The Implications of DOJ’s FOIA “Lies”

/5 Comments/in , /by

On Thursday, we learned it has been the practice of DOJ for nearly a quarter century to provide misleading information in response to FOIAs asking for certain kinds of information–broadly, ongoing investigations, informants, and foreign intelligence.

In this post I want to consider how the practice may be ripe for abuse.

Here’s the statutory language in question, Section 552(c) of FOIA:

(c)(1) Whenever a request is made which involves access to records described in subsection (b)(7)(A) [ed: this is the law enforcement exception] and – (A) the investigation or proceeding involves a possible violation of criminal law; and (B) there is reason to believe that (i) the subject of the investigation or proceeding is not aware of its pendency, and (ii) disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, the agency may, during only such time as that circumstance continues, treat the records as not subject to the requirements of this section.

(2) Whenever informant records maintained by a criminal law enforcement agency under an informant’s name or personal identifier are requested by a third party according to the informant’s name or personal identifier, the agency may treat the records as not subject to the requirements of this section unless the informant’s status as an informant has been officially confirmed.

(3) Whenever a request is made which involves access to records maintained by the Federal Bureau of Investigation pertaining to foreign intelligence or counterintelligence, or international terrorism, and the existence of the records is classified information as provided in subsection (b)(1) [ed: this is the exemption for information that has been properly classified according to Executive Order], the Bureau may, as long as the existence of the records remains classified information, treat the records as not subject to the requirements of this section.

Let’s take each of these in order.

Ongoing Legal Investigation

The first exclusion–for information that might tip the subject of an investigation into a potential crime to that investigation and therefore lead her to, for example, destroy evidence–makes a bit of sense.

But it seems ripe for abuse in several ways.

First, DOJ can only exclude these files if “the subject of the investigation or proceeding is not aware of its pendency.” But DOJ gets to decide whether the subject of an investigation really “knows” she is being investigated or not. As the Meese Guidelines governing this practice explain,

Obviously, where all investigative subjects already are aware of an investigation’s pendency, the “tip off” harm sought to be prevented through this record exclusion is not of concern. Accordingly, the language of this exclusion requires agencies to consider the level of awareness already possessed by all investigative subjects involved as they consider employing it. It is appropriate that agencies do so, as the statutory language provides, according to a good-faith, “reason to believe” standard, which closely comports with the “could reasonably be expected to” standard utilized both within this exclusion and in the amended form of Exemption 7(A).

This “reason to believe” standard for considering a subject’s pre-existing awareness should afford agencies all necessary latitude in making such determinations. As the exclusion is phrased, this requirement is satisfied so long as an agency determines that it affirmatively possesses “reason to believe” that such awareness does not in fact exist. Read more

Share this entry

The Dangers of Hiring BAE’s Mercenaries

/24 Comments/in , , /by

How stupid was Moammar Qaddafi, who reportedly hired the same mercenary firm that tried to take out Equatorial Guinea’s dictator in 2004?

A total of 50 private soldiers, including 19 South Africans, are reported to have travelled to Libya on instructions to smuggle the former dictator from his birthplace of Sirte over the border to Niger.

Among them were said to be members of the team led by former SAS officer Simon Mann on the “Wonga coup” to unseat Equatorial Guinea’s dictator.

In addition to Simon Mann, after all, those plotters also had ties to Mark Thatcher, Maggie’s kid. And in addition to Sir Mark’s involvement with that coup attempt, Thatcher was involved in the BAE kick-back scheme with Saudi Arabia. And that scheme reportedly funded covert operations … presumably things like the Wonga coup. Led by the same Saudi family the head of which Qaddafi allegedly tried to assassinate.

Perhaps, after Qaddafi’s “secret” deal with Britain on the Lockerbie bomber, he thought he could trust the same mercenaries tied to a very British coup. Or perhaps he was just in a pinch and couldn’t get any more reliable mercenaries to help him escape Libya.

But it appears Qaddafi shouldn’t have trusted these particular mercs.

It has been alleged that one of the security firms who provided mercenaries for the mission may have acted as a “double agent”, helping Nato to pinpoint Gaddafi’s convoy for attack, and that the dictator’s escape was “meant to fail”.

[snip]

A source in the private security sector said it was “highly likely” that one of those involved deliberately recruited mercenaries who were ill-equipped to handle the mission.

“These guys did not have the experience to be successful,” he said. “The formation of the convoy, the way they tried to leave Sirte, it’s clear they were meant to fail.

“Someone got paid to protect him and at the same time to deliver him.”

Which makes it all the more interesting that Hillary was hanging out in Libya they day before Qaddafi was assassinated. I have noted how convenient it is that Qaddafi didn’t survive to testify at the ICC about how Ibn Sheikh al-Libi was suicided so conveniently; the same is true of his Lockerbie deal. I guess if you own the mercs “protecting” someone, it becomes a lot easier to arrange such convenient assassinations?

I guess dictators today can’t find mercenaries like they used to.

Share this entry

Is DOJ Trying to Hide Valerie Plame at the Sterling Trial?

/10 Comments/in , , /by

While I was away in South Carolina, the government released the redacted copy of Leonie Brinkema’s order on several issues relating to the Jeffrey Sterling case (the government immediately appealed aspects of this ruling).

There are several interesting aspects of the ruling. First, Brinkema refused to let the government admit the talking points Condi Rice used to convince the NYT not to publish the Merlin story back in 2003 without Rice testifying herself. Although the ruling will probably have a negligible affect in this case, I nevertheless find it ironic, given that the government gave up prosecuting two former AIPAC employees when their defense attorney Abbe Lowell threatened to call Rice to testify about her A1 cutout habits.

Also, Brinkema is allowing the government to introduce a redacted copy of Sterling’s 2000 performance evaluation, presumably so they can argue that Sterling leaked the details about Merlin out of anger that his Equal Opportunity complaint went nowhere. I find this troubling. When that suit was litigated, the government declared state secrets over something, presumably the real performance review. Given the possibility the review referred to Merlin, it seems unfair to allow the government to use the performance review against Sterling without releasing the whole thing (if that is, in fact, what the government invoked state secrets over).

But I’m most interested in what Brinkema’s order suggests about the government’s effort to deal with CIA witnesses. The government, it appears, wants to keep the names of 10 former and current CIA employees who will testify secret from both the defense and the jury.

[T]he Court will hold in abeyance pending further briefing the Government’s request not to disclose, even under seal, to the defendant or jury the true names of these witnesses as they testify.

Brinkema’s planned approach–in addition to using screens to hide the witnesses, she plans to delay the time when potential jurors would get a list of potential witnesses–suggests these names might be publicly recognizable.

Specifically, asking potential jurors if they recognize the names of any witnesses will be delayed until a qualified pool of jurors is established and jurors stricken for cause have been excused from the courtroom. Then, as groups of jurors are considered for peremptory challenge, they will be shown an alphabetical list containing the full names of all witnesses, with no other identifying information. Any jurors recognizing a witness’s name will be stricken for cause. Because the witness list will contain the full names of many CIA employees whose identities the Government wants to protect, it will remain classified; however, a redacted list will become part of the public record.

Of course, this trial will take place in Northern Virginia; it’s quite possible that these CIA witnesses are neighbors or friends of potential jurors. And the government has a clear interest in preventing these potential jurors from learning that their neighbors are actually spooks.

But as the video above makes clear, at least one of the former CIA employees who might be called to testify, Valerie Plame, would be recognizable to a far larger group of people–those who even remotely followed the CIA Leak Case (I think Valerie would have been on maternity leave during the actual events described in Risen’s book). And this filing (see PDF 5-6)–an argument laying out Pat Lang’s proposed testimony refuting the government’s claim that the information Sterling allegedly leaked hurt the country–shows Lang read the FBI interview reports of 22 witnesses; the last name of two of those witnesses, one classified, one apparently not, starts with a “W.”

Mind you, I’m not suggesting the government doesn’t already have very good reason to want to hide the CIA affiliation of these 10 proposed witnesses–they do, which is part of the reason their case may be in trouble, since these witnesses will be used, in part, to prove Sterling’s alleged leaks were serious. Sterling has a clear right to confront his accusers, but the government wants to ensure he doesn’t even know their real names (this may be one of the things the government is appealing).

But I wanted to raise the possibility that they want to hide at least one of these identities not because the identity remains classified–Dick Cheney ruined that–but instead out of a desire to avoid confirming that Plame played a role in the Merlin operation.

Share this entry

The Army Teaches American Culture to Americans

/20 Comments/in , /by

Sorry for my absence over the last week. Mr. EW and I drove to South Carolina to visit his family. I had thought I’d get posting time. It didn’t work out that way.

Profuse thanks to Jim White and bmaz for watching the shop while I was gone.

While I was in SC, I read this Secrecy News piece about the cultural literacy flash cards the Army had developed for soldiers serving in Afghanistan.

These cards can be used in many different ways, but they are designed as ―fillers‖ to be taken out of your ACU pocket and used between tasks or waiting for the next training to begin. Soldiers must understand how vital culture is in accom-plishing today’s missions. Military personnel who have a superficial or even dis-torted picture of a host culture make enemies for the United States. Each Soldier must be a culturally literate ambassador, aware and observant of local cultural be-liefs, values, behaviors and norms.

I was interested in the cards because I’ve had several conversations with fans of CounterInsurgency doctrine. Repeatedly, I’ve argued the US is never going to be good at COIN, because Americans generally–and a good proportion of grunt recruits more specifically–are too parochial to be able to execute COIN, which requires a fairly acute sensitivity to culture. Hell, we don’t even learn other languages–not even Spanish, which is virtually a second language in this country. So I was curious about how the Army tried to overcome this parochialism.

The cards struggle to explain what culture is, generally.

Humans are biologically equipped to create and use culture. Culture is all knowl-edge passed from one generation to another. Culture can be divided into symbolic culture and material culture. Symbolic culture is all of a group’s ideas, symbols and languages. Material culture is tools, clothing, houses and other things that people make or use. It is all human inventions: from stone tools to spacecraft.
[Critical Thinking: What kinds of culture do we take for granted in everyday life?] [brackets and emphasis original]

Having tried to get honors college freshman to understand culture, I get that this is a tough concept for relatively sheltered young adults to understand. The cards, curiously, didn’t ask readers to do what has worked for me in the past–a straight inventory of differences between one’s own culture and that of others. Rather, it spent pages laying out Afghan culture (without, IMO, distinguishing sufficiently between Pashtun and other Afghan cultures). And then included one page (see page 31) describing what the card authors believe American culture to be. Here’s how the cards describe “the characteristics of American Culture”:

  • Fast-paced.
  • Punctuality.
  • Women’s rights.
  • Egalitarian, belief in equal opportunity; not outcomes.
  • Goal-oriented.
  • Individualism.
  • Pragmatism.
  • Tolerance.
  • Separation of church and state.
  • Value work and personal success.
  • Love of technology.

Now, to be fair, the military generally is one of the most egalitarian institutions left in our increasingly unequal country. So I don’t blame whatever contractor the Army inadvisedly picked to write these cards for claiming the US still is egalitarian.

But “women’s rights”? “Separation of church and state”? “Tolerance”?

Maybe I found these assertions to be all the more laughable because I read them in SC–not known for either its commitment to women’s rights or tolerance.

But if you want to point to one reason why we’ll never succeed at COIN, you can look to the military’s institutional misunderstanding of who we Americans are.

Share this entry

The Coordinated Leaky Drips In The White House

/14 Comments/in , , , , , , , , , /by

As I’ve noted previously, there has been a hue and cry against the critical and untenable use, and abuse, of secrecy by the United States government. There has always been some abuse of the government’s classified evidence for political gain by various administrations operating the Executive Branch, but the antics of the Obama administration have taken the disingenuous ploy to a new art form.

Today, via Politico’s old fawning Washington DC gluehorse, Roger Simon, comes an unadulterated (sometimes x-rated) and stunningly tin eared and arrogant admission of what the Obama White House is all about, straight from the lips of Obama consigliere Bill Daley:

Rahm was famous for calling reporters, do you call reporters? I ask.

“I call; I’m not as aggressive leaking and stroking,” Daley says. “I’m not reflecting on Rahm, but I’m not angling for something else, you know? Rahm is a lot younger [Emmanuel is 51], and he knew he was going to be doing something else in two years or four years or eight years, and I’m in a different stage. I’m not going to become the leaker in chief.”

You’ve got others for that, I say.

“Yeah, and hopefully in some organized leaking fashion,” Daley says, laughing. “I’m all for leaking when it’s organized.”

Oh, ha ha ha, isn’t that just hilarious? Bill Daley, and the White House he runs, are all for leaking, history bears out even the most highly classified government secrets, and doing so in an organized pre-planned fashion, when it serves their little self-centric petty political interests. But god help an honest citizen like Thomas Drake who, after exhausting all other avenues of pursuit within the government, leaks only the bare minimum information necessary to expose giant government waste, fraud and illegality because he feels it his duty as a citizen.

For citizens like Tom Drake, the “most transparent administration in history” will come down on his head like a ton of nuclear bricks even when they embarrass themselves in so doing. But they are more than willing to exploit and leak to self serve their own interests. What is good for the king is not appropriate for the commoner.

In this regard, I wish to amplify point that Glenn Greenwald has previously made about the pernicious affect of this duplicitous use of classified information. Glenn said:

But the problem is much worse than mere execssive secrecy. Anyone who purports concern over the harmful leaking of classified information should look first to the Obama administration, which uses secrecy powers as a manipulative tool to propagandize the citizenry: trumpeting information that makes the leader and his government look good while  suppressing anything with the force of criminal law that does the opposite. Using secrecy powers to propagandize the citizenry this way is infinitely more harmful than any of the leaks the Obama administration has so aggressively prosecuted.

That is exactly right. It is not just that the government keeps unnecessary secrets from the public on information that is critical to their duties and responsibilities as citizens, it is that the self-serving selective leaking creates an intentionally fraudulent paradigm for the citizenry. It is not only manipulative, is fundamentally dishonest and duplicitous.

When the leaking is so selective and self-serving it is not just the people who are deceived, is the press they rely on as a neutral information conduit from which to make their opinions and determinations. The press then becomes little more than a hollow funnel for opportunistic and dishonest spin. We saw the effects of this in the case of Anwar Awlaki’s extrajudicial assassination, and have seen it again in the Scary Iranian Terrorist Murder ruse.

The last bastions against this pernicious practice are the press and courts. Until both start admitting how they are relentlessly gamed and played by the White House, there is little hope for change. And make no mistake, the press ratifies this pernicious conduct by lazily accepting such leaks and reporting without properly noting just how malignant the process is. It is all a joke to Bill Daley and Barack Obama, and the joke is on us.

PS: For a little more on the joy that is White House Chief of Staff Bill Daley, see Digby today. And a fine dissertation of why Daley should be fired on the spot by Joan Walsh in Salon. I would only note that it is not just Rahm and Daley, it is the man who consistently brings this Chicago style heavy handed belligerence to the White House. Mr. Obama’s two Chiefs of Staff do not operate apart from him, they ARE him and his Presidency. The buck for this stops at the top.

Share this entry

Confirmed: the Government Hid–and Is Still Hiding–Manssor Arbabsiar’s First Docket

/10 Comments/in , , , /by

I first raised questions of why the government had charged Manssor Arbabsiar–the Scary Iran Plotter–with an amended complaint almost two weeks ago. As I noted then, the obvious existence of an earlier sealed complaint might suggest the possibility that Arbabsiar was charged with something entirely different than the murder-for-hire charges he got charged with on October 11.

First (and this is what got me looking at the docket in the first place), the complaint is an amended complaint. That says there’s a previous complaint. But that complaint is not in the docket. Not only is it not in the docket, but the docket starts with the arrest on September 29 (notice the docket lists his arrest twice, on both September 29 and October 11), but the numbering starts with the amended complaint (normally, even if there were a sealed original complaint, it would be incorporated within the numbering, such that the docket might start with the amended complaint but start with number 8 or something).

Two things might explain this. First, that there was an earlier unrelated complaint–say on drug charges, but the charges are tied closely enough to this op such that this counts as an amended complaint. Alternately, that Arbabsiar was charged with a bunch of things when he was arrested on September 29, but then, after at least 12 days of cooperation (during which he waived Miranda rights each day), he was charged with something else and the new complaint incorporated Ali Gholam Shakuri’s involvement, based entirely on Arbabsiar’s confession and Shakuri’s coded conversations with Arbabsiar while the latter was in US custody. [emphasis original]

If Arbabsiar were originally charged with something different than he was charged with on October 11–for example, if he were charged with drug charges that might put him away for hard time–it might explain why he waived Miranda rights for 12 days in a row, when he had, on 5 different occasions in his past, hired lawyers to represent him when he got in legal trouble.

Well, this filing not only confirms that an earlier complaint exists–the earlier complaint is dated September 28–but it confirms my suspicion the complaint is in an different docket that is entirely sealed.

On September 28, 2011, Magistrate Judge James C. Francis IV authorized a complaint bearing docket number 11 Mag. 2534 (“Sealed Complaint”), charging the above-listed defendant. The Sealed Complaint is attached hereto as Exhibit A.

On October 11, 2011, Magistrate Judge Michael H. Dolinger authorized an Amended Complaint (11 Mag. 2617) charging the defendant and Gholam Shakuri (“Amended Complaint”). By order of the Honorable Loretta A. Preska, dated October 11, 2011, the Sealed Complaint was ordered to remain sealed. On October 11, 2011, the defendant was presented on only the Amended Complaint.

The Government respectfully requests that the Court enter a limited unsealing order permitting the Government to produce the Sealed Complaint in redacted form to defense counsel as part of the discovery process. The Sealed Complaint would otherwise remain sealed.

First, compare the docket numbers:

First Complaint: 11-mg-2534

Amended Complaint: 11-mg-2617

Criminal Indictment: 11-cr-897

These are three entirely different dockets.

A search for criminal magistrate docket 11-2534 returns nothing. Which means the docket–the entire docket–is and remains sealed.

This increases the likelihood that the first complaint charges entirely different charges–such as opium charges–than the amended complaint does.

Indeed, the language of this letter appears to suggest that only Arbabsiar was charged in the first complaint. Even if this earlier complaint pertained to murder-for-hire charges, this might make sense–as I have pointed out, most of the current charges are conspiracy charges that would involve at least two defendants. But the letter suggests–by stating only that “the defendant was presented on only the Amended Complaint”–that there may be charges unique to Arbabsiar, completely unrelated charges that hang over him still–that weren’t charged because of his 12-day cooperation to implicate Shakuri.

And here’s the kicker. The government isn’t even telling Arbabsiar’s defense counsel all of what was in that first complaint. They are asking that she receive the complaint in redacted form.

So not only are they hiding the original basis of his arrest from us–US citizens and the world community, to whom the government claimed this is an international incident. But they’re hiding parts of this earlier complaint even from the public defender tasked to actually represent this guy.

Share this entry

Why Does Duqu Matter?

/19 Comments/in , /by

The short answer is that if your PC got infected by Stuxnet last year, you were just collateral damage, unless you were operating a very specific set of uranium enrichment centrifuges. If you get Duqu this year, your network is under attack from a CIA/Mossad operation. They might seem a little outrageous, but bear with me while we get into the weeds of what Duqu is all about. I will lay out a set of assertions that lead to the conclusion that Duqu really is the “precursor to the next Stuxnet” as Symantec say in their whitepaper.

1. Stuxnet was created by the CIA and the Mossad

Although no one has officially claimed responsiblity for Stuxnet, both the U.S. and Israeli governments have done everything but take offical responsibility. Neither government has ever denied responsibilty, even when directly asked. In fact, officials in both governments have been reported as breaking out in big smiles when the subject comes up.

2. Duqu is from the same team that created Stuxnet.

The first clue that Duqu is from the Stuxnet team is the similarities between the rootkit components in both pieces of malware. The folks who have studied the two most closely are sure that Duqu is based on the Stuxnet component’s source code. Despite what you may have read on the internet, the actual source code to Stuxnet is not publicly available. Some folks have reverse-engineered some of the Stuxnet source code from the binaries that are available, for various technical reasons, I’m sure that these don’t serve as the basis for Duqu.

Duqu even has a fix for a bug in Stuxnet. Also, the only two pieces of malware in history to install themselves with as Windows device drivers with legitimate, but stolen, digital certificates are Stuxnet and Duqu. Both Stuxnet and Duqu were active in the wild and managed to evade detection for many months. While that’s not unheard of for malware, it is another point of similarity.

Stuxnet targeted a specific industrial control system (ICS) installation (the Siemens PLCs that were used to control the centrifuges at Natanz). Here’s the lastest on what Duqu targets:

Some of the companies affected or targeted by Duqu include the actual equipment that an ICS would control such as motors, pipes, valves and switches. To date, the vendors that make the PLC, controllers and systems/applications found in control centers are not yet affected, although this information could change as more variants are identified and these vendors look more closely at their systems.

There are no other instances of computer malware that target these sorts of installations.

 

3. Stuxnet was a worm, Duqu is not.

Stuxnet was a very aggressive computer worm. It had to be to jump the “air gap” that protects a secure ICS such as the system that ran the Natanz installation. When Stuxnet was discovered, the A-V vendors quickly discovered millions of computers had been (benignly) infected with Stuxnet. Duqu, on the other hand, has been found on only a handful of computers. Interestingly, no one has yet discovered the dropper, that is, the program used to place the Duqu rootkit on the infected machines. This is almost certainly because Duqu is being placed on these machines via a spear phishing attack. In spear phishing, specific targets are chosen and the attack is customized to the target.

4. Duqu is being used to download a RAT (Remote Access Trojan)

The rootkit component was used to download a standalone program designed to steal information from the computer that it has infected (including screenshots, keystrokes, lists of files on all drives, and names of open windows). Duqu is doing computer network reconnaissance. The information gathered by Duqu is very useful for planning future attacks. Before the command and control server was taken off-line, Symantec observed Duqu downloading three additional files to an infected machine.   The first was a module that could be injected into other processes running on the machine to gather some process-specific information as well as the computer’s local and system times (including time zone and daylight savings time bias). Another downloaded module was used to extend the normal 36-day limitation on Duqu installations. The last downloaded module was a stripped down version of the standalone RAT, lacking the key logging and file exploration functionality.

5. Put it all together and it adds up to a well-executed, highly targeted covert operation

For the last ten months, Duqu has been quietly stalking a small number of industrial manufacturers. No one even noticed before early September and it wasn’t until last week that the nature of the threat was clear to anyone. Duqu is spying on a handful of companies, gathering data that will be used for the design and development of the true Stuxnet 2.0. One thing we don’t know is who the target of Stuxnet 2.0 will be. But I have a suspicion. Nothing indicates that the ultimate target (i.e., Iran) of the Stuxnet team has changed. In August of this year, Iran announced that it had activated its first pre-production set of his newer IR-2m and IR-4 centrifuges. These are the successors to the centrifuges that Stuxnet attacked. If you wanted to do these centrifuges what Stuxnet did to the earlier IR-1 centrifuges, you would need a lot of specific data about the safe operating specs of the various components that go into making advanced centrifuges. If you knew or suspected who was supplying Iran with these components, you might want to gather some data from the internal networks of those suppliers. That’s what I think the point of Duqu really is.

Share this entry

The OTHER Saudi Assassination Plotter Got a Reduced Sentence in July

/2 Comments/in , , , /by

This post from Cannonfire reminded me how convenient for our country it is that Moammar Qaddafi was executed rather than captured alive and tried: he will not be able to tell anyone, now that he’s dead, how Ibn Sheikh al-Libi, who under torture provided one of the casus belli for the Iraq war, came to be suicided in a Libyan prison just as Americans started focusing on torture in 2009.

That, plus the death of the Saudi Crown Prince Sultan bin Abdul-Aziz al Saud, made me think of another plot Qaddafi brings to his grave: that he had purportedly arranged to assassinate then Crown Prince now King Abdullah. The evidence to support that plot mostly came from Abdulrahman Alamoudi, a prominent American Muslim who was arrested in 2003 on charges he violated trade sanctions against Libya.

Tell me if this sounds familiar. A naturalized American citizen is arrested upon re-entry to the country and charged with a bunch of crimes. After a period of no bail, he confesses to participation in the assassination plot of a top Saudi.

Court documents said the assassination plot arose from a March 2003 conference at which Libyan leader Moammar Gaddafi and Prince Abdullah had a heated exchange. Angered at how Gaddafi was treated, Libyan officials recruited Alamoudi.

Even after he learned that the target was Abdullah, Alamoudi shuttled money and messages between Libyan officials and the two Saudi dissidents in London, the documents said. Although Gaddafi is not named as a planner, sources familiar with the case have said he appears in the documents as “Libyan government official #5,” who met personally with Alamoudi.

Mind you, though the judge considered the assassination plot in Alamoudi’s sentence, he plead guilty not to murder-for-hire, but to prohibited financial transactions with Libya (the kind of thing JPMC just got its wrist slapped for), unlawful procurement of naturalization, and tax evasion.

Anyway, thinking about the similarities between that case and the Scary Iran Plot led me to consult Alamoudi’s docket (most of which is not available online). What happens to a guy convicted in connection with plotting with a nasty African dictator as we launch the war to finally kill that dictator?

Well, it turns out that at about the time it was clear we’d stick around to ensure Qaddafi died in this kinetic action, a sealed document got filed in Alamoudi’s case. And, on July 20, 2011, Alamoudi got about 30% knocked off his sentence, from 276 months to 197.

Mind you, no one was hiding the fact that Alamoudi would continue to cooperate with authorities while in prison–so it’s no surprise his sentence got lowered. Nor does Alamoudi’s sentence reduction necessarily have anything to do with Alamoudi’s testimony in the assassination plot.

But I do expect, a decade from now, that’s what’s going to happen to Manssor Arbabsiar’s docket.

Share this entry

Scary Iran Plot: FBI Had No Need to Investigate Arbabsiar’s Corpus Christi Past

/17 Comments/in , , , /by

So imagine this scenario.

A DEA informant calls up his handler out of the blue and says,

Omigod! Some crazy Iranian just approached me to arrange some kind of hit on behalf of this Iranian terror organization. He asked about explosives (I bragged about my C4 expertise.) He found me through my aunt in Corpus Christi. She says she knows him from when he used to be a used car salesman.

The DEA calls the FBI. What’s one of the first things the FBI would do?

Maybe look him up in the FBI’s own files (they find he doesn’t have a federal record). And just after that, you’d think they’d start investigating him in Corpus Christi, where Narc knew him to have connections. Maybe call the cops there and see if they knew this crazy Iranian. Which, since Arbabsiar has a pretty consistent record of petty arrests and lawsuits, they do.

Which is why it’s sort of odd that the FBI never contacted the Corpus Christi cops–they first talked to them the day after Arbabsiar was charged.

Arbabsiar had previous arrests in Nueces County during nearly 20 years living in the area.

That meant arrest records and personal details were on file in the county’s warehouse. But no one from any federal agency ever asked for the folder, Kaelin said.

“From an intelligence-gathering standpoint, even the tiniest bits of information could have a connection to something bigger,” he said. “They never asked to see it.”

In fact, FBI agents never contacted the sheriff’s office or the police department about their investigation into Arbabsiar.

That’s all the more weird given that some of the criminal files on Arbabsiar were on dead tree files in a warehouse from back in the day when the FBI itself didn’t really use computers (you know, like last year).

Now, my scenario sounds weird, almost impossible, particularly in the age of information sharing between local cops and national counterterrorism investigators.  Even if they were worried about keeping Narc’s identity secret–which I’m sure is particularly critical so close to the border in South Texas–you’d think they’d at least go and make discreet investigations about Arbabsiar (particularly given the claims that, by the end of the investigation, FBI officers seemed to be going out of their way to make their presence known.

Neighbors, however, said it had been years since Arbabsiar lived in the stucco house he once shared with his wife on a suburban cul-de-sac. They said it appeared that as many as 10 people were living in the house, and lately there had been some signs of suspicious activity: When residents looked for available Wi-Fi networks, networks with names like “FBI Van 1” would pop up.l

Unless …

Unless they didn’t need to do that background research on Arbabsiar when Narc purportedly came to them out of the blue to tell them about this crazy Iranian seeking an assassin purportedly out of the blue.

The FBI’s seeming disinterest in learning about Arbabsiar from the law enforcement officials who ostensibly knew him best suggests they already knew about him when he approached Narc.

(As a number of media outlets have reported, the Grand Jury has indicted the plotters, a mere nine days after the Administration started making an international incident about this. I’ll update or do a post once the indictment is in the docket.)

Share this entry

Did Duqu fix the bug that revealed Stuxnet?

/36 Comments/in , /by

 
Count DookuDuqu isn’t Christopher Lee in Attack of the Clones, but it is the newest computer malware to hit mainstream consciousness. It’s attracting attention mainly because it is based on the same software source code base as the Windows portion of Stuxnet. If you haven’t heard about Duqu, check out the Wired article that first alerted me to its existence. If you are interested in the technical details, you need to read the excellent write-up by Symantec (pdf link).
Unfortunately, the twitterverse, blogosphere, and the computer security profession all seem to be caught up in a hype/debunking/speculation cycle that is spreading more heat than light. The primary significance of Duqu is what it tells us about the operation behind Stuxnet and Duqu, i.e. that it is an on-going enterprise conducting computer espionage and sabotage around the world. The fact that it is rather obviously (though not publicly) run by the U.S. intelligence community should concern everyone.
I’ll put up a more extensive post later (including a timeline!) detailing what the Duqu phase of the Stuxnet operation tells us about the cyberwarfare strategy of the U.S. and how it is endangering the safety and security of the U.S. and the whole industrialized world. But first, I want to remind everyone how Stuxnet was originally discovered:

… the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.
 
 

This incident became curiouser and curiouser as Symantec, Langner, and others took apart Stuxnet. There wasn’t any obvious reason that Stuxnet would have caused that sort of behavior on an infected computer. I even wondered at the time whether or not Stuxnet’s cover was blown intentionally since the perpetrators moved quickly to call further attention to themselves. But, thanks to the good work of the Symantec team, we can surmise something quite revealing about the initial discovery of Stuxnet.
 
The rootkit component of Duqu is quite similar to, but not exactly the same as, the one in Stuxnet. In both cases, if the infected computer gets rebooted while it is infected, the rootkit wants to make sure that it is running before the operating system is fully loaded. That’s why this rootkit (both flavors, Stuxnet and Duqu) is packaged as a hardware device driver. Here’s a feature of Duqu’s driver that wasn’t present in Stuxnet (as described by Symantec on page 4 of the pdf linked above):

The driver then registers a DriverReinitializationRoutine and calls itself (up to 200 times) until it is able to detect the presence of the HAL.DLL file. This ensures the system has been initialized to a point where it can begin injecting the main DLL.

The bolded portion is the new functionality that wasn’t present in Stuxnet. As a software developer, this detail tells me a lot. The driver is checking to make sure that the hardware abstraction layer (HAL.DLL) of Windows is loaded before it proceeds with the re-infection routine. The HAL is a portion of the Windows OS that really needs to be loaded before device drivers can function properly. Between the time that Stuxnet was deployed and this later version was compiled, the Stuxnet team identified a problem (a race condition) with their software being loaded before the HAL, probably only under the rarest of circumstances. So they modified their program to take this possible condition into account.
As I thought about this, I realized that the likely impact of the Stuxnet device driver being loaded before the HAL was properly initialized would almost certainly be that the machine would continuously crash and reboot. Look again at how Stuxnet was first discovered (remember it was in the wild for at least a full year before it was noticed by any anti-virus vendor):

… the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.

By November 3, 2010 (the compile date of the Duqu component), the Stuxnet team had fixed the bug that led to the discovery of Stuxnet last year. And then went almost another full year without being discovered by the anti-virus vendors. It is likely to be a lot harder to reconstruct what the Stuxnet team has been up to this time around, but it is clear that the operation is on-going and we can assume (unless specific information turns up pointing in a different direction) that the primary target is still the Iranian nuclear program.

Share this entry