Networks of Insurrection: “Trump is literally calling people to DC in a show of force”

This will be another of those posts where I catalog a few of the developments in the January 6 investigation that show how — Jocelyn Ballantine’s involvement notwithstanding — the many parts of the investigation are crystalizing around associations between rioters.

Michael Rusyn witnesses the initial East door break

First, in my continuing focus on the statements that DOJ obtains from those pleading guilty to trespassing charges, I’d like to look at the statement of offense from Michael Rusyn, who pled guilty Monday.

Rusyn was first IDed to FBI the day after the riot, interviewed by the FBI on February 17, and then arrested back in April, probably because he showed up in two key locations, obviously recording what happened on his phone. But after they arrested him and started pulling surveillance footage and exploiting his cell phone, they realized he was always accompanied by the same woman, about whom they had gotten a separate tip on January 7.

At least per Deborah Lee’s arrest affidavit, that’s how the FBI determined that Rusyn was the “Michael Joseph” she had tagged in her own Facebook posts from the riot, and that — as described in his statement of offense — he had lied when he told the FBI he didn’t know anyone on the bus he took to the riot.

On February 17, 2021, the defendant was interviewed by a Task Force Officer and an FBI Special Agent. During that interview, the defendant said that he traveled to Washington, D.C. by boarding a bus in Jessup, Pennsylvania at approximately 5:00 a.m., and that he did not personally know anyone on the bus. This was untrue: the defendant and Deborah Lynn Lee rode to Washington, D.C. together on the same bus. And, indeed, the defendant’s phone contained numerous photographs and video of Lee outside the Capitol building, which it appeared had been recorded by the defendant, as well as numerous text messages between the defendant and Lee.

The rest of his statement of offense liberally implicates Lee in his actions, including by noting that she entered via the East doors first, and then reached out her hand and pulled him into the building (which also contradicts his initial claims).

At approximately 2:27 p.m., Deborah Lynn Lee entered the Capitol building through the breached door. She turned back across the threshold and extended her hand to the defendant, who took her hand and pulled himself through the crowd, across the threshold and into the Capitol. The two were among the first thirty to forty people to enter the Capitol after the breach of this door.

DOJ could have wired Rusyn’s plea, requiring that he wait until Lee pled guilty before they’d let him plead. Instead, though, they’ve acquired evidence against someone who made false claims about Antifa in the days after the riot.

Lee is also one of the John Pierce clients who has decided to stick with him — and so, presumably, with her false claims — after his bout with COVID.

In addition to making it much harder for his friend to sustain her lies about Antifa, though, Rusyn also provided witness testimony describing how the East doors got broken.

By approximately 2:10 p.m., the defendant stood on the East Side of the Capitol building, near the eastern, double doors at the top of the Capitol steps, leading to the rotunda. He was in a crowd of people, close enough to the crowd to see the front of the doors. A video that the defendant uploaded to Facebook at 2:10 p.m., and a photo that the defendant uploaded to Facebook at 2:16 p.m., capture these doors, including the windowpanes that would–shortly thereafter–be smashed in by members of the crowd.

Beginning at approximately 2:20 p.m., and continuing through at least approximately 2:24 p.m., members of the crowd began smashing several of the windowpanes of these doors. At approximately 2:25 p.m., another rioter opened one of the double doors from the inside; thereafter, that person and several other rioters opened this door widely enough to allow members of the crowd to breach the door and enter the Capitol.

This is straight witness testimony and validation of Rusyn’s own video, but it also debunks claims that a bunch of other rioters have tried to make in their own defense.

Rusyn’s statement of offense includes similar language describing the mob that tried to push their way into the House shortly thereafter.

Rusyn was allowed to plead to the less serious of the two trespassing charges. But his testimony and validated video will be quite useful for prosecutors to go after more serious defendants, including the details of how rioters opened a second front at the East doors.

Gary Wilson makes Brady Knowlton’s obstruction more obvious

In a similar case where DOJ arrested someone’s co-rioter months later, the government arrested a guy from Salt Lake City named Gary Wilson. Wilson is the guy who showed up in the photos used to arrest Brady Knowlton on April 7, who himself was arrested long after his buddy Patrick Montgomery was arrested on January 17.

The FBI used Wilson’s arrest warrant as an opportunity to fill in the details behind the earlier indictment of Montgomery and Knowlton, which added an assault charge against Montgomery and obstruction charges against both.

For example, it shows an exchange captured in Daniel Hodges’ Body Worn Camera just before Montgomery allegedly assaulted Hodges, as described in Wilson’s arrest affidavit.

At around 2:00 p.m. co-defendant Brady Knowlton confronted MPD officers who were making their way through the crowd and yelled at them saying, “You took an oath! You took an oath!” and “Are you our brothers?” Co-defendant Patrick Montgomery came up from behind Knowlton and said something to the officers, but it was hard to tell what he said. Officer Hodges then moved forward a few steps through the crowd. Wilson can be seen on Hodges’ video standing in the crowd (see screenshot above)—not far from where Montgomery and Knowlton were standing. In fact, Officer Hodges and Wilson collided as Officer Hodges tried to make his way through the crowd.

At approximately 2:02 p.m., Montgomery assaulted MPD Officer Hodges. An FBI special agent interviewed Officer Hodges on February 24, 2021. Officer Hodges told the FBI agent that at about 2:00 p.m. on January 6, 2021, he was making his way toward the west side of the Capitol to assist other officers. He was part of a platoon of about 35-40 officers. Officer Hodges said that right before 2:02 p.m., a very agitated crowd cut-off the platoon’s progress and split the group of 35-40 officers into smaller groups. Officer Hodges and a small group of officers ended up encircled by the crowd and the crowd was yelling at them “remember your oaths.”

Officer Hodges said that he was at the front of the group and attempted to make a hole through the crowd for himself and the other officers to continue their movement toward the Capitol. He yelled “make way” to the crowd. While trying to get through the crowd, he looked back to see other officers being assaulted by members of the crowd, which was yelling “push” while making contact with the officers. Hodges immediately turned back and started pulling assaulting members of the crowd off the other officers by grabbing their jackets or backpacks. After pulling a few people away from the officers, a man—later identified as Patrick Montgomery—came at Officer Hodges from his side and grabbed Officers Hodges’ baton and tried to pull it away from him. Officer Hodges immediately started to fight back and the two of them went to the ground, at which time Montgomery kicked Officer Hodges in the chest.

As Officer Hodges went down to the ground, his medical mask covered his eyes, which temporarily blinded him. He was laying on the ground, could not see, and was fighting to retain his weapon while surrounded by a violent and angry crowd. In that moment, he was afraid because he was in a defenseless position because of the assault. He was able to break Montgomery’s grip on the baton and get free.

The Wilson affidavit then shows how the three of them entered the Capitol through the Upper West Terrace door, went to the Rotunda, witnessed Nate DeGrave and Ronnie Sandlin allegedly assaulting officers outside the Senate, then entered the Senate Gallery, all movements described in earlier filings but now documented with pictures.

From there, the threesome entered another hallway and had another confrontation with some MPD officers. Here again, the Wilson affidavit provides more detail (and a picture) of a confrontation explained in sketchy form in earlier filings.

Knowlton: “All you gotta do is step aside. You’re not getting in trouble. Stand down. For the love of your country.”

Unidentified rioter: “What happens if we push? Do you back up? We’re not gonna push hard.”

Knowlton: “This is happening. Our vote doesn’t matter, so we came here for change.”

Unidentified rioter: “We want our country back. You guys should be out arresting the Vice President right now.”

Wilson: “We came all the way from our jobs to do your job and the freaking senators’ job.”

The three men had one more confrontation with officers before they left the building around 2:54.

All this is important because, even aside from the possibility that these additional conflicts expose Montgomery and Knowlton to additional civil disorder or resisting charges, it all makes Knowlton’s obstruction much easier to show.

And that’s important because, as of right now, Knowlton is mounting the most mature (and best funded) challenge to the way DOJ has used obstruction charges against January 6 defendants. In a hearing overseeing that challenge, Judge Randolph Moss expressed concern (as Judge Amit Mehta similarly did in an Oath Keeper challenge of the application) about limiting principles: what distinguishes the actions of those charged with obstruction for January 6 from protestors complaining about the nomination of Brett Kavanaugh to the Supreme Court. This arrest affidavit doesn’t change the legal issues, but it does make it a lot easier to see that Brady Knowlton was no mere protestor.

There’s probably more that will come with this arrest — at the very least an opportunity to supersede Montgomery and Knowlton to add Wilson.

But we also may learn whether there’s a tie between these three guys (there’s a fourth who posed with Montgomery and Knowlton outside the Capitol, but he’s not known to have entered the Capitol) and two other Utahns who entered the Senate Gallery at almost the exact same time as these three, Janet Buhler (pictured just behind Knowlton and Wilson) and her step-son Michael Hardin.

After all, we’re still waiting to learn the identities of the Utahns that John Sullivan’s brother, James, discussed with Rudy Giuliani shortly after the riot. These four people (just four are Utahns — Montgomery lives in Colorado) are among just eight Utahns charged to date, and they all made it to the Senate Gallery at roughly the same time.

“It’s the only time hes ever specifically asked for people to show up”

The last recent arrest involving networks of people who rioted together charged Marshall Neefe and Brad Smith with conspiracy to obstruct the vote, assault, civil disorder, and the trespassing while armed that can carry a stiff sentence. Their charges under 18 USC 1512(k) mark at least the third time January 6 defendants were charged with conspiracy under that clause (as opposed to 18 USC 371, like most militias), with the two others being Eric “Zip Tie Guy” Munchel and his mom, and the SoCal 3%er conspiracy.

If DOJ’s application of obstruction to the vote count survives judicial review, charging a conspiracy under 1512(k) offers several things that 371 doesn’t offer: notably, very steep sentencing enhancements for threats of violence.

And these men did threaten violence. As early as December 22, Neefe talked of “wanna crack some commie skulls.” That day, too, Smith described getting axe handles to which he’d nail an American flag “so we can wave the flag but also have a giant beating stick just in case.” Like most of the 3%ers, Smith didn’t enter the Capitol, and for the same reason: because he believed entering the Capitol while armed would risk arrest. “I was the people crawling up the side of the building. I wasn’t going to jail with my KA BAR,” which he had described as his “Military killin knife” when he got it in December.

It’s tempting to think this conspiracy, like that of Munchel and his mom, is mostly tactical, a way to implicate both in the acts of one.

But there are references to efforts to “encourage[] others to join him and NEED to travel to Washington,” so it’s possible we’ll see later arrests similar to those of people networked with the 3%ers (for example, the Telegram Chat that Russell Taylor started is mentioned in the arrest affidavits for Ben Martin and Jeffrey Brown).

More interesting still is that this conspiracy might work like the (still-uncharged) one promised against Nate DeGrave and Ronnie Sandlin, two random guys who took action in direct response to Trump’s directions.

Charging this as a conspiracy focuses on the lead-up to the riot. It shows how these men started planning for war on November 4, “Why shouldnt [sic] we be the ones to kick it off?” It describes how they responded to Trump’s calls for attendance.

The call to action was put out to be in DC on January 6th from the Don himself. The reason is that’s the day pence counts them up and if the entire city is full of trump supporters it will stop the for sure riots from burning down the city at least for a while.

It emphasizes the import these men ascribed to Trump’s calls for attendance.

SMITH wrote another Facebook user on December 22, 2020, “Hey man if you wanna go down to DC on the 6th Trump is asking everyone to go. That’s the day Pence counts up the votes and they need supporters to fill the streets so when they refuse to back down the city doesnt [sic] burn right away. It’s the only time hes [sic] ever specifically asked for people to show up. He didn’t say that’s why but it’s obviously why.”

It shows how, in advance of the riot, both men came to understand that they might join militias in storming the Capitol.

On December 31, 2020, SMITH continued to message other Facebook users, encouraging them to go to Washington, D.C., on January 6, 2021. For example, he told one user, “Take off the 6th man! It’s the Big one!!! Trump is literally calling people to DC in a show of force. Militias will be there and if there’s enough people they may fucking storm the buildings and take out the trash right there.”

That same day — the same day Smith got his military knife — Smith talked with Neefe about how easy storming the Capitol would be.

“I cant wait for DC! Apparently it’s going to be WAY bigger lol. If it’s big enough we should all just storm the buildings. . . . Seriously. I was talking to my Dad about how easy that would be with enough people.”

By January 5, that turned into Smith’s call to “Sacrifice the Senate!!!!”

All that’s important background to Smith narrating their arrival by describing their actions as, “literally storming the Capitol.” Shortly thereafter, Neefe was involved in using a Trump sign as a battering ram against MPD officers. This may be the assault currently charged against Jose Padilla and others.

Even in retrospect, these conspirators spoke in terms that tie Trump’s actions to their own violence and threats of violence, bragging about responding to Pence’s refusal to fulfill Trump’s illegal demands by literally chasing members of Congress out of their chambers.

From January 6-7, SMITH posted, “Got Gassed so many times, shit is spicy but the Adrenaline high and wanting to ‘Get’ Pelosi and those fucks, it was bearable.” He also admitted, “Oh yeah. The time will come for some of them. But today’s mission was successful! Remember how they said today was the final day & that Biden would be certified? Well we literally chased them out into hiding. No certification lol [. . .]. Pence cucked like we knew he would but it was an Unbelievable show of force and it did its job.”

As far as we can tell, Marshall Neefe and Brad Smith are just bit players in this story, two guys who went to the Capitol and joined in the violence.

But that’s what makes them so useful, for showing how two bit players, believing they were taking orders directly from the President, armed themselves and helped implement a deliberate attempt to “literally chase[]” Congress away from the task of certifying the vote.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Starting 3 months after passage of the Intel Authorization, it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in a timely fashion, so disclosing them may not make end users any safer.

There would be an unclassified report on the aggregate reporting of vulnerabilities both at the government level and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?


SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

(a) Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).

Shadow Brokers Further Incites War between “scumbag Microsoft Lawyer” and NSA

The other day, Microsoft President and Chief Legal Officer Brad Smith wrote a blog post about the WannaCry ransomware exploiting his company’s products to disrupt the world. At one level it was one of the first entries in what will surely be an interesting policy discussion once there’s an aftermath to the crisis, calling for collective action and a Digital Geneva Convention.

But at another level, Smith’s post provided an opportunity to bitch out the CIA and NSA, the leaked and stolen exploits of which have really fucked with Microsoft in the last few months.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Joining the many people who object to the analogy between Tomahawks and hacking exploits, the entity that caused this crisis, Shadow Brokers, is none too impressed with Smith’s response, either. Along with suggesting NSA was paying Microsoft to sit on vulnerabilities and unleashing a load of expletives (you can click through for both of those), Shadow Brokers lays out the tensions between Microsoft, its enterprise contracts with the government, and the NSA’s reticence about the vulnerabilities in Microsoft products it is exploiting.

Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT.

[snip]

Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TheEquationGroup is using and paying for holding patch.

Then Shadow Brokers brings the hammer: threatens to dump (among other offerings in an “exploit of the month club”) a Windows 10 vulnerability.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Heck, at this point, Shadow Brokers doesn’t even need to have this exploit (though I’m guessing the NSA and Microsoft both may be erring on the side of caution at this point). Because simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government.

It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.