With much fanfare today, DOJ indicted four men for pawning Yahoo from 2014 to 2016. The indictment names two FSB officers, Dmitry Dokuchaev (who was charged by Russia with treason in December) and Igor Sushchin (who worked undercover at a Russian financial company), and two other hackers, Alexsey Belan (who has been indicted in the US twice and was named in December’s DNC hack sanctions) and Karim Baratov (who, because he lives in Canada, was arrested and presumably will be extradited).

Among the charged crimes, they accused Belan of using his access to the Yahoo network to game search results for erectile dysfunction drugs, for which he got commission from the recipient of the redirected traffic.

BELAN leveraged his access to Yahoo’s network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

But almost the entirety of the rest of the indictment — forty-seven charges worth — consist of stuff the FBI and NSA do both lawfully in this country and under EO 12333 in other countries (almost certainly including Russia).

Collect metadata and then collect content over time

Consider the details the indictment provides about how these Russians obtained information from Yahoo and other email services, including Google.

First, they collected a whole bunch of metadata.

[T]he conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion.

The US did this in bulk under the PRTT Internet dragnet program from 2004 to 2011, and now conducts similar metadata collection overseas (as well as — in more targeted fashion — under PRISM). Mind you, the Russians got far more types of metadata than the US did under the PRTT program.

account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”

But this likely gives you an understanding of the kinds of things the US does collect overseas, as well as via the PRISM program.

The Russians then either accessed the accounts directly or created fake cookies to access accounts (note, the US also gets cookies lawfully from at least some Internet providers; I suspect they also do so under the new USA Freedom collection).

The indictment provides this comment about how many Yahoo user accounts the Russians accessed by minting cookies over the almost three years they were in Yahoo’s networks (January 2014 to December 1, 2016; this may not represent the entirety of the Yahoo content they accessed).

The conspirators utilized cookie minting to access the contents of more than 6,500 Yahoo user accounts.

Compare that to US requests from Yahoo in just 2015. Yahoo turned over content on at least 40,000 accounts under FISA (first half, second half) and content in response to 2,356 US law enforcement requests during a period when government requests averaged 1.8 account per request (so roughly 4,240 accounts).

Once they accessed the accounts, they maintained access to them, as the government does under PRISM.

The conspirators used their access to the AMT to (among other unauthorized actions) maintain persistent unauthorized access to some of the compromised accounts.

The Russians used both the metadata and content stolen from Yahoo to obtain access to other accounts, both in the US and in Russia.

the conspirators used the stolen Yahoo data to compromise related user accounts at Yahoo, Google, and other webmail providers, including the Russian Webmail Provider

Again, this is a key function of metadata requests by the US — to put together a mosaic of all the online accounts of a given target, so they can access all the accounts that may be of interest.

Like PRISM (but reportedly unlike the scan of all Yahoo emails FBI had done in 2015), the Russians were not able to search all of Yahoo’s email for content. Instead they searched metadata to find content of interest.

The AMT did not permit text searches of underlying data. It permitted the conspirators to access information about particular Yahoo user accounts. However, by combining their control of the stolen UDE copy and access to the AMT, the conspirators could, for example, search the UDE contents to identify Yahoo user accounts for which the user had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., “[email protected]”)­ showing that the user was likely an employee of the company of interest-and then use information from the AMT to gain unauthorized access to the identified accounts using the means described in paragraph 26.

And, as we’ll see below, the Russians “hunted SysAdmins,” as we know NSA does, to get further access to whatever networks they managed.

In other words, aside from the Viagra ads and credit card theft, the Russians were doing stuff that America’s own spies do all the time, using many of the same methods.

Let me be clear: I’m not saying this means America is just as evil as Russia. Indeed, as the list of targets suggests, a lot of this collection serves for internal spying purposes, something the US primarily does under the guise of Insider Threat analysis. Rather, I’m simply observing that except for some of the alleged actions of Belan, this indictment is an indictment for spying, not typical hacking.

The US didn’t indict anyone in China when it hacked Google in 2013. Nor did China indict the US when details of America’s far greater sabotage of Huawei networks emerged under the Snowden leaks. But the US chose to indict not just Belan, but also three people engaged in nation-state spying. Why?

Redefine economic espionage

I find all this particularly interesting given that the government included four charges — counts 2 and 4 through 6 — related to economic espionage for stealing the following:

a. Yahoo’s UDB and the data therein, including user data such as the names of Yahoo users, identified recovery email accounts and password challenge answers, and Yahoo-created and controlled data regarding its users’ accounts;

b. Yahoo’s AMT, its method and manner of functioning and capabilities, and the data it contained and provided; and

c. Yahoo’s cookie minting source code.

The US always justifies its global spying by claiming that it does not engage in industrial espionage, based on the flimsy explanation that it doesn’t share any information with allegedly private companies (including government contractors like Lockheed) they can use to compete unfairly.

But here we are, treating nation-state information collection — the kinds of actions our own hackers do all the time — as economic espionage. The only distinction here is that Belan also used his Yahoo access for personal profit. And yet Sushchin and Dokuchaev are also named in those counts.

Which raises the question of why DOJ decided to indict this as they did, especially since it risks an escalation of spying-related indictments. If I were Russia (maybe even China) I’d draw up indictments of American spies who’ve accessed Vkontakte or Yandex and accuse them of economic espionage.

I’ve got several suggestions:

• To leverage Baratov to learn more about the other three indictees (and FSB Officer 3, who is also mentioned prominently in the indictment)
• To expose Russia’s targets
• To expose FSB’s internal spying

Leverage Baratov to learn more about the other three indictees (and FSB Officer 3)

The US is almost certainly never going to get custody of Sushchin, Dokuchaev, or Belan, who are all in Russia safe from any extradition requests. That’s not true of Baratov, who was arrested and whose beloved Aston Martin and Mercedes Benz will be seized. These charges are larded on in such a way as to incent cooperation from Baratov.

Which means the government probably hopes to use the indictment to learn more about the other three indictees.

Remember: Belan was named in the sanctions on the DNC hack. So it may be that DOJ wants more information about those he works with, possibly up to and including on the DNC hack.

Expose Russia’s targets

Then there are the very long descriptions of the kind of people the accused collected on. The indictment highlights these three examples.

For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;

b. an officer of the Russian Ministry of Internal Affairs;

c. a physical training expert working in the Ministry of Sports of a Russian republic;

Then provides this list of people hacked at Yahoo:

• a diplomat from a country bordering Russia who was posted in a European country
• the former Minister of Economic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”)
• a Russian journalist and investigative reporter who worked for Kommersant Daily
• a public affairs consultant and researcher who analyzed Russia’s bid for World Trade Organization membership
• three different officers of U.S. Cloud Computing Company 1
• an account of a Russian Deputy Consul General
• a senior officer at a Russian webmail and internet-related services provider

And this list of people targeted by Belan (who may or may not have been related to his own efforts rather than FSB’s):

• 14 employees of a Swiss bitcoin wallet and banking firm
• a sales manager at a major U.S. financial company
• a Nevada gaming official
• a senior officer of a major U.S. airline
• a Shanghai-based managing director of a U.S. private equity firm
• the Chief Technology Officer of a French transportation company
• multiple Yahoo users affiliated with the Russian Financial Firm

And this list of people Baratov hacked at Gmail and other ISPs:

• an assistant to the Deputy Chairman of the Russian Federation
• a managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
• an officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
• a physical training expert working in the Ministry of Sports of a Russian republic;
• a Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation
• the CEO of a metals industry holding company in a country bordering Russia
• a prominent banker and university trustee in a country bordering Russia
• a managing director of a finance and banking company in a country bordering Russia
• a senior official in a country bordering Russia

For those who weren’t alerted by Yahoo or Google they’d been hacked, these descriptions provide enough detail (as well as partial email addresses for some targets) to figure it out from the indictment.

Expose FSB’s internal spying

As these descriptions make clear, some of these targets are potentially well-connected people in Russia: a Russian Deputy Consul General, someone from Department K, the office of the Deputy Chairman of the Russian Federation, the Chairman of a Russian Federation Council committee (who also happens to be a businessman). Perhaps those people were targeted for sound political reasons — perhaps counterintelligence or corruption, for example. Or perhaps FSB was just trying to gain leverage in the political games of Russia.

Remember: One of the guys — Dokuchaev — is already being prosecuted in Russia for treason. These details might give Russia more details to go after him.

Sushchin is a special example. As the indictment explains, he was working undercover at some Russian financial firm, but it’s unclear whether his firm knew he was FSB or not.

SUSHCHIN was embedded as a purported employee and Head of Information Security at the Russian Financial Firm, where he monitored the communications of Russian Financial Firm employees, although it is unknown to the grand jury whether the Russian Financial Firm knew of his FSB affiliation.

But it’s clear that Sushchin’s role here was largely to conduct some very focused spying on the firm that he worked for.

In one instance, in or around April 2015, SUSHCHIN ordered DOKUCHAEV to target a number ofindividuals, including a senior board member ofthe Russian Financial Firm, his wife, and his secretary; and a senior officer ofthe Russian Financial Firm (“Corporate Officer l “).

[snip]

[I]n or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

Maybe that operation was known by his employers; maybe it wasn’t. Certainly, his cover has now been blown.

All of which is to say that — splashy as this indictment is — the unstated reasons behind it are probably far more interesting than the actual charges listed in it.

Around the same time Donald Trump was dodging all responsibility for the catastrophically botched Yemen raid, he was planning to give his generals more authority to launch such raids on their own, without his approval.

President Donald Trump has signaled that he wants his defense secretary, retired Marine Gen. Jim Mattis, to have a freer hand to launch time-sensitive missions quickly, ending what U.S. officials say could be a long approval process under President Barack Obama that critics claimed stalled some missions by hours or days.

[snip]

Despite the controversy, Trump has signaled that he wants to operate more like the CEO he was in the private sector in such matters, and delegate even more power to Mattis, which may mean rewriting one of President Barack Obama’s classified Presidential Policy Directives on potentially lethal operations in countries where the U.S. is not officially involved in combat.

Meanwhile, Trump is also moving drone-killing back to the CIA after a protracted effort by the Obama Administration to put them exclusively on DOD’s hands.

President Donald Trump has given the Central Intelligence Agency secret new authority to conduct drone strikes against suspected terrorists, U.S. officials said, changing the Obama administration’s policy of limiting the spy agency’s paramilitary role and reopening a turf war between the agency and the Pentagon.

The new authority, which hadn’t been previously disclosed, represents a significant departure from a cooperative approach that had become standard practice by the end of former President Barack Obama’s tenure: The CIA used drones and other intelligence resources to locate suspected terrorists and then the military conducted the actual strike. The U.S. drone strike that killed Taliban leader Mullah Mansour in May 2016 in Pakistan was the best example of that hybrid approach, U.S. officials said.

The Obama administration put the military in charge of pulling the trigger to promote transparency and accountability. The CIA, which operates under covert authorities, wasn’t required to disclose the number of suspected terrorists or civilian bystanders it killed in drone strikes. The Pentagon, however, must publicly report most airstrikes.

These may be unrelated developments (though, as referenced by DB, they both would have been governed under Barack Obama’s drone killing rulebook, because it actually applied to all targeted killing, whether conducted by drone or raid).

But they portent a potentially horrible development: diminished involvement of the President in the granular details of Findings that approve covert operations.

Findings are the presidential documents meant to outline a covert operation and give notice to Congress’ Intelligence Committees that they’re happening. They’re supposed to be updated as programs change. While there’s a lot to complain about the secrecy of them, they at least serve as a way to make a political figure — the President — responsible for whatever goes on in covert operations.

If Trump delegates more authority for targeted killing while at the same time moving more of it back into CIA’s hands, that likely means more covert targeted killings will happen without the kind of close involvement that occurred for much (though not all) of Obama’s Administration.

There are two problems with that. First, it makes it more likely the CIA will discount political consequences of individual operations — not because the CIA is not politically savvy (in areas like this they’re more savvy than the Reality Show president), but because they will be able to deny any screw-ups.

It also makes it more likely the White House and CIA will end up in mutual recriminations the next time there’s a really unpopular strike, with CIA officers bearing the brunt of Trump’s abdication of the role he’s supposed to play in covert operations.

There’s recent precedent for such a problem: the torture program, where the Finding signed by George Bush (crafted by Dick Cheney) let CIA set its own policy, which left the CIA without cover when the shit started hitting the fan.

I assume the CIA is well aware of the risks of such a structure (though Gina Haspel’s elevation to Deputy Director after being a key player in many of the worst parts of the torture scandal may make her less worried about the risks, given that she has ultimately been protected). But the men and women at the implementing stage of such a policy shift may not have much leeway to fight it.

I noted something in the batch of Semiannual Section 702 Assessments I Con the Record released in January that may explain one reason why the government has such problems giving defendants who’ve been captured in Section 702 surveillance the notice required under the law.

Starting with the 14th Assessment — the one released in February 2016, which covers December 2014 to May 2015 (which also began to integrate feedback from PCLOB), the assessments started to reveal that disseminated reports don’t identify where information on a US Person comes from.

23 (C//NF) NSA does not maintain records that allow it to readily determine, in the case of a report that includes information from several sources, from which source a reference to a U.S. person was derived. Accordingly, the references to U.S. person identities may have resulted from collection pursuant to Section 702 or from other authorized signals intelligence activity conducted by NSA that was reported in conjunction with information acquired under Section 702. Thus, the number provided above is assessed to likely be over-inclusive. NSA has previously provided this explanation in its Annual Review pursuant to Section 702(l)(3) that is provided to Congress.

Presumably, the reports track that intelligence in the report comes from Section 702, or else they wouldn’t be able to track how often serialized reports contain US person information derived from Section 702- or PAA-acquired data, which is where this footnote appears. (In this reporting period, 9.7% of reports including US person information.) But they don’t track which tidbits come from 702 and which come from — say — EO 12333 authorized information or foreign partners.

Given that these reports get circulated outside of NSA (and even outside those people cleared into Section 702), that might mean someone with a dual intelligence/law enforcement role would see the information, pursue further investigation, and yet not know that the investigation “derived” from 702 data, which would then mean the defendant might never get notice.

Remember how infosec people made fun of John Podesta when they learned his iCloud password — which got exposed in the Wikileaks dump of his stolen emails — was Runner4567? 4Chan used the password to hack a bunch of Podesta’s accounts.

Among the pages that got exposed in this week’s Wikileaks dumps of CIA’s hacking tools was a page of Operational Support Branch passwords. For some time the page showed the root password for the network they used for development purposes.

These passwords, as well as one (“password”) for another part of their server, were available on the network site as well.

Throughout the period of updates, it included a meme joking about setting your password to Incorrect.

At the beginning of January 2015, it included the passwords for two unclassified laptops used by the department, one of which was the very guessable 0sbP@ass.

OSB unclass laptop #1 password (tag 2005K676, Dell service tag: 7731Y32): “OSBDemoLap9W53!” (Without quotes)

OSB unclass laptop #2 password (tag 2005K677, Dell service tag: CN81Y32): “0sbP@ss” (no quotes, first chracter is a zero)

Remember, Assange has claimed that CIA treated its exploits as unclassified so they could be spread outside of CIA facilities.

A discussion ensued about what a bad security practice this was.

2015-01-30 14:30 [User #14588054]:

Am I the only one who looked at this page and thought, “I wonder if security would have a heart attack if they saw this.”?

2015-01-30 14:50 [User #7995631]:

Its locked down to the OSB group… idk if that helps.

2015-01-30 15:10 [User #14588054]:

I noticed, but I still cringed when I first saw the page.

I have no idea whether these passwords exacerbated CIA’s exposure. The early 2015 discussion happened well before — at least as we currently understand it — the compromise that led to Wikileaks’ obtaining the files. The laptops themselves were unclassified, and would only be a problem if someone got physical custody of them. Though shared devices like laptops were one of the things for which CIA had a multi-factor authentication problem up until at least August of 2016.

But if we’re going to make fun of John Podesta for password hygiene exposed in a Wikileaks dump, we ought to at least acknowledge that CIA’s hackers, people who spent their days exploiting hygiene sloppiness like this, had (simple) passwords lying around on a server that — as it turns out — was nowhere near as secure as it needed to be.

Update: After refusing to resign, Preet has now officially been fired. It remains to be seen whether there’s some underlying legal reason to force Trump to do this, or whether it’s press grand-standing.

Dana Boente, the US Attorney for Eastern District of VA and Acting Deputy Attorney General since Trump fired Sally Yates, just called the other US Attorneys and told them to submit their resignations effective immediately.

The press seems most interested in whether this order covers media hound Preet Bharara, US Attorney for Southern District of NY. Preet is leading an investigation into NY political scandals affecting key Democrats, and Trump had told him he would be kept on (Preet’s political godfather is Chuck Schumer, which may have had something to do with that).

But I’m far more interested in whether Boente himself is resigning to himself.

In addition to serving as Acting DAG, since Jeff Sessions recused himself from any investigation into Trump last week, Boente has been in charge of that investigation. So if Boente resigned to himself this afternoon, it would mean no one was in charge of the investigation. Plus, Boente also oversees several other interesting investigations, notably the long-standing investigation of Wikileaks.

Mind you, Rod Rosenstein, at least until this afternoon US Attorney for MD, is all teed up to be confirmed as DAG. Except Richard Blumenthal has said he would hold up that investigation until a special counsel was appointed to investigate Trump. With no DAG and no one in charge of the Trump investigation (the USAs in WDPA, DC, and NDCA, who also have a piece of the investigation presumably also just resigned), Blumenthal might be pressured to relent on that front.

Update: NBC finally got some clarity on Boente — he (and Rosenstein) will stay on. Which I guess means Preet is out.

Michael Hayden thinks he has an explanation for all the whistleblowers. It’s those damn millennials.

How do you make sure every one of [the people who have clearance] was and remains a loyal American or a loyal member of British security services and so on. Beyond that, Catty, there’s another dynamic at work here. In order to do this kind of stuff, we have to recruit from a certain demographic, and I don’t mean to judge them at all, but this group of millennials and related groups simply have different understandings of the words loyalty and secrecy and transparency than certainly my generation did. And so we bring these folks into the agency, good Americans all, I can only assume, but again, culturally they have different instincts than the people who made the decision to hire them.

The reason Chelsea Manning and Edward Snowden leaked vast troves of documents, according to Hayden, is because they’re young and not as loyal as people like him.

That may be true, to a point. Both Manning and Snowden seem to have a cosmopolitanism that a lot of Americans — those Americans raised during the Cold War — don’t have. We live in a globe now, just just America, and it’s possible Manning and Snowden felt some loyalty to humankind, rather than just America.

But there’s another problem with Hayden’s claim. There have been a number of whistleblowers who are of his generation. Consider all the intelligence people who’ve joined VIPS in response to idiotic foreign policy, after all.

Or consider an even more interesting example: Bill Binney. Binney was, during the Cold War, one of the most aggressive spies out there. He has said to me, repeatedly, that he’s the guy who invented Collect it all (though he, of course, wanted privacy protections for Americans). But when his approach came to be rolled out against Americans as part of the War on Terror that Hayden pursued with little self-reflection, Binney balked, quit the NSA, and started complaining that his program had been repurposed to target everyone.

Now, Binney didn’t bring a trove of documents with him. But he’s definitely animated by some of the same things that animated Manning and Snowden.

And Binney is two years older than Hayden.

There are a lot of things that motivate whistleblowers, and Daniel Ellsberg (who is 14 years older than Hayden) has said repeatedly that Snowden is just like he was.

But I do think one thing that has happened is that during the Cold War, for good or ill, Americans believed that they were the force of good. That belief is a lot harder to sustain in this day and age, for a range of reasons (not least the warrantless wiretapping and torture that Hayden facilitated). So just maybe the values remain the same, but America has changed?

Several days after Shadow Brokers first announced an auction of a bunch of NSA tools last August, Wikileaks announced it had its own “pristine” copy of the files, which it would soon release.

Wikileaks never did release that archive.

On January 7-8, Shadow Brokers got testy with Wikileaks, suggesting that Wikileaks had grown power hungry.

Shadow Brokers threw in several hashtags, two of which could be throw-offs or cultural references to a range of things (though as always with pop culture references, help me out if I’m missing something obvious). The third — “no more secrets” — in context invokes Sneakers, a movie full of devious US intelligence agencies, double dealing Russians, and the dilemma of what you do when you’ve got the power that comes from the ability to hack anything.

Moments later, Shadow Brokers called out Wikileaks, invoking (in the language of this season’s South Park) Wikileaks’ promise to release the file.

Of course, within a week, Shadow Brokers had reneged on a promise of sorts. Less than an hour before calling out Wikileaks for growing power hungry, Shadow Brokers suggested it would sell a range of Windows exploits. Four days later, it instead released a limited (and dated) subset of Windows files — ones curiously implicating Kaspersky Labs. All the “bullshit political talk,” SB wrote in a final message, was just marketing.

Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention.

And with that, the entity called Shadow Brokers checked out, still claiming to be in possession of a range of (dated) NSA hacking exploits.

Less than a month later (and over a month before Monday’s release), Wikileaks started the prep for the Vault 7 release of CIA’s hacking tools. (Given the month of lead hype and persistent attention throughout, I’m not sure why any claimed rapid and “overwhelming” response to the release should be attributed to Russian bots.)

Having been called out for sitting on the Shadow Brokers’ files (if, indeed, Wikileaks actually had them), Wikileaks this time gave the appearance of being forthcoming, claiming “the largest ever publication of confidential documents on the [CIA].”

Except …

While Wikileaks released a great deal of information about CIA’s hacking, it didn’t release the code itself, or the IP addresses that would reveal targets or command and control servers.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States.

Now, perhaps Wikileaks really is doing all this out of a sense of responsibility. More likely, it is designed to create a buzz for more disclosure that WL can use to shift responsibility for further disclosure. Yesterday, Wikileaks even did a silly Twitter poll designed to get thousands to endorse further leaks.

In reality, whether for their own PR reasons or because it reflects the truth, tech companies have been issued statements reassuring users that some of the flaws identified in the Wikileaks dump have already been fixed (and in fact, for some of them, that was already reflected in the Wikileaks documents).

Thus far, however, Wikileaks is sitting on a substantial quantity of recent CIA exploits and may be sitting on a significant quantity of dated NSA exploits. Mind you, the CIA seems to know (belatedly) precisely what Wikileaks has; while NSA has a list of the exploits Shadow Brokers was purportedly trying to sell, it’s not clear whether NSA knew exactly what was in that dump. But CIA and NSA can’t exactly tell the rest of the world what might be coming at them in the form of repurposed leaked hacking tools.

There has been a lot of conversation — most lacking nuance — about what it means that CIA uses code from other hackers’ exploits (including Shamoon, the Iranian exploit that has recently been updated and deployed against European targets). There has been less discussion about what it means that Wikileaks and Shadow Brokers and whatever go-betweens were involved in those leaks might be involved have been sitting on US intelligence community exploits.

That seems like a worthwhile question.

Update: as his delayed presser on this release, Assange stated that he would work with tech companies to neutralize the exploits, then release them.

I know I keep harping on the disclosures about the intelligence community’s security practices disclosed in the House Intelligence Report on Edward Snowden. But they go some way to explain why people keep walking out of spy agencies with those agencies’ hacking tools.

Over three years after the Snowden leaks, multiple Intelligence Inspector General Reports show, agencies still hadn’t plugged holes identified in response to Snowden’s leaks. When the CIA did an audit mandated by 2015’s CISA bill, for example, it revealed that “CIA has not yet implemented multi-factor authentication controls such as a physical token for general or privileged users of the Agency’s enterprise or mission systems.”

As I understand it, this had something to do with multi-factor use on devices used by multiple persons. So it may not have been as bad as this sounds (and — again, as I understand it, the problem has since been fixed).

Nevertheless, the CIA is whining about how evil Wikileaks is for publishing documents that (per Wikileaks, anyway) CIA stored with inadequate protection.

The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.

Sorry. I mean, Americans can be pissed that its premier intelligence agency got pwned.

But Americans should also be pissed that CIA is storing powerful weapons in a way such that they can easily be leaked. We wouldn’t excuse this with CIA’s anthrax stash. We should not give the Agency a pass here.

Today, Wikileaks released a big chunk of documents pertaining to CIA’s hacking tools.

People will — and already have — treated this as yet another Russian effort to use Wikileaks as a cutout to release documents it wants out there. And that may well be the case. It would follow closely on the release, by Shadow Brokers, of a small subset of what were billed as NSA hacking tools (more on that in a bit).

Wikileaks attributes the files to two sources. First, it suggests a “US government hacker and contractor … provided WikiLeaks with portions of the archive.”

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In an apparent reference to this source, Wikileaks explains,

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.

It also notes that developers may steal tools without a trace (though speaks of this in terms of proliferation, not this leak).

Securing such ‘weapons’ is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same ‘weapons’ against the organizations that contain them.

But Wikileaks also suggests that, because the CIA doesn’t classify its attack tools, it leaves them more vulnerable to theft.

In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of “Vault 7” — the CIA’s weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse.

The CIA made these systems unclassified.

Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the ‘battlefield’ of cyber ‘war’.

To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.

Wikileaks is trying to appear more responsible than it was with recent leaks, which doxed private individuals. It explains that it has anonymized names. (It very helpfully replaces those names with numbers, which leaves enough specificity such that over 30 CIA hackers will know Wikileaks has detailed information on them, down to their favorite memes.) And it has withheld the actual exploits, until such time — it claims — that further consensus can be developed on how such weapons should be analyzed. In addition, Wikileaks has withheld targets.

Wikileaks has carefully reviewed the “Year Zero” disclosure and published substantive CIA documentation while avoiding the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.

Wikileaks has also decided to redact and anonymise some identifying information in “Year Zero” for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in “Vault 7” part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Several comments about this: First, whether for reasonable or unreasonable purpose, withholding such details (for now) is responsible. It prevents Wikileaks’ release from expanding the use of these tools. Wikileaks’ password for some of these files is, “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds,” suggesting the motive.

Of course, by revealing that these tools exist, but not releasing them, Wikileaks could (hypothetically) itself use them. Wikileaks doesn’t explain how it obtained upcoming parts of this release, but it’s possible that someone used CIA’s tools against itself.

In addition, by not revealing CIA’s targets, Wikileaks both explicitly and implicitly prevents CIA (and the US generally) to offer the excuse they always offer for their surveillance tools: that they’re chasing terrorists — though of course, this is just a matter of agency vocabulary.

Among the list of possible targets of the collection are ‘Asset’, ‘Liason [sic] Asset’, ‘System Administrator’, ‘Foreign Information Operations’, ‘Foreign Intelligence Agencies’ and ‘Foreign Government Entities’. Notably absent is any reference to extremists or transnational criminals.

We will no doubt have further debate about whether Wikileaks was responsible or not with this dump. But consider: various contractors (and to a much lesser degree, the US intelligence community) have been releasing details about Russian hacking for months. That is deemed to be in the common interest, because it permits targets to prevent being hacked by a state actor.

Any hacking CIA does comes on top of the simplified spying the US can do thanks to the presence of most tech companies in the US.

So why should CIA hacking be treated any differently than FSB or GRU hacking, at least by the non-American part of the world?

This leak may well be what Wikileaks claims it to be — a concerned insider exposing the CIA’s excesses. Or perhaps it’s part of a larger Russian op. (Those two things could even both be true.) But as we talk about cybersecurity, we would do well to remember that all nation-state hackers pose a threat to the digital commons.

Last week, at least three media outlets have provided new details about the relationship between former MI6 officer Christopher Steele — the author of the Trump dossier — and the FBI. First WaPo reported that Steele had reached a verbal agreement that the FBI would pay him to continue his investigation of Russia’s involvement with Trump after still unnamed Democrats stopped paying him after the election. CNN then reported that FBI actually had paid Steele for his expenses. Finally, NBC reported Steele backed out of the deal before it was finalized. Chuck Grassley just sent a letter to Jim Comey asking for more information about the proposed arrangement with Steele.

I’m with Grassley on this. According to WaPo and NBC, FBI would only have paid Steele after the election, presumably regardless of the outcome; by that point Steele’s research couldn’t affect the outcome of the investigation. Nevertheless, the possibility that FBI may have used information from a Democratically paid oppo researcher does raise questions of propriety. Add in the discrepancies in these three reports about whether FBI did pay for Steele’s work, and Grassley is right to raise questions.

I’m also interested in what the relationship says about the way in which political necessities may have impacted the content of Steele’s dossier. All three reports attribute the termination of any FBI-Steele relationship, at least in part, to Steele’s frustration with the FBI. WaPo goes on at some length, explaining that Steele got pissed when Jim Comey reopened the Hillary investigation on October 28, and then grew angrier after the NYT reported the FBI had not confirmed any link to Russia.

Ultimately, the FBI did not pay Steele. Communications between the bureau and the former spy were interrupted as Steele’s now-famous dossier became the subject of news stories, congressional inquiries and presidential denials, according to the people familiar with the arrangement, who spoke on the condition of anonymity because they were not authorized to discuss the matter.

[snip]

In October, anticipating that funding supplied through the original client would dry up, Steele and the FBI reached a spoken understanding: He would continue his work looking at the Kremlin’s ties to Trump and receive compensation for his efforts.

But Steele’s frustration deepened when FBI Director James B. Comey, who had been silent on the Russia inquiry, announced publicly 11 days before the election that the bureau was investigating a newly discovered cache of emails Clinton had exchanged using her private server, according to people familiar with Steele’s thinking.

Those people say Steele’s frustration with the FBI peaked after an Oct. 31 New York Times story that cited law enforcement sources drawing conclusions that he considered premature. The article said that the FBI had not yet found any “conclusive or direct link” between Trump and the Russian government and that the Russian hacking was not intended to help Trump.

WaPo doesn’t lay this out in detail, however. Here’s what happened on those days in October:

October 28: Comey informs eight committee chairs he will reopen the investigation, which promptly (and predictably) leaks.

October 30: Having been officially briefed on the dossier, Harry Reid writes Comey accusing him of a Hatch Act violation for releasing the information on Clinton while withholding what we know to be information in the dossier.

October 31, 6:52PM: David Corn publishes story based on dossier.

October 31, 9:27PM: NYT publishes article describing multiple investigations into Russian interference, stating “no evidence has emerged that would link him or anyone else in his business or political circle directly to Russia’s election operations.”

October 31, 10:52PM: NYT edits article, adding “conclusive or direct” as a caveat in the sentence “Law enforcement officials say that none of the investigations so far have found any conclusive or direct link between Mr. Trump and the Russian government.”

Notably, assuming the times in Newsdiffs (from which I got the NYT timing) are correct, Steele had already gone public before the NYT published its article. That suggests he (like Harry Reid) believed his research should be part of a competing public story. And by going public in what was obviously a Democratically-seeded article, Steele likely made it far more difficult for FBI to continue the relationship.

Already, these new timeline details raise questions about the degree to which Steele’s concerns that the Trump Russian investigation should have more prominence than the email investigation may have influenced his work. Even if Jim Comey did do something colossally stupid by announcing the reopening of the investigation, that shouldn’t affect Steele’s interest in providing the best intelligence to the US, regardless of the public impact, unless he was always motivated primarily by his role as campaign oppo researcher.

The pointless Alfa Bank report that nevertheless seems to reinforce the dodgy Alfa server story

But I also wonder whether it relates to the content. Consider report 112, dated September 14. It pertains to “Kremlin-Alpha Group Cooperation.” It doesn’t have much point in a dossier aiming to hurt Trump. None of his associates nor the Russian DNC hack are mentioned. It does suggest that that Alfa Group had a “bag carrier … to deliver large amounts of illicit cash to” Putin when he was Deputy Mayor of St. Petersburg, though describes the current relationship as “both carrot and stick,” relying in part on kompromat pertaining to Putin’s activities while Deputy Mayor. It makes no allegations of current bribery, though says mutual leverage helps Putin “do his political bidding.”

As I said, there’s no point to have that Alfa Bank passage in a dossier on Trump. But it does serve, in its disclosure, to add a data point (albeit not a very interesting one) to the Alfa Server story that (we now know) FBI was already reviewing but which hadn’t been pitched to the press yet. In Corn’s piece, he mentions the Alfa Bank story but not the report on Putin’s ties to it. It may be in there because someone — perhaps already in possession of the Alfa Bank allegations — asked Steele to lay out more about Alfa’s ties with Putin.

Here’s one reason that’s interesting, though. Even aside from all the other reasons the Alfa story is dodgy, it was deliberately packaged for press consumption. Rather than the at least 19 servers that Trump’s spam email was pinging, it revealed just two: Alfa Bank and Spectrum Health (the latter of which got spun, anachronistically, as a DeVos organization that thus had to be tight with Trump). Which is to say, the Alfa story was dodgy and packaged by yet unknown people.

The discovery of direct collusion during the intelligence review of the Russian hack

More interesting still is what happens in the period that — according to public reporting, anyway — Steele was working for free.

Contrary to what Steele’s anger suggests, there was no real evidence of direct Russian ties to Trump outside of the famous PeeGate incident (and even if that happened, he was not a knowing participant). In the first report, there’s a claim that “the Kremlin has been feeding TRUMP and his team valuable intelligence … including Democratic presidential candidate Hillary Clinton,” but the part of the report that purportedly describes that sharing states that the Kremlin file on Hillary “had not yet been made available abroad, including to TRUMP or his campaign team,” seemingly contradicting the claim. A subsequent report describes a Presidential Administration official discussed the “possible release [of the dossier] to the Republican’s campaign team,” but without any confirmation that occurred (or even that Trump knew about it).

A subsequent report includes a claim of a “well-developed conspiracy of co-operation between [Trump’s team] and the Russian leadership managed through Paul Manafort and Carter Page. It continued to suggest a quid pro quo between the Russian hack and a shift on Ukraine and NATO policies. But in subsequent discussions of Manafort and Page’s corruption, it drops this claim entirely. Even when Michael Cohen enters the narrative, its about managing fallout over Manafort’s Ukrainian corruption.

There are claims that Trump was trying to set up business in Russia, followed by repeated descriptions of Russians not succeeding in getting him to do so.

In other words, in spite of the fact that there were some really damning allegations in the reports, the subsequent reporting didn’t necessarily back the most inflammatory aspects of them.

After the election, there’s just one report, dated December 13. That dates it to after the CIA’s leak fest reporting that Putin hacked the DNC not just to hurt Hillary and the US, but also to elect Trump. It dates to after Obama ordered an IC report on the hack. It dates to after John McCain delivered yet another copy of the dossier to FBI. It slightly precedes a Crowdstrike report (also done for free) bumping its formerly non-public “medium” confidence Russia’s GRU hacked the DNC to “high.”

And after previous reports describing Michael Cohen’s meetings as serving to cover up Manafort’s corruption and Page’s non-consummated Rosneft deal, this one alleges “the operatives involved [in the DNC hack] had been paid by both TRUMP’s team and the Kremlin,” the first such allegation. That is, over a month after the election but less than a month before its leak, the kind of detail backing direct collusion reappeared in this report.

Chuck Grassley’s questions

Which brings me back to Grassley’s letter. In addition to asking about payments, whether the agreement ever went into force, and whether and how Steele’s material served as a basis for FBI reports or even warrants, Grassley asks a question I’ve long wanted to know: Why we got this version of the memo, which is obviously just a partial selection of the complete dossier (rather like the Alfa story).

6. How did the FBI first obtain Mr. Steele’s Trump investigation memos?  Has the FBI obtained additional memos from this same source that were not published by Buzzfeed?  If so, please provide copies.

We will actually learn a lot about the validity of the dossier if we see what other parts got dealt to the FBI, and if so whether the copy released to the public was cherry picked for the most damning information.