Tuesday Morning: Été Frappé

[graphic: Map of Belgian attacks 22MAR2016 for Le Monde via Eric Beziat]

Whatever I was going to write today has been beaten into submission by current events.

Woke up to news about alleged terror attacks in Belgium — social media was a mess, a deluge of information with little organization. Best I can tell from French language news outlets including Le Monde, the first attack was at 8:00 a.m. local time at the Zaventem Airport just outside Brussels. The second attack occurred at the metro station Maelbeek at 9:11 a.m. Both attacks appeared to use bombs, unlike the Paris attack this past year — two at the airport, one at the metro. Reports indicate 15 deaths and 55 seriously injured so far.

A third explosion reported at a different location in the city of Brussels has been attributed to the controlled detonation of a suspicious package after the second attack.

In the time gap between the two attacks, one might suppose many law enforcement and military would have gone to the airport to respond to the first attack. Was there synchronization by planned schedule, or was there coordination by communication?

However, communications may have been difficult as telecom networks were quickly flooded. How soon were the telecom networks overloaded? Or were the networks throttled for observation? We may not ever know.

It’s worth reexamining what Marcy wrote about the communications found after the Paris attack (here and here). It may be relevant if the same practices were used by the attackers in Brussels.

Important to note that Paris terror attack suspect Salah Abdeslam was arrested March 18 in a raid in Brussels. He is believed to have transported several of the attackers to the Stade de France just before the November 13 attack. Abdeslam may have been one of several suspects who fled from another earlier raid during which another suspect was killed.

Still working on the order issued late yesterday vacating today’s planned hearing on #AppleVsFBI. The order is here.

UPDATE — 9:30 a.m. EST — Marcy will be posting in a bit about the #AppleVsFBI hearing that wasn’t.

Another interesting story that broke in France today: French Supreme Court affirmed a previous lower court decision which ruled legal the wiretapping of former president Nicolas Sarkozy. Sarkozy has been under investigation for various forms of influence peddling since 2010, including receipt of campaign funds from Libya’s Muammar Gaddafi in 2007.

UPDATE — 1:00 p.m. EST/5:00 p.m. London/6:00 p.m. Brussels, Paris —

Now into the post-emergency recovery stage — all manner of political functionaries and talking heads have offered their two bits on this morning’s attacks. Three days of mourning have been declared in Belgium. Pictures of the alleged bombers at the airport taken by security video camera have now been published. The airport attackers detonated their weapons in the pre-security check-in area. 34 deaths have now been reported as a result of the attacks for which ISIS has now claimed responsibility. Across the Channel, the UK remains on alert for multiple attacks after last week’s raid in Brussels; UK travelers have been discouraged from traveling to Brussels.

Timeline (via Agence France-Presse)

22 March, shortly after 9:00 a.m.
Explosion in the Maelbeek metro station.

22 March, 8:00 a.m.
Two explosions at the airport. Possible suicide bomber.

21 March
[Suspect] Najim Laachraoui, whose DNA was found on explosives, identified and actively sought.

18 March
Salah Abdeslam arrested in Molenbeek.

15 March
Shooting, Forest district – Mohamed Belkaid, linked to the perpetrators of the Paris attacks of November 13, is killed. Fingerprints of Salah Abdeslam found.


Are the Authorities Confusing a PRISM Problem with an Encryption Problem?

CNN has its own version of updated reporting from the Paris attack. It provides a completely predictable detail inexplicably not included in the weekend’s big NYT story: that the one phone with any content on it — as distinct from a pure burner — had Telegram loaded on it.

Several hours earlier, at 2:14 p.m., while they were still at the Alfortville hotel, the Bataclan attackers had downloaded the encryption messaging app Telegram onto their Samsung smart phone, according to police reports. No recovered content from the messaging app is mentioned in the French police documents, suggesting there were likely communications by the Bataclan attackers that will never be recovered.

As well as offering end-to-end encryption, the Telegram messaging app offers an option for users to “self-destruct” messages. At 4:39 p.m. on November 13, one of the attackers downloaded detailed floor plans of the Bataclan venue onto the Samsung phone and conducted online searches for the American rock band playing there that night, the Eagles of Death Metal.

I predicted as much in my post on that NYT story.

My suspicion is that, as had been reported, rather than emails ISIS relied on Telegram, but used in such a fashion that would make it less useful on burner phones (“secret” Telegram chats are device specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

If ISIS’ use of Telegram (which was publicly acknowledged when Telegram shut down a bunch of ISIS channels in the wake of the attack) is what anonymous sources keep insisting is an encryption problem, then it suggests the problem is being misportrayed as an encryption one.

True, Telegram does offer the option of end to end encryption for its messaging. There are questions about its encryption (though thus far it hasn’t been broken publicly). So it does offer users the ability to carry out secret chats and to then destroy them, which may be where the concern about all the “scoured” “email” in the NYT piece comes from, the assumption these terrorists have used Telegram but deleted those messages.

But as the Grugq points out, it’s a noisy app in other ways that the NSA should be able to exploit.

Contact Theft

When registering an account with Telegram, the app helpfully uploads the entire Contacts database to Telegram’s servers (optional on iOS). This allows Telegram to build a huge social network map of all the users and how they know each other. It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whomever has pwned their servers).

Contact books are extremely valuable information. We know that the NSA went to great lengths to steal them from instant messenger services. On mobile the contact lists are even more important because they are very frequently linked to real world identities.

Voluminous Metadata

Anything using a mobile phone exposes a wide range of metadata. In addition to all the notification flows through Apple and Google’s messaging services, there is the IP traffic flows to/from those servers, and the data on the Telegram servers. If I were a gambling man, I’d bet those servers have been compromised by nation state intelligence services and all that data is being dumped regularly.

This metadata would expose who talked with who, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid).

He spends particular time on Telegram’s Secret chat function (the one that allows a person to destroy a chat). But he doesn’t talk about how that might play into the extensive use of burners that we’ve seen from ISIS. Secret chats are device specific (that is, they can be sent only to a numbered device, not an account). That would make the function very hard to integrate with disciplined burner use, because the whole point of burners is not to have persistent telephone numbers. How will a terrorist remember the new number he wants to associate with a Telegram secret chat? Write it on a piece of paper?

In other words, it seems you could use one (disciplined burners) or another (full use of Telegram with persistent phones), the latter of which would provide its own kind of intelligence. It may well be ISIS does merge these two uses, but if so we shouldn’t expect to see Telegram on their true burner phones. Plus, assuming the bearer of the phone speaks that dialect the Belgians were struggling to translate, voice calls on burners would be just as useful as transient use of Telegram.

But that’s probably not the real problem for authorities. In fact, if known terrorists had been using, say, WhatsApp rather than Telegram for such encrypted chats, authorities might have had more information on their network than they do now. That’s because WhatsApp metadata would be available under PRISM, whereas to get Telegram data, non-German authorities are going to have to go steal it.

If that supposition is correct, it would suggest that the US should drop all efforts to make Apple phones’ encryption weaker. So long as it has the presumed best security (notwithstanding the iMessage vulnerability just identified by researchers at Johns Hopkins), people from around the world will choose it, ensuring that the world’s best SIGINT agency could have ready access. If Telegram is perceived as being better — or even being close, given the location — people of all sorts will prefer that.

That won’t give you the content, in either case (even if you had the Moroccan translators you needed to translate, if that indeed remained a problem for authorities). But you’re better off having readily accessible metadata than losing it entirely.


For Counterterrorism Experts, Absence of Evidence Equals Encryption

The NYT has a fascinating story based on shared criminal files and attack review, describing what authorities currently know about how ISIS pulled off the Paris attack. It describes continued problems with transliteration (though it’s not clear that played a role in this attack).

“We don’t share information,” said Alain Chouet, a former head of French intelligence. “We even didn’t agree on the translations of people’s names that are in Arabic or Cyrillic, so if someone comes into Europe through Estonia or Denmark, maybe that’s not how we register them in France or Spain.”

It describes, over and over, the volume of burner and borrowed phones the attackers used, including a lot of calls that ended up being easy to trace.

After numerous delays, one of the attackers began using a hostage’s cellphone to send text messages to a contact outside. At one point, one of the gunmen turned to a second and said in fluent French, “I haven’t gotten any news yet,” suggesting they were waiting for an update from an accomplice. Then they switched and continued the discussion in Arabic, according to the police report.

[snip]

The attackers seized cellphones from the hostages and tried to use them to get onto the Internet, but data reception was not functioning, Mr. Goeppinger told the police. Their use of hostages’ phones is one of the many details, revealed in the police investigation, pointing to how the Islamic State had refined its tradecraft. Court records and public accounts have detailed how earlier operatives sent to Europe in 2014 and early 2015 made phone calls or sent unencrypted messages that were intercepted, allowing the police to track and disrupt their plots. But the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.

[snip]

Everywhere they went, the attackers left behind their throwaway phones, including in Bobigny, at a villa rented in the name of Ibrahim Abdeslam. When the brigade charged with sweeping the location arrived, it found two unused cellphones still inside their boxes.

New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.

Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest. From 8:41 p.m. until just before he died at 9:28 p.m., the phone was in constant touch with a phone inside the rental car being driven by Mr. Abaaoud. It also repeatedly called a cellphone in Belgium.

Remember, earlier reports on some of these same terrorists described them using a Moroccan dialect for which Belgian authorities, at least, did not have ready translators, which would make voice calls almost as effective as encrypted communications, especially so long as that common phone number in Belgium remained unknown. The story describes the attackers using Arabic, though doesn’t say whether it was a dialect.

After numerous delays, one of the attackers began using a hostage’s cellphone to send text messages to a contact outside. At one point, one of the gunmen turned to a second and said in fluent French, “I haven’t gotten any news yet,” suggesting they were waiting for an update from an accomplice. Then they switched and continued the discussion in Arabic, according to the police report.

But it then makes an enormous logical leap, from the very first line of the story, that absence of emails equates to some operational security pertaining to emails.

Investigators found crates’ worth of disposable cellphones, meticulously scoured of email data. [See note]

[snip]

According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown, and is among the details that Mr. Abdeslam’s capture could help reveal.

[snip]

Most striking is what was not found on the phones: Not a single email or online chat from the attackers has surfaced so far.

What seems most likely from this description is that for phones terrorists used as burners, they simply didn’t load them with apps to conduct more extensive communication. And why would they, especially if they knew from past reporting that their language was proving hard to “decrypt” for authorities, even with time?

Then there’s this description of a laptop that might have used encryption.

One of the terrorists pulled out a laptop, propping it open against the wall, said the 40-year-old woman. When the laptop powered on, she saw a line of gibberish across the screen: “It was bizarre — he was looking at a bunch of lines, like lines of code. There was no image, no Internet,” she said. Her description matches the look of certain encryption software, which ISIS claims to have used during the Paris attacks.

I asked one of the reporters on this story, Rukmini Callimachi, whether the computer showed up in the report; it did not. Which either suggests it was destroyed in one of the suicide vest explosions beyond all forensic use, or wasn’t one of the terrorist laptops at all (or was misremembered by the eyewitness, which would be unsurprising given the unreliable nature of even witnesses who are not, by nature of being hostages, very stressed).

Yet even if this computer had full disk encryption (as opposed to just being a Linux machine, as some people have suggested), there’s no reason to assume there’d be emails. And, as the story makes clear, the phone recovered outside of Bataclan was not encrypted (this was the one that had a text on it).

As the bodies of the dead were being bagged, the police found a white Samsung phone in a trash can outside the Bataclan.

It had Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number — belonging to an unidentified user in Belgium. Another new detail from the report showed that the phone’s photo album police found images of the concert hall’s layout, as well as Internet searches for “fnacspectacles.com,” a website that sells concert tickets; “bataclan.fr”; and the phrase “Eagles of Death at the Bataclan.”

[snip]

Even though one of the disposable phones was found to have had a Gmail account with the username “yjeanyves1,” the police discovered it was empty, with no messages in the sent or draft folders.

Note, that account name is very French, not at all similar to the names of the perpetrators (see the list here), which makes me wonder whether it’s an artefact of a prior owner, from whom this phone could have been stolen.

My suspicion is that, as had been reported, rather than emails ISIS relied on Telegram, but used in such a fashion that would make it less useful on burner phones (“secret” Telegram chats are device specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

The authorities now have a great deal of evidence on these terrorists. And what it shows is that burner phones used with discipline serve as a far more important operational security tool than encryption. Indeed, at this point, the authorities only claim the terrorists used encryption because they have no evidence of it!

And yet, that doesn’t appear to have stopped the IC from convincing Obama that the Paris terrorists used encryption and so we have to break it here.

Note: On Twitter, Callimachi acknowledged that that first line makes no sense and said she would try to have it changed.

Update: And now it reads like this:

Investigators found crates’ worth of disposable cellphones.


Why Isn’t Jim Comey Crusading against This Tool Used to Hide Terrorist Secrets?

Several times over the course of Jim Comey’s crusade against strong encryption, I have noted that, if Comey wants to eliminate the tools “bad guys” use to commit crimes, you might as well eliminate the corporation. After all, the corporate structure helped a bunch of banksters do trillions of dollars of damage to the US economy and effectively steal the homes from millions with near-impunity.

It’d be crazy to eliminate the corporation because it’s a tool “bad guys” sometimes use, but that’s the kind of crazy we see in the encryption debate.

Yesterday, Ron Wyden pointed to a more narrow example of the way “bad guys” abuse corporate structures to — among other things — commit terrorism: the shell corporation.

In a letter to Treasury Secretary Jack Lew, he laid out several cases where American shell companies had been used to launder money for crime — including terrorism, broadly defined.

[graphic: Screen Shot 2016-02-26 at 9.51.49 AM]

He then asked for answers about several issues. Summarizing:

  • The White House IRS-registration for beneficial information on corporations probably won’t work. Does Treasury have a better plan? Would the Senate and House proposals to have states or Treasury create such a registry provide the ability to track who really owns a corporation?
  • FinCEN has proposed a rule that would not only be easily evaded, but might weaken the existing FATCA standard. Has anyone reviewed this?
  • Does FinCEN actually think its rule would identify the natural person behind shell companies?
  • Would requiring financial institutions to report balances held by foreigners help information sharing?

They’re good questions but point, generally, to something more telling. We’re not doing what we need to do to prevent our own financial system from being used as a tool for terrorism. Unlike encryption, shell companies don’t have many real benefits to society. Worse, it sounds like Treasury is making the problem worse, not better.

Of course, the really powerful crooks have reasons to want to retain the status quo. And so FBI Director Jim Comey has launched no crusade about this much more obvious tool of crime.


On December 10, Intelligence Committees Not Told Any Encrypted Communications Used in San Bernardino

Here’s what Senate Intelligence Chair Richard Burr and House Intelligence Ranking Member Adam Schiff had to say about a briefing on the San Bernardino attack they attended on December 10.

Lawmakers on Thursday said there was no evidence yet that the two suspected shooters used encryption to hide from authorities in the lead-up to last week’s San Bernardino, Calif., terror attack that killed 14 people.

“We don’t know whether it played a part in this attack,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) told reporters following a closed-door briefing with federal officials on the shootings.

But that hasn’t ruled out the possibility, Burr and others cautioned.

“That’s obviously one issue we’re very interested in,” House Intelligence Committee ranking member Adam Schiff (D-Calif.) said. “To what degree were either encrypted devices or communications a part of the impediment of the investigation, either while the events were taking place or to our investigation now?”

The recent terror attacks in San Bernardino and Paris have shed an intense spotlight on encryption.

While no evidence has been uncovered that either plot was hatched via secure communications platforms, lawmakers and federal officials have used the incidents to resurface an argument that law enforcement should have guaranteed access to encrypted data.

On December 10, we should assume from these comments, the Congressmen privy to the country’s most secret intelligence and law enforcement information, were told nothing about a key source of evidence in the San Bernardino attack being encrypted. Schiff made it quite clear the members of Congress in the briefing were quite interested in that question, but nothing they heard in the briefing alerted them to a known trove of evidence being hidden by encryption.

That’s an important benchmark because of details the FBI provided in response to questions from Ars Technica’s Cyrus Farivar. As had been made clear in the warrant, FBI seized the phone on December 3. But the statement also reveals that FBI asked the County to reset Farook’s Apple ID password on December 6. That means they were already working on that phone several days before the briefing to the Intelligence Committee members (it’s unclear whether that briefing was just for the Gang of Four or for both Intelligence Committees).

While, given what Tim Cook described last night, the FBI had not yet asked for Apple’s assistance by that point, the FBI had to have known what they were dealing with by December 6 — an iPhone 5C running iOS9. Therefore, they would have known the phone was encrypted by default (and couldn’t be opened with a fingerprint).

Yet even four days later, they were not sufficiently interested in that phone they had to have known to be encrypted to tell Congress it held key data.

Update: Wow, this, from Apple’s motion to vacate the order, makes this all the more damning.

[graphic: Screen Shot 2016-02-25 at 6.09.00 PM]


What Claims Did the Intelligence Community Make about the Paris Attack to Get the White House to Change on Encryption?

I’m going to do a series of posts laying out the timeline behind the Administration’s changed approach to encryption. In this, I’d like to make a point about when the National Security Council adopted a “decision memo” more aggressively seeking to bypass encryption. Bloomberg reported on the memo last week, in the wake of the FBI’s demand that Apple help it brute force Syed Rezwan Farook’s work phone.

But note the date: The meeting at which the memo was adopted was convened “around Thanksgiving.”

Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install “backdoors” in their software — secret listening posts where investigators could pierce the veil of secrecy on users’ encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B.

In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.’s iPhone, the marquee product of one of America’s most valuable companies, according to two people familiar with the decision.

The approach was formalized in a confidential National Security Council “decision memo,” tasking government agencies with developing encryption workarounds, estimating additional budgets and identifying laws that may need to be changed to counter what FBI Director James Comey calls the “going dark” problem: investigators being unable to access the contents of encrypted data stored on mobile devices or traveling across the Internet. Details of the memo reveal that, in private, the government was honing a sharper edge to its relationship with Silicon Valley alongside more public signs of rapprochement. [my emphasis]

That is, the meeting was convened in the wake of the November 13 ISIS attack on Paris.

We know that last August, Bob Litt had recommended keeping options open until such time as a terrorist attack presented the opportunity to revisit the issue and demand that companies back door encryption.

Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Litt was commenting on a draft paper prepared by National Security Council staff members in July, which also was obtained by The Post, that analyzed several options. They included explicitly rejecting a legislative mandate, deferring legislation and remaining undecided while discussions continue.

It appears that is precisely what happened — that the intelligence community, in the wake of a big attack on Paris, went to the White House and convinced them to change their approach.

So I want to know what claims the intelligence community made about the use of encryption in the attack that convinced the White House to change approach. Because there is nothing in the public record that indicates encryption was important at all.

It is true that a lot of ISIS associates were using Telegram; shortly after the attack Telegram shut down a bunch of channels they were using. But reportedly Telegram’s encryption would be easy for the NSA to break. The difficulty with Telegram — which the IC should consider seriously before they make Apple back door its products — is that its offshore location probably made it harder for our counterterrorism analysts to get the metadata.

It is also true that an ISIS recruit whom French authorities had interrogated during the summer (and who warned them very specifically about attacks on sporting events and concerts) had been given an encryption key on a thumb drive.

But it’s also true the phone recovered after the attack — which the attackers used to communicate during the attack — was not encrypted. It’s true, too, that French and Belgian authorities knew just about every known participant in the attack, especially the ringleader. From reports, it sounds like operational security — the use of a series of burner phones — was more critical to his ability to move unnoticed through Europe. There are also reports that the authorities had a difficult time translating the dialect of (probably) Berber the attackers used.

From what we know, though, encryption is not the reason authorities failed to prevent the French attack. And a lot of other tools that are designed to identify potential attacks — like the metadata dragnet — failed.

I hate to be cynical (though comments like Litt’s — plus the way the IC used a bogus terrorist threat in 2004 to get the torture and Internet dragnet programs reauthorized — invite such cynicism). But it sure looks like the IC failed to prevent the November attack, and immediately used their own (human, unavoidable) failure to demand a new approach to encryption.

Update: In testimony before the House Judiciary Committee today, Microsoft General Counsel Brad Smith repeated a claim MSFT witnesses have made before: they provided Parisian law enforcement email from the Paris attackers within 45 minutes. That implies, of course, that the data was accessible under PRISM and not encrypted.


The Latest 60 Minutes Propaganda: We Need a Crypto Back Door because ISIS Is “Coming Here” with WMD

It has been clear for several years now that 60 Minutes has become a propaganda vehicle for the intelligence community (post, post, post). So it was unsurprising that John Brennan was given an opportunity to fearmonger last night without pesky people like Ron Wyden around pointing out that CIA itself poses a threat, even according to the terms laid out by the Intelligence Community.

I find the timing and content of John Brennan’s appearance of note.

The first segment (indeed the first words!) of the appearance did two things: first, it conflated ISIS-inspired attacks with ISIS-directed ones to suggest the terrorist organization might strike in the US.

Scott Pelley: Is ISIS coming here?

John Brennan: I think ISIL does want to eventually find its, its mark here.

Scott Pelley: You’re expecting an attack in the United States?

John Brennan: I’m expecting them to try to put in place the operatives, the material or whatever else that they need to do or to incite people to carry out these attacks, clearly. So I believe that their attempts are inevitable. I don’t think their successes necessarily are.

Here’s how the global threat testimony from last week, which really serves as temporal justification for Brennan’s appearance, carried out a similar though more nuanced conflation of ISIS’ aspirations with the aspirational plots here in the US.

The United States will almost certainly remain at least a rhetorically important enemy for most violent extremists in part due to past and ongoing US military, political, and economic engagement overseas. Sunni violent extremists will probably continually plot against US interests overseas. A smaller number will attempt to overcome the logistical challenges associated with conducting attacks on the US homeland. The July 2015 attack against military facilities in Chattanooga and December 2015 attack in San Bernardino demonstrate the threat that homegrown violent extremists (HVEs) also pose to the homeland. In2014, the FBI arrested approximately one dozen US-based ISIL supporters, in 2015, that number increased to approximately five dozen arrests. These individuals were arrested for a variety of reasons, predominantly for attempting to provide material support to ISIL.

Both Brennan and the threat testimony slide carefully from ISIS itself overcoming the logistical problems of attacking here to the far smaller ISIS-inspired attacks.

After having suggested ISIS wants to attack the US, Pelley then led Brennan to overstate the degree to which the Paris attackers hid behind encryption.

Scott Pelley: What did you learn from Paris?

John Brennan: That there is a lot that ISIL probably has underway that we don’t have obviously full insight into. We knew the system was blinking red. We knew just in the days before that ISIL was trying to carry out something. But the individuals involved have been able to take advantage of the newly available means of communication that are–that are walled off, from law enforcement officials.

Scott Pelley: You’re talking about encrypted Internet communications.

John Brennan: Yeah, I’m talking about the very sophisticated use of these technologies and communication systems.

From all the reports thus far, ISIS achieved what little obscurity they had primarily through burner devices, not through encryption (not to mention the fact that French authorities got an encryption key from someone who had decided against carrying out an ISIS attack the summer before this attack). And while Jim Comey revealed that FBI had not yet cracked one of several phones used by the San Bernardino attackers (who were not directed by ISIS and may have only invoked it for their own obscurantist purposes), the threat testimony pointed to social media as being as big a concern as encryption (most of what ISIS uses is fairly weak).

Terrorists will almost certainly continue to benefit in 2016 from a new generation of recruits proficient in information technology, social media, and online research. Some terrorists will look to use these technologies to increase the speed of their communications, the availability of their propaganda, and ability to collaborate with new partners. They will easily take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.

Finally — still in the first segment!!! — Pelley invites Brennan to suggest that limited reports that ISIS has used chemical weapons in Syria mean they might use them here.

Scott Pelley: Does ISIS have chemical weapons?

John Brennan: We have a number of instances where ISIL has used chemical munitions on the battlefield.

Scott Pelley: Artillery shells.

John Brennan: Sure. Yeah.

Scott Pelley: ISIS has access to chemical artillery shells?

John Brennan: Uh-huh (affirm). There are reports that ISIS has access to chemical precursors and munitions that they can use.

The CIA believes that ISIS has the ability to manufacture small quantities of chlorine and mustard gas.

Scott Pelley: And the capability of exporting those chemicals to the West?

John Brennan: I think there’s always the potential for that. This is why it’s so important to cut off the various transportation routes and smuggling routes that they have used.

Compare Brennan’s suggestion that ISIS may be manufacturing CW with the threat testimony note that two people have been exposed to mustard gas, though with far more widespread allegations of such use.

We assess that non state actors in the region are also using chemicals as a means of warfare. The OPCW investigation into an alleged ISIL attack in Syria in August led it to conclude that at least two people were exposed to sulfur mustard. We continue to track numerous allegations of ISIL’s use of chemicals in attacks in Iraq and Syria, suggesting that attacks might be widespread.

Now, I’ll grant you that Brennan much more carefully dodges here than Dick Cheney ever used to. But it’s pure fear-mongering — especially in the wake of the Oregon standoff that makes it clear domestic extremists are not only every bit as motivated as ISIS wannabes, but better trained and equipped. And fear-mongering using Dick Cheney’s favorite techniques (albeit with the added kicker of crypto fear-mongering).

And it all happened as Brennan’s buddies the Saudis are pretending to (finally) join the fight against ISIS in what is a fairly transparent attempt to prevent Russian-backed Syrian forces from gaining a crucial advantage in Syria. That is, this fairly crass fear-mongering is likely directed at Assad as much as it is ISIS.

Tuesday Morning: The Fat One You’ve Awaited

Mardi Gras. The day before Ash Wednesday. Fat Tuesday. In Brazil, it’s Carnival — plenty of parades with costumed dancers and samba. In New Orleans, it means king cake, beads, and more parades, but here in Michigan, it means pączki. No parades in the snow, just an icy trek to the Polish bakery for some decadent sweets we get but once a year.

I’m still drafting this, too much stuff to weed through this morning. I’ll update as I write. Snag a cup of joe and a pączki while you wait. Make mine raspberry filled, please!

Economic indicators say “Maybe, Try Again”
Asian and European stock markets were a mess this morning. There’s no sign of an agreement between OPEC nations on production and pricing, which may lead to yet more floundering in the stock market. Yet one indicator — truck tonnage on the roads — doesn’t show signs of a recession in the U.S.

UK court cases topsy-turvy: LIBOR Six and a secret trial

  • UK can’t hold the LIBOR Six bankers accountable for their part in the 2008 economic crisis because the prosecution was sloppy. It’s pretty bad when a defense attorney asks if the prosecution was “making this up as they go along.”
  • The article’s first graf is a warning:

    Warning: this article omits information that the Guardian and other news organisations are currently prohibited from publishing.

    The case, R v Incedal and Rarmoul-Bouhadjar, continues to look like a star chamber, with very little information available to the public about the case. The accused have been charged and served time, but the media has been unable to freely access information about the case, and their appeal has now been denied. A very ugly precedent for a so-called free country.

Facebook: French trouble, and no free internet in India

  • Shocked, SHOCKED, I am: French regulators told Facebook its handling of users’ data didn’t sufficiently protect their privacy. The Commission nationale de l’informatique et des libertés (CNIL) told the social media platform it has three months to stop sharing users’ data with U.S. facilities for processing. CNIL also told Facebook to stop tracking non-Facebook users without warning them.
  • The Indian government told Facebook thanks, but no thanks to its Free Basics offering, a so-called free internet service. The service ran afoul of net neutrality in that country as it implicitly discouraged users from setting up sites outside Facebook’s platform. Many users did not understand there was a difference between Facebook and the internet as a whole. Mr. Zuckerberg really needs to study the meaning of colonialism, and how it might pertain to the internet in emerging markets.

Boy kicked out of school because of his DNA
This is a really sad story not resolved by the Genetic Information Nondiscrimination Act (GINA). The boy has cystic fibrosis; his parents informed the school on his paperwork, as they should in such cases. But because of the risks to the boy or his siblings with similar genes, the boy was asked to leave. GINA, unfortunately, does not protect against discrimination in education, only in healthcare and employment. This is a problem Congress should take up with an amendment to GINA. No child should be discriminated against in education because of their genes over which they have no control, any more than a child should be discriminated against because of their race, gender identity, or sexuality.

All right, get your party on, scarf down the last of your excess sweets, for tomorrow is sackcloth and ashes. I can hardly wait for the sugar hangover to come.

Superb Owl: Keeping Eye on Fans and More?

If humans could see the full spectrum of radiation, the San Francisco Bay Area would shine bright like the sun this evening — not from lighting, but from communications. The Super Bowl concentrates more than 100,000 people, most of whom will have a wireless communications device on their person — cellphone, phablet, or tablet. There are numerous networks conveying information on the field, in the stands, and to the fans watching globally on television and the internet.

And all of these communications generate massive amounts of data surely monitored in some way, no matter what our glorious government may tell us to the contrary. The Super Bowl is a National Special Security Event (NSSE), rated with a Special Event Assignment Rating (SEAR) level 1. The designation ensures the advance planning and involvement of all the three-letter federal agencies responsible for intelligence and counterterrorism you can think of, as well as their state and local counterparts. They will be watching physical and electronic behavior closely.

Part of the advance preparation includes establishing a large no-fly zone around the Bay Area. Non-government drones will also be prohibited in this airspace.

What’s not clear to the public: what measures have been taken to assure communications continuity in the same region? Yeah, yeah — we all know they’ll be watching, but how many of the more than one million visitors to the Bay Area for the Super Bowl are aware of the unsolved 15 or 16 telecom cable cuts that happened over the last couple of years? What percentage of local residents have paid or are paying any attention at all to telecommunications infrastructure, or whether crews “working” on infrastructure are legitimate or not?

Planning for a SEAR 1 event begins almost as soon as the venue is announced — perhaps even earlier. In the case of Super Bowl 50, planning began at least as early as the date the game was announced nearly 34 months ago on March 28th, 2014. The Levi’s stadium was still under construction as late as August that same year.

And the first cable cut event happened nearly a year earlier, on April 16, 2013 — six months after Levi’s Stadium was declared one of two finalists to host the 50th Super Bowl, and one month before Levi’s was awarded the slot by NFL owners.

News about a series of 11 cable cuts drew national attention last summer when the FBI asked for the public’s assistance. These events happened to the east of San Francisco Bay, though some of them are surely inside the 32-mile radius no-fly zone observed this evening.

But what about the other cuts which took place after April 2013, and after the last of 11 cuts in June 2015? News reports vary but refer to a total of 15 or 16 cuts about which law enforcement has insufficient information to charge anyone with vandalism or worse. A report last month quotes an FBI spokesperson saying there were 15 attacks against fiber optic cable since 2014. Based on the date, the number of cuts excludes the first event from April 2013, suggesting an additional four cuts have occurred since June 2015.

Where did these cuts occur? Were they located inside tonight’s no-fly zone? Will any disruption to communications services be noticed this evening, when so many users are flooding telecommunications infrastructure? Will residents and visitors alike even notice any unusual technicians at work if there is any disruption?

Keep your eyes peeled, football fans.

What Would It Take for the Government to Obtain Google’s Counter-Terror Ads Algos?

Some weeks ago, the government went to Silicon Valley to ask for new ways to counter ISIS’ propaganda. We’re now seeing the response to that request, with the report that Google will show positive ads when people search for extremist content.

In a new development, Google said it’s testing ways to counter extremist propaganda with positive messages on YouTube and in Google search results.

Google executive Anthony House told MPs that taking extremist videos down from YouTube isn’t enough, and people searching for that content should be presented with competing narratives:

We should get the bad stuff down, but it’s also extremely important that people are able to find good information, that when people are feeling isolated, that when they go online, they find a community of hope, not a community of harm.

There are two programs being tested by Google to make sure the positive messages are seen by people seeking out extremist content: one to make sure the “good” kind of videos are easily found on YouTube; and another to display positive messages when people search for extremist-related terms.

The second program involves giving grants to nonprofit organizations to use Google AdWords to display competing ads alongside the search results for those extremist-related terms.

If Google wants to do this, that’s fine.

But I’m wondering about the legal standard here. It’s unclear whether Google will only show these “positive” ads (whoever and however that gets defined) when people search for “extremist” content, or whether they’ll show Google ads to those whose email content reflects an interest in “extremist” material.

In both cases, however, Google will use material that counts as “content” to decide to show these ads.

And then what happens? That is, what happens to Google’s records determining that these users should get that content? Do the records, stripped of the content itself, count as a third party record that can be obtained with a subpoena? Or do they count as content?

Congress hasn’t passed legislation requiring tech companies to report their terrorist users. But does having Google use its algorithms to determine who is an extremist give the government a way to find out who Google thinks is an extremist?
