Obama Worried Trump Would Warn the Russians about Their Compounds … Did They?

/26 Comments/in /by

Halfway through this CBS story highlighting all the proof that shock, shock! there was spying going on in Russia’s two foreign service compounds shut down in December is this buried lede:

The Russians were given 24 hours to get out of the compound and 72 hours to leave the country. Current U.S. officials tell CBS News they vacated the compounds before the 24-hour deadline, striking some as odd and raising the question of whether the diplomats had been tipped off about their expulsion. [my emphasis]

But the possibility that someone had warned the Russians they needed to start destroying and transferring their spy toys is actually not new. Per this May AP story, it’s something the Obama team specifically worried about.

The distrust in the other camp was clear months earlier. In late December, as the White House prepared to levy sanctions and oust Russians living in the in the U.S. in retaliation for the hacks, Obama officials did not brief the Trump team on the decision until shortly before it was announced publicly. The timing was chosen in part because they feared the transition team might give Moscow lead time to clear information out of two compounds the U.S. was shuttering, one official said.

So … Obama officials worried Trump’s folks might warn Russia. And details about the evacuation suggest Russia may have had warning.

I wonder. Who might have wanted to warn the Russians that compounds used for sensitive spying and communications were about to be raided?

The Compartments in WaPo’s Russian Hack Magnum Opus

/56 Comments/in , /by

The WaPo has an 8300 word opus on the Obama Administration’s response to Russian tampering in the election. The article definitely covers new ground on the Obama effort to respond while avoiding making things worse, particularly with regards to imposing sanctions in December. It also largely lays out much of the coverage the three bylined journalists (Greg Miller, Ellen Nakashima, and Adam Entous) have broken before, with new details. The overall message of the article, which has a number of particular viewpoints and silences, is this: Moscow is getting away with their attack.

“[B]ecause of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.”

The Immaculate Interception: CIA’s scoop

WaPo starts its story about how Russia got away with its election op with an exchange designed to make the non-response to the attack seem all the more senseless. It provides a dramatic description of a detail these very same reporters broke on December 9: Putin, who was personally directing this effort, was trying to elect Trump.

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladi­mir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

[snip]

The material was so sensitive that CIA Director John Brennan kept it out of the President’s Daily Brief, concerned that even that restricted report’s distribution was too broad. The CIA package came with instructions that it be returned immediately after it was read.

[snip]

In early August, Brennan alerted senior White House officials to the Putin intelligence, making a call to deputy national security adviser Avril Haines and pulling national security adviser Susan Rice side after a meeting before briefing Obama along with Rice, Haines and McDonough in the Oval Office.

While the sharing of this information with just three aides adds to the drama, WaPo doesn’t consider something else about it. The inclusion of Rice and McDonough totally makes sense. But by including Avril Haines, Brennan was basically including his former Deputy Director who had moved onto the DNSA position, effectively putting two CIA people in a room with two White House people and the President. Significantly, Lisa Monaco — who had Brennan’s old job as White House Homeland Security Czar and who came from DOJ and FBI before that — was reportedly excluded from this initial briefing.

There are a number of other interesting details about all this. First, for thousands of wordspace, the WaPo presents this intelligence as irreproachable, even while providing this unconvincing explanation of why, if it is so secret and solid, the CIA was willing to let WaPo put it on its front page.

For spy agencies, gaining insights into the intentions of foreign leaders is among the highest priorities. But Putin is a remarkably elusive target. A former KGB officer, he takes extreme precautions to guard against surveillance, rarely communicating by phone or computer, always running sensitive state business from deep within the confines of the Kremlin.

The Washington Post is withholding some details of the intelligence at the request of the U.S. government.

If this intelligence is so sensitive, why is even the timing of its collection being revealed here, much less its access to Putin?

That seemingly contradictory action is all the more curious given that not all agencies were as impressed with this intelligence as CIA was. It’s not until much, much later in its report until WaPo explains what remains true as recently as Admiral Rogers’ latest Congressional testimony: the NSA wasn’t and isn’t as convinced by CIA’s super secret intelligence as CIA was.

Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

By the time this detail is presented, the narrative is in place: Obama failed to respond adequately to the attack that CIA warned about back in August.

The depiction of this top-level compartment of just Brennan, Rice, McDonough, and Haines is interesting background, as well, for the depiction of the way McDonough undermined a State Department plan to institute a Special Commission before Donald Trump got started.

Supporters’ confidence was buoyed when McDonough signaled that he planned to “tabledrop” the proposal at the next NSC meeting, one that would be chaired by Obama. Kerry was overseas and participated by videoconference.

To some, the “tabledrop” term has a tactical connotation beyond the obvious. It is sometimes used as a means of securing approval of an idea by introducing it before opponents have a chance to form counterarguments.

“We thought this was a good sign,” a former State Department official said.

But as soon as McDonough introduced the proposal for a commission, he began criticizing it, arguing that it would be perceived as partisan and almost certainly blocked by Congress.

Obama then echoed McDonough’s critique, effectively killing any chance that a Russia commission would be formed.

Effectively, McDonough upended the table on those (which presumably includes the CIA) who wanted to preempt regular process.

Finally, even after  these three WaPo journalists foreground their entire narrative with CIA’s super duper scoop (that NSA is still not 100% convinced is one), they don’t describe their own role in changing the tenor of the response on December 9 by reporting the first iteration of this story.

“By December, those of us working on this for a long time were demoralized,” said an administration official involved in the developing punitive options.

Then the tenor began to shift.

On Dec. 9, Obama ordered a comprehensive review by U.S. intelligence agencies of Russian interference in U.S. elections going back to 2008, with a plan to make some of the findings public.

The WaPo’s report of the CIA’s intelligence changed the tenor back in December, and this story about the absence of a response might change the tenor here.

Presenting the politics ahead of the intelligence

The WaPo’s foregrounding of Brennan’s August scoop is also important for the way they portray the parallel streams of the intelligence and political response. It portrays the Democrats’ political complaints about Republicans in this story, most notably the suggestion that Mitch McConnell refused to back a more public statement about the Russian operation when Democrats were pushing for one in September. That story, in part because of McConnell’s silence, has become accepted as true.

Except the WaPo’s own story provides ample evidence that the Democrats were trying to get ahead of the formal intelligence community with respect to attribution, both in the summer, when Clapper only alluded to Russian involvement.

Even after the late-July WikiLeaks dump, which came on the eve of the Democratic convention and led to the resignation of Rep. Debbie Wasserman Schultz (D-Fla.) as the DNC’s chairwoman, U.S. intelligence officials continued to express uncertainty about who was behind the hacks or why they were carried out.

At a public security conference in Aspen, Colo., in late July, Director of National Intelligence James R. Clapper Jr. noted that Russia had a long history of meddling in American elections but that U.S. spy agencies were not ready to “make the call on attribution” for what was happening in 2016.

And, more importantly, in the fall, when the public IC attribution came only after McConnell refused to join a more aggressive statement because the intelligence did not yet support it (WaPo makes no mention of it, but DHS’s public reporting from late September still attributed the the threat to election infrastructure to “cybercriminals and criminal hackers”).

Senate Majority Leader Mitch McConnell (R-Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

I’m all in favor of beating up McConnell, but there is no reason to demand members of Congress precede the IC with formal attribution for something like this. So until October 7, McConnell had cover (if not justification) for refusing to back a stronger statement.

And while the report describes Brennan’s efforts to brief members of Congress (and the reported reluctance of Republicans to meet with him), it doesn’t answer what remains a critical and open question: whether Brennan’s briefing for Harry Reid was different — and more inflammatory — than his briefing for Republicans, and whether that was partly designed to get Reid to serve as a proxy attacker on Jim Comey and the FBI.

Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

Nor does this account explain another thing: why Brennan serially briefed the Gang of Eight, when past experience is to brief them in groups, if not all together.

In short, while the WaPo provides new details on the parallel intelligence and political tracks, it reinforces its own narrative while remaining silent on some details that are critical to that narrative.

The compartments

The foregrounding of CIA in all this also raises questions about a new and important detail about (what I assume to be the subsequently publicly revealed, though this is not made clear) Task Force investigating this operation: it lives at CIA, not FBI.

Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

Much later in the story, WaPo reveals how, in the wake of Obama calling for a report, analysts started looking back at their collected intelligence and learning new details.

Obama’s decision to order a comprehensive report on Moscow’s interference from U.S. spy agencies had prompted analysts to go back through their agencies’ files, scouring for previously overlooked clues.

The effort led to a flurry of new, disturbing reports — many of them presented in the President’s Daily Brief — about Russia’s subversion of the 2016 race. The emerging picture enabled policymakers to begin seeing the Russian campaign in broader terms, as a comprehensive plot sweeping in its scope.

It’s worth asking: did the close hold of the original Task Force, a hold that appears to have been set by Brennan, contribute to the belated discovery of these details revealing a broader campaign?

The surveillance driven sanctions

I’m most interested in the description of how the Obama Admin chose whom to impose sanctions on, though it includes this bizarre claim.

But the package of measures approved by Obama, and the process by which they were selected and implemented, were more complex than initially understood.

The expulsions and compound seizures were originally devised as ways to retaliate against Moscow not for election interference but for an escalating campaign of harassment of American diplomats and intelligence operatives. U.S. officials often endured hostile treatment, but the episodes had become increasingly menacing and violent.

Several of the details WaPo presents as misunderstood (including that the sanctions were retaliation for treatment of diplomats) were either explicit in the sanction package or easily gleaned at the time.

One of those easily gleaned details is that the sanctions on GRU and FSB were mostly symbolic. WaPo uses the symbolic nature of the attack on those who perpetrated the attack as a way to air complaints that these sanctions were not as onerous as those in response to Ukraine.

“I don’t think any of us thought of sanctions as being a primary way of expressing our disapproval” for the election interference, said a senior administration official involved in the decision. “Going after their intelligence services was not about economic impact. It was symbolic.”

More than any other measure, that decision has become a source of regret to senior administration officials directly involved in the Russia debate. The outcome has left the impression that Obama saw Russia’s military meddling in Ukraine as more deserving of severe punishment than its subversion of a U.S. presidential race.

“What is the greater threat to our system of government?” said a former high-ranking administration official, noting that Obama and his advisers knew from projections formulated by the Treasury Department that the impact of the election-related economic sanctions would be “minimal.”

Three things that might play into the mostly symbolic targeting of FSB, especially, are not mentioned. First, WaPo makes no mention of the suspected intelligence sources who’ve been killed since the election, most credibly Oleg Erovinkin, as well as a slew of other suspect and less obviously connected deaths. It doesn’t mention the four men Russia charged with treason in early December. And it doesn’t mention DOJ’s indictment of the Yahoo hackers, including one of the FSB officers, Dmitry Dokuchaev, that Russia charged with treason (not to mention the inclusion within the indictment of intercepts between FSB officers). There’s a lot more spy vs. spy activity going on here that likely relates far more to retaliation or limits on US ability to retaliate, all of which may be more important in the medium term than financial sanctions.

Given the Yahoo and other indictments working through San Francisco (including that of Yevgeniey Nikulin, who claims FBI offered him a plea deal involving admitting he hacked the DNC), I’m particularly interested in the shift in sanctions from NY to San Francisco, where Nikulin and Dokuchaev’s victims are located.

The FBI was also responsible for generating the list of Russian operatives working under diplomatic cover to expel, drawn from a roster the bureau maintains of suspected Russian intelligence agents in the United States.

[snip]

The roster of expelled spies included several operatives who were suspected of playing a role in Russia’s election interference from within the United States, officials said. They declined to elaborate.

More broadly, the list of 35 names focused heavily on Russians known to have technical skills. Their names and bios were laid out on a dossier delivered to senior White House officials and Cabinet secretaries, although the list was modified at the last minute to reduce the number of expulsions from Russia’s U.N. mission in New York and add more names from its facilities in Washington and San Francisco.

And the WaPo’s reports confirm what was also obvious: the two compounds got shut down (and were a priority) because of all the spying they were doing.

The FBI had long lobbied to close two Russian compounds in the United States — one in Maryland and another in New York — on the grounds that both were used for espionage and placed an enormous surveillance burden on the bureau.

[snip]

Rice pointed to the FBI’s McCabe and said: “You guys have been begging to do this for years. Now is your chance.”

The administration gave Russia 24 hours to evacuate the sites, and FBI agents watched as fleets of trucks loaded with cargo passed through the compounds’ gates.

Finally, given Congress’ bipartisan fearmongering about Kaspersky Lab, I’m most interested that at one point Treasury wanted to include them in sanctions.

Treasury Department officials devised plans that would hit entire sectors of Russia’s economy. One preliminary suggestion called for targeting technology companies including Kaspersky Lab, the Moscow-based cybersecurity firm. But skeptics worried that the harm could spill into Europe and pointed out that U.S. companies used Kaspersky systems and software.

In spite of all the fearmongering, no one has presented proof that Kaspersky is working for Russia (there are even things, which I won’t go in to for the moment, that suggest the opposite). But we’re moving close to de facto sanctions against Kaspersky anyway, even in spite of the fact (or perhaps because) they’re providing better intelligence on WannaCry than half the witnesses called as witnesses to Congress. But discrediting Kaspersky undercuts one of the only security firms in the world who, in addition to commenting on Russian hacking, will unpack America’s own hacking. You sanction Kaspersky, and you expand the asymmetry with which security firms selectively scrutinize just Russian hacking, rather than all nation-state hacking.

The looming cyberattack and the silence about Shadow Brokers

Which brings me to the last section of the article, where, over 8000 words in, the WaPo issues a threat against Russia in the form of a looming cyberattack Obama approved before he left.

WaPo’s early description of this suggests the attack was and is still in planning stages and relies on Donald Trump to execute.

Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

But if readers make it all the way through the very long article, they’ll learn that’s not the case. The finding has already been signed, the implants are already being placed (implants which would most likely be discovered by Kaspersky), and for Trump to stop it, he would have to countermand Obama’s finding.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

Whatever else this article is designed to do, I think, it is designed to be a threat to Putin, from long gone Obama officials.

Given the discussion of a looming cyberattack on Russia, it’s all the more remarkable WaPo breathed not one word about Shadow Brokers, which is most likely to be a drawn out cyberattack by Russian affiliates on NSA. Even ignoring the Shadow Brokers’ derived global ransomware attack in WannaCry, Shadow Brokers has ratcheted up the severity of its releases, including doxing NSA’s spies and hacks of the global finance system, It has very explicitly fostered tensions between the NSA and private sector partners (as well as the reputational costs on those private sector partners). And it has threatened to leak still worse, including NSA exploits against current Microsoft products and details of NSA’s spying on hostile nuclear programs.

The WaPo is talking about a big cyberattack, but an entity that most likely has close ties to Russia has been conducting one, all in plain sight. I suggested back in December that Shadow Brokers was essentially holding NSA hostage in part as a way to constrain US intelligence retaliation against Russia. Given ensuing events, I’m more convinced that is, at least partly, true.

But in this grand narrative of CIA’s early warning and Obama’s inadequate response, details like that remain unsaid.

Penetrated: Today’s Senate Intelligence Committee Hearing on Russian Interference in the 2016 U.S. Elections

/43 Comments/in , , , /by

If you didn’t catch the Senate Intelligence Committee hearing on Russian influence on 2016 U.S. election on live stream, you should try to catch a replay online. I missed the first panel but caught the second when University of Michigan Prof. J. Alex Halderman began his testimony with his opening statement.

The same Halderman who questioned the 2016 election could have been hacked based on his expertise.

The same Halderman who hacked a voting machine to play Pac Man.

When asked if it was possible Russia could change votes, Halderman told the SIC that he and a team of students demonstrated they were able to hack DC’s voting system, change votes, and do so undetected in under 48 hours. Conveniently, Fox News interviewed Halderman last September; Halderman explained the DC hack demonstration at that time (see embedded video); the interview fit well with Trump’s months-long narrative that the election was ‘rigged’.

If you aren’t at least mildly panicked after watching the second panel’s testimony and reading Halderman’s statement, you’re asleep or dead, or you just plain don’t care about the U.S.’ democratic system.

Contrast and compare this Senate hearing to the House Intelligence Committee’s hearing with former DHS Secretary Jeh Johnson as a witness. Johnson sent out numerous messages last year expressing his concerns about election integrity, but after listening to the second Senate panel, Johnson should have been hair-on-fire (it’s figure of speech, go with it). But the Obama administration erred out of some twisted sense of heightened sensibility about appropriateness (which would have been better suited to its policies on drone use and domestic surveillance). The excess of caution feels more like foot dragging when viewed through the lens of time and Johnson’s testimony.

Early in the hearing, Johnson as well as DHS witnesses Jeanette Manfra and Samuel Liles said there was no evidence votes were changed. It’s important to note, though, that Johnson later clarifies in a round about way there was no way to be certain of hacking at that time (about 1:36:00-1:41:00 in hearing). I find it incredibly annoying Johnson didn’t simply defer to information security experts about the possibility there may never be evidence even if there were hacks; it’s simply not within in his skill set or experience then or now to say with absolute certainty based on forensic audit there was no evidence of votes changed. Gathering that evidence never happened because federal and state laws do not provide adequately for standardized full forensic audits before, during, or after an election.

Halderman’s SIC testimony today, in contrast, makes it clear our election system was highly vulnerable in many different ways last November.

Based on the additional testimony of a representative of National Association of State Election Directors, the President-Elect of National Association of Secretaries of State (NASS) & Secretary of State, Executive Director of Illinois State Board of Elections Illinois — whose combined testimony revealed lapses in communication between federal, state, and local government combined with gaps in information security education — the election system remains as vulnerable today as it was last autumn.

Nothing in either of these two hearings changed the fact we’ve been penetrated somewhere between 21 and 39 times. Was it good for you?

The Outdated XP Testimony on WannaCry to Congress

/12 Comments/in , /by

The Oversight Committee had a hearing on WannaCry last week. I won’t have time to watch the hearing for a few days, but I did read the testimony with some alarm. That’s because two of the four witnesses appear to have misstated one detail about the attack.

First, Symantec CTO Hugh Thompson suggested that the spread of the ransomware was due to Microsoft not releasing a patch for XP when it had released EternalBlue patches for other systems in March.

WannaCry spread to unpatched computers. Microsoft released a patch for the SMB vulnerability for Windows 7 and newer operating systems in March, but unpatched systems and systems running XP or older operating systems were unprotected. After the WannaCry outbreak began, Microsoft released a patch for XP and earlier platforms. Four days after the initial outbreak these patches were widely applied and new infections slowed to a trickle.

The implication here is that the ransomware primarily affected XP, and only because there hadn’t been a patch available.

Retired General Touhill suggested this outdated system was actually Windows 95 — and claimed that Microsoft had released that patch in March, along with the supported system patches.

Systems using unpatched versions of the Windows 95 operating system have been highlighted as exemplar victims of the Wannacry attack. Microsoft who, after a long and very public notification process, discontinued support to the Windows 95 operating system in 2014, about 19 years after its initial release. However, in light of the warnings and their own research, in March of this year Microsoft issued a rare emergency patch to Windows 95, nearly three years after they had discontinued support of the software. Despite these extraordinary actions, many organizations still did not heed the warnings and properly patch and configure their systems. As a result, they fell victim to Wannacry.

In fact, XP (to say nothing of Windows 95) was not the problem. Windows 7 was. Kaspersky Lab (which Congress has spent time of late demonizing as potential Russian spies) first pointed this out on May 19.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That’s according to Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there’s little question Windows 7 was overwhelmingly affected by WCry, which is also known as “WannaCry” and “WannaCrypt.” Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

The figures challenge the widely repeated perception that the outbreak was largely the result of end users who continued to deploy Windows XP, a Windows version Microsoft decommissioned three years ago. In fact, researchers now say, XP was largely untouched by last week’s worm because PCs crashed before WCry could take hold. Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn’t installed a critical security patch Microsoft issued in March

Days later Sophos confirmed that analysis.

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

[snip]

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

It’s still a question of whether a victim patched their computer or not, but Microsoft did make a patch available for Windows 7 along with other supported systems. Though, as Sophos notes, unless users were paying extra for support, they might not have noticed the patch was there.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

That suggests one problem with the patching wasn’t the timeliness, but the secrecy. But, Congress might not learn that detail given the testimony they got last week.

Three days after the attack started, Homeland Security Czar Tom Bossert was still claiming WannaCry was spread via phishing. Now Congress is getting other debunked reporting.

We might respond better to these threats if the government was getting information that was at least as accurate as that information available to lowly hippie bloggers.

The Sources for Some Russian Voting Hack Stories Will Not Be Prosecuted

/20 Comments/in , /by

Yesterday, former Homeland Security Secretary Jeh Johnson spent 90 minutes meeting with the Senate Intelligence Committee’s Russian investigators.

Today, Bloomberg reports that Russian probes of election-related targets was far more extensive than previously reported, reaching into 39 states. It relies on three unnamed sources for the story, either including, or in addition to, at least one former senior US official.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

[snip]

Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.

[snip]

One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks. [my emphasis]

The report also uses the document allegedly leaked by Reality Winner as corroboration and confirmation of one of the companies targeted, rather curiously included as a parenthetical comment.

(An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

The Bloomberg story is critically important, as it should provide pressure on the Republicans for real protections for voting systems, even if they’ll probably ignore that pressure. It provides far more details than the Winner document did. That said, much of this information might come out formally in Jeh Johnson testimony before the House Intelligence Committee.

I raise all this to note that the treatment of Bloomberg’s sources will be dramatically different than that of Winner. I’d bet there won’t even be a referral for this story, especially if it relies on (as is likely) information shared by people protected by the speech and debate clause and/or people who might have been original classification authorities (OCAs — the people who get to decide whether something is classified or not) for this information in the past.

Perhaps that is as it should be. Perhaps our democracy has unofficially agreed that OCAs and congressional staffers should serve as kind of a relief valve, the place where classified information may be leaked without criminal penalty. Perhaps we believe those kinds of people have a better read on whether the interests of leaking outweigh the sensitivity of an issue. Though obviously, when OCAs like David Petraeus become impossible to punish (or former SSCI staff director Bill Duhnke, who was the FBI’s primary suspect for the Merlin leak, but who was protected by the Senate’s refusal to cooperate), that creates a profoundly unequal system of justice. Reality Winner can be prosecuted even while people leaking similar — perhaps even more sensitive — information within weeks might not even be investigated.

To be clear, I don’t want Bloomberg’s sources to be investigated. But we need to acknowledge the double standards for leakers in this country.

Which Was a More Sensitive Open Secret Revealed as a Result of the Reality Winner Story: Details on Russian Hacks of Voting Equipment, or Invisible Printer Dots?

/26 Comments/in , /by

Mr. EW doesn’t follow my work all that closely. He’s most apt to read something I wrote if it gets cited in TechDirt, a fact that occasionally makes me fantasize about getting Mike Masnick to publish secret messages about fixing leaky toilets or broken screen doors.

So I was pretty interested in Mr. EW’s take on the Reality Winner story. He believes, as many people do, that Winner was caught using the printer dot technology that Rob Graham laid out here.

I don’t doubt that the FBI or NSA used the printer dot technology to confirm that they had gotten the right person before they charged Winner. But it’s not mentioned at all in DOJ’s narrative of how they caught Winner (who, remember, pled not guilty even though she confessed to the FBI). They cite the following steps (search warrant affidavit, complaint affidavit):

  1. May 30: The Intercept contacts NSA and provides a copy of the document. NSA confirms for itself that it is real and classified.
  2. June 1: NSA makes a leak referral to the FBI.
  3. Undated:
    1. NSA notes that the document has been folded, suggested it was printed off.
    2. NSA checks who has accessed and printed the document.
    3. NSA checks the work computers of the six people who have printed the document, including Winner.
    4. NSA finds a direct email, from March, from Winner’s work computer to The Intercept using her personal Gmail account pertaining to TI’s podcast.
  4. June 1: For the second time, The Intercept contacts a contractor to validate the document (he or she had told them it was fake on May 24), telling the contractor that the NSA has confirmed its authenticity. The contractor provided a document number to The Intercept, and on the same day, the contractor informed the NSA about the May 24 and June 1 interactions, probably also passing on the detail that the document had been sent from Augusta, GA.
  5. June 2: FBI verifies Winner’s residence for a search warrant.
  6. June 3: FBI interviews Winner, who admits to “removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia.”

Winner was arrested on June 3; her arrest was unsealed on June 5, just after The Intercept published the document.

On June 5, Graham posted a piece explaining how the hidden dots on the hard copy of the document would have told NSA that the document had been printed out on May 9, making it even easier for the NSA to pinpoint who had printed out the document.

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

As I explained to Mr. EW last night, nothing in the official record says the NSA used this hidden dot technology in its hunt for the leaker. I explained that while my friends started talking about the hidden dots almost immediately, there was nothing in the public record about it.

Clearly, the government didn’t exactly want that (and no doubt a number of other investigative methods, presumably including at a minimum checks on the non-government computer communications of the six people who printed out the document, and potentially also a check of postal records) detail to become public.

Yet, as a result of the reporting on this, people like Mr. EW not only know about the dot technology, but believe it was the key factor in identifying Winner. If they follow Rob Graham closely, they’ll also know that (in response to my question) another presumed leaker to The Intercept had managed to pass on a printed (and frankly far more important leaked) document — FBI’s Domestic Investigations and Operations Guidewithout including the telltale dots (I told Mr. EW about the follow-up but he’s more likely to read it if TechDirt links so…) So they would have learned that the dots are an operational security issue, but there are as yet unknown ways to mitigate that problem.

As I’ve stated several times, while the document Winner leaked to The Intercept provides new details about Russian attempts to hack the election, it simply adds to the widely known narrative already in the public (though the redacted details would no doubt be even more interesting). The secret dots though! — that was news to most people (including me).

Which secret do you think the government is most grumpy about having been made public?

Who Would Have Told Trump to Go Back to Demand a Patronage Relationship with Comey?

/49 Comments/in , /by

Jim Comey made a comment in his testimony the other day I’ve not seen others mention. Mark Warner asked him to explain this comment on patronage from his written testimony.

The President began by asking me whether I wanted to stay on as FBI Director, which I found strange because he had already told me twice in earlier conversations that he hoped I would stay, and I had assured him that I intended to. He said that lots of people wanted my job and, given the abuse I had taken during the previous year, he would understand if I wanted to walk away.

My instincts told me that the one-on-one setting, and the pretense that this was our first discussion about my position, meant the dinner was, at least in part, an effort to have me ask for my job and create some sort of patronage relationship. That concerned me greatly, given the FBI’s traditionally independent status in the executive branch.

I replied that I loved my work and intended to stay and serve out my ten-year term as Director. And then, because the set-up made me uneasy, I added that I was not “reliable” in the way politicians use that word, but he could always count on me to tell him the truth. I added that I was not on anybody’s side politically and could not be counted on in the traditional political sense, a stance I said was in his best interest as the President. A few moments later, the President said, “I need loyalty, I expect loyalty.”

When Warner asked Comey to explain this comment at Thursday’s hearing, Comey explained he thought that Trump was belatedly trying to get something from Comey in exchange for letting him stay on his job.

WARNER: Let me move to the January 27th dinner, where you said “The president began by asking me whether I wanted to stay on as FBI director.”

He also indicated that “lots of people” again your words, “Wanted the job.” You go on to say the dinner itself was “Seemingly an effort to” to quote have you ask him for your job and create some “patronage” relationship. The president seems from my reading of your memo to be holding your job or your possibility of continuing your job over your head in a fairly direct way. What was your impression, and what did you mean by this notion of a patronage relationship?

COMEY: Well, my impression, and again it’s my impression, I could always be wrong but my common sense told me what was going on is, either he had concluded or someone had told him that you didn’t, you’ve already asked Comey to stay, and you didn’t get anything for it. And that the dinner was an effort to build a relationship, in fact, he asked specifically, of loyalty in the context of asking me to stay. As I said, what was odd about that is we’d already talked twice about it by that point and he said I very much hope you’ll stay. In fact, I just remembered sitting a third, when you’ve seen the. IC tour of me walking across the blue room, and what the president whispered in my ear was “I really look forward to working with you.” So after those encounters —

WARNER: That was a few days before your firing.

COMEY: On the Sunday after the inauguration. The next Friday I have dinner and the president begins by wanting to talk about my job and so I’m sitting there thinking wait a minute three times we’ve already, you’ve already asked me to stay or talked about me staying. My common sense, again I could be wrong but my common sense told me what’s going on here is, he’s looking to get something in exchange for granting my request to stay in the job. [my emphasis]

Comey explained that — after already having been assured three times that he would remain in his position — Trump raised the issue anew in a private dinner. Comey didn’t say this, but this happened the day after Sally Yates first told White House Counsel Don McGahn that Mike Flynn had misrepresented his comments to Sergey Kislyak. And in that dinner, Trump implied that if Comey wanted to stay in the job he’d been offered three times already, he had to give Trump loyalty.

What I’m especially interested in is what Comey believed elicited this: Comey figured that “either [Trump] had concluded or someone [else] had told [Trump] that you didn’t, you’ve already asked Comey to stay, and you didn’t get anything for it” which is what led Trump to invite Trump for dinner.

Given the timing, it would be interesting all by itself if Trump had decided on his own to get some kind of commitment from Comey in order to keep his job, because it would make it far more likely that McGahn told Trump about Yates’ concerns.

But Comey testified that he thought that perhaps someone else went to Trump and suggested he should go back to Comey and try to demand loyalty to keep his job.

Who?

Does Comey think Mike Flynn did this? Don McGahn (which would be downright shocking)? Or did he think that one of the two people who lingered at the next weird meeting alone with Trump — Attorney General Sessions or Son-in-Law-in-Chief Jared Kushner — made the suggestion?

He didn’t say. But I find the suggestion that Comey believes someone may have — at the same time as DOJ was telling the White House that Mike Flynn was in trouble — encouraged Trump to go make demands from Comey.

Vladimir Putin Places a Bet in the Cryptocurrency Shadow Brokers Isn’t Using

/2 Comments/in /by

Back on June 1, I asked why Shadow Brokers had picked a new cryptocurrency to not make a profit with rather than Bitcoin. For its new leak of the month club, it started by asking for payment in Zcash, a currency with better privacy features. I speculated three possibilities:

First, currencies have been bouncing around in response to some of this stuff. So it’s possible this is an attempt to flood the market.

Certainly, too, the invocation of DARPA seems about increasing distrust, just as SB did in its efforts to increase the distrust between Microsoft and the government.

More interestingly, though, perhaps this is SB’s way of adding to the risk to NSA of any releases. While some people believe NSA has already disclosed all the vulnerabilities it believes SB to have (indeed, SB’s last post suggested as much as well), if there’s any doubt about that, by using a more secretive currency, it will add the risk to NSA of not knowing who has anything SB sells.

My first suggestion wasn’t very coherent: I meant it was possible SB’s backers were trying to drive up the value of one currency versus the other.

After I wrote that first post, SB decided to add Monero to its currencies of choice — though the way in which SB asked for payment here was even more fucked up than normal (if you’re assuming the goal is to actually obtain anonymous payment). As has been explained to me, the way SB asked for funds would leave the payment ID visible to the blockchain.

In any case, given that SB has now used three different currencies, all in ways that seem designed not to make any money, I find it very interesting that Vladimir Putin was sidling up to the founder of yet another cryptocurrency this week, talking about adopting it as a national model.

Putin met Ethereum founder Vitalik Buterin on the sidelines of the St. Petersburg Economic Forum last week and supported his plans to build contacts with local partners to implement blockchain technology in Russia, according to a statement on Kremlin’s website.

“The digital economy isn’t a separate industry, it’s essentially the foundation for creating brand new business models,” Putin said at the event, discussing means to boost growth long-term after Russia ended its worst recession in two decades.

Virtual currencies could help the economy by making transactions happen more quickly and safely online.

[snip]

Russia’s central bank has already deployed an Ethereum-based blockchain as a pilot project to process online payments and verify customer data with lenders including Sberbank PJSC, Deputy Governor Olga Skorobogatova said at the St. Petersburg event. She didn’t rule out using Ethereum technologies for the development of a national virtual currency for Russia down the road.

VEB, the bank that was cozying up to Jared Kushner, has also apparently integrated Ethereum into its business model.

Remember, too, SB hasn’t necessarily promised exploits. They’ve also suggested they might release more details on NSA’s hacking of SWIFT-related facilities, a financial regime that has been used to pressure Russia.

Along with all the other functions that SB seems to serve, is one of them about degrading potential competitor currencies?

What a Difference a Day Makes to the Privileges of a King

/21 Comments/in , , /by

As part of his testimony today, Jim Comey revealed he gave some or all of the nine memos he wrote documenting his interactions with President Trump to a friend, since confirmed to be Columbia Professor Dan Richman, who in turn shared one with the press.

COLLINS: Finally, did you show copies of your memos to anyone outside of the department of justice?

COMEY: Yes.

COLLINS: And to whom did you show copies?

COMEY: I asked — the president tweeted on Friday after I got fired that I better hope there’s not tapes. I woke up in the middle of the night on Monday night because it didn’t dawn on me originally, that there might be corroboration for our conversation. There might a tape. My judgement was, I need to get that out into the public square. I asked a friend of mine to share the content of the memo with a reporter. Didn’t do it myself for a variety of reasons. I asked him to because I thought that might prompt the appointment of a special counsel. I asked a close friend to do it.

COLLINS: Was that Mr. Wittes?

COMEY: No.

COLLINS: Who was it?

COMEY: A close friend who is a professor at Columbia law school.

The fact that Comey released the memo through Richman formed part of Trump lawyer Marc Kasowitz’s pushback after the hearing.

Of course, the Office of the President is entitled to expect loyalty from those who are serving in an administration, and, from before this President took office to this day, it is overwhelmingly clear that there have been and continue to be those in government who are actively attempting to undermine this administration with selective and illegal leaks of classified information and privileged communications. Mr. Comey has now admitted that he is one of the leakers.

Today, Mr. Comey admitted that he unilaterally and surreptitiously made unauthorized disclosures to the press of privileged communications with the President. The leaks of this privileged information began no later than March 2017 when friends of Mr. Comey have stated he disclosed to them the conversations he had with the President during their January 27, 2017 dinner and February 14, 2017 White House meeting. Today, Mr. Comey admitted that he leaked to his friends his purported memos of these privileged conversations, one of which he testified was classified. He also testified that immediately after he was terminated he authorized his friends to leak the contents of these memos to the press in order to “prompt the appointment of a special counsel.” Although Mr. Comey testified he only leaked the memos in response to a tweet, the public record reveals that the New York Times was quoting from these memos the day before the referenced tweet, which belies Mr. Comey’s excuse for this unauthorized disclosure of privileged information and appears to [sic] entirely retaliatory.

Kasowitz gets a lot wrong here. Comey said one memo was classified, but that’s the memo that memorialized the January 6 meeting, not the ones described here. And the NYT has already corrected the claim that the shared memos preceded the tweet.

And, as a number of people (including Steve Vladeck) have noted, even if this information were covered by executive privilege, even if that privilege weren’t waived with Trump’s tweet, it’s not a crime to leak privileged information.

Nevertheless, Kasowitz’ focus on purportedly privileged documents is all the more interesting given the pathetic conduct of Director of National Intelligence Dan Coats and NSA Director Mike Rogers at yesterday’s 702 hearing. After a great deal of obfuscation from both men about why they couldn’t answer questions about Trump’s request they intervene in the FBI’s Mike Flynn investigation, Angus King finally got Rogers to admit that he and Coats never got a conclusive answer about whether the White House was invoking privilege.

King: I think you testified, Admiral Rogers, that you did discuss today’s testimony with someone in the White House?

Rogers: I said I asked did the White House intend to invoke executive privilege with respect to interactions between myself and the President of the United States.

King: And what was the answer to that question?

Rogers: To be honest I didn’t get a definitive answer. Both myself and the DNI are still talking–

King: So then I’ll ask both of you the same question. Why are you not answering these questions? Is there an invocation by the President of the United States of executive privilege? Is there or not?

Rogers: Not that I’m aware of.

King: Then why are you not answering the question?

Rogers: Because I feel it is inappropriate, Senator.

King: What you feel isn’t relevant Admiral. What you feel isn’t the answer. The question is why are you not answering the questions. Is it an invocation of executive privilege? If there is, then let’s know about it, and if there isn’t answer the questions.

Rogers: I stand by the comments I’ve made. I’m not interested in repeating myself, Sir. And I don’t mean that in a contentious way.

King: Well I do mean it in a contentious way. I don’t understand why you’re not answering our questions. When you were confirmed before the Armed Services Committee you took an oath, do you solemnly swear to give the committee the truth, the full truth and nothing but the truth. You answered yes to that.

Rogers: I do. And I’ve also answered that those conversations were classified. It is not appropriate in an open forum to discuss those classified conversations.

King: What is classified about a conversation about whether or not you should intervene in the FBI investigation?

Rogers: Sir I stand by my previous comments.

King: Mr. Coats? Same series of questions. What’s the basis for your refusal to answer these questions today?

Coats: The basis is what I’ve previously explained, I do not believe it is appropriate for me to–

King: What’s the basis? I’m not satisfied with I do not believe it is appropriate or I do not feel I should answer. I want to understand a legal basis. You swore that oath to tell us the truth, the whole truth, and nothing but the truth, and today you are refusing to do so. What is the legal basis for your refusal to testify to this committee?

Coats: I’m not sure I have a legal basis.

In other words, these men admit they had no legal basis (they’re not classified, no matter what Rogers claimed) to dodge the Committee’s question. But nevertheless they’re invoking things like their feelings to avoid testifying.

Clearly, the White House is playing a game here, invoking loyalty rather than law to compel silence from its top officials.

Kasowitz’ claims are, on their face, bogus. But taken in conjunction with the dodges from Coats and Rogers, they’re all the more problematic.

 

Comey and Friends Expected Jeff Sessions to Recuse by February 14

/32 Comments/in /by

Here’s another detail from Jim Comey’s testimony that deserves more attention. On February 14, the day that President Trump asked Comey to drop the investigation into Mike Flynn, Comey and his aides expected Jeff Sessions to recuse himself from the investigation.

We also concluded that, given that it was a one-on-one conversation, there was nothing available to corroborate my account. We concluded it made little sense to report it to Attorney General Sessions, who we expected would likely recuse himself from involvement in Russia-related investigations. (He did so two weeks later.) [my emphasis]

Obviously, Sessions should have recused in any case, since he was involved in the campaign. But Comey specifically framed this as “Russia-related investigations,” not Trump investigations generally. Comey doesn’t say why the top people at FBI believed he would recuse, but by this point, the FBI would have pulled all intercepts involving Sergey Kislyak, so would have discovered ones reflecting conversations with Sessions.

In any case, to have that belief, the FBI presumably had already talked to Sessions about his conflicts with the Russian investigation.

That’s consistent with something Sessions said in his recusal statement. He describes the recusal process as a several week series of meetings.

During the course of the last several weeks, I have met with the relevant senior career Department officials to discuss whether I should recuse myself from any matters arising from the campaigns for President of the United States.

Having concluded those meetings today, I have decided to recuse myself from any existing or future investigations of any matters related in any way to the campaigns for President of the United States.

Yet it took two more weeks (actually, 16 days) for Sessions to recuse, which suggests he didn’t do it just for the election-related reasons, and didn’t do it when FBI first talked to him about it. He only did it once the leaks about his ties to Kislyak came out.

Given Trump’s reported continued rage at Sessions for recusing — so much so he’s considering firing him (do it!!!) — I find that very significant. It makes it more likely that Sessions and Trump spoke about a potential recusal in the interim weeks, and more likely that Trump thought he had a plan in place to kill any investigation that Sessions recusal killed.