Facebook on the Hot Seat Before Senate Judiciary Committee

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the Senate Judiciary Committee this afternoon. At the time of this post Zuckerberg has already been on the hot seat for more than two hours and another two hours is anticipated.

Before this hearing today I had already begun to think Facebook’s oligopolic position and its decade-plus inability to effectively police its operation require a different approach than merely increasing regulation. While Facebook isn’t the only corporation monetizing users’ data as its core business model, its platform has become so ubiquitous that it is difficult to make use of a broad swath of online services without a Facebook login (or one of a very small number of competing platforms like Google or Twitter).

If Facebook’s core mission is connecting people with a positive experience, it should be regulated like a telecommunications provider — they, too, are connectors — or it should be taken public like the U.S. Postal Service. USPS, after all, is about connecting individual and corporate users by mediating exchange of analog data.

The EU’s General Data Protection Regulation (GDPR) offers a potential starting point as a model for the U.S. to regulate Facebook and other social media platforms. GDPR will shape both users’ expectations and Facebook’s service whether the U.S. is on board or not; we ought to look at GDPR as a baseline for this reason, while remaining compliant with the First Amendment and existing data regulations like the Computer Fraud and Abuse Act (CFAA).

What aggravates me as I watch this hearing is Zuckerberg’s obvious inability to grasp nuance, whether divisions in political ideology or the fuzzy line between businesses’ interests and users’ rights. I don’t know if regulation will be enough if Facebook (manifest in Zuckerberg’s attitude) can’t fully and willingly comply with the Federal Trade Commission’s 2011 consent decree protecting users’ privacy. It’s possible fines for violations of this consent decree arising from the Cambridge Analytica/SCL abuse of users’ data might substantively damage Facebook; will we end up “owning” Facebook before we can even regulate it?

Have at it in comments.

UPDATE — 6:00 PM EDT — One of my senators, Gary Peters, just asked Zuck about audio capture, whether Facebook uses audio technology to listen to users in order to place ads relevant to users’ conversational topics. Zuck says no, which is really odd given the number of anecdotes floating around about ads popping up related to topics of conversation.

It strikes me this is one of the key problems with regulating social media: we are dealing with a technology which has outstripped its users AND its developers, evident in the inability to discuss Facebook’s operations with real fluency on either the part of government or its progenitor.

This is the real danger of artificial intelligence (AI) used to “fix” Facebook’s shortcomings; not only does Facebook not understand how its app is being abused, it can’t assure the public it can prevent AI from being flawed or itself being abused because Facebook is not in absolute control of its platform.

Zuckerberg called the Russian influence operation an ongoing “arms race.” Yeah — imagine arms made and sold by a weapons purveyor who has serious limitations understanding their own weapons. Gods help us.

EDIT — 7:32 PM EDT — Committee is trying to wrap up, Grassley is droning on in old-man-ese about defending free speech but implying at the same time Facebook needs to help salvage Congress’ public image. What a dumpster fire.

Future shock. Our entire society is suffering from future shock, unable to grasp the technology it relies on every day. Even the guy who launched Facebook can’t say with absolute certainty how his platform operates. He can point to the users’ Terms of Service but he can’t say how any user or the government can be absolutely certain users’ data is fully deleted if it goes overseas.

And conservatives aren’t going to like this one bit, but they are worst off as a whole. They are older on average, including in Congress, and they struggle with usage let alone implications and the fundamentals of social media technology itself. They haven’t moved fast enough from now-deceased Alaska Senator Ted Stevens’ understanding of the internet as a “series of tubes.”

The MalwareTech Poker Hand: Calling DOJ’s Bluff

With a full poker hand’s worth of filings on Friday, MalwareTech’s (AKA Marcus Hutchins) lawyers are finally revealing the main thrust of their defense. The five filings are:

  1. A motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. A motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. A motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. A motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. A motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Effectively, these five motions (which are likely to meet with mixed success, but even where they’re likely to fail, will lay the groundwork for trial) work together to sustain an argument that Hutchins should never have been charged with these crimes in the US, and that FBI may have cheated a bit to get the incriminatory statements that might let them sustain the prosecution.

I laid out the general oddity of these charges here, and the background to the Miranda challenge and grand jury instructions here, here, and here.

Hutchins was high and tired, not drunk, for his one minute Miranda warning

While I don’t expect the Miranda challenge (item 2) to be effective on its face, I do expect it to serve as groundwork for a significant attempt to discredit Hutchins’ incriminatory statements at trial. This motion provides more detail about why his defense thinks it will be an effective tactic. It’s not just that Hutchins is a foreigner and couldn’t be expected to know how US Miranda works, or that the FBI only documented that they asked Hutchins if he had been drinking alcohol four months after the arrest (as I laid out here). But as the motion notes, the FBI doesn’t claim to have asked whether he was exhausted or otherwise intoxicated.

According to an FBI memorandum, before “initiating a post arrest interview,” an agent asked Mr. Hutchins if he had been drinking that day, and he responded that he had not. That memorandum, written over four months after the arrest, then states that the agent asked Mr. Hutchins “if has [sic] in a good state of mind to speak to the FBI Hutchins agreed.” Mr. Hutchins did not understand it to be an inquiry as to whether he had used drugs or was exhausted.

The initial 302 of the interrogation records Hutchins telling the agents that he had been partying and not sleeping.

Mr. Hutchins discussed his partying while in Las Vegas, as well as his lack of sleep, during the interrogation.

The motion admits that he had been using drugs (of unspecified type) the night before.

As Mr. Hutchins sat in the airport lounge, he was not drinking, but he was exhausted from partying all week and staying up the night before until the wee hours. He had also used drugs.

Nevada legalized the recreational use of marijuana effective July 2017, so if he was still high during this interview, he might have been legally intoxicated under state (but not federal) law. And there’s not a lick of evidence that the FBI asked him about that.

After laying out that the FBI has no record of asking Hutchins whether he was sober (rather than just not drunk), the motion reveals that the FBI couldn’t decide at what time it gave Hutchins his Miranda warning.

An FBI Advice of Rights form sets forth Miranda warnings and reflects Mr. Hutchins’ signature. It is dated August 2, 2017, but the time it was completed includes two crossed out times, 11:08 a.m. and 2:08 p.m., and one uncrossed out time, 1:18 p.m. (which is one minute after the FBI log reflects Mr. Hutchins’ arrest, as noted above).

And as noted before, and reiterated here, the FBI didn’t record that part of his interview.

The motion notes that if the final, current record of the time of warning is correct, then the Miranda warning, including any discussion of how US law differs from British law, took place in the minute after he was whisked away from this gate.

Hutchins recently tweeted that he “slept the entire time I was in prison,” which while not accurate (he was neither in prison nor in real solitary), would otherwise corroborate the claim he was exhausted.

The government’s cobbled case on intentionality and computer law

Items 3 and 5, arguing the law is inappropriately applied and specifically not instructed correctly with regards to two charges, work together to argue that the government has cobbled together charges against Hutchins via misapplying both CFAA and Wiretap law, and in turn using conspiracy charges and misstating requisite intentionality to be able to get at Hutchins.

As I’ve noted, Hutchins’ lawyers have been arguing for some time that the government may not have properly instructed the grand jury on the intentionality required under charges 2 and 6. At a hearing in February, Magistrate Nancy Joseph showed some sympathy to this argument (though she is still reviewing whether the defense should get the grand jury instructions). As I noted in that post, whereas the government once claimed it would easily fix this problem by getting a superseding indictment (possibly larding on new charges), they seem to have lost their enthusiasm for doing so.

It’s the combination of the rest of the legal challenge that I find more interesting. The challenge will interact with recent innovations in charging other foreign hackers, especially a bunch of Russians that will make DOJ especially defensive of this challenge. But the motions all cite Seventh Circuit precedent closely, so I’m not sure whether that matters.

Ultimately, this motion makes roughly the same arguments that Orin Kerr made as soon as the indictment came out. As he introduced his more thorough explanation in August,

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Kerr is not a flaming hippie, so I assume that these arguments will be rather serious challenges for the government and I await the analysis of this challenge by more Fourth Amendment lawyers. But as he suggested back in August, Hutchins’ team may well be right that this indictment is an overreach.

DOJ still hasn’t explained why it charged Hutchins for a crime with no known US victims

While requests for a Bill of Particulars (basically, a request for more details about what the government is claiming broke the law) are usually unsuccessful, this one does two interesting things. It asks the government for proof of damage, including proof of which ten computers got damaged.

Mr. Hutchins asks that the government be required to particularize the “damage” it intends to offer into evidence at trial in connection with the alleged violations of the Computer Fraud and Abuse Act by the two defendants. Mr. Hutchins also asks that the government be required to particularize the “10 or more protected computers” to which it contends the defendants conspired and attempted to cause “damage.”

Whether the motion itself is successful or not, demanding proof that ten computers were damaged helps support the challenge to the two CFAA charges based on whether stealing credentials amounts to damage. It also lays the groundwork for the motion made explicitly in item 4 — that Hutchins should never have been charged in the US, much less Wisconsin.

As I laid out in this piece, it appears likely that charges against Hutchins arose out of back door searches done as part of the investigation into who “MalwareTech” was after he sinkholed WannaCry. For whatever reason (probably because the government thought Hutchins could inform on someone, possibly related to either WannaCry itself or Kelihos), the government decided to cobble together a case against Hutchins consisting — by all appearances — entirely of incidental collection so as to coerce him into a plea deal. When he got a team of very good lawyers and then bail, that put a lot more pressure on the appropriateness of the charges in the first place.

So now, eight months after Hutchins was arrested, we’re finally getting to that question of why the US government decided to charge him for a crime that even DOJ didn’t claim had significant US victims.

The motion starts by noting that Hutchins didn’t do most of the acts alleged, his co-defendant Tran (whom the government has shown little urgency in extraditing) did. But even for Tran’s acts (basically marketing and selling the malware), there’s no affirmative tie made to Wisconsin.

As part of the purported conspiracy, the indictment alleges that Mr. Hutchins created the Kronos software, described as “a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers.” (Id. ¶¶ 3(e), 4(a).) It also alleges that Mr. Hutchins and his co-defendant later updated Kronos. (Id. ¶ 4(d).)

All other alleged overt acts in furtherance of the purported conspiracy pertain solely to Mr. Hutchins’ co-defendant. Per the indictment, the codefendant (1) used a video posted to YouTube to demonstrate how Kronos worked, (2) advertised Kronos on internet forums, (3) sold a version of Kronos, and (4) offered crypting services for Kronos. (Id. ¶¶ 4(b), (c), (e), (f), (g).)

Aside from a bare allegation that each offense was committed “in the state and Eastern District of Wisconsin and elsewhere,” the indictment does not describe any connection to this District.

While the government has long suggested that the case is in EDWI because an FBI agent located there bought a copy of Kronos, the motion suggests Hutchins’ team hasn’t even seen good evidence of that yet.

Here, the indictment reflects that Mr. Hutchins was on foreign soil, and any acts he performed occurred there. There is no indication that damage was caused in the Eastern District of Wisconsin—or, indeed, that any damage occurred at all. At best, a buyer was present in this District. But the buyer would then need to use Kronos to cause damage in the District for venue to lie. Nothing [i]n the indictment supports that conclusion.

The charging of two foreigners is all the more problematic on the four wiretapping charges, given that (unlike CFAA), Congress did not mean to apply it to foreigners.

There is evidence that Congress intended the CFAA—the legal basis of Counts One and Six—to have extraterritorial application. The CFAA prohibits certain conduct with respect to “protected computers,” 18 U.S.C. § 1030(e)(2)(B), and the legislative history shows that Congress crafted the definition of that term with foreign-based attackers in mind. S. Rep. 104-357, at 4-5 (1996).

The Wiretap Act—at issue in Counts Two through Five—is different, though. That law does not reflect a clear congressional mandate that it should apply extraterritorially. Accordingly, courts have repeatedly found that it “has no extraterritorial force.” Huff v. Spaw, 794 F.3d 543, 547 (6th Cir. 2015) (quoting United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987)).

There is a great deal of precedent to establish venue based on where a federal agent bought something. Indeed, the main AlphaBay case against Alexandre Cazes consisted of that (remember that Kronos was ultimately sold on AlphaBay). But that case was based on the illegal sale of drugs and ATM skimmers, not software, which given the challenge to the CFAA and Wiretapping application here, might make the EDWI purchase of Kronos insufficient to justify venue here.

I’m not sure whether this motion will succeed or not. But one way or another, given that the defense appears to have seen no real basis for venue here, this motion may serve as critical groundwork for what appears to be a justifiable argument that this case should never have been charged in the US.

I keep waiting for DOJ to give up this case in the face of having to argue that the guy who sinkholed WannaCry should be prosecuted because he refused to accept a plea deal on charges with no known US victims. But they’re probably too stubborn to do that.

Update: Corrected Joseph’s name. h/t GM.

John Bolton Will Get to Start His Iran War Because Nine Iranians Stole Academic Dissertations

Earlier today, Rod Rosenstein rolled out a dangerously vague indictment of nine Iranians, allegedly tied to the Revolutionary Guard, for hacking hundreds of universities and some private companies and NGOs.

I say it’s dangerously vague because, while it’s clear the Iranians compromised thousands of university professors, it’s not clear precisely what they stole. But it appears that most of the data stolen from universities (some private companies, government agencies, and NGOs were targeted too) consists of scholarship.

[M]embers of the conspiracy used stolen account credentials and obtained unauthorized access to victim professor accounts, through which they then exfiltrated, or transferred to themselves, academic data and documents from the systems of compromised universities, including, among other things, academic journals, theses, dissertations, and electronic books.

The indictment describes the stolen data benefitting (along with the IRGC) “Iran-based universities.” And it specifies that the hackers sold the information so that Iranians could access US academic online libraries.

Magapaper sold stolen academic resources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular United States-based and foreign universities.

The indictment claims the Iranians stole “academic data and intellectual property” which cost the affected 144 US universities “$3.4 billion to procure and access.” But that’s reminiscent of the Aaron Swartz case (to which several people have likened this), where the prosecutor justified pursuing Swartz because he had downloaded “intellectual property that cost millions to create,” something like 4.75 million articles and 87 Gigabytes of data. (See the extensive discussion about cost and damages in this MIT report.) DOJ accuses the Iranians of stealing 31 terabytes of data.

As I said, this is a dangerously vague indictment. And, from the metadata, it appears that the indictment may be more than a month old. (h/t z3dster)

There are also no dates on any of the signature lines, so it may be this indictment has just been sitting in a drawer in southern Manhattan, waiting to serve as a casus belli.

Perhaps there was more sensitive data stolen here. Perhaps the professors who got hacked were more selectively targeted than the sheer number of academics targeted — 100,000 got phished, with almost 8,000 responding — suggests.

But absent far more details, this indictment seems to make an international incident out of people in a very closed society trying to access academic information that is readily available here.

I’ve long written about the potential downsides of indicting nation-state hackers, which is effectively what these guys are — particularly the possibility that doing so will invite retaliation against our own official hackers. But in some cases — with the OPM hack, with hacks of national security information, with the Russians who targeted the election — that might make sense.

But indicting nation-state hackers for stealing dissertations?

Update: This confirms what z3dster noted: this thing has been sealed since February 7. Why? And why did it get unsealed the day after Bolton was hired?

The Daily Beast Guccifer Scoop and Those GRU Officers Sanctioned Last Week

The Daily Beast has a story reporting (in addition to the already reported news that the DNC hack got moved under Robert Mueller) that the person behind the Guccifer 2.0 persona “slipped up” once and failed to use the VPN hiding his location in the GRU headquarters in Moscow.

[O]n one occasion, The Daily Beast has learned, Guccifer failed to activate the VPN client before logging on. As a result, he left a real, Moscow-based Internet Protocol address in the server logs of an American social media company, according to a source familiar with the government’s Guccifer investigation.

The US identified which particular officer was behind the Guccifer persona.

Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.

And then, according to TDB, the Guccifer persona was handed off to a more experienced GRU officer, with better English skills.

Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.

TDB’s sources did not reveal the name of the officer identified from the VPN “slip up.”

The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.

But we may already know the name or names of the GRU officers involved. As I noted last week, Treasury added two names to the list of GRU officers sanctioned in conjunction with the DNC hack: Sergei Afanasyev and Grigoriy Viktorovich Molchanov. Both would actually be (very) experienced officers — they are 55 and 62. And both include very interesting “as of” dates identifying the last point when our intelligence officials identified their positions: February 2017 and April 2016, respectively.

The latter is of particular interest, as it came during the period when Guccifer 2.0 was setting up his infrastructure. But the government doesn’t know a ton about this guy — they know his birth year, but not his birth date, and possibly not even his passport information.

In any case, last week, the government revealed two new people it blames (and therefore sanctioned) for the DNC hack.

As TDB notes, the revelation that the government has tied Guccifer 2.0 to a known GRU officer is utterly damning for Roger Stone, who has admitted talking to him. But they don’t lay out how squirrelly Stone was in early March when trying to deny he was in trouble for his dalliances with Guccifer 2.0 and Wikileaks, which I laid out here.

In his response he does the following:

  • Raises doubts that he was actually talking to Guccifer 2.0 (even though Guccifer 2.0’s only identity was virtual, so Stone’s online interactions with any entity running the Guccifer Twitter account would by definition be communication with Guccifer 2.0)
  • Repeats his earlier doubts that Guccifer 2.0 is a Russian operative
  • Emphasizes that he couldn’t have been involved in any hack of the DNC Guccifer 2.0 had done because he first spoke to him six weeks after the email release (in reality, he was speaking to him three weeks after the Wikileaks release)
  • Admits he once believed Guccifer 2.0 did the hack but (pointing to the Bill Binney analysis, and giving it a slightly different focus than he had in September) claims he no longer believes that
  • Invents something about a WaPo report that’s not true, thereby shifting the focus to receiving documents (as opposed to, say, information)
  • Denies he received documents from anyone but not that he saw documents (other than the Wikileaks ones) before they were released

This denial stops well short of explaining why he reached out to Guccifer. And it does nothing to change the record — one backed by his own writing — that Stone reached out because he believed Guccifer, whoever he might be, had hacked the DNC.

At the time Stone reached out to Guccifer (as I pointed out, he misrepresented the timing of this somewhat in his testimony), he believed Guccifer had violated the law by hacking the DNC.

He never does explain to Todd why he did reach out.

Guccifer 2.0 never comes back in the remainder of the interview.

Just weeks ago, when his buddy Sam Nunberg was giving (potentially immunized) testimony to the grand jury, Stone was really really squirrelly about whether his conversations with Guccifer 2.0 put him at legal jeopardy. The confirmation of the GRU tie may provide one reason why he’s so squirrelly.

Update: As Kaspersky’s Aleks Gostev notes, Treasury should know far more on Sergei Afanasyev. RT publicly described him as Deputy Chief of GRU in April 2016. And Molchanov is, at least now, head of GRU’s academy.

How the DNC Hack Skeptics’ Dominant Theory Sinks Stone

I’ve been thinking about something since I wrote this piece on Roger Stone’s Swiss cheese denials of conspiring with Guccifer 2.0 or Wikileaks on the hack-and-leak. As I laid out, Stone’s denial consists of two tactics: he admits he spoke with Guccifer 2.0 at a time he believed him to have done the hack but notes that that happened after (he claims six weeks, but it was really three) the documents already started coming out. And he denies knowing anything in advance about Wikileaks, which wouldn’t be a problem anyway, he says, because there’s no evidence Wikileaks is a Russian asset.

Effectively, that puts Stone’s involvement after the undeniably criminal act — the hack of the DNC — and puts the rest into simple general foreknowledge of Wikileaks’ plan.

As I noted in my first post on Stone’s non-denials, that doesn’t address the possibility he was involved in the Peter Smith led rat-fuck negotiations with Russian hackers to find Hillary’s deleted emails.

But there’s one other problem with it.

According to the public record, Guccifer 2.0 first spoke with Stone on August 12 (though in his statement to Congress, he fudged that date interestingly and claimed the first contact — perhaps meaning DM — was August 14). While that post-dates all known hacking, it pre-dates at least one and possibly several key dates on the leak part of the operation. As Raffi Khatchadourian lays out, Wikileaks may have obtained the John Podesta emails around this time.

A pattern that was set in June appeared to recur: just before DCLeaks became active with election publications, WikiLeaks began to prepare another tranche of e-mails, this time culled from John Podesta’s Gmail account. “We are working around the clock,” Assange told Fox News in late August. “We have received quite a lot of material.” It is unclear how long Assange had been in possession of the e-mails, but a staffer assigned to the project suggested that he had received them in the late summer: “As soon as we got them, we started working on them, and then we started publishing them. From when we received them to when we published them, it was a real crunch. My only wish is that we had the equivalent from the Republicans.”

All of the raw e-mail files that WikiLeaks published from Podesta’s account are dated September 19th, which appears to indicate the day that they were copied or modified for some purpose.

Indeed, Stone’s “Podesta time in the barrel” comment, which Chuck Todd noted addressed Tony but not John Podesta, may even have preceded Wikileaks’ receipt of the emails.

But Stone’s discussions with Guccifer 2.0 undeniably precede an event that, at least according to the skeptics’ theory, necessarily precedes the publication of Podesta’s emails. That’s Craig Murray obtaining … something from someone while he was in the US for the Sam Adams Award on September 25. He has said he didn’t obtain the documents, but it might be a key or something.

That still doesn’t, by itself, make Stone’s conduct criminal. But it does mean his timeline is not exonerating.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Reality Winner: The Cost of Mounting a Defense Arguing the Government Overclassifies

In this Democracy Now appearance, Reality Winner’s mom, Billie Winner-Davis, suggested that, whereas her case had originally been due to go to trial next month, it now looks like it will stretch into 2019.

We do not have a trial date at this point. The trial was originally scheduled for October, and then it was pushed to March. But as of right now, we do not have a new trial date. So we don’t know when she will be—face the jury. What I’m being told is that it will be late 2018, if not early February 2019.

Earlier this week the two sides submitted a proposed schedule that shows even that may be optimistic. Because Winner’s defense wants to use classified information to argue the document she is accused of releasing is not national defense information, it has to go through the onerous Classified Information Procedures Act process (see this for a description of the CIPA process) to get that information approved for use in a trial. If I’m doing the math correctly, most optimistically the proposed schedule looks like this:

  • March 30, 2018: Defense submits all proposed subpoenas
  • April 30: Deadline for discovery, including remainder of government’s CIPA Section 4
  • June 14: Government’s Rule 16 expert disclosures
  • July 14: Defendant’s Rule 16 expert disclosures, if they already have clearance (former ISOO head, Bill Leonard, who is serving as expert witness, already has clearance)
  • July 29: Defendant’s amended CIPA 5 notice
  • August 13: Government’s supplemental Rule 16 expert disclosures due, government’s objections to adequacy of defendant’s CIPA 5 notice
  • September 10: Government’s CIPA 6(a) motion
  • October 1: Defendant’s response to government’s CIPA 6(a) motion
  • October 15: Government’s reply to CIPA 6(a) motion
  • October 21: CIPA hearing (this is where the two sides argue about what classified information the defense needs to make her case)

At this point, there could be 42 days to argue about a CIPA 6(c) motion (where the government proposes unclassified substitutes). If that happens, it will be 90 days until trial, meaning it would start March 1. If it doesn’t, then the trial would skip that 42-day process and presumably drop into very early 2019.

  • Early January 2019 or March 1: Trial start

Again, this is a joint proposal, meaning the defense is on board with the long delay. Either they think they can win a graymail attempt (meaning the judge agrees they should get the classified information but the government refuses to provide adequate substitutes and so is forced to dismiss the case) or they believe they can make a case (with the help of Leonard) on the NDI claims generally. They may also anticipate that other events — the Mueller investigation, the congressional investigations into the Russian hack, state investigations, or more journalism — may make it clear how absurd it is to try Winner for information that has become publicly available as we have a public discussion about what the Russians did in 2016.

But if not, she will (unlike most other people recently charged under the Espionage Act, save Hal Martin) have been in jail for 19 months assuming an early January 2019 trial, or 21 months assuming a March 2019 trial. Winner is charged with one count of willful retention and dissemination of National Defense Information.

By comparison, Jeffrey Sterling, who was found guilty on nine counts, including five unauthorized disclosure counts, was sentenced to 42 months (the government had been asking for nine years, but Leonie Brinkema seemed to have reservations about the evidence behind a number of the guilty verdicts, and the sentencing came in the wake of the David Petraeus sweetheart two years of probation plea deal). Admittedly, the government piled on the charges in that case, whereas here they charged as one count things they might have charged as several (by charging both the leaks to The Intercept and WaPo, for example, or by charging her for not telling the full truth to the FBI). Nevertheless, Sterling was accused of exposing a critically sensitive program and an intelligence asset, whereas Winner is charged with leaking one document in an environment where very similar information is being leaked or released by multiple government sources.

Stephen Jin-Woo Kim, who pled guilty to one count of disseminating NDI pertaining to CIA resources in North Korea, was sentenced to 13 months.

This is the no-win situation Winner is in, trying to challenge her conviction after having been denied bail. Because of the way we deal with classified information, she’ll have served a likely full sentence by the time she gets to trial.

It still may be worth it. After all, if she wins at trial, she’ll avoid a record as a felon.

But the larger battle seems to be one about the ridiculousness of our classification system. As Leonard said (see PDF 99-100) in his declaration to explain why he was providing his services pro bono in this case, he believes the kind of overclassification of information that may be at issue here amounts to degrading the entire classification system.

My motivation for becoming involved in this case was my concern for the integrity of the classification system. I strongly believe that classification is a critical national security tool and that the responsibilities of cleared individuals to properly protect classified information are profound. At the same time, government agencies have equally profound responsibilities and in this regard, I have long witnessed the over-classification of information within the Executive Branch due to the failure of agencies to fulfill these responsibilities. In this way, the actions of agencies can actually undermine the integrity of the classification system in that to be effective, it must be used with precision. As Justice Potter Stewart said in the Pentagon Papers case, “when everything is classified, then nothing is classified … ”

[snip]

My involvement in [two prior prosecutions, that of Steven Rosen and Thomas Drake] confirmed for me the importance, especially in criminal prosecutions, of not allowing representatives of the Executive Branch to simply assert that certain information is classified or closely held or potentially damaging if disclosed.

That is, Winner might prove a point: that this kind of information should be more accessible to the public.

But along the way she will have paid a very costly price.

Update, March 15: After two hearings, Magistrate Brian Epps cut two months off this schedule, setting Winner’s trial date for October 15. That will mean she will have been in jail over 16 months by the time of her trial.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Preferred Anti-Obama Russian Hack Story Remains Silent on Shadow Brokers

Michael Isikoff and David Corn are fluffing their upcoming book on the Russian tampering with the 2016 election. This installment covers the same ground, and the same arguments, and has the same weaknesses that this WaPo article did: It describes how urgent but closely held the CIA tips were (without considering whether the close hold on the intelligence led the IC to make incorrect conclusions about the attack). It describes efforts to make a public statement that got drowned out by the Pussy Grabber and Podesta releases. It airs the disappointment of those who thought Obama should have launched a more aggressive response.

Perhaps the biggest addition to the WaPo version is that this one includes more discussion of Obama’s thoughts on cyber proliferation, with the acknowledgement that the US would be more vulnerable than Russia in an escalating cyber confrontation.

Michael Daniel and Celeste Wallander, the National Security Council’s top Russia analyst, were convinced the United States needed to strike back hard against the Russians and make it clear that Moscow had crossed a red line. Words alone wouldn’t do the trick; there had to be consequences. “I wanted to send a signal that we would not tolerate disruptions to our electoral process,” Daniel recalled. His basic argument: “The Russians are going to push as hard as they can until we start pushing back.”

Daniel and Wallander began drafting options for more aggressive responses beyond anything the Obama administration or the US government had ever before contemplated in response to a cyberattack. One proposal was to unleash the NSA to mount a series of far-reaching cyberattacks: to dismantle the Guccifer 2.0 and DCLeaks websites that had been leaking the emails and memos stolen from Democratic targets, to bombard Russian news sites with a wave of automated traffic in a denial-of-service attack that would shut the news sites down, and to launch an attack on the Russian intelligence agencies themselves, seeking to disrupt their command and control modes.

[snip]

One idea Daniel proposed was unusual: The United States and NATO should publicly announce a giant “cyber exercise” against a mythical Eurasian country, demonstrating that Western nations had it within their power to shut down Russia’s entire civil infrastructure and cripple its economy.

[snip]

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.

“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure—and possibly shut down the electrical grid.

[snip]

Asked at a post-summit news conference about Russia’s hacking of the election, the president spoke in generalities—and insisted the United States did not want a blowup over the issue. “We’ve had problems with cyber intrusions from Russia in the past, from other countries in the past,” he said. “Our goal is not to suddenly in the cyber arena duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so that everybody’s acting responsibly.”

The most dramatic part of the piece quotes an angry Susan Rice telling her top Russian expert to stand down some time after August 21.

One day in late August, national security adviser Susan Rice called Daniel into her office and demanded he cease and desist from working on the cyber options he was developing. “Don’t get ahead of us,” she warned him. The White House was not prepared to endorse any of these ideas. Daniel and his team in the White House cyber response group were given strict orders: “Stand down.” She told Daniel to “knock it off,” he recalled.

Daniel walked back to his office. “That was one pissed-off national security adviser,” he told one of his aides.

But like the WaPo article before it, and in spite of the greater attentiveness to the specific dates involved, the Isikoff/Corn piece makes not one mention of the Shadow Brokers part of the operation, which first launched just as NSC’s Russian experts were dreaming up huge cyber-assaults on Russia.

On August 13, Shadow Brokers released its first post, releasing files that had compromised US firewall providers and including a message that — while appearing to be an attack on American Elites and tacitly invoking Hillary — emphasizes how vulnerable the US would be if its own cybertools were deployed against it.

We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites?

Sure, it’s possible the IC didn’t know right away that this was a Russian op (though Isikoff and Corn claim, dubiously and in contradiction to James Clapper’s November 17, 2016 testimony, that the IC had already IDed all the cut-outs Russia was using on the Guccifer 2.0 and DC Leaks operations). Though certainly the possibility was publicly discussed right away. By December, I was able to map out how it seemed the perpetrators were holding the NSA hostage to any retaliation attempts. Nice little NSA you’ve got here; it’d be a shame if anything happened to it. After the inauguration, Shadow Brokers took a break, until responding to Trump’s Syria strike by complaining that he was abandoning those who had gotten him elected.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

That was followed by a release of tools that would soon lead to billion dollar attacks using repurposed NSA tools.

As recently as February, the NSA and CIA were still trying to figure out what Russia (and the stories do appear to confirm the IC believed this was Russia) had obtained.

I mean, it’s all well and good to complain that Obama asked the NSC to stand down from its plans to launch massive cyberattacks as a warning to Putin. But you might, first, consider whether that decision happened at a time when the US was facing far greater uncertainty about our own vulnerabilities on that front.

Three Things: This Matin, Think Latin

I have three things cluttering up my notes — just big enough to give pause but not big enough for a full post. I’ll toss them out here for an open thread.

~ 3 ~
Aluminum -> Aeronautics -> Stock Market and Spies
I’ve spent quite a while researching the aeronautics industry over the last couple of years, trying to make sense out of a snippet in the Buryakov spy case indictment. The three spies were at one point digging into an aeronautics company, but the limited amount of information in the indictment suggested they were looking at a non-U.S. company.

You can imagine my surprise on December 6, 2016, when the then-president-elect tweeted about Boeing’s contract for the next Air Force One, complaining it was too expensive. Was it Boeing the spies were discussing? But the company didn’t fit what I could see in the indictment, though Boeing’s business is exposed to Russia, in terms of competition and in terms of components (titanium, in particular).

It didn’t help that Trump tweeted before the stock market opened and Boeing’s stock plummeted after the opening bell. There was plenty of time for dark pool operators to go in and take positions between Trump’s tweet and the market’s open. What an incredible bonanza for those who might be on their toes — or who knew in advance this was going to happen.

And, of course, the media explained this all away as Trump’s “Art of the Deal” tactics, ignoring the fact he wasn’t yet president and he was renegotiating the terms of a signed government contract before he took office. (Ignoring also this is not much different than renegotiating sanctions before taking office…)

I was surprised again only a couple weeks later about Boeing and Lockheed; this time I wasn’t the only person who saw the opportunity, though the timing of the tweet and market opening were different.

Again, the media took note of the change in stock prices before rolling over and playing dead before the holidays.

There have been a few other opportunities like this to “take advantage of the market,” though they are a bit more obscure. Look back at the NYSE and S&P trends whenever Trump has tweeted about North Korea; if one knew it was coming, they could make a fortune.

A human would only need a gap as long as that between a Fox and Friends mention of bad, bad North Korea and a corresponding Trump tweet to make the play (although one might have to watch that vomit-inducing program to do this). An algorithm monitoring the FaF program and Trump tweets would need even less time.

Yesterday was somebody’s platinum opportunity even if Trump was dicking around with U.S. manufacturers (including aeronautics companies) and global aluminum and steel producers. His flip-flop on tariffs surely made somebody beaucoup bucks — maybe even an oligarch with a lot of money and a stake in one of the metals, assuming he knew in advance where Trump was going to end up by the close of the market day. The market this morning is still trying to make sense of his ridiculous premise that trade wars are good and winnable; too bad the market still believes this incredibly crappy businessman is fighting a war for U.S. trade.

Just for the heck of it, go to Google News, search for [trump tariffs -solar], look for Full Coverage, sort by date and not relevance. Note how many times you see Russia mentioned in the chronologically ordered feed — mine shows exactly zero while China, Korea, Germany are all over the feed. I sure hope somebody at the SEC is paying as much attention to this as cryptocurrency.

I suppose I have to spell this out: airplanes are made of aluminum and steel, capisce?

~ 2 ~
Italian Son
One niggling bit from Glenn Simpson’s testimony for Fusion GPS before the Senate Intelligence Committee has stuck with me. I wish I could time travel and leave Simpson a note before testimony and tell him, “TELL US WHAT YOU SEE, GLENN!” when he is presented with Paul Manafort’s handwritten notes. The recorder only types what was actually said and Glenn says only the sketchiest bit about what he sees. Reading this transcript, we have only the thinnest amount of context to piece together what he sees.

Q. Do any of the other entries in here mean anything to you in light of the research you’ve conducted or what you otherwise know about Mr. Browder?

A. I’m going to — I can only speculate about some of these things. I mean, sometimes —

MR. LEVY: Don’t speculate.

A. Just would be guesses.

Q. Okay.

A. I can skip down a couple. So “Value in Cyprus as inter,” I don’t know what that means. “Illici,” I don’t know what that means. “Active sponsors of RNC,” I don’t know what that means. “Browder hired Joanna Glover” is a mistaken reference to Juliana Glover, who was Dick Cheney’s press secretary during the Iraq war and associated with another foreign policy controversy. “Russian adoptions by American families” I assume is a reference to the adoption issue.

Q. And by “adoption issue” do you mean Russia prohibiting U.S. families from adopting Russian babies as a measure in response to the Magnitsky act?

A. I assume so.

Bold mine, to emphasize the bit which has been chewing away at me. “Illici” could be an interrupted “illicit”; the committee and Simpson use the word or a modifier, illicitly, eight times during the course of their closed door session. It’s not a word we use every day; the average American Joe/Josie is more likely to use “illegitimate” or the even more popular “illegal” to describe an unlawful or undesirable action or outcome.

(I’m skeptical Manafort was stupid enough to begin scratching out “illicit” and catch himself in time, but then I can’t believe how stupid much of this criminality has been.)

But the average American Joe/Josie doesn’t travel abroad, speak with Europeans often, or speak second languages. The average white Joe/Josie may be three or more generations from their immigrant antecedents.

Not so Mr. Manafort, who is second generation Italian on both sides of his family. He may speak some Italian since his grandfather was an immigrant — and quite likely Catholic, too. Hello, Latin masses in Italian American communities.

Did Manafort mean “illici,” a derivative of Latin “illicio,” which means to entice or seduce? Or was it a corrupted variant of Latin “illico,” which means immediately?

Or is Manafort a bad speller who really meant either “elici”, “elicio,” or “elicit,” meaning to draw out or entice?

Like Simpson, these are just guesses. Only Manafort really knows and I seriously doubt he’ll ever tell what he meant.

~ 1 ~
If you haven’t checked your personal online privacy and cybersecurity recently, give Privacy Haus’s checklist a look. Nearly all of the items I’ve already addressed but I tried one of the items suggested as a fix to an ongoing challenge. Good stuff!

~ 0 ~
That’s it, have at it in this open thread! One last thing: if you didn’t read Marcy’s op-ed, Has Jared Kushner Conspired to Defraud America? in Wednesday’s NYT, you should. You’re going to need it as part of a primer going forward.

NBC’s Broken Story about Mueller Charging the DNC Hackers

NBC has a BROKEN story reporting that Robert Mueller is contemplating charges against the people who carried out the hack of the DNC (and other targets) in 2016.

Special Counsel Robert Mueller is assembling a case for criminal charges against Russians who carried out the hacking and leaking of private information designed to hurt Democrats in the 2016 election, multiple current and former government officials familiar with the matter tell NBC News.

Much like the indictment Mueller filed last month charging a different group of Russians in a social media trolling and illegal-ad-buying scheme, the possible new charges are expected to rely heavily on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS), several of the officials say.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously. Sources say he has long had sufficient evidence to make a case, but strategic issues could dictate the timing. Potential charges include violations of statutes on conspiracy, election law as well as the Computer Fraud and Abuse Act. One U.S. official briefed on the matter said the charges are not imminent, but other knowledgeable sources said they are expected in the next few weeks or months. It’s also possible Mueller opts not to move forward because of concerns about exposing intelligence or other reasons — or that he files the indictment under seal, so the public doesn’t see it initially.

As they have frequently of late, they misunderstand the story they’re telling. They misunderstand this sentence, entirely.

Mueller’s consideration of charges accusing Russians in the hacking case has not been reported previously.

It’s not news, at all, that DOJ was considering charges against those who carried out the hack. Nor is it news that DOJ had enough evidence to charge people in it.

Here’s what WSJ reported on those two topics in November, almost exactly four months ago.

The Justice Department has identified more than six members of the Russian government involved in hacking the Democratic National Committee’s computers and swiping sensitive information that became public during the 2016 presidential election, according to people familiar with the investigation.

Prosecutors and agents have assembled evidence to charge the Russian officials and could bring a case next year, these people said. Discussions about the case are in the early stages, they said.

[snip]

The pinpointing of particular Russian military and intelligence hackers highlights the exhaustive nature of the government’s probe. It also suggests the eagerness of some federal prosecutors and Federal Bureau of Investigation agents to file charges against those responsible, even if the result is naming the alleged perpetrators publicly and making it difficult for them to travel, rather than incarcerating them. Arresting Russian operatives is highly unlikely, people familiar with the probe said.

So: not news that DOJ had pinpointed Russians responsible, not news they were planning on charges “next year” last year, which would mean, “this year” this year.

What is news is that this reporting from the WSJ report is no longer operative.

Federal prosecutors and federal agents working in Washington, Pittsburgh, San Francisco and Philadelphia have been collaborating on the DNC investigation. The inquiry is being conducted separately from Special Counsel Robert Mueller’s investigation of alleged Russian meddling in the 2016 election and any possible collusion by President Donald Trump’s associates.

[snip]

The Justice Department and FBI investigation into the DNC hack had been under way for nearly a year, by prosecutors and agents with cyber expertise, before Mr. Mueller was appointed in May. Rather than take over the relatively technical cyber investigation, Mr. Mueller and the Justice Department agreed that it would be better for the original prosecutors and agents to retain that aspect of the case, the people familiar with the Justice Department-FBI probe said. [my emphasis]

Mind you, we’ve since learned that Ryan Dickey got added to Mueller’s team … oh, in November. And contrary to what NBC says about the heavy reliance, in the Internet Research Agency indictment, “on secret intelligence gathered by the CIA, the FBI, the National Security Agency (NSA) and the Department of Homeland Security (DHS),” it really wasn’t all that sophisticated from a cybersecurity standpoint. Especially not once you consider the interesting forensics on it (aside from IDing the IRA’s VPNs) would have come from Facebook and Twitter.

You don’t need Dickey’s talents for the IRA indictment. You need him for something that is technical.

I’ll leave it for you to consider what it means that Mueller subsumed this part of the investigation even as WSJ was reporting he wasn’t going to do that. I’ll leave you to consider, too, what it means that they brought in a prosecutor with the ability to try these things.

But understand that the news here is not that DOJ is contemplating indicting the people behind the DNC hack. WSJ already scooped that story. It’s that Mueller, not prosecutors in Pittsburgh, San Francisco and Philadelphia, is going to charge it.

What Lies Beneath the Gates

[NB: Note the byline; this post is speculative. /~Rayne]

It’s amazing what a simple internet search can reveal. Take, for instance, a search using the rather innocuous parameters, [“rick gates” iii “press release”].

A little scrolling and presto — some interesting things surface.

Did you know that Rick Gates had served on the board of ID Watchdog, a “consumer-facing identity theft protection and resolution services” firm for use in safeguarding personal credit? But that’s not the entire story; take a look at this timeline:

2010 — Gates, along with his business partner Paul Manafort, worked as an unregistered agent for Victor Yanukovych (who would take office as Ukraine’s president in 2010) and Yanukovych’s political parties. Gates and Manafort represented Yanukovych from at least 2006 through 2015, laundering Yanukovych’s payments through scores of U.S. and foreign entities and bank accounts, using foreign nominee companies and bank accounts created/opened by them and their accomplices in nominee names and in various foreign countries (see DOJ’s indictment dated 27-OCT-2017).

19-APR-2011 — Gates joined the board of publicly-listed credit monitoring firm ID Watchdog. Gates bio from the press release:

Mr. Gates has over 15 years of international political, finance and business development experience working for multinational firms. Currently, he is the managing partner of Pericles LP, a private equity fund, that focuses on technology, infrastructure, and real estate targets. Much of his work focuses on investment, business development and deal structures in Europe.

Mr. Gates has worked on several US presidential campaigns and has participated in many international political campaigns in Europe and Africa. Mr. Gates graduated with a M.A. in Public Policy from George Washington University and a B.A. in Government from The College of William & Mary. He also completed the Executive Management Programme in Brussels and London.

26-JUL-2011 — 2010 tax filing (assume Gates filed his taxes on/about this time in the absence of confirmation by image of tax return); a fraudulent tax return was filed.

11-OCT-2012 through 14-OCT-2015 — Gates under-reported his income, filing fraudulent tax returns during this period which did not reflect full amount of payments from Yanukovych and parties. Gates also did not file Foreign Bank and Financial Accounts (FBAR) reports disclosing offshore bank accounts from which cash was wired after being laundered through numerous shell businesses.

21-JUN-2016 — When Paul Manafort was elevated by Donald Trump to campaign chair after firing Corey Lewandowski, Gates worked as Manafort’s deputy. He would remain deputy after Manafort resigned on August 19.

09-NOV-2016 — Gates stepped down from his role at ID Watchdog, a day after the 2016 presidential election. He then became deputy chairman of the inaugural committee.

??-DEC-2016 — A security researcher notified credit reporting company Equifax that an employee portal was open to the internet and vulnerable.

07-MAR-2017 — A patch was issued for the Apache Struts (CVE-2017-5638) vulnerability.

??-MAR-2017 — Equifax was hacked for the first known time; it contacted Mandiant for assistance. It did not notify the government or consumers.

…the company said it experienced a security incident involving a payroll-related service during the 2016 tax season earlier this year. Equifax said the incident was reported to customers, affected individuals and regulators.

??-JUN-2017 — Equifax closed the vulnerable employee portal

16-JUN-2017 — ID Watchdog announced it had agreed to be acquired by Equifax.

13-MAY/30-JUL-2017 — From Equifax’s press release dated September 15:

Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.

29-JUL-2017 — Date which Equifax’s CEO said a breach was first noticed.

01/02-AUG-2017 — Four Equifax executives who sold a combined $2 million in company stock over these two days claimed they did not know about the breach at the time they traded their shares.

02-AUG-2017 — Equifax contacted Mandiant to conduct a forensic investigation into the breaches. The fourth of four Equifax executives sold a portion of his company stock on the same day.

10-AUG-2017 — Equifax announced it had acquired ID Watchdog.

07-SEP-2017 — Equifax notified the public that it has been breached and 145.5 million consumers’ credit data has been exposed.

18-SEP-2017 — Equifax’s earlier breach in March was made public.

27-SEP-2017 — Consumer Financial Protection Bureau’s then-Director Richard Cordray said regulators would be embedded within credit reporting companies to prevent future breaches of consumers’ data.

15-OCT-2017 — About this time, local news reported Gates was still working for Tom Barrack, CEO of Colony Capital and a member of the Presidential Council of Economic Advisers, prior to the indictment.

27-OCT-2017 — Gates was indicted for the first time.

15-NOV-2017 — Cordray stepped down as CFPB’s director.

25-NOV-2017 — Trump named Office of Budget and Management’s director Mick Mulvaney to succeed Cordray, to hold two offices concurrently.

18-JAN-2018 — Mulvaney allotted zero dollars for CFPB in the federal budget.

05-FEB-2018 — Mulvaney “pulled back from a full-scale probe” into Equifax’s breach.

This chain of events raises so many questions.

— Why Gates? Of all the people a public-listed company like ID Watchdog could pick, why this particular person with weak credentials in technology, let alone identity management or credit monitoring? Does Gates have a special relationship to ID Watchdog in some way?

— As a board member, what kind of access did Gates have to ID Watchdog’s systems? Did ID Watchdog have any ties or links to Equifax before the breaches?

— Did ID Watchdog provide any services to Gates — and possibly his partner, Paul Manafort — related to identity validation and monitoring? Did Gates acquire his second passport while serving on ID Watchdog’s board? What of his partner Manafort, who had at least 10 passports and possibly more identities?

— If ID Watchdog provided services to Gates, did any of Gates’ many bank accounts ever trigger alerts?

Gates “frequently changed banks and opened and closed bank accounts,” prosecutors said. In all, Gates opened 55 accounts with 13 financial institutions, the prosecutors’ court filing said. Some of his bank accounts were in England and Cyprus, where he held more than $10 million from 2010 to 2013.

— Doesn’t it seem odd Gates would serve on the board of an identity-monitoring firm located in Denver, CO while he was working frequently on lobbying-related contracts overseas and on the Trump campaign? Was he compensated by ID Watchdog and was this income reported accurately on tax filings?

— Did Equifax begin acquisition negotiations with ID Watchdog before or after Gates’ departure from the board? If before, did Gates play any role in the negotiations? Or does the timing of the acquisition simply look bad because of the breaches?

— Did Mick Mulvaney pull back on the CFPB’s investigation and oversight measures into Equifax as well as the other credit reporting bureaus to prevent any review of Trump campaign or administration members’ relationships with Equifax, or their data reported by Equifax and ID Watchdog? Did Mulvaney suppress the Equifax investigation and starve CFPB because he’s a misogynist ass and just wants to be a dick to Senator Elizabeth Warren? Or did Mulvaney merely toss ethics in his handling of CFPB including the Equifax investigation as payback for campaign contributors when he represented South Carolina as a congressman?

Perhaps it’s simply an interesting coincidence that a former Trump campaign team member who has been charged with multiple counts of bank and tax fraud, just happened to sit on ID Watchdog’s board of directors while he committed aforementioned fraud.

Maybe it’s just a weird quirk of fate that Equifax bought ID Watchdog around the same time it was being hacked a second time, potentially exposing Rick Gates’ credit records (and Paul Manafort’s) along with those of +145.5 million other consumers.

But it seems a massive stretch for us not to look a little further when Trump’s OMB director commits the CFPB to a slow death by budgetary starvation before icing the Equifax investigation and ID Watchdog’s role along with it.