What Claims Did the Intelligence Community Make about the Paris Attack to Get the White House to Change on Encryption?

I’m going to do a series of posts laying out the timeline behind the Administration’s changed approach to encryption. In this, I’d like to make a point about when the National Security Council adopted a “decision memo” more aggressively seeking to bypass encryption. Bloomberg reported on the memo last week, in the wake of the FBI’s demand that Apple help it brute force Syed Rizwan Farook’s work phone.

But note the date: The meeting at which the memo was adopted was convened “around Thanksgiving.”

Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install “backdoors” in their software — secret listening posts where investigators could pierce the veil of secrecy on users’ encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B.

In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.’s iPhone, the marquee product of one of America’s most valuable companies, according to two people familiar with the decision.

The approach was formalized in a confidential National Security Council “decision memo,” tasking government agencies with developing encryption workarounds, estimating additional budgets and identifying laws that may need to be changed to counter what FBI Director James Comey calls the “going dark” problem: investigators being unable to access the contents of encrypted data stored on mobile devices or traveling across the Internet. Details of the memo reveal that, in private, the government was honing a sharper edge to its relationship with Silicon Valley alongside more public signs of rapprochement. [my emphasis]

That is, the meeting was convened in the wake of the November 13 ISIS attack on Paris.

We know that last August, Bob Litt had recommended keeping options open until such time as a terrorist attack presented the opportunity to revisit the issue and demand that companies back door encryption.

Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Litt was commenting on a draft paper prepared by National Security Council staff members in July, which also was obtained by The Post, that analyzed several options. They included explicitly rejecting a legislative mandate, deferring legislation and remaining undecided while discussions continue.

It appears that is precisely what happened — that the intelligence community, in the wake of a big attack on Paris, went to the White House and convinced them to change their approach.

So I want to know what claims the intelligence community made about the use of encryption in the attack that convinced the White House to change approach. Because there is nothing in the public record that indicates encryption was important at all.

It is true that a lot of ISIS associates were using Telegram; shortly after the attack Telegram shut down a bunch of channels they were using. But reportedly Telegram’s encryption would be easy for the NSA to break. The difficulty with Telegram — which the IC should consider seriously before they make Apple back door its products — is that its offshore location probably made it harder for our counterterrorism analysts to get the metadata.

It is also true that an ISIS recruit whom French authorities had interrogated during the summer (and who warned them very specifically about attacks on sporting events and concerts) had been given an encryption key on a thumb drive.

But it’s also true the phone recovered after the attack — which the attackers used to communicate during the attack — was not encrypted. It’s true, too, that French and Belgian authorities knew just about every known participant in the attack, especially the ringleader. From reports, it sounds like operational security — the use of a series of burner phones — was more critical to his ability to move unnoticed through Europe. There are also reports that the authorities had a difficult time translating the dialect of (probably) Berber the attackers used.

From what we know, though, encryption is not the reason authorities failed to prevent the French attack. And a lot of other tools that are designed to identify potential attacks — like the metadata dragnet — failed.

I hate to be cynical (though comments like Litt’s — plus the way the IC used a bogus terrorist threat in 2004 to get the torture and Internet dragnet programs reauthorized — invite such cynicism). But it sure looks like the IC failed to prevent the November attack, and immediately used their own (human, unavoidable) failure to demand a new approach to encryption.

Update: In testimony before the House Judiciary Committee today, Microsoft General Counsel Brad Smith repeated a claim MSFT witnesses have made before: they provided Parisian law enforcement email from the Paris attackers within 45 minutes. That implies, of course, that the data was accessible under PRISM and not encrypted.

The Latest 60 Minutes Propaganda: We Need a Crypto Back Door because ISIS Is “Coming Here” with WMD

It has been clear for several years now that 60 Minutes has become a propaganda vehicle for the intelligence community (post, post, post). So it was unsurprising that John Brennan was given an opportunity to fearmonger last night without pesky people like Ron Wyden around pointing out that CIA itself poses a threat, even according to the terms laid out by the Intelligence Community.

I find the timing and content of John Brennan’s appearance of note.

The first segment (indeed the first words!) of the appearance did two things: first conflate ISIS-inspired attacks with ISIS-directed ones to suggest the terrorist organization might strike in the US.

Scott Pelley: Is ISIS coming here?

John Brennan: I think ISIL does want to eventually find its, its mark here.

Scott Pelley: You’re expecting an attack in the United States?

John Brennan: I’m expecting them to try to put in place the operatives, the material or whatever else that they need to do or to incite people to carry out these attacks, clearly. So I believe that their attempts are inevitable. I don’t think their successes necessarily are.

Here’s how the global threat testimony from last week, which really serves as temporal justification for Brennan’s appearance, carried out a similar though more nuanced conflation of ISIS’ aspirations with the aspirational plots here in the US.

The United States will almost certainly remain at least a rhetorically important enemy for most violent extremists in part due to past and ongoing US military, political, and economic engagement overseas. Sunni violent extremists will probably continually plot against US interests overseas. A smaller number will attempt to overcome the logistical challenges associated with conducting attacks on the US homeland. The July 2015 attack against military facilities in Chattanooga and December 2015 attack in San Bernardino demonstrate the threat that homegrown violent extremists (HVEs) also pose to the homeland. In 2014, the FBI arrested approximately one dozen US-based ISIL supporters, in 2015, that number increased to approximately five dozen arrests. These individuals were arrested for a variety of reasons, predominantly for attempting to provide material support to ISIL.

Both Brennan and the threat testimony slide carefully from ISIS itself overcoming the logistical problems of attacking here to the far smaller ISIS-inspired attacks.

After having suggested ISIS wants to attack the US, Pelley then led Brennan to overstate the degree to which the Paris attackers hid behind encryption.

Scott Pelley: What did you learn from Paris?

John Brennan: That there is a lot that ISIL probably has underway that we don’t have obviously full insight into. We knew the system was blinking red. We knew just in the days before that ISIL was trying to carry out something. But the individuals involved have been able to take advantage of the newly available means of communication that are–that are walled off, from law enforcement officials.

Scott Pelley: You’re talking about encrypted Internet communications.

John Brennan: Yeah, I’m talking about the very sophisticated use of these technologies and communication systems.

From all the reports thus far, ISIS achieved what little obscurity they had primarily through burner devices, not through encryption (not to mention the fact that French authorities got an encryption key from someone who had decided against carrying out an ISIS attack the summer before this attack). And while Jim Comey revealed that FBI had not yet cracked one of several phones used by the San Bernardino attackers (who were not directed by ISIS and may have only invoked it for their own obscurantist purposes), the threat testimony pointed to social media as being as big a concern as encryption (most of what ISIS uses is fairly weak).

Terrorists will almost certainly continue to benefit in 2016 from a new generation of recruits proficient in information technology, social media, and online research. Some terrorists will look to use these technologies to increase the speed of their communications, the availability of their propaganda, and ability to collaborate with new partners. They will easily take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.

Finally — still in the first segment!!! — Pelley invites Brennan to suggest that limited reports that ISIS has used chemical weapons in Syria mean they might use them here.

Scott Pelley: Does ISIS have chemical weapons?

John Brennan: We have a number of instances where ISIL has used chemical munitions on the battlefield.

Scott Pelley: Artillery shells.

John Brennan: Sure. Yeah.

Scott Pelley: ISIS has access to chemical artillery shells?

John Brennan: Uh-huh (affirm). There are reports that ISIS has access to chemical precursors and munitions that they can use.

The CIA believes that ISIS has the ability to manufacture small quantities of chlorine and mustard gas.

Scott Pelley: And the capability of exporting those chemicals to the West?

John Brennan: I think there’s always the potential for that. This is why it’s so important to cut off the various transportation routes and smuggling routes that they have used.

Compare Brennan’s suggestion that ISIS may be manufacturing CW with the threat testimony note that two people have been exposed to mustard gas, though with far more widespread allegations of such use.

We assess that non state actors in the region are also using chemicals as a means of warfare. The OPCW investigation into an alleged ISIL attack in Syria in August led it to conclude that at least two people were exposed to sulfur mustard. We continue to track numerous allegations of ISIL’s use of chemicals in attacks in Iraq and Syria, suggesting that attacks might be widespread.

Now, I’ll grant you that Brennan much more carefully dodges here than Dick Cheney ever used to. But it’s pure fear-mongering — especially in the wake of the Oregon standoff that makes it clear domestic extremists are not only every bit as motivated as ISIS wannabes, but better trained and equipped. And fear-mongering using Dick Cheney’s favorite techniques (albeit with the added kicker of crypto fear-mongering).

And it all happened as Brennan’s buddies the Saudis are pretending to (finally) join the fight against ISIS in what is a fairly transparent attempt to prevent Russian-backed Syrian forces from gaining a crucial advantage in Syria. That is, this fairly crass fear-mongering is likely directed at Assad as much as it is ISIS.

Tuesday Morning: The Fat One You’ve Awaited

Mardi Gras. The day before Ash Wednesday. Fat Tuesday. In Brazil, it’s Carnival — plenty of parades with costumed dancers and samba. In New Orleans, it means king cake, beads, and more parades, but here in Michigan, it means pączki. No parades in the snow, just an icy trek to the Polish bakery for some decadent sweets we get but once a year.

I’m still drafting this, too much stuff to weed through this morning. I’ll update as I write. Snag a cup of joe and a pączki while you wait. Make mine raspberry filled, please!

Economic indicators say “Maybe, Try Again”
Asian and European stock markets were a mess this morning. There’s no sign of an agreement between OPEC nations on production and pricing, which may lead to yet more floundering in the stock market. Yet one indicator — truck tonnage on the roads — doesn’t show signs of a recession in the U.S.

UK court cases topsy-turvy: LIBOR Six and a secret trial

  • UK can’t hold the LIBOR Six bankers accountable for their part in the 2008 economic crisis because the prosecution was sloppy. It’s pretty bad when a defense attorney asks if the prosecution was “making this up as they go along.”
  • The article’s first graf is a warning:

    Warning: this article omits information that the Guardian and other news organisations are currently prohibited from publishing.

    The case, R v Incedal and Rarmoul-Bouhadjar, continues to look like a star chamber, with very little information available to the public about the case. The accused have been charged and served time, but the media has been unable to freely access information about the case, and their appeal has now been denied. A very ugly precedent for a so-called free country.

Facebook: French trouble, and no free internet in India

  • Shocked, SHOCKED, I am: French regulators told Facebook its handling of users’ data didn’t sufficiently protect their privacy. The Commission nationale de l’informatique et des libertés (CNIL) told the social media platform it has three months to stop sharing users’ data with U.S. facilities for processing. CNIL also told Facebook to stop tracking non-Facebook users without warning them.
  • The Indian government told Facebook thanks, but no thanks to its Free Basics offering, a so-called free internet service. The service ran afoul of net neutrality in that country as it implicitly discouraged users from setting up sites outside Facebook’s platform. Many users did not understand there was a difference between Facebook and the internet as a whole. Mr. Zuckerberg really needs to study the meaning of colonialism, and how it might pertain to the internet in emerging markets.

Boy kicked out of school because of his DNA
This is a really sad story not resolved by the Genetic Information Nondiscrimination Act (GINA). The boy has cystic fibrosis; his parents informed the school on his paperwork, as they should in such cases. But because of the risks to the boy or his siblings with similar genes, the boy was asked to leave. GINA, unfortunately, does not protect against discrimination in education, only in healthcare and employment. This is a problem Congress should take up with an amendment to GINA. No child should be discriminated against in education because of their genes over which they have no control, any more than a child should be discriminated against because of their race, gender identity, or sexuality.

All right, get your party on, scarf down the last of your excess sweets, for tomorrow is sackcloth and ashes. I can hardly wait for the sugar hangover to come.

Superb Owl: Keeping Eye on Fans and More?

If humans could see the full spectrum of radiation, the San Francisco Bay Area would shine bright like the sun this evening — not from lighting, but from communications. The Super Bowl concentrates more than 100,000 people, most of whom will have a wireless communications device on their person — cellphone, phablet, or tablet. There are numerous networks conveying information on the field, in the stands, and to the fans watching globally on television and the internet.

And all of the communications generate massive amounts of data surely monitored in some way, no matter what our glorious government may tell us to the contrary. The Super Bowl is a National Special Security Event (NSSE), rated with a Special Event Assignment Rating (SEAR) level 1. The designation ensures the advance planning and involvement of all the three-letter federal agencies responsible for intelligence and counterterrorism you can think of, as well as their state and local counterparts. They will be watching physical and electronic behavior closely.

Part of the advance preparation includes establishing a large no-fly zone around the Bay Area. Non-government drones will also be prohibited in this airspace.

What’s not clear to the public: what measures have been taken to assure communications continuity in the same region? Yeah, yeah — we all know they’ll be watching, but how many of the more than one million visitors to the Bay Area for the Super Bowl are aware of the unsolved 15 or 16 telecom cable cuts that happened over the last couple of years? What percentage of local residents have paid or are paying any attention at all to telecommunications infrastructure, or whether crews “working” on infrastructure are legitimate or not?

Planning for a SEAR 1 event begins almost as soon as the venue is announced — perhaps even earlier. In the case of Super Bowl 50, planning began at least as early as the date the game was announced nearly 34 months ago on March 28th, 2014. The Levi’s stadium was still under construction as late as August that same year.

And the first cable cut event happened nearly a year earlier, on April 16, 2013 — six months after Levi’s Stadium was declared one of two finalists to host the 50th Super Bowl, and one month before Levi’s was awarded the slot by NFL owners.

News about a series of 11 cable cuts drew national attention last summer when the FBI asked for the public’s assistance.  These events happened to the east of San Francisco Bay though some of them are surely inside the 32-mile radius no-fly zone observed this evening.

But what about the other cuts which took place after April 2013, and after the last of 11 cuts in June 2015? News reports vary but refer to a total of 15 or 16 cuts about which law enforcement has insufficient information to charge anyone with vandalism or worse. A report last month quotes an FBI spokesperson saying there were 15 attacks against fiber optic cable since 2014. Based on the date, the number of cuts excludes the first event from April 2013, suggesting an additional four cuts have occurred since June 2015.

Where did these cuts occur? Were they located inside tonight’s no-fly zone? Will any disruption to communications services be noticed this evening, when so many users are flooding telecommunications infrastructure? Will residents and visitors alike even notice any unusual technicians at work if there is any disruption?

Keep your eyes peeled, football fans.

What Would It Take for the Government to Obtain Google’s Counter-Terror Ads Algos?

Some weeks ago, the government went to Silicon Valley to ask for new ways to counter ISIS’ propaganda. We’re now seeing the response to that request, with the report that Google will show positive ads when people search for extremist content.

In a new development, Google said it’s testing ways to counter extremist propaganda with positive messages on YouTube and in Google search results.

Google executive Anthony House told MPs that taking extremist videos down from YouTube isn’t enough, and people searching for that content should be presented with competing narratives:

We should get the bad stuff down, but it’s also extremely important that people are able to find good information, that when people are feeling isolated, that when they go online, they find a community of hope, not a community of harm.

There are two programs being tested by Google to make sure the positive messages are seen by people seeking out extremist content: one to make sure the “good” kind of videos are easily found on YouTube; and another to display positive messages when people search for extremist-related terms.

The second program involves giving grants to nonprofit organizations to use Google AdWords to display competing ads alongside the search results for those extremist-related terms.

If Google wants to do this, that’s fine.

But I’m wondering about the legal standard here. It’s unclear whether Google will only show these “positive” ads (whoever and however that gets defined) when people search for “extremist” content, or whether they’ll show Google ads to those whose email content reflects an interest in “extremist” material.

In both cases, however, Google will use material that counts as “content” to decide to show these ads.

And then what happens? That is, what happens to Google’s records determining that these users should get that content? Do the records, stripped of the content itself, count as a third party record that can be obtained with a subpoena? Or do they count as content?

Congress hasn’t passed legislation requiring tech companies to report their terrorist users. But does having Google use its algorithms to determine who is an extremist give the government a way to find out who Google thinks is an extremist?

Dzhokhar Tsarnaev’s Yahoo Warrant

The government has started unsealing a bunch of previously sealed documents from the Boston Marathon investigation. In this post I wanted to comment on a motion to suppress the evidence from a Yahoo, Google, and computer search.

There are two interesting details in it. The FBI got a warrant for both Tsarnaev brothers’ Yahoo email on April 19, 2013, while Dzhokhar was still bleeding out in a boat in Watertown. The warrant basically got everything connected with the account, and then permitted the government to search both the contents and metadata for a list of things:

1. All communications between or among Tamerian [sic] Tsarnaev and Dzhokhar Tsarnaev;

2. All communications pertaining to the Boston Marathon, explosives, bombs, the making of improvised explosive devices, firearms, and potential people and places against which to use firearms, explosives or other destructive devices.;

3. The identity of the person or persons who have owned or operated the [email protected] and [email protected] e-mail accounts or any associated e-mail accounts;

4. The data described in paragraphs II(A)(3)-(5), above [i.e., the contents of all electronic data files, whether word-processing, spreadsheet, image, video, or any other content, calendar data, and lists of friends, buddies, contacts, or other subscribers].

6. [sic] The existence and identity of any co-conspirators;

7. The travel or whereabouts of the person or persons who have owned or operated the [email protected] and [email protected] e-mail accounts or any associated email accounts;

8. The identity, location, and ownership of any computers used to access these e-mail accounts;

9. Other e-mail or Internet accounts providing Internet access or remote data storage or e-commerce accounts;

10. The existence or location of physical media storing electronic data, such as hard drives, CD- or DVD-ROMs, or thumb drives; and

11. The existence or location of paper print-outs of any data from any of the above.

The motion went on to explain that item 4, above, included the following:

3. The contents of all electronic data files, whether word-processing, spreadsheet, image, video, or any other content;

4. The contents of all calendar data;

5. Lists of friends, buddies, contacts, or other subscribers.

I’m interested in this because the full list — including whatever other items were included in item 4 and whatever was originally numbered 5 — probably resembles what the government would get from Yahoo under PRISM, and therefore answers questions I raised in this post about how the government requests under PRISM to Yahoo expanded between August 2007 and January 2008. The calendar and buddy lists are unsurprising (indeed, we know NSA used to steal that stuff in the clear). But I’m also interested in how many of the initial list address hardware, which suggests one thing they’re likely getting under PRISM is mapping of such hardware. Also note the location-data of both the person using the account and the hardware associated with its use.

The other interesting detail is that the government didn’t go after Dzhokhar’s other Internet accounts until July 3, 2013, after he’d already been indicted.

On July 3, 2013, after the grand jury had returned its indictment against Mr. Tsarnaev, the government sought search warrants for multiple providers, including Google, Facebook, YouTube, Twitter, Instagram, and Skype.

The motion doesn’t say whether or not the government had already obtained the call detail records from these accounts, which it could have gotten with an administrative subpoena. It also doesn’t include Vkontakte (which would have required an MLAT process), which both brothers used.

I’m most interested in this, however, because it means the government didn’t go after Skype until over two months into the investigation. Remember: Dzhokhar had relied entirely on Skype for his “calling” for several weeks leading up to the attack, between the time his iPhone got shut down and the time he got a burner for use in the attack. So I find the delay of interest.

Of course, these Internet communications platforms are all things we believe the government dragnets the metadata of overseas.  I assume they got call detail records using an Administrative subpoena, but technically it’s the kind of thing they might not have needed to do.

Update: Nick Weaver pulled the warrant itself. Here’s the section on connection logs.

User connection logs for any connections to or from these and any associated e-mail accounts, including:

a. Connection time and date;

b. Disconnect time and date;

c. The IP address that was used when the user connected to the service;

d. Source and destination of any e-mail messages sent from or received by the account, and the date, time, and length of the message; and

e. Any address to which e-mail was or is to be forwarded from the account or e-mail address.

Update: Here’s a list of what has been released so far. Fox says they’ll update as things get unsealed here.

In Response to Continued Resonance of Awlaki Videos, US Relaunched Social Media Propaganda Campaign

As far as we know, the perpetrators of the November attack on Paris were radicalized by each other, in specific neighborhoods in Europe.

According to the complaint filed against Enrique Marquez, the friend who got him guns, Syed Rizwan Farook adopted radical beliefs after consuming the lectures, videos, and magazine of Anwar al-Awlaki. In fact, Farook and Marquez moved towards planning an attack in 2011, in the immediate wake of the drone killing of Awlaki and his son. As to Tashfeen Malik, Farook’s wife, while she did some searches on ISIS just before Farook started an attack on his workplace, public reporting suggests that like the French terrorists, she adopted extreme beliefs through relationships formed in brick and mortar life.

Nevertheless, in response to the anxiety produced by these attacks, the Obama Administration is rolling out yet another propaganda campaign against ISIS. As part of it, it shifts the approach to funding NGOs to do the propaganda work, something I argued any such efforts should be doing in a piece for Vice this week. Though as I noted, any such effort needs to stop countering ISIS propaganda and instead offer a positive vision that will be meaningful to those with grievances. That was one of the things included in a briefing to Silicon Valley today.

There is also a need for more credible positive messaging and content that provides alternatives to young people concerned about many of the grievances ISIL highlights

The other part of the campaign is a bit sillier. The Administration asked for tech companies to do things like measuring resonance of ISIL messages.

Some have suggested that a measurement of level of radicalization could provide insights to measure levels of radicalization to violence. While it is unclear whether radicalization is measurable or could be measured, such a measurement would be extremely useful to help shape and target counter-messaging and efforts focused on countering violent extremism. This type of approach requires consideration of First Amendment protections and privacy and civil liberties concerns, additional front-end research on specific drivers of radicalization and themes among violent extremist populations, careful design of intervention tools, dedicated technical expertise, and the ability to iteratively improve the tools based on experience in deploying them. Industry certainly has a lot of expertise in measuring resonance in order to see how effective and broad a messaging campaign reaches an audience. A partnership to determine if resonance can be measured for both ISIL and counter-ISIL content in order to guide and improve and more effectively counter the ISIL narrative could be beneficial.

This seems to be a problematic approach both because this should be the intelligence community’s job and because they’re supposed to be pretending this isn’t about focusing on Muslims. Plus, as I noted, the recent big attacks weren’t primarily about social media. More importantly, Jim Comey has testified that the social media companies already are helpful.

Comey, apparently, only went along to demand encryption — and it showed up in the briefing document shared at the meeting.

In addition to using technology to recruit and radicalize, terrorists are using technology to mobilize supporters to attack and to plan, move money for, coordinate, and execute attacks. The roles played by terrorist leaders and attack plotters in this activity vary, ranging from providing general direction to small groups to undertake attacks of their own design wherever they are located to offering repeated and specific guidance on how to execute attacks. To avoid law enforcement and the intelligence community detecting their activities, terrorists are using encrypted forms of communications at various stages of attack plotting and execution. We expect terrorists will continue to use technology to mobilize, facilitate, and operationalize attacks, including using encrypted communications where law enforcement cannot obtain the content of the communication even with court authorization. We would be happy to provide classified briefings in which we could share additional information.

While Apple was at this meeting, some of the other key players the government would have to address about encryption were not, making this appeal rather silly.

And note the seduction here: the government wants to tell the tech companies how extremists (they really mean only ISIS) are using encryption, but they’re only willing to do so in a classified setting. That would make it harder to counter the bogus claims the government has repeatedly been caught making.

Ultimately, the Administration seems to have no awareness of another of the key problems. They recognize that ISIS’ propaganda is splashy. But they accord no responsibility to mainstream media for magnifying it.

[T]here is a shortage of compelling credible alternative content; and this content is often not as effectively produced or distributed as pro-ISIL content and lacks the sensational quality that can capture the media’s attention.

If the government is going to ask the private sector to do their part, why aren’t they on a plane demanding that CNN stop fear-mongering all the time, both magnifying the effect of ISIS’ propaganda and increasing the polarization between Muslims and right wingers? If CNN can’t be asked to adjust its business model to stop empowering terrorists, why is Silicon Valley being asked to, when the latter are more central to baseline security?

Update: Here’s a list of participants.

Denis McDonough, White House Chief of Staff

Lisa Monaco, Assistant to the President for Homeland Security & Counter Terrorism

Todd Park, White House Advisor for Technology

Megan Smith, White House Chief Technology Officer

Loretta Lynch, Attorney General

James Clapper, Director, National Intelligence

James Comey, Director, FBI

Tony Blinken, Deputy Secretary, Department of State

Mike Rogers, Director of the National Security Agency

Jeh Johnson, Secretary of Homeland Security

The 18-Minute Gap

The FBI had a press conference today to ask for help filling in the last 18 minutes of the 4-hour gap between the time San Bernardino killer Syed Rizwan Farook and his wife, Tashfeen Malik, shot up his holiday party and the time cops killed them in a shootout.

In the absence of any other evidence the couple worked with a more organized group, the FBI wants to make sure the couple didn’t do anything in that 18-minute window that would indicate some kind of cooperation.

[A]mid signs that the investigation is slowing down, they issued a public appeal for help from anyone who might have information on what the couple, Syed Rizwan Farook and Tashfeen Malik, did from 12:59 p.m. to 1:17 p.m. on Dec. 2, perhaps in the form of a witness sighting or an image by a stray surveillance camera.

[snip]

Officials said Mr. Farook left his home at 8:37 a.m. and arrived at the Inland Regional Center, where co-workers were attending a morning training session and a holiday party, at 8:47 a.m. They said he left at 10:37 a.m., leaving behind a knapsack filled with pipe bombs that were never detonated. He returned at 10:56 with Ms. Malik and opened fire, leaving 14 people dead and 22 injured.

From there, the couple went to Seccombe Lake, which is a short drive from the Inland Regional Center. F.B.I. divers searched the lake last month and found no items related to the investigation.

[snip]

Mr. Bowdich said the couple spent most of the four hours after the attack driving.

“A lot of zigzagging around, going back and forth on the highway, going up and down,” he said. “There is no rhyme or reason to it that we can find yet. Maybe that 18-minute gap closes that gap, maybe it doesn’t.”

Frankly, I’m more interested in why the FBI doesn’t have cell phone tracking data from this period, especially given that they clearly have it from after the 18 minute gap. I asked on Twitter today but none of the journalists who covered this presser seem to have asked that obvious question (though there seems to be a map indicating some kind of cell tracking).

If they shut off their phones or otherwise hid their tracks, it would suggest some importance to whatever they were doing in that 18 minute gap.

One thing the FBI didn’t say, nor any of the crack reports I saw covering the press conference, is that the 18 minute gap — from 12:59 p.m. to 1:17 — happens to coincide with a period when Farook’s now arrested buddy, Enrique Marquez, was not captured on his employers’ closed circuit video.

Frankly, that’s not the most interesting possibility for the couple’s actions in that window (and I don’t know whether Marquez’ employer was in the geographical window where the couple may have been).

But as I noted, Marquez’ claims to have dissociated from Farook after they planned a terrorist attack in 2012 don’t accord with the fact that he fake-married Farook’s brother’s sister-in-law.

The San Bernardino Complaint

After some conflicting reports today about what would happen to Enrique Marquez — the longtime friend of San Bernardino killer Syed Rizwan Farook, who purchased two guns used in the attack — DOJ charged Marquez on a 3-count complaint, including conspiring to materially support terrorism associated with a contemplated 2012 attack he and Farook started planning in the weeks after Anwar al-Awlaki got executed. Marquez had been cooperating for 10 days without a lawyer until yesterday (he almost demanded a lawyer part way into the first day, but was persuaded he didn’t need one). It’s unclear whether he stopped cooperating or the FBI just got bored interrogating him before charging him today.

Marquez’ apparent panic on December 2-3

In spite of the fact that Marquez supplied the gun and, the government says, the smokeless powder used in the couple’s pipe bomb, and in spite of the fact that he was raving about terrorist attacks on Facebook almost a month before the attack, the government claims to believe Marquez that he didn’t know about it beforehand.

Given the timeline in the complaint, Marquez could not have been involved in the attack on the Christmas party, though he did take lunch during the period when the couple was on the run. The timeline after that is not provided: In a short period of time (though after midnight the day of the attack), he called 911, checked himself into the hospital (both times admitting he was Farook’s friend), and missed the immigration interview for his fake marriage, which will lead his fake wife (the sister of Farook’s brother’s wife) to be deported to Russia.

Did Farook stop planning an attack between 2012 and 2015?

After Farook and Marquez called off the 2012 attack, Marquez claims he drifted apart from Farook (though how that’s consistent with fake-marrying his sister-in-law’s sister, I don’t know).

After having given extensive details of Farook’s, and through him, Marquez’ embrace of extremist culture up until 2012, the complaint goes silent about what Farook was consuming, raising questions for me about whether he continued to plan, or resumed plans after Tashfeen Malik came to the US.

One thing that raises questions for me is the powder allegedly used in the pipe bomb intended to go off in the attack. Early on, the complaint claims the pipe bomb was “ready to detonate” ¶16. Later, it makes it clear the pipe bomb malfunctioned. Immediately after explaining that it had malfunctioned (without providing the details included in a report on why it might have), the complaint ties the smokeless powder to Marquez’ purchase (for which no purchase record appears in the complaint) in 2012.

One obvious explanation for why the pipe bombs didn’t go off (aside from the fact they used a really simple Inspire recipe) is that the powder was over 4 years old by the time of the attack. Given that they had considered using bombs for the 2012 attack, the container was likely opened. Which leaves open the possibility it had degraded.

If you’re planning a new attack — and spending money to train all through that period — why not buy new powder to ensure your bomb goes off?

But there’s a counterpoint having to do with Farook’s apparently meticulous accounting for the attack, which he called a wedding. Farook did a spreadsheet (FBI found it on a thumb drive) of his planned attack in 2011-2012, with the earliest date October 29 and the latest presumed to be January 2, 2012. The spreadsheet tracks payments for a number of things, including one of the two guns Marquez bought, as well as gun range sessions and other equipment. It stops before the purchase of the second gun (which was purchased February 22, 2012) and doesn’t resume leading up to the 2015 attack.

So either Farook got bored playing terror accountant, or there’s a continuation of this spreadsheet, but we don’t know how long. There have been reports that FBI is still looking for a hard drive missing from the house, so it’s quite possible a continuation of the spreadsheet carried on, perhaps up to the present, tracking all the money spent on shooting practice. But why track this stuff? Was someone reimbursing him? And why put it on a thumb drive?

Malik’s ISIS surfing

Which brings me to the thing most outlets are focusing on, Malik’s statement of allegiance to ISIS. I have always thought this statement felt like an attempt to distract (which, if it was, it succeeded), and the description in the complaint only makes me wonder more.

The timeline in the complaint shows Malik searching for info on ISIS literally the minute before her husband arrived at the Christmas party.

And it shows a post on a “Facebook page associated with Malik” (when the complaint talks about Marquez’ Facebook they described his verified account, though Malik is not the one being charged here) posting allegiance to Abu Bakr al-Baghdadi just 16 minutes after the SUV returned to the county center.

There’s no other mention of ISIS in the complaint (or, for that matter, what other radical Islamic propaganda the couple were consuming between 2012 and 2015).

How many involved in the shooting

Finally there’s a small but, given initial reports there were three people involved in the shooting at the county center, potentially significant discrepancy. Early in the complaint, the FBI describes two individuals conducting the shooting.

Whereas later the complaint is not so sure how many people there were.

There were reports that survivors recognized Farook when the shooting started, which says if there was just one shooter, it was him. But at least given what we know, there’d be no reason for Malik to stay in the SUV, as there’s no reason to believe she drove (she had no driver’s license mentioned, and of course lived much of her life in Saudi Arabia). Remember, too, there were four guns total used in the attack.

On Intent, Mental Health, and Terrorism

In thoroughly unsurprising news, Joshua Ryne Goldberg was declared unfit to stand trial yesterday.

Goldberg is the Jewish guy who pretended to be a lot of things online, many of them anti-Jewish, but who had a role in the incitement of the Garland, TX attack and got busted for sending an informant instructions on how to build a bomb and encouraging him to bomb Kansas City’s 9/11 commemoration.

Joshua Goldberg is a troll. But he has liaised with IS supporters and called for terrorist attacks against the West. Police who arrested him on Friday morning Australian time said he had recently instructed a confidential source on how to make a bomb.

And even before his recent exploits, Goldberg’s dangerous social media fantasies may have had real-world consequences. An Australi Witness tweet in the lead up to an exhibition of pictures of the Prophet Mohammed in Garland, Texas, in May, urged Muslims to go with “weapons, bombs or with knifes”. Two men answered the call, and were killed by police.

“Australi Witness” praised them as martyrs.

Since July he has fed out a series of bomb threats against various targets, including a synagogue in Melbourne and another in Perth. Most recently, he said he was working with others to direct a “pressure cooker bombing” in the United States.

[snip]

He has masqueraded as a neo-Nazi blogger called “Michael Slay” on the site Daily Stormer, and as a fictional Australian left-wing anti-free speech activist called “Tanya Cohen”. He’s caused significant harm to anti-sexploitation campaigner Caitlin Roper by setting up a fake account in her name and then defaming transsexuals.

According to a prison psychologist who testified at a hearing yesterday, Goldberg suffers from an illness on the schizophrenia spectrum.

After numerous interviews, Dr. Lisa Feldman, a forensic psychologist with the Federal Detention Center in Miami, found Goldberg not mentally sound enough for trial. She said Goldberg suffers from a mental disorder she described as on the “schizophrenia spectrum” and that he could not participate in his own defense.

[snip]

Goldberg exhibited “very paranoid, suspicious ideas and a feeling that other people wanted to harm him,” Feldman testified.

After his transfer to the detention center in Miami, Goldberg stopped bathing himself and was eventually put on suicide watch, Feldman said. She said he insisted constantly that he should be in a hospital, not a prison.

While she could not rule out that Goldman was exaggerating some of his mental health symptoms, Feldman said Goldman’s background materials and behavior at the facility made it clear to her that he was not able to understand his legal predicament.

Neither Kevin Frein, a national security prosecutor for the U.S. Attorney’s Office, nor Goldman’s attorney Paul Shorstein, objected to her findings.

Let me be clear: I don’t doubt that Goldberg is incompetent to stand trial. You’d sort of have to be, to voice support for all these contradictory issues.

That said, I suspect it was a lot easier for the criminal justice system to find him incompetent than it would be to find incompetent the long list of young Muslim men with mental illnesses who get caught in stings.

That’s true, in part, because people are going to believe that bluster from a Jewish guy advocating attacks targeting Jews lacks real intent, whereas bluster from a Muslim harbors intent. It’s all bluster, often spurred by mental illness, but we believe the Muslims meant it.

But also because Goldberg’s claim of credit for the Garland attack might pose really uncomfortable questions for the government, given the conflicting reports on whether they had a warning of the attack (making it likely they were following Goldberg). If ISIS-inspired attacks are, in fact, inspired by Jewish kids living in their parents’ basement just talking shite, then what does that say about the war on terror?

Moreover, what does that say about FBI’s success prosecuting guys for “material support” because they retweet ISIS propaganda? Goldberg was producing ISIS propaganda, but it’s hard to believe he really “meant” it.

A whole lot of online trolling consists of individuals engaging in make-believe to see if they can get a response. But what if it becomes increasingly clear that some of it really is make-believe, even while that make-believe has real consequences?