just a matter of time before some other issue arises which trips Musk’s hair trigger and a journalist or outlet will be suspended.

(While I was writing this piece, Washington Post’s Taylor Lorenz was suspended from Twitter without explanation. Her account also happens to be on the so-called antifa list circulated last month — surely just a coincidence, hmm?)

There’s purpose to this beyond an expression of Musk’s shallowness. It’s now a means to change the subject and redirect journalists’ attention — even away from some of the journalism being throttled.

What was it that Lopez reported which triggered Musk? Why isn’t that getting more attention?

And as I asked in my previous post, what really tripped the suspension of Matt Binder? Was it about Tesla’s performance?

This is among the what’s next actions: journalists and their employers need to stop getting played by Musk the same damned way they were played by another malignant narcissist who mastered undermining and marginalizing the media.

Stop navel gazing and start doing more and better reporting about Musk and his effect on free speech and press freedom.

Publish it on an open social media platform, which the narcissist’s platform isn’t.

Do that with all reporting.

~ ~ ~

Consultant Dan Hon has posted a few observations, assessments, and recommendations of media outlets’ next steps. He began writing about news organizations moving to open web platform Mastodon back in October just before Musk took ownership of Twitter, before journalists were banned:

— News outlets need a Mastodon instance;
— Instances should be associated with organization’s existing website URL to ease discovery while building on and enhancing brand;
— Instances should verify its journalists’ (and opinion columnists’) identities through the Mastodon instance;

Thursday’s journalists’ suspensions emphasize the importance of Hon’s recommendations. News media shouldn’t be held hostage by a single billionaire with an attitude, especially if these outlets don’t have financial relationship with that billionaire and his social media business.

It’s possible the big name media outlets whose journalists’ suspensions were lifted have or have had advertising purchases with Twitter which influenced Musk’s handling of the suspensions.

No outlet so far has copped to this though it’s certain some participate in Twitter’s video monetization program Amplify. We only know that some of the outlets begged for mercy *cough* asked for reconsideration of the suspensions.

The New York Times asked its reporters not get into confrontations with Musk in public view on Twitter.

In one case the news outlet has punished the journalist for their coverage of Musk. NBC dressed down Ben Collins and pulled him off coverage of Twitter for his tweets earlier in the month which were characterized as “not editorially appropriate.”

NBC’s behavior may have emboldened Musk.

Entities pleading with Musk like the American Foreign Service Association on behalf of VOA’s Steve Herman may only have fed Musk’s ego.

FreePress.net’s insistence Musk step aside as Twitter’s CEO is laughable given how much of his own wealth is invested in the business, not to mention Musk was exercising his own free speech rights suspending journalists.

None of these actions deal with the problem, which is that a media platform has been taken over by a billionaire fascist narcissist with no genuine interest in free speech and a free press.

Dealing with this effectively means building a better mousetrap which can’t be overtaken by a single person’s whims.

There have been some instances established on open platform Mastodon for some media outlets listed below:

— USA —
https://c.im/@ABC (bot)
https://c.im/@CNN (bot)
https://c.im/@NBC (bot)
https://journa.host/@onthemedia
https://journa.host/@[email protected]
https://mstdn.social/@RollingStone
https://newsie.social/@TheConversationUS
https://newsie.social/@themarkup
https://newsie.social/@Chalkbeat
https://newsie.social/@STAT
https://newsie.social/@ProPublica
https://newsie.social/@damemagazine
https://mastodon.world/@FAIR
https://mastodon.world/@foreignpolicy
https://mastodon.world/@theprospect
https://mastodon.social/@niemanlab
https://mastodon.social/@GovTrack

— US Local —
https://mastodon.social/@gbhnews
https://mastodon.social/@KCStar (bot)
https://texasobserver.social/@TexasObserver
https://newsie.social/@Chron
https://mastodon.tucsonsentinel.com/@TucsonSentinel
https://journa.host/@msfreepress
https://journa.host/@berkeleyscanner
https://sfba.social/sfchronicle
https://sfba.social/@sfgate
https://sfba.social/@sfstandard
https://sfba.social/@thevallejosun
https://verified.mastodonmedia.xyz/@theoregonian
https://mas.to/@sltrib

— Technology —
https://c.im/@Mashable (bot)
https://c.im/@Engadget (bot)
https://geeknews.chat/@arstechnica
https://mastodon.social/@macrumors
https://restof.social/@restofworld

— Sports —
https://c.im/@NBA (bot)
https://c.im/@NFL (bot)
https://c.im/@MLB (bot)
https://c.im/@NHL (bot)
https://c.im/@Soccer (bot)

— International —
https://botsin.space/@bbcworld (bot)(UK)
https://bylines.social/@BylinesNetwork (UK)
https://bylines.social/@BylinesScotland (Scot)
https://bylines.social/@BylinesCymru (Wales)
https://bylines.social/@YorksBylines (UK)
https://bylines.social/@NEBylines (UK)
https://bylines.social/@BylinesEast (UK)
https://bylines.social/@CentralBylines (UK)
https://bylines.social/@NWBylines (UK)
https://bylines.social/@KentBylines (UK)
https://bylines.social/@SussexBylines (UK)
https://bylines.social/@WEBylines (UK)
https://c.im/@BBC (bot)(UK)
https://c.im/@DW (bot)(German)
https://mastodon.social/@riffreporter (German)
https://mamot.fr/@lesjoursfr (France)
https://mamot.fr/@mdiplo (France)
https://piaille.fr/@Vert_le_media (France)
https://piaille.fr/@politis (France)
https://amicale.net/@lemondefr (bot)(France)
https://masto.ai/@linforme (France)
https://mastodon.social/@Reporterre (France)
https://mastodon.social/@Mediapart (France)
https://mastodon.social/@citizenlab (Canada)
https://mastodon.social/@rferl (International, Ukraine)

Note those marked (bot) — these may not have been established by the news organization but instead by some other entity whose identity is not clear. They are cross-posting news headlines from somewhere, possibly Twitter. Each (bot) is a failure; it may share the organization’s news articles faithfully, but the site isn’t verified and its posts will never answer any questions from readers. It’s a loss of control over IP and branding, at a minimum.

The real successes are those which set up their own instances, like the Texas Observer. Best in class is the Bylines Network which has not only established an instance but accounts for each of its local news subsidiaries. Ideally this is what news organizations like Gannett or McClatchy would do with their network of local papers.

Of course these are all news outlets which still focus on print; television news should take the same approach.

And all of the journalists who report for these entities should have verified accounts with their employers’ instance.

Not a single thin dime need be spent on Twitter Blue to achieve verification.

Every instance is an opportunity to develop a closer relationship with readers in ways Twitter couldn’t provide. Because Mastodon is RSS friendly, every one of the news outlets above can be followed with an RSS reader by simply adding .rss to each address and then adding the address to a preferred RSS reader.

~ ~ ~

Why haven’t or won’t media outlets migrate to an instance on open platform Mastodon? As Don Hon wrote, it’s a bunch of work! It needs maintenance not unlike a website, and it needs a level of creative thinking which Twitter/Facebook/Instagram haven’t required because they’ve been fairly stable for years. The open web and the Fediverse is terra nova for news organizations, and it will take some craftiness to develop an new media ecosystem with measures to determine success of any invested effort.

It’s also too tempting to look at another billionaire-funded closed platform like Post.news and assume from its polished finish that this might return media outlets to normalcy.

Sadly, no. Many users are turned off by what has been characterized as a hollow echo chamber effect with little community building.

There are still more opportunities but each has has major drawbacks. Hive.social has had a major security problem; Jimmy Wales’ WT.social in beta phase is based in the UK and subject to entirely different laws regulating speech and intellectual property; no one wants to go back to relying on Facebook or Instagram, and LinkedIn wasn’t designed for the kind of community usage Twitter has had.

I have yet to hear anyone express interest in Jack Dorsey’s BlueSky which is still in development.

At some point media outlets need to face reality, as UCLA Associate Professor of Information Studies Dr. Sarah T. Roberts explained:

As people are leaving Bird for good, I find that many are engaged in what I believe is a dangerous and misguided game of mixing apples and oranges. After what just happened, and all that it has revealed about reliance on for-profit corporate entities for interpersonal and community interaction, why advocate for another such environment? Substack is already known garbage, and Post provides no future-proofing. When I say, “seize the means of your social media production,” this is why.

Seize the means, indeed.

~ ~ ~

UPDATE-1 — 12:15 P.M. ET 18-DEC-2022 —

Community member Laura Hoey informed us The Oregonian (OregonLive.com) has a Mastodon account. I’ve added it to the list of local news outlets above.

It’s a particularly interesting addition because the host instance, https://verified.mastodonmedia.xyz, is a dedicated server for use by journalists or media personalities. The owner/operator is Matt Karolian, who describes himself as “Boston Globe by day, Mastodon Admin by night.”

If you know of a local news outlet which has a Mastodon account but isn’t on the list above, let me know in comments and I’ll add it as long as comments are open on this post. Thanks!

UPDATE-2 — 3:50 P.M. ET 18-DEC-2022 —

Another local news outlet added to the list, courtesy of community member Katrina Katrinka. See Salt Lake Tribune at https://mas.to/@sltrib.

If you are a newer user of Mastodon and find the site laggy, it’s because of a crush of new accounts and more posts. I’m trying to write yet another post which should address the reason for this influx.

image_print