NYT’s Churlish Vote Hacking Story Should Name Reality Winner

/11 Comments/in , /by

NYT has a story reporting that that there has been almost no forensic analysis to find out whether Russian attempts to tamper with localized voting infrastructure had any effect on the election.

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

It’s a worthwhile story that advances the current knowledge about these hacks in several ways. It reveals that several other election services companies got breached.

Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

It reveals a local investigation (which had already been reported) into one county that used VR systems, Durham, North Carolina, did not conduct the forensic analysis necessary to rule out a successful hack.

In Durham, a local firm with limited digital forensics or software engineering expertise produced a confidential report, much of it involving interviews with poll workers, on the county’s election problems. The report was obtained by The Times, and election technology specialists who reviewed it at the Times’ request said the firm had not conducted any malware analysis or checked to see if any of the e-poll book software was altered, adding that the report produced more questions than answers.

And it describes other counties that experienced the same kind of poll book irregularities that Durham had.

In North Carolina, e-poll book incidents occurred in the counties that are home to the state’s largest cities, including Raleigh, Winston-Salem, Fayetteville and Charlotte. Three of Virginia’s most populous counties — Prince William, Loudoun, and Henrico — as well as Fulton County, Georgia, which includes Atlanta, and Maricopa County, Arizona, which includes Phoenix, also reported difficulties. All were attributed to software glitches.

That said, the headline and the second framing paragraph (following the “After a presidential campaign scarred by Russian meddling” one above) suggest no one else has been looking at this question.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found.

That’s particularly churlish given that NYT’s story so closely resembles a superb NPR story published on August 10.

Both stories focus on Durham County, NC. Both stories start with an extended description of how things went haywire as people showed up to vote. Both rely heavily on someone who worked Election Protection’s help lines on election day, Susan Greenhalgh.

It’s not just NPR. One of NYT’s other premises, that no one knew how many states were affected, was reported back in June by Bloomberg (which gave an even higher number for the total of states affected). Another detail — that local officials still don’t know whether they’ve been hacked because they don’t have clearance — has been reported by Motherboard and NPR, among others.

And, like both the NPR Durham story and the Bloomberg one, NYT also invokes the Intercept’s report on this from June.

Details of the breach did not emerge until June, in a classified National Security Agency report leaked to The Intercept, a national security news site.

But unlike Bloomberg (and like NPR) NYT doesn’t mention that Reality Winner is in jail awaiting trial, accused of having leaked that document (as I noted about the Bloomberg article, it’s highly likely the multiple “current and former government officials” who served as sources for this story won’t face the same plight Winner is).

I get that outlets may have a policy against naming someone in a case like this. But if you’re going to claim people aren’t paying attention to this issue, it’s the least you can do to actually inform readers that someone risked her freedom to bring attention to the matter, and the government has successfully convinced a judge to prohibit her from even discussing why leaking the document was important.

By all means, let’s have more analysis of whether votes were affected. But let’s make sure the people who are actually trying to generate more attention get the credit they deserve.

MalwareTech’s Case Gets Complex

/15 Comments/in /by

Today, prosecutor Michael Chmelar and Marcus Hutchins’ lawyers, Marcia Hofmann and Brian Klein, had a phone meeting with judge Nancy Johnson.

Hutchins’ lawyers got the judge to agree to further loosen his bail terms (putting him on a curfew rather than house arrest, it appears). But, after agreeing willingly to most requests last week, the government is now objecting to the change, asking for a stay and reconsideration. Recall, too, that AUSA Michael Chmelar had tacitly agreed to have Hutchins taken off GPS monitoring. We will likely see the substance of their complaint in a motion in the coming days.

The other thing that happened — again, as I reported would happen here — the case got deemed complex, meaning the trial can be delayed without a violation of the Speedy Trial Act. The minutes describe the judge’s approval of the motion for these reasons.

Based on the information presented here, the nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter COMPLEX.

The most interesting detail here is that independent testing may be required. Probably — especially given researchers are already raising doubts — Hutchins’ lawyers are going to get outside experts to check the government claims that the code sold in Kronos came from Hutchins.

Another detail from the minutes is that Hutchins’ lawyers object to the redaction of the indictment.

The Government gives background of this case and notes that defendant Hutchins is the only party to appear thus far.

[snip]

The defense notes that it objects to the redaction of the Indictment.

The WI courthouse already accidentally revealed the name of Hutchins’ co-defendant, Tran.

In spite of some effort, no one I’ve seen has identified a likely (and sufficiently interesting) co-defendant whose last name is Tran — or a connection between that name and VinnyK, the name currently associated with selling the malware. Presumably, if the co-defendant’s aliases were unsealed, it would be easier for researchers to understand what Hutchins has been accused of, and who he has been accused of conspiring with.

As for the discovery, some of that was provided in the minutes. As I noted, the government turned over Hutchins’ custodial interview (curiously, the minutes don’t specify that they were with the FBI) and the recordings of two calls.

 The government will be following its open file policy. To date, the defendant has provided the defense with the following:

– 1 CD with post arrest statements

– CD with 2 audio recordings from the county jail in Nevada. (The government is awaiting a written transcript from the FBI.)

Here’s what’s left to discovery, with my comments interspersed.

In addition, there are:

– 150 pages of Jabber chats between the defendant and an individual (somewhat redacted).

Were these encrypted or group chats? If the former, via what means did FBI decrypt them? Did someone hand them over to the FBI?

– Business records from Apple, Google and Yahoo.

These would be accessible via Section 702 (though, given the lack of a FISA notice, would likely have been backstopped via subpoena if they were collected via 702).

– Statements (350 pages) to the defendant from another internet forum which were seized by the government in another District.

The government provides no details on what the location (US or overseas) of this forum is — and they describe it as statements to Hutchins rather than statements by him. But their existence shows that another District had enough interest in some conversations Hutchins happened to be involved in that they collected — via whatever means — this forum.

– 3-4 samples of malware

At a minimum, the government needs 3 pieces of malware: Kronos before Hutchins allegedly updated it, Kronos after he did, and the version of Kronos that got sold. Apparently, the government hasn’t decided how many versions they’ll give the defense. And all that still leaves the question of victims; to prove that anything Hutchins did affected any Americans they might need more malware.

In part for that reason, I suspect independent researchers will continue to look for their own publicly available samples.

– A search warrant executed on a third party which may contain some privileged information.

As with the other forum, this suggests the FBI or some other agency was interested enough in another case — or a corporation — such that some kind of privilege might apply. This could, in fact, be a victim.

All of that is what led the defense to request (after the government already said it would do the same, having initially said this wouldn’t be a complex case) that this should be deemed complex, in part so Hutchins’ team can have a couple of months to review what they’re looking at.

The parties agree that the case should be designated as complex. Information is still being obtained from multiple sources. The issues are complex[.] The defendant requests 45-60 days in which to review the discovery. The government notes that it is in agreement with the request.

So it’s a complex case and it’ll drag on until such time as the government gets more coercive to get whatever it is they’re after or they drop the case.

A Tale of Two Malware Researchers: DOJ Presented Evidence Yu Pingan Knew His Malware Was Used as Such

/in /by

The government revealed the arrest in California of a Chinese national, Yu Pingan, who is reportedly associated with the malware involved in the OPM hack.

The complaint that got him arrested, however, has nothing to do with the OPM hack. Rather, it involves four US companies (none of which are in the DC area), at least some of which are probably defense contractors.

Company A was headquartered in San Diego, California, Company B was headquartered in Massachusetts, Company C was headquartered in Los Angeles, California, and Company D was headquartered in Arizona.

Yu is introduced as a “malware broker.” But deep in the affidavit, the FBI describes Yu as running a site selling malware as a penetration testing tool.

UCC #1 repeatedly obtained malware from YU. For example, on or about March 3, 2013, YU emailed UCC #1 samples of two types of malware: “adjesus” and “hkdoor.” The FBI had difficulty deciphering adjesus, but open source records show that it was previously sold as a penetration testing tool (which is what legitimate security researchers call their hacking. tools) on the website penelab.com.5 Part of the coding for the second piece of malware, hkdoor, indicated that “Penelab” had created it for a customer named “Fangshou.”6 Seized communications and open source records show that YU ran the penelab.com website (e.g., he used his email address and real name to register it) and that UCC #1 used the nickname “Fangshou.”

For that reason — and because Yu was arrested as he arrived in the US for a conference — a few people have questioned whether a fair comparison can be made between Yu and Marcus Hutchins, AKA MalwareTech.

It’s an apples to oranges comparison, as DOJ rather pointedly hasn’t shared the affidavit behind Hutchins’ arrest warrant, so we don’t have as much detail on Hutchins. That said, Hutchins’ indictment doesn’t even allege any American victims, whereas Yu’s complaint makes it clear he (or his malware) was involved in hacking four different American companies (and yet, thus far, Yu has been accused with fewer crimes than Hutchins has).

In any case, at least what we’ve been given shows a clear difference. Over a year before providing Unindicted Co-Conspirator 1 two more pieces of malware, the complaint shows, UCC #1 told Yu he had compromised Microsoft Korea’s domain.

YU and UCC #1 ‘s communications include evidence tying them to the Sakula malware. On or about November 10, 2011, UCC #1 told YU that he had compromised the legitimate Korean Microsoft domain used to download software updates for Microsoft products. UCC #1 provided the site http://update.microsoft.kr/hacked.asp so YU could confirm his claim. UCC #1 explained that he could not use the URL to distribute fraudulent updates, but the compromised site could be used for hacking attacks known as phishing.

So unlike in Hutchins’ case, DOJ has provided evidence (and there’s more in the affidavit) that Yu knew he was providing malware to hack companies.

Indeed, unless the government has a lot more evidence against Hutchins (more on that in a second), it’s hard to see why they’ve been charged with the same two crimes, Conspiracy to violate CFAA and CFAA.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

/8 Comments/in , /by

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Starting 3 months after passage of the Intel Authorization, it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in timely fashion, so disclosing them may not make end users any safer.

There would be an unclassified report on the aggregate reporting of vulnerabilities both at the government level and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?

SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).

Senate Intelligence Bill Aims to Label WikiLeaks — and Maybe the Journalists Who Look Like Them — Spooks

/11 Comments/in , /by

I’m reading the draft Senate Intelligence Authorization for 2018; in a follow-up, I will lay out why it is a remarkably useful bill, particularly in the way it addresses vulnerabilities identified in the wake of the Russian efforts to tamper with our election.

But there is a major point of concern, one which led Senator Ron Wyden to vote against the bill in committee. Attached to a must-pass bill, it holds that it is the sense of Congress that WikiLeaks resembles a non-state hostile intelligence service.

SEC. 623. SENSE OF CONGRESS ON WIKILEAKS.

It is the sense of Congress that WikiLeaks and the senior leadership of WikiLeaks resemble a non-state hostile intelligence service often abetted by state actors and should be treated as such a service by the United States.

In explaining his opposition to the provision, Wyden laid out all the unintended consequences that might come from labeling WikiLeaks a hostile intelligence service. “My concern is that the use of the novel phrase ‘non-state hostile intelligence service’ may have legal, constitutional, and policy implications, particularly should it be applied to journalists inquiring about secrets,” stated Senator Wyden. “The language in the bill suggesting that the U.S. government has some unstated course of action against ‘non-state hostile intelligence services’ is equally troubling. The damage done by WikiLeaks to the United States is clear. But with any new challenge to our country, Congress ought not react in a manner that could have negative consequences, unforeseen or not, for our constitutional principles. The introduction of vague, undefined new categories of enemies constitutes such an ill-considered reaction.”

Wyden has a point. If WikiLeaks is treated as an intelligence service, for example, then anyone having extensive conversations with them can be targeted for surveillance. Any assistance someone gives — like donations — can be deemed a potential criminal violation. And a lot of people who access and support Wikileaks because of the content it publishes may be deemed suspect.

Wyden did find other things in the bill to praise, including three things he sponsored, two of them explicitly tied to the Russian threat:

  1. A report on the threat to the United States from Russian money laundering. The amendment calls on intelligence agencies to work with elements of the Treasury Department’s Office of Terrorism and Financial Intelligence, such as the Financial Crimes Enforcement Network (FinCEN), to assess the scope and threat of Russian money laundering to the United States.
  2. Requires Congressional notification before the establishment of any U.S.-Russia cybersecurity unit, including a report on what intelligence will be shared with the Russians, any counterintelligence concerns, and how those concerns would be mitigated.
  3. A report from the Intelligence Community on whether cyber security vulnerabilities in the U.S. cell network, including known vulnerabilities to SS7, are resulting in foreign government surveillance of Americans. The report follows on a study by the Department of Homeland Security that found major, widespread weaknesses in U.S. mobile networks.

But he nevertheless voted against the bill to register his concerns about the new label for WikiLeaks.

The WikiLeaks language would sure make it harder for Trump to exchange information with Julian Assange in exchange for a pardon. But tacking this onto such an otherwise useful bill seems like a bad idea.

Government Aims to Protect Other Ongoing Investigations in MalwareTech Case

/3 Comments/in , /by

In its request for a protection order governing discovery materials turned over to the defense in the Marcus Hutchins/MalwareTech case, the government provided this explanation of things it needed to keep secret.

The discovery in this matter may include information related to other ongoing investigations, malware, and investigative techniques employed by the United States during its investigation of Mr. Hutchins and others.

The government will always aim to protect investigative techniques — though in an international case investigating hackers, those techniques might well be rather interesting. Of particular interest, the government wants to hide techniques it may have used against Hutchins … and against others.

The government’s claim it needs to hide information on malware will disadvantage researchers who are analyzing the Kronos malware in an attempt to understand whether any code Hutchins created could be deemed to be original and necessary to the tool. For example, Polish researcher hasherezade showed that the hooking code Hutchins complained had been misappropriated from him in 2015, when the government claims he was helping his co-defendant revise Kronos, was not actually original to him.

The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet, that cybercriminals stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas. However, it turned out that this technique was described much earlier (i.e. here//thanks to  @xorsthings for the link ), and both authors learned it from other sources rather than inventing it.

Hasherezade may well have proven a key part of the government’s argument wrong here. Or she may be missing some other piece of code the government claims comes from Hutchins. By hiding any discussions about what code the government is actually looking at, though, it prevents the security community from definitely undermining the claims of the government, at least before trial.

Finally, there’s the reference to other, ongoing investigations.

One investigation of interest might be the Kelihos botnet. In the April complaint against Pyotr Levashov, the government claimed that the Kelihos botnet had infected victims with Kronos malware.

In addition to using Kelihos to distribute spam, the Defendant also profits by using Kelihos to directly install malware on victim computers. During FBI testing, Kelihos was observed installing ransomware onto a test machine, as well as “Vawtrak” banking Trojan (used to steal login credentials used at financial institutions), and a malicious Word document designed to infect the computer with the Kronos banking Trojan.

Unlike known uses of Kronos by itself, Kelihos is something that has victimized people in the United States; the government has indicted and is trying to extradite Pyotr Levashov in that case. So that may be one investigation the government is trying to protect.

It’s also possible that, in an effort to pressure Hutchins to take a plea deal, the government is investigating allegations he engaged in other criminal activity, activity that would more directly implicate him in criminal hacking. There’s little (aside from statutes of limitation) to prevent the government from doing that, and their decision to newly declare the case complex may suggest they’re threatening more damaging superseding indictments against Hutchins, if they can substantiate those allegations, to pressure him to take a plea deal.

Finally, there’s WannaCry. As I noted, while the government lifted some of the more onerous bail conditions on Hutchins, they added the restriction that he not touch the WannaCry sinkhole he set up in May. The reference to ongoing investigations may suggest the government will be discussing aspects of that investigation with Hutchins’ defense team, but wants to hide those details from the public.

Update: I’ve corrected the language regarding Kelihos to note that this doesn’t involve shared code. h/t ee for finding the reference.

Dana Rohrabacher Brokering Deal for Man Publishing a CIA Exploit Every Week

/26 Comments/in , , /by

Yesterday, right wing hack Charles Johnson brokered a three hour meeting between Dana Rohrabacher and Julian Assange. At the meeting, Assange apparently explained his proof that Russia was not behind the hack of the DNC. In a statement, Rohrabacher promises to deliver what he learned directly to President Trump.

Wikileaks founder Julian Assange on Wednesday told Rep. Dana Rohrabacher that Russia was not behind leaks of emails during last year’s presidential election campaign that damaged Hillary Clinton’s candidacy and exposed the inner workings of the Democratic National Committee.

The California congressman spent some three hours with the Australian-born fugitive, now living under the protection of the Ecuadorian embassy in the British capital.

Assange’s claim contradicts the widely accepted assessment of the U.S. intelligence community that the thousands of leaked emails, which indicated the Democratic National Committee rigged the nomination process against Sen. Bernie Sanders in favor of Clinton, were the result of hacking by the Russian government or persons connected to the Kremlin.

Assange, said Rohrabacher, “emphatically stated that the Russians were not involved in the hacking or disclosure of those emails.” Rohrabacher, who chairs the House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats, is the only U.S. congressman to have visited the controversial figure.

The conversation ranged over many topics, said Rohrabacher, including the status of Wikileaks, which Assange maintains is vital to keeping Americans informed on matters hidden by their traditional media. The congressman plans to divulge more of what he found directly to President Trump.

I’m utterly fascinated that Assange has taken this step, and by the timing of it.

It comes not long after Rod Wheeler’s lawsuit alleging that Fox News and the White House worked together to invent a story that murdered DNC staffer Seth Rich was in contact with WikiLeaks. Both that story and this one have been promoted aggressively by Sean Hannity.

It comes in the wake of the VIPS letter that — as I’ve begun to show — in no way proves what it claims to prove about the DNC hack.

It comes just after a very long profile by the New Yorker’s Raffi Khatchadourian, who has previously written more sympathetic pieces about Assange. I have a few quibbles with the logic behind a few of the arguments Khatchadourian makes, but he makes a case — doing analysis on what documents got released where that no one else has yet publicly done (and about which numerous people have made erroneous claims in the past) — that Assange’s claims he wasn’t working with Russia no longer hold up.

But his protestations that there were no connections between his publications and Russia were untenable.

[snip]

Whatever one thinks of Assange’s election disclosures, accepting his contention that they shared no ties with the two Russian fronts requires willful blindness. Guccifer 2.0’s handlers predicted the WikiLeaks D.N.C. release. They demonstrated inside knowledge that Assange was struggling to get it out on time. And they proved, incontrovertibly, that they had privileged access to D.N.C. documents that appeared nowhere else publicly, other than in WikiLeaks publications. The twenty thousand or so D.N.C. e-mails that WikiLeaks published were extracted from ten compromised e-mail accounts, and all but one of the people who used those accounts worked in just two departments: finance and strategic communications. (The single exception belonged to a researcher who worked extensively with communications.) All the D.N.C. documents that Guccifer 2.0 released appeared to come from those same two departments.

The Podesta e-mails only make the connections between WikiLeaks and Russia appear stronger. Nearly half of the first forty documents that Guccifer 2.0 published can be found as attachments among the Podesta e-mails that WikiLeaks later published.

The Assange-Rohrabacher meeting also follows a NYT story revealing that the author of a piece of malware named in the IC’s first Joint Analysis Report of the DNC hack, Profexor, has been cooperating with the FBI. The derivative reports on this have overstated the connection Profexor might have to the DNC hack (as opposed to APT 28, presumed to be associated with Russia’s military intelligence GRU).

A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking.

Mr. Gerashchenko described the author only in broad strokes, to protect his safety, as a young man from a provincial Ukrainian city. He confirmed that the author turned himself in to the police and was cooperating as a witness in the D.N.C. investigation. “He was a freelancer and now he is a valuable witness,” Mr. Gerashchenko said.

It is not clear whether the specific malware the programmer created was used to hack the D.N.C. servers, but it was identified in other Russian hacking efforts in the United States.

But Profexor presumably is describing to the FBI how he came to sell customized access to his tool to hackers working for Russia and who those hackers were.

In other words, this bid by Assange to send information to Trump via someone protected by the Constitution’s Speech and Debate Clause, but who is also suspected — even by his Republican colleagues! — of being on Russia’s payroll, comes at a very interesting time, as outlets present more evidence undermining Assange’s claims to have no tie to Russia.

Coming as it does as other evidence is coming to light, this effort is a bit of a Hail Mary by Assange: as soon as Trump publicizes his claims (which he’ll probably do during tomorrow’s shit-and-tweet) and they get publicly discredited, Assange (and Trump) will have little else to fall back on. They will have exposed their own claims, and provided the material others can use to attack Trump’s attempts to rebut the Russia hack claims. Perhaps Assange’s claims will be hard to rebut; but by making them public, finally, they will be revealed such that they can be rebutted.

I’m just as interested in the reporting on this, though, which was first pushed out through right wing outlets Daily Caller and John Solomon.

The story is presented exclusively in terms of Assange’s role in the DNC hack, which is admittedly the area where Assange’s interests and Trump’s coincide.

Yet not even the neutral LAT’s coverage of the meeting, which even quotes CIA Director and former Wikileaks fan Mike Pompeo,mentions the more immediate reason why Assange might need a deal from the United States. Virtually every week since March, Wikileaks has released a CIA exploit. While some of those exploits were interesting and the individual exploits are surely useful for security firms, at this point the Vault 7 project looks less like transparency and more like an organized effort to burn the CIA. Which makes it utterly remarkable a sitting member of Congress is going to go to the president to lobby him to make a deal with Assange, to say nothing of Assange’s argument that Wikileaks should get a White House press pass as part of the deal.

Dana Rohrabacher is perhaps even as we speak lobbying to help a guy who has published a CIA hack of the week. And that part of the meeting is barely getting notice.

Government Changes Its Tune about MalwareTech

/20 Comments/in /by

Marcus Hutchins, AKA MalwareTech, just plead not guilty at his arraignment in Milwaukee, WI. After the hearing, his attorney, Marcia Hofmann, called him a “hero” and said he would be fully vindicated.

A dramatic change in the tone of the government suggested that might well be the case. Whereas at Hutchins’ Las Vegas hearing, the government used his appearance at a tourist-focused gun range in an attempt to deny him bail, here, the government was amenable to lifting many of the restrictions on his release conditions. Hutchins will be able to live in Los Angeles, where his other attorney, Brian Klein, is. He will be able to continue working. He can travel throughout the US, though he cannot leave the country (though his defense tried to get him released to the UK).

About the only major restriction — aside from GPS monitoring and monitoring by pretrial services — is that he can’t touch the WannaCry sinkhole.

The government’s attorney, Michael Chmelar, described Hutchins’ alleged crimes as “historic,” a seeming concession that he’s not currently a threat. That said, while the government had not deemed this a complex crime when they indicted Hutchins back on July 11, Chmelar said he expected they would do so in the coming weeks. The trial is currently scheduled for October, but with a complex designation, that will slide.

Chmelar said that they had or would turn over today both Hutchins’ FBI interview, as well as two other recorded phone calls. The rest of discovery will be delayed until the defense signs a protection order.

Perhaps the funniest part of the hearing came when the lawyers tried to help Magistrate William Duffin understand what a “sinkhole” is.

Update: Fixed spelling of Hofmann’s last name–sorry Marcia!

Update: Forgot to mention — the case was assigned to JP Stadtmueller, a 75-year old Reagan appointee, formerly the Chief Judge of EDWI.

Marcus Hutchins, the Word of God

/2 Comments/in /by

Motherboard obtained the hearing transcript from Marcus Hutchins (AKA MalwareTech) court hearing on August 4. It reveals precisely the oblique language Prosecutor Dan Cowhig actually used, which got reported very differently, to explain Hutchins’ alleged admission to have authored the Kronos malware.

In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.

Compare that to this allegation, in Hutchins’ indictment.

It’s a very different thing to create code that may make up part of a package that would be sold on AlphaBay as malware and to write code that makes up part of the code ultimately packaged and sold as malware. It seems likely the government overstated what they had evidence of in the indictment (and, one wonders, to the grand jury), which might, in turn, significantly alter questions of intent.

Even with the government’s claim that Hutchins discussed getting paid for his code in chat logs (we’ll see about their provenance and accuracy after Hutchins goes broke trying to pay the bills in WI without a job, I guess), it’s not entirely clear the government even claims to have evidence that Hutchins wanted to sell a tool to rip off banks.

Which means that any eventual trial (assuming Hutchins doesn’t plea out of desperation) may turn on textual analysis of what it was some agents in WI bought off the dark web and what Hutchins coded years ago.

Three Things: Non-Nuclear Proliferation

/3 Comments/in , , , /by

The entire social media universe has been panicking over Fearless Leader’s whacked-out statement on North Korea at the end of his bigly speech yesterday on opioids. His hyperbole was on par with his decades of hawkishness about nuclear weapons, so both unsurprising while infuriating.

What I want to know: did he say what he did to distract from the Trump-Russia investigation underway, and/or did he say what he did roughly 30 minutes before the stock market closed for somebody’s benefit? I’d love to know who might have been short selling yesterday afternoon and this morning after his recent petulant tweet hyping the stock market’s record highs. Things don’t look good today, either, in spite of calming noises from Secretary of Exxon Tillerson.

[source: Google Finance]

Whatever. Let’s look at some non-nuclear matters.

~ 3 ~

The New York Times’ op-ed, Our Broken Economy, trended yesterday morning on Twitter and is still making waves today. It’s a pretty good read with compelling charts, if not very deep. Morons across the internet have misinterpreted what it tells us, which is that income has stagnated or fallen for the majority of the U.S. while the income of the uppermost 1% to .01% has skyrocketed in less than a decade. Loss of leverage in wage negotiations due to union busting and the skyrocketing cost of secondary education have held back the lower 80%.

What has most recently ‘weaponized’ the growth of income, while destroying any illusion of the American dream? In my opinion, three things contributed the most:

— the loss of Glass-Steagall Act and the subsequent unmooring of the financial industry from risk-reducing practices which siloed capital;

Citizens United, which exacerbated the trend toward regulatory capture;

— the financial crash of 2008 and the subsequent loss of wealth for the lower 80% in terms of savings, investments, and property ownership.

But a fourth, rapidly growing factor is making difference and may also be exploding as an unintended consequence of legislation passed in 2007 requiring a larger percentage of margin on commodities trading. Algorithmic trading, conducted out of sight, skimming from every trade, on stocks rather than on commodities and at inhuman speed and scale, has increased unearned wealth but only for the very wealthiest.

Matt Bruenig says we must confront capital. Yes, but I think the appeal to do so is based in fairness, a universal ethic. A system which distorts pricing by not allocating true and full costs of the commons consumed to products and services  sold is unfair. It is not a ‘free market’ and certainly not a fair when the playing field isn’t level and not every business pays for what it consumes of the commons.

And it’s not fair when businesses deliberately suppress wages below workers’ real cost of living. That’s slavery. We don’t need charts to tell us something is wrong when the prevailing wage won’t provide meager shelter and food.

~ 2 ~

The effect of Michigan’s criminal state government on Flint doesn’t remain in Flint. More than 70 new cases of Legionnaires disease have been reported in southeastern Michigan; this time the state’s health authorities have been prompt about reporting them, unlike the shoddy reporting around cases 2-3 years ago directly related to the water in Flint.

I will bet good money many of these new cases have a link to Flint since the water system has still not been completely replaced.

Eclectablog reminds us Flint’s Water Crisis is now at Day 678 and the city has yet to be made whole though Michigan’s Gov. Rick Snyder admitted he knew that Flint’s drinking water was poisoned with lead. There are still Flint residents who cannot drink their tap water without the use of a water filter.

Given the outbreak of Legionnaires disease, I wonder how many more Michiganders may actually sicken and die because of Rick Snyder’s handling of Flint’s financial emergency and the water system.

~ 1 ~

You might already have read about the lawsuit filed against Disney for its failure to protect children’s privacy; I know Marcy tweeted about it. More than 40 applications Disney developed and sold collect information without consent about the kids using them, putting them at risk, in violation of the Children’s Online Privacy Protection Act (COPPA).

But here’s what really bugs me about this on top of the privacy problems: Disney not only had a history with violating COPPA; the government went after them in 2011 and 2014 for problems with Playdom and MarvelKids. Disney must have known competitors Mattel and VTech had problems with their network-enabled electronic toys breaching children’s privacy circa November 2015. Why did Disney fail to remediate their 43 applications more than 18 months ago when both Mattel and VTech were under fire?

Disclosure: I own Disney stock. And yes, I’m thinking shareholders should be pissed off about this failure to disclose a material risk in financial reports BEFORE parents filed a lawsuit.

~ 0 ~

That’s it for now. See you tomorrow if we haven’t already been fried to a crisp. This is an open thread – treat each other nicely.