January 9, 2026

Even (Especially?) the FBI Is Susceptible to Fake News

The WaPo has an utterly dispiriting story providing more detail on a document first revealed in this big NYT story on Jim Comey. Here’s how the NYT described it:

During Russia’s hacking campaign against the United States, intelligence agencies could peer, at times, into Russian networks and see what had been taken. Early last year, F.B.I. agents received a batch of hacked documents, and one caught their attention.

The document, which has been described as both a memo and an email, was written by a Democratic operative who expressed confidence that Ms. Lynch would keep the Clinton investigation from going too far, according to several former officials familiar with the document.

Read one way, it was standard Washington political chatter. Read another way, it suggested that a political operative might have insight into Ms. Lynch’s thinking.

[snip]

The document complicated that calculation, according to officials. If Ms. Lynch announced that the case was closed, and Russia leaked the document, Mr. Comey believed it would raise doubts about the independence of the investigation.

But as the WaPo reveals, the document was not an email, but rather a Russian document purportedly reporting on an email. And while in August the FBI deemed the document a hoax, it took five months — covering the all-important July announcement ending the Hillary investigation — to get to that point.

The document, obtained by the FBI, was a piece of purported analysis by Russian intelligence, the people said. It referred to an email supposedly written by the then-chair of the Democratic National Committee, Rep. Debbie Wasserman Schultz (D-Fla.), and sent to Leonard Benardo, an official with the Open Society Foundations, an organization founded by billionaire George Soros and dedicated to promoting democracy.

The Russian document did not contain a copy of the email, but it described some of the contents of the purported message.

[snip]

Comey had little choice, these people have said, because he feared that if Lynch announced no charges against Clinton, and then the secret document leaked, the legitimacy of the entire case would be questioned.

From the moment the bureau received the document from a source in early March 2016, its veracity was the subject of an internal debate at the FBI. Several people familiar with the matter said the bureau’s doubts about the document hardened in August when officials became more certain that there was nothing to substantiate the claims in the Russian document. FBI officials knew the bureau never had the underlying email with the explosive allegation, if it ever existed.

Yet senior officials at the bureau continued to rely on the document as part of their justification for how they handled the case before and after the election.

As the WaPo lays out, the FBI hadn’t even asked Loretta Lynch, much less the other participants in the alleged emails, about them before Comey used the document to justify his July statement on the investigation into Hillary’s emails. They simply relied on it, in spite of the way a document invoking Debbie Wasserman Schultz and George Soros screams of the worst kind of fevered misinformation that circulated last year. Or, at a minimum, they acted based on the assumption that they couldn’t combat evidently fake news were it to leak.

We talk a lot about dumb ordinary voters who can’t sort through PizzaGate and Seth Rich conspiracies on their own.

But even the FBI, with all the investigative tools you can imagine, was unable to sort through fake news. And that had a role in one of the most significant events in last year’s election.


WannaCry Attribution: Missing the Sarcasm Tag

Parts of the security community have decided that Lazarus, a hacking group associated with North Korea, is behind WannaCry, including the global ransomware attack from a few weeks back. That’s based on significant reuse of code from earlier Lazarus activities.

But to explain certain aspects of the attack — notably, why Lazarus would become incompetent at ransomware after having been perfectly competent at it in the past — proponents of this theory are adopting some curious theories. For example, this — in Symantec’s report on the code reuse — doesn’t make any sense at all.

The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

It’s effectively the equivalent of saying, “using just three bitcoin wallets doesn’t make sense [it doesn’t, if your goal is actual ransomware], so we’ll just claim that’s further proof that there must be few people involved.” In interviews, Symantec’s technical director has explained away other inconsistencies in this story (hackers working for a brutal dictator with a penchant for executing those who cross him) by suggesting they were moonlighting when they blew up Lazarus’ ransomware by misdeploying it with EternalBlue.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

Krypt3ia has a post making fun of the nonsense theories out there.

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 108 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

Note the last bullet is a reference to another post he did, where he showed another piece of code in WannaCry was taken from folks working to reverse engineer Eternal Blue for Metasploit. That piece of borrowed code doesn’t permit you to blame the Evil Hermit Kingdom, though, so no one is talking about it.

Perhaps the oddest piece of evidence presented to support the claim that North Korea did WannaCry comes from CNBC.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

CNBC must be referring to this passage from Shadow Brokers’ latest screed.

In May, No dumps, theshadowbrokers is eating popcorn and watching “Your Fired” and WannaCry. Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country? The oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices! (Sarcasm) No new ZeroDays.

As part of a narrative of how reasonable it was to release all these files after they’d been patched (all the while threatening far more damaging leaks), Shadow Brokers comments on WannaCry. Importantly, it lays out one detail — the kill switches — that doesn’t make sense if the goal was true ransomware, as well as another detail — “caring about target country”? — that I don’t understand. (Russia was hit badly in the attack, the US very lightly, and there were reports that Arabic-speaking countries weren’t hard hit, which I find interesting since Arabic is the one Microsoft-supported language for which a ransom note was not included.)

But the part that CNBC has read to mean Shadow Brokers endorsed this theory instead does nothing of the sort; if anything, it does the opposite. I read it as a comment about how quickly we go from dodgy attribution to calling for war. And it comes with a sarcasm tag!

Moreover, why would you take Shadow Brokers’ endorsement for anything? Either they did WannaCry (which actually seems to be what CNBC suggests; Krypt3ia makes fun of that possibility, too), in which case any endorsement might be disinformation, or they didn’t do it, and they’d have no more clue who did than the rest of us.

The entire exercise in attribution with WannaCry is particularly odd given the assumption that it is what it looks like, traditional ransomware, in spite of all the evidence to suggest it is not. And so we’ll just ignore obvious tags, like a “sarcasm” tag, because accounting for such details gets very confusing.


John Brennan Denies a Special Harry Reid Briefing

This passage from John Brennan’s testimony about Russia to the House Intelligence Committee yesterday has gotten a lot of attention:

Through the so-called Gang of Eight process, we kept Congress apprised of these issues as we identified them. Again, in consultation with the White House, I personally briefed the full details of our understanding of Russian attempts to interfere with the election to Congressional leadership, specifically Senators Harry Reid, Mitch McConnell, Dianne Feinstein, and Richard Burr, and to Representatives Paul Ryan, Nancy Pelosi, Devin Nunes, and Adam Schiff between 11 August and 6 September. I provided the same briefing to each of the Gang of Eight members. Given the highly sensitive nature of what was an active counterintelligence case involving an ongoing Russian effort to interfere in our presidential election, the full details of what we knew at the time were shared only with those members of Congress, each of whom was accompanied by one senior staff member. The substance of those briefings was entirely consistent with the main judgments contained in the January classified and unclassified assessments, namely that Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton and harm her electability and potential presidency and to help President Trump’s election chances.

The passage has been used to question why GOP leaders, most especially Mitch McConnell, didn’t react more strongly, particularly given public reports that he wouldn’t sign onto a more aggressive statement about Russian efforts.

As I noted in this post, the record thus far reflects a difference in emphasis (on protecting the election systems rather than on Russian attempts to hurt Clinton).

But I want to look more closely at what Brennan actually said.

His description of the briefings seems to be a denial of what I laid out in this post — the NYT report that he gave Harry Reid a special briefing (one which may have been based on the Christopher Steele dossier) that was more alarming than others.

CIA DIRECTORS SHOULD NOT MEET WITH JUST ONE GANG OF EIGHT MEMBER

The second detail I find most interesting in this story is that John Brennan privately briefed Harry Reid about his concerns about the Russians.

John O. Brennan, the C.I.A. director, was so concerned about the Russian threat that he gave an unusual private briefing in the late summer to Harry Reid, then the Senate Democratic leader.

Top congressional officials had already received briefings on Russia’s meddling, but the one for Mr. Reid appears to have gone further. In a public letter to Mr. Comey several weeks later, Mr. Reid said that “it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government — a foreign interest openly hostile to the United States.”

While I’m generally sympathetic to Democrats’ complaints that DOJ should have either remained silent about both investigations or revealed both of them, it was stupid for Brennan to give this private briefing (and I hope he gets grilled about it by HPSCI when he testifies in a few weeks). In addition to the things Reid said publicly about the investigation, it’s fairly clear he and his staffers were also behind some of the key leaks here (and, as CNN reported yesterday, leaks about the investigation actually led targets of it to alter their behavior). For reasons beyond what appears in this story, I think it likely Reid served as a cut-out for Brennan.

And that’s simply not appropriate. There may well have been reasons to avoid briefing Richard Burr (who was advising Trump). But spooks should not be sharing information with just one party. CIA did so during its torture cover-up in ways that are particularly troubling and I find this — while not as bad — equally problematic.

When Brennan said he “provided the same briefing to each of the Gang of Eight members,” he might be seen as denying that the briefing to Reid was anything unusual.

Except this NYT article describes Reid’s as taking place in “late summer” and describes top officials as already having received briefings. Another NYT article describes the special briefing for Reid as having taken place on August 25.

In an Aug. 25 briefing for Harry Reid, then the top Democrat in the Senate, Mr. Brennan indicated that Russia’s hackings appeared aimed at helping Mr. Trump win the November election, according to two former officials with knowledge of the briefing.

The officials said Mr. Brennan also indicated that unnamed advisers to Mr. Trump might be working with the Russians to interfere in the election. The F.B.I. and two congressional committees are now investigating that claim, focusing on possible communications and financial dealings between Russian affiliates and a handful of former advisers to Mr. Trump. So far, no proof of collusion has emerged publicly.

Mr. Trump has rejected any suggestion of a Russian connection as “ridiculous” and “fake news.” The White House has also sought to redirect the focus from the investigation and toward what Mr. Trump has said, with no evidence, was President Barack Obama’s wiretapping of phones in Trump Tower during the presidential campaign.

The C.I.A. and the F.B.I. declined to comment for this article, as did Mr. Brennan and senior lawmakers who were part of the summer briefings.

In the August briefing for Mr. Reid, the two former officials said, Mr. Brennan indicated that the C.I.A., focused on foreign intelligence, was limited in its legal ability to investigate possible connections to Mr. Trump. The officials said Mr. Brennan told Mr. Reid that the F.B.I., in charge of domestic intelligence, would have to lead the way.

As described by the NYT, the Reid briefing went beyond what Brennan says he briefed all the Gang of Eight members on, especially with regard to Trump advisors working with Russia. It’s possible Brennan briefed Reid twice.

Much later in the hearing, Trey Gowdy asked Brennan about the Steele dossier. Some of Brennan’s responses — especially his claim not to know who commissioned the Steele dossier; watch him play with his pen — were not all that believable. Brennan went on to say that the CIA didn’t rely on the dossier, but his denial pertained to the IC report on the hack.

It wasn’t part of the corpus of intelligence, uh, information that we had. It was not in any way used as a basis for the intelligence community assessment that was done, uh, it was not.

Note the funny mouth gesture which used to be Brennan’s main “tell.”

Gowdy being Gowdy was not smart enough to ask whether the dossier was ever used in a briefing to members of Congress.

As I have noted, the IC denials pertaining to the dossier are, um, unconvincing (one two three). That’s all the more true given that Steele has admitted to sharing copies of his dossier with his former employer, who would naturally share with Brennan (elsewhere in the hearing Brennan refused to address what our foreign partners had shared with us).

In any case, it seems to me the question is not so much whether McConnell blew off the seriousness of the Brennan warning, but, still, whether Reid received another briefing — perhaps outside that date scope — that included information McConnell didn’t get.


The Right to Bear Drones

The Trump Administration has a plan to infringe on Americans’ right to bear drones.

It has submitted language carving out an exception in surveillance and hacking laws such that it can track and destroy drones. The idea is a government agent (military or civilian) will be able to track and destroy any drone over a covered facility or operation, with no legal recourse for the owner of the drone.

Covered facilities are basically any stationary structure an agency wants to designate. The legislative language describes the following as covered operations:

(A) any operation that is conducted in the United States by a member of the Armed Forces or a Federal officer, employee, agent, or contractor, that is important to public safety, law enforcement, or national or homeland security, and is designated by the head of a department or agency, consistent with the Federal Government-wide policy issued pursuant to subsection (d); and

(B) may include, but is not limited to, search and rescue operations; medical evacuations; wildland firefighting; patrol and detection monitoring of the United States border; a National Security Special Event or Special Event Assessment Ratings event; a fugitive apprehension operation or law enforcement investigation; a prisoner detention, correctional, or related operation; securing an authorized vessel, whether moored or underway; authorized protection of a person; transportation of special nuclear materials; or a security, emergency response, or military training, testing, or operation.

At one level, I’m sympathetic to the need. There have definitely been cases where drones have disrupted the work of firefighters and drones flying over sporting events (which might be classified as a National Security Special Event) certainly could pose a terrorist threat. And while I’m not aware of any public descriptions of drones being used to spy on military facilities or training, its inclusion here suggests it has happened (which also might explain the seeming urgency). Also, given the emphasis in the language on detecting drones, it’s clear that there are drones going unnoticed that are surveilling facilities and operations.

Still, there are a whole bunch of activities in this list that also rightly deserve oversight, at least from the press. And this language would give the Federal government the ability to blow any press drone out of the air with impunity.

So while I recognize the need to limit drone overflights of certain kinds of activities, this also seems like the completely wrong way to go about infringing on citizens’ right to bear drones. At the very least, the language should include some kind of requirement for notice and appeal, such that the government can’t just arbitrarily decide that it should be immune from the surveillance (literally, “over-sight”) of citizens.


Did Pompeo Also Get an Obstruction Call from Trump?

The WaPo reports that Trump called both Admiral Mike Rogers and Dan Coats to ask if they could issue statements denying any collusion between Trump’s campaign and Russia.

Trump made separate appeals to the director of national intelligence, Daniel Coats, and to Adm. Michael S. Rogers, the director of the National Security Agency, urging them to publicly deny the existence of any evidence of collusion during the 2016 election.

Coats and Rogers refused to comply with the requests, which they both deemed to be inappropriate, according to two current and two former officials, who spoke on the condition of anonymity to discuss private communications with the president.

If Trump was calling spooks, he presumably would have called all spooks, including CIA Director Mike Pompeo (with whom he is probably closer than the other two). So why aren’t we hearing about that call? Is Pompeo just better at keeping secrets than his counterparts? Or is he hiding it because he didn’t object as strongly as his counterparts?


Were Shitty SAIC Systems the Cause of the CIA’s China Disaster?

The NYT has a story about how China started rolling up CIA’s spy network in 2010, the cause of which (the story says) still has not been solved. One possible cause is that a Chinese-American exposed America’s spies to the Chinese. But the government was never able to establish enough proof that he was the Chinese mole to arrest him, not even when they lured him back to the US to try to bust him.

The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.

[snip]

As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.

After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.

Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.

The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.

A second possibility is that bad tradecraft allowed China to discover America’s spies.

Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.

Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.

A third possibility — which the NYT doesn’t examine at length and which it ties to the poor tradecraft — is that China hacked the CIA’s method of communicating with assets.

Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources.

[snip]

Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets.

[snip]

This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said.

I lay these three possibilities out because the timing of the moment the exposure became critical — 2010 and 2011 — and the allusions to a hacked covert communication channel sound a lot like what CIA whistleblower John Reidy complained about seeing his employer, SAIC, oversee starting in 2005. While his complaint is heavily redacted, it sounded like he accused SAIC of providing inadequate security for a system serving the intersection of human assets and electronic reporting.

[H]is heavily redacted appeal at least appears to suggest his complaint was very serious and should have been a timely way to limit the compromise of CIA assets and officers.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem. [my emphasis]

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries, a guess that is reinforced by his stated desire to bring a “qui tam lawsuit brought against CIA contractors for providing products whose maintenance and design are inherently flawed and yet they are still charging the government for the products.”

The task force described in Reidy’s complaint coincides with the “Honey Badger” investigation described in the NYT, and the scale of the losses — 70% of operations compromised — sounds the same too. Reidy complained that those working on the task force didn’t learn how long he had been calling attention to the problem. And as he was appealing his complaint, he was being spied on by the intelligence community.

Of course, Reidy’s complaints were especially easy to silence because he was a contractor that the intelligence contractor community basically blacklisted.

I’m checking with the NYT reporters to see if this sounds like their story. But either the CIA had two catastrophic intelligence failures at the same time in 2010, or this sounds like the Chinese compromise.

In which case the fourth possibility to explain the compromise is that shitty intelligence contractors created the problem and then covered it up.


The Kushner-Comey Connection

The WaPo is reporting that the FBI probe into ties between Russia and Trump’s campaign is looking at a person still in the White House, in addition to Mike Flynn and Paul Manafort.

The law enforcement investigation into possible coordination between Russia and the Trump campaign has identified a current White House official as a significant person of interest, showing that the probe is reaching into the highest levels of government, according to people familiar with the matter.

Further down in the article, WaPo names some people that might be this other person of interest — but just one of them is actually in the White House.

Current administration officials who have acknowledged contacts with Russian officials include President Trump’s son-in-law, Jared Kushner, as well as Attorney General Jeff Sessions and Secretary of State Rex Tillerson.

Still further down, the WaPo covers what first got me believing Jared Kushner is the ultimate target of this probe: his meeting with Sergey Gorkov, the FSB-trained head of the sanctioned Russian bank, Vnesheconombank.

The White House also has acknowledged that Kushner met with Kislyak, the Russian ambassador to the United States, in late November. Kushner also has acknowledged that he met with the head of a Russian development bank, Vnesheconombank, which has been under U.S. sanctions since July 2014. The president’s son-in-law initially omitted contacts with foreign leaders from a national security questionnaire, though his lawyer has said publicly he submitted the form prematurely and informed the FBI soon after that he would provide an update.

Vnesheconombank handles development for the state, and in early 2015, a man purporting to be one of its New York-based employees was arrested and accused of being an unregistered spy.

That man — Evgeny Buryakov — ultimately pleaded guilty and was eventually deported. He had been in contact with former Trump adviser Carter Page, though Page has said he shared only “basic immaterial information and publicly available research documents” with the Russian. Page was the subject of a secret warrant last year issued by the Foreign Intelligence Surveillance Court, based on suspicions he might have been acting as an agent of the Russian government, according to people familiar with the matter. Page has denied any wrongdoing, and accused the government of violating his civil rights.

As I’ve noted since, there was a lot of smoke coming from Kushner’s direction: first, SSCI’s explicit interest in interviewing Kushner and then two competing stories about a Trump request for CIA’s Sergey Kislyak dossier that only make sense if the audience were Kushner, not Flynn.

But there are a few more dots (in addition to people claiming to have confirmed this point) that support the idea that Kushner is the ultimate target here, and that Trump, in his clumsy attempts to protect Mike Flynn by firing Jim Comey, is actually attempting to protect the father of his grandchildren.

Back on March 2, Jim Comey’s then still secret Twitter account favorited this NYT article disclosing that Mike Flynn had a previously undisclosed face-to-face meeting with Sergey Kislyak at Trump Tower. (h/t TC)

Michael T. Flynn, then Donald J. Trump’s incoming national security adviser, had a previously undisclosed meeting with the Russian ambassador in December to “establish a line of communication” between the new administration and the Russian government, the White House said on Thursday.

Jared Kushner, Mr. Trump’s son-in-law and now a senior adviser, also participated in the meeting at Trump Tower with Mr. Flynn and Sergey I. Kislyak, the Russian ambassador. But among Mr. Trump’s inner circle, it is Mr. Flynn who appears to have been the main interlocutor with the Russian envoy — the two were in contact during the campaign and the transition, Mr. Kislyak and current and former American officials have said.

[snip]

“They generally discussed the relationship and it made sense to establish a line of communication,” Ms. Hicks said. “Jared has had meetings with many other foreign countries and representatives — as many as two dozen other foreign countries’ leaders and representatives.”

The story was presented as White House confirmation of earlier New Yorker reporting that Kushner had the meeting, with the White House newly disclosing Flynn’s presence at it. But we now know that the representation that Kushner’s meeting with Kislyak was just one of a slew of meetings with foreign leaders wasn’t quite right. He had sent an aide to a subsequent meeting with Kislyak, and, coming out of that meeting, he himself met with Gorkov, in effect meeting with someone personally lobbying to get rid of Ukraine-related sanctions.

Later that month, though, Mr. Kislyak requested a second meeting, which Mr. Kushner asked a deputy to attend in his stead, officials said. At Mr. Kislyak’s request, Mr. Kushner later met with Sergey N. Gorkov, the chief of Vnesheconombank, which the United States placed on its sanctions list after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine.

Of course, while we only learned that fact later, when Comey favorited that story on March 2, he would have known the full details of the follow-up communications. In other words, he would recognize that story as yet another case of the White House hiding Russian communications. He would also likely already know that Kushner had not included that meeting on his security clearance form.

We only learned that story on March 27, when the NYT revealed the Senate Intelligence Committee wanted to interview Kushner about the meeting. As I noted at the time, the discussion between Gorkov and Kushner, coming before Flynn’s December 29 discussions with Kislyak, would dramatically change the connotation of Flynn’s discussions of sanctions. Because, while the immediate context of the December 29 discussions would have been the new hacking related sanctions imposed on December 28, with the prior meeting with Gorkov, they would likely also include the Ukrainian ones. That was the payoff discussed in any quid pro quo related to the election: Putin would help elect Trump, and in exchange Trump would end economic sanctions.

Of course, to make the argument that Flynn was offering to give Russia the payoff for the election-related help, you’d have to get Flynn to cooperate. If you got Flynn to cooperate, he’d be able to tell the FBI whether or not those December 29 conversations pertained just to the hacking sanctions or also to the Ukrainian ones.

The FBI has a great many things they can and will use to get Flynn to cooperate, including his undisclosed foreign payments and his lies to the FBI in his January 24 interview.

[Large section based off erroneous reading of Wittes’ post removed.]

When Trump fired Comey, he claimed that Comey had thrice told him “he” wasn’t under investigation. Even assuming Comey did, consider how Trump would understand that and how normal people would. To us, “he” would include just Trump. But to someone like Trump whose only real loyalty is to family, “he” would include his family. Including Kushner.

Trump may well think Flynn is a nice man who deserves his loyalty. More likely, though, Trump knows that Flynn could sink his son-in-law. I believe that’s why Trump had to fire Comey in an effort to undercut the Flynn investigation.

And Rod Rosenstein, the survivor, just picked a partner from the firm of Kushner and Ivanka’s lawyer Jamie Gorelick, Robert Mueller, to take over the investigation into Flynn.

Update: Sure enough, Reuters is reporting that Mueller, by design, may not be able to investigate Kushner or Paul Manafort.

Within hours of Mueller’s appointment on Wednesday, the White House began reviewing the Code of Federal Regulations, which restricts newly hired government lawyers from investigating their prior law firm’s clients for one year after their hiring, the sources said.

An executive order signed by Trump in January extended that period to two years.

Mueller’s former law firm, WilmerHale, represents Trump’s son-in-law Jared Kushner, who met with a Russian bank executive in December, and the president’s former campaign manager Paul Manafort, who is a subject of a federal investigation.

Legal experts said the ethics rule can be waived by the Justice Department, which appointed Mueller. He did not represent Kushner or Manafort directly at his former law firm.

If the department did not grant a waiver, Mueller would be barred from investigating Kushner or Manafort, and this could greatly diminish the scope of the probe, experts said.


Does Vice President Pence Believe He Has Declassification Authority?

It is, as I understand it, fairly customary for each new presidential administration to rewrite the Executive Order on classification. George W. Bush didn’t do so right away — he finalized his classification EO on March 23, 2003. Obama moved a bit more quickly, superseding the Bush EO with his own classification EO on December 29, 2009.

But even among the flood of Executive Orders that Trump has signed thus far in his term, I don’t believe he has modified the Obama one.

That means a change made in 2003, which was retained in the Obama EO, remains in place: the inclusion of the Vice President among those who are, and who can name, Original Classification Authorities (here’s Bill Clinton’s EO for comparison). Here’s the language that gave Dick Cheney classification authorities:

Classification Authority. (a) The authority to classify information originally may be exercised only by:

    (1) the President and, in the performance of executive duties, the Vice President;

And here’s how Obama slightly tweaked that language to retain that authority for Joe Biden:

(a) The authority to classify information originally may be exercised only by:

(1) the President and the Vice President;

Now, Cheney got this authority at an interesting time. That was a key time for Torture cover-up; in fact, sometime in that period, someone in the White House ordered George Tenet to make torture a Special Access Program. He was already pushing back against the CIA whistleblowers who knew the intelligence behind Iraq was crap, an effort that would lead to Scooter Libby sharing Valerie Plame’s identity with Judy Miller on Cheney’s orders (it remains unclear whether Cheney had Bush’s permission to leak this). Yet for some reason, the new classification rules appear most closely connected with Stellar Wind (I believe this had to do with a change in whom Stellar Wind could target).

In any case, from that moment forward, the Vice President has had the authority to classify things. As you can imagine, given Cheney’s role in the Plame outing, there was a heated and still publicly unresolved debate over whether the Vice President also got declassification authorities, including over things that the President or Presidential authority had classified.

I raise this issue because more and more people have started raising questions about whether Mike Pence is sabotaging Donald Trump, especially as leaks like this come out of the White House.

President Trump told Russian officials in the Oval Office this month that firing the F.B.I. director, James B. Comey, had relieved “great pressure” on him, according to a document summarizing the meeting.

“I just fired the head of the F.B.I. He was crazy, a real nut job,” Mr. Trump said, according to the document, which was read to The New York Times by an American official. “I faced great pressure because of Russia. That’s taken off.”

Mr. Trump added, “I’m not under investigation.”

The conversation, during a May 10 meeting — the day after he fired Mr. Comey — reinforces the notion that Mr. Trump dismissed him primarily because of the bureau’s investigation into possible collusion between his campaign and Russian operatives. Mr. Trump said as much in one televised interview, but the White House has offered changing justifications for the firing.

The White House document that contained Mr. Trump’s comments was based on notes taken from inside the Oval Office and has been circulated as the official account of the meeting. One official read quotations to The Times, and a second official confirmed the broad outlines of the discussion.

If Pence believes — perhaps based on knowledge personally imparted by Cheney allies — that he has the ability to declassify anything that the President can, then he can leak details of White House events with utter impunity. Having him insta-declassify things would be a fairly safe way to feed the never-ending stream of embarrassing information coming out of the White House.

Oh, sure. He’d have an utterly venal motive to do so. By feeding the Trump Russian scandal, Pence would make it increasingly likely he’d become President without having to expose his regressive views to the review of voters. But there’s nothing Trump could do about it so long as an EO granting Pence the same authorities that Cheney abused to great effect remains on the books.


Why Did Tom Bossert Claim WannaCry Was Spread Via Phishing?

Writing this post made me look more closely at what Trump’s Homeland Security Czar Tom Bossert said in a briefing on WannaCry on Monday, May 15.

He claimed, having just gotten off the phone with his British counterpart and in spite of evidence to the contrary, that there had been minimal disruption to care in Britain’s DHS.

The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care.

[snip]

And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes.  And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching.

Of course, this may be an issue in the upcoming election, so I can see why Theresa May’s government might want to downplay any impact on patient care, especially since the Tories have long been ignoring IT problems at DHS.

He dodged a follow-up question about whether there might be more tools in the Shadow Brokers haul that would lead to similar attacks in the future, by pointing to our Vulnerabilities Equities Process.

Q    I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future?

MR. BOSSERT:  I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of.  That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability.  I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry.

Obviously, the VEP did not prevent this attack. More importantly, someone in government really needs to start answering what the NSA and CIA (and FBI, if it ever happens) do when their hacking tools get stolen, an issue which Bossert totally ignored.

But I’m most interested in something Bossert said during the original exchange on NSA’s role in all this.

Q    So this is one episode of malware or ransomware.  Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there?

MR. BOSSERT:  So there’s a little bit of a double question there.  Part of that has to do with the underlying vulnerability exploit here used.  I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.  This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. [my emphasis]

Three days into the WannaCry attack, having spent the weekend consulting with DHS and NSA, Bossert asserted that WannaCry was spread via phishing.

That is a claim that was reported in the press. But even by Monday, I was seeing security researchers persistently question the claim. Over and over they kept looking and failing to find any infections via phishing. And I had already seen several demonstrations showing it didn’t spread via phishing.

Now, Bossert is one of the grown-ups in the Trump Administration. His appointment — and the cybersecurity policy continuity with Obama’s policy — was regarded with relief when it was made, as laid out in this Wired profile.

“People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.

“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”

And (as the rest of the profile makes clear) he does know cybersecurity.

So I’m wondering why Bossert was stating that this attack spread by phishing at a time when open source investigation had already largely undermined that hasty claim.

There are at least three possibilities. Perhaps Bossert simply misstated here, accidentally blaming the vector we’ve grown used to blaming. Possibly (though this would be shocking) the best SIGINT agency in the world still hadn’t figured out what a bunch of people on Twitter already had.

Or, perhaps there were some phished infections, which were quickly swamped as the infection spread via SMB. Though that’s unlikely, because the certainty that it didn’t spread via email has only grown since Monday.

So assuming Bossert was, in fact, incorrect when he made this claim, why did he have this faulty information?


The Legitimacy Problem with NSA’s Silence on WannaCry

Over at Matt Suiche’s website, he chronicles the discovery of a way to work around WannaCry’s ransomware. First a guy named Adrien Guinet figured out how to find the prime numbers that had been used to compute the key locking a computer’s files. Then a guy named Benjamin Delpy recreated the effort and tested it against versions up to Windows 7. This is not a cure-all, but it may be a way to restore files encrypted by the attackers.
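To show why finding the primes is enough, here is an added, toy-scale Python illustration (not code from the post, nor from Guinet’s or Delpy’s tools): it scans a constructed stand-in for process memory for a value that divides the public modulus, rebuilds the RSA private exponent from that prime, and unwraps a file key. The 92-bit modulus built from two well-known primes, the 8-byte prime field and the fake dump are all constructed assumptions; it also shows the failure mode when the primes are no longer in memory.

```python
# Added, toy-scale illustration (not the post's or the researchers' code) of why
# finding the RSA primes left in process memory is enough to rebuild the private
# key that unwraps a per-file key. Constructed assumptions: a 92-bit modulus
# built from two well-known primes, a fixed 8-byte field per prime, fake memory.
from math import gcd

P = (1 << 31) - 1            # 2147483647, a known prime (constructed toy key)
Q = (1 << 61) - 1            # 2305843009213693951, a known prime
N = P * Q                    # public modulus: the victim still has this
E = 65537
FIELD = 8                    # bytes per prime field in the fake dump (assumption)


def build_fake_dump(p: int, q: int, width: int) -> bytes:
    """Constructed stand-in for process memory: junk, a prime, junk, a prime, junk."""
    junk = bytes(range(37, 251))
    return (junk + p.to_bytes(width, "little") + junk[::-1]
            + q.to_bytes(width, "little") + junk)


def scan_memory_for_prime(dump: bytes, n: int, width: int):
    """Slide a width-byte window over the dump and return the first value that
    is a non-trivial divisor of n. Since n = p*q, only p or q can match."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """One prime gives the other (q = n // p), hence phi(n) and d = e^-1 mod phi."""
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e not invertible mod phi; not a valid RSA key")
    return pow(e, -1, phi)


def wrap_file_key(file_key: int, e: int, n: int) -> int:
    """Textbook RSA wrapping of a symmetric file key (toy; no padding)."""
    return pow(file_key, e, n)


def recover_file_key(dump: bytes, n: int, e: int, wrapped: int):
    """Full recovery path; returns None when the primes are no longer in memory
    (e.g. after a reboot), which is why the technique is not a cure-all."""
    p = scan_memory_for_prime(dump, n, FIELD)
    if p is None:
        return None
    d = rebuild_private_exponent(n, e, p)
    return pow(wrapped, d, n)


if __name__ == "__main__":
    file_key = int.from_bytes(b"toyfilekey", "big")   # 80-bit toy key, < N
    wrapped = wrap_file_key(file_key, E, N)
    live = build_fake_dump(P, Q, FIELD)
    print("recovered from live memory:", recover_file_key(live, N, E, wrapped) == file_key)
    cold = bytes(range(256)) * 4                      # memory with the primes gone
    print("after the primes are gone:", recover_file_key(cold, N, E, wrapped))
```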

This of course comes after Suiche and, before him, MalwareTech set up sinkholes to divert the malware attack. Other security researchers have released tools to prevent the encryption of files after infection.

And all the while, NSA — which made the exploit that made this worm so damaging, EternalBlue — has remained utterly silent. At this point, Lauri Love, who faces 99 years of prison time for alleged hacking in the US, has done more in public to respond to this global ransomware attack than the NSA has.

The most public comment from NSA has come in the form of this WaPo article, which describes “current and former” officials defending the use of EternalBlue and sort of confirming that NSA told Microsoft of the vulnerability. It also revealed the White House called an emergency cabinet meeting to deal with the attack. The Department of Homeland Security released a pretty useless statement last Friday. On Monday, Homeland Security Czar Tom Bossert answered questions at the press briefing (sometimes inaccurately, I think), emphasizing that the US is not responsible for the attack.

I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.

That’s it. That’s what we’ve seen of our government’s response to a malware attack that it had a role in creating.

(For what it’s worth, people in the UK have said their cybersecurity organization, the National Cyber Security Centre, has been very helpful.)

Don’t get me wrong. I’m sure folks at NSA have been working frantically to understand and undercut this attack. Surely they’ve been coordinating with the private sector, including Microsoft and more visible victims like FedEx. NSA intervention may even explain why there have been fewer infections in the US than in Europe. There may even be some cooperation between the security people who’ve offered public solutions and the NSA. But if those things have happened, it remains totally secret.

And I understand why NSA would want to remain silent. After all, companies and countries are going to want some accountability for this, and while the hackers deserve the primary blame, NSA’s own practices have already come in for criticism in Europe.

Plus, I’m sure whatever NSA is doing to counter this attack is even more interesting — and therefore more important to keep secret from the attackers — than the really awesome sinkholes and prime number workarounds the security researchers have come up with. It’s worth noting that the attackers and aspiring copy-catters are undoubtedly watching the public discussions in the security community to figure out how to improve the attack (though the WannaCry attackers didn’t seem to want or be able to use the information on sinkholes to their advantage, as the release that fixed that problem is corrupted).

But, in my opinion, NSA’s silence creates a legitimacy problem. This is the premier SIGINT agency in the world, tasked to keep the US (and more directly, DOD networks) safe from such attacks. And it has remained silent while a bunch of researchers and consultants collaborating together have appeared to be the primary defense against the weaponization of an NSA tool.

If 22-year-olds fueled by pizza are the best line of defense against global attacks, then it suggests (I’m not endorsing this view, mind you) that we don’t need the NSA.

Update: On Twitter, Jake Williams asked whether NSA would have had a better response if the defensive Information Assurance Directorate hadn’t been disbanded last year by Mike Rogers. I hadn’t thought of that, but it’s a good question.

Copyright © 2026 emptywheel. All rights reserved.
Originally Posted @ https://emptywheel.net/author/emptywheel/page/416/