Leak Investigations Archives - Page 32 of 59

On the Timing of the Nghia Hoang Pho Plea

December 4, 2017/6 Comments/in Cybersecurity, Leak Investigations /by emptywheel

Last Friday, the guy responsible for getting a bunch of NSA hacking tools stolen from his home computer, 67-year old Nghia Hoang Pho, pled guilty to willful retention of classified information. His plea hearing was held in secret; according to the NYT which broke the story, “one courtroom official described the charges against Mr. Pho as ‘super-sealed’ before the hearing.”

According to the information supporting his guilty plea, Pho had been bringing NSA files home for 5 years, from 2010 to 2015.

I want to note something about the timing of the plea. The actual plea deal is dated October 11. It states that “if this offer has not been accepted by October 25, 2017, it will be deemed withdrawn.” The information itself was actually signed on November 29. Friday, the actual plea, was December 1.

So while there’s not a substantial cooperation component in the plea deal, certainly a substantial amount of time took place in that window, enough time to cooperate.

And consider the news coverage that has happened during that period. The initial plea offer was made in the week following a big media blitz of stories blaming Pho (and through him Kaspersky) for the Russian theft of NSA tools. In the interim period between the offer and the acceptance of the plea deal, Kaspersky confirmed both verbally and then in a full incident report that his AV had found the files in question, while noting that a third party hacker had compromised Pho’s machine during the period he had TAO’s tools on it.

In other words, after at least an 18 month investigation, Pho finally signed a plea agreement as the media started blaming him for the compromise of these tools.

During much of that period, Harold Martin was in custody and under investigation for a similar crime: bringing a bunch of TAO tools home and putting them on his computer. Only, unlike Pho, Martin got slammed with a 20-count indictment, laying a range of files, and not just files from NSA. Indeed, the Pho plea notes,

This Office and the Defendant agree that the Defendant’s conduct could have been charged as multiple counts. This Office and the Defendant further agree that had the Defendant been convicted of additional counts, … those counts would not group with the count of conviction, and the final offense level would have increased by 5 levels.

That is, the government implicity threatened Pho to treat him as Martin had been, with a separate charge tied to the individual files he took.

Since April, Martin’s docket has featured continuation after continuation that might reflect cooperation with the government.

All this leads me to believe that these two investigations may have worked in tandem. Whereas the government originally insinuated Martin had provided the files that Shadow Brokers started leaking in August 2016, the Martin cooperation may have led the government to understand the Pho compromise differently. That is, it’s possible that Pho was the source for Shadow Brokers’ tools (or rather, that both men were), but the government didn’t come to understand that until Martin started cooperating.

It’s not clear whether, between the two of them, it would account for all the files that Shadow Brokers had (nor is it clear that Shadow Brokers ever had all the files made available by one or the other of them by loading them onto their home machine). For example, it’s not clear either would have had the San Antonio files at the center of the Second Source theory.

Whatever the details, the timing of the Nghia Hoang Pho plea may suggest that the government only belatedly came to understand how, by loading a bunch of TAO tools running on his Kaspersky-running computer, made the tools available to a third party hack. Certainly, that would explain why Kaspersky has a better understanding of the timing of all this than the government does.

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

December 3, 2017/in Cybersecurity, Drones, EO 12333, Leak Investigations, Terrorism, Torture, Unitary Executive /by emptywheel

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing 4 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2013

What a Targeted Killing in the US Would Look Like

Amid now-abandoned discussions about using the FISA court to review targeted killing, I pointed out that a targeted killing in the US would look just like the October 28, 2009 killing of Imam Luqman Abdullah.

Article II or AUMF? “A High Level Official” (AKA John Brennan) Says CIA Can Murder You

When the second memo (as opposed to the first 7-page version) used to authorize the killing of Anwar al-Awlaki, it became clear that OLC never really decided whether the killing was done under Article II or the AUMF. That’s important because if it’s the latter, it suggests the President can order anyone killed.

John Brennan Sworn in as CIA Director Using Constitution Lacking Bill of Rights

I know in the Trump era we’re supposed to forget that John Brennan sponsored a whole lot of drone killing and surveillance. But I spent a good deal of the Obama Administration pointing that out. Including by pointing out that the Constitution he swore to protect and defend didn’t have the First, Fourth, Fifth, and Sixth amendment in it.

2014

The Day After Government Catalogs Data NSA Collected on Tsarnaevs, DOJ Refuses to Give Dzhokhar Notice

I actually think it’s unreasonable to expect the government’s dragnets to prevent all attacks. But over and over (including with 9/11), NSA gets a pass when we do reviews of why an attack was missed. This post lays out how that happened in the Boston Marathon case. A follow-up continued that analysis.

A Guide to John Rizzo’s Lies, For Lazy Journalists

Former CIA General Counsel John Rizzo lies, a lot. But that doesn’t seem to lead journalists to treat his claims skeptically, nor did it prevent them from taking his memoir as a statement of fact. In this post I summarized all the lies he told in the first 10 pages of it.

Obama to Release OLC Memo after Only 24 Congressional Requests from 31 Members of Congress

Over the year and a half when one after another member of Congress asked for the OLC memos that authorized the drone execution of Anwar al-Awlaki, I tracked all those requests. This was the last post, summarizing all of them.

The West’s Ideological Vacuum

With the rise of Trump and the success of Russia intervening in US and European politics, I’ve been talking about how the failures of US neoliberal ideology created a vacuum to allow those things to happen. But I’ve been talking about the failures of our ideology for longer than that, here in a post on ISIS.

KSM Had the CIA Believing in Black Muslim Convert Jihadist Arsonists in Montana for 3 Months

There weren’t a huge number of huge surprises in the SSCI Torture Report for me (indeed, its scope left out some details about the involvement of the White House I had previously covered). But it did include a lot of details that really illustrate the stupidity of the torture program. None was more pathetic than the revelation that KSM had the CIA convinced that he was recruiting black Muslim converts to use arson in Montana.

2015

The Jeffrey Sterling Trial: Merlin Meets Curveball

A big part of the Jeffrey Sterling trial was CIA theater, with far more rigorous protection for 10 year old sources and methods than given to 4 year old Presidential Daily Briefs in the Scooter Libby trial. Both sides seemed aware that the theater was part of an attempt, in part, to help the CIA gets its reputation back after the Iraq War debacle. Except that the actual evidence presented at trial showed CIA was up to the same old tricks. That didn’t help Sterling at all. But neither did it help CIA as much as government prosecutors claimed.

The Real Story Behind 2014 Indictment of Chinese Hackers: Ben Rhodes Moves the IP Theft Goal Posts

I’ve written a lot about the first indictment of nation-state hackers — People’s Liberation Army hackers who compromised some mostly Pittsburgh located entities, including the US Steel Workers. Contrary to virtually all the reporting on the indictment, the indictment pertained to things we nation-state hack for too: predominantly, spying on negotiations. The sole exception involves the theft of some nuclear technology from Westinghouse that might have otherwise been dealt to China as part of a technology transfer arrangement.

Obama’s Terrorism Cancer Speech, Carter’s Malaise Speech

In response to a horrible Obama speech capitulating to Republican demands he treat the San Bernardino attack specially, as Islamic terrorism, I compared the speech to Jimmy Carter’s malaise speech. Along the way, I noted that Carter signed the finding to train the mujahadeen at almost the exactly moment he gave the malaise speech. The trajectory of America has never been the same since.

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

December 3, 2017/25 Comments/in automobiles, Intelligence, Leak Investigations, state secrets, Torture /by emptywheel

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing probably 3 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2008

We Are All Flint, MI Now

During the bailout, I did a post trying to imagine the worst that could happen if GM went bankrupt. One of my biggest worries — that China would start importing Buicks, making it far harder for US manufacturers to compete, has already happened.

This was, of course, before Republican mismanagement poisoned the entire city of Flint, MI. Perhaps the post is even more true now.

2009

Khalid Sheikh Mohammed Was Waterboarded 183 Times in One Month

While most of DC was busily engaged in both sides journalism on the impact of Obama’s decision to release the torture memos in 2009, I (and readers here!) was reading closely. Which is how I noted the reference to the 183 waterboards CIA administered to KSM in one month.

“Affordable” Health Care

Bill Supporters Still Can’t Say “Affordable”

In a series of posts at the end of 2009, I laid out how ObamaCare still required participants to spend too much of their income on health insurance and care, which would lead to lots of people to not use it. That has turned out to be one of the biggest problems with ObamaCare (and one of the reason it wasn’t all that popular until Trump tried to take it away). If Democrats ever wrest control from the Republicans again, this is a problem that still needs to be fixed.

2010

Abu Zubaydah’s To rturers Relied on July 13 Yoo Fax, not Bybee Memo

I found a lot of things (including Gul Rahman’s ID, but I waited on that to protect the identity of the CIA officer who oversaw his killing) in the Office of Professional Management report on John Yoo’s torture memos released in 201. One that remains important — and poorly understood — is that the first torture actually operated under authorization from a freelance fax from Yoo issued weeks before the famous August 1 Bybee memo, rather than the full OLC memo itself.

FDL Book Salon Welcomes Steven Rattner, Author of Overhaul

There were two or three of Bev’s badly missed book salons I hosted that I particularly enjoyed (Bob Woodward is another). But none was better than hosting Steven Rattner, for his very blinkered view of his own role in the auto bailout. The comment thread in it was epic, too, but sadly gone.

Hatfill and Wen Ho Lee and Plame and al-Awlaki and Assange

After a panel on the Scooter Libby case, I meditated on how those with the secrets increasingly use journalists as a stand in for due process. This is not a post I’ve returned to a lot, but particularly given everything that has transpired since, particularly given where Assange has gone since, it strikes a nerve.

The Slow Death of Neoliberalism: Part 2

October 7, 2017/62 Comments/in emptywheel, Leak Investigations, Left Theory /by Ed Walker

The Slow Death of Neoliberalism Part 1.

This post focuses on the failings of neoliberal economic theory. Neoliberalism arises out of positivist philosophy, defined in Part 1. Positivism is the theory that the only true knowledge comes from the scientific process.

There are five main principles behind Positivism:

1. The logic of inquiry is the same across all sciences (both social and natural).

2. The goal of inquiry is to explain and predict, and thereby to discover necessary and sufficient conditions for any phenomenon.

3. Research should be empirically observable with human senses, and should use inductive logic to develop statements that can be tested.

4. Science is not the same as common sense, and researchers must be careful not to let common sense bias their research.

5. Science should be judged by logic, and should be as value-free as possible. The ultimate goal of science is to produce knowledge, regardless of politics, morals, values, etc.

Economists created a group of sayings which they put in their introductory textbooks and teach as laws and principles to their students at all levels. For example, N. Gregory Mankiw, economics professor at Harvard, starts his introductory economics textbook Principles of Macroeconomics with a list of ten Principles he claims almost all economists agree are true. Any thoughtful person reading this list will see that these ten statements are either tautological (you can’t do two things at once) or are mere rules of thumb. The idea that you could build a positivist science on this foundation is absurd. But Mankiw disagrees, and so does everyone who took Econ 101 and stopped, and especially so do the elites from our top schools.

It’s not surprising, then, that this version of economics is failing. It cannot perform the basic goal of a scientific theory, making accurate predictions. Economic models have failed and will continue to fail to predict disasters; and there isn’t much hope that they will ever be able to predict anything of interest.

In Part 1 I pointed out that the positivist program can’t be easily adapted to the social sciences. David Andolfatto of the St. Louis Fed agrees, and tells us what we can expect from economics:

But seriously, the delivery of precise time-dated forecasts of events is a mug’s game. If this is your goal, then you probably can’t beat theory-free statistical forecasting techniques. But this is not what economics is about. The goal, instead, is to develop theories that can be used to organize our thinking about various aspects of the way an economy functions. Most of these theories are “partial” in nature, designed to address a specific set of phenomena (there is no “grand unifying theory” so many theories coexist). These theories can also be used to make conditional forecasts: IF a set of circumstances hold, THEN a number of events are likely to follow. The models based on these theories can be used as laboratories to test and measure the effect, and desirability, of alternative hypothetical policy interventions (something not possible with purely statistical forecasting models).

This obvious straw man at the beginning of this quote is typical of the arrogant economist described by Marion Fourcade. But let’s see how well the economist business does at the weak test of effectiveness offered by Andolfatto.

For decades economists taught the Kuznets Curve which they said shows that as industrialization proceeds, economic inequality first rises and then falls.
Thomas Piketty takes up this theory in Capital In The Twenty-First Century, and extends the data forwards and backwards from the early 1950s. Here’s a graph of top decile income share from 1910 to 2010 from Wikipedia.

Looking at that graph through the time Kuznets wrote, the early 50s, it might be read to support that hypothesis. The sudden rise, starting under Reagan and continuing ever since, completely contradicts the hypothesis. That didn’t stop people from teaching it.

The Phillips Curve asserts that there is a connection between inflation and unemployment: as the unemployment rate drops, inflation increases. It’s one of Mankiw’s 10 principles; and it’s deeply embedded in the models used by the Fed to decide interest rates. It’s mostly wrong. Here’s a recent debunking from the Philadelphia Fed, concluding that the Phillips Curve might help forecast inflation in a weak economy, but does not work in an expanding economy.

The Wikipedia Page for Phillips Curve says that:

The original Phillips curve literature was not based on the unaided application of economic theory. Instead, it was based on empirical generalizations. After that, economists tried to develop theories that fit the data.

A 2008 paper, The History of the Phillips Curve: Consensus and Bifurcation, Economica (2008), P. 10, lays out the history in detail. Roughly speaking, it begins with the observation by William Phillips that in the UK there was a stable relation between the rate of wage growth and inflation over a substantial period of time, and deviations could be explained reasonably. This paper was picked up by Paul Samuelson and Robert Solow and turned into the earliest mathematical formula in 1958. Since then there have been a number of occasions where the Phillips Curve failed, and each time economists just grab some more of their existing tools and try to fix it or explain the failure, in each case after policy-makers have gone on as if it were right and forced bad results on the economy and especially the wages of workers.

Here’s a third example. Economists say that the reason wages are stagnant is that productivity is flat, as if there were a relation between wages and productivity. Anyone who looks at this chart and reads this article from the Economic Policy Institute will have a huge question about that.

And that isn’t just the right-wing. Plenty of centrist Democrats make the same argument. And by the way, what does this say about the central theory of free market economics that supply and demand for labor set prices?

As I say here and here, neoliberal economists used their ideology of free markets to influence policy and to change the entire way we think about society without having the slightest idea of the consequences of their meddling because their models aren’t designed to deal with changes in societies or economies. As my examples show, they just keep on regardless of the success or failure of their predictions, and politicians and rich people ignore the failings and continue to follow their foolish advice.

Neoliberal economics obviously fails to measure up to the standards of positivism. It can’t predict anything useful, and it barely is able to explain itself coherently. That’s a problem with positivism too. People are slowly, slowly coming to grips with these failures and the damage they have done. It’s adherents are dying off, and their replacements are into it for the money and the power. Stupid ideas never die, but maybe they will lose their influence.

Updated to correct link to EPI article and chart.

702 Reauthorization: The Anti-Leak Package

October 7, 2017/7 Comments/in FISA, Leak Investigations /by emptywheel

As part of the draft Section 702 Reauthorization released this week, the House Judiciary Committee included what I’ll call the anti-leak package. They’re not actually presented in the same Title, but I want to consider them as a group as a way to consider whether they’ll do anything to make leaking less useful than internal whistleblowing.

The package consists of three things:

Increased penalties for improperly handling classified information
New protections for FBI whistleblowers and contractor whistleblowers
A GAO report on whether classification works

Increased penalties for improperly handling classified information

The first part of the package changes 18 USC 1924, which criminalizes unauthorized retention of classified documents, to make knowingly retaining classified information a felony, while creating a new misdemeanor for negligently retaining classified information.

SEC. 302. PENALTIES FOR UNAUTHORIZED REMOVAL AND RETENTION OF CLASSIFIED DOCUMENTS OR MATERIAL.

Section 1924 of title 18, United States Code, is amended—

(1) in subsection (a), by striking ‘‘one year’’ and inserting ‘‘five years’’;

(2) by redesignating subsections (b) and (c) as subsections (c) and (d), respectively; and 13 (3) by inserting after subsection (a) the following new subsection (b):

(b) Whoever, being an officer, employee, contractor, or consultant of the United States, and, by virtue of his office, employment, position, or contract, becomes possessed of documents or materials containing classified information of the United States, negligently removes such documents or materials without authority and knowingly retains such documents or materials at an unauthorized location shall be fined under this title or imprisoned for not more than one year, or both.

I think this was done to make what Hillary Clinton did a clear felony, so Republicans can squawk about it, rather than solving any real problem.

Which is a pity. Because those who want to write new laws criminalizing the retention and leaking of classified information (something I’m not advocating, but I understand the sentiment), it might be useful to write laws that address the problems we’re actually seeing.

For example, the Espionage Act should be rewritten to make it clear it only applies to real Espionage — the secret sharing of “national defense information” (which should be better defined) with an adversary for some kind of personal benefit. By all means, create something else that applies to the Edward Snowdens and Chelsea Mannings of the world, if you feel the need to. But in that law, do something to ensure that the David Petraeuses of the world — who leaked information to get laid and tell nice stories about himself — don’t get a wrist slap, while people who at least believe their acts to be benefitting the country face life imprisonment.

The degree to which the Espionage statute specifically, and leak prosecutions generally, have become the means to pursue arbitrary retaliation against people who don’t hew a party line undermines the legitimacy of the classification system, which (in my opinion, as someone who has covered most recent leak prosecutions) just leads to more leaking.

In related news, one of the reasons why magistrate Brian Epps Cobb denied Reality Winner bail yesterday is because she admires Snowden and Assange.

In addition, this week’s news that an NSA TAO hacker brought files home and used them on his machine running Kaspersky, thereby alerting Russia to them, suggests the need to consider the impact of even negligent improper handling, because it can have an impact akin to that of Snowden if it is compromised.

Finally, there should be some controls over abuse of Original Classification Authority, both in Prepublication Reviews, to prevent the selective censorship of important stories. And there should be some recognition that OCAs are often not the only source of information (which is one of the problems with the Hillary emails — her staffers were reporting widely known facts that the CIA later claimed a monopoly on, thereby making the information “classified”).

Perhaps the GAO review, below, can go some distance to making this happen.

New protections for contractor whistleblowers

There’s a section that extends the (still inadequate) whistleblower protections of the National Security Act to contractors, while adding protection (just for contractors!) for the reporting of “evidence of another employee or contractor employee accessing or sharing classified information without authorization.” It also adds additional reporting vehicles for FBI contractors (to DOJ or FBI’s Office of Professional Responsibility, to FBI’s Inspection Division, or to the Office of Special Counsel).

The bill also adds contractors to those you can’t retaliate against by stripping of security clearance if they’ve made a protected disclosure.

Contractor is defined as “an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor, of a covered intelligence community element.”

As I said, this is just the protection extended to intelligence community employees, with enforcement by the President, the same guy who orders up the illegal activities (such as torture or domestic spying) of the IC.

Plus, I’m not sure the language protects against two other problems that have happened with contractors. First, the loss of a contract, which doesn’t seem to be included in the definition of personnel decisions. So an agency could retaliate not by denying a promotion, but simply denying a contract. And, for similar reasons, I’m not sure the language prevents a contractor from retaliating against one of their employees directly, particularly if they’re threatened with losing work.

As I said, I’m not sure on this. I await analysis from the people who work whistleblower issues all the time.

That said, while this is an important improvement that will extend the same inadequate protection that IC employees get to IC contractors, I think it doesn’t necessarily protect against some known kinds of retaliation.

A GAO report on whether classification works

Perhaps most interestingly, the bill asks GAO to conduct on a story on why we’re having so much leakage.

SEC. 303. COMPTROLLER GENERAL STUDY ON UNAUTHORIZED DISCLOSURES AND THE CLASSIFICATION SYSTEM.

(a) STUDY.—The Comptroller General of the United States shall conduct a study of the unauthorized disclosure of classified information and the classification system of the United States.

(b) MATTERS INCLUDED.—The study under subsection (a) shall address the following:

(1) Insider threat risks to the unauthorized disclosure of classified information.

(2) The effect of modern technology on the unauthorized disclosure of classified information, including with respect to—

(A) using cloud storage for classified information; and

(B) any technological means to prevent or detect such unauthorized disclosure.

(3) The effect of overclassification on the unauthorized disclosure of classified information.

(4) Any ways to improve the classification system of the United States, including with respect to changing the levels of classification used in such system.

(5) How to improve the authorized sharing of classified information, including with respect to sensitive compartmented information.

(6) The value of polygraph tests in determining who is authorized to access classified information.

(7) Whether each element of the intelligence community (as defined in section (4) of the National Security Act of 1947 (50 U.S.C. 3003(4))—

(A) applies uniform standards in determining who is authorized to access classified information; and

(B) provides proper training with respect to the handling of classified information.

(c) COOPERATION.—The heads of the intelligence community shall provide to the Comptroller General information the Comptroller General determines necessary to carry out the study under subsection (a).

(d) REPORT.—Not later than 180 days after the date of the enactment of this Act, the Comptroller General shall submit to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a report containing the study under subsection (a). (e) FORM.—The report under subsection (d) shall be submitted in unclassified form, but may include a classified annex.

I really like the idea of doing such a report (though am not sure GAO can get it done in just 6 months, especially since I’m sure some agencies will filibuster any cooperation). And what a novelty, to finally consider whether polygraphs actually do what they’re claimed to do (rather than get people to confess to dirt that can later be used against them or leaked to China in an OPM hack).

As mentioned above, a really thorough such study should also look specifically at the Prepublication Review process, which is one of the most notorious forms of arbitrary use of classification.

It should also try to quantify how much classification does (abusively) hide mismanagement or law-breaking, especially in the FOIA process.

A truly thorough study would have to include leaks by members of Congress, up to and including the Gang of Four — but that’s never going to happen and so that means of leakage will remain untouched.

A study should also not only review recent leak prosecutions, with a particularly focus on the selectivity with which they’ve been taken, but compare leak prosecutions with the efficacy of internal measures (like stripping someone of clearance), which ODNI has been using more in recent years, at least before Reality Winner.

And a study should do a macro review of the initiatives put in place since Chelsea Manning’s leaks, to review overall compliance (we know NSA and CIA had not fully complied as of last year), and to measure whether those initiatives have done any good.

Finally, for the classified version, the report should include a full measure of how much internal spying is being targeted at government employees and contractors in various CI programs, and whether those are overseen adequately (they’re absolutely not).

Will this all do any good?

As I said, I’m the one lumping these together into a package, not the bill’s authors. I did so, though, to better weigh whether this will do any good — whether we’ll move the balance on necessary discussions for democracy being weighed against genuine need to protect secrets. I think an actual assessment is worthwhile.

But ultimately, I suspect our leak problem stems, in large part, from the degree to which classification (and clearances and leak prosecutions) have all been designed to give the Executive Branch unfettered ability to run an arbitrary system of secrets that does as much to serve nexuses of power as it does to keep the country safe. Secrets, in DC, have become the coin of power, not the necessary tool to ensure a vibrant and secure democracy.

And I’m not sure this effort will do much to change that.

In Reality Winner Case, Government Warns of Recruitment by Media Outlets that “Procure the Unauthorized Disclosure of Classified Info”

September 29, 2017/6 Comments/in emptywheel, Leak Investigations, Russian hacks /by emptywheel

As I’ve reported recently Reality Winner has claimed both that her interview with the FBI was not consensual and that she should be released on bail like people who’ve leaked more sensitive documents, including David Petraeus. Significantly, Winner made claims about her interview and DOJ’s lack of related accusations to suggest the leak of the single document to the Intercept is all they’ve got on her.

The government responded to Winner’s claims — in their response to her request for bail — with a whole new set of claims not included in other documents (on top of making fairly ridiculous claims to suggest Winner should be detained when those who had access — and in the case of David Petraeus, leaked — far more classified information were not).

In the response itself, they raise issues that are fair and significant. But they all seem designed to suggest that Winner must be treated more harshly than Petraeus because she’s more likely to be “recruited” by “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.”

At the same time, the Defendant is an attractive candidate for recruitment by well-funded foreign intelligence services and non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.

Consider how the government treats different media outlets.

The Washington Post

First, the government’s description of Winner’s phone searches suggest Winner sent the document to a “print news outlet” in addition to the Intercept, and kept looking at both to see if they published the document.

On May 9, the Defendant searched for the secure mailing address of a Print News Outlet, viewed a document called “How to Share Documents and News Tips with [Print News Outlet] Journalists” on the Print News Outlet’s website, searched for an Online News Outlet and “secure drop,” and viewed the Online News Outlet’s page containing instructions for the anonymous transmission of leaked information.
On May 12, a few days after she mailed the leaked document, the Defendant searched online for the Print News Outlet referenced on May 9, as well as the Online News Outlet to which she transmitted the leaked document, and viewed the homepages of both publications.
On May 13, the Defendant searched for the Print News Outlet, viewed its homepage, and then searched “[IC component] leak” and “[IC component] leak [Foreign Country]” on multiple occasions.
On May 14, the Defendant searched for and viewed the Print News Outlet’s homepage, and then searched within the Print News Outlet’s website for the name of the relevant IC component. She also searched for and viewed the Online News Outlet’s homepage.
On May 22, the Defendant viewed both the Print News and Online News Outlets’ websites, and she searched for the name of the relevant IC component within both websites.

The Washington Post’s “confidential tips” page comes up on a search for “How to Share Documents and News Tips” (though the page does not now have that name). That suggests Winner shared a copy of this document with the WaPo as well as the Intercept. But the focus in these materials on a completed crime is exclusively focused on the Intercept (which also is not named).

The interview transcript released with this filing does not, apparently, discuss Winner’s leak to what appears to be the WaPo, aside from asking if she sent the leaked document anywhere else, to which she said “no.” The agents interviewing her tipped her that the document had been sent to an online news source that she “subscribes” to. So FBI may not have mentioned WaPo because WaPo did nothing with the story — or at least nothing with a source who then informed the government, which is how the Intercept got exposed — meaning the FBI did not yet know about it. Or perhaps the FBI was just far more interested in the fact that Winner leaked to the Intercept.

Wikileaks and Anonymous

The filing does its most significant damage in repeating Winner’s support for WikiLeaks, Edward Snowden, and Anonymous. According to the filing, at the same time she was looking for clearance jobs in November 2016 (at the end of her deployment), she was researching anonymous and Wikileaks.

The Defendant’s duplicity is starkly illustrated by the fact that she researched opportunities to access classified information (multiple searches for jobs requiring a security clearance on ClearanceJobs.com) at the same time in November 2016 that she searched for information about anti-secrecy organizations (Anonymous and Wikileaks).

And in March, she told her sister she was “on Assange’s [and Snowden’s] side.”

On March 7, 2017, the Defendant searched for online information about Vault 7, Wikileaks’s alleged compromise of classified government information. Later on March 7, 2017, the Defendant engaged in the following Facebook chat with her sister in which she expressed her delight at the impact of the alleged compromise reported by Wikileaks:

SISTER: OMG that Vault 7 stuff is scary too

WINNER: It’s so awesome though. They just crippled the program.

SISTER: So you’re on Assange’s side

WINNER: Yes. And Snowden

It’s not just that Winner is reading Wikileaks and Snowden-leaked documents (which the government would be happy to use to villainize a leaker in any case). She’s cheering the destruction of CIA (and by association, NSA) capabilities. Which is not something the more prolific leaker David Petraeus did.

The curious declassification of an FBI interview about leaking

Before I get into how these materials treat the Intercept, let me take a detour to talk about the declassification of Winner’s interview which, because it discusses her work at NSA, includes a lot of information that must be classified.

As a number of outlets noted (I believe Politico reported it first), when the transcript of her FBI interview was first released, it included Winner’s social security number and date of birth — a no-no for PACER documents. It included her home computer password. It also revealed Winner worked on collection targeting Iranian Aerospace Forces Group, a remarkable disclosure given that the government says Winner can’t be released because she’ll be targeted by foreign governments (in addition to “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information”); they’ve just put a bullseye on her back for Iran. It also reveals she used to work for a drone mission. It includes the code name and the street name of her NSA location.

For either privacy and security reasons, those are remarkable disclosures.

Now consider what they did redact.

There’s a reference to Russian hacking (or the election), and Winner’s description of something akin to that. There’s a few more references, perhaps on the election, again redacted.

Perhaps the most interesting (and understandable) redaction is her explanation for why she thought the collection points on Russian hackers were already compromised.

[sigh] I had figured that, uhm, [half line redacted] that it didn’t matter anyway. Uhm honestly, uh, I just figured that whatever we were using had already been compromised, and this report was just going to be like a – one drop in the bucket.

All of which is to say the classification decisions here are pretty random.

Which is all the more interesting given the fact that the document has no declassification notes, describing who declassified it and for what purpose. If I’m Winner’s lawyers, I’m on the phone with former ISOO head Bill Leonard (who has served as an expert witness in past leak cases), asking him to testify that in a case about mishandling classified information, the government didn’t handle this document in rigorous fashion.

The Intercept: hiding the name, the motive, and a few more details

Which brings me to the decisions about redactions on parts of the transcript that pertain to the Intercept.

It hides the Intercept’s name, but also several references to her motive, including one very long description (on PDF 69)

More interesting, it redacts details about how she mailed it to the Intercept.

And redacts another passage where she describes how she found the address to send it to the Intercept — the actual details of which are included in the passage on her phone searches, above.

It redacts another passage asking whether she included anything in the envelope to the Intercept.

All of which is to say that in submissions that claim Winner is a particular risk because she might be “recruited” by NGOs and “media outlets that advocate and procure the unauthorized disclosure of classified information,” it is still hiding key details about Winner’s descriptions of her actions with respect to the Intercept.

After reading this transcript, I’m actually surprised the government hasn’t (yet) taken a harsher approach, perhaps charging her for a leak to the WaPo or for lying, initially, to the FBI (not charging her for lying to the FBI is one way, I guess, where she is getting the treatment David Petraeus got).

That may suggest they’re entertaining going after the Intercept here, for “recruiting” Reality Winner — a replay of the tactic they tried with Chelsea Manning years ago, only this time with an Attorney General and a Congress rushing to invent new categories of non-state hostile intelligence services to criminalize some kinds of publishing.

Government Decides Reality Winner Leaked Just One Document After All

September 27, 2017/3 Comments/in emptywheel, Leak Investigations /by emptywheel

Back in June, I noted that one of the reasons the government convinced a judge to deny Reality Winner bail was that she had leaked documents, plural.

There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winter might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents. [my emphasis]

I showed that Winner actually leaked two documents to the Intercept.

Curiously, it appears the prosecutor in this case, Jennifer Solari, has changed her mind. Attached to a motion to reconsider bail, Winner’s lawyers have noted that weeks after claiming Winner had to be jailed because she told her mom she had stolen multiple documents, Solari listened to the transcript and decided Winner only referred to a document, singular.

The following is new evidence that was not available at the time of the initial detention hearing (and could not have reasonably been available given the mere three days between the initial appearance and detention hearing), all of which have a material bearing on the issue of release. • While repeatedly alleging that Ms. Winner disclosed numerous “documents” at the initial detention hearing—a fact that the Court specifically noted in its findings to support detention the Government has, via email to this Court, retracted those assertions. The Government now alleges there was only one document, rather than numerous documents, at issue. [See Exhibit A (email correspondence from Assistant United States Attorney Jennifer Solari to defense counsel and the Court dated June 29, 2017); Doc. 29 p. 105; see also Doc. 72].

In her email informing the defense of this, Solari explained,

Before the hearing, I had only heard a portion of the call in which the defendant asked her mother to “play that angle” regarding the alleged circumstances of her FBI interview. I proffered information about the other jail calls based upon verbal summaries I was provided by the FBI just before the hearing. Now that I’ve heard the recordings myself, I’d like to clarify some of the information for the court and counsel.

Solari goes on to suggest that another correction — regarding why Winner had her mom transfer money — came from an inference the FBI agent made.

I’m glad Solari corrected these issues — prosecutors often double down in such instances. I’d certainly scrutinize the other claims made by the FBI agents in the case after this.

Apparently, the government also left other details out of its story when painting Winter as an opsec genius to deny her bail. For example, in addition to pointing out how many people use Tor, her lawyers revealed that she had used it to access Wikileaks once.

The Government failed to explain, however, that Ms. Winner told the Government during her interrogation on June 3, 2017, that she used Tor once for looking at WikiLeaks.

It also notes that the superseding indictment still just charges Winner for the one document.

Finally, it compares her treatment with all of the other alleged leakers who got bail (including David Petraeus).

It’s unclear whether this will win her release. But it certainly suggests the government overstated her threat in her bail hearing.

The Mark Zaid Materials from the Jeffrey Sterling Trial

September 26, 2017/15 Comments/in emptywheel, Leak Investigations /by emptywheel

Because he just formed a new whistleblower group with John Napier Tye, there as been renewed interest in allegations an FBI Agent made during the Jeffrey Sterling case about attorney Mark Zaid. But there was actually a second detail regarding Zaid released just after the trial that has not been publicly reported: Zaid was interviewed by the FBI, twice, and was even interviewed before Sterling himself was.

I asked Zaid whether he was obligated to do the FBI interviews on Twitter but got no response. I think it’s possible FBI asked to interview him as much because the Senate Intelligence Committee was refusing to cooperate in the investigation as anything else; at the time, FBI considered SSCI staffer Bill Duhnke a more likely suspect than Sterling (and it’s not clear they ever ruled him out).

Let me be clear: I’m posting these materials to make the full context of them accessible. Zaid has not explained these, but he has promised repeatedly there is an explanation for them. As noted, there may be a perfectly logical explanation that has as much to do with Senate privileges as it does with attorney-client.

In any case, these materials are just what was directly related to the criminal case. The criminal investigation actually interacted with events in Sterling’s EEO lawsuit — which is what Zaid was primarily representing Sterling on in 2003 — in even more interesting ways I may return to.

Special Agent Ashley Hunt’s accusations

The following accusation came in prosecutor Eric Olshan’s redirect of Ashley Hunt, the FBI witness in the trial, after Sterling’s lawyers had demonstrated that the investigation was narrowly focused on Sterling without questioning some of the other possible witnesses in the case.

Q. When you initiated the investigation, I believe you testified it was in April of 2003?

A. That’s correct.

Q. At the time when you initiated your investigation concerning unauthorized disclosure of classified information to James Risen, did you learn any information regarding Mark Zaid and Mr. Krieger that, that directed your investigation?

A. I did.

MR. MAC MAHON: Your Honor, objection. That door was not opened as to Mr. Sterling’s prior lawyers.

MR. OLSHAN: Your Honor, this is about why —

THE COURT: Again, the scope of the investigation, what was done and not done, was clearly part of the cross. I’m going to allow it, excuse me, on redirect; and if there needs to be recross on that, you’ll be allowed to. Go ahead.

MR. MAC MAHON: Thank you, Your Honor.

BY MR. OLSHAN: Q. What did you learn at the outset of your investigation about information from Mr. Krieger and Zaid that helped you direct your investigation and focus it?

A. When I opened my investigation on April 8, 2003, my investigation was based on a report I received from the CIA dated April 7, 2003. In that report, the CIA provided information about the fact —

MR. MAC MAHON: Your Honor, that’s hearsay.

THE COURT: Wait.

MR. OLSHAN: Your Honor, this is not for the truth. It’s why she took the actions.

THE COURT: It explains why she is acting, takes the investigative tacks that she does, so I’m going to overrule the objection. It’s not hearsay.

BY MR. OLSHAN: Q. You may continue, Special Agent Hunt.

A. The CIA advised that on February 24, 2003, it was contacted by Mark Zaid and Roy Krieger. They told the CIA on February 24 that a client of theirs had contacted them on February 21, 2003, and that that client, that unnamed client at the time voiced his concerns about an operation that was nuclear in nature, and he threatened to go to the media.

Q. Did you later learn who that client was from Mr. Zaid and Mr. Krieger in the course of your investigation?

A. I did.

Q. Did those facts help you focus the direction of your investigation?

A. They did.

Q. And who did you learn was the client of Mr. Krieger and Mr. Zaid?

A. Jeffrey Sterling.

On recross, Sterling lawyer Edward McMahon worked to undercut the revelation by having Hunt describe how, when she wrote up a memo on the case on April 12, 2003, she believed it unlikely he was the leaker.

Q. Okay. And you had written about Mr. Sterling in 2003, hadn’t you, the same time you’re telling in answer to Mr. Olshan’s questions that you were hearing some hearsay about Mr. Sterling’s lawyers?

A. I’m sorry, what’s the question?

Q. You said you had heard some hearsay that Mr. Sterling’s lawyers were talking about him at the CIA, correct?

A. What I said is that his attorneys went to the CIA on February 24. At that time, they did not name Jeffrey Sterling.

Q. All right. But on April 12 of 2003, you wrote a memo about Mr. Sterling, and you said that it was unlikely that it was Mr. Sterling who was the leak, correct?

A. If I wrote that at that time, then that was based on the information I had at that time.

Q. Right. You said that it’s unlikely that someone who has already attempted to settle an EEO lawsuit for a few hundred thousand dollars would choose to attack and enrage the organization from which he seeks but has not yet received a settlement. That’s your writing, isn’t it?

A. I don’t know. You haven’t shown me the document.

Q. And you also in the same document dismiss your concerns about Mr. Zaid and Krieger, correct? You don’t remember that?

A. I don’t know. It was 12 years ago.

Q. And in the last 12 years, you still haven’t come up with any proof that Mr. Sterling ever talked to Mr. Risen about Classified Program No. 1 or Merlin, right?

A. Correct.

Thus far, the timeline looks like this:

February 21: Alleged contact between Sterling and Zaid (not stated whether this is phone call or email, which would show up in call records available with a relevance standard)

February 24: Alleged call from Zaid and his partner warning that one of their clients would leak

April 7: CIA referral includes their claim about Zaid call

April 8: Hunt opens investigation

April 12: Hunt writes memo dismissing likelihood that Sterling is leaker

The FBI Interview Dates

Now consider the dates of the 2003 FBI 302s included in these two CIPA letters (the names with the first initial last name are CIA witnesses; it’s unclear whether that’s true of the entirely redacted names).

April 12: Redacted name

April 12: Robert J. E

April 12: Bob S

April 13: Redacted name

April 13: Redacted name

April 14: Bill H (almost certainly Bill Harlow, CIA’s then spox)

April 18: Mark Zaid (three page 302)

April 28: Bill H (again, almost certain Harlow)

May 7: Redacted name

May 9: Redacted name

June 19: Sterling

June 26: Bob S (Sterling’s supervisor)

July 18: Redacted name

July 21: Thomas H

August 1: David C

August 13: Redacted name

August 14: Diane F

That is, the memo where Hunt said she didn’t think Sterling was the leaker was written either before she had done any interviews, or after she had done just the first CIA ones (including with Sterling’s boss, who definitely blamed Sterling). The first round of interviews appear to be primarily or all CIA witnesses.

And the next interview — at least among those that Sterling’s defense thought they might use at trial — was Zaid. Zaid’s interview, in fact, was months before Sterling’s. The second letter shows a second Zaid interview on September 2, 2010.

To emphasize: Sterling’s lawyers requested these FBI interviews be available for trial, not the prosecution. It’s unclear whether they did that because the interviews would have helped them, or because (as was the case with virtually all the other witnesses) they thought they might need to draw on those interviews for cross-examination.

But unless there’s some wildly egregious error in these files, Mark Zaid did two interviews with the FBI before he — obligated by subpoena, he said repeatedly — testified before the grand jury on September 22, 2010.

SSCI Plays Hardball with Michael Cohen’s Attempt to Distract from Trump Tower Deal

September 19, 2017/3 Comments/in 2016 Presidential Election, Leak Investigations, Mueller Probe /by emptywheel

Just before it was supposed to start, SSCI canceled Michael Cohen’s private interview with the committee. They did so, per a statement from Richard Burr and Mark Warner, because Cohen broke an agreement not to talk to the press by releasing what has generally been described as “his statement” to the press beforehand.

We were disappointed that Mr. Cohen decided to pre-empt today’s interview by releasing a public statement prior to his engagement with Committee staff, in spite of the Committee’s requests that he refrain from public comment. As a result, we declined to move forward with today’s interview and will reschedule Mr. Cohen’s appearance before the Committee in open session at a date in the near future. The Committee expects witnesses in this investigation to work in good faith with the Senate.

But in point of fact, what got published as his “statement” was not the entirety of it. Close to the end of the “statement” is this paragraph, alluding to a further two page statement on the Trump Tower deal that somehow didn’t get leaked.

I assume we will discuss the rejected proposal to build a Trump property in Moscow that was terminated in January of 2016; which occurred before the Iowa caucus and months before the very first primary. This was solely a real estate deal and nothing more. I was doing my job. I would ask that the two-page statement about the Moscow proposal that I sent to the Committee in August be incorporated into and attached to this transcript.

Other than that paragraph, mind you, Cohen’s statement closely parallels the letter to HPSCI Cohen released last month after spending a week distracting from and pre-empting the Trump Tower story. Both deny the allegations in the Christopher Steele dossier, and try to suggest that if he is found innocent of those allegations, then HPSCI and/or SSCI must issue a statement exonerating him.

In other words, with both committees, Cohen has manipulated the press so as to set a narrative about his testimony, a narrative that treats the Steele dossier as the entirety of his expose, rather than the now far more interesting (and interestingly time) real estate deal.

Four days ago, Michael Cohen (or the Trump Organization) pre-empted revelations that would leak as soon as he turned over a third tranche of documents to the House Intelligence Committee by revealing a seemingly damning detail from it: along with Trump’s associate Felix Sater, Cohen was pursuing a Trump Tower deal in Moscow well after Trump’s campaign was in full swing. Sure enough, more damning information was still to come: Sater somehow imagined the deal — whatever it was — would get Trump elected. Then still more damning information: in January 2016, Cohen reached out to trusted Putin aide Dmitry Peskov to push for help on the deal. That’s when Cohen began to not recall precisely what happened, and also ignore questions about why he hadn’t told Trump about this call, unlike the other actions he took on this deal.

[snip]

All that said, the way in which Cohen has orchestrated this disclosure — up to and including his failures to recall and answer obvious questions — is either great lawyering and/or sign that this earlier deal making is a real problem.

Of course, Burr and Warner were having none of this narrative scene setting and so now will force Cohen to testify publicly.

Cohen is sure spending a lot of time orchestrating distractions from this property deal. A pity for him his second attempt didn’t work as well as the first one.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

September 15, 2017/3 Comments/in Cybersecurity, emptywheel, Leak Investigations, WikiLeaks /by emptywheel

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):

TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so #shadowbrokers helping out…you having big mouth for former #equationgroup member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing #equationgroup members but had make exception for big mouth, keep talking shit @msuiche your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.