New Right Hook: Mike Flynn Lied When He Admitted to a Judge He Lied to the FBI

Apparently, the latest Grassley-Graham effort to spin a very understandable reaction to the discovery that the incoming National Security Advisor might be compromised by Russia — to have a meeting about whether that requires a change in the government’s investigative approach and then memorialize the meeting — as a Christopher Steele plot is not an isolated event. To accompany the Grassley-Graham effort to obscure, the right wing is now seeing a conspiracy, best captured in this Byron York piece with follow-ups elsewhere, in Mike Flynn’s guilty plea.

At issue is leaked March 2017 testimony from Jim Comey (in a piece complaining about the leak of Flynn’s FISA intercepts) that the FBI agents who interviewed Flynn on January 24, 2017 believed any inaccuracies in Flynn’s interview with the FBI were unintentional.

In March 2017, then-FBI Director James Comey briefed a number of Capitol Hill lawmakers on the Trump-Russia investigation.


According to two sources familiar with the meetings, Comey told lawmakers that the FBI agents who interviewed Flynn did not believe that Flynn had lied to them, or that any inaccuracies in his answers were intentional. As a result, some of those in attendance came away with the impression that Flynn would not be charged with a crime pertaining to the Jan. 24 interview.

From that, York spins out a slew of laughable claims: Mike Flynn would have no reason to address the FBI amid swirling coverage of lies about Russian ties! The Deputy Attorney General “sends” FBI agents to conduct interviews! DOJ “effectively gave” Jim Comey authority to decide Hillary’s fate but then fired him for usurping that authority! They lead up to York’s theory that DOJ may have overridden the FBI agents in forcing Flynn to sign a plea admitting he made false statements.

It could be that the FBI agents who did the questioning were overruled by Justice Department officials who came up with theories like Flynn’s alleged violation of the Logan Act or his alleged vulnerability to blackmail.


To some Republicans, it appears the Justice Department used a never-enforced law and a convoluted theory as a pretext to question Flynn — and then, when FBI questioners came away believing Flynn had not lied to them, forged ahead with a false-statements prosecution anyway. The Flynn matter is at the very heart of the Trump-Russia affair, and there is still a lot to learn about it.

Along the way, York feigns apparent ignorance of everything he knows about how criminal investigations work.

For example, York pretends to be unaware of all the pieces of evidence that have surfaced since that time that have changed the context of Flynn’s January 24 interview. There’s the weird dinner Trump invited Comey to on January 27, a day after Sally Yates first raised concerns about the interview with White House Counsel Don McGahn, where Trump told Comey “I need loyalty, I expect loyalty.” There’s the more troubling meeting on February 14, where (after asserting that Flynn had indeed lied to Mike Pence) Trump asked Comey to drop the Flynn investigation.

He repeated that Flynn hadn’t done anything wrong on his calls with the Russians, but had misled the Vice President. He then said, “I hope you can see your way clear to letting this go, to letting Flynn go. He is a good guy. I hope you can let this go.”

There’s the March 30 phone call in which the President complained about the “cloud” of the Russian investigation. There’s the April 11 phone call where the President complained about that “cloud” again, and asked for public exoneration. There’s the newly reported Don McGahn call following that conversation, to Dana Boente asking for public exoneration. There’s Comey’s May 9 firing, just in time for Trump to tell Russians on May 10 that firing that “nut job” relieved pressure on him. There’s the letter Trump drafted with Stephen Miller’s help that made it clear Comey was being fired because of the Russian investigation.

Already by the time of Comey’s firing, the White House claim that Mike Flynn got fired because he lied to Mike Pence about his conversations with Sergey Kislyak was falling apart.

Then, in August, the Mueller team obtained the transition emails that transition lawyers had withheld from congressional requests (and therefore from Mueller), including those of Flynn himself, Jared Kushner, and KT McFarland. The transition would go on to squawk that these emails, which didn’t include Trump and dated to before Trump became President, were subject to executive privilege, alerting Mueller that the emails would have been withheld because the emails (some sent from Mar-A-Lago) reflected the involvement of Trump. Not to mention that the emails tied conversations about Russia to the “thrown election.”

Then there’s Jared Kushner’s interview with Mueller’s team in the weeks before Mike Flynn decided to plead guilty. At it, prosecutors asked Jared if he had any information that might exculpate Flynn.

One source said the nature of this conversation was principally to make sure Kushner doesn’t have information that exonerates Flynn.

There were reports that Flynn felt like he had been sold out just before he flipped, and I would bet this is part of the reason why. In addition to instructions regarding the sanction calls with Kislyak, which were directed by KT McFarland, Flynn’s statement of offense describes someone we know to be Kushner directing Flynn to call countries, including Russia, to try to persuade them to avoid a vote on Israeli West Bank settlements.

On or about December 22, 2016, a very senior member of the Presidential Transition Team directed FLYNN to contact officials from foreign governments, including Russia, to learn where each government stood on the resolution and to influence those governments to delay the vote or defeat the resolution.

Granted, Mueller’s team didn’t make the point of the lies as obvious as they did with the George Papadopoulos plea, where they made clear Papadopoulos lied to hide that he learned of the “dirt” on Hillary in the form of emails after he started on the campaign and whether he told the campaign about those emails (not to mention that he had contacts with Ivan Timofeev).

Mueller’s not telling us why Flynn’s lies came to have more significance as Mueller collected more and more evidence.

But what they make clear is that the significance of Flynn’s lies was not, as it first appeared, that he was trying to hide the subject of the calls from Mike Pence. I mean, maybe he did lie to Pence about those calls. But discussions about how to work with the Russians were not secret; they included at least Kushner, McFarland, Tom Bossert, Reince Priebus, Steve Bannon, and Sean Spicer. Some of those conversations happened with McFarland emailing while at Mar-A-Lago with the President-Elect.

So given the weight of the evidence collected since, Flynn’s lies now appear neither an effort to avoid incriminating himself on Logan Act charges, nor an effort to cover up a lie he told others in the White House, but the opposite. His lies appear to have hidden how broadly held the Russian discussions were within the transition team, not to mention that he was ordered to make the requests he did, possibly by people relaying orders from Trump, rather than doing them on his own.

That, by itself, doesn’t make the Flynn conversations (as distinct from the lies) illegal. But it means Trump went to great lengths to try to prevent Flynn from suffering any consequences for lying to hide the degree to which negotiations with Russia during the transition period were the official policy of the Trump team. And when Trump (or rather, his son-in-law) stopped protecting Flynn on that point, Flynn decided to admit to a judge that he had been knowingly lying.

It doesn’t take a conspiracy to realize that the FBI Agents who interviewed Flynn in January had none of the evidence since made available largely because Trump tried so hard to protect Flynn that he fired his FBI Director over it. It takes looking at the evidence, which makes it clear why those false statements looked very different as it became clear Flynn, after acting on Trump transition team instructions, got sold out as other senior Trump officials started trying to protect themselves.

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.


[I]t’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper [said] last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.


[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

| Word | Type of error | Correct analogue |
| --- | --- | --- |
| “ustanavlivat” | omitted sign at the end, verb tense error | “ustanovit'” or “ustanoviti” |
| “poluchit” | omitted sign at the end | “poluchit'” or “poluchiti” |
| “pereslat” | omitted sign at the end | “pereslat'” or “pereslati” |
| “derzhat” | omitted sign at the end | “derzhat'” or “derzhati” |
| “vykhodit” | omitted sign at the end, verb tense error | “vyiti” |

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect” were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.


Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

| Transliterated Russian words used in AS | Translated from Russian |
| --- | --- |
| Podgotovkaskotiny | Preparation of farm animals |
| geigeigei3raza | Hey, hey, hey 3 times |
| chainik | Dummy (a stupid person) |
| chainikaddress | Dummy’s address |
| poishemdatu | Let’s search for data |
| poiskvpro | Searching in ‘pro’ |
| vyzov_chainika | Calling the dummy (a stupid person) |
| daiadreschainika | Get address of the dummy |
| runskotina | Execute farm animals |
| babaLEna | Old woman Lena |

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

    private function put_dummy_args(param1:*) : *
    {
        return,param1);
    }
    private function vyzov_chainika() : *
    {
        return;
    }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).
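The tells BAE describes (a trailing soft sign dropped from transliterated infinitives, the wrong verb aspect, and digit-joined compounds like “kliyent2podklyuchit”) are the sort of thing an analyst can turn into a repeatable triage check rather than an eyeball judgment. The script below is an added example written for this post, not BAE’s tooling or code from the report; its lexicon of correct transliterations is a constructed table seeded from the quoted findings, and the sample source it scans is likewise constructed. It flags suspicious identifiers and says why, which is exactly the kind of evidence that should be weighed as a possible false flag, not as an attribution on its own.

```python
"""Heuristic check for "machine-translated Russian" identifiers in code.

Added example, not part of the quoted BAE report. The lexicons are the
analyst's own (constructed from the report's table) and are assumptions;
a real deployment would extend them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Correctly transliterated infinitives. The trailing apostrophe stands for the
# Cyrillic soft sign that online translators tend to drop on transliteration.
CORRECT = {"ustanovit'", "poluchit'", "pereslat'", "derzhat'", "vyiti", "podklyuchit'"}

# Imperfective forms an online translator emits where the perfective is
# expected (the "verb tense error" in the quoted table), mapped to the
# expected form. Constructed lexicon, assumption.
ASPECT_ERRORS = {"ustanavlivat'": "ustanovit'", "vykhodit'": "vyiti"}

# word<digit>word shapes such as "kliyent2podklyuchit" (from "client2connect").
DIGIT_JOIN = re.compile(r"^([a-z]+)(\d)([a-z]+)$")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


@dataclass
class Finding:
    token: str
    issues: List[str] = field(default_factory=list)
    expected: Optional[str] = None  # the form a native speaker would write


def analyze_token(token: str) -> Finding:
    """Classify one identifier against the false-flag tells."""
    t = token.lower()
    finding = Finding(token=token)

    m = DIGIT_JOIN.match(t)
    if m:
        finding.issues.append("digit-joined compound")
        # The part after the digit is the verb; check it on its own.
        sub = analyze_token(m.group(3))
        finding.issues.extend(sub.issues)
        finding.expected = sub.expected
        return finding

    if t in CORRECT:
        return finding  # nothing suspicious
    if t in ASPECT_ERRORS:
        finding.issues.append("verb aspect error")
        finding.expected = ASPECT_ERRORS[t]
        return finding

    # The main tell from the table: infinitive with the soft sign omitted.
    with_sign = t + "'"
    if with_sign in CORRECT:
        finding.issues.append("omitted soft sign")
        finding.expected = with_sign
    elif with_sign in ASPECT_ERRORS:
        finding.issues.append("omitted soft sign")
        finding.issues.append("verb aspect error")
        finding.expected = ASPECT_ERRORS[with_sign]
    return finding


def scan_identifiers(source: str) -> List[Finding]:
    """Return the identifiers in `source` that trip at least one heuristic."""
    seen = set()
    findings = []
    for ident in IDENT.findall(source):
        if ident in seen:
            continue
        seen.add(ident)
        f = analyze_token(ident)
        if f.issues:
            findings.append(f)
    return findings


# Constructed sample resembling the bot command list and ActionScript quoted
# in the post; not the actual malware source.
SAMPLE = """
// constructed sample resembling the bot commands quoted in the post
cmd_table = [ustanavlivat, poluchit, pereslat, derzhat, vykhodit, kliyent2podklyuchit]
private function vyzov_chainika() {}
"""

if __name__ == "__main__":
    for f in scan_identifiers(SAMPLE):
        print(f"{f.token}: {', '.join(f.issues)} (expected {f.expected})")
```

Running the script lists each flagged identifier with the reason, e.g. `ustanavlivat: omitted soft sign, verb aspect error (expected ustanovit')`. Identifiers that are merely odd in context (the "chainik"/"farm animals" family in the second table) are not caught by this check; that judgment still needs a reader who knows the language, which is the point the report makes.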

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.


[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.


[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides one explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action last week against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized the exploit and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Equities Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind–let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not broke yet, though! When Bossert again gets asked whether WannaCry was based off a US tool, he tried to argue the only tool involved was the final WannaCry one, not the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s a weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — we need to do the kind of information sharing that Hutchins’ prosecution disincents.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rails when a journalist asked about what one of the poorest countries on earth — a country with a severe exchangeable currency shortage — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple of things here. First, Bossert said with a straight face, of one of the poorest countries in the world: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said that, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. Because he never offers that, without which you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim that the answer to cyberattacks is information sharing between the private and public sectors. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude we should go to war against North Korea and their non-NK keyboarders the world over and that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities who minimized the threat of WannaCry as outlaws.

Tom Bossert Brings You … Axis of CyberEvil!

I was struck, when reviewing the NYT article on the KT McFarland email, how central Homeland Security Czar Tom Bossert was to the discussion of asking Russia not to blow off Obama’s Russia sanctions.

“Key will be Russia’s response over the next few days,” Ms. McFarland wrote in an email to another transition official, Thomas P. Bossert, now the president’s homeland security adviser.
Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.
Mr. Bossert replied by urging all the top advisers to “defend election legitimacy now.”
Obama administration officials were expecting a “bellicose” response to the expulsions and sanctions, according to the email exchange between Ms. McFarland and Mr. Bossert. Lisa Monaco, Mr. Obama’s homeland security adviser, had told Mr. Bossert that “the Russians have already responded with strong threats, promising to retaliate,” according to the emails.

There Tom Bossert was, with a bunch of political hacks, undercutting the then-President as part of an effort to “defend election legitimacy now.”

Which is one of the reasons I find Bossert’s attribution of WannaCry to North Korea — in a ridiculously shitty op-ed — so sketchy now, as Trump needs a distraction and contemplates an insane plan to pick a war with North Korea.

The guy who — well after it was broadly known to be wrong — officially claimed WannaCry was spread by phishing is now offering this as his evidence that North Korea is the culprit:

We do not make this allegation lightly. It is based on evidence.

A representative of the government whose tools created this attack, said this without irony.

The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.

And the guy whose boss has, twice in the last week, made googly eyes at Vladimir Putin said this as if he could do so credibly.

As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.

Much of the op-ed is a campaign ad falsely claiming a big break with the Obama Administration.

Change has started at the White House. President Trump has made his expectations clear. He has ordered the modernization of government information-technology to enhance the security of the systems we run on behalf of the American people. He continued sanctions on Russian hackers and directed the most transparent and effective government effort in the world to find and share vulnerabilities in important software. We share almost all the vulnerabilities we find with developers, allowing them to create patches. Even the American Civil Liberties Union praised him for that. He has asked that we improve our efforts to share intrusion evidence with hacking targets, from individual Americans to big businesses. And there is more to come.

A number of the specific items Bossert pointed to in order to claim action are notable for the shoddy evidence underlying them, starting with the Behzad Mesri case and continuing to Kaspersky — which has consistently had more information on the compromises we blame it for than the US government.

When we must, the U.S. will act alone to impose costs and consequences for cyber malfeasance. This year, the Trump administration ordered the removal of all Kaspersky software from government systems. A company that could bring data back to Russia represents an unacceptable risk on federal networks. Major companies and retailers followed suit. We brought charges against Iranian hackers who hacked several U.S. companies, including HBO. If those hackers travel, we will arrest them and bring them to justice. We also indicted Russian hackers and a Canadian acting in concert with them. A few weeks ago, we charged three Chinese nationals for hacking, theft of trade secrets and identity theft. There will almost certainly be more indictments to come.

The Yahoo case, which is backed by impressive evidence, was based on evidence gathered under Obama, from whose Administration Bossert claims to have made a break.

And this kind of bullshit — in an op-ed allegedly focused on North Korea — is worthy of David Frum playing on a TRS-80.

Going forward, we must call out bad behavior, including that of the corrupt regime in Tehran.

Especially ending as it does with a thinly disguised call for war.

As for North Korea, it continues to threaten America, Europe and the rest of the world—and not just with its nuclear aspirations. It is increasingly using cyberattacks to fund its reckless behavior and cause disruption across the world. Mr. Trump has already pulled many levers of pressure to address North Korea’s unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang’s ability to mount attacks, cyber or otherwise.

I mean, maybe dirt poor North Korea really did build malware designed not to make money. But this is not the op-ed to credibly make that argument.

Trump Appears to Have Withheld the KT McFarland Email about the “Thrown Election”

This post explains what appears to be the real reason for the fake outrage about Mueller obtaining information from GSA: by doing so, he appears to have obtained proof that the Transition was withholding emails material to the investigation. Go to this post for a more general summary of what we know about the claim. 

Here’s the letter that the Trump For America lawyer sent to Congress to cause a big hullabaloo about how Robert Mueller obtained transition period emails. I unpacked it in this Twitter thread and commented on it in an update to this post.

But this passage deserves a separate post, because it seems to go to the heart of why the Republicans are spewing propaganda like this.

Additionally, certain portions of the PTT materials the Special Counsel’s Office obtained from the GSA, including materials that are susceptible to privilege claims, have been leaked to the press by unknown persons. Moreover, the leaked records have been provided to the press without important context and in a manner that appears calculated to inflict maximum reputational damage on the PTT and its personnel, without the inclusion of records showing that PTT personnel acted properly – which in turn forces TFA to make an impossible choice between (a) protecting its legal privileges by keeping its records confidential and (b) waiving its privileges by publicly releasing records that counteract the selective leaks and misguided news reports. In short, since the GSA improperly provided them to the Special Counsel’s Office, the PTT’s privileged materials have not only been reviewed privately by the Special Counsel’s Office without notification to TFA – they have also been misused publicly.

Kory Langhofer is insinuating — without quite risking the claim — that after GSA shared certain emails with Robert Mueller’s office, “unknown persons” leaked them to the press. The insinuation is that Mueller’s team leaked them.

I can think of just one set of emails that fit this description: emails from KT McFarland that provided proof that Mike Flynn lied to the FBI about his conversations with Sergei Kislyak on December 29, 2016. The NYT quoted extensively from them in a December 2 story.

Among other things, McFarland stated in the emails that Russia “has just thrown the U.S.A. election to” Trump.

On Dec. 29, a transition adviser to Mr. Trump, K. T. McFarland, wrote in an email to a colleague that sanctions announced hours before by the Obama administration in retaliation for Russian election meddling were aimed at discrediting Mr. Trump’s victory. The sanctions could also make it much harder for Mr. Trump to ease tensions with Russia, “which has just thrown the U.S.A. election to him,” she wrote in the emails obtained by The Times.
Mr. Obama, she wrote, was trying to “box Trump in diplomatically with Russia,” which could limit his options with other countries, including Iran and Syria. “Russia is key that unlocks door,” she wrote.

She also wrote that the sanctions over Russian election meddling were intended to “lure Trump in trap of saying something” in defense of Russia, and were aimed at “discrediting Trump’s victory by saying it was due to Russian interference.”

“If there is a tit-for-tat escalation Trump will have difficulty improving relations with Russia, which has just thrown U.S.A. election to him,” she wrote.

Contrary to Langhofer’s suggestion, NYT made some effort to mitigate the damage of McFarland’s comment seemingly confirming the Trump team knew the election had been stolen, including speaking to a White House lawyer about it.

It is not clear whether Ms. McFarland was saying she believed that the election had in fact been thrown. A White House lawyer said on Friday that she meant only that the Democrats were portraying it that way.

And while NYT’s explanation that they got the emails “from someone who had access to transition team communications” certainly could include Mueller’s team among the culprits, it could also include GSA officials themselves or — even more likely — a former Trump official with a grudge. At least three were CCed on the email in question: Bannon, Priebus, and Spicer.

Mr. Bossert forwarded Ms. McFarland’s Dec. 29 email exchange about the sanctions to six other Trump advisers, including Mr. Flynn; Reince Priebus, who had been named as chief of staff; Stephen K. Bannon, the senior strategist; and Sean Spicer, who would become the press secretary.

In other words, Langhofer uses the leak as an excuse to suggest wrong-doing by Mueller, when other possibilities are far more likely.

But consider the other implication of this: Langhofer is suggesting that this email chain (which included no named active lawyers, nor Trump directly, though the emails were written in Trump’s presence at Mar-a-Lago) is “susceptible to privilege claims.” He is further suggesting that GSA is the only way this email could have been released (ignoring, of course, the Bannon/Priebus/Spicer options).

If that’s right, then he’s suggesting that Trump was involved in this email chain directly. There’s no reason to believe he was CCed. But since the emails were written from Mar-a-Lago, it’s likely he was consulted in the drafting of the emails.

In addition, Langhofer is also admitting that Trump’s team didn’t release these emails directly — at least not to Congress.

Emails which couldn’t be more central to the point of Mueller’s investigation.

Did the GOP just admit that Trump withheld this email? Because if so, it suggests the “thrown election” comment is far more damning than the NYT laid out.

Update: It’s not clear whether Mueller ever tried to obtain these records via GSA (though it’s possible FBI obtained emails before the inauguration). But this, from the letter, makes it clear at least Congress had made requests, which led TFA to try to take GSA out of the loop even though SCO had a document preservation request.

In order to comply with congressional document production requests, TFA ordered from the GSA electronic copies of all PTT emails and other data. Career GSA staff initially expressed concern that providing copies of PTT emails to TFA might violate a document preservation request that the GSA had received from the Special Counsel’s Office.

Withholding this email from Congress would be particularly problematic, as McFarland testified in conjunction with her now-frozen nomination to be Ambassador to Singapore that she knew nothing about Flynn’s communications with Kislyak. h/t SS

Update: Ah, this explains how Mueller was getting emails: via voluntary production, along with everything the Transition was giving Congress. Which means the email was withheld, and this October subpoena was an attempt to see whether they’d cough it up on their own.

Special counsel Robert Mueller’s team in mid-October issued a subpoena to President Donald Trump’s campaign requesting Russia-related documents from more than a dozen top officials, according to a person familiar with the matter.

The subpoena, which requested documents and emails from the listed campaign officials that reference a set of Russia-related keywords, marked Mr. Mueller’s first official order for information from the campaign, according to the person. The subpoena didn’t compel any officials to testify before Mr. Mueller’s grand jury, the person said.

The subpoena caught the campaign by surprise, the person said. The campaign had previously been voluntarily complying with the special counsel’s requests for information, and had been sharing with Mr. Mueller’s team the documents it provided to congressional committees as part of their probes of Russian interference into the 2016 presidential election.
Mueller’s team had previously issued subpoenas individually to several top campaign officials, including former campaign chairman Paul Manafort and former national security adviser Mike Flynn.

[Correction: I’ve been corrected on this passage, which makes it clear this is about campaign emails, not transition ones. But I assume he made parallel requests for all three phases of Trump organization.]

Update: Mueller’s spox, Peter Carr, issued a statement saying, “When we have obtained emails in the course of our ongoing criminal investigation, we have secured either the account owner’s consent or appropriate criminal process.” Given what I’ve laid out here, I actually think “C” may have been the case:

  • Subpoena to Flynn, obtain voluntary compliance for specific things as well as evidence shared with Congress prior to August
  • In August (perhaps after being alerted to withheld documents by Priebus/Spicer/Bannon/Papadopoulos?) obtain emails from GSA, technically the device owners
  • In October, subpoena for Russian-related emails from the same ~13 people

Trump Transition Team Outraged To Be Treated as Transition Team!!

This is a general post on the GOP claim Mueller improperly obtained emails from ~13 Transition officials, updated as new news comes available. This post explains what is really going on: the Transition appears to have withheld emails — including the KT McFarland one referring to the election as having been “thrown” — and Mueller obtained proof they were withholding things. 

Both Fox News and Axios have pieces reflecting the outrage!!! among Trump people that they got asked questions about emails they thought they had hidden from Mueller’s investigation. Axios reveals that Mueller obtained the full contents of 12 accounts (Reuters says 13), one including 7,000 emails, from people on the “political leadership” and “foreign-policy team;” it says it includes “sensitive emails of Jared Kushner.”

Fox reveals that a transition lawyer wrote Congress today claiming that it was unlawful for government employees to turn over emails hosted on government servers for a criminal investigation.

A lawyer for the Trump presidential transition team is accusing Special Counsel Robert Mueller’s office of inappropriately obtaining transition documents as part of its Russia probe, including confidential attorney-client communications and privileged communications.

In a letter obtained by Fox News and sent to House and Senate committees on Saturday, the transition team’s attorney alleges “unlawful conduct” by the career staff at the General Services Administration in handing over transition documents to the special counsel’s office.

Officials familiar with the case argue Mueller could have a problem relating to the 4th Amendment – which protects against unreasonable searches and seizures.

Kory Langhofer, the counsel to Trump for America, wrote in the letter that the GSA “did not own or control the records in question.”

But, Langhofer says, Mueller’s team has “extensively used the materials in question, including portions that are susceptible to claims of privilege.”

And Axios explains that the Trump people actually sorted through this stuff. “The sources say that transition officials assumed that Mueller would come calling, and had sifted through the emails and separated the ones they considered privileged.”

I’m really looking forward to hearing the full story about this, rather than just this partisan spin. For example, I’m interested in whether Mueller realized via some means (perhaps from someone like Reince Priebus or Sean Spicer — update, or George Papadopoulos) that the White House had withheld stuff that was clearly responsive to his requests, so he used that to ask GSA to turn over the full set.

I’m also interested in how they’ll claim any of this was privileged. The top 13 political and foreign policy people on the Trump team might include (asterisks mark people confirmed to be among those whose accounts were obtained):

  1. Pence
  2. Bannon
  3. Jared*
  4. Flynn*
  5. KT McFarland
  6. Spicer
  7. Priebus
  8. Nunes
  9. Sessions
  10. Seb Gorka
  11. Stephen Miller
  12. Hope Hicks
  13. Ivanka
  14. Don Jr
  15. Rebekah Mercer
  16. Kelly Anne Conway
  17. Rudy Giuliani
  18. Steven Mnuchin
  19. Rick Gates
  20. Corey Lewandowski
  21. Tom Bossert

Just one of those people — Sessions — is a practicing lawyer (and he wasn’t, then), and he wasn’t playing a legal role in the transition (though both Sessions and Nunes may have been using their congressional email, in which case Mueller likely would show far more deference; update: I’ve added Rudy 911 to the list, and he’d obviously qualify as a practicing lawyer). Though I suppose they might have been talking with a lawyer. But I would bet Mueller’s legal whiz, Michael Dreeben, would point to the Clinton White House Counsel precedent and say that transition lawyers don’t get privilege.

Furthermore, Trump wasn’t President yet! This has come up repeatedly in congressional hearings. You don’t get privilege until after you’re president, in part to prevent you from doing things like — say — undermining existing foreign policy efforts of the actually still serving President. So even if these people were repeating things Trump said, it wouldn’t be entitled to privilege yet.

Finally, consider that some of these people were testifying to the grand jury months and months ago. But we’re only seeing this complaint today. That’s probably true for two reasons. One, because Mueller used the emails in question (most notably, the emails between McFarland and Flynn from December 29 where they discussed Russian sanctions) to obtain a guilty plea from Flynn. And, second, because Republicans are pushing to get Trump to fire Mueller.

Update: I’ve added Pence, Don Jr., Ivanka, Hope Hicks, Kelly Anne Conway, Rudy Giuliani, Steven Mnuchin back in here.

Update: Here’s more from Reuters.

Langhofer, the Trump transition team lawyer, wrote in his letter that the GSA’s transfer of materials was discovered on Dec. 12 and 13.

The FBI had requested the materials from GSA staff last Aug. 23, asking for copies of the emails, laptops, cell phones and other materials associated with nine members of the Trump transition team responsible for national security and policy matters, the letter said.

On Aug. 30, the FBI requested the materials of four additional senior members of the Trump transition team, it said.

The GSA transfer may only have been discovered this week (probably as a result of Congress’ investigation). But the witnesses had to have known these emails went beyond the scope of what the transition turned over. And the request date definitely is late enough for Mueller to have discovered not everything got turned over, perhaps even from George Papadopoulos, who flipped in late July.

Update: One more thing. Remember that there were worries that transition officials were copying files out of a SCIF. That, by itself, would create an Insider Threat concern that would merit FBI obtaining these emails directly.

Update: Here’s a report dated June 15 on a transition lawyer instructing aides and volunteers to save anything relating to Russia, Ukraine, or known targets (Flynn, Manafort, Page, Gates, and Stone).

Update: AP reports that Flynn was (unsurprisingly) among those whose email was obtained.

Update: Here’s the letter. I unpacked it here. It’s a load of — I believe this is the technical term — shite. First, it stakes everything on PTT not being an agency. That doesn’t matter at all for a criminal investigation — Robert Mueller was not FOIAing this stuff. It then later invokes a bunch of privileges (the exception is the attorney-client one) that only come with the consequent responsibilities. It then complains that Mueller’s team didn’t use a taint team.

Perhaps the craziest thing is they call for a law that would only permit someone to access such emails for a national security purpose — as if an espionage-related investigation isn’t a national security purpose!

Update: Chris Geidner got GSA’s side of the story. Turns out they claim the now dead cover up GC didn’t make the agreement the TFA lawyer says he did. In any case, GSA device users agreed their devices could be monitored.

“Beckler never made that commitment,” he said of the claim that any requests for transition records would be routed to the Trump campaign’s counsel.

Specifically, Loewentritt said, “in using our devices,” transition team members were informed that materials “would not be held back in any law enforcement” actions.

Loewentritt read to BuzzFeed News a series of agreements that anyone had to agree to when using GSA materials during the transition, including that there could be monitoring and auditing of devices and that, “Therefore, no expectation of privacy can be assumed.”

Update: Mueller’s spox, Peter Carr, issued a statement saying, “When we have obtained emails in the course of our ongoing criminal investigation, we have secured either the account owner’s consent or appropriate criminal process.”

Why Did Tom Bossert Claim WannaCry Was Spread Via Phishing?

Writing this post made me look more closely at what Trump’s Homeland Security Czar Tom Bossert said in a briefing on WannaCry on Monday, May 15.

He claimed, having just gotten off the phone with his British counterpart and in spite of evidence to the contrary, that there had been minimal disruption to care in Britain’s DHS.

The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care.
And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes.  And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching.
Of course, this may be an issue in the upcoming election, so I can see why Theresa May’s government might want to downplay any impact on patient care, especially since the Tories have long been ignoring IT problems at DHS.

He dodged a follow-up question about whether there might be more tools in the Shadow Brokers haul that would lead to similar attacks in the future, by pointing to our Vulnerabilities Equities Process.

Q    I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future?

MR. BOSSERT:  I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of.  That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability.  I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry.

Obviously, the VEP did not prevent this attack. More importantly, someone in government really needs to start answering what the NSA and CIA (and FBI, if it ever happens) do when their hacking tools get stolen, an issue which Bossert totally ignored.

But I’m most interested in something Bossert said during the original exchange on NSA’s role in all this.

Q    So this is one episode of malware or ransomware.  Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there?

MR. BOSSERT:  So there’s a little bit of a double question there.  Part of that has to do with the underlying vulnerability exploit here used.  I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.  This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. [my emphasis]

Three days into the WannaCry attack, having spent the weekend consulting with DHS and NSA, Bossert asserted that WannaCry was spread via phishing.

That is a claim that was reported in the press. But even by Monday, I was seeing security researchers persistently question the claim. Over and over they kept looking and failing to find any infections via phishing. And I had already seen several demonstrations showing it didn’t spread via phishing.

Now, Bossert is one of the grown-ups in the Trump Administration. His appointment — and the cybersecurity policy continuity with Obama’s policy — was regarded with relief when it was made, as laid out in this Wired profile.

“People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.

“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”

And (as the rest of the profile makes clear) he does know cybersecurity.

So I’m wondering why Bossert was stating that this attack spread by phishing at a time when open source investigation had already largely undermined that hasty claim.

There are at least three possibilities. Perhaps Bossert simply misstated here, accidentally blaming the vector we’ve grown used to blaming. Possibly (though this would be shocking) the best SIGINT agency in the world still hadn’t figured out what a bunch of people on Twitter already had.

Or, perhaps there were some phished infections, which quickly got flooded as the infection spread via SMB. Though that’s unlikely, because the certainty that it didn’t spread via email has only grown since Monday.

So assuming Bossert was, in fact, incorrect when he made this claim, why did he have this faulty information?