Posts

What if Julian Assange Flipped?

I’ve said this before, I’ll say it again: I hope to hell Chelsea Manning’s advisors are cognizant of the ways her attempts to avoid testifying against Julian Assange may put her in unforeseen legal jeopardy.

I’m thinking of that anew given my consideration of what I consider to be a distant, but real, possibility: that the US government would offer Assange a plea deal on the current charge he faces in exchange for testimony in a range of other issues. The idea is crazy, but perhaps not as crazy as it sounds.

As I laid out in this post, it seems the US government has been carefully orchestrating the Assange arrest since Ecuador first applied for diplomatic status for him in 2017 in an attempt to exfiltrate him, possibly to Russia. They’re now on the clock, with (depending on which expert you ask) just 44 more days to lard on the additional charges multiple outlets have reported are coming. Meanwhile, he’s being held at Belmarsh, with conflicting stories about what kind of visitors he’s been permitted — though the UN Special Rapporteur for Privacy did visit him this week. Though I’ve asked some top experts, it’s not entirely clear whether, if he were being interrogated right now, that’d be under UK law or US law; the former has fewer protections against self-incrimination for people being detained.

One passage of the Mueller Report may provide an explanation for why his prosecutors didn’t obtain Julian Assange’s testimony.

The Office limited its pursuit of other witnesses and information-such as information known to attorneys or individuals claiming to be members of the media-in light of internal Department of Justice policies. See, e.g., Justice Manual §§ 9-13.400, 13.410.

Assange would fall squarely within DOJ policy covering people who are subjects or targets of an investigation for activities related to their news-gathering activities.

Member of the news media as subject or target. In matters in which a member of the Department determines that a member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the member of the Department requesting Attorney General authorization to use a subpoena, 2703(d) order, or 3123 order to obtain from a third party the communications records or business records of a member of the news media shall provide all facts necessary to a determination by the Attorney General regarding both whether the member of the news media is a subject or target of the investigation and whether to authorize the use of such subpoena or court order. 28 C.F.R. 50.10(c)(5)(i). If the Attorney General determines that the member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the Attorney General’s determination should take into account the principles reflected in 28 C.F.R. 50.10(a), but need not take into account the considerations identified in 28 C.F.R. 50.10(c)(5)(ii) – (viii). Id. Members of the Department must consult with the PSEU regarding whether a member of the news media is a subject or target of an investigation related to an offense committed in the course of, or arising out of, newsgathering activities.

The EDVA case appears to have gotten over this policy (perhaps by distinguishing the assistance on cracking a password from newsgathering activities); but it’s not clear Mueller did (especially given the discussion of First Amendment considerations in passages relating to WikiLeaks). In any case, this calculus may change given that he’s in British, not US custody.

And there has been very little reporting on what’s going on with him — or with US investigations into him.

There are a number of investigations the government would love to get his testimony on, including:

Testimony against Joshua Schulte

Schulte is the accused Vault 7 leaker. WikiLeaks has been far less circumspect about the possibility he’s their source than with other leakers (while also engaging in far less of an effort to lay the case that he’s a whistleblower). Plus, the government has video evidence of Schulte attempting to leak classified information.

But thus far, Schulte’s prosecution has been slowed by CIA’s reluctance to share the classified information Schulte needs to defend himself. Plus, the FBI apparently bolloxed up the initial search warrants for Schulte (in what I suspect was a sloppy effort at parallel construction), which Schulte has been trying to win the ability to speak publicly about for over a year; he recently appealed a decision denying him a request to exempt those initial warrants from his protective order.

To the extent that Assange and Schulte (if he is really the Vault 7 source) communicated — and there’s good reason to believe WikiLeaks did communicate in advance of this publication — then Assange might be able to provide testimony that would get beyond the classification problems.

Testimony about the response to his pardon requests (including Roger Stone’s role in it)

I also believe that DOJ continues to investigate the long effort — an effort that includes Roger Stone, whom prosecutors say is still under investigation — in brokering a pardon for Assange, possibly in part for Assange providing disinformation about where the Democratic documents came from. Consider that, as recently as November, Mueller was trying to learn whether Trump had discussed pardoning Assange before his inauguration, a question about which Trump was especially contemptuous, even given his overall contempt for responding to questions.

Then there’s a subtle point I find really interesting. When the Mueller Report lays out all the times Don Jr magnified Russian trolls, it noted that the failson’s fondness for Russian propaganda continued after the election.

96 See, e.g., @DonaldJTrumpJr 10/26/16 Tweet (“RT @TEN_GOP: BREAKING Thousands of names changed on voter rolls in Indiana. Police investigating #VoterFraud. #DrainTheSwamp.”); @DonaldJTrumpJr 11/2/16 Tweet (“RT @TEN_GOP: BREAKING: #VoterFraud by counting tens of thousands of ineligible mail in Hillary votes being reported in Broward County, Florida.”); @DonaldJTrumpJr 11/8/16 Tweet CRT @TEN_GOP: This vet passed away last month before he could vote for Trump. Here he is in his #MAGA hat. #voted #ElectionDay.”). Trump Jr. retweeted additional @TEN_GOP content subsequent to the election.

[snip]

103 @DonaldJTrumpJr 11/7/16 Tweet (“RT @Pamela jetonc13. Detroit residents speak out against the failed policies of Obama, Hillary & democrats . . . . “) [my emphasis]

The page-long section (page 60) that lays out Don Jr’s innocuous pre-election interactions (which is how I described them when they were first published) does not, similarly, note the President’s son’s more damning interactions with WikiLeaks that took place after the election, where Assange once privately

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

And then publicly asked for an Ambassadorship that would amount to a pardon.

Given the thoroughness of the report, I find the silence about these exchanges to be notable.

Admittedly, one aspect of the pardon campaign implicates Assange far more than (at least given the public details) it does Trump: his seeming attempt at extortion using the CIA’s hacking tools. But that doesn’t mean the government wouldn’t like his testimony about the larger effort, and I have reason to suspect that is something they were pursuing via other channels as well.

WikiLeaks’ ongoing interactions with Russia

Finally, I’m sure the US government would be willing to give Assange some consideration if he offered to describe his interactions with Russia over the years. The most public aspect of that was the WikiLeaks effort to get Snowden safely out of Hong Kong, which ended unexpectedly in Russia. But there are also credible allegations WikiLeaks engaged in some catch-and-kill of damning documents, most publicly with an incriminating document from the Syria Files. Emma Best looks more closely at that incident in a longer profile of a Russian hacker, Maksym Igor Popov, who seemed to shift loyalties back and forth from the US to Russia even while cultivating Anonymous.

Simultaneously, Sabu, who had been boasting about an alleged breach of Iranian systems, pivoted to the then-pending Syria files. “We owned central syrian bank and got all their emails,” he told Popov. There were “a lot of scandals” in those emails. In the 2012 exchange, Popov is told about an alleged email revealing that Syria had secretly sent Russia billions of Euros. Sabu appears to confuse the amount, which was 2 billion, with an amount from a similar transfer involving an Austrian bank. Reporting by The Daily Dot implies that the two emails were often discussed in the same conversation, while also revealing that the email Sabu was describing to the alleged Russian contractor was omitted from WikiLeaks’ eventual release.

WikiLeaks responded to the reporting by claiming that they “either never had the data or [that it was] in some strange MIME format so it isn’t indexed,” and that the reporting was an attack on WikiLeaks that was meant “to help HRC.”

Popov was impressed by Sabu’s description of the Syria emails, though he briefly confused them with another, unspecified cache that Sabu hinted Popov helped release. “If you want real access to the emails, I can [give it to you],” Sabu offered. Popov responded ecstatically, saying he could use it to create disinformation and fabricate conspiracies. Undaunted by Popov’s intended use for the emails, Sabu said he’d “try to set it all up soon.”

This exchange occurred several months after WikiLeaks received the first batch of the Syria files and several weeks after WikiLeaks gave the LulzSec hackers private access to a search engine to help parse the Stratfor emails which the group had also provided to WikiLeaks.

19:16 <Sabu> though we did very well on syria.. we owned central syrian bank and got all their emails 19:16 <LoD> and Nepalese hack 19:16 <Sabu> a lot of scandals ... like syria sending russia 5 billion euros before civil unrest and when russia sent warsip to trait of whateves its called 19:16 <LoD> Ive actually checked it RESPECT syria gave me some things to mastermind my next operations those email accounts were of much help to improve our strategy 19:17 <LoD> i give you thumbs up 19:17 <Sabu> well we didn't realease it yet ... that was another small hack you released. if you want real access to emails I can ive you 19:17 <LoD> really? 19:17 <LoD> can you? 19:17 <LoD> man I WILL BE in DEBT 19:17 <LoD> I can utilize it in my release 19:18 <LoD> to create a conspiracy 19:18 <Sabu> ya I'll try to set it all up soon

If Popov acquired early access to the Syria files, it would have been the score of a lifetime, giving him an exclusive early inside look at corporations and governments. However, as any later logs of discussions between Popov and Sabu aren’t part of the leaked file, it’s unclear if Popov actually received early access to the Syria files.

Already by this time period in 2011, some former Anons were expressing concern that their operations were being facilitated by Russian infrastructure.

Some followers came to believe that the leaders sought only personal aggrandisement or were effectively in cahoots with the organised criminals who may have raided Sony’s credit-card hoard after Anonymous knocked down the door. Even stalwarts such as Housh are unhappy that much of Anonymous’s infrastructure is now housed on computers used by Russian criminals. “It’s not like the Russians wanted us to get HBGary, but I want to know personally why they are doing this,” he says of the chat hosts. “Where is the money coming from?”

To be sure: a tie with Anonymous is different than a tie directly with WikiLeaks, even if Anonymous was serving as one of WikiLeaks’ important source streams at the time. Further, Best notes that there’s no evidence in available files that Popov interacted directly with WikiLeaks — nor would there be, given the scope of the publicly available chat logs.

But, particularly given the allegations that Assange fed the Seth Rich hoax as part of an effort to deny that he knew he had gotten the Democratic files from Russia, I’m sure the US government would love to know from him about any ties between WikiLeaks and Russia.

Offering Assange a plea deal might be one way to close the book on WikiLeaks without the political controversy of a trial.

The question, of course, is whether Assange would take one. Admittedly, it’s highly unlikely.

Still, as noted, he repeatedly claimed he’d love to tell all if he could avoid prison altogether. But even in a best case scenario, he’s looking at a long extradition fight from Belmarsh in conditions that are reportedly pretty shitty. A plea deal might be one way to limit how much more time in custody he faces.

Which could bode poorly for people like Chelsea Manning, making significant sacrifices to protect Assange.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Is Matt DeHart Being Prosecuted Because FBI Investigated CIA for the Anthrax Leak?

Buzzfeed today revealed a key detail behind in the Matthew DeHart case: the content of the file which DeHart believes explains the government’s pursuit of him.  In addition to details of CIA’s role in drone-targeting and some ag company’s role in killing 13,000 people, DeHart claims a document dropped onto his Tor server included details of FBI’s investigation into CIA’s possible role in the anthrax attack.

According to Matt, he was sitting at his computer at home in September 2009 when he received an urgent message from a friend. A suspicious unencrypted folder of files had just been uploaded anonymously to the Shell. When Matt opened the folder, he was startled to find documents detailing the CIA’s role in assigning strike targets for drones at the 181st.

Matt says he thought of his fellow airmen, some of whom knew about the Shell. “I’m not going to say who I think it was, but there was a lot of dissatisfaction in my unit about cooperating with the CIA,” he says. Intelligence analysts with the proper clearance (such as Manning and others) had access to a deep trove of sensitive data on the Secret Internet Protocol Router Network, or SIPRNet, the classified computer network used by both the Defense and State departments.

As Matt read through the file, he says, he discovered even more incendiary material among the 300-odd pages of slides, documents, and handwritten notes. One folder contained what appeared to be internal documents from an agrochemical company expressing culpability for more than 13,000 deaths related to genetically modified organisms. There was also what appeared to be internal documents from the FBI, field notes on the bureau’s investigation into the worst biological attack in U.S. history: the anthrax-laced letters that killed five Americans and sickened 17 others shortly after Sept. 11.

Though the attacks were officially blamed on a government scientist who committed suicide after he was identified as a suspect, Matt says the documents on the Shell tell a far different story. It had already been revealed that the U.S. Army produced the Ames strain of anthrax — the same strain used in the Amerithrax attacks — at the Dugway Proving Ground in Utah. But the report built the case that the CIA was behind the attacks as part of an operation to fuel public terror and build support for the Iraq War.

Despite his intelligence training, Matt was no expert in government files, but this one, he insists, featured all the hallmarks of a legitimate document: the ponderous length, the bureaucratic nomenclature, the monotonous accumulation of detail. If it wasn’t the real thing, Matt thought, it was a remarkably sophisticated hoax. (The FBI declined requests for comment.)

Afraid of the repercussions of having seen the folder of files, Matt panicked, he claims, and deleted it from the server. But he says he kept screenshots of the dozen or so pages of the document that specifically related to the FBI investigation and the agrochemical matter, along with chat logs and passwords for the Shell, on two IronKey thumb drives, which he hid inside his gun case for safekeeping.

Is it possible DOJ would really go after DeHart for having seen and retaining part of that FBI file?

For what it’s worth, I think Bruce Ivins could not have been the sole culprit and it’s unlikely he was the culprit at all. I believe the possibility that a CIA-related entity, especially a contractor or an alumni, had a role in the anthrax attack to be possible. In my opinion, Batelle Labs in Ohio are the most likely source of the anthrax, not least because they’re close enough to New Jersey to have launched the attacks, but because — in addition to dismissing potential matches to the actual anthrax through a bunch of smoke (only looking for lone wolves) and mirrors (ignoring four of the potentially responsive samples) — Batelle did have a responsive sample of the anthrax. Though as a recently GAO report made clear, FBI didn’t even sample all the labs that had potentially responsive samples, so perhaps one of those labs should be considered a more likely source. Batelle does work for the CIA and just about everyone else, so if Batelle were involved, CIA involvement couldn’t be ruled out.

So I think it quite possible that FBI was investigating CIA or someone related to CIA in the attack. It’s quite possible, too, that someone might want to leak that information, as it has been clear for years that at least some in FBI were not really all that interested in solving the crime. Even the timing would make sense, coming as it would have in the wake of the FBI’s use of the Ivins suicide to stop looking for a culprit and even as the Obama Administration was beginning to hint it wasn’t all that interested in reviewing FBI’s investigation.

But there’s something odd about how this was allegedly leaked.

According to Buzzfeed, the anthrax investigation came in one unencrypted folder with the ag document and a document on drone targeting the source of which he thinks he knows (it would like have been a former colleague from the ANG).

How would it ever be possible that the same person would have access to all three of those things? While it’s possible the ag admission ended up in the government, even a DOJ investigation into such an admission would be in a different place than the FBI anthrax investigation, and both should be inaccessible to the ANG people working on SIPRNet.

That is, this feels like the Laptop of Death, which included all the documents you’d want to argue that Iran had an active and advanced nuclear weapons program, but which almost certainly would never all end up on the same laptop at the same time.

And, given DeHart’s belief reported elsewhere this was destined for WikiLeaks, I can’t help but remember the Defense Intelligence Agency report which noted that WikiLeaks might be susceptible to disinformation (not to mention the HB Gary plot to discredit WikiLeaks, but that came later).

This raises the possibility that the Wikileaks.org Web site could be used to post fabricated information; to post misinformation, disinformation, and propaganda; or to conduct perception management and influence operations designed to convey a negative message to those who view or retrieve information from the Web site

That is, given how unlikely it would be to find these juicy subjects all together in one folder, I do wonder whether they’re all authentic (though DeHart would presumably be able to assess the authenticity of the drone targeting documents).

And DeHart no longer has the documents in question — Canada hasn’t given them back.

Paul told the agents that his family had evidence to back up their account: court documents, medical records, and affidavits — along with the leaked FBI document Matt had found that exposed an explosive secret. It was all on two encrypted thumb drives, which Matt later pulled off a lanyard around his neck and handed to the guards.

[snip]

If Matt is, in fact, wrongly accused, answers could be on the thumb drives taken by the Canada Border Services Agency, which have yet to be returned to the DeHarts. But without access to the leaked files Matt claims to have seen, there is no way to verify whether he was actually in possession of them, and, if he was, whether they’re authentic.

Though at least one person (a friend in London? Any association with WikiLeaks?) may have a copy.

Inside a hotel room in Monterrey, Mexico, Matt says he copied the Shell files onto a handful of thumb drives. He mailed one to a friend outside London, and several others to locations he refuses to disclose. He also says he sent one to himself in care of his grandmother, which he later retrieved for himself. When the subject of the drives comes up, Matt acts circumspect because, he says, he knows that our communications are being monitored.

There’s definitely something funky about this story. Importantly, it’s not just DeHart and his family that are acting like something’s funky — the government is too.

But that doesn’t necessarily mean the FBI thinks CIA did the anthrax attack.

GCHQ DDoS Hackers Hang Out with NSA’s Audit-Free Techies

Yesterday, I noted NBC’s report that GCHQ conducted a DDoS attack against Anonymous IRC chat.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

The State Monopoly on DDoS

One reason I harped on the way Ken Dilanian referred to the “official position” that hacking other governments was acceptable was because I suspected the government does what NBC just reported they do: engage in hacking against other targets, in this case, hackers like Anonymous.

[A] division of Government Communications Headquarters Communications (GCHQ), the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attack – the same technique hackers use to take down bank, retail and government websites – making the British government the first Western government known to have conducted such an attack.

As I noted on Twitter, the report that GCHQ targeted Anonymous should raise questions (that have already been raised) whether either GCHQ or NSA was behind the DDoS attack on noted publishing site WikiLeaks in 2010.

So the NSA (and GCHQ) believe some hacks are legitimate and some are not. But in addition, both are effectively asserting that the state should have a monopoly on hacking, just as it asserts a monopoly on violence. As some of the people involved have been commenting on Twitter, they got charged for DDoSing, even as the Brits were engaging in precisely the same behavior. Particularly troubling, there’s no indication NSA or GCHQ believe they need warrants to exercise their monopoly on hacks against their own citizens (FBI has in the past gotten a warrant to bring down a botnet, so there is precedent).

Of course, therein lies part of the problem: that intelligence is bleeding into law enforcement, and the tools of inter-state spying are being wielded against criminals (and dissidents).

None of this is surprising. It arises directly out of the way the government has gone after terrorists, and this treatment of an IRC channel is directly parallel to the same kind of guilt by association used against terrorists.

With What Databases Has NCTC Cross-Referenced with FBI’s 12 Million iDevice User IDs?

Update, 6/13/13: For those coming to this via my Twitter link, subverzo reminded me that this turned out to be a false claim. The data came from an Apple developer, not from FBI. 

Sorry for the confusion.

As you may have heard, Anonymous and AntiSec hacked into a database of 12 million Apple Universal Device IDs that were in an FBI officer’s laptop and released 1 million of them, ostensibly so some people could identify if their device was one of those FBI was tracking.

They claimed to have tapped into a Dell laptop owned by Special Agent Christopher K. Stangl, an FBI cyber security expert. They downloaded several files, including one that contained “12,367,232 Apple iOS devices including Unique Device Identifiers (UDID)” and other personal information, they wrote in a text file published online. “[The] personal details fields referring to people appears many times empty leaving the whole list incompleted [sic] on many parts. no other file on the same folder makes mention about this list or its purpose.”

While it’s not immediately clear what the FBI is doing with the Apple UDIDs and detailed information on device owners, Gizmodo pointed out that the acronym “NCFTA” could stand for the National Cyber-Forensics & Training Alliance, a nonprofit that acts as an information-sharing gateway between private industry and law enforcement.

These are unique identifiers for things like iPhones and iPads that have long presented the risk of tying someone’s identity to an individual device.

There are multiple ways FBI could have collected this information–either using an NSL or Section 215 request or an insecure transmissions to an ad or game server. And no one knows how the FBI was using it. Whatever you think about Anonymous, we may finally learn more about how the government is tracking geolocation.

But here’s one other concern. Assuming that’s an official FBI database, not only the FBI has it, but also the National Counterterrorism Center. And they’ve got access to whatever federal databases they want to cross-check with existing counterterrorism databases. And one of the few checks we have on the use of our data in this way is a Privacy Act SCOTUS just watered down.

This is a massive amount of data the government likely has no good excuse for having collected, much less used. But it’s likely just one tip of a very big iceberg.

Spooky AssadLeaks: The Provenance of the Emails

As I wrote in this post, I got interested in the provenance of a set of leaked Bashar al-Assad emails largely because of the way in which two of them were used to suggest, dubiously, Nir Rosen was an Assad agent.

The Guardian and Al Arabiya have both offered posts describing, in part, how they came by the emails, with the Guardian’s offering more details. The short version is:

March 15, 2011: Uprising escalates in Daraa.

Late March: “a young government worker in Damascus” handed off a slip of paper to a friend. The paper had four codes (plus or including the two email addresses, the Guardian is not clear) that would provide access to personal email accounts of Bashar al-Assad and his wife Asma. The friend was apparently supposed to pass them onto “a small group of exiled Syrians who would know what to do with them.”

June: “Two Syrian professionals in a Gulf state” obtain the emails. The Guardian doesn’t explain whether they were the original intended recipients, nor does it explain the delay. Though it does include a blurb describing their sudden awakening to politics that makes it clear the Guardian has spoken to at least one of the activists and replicated their self-narrative uncritically.

The uprising in the southern Syrian city of Deraa on 15 March had empowered them, as it had hundreds of thousands of others in the totalitarian state. They were now determined to do what they could to bring an end to more than four decades of rule by the Assad clan.

“It was clear who we were dealing with,” said one of the activists. “This was the president and his wife. There was no doubt.”

August 6: Sabu solicits Syrian MOD hacker to “disrupt govt communication systems.”

June to December: The emails are used with increasing frequency over time; Assad appears to build a PR strategy using them.

January: Anonymous (which had been infiltrated by the FBI since at least June, the same month the Syrian activists purportedly got the email codes) hacks Bashar al-Assad’s servers, accessing 78 different email accounts.

February 7: Anonymous releases the Assad emails which were published by Ha-aretz, claims the password was 12345. These are, at least in part, the very same emails being released today. Assad’s brother-in-law Firas al-Akhras emails him to tell him the inbox of the Ministry of Presidential Affairs had been leaked. All the emails are shut down.

March 15, 2012: The emails published.

In their narratives, neither the Guardian nor al Arabiya note that the FBI had been running Sabu since last June, precisely the same month the “activists” reportedly got the “secret codes” (12345?) that would allow them to access the Assad emails.

Now there are plenty of questions I have about this: Who was the mole, how did he or she get this information, who was the friend, what caused the 3-month delay. All of those questions, of course, are particularly interesting giving the coincidence of timing with the Sabu recruitment.

And why release these emails now? Just because of the one-year anniversary of Daraa, and the other events planned for the day?

Suffice it to say it feels a lot like outside entities–aside from whatever professionals-turned-activists purportedly monitored these accounts–were involved.

With that feeling in mind, two more details worth noting. First, al Arabiya’s story on how they got the emails focuses instead on what they didn’t publish: a bunch of “scandalous emails.”

Hundreds of “scandalous” emails were accordingly deleted by Al Arabiya.

By comparison, the Guardian said only it didn’t publish personal emails. Both sources, however, want people–perhaps including Assad?–to know that there were more emails that may be out there.

The other thing I find interesting is the detail the Guardian pays to Assad’s email habits.

[The Syrian activists in the Gulf state] soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast.”

Deleting emails as soon as they arrive shows a degree of awareness of web security. So too did the fact that Assad never attached his name or initials to any of the emails he sent. However, many of the emails that arrived in his inbox are addressed to him as president and contain intimate details of events and discussions that were not known outside of the inner sanctum and would have been very difficult to manipulate.

Even before I remembered that the same guy the Guardian claims was showing some web security used “12345” as his password, this entire passage sounded bogus, more like a way to provide cover for some other means to collect these emails that don’t involve more sophisticated wiretapping of packets, as opposed to email in-boxes.

But once you remember this is a guy who reportedly used “12345” as his password, then the entire claim Assad was practicing good security becomes laughable. Which makes this entire passage suspect.

There are two stories of how Bashar al-Assad got his emails hacked in the last year. In one version, Syrian activists managed to spy on their dictator in real time and are presumably releasing emails that lack a smoking gun (but did include “scandalous” emails) as a sort of anniversary present for Assad. The other story involves the FBI flipping at least one hacker and having him continue to hack at their command.

Or maybe there’s just one, far more intriguing story.

Spooky AssadLeaks: The Nir Rosen Connection

Something curious has happened in the last few days while I’ve been traveling. The Guardian and Al Arabiya have been publishing leaked emails from Bashar al-Assad and his wife, showing both to be callous assholes but not otherwise producing a smoking gun (though I do hope to return to what they show about how they evaded sanctions).

In the last day or so, attention has shifted to two emails (here’s a translation of the first) between Assad aides and Assad, mentioning the journalist Nir Rosen. A number of people read them to suggest Rosen was an agent of Assad’s, perhaps even exposing other Western journalists who were sneaking into Syria.

Rosen responded to the allegations here, saying in part,

I believe the trove of leaked emails from the Syrian government are indeed all real. The emails which contain my name are certainly real, I don’t mind saying. They are from people who were introduced to me and other western journalists as media and public relations advisers to the Syrian government or the president himself. They are the same people who arranged for the ABC News interview with Barbara Walters, for the Sunday Times interview with Bashar al Assad, for Agence France Presse, and for others to enter Syria. This is normal. How else does a journalist enter a country such as Syria?

In November 2011 after al Jazeera conducted a live interview with Iran’s president Ahmedinajad, I tried to persuade media advisers to the Syrian president that they should grant a similar one to al Jazeera’s English network. I sent them several emails trying to persuade them it was a good idea, including an email with my CV and biography. I also met with these media officials to try to persuade them.

And as this November email also shows, I forwarded them a link to a BBC program on Syria done by the heroic Paul Wood in order to try to persuade them that journalists are coming in anyway and they might as well let al Jazeera in formally.

Importantly, the fact that I had to send my resume and biography to establish my credentials for an interview bid with Assad and the very need for sending these things shows I was not an agent for them.

I suspect all sorts of people will continue to focus on Rosen.

If you haven’t been following his work, a number of people have pointed to Rosen as one of the very few people giving a nuanced picture of what is going on in Syria right now. As an example, in this Q&A he talks about the stalemate-degrading-into-civil-war Syria is in right now.

Only a “Hama” could change the equation. Nobody can say exactly what that would entail, because “Hama” has become an epithet, a symbol, it just means for something terrible to happen. So, until now there is no Hama-type event that the opposition or international media could use to give leaders in Turkey or the West a pretext for humanitarian intervention or to delegitimise the country’s leadership. Such an incident would have to be so grave that international opponents would use it to obliterate the Russian and Chinese veto in the United Nations, and to criminalise those two countries for their backing of the Syrian regime.

In any case, that’s the Nir Rosen background to the emails.

All of which led me to ask where the emails came from. I have no doubt they’re real (or at least most of them)–Rosen has confirmed the emails mentioning him appear to be real. Here’s the Guardian’s description of who did and did not confirm the authenticity of emails involving them.

But having the entire contents of one or two email inboxes is not the same as reliably understanding how they came to be obtained and published. That’s the question I’d like to look at in more detail in a follow-up post.

Is This What Robert Mueller Meant by Cyber Expertise?

Back on February 3, I noted what I thought was the irony that, four days after FBI Director Robert Mueller bragged about FBI’s cybersecurity expertise–including its partnerships with counterparts overseas–Anonymous released an earlier hacked call between Scotland Yard and FBI.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

We now know that at the time of both the hack and Mueller’s comment, the FBI was running Hector Xavier Monsegur–Sabu–as a confidential informant–and the Scotland Yard call is one of the hacks they busted others for with his assistance last week.

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

And meanwhile, all of the things Sabu was saying on his twitter account were closely monitored–if not written–by the FBI, including the comment about FBI’s informants, above, and the multiple “celebrations” of the Scotland Yard hack.

Read more

FBI Director Mueller Boasts of FBI’s Cyber Expertise before Anonymous Hacks Cyber Call

As you may have heard, Anonymous hacked into and released a conference call between the FBI and Scotland Yard discussing their efforts to crack down on the hackers’ group.

What makes the hack all the more ironic is its release comes just days after Robert Mueller bragged of the FBI’s cyber expertise at the Threat Assessment hearing on Tuesday (the actual call took place on January 17, which makes me wonder whether they have gotten subsequent calls as well). In response to MD (and therefore NSA’s) Senator Barbara Mikulski’s suggestion that the NSA was the only entity able to investigate cybercrime, Mueller insisted (after 2:01) the FBI can match the expertise of NSA. He even bragged about how important partnering with counterparts in other countries–like Scotland Yard–was to the FBI’s expertise.

Mueller: If I may interject, we have built up a substantial bit of expertise in this arena over a period of time, not only domestically but internationally. We have agents that are positioned overseas to work closely with–embedded with–our counterparts in a number of countries, and so we have, over a period of time, built up an expertise. That is not to say that NSA doesn’t have a substantial bit of expertise also, understanding where it’s located.

Mikulski: But it’s a different kind.

Mueller: Well, no, much of it is the same kind, much of it is the same kind, in terms of power, I think NSA has more power, in the sense of capabilities, but in terms of expertise, I would not sell ourselves short.

I don’t want to sell the FBI short or anything. But regardless of their expertise in investigating cybercrimes, it sure seems like they’ve got the same crappy security the rest of the Federal government has.

DOD Promises to Defend the Networks They Failed to Defend after 2008

There’s something hysterical about the promise a Quantico spokesperson made that DOD would take any threats to its IT networks–in this case, threats made by Anonymous–seriously.

A Quantico spokesman, Lieutenant Agustin Solivan, said officials had referred the matter to law enforcement and counter-intelligence agencies. “We are aware of the threat and any threats to defence department information systems and networks are taken seriously,” he said. “The intent or stating that you are going to commit a crime is a crime in itself,” he added.

You see, back in 2008, DOD got badly hit by malware introduced via a thumb drive or some other removable media. And in response, DOD instituted measures that–it said–would clear up the problem.

The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to “floppy disks,” is supposed to take effect “immediately.”

[snip]

Servicemembers are supposed to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware,” one e-mail notes.

Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out.

In other words, back in 2008, an enemy force attacked DOD’s IT system using an embarrassing security vulnerability. In response DOD immediately banned all removable media. That ban was supposed to be permanent on classified networks like SIPRNet.

Just over one year later, a low-ranking intelligence analyst in Iraq brought in a Lady Gaga CD, inserted it into his computer attached to SPIRNet, and allegedly downloaded three huge databases of classified information.

Throughout the WikiLeaks scandal, DOD has been the functional equivalent of someone who, just weeks after getting cured of syphilis, went right back to his old ways and–surprise surprise!–got the clap, all the while denying he bore any responsibility for fucking around.

According to Bradley Manning’s description, there was a virtual orgy of IT security problems at his base in Iraq.

(01:52:30 PM) Manning: funny thing is… we transffered so much data on unmarked CDs…

(01:52:42 PM) Manning: everyone did… videos… movies… music

(01:53:05 PM) Manning: all out in the open

(01:53:53 PM) Manning: bringing CDs too and from the networks was/is a common phenomeon

(01:54:14 PM) Lamo: is that how you got the cables out?

(01:54:28 PM) Manning: perhaps

(01:54:42 PM) Manning: i would come in with music on a CD-RW

(01:55:21 PM) Manning: labelled with something like “Lady Gaga”… erase the music… then write a compressed split file

(01:55:46 PM) Manning: no-one suspected a thing

(01:55:48 PM) Manning: =L kind of sad

(01:56:04 PM) Lamo: and odds are, they never will

(01:56:07 PM) Manning: i didnt even have to hide anything

(01:56:36 PM) Lamo: from a professional perspective, i’m curious how the server they were on was insecure

(01:57:19 PM) Manning: you had people working 14 hours a day… every single day… no weekends… no recreation…

(01:57:27 PM) Manning: people stopped caring after 3 weeks

(01:57:44 PM) Lamo: i mean, technically speaking

(01:57:51 PM) Lamo: or was it physical

(01:57:52 PM) Manning: >nod<

(01:58:16 PM) Manning: there was no physical security

(01:58:18 PM) Lamo: it was physical access, wasn’t it

(01:58:20 PM) Lamo: hah

(01:58:33 PM) Manning: it was there, but not really

(01:58:51 PM) Manning: 5 digit cipher lock… but you could knock and the door…

(01:58:55 PM) Manning: *on

(01:59:15 PM) Manning: weapons, but everyone has weapons

(02:00:12 PM) Manning: everyone just sat at their workstations… watching music videos / car chases / buildings exploding… and writing more stuff to CD/DVD… the culture fed opportunities

Incidentally, note that no one has been fired for having left SIPRNet open to the same vulnerability that had already been targeted in a hostile attack? It’s all Bradley Manning’s fault. Sure, DOD was fucking around. But it can’t be held responsible!

So now, weeks after HBGary emails made it clear that DOD and DOJ and CIA were already investigating Anonymous, they’re telling us they’re investigating. For real now.

And don’t you worry! Ain’t no way Anonymous can hurt them. Because they know how to defend against such threats.