
[Photo: Emily Morter via Unsplash]

K. T. McFarland’s Big Fat Email [UPDATED]

[NB: Update at the bottom of this post.]

I am posting this on the fly, haven’t yet fully digested what I just read. All I can really do right now is roll my eyes as I wave my hands in the air and scream about the stupid that burns.

You need to read this article, Emails Dispute White House Claims That Flynn Acted Independently on Russia; this bit in particular just boggles my mind although it’s not the only thing in this article which made me ululate.

Excerpt, The New York Times

And of course it’s Obama’s or the Democratic Party’s fault she was taken out of context here. Uh-huh. And Clinton should be impeached.

This bit is nearly as mind-blowingly whack:

Excerpt, The New York Times

“Political malpractice” is not the first thing that comes to mind here, Mr. Cobb.

UPDATE — 9:00 PM EST —

NYT’s Michael Schmidt has now provided K. T. McFarland’s full quote to clarify what was meant in the email.

We’re supposed to believe the context is about spin McFarland anticipated Obama (or the unspecified Democrats in the NYT’s article) would employ against Trump.

However lawyer Ty Cobb’s explainer-cum-apologia doesn’t sound like McFarland and others on the transition team were merely indulging in speculation.

Any time now I expect someone in the administration will not only say openly that Trump authorized the transition team to discuss dropping the sanctions, but that it isn’t illegal when the president does it.

Except in the U.S. we only have one president at a time.

Retired Generals of Flynn-Associated IP3: “United States Mideast Strategy Is Resourcing Conflict”

Yesterday, I decided that I should take a deep dive into a couple of issues that are playing big roles in current political drama: the Middle East nuclear power plant plans that Michael Flynn “represented” in some travel but did not note in his security disclosures and the manufactured controversy over Uranium One. I’m still reading and hope to post regularly on these and other topics, but want to point out one passing reference that made my jaw drop.

In Monday’s Washington Post article on Flynn’s troubles, we have this passage:

Around June 2016, according to his financial disclosure, Flynn ended his association with ACU and began advising a company called IP3/IronBridge, co-founded by retired Rear Adm. Michael Hewitt, a former ACU adviser.

IP3 initially proposed partnering with China and other nations, rather than Russia, to build nuclear power plants, according to a company spokesman, who said the China component has since been dropped.

In August 2016, the company produced a PowerPoint presentation that included Flynn’s photo and former government title on a page titled “IP3/IronBridge: Formidable US Leadership.” The document was labeled as a “Presentation to His Majesty King Salman Bin Abdul Aziz” of Saudi Arabia and displayed the seals of Saudi Arabia and the United States. The presentation was obtained by Democrats on the House Oversight Committee, who made it public.

After reading this, I started digging a bit into IP3, to see what they have been up to. I found this fascinating piece in Medium, written by the all-star trio of Jack Keane, Keith Alexander and Bud McFarlane. The article dates from October 31 of this year, so it comes over a year after the PowerPoint referenced in the Post article. The Medium article opens with the basis for the US-Saudi relationship going back more than seven decades:

In 1945, President Roosevelt and King Abdul Aziz of Saudi Arabia forged a partnership under which the United States provided security for the Kingdom to assure the flow of oil to global markets. While the United States has never wavered from this commitment through 13 Presidents and 6 Saudi monarchs, the core themes of arms and oil alone no longer cover the full scope of our countries’ goals and mutual interests.

That’s pretty blunt language, but yes, the core theme of US-Saudi relations does indeed seem to be “arms and oil”. But a bit further down, we have this:

Any new U.S. strategy for the Middle East will fail unless we move beyond fighting terrorism or reacting to the influence of evolving regional encroachment from Russia and Iran. The United States must approach the Middle East in ways that promote diversified, strong economies. We need a strategy that doesn’t rely solely on resourcing conflict with weapons sales, arms agreements, or new deployments of U.S. military forces, but one of empowerment through the intellectual capital and industrial might of our nation’s private sector. We must better enable the stabilizing visions of our GCC partners, Egypt, Israel, and Jordan as part of a reimagined Middle East economy.

I have to admit that on my first reading of this paragraph, I chuckled. I was convinced that it contained a very revealing typo. I mean, surely these retired generals would never just come out and say that the US strategy in the Middle East is to “resource conflict”, would they? Didn’t they mean that the weapons sales, arms agreements and troop deployments are aimed at resolving conflicts even though they certainly provide the resources to prolong them? That’s how the US presents these moves, after all. Who even uses “resource” as a verb anyway?

I continued in my reading, and in this copy of a letter from the Democrats on the House Oversight Committee posted by Politico (always read the footnotes; the URL is in footnote 21) I hit paydirt with the URL for the IP3 PowerPoint referenced in the Post article above. Here is the slide that the Post refers to on the IP3 team including Flynn:

That is slide number 3 in the presentation. Here is slide number 5:

And there we have it. The Medium article did not have a typo. Over a year earlier, the PowerPoint says the US should “shift toward resourcing stability” rather than resourcing conflict. I find that to be a remarkably candid statement, considering who is saying it.

For quite some time, my line on US strategy for any trouble spot in the world has been that the US asks “What group can we arm?”. Here we have a huge collection of retired generals saying very much the same thing in slightly different language. I follow my observation by saying our question should rather be “What can we do to address the concerns of those who are moved to violence in this trouble spot?” And again, this group is offering their alternative. I see this as a massive improvement in outlook and perhaps a bit of slowly dawning self-awareness on behalf of the generals for what their actions have wrought.

Of course, once we dive into the IP3 team’s vision for how we “resource stability” things go right back to the track history of these generals proposing policies that are almost the exact opposite of what should be done. But that is fodder for later posts.

Just a couple of closing notes seem in order. First, it is clear from the committee letter in which I got the PowerPoint URL that the file actually was sent to the committee by an employee of ACU, which is a competitor of IP3. Further, the cover slide contains the cryptic note “2016 MSH Proprietary and Confidential”. I haven’t found an explanation for “MSH”. I thought it might refer to Michael Hewitt, but his middle initial is W. It doesn’t seem to fit any of the companies involved or the ACU employee who sent the file.

Also, in all the articles I’ve read about Flynn’s involvement in this effort, it appears that he consistently and publicly advocated for the building of the power plants to avoid Russian involvement and to be undertaken as an approach to reducing Russia’s influence in the Middle East. That makes Flynn’s June 2015 trip sponsored by ACU very confusing, since ACU is the group advocating Russian involvement in the building and running of the power plants. It would, however, align with his move to IP3 once it was formed. Also, the stories now seem to suggest that within the White House, IP3’s approach was quashed based on Flynn’s conflicts of interest rather than any White House preference for Russian involvement in building the plants. Will that story change? After all, Russia eventually got the contract for Egypt.

Minority Report: An Alternative Look at NotPetya

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid $300 at a time in cryptocurrency but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful bordering on outright hostile in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetya, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain decryption code suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BDT), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearphishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across businesses’ local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.
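One defender-side signal for the behaviour described above is a single process rewriting files of many different business types on one host within a short window. The following is an added example, not code from the post or from Microsoft’s postmortem; the event format, the sample events and the extension list are all constructed for illustration (the extensions stand in for the categories the post names, not Microsoft’s published list):

```python
"""Burst-of-encryption heuristic over constructed file-activity events.

Added example; not code from the post or from Microsoft's postmortem.
A process touching files of many distinct watched extensions on one host
within a short window is flagged. Event format, sample events and the
extension list are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ntpath

# Representative of the categories the post lists (Office files, website
# files, email, archives, backups, database files). Illustrative set only,
# not Microsoft's published list of targeted extensions.
WATCHED_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx", ".pdf", ".html", ".php", ".pst", ".eml",
    ".zip", ".7z", ".bak", ".vmdk", ".mdb", ".sql",
}

# Constructed event format: <ISO timestamp>|<host>|<pid>|<process>|<action>|<path>
SAMPLE_EVENTS = r"""
2017-06-27T10:32:01|WS-0113|4120|rundll32.exe|WRITE|C:\Users\a.ivanova\Documents\Q2-invoices.xlsx
2017-06-27T10:32:03|WS-0113|4120|rundll32.exe|WRITE|C:\Users\a.ivanova\Documents\contract.docx
2017-06-27T10:32:04|WS-0113|2210|WINWORD.EXE|WRITE|C:\Users\a.ivanova\Documents\draft.docx
2017-06-27T10:32:06|WS-0113|4120|rundll32.exe|WRITE|C:\Users\a.ivanova\Outlook\archive.pst
2017-06-27T10:32:08|WS-0113|4120|rundll32.exe|WRITE|C:\inetpub\wwwroot\index.php
2017-06-27T10:32:09|WS-0113|4120|rundll32.exe|WRITE|C:\Temp\scratch.tmp
2017-06-27T10:32:11|WS-0113|4120|rundll32.exe|WRITE|C:\Backups\nightly.bak
2017-06-27T10:32:14|WS-0113|4120|rundll32.exe|WRITE|D:\Shares\Finance\2016.zip
2017-06-27T10:45:00|WS-0207|3301|explorer.exe|WRITE|C:\Users\p.koval\Downloads\photos.zip
2017-06-27T10:45:30|WS-0207|3301|explorer.exe|WRITE|C:\Users\p.koval\Documents\notes.docx
2017-06-27T10:46:10|WS-0207|3301|explorer.exe|WRITE|C:\Users\p.koval\Documents\budget.xlsx
"""


def parse_events(text):
    """Parse pipe-delimited event lines; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, host, pid, process, action, path = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "host": host,
                "pid": int(pid),
                "process": process,
                "action": action,
                "path": path,
            })
        except ValueError:
            continue  # unparseable timestamp or pid
    return events


def detect_bursts(events, window_seconds=60, min_distinct_ext=5):
    """Flag (host, pid, process) actors that write or rename files of at least
    `min_distinct_ext` different watched extensions within `window_seconds`.
    One alert per actor, reporting the peak of a sliding time window."""
    by_actor = defaultdict(list)
    for ev in events:
        ext = ntpath.splitext(ev["path"])[1].lower()  # handles Windows separators
        if ev["action"] in ("WRITE", "RENAME") and ext in WATCHED_EXTENSIONS:
            by_actor[(ev["host"], ev["pid"], ev["process"])].append((ev["ts"], ext))

    alerts = []
    for (host, pid, process), items in by_actor.items():
        items.sort()
        in_window = defaultdict(int)  # extension -> occurrences inside the window
        start = 0
        best = None
        for ts, ext in items:
            in_window[ext] += 1
            # Advance the left edge until every item fits within the window.
            while (ts - items[start][0]).total_seconds() > window_seconds:
                old_ext = items[start][1]
                in_window[old_ext] -= 1
                if in_window[old_ext] == 0:
                    del in_window[old_ext]
                start += 1
            distinct = len(in_window)
            if distinct >= min_distinct_ext and (
                best is None or distinct > best["distinct_extensions"]
            ):
                best = {
                    "host": host, "pid": pid, "process": process,
                    "distinct_extensions": distinct,
                    "extensions": sorted(in_window),
                    "window_start": items[start][0].isoformat(),
                    "window_end": ts.isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed events, only the rundll32.exe actor on WS-0113 trips the threshold (six distinct extensions in thirteen seconds); WINWORD.EXE and explorer.exe touch too few types to be flagged. Thresholds are tuned per environment: file servers and backup agents legitimately touch many types, so an allow-list of known processes usually accompanies a rule like this.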

Oh, and Oracle files. Remember Oracle pushed a 299-vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required tax application software MEDoc. If the taxes to be calculated were based on a business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on their Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of an entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Given the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.


NotPetya’s attack didn’t happen in a vacuum, either.

Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets seized included part of mobile communications company MTS. It’s likely this court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recalling this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (CSCO, +1.07%) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?

From Long Island and Maryland with Love

Yet another Trump-Russia-related story dropped after regular business hours, this time in a holiday news dump zone. But after weeks of big stories dropping later in the day, we’re all conditioned to hold off our cocktails.

The Washington Post article had two tidbits I found interesting (Marcy tackles the anonymous letter at the root of the story). First, Russian Ambassador Kislyak’s reaction to Trump son-in-law and transition team member Jared Kushner’s proposal to establish a backchannel between Trump’s team and Russia.

Kislyak reportedly was taken aback by the suggestion of allowing an American to use Russian communications gear at its embassy or consulate — a proposal that would have carried security risks for Moscow as well as the Trump team.

Yeah. Not the first time Russian agents found American behavior sketchy. Recall the 2015 arrest of three Russian spies in New York? Evgeny Buryakov was really skeptical about his American contact’s insistence on casino business, and with good reason. Kislyak sounds just as skeptical about Kushner’s request in today’s WaPo piece.

And then this bit:

Russia would also have had reasons of its own to reject such an overture from Kushner. Doing so would require Moscow to expose its most sophisticated communications capabilities — which are likely housed in highly secure locations at diplomatic compounds — to an American.

Remember Obama’s last sanctions on Russia, ordered December 29? They included evicting two diplomatic compounds — one in Long Island, another in Maryland (back to this Maryland compound in a moment). What are the chances these evictions were not only punitive but also a deterrent to their use for backchannel communications?

I’ve wondered for a while now about the communications methods Russian spies have used in the U.S., pondering about them in my post about 2015’s three-man spy ring. What might have been left behind after the last Obama administration sanctions?

Now back to Maryland and that storied Pioneer Point estate on the water, used by putative Russian diplomats as their dacha away from the hubbub of Washington D.C. It’s a lovely place, conveniently located near Annapolis, not an overly long drive from D.C., delightful waterfront for boating.

And only a hop-skip-jump across the Chesapeake Bay Bridge or a boat ride over the bay from Strategic Campaign Group (SCG) at 191 Main St #310, Annapolis — an address about a block from docks and waterfront restaurants. You may recall SCG was raided earlier this month in relation to reported conservative fundraising scams. Just so happens SCG has ties to Paul Manafort and to the Trump organization by former employee James Perry. At the time of the raid, the FBI said SCG was under investigation for fundraising related to a 2013 race.

I’m sure the proximity of SCG to the Russians’ Pioneer Point dacha is just a coincidence. But squirrel away the location for future reference.

Off to have the first holiday weekend cocktail — and no, it’s not a White Russian or a Moscow Mule. Have a good one!

UPDATE — 9:50 p.m. EDT —
Reuters dropped another one about a half-hour ago. Really, Jared? You can’t recall three additional contacts with Russian ambassador Kislyak? You’re really going to make Jamie Gorelick torch her reputation with this “dog ate my homework” prevarication? Are you really so clueless about communications collection? Because if you are, that’s as big a reason for your security clearance to be yanked as your lying has been. Somebody terminate his clearance immediately, please, whether he’s a target of the investigation or not.

I need another cocktail. Race you to the bar. If only we could make Jared buy us all a round.

Minority Report: A Look at Timing of WannaCry and Trump’s Spillage

CAVEAT: Note well these two points before continuing —

1) Check the byline; this is Rayne, NOT Marcy; we may have very different opinions on matters in this post.

2) This post is SPECULATIVE. If you want an open-and-shut case backed by unimpeachable evidence this is not it. Because it addresses issues which may be classified, there may never be publicly-available evidence.

Moving on…

Like this past week’s post on ‘The Curious Timing of Flynn Events and Travel Ban EO‘, I noticed some odd timing and circumstances. Event timing often triggers my suspicions and the unfolding of the WannaCry ransomware attack did just that. WannaCry didn’t unfold in a vacuum, either.

Timeline (Italics: Trump spillage)

13-AUG-2016 — Shadow Brokers dumped first Equation Group/NSA tools online

XX-XXX-201X — Date TBD — NSA warned Microsoft about ETERNALBLUE, the exploit which Microsoft identified as MS17-010. It is not clear from the report if this warning occurred before/after Trump’s inauguration.

XX-FEB-2017 — Computer security firm Avast Software Inc. said the first variant of WannaCry was initially seen in February.

14-MAR-2017 — Microsoft released a patch for vulnerability MS17-010.

14-APR-2017 — Easter weekend — Shadow Brokers dumped Equation Group/NSA tools on the internet for the fifth time, including ETERNALBLUE.

(Oddly, no one noted the convenience to Christian countries celebrating a long holiday weekend; convenient, too, that both western and eastern Orthodox Christian sects observed Easter on the same date this year.)

10-MAY-2017 — White House meeting between Trump, Foreign Minister Sergei Lavrov, and Ambassador Sergey Kislyak. No US media present; Russian media outlet TASS’ Washington bureau chief and a photographer were, however.

12-MAY-2017 — ~8:00 a.m. CET — Avast noticed increased activity in WannaCry detections.

[graphic: Countries with greatest WannaCry infection by 15-MAY-2017; image via Avast Software, Inc.]

12-MAY-2017 — 3:24 a.m. EDT/8:24 a.m. BST London/9:24 a.m. CET Madrid/10:24 a.m. MSK Moscow — early reports indicated telecommunications company Telefonica had been attacked by malware. Later reports by Spanish government said, “the attacks did not disrupt the provision of services or network operations…” Telefonica said the attack was “limited to some computers on an internal network and had not affected clients or services.”

12-MAY-2017 — 10:00 a.m. CET — WannaCry “escalated into a massive spreading,” according to Avast.

12-MAY-2017 — timing TBD — Portugal Telecom affected as was UK’s National Health Service (NHS). “(N)o services were impacted,” according to Portugal Telecom’s spokesperson. A Russian telecom firm was affected as well, along with the Russian interior ministry.

12-MAY-2017 — ~6:23 p.m. BST — Infosec technologist MalwareTechBlog ‘sinkholes’ a URL to which WannaCry points during execution. The infection stops spreading after the underlying domain is registered.

13-MAY-2017 — Infosec specialist MalwareTechBlog posts a tick-tock and explainer outlining his approach to shutting down WannaCry the previous evening.

15-MAY-2017 — ~5:00 p.m. EDT — Washington Post reported Trump disclosed classified “code worded” intelligence to Lavrov and Kislyak during his meeting the previous Wednesday.

16-MAY-2017 — National Security Adviser H. R. McMaster said “I wanted to make clear to everybody that the president in no way compromised any sources or methods in the course of this conversation” with Lavrov and Kislyak. But McMaster did not say information apart from sources or methods had been passed on; he did share that “‘the president wasn’t even aware of where this information came from’ and had not been briefed on the source.”

The information Trump shared spontaneously with the Russian officials was related to laptop bomb threats originating from a specific city inside ISIS-held territory. The city was not named by media though it was mentioned by Trump.

16-MAY-2017 — Media outlets reported Israel was the ally whose classified intelligence was shared by Trump.
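The 12-MAY-2017 sinkhole entry in the timeline above has a defender-side corollary: once the name the worm looks up is sinkholed, the resolver log becomes a roster of hosts that ran the code path querying it. The following is an added example, not code from the post or from MalwareTech; it assumes a BIND-style query-log format, uses a placeholder domain rather than the real WannaCry kill-switch name, and the log lines are constructed:

```python
"""Sinkhole-hit triage over constructed DNS resolver logs.

Added example; not code from the post or from MalwareTech. Any internal
client that resolved the sinkholed name ran the code path that queries it,
so per-client hit counts and first-seen times give an infection roster.
The domain is a PLACEHOLDER, the log format is assumed (BIND-like), and
the log lines are constructed.
"""
import re

# PLACEHOLDER: substitute the actual sinkholed indicator from your intel feed.
SINKHOLED_DOMAIN = "sinkholed-killswitch.example"

# Assumed BIND-style query log line:
# <timestamp> client <ip>#<port>: query: <qname> IN <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample log. Note the mixed case, the trailing root dot and the
# look-alike name, all of which a naive substring match would get wrong.
SAMPLE_LOG = """\
2017-05-12T10:31:02Z client 10.20.4.17#51233: query: intranet.example.local IN A
2017-05-12T10:31:05Z client 10.20.4.17#51240: query: sinkholed-killswitch.example IN A
2017-05-12T10:31:06Z client 10.20.4.23#40122: query: sinkholed-killswitch.example IN A
2017-05-12T10:31:09Z client 10.20.4.17#51241: query: sinkholed-killswitch.example IN A
2017-05-12T10:32:44Z client 10.20.7.9#60001: query: www.example.org IN A
2017-05-12T10:33:10Z client 10.20.4.23#40130: query: SINKHOLED-KILLSWITCH.example. IN A
2017-05-12T10:33:12Z client 10.20.7.9#60002: query: notsinkholed-killswitch.example IN A
this line is not a query record and is skipped
"""


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict for a query record, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "qname": normalize_name(m["qname"]),
        "qtype": m["qtype"],
    }


def sinkhole_hits(log_text, domain=SINKHOLED_DOMAIN):
    """Return {client_ip: {"count": n, "first_seen": ts}} for clients that
    queried exactly `domain`; subdomains and look-alike names do not match."""
    target = normalize_name(domain)
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != target:
            continue
        entry = hits.setdefault(rec["src"], {"count": 0, "first_seen": rec["ts"]})
        entry["count"] += 1
        # Same-shape ISO-8601 UTC timestamps compare correctly as strings.
        if rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return hits


def triage_order(hits):
    """Earliest first-seen first: the likeliest patient zero on the LAN."""
    return sorted(hits, key=lambda ip: hits[ip]["first_seen"])


if __name__ == "__main__":
    hits = sinkhole_hits(SAMPLE_LOG)
    for ip in triage_order(hits):
        print(ip, hits[ip])
```

Exact-name matching matters: a substring test would also flag the constructed look-alike query from 10.20.7.9, while a case-sensitive comparison would miss the upper-cased query from 10.20.4.23. In practice the roster feeds isolation and patching of the listed hosts, since a successful kill-switch lookup stops spreading but does not remove the infection.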

Attack attribution

You’ll recall I was a skeptic about North Korea as the source of the Sony hack. There could be classified information cinching the link, but I don’t have access to it. I remain skeptical since Sony Group’s entities leaked like sieves for years.

I’m now skeptical about the identity of the hacker(s) behind WannaCry ransomware this past week.

At first it looked like Russia given Cyrillic character content within the malware. But this map didn’t make any sense. Why would a Russian hacker damage their own country most heavily?

[graphic: WannaCry distribution; image via BBC]

The accusations have changed over time. North Korea has been blamed as well as the Lazarus Group. Convenient, given the missile test this past week which appeared focused on rattling Russia while President Putin was attending a conference in China. And some of the details could be attributed to North Korea.

But why did the ransomware first spread in Spain through telecom Telefonica? Why did it spread to the UK so quickly?

This didn’t add up if North Korea is the origin.

Later reports said the first infections happened in western Asia; the affected countries still don’t make sense if North Korea is the perpetrator, and/or China was their main target.

Malware capability

Given the timing of the ransomware’s launch and the other events also unfolding concurrently — events we only learned about last evening — here’s what I want to know:

Can vulnerability MS17-010, on which WannaCry was based, be used as a remote switch?

Think about the kind and size of laptops still running Windows XP and Windows 8, the operating systems Microsoft had not patched for the Server Message Block 1.0 (SMBv1) vulnerability. They’re not the slim devices on which Windows 10 runs; they’re heavier, more often have hard disk drives (HDDs) and bulkier batteries. I won’t go into details, but these older technologies could be replaced by trimmer technologies, leaving ample room inside the laptop case — room that would allow an older laptop to host other resources.

Let’s assume SMBv1 could be used to push software; this isn’t much of an assumption since this is what WannaCry does. Let’s assume the software looks for specific criteria and takes action or shuts down depending on what it finds. And again, it’s not much of an assumption based on WannaCry and the tool set Shadow Brokers have released to date.

Let’s assume that the software pushed via SMBv1 finds the right criteria in place and triggers a detonation.

Yes. A trigger. Not unlike Stuxnet in a way, though Stuxnet only injected randomness into a system. Nowhere near as complicated as WannaCry, either.

Imagine an old bulky laptop running Windows XP, kitted out internally as an IED, triggered by a malware worm. Imagine several in a cluster on the same local network.

Is this a realistic possibility? I suspect it is based on U.S. insistence that a thinly-justified laptop ban on airplanes is necessary.

Revisit timing

Now you may grasp why the timing of events this past week gave me pause, combined with the details of location and technology.

The intelligence Trump spilled to Lavrov and Kislyak had been linked to the nebulous laptop threat we’ve heard so much about for months — predating the inauguration. Some outlets have said the threat was “tablets and laptops” or “electronic devices” carried by passengers onto planes, but this may have been cover for a more specific threat. (It’s possible the MS17-010 has other counterparts not yet known to public so non-laptop threats can’t be ruled out entirely.)

The nature of the threat may also offer hints at why an ally’s assets were embedded in a particular location. I’ll leave it to you to figure this out on your own; this post has already spelled out enough possibilities.

Trump spilled, the operation must be rolled up, but the roll up also must include closing backdoors along the way to prevent damage if the threat has been set in motion by Trump’s ham-handed spillage.

Which for me raises these questions:

1) Was Shadow Brokers the force behind WannaCry — not just some hacker(s) — and not just the leaking of the underlying vulnerability?

2) Was WannaCry launched in order to force telecoms and enterprise networks, device owners, and Microsoft to patch this particular vulnerability immediately due to a classified ‘clear and present danger’?

3) Was WannaCry launched to prevent unpatched MS17-010 from being used to distribute either a malware-as-trigger, or to retaliate against Russia — or both? The map above shows a disproportionate level of impact suggesting Russia was a potential target if secondary to the operation’s aim. Or perhaps Russia screwed itself with the intelligence entities behind Shadow Brokers, resulting in a lack of advance notice before WannaCry was unleashed?

4) Was WannaCry launched a month after the Shadow Brokers’ dump because there were other increasing threats to the covert operation to stop the threat?

5) Are Shadow Brokers really SHADOW BROKERS – a program of discrete roll-up operations? Is Equation Group really EQUATION GROUP – a program of discrete cyber defense operations united by a pile of cyber tools? Are their interactions more like red and blue teams?

6) Is China’s response to WannaCry — implying it was North Korea but avoiding directly blaming them — really cover for the operation which serves their own (and Microsoft’s) interests?

The pittance WannaCry’s progenitor has raised in ransom so far and the difficulty in liquidating the proceeds suggest the ransomware wasn’t done for the money. Who or what could produce a snappy looking ransomware project and not really give a rat’s butt about the ransom?

While Microsoft complains about the NSA’s vulnerability hoarding, they don’t have much to complain about. WannaCry will force many users off older unsupported operating systems like XP, Win 7 and 8, and Windows Server 2003 in a way nothing else has done to date.

[graphic: 5-year chart, MSFT performance via Google Finance]

Mother’s Day ‘gift’?

I confess I wrestled with writing this; I don’t want to set in motion even more ridiculous security measures that don’t work simply because a software company couldn’t see their software product had an inherent risk, and at least one government felt the value of that risk as a tool was worth hiding for years. It’s against what I believe in — less security apparatus and surveillance, more common sense. But if a middle-aged suburban mom in flyover country can line up all these ducks and figure out how it works, I couldn’t just let it go, either.

Especially when I figured out the technical methodology behind a credible threat on Mother’s Day. Don’t disrespect the moms.

Three Things: Day 6, Bombs Away, Get Carter 2

As long as my schedule permits I’ll continue to post Three Things each day at least through next Tuesday. Here we go…

Day 6: Countdown to Tax Day deadline continues
There’s a clear trend in interest about Trump’s tax returns since the election, with a spike reflecting two pages leaked from Trump’s 2005 return on Rachel Maddow’s show last month. Stretching the Google Trends period out to five years, a seasonal bump can be seen each year. This year’s seasonal bump is completely distorted by discussion of Trump’s returns.

59 Tomahawk missiles launched at Syria and a GBU-43/B MOAB dropped on Afghanistan aren’t going to change this picture. Where are your tax returns, Trump?

Bombs away
Speaking of missiles and bombs, I sure hope somebody is watching transactions related to military industrial complex stocks. The image here includes just three companies, one of which is Raytheon, the maker of Tomahawk missiles, in which Trump may or may not own shares. How convenient for shareholders of record last Friday that the stock went ex-dividend this Monday, after a spike in price late last week when 59 missiles were aimed just off a Syrian runway.

Considering both Russia and Syria knew in advance the US was deploying missiles, one would be foolish not to wonder if anyone with a vested interest in NYSE:RTN or competitors might also have known in advance to buy before the 01:40 UTC launch with a sell order for Monday’s open. For those of you mentally checking off time zones of key cities and major stock markets:

Damascus Fri 07-APR-2017 4:40:00 am EEST UTC+3 hours
Washington DC Thu 06-APR-2017 9:40:00 pm EDT UTC-4 hours
Moscow Fri 07-APR-2017 4:40:00 am MSK UTC+3 hours
Tokyo Fri 07-APR-2017 10:40:00 am JST UTC+9 hours
Shanghai Fri 07-APR-2017 9:40:00 am CST UTC+8 hours
Corresponding UTC(GMT) Fri 07-APR-2017 01:40:00

Get Carter 2
I’d much rather talk about a second installment of the 1971 movie featuring Michael Caine but no, it’s all about Carter Page and his less-than-stellar ability to prevaricate about his dealings with Russians. While quizzed by ABC’s George Stephanopoulos about the chances sanctions were discussed by Page and Russians during the 2016 campaign season, Carter replied, “Something may have come up in a conversation…”

Uh-huh. Imagine somebody at the FBI cutting to a taped conversation or two at that point. Page insists he didn’t ask or offer about the sanctions, but he’s wholly unconvincing. It’s no wonder at all that the known Russian spies in the Buryakov case were skeptical about Page, a.k.a. ‘Male-1’. Whatever Page claims, there was enough there to pass the threshold requirements for a FISA warrant.

Why is Page talking to media now anyhow? Is he somebody’s canary-in-the-coal-mine? Definitely not a FISA warrant canary.

That’s Three Things. By the way: about 22 percent of taxpayers wait until the last two weeks before the deadline to file. Tick-tock — only a handful of hours until Day 5 before deadline.

(p.s. treat this like an open thread)

Of Spies and Casinos

[photo: liebeslakritze via Flickr]

Many have forgotten the case of Russian spies arrested in the U.S.

Not the ten from the Illegals Program sleeper cell spy ring rounded up in 2010, whose integration into the U.S. formed the backbone of the cable drama, The Americans.

No, the ones in New York City who attempted to recruit college students and collect economic intelligence.

Three in total were arrested a year ago January — Evgeny Buryakov, Igor Sporyshev and Victor Podobnyy — the latter two shipped out as they were here under diplomatic visas while the first was prosecuted and jailed.

The story is rather interesting though it didn’t garner much attention outside New York. The spies were tasked with not only recruiting but gathering intelligence in the financial sector about market destabilization and the status of development and investment in alternative energy.

Buryakov, who was not under diplomatic protection, wasn’t the sharpest pencil in the box. He was a little put out at having a less than glamorous gig, and he was rather imprudent. He was recorded easily, and his words used as evidence against him.

One interesting bit was thinly fleshed out in the USDOJ’s complaint.

Buryakov toured casinos in Atlantic City.

But which casinos?

In July 2014, a confidential contact working on behalf of the FBI, “posed as the representative of a wealthy investor looking to work with Bank-1 [the Russian bank for which Buryakov posed as an employee] to develop casinos in Russia,” and approached Buryakov about casino development in Russia. A tour of Atlantic City casinos was taken in August.

Combing through the complaint looking for the colleges from which they attempted to recruit revealed no mention of Trump University.

But the casinos visited aren’t clear. The Trump Plaza (closed September 2014) or the Trump Taj Mahal (closed October 2016) can’t be ruled out as sites visited by Buryakov — the Plaza closed only a few weeks later.

The skepticism with which they viewed the casino gambit was amusing (excerpt from complaint, p. 23-24):

It was a trap, just as suspected; did the confidential source not give off the right vibe, or were the Russians skeptical of any investment in casinos developed in Russia? Trump, after all, didn’t get his Trump Towers Moscow off the ground even after his 2013 trip for the Miss World Pageant. Did the skepticism worry the FBI that they might lose their targets? Or did the FBI finally have enough of toying with these guys and decide it was time to drop the hammer? Was there some other trigger which forced the FBI to wrap up this investigation?

A few other points worth noting:

• “Others known and unknown” were also involved in spying or supporting spies but were not included in the warrant according to the complaint (ex: CC-1 and CC-2 in complaint). Who were they and where are they now? Has the FBI continued to watch them? Were any of them among the Russians who were escorted out of the U.S. after former president Obama announced new sanctions this past December?

• “And then Putin even tried to justify that they weren’t even tasked to work, they were sleeper cells in case of martial law,” Victor Podobnyy remarked in a conversation about the Illegals Program sleeper cells. What did he mean by, “in case of martial law”? Is this a continuing concern with regard to any remaining undetected sleeper cells?

• A “leading Russian state-owned news organization” was mentioned in the complaint, “used for intelligence gathering purposes.” Which news outlet was this? How did this news organization figure into advanced methods used by this operation? It would be interesting to know if this was RT (formerly Russia Today) given Michael Flynn’s and Jill Stein’s attendance at an RT event in December 2015.

• The spies used an office in Manhattan for conveying information to their superiors. How was this done apart from phone calls; what technology and networks if any were involved?

There’s an important bit about aeronautics, but I’ll tackle that in another post. It’s important enough to be broken out on its own.

Oh, one last thing about this case: timing.

— On January 21, 2016 the UK’s public inquest announced its final conclusions into the PO-210 poisoning death of Alexander Litvinenko, attributing the murder to orders from the top of Russia’s FSB — including Vladimir Putin.

— The next day, January 22, the UK froze the assets of the escaped henchmen accused of the poisoning while seeking their extradition.

— A sealed complaint and a request for warrants were filed in the Southern District of New York for the three Russian spies on January 23, 2016.

— The arrests of the spies were reported publicly on January 26, 2016.

These events on either side of the Atlantic didn’t happen in a vacuum. The casino tour and the hand-off of government documents happened nearly six months before the complaint and warrants were filed and issued. But the Litvinenko inquest conclusion and the arrests happened within a couple of days — mere hours apart.

It shouldn’t be surprising to find coordinated retaliation occurred against both the UK and the US.

Long Island Iced Tea

I love maps. They often reveal things quickly and simply in a way text cannot. Like this map I’ve pulled together showing two points recently in the news.

To the right, Groton, Connecticut, where the U.S. has a naval facility.

To the left, Glen Cove, New York — the location of a waterfront compound, Killenworth Mansion, owned for decades by Russia. The site was used for electronic spying according to the Reagan administration. A second compound, Norwich House, located five miles away in Upper Brookville, was vacated in December after former president Obama issued new sanctions on Russia in response to alleged interference in the U.S. 2016 presidential election.

Multiple news reports yesterday noted a Russian spy ship “loitering” approximately 30 miles south of Groton, near Long Island’s shoreline, in international waters.

But none of them mentioned the ship was approximately 60-80 miles from the site of the Russian government compounds.

Huh. What an interesting coincidence that this Russian vessel didn’t loiter near any of the more than a dozen naval facilities along the east coast. Granted, Groton is home to the Naval Submarine Base New London, home to the Navy’s subs on the east coast.

But is this submarine base more interesting than any of the Navy facilities in Maryland, Virginia, Florida? Not to mention Rhode Island, South Carolina or Georgia. Nor did the spy ship hang around near the other waterfront facility located in Maryland that Russia was forced to vacate in December.

It’s almost as if the Russians left something behind on Long Island and were looking for it.

Or listening for it.

UPDATE — 5:38 p.m. EST: Here’s another nifty map depicting existing and planned submarine communications cables landing in the northeast US. Fun stuff! I wonder which one carries the most financial data to/from Wall Street to overseas markets…

Submarine communications cables, northeast US, 2016 (via Greg’s Cable Map at cablemap.info)

Monday: A Border Too Far

In this roundup: Turkey, pipelines, and a border not meant to be crossed.

It’s nearly the end of the final Monday of 2016’s General Election campaign season. This shit show is nearly over. Thank every greater power in the universe we made it this far through these cumulative horrors.

Speaking of horrors, this Monday’s movie short is just that — a simple horror film, complete with plenty of bloody gritty gore. Rating on it is mature, not for any adult content but for its violence. The film is about illegal immigrants who want more from life, but it plays with the concepts of alien identity and zombie-ism. Who are the illegals, the aliens, the zombies? What is the nature of the predator and their prey? Does a rational explanation for the existence of the monstrous legitimize the horror they perpetuate in any way?

The logline for this film includes an even shorter tag line: Some borders aren’t meant to be crossed. This is worth meditating on after the horrors we’ve seen these past six months. Immigrants and refugees aren’t the monsters. And women aren’t feeble creatures to be marginalized and counted out.

Should also point out this film’s production team is mostly Latin American. This is the near-future of American storytelling and film. I can’t wait for more.

Tough Turkey
The situation in Turkey is extremely challenging, requiring diplomacy a certain Cheeto-headed candidate is not up to handling and will screw up if he places his own interests ahead of that of the U.S. and the rest of the world.

  • Luxembourg’s foreign minister compares Erdoğan’s purge to Nazi Germany (Deutsche Welle) — Yeah, I can’t argue with this when a political party representing an ethnic minority and a group sharing religious dogma are targeted for removal from jobs, arrest and detention.
  • Op-Ed: Erdoğan targeting critics of all kinds (Guardian) — Yup. Media, judges, teachers, persons of Kurdish heritage or Gulenist religious bent, secularists, you name it. Power consolidation in progress. Democracy, my left foot.
  • HDP boycotts Turkish parliament after the arrest of its leaders (BBC) — Erdoğan claimed the arrested HDP leaders were in cahoots with the PKK, a Kurdish group identified as a terrorist organization. You’ll recall HDP represents much of Turkey’s Kurdish minority. But Erdoğan also said he doesn’t care if the EU calls him a dictator; he said the EU abets terrorism. Sure. Tell the cities of Paris and Brussels that one. Think Erdoğan has been taking notes from Trump?
  • U.S. and Turkish military leaders meet to work out Kurd-led ops against ISIS (Guardian) — Awkward. Turkish military officials were still tetchy about an arrangement in which Kurdish forces would act against ISIS in Raqqa, Syria, about 100 miles east of Aleppo. The People’s Protection Units (YPG) militia — the Kurdish forces — will work in concert with Arab members of Syrian Democratic Forces (SDF) coalition in Raqqa to remove ISIS. Initial blame aimed at the PKK for a car bomb after HDP members were arrested heightened existing tensions between Erdoğan loyalists and the Kurds, though ISIS later took responsibility for the deadly blast. Depending on whose take one reads, the Arab part of SDF will lead the effort versus any Kurdish forces. Turkey attacked YPG forces back in August while YPG and Turkey were both supposed to be routing ISIS.

In the background behind Erdoğan’s moves to consolidate power under the Turkish presidency and the fight to eliminate ISIS from Syria and neighboring territory, there is a struggle for control of oil and gas moving through or by Turkey.

Russia lost considerable revenue after oil prices crashed in 2014. A weak ruble has helped, but to replace lost revenue based on oil’s price, Russia has increased output to record levels. Increased supply only reduces price, especially when Saudi Arabia, OPEC producers, and Iran cannot agree upon and implement a production limit. If Russia will not likewise agree to production curbs, oil prices will remain low and Russia’s revenues will continue to flag.

Increasing pipelines for both oil and gas could bolster revenues, however. Russia can literally throttle supply near its end of hydrocarbon pipelines and force buyers in the EU and everywhere in between to pay higher rates — the history of Ukrainian-Russian pipeline disputes demonstrates this strategy. Bypassing Ukraine altogether would help Russia avoid both established rates and conflict there with the west. The opportunities encourage Putin to deal with Erdoğan, renormalizing relations after Turkey shot down a Russian jet last November. Russia and Turkey had met in the summer of 2015 to discuss a new gas pipeline; they’ve now met again in August and in October to return to plans for funding the same pipeline.

A previous pipeline ‘war’ between Russia and the west ended in late 2014. This conflict may only have been paused, though. Between Russia’s pressure to sell more hydrocarbons to the EU, threats to pipelines from PKK-attributed terrorism and ISIS warfare near Turkey’s southwestern border, and implications that Erdoğan has been involved in ISIS’ sales of oil to the EU, Erdoğan may be willing to drop pursuit of EU membership to gain more internal control and profit from Russia’s desire for more hydrocarbon revenues. In the middle of all this mess, Erdoğan has expressed a desire to reinstate the death penalty for alleged coup plotters and dissenters — a border too far for EU membership, since the death penalty is not permitted by EU law.

This situation requires far more diplomatic skill than certain presidential candidates will be able to muster. Certainly not from a candidate who doesn’t know what Aleppo is, and certainly not from a candidate who thinks he is the only solution to every problem.

Cybery miscellany

That’s it for now. I’ll put up an open thread dedicated to all things election in the morning. Brace yourselves.

Tuesday: Disinfowar Dust Up

In this roundup: Disinfowar, fossil fuels’ finale, pipeline problems, and a longish short about evolving hope.

The embedded feature video here, Dust by Ember Lab, won a number of awards last year. It’s a gritty blend of real and fantasy, and the closest thing to an American feature film with an Asian lead (there were no true feature-length films with an Asian/Asian-American lead or co-lead last year). It’s a little exposition dense, but this is integral to the challenge of world-building for a sci-fi/fantasy story. I wouldn’t be a bit surprised to see this story extended into a true feature or a series.

Disinfowar
If you haven’t already read Marcy’s latest piece today, you should do so soon. We are now deep in disinfo slung by multiple parties.

The one thing that niggles at me about WikiLeaks’ involvement in this latest volley of disinfo: why didn’t WikiLeaks release the Podesta emails when they originally said they were going to do so?

Or was skanky political operative Roger Stone blowing more disinfo out his ass when he tweeted about the impending Wikileaks’ release?

And how does the concurrent “Trump pussy grab” video story interleave with the WikiLeaks’ disinformation? Let’s take a look at the timing.

Early September — WikiLeaks’ Julian Assange claims to have documents damaging to Hillary Clinton which would be released before the election.

30-SEP-2016 Friday — WikiLeaks cancels release of an info dump on Hillary Clinton due to alleged security concerns. The info dump has been framed by some as a potential ‘October surprise’.

02-OCT-2016 Sunday — 12:52 am: Roger Stone tweets “Wednesday@HillaryClinton is done”.

03-OCT-2016 Monday — Unspecified time: A producer at NBC entertainment outlet Access Hollywood remembers video of Trump with Billy Bush.

03-OCT-2016 Monday — 5:55 pm: AP publishes story, “‘Apprentice’ cast and crew say Trump was lewd and sexist.”

04-OCT-2016 Tuesday — Date of canceled WikiLeaks’ info dump.

Midweek (no date/day given) — Access Hollywood’s executive producer Rob Silverstein and team have reviewed the video. A script is prepared for airing of video, but it will not appear Friday evening before the next presidential debate on Sunday.

05-OCT-2016 Wednesday — No WikiLeaks’ info dump.

07-OCT-2016 Friday — First thing in the morning, Access Hollywood was still working on story; an NBC source said the story “wasn’t quite finalized.”

07-OCT-2016 Friday — Noon: Washington Post’s David Fahrenthold asks NBC for a comment on the Trump/Billy Bush tape which had been leaked to him by unnamed source(s).

07-OCT-2016 Friday — 2-4:00 pm (approximately, exact publication time to be confirmed): Washington Post runs Fahrenthold’s story, “Trump recorded having extremely lewd conversation about women in 2005.”

07-OCT-2016 Friday — 11:03 pm: WikiLeaks tweets link to “The #PodestaEmails Part 1.”

09-OCT-2016 Sunday — 9:50 pm: During the second presidential debate, Wikileaks tweets, “Hillary Clinton just confirmed the authenticity of our #PodestaEmails release of her paid speeches excerpts.”

10-OCT-2016 Monday — 9:36 am: WikiLeaks tweets link with “RELEASE: The #PodestaEmails part two: 2,086 new emails.”

A Google Trends snapshot of key words from these two stories also tells the story. To be fair, though ‘pussy’ spiked on Friday, it’s a pretty popular internet search term (in case this had not occurred to some of our readers).

[Source: Google Trends – compare terms: ‘wikileaks’ (blue), ‘hillary’ (red), ‘podesta’ (yellow), ‘pussy’ (green), ‘billy bush’ (purple)]

Really convenient timing, no matter the validity of the content in the emails.

Wheels

  • Germany’s upper house of parliament wants combustion engine cars off the roads by 2030 (Reuters) — This is one of the most important stories so far this year: one of the largest single nation economies in the world wants to end use of gasoline- and diesel-fueled vehicles within its borders inside 18 years. How will this impact Volkswagen Group, the largest automaker in EU? At least VW now has impetus to move completely away from its failed passenger diesel engines. Political parties across the Bundesrat, the upper house, support ending sales of combustion engine vehicles. What next steps Germany will take is unclear as is the next possible response by the EC in Brussels.
  • VW’s CEO Matthias Mueller knew nothing about passenger diesel vehicle scandal (Reuters) — Might be plausible that Mueller didn’t know anything about VW and Bosch tweaking engine control units to defeat emissions standards since Mueller was the head of Porsche before VW Group appointed him to replace Martin Winterkorn. And we all know Porsche isn’t the first brand you’d seek when shopping for either passenger diesel vehicles or fuel efficiency.
  • Fiat Chrysler and Canadian union Unifor avoid a strike (Detroit Free Press) — The deal includes updates to two plants and a restructuring of workers’ wage scale while working around the impending demise of the Chrysler 200 and Dodge Dart car models. No mention of self-driving/autonomous cars in FCA’s future lineup, if any.

Pipe meets face

  • Russian facial recognition software IDs 73% of people out of a million-person database (Wall Street Journal) — This application developed by startup NTechLab beat Alphabet’s facial recognition software. This gives me the fecking creeps, especially considering the countries interested in buying this software.
  • Facial recognition app failed when used at pipeline protest (Indian Country) — A Crow Creek Tribe activist found he had been ‘identified’ as a pipeline protester by facial recognition software though he had been at a family event elsewhere during the time he was alleged to participate in the protest.
  • Pipeline construction work resumes after appeals court ruling against tribes (ABC News) — In a stunningly callous move, U.S. Court of Appeals for the D.C. Circuit issued a decision Sunday evening — before Columbus Day, the observation which offends Native Americans — denying Native American tribes’ request for an injunction to stop construction of the Dakota Access Pipeline. Work on the pipeline picked up again today, though the tribes vow to continue their protests. Protesters were arrested yesterday for trespassing, including actor Shailene Woodley. Woodley may have been selected in particular because of her high media profile and because she was streaming the protest online.

Longread: Asymmetry’s role in Trump’s rise
Worth reading NYU’s Jay Rosen on media’s inability to deal with asymmetry in the U.S. political system, and how this permitted Trump’s elevation as a presidential candidate. Personally, I take issue with the concept that the “GOP has become an insurgent outlier in American politics.” In a two-party system where nearly half the population identifies with either one of these parties, neither of the two parties can be insurgent or an outlier.

Instead, this asymmetry — the departure from the past equivalency of either of these two major parties — results from the application of the Overton Window over decades to move nearly half the population toward a more conservative consensus. Applied too much, too often, and nearly half the population has adopted an ideology which is incompatible with the values espoused by a critical mass of this nation before the Overton Window was applied.

And the media, like meteorologists focusing on the day’s weather — is it cloudy or sunny? rain or shine? — missed the entire shift of the political climate toward fascism. Rather like the financial crisis of 2008, for that matter, when they failed to adequately look at the big picture before the entire economy went over the cliff.

That’s a wrap. Make sure you’re registered to vote, as many states have deadlines today. Check in with the housebound and with college students to see if they are registered and encourage use of absentee ballots where appropriate. Absentee voting has begun in some states.