December 31, 2025 / by 


Shadow Brokers: “All your bases are belong to us”

Back when Shadow Brokers doxxed some NSA hackers, I argued some allusions Shadow Brokers made served as a kind of warning, in that case directed at people who hack for NSA. As I understand it, Shadow Brokers’ threats reflected access to specific and accurate information.

Though I haven’t confirmed any of these details, yesterday’s Shadow Brokers post seems to do more of the same, although this time directed at NSA itself.

Consider this passage:

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? “75% of U.S. cyber arsenal” TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup “all your bases are belong to us”. TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.

Shadow Brokers starts by saying it just dropped the EternalBlue dump, along with some other files, because “The ShadowBrokers is having many more where [those were] coming from.” Shadow Brokers then cites a detail first reported in a WaPo report (though presents the factoid as a direct quote when it is not): that Hal Martin stole 75% of the US cyberarsenal. The WaPo report actually stated that Martin had stolen “75 percent of TAO’s library of hacking tools.”

Shadow Brokers then made some assertions that may disprove a claim WaPo made yesterday: “It is not clear how the Shadow Brokers obtained the hacking tools, which are identical to those breached by former NSA contractor Harold T. Martin III, according to former officials.” It described exactly where, on the NSA servers, the files came from. “TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS.” Having suggested it had at least seen file paths or screen caps of the NSA’s file system, Shadow Brokers then made its point even clearer: “This is theshadowbrokers way of telling theequationgroup ‘all your bases are belong to us’,” both making fun of the claims about its broken language but also suggesting takeover (though I’m curious if the mis-citation using a plural here is intentional — perhaps these file systems are in different places? — or just one of the egregious typos in this post).

Again, I haven’t confirmed whether those details are accurate. Surely the NSA has double-checked. If they are accurate, then the other claims made in the post — specifically about the other things it has to dump — will especially merit attention.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

One more point. Shadow Brokers seems to suggest Oracle and another Microsoft patch were due to notice from former NSA hackers, as if all the former NSA employees are helping their employers clean up holes they’ve long known about.

Oracle is patching huge numbers of vulnerabilities but TheShadowBrokers is not caring enough to be look up exact dates.

[snip]

TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?

It’s not clear whether they’d be doing this because they knew of holes NSA had been using or not.

But it’s worth observing that Shadow Brokers is not making vague threats here.


The EternalBlue Source Might Have Been Able to “Fish DOD with Dynamite;” Why Didn’t It?

Let’s look at some dates the WaPo’s sources and Shadow Brokers are giving for the EternalBlue exploit that caused havoc around the world starting on Friday.

Yesterday, WaPo had a story on how concerned people within NSA were about the EternalBlue Windows exploit used in the WannaCry ransomware. It was so powerful, one source described, it was like “fishing with dynamite.”

In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.

“It was like fishing with dynamite,” said a second.

But that power came with risks. Among others, when the NSA started using the powerful tool more than five years ago, the military would have been exposed to its use.

Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions have updated software that was especially vulnerable.

Though Cyberscoop notes the US military hasn’t been entirely protected from WannaCry. An IP address associated with the Army Research Lab in Fort Huachuca was infected (though that could have been a deliberate attempt to respond to the ransomware).

WannaCry ransomware infected a machine tied to an IP address associated with the Army Research Laboratory, CyberScoop has learned. The information, found on a list of affected IP addresses provided by a security vendor, would mark the first time the ransomware was found on a federal government computer.

The security vendor, who provided the data on condition of anonymity to discuss sensitive material, observed communications from the victim IP address to the attackers’ known command and control server on May 12; confirming that the ransomware infection involving the ARL was in fact successful.

The IP address is tied to a server block parked at a host located at Fort Huachuca, Arizona. The type of machine the IP address is attached to is unknown.

In the early days of EternalBlue, the WaPo explains, it would often crash the infected computer, resulting in a bluescreen that might alert victims to its presence. That opened the possibility that the victim might discover the exploit and then turn it back on the US.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

The WaPo puts the date before which DOD was vulnerable to its own weapon at 2014.

What if the Shadow Brokers had dumped the exploits in 2014, before the government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

In yesterday’s post, Shadow Brokers claimed the Windows exploits released last month — which it had first named in January — came from a 2013 OpsDisk.

In January theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk.

I’ll have a bit more to say about Shadow Brokers’ claims yesterday. But if this description of the source of the exploit is correct — an ops disk dating to 2013 — it opens up the possibility it was discovered around the same time (perhaps in response to the bluescreen effect). If it was, then whoever discovered it would have been able to attack DOD with it.

I keep asking people what the source for Shadow Brokers’ files might have been able — might still be able — to steal from the US using the tools in question. This timeline seems to suggest the Ops Disk would have been deployed before DOD was prepared to withstand its own weapons.


Shadow Brokers Further Incites War between “scumbag Microsoft Lawyer” and NSA

The other day, Microsoft President and Chief Legal Officer Brad Smith wrote a blog post about the WannaCry ransomware exploiting his company’s products to disrupt the world. At one level it was one of the first entries in what will surely be an interesting policy discussion once there’s an aftermath to the crisis, calling for collective action and a Digital Geneva Convention.

But at another level, Smith’s post provided an opportunity to bitch out the CIA and NSA, the leaked and stolen exploits of which have really fucked with Microsoft in the last few months.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Joining the many people who object to the analogy between Tomahawks and hacking exploits, the entity that caused this crisis, Shadow Brokers, is none too impressed with Smith’s response, either. Along with suggesting NSA was paying Microsoft to sit on vulnerabilities and unleashing a load of expletives (you can click through for both of those), Shadow Brokers lays out the tensions between Microsoft, its enterprise contracts with the government, and the NSA’s reticence about the vulnerabilities in Microsoft products it is exploiting.

Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT.

[snip]

Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TtheEquationGroup is using and paying for holding patch.

Then Shadow Brokers brings the hammer: threatens to dump (among other offerings in an “exploit of the month club”) a Windows 10 vulnerability.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Heck, at this point, Shadow Brokers doesn’t even need to have this exploit (though I’m guessing the NSA and Microsoft both may be erring on the side of caution at this point). Because simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government.

It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.


Hot and Cold Running Sources and Methods Outrage

Let’s stipulate that Donald Trump is an incompetent president. Let’s stipulate that his fondness for the Russians exhibits at least naiveté about their intentions, if not out and out compromise. Let’s agree that when he fucks up, it is fair game to scream about it as a way to limit his power. Let’s acknowledge ruefully, again, that the man who got elected heckling “Lock her up!” continues to engage in far more egregious mistreatment of classified information than an email server.

But it’s worth looking at one paragraph in the WaPo story on how Donald Trump shared code word intelligence with the two Russian Sergeys, Foreign Minister Sergey Lavrov and the omnipresent Ambassador to the US Sergey Kislyak last week.

First, some background.

The whole point of the story, which is sourced to “current and former U.S. officials,” just one of whom is described as a former intelligence official (meaning the others could be members of Congress), is that Trump’s actions are particularly egregious because he revealed the city from which ISIS was allegedly plotting a laptop attack on US planes that has led US Homeland Security to consider ineffective bans on laptops in passenger areas of planes.

Trump went on to discuss aspects of the threat that the United States learned only through the espionage capabilities of a key partner. He did not reveal the specific intelligence-gathering method, but he described how the Islamic State was pursuing elements of a specific plot and how much harm such an attack could cause under varying circumstances. Most alarmingly, officials said, Trump revealed the city in the Islamic State’s territory where the U.S. intelligence partner detected the threat. [my emphasis]

Revealing the city, these US officials (who shared the information anonymously because of “the sensitivity of the subject”) explain, might help ID the US ally or capability involved in revealing this laptop threat.

The identification of the location was seen as particularly problematic, officials said, because Russia could use that detail to help identify the U.S. ally or intelligence capability involved. Officials said the capability could be useful for other purposes, possibly providing intelligence on Russia’s presence in Syria. Moscow would be keenly interested in identifying that source and perhaps disrupting it.

Hmmm. How many cities does ISIS still hold…?

The other problem with sharing this information is that it is not ours to share. This ally gets very frustrated when it discovers we shared information that it hasn’t permitted us to share.

At a more fundamental level, the information wasn’t the United States’ to provide to others. Under the rules of espionage, governments — and even individual agencies — are given significant control over whether and how the information they gather is disseminated, even after it has been shared. Violating that practice undercuts trust considered essential to sharing secrets.

[snip]

The officials declined to identify the ally but said it has previously voiced frustration with Washington’s inability to safeguard sensitive information related to Iraq and Syria.

“If that partner learned we’d given this to Russia without their knowledge or asking first, that is a blow to that relationship,” the U.S. official said.

So: bad to share because this ally gets to veto any sharing of this information, and “if that partner learned we’d given this to Russia without their knowledge or asking first, that is a blow to that relationship.” And especially bad to share the city (even though there can’t be many possibilities) because that would make it easier to figure out the underlying sources and methods.

This stuff is so sensitive, the WaPo explains, that if anyone else were to share it (with an adversary, they caveat), it’d be illegal.

For almost anyone in government, discussing such matters with an adversary would be illegal.

You with me so far? Sharing bad without okay of frustrated ally, sharing location especially bad, illegal if you’re not the President.

Okay. Now read this paragraph:

The Post is withholding most plot details, including the name of the city, at the urging of officials who warned that revealing them would jeopardize important intelligence capabilities.

So multiple people learned of this event, and went out and leaked it (which is illegal to do for most anyone besides the President, the WaPo helpfully notes), not just with the WaPo’s two reporters, but with reporters from Buzzfeed, NYT, WSJ, and more. They leaked it to reporters who they presumably knew would then report it, alerting the frustrated ally that Trump had shared the information, which is a blow to that relationship, and also alerting the frustrated ally that they then proceeded to go leak it more.

I’m confused: is that a blow to that relationship too, leaking the sharing so it can be revealed? Or did, say, the Saudis call up a bunch of members of Congress and former spooks and permit them to leak this to the press so Donald and his close relationship with the Russians can be undermined?

And these sources who are outraged that Trump shared the city where our frustrated ally that shouldn’t learn we’re leaking it without its permission learned of the plot? These sources shared plot details, including the name of the city, with journalists whose job it is to publish stuff like this, though the journalists didn’t share it with us or the Russians.

Now, I’ll grant you, WaPo’s reporters aren’t an adversary (depending on who you ask), though neither are they tasked with keeping a nation that has already lost a plane to ISIS safe. WaPo’s reporters aren’t fighting for power in Syria like Russia (and our frustrated ally), so they can’t personally use this information for advantage there.

So, yeah, it’s different. But these very outraged sources are still sharing the information that it is so outrageous to share.

Me? I’m hoping all this sharing and leaking about sharing will reveal what the underlying threat really is supposed to be. Because some of our frustrated allies have a habit of exaggerating threats so we implement stupid transportation policies and grow ever more reliant on their intelligence that they seem to keep sharing even though it seems to keep getting leaked.


Trump Should Get No FBI Director Pick

Yesterday, Mike Lee trolled Democrats by suggesting that Merrick Garland, who has a lifetime seat on the DC Circuit, should vacate that and lead the FBI. In a piece explaining how utterly moronic the many Democrats who took his bait are, Dave Weigel explains this is “Why Liberals Lose” — not just because they never press for advantage effectively, but because they so often fall prey when Republicans do.

We live in a golden age of political stupidity, but I’m not being hyperbolic when I say this: The idea of pulling Judge Merrick Garland off the D.C. Circuit federal appeals court and into the FBI is one of the silliest ideas I’ve seen anyone in Washington fall for. It’s like Wile E. Coyote putting down a nest made of dynamite and writing “NOT A TRAP” on a whiteboard next to it. It’s also an incredibly telling chapter in the book that’s been written since the Republican National Convention — the story of how Republicans who are uncomfortable with the Trump presidency gritting their teeth as they use it to lock in control of the courts.

You should definitely read all of Weigel’s piece, which is spot on.

But there are other aspects that the success of Lee’s ploy explains about Why Liberals Lose. First and foremost, it shows how mindlessly Democrats adopt the playing field that Republicans deal them.

I mean, even as Democrats have been pushing for months to use the Russian scandal to impeach Trump, and even at the moment where that actually seems feasible (down the road), most Democrats simply accepted the necessity of replacing Jim Comey and have shifted instead to fighting the worst names being floated, people like Trey Gowdy (an initial trial balloon) and Alice Fisher and Michael Garcia, who’re reportedly being formally considered.

Why are Democrats even accepting that Trump should get to replace Comey?

According to CNBC’s count from mid-April, Trump had filled just 24 of the 554 Senate confirmed positions in government.

Sure, Trump has filled a handful more in the interim month, but Trump is otherwise not in a rush to staff the government. Yet he has immediately turned to replacing Comey.

There is nothing more illegitimate than for Trump to be able to give someone a ten year term as FBI Director because he fired Jim Comey.

Trump is no longer hiding the fact that he fired Comey to try to undercut the Russian investigation. And the timeline is clear: the dinner to which Trump called Comey to twice demand his loyalty took place on January 27.

As they ate, the president and Mr. Comey made small talk about the election and the crowd sizes at Mr. Trump’s rallies. The president then turned the conversation to whether Mr. Comey would pledge his loyalty to him.

Mr. Comey declined to make that pledge. Instead, Mr. Comey has recounted to others, he told Mr. Trump that he would always be honest with him, but that he was not “reliable” in the conventional political sense.

[snip]

By Mr. Comey’s account, his answer to Mr. Trump’s initial question apparently did not satisfy the president, the associates said. Later in the dinner, Mr. Trump again said to Mr. Comey that he needed his loyalty.

Mr. Comey again replied that he would give him “honesty” and did not pledge his loyalty, according to the account of the conversation.

That means it took place the same day of Sally Yates’ second conversation with Don McGahn about FBI’s investigation into Mike Flynn (and by association, I always point out, Jared Kushner).

It was always a pipe dream for Democrats to think they could stave off Neil Gorsuch’s confirmation, in part because you really do need a full panel at SCOTUS.

But for the moment, the FBI will continue to run the same way the rest of government is running: with the acting officials who’re filling in until Trump gets around to filling the spot. Moreover, Andrew McCabe, the Acting FBI Director, is a Comey loyalist who will ensure his initiatives will continue for whatever portion of Comey’s remaining 6 years he gets to serve.

This is important not just for the Russian investigation — it’s important to the future of our democracy. Alice Fisher, for example, would be an even more insanely pro-corporate FBI Director than Comey (former Board Member of HSBC, remember) or Mueller.

Democrats should be out there, loudly and in unison, decrying how inappropriate it would be for Trump to get to replace Comey when everyone watching knows the firing was one of the most corrupt things a President has done in a century.

Instead, they’re falling prey to Mike Lee’s obvious ploys.


I Rarely Say I Told You So, Section 704 I Told You So Edition

Since 2014, I have been trying to alert anyone who would listen about Section 704.

That’s a part of FISA Title VII — the part of FISA that will be reauthorized this year. When Congress passed the FISA Amendments Act in 2008, they promised they’d protect US persons overseas by requiring an order to surveil them. Almost always, the section that accomplished that was referred to as Section 703, which is basically PRISM for Americans overseas.

Except I discovered when I (briefly) worked at the Intercept that NSA never uses 703. Ever. Which meant that what they use to surveil Americans overseas is the somewhat looser Section 704 (or, for Americans against whom there is a traditional domestic FISA order, 705b). Except no one — and I mean literally no one, not in the NGO community nor on the Hill — understood how Section 704 was used.

Exactly a year ago, I laid all this out in a post and suggested that, as part of the Section 702 reauthorization this year, Congress should finally figure out how 704 works and whether there are any particular concerns about it.

It turns out, four months before I wrote that, NSA’s Inspector General had finalized a report showing that in the seven and a half years since Section 704 was purportedly protecting Americans overseas, it wasn’t. The report is heavily redacted, but what isn’t redacted showed that the NSA had never set up a means to identify all 704/705b queries, and so couldn’t reliably oversee whether analysts were following the rules. The report showed that Signals Intelligence Compliance and Oversight only started helping DOJ and ODNI do their compliance reviews of 704/705b in October 2014, by providing the queries they could identify to the reviewers. But not all queries can be audited, because not all the feeds in question can be sent to NSA’s auditing and logging system.

The review itself — conducted from March to August of 2015 on data from the first quarter of that year — showed a not insignificant amount of querying non-compliance.

The 704 compliance problems are a part of the problem with NSA’s decision to shut down upstream surveillance (because 704 collection authorization is one of the things that automatically gets a US person approved for upstream searches). Though, in her most biting comment in an otherwise pathetic opinion, Chief FISC judge Rosemary Collyer noted that the failure to tell her about this when 702 certificates were submitted in September or in an October 4 hearing showed a lack of candor.

At the October 26, 2016 hearing, the Court ascribed the government’s failure to disclose those IG and OCO reviews at the October 4, 2016 hearing to an institutional “lack of candor” on NSA’s part and emphasized that “this is a very serious Fourth Amendment issue.”

A review that post-dated the IG Report revealed the problem was even bigger than that. In the compliance section of the report, Collyer noted that 85% of the 704/705b queries conducted using one particular tool (which was rolled out in 2012) were non-compliant.

NSA examined all queries using identifiers for “U.S. persons targeted pursuant to Sections 704 and 705(b) of FISA using the tool [redacted] in [redacted] . . . from November 1, 2015 to May 1, 2016.” Id. at 2-3 (footnote omitted). Based on that examination, “NSA estimates that approximately eighty-five percent of those queries, representing [redacted] queries conducted by approximately [redacted] targeted offices, were not compliant with the applicable minimization procedures.” Id. at 3. Many of these non-compliant queries involved use of the same identifiers over different date ranges. Id. Even so, a non-compliance rate of 85% raises substantial questions about the propriety of using of [redacted] to query FISA data. While the government reports that it is unable to provide a reliable estimate of the number of non-compliant queries since 2012, id., there is no apparent reason to believe the November 2015-April 2016 period coincided with an unusually high error rate.

And NSA was unable to chase down the reporting based off this non-compliant querying.

The government reports that NSA “is unable to identify any reporting or other disseminations that may have been based on information returned by [these] non-compliant queries” because “NSA’s disseminations are sourced to specific objects,” not to the queries that may have presented those objects to the analyst. Id. at 6. Moreover, [redacted] query results are generally retained for just [redacted].

All of which is to say that the authority that the government has been pointing to for years to show how great Title VII is is really a dumpster fire of compliance problems.

And still, we know very little about how this authority is used.

The number of Americans affected is not huge — roughly 80 people approved under 704 plus anyone approved for a domestic FISA order who goes overseas (though that would almost certainly include Carter Page). Still, if this is supposed to be the big protection Americans overseas receive, it hasn’t been providing much protection.


The Last USA: Dana Boente Is the Best Short Term Solution

In the wake of the Comey firing, particularly given the way Deputy Attorney General Rod Rosenstein let himself serve as a pawn, many people have renewed their call for “a special prosecutor.” In the short term, however, I believe Dana Boente — that is, the status quo — is a better solution.

As a reminder, Dana Boente is the US Attorney for the Eastern District of VA. With Rosenstein’s confirmation as DAG, Boente is the last remaining confirmed US Attorney in the United States. Boente’s office is overseeing at least two parts of the Russian investigation: the generalized investigation into Wikileaks, and the investigation into Trump’s campaign. The latter investigation recently issued subpoenas to Mike Flynn associates. There are reportedly parts of the investigation in three other places: some work being done in Main Justice, as well as a team investigating Guccifer 2.0/Shadow Brokers in San Francisco, and a team investigating the Russian hackers in Pittsburgh.

But the bulk of what people think of as “the Russian investigation” — the investigation into Trump’s cronies — is happening in EDVA, overseen by The Last USA.

In addition to reporting up to Rosenstein as DAG and Rosenstein as Acting AG for the Russian investigation, Boente just took over as Acting Assistant Attorney General for National Security Division — the office that reviews things like FISA orders. That means Boente — for better and worse — has more authority, on several levels, than a “Special Counsel” would have.

First, note I use the term “Special Counsel,” not “Special Prosecutor.” Ken Starr was a Special Prosecutor, but in the wake of his fiasco and given persistent questions about the constitutionality of having someone who was totally independent from the structure of DOJ prosecuting people, Congress got rid of the provision supporting Special Prosecutors.

So if Rod Rosenstein wanted to appoint someone “independent” to oversee the Russian investigation, he’d have to use the Special Counsel provision.

While I think it is permissible to hire someone from outside of DOJ to do that job (so it is possible he could call up corporate lawyer Pat Fitzgerald for his third ride on the Special Counsel merry-go-round to, in dramatic fashion, save the investigation undercut by the firing of his good friend Jim Comey), in practice the recent Special Counsel appointments (the UndieBomb 2.0 leak investigation, the StuxNet leak investigation, the John Kiriakou prosecution, the Torture investigation, and the Plame investigation) have all been DOJ prosecutors, either US Attorneys (in all but one case) or an Assistant US Attorney, in the case of John Durham’s whitewash of torture. Plus, while Fitz is still well-loved at DOJ and FBI as far as I know, if Rosenstein appointed him, I bet Trump would fire him within minutes because he’s sure as hell not going to be “loyal.” And because of Fitz’ past gunning hard for Cheney and Bush, many Republicans might not put up much of a stink there.

If Rosenstein were to adhere to the practice of naming existing DOJ prosecutors, though, it’d mean he’d be choosing between Boente, The Last USA, or an AUSA (perhaps one of the ones who recently reported to him in MD). In both cases, the Special Counsel would report to Rosenstein for AG approvals (as Pat Fitz reported to Jim Comey for the Plame case).

You can see quickly why Boente is the preferable option. First, there’s no reason to believe he isn’t pursuing the investigation (both investigations, into Wikileaks and Trump’s associates) with real vigor. He is a hard ass prosecutor and if that’s what you want that’s what you’d get. His grand jury pool is likely to be full of people with national security backgrounds or at least a predisposition to be hawks.

But — for better and worse — Boente actually has more power than a Special Counsel would have (and more power than Fitz had for the Plame investigation), because he is also in charge of NSD, doing things like approving FISA orders on suspected Russian agents. I think there are problems with that, particularly in the case of a possible Wikileaks prosecution. But if you want concentrated power, Boente is a better option than any AUSA. With the added benefit that he’s The Last USA, which commands some real respect.

Sure. If next week Trump calls Boente to dinner and demands his loyalty on threat of firing, this may change. But the same logic that people are using with a Special Counsel (that if Trump fired that person, maybe then Republicans in Congress would want something more independent) holds for Boente. Firing The Last USA ought to be as incendiary as firing an AUSA, assuming anything will be.


FBI Rewrote the Backdoor Search Query Requirement

In her opinion approving the April 26 certifications (which may be one of the most unimpressive FISC opinions I’ve read), Rosemary Collyer borrowed heavily from the 2015 authorization in finding this year’s constitutional. As such she refers to Thomas Hogan’s imposition of a reporting requirement for any back door searches “in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.”

She then describes the one incident reported this year: basically an Agent seeing an email of someone referring to violence toward children. The Agent searched on the person who allegedly committed the violence and the names of the children, only to find the same email again. The Agent reported the suspected child abuse to the local child protective services.

But, she reveals, no one reported this until DOJ’s National Security Division asked about such reporting during their review.

The Court notes, however, that the FBI did not identify those queries as responsive to the Court’s reporting requirement until NSD asked whether any such queries had been made in the course of gathering information about the Section I.F dissemination. Notice at 2. The Court is carrying forward this reporting requirement and expects the government to take further steps to ensure compliance with it.

There are several reasons this is troublesome.

First, the incident would have gone unreported unless someone felt obliged to be honest when asked specifically about it (ODNI/DOJ don’t do reviews in all field offices, so not everyone will get asked).

Moreover, the incident got reported not because it was “receive[d] and review[ed],” but because it was disseminated. So there may be a great deal of back door searches that get received and reviewed but, because they don’t constitute evidence of a crime, aren’t disseminated, with the consequent paper trail.

Finally, this means certain kinds of criminal searches won’t be reported: those where FBI gets a criminal tip, then looks on their 702 data, only to find something they might use to coerce informants. Information used to coerce informants would suddenly become foreign intelligence information, so no longer subject to the reporting requirement.

To meet the actual requirement from FISC — rather than the one they’re willing to comply with — FBI needs to dramatically restructure its compliance with this reporting requirement, to measure when a search is done for criminal purposes, and then — as soon as an agent conducts that review — give notice to the FISC.

Of course, that would require precisely the kind of tracking the FBI has refused to do. Their arbitrary rewriting of this requirement demonstrates why.

Update: In the application for certifications submitted on September 26, 2016, DOJ said this about its back door searches:

In a letter filed on December 4, 2015, the government noted that there is no automated way for the FBI to track whether a query is run solely for a foreign intelligence purpose, to extract evidence of a crime, or both. However, the December 4, 2015 letter detailed the processes the FBI put in place to attempt to identify those queries that are run in FBI systems containing raw 702-acquired information after December 4, 2015, that are designed to extract evidence of a crime. In addition, the December 4, 2015 letter explained that FBI had issued guidance to its personnel about this reporting requirement and the process to enable FBI to centrally track such scenarios and report any such queries to NSD that would fall under the reporting requirement described above. Additionally, NSD conducts minimization reviews in multiple FBI field offices each year. As part of these minimization reviews, NSD and FBI National Security Law Branch have emphasized the above requirements and processes during field office training. Further, during the minimization reviews, NSD audits a sample of queries performed by FBI personnel in the databases storing raw FISA-acquired information, including raw section 702-acquired information. Since December 2015, NSD has reviewed these queries to determine if any such queries were conducted solely for the purpose of retaining evidence of a crime. If such a query was conducted, NSD would seek additional information from the relevant FBI personnel as to whether FBI personnel received and reviewed section 702-acquired information of or concerning a U.S. person in response to such a query. Since the above processes were put in place in December 2015, FBI and NSD have not identified any instance in which FBI personnel have received and reviewed section 702-acquired information of or concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.

There are several key details here.

First, DOJ reported no queries on September 26, which means the query must have happened after that (though it’s not clear whether Collyer’s opinion would reflect the most recent reporting).

It’s also clear DOJ will only find these in spot checks. As DOJ makes clear here (and as was misrepresented at a recent hearing), NSD and ODNI don’t actually visit every FBI office (though I’m sure they hit SDNY, EDNY, DC, EDVA, MD, and NDCA routinely, which are the biggest national security offices). That means there’s not going to be a chance to find many possible queries.

There’s also some fuzzy language here. I’m particularly intrigued by this double usage of “FBI personnel,” as if someone from outside of FBI does review this, perhaps on an analytical contract.

If such a query was conducted, NSD would seek additional information from the relevant FBI personnel as to whether FBI personnel received and reviewed section 702-acquired information of or concerning a U.S. person in response to such a query.

Or perhaps FBI calls up NSA and asks them to access the same content?

Finally, it’s clear the definition FBI is using, with respect to “foreign intelligence, crime, or both,” permits generalized queries (in part to see if there’s intelligence to use to coerce someone to be an informant) that could serve either purpose. Such an approach cannot measure how much more often someone more likely to talk with a 702 target — like Muslims or Chinese-Americans — gets pursued for crimes after a longer assessment decides against using the person as an informant.

Which is another way of saying that this metric is not measuring what Judge Hogan wanted it to measure.


NSA Should Have Addressed Its Upstream Problem in 2013

I Con the Record has released a slew of documents pertaining to last year’s problem with upstream searches, including the opinion ultimately approving new certifications. I’m doing a working thread and suspect I will have concerns about FISC oversight that I haven’t had on past such reviews.

But for now, I’m aghast at this paragraph and accompanying footnote, describing how NSA’s office of compliance and IG were trying to get a grasp on the problems.

In anticipation of the January 31 deadline, the government updated the Court on these querying issues in the January 3, 2017 Notice. That Notice indicated that the IG’s follow-on study (covering the first quarter of 2016) was still ongoing. A separate OCO review, limited in many of the same ways as the IG studies, and covering the periods of April through December 2015 and April through July of 2016, found that some [redacted] improper queries were conducted by [redacted] analysts during those periods.21 The January 3, 2017 Notice stated that “human error was the primary factor” in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required analysts to “opt-out” of querying Section 702 upstream Internet data rather than requiring an affirmative “opt-in,” which, in the Court’s view, would have been more conducive to compliance. See January 3, 2017 Notice at 5-6. It also appeared that NSA had not yet fully assessed the scope of the problem: the IG and OCO reviews “did not include systems through which queries are conducted of upstream data but that do not interface with NSA’s query audit system.” Id. at 3 n.6. Although NSD and ODNI undertook to work with NSA to identify other tools and systems in which NSA analysts were able to query upstream data, id., and the government proposed training and technical measures, it was clear to the Court that the issue was not yet fully scoped out.

21 NSA further reported that OCO reviewed queries involving a number of identifiers for known U.S. persons who were not targets under Sections 704 or 705(b) of the Act, and which were associated with “certain terrorism-related events that had occurred in the United States.” January 3, 2017 Notice at 6. NSA OCO found [redacted] such queries, [redacted] of which improperly ran against Section 702 upstream Internet data. [redacted] of the improper queries were run in a system called [redacted] which NSA analysts use to of a current or prospective target of NSA collection, including under Section 702. Id. at 6-7. [my emphasis]

This passage seems to reveal several things: that NSA was querying upstream content before identifying whether something could be used as a target (which I suspect means it involved a triage process). It reveals that not all queries are being audited!!!!

And it also reveals that one reason NSA analysts were collecting upstream data is because over three years after DOJ and ODNI had figured out analysts were breaking the rules because they forgot to exclude upstream from their search, they were still doing so. Overseers noted this back in 2013!

NSA [redacted] incidents of non-compliance with this subsection of its minimization procedures, many of which involved analysts inadvertently searching upstream collection. For example, [redacted], the NSA analyst conducted approved querying with United States persons identifiers ([long redaction]), but inadvertently forgot to exclude Section 702-acquired upstream data from his query.

This problem should have been fixed in the first full period when they were doing upstream searches. But for some reason … NSA never did.
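As an added illustration (not code from this post, the FISC opinions, or any FBI or NSA system), here is how the two design points raised in this section and the FBI section above could be enforced rather than left to memory and spot checks: every query declares its purpose and lands in one central log, so the Hogan reporting trigger fires at query time, and upstream data is opt-in rather than opt-out, so the forgotten-exclusion error cannot run. Dataset names, purpose labels and sample values are all constructed.

```python
"""Query gate illustrating purpose-tagged central auditing and opt-in routing.
Constructed example; dataset and purpose labels are not real system names."""
from dataclasses import dataclass
from typing import List, Sequence

# Constructed labels; the real system names are redacted in the opinion.
DATASETS = {"pr_tt", "702_downstream", "702_upstream"}
OPT_IN_ONLY = {"702_upstream"}  # excluded by default, never by an analyst opting out
PURPOSES = {"foreign_intel", "evidence_of_crime", "both"}


@dataclass
class AuditRecord:
    analyst: str
    terms: List[str]
    purpose: str
    datasets: List[str]
    us_person: bool
    reportable: bool  # meets the FISC reporting trigger at query time
    denied: bool      # refused by the gate rather than executed


AUDIT_LOG: List[AuditRecord] = []  # one central log, whatever tool issued the query


def run_query(analyst: str, terms: Sequence[str], purpose: str,
              us_person: bool, opt_in: Sequence[str] = ()) -> AuditRecord:
    """Route a query to datasets and log it. Purpose is declared up front, so
    'criminal or foreign intelligence' is recorded when the search is run,
    not reconstructed later from whether the result was disseminated."""
    if purpose not in PURPOSES:
        raise ValueError(f"purpose must be one of {sorted(PURPOSES)}")
    if not set(opt_in) <= DATASETS:
        raise ValueError(f"unknown dataset(s): {sorted(set(opt_in) - DATASETS)}")
    # Fail-safe default: opt-in-only datasets are hit only when named explicitly.
    datasets = sorted((DATASETS - OPT_IN_ONLY) | (set(opt_in) & OPT_IN_ONLY))
    # The rule analysts kept forgetting: U.S.-person identifiers may not run
    # against upstream data. The gate refuses instead of relying on memory.
    denied = us_person and bool(set(datasets) & OPT_IN_ONLY)
    # Hogan's trigger: a U.S.-person query not designed to find foreign intelligence.
    reportable = us_person and purpose != "foreign_intel"
    rec = AuditRecord(analyst, list(terms), purpose, datasets, us_person, reportable, denied)
    AUDIT_LOG.append(rec)
    return rec


def reportable_queries() -> List[AuditRecord]:
    """What should reach NSD/FISC without waiting for a field-office spot check."""
    return [r for r in AUDIT_LOG if r.reportable and not r.denied]


def denied_upstream_attempts() -> List[AuditRecord]:
    """Would-be upstream violations, visible to oversight even though nothing ran."""
    return [r for r in AUDIT_LOG if r.denied]
```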

Update: This language seems to say that this problem existed for the entire time they were conducting upstream in the 2011 fashion.

In May and June 2016, NSA reported to oversight personnel in the ODNI and DOJ that, since approximately 2012, use of to query communications in had resulted in inadvertent violations of the above-described querying rules for Section 702 information. Id. The violations resulted from analysts not recognizing the need to avoid querying datasets for which querying requirements were not satisfied or not understanding how to formulate queries to exclude such datasets. Id. at 1-2.


Macron’s False Documents

In this post, I laid out claims based on Emmanuel Macron’s campaign manager’s claims about having included fakes in the email targeted by hackers. Yesterday, the NYT had a story that explains (and in some small ways, possibly conflicts with) the earlier report on this. In it, Macron’s head of tech Mounir Mahjoubi explained that the campaign had done far more than provide false metadata; they had created entire false accounts with false documents.

“We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” Mr. Mahjoubi said. “I don’t think we prevented them. We just slowed them down,” he said. “Even if it made them lose one minute, we’re happy,” he said.

Mr. Mahjoubi refused to reveal the nature of the false documents that were created, or to say whether, in the Friday document dump that was the result of the hacking campaign, there were false documents created by the Macron campaign.

But he did note that in the mishmash that constituted the Friday dump, there were some authentic documents, some phony documents of the hackers’ own manufacture, some stolen documents from various companies, and some false emails created by the campaign.

“During all their attacks we put in phony documents. And that forced them to waste time,” he said. “By the quantity of the documents we put in,” he added, “and documents that might interest them.”

Mahjoubi has said there were five authentic accounts hacked, which might help to put a scope on the fakes (though he has seemed to say different things about what got faked before, and he had claimed that the Russians had definitively not succeeded, which must now be regarded as affirmative — and understandable — disinformation).

Remarkably, creating a great many fake documents sounds like a lot of work, but the NYT also notes Mahjoubi’s department was only 18 people.

With only 18 people in the digital team, many of them occupied in producing campaign materials like videos, Mr. Mahjoubi hardly had the resources to track down the hackers. “We didn’t have time to try to catch them,” he said.

Which, particularly given earlier reports that France’s security services had contacted the Macron campaign, may suggest that DGSE (possibly with the help of NSA, which was providing intelligence in real time) put together the fake documents.

If true, that may suggest the most important part of any fake documents is one Mahjoubi didn’t mention. If I were loading up hackers with a bunch of fake documents, I’d include beacons, to provide a way to track both the hackers and the process by which the hackers distributed documents.

If Macron (or DGSE or some other intelligence agency) did this, I suspect we’ll find real answers to the topics covered in the rest of the story, which claim certain things were fakes due to Russian sloppiness, but given Mahjoubi’s justifiable unwillingness to say what was fake and not may yet prove. As I noted here, I have yet to see convincing evidence that Russian metadata in the documents was accidental, and given the Guccifer precedent, we should in no way assume it is.

In other words, if Macron is tracking these documents, we may find out a lot more shortly (though the French are also better at keeping secrets than American spooks have been of late).

As to the question of my underlying post — whether Macron had fooled Wikileaks, as distinct from a bunch of right wing propagandists who’ve never been remotely bound by facts — the verdict is still out. Given Wikileaks’ ostentatious show of vetting the documents, if Macron can prove fakes that Wikileaks has not itself proven, it will discredit Wikileaks’ ability to claim the ability to vet (and probably give Wikileaks pause in the future).

Still, particularly given the way Wikileaks succeeded in debunking fakes boosted by Democratically aligned sources in October by releasing real versions the day after the fakes, it’s worth noting that deliberate fakes have been released twice, and neither time have they had the full effect they might have had to discredit Wikileaks (in this case, in that Wikileaks never did “publish” as opposed to “link to” the documents). That in and of itself is worth notice. If Macron was more successful (and especially if we come to learn Macron seeded the fake documents with some kind of trackers) this operation may still serve as a deterrent in the future, which would be the best effect possible.

But Macron’s confirmation they faked content may also undercut claims of attribution to Russians.

Copyright © 2025 emptywheel. All rights reserved.
Originally Posted @ https://emptywheel.net/author/emptywheel/page/416/