Posts

[Some of] Where Trump Wants to Go with the Server in Ukraine Story

/127 Comments/in , , , /by

As I emphasized in this post, before Trump pushed Volodymyr Zelensky to frame Hunter Biden, he first pressed Ukraine’s president to “get to the bottom” of the “what happened with this whole situation with Ukraine.”

The President: I would like you to do us a favor though because our country has been through a lot and Ukraine knows a lot about it. I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike … I guess you have one of your wealthy people… The server, they say Ukraine has it. There are a lot of things that went on, the whole situation. I think you are surrounding yourself with some of the same people. I would like to have the Attorney General call you or your people and I would like you to get to the bottom of it. As you saw yesterday, that whole nonsense ended with a very poor performance by a man named Robert Mueller, an incompetent performance, but they say a lot of it started with Ukraine. Whatever you can do, it’s very important that you do it if that’s possible.

Contrary to virtually all the coverage on this, there is reason to believe that Bill Barr can get information from Ukraine that will feed the disinformation about the Russian operation. Trump has obviously been told — and not just by Rudy Giuliani (as Tom Bossert believes) — to ask for this, but some of this is probably part of the disinformation that Russia built in to the operation.

Rudy Giuliani wants to frame Alexandra Chalupa

This morning, Rudy Giuliani explained that he wants to know who in Ukraine provided information damning to Trump during the 2016 campaign.

GIULIANI: I have never peddled it. Have you ever hear me talk about Crowdstrike? I’ve never peddled it. Tom Bossert doesn’t know what he’s talking about. I have never engaged in any theory that the Ukrainians did the hacking. In fact, when this was first presented to me, I pretty clearly understood the Ukrainians didn’t do the hacking, but that doesn’t mean Ukraine didn’t do anything, and this is where Bossert…

STEPHANOPOULOS: So, why does the president keep repeating it?

GIULIANI: Let’s get on to the point…

STEPHANOPOULOS: Well, this was in the phone call.

GIULIANI: I agree with Bossert on one thing, it’s clear: there’s no evidence the Ukrainians did it. I never pursued any evidence and he’s created a red herring. What the president is talking about is, however, there is a load of evidence that the Ukrainians created false information, that they were asked by the Obama White House to do it in January of 2016, information he’s never bothered to go read. There are affidavits that have been out there for five months that none of you have listened to about how there’s a Ukrainian court finding that a particular individual illegally gave the Clinton campaign information. No one wants to investigate that. Nobody cared about it. It’s a court opinion in the Ukraine. The Ukrainians came to me. I didn’t go to them. The Ukrainians came to me and said…

STEPHANOPOULOS: When did they first come to you?

GIULIANI: November of 2016, they first came to me. And they said, we have shocking evidence that the collusion that they claim happened in Russia, which didn’t happen, happened in the Ukraine, and it happened with Hillary Clinton. George Soros was behind it. George Soros’ company was funding it.

This is an effort to frame Alexandra Chalupa, who while working as a DNC consultant in 2016 raised alarms about Paul Manafort. This is an effort that Trump has pursued since 2017 in part with a story first floated to (!!) Ken Vogel, an effort that key propagandist John Solomon was pursuing in May. Remember, too, that Chalupa was hacked separately in 2016, and believed she was being followed.

Peter Smith’s operation may have asked for help from a hacker in Ukraine

But per the transcript, this is not about Rudy, it’s about Barr. And even leaving Rudy’s antics aside, there is more that Trump may be after.

First, a fairly minor point, but possibly important. According to Charles Johnson, he advised Peter Smith to reach out to Weev for help finding Hillary’s deleted emails.

Johnson said he also suggested that Smith get in touch with Andrew Auernheimer, a hacker who goes by the alias “Weev” and has collaborated with Johnson in the past. Auernheimer—who was released from federal prison in 2014 after having a conviction for fraud and hacking offenses vacated and subsequently moved to Ukraine—declined to say whether Smith contacted him, citing conditions of his employment that bar him from speaking to the press.

At the time (and still, as far as I know), Weev was living in Ukraine. The Mueller Report says that his investigators never found evidence that Smith or Barbara Ledeen (or Erik Prince or Mike Flynn, who were also key players in this effort) ever contacted Russian hackers.

Smith drafted multiple emails stating or intimating that he was in contact with Russian hackers. For example, in one such email, Smith claimed that, in August 2016, KLS Research had organized meetings with parties who had access to the deleted Clinton emails, including parties with “ties and affiliations to Russia.”286 The investigation did not identify evidence that any such meetings occurred. Associates and security experts who worked with Smith on the initiative did not believe that Smith was in contact with Russian hackers and were aware of no such connection.287 The investigation did not establish that Smith was in contact with Russian hackers or that Smith, Ledeen, or other individuals in touch with the Trump Campaign ultimately obtained the deleted Clinton emails.

Weev is a hacker, but not Russian. So if Smith had reached out to Weev — and if Weev had given him any reason for optimism in finding the emails or even the alleged emails that Ledeen obtained — it might explain why Trump would believe there was information in Ukraine that would help him.

CrowdStrike once claimed its certainty on Russian attribution related to a problematic report on Ukraine

But that’s not the CrowdStrike tie.

At least part of the CrowdStrike tie — and what Zelensky actually could feed to Trump — pertains to a report they did in December 2016. They concluded that one of the same tools that was used in the DNC hack had been covertly distributed to Ukrainian artillery units, which (CrowdStrike claimed) led to catastrophic losses in the Ukranian armed forces. When the report came out — amid the December 2016 frenzy as President Obama tried to figure out what to do with Russia given the Trump win — CrowdStrike co-founder Dmitri Alperovitch pitched it as further proof that GRU had hacked the DNC. In other words, according to CrowdStrike, their high confidence on the DNC attribution was tied to their analysis of the Ukrainian malware.

In a now deleted post, infosec researcher Jeffrey Carr raised several problems with the CrowdStrike report. He correctly noted that CrowdStrike vastly overstated the losses to the Ukranian troops, which both an outside analyst and then the Ukranian Defense Ministry corrected. CrowdStrike has since updated its report, correcting the claim about Ukrainian losses, but standing by its analysis that GRU planted this malware as a way to target Ukrainian troops.

Carr also claimed to know of two instances — one, another security company, and the other, a Ukrainian hacker — where the tool was found in the wild.

Crowdstrike, along with FireEye and other cybersecurity companies, have long propagated the claim that Fancy Bear and all of its affiliated monikers (APT28, Sednit, Sofacy, Strontium, Tsar Team, Pawn Storm, etc.) were the exclusive developers and users of X-Agent. We now know that is false.

ESET was able to obtain the complete source code for X-Agent (aka Xagent) for the Linux OS with a compilation date of July 2015. [5]

A hacker known as RUH8 aka Sean Townsend with the Ukrainian Cyber Alliance has informed me that he has also obtained the source code for X-Agent Linux. [11]

Carr argued that since CrowdStrike’s attribution of the DNC hack assumed that only GRU had access to that tool, their attribution claim could no longer be trusted. At the time I deemed Carr’s objections to be worthwhile, but not fatal for the CrowdStrike claim. It was, however, damning for CrowdStrike’s public crowing about attribution of the DNC hack.

Since that time, the denialist crowd has elaborated on theories about CrowdStrike, which BuzzFeed gets just parts of here. Something that will be very critical moving forward but which BuzzFeed did not include, is that the president of CrowdStrike, Shawn Henry, is the guy who (while he was still at FBI) ran the FBI informant who infiltrated Anonymous, Sabu. Because the FBI reportedly permitted Sabu to direct Antisec to hack other countries as a false flag, the denialist theory goes, Henry and CrowdStrike must be willing to launch false flags for their existing clients. [See update below, which makes it clear FBI did not direct this.] The reason I say this will be important going forward is that these events are likely being reexamined as we speak in the grand jury that has subpoenaed both Chelsea Manning and Jeremy Hammond.

So Trump has an incentive to damage not just CrowdStrike’s 2016 reports on GRU, but also CrowdStrike generally. In 2017, Ukraine wanted to rebut the CrowdStrike claim because it made it look bad to Ukranian citizens. But if Trump gives Zelensky reason to revisit the issue, they might up the ante, and claim that CrowdStrike’s claims did damage to Ukraine.

I also suspect Trump may have been cued to push the theory that the GRU tool in question may, indeed, have been readily available and could have been used against the DNC by someone else, perhaps trying to frame Russia.

As I’ve noted, the GRU indictment and Mueller Report list 30 other named sources of evidence implicating the GRU in the hack. That list doesn’t include Dutch hackers at AIVD, which provided information (presumably to the Intelligence Community generally, including the FBI). And it doesn’t include NSA, which Bossert suggested today attributed the hack without anything from CrowdStrike. In other words, undermining the CrowdStrike claims would do nothing to undermine the overall attribution to Russia (though it could be useful for Stone if it came out before his November 5 trial, as the four warrants tied to his false statements relied on CrowdStrike). But it would certainly feed the disinformation effort that has already focused on CrowdStrike.

That’s just part of what Trump is after.

Update: Dell Cameron, who’s one of the experts on this topic, says that public accounts significantly overstate how closely Sabu was being handled at this time. Nevertheless, the perception that FBI (and Henry) encouraged Sabu’s attacks is out there and forms a basis for the claim that CrowdStrike would engage in a false flag attack. Here’s the chatlog showing some of this activity. Hammond got to the Brazilian target by himself.

What if Julian Assange Flipped?

/41 Comments/in , , , /by

I’ve said this before, I’ll say it again: I hope to hell Chelsea Manning’s advisors are cognizant of the ways her attempts to avoid testifying against Julian Assange may put her in unforeseen legal jeopardy.

I’m thinking of that anew given my consideration of what I consider to be a distant, but real, possibility: that the US government would offer Assange a plea deal on the current charge he faces in exchange for testimony in a range of other issues. The idea is crazy, but perhaps not as crazy as it sounds.

As I laid out in this post, it seems the US government has been carefully orchestrating the Assange arrest since Ecuador first applied for diplomatic status for him in 2017 in an attempt to exfiltrate him, possibly to Russia. They’re now on the clock, with (depending on which expert you ask) just 44 more days to lard on the additional charges multiple outlets have reported are coming. Meanwhile, he’s being held at Belmarsh, with conflicting stories about what kind of visitors he’s been permitted — though the UN Special Rapporteur for Privacy did visit him this week. Though I’ve asked some top experts, it’s not entirely clear whether, if he were being interrogated right now, that’d be under UK law or US law; the former has fewer protections against self-incrimination for people being detained.

One passage of the Mueller Report may provide an explanation for why his prosecutors didn’t obtain Julian Assange’s testimony.

The Office limited its pursuit of other witnesses and information-such as information known to attorneys or individuals claiming to be members of the media-in light of internal Department of Justice policies. See, e.g., Justice Manual §§ 9-13.400, 13.410.

Assange would fall squarely within DOJ policy covering people who are subjects or targets of an investigation for activities related to their news-gathering activities.

Member of the news media as subject or target. In matters in which a member of the Department determines that a member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the member of the Department requesting Attorney General authorization to use a subpoena, 2703(d) order, or 3123 order to obtain from a third party the communications records or business records of a member of the news media shall provide all facts necessary to a determination by the Attorney General regarding both whether the member of the news media is a subject or target of the investigation and whether to authorize the use of such subpoena or court order. 28 C.F.R. 50.10(c)(5)(i). If the Attorney General determines that the member of the news media is a subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities, the Attorney General’s determination should take into account the principles reflected in 28 C.F.R. 50.10(a), but need not take into account the considerations identified in 28 C.F.R. 50.10(c)(5)(ii) – (viii). Id. Members of the Department must consult with the PSEU regarding whether a member of the news media is a subject or target of an investigation related to an offense committed in the course of, or arising out of, newsgathering activities.

The EDVA case appears to have gotten over this policy (perhaps by distinguishing the assistance on cracking a password from newsgathering activities); but it’s not clear Mueller did (especially given the discussion of First Amendment considerations in passages relating to WikiLeaks). In any case, this calculus may change given that he’s in British, not US custody.

And there has been very little reporting on what’s going on with him — or with US investigations into him.

There are a number of investigations the government would love to get his testimony on, including:

Testimony against Joshua Schulte

Schulte is the accused Vault 7 leaker. WikiLeaks has been far less circumspect about the possibility he’s their source than with other leakers (while also engaging in far less of an effort to lay the case that he’s a whistleblower). Plus, the government has video evidence of Schulte attempting to leak classified information.

But thus far, Schulte’s prosecution has been slowed by CIA’s reluctance to share the classified information Schulte needs to defend himself. Plus, the FBI apparently bolloxed up the initial search warrants for Schulte (in what I suspect was a sloppy effort at parallel construction), which Schulte has been trying to win the ability to speak publicly about for over a year; he recently appealed a decision denying him a request to exempt those initial warrants from his protective order.

To the extent that Assange and Schulte (if he is really the Vault 7 source) communicated — and there’s good reason to believe WikiLeaks did communicate in advance of this publication — then Assange might be able to provide testimony that would get beyond the classification problems.

Testimony about the response to his pardon requests (including Roger Stone’s role in it)

I also believe that DOJ continues to investigate the long effort — an effort that includes Roger Stone, whom prosecutors say is still under investigation — in brokering a pardon for Assange, possibly in part for Assange providing disinformation about where the Democratic documents came from. Consider that, as recently as November, Mueller was trying to learn whether Trump had discussed pardoning Assange before his inauguration, a question about which Trump was especially contemptuous, even given his overall contempt for responding to questions.

Then there’s a subtle point I find really interesting. When the Mueller Report lays out all the times Don Jr magnified Russian trolls, it noted that the failson’s fondness for Russian propaganda continued after the election.

96 See, e.g., @DonaldJTrumpJr 10/26/16 Tweet (“RT @TEN_GOP: BREAKING Thousands of names changed on voter rolls in Indiana. Police investigating #VoterFraud. #DrainTheSwamp.”); @DonaldJTrumpJr 11/2/16 Tweet (“RT @TEN_GOP: BREAKING: #VoterFraud by counting tens of thousands of ineligible mail in Hillary votes being reported in Broward County, Florida.”); @DonaldJTrumpJr 11/8/16 Tweet CRT @TEN_GOP: This vet passed away last month before he could vote for Trump. Here he is in his #MAGA hat. #voted #ElectionDay.”). Trump Jr. retweeted additional @TEN_GOP content subsequent to the election.

[snip]

103 @DonaldJTrumpJr 11/7/16 Tweet (“RT @Pamela jetonc13. Detroit residents speak out against the failed policies of Obama, Hillary & democrats . . . . “) [my emphasis]

The page-long section (page 60) that lays out Don Jr’s innocuous pre-election interactions (which is how I described them when they were first published) does not, similarly, note the President’s son’s more damning interactions with WikiLeaks that took place after the election, where Assange once privately

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

And then publicly asked for an Ambassadorship that would amount to a pardon.

Given the thoroughness of the report, I find the silence about these exchanges to be notable.

Admittedly, one aspect of the pardon campaign implicates Assange far more than (at least given the public details) it does Trump: his seeming attempt at extortion using the CIA’s hacking tools. But that doesn’t mean the government wouldn’t like his testimony about the larger effort, and I have reason to suspect that is something they were pursuing via other channels as well.

WikiLeaks’ ongoing interactions with Russia

Finally, I’m sure the US government would be willing to give Assange some consideration if he offered to describe his interactions with Russia over the years. The most public aspect of that was the WikiLeaks effort to get Snowden safely out of Hong Kong, which ended unexpectedly in Russia. But there are also credible allegations WikiLeaks engaged in some catch-and-kill of damning documents, most publicly with an incriminating document from the Syria Files. Emma Best looks more closely at that incident in a longer profile of a Russian hacker, Maksym Igor Popov, who seemed to shift loyalties back and forth from the US to Russia even while cultivating Anonymous.

Simultaneously, Sabu, who had been boasting about an alleged breach of Iranian systems, pivoted to the then-pending Syria files. “We owned central syrian bank and got all their emails,” he told Popov. There were “a lot of scandals” in those emails. In the 2012 exchange, Popov is told about an alleged email revealing that Syria had secretly sent Russia billions of Euros. Sabu appears to confuse the amount, which was 2 billion, with an amount from a similar transfer involving an Austrian bank. Reporting by The Daily Dot implies that the two emails were often discussed in the same conversation, while also revealing that the email Sabu was describing to the alleged Russian contractor was omitted from WikiLeaks’ eventual release.

WikiLeaks responded to the reporting by claiming that they “either never had the data or [that it was] in some strange MIME format so it isn’t indexed,” and that the reporting was an attack on WikiLeaks that was meant “to help HRC.”

Popov was impressed by Sabu’s description of the Syria emails, though he briefly confused them with another, unspecified cache that Sabu hinted Popov helped release. “If you want real access to the emails, I can [give it to you],” Sabu offered. Popov responded ecstatically, saying he could use it to create disinformation and fabricate conspiracies. Undaunted by Popov’s intended use for the emails, Sabu said he’d “try to set it all up soon.”

This exchange occurred several months after WikiLeaks received the first batch of the Syria files and several weeks after WikiLeaks gave the LulzSec hackers private access to a search engine to help parse the Stratfor emails which the group had also provided to WikiLeaks.

19:16 <Sabu> though we did very well on syria.. we owned central syrian bank and got all their emails 19:16 <LoD> and Nepalese hack 19:16 <Sabu> a lot of scandals ... like syria sending russia 5 billion euros before civil unrest and when russia sent warsip to trait of whateves its called 19:16 <LoD> Ive actually checked it RESPECT syria gave me some things to mastermind my next operations those email accounts were of much help to improve our strategy 19:17 <LoD> i give you thumbs up 19:17 <Sabu> well we didn't realease it yet ... that was another small hack you released. if you want real access to emails I can ive you 19:17 <LoD> really? 19:17 <LoD> can you? 19:17 <LoD> man I WILL BE in DEBT 19:17 <LoD> I can utilize it in my release 19:18 <LoD> to create a conspiracy 19:18 <Sabu> ya I'll try to set it all up soon

If Popov acquired early access to the Syria files, it would have been the score of a lifetime, giving him an exclusive early inside look at corporations and governments. However, as any later logs of discussions between Popov and Sabu aren’t part of the leaked file, it’s unclear if Popov actually received early access to the Syria files.

Already by this time period in 2011, some former Anons were expressing concern that their operations were being facilitated by Russian infrastructure.

Some followers came to believe that the leaders sought only personal aggrandisement or were effectively in cahoots with the organised criminals who may have raided Sony’s credit-card hoard after Anonymous knocked down the door. Even stalwarts such as Housh are unhappy that much of Anonymous’s infrastructure is now housed on computers used by Russian criminals. “It’s not like the Russians wanted us to get HBGary, but I want to know personally why they are doing this,” he says of the chat hosts. “Where is the money coming from?”

To be sure: a tie with Anonymous is different than a tie directly with WikiLeaks, even if Anonymous was serving as one of WikiLeaks’ important source streams at the time. Further, Best notes that there’s no evidence in available files that Popov interacted directly with WikiLeaks — nor would there be, given the scope of the publicly available chat logs.

But, particularly given the allegations that Assange fed the Seth Rich hoax as part of an effort to deny that he knew he had gotten the Democratic files from Russia, I’m sure the US government would love to know from him about any ties between WikiLeaks and Russia.

Offering Assange a plea deal might be one way to close the book on WikiLeaks without the political controversy of a trial.

The question, of course, is whether Assange would take one. Admittedly, it’s highly unlikely.

Still, as noted, he repeatedly claimed he’d love to tell all if he could avoid prison altogether. But even in a best case scenario, he’s looking at a long extradition fight from Belmarsh in conditions that are reportedly pretty shitty. A plea deal might be one way to limit how much more time in custody he faces.

Which could bode poorly for people like Chelsea Manning, making significant sacrifices to protect Assange.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In Subpoenaing Chelsea Manning, the Government Picks a Likely Needless Fight with the Transparency Community Again

/30 Comments/in , , /by

I’m bumping this post from earlier in the week. After refusing to answer questions before the grand jury under a grant of immunity, the Judge in this matter, Claude Hilton, held Chelsea Manning in contempt. She has been booked into the Alexandria jail until she either answers the questions or the grand jury expires. 

Here’s an interview Manning did just before going in for her contempt hearing. 

As NYT first reported, a grand jury in EDVA has subpoenaed Chelsea Manning to testify. She has said she’ll fight the subpoena.

Ms. Manning, who provided a copy of the subpoena to The New York Times, said that her legal team would file a motion on Friday to quash it, arguing that it would violate her constitutional rights to force her to appear. She declined to say whether she would cooperate if that failed.

“Given what is going on, I am opposing this,” she said. “I want to be very forthright I have been subpoenaed. I don’t know the parameters of the subpoena apart from that I am expected to appear. I don’t know what I’m going to be asked.”

The WaPo adds details about a grand jury appearance last year by David House. Notably, he appears to have been asked about the Iraq and Afghan war logs, not the State department cables that have been more central to public reporting based off WikiLeaks releases.

Last July, computer expert David House, who befriended Manning in 2010 at a hacker space in Boston he founded, testified for 90 minutes before the grand jury. In an interview, House said he met the WikiLeaks founder in January 2011 while Assange was under house arrest at Ellingham Hall, a manor house 120 miles northeast of London. Assange was fighting an extradition request by Sweden, where he faced an inquiry into allegations of sexual assault.

Assange asked House to help run political operations for WikiLeaks in the United States. “Specifically, he wanted me to help achieve favorable press for Chelsea Manning,” he said.

House, who testified in exchange for immunity, said the grand jury was interested in his relationship with Assange. “They wanted full insight into WikiLeaks, what its goals were and why I was associated with it,” he said. “They wanted explanations of why certain things occurred and how they occurred. . . . It was all related to disclosures around the war logs.”

The WaPo also argues that Manning will have a tough time fighting this subpoena, which is probably right, though I’m not sure how her legal exposure works given the commutation. She may have a real basis to challenge the subpoena (or at least invoke the Fifth) based off a double jeopardy claim.

Setting aside the legal questions though, I think this subpoena raises real tactical ones. Unless the government believes they need to show a newly-understood pattern of behavior on the part of WikiLeaks dating to before the time Julian Assange took refuge in Ecuador’s embassy as part of a bid to boot him, I think this move is likely to backfire, even from the most hawkish government perspective.

Subpoenaing people for stuff that happened nine years ago, when WikiLeaks’ actions are more immediately suspect in the context of the Vault 7 releases, only makes sense if prosecutors are pursuing some new theory of criminal activity. Contra what Steve Vladeck says to the WaPo (that Assange’s charges last year may be about a 10 year statute of limitations tied to the Espionage Act), prosecutors may be pursuing a conspiracy charge that has continued to more recent years, of which the 2009 actions were the first overt acts (which would also toll the statutes of limitation).

But it’s not just the US government that appears to have a new understanding of WikiLeaks’ actions. So do people who have been involved with the organization over the years, particularly in the wake of WikiLeaks’ 2016 efforts to help Russia elect Donald Trump. The public reversals on supporting Assange from Xeni Jardin, Barrett Brown, and Emma Best have been accompanied by a whole lot of reporting (some of it obviously based on leaks of communications from other former insiders) that lay out activities that go beyond the passive receipt of public interest documents and subsequent publication of them. More will surely be coming.

What journalists and activists are presenting about WikiLeaks doesn’t necessarily get the government beyond a First Amendment defense — certainly not one that might put a lot of respectable investigative reporting at risk. But it does undermine Assange’s claims to be a mere publisher.

And unless there’s a really good legal reason for the government to pursue its own of evolving theory of WikiLeaks’ activities, it doesn’t make sense to rush where former WikiLeaks supporters are headed on their own. In virtually all venues, activists’ reversed understanding of WikiLeaks is bound to have more credibility (and almost certainly more nuanced understanding) than anything the government can offer. Indeed, that would likely be especially true, internationally, in discussions of Assange’s asylum claim.

A charge against Assange in conjunction with Vault 7 or the 2016 election operation might accelerate that process, without foreclosing the government’s opportunity to present any evolved understanding of WikiLeaks’ role in the future (especially if tied to conspiracy charges including the 2016 and 2017 activities).

But getting into a subpoena fight with Chelsea Manning is likely to have the opposite effect.

That’s true, in part, because post-commutation a lot of people worry about the impact renewed pressure from the government against Manning will have, regardless of the legal soundness of it. The government wanted Aaron Swartz to become an informant when they ratcheted up the pressure on him between 2011 and 2013. They didn’t get that information. And his suicide has become a key symbol of the reasons to distrust law enforcement and its ham-handed legal tactics.

There’s even good reason to believe history will likely eventually show that FBI’s use of Sabu as an informant likely didn’t get them what they thought they got. And it’s not just Sabu. It is my strong suspicion that we’ll eventually learn that at key moments, the known instincts and habits of the FBI were exploited just as badly as the good faith efforts of transparency activists, even before the Bureau’s bumbling efforts played the perhaps decisive  role in the 2016 election.

We’re at a moment when, amid rising tribalism, both federal law enforcement and the transparency community are actually reassessing. That reassessment is key to being less susceptible to exploitation, on both sides.

But ratcheting up the stakes, as a subpoena of Manning at this moment amounts to, will reverse that trend.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The Theory of Prosecution You Love for Julian Assange May Look Different When Applied to Jason Leopold

/75 Comments/in , , /by

The WaPo confirmed something Seamus Hughes disclosed last night: Sometime before August 22, EDVA had filed a sealed complaint (not indictment) against Julian Assange.

WikiLeaks founder Julian Assange has been charged under seal, prosecutors inadvertently revealed in a recently unsealed court filing — a development that could significantly advance the probe into Russian interference in the 2016 election and have major implications for those who publish government secrets.

The disclosure came in a filing in a case unrelated to Assange. Assistant U.S. Attorney Kellen S. Dwyer, urging a judge to keep the matter sealed, wrote that “due to the sophistication of the defendant and the publicity surrounding the case, no other procedure is likely to keep confidential the fact that Assange has been charged.” Later, Dwyer wrote the charges would “need to remain sealed until Assange is arrested.”

Dwyer is also assigned to the WikiLeaks case. People familiar with the matter said what Dwyer was disclosing was true, but unintentional.

The confirmation closely follows a WSJ story describing increased confidence that the US will succeed in extraditing Assange for trial.

The confirmation that Assange has been charged has set off a frenzy, both among Assange supporters who claim this proves their years of claims he was indicted back in 2011 and insisting that charging him now would amount to criminalizing journalism, and among so-called liberals attacking Assange lawyer Barry Pollack’s scolding of DOJ for breaking their own rules.

I’ve long been on record saying that I think most older theories of charging Assange would be very dangerous for journalism. More recently, though, I’ve noted that Assange’s actions with respect to Vault 7, which had original venue in EDVA where the Assange complaint was filed (accused leaker Joshua Schulte waived venue in his prosecution), go well beyond journalism. That said, I worry DOJ may have embraced a revised theory on Assange’s exposure that would have dire implications for other journalists, most urgently for Jason Leopold.

There are, roughly, four theories DOJ might use to charge Assange:

  • Receiving and publishing stolen information is illegal
  • Conspiring to release stolen information for maximal damage is illegal
  • Soliciting the theft of protected information is illegal
  • Using stolen weapons to extort the US government is illegal

Receiving and publishing stolen information is illegal

The first, theory is the one that Obama’s DOJ rejected, based on the recognition that it would expose NYT journalists to prosecution as well. I suspect the Trump Administration will have the same reservations with such a prosecution.

Conspiring to release stolen information for maximal damage is illegal

The second imagines that Assange would be charged for behavior noted in the GRU indictment — WikiLeaks’ solicitation, from someone using the persona of Guccifer 2.0, of material such that it would be maximally damaging to Hillary Clinton.

On or about June 22, 2016, Organization 1 sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” The Conspirators responded, “ok . . . i see.” Organization 1 explained, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

After failed attempts to transfer the stolen documents starting in late June 2016, on or about July 14, 2016, the Conspirators, posing as Guccifer 2.0, sent Organization 1 an email with an attachment titled “wk dnc link1.txt.gpg.” The Conspirators explained to Organization 1 that the encrypted file contained instructions on how to access an online archive of stolen DNC documents. On or about July 18, 2016, Organization 1 confirmed it had “the 1Gb or so archive” and would make a release of the stolen documents “this week.”

Significantly, WikiLeaks (but not Roger Stone) was referred to in the way an unidicted co-conspirator normally is, not named, but described in such a way to make its identity clear.

This is a closer call. There is a Supreme Court precedent protecting journalists who publish stolen newsworthy information. But it’s one already being challenged in civil suits in ways that have elicited a lot of debate. Prosecuting a journalist for trying to do maximal damage actually would criminalize a great deal of political journalism, starting with but not limited to Fox. Note that when the founders wrote the First Amendment, the norm was political journalism, not the so-called objective journalism we have now, so they certainly didn’t expect press protections to be limited to those trying to be fair to both sides.

Such a charge may depend on the degree to which the government can prove foreknowledge of the larger agreement with the Russians to damage Hillary, as well as the illegal procurement of information after WikiLeaks expressed an interest in information damaging Hillary.

Mueller might have evidence to support this (though there’s also evidence that WikiLeaks refused to publish a number of things co-conspirators leaked to them, including but not limited to the DCCC documents). The point is, we don’t know what the fact pattern on such a prosecution would look like, and how it would distinguish the actions from protected politically engaged journalism.

Soliciting the theft of protected information is illegal

Then there’s the scenario that Emma Best just hit on yesterday: that DOJ would prosecute Assange for soliciting hacks of specific targets. Best points to Assange’s close coordination with hackers going back to at least 2011 (ironically, but in a legally meaningless way, with FBI’s mole Sabu).

This is, in my opinion, a possible way DOJ would charge Assange that would be very dangerous. I’m particularly worried because of the way the DOJ charged Natalie Mayflower Edwards for leaking Suspicious Activity Reports to Jason Leopold. Edwards was charged with two crimes: Unauthorized Disclosure of Suspicious Activity Reports and Conspiracy to Make Unauthorized Disclosures of Suspicious Activity Reports (using the same Conspiracy charge that Mueller has been focused on).

In addition to describing BuzzFeed stories relying on SARs that Edwards saved to a flash drive by October 18, 2017 and then January 8, 2018, it describes a (probably Signal) conversation from September 2018 where Leopold — described in the manner used to describe unindicted co-conspirators — directed Edwards to conduct certain searches for material that ended up in an October story on Prevezon, a story published the day before Edwards was charged.

As noted above, the October 2018 Article regarded, among other things, Prevezon and the Investment Company. As recently as September 2018, EDWARDS and Reporter-1 engaged in the following conversation, via the Encrypted Application, in relevant part:

EDWARDS: I am not getting any hits on [the CEO of the Investment Company] do you have any idea what the association is if I had more information i could search in different areas

Reporter-1: If not on his name it would be [the Investment Company]. That’s the only other one [The CEO] is associated with Prevezon Well not associated His company is [the Investment Company]

Based upon my training and experience, my participation in the investigation, and my conversations with other law enforcement agents familiar with the investigation, I believe that in the above conversation, EDWARDS was explaining that she had performed searches of FinCEN records relating to Prevezon, at Reporter-l’s request, in order to supply SAR information for the October 2018 Article.

Edwards still has not been indicted, two weeks after her arraignment. That suggests it’s possible the government is trying to persuade her to plead and testify against Leopold in that conspiracy, thereby waiving indictment. The argument, in that case, would be that Leopold went beyond accepting stolen protected information, to soliciting the theft of the information.

This is the model a lot of people are embracing for an Assange prosecution, and it’s something that a lot of journalists not named Jason Leopold also do (arguably, it’s similar but probably more active than what James Rosen got dubbed a co-conspirator in the Stephen Jin-Woo Kim case).

Charging Leopold in a bunch of leaks pertaining to Russian targets would be a nice way (for DOJ, not for journalism) to limit any claim that just Assange was being targeted under such a theory. Indeed, it would placate Trump and would endanger efforts to report on what Mueller and Congress have been doing. Furthermore, it would be consistent with the aggressive approach to journalists reflected in the prosecution of James Wolfe for a bunch of leaks pertaining to Carter Page, which involved subpoenaing years of Ali Watkins’ call records.

In short, pursuing Leopold for a conspiracy to leak charge would be consistent with — and for DOJ, tactically advantageous — the theory under which most people want Assange charged.

Using stolen weapons to extort the US government is illegal

Finally, there’s the fourth possibility, and one I think is highly likely: charging Assange for his serial efforts to extort a pardon from the US government by threatening to release the Vault 7 (and ultimately, a single Vault 8 live malware) files.

This post shows how, starting in January 2017, Assange (and Oleg Deripaska) representative Adam Waldman was reaching out to top DOJ officials trying to negotiate a deal and using the release of the Vault 7 documents as leverage.

This post shows how, the second time Assange tweeted Don Jr asking for an Ambassadorship, he included a threatening reference to Vault 8, WikiLeaks’ name for the actual malware stolen and leaked from CIA, the first file from which Assange had released days earlier.

[B]ack in November 2017, some outlets began to publish a bunch of previously undisclosed DMs between Don Jr and Wikileaks. Most attention focused on Wikileaks providing Don Jr access to an anti-Trump site during the election. But I was most interested in Julian Assange’s December 16, 2016 “offer” to be Australian Ambassador to the US — basically a request for payback for his help getting Trump elected.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

In the wake of the releases, on November 14, 2017, Assange tweeted out a follow-up.

As I noted at the time, the offer included an implicit threat: by referencing “Vault 8,” the name Wikileaks had given to its sole release, on November 9, 2017 of an actual CIA exploit (as opposed to the documentation that Wikileaks had previously released), Assange was threatening to dump more hacking tools, as Shadow Brokers had done before it. Not long after, Ecuador gave Assange its first warning to stop meddling in other countries politics, explicitly pointing to his involvement in the Catalan referendum but also pointing to his tampering with other countries. That warning became an initial ban on visitors and Internet access in March of this year followed by a more formal one on May 10, 2018 that remains in place.

Notably, Ecuador may have warned Assange back then to stop releasing America’s malware from their Embassy; those warnings have laid the groundwork for the rigid gag rules recently imposed on Assange on risk of losing asylum.

Immediately after this exchange, accused Vault 7/8 leaker Joshua Schulte had some Tor accesses which led to him losing bail. They didn’t, however, lead BOP to take away his multiple devices (!?!?!). Which means that when they raided his jail cell on or around October 1, they found a bunch of devices and his activity from 13 email and social media accounts. Importantly, DOJ claims they also obtained video evidence of Schulte continuing his efforts to leak classified information.

The announcement of that raid, and the additional charges against Schulte, coincided with a period of increased silence from WikiLeaks, broken only by last night’s response to the confirmation Assange had been charged.

I think it possible and journalistically safe to go after Assange for releasing stolen weapons to extort a criminal pardon. But most of the other theories of prosecuting Assange would also pose real risks for other journalists that those rooting for an Assange prosecution appreciate and rely on.

As I disclosed in July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The MalwareTech Case Resets to Zero: A Dialogue Wherein the Government Repeats “YouTube” Over and Over

/2 Comments/in /by

Yesterday, the government responded to Marcus Hutchins (MalwareTech)’s renewed challenges, submitted two weeks ago, to the superseding indictment the government used to replace its previous crappy-ass indictment and thereby set the motions process almost back to zero. Here’s my abbreviated summary of what Hutchins argues in the renewed motions, with the government response.

1) Motion for a Bill of Particulars with respect to CFAA charges

Hutchins: Name the 10 or more protected computers I allegedly damaged and the damage I did, because recording and exfiltrating data is not damaging a computer. Also, name the computers I allegedly tried to access without authorization.

Government: We’re going to revert to the outdated definition of malware the Seventh Circuit has already rejected to claim it is damage. Also, we’re going to pretend we used the word intent where you keep nagging us for not doing so.

2) Challenge to Seventh Count (CFAA)

Hutchins: You’ve rewritten the CFAA language, “[K]nowingly cause[] the transmission of a program, information and command, and as a result of such conduct, intentionally cause[] damage without authorization, to a protected computer[.],” but not included the intentionality language.

Government: Correct! We’ve simply replaced the word “intentionally” with “attempted,” so it’s all good.

[A]n attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” (emphasis added) Because Count Seven is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” (which Hutchins believes to be necessary) would be unnecessary and redundant. See United States v. Rutherford, 54 F.3d 370, 373 (7th Cir. 1995) (stating attempts are intentional acts; and under common law, “an attempt includes the specific intent to commit an unlawful act”).

emptywheel: There are some cases where the government succeeded in convicting people of CFAA without the charged person causing the damage himself, but I’d have to look closer to see if this will fly under Seventh Circuit precedents.

3) Motion to dismiss the whole damn indictment

Hutchins: There was no damage in the damage charges, no wiretapping device in the wiretapping charges, nor did Marcus advertise any such device, and laying out how MalwareTech writes blog posts analyzing malware does not mean he advertised a wiretapping device.

The superseding indictment states that Mr. Hutchins “hacked control panels” associated with a so-called competing malware called Phase Bot and wrote a blog post about it. (First Superseding Indictment ¶ 4(h).) It does not appear that this allegation alone is the basis of any count, as Mr. Hutchins would presumably be charged with a direct—rather than inchoate—violation of § 1030(a)(2)(C) if that were the case. To the extent it is a basis for any count, however, the defense notes that analyzing malware is, in fact, what Mr. Hutchins does professionally. In total, Mr. Hutchins wrote a total of three lengthy blog posts to educate the public about Phase Bot’s structure and functionality. These blog posts were based on Mr. Hutchins’ analysis of Phase Bot installed on his own computers. Any attempt to punish or interfere with Mr. Hutchins’ lawful security research and publishing activities would, of course, violate his First Amendment rights.

Government: We’re going to define malware however we damn well please, even if we have to use a British dictionary rather than the American one the Seventh Circuit uses to throw a Brit in the pokey. Hell, we’re willing to play word games with four different reference books if we need to! But if you use a dictionary to argue the law means what the law says, then you’re cheating.

Therefore, the Court should resist Hutchins’s attempt to limit the scope of sections 2511 and 2512 based on a definition found in one online dictionary; or because “malware” or “spyware” or “software” is not specifically listed in the definition of “electronic, mechanical, or other device.” The reference to “any device or apparatus” is written broadly in order to capture changes in technology.

Also, because Hutchins’ co-conspirator showed a video of malware operating on a computer and both talked about malware operating on a computer in forums, that turns the malware into a device! Presto!

4) Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States

Hutchins: “A foreign defendant like Mr. Hutchins is not subject to the jurisdiction of the United States merely because someone else posted a video on the Internet.” And “to the extent that Mr. Hutchins and Individual B interacted while Individual B was purportedly in the United States, that circumstance cannot, as the first superseding indictment tries to do, subject Mr. Hutchins’ alleged dealings with Individual A to domestic prosecution.”

Government: So what if Congress didn’t intend wiretapping to apply extraterritorially? There’s a YouTube! Also, you’re being hypertechnical by arguing Congress’ intent in passing a law. Besides, that was so long ago!

[B]ecause the conduct charged in Counts Two and Three occurred in the U.S. there is no extraterritorial application of U.S. law to foreign conduct. This is true even if Hutchins and Individual A were abroad when the conduct occurred in the U.S.

Also, there’s a YouTube!

emptywheel: One interesting aspect of the government’s desperate attempt to claim the actions of two people outside of the US took place in the US is that the malware in question was sold on location obscuring sites, Darkode and AlphaBay. That doesn’t change that an officer in Easter (as the government calls it at least twice) District of WI bought the malware in WI. But it will do interesting things to the government’s claim that Hutchins and VinnyK “directed” such sales at the US. It all seems to come down to the YouTube.

5) Motion to compel the identity of Randy

Hutchins: In order to shore up your dodgy indictment, you’ve made Randy into an uncharged co-conspirator. Now you really have to give us his ID.

Government: Sure, sure, we’ve included Randy in overt acts to get around the fact that Randy, but not you, intended to steal data so we can argue you’re guilty. But that doesn’t change his role in the investigation. You’re just using a local rule against us. Plus, you were mean to Sabu once on Twitter so obviously you just want to call for reprisal against Randy.

emptywheel: As far as I know MalwareTech has not called for reprisal against me for cooperating with the government against a cybercriminal. Maybe he’s just opposed to cybercriminals blaming others for their own crimes, as Randy appears to have done?

More seriously, I’m going to pull out two more things.

First, here’s some language from the government response in 4 that pretty much sums up their argument.

Second, Hutchins misunderstands the nature of the charges in Count One and Seven and the government’s burden at trial. Conspiracy punishes an illegal agreement. United States v. Read, 658 F.2d 1225, 1240 (7th Cir. 1981) (describing liability for a conspiracy and mail fraud). And it is well established that under conspiracy law, the object of the conspiracy does not need to be achieved for liability to attach. United States v. Donner, 497 F.2d 184, 190 (7th Cir. 1974). Therefore, the government only needs to prove Hutchins conspired to damage computers, not the actual damage he intended.

The same is true for Count Seven. An attempt is a substantial step towards completing the crime with the intent to complete the crime. United States v. Sanchez, 615 F.3d 836, 843-44 (7th Cir. 2010). As with Count One, the government does not have a burden to prove damage; only an attempt to damage.

What the government has done has charged crimes that permit Hutchins to be held liable for criminal acts his co-conspirator maybe possibly intended, even though it’s not clear he had the same intent as his co-conspirator, even if neither had the intent to facilitate wiretapping or damage to computers (depending on what dictionary you use). I make light above, but this is a very powerful aspect of US law, and it shouldn’t be dismissed outright.

Finally, the only place either side addresses false statements (one of the two new charges that’s not just smearing old charges more thinly and using the part of CFAA they should have charged under in the first place, the other being wire fraud) is in argument 4. Hutchins says that because everything else is bunk there are not false statements that can be charged.

If the Court grants this motion as to Counts One Through Eight and Ten, it should also dismiss Count Nine. That count charges a violation of 18 U.S.C. § 1001 and flows from an allegedly false statement Mr. Hutchins made to law enforcement during a post-arrest interrogation focusing on the conduct charged in the broader indictment. Section 1001 is violated only when a false statement is made about a “matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States.” 18 U.S.C. § 1001(a). This motion asserts a lack of domestic jurisdiction over the alleged offenses such that any false statement made by Mr. Hutchins about those offenses is not subject to prosecution under § 1001.

The government (predictably) doesn’t agree. It says jurisdiction doesn’t matter, what matters is that the FBI was investigating.

In this case, the FBI was conducting a criminal investigation which falls within the meaning of “any matter” as used in 18 U.S.C. § 1001. United States v. Rogers, 466 U.S. 475, 476-484 (1984); see also 28 U.S.C. § 533; 28 C.F.R. § 0.85. Additionally, the term “jurisdiction” as used in section 1001 “merely differentiates the official, authorized functions of an agency or department from matters peripheral to the business of that body.” United States v. Rogers, 466 U.S. 475, 476- 484 (1984). Therefore, even if all the other counts of the superseding indictment were dismissed, Count Nine would survive. Hutchins’s motion should therefore be denied.

I fear this argument might well work: that because the FBI was investigating something mostly in a poorly executed attempt to strand Hutchins here so they could make him inform on others, he can be charged with false statements. That’s crazy. But that’s also the way false statements may work.

All of which is to say, a great deal of the government’s argument boils down to, “YouTube! Try this dictionary! YouTube! Or maybe this dictionary! YouTube!” But that doesn’t mean it won’t all work.

Did Wikileaks Do US Intelligence Bidding in Publishing the Syria Files?

/34 Comments/in , /by

Consider this nutty data point: between CNN’s Reliable Sources and NBC’s Meet the Press, Julian Assange was on more Sunday shows today than John McCain, with two TV appearances earlier this week.

Sadly, even in discussions of the potential that the DNC hack-plus-publication amounts to tampering with US elections, few seem to understand that evidence at least suggests that Wikileaks — not its allegedly Russian source — determined the timing of the release to coincide with the Democratic National Convention. Guccifer 2, at least, was aiming to get files out earlier than Wikileaks dumped them. So if someone is tampering, it is Julian Assange who, I’ve noted, has his own long-standing gripes with Hillary Clinton (though he disclaims any interest in doing her harm). If his source is Russia, that may just mean they had mutual interest in the publication of the files; but Assange claims to have determined the timing.

Since Wikileak’s role in the leak has been downplayed even as Assange has made the media rounds, since the nation’s spooks claim that publishing these documents is what makes it different, I want to consider this exchange Assange had with Chuck Todd:

CHUCK TODD:

All right. Let me ask you this. Do you, without revealing your source on this, do you accept information and leaked documents from foreign governments?

JULIAN ASSANGE:

Well, our publishing model means that what we publish is guaranteed to be true. That’s what we’re concerned about. That’s what our readers are concerned about. That’s the right of the general public, to not–

[snip]

CHUCK TODD:

Does that not trouble you at all, if a foreign government is trying to meddle in the affairs of another foreign government?

JULIAN ASSANGE:

Well, it’s an interesting speculative question that’s for the press and others to perhaps–

CHUCK TODD:

That doesn’t bother you? That is not part of the WikiLeaks credo?

JULIAN ASSANGE:

Well, it’s a meta story. If you’re asking would we accept information from U.S. intelligence that we had verified to be completely accurate, and would we publish that, and would we protect our sources in U.S. intelligence, the answer is yes, of course we would. [my emphasis]

Sure, at one level this is typical Assange redirection. When Todd asked if he’d accept files from Russia, Assange instead answered that he would accept them from the United States.

But it may not be so farcical as it seems. Consider the case of the Syria Files Wikileaks posted in spring 2012, at the beginning of the time the US was engaging in covert operations in Syria. They contained embarrassing information on Bashar al-Assad, his wife, and close associates, as well as documents implicating western companies that had facilitated Assad’s repression. Even at the time, people asked if the files were a western intelligence pys-op, though they were explicitly sourced to various factions of Anonymous. Then, between Jeremy Hammond and Sabu’s sentencing processes, it became clear that in January 2012, the latter identified targets for Anonymous hackers, targets that include the Syrian government.

An informant working for the F.B.I. coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks.

Exploiting a vulnerability in a popular web hosting software, the informant directed at least one hacker to extract vast amounts of data — from bank records to login information — from the government servers of a number of countries and upload it to a server monitored by the F.B.I., according to court statements.

[snip]

The sentencing statement also said that Mr. Monsegur directed other hackers to give him extensive amounts of data from Syrian government websites, including banks and ministries of the government of President Bashar al-Assad. “The F.B.I. took advantage of hackers who wanted to help support the Syrian people against the Assad regime, who instead unwittingly provided the U.S. government access to Syrian systems,” the statement said.

What’s not known (as multiple reports say is still not known about the DNC hack) is whether the specific files the Sabu-directed Anonymous hackers obtained were the same ones that Wikileaks came to publish, though the timing certainly works out. It’s a very distinct possibility. In which case Assange’s comment may be more than redirection, but instead a reminder that Wikileaks has played the analogous role in US-directed hack-and-publish operation, one designed to damage Assad and his western allies. If those documents did ultimately come via FBI direction of Sabu, then Assange might be warning US spooks that their own similar actions could be exposed if he were asked to reveal more about any Russian role in the DNC hack.

Who Brought Key Al Qaeda Forums Down?

/1 Comment/in , , /by

A number of al Qaeda’s online jihadist forums have gone down for extended periods.

Al-Qaeda’s main Internet forums have been offline for more than a week in what experts say is the longest sustained outage of the Web sites since they began operating eight years ago.

No one has publicly asserted responsibility for disabling the sites, but the breadth and the duration of the outages have prompted some experts to conclude that the forums have been taken down in a cyberattack — launched perhaps by a government, a government-backed organization or a hackers’ group.

US Cyber Command denied to the WaPo that it–or other US government agencies–were responsible.

There is still some uncertainty about whether a cyberattack caused the recent outages, and skeptics note that some prominent al-Qaeda forums remain online. U.S. government agencies, including U.S. Cyber Command, had no role in the outages, according to officials who would speak about the issue only on the condition of anonymity.

Still, Will McCants, a former State Department

Whereas government sources CNN contacted (Barbara Starr, CNN’s resident DOD mouthpiece, is bylined) declined to comment.

No entity has claimed responsibility and U.S. officials contacted by CNN would not comment.

Ssort of.

A U.S. official said the United States has been aware of the al Qaeda websites being down and finds it “of interest to us.”

But the WaPo also describes our government using foreign government assistance in the past.

In the past, U.S. officials have also relied on diplomatic channels to dismantle extremist sites that are viewed as a threat to American personnel or interests, according to former U.S. officials familiar with the episodes.

The approach has worked in more than a dozen cases and in each instance was backed by at least the implicit threat of a cyberattack by the U.S. military if the Web site’s host country failed to act, the officials said. The countries that cooperated were in Europe, the Persian Gulf and the Pacific, they said.

“We’ve never had a country refuse us,” said James Cartwright, the former vice chairman of the Joint Chiefs of Staff, speaking at a U.S. China Economic and Security Review Commission hearing at George Mason University last week. “But if they did, then you can invoke the right of self-defense.”

It reports the sites in question are hosted in Malaysia, Costa Rica and Gaza.

Meanwhile, Will McCants suggests to CNN that the outage may be related to Spain’s arrest of alleged Al Qaeda propagandist Mudhar Hussein Almalki

Zelin speculated the outage could be tied to the recent arrest of Mudhar Hussein Almalki in Spain. Almalki maintained the Ansar al-Mujahidin Forum, according to a Spanish police document provided to CNN. The police document alleges Almalki ran the site and oversaw who could access it, spread information to jihadists and maintained private chat rooms to “carry out meetings with others to give out instructions,” according to a translation of the document.

Read more

Spooky AssadLeaks: The Provenance of the Emails

/20 Comments/in , , /by

As I wrote in this post, I got interested in the provenance of a set of leaked Bashar al-Assad emails largely because of the way in which two of them were used to suggest, dubiously, Nir Rosen was an Assad agent.

The Guardian and Al Arabiya have both offered posts describing, in part, how they came by the emails, with the Guardian’s offering more details. The short version is:

March 15, 2011: Uprising escalates in Daraa.

Late March: “a young government worker in Damascus” handed off a slip of paper to a friend. The paper had four codes (plus or including the two email addresses, the Guardian is not clear) that would provide access to personal email accounts of Bashar al-Assad and his wife Asma. The friend was apparently supposed to pass them onto “a small group of exiled Syrians who would know what to do with them.”

June: “Two Syrian professionals in a Gulf state” obtain the emails. The Guardian doesn’t explain whether they were the original intended recipients, nor does it explain the delay. Though it does include a blurb describing their sudden awakening to politics that makes it clear the Guardian has spoken to at least one of the activists and replicated their self-narrative uncritically.

The uprising in the southern Syrian city of Deraa on 15 March had empowered them, as it had hundreds of thousands of others in the totalitarian state. They were now determined to do what they could to bring an end to more than four decades of rule by the Assad clan.

“It was clear who we were dealing with,” said one of the activists. “This was the president and his wife. There was no doubt.”

August 6: Sabu solicits Syrian MOD hacker to “disrupt govt communication systems.”

June to December: The emails are used with increasing frequency over time; Assad appears to build a PR strategy using them.

January: Anonymous (which had been infiltrated by the FBI since at least June, the same month the Syrian activists purportedly got the email codes) hacks Bashar al-Assad’s servers, accessing 78 different email accounts.

February 7: Anonymous releases the Assad emails which were published by Ha-aretz, claims the password was 12345. These are, at least in part, the very same emails being released today. Assad’s brother-in-law Firas al-Akhras emails him to tell him the inbox of the Ministry of Presidential Affairs had been leaked. All the emails are shut down.

March 15, 2012: The emails published.

In their narratives, neither the Guardian nor al Arabiya note that the FBI had been running Sabu since last June, precisely the same month the “activists” reportedly got the “secret codes” (12345?) that would allow them to access the Assad emails.

Now there are plenty of questions I have about this: Who was the mole, how did he or she get this information, who was the friend, what caused the 3-month delay. All of those questions, of course, are particularly interesting giving the coincidence of timing with the Sabu recruitment.

And why release these emails now? Just because of the one-year anniversary of Daraa, and the other events planned for the day?

Suffice it to say it feels a lot like outside entities–aside from whatever professionals-turned-activists purportedly monitored these accounts–were involved.

With that feeling in mind, two more details worth noting. First, al Arabiya’s story on how they got the emails focuses instead on what they didn’t publish: a bunch of “scandalous emails.”

Hundreds of “scandalous” emails were accordingly deleted by Al Arabiya.

By comparison, the Guardian said only it didn’t publish personal emails. Both sources, however, want people–perhaps including Assad?–to know that there were more emails that may be out there.

The other thing I find interesting is the detail the Guardian pays to Assad’s email habits.

[The Syrian activists in the Gulf state] soon noticed differences in the way the couple used their email accounts. “We had to be quick with Bashar’s emails,” one of the activists said. “He would delete most as soon as they arrived in his inbox, whereas his wife wouldn’t. So as soon as they went from unread to read we had to get them fast.”

Deleting emails as soon as they arrive shows a degree of awareness of web security. So too did the fact that Assad never attached his name or initials to any of the emails he sent. However, many of the emails that arrived in his inbox are addressed to him as president and contain intimate details of events and discussions that were not known outside of the inner sanctum and would have been very difficult to manipulate.

Even before I remembered that the same guy the Guardian claims was showing some web security used “12345” as his password, this entire passage sounded bogus, more like a way to provide cover for some other means to collect these emails that don’t involve more sophisticated wiretapping of packets, as opposed to email in-boxes.

But once you remember this is a guy who reportedly used “12345” as his password, then the entire claim Assad was practicing good security becomes laughable. Which makes this entire passage suspect.

There are two stories of how Bashar al-Assad got his emails hacked in the last year. In one version, Syrian activists managed to spy on their dictator in real time and are presumably releasing emails that lack a smoking gun (but did include “scandalous” emails) as a sort of anniversary present for Assad. The other story involves the FBI flipping at least one hacker and having him continue to hack at their command.

Or maybe there’s just one, far more intriguing story.

So It Was the FBI Threatening to Take Down the Internet, Then?

/8 Comments/in , /by

As soon as the news came out today that Sabu, the head of LulzSec, offered an FBI computer to facilitate the publication of Stratfor (no doubt set up a LulzSec-assisted indictment of Julian Assange in the future)…

Hector Xavier Monsegur, an unemployed 28-year-old Puerto Rican living in New York, was unmasked as “Sabu”, the leader of the LulzSec hacking group that has been behind a wave of cyber raids against American corporations including Rupert Murdoch’s News Corporation, the intelligence consultancy Stratfor, British and American law enforcement bodies, and the Irish political party Fine Gael.

[snip]

In a US court document, the FBI’s informant – there described as CW – “acting under the direction of the FBI” helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK’s Serious and Organised Crime Agency in February.

Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.

A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

…I though back to the threat Anonymous made to TAKE DOWN THE ENTIRE INTERNET!!! Which of course made more sense understood as a ploy to help fear monger than an actual threat from actual terrorists.

Was it the FBI making such threats?

Which makes this conversation Sabu had just two weeks before he was indicted all the more interesting.

<SABU> You just said there was a claim that I may be a terrorist. You “researched” it and wrote the article

<SABU> There re claims I am with the CIA pushing to get tighter / stricter cyber-laws passed

<SABU> its literally the same shit, two different extremes.

[snip]

<SABU> The people are aware that our governments in the UK and the US have involved themselves in black operations in the past. it makes a lot of sense if lets say a rogue group of hackers suddenly began attaking national interests — spawning a massive overhaul of internet security, theoretically.

Read more