Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #960 Update on the High Profile Hacks

WFMU-FM is podcasting For The Record.


This broadcast was recorded in one 60-minute segment.

Introduction: As indicated by the title, this broadcast updates the high-profile hacks, at the epicenter of “Russia Gate,” the brutal political fantasy that is at the core of American New Cold War propaganda and that may well lead to World War III.

(Other programs dealing with this subject include: FTR #‘s 917, 923, 924, 940, 943, 958, 959.)

As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significant, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

We then highlight the recent conclusions of the French cyberintelligence chief (Guillaume Poupard) and his warnings about the incredible dangers of cyber-misattribution: the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.

Characteristic of the disingenuous, propagandistic spin of American news media on Putin/Russia/the high-profile hacks is a New York Times article that accuses Putin of laying down a propaganda veil to cover for alleged Russian hacking, omitting his remarks that (correctly) note that contemporary technology easily permits the misattribution of cyber espionage/hacking.

Andrew Auernheimer: Guest at Glenn Greenwald’s party; apparent resident of Ukraine; probable author of the phony documents in the Macron hack

We then review the grotesquely dark comic nature of the Macron hacks (supposedly done by “Russian intelligence”).

Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. That name, “Roshka Georgiy Petrovichan”, is an employee at Evrika, a large IT company that does work for the Russian government, including the FSB (Russian intelligence).

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the “Russian hackers” not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time: their own names.

In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“. . . ‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

The public face and site publisher of The Daily Stormer is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer (the site architect), who apparently resided in Ukraine as of the start of this year.

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents, very possibly a highly skilled neo-Nazi hacker like “the weev”.

Based on analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating “Russian hackers” may have been a bunch of American neo-Nazis. Imagine that.

In FTR #917, we underscored the genesis of the Seth Rich murder conspiracy theory with WikiLeaks and Julian Assange, who was in touch with Roger Stone during the 2016 campaign. (Stone functioned as the unofficial dirty tricks specialist for the Trump campaign, a role he has played, with relish, since Watergate.)

The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.

Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”

Program Highlights Include:

  • The dissemination of the Seth Rich disinformation by Fox News and Rush Limbaugh, generated by WikiLeaks, Roger Stone and Kim Dotcom.
  • Kim Dotcom’s tweeting of an admittedly phony document about the Seth Rich BS.
  • Dotcom’s refusal to retract his tweet of the phony document.
  • Review of the Shadow Brokers non-hack of the NSA.
  • Review of the Shadow Brokers use of white supremacist propaganda.
  • Review of the role of Crowdstrike’s Dimitri Alperovitch in the dissemination of the “Russia did it” propaganda.
  • Review of the role of Ukrainian fascist Alexandra Chalupa in the dissemination of the “Russia did it” propaganda.

1a. As we have noted in many previous broadcasts and posts, cyber attacks are easily disguised. Perpetrating a “cyber false flag” operation is disturbingly easy to do. In a world where the verifiably false and physically impossible “controlled demolition”/Truther nonsense has gained traction, cyber false flag ops are all the more threatening and sinister.

Now, we learn that the CIA’s hacking tools are specifically crafted to mask CIA authorship of the attacks. Most significant, for our purposes, is the fact that the Agency’s hacking tools are engineered in such a way as to permit the authors of the event to represent themselves as Russian.

This is of paramount significance in evaluating the increasingly neo-McCarthyite New Cold War propaganda about “Russian interference” in the U.S. election.

“WikiLeaks Vault 7 Part 3 Reveals CIA Tool Might Mask Hacks as Russian, Chinese, Arabic” by Stephanie Dube Dwilson; Heavy; 4/3/2017.

This morning, WikiLeaks released part 3 of its Vault 7 series, called Marble. Marble reveals CIA source code files along with decoy languages that might disguise viruses, trojans, and hacking attacks. These tools could make it more difficult for anti-virus companies and forensic investigators to attribute hacks to the CIA. Could this call the source of previous hacks into question? It appears that yes, this might be used to disguise the CIA’s own hacks to appear as if they were Russian, Chinese, or from specific other countries. These tools were in use in 2016, WikiLeaks reported.

It’s not known exactly how this Marble tool was actually used. However, according to WikiLeaks, the tool could make it more difficult for investigators and anti-virus companies to attribute viruses and other hacking tools to the CIA. Test examples weren’t just in English, but also Russian, Chinese, Korean, Arabic, and Farsi. This might allow a malware creator to not only look like they were speaking in Russian or Chinese, rather than in English, but to also look like they tried to hide that they were not speaking English, according to WikiLeaks. This might also hide fake error messages or be used for other purposes. . . .

1b. We then review the recent conclusions of the French cyberintelligence chief and his warnings about the incredible dangers of cyber-misattribution: the ease with which any random hacker could carry out a spear-phishing attack, and his bafflement at the NSA’s recent Russian attribution of the spear-phishing French election hacks.

“French Security Chief Warns of Risk for ‘Permanent War’ in Cyberspace”; CBS News; 06/02/2017

Cyberspace faces an approaching risk of “permanent war” between states and criminal or extremist organizations because of increasingly destructive hacking attacks, the head of the French government’s cybersecurity agency warned Thursday.

In a wide-ranging interview in his office with The Associated Press, Guillaume Poupard lamented a lack of commonly agreed rules to govern cyberspace and said: “We must work collectively, not just with two or three Western countries, but on a global scale.”

“With what we see today – attacks that are criminal, from states, often for espionage or fraud but also more and more for sabotage or destruction – we are getting closer, clearly, to a state of war, a state of war that could be more complicated, probably, than those we’ve known until now,” he said.

His comments echoed testimony from the head of the U.S. National Security Agency, Adm. Michael Rogers, to the Senate Armed Services Committee on May 9. Rogers spoke of “cyber effects” being used by states “to maintain the initiative just short of war” and said: “‘Cyber war’ is not some future concept or cinematic spectacle, it is real and here to stay.”

Poupard said “the most nightmare scenario, the point of view that Rogers expressed and which I share” would be “a sort of permanent war — between states, between states and other organizations, which can be criminal and terrorist organizations — where everyone will attack each other, without really knowing who did what. A sort of generalized chaos that could affect all of cyberspace.”

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its agents were immediately called to deal with the aftermath of a hack and massive document leak that hit the election campaign of President Emmanuel Macron just two days before his May 7 victory.

Macron’s political movement said the unidentified hackers accessed staffers’ personal and professional emails and leaked campaign finance material and contracts — as well as fake decoy documents — online.

Contrary to Rogers, who said the U.S. warned France of “Russian activity” before Macron’s win, Poupard didn’t point the finger at Russia. He told the AP that ANSSI’s investigation found no trace behind the Macron hack of the notorious hacking group APT28 — identified by the U.S. government as a Russian intelligence outfit and blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets. The group also is known by other names, including “Fancy Bear.”

Poupard described the Macron campaign hack as “not very technological” and said: “The attack was so generic and simple that it could have been practically anyone.”

Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

“It really could be anyone. It could even be an isolated individual,” he said.

Poupard contrasted the “Macron Leaks” hack with another far more sophisticated attack that took French broadcaster TV5 Monde off the air in 2015. There, “very specific tools were used to destroy the equipment” in the attack that “resembles a lot what we call collectively APT28,” he said.

“To say ‘Macron Leaks’ was APT28, I’m absolutely incapable today of doing that,” he said. “I have absolutely no element to say whether it is true or false.”

Rogers, the NSA director, said in his Senate Armed Services hearing that U.S. authorities gave their French counterparts “a heads-up” before the Macron documents leaked that: “‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen. What can we do to try to assist?’”

Poupard said Rogers’ comments left him perplexed and that the French had long been on alert about potential threats to their presidential election.

“Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either,” he said. “Perhaps he went further than what he really wanted to say.”

Still, Poupard said the attack highlighted the cyber-threat to democratic processes. “Unfortunately, we now know the reality that we are going to live with forever, probably,” he said.

The attack on TV5 was a rare public example. In 2016, others targeted government administrations and big companies quoted on the benchmark French stock market index, the CAC-40, he said.

Pointing fingers at suspected authors is fraught with risk, because sophisticated attackers can mask their activities with false trails, he said.

“We suffered attacks that were attributed to China, that we think came from China. Among them, some came from China. China is big, I don’t know if it was the state, criminals,” he said. “What I am certain of is that among these attacks, some strangely resembled Chinese attacks but in fact didn’t come from China.”

“If you start to accuse one country when in fact it was another country … we’ll get international chaos,” he said. “We’ll get what we all fear, which is to say a sort of permanent conflict where everyone is attacking everyone else.”

1c. Mr. Poupard denied the NSA/U.S. assertion that APT28 aka “Cozy Bear/Fancy Bear/Russia” hacked the French election.

“French Cyber Security Leader: No Trace of Russian Hacking Group in Emmanuel Macron Campaign Leaks”; Associated Press; 06/01/2017

The head of the French government’s cyber security agency, which investigated leaks from President Emmanuel Macron’s election campaign, says they found no trace of a notorious Russian hacking group behind the attack.

In an interview in his office Thursday with The Associated Press, Guillaume Poupard said the Macron campaign hack “was so generic and simple that it could have been practically anyone.”

He said they found no trace that the Russian hacking group known as APT28, blamed for other attacks including on the U.S. presidential campaign, was responsible.

Poupard is director general of the government cyber-defense agency known in France by its acronym, ANSSI. Its experts were immediately dispatched when documents stolen from the Macron campaign leaked online on May 5 in the closing hours of the presidential race.

Poupard says the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”

2. A New York Times article by Andrew Higgins (one of the more flagrantly propagandizing NYT writers vis-à-vis Russia/Ukraine) spins Vladimir Putin’s comments about Russian hacking. The Times portrayed his comments as “giving an out” to the nonsense about Russia hacking U.S. elections. What the Times eclipsed (along with other U.S. media) was the conclusion of Putin’s comments: he noted that hacking is very easily disguised and misrepresented.

“Maybe Private Russian Hackers Meddled in Election, Putin Says” by Andrew Higgins; The New York Times; 06/01/2017

. . . . An expert at muddying the waters and creating confusion, Mr. Putin advanced a number of alternative theories that could help Moscow address any firm evidence that might emerge as a trail leading to Russia.

Stating that modern technology can easily be manipulated to create a false trail, he said, “I can imagine that someone is doing this purposefully — building the chain of attacks so that the territory of the Russian Federation appears to be the source of that attack.” He added, “Modern technologies allow to do that kind of thing; it’s rather easy to do.”

Mr. Putin appeared to be repeating an argument he first made earlier in the week in an interview with the French newspaper Le Figaro.

“I think that he was totally right when he said it could have been someone sitting on their bed or somebody intentionally inserted a flash drive with the name of a Russian national, or something like that,” Mr. Putin told the French newspaper, referring to Mr. Trump. “Anything is possible in this virtual world. Russia never engages in activities of this kind, and we do not need it. It makes no sense for us to do such things. What for?” . . .

3. Those “Russian government hackers” really need an OPSEC refresher course. The hacked documents in the “Macron hack” not only contained Cyrillic text in the metadata, but also contained the name of the last person to modify the documents. And that name, “Roshka Georgiy Petrovichan”, is an employee at Evrika, a large IT company that does work for the Russian government, including the FSB.

Also found in the metadata is the email of the person who uploaded the files to “archive.org”, and that email address, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 phishing attacks against the CDU in Germany that have been attributed to APT28. It would appear that the ‘Russian hackers’ not only left clues suggesting it was Russian hackers behind the hack, but they decided to name names this time: their own names.

Not surprisingly, given the fascist nature of WikiLeaks, they concluded that Russia was behind the hacks. (For more on the fascist nature of WikiLeaks, see FTR #‘s 724, 725, 732, 745, 755, 917.)

“Evidence Suggests Russia Behind Hack of French President-Elect” by Sean Gallagher; Ars Technica; 5/8/2017.

Russian security firms’ metadata found in files, according to WikiLeaks and others.

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization’s Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for “xls_cendric.rar” leak archive pic.twitter.com/jyhlmldlbL — WikiLeaks (@wikileaks) May 6, 2017

Evrika (“Eureka”) ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides “integrated information security systems.” The metadata in some Microsoft Office files shows the last person to have edited the files to be “Roshka Georgiy Petrovich,” a current or former Evrika ZAO employee.

According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as “Fancy Bear” or APT28) in a March 15 “phishing” campaign using the domain onedrive-en-marche.fr. The domain was registered by a “Johny Pinch” using a Mail.com webmail address. The same threat group’s infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.

The metadata attached to the upload of the Macron files also includes some identifying data with an e‑mail address for the person uploading the content to archive.org:

Well this is fun pic.twitter.com/oXsH83snCS — Pwn All The Things (@pwnallthethings) May 6, 2017

The e‑mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel’s political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.

Andrew Auernheimer aka “Weev”: Guest at Glenn Greenwald’s party

4. In related news, a group of cybersecurity researchers studying the Macron hack has concluded that the modified documents were doctored by someone associated with The Daily Stormer neo-Nazi website and Andrew “the weev” Auernheimer.

Auernheimer was a guest at Glenn Greenwald and Laura Poitras’s party celebrating their receipt of the Polk award.

“. . . ‘We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,’ said Tord Lundström, a computer forensics investigator at Virtualroad.org. . . .”

Who is in control of the Daily Stormer? Well, its public face and publisher is Andrew Anglin. But look who the site is registered to: Andrew Auernheimer, who apparently resided in Ukraine as of the start of this year.

The analysis from the web-security firm Virtualroad.org indicates that someone associated with the Daily Stormer modified those faked documents. Like, perhaps, a highly skilled neo-Nazi hacker like “the weev”.

Based on an analysis of how the document dump unfolded, it’s looking like the inexplicably self-incriminating ‘Russian hackers’ may have been a bunch of American neo-Nazis. Imagine that.

“U.S. Hacker Linked to Fake Macron Documents, Says Cybersecurity Firm” by David Gauthier-Villars; The Wall Street Journal; 5/16/2017.

Ties between an American’s neo-Nazi website and an internet campaign to smear Macron before French election are found

A group of cybersecurity experts has unearthed ties between an American hacker who maintains a neo-Nazi website and an internet campaign to smear Emmanuel Macron days before he was elected president of France.

Shortly after an anonymous user of the 4chan.org discussion forum posted fake documents purporting to show Mr. Macron had set up an undisclosed shell company in the Caribbean, the user directed people to visit nouveaumartel.com for updates on the French election.

That website, according to research by web-security provider Virtualroad.org, is registered by “Weevlos,” a known online alias of Andrew Auernheimer, an American hacker who gained notoriety three years ago when a U.S. appeals court vacated his conviction for computer fraud. The site also is hosted by a server in Latvia that hosts the Daily Stormer, a neo-Nazi news site that identifies its administrator as “Weev,” another online alias of Mr. Auernheimer, Virtualroad.org says.

“We strongly believe that the fake offshore documents were created by someone with control of the Daily Stormer server,” said Tord Lundström, a computer forensics investigator at Virtualroad.org.

Through Tor Ekeland, the lawyer who represented him in the computer-fraud case in the U.S., Mr. Auernheimer said he “doesn’t have anything to say.”

A French security official said a probe into the fake documents was looking into the role of far-right and neo-Nazi groups but declined to comment on the alleged role of Mr. Auernheimer.

In the run-up to the French election, cybersecurity agencies warned Mr. Macron’s aides that Russian hackers were targeting his presidential campaign, according to people familiar with the matter. On May 5, nine gigabytes of campaign documents and emails were dumped on the internet. The Macron campaign and French authorities have stopped short of pinning blame for the hack on the Kremlin.

Intelligence and cybersecurity investigators examining the flurry of social-media activity leading up to the hack followed a trail of computer code they say leads back to the American far-right.

Contacted by email over the weekend, the publisher of the Daily Stormer, Andrew Anglin, said he and Mr. Auernheimer had used their news site to write about the fake documents because “We follow 4chan closely and have a more modern editorial process than most sites.”

When asked if he or Mr. Auernheimer were behind the fake documents, Mr. Anglin stopped replying.

Mr. Auernheimer was sentenced to 41 months in prison by a U.S. court in late 2012 for obtaining the personal data of thousands of iPad users through an AT&T website. In April 2014, an appeals court vacated his conviction on the grounds that the venue of the trial, in New Jersey, was improper.

Asked if Mr. Auernheimer resided in Ukraine, as a January post on a personal blog indicates, his lawyer said: “I think this is about right.”

The day after the data dump, French security officials summoned their U.S. counterparts stationed in Paris to formally request a probe of the role American far-right websites might have played in disseminating the stolen data, according to a Western security official. A U.S. security official had no comment.

Mounir Mahjoubi, who was in charge of computer security for Mr. Macron’s campaign, said far-right groups, or “an international collective of conservatives,” may have coordinated to disrupt the French election.

“We will take time to do analysis, to deconstruct who really runs these groups,” Mr. Mahjoubi told French radio last week. He couldn’t be reached for comment.

French prosecutors have launched formal probes into both the fake documents and the data dump.

The phony documents intended to smear Mr. Macron were posted to 4chan.org twice by an anonymous user, first on May 3 and again on May 5 using higher-resolution files.

Soon after the second post, several 4chan.org users in the same online conversation below the post appeared to congratulate Mr. Auernheimer.

“Weev… you’re doing the lord’s work,” wrote one of the anonymous users.



5. The far-right Seth Rich murder conspiracy theory acquired new gravitas, thanks in part to Kim Schmitz, aka “Kim Dotcom.” We examined Schmitz at length in FTR #812. A synoptic overview of the political and professional orientation of Kim Dotcom is excerpted from that broadcast’s description: “A colleague of Eddie the Friendly Spook [Snowden], Julian Assange and Glenn Greenwald, Kim Schmitz [aka “Kim Dotcom”] espouses the same libertarian/free market ideology underlying the “corporatism” of Benito Mussolini. With an extensive criminal record in Germany and elsewhere, “Der Dotcommandant” has eluded serious punishment for his offenses, including executing the largest insider trading scheme in German history.

Embraced by the file-sharing community and elements of the so-called progressive sector, Dotcom actually allied himself with John Banks and his far-right ACT Party in New Zealand. His embrace of the so-called progressive sector came later and is viewed as having damaged left-leaning parties at the polls. Dotcom is enamored of Nazi memorabilia and owns a rare, author-autographed copy of ‘Mein Kampf.’ . . .”

6. Right-wing media is going to keep biting on Dotcom’s nuggets of ‘testimony’, given its seemingly insatiable appetite for this storyline already and its long-held appetite for seemingly any storyline that promotes the ‘Clinton Body Count’ narrative and portrays Hillary as ‘Killary’.

“The Bonkers Seth Rich Conspiracy Theory, Explained” by Jeff Guo; Vox; 05/24/2017

The life of Seth Rich, a 27-year-old Democratic National Committee staffer, ended nearly a year ago when he was shot to death near his house in Washington, DC. Then came the tragic and bizarre afterlife: Since July, Rich has been the focus of intense right-wing conspiracy theories that have only escalated as the Trump administration’s scandals have deepened.

As the police have repeatedly stated, there is no evidence that Rich’s death was anything other than the consequence of a botched robbery. But some people, especially on the right, believe Rich was murdered by the Clintons for knowing too much about something. The most recent theories claim that Rich, not the Russians, was responsible for leaking the emails, published in WikiLeaks, that revealed Democratic party leaders had talked disparagingly about Bernie Sanders.

Thanks to an erroneous Fox News story last week, which was finally retracted on Tuesday, Rich recently became the focus of an intense media blitz from conservative outlets — many of which were eager for something to talk about besides the scandals swirling around Donald Trump.

Fox News’s Sean Hannity was one of the most enthusiastic rumormongers, devoting segments on three separate occasions last week to Rich. Even after Fox News retracted its story, Hannity promised he would continue to investigate. “I retracted nothing,” he said defiantly on his radio show Tuesday.

Rich’s family has been begging right-wing news outlets to stop spreading unfounded rumors about him, but by now the situation seems to have gotten out of control.

In death, Rich has become a martyr to the right, buoyed by a host of characters each with their own ulterior motives: There is WikiLeaks founder Julian Assange, who wants to downplay the connections between WikiLeaks and the Russians; there are the Clinton haters, who want to spread the idea that the Clintons are murderers; there are the Trump supporters, who want to minimize the idea that Russian hackers helped deliver the election to their candidate; and there are the talking heads on Fox News, who last week needed something other than negative Trump stories to make conversation about.

We might not know who killed Seth Rich, but we do know who turned his legacy into a textbook study of where fake news comes from, how it spreads, and the victims it creates.

Seth Rich was murdered in a senseless act of violence

Seth Rich worked in Democratic politics for most of his career. He grew up and went to college in Omaha, Nebraska, where as a student he volunteered on two Democratic Senate campaigns. After graduating, he moved to Washington, DC, for a job at Greenberg Quinlan Rosner, a progressive opinion research and consulting firm. He was later hired by the Democratic National Committee, where he worked on a project to help people find where to vote.

On Sunday, July 10, Rich was shot to death about a block from where he lived in the Bloomingdale neighborhood of DC. Gunshot detection microphones place the time of the shooting at around 4:20 am. Rich had last been seen at around 1:30 am leaving Lou’s City Bar in Columbia Heights, about a 40-minute walk from where he lived.

It is unclear exactly what happened during those three intervening hours. The Washington Post reported that, according to his parents, cellphone records show that Rich called his girlfriend at 2:05 am and talked to her for more than two hours. He hung up just minutes before he was shot.

The police found Rich on the sidewalk with multiple gunshot wounds, at least two in the back. He still had his watch, his cellphone, and his wallet. There were signs of a struggle: bruises on his hands, knees, and face, and a torn wristwatch strap. According to the police report, he was still “conscious and breathing.” Family members say they were told that Rich was “very talkative,” though it is not publicly known if he was able to describe his assailant or assailants. Rich died a few hours later in the hospital.

The police suspected Rich had been the victim of an attempted robbery. Bloomingdale is a gentrifying part of Washington that still suffers from violent crime. In 2016, there were 24 reported robberies with a gun that occurred within a quarter-mile of the street corner where Rich was shot.

The first conspiracy theories grew out of the “Clinton body count” rumor

Almost immediately after news of Rich’s death, conspiracy theories began circulating on social media. A few factors helped make Rich a target of speculation:

* The murderers left behind Rich’s valuables. (Though, by that same paranoid logic, wouldn’t a professional hitman have taken Rich’s wallet and phone in order to make it look like a regular mugging?)
* Rich worked at the DNC, where in December there had been a minor scandal involving a software glitch that allowed the Bernie Sanders campaign to access private voter data collected by the Clinton campaign.
* Hillary Clinton had just clinched the nomination after a surprisingly bruising primary, and there were still sore feelings in the air.
* There’s a long-running conspiracy theory that the Clintons have assassinated dozens of their political enemies.

If those facts don’t seem to add up to a coherent story, well, you’re thinking too hard. Conspiracy theories don’t operate logically. They start from an assumption — for instance, “the Clintons are shady” — and spiral outward in search of corroboration.

On Reddit, for instance, one user wrote a 1,400-word post listing things that he found “suspicious.” Here were some of the stray facts the redditor claimed were evidence of a hit job by the DNC or the Clintons:

* Rich’s former employer, Greenberg Quinlan Rosner, once did some consulting work for British Petroleum. (“Is it possible that Mr. Rich was aware of the public’s disdain for oil industry/fracking?”)
* Rich once worked on Ben Nelson’s campaign for senator. (“[Nelson] contributed a crucial vote to help pass Obamacare back in 2009.”)
* The political conventions were coming up. (“The TIMING of this tragedy seems too ‘coincidental’”)

It’s unclear what any of these facts have to do with the Clintons, but somehow the Reddit user concluded: “given his position & timing in politics, I believe Seth Rich was murdered by corrupt politicians for knowing too much information on election fraud.”

Others on Twitter and the trolling website 4chan also speculated that Rich might have crossed the Clintons in some way. Rich’s death seemed to fit in with the “Clinton body count” theory, which dates to the 1990s and claims that the Clintons are so vindictive that they hire hitmen to murder people they don’t like.

People who believe the Clintons are murderers often point to deputy White House counsel Vince Foster, who suffered from clinical depression and died of a gunshot wound to the mouth in 1993. Several investigations all ruled Foster’s death a suicide, but some conservatives insisted there must have been foul play. They claimed that Foster, who was looking into the Clintons’ taxes, may have uncovered evidence of corruption in connection to the Whitewater controversy, a guilt-by-association scandal involving friends of the Clintons’.

The “Clinton body count” theory has endured over the years simply because people don’t live forever. Any time someone dies who was connected to the Clintons — and since Bill Clinton was the president of the United States, literally thousands of people were in his orbit — this theory is dredged up again by the tinfoil hat crowd. And then it slowly fades.

At first it seemed the speculation about Seth Rich would die down quickly as well. But then 12 days later, on July 22, WikiLeaks published thousands of private emails from the DNC, and Rich became a politically useful distraction.

Julian Assange and WikiLeaks supercharged the Seth Rich rumors

A month before Rich was murdered, the DNC admitted that Russian hackers had broken into its computer network, gaining access to all of the DNC’s emails. The thought of Russian interference in American politics was infuriating to Rich, according to one person “who was very close” to him, the Washington Post reported: “It was crazy. Especially for Seth. He said, ‘Oh, my God. We have a foreign entity trying to get involved in our elections?’ That made him so angry.”

When WikiLeaks released its dump of DNC emails on July 22, the obvious explanation was that it had obtained those emails from the Russian hackers. This connection was later confirmed by top US intelligence agencies, who concluded “with high confidence” that DNC servers were hacked by top Russian government hackers, who had then given the emails to WikiLeaks. “Moscow most likely chose WikiLeaks because of its self-proclaimed reputation for authenticity,” the US intelligence report explained, as well as for its connection to the Russian propaganda outlet Russia Today.

But WikiLeaks has repeatedly denied its ties to Russia, and ever since last summer it has used Seth Rich as a way to distract from claims that it abetted Russian interference in the US election. WikiLeaks founder Julian Assange had his own reasons to fear a Clinton presidency — as secretary of state, Clinton wanted to indict Assange for his involvement in releasing the millions of US diplomatic cables leaked by Chelsea Manning.

On Dutch television in August 2016, Assange hinted that Rich, not Russia, may have been the source for the WikiLeaks emails. “Whistleblowers go to significant efforts to get us material, and often very significant risks,” he said. “As a 27-year-old, works for the DNC, was shot in the back, murdered just a few weeks ago for unknown reasons as he was walking down the street in Washington.”

“Was he one of your sources then?” the anchor asked.

“We don’t comment on who our sources are,” Assange replied.

“Then why make the suggestion about a young guy being shot in the streets of Washington?” the anchor replied.

Pressed repeatedly for clarification, Assange concluded that “others, others have suggested that. We’re investigating to understand what happened in that situation with Seth Rich. I think it’s a concerning situation; there’s not a conclusion yet.”

As part of its “investigation,” WikiLeaks offered a $20,000 prize in August for information about Rich’s murder.

This is the point where Seth Rich became a prop in a game of international espionage.

Trump supporters and the alt-right amplified the theory that Rich was some kind of Democratic whistleblower or leaker, even though the facts didn’t really fit this pattern. He didn’t have access to the DNC emails, and he had never shown any prowess at hacking — being a data analyst involves a very different set of skills. Besides, the DNC wasn’t the only organization that was hacked: Clinton campaign chair John Podesta’s personal emails, for instance, were stolen separately, as were the emails at the Democratic Congressional Campaign Committee.

Nevertheless, many on the right were inspired by the WikiLeaks insinuations and started to concoct their own conspiracy theories about Rich’s murder. In August, former House speaker and presidential candidate Newt Gingrich told a conservative talk show host that Rich’s death was suspicious. “First of all, of course it’s worth talking about,” he said. “And if Assange says he is the source, Assange may know. That’s not complicated.”

That same month, Trump adviser Roger Stone claimed, without evidence, that Rich was murdered “on his way to meet with the FBI to discuss election fraud.”

To Trump supporters, the claim that Rich had been murdered by the Clintons had twofold appeal: It reinforced the rumor that the Clintons were shady operatives, and it distracted from the mounting evidence that Russia had interfered with the US election — possibly in collusion with the Trump campaign.

In the presidential debate on September 26, Trump famously suggested that it could have been a lone hacker who was responsible for the stolen DNC emails. “It could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds,” he said.

Thanks to a weird miscommunication, the conspiracy theory comes back in May

After the election, the conspiracy theories about Seth Rich faded from public consciousness, as the focus turned instead to the FBI’s investigation of connections between Trump staffers and Russian agents. Suspicions still bubbled in right-wing corners of Reddit and on alt-right websites like Gateway Pundit, and Assange continued to claim that it wasn’t the Russians who provided the hacked emails — but most of America had moved on.

But Rich returned to the news last week, when the local TV station FOX 5 DC aired an interview with private investigator Rod Wheeler, who claimed that sources in the FBI told him there was evidence of a connection between Rich and WikiLeaks:

FOX 5 DC: You have sources at the FBI saying that there is information…

WHEELER: For sure…

FOX 5 DC: …that could link Seth Rich to WikiLeaks?

WHEELER: Absolutely. Yeah. That’s confirmed.

Conservative media outlets jumped on the story, which aired the night of Monday, May 15. By Tuesday morning, conservative outlets like Breitbart, the Blaze, and the Daily Caller all had their own pieces relaying Wheeler’s claims.

On Tuesday, Fox News added its own revelation: It claimed that an unnamed “federal investigator” had confirmed that Rich had been in contact with WikiLeaks. “I have seen and read the emails between Seth Rich and Wikileaks,” the source said, according to Fox News. Fox News additionally claimed this source had evidence that Rich had given thousands of DNC emails to WikiLeaks.

This was a two-source story: The report also said that Wheeler had independently corroborated what the anonymous “federal investigator” had told Fox News.

But here’s where it gets confusing. By Tuesday afternoon, Wheeler told CNN that he had misspoken. It turns out he didn’t have any evidence of his own.

What had happened, apparently, was that earlier in the week, Fox News had contacted Wheeler for its own story on Rich. That was when Wheeler learned that Fox News had a source alleging there was contact between Rich and WikiLeaks. When Wheeler went on local TV on Monday night to talk about Rich, he believed he was giving viewers a “preview” of the Fox News story set to run on Tuesday.

That, at least, is how Wheeler explained the situation to CNN last Tuesday. Somehow, through miscommunication or sloppy reporting, the Fox News report used Wheeler to back up its claims about the Rich-WikiLeaks connection. This was incorrect, Wheeler said. He had no independent knowledge.

“I only got that [information] from the reporter at Fox News,” he told CNN.

Yesterday, after leaving it up for a week, Fox News finally retracted its Seth Rich story, which was down to one anonymous source. “The article was not initially subjected to the high degree of editorial scrutiny we require for all our reporting,” an editor’s note explained. “Upon appropriate review, the article was found not to meet those standards and has since been removed.”

Conservative media has a field day

It’s unlikely that any of this would have been a big deal had there not been a stunning series of damaging reports about Donald Trump last week.

Among other things, it was revealed that Trump had shared state secrets with the Russians, that he had pressured FBI Director James Comey to drop his investigation into ties between Trump affiliates and Russia, and that the Russia probe had reached a current high-level White House official, who many suspect is Trump’s son-in-law, Jared Kushner.

One way the conservative media minimized all the bad news was to focus on other stories. The latest Seth Rich allegations became a welcome distraction from the constant revelations coming out of the Washington Post and the New York Times.

For instance, while most outlets were covering the revelation that Trump had volunteered classified information to Russians, the alt-right website Breitbart devoted its front page to the Seth Rich conspiracy. Breitbart even slammed the mainstream media for ignoring the rumors about Rich: “Silence from Establishment Media over Seth Rich WikiLeaks Report” was the title of one story.

Fox News in particular devoted outsize attention to the Rich story, repeatedly rehashing the conspiracy theory. On his 10 pm show, Fox pundit Sean Hannity devoted segments to Rich on Tuesday, Thursday, and Friday last week. “I’m not backing off asking questions even though there is an effort that nobody talk about Seth Rich,” he said on Friday night.

On Tuesday, even after Fox News retracted the story that ignited the latest round of speculation, Hannity remained convinced that the Seth Rich conspiracy theory had legs. “I am not Fox.com or FoxNews.com,” he said on his radio show. “I retracted nothing.”

Later that evening, on his television show, Hannity said that for now, he would stop talking about Rich “out of respect for the family’s wishes.” On Twitter, though, he was defiant, claiming that “liberal fascism” was trying to silence his voice.

“Ok TO BE CLEAR, I am closer to the TRUTH than ever,” he tweeted. “Not only am I not stopping, I am working harder.”

“Please retweet,” he added.

Rich was an unlucky victim of the conservative media

The recent attention has reignited the old Seth Rich conspiracy theories, bringing forth even more unsubstantiated claims.

On Fox News’s Sunday morning talk show, Newt Gingrich repeated his belief that Rich, not Russia, was responsible for the DNC hack. “It turns out, it wasn’t the Russians,” he said. “It was this young guy who, I suspect, was disgusted by the corruption of the Democratic National Committee.”

On Monday, Assange issued a cryptic tweet using the hashtag “#SethRich” which fanned the flames even further: “WikiLeaks has never disclosed a source. Sources sometimes talk to other parties but identities never emerge from WikiLeaks. #SethRich.”

And on Tuesday, New Zealand file-sharing entrepreneur Kim Dotcom, who is wanted by the US government for copyright infringement and racketeering, claimed that Rich had personally contacted him in 2014, and that the two had talked about “a number of topics including corruption and the influence of corporate money in politics.”

“I know that Seth Rich was involved in the DNC leak,” Dotcom wrote in a statement. . . .

Kim Dotcom manifesting the lifestyle of the politically and economically oppressed.

7. Kim Dotcom just tweeted out a document that’s allegedly from the FBI demonstrating that Seth Rich was indeed the source of the hacked DNC emails. The twist is that the document is a blatant fraud and Kim Dotcom acknowledges as much. Ol’ Kim decided to tweet it out anyway, asserting that there’s no need to delete the tweet promoting the fake document because, hey, he put up some subsequent tweets questioning its authenticity. Twist & spin.

However, there was another rather intriguing admission by Dotcom in the following interview, which asked him why he tweeted out documents he knew were fake: Dotcom continues to assert that he has evidence Rich was the source of the DNC hacks.

He’s just not ready to reveal it yet, but he strongly hints that the evidence has to do with his close ties to Wikileaks. He then refers back to a Bloomberg TV interview he did on May 13th, 2015, in which Dotcom predicts that Julian Assange is going to be Hillary Clinton’s “worst nightmare” in the upcoming election. How so? Because, says Dotcom, Assange “has access to information,” without going into specifics.

Of fundamental importance to our understanding is the assertion by Craig Murray, former UK ambassador to Uzbekistan, that the information given to WikiLeaks wasn’t a hack at all, but information from a flash drive given to him by a DNC insider.

There may well have been hacks into the DNC and e‑mail of John D. Podesta, but they were NOT Russian.

Dotcom refers to a May 2015 interview – long before Seth Rich would have been in a position to pass along emails, before Rich would have had a motive if he really was a disillusioned Bernie-crat, but shortly before CrowdStrike “concluded” the DNC was initially hacked – in which Dotcom confidently asserts that Julian Assange already had a bunch of dirt on Hillary and was going to be her worst nightmare. And yet we didn’t really see any old embarrassing emails emerge from Wikileaks during the campaign. Along with being incredibly sleazy, it’s all rather curious:

“Kim Dotcom Says FBI File About Seth Rich Is Fake, But He Won’t Delete It From Twitter” by Matt Novak; Gizmodo; 5/20/2017

Have you seen that FBI file, purporting to be about the death of DNC staffer Seth Rich? Kim Dotcom, who thrust himself into the story recently by telling Sean Hannity that he had evidence Rich had sent documents to Wikileaks, published the document on Twitter, helping to spread it online. Dotcom now acknowledges that the document is fake. But he told Gizmodo that he’s not going to delete it.

The fake FBI document was first published on a website called Borderland Alternative Media and it wasn’t long before it started to spread on social media, including by Kim Dotcom. Alex Jones’ Prison Planet picked it up, but has since deleted its own version of the story.

The internet’s interest in the July 2016 murder of Seth Rich revolves around claims that he leaked Democratic Party documents to Wikileaks, an idea that Julian Assange has hinted at repeatedly. The police say that Seth Rich’s murder was a robbery gone bad. But internet conspiracy theorists believe that Rich was killed as retribution for leaking emails about the DNC. Whatever the case, the FBI file is complete bullshit.

“I was skeptical. I tweeted that the document could be a fake and that the FBI has to weigh in about it,” Dotcom told me over direct message on Twitter.

The document is obviously fake to anyone who’s looked at real FBI files. For one thing, the FBI doesn’t use black to redact information, it uses white boxes. And much more damningly, the redactions include partial words and partial dates, as well as the partial redaction of its classification stamp, things that would never be done.

[see pics of hoax FBI documents]

You can see the comparison between the fake FBI file on Seth Rich (above left) with a recently obtained FBI file on military historian Robert Dorr (above right). It’s a sloppy fake.

“After doing some forensic analysis of the document I came to believe it is not authentic. And I have retweeted Wikileaks which came to the same conclusion,” Dotcom told me.

But as any Twitter user knows, tweets with incorrect information spread much faster than corrections. So I asked Dotcom why he didn’t delete the tweets with the fake FBI file.

“There is no need to delete those tweets because I have been very cautious and warned within an hour of the release of that document that it could be a fake,” Dotcom told me.

That all seemed reasonable, if misguided, to me. But then I asked Dotcom for evidence of his claims that he knows Rich was involved in the DNC leak. During our back and forth on Twitter DM, Dotcom sent me a message saying that he knew I wasn’t going to write a balanced piece, and insinuated that he simply knows because of his close ties to Wikileaks.

I just had a look at your twitter feed and it looks like you are very much anti-Trump. And that’s ok. I already know that your story won’t be balanced. But this is not a Trump issue. Seth was a Sanders supporter. The progressives should ask what really happened to Seth. He’s one of yours. And they should be interested that the matters I have raised are properly investigated.

Please have a look at my Bloomberg interview in which I announced long before the election that Julian is going to be a problem for Clinton. My relations to Wikileaks are well known. I have said many times in the past that I have been a major donor and Julian has been a guest at my Moment of Truth event.

How do you think I knew?

The Bloomberg interview Dotcom is referring to is from May 13, 2015, wherein he said that Assange would be “Clinton’s worst nightmare.” At this point, Clinton had just announced her candidacy a month earlier and Donald Trump hadn’t even entered the race yet.

Interviewer: You’re saying Julian Assange is going to be Hillary’s worst nightmare?

Dotcom: I think so, yeah.

Interviewer: How so?

Dotcom: Well, he has access to information.

Interviewer: What information?

Dotcom: I don’t know the specifics.

Interviewer: Why Hillary in particular?

Dotcom: Hillary hates Julian. She’s just an adversary, I think, of internet freedom.

Interviewer: And she signed your extradition request.

Dotcom: Yeah.

Interviewer: So, you have a bone to pick with her.

Dotcom: You know what the craziest thing is? I actually like Hillary. I like Obama. So it’s so crazy that all of this happened.

During the course of our conversation over Twitter DM, Dotcom pointed me to numerous links online, but none of them answered my basic question: How do you know that Seth Rich was involved in the DNC leak?

One of the links Dotcom sent me contained his open letter to the family of Seth Rich, who have asked Dotcom to stop spreading conspiracy theories about the murder of their son.

In that letter, Dotcom says “I simply wish to make sure that the investigators have the benefit of my evidence.” Again, I asked Dotcom for that evidence and he said that he would only show such things to the Rich family, at the advice of his lawyers and “out of respect for the Rich family.”

But Dotcom’s most recent public comment on the matter, a letter posted today directed to the FBI Special Counsel who are investigating the Trump regime’s ties to Russia, makes it look like Dotcom’s interest in the Seth Rich case may not be altogether altruistic.

Dotcom is originally from Germany but moved to New Zealand from Hong Kong in 2009, and is currently wanted in the United States for running the file hosting and sharing site Megaupload, which was accused of systematically violating copyright. His extradition to the US has been blocked repeatedly and he’s been in a state of legal limbo for years.

But Dotcom’s new letter to the FBI Special Counsel says that he’d be willing to share his evidence that Seth Rich was involved in leaking information to Wikileaks provided he’s given safe passage to the US:

Mr Dotcom is also committed to achieving an outcome where his evidence can be properly received and reviewed by you as part of the Investigation. You will, however, appreciate that, given his current status, he is not in a position to voluntarily leave New Zealand’s jurisdiction. Further, he is concerned that, should he travel to the United States voluntarily, he would be arrested and detained in custody on the current counts on which he has been indicted.

The letter goes on to say that after “special arrangements” have been made, he’ll be glad to travel to the US to give his evidence. One imagines that those special arrangements would involve dropping the case against him.

Accordingly, for Mr Dotcom to attend in person in the United States to make a statement, and/or give oral evidence at any subsequent hearing, special arrangements would need to be discussed and agreed between all relevant parties. Such arrangements would need to include arrangements for his safe passage from New Zealand and return. This is because Mr Dotcom is determined to clear his name in New Zealand.

So make of that what you will. Kim Dotcom clearly has reason to be angry at the US Justice Department, but if he really had evidence proving that a man was murdered for political reasons, it seems a bit shady to use it as a bargaining chip for your own freedom. It seems unlikely that the FBI would grant Dotcom’s request, so if he really does have any information on the Seth Rich case, we may never get to see it.

But given the fact that there’s virtually no evidence outside of the wildest conspiracy theory boards that Seth Rich was killed by anyone connected to the Clinton campaign, I wouldn’t hold my breath anyway.

8. The Shadow Brokers released some more NSA hacking tools, along with a list of IP addresses the NSA was targeting. All of this was apparently in response to a sense of betrayal. Betrayal by Donald Trump. Yes, when Donald Trump launched a cruise missile attack against Syria, this so upset The Shadow Brokers that they wrote another long broken-English rant (with a white nationalist theme) about Trump living up to his promises and then released some more hacking tools.

We analyzed the Shadow Brokers in FTR #923.

Suffice it to say that this group is, in all probability, not Russian at all.

“Mysterious Group Posts More Alleged NSA Hacking Tools; Russia Link Suspected” by Tim Johnson; McClatchy DC; 4/10/2017.

In the latest in a drumbeat of intelligence leaks, a hacking group known as the Shadow Brokers has released another set of tools it said were designed by the top-secret National Security Agency to penetrate computer systems worldwide.

In a rant-filled statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.

One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The dump included details of how the NSA purportedly had gained access to Pakistan’s main mobile network.

The release marked the most recent in a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets. WikiLeaks has dubbed those leaks Vault7.

Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global foes crucial information about American hacking abilities and plans.

In its statement, Shadow Brokers said the latest leak, following one eight months ago, “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The screed included profanity, some white supremacist commentary and a password to the cache of tools. . . .

9. CrowdStrike, at the epicenter of the supposed Russian hacking controversy, is noteworthy. Its co-founder and chief technology officer, Dmitry Alperovitch, is a senior fellow at the Atlantic Council, which is financed by elements that are at the foundation of fanning the flames of the New Cold War.

“Is Skepticism Treason?” by James Carden; The Nation; 1/3/2017.

. . . In this respect, it is worth noting that one of the commercial cybersecurity companies the government has relied on is Crowdstrike, which was one of the companies initially brought in by the DNC to investigate the alleged hacks. . . . Dmitri Alperovitch is also a senior fellow at the Atlantic Council. . . . The connection between [Crowdstrike co-founder and chief technology officer Dmitri] Alperovitch and the Atlantic Council has gone largely unremarked upon, but it is relevant given that the Atlantic Council—which is funded in part by the US State Department, NATO, the governments of Latvia and Lithuania, the Ukrainian World Congress, and the Ukrainian oligarch Victor Pinchuk—has been among the loudest voices calling for a new Cold War with Russia. As I pointed out in the pages of The Nation in November, the Atlantic Council has spent the past several years producing some of the most virulent specimens of the new Cold War propaganda. . . .

10. Next, the program highlights a topic that was initially broached in the last program. The OUN/B milieu in the U.S. has apparently been instrumental in generating the “Russia did it” disinformation about the high-profile hacks. A Ukrainian activist named Alexandra Chalupa has been instrumental in distributing this disinformation to Hillary Clinton and influencing the progress of the disinformation in the media.

“The Anonymous Blacklist Quoted by the Washington Post Has Apparent Ties to Ukrainian Fascism and CIA Spying” by Mark Ames; Alternet.org; 12/7/2016.

. . . . One of the key media sources [46] who blamed the DNC hacks on Russia, ramping up fears of crypto-Putinist infiltration, is a Ukrainian-American lobbyist working for the DNC. She is Alexandra Chalupa—described as the head of the Democratic National Committee’s opposition research on Russia and on Trump, and founder and president of the Ukrainian lobby group ‘US United With Ukraine Coalition’ [47], which lobbied hard to pass a 2014 bill increasing loans and military aid to Ukraine, imposing sanctions on Russians, and tightly aligning US and Ukraine geostrategic interests. . . . In one leaked DNC email [50] earlier this year, Chalupa boasts to DNC Communications Director Luis Miranda that she brought Isikoff to a US-government sponsored Washington event featuring 68 Ukrainian journalists, where Chalupa was invited ‘to speak specifically about Paul Manafort.’ In turn, Isikoff named her as the key inside source [46] ‘proving’ that the Russians were behind the hacks, and that Trump’s campaign was under the spell of Kremlin spies and sorcerers. . . .

Discussion

13 comments for “FTR #960 Update on the High Profile Hacks”

  1. Now that Donald Trump appears to be intent on living up to the phrase “it’s not the crime, it’s the coverup” regarding the investigation into possible Russian collusion, hopefully one of the outcomes of the shift of Trump’s culpability from “did he collude with the Russians?” to “did he obstruct justice in the investigation into his collusion with the Russians?” will be a willingness to ask the other obvious question, “did the Trump campaign carry out the hack attacks and make it look like the Russians, regardless of whether or not there was any other collusion?” Because, you know, it seems like pulling off such a stunt and propelling US/Russian relations to a new low and threatening to spark future conflicts in order to cover up a campaign crime would be an incredibly big deal. As big a deal, if not bigger, than outright collusion given the destructive capability of a Russian conflict and the obvious potential for such disastrous results that could result from such an operation. Wouldn’t that be treason too?

    So, in the spirit of hoping the latter question gets asked, here’s the latest reminder that cyber-attribution is far more nebulous than most US coverage of this issue would like to admit: you know the now-infamous Qatari news article that trashed Trump, praised Iran, and ended up triggering a severing of relations with Qatar’s Sunni neighbors? And you know how the FBI has already said that Russian hackers did it? Well, there was a second big hack that rattled Middle East governments just a few days later. A hack of the emails of the UAE’s influential ambassador to the US, Yousef Al Otaiba. A hack that appears to be a kind of counter-point to the Qatari hack and intended to create difficulties between the US and UAE and reveal an ongoing UAE campaign to encourage the US to move its massive airbase out of Qatar (presumably to a nearby place like the UAE). And as the attribution to that hack unfolds, it’s looking like a now-familiar story: Russian hackers did it hackers that could have been anyone did it...hackers who decided to use a “.ru” email address to disseminate their hacked material.

    First, here’s an overview of the al Otaiba hack which is mostly a peek behind the US/UAE diplomatic curtain:

    The Huffington Post

    Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador
    HuffPost confirmed eight inflammatory D.C. insider email exchanges, including between Yousef Al Otaiba and former Defense Secretary Robert Gates.

    By Akbar Shahid Ahmed
    06/03/2017 10:01 am ET | Updated

    WASHINGTON — A mysterious source contacted multiple news outlets this week to share emails between the influential ambassador of the United Arab Emirates, Yousef Al Otaiba, and top figures in the American foreign policy community, including former Defense Secretary Robert Gates.

    In private correspondence, Otaiba — an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law — is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.

    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.

    Regardless of the leakers’ intent, the revelations promise to heighten tensions between the two U.S. partners. If the UAE succeeds in damaging America’s decades-old relationship with Qatar, the result could dramatically undermine U.S. goals in the Middle East. The two American partners’ escalating rivalry could worsen conflict in war zones where they support different proxy forces — notably in Libya, which has become a haven for smugglers, warlords, and terrorists — while distracting attention from bigger international priorities, like restoring stability in Syria and Iraq after the expected battlefield defeat of the Islamic State. And the UAE strategy could leave the U.S. more wedded to that government’s whims, including its policy of maintaining brittle autocratic rule across the region instead of trying to secure long-term stability by having some level of popular participation.

    The UAE and Qatar have taken their rivalry public in recent days following a controversial report in Qatari media. Qatari authorities soon claimed that the May 23 story — which suggested that the country’s ruler, Sheikh Tamim bin Hamad Al Thani, gave a speech describing his respect for Iran, his support for the Palestinian militant group Hamas and his ties with Israel — was a fake product of a hack. But news sources based in the UAE and Saudi Arabia still suggest that it exposed his true feelings.

    Though Qatar and the Emirates are putative allies, they have drifted apart since 2011 because of their differing reactions to the Arab Spring protests that year. As the largely non-violent Muslim Brotherhood movement gained power across the region, Qatar supported it, seeing it as a vehicle for the Middle East’s democratic aspirations. The UAE calls the group a terror front. With a new U.S. administration in power, the time is ripe for one or the other to push for American action in its own interests.

    Otaiba, who has been the UAE’s ambassador to the United States since 2008, is known as one of the best-connected diplomats in Washington, D.C. He makes frequent high-profile appearances around the city and the U.S. speaking circuit, and he’s ensured that the Trump administration has already cozied up to the Emirates, which hosts a recently opened Trump golf course.

    The leakers provided HuffPost with three batches of emails from Otaiba, some as recent as May and others from as far back as 2014, the last time the UAE supported a major effort to spread skepticism about Qatar in the United States. HuffPost contacted eight of the individuals who’d exchanged messages with the ambassador and shared the contents of those emails; none denied that the exchanges took place. Though Otaiba did not respond to repeated HuffPost requests for comment, a UAE Embassy spokeswoman confirmed to the Daily Beast that the Hotmail address used for the messages belongs to him.

    Otaiba’s emails show an effort to build alliances and a focus on Qatar.

    The night before former U.S. Defense Secretary Robert Gates was scheduled to speak at a high-profile Washington conference on Qatar, for instance, Otaiba wrote him an artfully worded note. “The subject of the conference has been a neglected issue in U.S. foreign policy despite all the trouble it’s causing,” the diplomat wrote. “Coming from you, folks will listen carefully.”

    Gates emailed back that he thought he had “the chance to put some folks on notice.”

    Otaiba offered to buy the former Cabinet official lunch and passed along a message from his boss back home. “MBZ sends his best from Abu Dhabi,” the ambassador wrote, using a nickname for UAE Crown Prince Muhammed bin Zayed. “He says ‘give them hell tomorrow.’”

    The next day, Gates offered a scathing assault on Qatar, excoriating its support for Islamists, at an event hosted by the hawkish Foundation for Defense of Democracies. “The United States military doesn’t have any irreplaceable facility,” he said. “Tell Qatar to choose sides or we will change the nature of the relationship, to include downscaling the base.”

    The incident worried U.S. officials. The American ambassador to Qatar, experienced career diplomat Dana Shell Smith, contacted many of the conference speakers beforehand to try to tone down the rhetoric. It appears that her attempt backfired: foundation officials have publicly criticized and questioned her efforts.

    The powerful Washington-based foundation features heavily in the Otaiba emails. While many of those messages show the ambassador helping its analysts plan trips to the UAE, they also contain two of the most striking revelations about Otaiba: He explicitly advocated for moving the U.S. base out of Qatar — something he hasn’t done publicly — and he discussed the idea of pressuring companies in U.S.-friendly countries to avoid business opportunities in Iran.

    An Arab’s Favorite Pro-Israel Group

    The Foundation for Defense of Democracies spends much of its time trying to strengthen ties between Washington and conservative political forces in Israel. But despite the UAE’s refusal to establish diplomatic ties with Israel, the think tank and others in the pro-Israel lobby have found common ground with the Emirates on two major issues: Both want to contain Iran and political Islam. Both suffered a high-profile defeat when the U.S. and other nations reached a nuclear deal with Iran in 2015. And for the past year or so, both have been pushing to make the future of U.S. relations with Qatar a debate in D.C.

    Emirati critiques of Qatar often raise the same points the foundation’s scholars bring up in their frequent appearances before Congress and in the media: The Qatari government provides, in the words of the U.S. Treasury Department, a “permissive jurisdiction” for fundraisers and donors hoping to aid violent Muslim extremists. In supporting the rights of protesters and democracy activists (at least compared to its neighbors), Qatar is accused of promoting Islamists who claim to be peaceful but really seek to impose brutal Shariah law. And it frequently offers a platform to hatemongers targeting Israel, Jews, the minority Shiite community within Islam, LGBTQ individuals and others — generally on its marquee media property, the Arabic edition of Al-Jazeera.

    But experts on the region note that Qatar’s flaws as an American partner are not unique: Kuwait has also been called a “permissive jurisdiction,” and Saudi Arabia and the UAE also host terror financiers and clerics who spread hate speech. The vendetta against Qatar, then, appears to be driven by more defensive concerns, namely the pro-Israel side’s focus on Hamas and anyone who supports that group, and the UAE’s worry that the Muslim Brotherhood could threaten its own ruling regime.

    Otaiba made his views about the U.S. base in Qatar clear in an April 28 message this year to John Hannah, a senior counselor at the Foundation for Defense of Democracies and a former aide to Vice President Dick Cheney.

    Hannah had emailed the ambassador a Forbes article noting that an Emirati-owned hotel would actually be hosting a Hamas conference in “Muslim Brotherhood-loving” Qatar. Otaiba appeared taken aback by the jab; the UAE is rarely criticized in Washington’s policy community.

    “Shouldn’t we be trying to move the base?” he wrote. “I don’t think it’s fair to point the finger at an Emirati company on this one.”

    Hannah responded by saying he agreed about the military base. But he said criticism of the decision to host Hamas was fair no matter who owned the hotel. Otaiba snapped back that the UAE would move its hotel when the U.S. moved its base.

    “Don’t move the hotel,” Hannah answered. “Just force Hamas to reschedule at a different venue not owned by Emiratis.”

    On Friday, Hannah told HuffPost that the communications were business as usual.

    “As a leading Washington think tank, [the foundation] is engaged in policy discussions with a range of actors across the Middle East and elsewhere. My own relationship with Ambassador Otaiba goes back years, including both my time in government and out,” he wrote in an email.

    ...

    Although the broader foreign policy conversation is only now noting the alignment of interests between pro-Israel hawks and anti-Iran, anti-Brotherhood forces in the Gulf, like the UAE, informed analysts have recognized it for years.

    In a Feb. 5, 2014, email to Otaiba, lobbyist and former Clinton aide Rich Mintz directs him to note comments by former Obama administration official Dennis Ross at a public think tank event.

    Ross, a former senior adviser to President Barack Obama, is well respected among Middle East policy-makers. In a summary prepared by Mintz’s lobbying firm, Ross appeared to say that “as opposed to a few years ago, the talking points in the Gulf were almost identical to the ones he heard in speaking to Israeli officials.”

    (Mintz did not respond to a HuffPost request for comment; HuffPost was not able to independently confirm that exchange.)

    In recent weeks, Ross has publicly joined the chorus of Qatar critics and Emirates boosters. “The Qataris should know we have alternatives and are prepared to develop them in the UAE and elsewhere unless Qatar is prepared to be a genuine partner and not a party that contributes to the very threats we need to counter,” he wrote in USA Today on May 8.

    ———-

    “Someone Is Using These Leaked Emails To Embarrass Washington’s Most Powerful Ambassador” by Akbar Shahid Ahmed; The Huffington Post; 06/03/2017

    “In private correspondence, Otaiba — an extremely powerful figure in Washington, D.C., who is reportedly in “in almost constant phone and email contact” with Jared Kushner, President Donald Trump’s adviser and son-in-law — is seen pushing for the U.S. to close down its military base in Qatar and otherwise poking at issues that could drive a wedge between the U.S. and that Arab nation. He also says that his country’s de facto ruler is supportive of a wave of anti-Qatar criticism in the U.S. that the Gulf state last month called a smear campaign and that has prompted behind-the-scenes alarm inside the U.S. government.”

    And all these Otaiba emails were released just days after the Qatari hack by someone claiming to not work for the Qataris but who merely wants to expose UAE/US lobbying efforts:

    ...
    The anonymous leakers told HuffPost they sought to expose the UAE’s efforts to manipulate the U.S. government, and denied any allegiance to Qatar or any other government.
    ...

    So was this a Qatari counter-hack? Some other actor who would like to add to the diplomatic tension in the region? At this point we don’t know.

    And as the article below notes, a group going around distributing these hacked emails calls itself “GlobalLeaks” and uses a .ru email. Which would suggest these were Russian hackers...if you take everything at face value. But as a group of cybersecurity researchers who have analyzed the Otaiba hack point out, anyone could have done it and just tried to make it look like Russian hackers (it’s not like .ru email addresses can’t be obtained by non-Russians). And while these researchers can’t attribute the hack to any government or group with precision, they do note that it looks like the methods used by what appears to be a mercenary hacker group that’s been operating in the region. A group that’s been hired by a number of Gulf states to hack other Gulf officials:

    The New York Times

    Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire

    By DAVID D. KIRKPATRICK and SHEERA FRENKEL
    June 8, 2017

    DOHA, Qatar — The report appeared just after midnight on the official Qatari news agency’s website, and its contents were stunning: The emir of Qatar was quoted as describing “tensions” with President Trump and speculating he may not last in office, recommending friendship with Iran, praising the Palestinian militants of Hamas, and then attesting to his own “good” relations with Israel.

    The contradictory statements could hardly have been better contrived to alienate the United States and Arab countries around the Gulf, and Qatar immediately began to deny the report, early on May 24. But within 20 minutes, satellite networks controlled by Saudi Arabia and the United Arab Emirates had seized on the damning news flash and began interviewing long lines of well-prepared commentators to expound on the perfidy of Qatar.

    The Qatari government said the news agency had been hacked, a claim now supported by the F.B.I. and British law enforcement officials. Though they would not say so publicly, Qatari officials blamed the Saudis and Emiratis.

    Probably not coincidentally, a few days later, emails hacked from the Emirates’ ambassador to Washington began turning up in the Western news media and then the Qatari news network Al Jazeera.

    The cyber-intrigue was the opening skirmish in a pitched battle among ostensible Gulf allies this week. Saudi Arabia and the U.A.E. rallied dependent Arab states to cut off diplomatic relations, travel and trade with Qatar, and the unity of the American-backed alliance against the Islamic State and Iran has been fractured.

    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    The F.B.I. and other experts concluded the hack of Qatar’s news agency was the result of a computer break-in, and was most likely carried out by Russian hackers for hire, according to American and Qatari officials briefed on the investigation. F.B.I. officials told The New York Times that Russian mercenary hackers have frequently come up in investigations of attacks sponsored by nation-states.

    In fact, the hacking war in the Gulf region has likely been going on for years, though it has never played out on such a public stage. In 2015, for example, an Arab intermediary with ties to Qatar provided The Times with internal emails from the Emirati Foreign Ministry which stated that the U.A.E. was knowingly violating a United Nations resolution by shipping weapons to Libyan militias.

    “The fact of the matter is that the U.A.E. violated the U.N. Security Council Resolution on Libya and continues to do so,” Ahmed al-Qasimi, a senior Emirati diplomat, wrote in an internal email that was dated Aug. 4, 2015, and provided to The Times. Other internal Emirati emails about Libyan dealings and North Korean arms deals surfaced through Qatari-linked websites and the Guardian newspaper.

    Qatar has, at times, backed its own Libyan client militias on the other side of a three-year proxy war against the U.A.E — with both sides confounding Western attempts to broker a unity government in Libya.

    In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.

    The Emirati ambassador, Yousef al-Otaiba, is well known for his assiduous efforts to convince American think tanks and government officials that Qatar had threatened the stability of the region by cheering the Arab uprisings of 2011 and, in particular, by backing the Muslim Brotherhood.

    Mr. Otaiba, a charismatic figure who speaks nearly native-sounding English, has also served as a personal tutor in regional politics to Jared Kushner, the son-in-law and a senior adviser to President Trump.

    Several of the newly leaked emails appear to include examples of Mr. Otaiba pressing anti-Qatari arguments with American officials, who banter with him like old friends.

    ...

    In fact, on Thursday, the government of Qatar listed the hacking attack as part of a broader public influence campaign that has been appearing in American newspapers and think tank conferences. A timeline the government distributed to reporters, identified a series of 14 op-ed articles that appeared across the American media in a sudden flurry beginning around the same time — late April — all singling out Qatar for supporting Islamist militants or extremists.

    President Trump arrived in the region on May 20, weeks after the barrage of criticism began, for an Arab summit in Saudi Arabia. “He told us exactly: ‘We have to work together in stopping the funding of extremist groups in the region and whenever I read reports about this region I read about Qatar and Saudi,’ ” the Qatari foreign minister, Sheikh Mohammed bin Abdulrahman Al Thani, recalled on Thursday.

    “Mr. President,” the foreign minister said he replied, “are the reports based on media reports or intelligence reports? If it is based on media reports, then this is something we cannot answer.”

    “We assured them that we have strong cooperation with our security agencies,” the foreign minister added.

    Then, three days after the Trump meeting in Riyadh, the Foundation for the Defense of Democracies held a conference in Washington dedicated to criticism of Qatar, titled “Qatar and the Muslim Brotherhood’s Global Affiliates.”

    Robert M. Gates, the former defense secretary and a friend of Mr. Otaiba, gave the keynote. Attendees included many of the authors of the critical op-ed articles and senior Obama administration officials. Organizers encouraged Mr. Otaiba to attend, and his staff sent Abu Dhabi, the Emirati capital, a detailed report.

    No representative of Qatar was invited. The hack of the Qatari news agency took place after midnight that night.

    Mr. Anderson, the cyber security researcher, said the low cost and relative ease of hiring hackers meant that more such attacks would surely follow.

    “This is the future for what countries all around the world can do,” he said, “if they have the money and the resources.”

    By Thursday night, Qatar’s Al Jazeera network reported that hackers were attempting to overload and crash its internet servers.

    ———–

    “Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire” by DAVID D. KIRKPATRICK and SHEERA FRENKEL; The New York Times; 06/08/2017

    “In a report scheduled to be released on Friday, two independent cybersecurity researchers claim that at least one group of hackers can be found working as freelancers for a number of Gulf states, and that their methods bear a striking resemblance to the methods used to hack the Emirati ambassador.”

    And as these cybersecurity researchers note, not only are the methods in the Otaiba hack similar to a group of mercenary hackers they assert are working for a number of Gulf states, but this is the sign of a broader transformation in the accessibility of hacking/disinformation capabilities that were once thought to be relatively exclusive.

    ...
    But the dirty tricks also heralded a broader transformation in international espionage. The dust-up in the Gulf is the clearest sign yet that cyberattacks coupled with disinformation campaigns are no longer the exclusive domain of sophisticated powers like Russia. Any country can get in the game for the relatively low price of a few freelance hackers.

    ...

    “They seem to be hackers-for-hire, freelancing for all sorts of different clients, and adapting their skills as needed,” said Collin Anderson, who is one of the researchers. Mr. Anderson and his partner, Claudio Guarnieri, have nicknamed the group Bahamut, after a monstrous fish floating in the Arabian Sea in the Jorge Luis Borges novel “Book of Imaginary Beings.”

    The group regularly uses spear phishing attacks — emails designed to look innocent but contain malicious software applications. While it is not yet clear if Bahamut was behind the hack of the ambassador’s email, the group targeted a number of Emirati diplomats as well as other public figures in the Gulf region.

    Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.
    ...

    “Other news organizations have reported receiving leaked Emirati emails from a group calling itself GlobalLeaks and using email addressing ending in .ru, suggesting the mercenary hackers may be Russians or wish to pose as Russian.”

    Yep, unless the hackers were Russian hackers who wanted to advertise for some reason that they’re Russian hackers, the use of a .ru email address by the group distributing these emails basically tells us nothing about who did it. And while these cybersecurity researchers are suspecting that the “Bahamut” group of mercenaries is behind the hack, if their methods involve spear-phishing emails it’s not like other skilled hackers familiar with the cybersecurity industry’s tracking of the Bahamut group couldn’t mimic their methods. That’s the fun of our new digital cold war.

    So at this point it sounds like we have no real idea who did the hack, but whoever did it appears to want to send a “Hi! I’m a Russian hacker!” signal to the world. Of course.

    Posted by Pterrafractyl | June 12, 2017, 8:30 pm
  2. @Pterrafractyl–

    In assessing this, one should not lose sight of the fact that the CIA’s hacking code enables the authorship of the deed to assume an Arabic language cover, as well as Russian, Chinese or Farsi.

    Or, as we might say “Farce-ey.”

    Don’t forget that the Shadow Brokers have seen to it that the entire global hacking community has the NSA’s hacking tools.

    Katy, bar the door!

    Best,

    Dave

    Posted by Dave Emory | June 12, 2017, 8:57 pm
  3. One of the curious aspects of Kim ‘Dotcom’ Schmitz’s claims about being in contact with Seth Rich is how long he waited to make his big claim that he was in contact with Rich all along. Because that claim didn’t come out until May 19th of this year, a few days after the big Fox News disinformation/hoax piece on Rich. Why didn’t Dotcom make these claims sooner? Like, in the middle of the 2016 campaign? Wouldn’t that have been the optimal time for such a stunt?

    But here’s what adds to the curious timing: Check out this tweet from Dotcom back on September 28, 2016, directed to Donald Trump:

    Hey @realDonaldTrump, I’m not 400 pounds and I have never hacked from inside my bed. However, you owe me ??— Kim Dotcom (@KimDotcom) September 28, 2016

    And don’t forget that this tweet came two days after the first Presidential Debate between Donald Trump and Hillary Clinton on September 26, 2017, during which Trump made his infamous “the hacker could have been a 400 pound guy sitting his bed” comment. So Schmitz/‘Dotcom’ was clearly responding to Trump’s comment about the hacking. And he’s clearly claiming attribution for something that helped Trump. And yet no claims from Dotcom at the time that Seth Rich was the DNC leaker. Despite how the timing would have been perfect for such a claim...especially if Dotcom has the evidence he claims he has. And yet all we get from Dotcom before his Seth Rich claims last month was a very mysterious tweet that appears to be telling Trump he “owes” Dotcom over the DNC hacks.

    Also keep in mind that if Dotcom, or someone closely associated with him, was the actual hacker, drawing attention to himself back when the election was still going on by making claims about his contacts with Seth Rich could have brought much closer scrutiny to Dotcom with potentially huge implications for the election if suspicions fell on Dotcom. Especially given Dotcom’s predictions back in May of 2015 that Julian Assange was going to be Hillary Clinton’s worst nightmare. So if Dotcom was concerned about getting implicated in the hack, waiting until after the election does kind of make sense.

    But for someone who clearly wanted Hillary to lose to Trump, waiting until now to make these claims instead of last fall really is rather curious. Especially given Dotcom’s September 28th mystery tweet. Unless, of course, making these claims earlier would have been potentially even more damaging to Trump. Which could have been the case if Dotcom was indeed the hacker.

    Posted by Pterrafractyl | June 13, 2017, 2:45 pm
  4. It sounds like the hack­ing of state elec­tion sys­tems in the 2016 elec­tion was a lot more exten­sive than pre­vi­ous­ly report­ed: Up to 39 states were hacked to one degree or anoth­er in a giant spear-phish­ing cam­paign accord­ing to a recent report in Bloomberg. And while there was no indi­ca­tion that the hack­ers were attempt­ing to manip­u­late actu­al vote tal­lies, there were some signs that hack­ers tried, but failed, to manip­u­late the vot­er reg­istry data­bas­es in Illi­nois, which could have the effect of chang­ing vote totals by throw­ing some peo­ple off the vot­er rolls. And since Illi­nois was one of only a hand­ful of states to give fed­er­al inves­ti­ga­tors full access to their sys­tems it’s unclear how many oth­er states had sim­i­lar attempts.

    As of now, officials appear to be extremely worried that this mass hacking operation is going to happen in the 2018 or 2020 elections. And, of course, as of now, officials are characterizing the entire thing as an operation of Russian military intelligence, pointing to evidence like the IP addresses used. Yep, the GRU apparently doesn’t know how to use VPNs, proxies, or Tor and instead decided to use known GRU IP addresses to carry out this incredibly inflammatory hacking operation.

    The article also discusses how the extensive nature of the hacks so alarmed the Obama White House that a special ‘cyber Red Phone’ that had been set up between Washington and Moscow to defuse potential cyber conflicts was used in October for the very first time. The Russian government denied responsibility, asked for more information, and said they would investigate it. All while the hacking continued.

    So either the Russ­ian gov­ern­ment was exe­cut­ing an unprece­dent­ed high-pro­file self-incrim­i­nat­ing wave of incred­i­bly inflam­ma­to­ry hacks and con­tin­ued to do so even after the ‘cyber Red Phone’ got used for the first time with appar­ent­ly no con­cern for the con­se­quences, or some­one (like the GOP) was hack­ing the US elec­toral sys­tems and try­ing to frame the Rus­sians. Either way, those state elec­tion sys­tems could prob­a­bly use an over­haul soon:

    Bloomberg Pol­i­tics

    Russ­ian Cyber Hacks on U.S. Elec­toral Sys­tem Far Wider Than Pre­vi­ous­ly Known

    by Michael Riley and Jor­dan Robert­son

    June 13, 2017, 4:00 AM CDT

    * Attack­ers said to take mea­sure of vot­ing sys­tems, data­bas­es
    * A ‘red phone’ warn­ing to the Krem­lin from Oba­ma White House

    Russia’s cyber­at­tack on the U.S. elec­toral sys­tem before Don­ald Trump’s elec­tion was far more wide­spread than has been pub­licly revealed, includ­ing incur­sions into vot­er data­bas­es and soft­ware sys­tems in almost twice as many states as pre­vi­ous­ly report­ed.

    In Illi­nois, inves­ti­ga­tors found evi­dence that cyber intrud­ers tried to delete or alter vot­er data. The hack­ers accessed soft­ware designed to be used by poll work­ers on Elec­tion Day, and in at least one state accessed a cam­paign finance data­base. Details of the wave of attacks, in the sum­mer and fall of 2016, were pro­vid­ed by three peo­ple with direct knowl­edge of the U.S. inves­ti­ga­tion into the mat­ter. In all, the Russ­ian hack­ers hit sys­tems in a total of 39 states, one of them said.

    The scope and sophis­ti­ca­tion so con­cerned Oba­ma admin­is­tra­tion offi­cials that they took an unprece­dent­ed step — com­plain­ing direct­ly to Moscow over a mod­ern-day “red phone.” In Octo­ber, two of the peo­ple said, the White House con­tact­ed the Krem­lin on the back chan­nel to offer detailed doc­u­ments of what it said was Russia’s role in elec­tion med­dling and to warn that the attacks risked set­ting off a broad­er con­flict.

    The new details, but­tressed by a clas­si­fied Nation­al Secu­ri­ty Agency doc­u­ment recent­ly dis­closed by the Inter­cept, show the scope of alleged hack­ing that fed­er­al inves­ti­ga­tors are scru­ti­niz­ing as they look into whether Trump cam­paign offi­cials may have col­lud­ed in the efforts. But they also paint a wor­ri­some pic­ture for future elec­tions: The newest por­tray­al of poten­tial­ly deep vul­ner­a­bil­i­ties in the U.S.’s patch­work of vot­ing tech­nolo­gies comes less than a week after for­mer FBI Direc­tor James Comey warned Con­gress that Moscow isn’t done med­dling.

    “They’re com­ing after Amer­i­ca,” Comey told the Sen­ate Intel­li­gence Com­mit­tee inves­ti­gat­ing Russ­ian inter­fer­ence in the elec­tion. “They will be back.”

    A spokes­woman for the Fed­er­al Bureau of Inves­ti­ga­tion in Wash­ing­ton declined to com­ment on the agency’s probe.

    Krem­lin Denials

    Russ­ian offi­cials have pub­licly denied any role in cyber attacks con­nect­ed to the U.S. elec­tions, includ­ing a mas­sive “spear phish­ing” effort that com­pro­mised Hillary Clinton’s cam­paign and the Demo­c­ra­t­ic Nation­al Com­mit­tee, among hun­dreds of oth­er groups. Pres­i­dent Vladimir Putin said in recent com­ments to reporters that crim­i­nals inside the coun­try could have been involved with­out hav­ing been sanc­tioned by the Russ­ian gov­ern­ment.

    One of the mys­ter­ies about the 2016 pres­i­den­tial elec­tion is why Russ­ian intel­li­gence, after gain­ing access to state and local sys­tems, didn’t try to dis­rupt the vote. One pos­si­bil­i­ty is that the Amer­i­can warn­ing was effec­tive. Anoth­er for­mer senior U.S. offi­cial, who asked for anonymi­ty to dis­cuss the clas­si­fied U.S. probe into pre-elec­tion hack­ing, said a more like­ly expla­na­tion is that sev­er­al months of hack­ing failed to give the attack­ers the access they need­ed to mas­ter America’s dis­parate vot­ing sys­tems spread across more than 7,000 local juris­dic­tions.

    Such oper­a­tions need not change votes to be effec­tive. In fact, the Oba­ma admin­is­tra­tion believed that the Rus­sians were pos­si­bly prepar­ing to delete vot­er reg­is­tra­tion infor­ma­tion or slow vote tal­ly­ing in order to under­mine con­fi­dence in the elec­tion. That effort went far beyond the care­ful­ly timed release of pri­vate com­mu­ni­ca­tions by indi­vid­u­als and par­ties.

    One for­mer senior U.S. offi­cial expressed con­cern that the Rus­sians now have three years to build on their knowl­edge of U.S. vot­ing sys­tems before the next pres­i­den­tial elec­tion, and there is every rea­son to believe they will use what they have learned in future attacks.

    Secure Chan­nel

    As the first test of a communication system designed to de-escalate cyber conflict between the two countries, the cyber “red phone” — not a phone, in fact, but a secure messaging channel for sending urgent messages and documents — didn’t quite work as the White House had hoped. NBC News first reported the use of the red phone by the White House last December.

    The White House pro­vid­ed evi­dence gath­ered on Russia’s hack­ing efforts and rea­sons why the U.S. con­sid­ered it dan­ger­ous­ly aggres­sive. Rus­sia respond­ed by ask­ing for more infor­ma­tion and pro­vid­ing assur­ances that it would look into the mat­ter even as the hack­ing con­tin­ued, accord­ing to the two peo­ple famil­iar with the response.

    “Last year, as we detect­ed intru­sions into web­sites man­aged by elec­tion offi­cials around the coun­try, the admin­is­tra­tion worked relent­less­ly to pro­tect our elec­tion infra­struc­ture,” said Eric Schultz, a spokesman for for­mer Pres­i­dent Barack Oba­ma. “Giv­en that our elec­tion sys­tems are so decen­tral­ized, that effort meant work­ing with Demo­c­ra­t­ic and Repub­li­can elec­tion admin­is­tra­tors from all across the coun­try to bol­ster their cyber defens­es.”

    Illi­nois Data­base

    Illi­nois, which was among the states that gave the FBI and the Depart­ment of Home­land Secu­ri­ty almost full access to inves­ti­gate its sys­tems, pro­vides a win­dow into the hack­ers’ suc­cess­es and fail­ures.

    In ear­ly July 2016, a con­trac­tor who works two or three days a week at the state board of elec­tions detect­ed unau­tho­rized data leav­ing the net­work, accord­ing to Ken Men­zel, gen­er­al coun­sel for the Illi­nois board of elec­tions. The hack­ers had gained access to the state’s vot­er data­base, which con­tained infor­ma­tion such as names, dates of birth, gen­ders, driver’s licens­es and par­tial Social Secu­ri­ty num­bers on 15 mil­lion peo­ple, half of whom were active vot­ers. As many as 90,000 records were ulti­mate­ly com­pro­mised.

    But even if the entire data­base had been delet­ed, it might not have affect­ed the elec­tion, accord­ing to Men­zel. Coun­ties upload records to the state, not the oth­er way around, and no data moves from the data­base back to the coun­ties, which run the elec­tions. The hack­ers had no way of know­ing that when they attacked the state data­base, Men­zel said.

    The state does, how­ev­er, process online vot­er reg­is­tra­tion appli­ca­tions that are sent to the coun­ties for approval, Men­zel said. When vot­ers are added to the coun­ty rolls, that infor­ma­tion is then sent back to the state and added to the cen­tral data­base. This process, which is com­mon across states, does present an oppor­tu­ni­ty for attack­ers to manip­u­late records at their incep­tion.

    Patient Zero

    Illi­nois became Patient Zero in the government’s probe, even­tu­al­ly lead­ing inves­ti­ga­tors to a hack­ing pan­dem­ic that touched four out of every five U.S. states.

    Using evi­dence from the Illi­nois com­put­er banks, fed­er­al agents were able to devel­op dig­i­tal “sig­na­tures” — among them, Inter­net Pro­to­col address­es used by the attack­ers — to spot the hack­ers at work.

    The sig­na­tures were then sent through Home­land Secu­ri­ty alerts and oth­er means to every state. Thir­ty-sev­en states report­ed find­ing traces of the hack­ers in var­i­ous sys­tems, accord­ing to one of the peo­ple famil­iar with the probe. In two oth­ers — Flori­da and Cal­i­for­nia — those traces were found in sys­tems run by a pri­vate con­trac­tor man­ag­ing crit­i­cal elec­tion sys­tems.

    (An NSA doc­u­ment report­ed­ly leaked by Real­i­ty Win­ner, the 25-year-old gov­ern­ment con­tract work­er arrest­ed last week, iden­ti­fies the Flori­da con­trac­tor as VR Sys­tems, which makes an elec­tron­ic vot­er iden­ti­fi­ca­tion sys­tem used by poll work­ers.)

    In Illi­nois, inves­ti­ga­tors also found evi­dence that the hack­ers tried but failed to alter or delete some infor­ma­tion in the data­base, an attempt that wasn’t pre­vi­ous­ly report­ed. That sug­gest­ed more than a mere spy­ing mis­sion and poten­tial­ly a test run for a dis­rup­tive attack, accord­ing to the peo­ple famil­iar with the con­tin­u­ing U.S. coun­ter­in­tel­li­gence inquiry.

    States’ Response

    That idea would obsess the Oba­ma White House through­out the sum­mer and fall of 2016, out­weigh­ing wor­ries over the DNC hack and pri­vate Demo­c­ra­t­ic cam­paign emails giv­en to Wik­ileaks and oth­er out­lets, accord­ing to one of the peo­ple famil­iar with those con­ver­sa­tions. The Home­land Secu­ri­ty Depart­ment dis­patched spe­cial teams to help states strength­en their cyber defens­es, and some states hired pri­vate secu­ri­ty com­pa­nies to aug­ment those efforts.

    In many states, the extent of the Russ­ian infil­tra­tion remains unclear. The fed­er­al gov­ern­ment had no direct author­i­ty over state elec­tion sys­tems, and some states offered lim­it­ed coop­er­a­tion. When then-DHS Sec­re­tary Jeh John­son said last August that the depart­ment want­ed to declare the sys­tems as nation­al crit­i­cal infra­struc­ture — a des­ig­na­tion that gives the fed­er­al gov­ern­ment broad­er pow­ers to inter­vene — Repub­li­cans balked. Only after the elec­tion did the two sides even­tu­al­ly reach a deal to make the des­ig­na­tion.

    ...

    After the Oba­ma admin­is­tra­tion trans­mit­ted its doc­u­ments and Rus­sia asked for more infor­ma­tion, the hack­ers’ work con­tin­ued. Accord­ing to the leaked NSA doc­u­ment, hack­ers work­ing for Russ­ian mil­i­tary intel­li­gence were try­ing to take over the com­put­ers of 122 local elec­tion offi­cials just days before the Nov. 8 elec­tion.

    While some inside the Oba­ma admin­is­tra­tion pressed at the time to make the full scope of the Russ­ian activ­i­ty pub­lic, the White House was ulti­mate­ly unwill­ing to risk pub­lic con­fi­dence in the election’s integri­ty, peo­ple famil­iar with those dis­cus­sions said.

    ———-

    “Russ­ian Cyber Hacks on U.S. Elec­toral Sys­tem Far Wider Than Pre­vi­ous­ly Known” by Michael Riley and Jor­dan Robert­son; Bloomberg Pol­i­tics; 06/13/2017

    “In Illi­nois, inves­ti­ga­tors also found evi­dence that the hack­ers tried but failed to alter or delete some infor­ma­tion in the data­base, an attempt that wasn’t pre­vi­ous­ly report­ed. That sug­gest­ed more than a mere spy­ing mis­sion and poten­tial­ly a test run for a dis­rup­tive attack, accord­ing to the peo­ple famil­iar with the con­tin­u­ing U.S. coun­ter­in­tel­li­gence inquiry.”

    So in Illi­nois, one of a hand­ful of states that gave fed­er­al inves­ti­ga­tors the most com­plete access to their sys­tems and appar­ent­ly one of the first states hacked since the hack was first detect­ed in July, inves­ti­ga­tors found evi­dence of at least attempts at manip­u­lat­ing vot­er roll data. That’s cer­tain­ly a big deal and the kind of find­ing that poten­tial­ly rais­es ques­tions about the integri­ty of a lot more than just the votes for Pres­i­dent. ALL races in a state could be impact­ed by manip­u­lat­ing the vot­er rolls.

    How about the rest of the states? That’s unclear, thanks, in part, to the GOP’s blocking of an attempt by DHS to declare the nation’s voting systems as “national critical infrastructure”, which would have given federal investigators greater access to the other states’ voting systems:

    ...
    In many states, the extent of the Russ­ian infil­tra­tion remains unclear. The fed­er­al gov­ern­ment had no direct author­i­ty over state elec­tion sys­tems, and some states offered lim­it­ed coop­er­a­tion. When then-DHS Sec­re­tary Jeh John­son said last August that the depart­ment want­ed to declare the sys­tems as nation­al crit­i­cal infra­struc­ture — a des­ig­na­tion that gives the fed­er­al gov­ern­ment broad­er pow­ers to inter­vene — Repub­li­cans balked. Only after the elec­tion did the two sides even­tu­al­ly reach a deal to make the des­ig­na­tion.
    ...

    And at this point fed­er­al inves­ti­ga­tors appar­ent­ly can’t real­ly say how many oth­er states expe­ri­enced sim­i­lar attempts. Still, based on the dig­i­tal “sig­na­tures” that inves­ti­ga­tors have iden­ti­fied (because the ‘Russ­ian hack­ers’ appar­ent­ly did­n’t both­er try­ing to obscure them), “traces” of the hack­ers were found in the sys­tems of 39 states:

    ...
    Patient Zero

    Illi­nois became Patient Zero in the government’s probe, even­tu­al­ly lead­ing inves­ti­ga­tors to a hack­ing pan­dem­ic that touched four out of every five U.S. states.

    Using evi­dence from the Illi­nois com­put­er banks, fed­er­al agents were able to devel­op dig­i­tal “sig­na­tures” — among them, Inter­net Pro­to­col address­es used by the attack­ers — to spot the hack­ers at work.

    The sig­na­tures were then sent through Home­land Secu­ri­ty alerts and oth­er means to every state. Thir­ty-sev­en states report­ed find­ing traces of the hack­ers in var­i­ous sys­tems, accord­ing to one of the peo­ple famil­iar with the probe. In two oth­ers — Flori­da and Cal­i­for­nia — those traces were found in sys­tems run by a pri­vate con­trac­tor man­ag­ing crit­i­cal elec­tion sys­tems.

    (An NSA doc­u­ment report­ed­ly leaked by Real­i­ty Win­ner, the 25-year-old gov­ern­ment con­tract work­er arrest­ed last week, iden­ti­fies the Flori­da con­trac­tor as VR Sys­tems, which makes an elec­tron­ic vot­er iden­ti­fi­ca­tion sys­tem used by poll work­ers.)
    ...

    And it sounds like a large num­ber of those hacks (or hack attempts) took place in the last week of the cam­paign:

    ...
    After the Oba­ma admin­is­tra­tion trans­mit­ted its doc­u­ments and Rus­sia asked for more infor­ma­tion, the hack­ers’ work con­tin­ued. Accord­ing to the leaked NSA doc­u­ment, hack­ers work­ing for Russ­ian mil­i­tary intel­li­gence were try­ing to take over the com­put­ers of 122 local elec­tion offi­cials just days before the Nov. 8 elec­tion.
    ...

    So, overall, if we take this report at face value, the Russian government brazenly hacked into the Illinois state voting systems, tried to manipulate voter roll data, and then continued to brazenly hack — or attempt to hack — into at least 38 other states. All using digital “signatures”, like IP addresses, that were traced back to the GRU. And the really big wave of attacks happened in the last week of the campaign, after President Obama used the “cyber Red Phone” for the first time ever in October. And the Russian government ignored those calls to stop the hacking without any apparent fear of reprisal. And just kept hacking away without bothering to change those digital “signatures” from the July Illinois hack. Are we sure “Lazy Bear” isn’t a more appropriate moniker for this alleged GRU hacking group? “Fancy Bear” doesn’t quite capture their main attribute.

    Of course, since digital “signatures” are the kind of things hackers can often spoof and a declaration of cyber war would be an insane move by the Russian government, there’s the very obvious possibility that someone else made all these hacking attempts. So it’s worth noting that in The Intercept report about the leaked NSA document showing the analysis of the hacking of a Florida voting systems company, they interview Jake Williams — a former member of NSA’s elite hacking Tailored Access Operations team — and ask him about the spear-phishing campaign used against those 122 officials in the last week of the campaign. According to Williams, that spear-phishing operation was of “medium sophistication” that “practically any hacker can pull off”:

    The Inter­cept

    Top-Secret NSA Report Details Russ­ian Hack­ing Effort Days Before 2016 Elec­tion

    Matthew Cole, Richard Espos­i­to, Sam Bid­dle, Ryan Grim

    June 5 2017, 2:44 p.m.

    Russ­ian mil­i­tary intel­li­gence exe­cut­ed a cyber­at­tack on at least one U.S. vot­ing soft­ware sup­pli­er and sent spear-phish­ing emails to more than 100 local elec­tion offi­cials just days before last November’s pres­i­den­tial elec­tion, accord­ing to a high­ly clas­si­fied intel­li­gence report obtained by The Inter­cept.

    The top-secret Nation­al Secu­ri­ty Agency doc­u­ment, which was pro­vid­ed anony­mous­ly to The Inter­cept and inde­pen­dent­ly authen­ti­cat­ed, ana­lyzes intel­li­gence very recent­ly acquired by the agency about a months-long Russ­ian intel­li­gence cyber effort against ele­ments of the U.S. elec­tion and vot­ing infra­struc­ture. The report, dat­ed May 5, 2017, is the most detailed U.S. gov­ern­ment account of Russ­ian inter­fer­ence in the elec­tion that has yet come to light.

    While the doc­u­ment pro­vides a rare win­dow into the NSA’s under­stand­ing of the mechan­ics of Russ­ian hack­ing, it does not show the under­ly­ing “raw” intel­li­gence on which the analy­sis is based. A U.S. intel­li­gence offi­cer who declined to be iden­ti­fied cau­tioned against draw­ing too big a con­clu­sion from the doc­u­ment because a sin­gle analy­sis is not nec­es­sar­i­ly defin­i­tive.

    The report indi­cates that Russ­ian hack­ing may have pen­e­trat­ed fur­ther into U.S. vot­ing sys­tems than was pre­vi­ous­ly under­stood. It states unequiv­o­cal­ly in its sum­ma­ry state­ment that it was Russ­ian mil­i­tary intel­li­gence, specif­i­cal­ly the Russ­ian Gen­er­al Staff Main Intel­li­gence Direc­torate, or GRU, that con­duct­ed the cyber attacks described in the doc­u­ment:

    Russ­ian Gen­er­al Staff Main Intel­li­gence Direc­torate actors … exe­cut­ed cyber espi­onage oper­a­tions against a named U.S. com­pa­ny in August 2016, evi­dent­ly to obtain infor­ma­tion on elec­tions-relat­ed soft­ware and hard­ware solu­tions. … The actors like­ly used data obtained from that oper­a­tion to … launch a vot­er reg­is­tra­tion-themed spear-phish­ing cam­paign tar­get­ing U.S. local gov­ern­ment orga­ni­za­tions.

    This NSA sum­ma­ry judg­ment is sharply at odds with Russ­ian Pres­i­dent Vladimir Putin’s denial last week that Rus­sia had inter­fered in for­eign elec­tions: “We nev­er engaged in that on a state lev­el, and have no inten­tion of doing so.” Putin, who had pre­vi­ous­ly issued blan­ket denials that any such Russ­ian med­dling occurred, for the first time float­ed the pos­si­bil­i­ty that free­lance Russ­ian hack­ers with “patri­ot­ic lean­ings” may have been respon­si­ble. The NSA report, on the con­trary, dis­plays no doubt that the cyber assault was car­ried out by the GRU.

    ...

    The Spear-Phish­ing Attack

    As described by the clas­si­fied NSA report, the Russ­ian plan was sim­ple: pose as an e‑voting ven­dor and trick local gov­ern­ment employ­ees into open­ing Microsoft Word doc­u­ments invis­i­bly taint­ed with potent mal­ware that could give hack­ers full con­trol over the infect­ed com­put­ers.

    But in order to dupe the local offi­cials, the hack­ers need­ed access to an elec­tion soft­ware vendor’s inter­nal sys­tems to put togeth­er a con­vinc­ing dis­guise. So on August 24, 2016, the Russ­ian hack­ers sent spoofed emails pur­port­ing to be from Google to employ­ees of an unnamed U.S. elec­tion soft­ware com­pa­ny, accord­ing to the NSA report. Although the doc­u­ment does not direct­ly iden­ti­fy the com­pa­ny in ques­tion, it con­tains ref­er­ences to a prod­uct made by VR Sys­tems, a Flori­da-based ven­dor of elec­tron­ic vot­ing ser­vices and equip­ment whose prod­ucts are used in eight states.

    The spear-phish­ing email con­tained a link direct­ing the employ­ees to a mali­cious, faux-Google web­site that would request their login cre­den­tials and then hand them over to the hack­ers. The NSA iden­ti­fied sev­en “poten­tial vic­tims” at the com­pa­ny. While mali­cious emails tar­get­ing three of the poten­tial vic­tims were reject­ed by an email serv­er, at least one of the employ­ee accounts was like­ly com­pro­mised, the agency con­clud­ed. The NSA notes in its report that it is “unknown whether the afore­men­tioned spear-phish­ing deploy­ment suc­cess­ful­ly com­pro­mised all the intend­ed vic­tims, and what poten­tial data from the vic­tim could have been exfil­trat­ed.”

    VR Sys­tems declined to respond to a request for com­ment on the spe­cif­ic hack­ing oper­a­tion out­lined in the NSA doc­u­ment. Chief Oper­at­ing Offi­cer Ben Mar­tin replied by email to The Intercept’s request for com­ment with the fol­low­ing state­ment:

    Phish­ing and spear-phish­ing are not uncom­mon in our indus­try. We reg­u­lar­ly par­tic­i­pate in cyber alliances with state offi­cials and mem­bers of the law enforce­ment com­mu­ni­ty in an effort to address these types of threats. We have poli­cies and pro­ce­dures in effect to pro­tect our cus­tomers and our com­pa­ny.

    Although the NSA report indi­cates that VR Sys­tems was tar­get­ed only with login-steal­ing trick­ery, rather than com­put­er-con­trol­ling mal­ware, this isn’t nec­es­sar­i­ly a reas­sur­ing sign. Jake Williams, founder of com­put­er secu­ri­ty firm Ren­di­tion Infos­ec and for­mer­ly of the NSA’s Tai­lored Access Oper­a­tions hack­ing team, said stolen logins can be even more dan­ger­ous than an infect­ed com­put­er. “I’ll take cre­den­tials most days over mal­ware,” he said, since an employee’s login infor­ma­tion can be used to pen­e­trate “cor­po­rate VPNs, email, or cloud ser­vices,” allow­ing access to inter­nal cor­po­rate data. The risk is par­tic­u­lar­ly height­ened giv­en how com­mon it is to use the same pass­word for mul­ti­ple ser­vices. Phish­ing, as the name implies, doesn’t require every­one to take the bait in order to be a suc­cess — though Williams stressed that hack­ers “nev­er want just one” set of stolen cre­den­tials.

    In any event, the hack­ers appar­ent­ly got what they need­ed. Two months lat­er, on Octo­ber 27, they set up an “oper­a­tional” Gmail account designed to appear as if it belonged to an employ­ee at VR Sys­tems, and used doc­u­ments obtained from the pre­vi­ous oper­a­tion to launch a sec­ond spear-phish­ing oper­a­tion “tar­get­ing U.S. local gov­ern­ment orga­ni­za­tions.” These emails con­tained a Microsoft Word doc­u­ment that had been “tro­janized” so that when it was opened it would send out a bea­con to the “mali­cious infra­struc­ture” set up by the hack­ers.

    The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document. These particular weaponized files used PowerShell, a Microsoft scripting language designed for system administrators and installed by default on Windows computers, allowing vast control over a system’s settings and functions. If opened, the files “very likely” would have instructed the infected computer to begin downloading in the background a second package of malware from a remote server also controlled by the hackers, which the secret report says could have provided attackers with “persistent access” to the computer or the ability to “survey the victims for items of interest.” Essentially, the weaponized Word document quietly unlocks and opens a target’s back door, allowing virtually any cocktail of malware to be subsequently delivered automatically.

    Accord­ing to Williams, if this type of attack were suc­cess­ful, the per­pe­tra­tor would pos­sess “unlim­it­ed” capac­i­ty for siphon­ing away items of inter­est. “Once the user opens up that email [attach­ment],” Williams explained, “the attack­er has all the same capa­bil­i­ties that the user does.” Vikram Thakur, a senior research man­ag­er at Symantec’s Secu­ri­ty Response Team, told The Inter­cept that in cas­es like this the “quan­ti­ty of exfil­trat­ed data is only lim­it­ed by the con­trols put in place by net­work admin­is­tra­tors.” Data theft of this vari­ety is typ­i­cal­ly encrypt­ed, mean­ing any­one observ­ing an infect­ed net­work wouldn’t be able to see what exact­ly was being removed but should cer­tain­ly be able to tell some­thing was afoot, Williams added. Over­all, the method is one of “medi­um sophis­ti­ca­tion,” Williams said, one that “prac­ti­cal­ly any hack­er can pull off.”

    The NSA, how­ev­er, is uncer­tain about the results of the attack, accord­ing to the report. “It is unknown,” the NSA notes, “whether the afore­men­tioned spear-phish­ing deploy­ment suc­cess­ful­ly com­pro­mised the intend­ed vic­tims, and what poten­tial data could have been accessed by the cyber actor.”

    ...

    ———-

    “Top-Secret NSA Report Details Russ­ian Hack­ing Effort Days Before 2016 Elec­tion” by Matthew Cole, Richard Espos­i­to, Sam Bid­dle, Ryan Grim; The Inter­cept; 06/05/2017

    “The NSA assessed that this phase of the spear-phishing operation was likely launched on either October 31 or November 1 and sent spear-phishing emails to 122 email addresses “associated with named local government organizations,” probably to officials “involved in the management of voter registration systems.” The emails contained Microsoft Word attachments purporting to be benign documentation for VR Systems’ EViD voter database product line, but which were in reality maliciously embedded with automated software commands that are triggered instantly and invisibly when the user opens the document...”

    A spear-phishing attack using documents from the Florida-based “VR Systems” as the bait. That’s what the alleged Russian hackers did in the last week of the campaign. And how sophisticated was this spear-phishing attack? Almost any hacker could have done it. That’s how sophisticated:

    ...
    Accord­ing to Williams, if this type of attack were suc­cess­ful, the per­pe­tra­tor would pos­sess “unlim­it­ed” capac­i­ty for siphon­ing away items of inter­est. “Once the user opens up that email [attach­ment],” Williams explained, “the attack­er has all the same capa­bil­i­ties that the user does.” Vikram Thakur, a senior research man­ag­er at Symantec’s Secu­ri­ty Response Team, told The Inter­cept that in cas­es like this the “quan­ti­ty of exfil­trat­ed data is only lim­it­ed by the con­trols put in place by net­work admin­is­tra­tors.” Data theft of this vari­ety is typ­i­cal­ly encrypt­ed, mean­ing any­one observ­ing an infect­ed net­work wouldn’t be able to see what exact­ly was being removed but should cer­tain­ly be able to tell some­thing was afoot, Williams added. Over­all, the method is one of “medi­um sophis­ti­ca­tion,” Williams said, one that “prac­ti­cal­ly any hack­er can pull off.”
    ...

    “Over­all, the method is one of “medi­um sophis­ti­ca­tion,” Williams said, one that “prac­ti­cal­ly any hack­er can pull off.””

    So according to federal investigators, ‘the GRU’ used a spear-phishing technique that any hacker could have pulled off, and did it in a manner that left digital “signatures”, like IP addresses, that apparently led back to the GRU. And kept the same digital signatures in the July 2016 hack on the Illinois voting system that were found in the wave of spear-phishing attacks in the last week of the campaign. Even after getting a “cyber Red Phone” call from the White House for the first time ever in October, thus opening Russia to potential revenge attacks for years to come and poison-pilling the possible utility of having a Russian-friendly President Trump in the White House. It’s as if the cost-benefit analysis didn’t factor in the costs. That’s the story we’re supposed to accept.

    And, amazingly, based on the first report, it sounds like the bulk of the 39 hacked states got hacked by this spear-phishing campaign in the last week of the campaign despite the intense focus around potential hacking in the prior months. Those must have been some pretty compelling phishing emails. It raises the question as to whether or not some of those 122 targeted officials were trying to get their systems hacked. Keep in mind one of the very interesting things about a spear-phishing attack in a scenario like this one, where one of the hacked parties (the GOP) just might want to get hacked: Spear-phishing is a great way for an insider to invite in a hacker while maintaining plausible deniability. Oops! I was tricked! ;)

    It’s pretty clear that US state voting systems have a number of serious vulnerabilities. Specifically, people who fall for phishing emails and whatever malware is now installed on those systems after those hacks. Also note one of the main things protecting these systems from a much bigger hack: the decentralized nature of US voting systems, in which different locales use different technologies. It’s a lot harder to pull off a big hack in a decentralized system. And let’s also not forget that one of the giant voting vulnerabilities today is a direct consequence of the US’s response to the 2000 election voting debacle in Florida. Following that, Congress gave states gobs of cash to replace their paper ballot systems with hackable electronic voting machines. And now we have a problem with hackable electronic voting machines. Still.

    So if there is a big push to overhaul and improve US voting systems in anticipation of the 2016 hackers returning in future elections, keep in mind that it’s a lot harder to hack paper ballots.

    Posted by Pterrafractyl | June 14, 2017, 10:21 pm
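The attachment-driven data theft that Williams and Thakur describe in the article quoted above (encrypted outbound traffic whose content a network observer cannot read, but whose presence they can still notice) is the kind of thing a defender catches by volume rather than by content. The following is an added example, not code from the article, from the commenter, or from the investigators the article cites. It parses a few constructed flow records (assumed format: timestamp, source, destination, destination port, bytes out) and flags an internal host whose outbound volume to a single external peer is far above that host's own baseline. The internal ranges, the threshold and ratio values, and the sample addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Volume-based egress anomaly detection over flow records.

Added example, not code from the quoted article or the commenter.  The
article's point is that encrypted exfiltration hides *what* left the
network but not *that* it left; a per-host volume baseline surfaces it.
Flow record format (assumed): "<iso-time> <src> <dst> <dport> <bytes_out>".
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal address space (assumed for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: workstation 10.1.2.3 pushes ~1.1 GB to one external
# host over TLS while its other traffic stays tiny.  External addresses are
# RFC 5737 documentation ranges; nothing here is a real indicator.
SAMPLE_FLOWS = """\
2016-11-01T09:00:01 10.1.2.3 203.0.113.10 443 18240
2016-11-01T09:02:11 10.1.2.3 203.0.113.10 443 22110
2016-11-01T09:05:40 10.1.2.3 198.51.100.7 443 612900000
2016-11-01T09:06:02 10.1.2.3 198.51.100.7 443 540100000
2016-11-01T09:07:15 10.1.2.9 203.0.113.10 443 14020
2016-11-01T09:08:00 10.1.2.9 192.0.2.20 80 3120
2016-11-01T09:08:30 192.168.5.5 10.1.2.3 445 90000000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def outbound_by_peer(flows):
    """Total bytes each internal host sent to each external (peer, port)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst, f.dport)] += f.bytes_out
    return totals


def detect_exfil(lines, threshold_bytes, min_ratio=5.0):
    """Alert on (src, dst, port) whose outbound volume exceeds
    threshold_bytes and dwarfs the host's other external peers.

    The baseline is the lower median of the host's per-peer volumes, so a
    host that talks to a single peer is judged on the threshold alone.
    """
    flows = [parse_flow(line) for line in lines if line.strip()]
    totals = outbound_by_peer(flows)
    per_host = defaultdict(list)
    for (src, _dst, _dport), nbytes in totals.items():
        per_host[src].append(nbytes)
    alerts = []
    for (src, dst, dport), nbytes in sorted(totals.items()):
        if nbytes < threshold_bytes:
            continue
        vols = sorted(per_host[src])
        baseline = vols[(len(vols) - 1) // 2]
        if len(vols) == 1 or nbytes >= min_ratio * baseline:
            alerts.append({
                "src": src, "dst": dst, "dport": dport, "bytes": nbytes,
                # 443/22 carry encrypted payloads: content is opaque, volume is not.
                "encrypted_port": dport in (443, 22),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_FLOWS.splitlines(), threshold_bytes=100_000_000):
        print(f"{a['src']} -> {a['dst']}:{a['dport']} sent {a['bytes']:,} bytes "
              f"(encrypted={a['encrypted_port']})")
```

The internal-to-internal transfer on port 445 at the end of the sample is deliberately ignored: the check is about what crosses the network boundary, which is also where the “controls put in place by network administrators” that Thakur mentions would sit.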
  5. Here’s an arti­cle that reminds us of some­thing to keep in mind when assess­ing the curi­ous case of the appar­ent hack­ing of Qatar’s news agency fol­lowed by the email hack of the UAE’s ambas­sador to the US that some sus­pect was done by a mer­ce­nary hack­er group: Mid­dle East­ern gov­ern­ments prob­a­bly don’t need to hire rogue hack­er mer­ce­nary groups to car­ry out very sophis­ti­cat­ed hacks:

    BBC

    How BAE sold cyber-sur­veil­lance tools to Arab states

    15 June 2017

    A year-long inves­ti­ga­tion by BBC Ara­bic and a Dan­ish news­pa­per has uncov­ered evi­dence that the UK defence giant BAE Sys­tems has made large-scale sales across the Mid­dle East of sophis­ti­cat­ed sur­veil­lance tech­nol­o­gy, includ­ing to many repres­sive gov­ern­ments.

    These sales have also includ­ed decryp­tion soft­ware which could be used against the UK and its allies.

    While the sales are legal, human rights cam­paign­ers and cyber-secu­ri­ty experts have expressed seri­ous con­cerns these pow­er­ful tools could be used to spy on mil­lions of peo­ple and thwart any signs of dis­sent.

    The inves­ti­ga­tion began in the small Dan­ish town of Nor­re­sund­by, home to ETI, a com­pa­ny spe­cial­is­ing in high-tech sur­veil­lance equip­ment.

    ETI devel­oped a sys­tem called Evi­dent, which enabled gov­ern­ments to con­duct mass sur­veil­lance of their cit­i­zens’ com­mu­ni­ca­tions.

    A for­mer employ­ee, speak­ing to the BBC anony­mous­ly, described how Evi­dent worked.

    “You’d be able to inter­cept any inter­net traf­fic,” he said. “If you want­ed to do a whole coun­try, you could. You could pin-point peo­ple’s loca­tion based on cel­lu­lar data. You could fol­low peo­ple around. They were quite far ahead with voice recog­ni­tion. They were capa­ble of decrypt­ing stuff as well.”

    One ear­ly cus­tomer of the new sys­tem was the Tunisian gov­ern­ment.

    The BBC tracked down a for­mer Tunisian intel­li­gence offi­cial who oper­at­ed Evi­dent for the coun­try’s vet­er­an leader, Pres­i­dent Zine al-Abidine Ben Ali.

    “ETI installed it and engi­neers came for train­ing ses­sions,” he explained. “[It] works with key­words. You put in an oppo­nen­t’s name and you will see all the sites, blogs, social net­works relat­ed to that user.”

    The source says Pres­i­dent Ben Ali used the sys­tem to crack down on oppo­nents until his over­throw in Jan­u­ary 2011, in the first pop­u­lar upris­ing of the Arab Spring.

    Cam­paign­ers ‘van­ished’

    As protests spread across the Arab world, social media became a key tool for organ­is­ers.

    Gov­ern­ments began shop­ping around for more sophis­ti­cat­ed cyber-sur­veil­lance sys­tems — open­ing up a lucra­tive new mar­ket for com­pa­nies like BAE Sys­tems.

    In 2011, BAE bought ETI and the com­pa­ny became part of BAE Sys­tems Applied Intel­li­gence.

    Over the next five years, BAE used its Dan­ish sub­sidiary to sup­ply Evi­dent sys­tems to many Mid­dle East­ern coun­tries with ques­tion­able human rights records.

    Free­dom of infor­ma­tion requests sub­mit­ted by the BBC and the Dag­bladet Infor­ma­tion news­pa­per in Den­mark revealed exports to Sau­di Ara­bia, the UAE, Qatar, Oman, Moroc­co and Alge­ria.

    While it is not pos­si­ble to link indi­vid­ual cas­es direct­ly to the Evi­dent sys­tem, increased lev­els of cyber-sur­veil­lance since the start of the Arab Spring have had a direct and dev­as­tat­ing impact on the activ­i­ties of human rights and democ­ra­cy cam­paign­ers in many of the states that acquired it.

    “I would­n’t be exag­ger­at­ing if I said more than 90% of the most active cam­paign­ers in 2011 have now van­ished,” says Yahya Assiri, a for­mer Sau­di air force offi­cer who fled the coun­try after post­ing pro-democ­ra­cy state­ments online.

    “It used to be that ‘the walls have ears’, but now it’s ‘smart­phones have ears,’ ” says Man­al al-Sharif, a Sau­di wom­en’s rights activist who also now lives abroad.

    “No coun­try mon­i­tors its own peo­ple the way they do in the Gulf coun­tries. They have the mon­ey, so they can buy advanced sur­veil­lance soft­ware.”

    The sit­u­a­tion has led cam­paign­ers to voice deep con­cerns about the future of civ­il soci­ety in the Mid­dle East.

    “Sur­veil­lance will destroy peo­ple’s con­fi­dence in organ­is­ing, express­ing and shar­ing ideas, try­ing to cre­ate a polit­i­cal move­ment,” warns Gus Hosein of Lon­don-based Pri­va­cy Inter­na­tion­al.

    ‘Respon­si­ble trad­ing’

    The BBC has also asked for respons­es from the gov­ern­ments of Sau­di Ara­bia, Oman and the UAE. It has not yet received any replies.

    All sales of Evi­dent were made entire­ly legal­ly under Dan­ish gov­ern­ment export licences, issued by the Dan­ish Busi­ness Author­i­ty.

    BAE Sys­tems in the UK declined a BBC request for an inter­view on the issue, say­ing it was against com­pa­ny pol­i­cy to com­ment on spe­cif­ic con­tracts. But in a writ­ten state­ment the com­pa­ny said: “BAE sys­tems works for a num­ber of organ­i­sa­tions around the world with­in the reg­u­la­to­ry frame­work of all rel­e­vant coun­tries and with­in our respon­si­ble trad­ing prin­ci­ples.”

    Dur­ing the course of the BBC inves­ti­ga­tion, it emerged that sales of Evi­dent could also poten­tial­ly have an impact on nation­al secu­ri­ty in the UK.

    An upgrad­ed ver­sion of the sys­tem now offers anoth­er capa­bil­i­ty — decryp­tion or, to use the tech­ni­cal term, crypt­analy­sis.

    This enables users to read com­mu­ni­ca­tions even if they have been secu­ri­ty encrypt­ed.

    Crypt­analy­sis is such a pow­er­ful tool that its export is tight­ly con­trolled.

    Export autho­ri­sa­tions

    The BBC has obtained a 2015 email exchange between the British and Dan­ish export author­i­ties in which the British side clear­ly express­es con­cern about this capa­bil­i­ty with ref­er­ence to an Evi­dent sale to the Unit­ed Arab Emi­rates.

    “We would refuse a licence to export this crypt­analy­sis soft­ware from the UK because of Cri­te­ria 5 con­cerns,” says the email.

    “Cri­te­ria 5” refers to the nation­al secu­ri­ty of the UK and its allies.

    The wor­ry is that the soft­ware could give users access to the UK’s own com­mu­ni­ca­tions.

    “Once you’ve sold the equip­ment to some­one they can prob­a­bly do what they want with it,” says Ross Ander­son, pro­fes­sor of Secu­ri­ty Engi­neer­ing at Cam­bridge Uni­ver­si­ty.

    “An Arab coun­try wants to buy crypt­analy­sis equip­ment sup­pos­ed­ly for its own law enforce­ment. They have embassies in Lon­don, Wash­ing­ton, Paris and Berlin. What’s to stop them putting bulk sur­veil­lance equip­ment in our cities and then using the crypt­analy­sis equip­ment to deci­pher all the mobile phone calls they hear?”

    Despite British objec­tions, the Dan­ish author­i­ties approved the Evi­dent export.

    The Dan­ish for­eign min­istry declined to be inter­viewed but in state­ment said the Dan­ish Busi­ness Author­i­ty would not grant export autho­ri­sa­tion if an EU mem­ber state request­ed that it did not because of secu­ri­ty con­cerns.

    Defence experts argue that at a time when coun­tries around the world face height­ened ter­ror­ist threats, there is a clear jus­ti­fi­ca­tion for sales of sur­veil­lance equip­ment.

    “It’s a trade-off,” says Jonathan Shaw, for­mer head of Cyber-Secu­ri­ty at the UK Min­istry of Defence.

    “I would imag­ine the con­sid­er­a­tion that plays in peo­ple’s minds is not so much the eco­nom­ic advan­tage... but it’s that the secu­ri­ty of the state we’re talk­ing to is close­ly linked to ours. Or they are track­ing peo­ple who are a direct threat to Britain and we need their assis­tance.”

    Accord­ing to a 2016 UK Home Office report, mass sur­veil­lance tech­nol­o­gy has played a sig­nif­i­cant role in every major counter-ter­ror­ism inves­ti­ga­tion in the last decade.

    “The more ter­ror­ist inci­dents there are, the more peo­ple will start to see the ben­e­fits of favour­ing secu­ri­ty over pri­va­cy,” Mr Shaw adds.

    ...

    ‘Unac­cept­able’

    Dutch MEP Mari­et­je Schaake is one of the few Euro­pean politi­cians pre­pared to dis­cuss con­cerns about sur­veil­lance tech­nol­o­gy exports.

    She says Euro­pean coun­tries will ulti­mate­ly pay a price for the com­pro­mis­es now being made.

    “Each and every case where some­one is silenced or ends up in prison with the help of EU-made tech­nolo­gies I think is unac­cept­able,” she told the BBC.

    “I think the fact that these com­pa­nies are com­mer­cial play­ers, devel­op­ing these high­ly sophis­ti­cat­ed tech­nolo­gies that could have a deep impact on our nation­al secu­ri­ty, on peo­ple’s lives, requires us to look again at what kind of restric­tions maybe be need­ed, what kind of trans­paren­cy and account­abil­i­ty is need­ed in this mar­ket before it turns against our own inter­est and our own prin­ci­ples.”

    ———-

    “How BAE sold cyber-sur­veil­lance tools to Arab states”; BBC; 06/15/2017

    ““You’d be able to inter­cept any inter­net traf­fic,” he said. “If you want­ed to do a whole coun­try, you could. You could pin-point peo­ple’s loca­tion based on cel­lu­lar data. You could fol­low peo­ple around. They were quite far ahead with voice recog­ni­tion. They were capa­ble of decrypt­ing stuff as well.””

    That sounds like some pret­ty advanced hack­ing capa­bil­i­ties. Advanced hack­ing capa­bil­i­ties in a lot of gov­ern­ment hands:

    ...
    As protests spread across the Arab world, social media became a key tool for organ­is­ers.

    Gov­ern­ments began shop­ping around for more sophis­ti­cat­ed cyber-sur­veil­lance sys­tems — open­ing up a lucra­tive new mar­ket for com­pa­nies like BAE Sys­tems.

    In 2011, BAE bought ETI and the com­pa­ny became part of BAE Sys­tems Applied Intel­li­gence.

    Over the next five years, BAE used its Dan­ish sub­sidiary to sup­ply Evi­dent sys­tems to many Mid­dle East­ern coun­tries with ques­tion­able human rights records.

    Free­dom of infor­ma­tion requests sub­mit­ted by the BBC and the Dag­bladet Infor­ma­tion news­pa­per in Den­mark revealed exports to Sau­di Ara­bia, the UAE, Qatar, Oman, Moroc­co and Alge­ria.
    ...

    And it’s not like these advanced hack­ing capa­bil­i­ties only work in the Mid­dle East:

    ...
    The BBC has obtained a 2015 email exchange between the British and Dan­ish export author­i­ties in which the British side clear­ly express­es con­cern about this capa­bil­i­ty with ref­er­ence to an Evi­dent sale to the Unit­ed Arab Emi­rates.

    “We would refuse a licence to export this crypt­analy­sis soft­ware from the UK because of Cri­te­ria 5 con­cerns,” says the email.

    “Cri­te­ria 5” refers to the nation­al secu­ri­ty of the UK and its allies.

    The wor­ry is that the soft­ware could give users access to the UK’s own com­mu­ni­ca­tions.

    “Once you’ve sold the equip­ment to some­one they can prob­a­bly do what they want with it,” says Ross Ander­son, pro­fes­sor of Secu­ri­ty Engi­neer­ing at Cam­bridge Uni­ver­si­ty.

    “An Arab coun­try wants to buy crypt­analy­sis equip­ment sup­pos­ed­ly for its own law enforce­ment. They have embassies in Lon­don, Wash­ing­ton, Paris and Berlin. What’s to stop them putting bulk sur­veil­lance equip­ment in our cities and then using the crypt­analy­sis equip­ment to deci­pher all the mobile phone calls they hear?”
    ...

    So when the next big ‘who­dun­nit?’ hack attack hap­pens and peo­ple start assem­bling a sus­pect list and ask­ing ‘cui bono?’, don’t for­get that BAE already sold these capa­bil­i­ties to a num­ber of the gov­ern­ments across the Mid­dle East.

    Also don’t for­get that sell­ing advanced hack­ing tools to Mid­dle East­ern gov­ern­ments isn’t some BAE monop­oly. It’s a com­pet­i­tive mar­ket.

    Posted by Pterrafractyl | June 16, 2017, 2:34 pm
  6. You know that report about how the election systems of 39 US states were “hit” by ‘Russian hackers’, most of them just a week before the 2016 November election? Well, the National Association of Secretaries of State, an organization that represents the chief election officials in 40 states, has a rebuttal: they have no idea what this report was talking about and believe it’s a matter of cybersecurity firms being overly aggressive to earn state contracts to protect election systems:

    Ben­zin­ga

    State Elec­tion Offi­cials Baf­fled By Report 39 States ‘Hit’ By Russ­ian Hack­ers

    Mark Fritz , Ben­zin­ga Staff Writer
    June 15, 2017 1:16pm

    State elec­tion offi­cials are baf­fled by a Bloomberg report alleg­ing that Russ­ian hack­ers com­pro­mised the vot­ing sys­tems in 39 states, adding that cyber­se­cu­ri­ty firms were engag­ing in scare tac­tics to win state and local con­tracts to pro­tect elec­tion sys­tems.

    The June 13 Bloomberg sto­ry said that hack­ers staged incur­sions last year into vot­er data­bas­es and soft­ware sys­tems in almost twice as many states as pre­vi­ous­ly report­ed.

    “In Illi­nois, inves­ti­ga­tors found evi­dence that cyber intrud­ers tried to delete or alter vot­er data. The hack­ers accessed soft­ware designed to be used by poll work­ers on Elec­tion Day, and in at least one state accessed a cam­paign finance data­base,” the report said.

    It cit­ed three unnamed sources with direct knowl­edge of “the U.S. inves­ti­ga­tion into the mat­ter.”

    “In all, the Russ­ian hack­ers hit sys­tems in a total of 39 states, one of them said,” the report said.

    The Nation­al Secu­ri­ty Agency, the FBI and the U.S. Home­land Secu­ri­ty Depart­ment all are look­ing into var­i­ous aspects of what intel­li­gence offi­cials said was Russ­ian med­dling into the U.S. elec­tion sys­tems.

    Kay Stim­son, spokes­woman for the Nation­al Asso­ci­a­tion of Sec­re­taries of State, said the mem­bers of her group — which rep­re­sents the chief elec­tion offi­cials in 40 states — were tak­en aback by the alle­ga­tion that 39 states were hacked.

    “We can­not ver­i­fy any infor­ma­tion in that report,” Stim­son told Ben­zin­ga. “It has some claims that have raised some red flags. I don’t know where they’re get­ting it. We’re not able to assess to the cred­i­bil­i­ty.”

    Cyber Secu­ri­ty Firms Cap­i­tal­iz­ing On Russ­ian Scare

    She said that some cyber­se­cu­ri­ty firms were engag­ing in scare tac­tics at the state and local lev­els.

    “There are cyber­se­cu­ri­ty firms mak­ing some wild claims,” she said. “It is a very aggres­sive indus­try.”

    Bloomberg attrib­uted the num­ber of states “hit” — Stim­son ques­tioned the mean­ing of the word — to the sys­tems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.

    Home­land Secu­ri­ty also issued a report about the Bloomberg report, say­ing: “While we are not going to get into specifics of activ­i­ty at the state lev­el, the vast major­i­ty of what we saw was scan­ning — not attempts to intrude — and unsuc­cess­ful attempts to steal data held in vot­er reg­is­tra­tion data­bas­es.”

    Lit­tle Doubt Russ­ian Med­dling In Elec­tion

    Despite the reac­tion to the Bloomberg report, there is lit­tle doubt that Russ­ian actors attempt­ed to access U.S. elec­tion sys­tems. Spe­cial inves­ti­ga­tor Robert Mueller has been tasked with spear­head­ing the inves­ti­ga­tion into whether the Trump cam­paign col­lud­ed with Krem­lin affil­i­ates to leak dam­ag­ing emails and rig the elec­tion.

    ...

    ———-

    “State Elec­tion Offi­cials Baf­fled By Report 39 States ‘Hit’ By Russ­ian Hack­ers” by Mark Fritz; Ben­zin­ga; 06/15/2017

    ““We can­not ver­i­fy any infor­ma­tion in that report,” Stim­son told Ben­zin­ga. “It has some claims that have raised some red flags. I don’t know where they’re get­ting it. We’re not able to assess to the cred­i­bil­i­ty.””

    Yeah, that’s quite a rebut­tal. So none of the infor­ma­tion from that Bloomberg report can be ver­i­fied. And the way the spokesper­son for the asso­ci­a­tion rep­re­sent­ing 40 state elec­tion chiefs puts it, this report was like­ly hype cre­at­ed by a cyber­se­cu­ri­ty indus­try intent on cre­at­ing a pan­ic over future Russ­ian hack­ers for the pur­pose of basi­cal­ly cre­at­ing demand for their ser­vices:

    ...
    Cyber Secu­ri­ty Firms Cap­i­tal­iz­ing On Russ­ian Scare

    She said that some cyber­se­cu­ri­ty firms were engag­ing in scare tac­tics at the state and local lev­els.

    “There are cyber­se­cu­ri­ty firms mak­ing some wild claims,” she said. “It is a very aggres­sive indus­try.”

    Bloomberg attrib­uted the num­ber of states “hit” — Stim­son ques­tioned the mean­ing of the word — to the sys­tems in 39 states. “It’s hard to say how they ‘hit’ 39 states,” she said.
    ...

    And the Depart­ment of Home­land Secu­ri­ty down­played the report too:

    ...
    Home­land Secu­ri­ty also issued a report about the Bloomberg report, say­ing: “While we are not going to get into specifics of activ­i­ty at the state lev­el, the vast major­i­ty of what we saw was scan­ning — not attempts to intrude — and unsuc­cess­ful attempts to steal data held in vot­er reg­is­tra­tion data­bas­es.”
    ...

    That certainly supports the notion that the “39 states were hacked by the Russians” claim was, at a minimum, an exaggeration. And when DHS says the “vast majority” of what it saw was “scanning”, keep in mind that “scanning” computers connected to the internet is ubiquitous. And if IP addresses were used to attribute this scanning to “Russian hackers”, then, if the US intelligence report on the evidence for ‘Russian hackers’ in the DNC server hack is any indication of the way IP addresses are being used to assess culpability for these state system scanning attempts, IP addresses aren’t the most compelling evidence in this case:

    Counter Punch

    Did the Rus­sians Real­ly Hack the DNC?

    by Gre­go­ry Elich
    Jan­u­ary 13, 2017

    Rus­sia, we are told, breached the servers of the Demo­c­ra­t­ic Nation­al Com­mit­tee (DNC), swiped emails and oth­er doc­u­ments, and released them to the pub­lic, to alter the out­come of the U.S. pres­i­den­tial elec­tion.

    How sub­stan­tial is the evi­dence back­ing these asser­tions?

    ...

    Com­mand-and-con­trol servers remote­ly issue mali­cious com­mands to infect­ed machines. Odd­ly, for such a key com­po­nent of the oper­a­tion, the com­mand-and-con­trol IP address in both attacks was hard-cod­ed in the mal­ware. This seems like anoth­er inex­plic­a­ble choice, giv­en that the point of an advanced per­sis­tent threat is to oper­ate for an extend­ed peri­od with­out detec­tion. A more suit­able approach would be to use a Domain Name Sys­tem (DNS) address, which is a decen­tral­ized com­put­er nam­ing sys­tem. That would pro­vide a more covert means of iden­ti­fy­ing the com­mand-and-con­trol serv­er. [13] More­over, one would expect that address to be encrypt­ed. Using a DNS address would also allow the com­mand-and-con­trol oper­a­tion to eas­i­ly move to anoth­er serv­er if its loca­tion is detect­ed, with­out the need to mod­i­fy and rein­stall the code.

    One of the IP address­es is claimed to be a “well-known APT 28” com­mand-and-con­trol address, while the sec­ond is said to be linked to Russ­ian mil­i­tary intel­li­gence. [14] The first address points to a serv­er locat­ed in San Jose, Cal­i­for­nia, and is oper­at­ed by a serv­er host­ing ser­vice. [15] The sec­ond serv­er is sit­u­at­ed in Paris, France, and owned by anoth­er serv­er host­ing ser­vice. [16] Clear­ly, these are servers that have been com­pro­mised by hack­ers. It is cus­tom­ary for hack­ers to route their attacks through vul­ner­a­ble com­put­ers. The IP address­es of com­pro­mised com­put­ers are wide­ly avail­able on the Deep Web, and typ­i­cal­ly a hacked serv­er will be used by mul­ti­ple threat actors. These two par­tic­u­lar servers may or may not have been reg­u­lar­ly uti­lized by Russ­ian Intel­li­gence, but they were not unique­ly so used. Almost cer­tain­ly, many oth­er hack­ers would have used the same machines, and it can­not be said that these IP address­es unique­ly iden­ti­fy an infil­tra­tor. Indeed, the sec­ond IP address is asso­ci­at­ed with the com­mon Tro­jan virus­es Agent-APPR and Shun­nael. [17]

    “Every­one is focused on attri­bu­tion, but we may be miss­ing the big­ger truth,” says Joshua Cro­man, Direc­tor of the Cyber State­craft Ini­tia­tive at the Atlantic Coun­cil. “[T]he lev­el of sophis­ti­ca­tion required to do this hack was so low that near­ly any­one could do it.” [18]

    ...

    ———-

    “Did the Rus­sians Real­ly Hack the DNC?” by Gre­go­ry Elich; Counter Punch; 01/13/2017

    “One of the IP address­es is claimed to be a “well-known APT 28” com­mand-and-con­trol address, while the sec­ond is said to be linked to Russ­ian mil­i­tary intel­li­gence. [14] The first address points to a serv­er locat­ed in San Jose, Cal­i­for­nia, and is oper­at­ed by a serv­er host­ing ser­vice. [15] The sec­ond serv­er is sit­u­at­ed in Paris, France, and owned by anoth­er serv­er host­ing ser­vice. [16] Clear­ly, these are servers that have been com­pro­mised by hack­ers. It is cus­tom­ary for hack­ers to route their attacks through vul­ner­a­ble com­put­ers. The IP address­es of com­pro­mised com­put­ers are wide­ly avail­able on the Deep Web, and typ­i­cal­ly a hacked serv­er will be used by mul­ti­ple threat actors. These two par­tic­u­lar servers may or may not have been reg­u­lar­ly uti­lized by Russ­ian Intel­li­gence, but they were not unique­ly so used. Almost cer­tain­ly, many oth­er hack­ers would have used the same machines, and it can­not be said that these IP address­es unique­ly iden­ti­fy an infil­tra­tor. Indeed, the sec­ond IP address is asso­ci­at­ed with the com­mon Tro­jan virus­es Agent-APPR and Shun­nael. [17]

    So were IP addresses of the “scans” of these state election systems the primary evidence used to determine that the Russian government attempted a stunningly brazen last-minute massive hacking operation against US election systems? That’s a question that needs answering now that there’s massive alarm raised over future Russian government hack attacks. Especially now that state election officials refuse to validate any part of that Bloomberg report and suggest it is an instance of cybersecurity industry hype.

    Of course, if the report was true, it’s possible these state election officials are covering their backsides by downplaying the extent to which their defensive measures (or lack thereof) had been breached. It’s something we can’t rule out. But note how the Bloomberg report’s sources claim that the “digital signatures” collected from the initial Illinois systems hack were distributed to the rest of the states and 39 of them reported finding “traces” of the same hackers. So there’s a significant conflict between the claims of the Bloomberg report’s sources and the stance of the state election chiefs. Also don’t forget that the Bloomberg report was based on three anonymous sources, and only one of them made the claim about 39 states getting hit:

    Bloomberg Pol­i­tics

    Russ­ian Cyber Hacks on U.S. Elec­toral Sys­tem Far Wider Than Pre­vi­ous­ly Known

    by Michael Riley
    and Jor­dan Robert­son
    June 13, 2017, 4:00 AM CDT

    * Attack­ers said to take mea­sure of vot­ing sys­tems, data­bas­es
    * A ‘red phone’ warn­ing to the Krem­lin from Oba­ma White House

    Russia’s cyber­at­tack on the U.S. elec­toral sys­tem before Don­ald Trump’s elec­tion was far more wide­spread than has been pub­licly revealed, includ­ing incur­sions into vot­er data­bas­es and soft­ware sys­tems in almost twice as many states as pre­vi­ous­ly report­ed.

    In Illi­nois, inves­ti­ga­tors found evi­dence that cyber intrud­ers tried to delete or alter vot­er data. The hack­ers accessed soft­ware designed to be used by poll work­ers on Elec­tion Day, and in at least one state accessed a cam­paign finance data­base. Details of the wave of attacks, in the sum­mer and fall of 2016, were pro­vid­ed by three peo­ple with direct knowl­edge of the U.S. inves­ti­ga­tion into the mat­ter. In all, the Russ­ian hack­ers hit sys­tems in a total of 39 states, one of them said.

    ...

    Illi­nois Data­base

    Illi­nois, which was among the states that gave the FBI and the Depart­ment of Home­land Secu­ri­ty almost full access to inves­ti­gate its sys­tems, pro­vides a win­dow into the hack­ers’ suc­cess­es and fail­ures.

    ...

    Patient Zero

    Illi­nois became Patient Zero in the government’s probe, even­tu­al­ly lead­ing inves­ti­ga­tors to a hack­ing pan­dem­ic that touched four out of every five U.S. states.

    Using evi­dence from the Illi­nois com­put­er banks, fed­er­al agents were able to devel­op dig­i­tal “sig­na­tures” — among them, Inter­net Pro­to­col address­es used by the attack­ers — to spot the hack­ers at work.

    The sig­na­tures were then sent through Home­land Secu­ri­ty alerts and oth­er means to every state. Thir­ty-sev­en states report­ed find­ing traces of the hack­ers in var­i­ous sys­tems, accord­ing to one of the peo­ple famil­iar with the probe. In two oth­ers — Flori­da and Cal­i­for­nia — those traces were found in sys­tems run by a pri­vate con­trac­tor man­ag­ing crit­i­cal elec­tion sys­tems.

    ...

    ———-

    “Russ­ian Cyber Hacks on U.S. Elec­toral Sys­tem Far Wider Than Pre­vi­ous­ly Known” by Michael Riley and Jor­dan Robert­son; Bloomberg Pol­i­tics; 06/13/2017

    “In Illi­nois, inves­ti­ga­tors found evi­dence that cyber intrud­ers tried to delete or alter vot­er data. The hack­ers accessed soft­ware designed to be used by poll work­ers on Elec­tion Day, and in at least one state accessed a cam­paign finance data­base. Details of the wave of attacks, in the sum­mer and fall of 2016, were pro­vid­ed by three peo­ple with direct knowl­edge of the U.S. inves­ti­ga­tion into the mat­ter. In all, the Russ­ian hack­ers hit sys­tems in a total of 39 states, one of them said.”

    So just one of the three anony­mous sources actu­al­ly made the “39 states were hit” claim and that appeared to be based on the “dig­i­tal sig­na­tures” from the Illi­nois hack. And the only exam­ple sig­na­ture was IP address­es:

    ...
    Using evi­dence from the Illi­nois com­put­er banks, fed­er­al agents were able to devel­op dig­i­tal “sig­na­tures” — among them, Inter­net Pro­to­col address­es used by the attack­ers — to spot the hack­ers at work.

    The sig­na­tures were then sent through Home­land Secu­ri­ty alerts and oth­er means to every state. Thir­ty-sev­en states report­ed find­ing traces of the hack­ers in var­i­ous sys­tems, accord­ing to one of the peo­ple famil­iar with the probe. In two oth­ers — Flori­da and Cal­i­for­nia — those traces were found in sys­tems run by a pri­vate con­trac­tor man­ag­ing crit­i­cal elec­tion sys­tems.
    ...

    So, all in all, it does look like the claims by state election chiefs that this report was overhyped and bogus do have some weight behind them. In which case we just had a high-profile and highly provocative claim by someone, presumably from the cybersecurity industry, that is in serious doubt.

    This doesn’t mean that US election systems don’t have serious potential vulnerabilities to hacking. After all, if there’s one thing we’ve learned from all this, it’s that spear-phishing can hit any large organization and it’s not something easily defended against by IT staff, because all that’s required is an email that fools one person in an organization.

    But if there is going to be a meaningful attempt to secure US voting systems, it’s probably best that we don’t co-mingle that effort with a massive public relations campaign that portrays Russia as a country that’s aggressively attacking US election systems. Unless, of course, the Russian government did actually order this, in which case we are all in peril because it would imply the Russian government went insane and decided to start provoking the US into a serious future conflict by attacking US election systems in a manner intended to be identified as a Russian government hack. But since the evidence for that case continues to grow weaker with each questionable and/or debunked ‘revelation’ of ‘Russian hacking’, it’s going to be important to recognize that, yes, hackers, even Russian hackers potentially, could threaten US voting systems and they really do need to be better secured, but the Russian government probably isn’t the primary electoral threat Americans need to worry about going forward. After all, blatantly hacking US election systems is something that goes far beyond a Russian media campaign and treads into war territory if the Russian government does it right before the election after getting the “cyber Red Phone” call to stop it. It would be like a psyop designed to inflame tensions to dangerous levels. But for the GOP, messing with electronic voting machines is expected at this point. With no meaningful consequences. Especially now that anyone can just blame the Russians and no one will question the evidence at all, apparently.

    Posted by Pterrafractyl | June 17, 2017, 4:12 pm
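Three points in the comment above invite a concrete check: the DHS statement that the “vast majority” of what it saw was scanning rather than attempts to intrude, the Bloomberg account of IP-address “signatures” producing “traces” in 37 states, and the Elich passage on why an IP address belonging to a shared or compromised hosting box is not a unique identifier. The following is an added example, not code from any of the quoted articles or from the commenter. It matches a constructed web-server access log against a constructed indicator list, and then, separately, classifies what each source actually did: probing for software that is not there, sending injection payloads, or successfully pulling a sensitive page. The indicator addresses (RFC 5737 documentation ranges), the sensitive paths, the payload patterns and the thresholds are all assumptions made for the example.

```python
"""Indicator matching versus behavioural triage of web access logs.

Added example, not code from the quoted articles or the commenter.  It
separates "this IP appeared in our logs" (an indicator match) from "this
IP scanned / attacked / succeeded" (a verdict derived from the requests).
"""
import re
from collections import defaultdict

# Constructed indicator list standing in for the IP-address "signatures"
# the Bloomberg piece says were circulated.  RFC 5737 ranges, not real IOCs.
IOC_IPS = {"203.0.113.40", "198.51.100.12"}

# Combined-log-format lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.40 - - [03/Nov/2016:02:14:07 -0600] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.40 - - [03/Nov/2016:02:14:07 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 209
203.0.113.40 - - [03/Nov/2016:02:14:08 -0600] "GET /.env HTTP/1.1" 404 209
203.0.113.40 - - [03/Nov/2016:02:14:08 -0600] "GET /admin/ HTTP/1.1" 404 209
203.0.113.40 - - [03/Nov/2016:02:14:09 -0600] "GET /cgi-bin/ HTTP/1.1" 404 209
198.51.100.12 - - [03/Nov/2016:03:01:44 -0600] "GET /voters?county=Cook%27+UNION+SELECT+1,2,3-- HTTP/1.1" 500 0
198.51.100.12 - - [03/Nov/2016:03:01:52 -0600] "GET /voters?county=Cook%27+OR+1%3D1-- HTTP/1.1" 500 0
198.51.100.12 - - [03/Nov/2016:03:02:10 -0600] "POST /admin/login HTTP/1.1" 401 0
192.0.2.77 - - [03/Nov/2016:03:05:00 -0600] "GET /admin/voters/export HTTP/1.1" 200 5120000
192.0.2.77 - - [03/Nov/2016:03:05:30 -0600] "GET / HTTP/1.1" 200 1240
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Paths that hold voter data or admin functions (assumed for the example).
SENSITIVE = re.compile(r"^/(admin/|voters|export)", re.I)
LOGIN_PAGE = re.compile(r"^/admin/login", re.I)
# Crude SQL-injection / path-traversal markers.
PAYLOAD = re.compile(r"(%27|'|\bunion\b|\bselect\b|\.\./|%2e%2e)", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(reqs):
    """Verdict for one source address, from its requests alone."""
    # A 2xx on a sensitive page other than the login form means data was served.
    if any(r["status"] < 300 and SENSITIVE.match(r["path"])
           and not LOGIN_PAGE.match(r["path"]) for r in reqs):
        return "successful_access"
    auth_failures = sum(1 for r in reqs
                        if r["status"] in (401, 403) and SENSITIVE.match(r["path"]))
    if any(PAYLOAD.search(r["path"]) for r in reqs) or auth_failures >= 3:
        return "intrusion_attempt"
    # Many distinct paths, nearly all 404: probing for software that is not there.
    distinct = {r["path"] for r in reqs}
    not_found = sum(1 for r in reqs if r["status"] == 404)
    if len(distinct) >= 4 and not_found / len(reqs) >= 0.7:
        return "scanning"
    return "benign_or_unknown"


def triage(lines, iocs):
    """Map each source IP to its indicator status and behavioural verdict."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return {ip: {"ioc_match": ip in iocs,
                 "verdict": classify(reqs),
                 "requests": len(reqs)}
            for ip, reqs in by_ip.items()}


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines(), IOC_IPS).items():
        print(f"{ip:15} ioc_match={info['ioc_match']!s:5} "
              f"requests={info['requests']} verdict={info['verdict']}")
```

On the constructed sample, both indicator hits are real but tell very different stories (one is a generic file probe, the other an injection attempt that got error pages), and the only source that actually pulls the export page is not on the indicator list at all. That gap between “this address showed up” and “this address got in” is exactly the difference between a “trace” and evidence of a compromise, and it is why an IP-based signature match on its own supports neither an intrusion claim nor an attribution.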
  7. Well look at that: as investigators explore the more than three dozen companies and individuals that Michael Flynn worked for — as a consultant, adviser, board member, or speaker — while advising the Trump campaign last year, two of those entities are raising some extra eyebrows. Flynn was an advisory board member of Luxembourg-based OSY Technologies and consulted for the US-based private equity firm Francisco Partners. What’s so questionable about these entities? Well, Francisco Partners owns NSO Group — a secretive Israel-based cyberweapons dealer that sells advanced hacking tools to governments around the world — and OSY Technologies is an NSO Group offshoot. Flynn joined OSY in May of last year. Yep, Michael Flynn worked for both the owner of an advanced cyberweapons dealer and one of its offshoots throughout the 2016 campaign:

    The Huff­in­g­ton Post

    Michael Fly­nn Worked With For­eign Cyber­weapons Group That Sold Spy­ware Used Against Polit­i­cal Dis­si­dents
    While serv­ing as a top cam­paign advis­er to Don­ald Trump, Fly­nn worked with firms linked to NSO Group — which devel­ops spy­ware and sells it to gov­ern­ments.

    By Paul Blu­men­thal , Jes­si­ca Schul­berg
    06/19/2017 03:55 pm ET | Updat­ed

    WASHINGTON — While serv­ing as a top cam­paign aide to Don­ald Trump, for­mer nation­al secu­ri­ty advis­er Michael Fly­nn made tens of thou­sands of dol­lars on the side advis­ing a com­pa­ny that sold sur­veil­lance tech­nol­o­gy that repres­sive gov­ern­ments used to mon­i­tor activists and jour­nal­ists.

    Fly­nn, who resigned in Feb­ru­ary after mis­char­ac­ter­iz­ing his con­ver­sa­tions with the Russ­ian ambas­sador to the U.S., has already come under scruti­ny for tak­ing mon­ey from for­eign out­fits. Fed­er­al inves­ti­ga­tors began prob­ing Flynn’s lob­by­ing efforts on behalf of a Dutch com­pa­ny led by a busi­ness­man with ties to the Turk­ish gov­ern­ment ear­li­er this year. Flynn’s moon­light­ing wasn’t typ­i­cal: Most peo­ple at the top lev­el of major pres­i­den­tial cam­paigns do not simul­ta­ne­ous­ly lob­by for any enti­ty, espe­cial­ly not for­eign gov­ern­ments. It’s also unusu­al for for­mer U.S. intel­li­gence offi­cials to work with for­eign cyber­se­cu­ri­ty out­fits.

    Nor was Flynn’s work with for­eign enti­ties while he was advis­ing Trump lim­it­ed to his Ankara deal. He earned near­ly $1.5 mil­lion last year as a con­sul­tant, advis­er, board mem­ber, or speak­er for more than three dozen com­pa­nies and indi­vid­u­als, accord­ing to finan­cial dis­clo­sure forms released ear­li­er this year.

    Two of those enti­ties are direct­ly linked to NSO Group, a secre­tive Israeli cyber­weapons deal­er found­ed by Omri Lavie and Shalev Hulio, who are rumored to have served in Unit 8200, the Israeli equiv­a­lent of the Nation­al Secu­ri­ty Agency.

    Fly­nn received $40,280 last year as an advi­so­ry board mem­ber for OSY Tech­nolo­gies, an NSO Group off­shoot based in Lux­em­bourg, a favorite tax haven for major cor­po­ra­tions. OSY Tech­nolo­gies is part of a cor­po­rate struc­ture that runs from Israel, where NSO Group is locat­ed, through Lux­em­bourg, the Cay­man Islands, the British Vir­gin Islands, and the U.S.

    Fly­nn also worked as a con­sul­tant last year for Fran­cis­co Part­ners, a U.S.-based pri­vate equi­ty firm that owns NSO Group, but he did not dis­close how much he was paid. At least two Fran­cis­co Part­ners exec­u­tives have sat on OSY’s board.

    Flynn’s finan­cial dis­clo­sure forms do not spec­i­fy the work he did for com­pa­nies linked to NSO Group, and his lawyer did not respond to requests for com­ment. For­mer col­leagues at Flynn’s con­sult­ing firm declined to dis­cuss Flynn’s work with NSO Group. Exec­u­tives at Fran­cis­co Part­ners who also sit on the OSY Tech­nolo­gies board did not respond to emails. Lavie, the NSO Group co-founder, told Huff­Post he is “not inter­est­ed in speak­ing to the press” and referred ques­tions to a spokesman, who did not respond to queries.

    Many gov­ern­ment and mil­i­tary offi­cials have moved through the revolv­ing door between gov­ern­ment agen­cies and pri­vate cyber­se­cu­ri­ty com­pa­nies. The major play­ers in the cyber­se­cu­ri­ty con­tract­ing world — SAIC, Booz Allen Hamil­ton, CACI Fed­er­al and KeyW Cor­po­ra­tion — all have for­mer top gov­ern­ment offi­cials in lead­er­ship roles or on their boards, or have for­mer top exec­u­tives work­ing in gov­ern­ment.

    But it’s less com­mon for for­mer U.S. intel­li­gence offi­cials to work with for­eign cyber­se­cu­ri­ty out­fits. “There is a lot of oppor­tu­ni­ty in the U.S. to do this kind of work,” said Ben John­son, a for­mer NSA employ­ee and the co-founder of Obsid­i­an Secu­ri­ty. “It’s a lit­tle bit unex­pect­ed going over­seas, espe­cial­ly when you com­bine that with the fact that they’re doing things that might end up in hands of ene­mies of the U.S. gov­ern­ment. It does seem ques­tion­able.”

    What is clear is that dur­ing the time Fly­nn was work­ing for NSO’s Lux­em­bourg affil­i­ate, one of the company’s main prod­ucts — a spy soft­ware sold exclu­sive­ly to gov­ern­ments and mar­ket­ed as a tool for law enforce­ment offi­cials to mon­i­tor sus­pect­ed crim­i­nals and ter­ror­ists — was being used to sur­veil polit­i­cal dis­si­dents, reporters, activists, and gov­ern­ment offi­cials. The soft­ware, called Pega­sus, allowed users to remote­ly break into a target’s cel­lu­lar phone if the tar­get respond­ed to a text mes­sage.

    Last year, sev­er­al peo­ple tar­get­ed by the spy­ware con­tact­ed Cit­i­zen Lab, a cyber­se­cu­ri­ty research team based out of the Uni­ver­si­ty of Toron­to. With the help of experts at the com­put­er secu­ri­ty firm Look­out, Cit­i­zen Lab researchers were able to trace the spy­ware hid­den in the texts back to NSO Group spy­ware. After Cit­i­zen Lab pub­li­cized its find­ings, Apple intro­duced patch­es to fix the vul­ner­a­bil­i­ty. It is not known how many activists in oth­er coun­tries were tar­get­ed and failed to report it to experts.

    NSO Group told Forbes in a state­ment last year that it com­plies with strict export con­trol laws and only sells to autho­rized gov­ern­ment agen­cies. “The com­pa­ny does NOT oper­ate any of its sys­tems; it is strict­ly a tech­nol­o­gy com­pa­ny,” NSO Group told Forbes.

    But once a sale is com­plete, for­eign gov­ern­ments are free to do what they like with the tech­nol­o­gy.

    “The gov­ern­ment buys [the tech­nol­o­gy] and can use it how­ev­er they want,” Bill Mar­czak, one of the Cit­i­zen Lab researchers, told Huff­Post. “They’re basi­cal­ly dig­i­tal arms mer­chants.”

    The month before Fly­nn joined the advi­so­ry board of OSY Tech­nolo­gies, NSO Group opened up a new arm called West­Bridge Tech­nolo­gies, Inc., in the D.C. region. (The com­pa­ny was orig­i­nal­ly reg­is­tered in Delaware in 2014, but formed in Mary­land in April 2016.) Led by NSO Group co-founder Lavie, West­Bridge is vying for fed­er­al gov­ern­ment con­tracts for NSO Group’s prod­ucts. Hir­ing Fly­nn would pro­vide NSO Group with a well-con­nect­ed fig­ure in Wash­ing­ton, to help get its foot in the door of the noto­ri­ous­ly insu­lar world of secret intel­li­gence bud­get­ing.

    “When you’re try­ing to build up your busi­ness, you need some­one who has con­nec­tions, some­one who is seen as an author­i­ty and a legit­i­mate pres­ence,” John­son said. Hir­ing some­one with Flynn’s back­ground in intel­li­gence would “open up doors that they wouldn’t have had access to,” John­son said.

    Through­out 2016, Fly­nn worked for a num­ber of cyber­se­cu­ri­ty firms per­son­al­ly and through his con­sult­ing firm, Fly­nn Intel Group. In addi­tion to his advi­so­ry board seat at OSY Tech­nolo­gies, he sat on the board of Adobe Sys­tems, a large soft­ware com­pa­ny with Pen­ta­gon con­tracts, and the boards of the cyber­se­cu­ri­ty com­pa­nies Green­Zone Sys­tems and HALO Pri­va­cy. (Though Fly­nn described him­self as an Adobe advi­so­ry board mem­ber in his finan­cial dis­clo­sure paper­work, the group said in a state­ment that he pro­vid­ed only “peri­od­ic coun­sel to Adobe’s pub­lic sec­tor team.”)

    Promi­nent human rights activists and polit­i­cal dis­si­dents have report­ed being tar­get­ed by NSO’s tech­nol­o­gy. On August 10, 2016, Ahmed Man­soor, an inter­na­tion­al­ly rec­og­nized Emi­rati human rights activist, received a text mes­sage prompt­ing him to click a link to read “new secrets” about detainees abused in UAE pris­ons. He got a sim­i­lar text the next day. But Man­soor, who had already been repeat­ed­ly tar­get­ed by hack­ers, knew bet­ter than to click the links. Instead, he for­ward­ed the mes­sages to Cit­i­zen Lab.

    Cit­i­zen Lab soon deter­mined that NSO Group’s mal­ware exploit­ed an undis­closed mobile phone vul­ner­a­bil­i­ty, known as a zero-day exploit, that enabled its cus­tomers — that is, for­eign gov­ern­ments — to sur­veil a target’s phone after the tar­get clicked the link includ­ed in the phish­ing text mes­sage. If Man­soor had clicked that link, his “phone would have become a dig­i­tal spy in his pock­et, capa­ble of employ­ing his phone cam­era and micro­phone to snoop on activ­i­ty in the vicin­i­ty of the device, record­ing his What­sApp and Viber calls, log­ging mes­sages sent in mobile chat apps, and track­ing his move­ments,” Cit­i­zen Lab wrote in a report.

    Across the globe in Mex­i­co, where Coca-Cola and Pep­si­Co were work­ing to repeal a tax on sodas imposed in 2014, two activists and a gov­ern­ment-employed sci­en­tist, all of whom sup­port­ed the soda tax, received a series of sus­pi­cious text mes­sages. The texts, which became increas­ing­ly aggres­sive and threat­en­ing, came as the sci­en­tist and the activists were prepar­ing a pub­lic rela­tions cam­paign in sup­port of rais­ing the soda tax and pro­mot­ing aware­ness of the health risks linked to sug­ary bev­er­ages.

    Dr. Simón Bar­quera, researcher at Mexico’s Nation­al Insti­tute for Pub­lic Health, received a text on July 11, 2016, invit­ing him to click a link the sender said would lead him to a detailed inves­ti­ga­tion of his clin­ic. When Bar­quera didn’t fol­low through, the texts esca­lat­ed. On the 12th, he got a text with a link to a pur­port­ed court doc­u­ment, which the sender claimed men­tioned Bar­quera by name. On the 13th, yet anoth­er text includ­ed a link that sup­pos­ed­ly con­tained infor­ma­tion about a funer­al. The day after that, the sender wrote, “You are an ass­hole Simon, while you are work­ing I’m fuc king your old lady here is a pho­to.” The final text Bar­quera received in August said that his daugh­ter was in “grave con­di­tion” after an acci­dent, and includ­ed a link that would sup­pos­ed­ly tell him where she was being treat­ed.

    Ale­jan­dro Calvil­lo, direc­tor of the con­sumer rights non­prof­it El Poder del Con­sum­i­dor, received a text with a link claim­ing to be from a man who want­ed to know if Calvil­lo could attend the man’s father’s funer­al. Anoth­er text sent to Calvil­lo includ­ed a link that the sender said was a viral news sto­ry that men­tioned him. The final tar­get, Luis Encar­nación, a coor­di­na­tor for the obe­si­ty pre­ven­tion group Coa­li­cion Con­traPE­SO, also received a text with a link claim­ing that he was named in a news arti­cle.

    The tar­gets quick­ly got in touch with Cit­i­zen Lab and for­ward­ed their text mes­sages to the researchers. In Feb­ru­ary 2017, Cit­i­zen Lab released a new report link­ing NSO Group’s tech­nol­o­gy to the phish­ing attempts tar­get­ing the pro-soda tax cam­paign­ers.

    Cit­i­zen Lab researchers have also iden­ti­fied texts sent last sum­mer to Mex­i­can jour­nal­ist Rafael Cabr­era that they believe were an attempt to infect his phone with NSO Group’s Pega­sus spy­ware. Cabr­era, who now works for Buz­zFeed Mex­i­co, was tar­get­ed by hack­ers after he broke a sto­ry reveal­ing a poten­tial con­flict of inter­est with the Mex­i­can first fam­i­ly and a Chi­nese com­pa­ny.

    Cit­i­zen Lab believes NSO Group may have also sold its mobile phone spy­ing tech­nol­o­gy to many gov­ern­ments, includ­ing those of Kenya, Mozam­bique, Yemen, Qatar, Turkey, Sau­di Ara­bia, Uzbek­istan, Thai­land, Moroc­co, Hun­gary, Nige­ria and Bahrain.

    Work­ing with repres­sive regimes is stan­dard prac­tice in the cyber­weapons indus­try. The Ital­ian sur­veil­lance mal­ware firm Hack­ing Team has worked with dozens of coun­tries known to jail dis­si­dents, accord­ing to emails uploaded to Wik­iLeaks. The FBI and the Drug Enforce­ment Agency were among the company’s cus­tomers, accord­ing to the doc­u­ments.

    Despite recent scruti­ny over Mansoor’s case, NSO Group’s val­ue has explod­ed in recent years. Fran­cis­co Part­ners bought the cyber­weapons deal­er in 2014 for $120 mil­lion. It is now report­ed­ly val­ued at over $1 bil­lion.

    ...

    ———-

    “Michael Fly­nn Worked With For­eign Cyber­weapons Group That Sold Spy­ware Used Against Polit­i­cal Dis­si­dents” by Paul Blu­men­thal, Jes­si­ca Schul­berg; The Huff­in­g­ton Post; 06/19/2017

    “The month before Fly­nn joined the advi­so­ry board of OSY Tech­nolo­gies, NSO Group opened up a new arm called West­Bridge Tech­nolo­gies, Inc., in the D.C. region. (The com­pa­ny was orig­i­nal­ly reg­is­tered in Delaware in 2014, but formed in Mary­land in April 2016.) Led by NSO Group co-founder Lavie, West­Bridge is vying for fed­er­al gov­ern­ment con­tracts for NSO Group’s prod­ucts. Hir­ing Fly­nn would pro­vide NSO Group with a well-con­nect­ed fig­ure in Wash­ing­ton, to help get its foot in the door of the noto­ri­ous­ly insu­lar world of secret intel­li­gence bud­get­ing.

    Yep, not only was Fly­nn work­ing for NSO Group’s OSY Tech­nolo­gies and its own­ers at Fran­cis­co Part­ners, but NSO Group was also ini­ti­at­ing plans to get more US gov­ern­ment contracts...something that would pre­sum­ably be much like­li­er to hap­pen if Don­ald Trump won the White House and brought Fly­nn into the gov­ern­ment.

    And note how NSO Group was­n’t the only cyber­se­cu­ri­ty firm Fly­nn was work­ing for:

    ...
    “When you’re try­ing to build up your busi­ness, you need some­one who has con­nec­tions, some­one who is seen as an author­i­ty and a legit­i­mate pres­ence,” John­son said. Hir­ing some­one with Flynn’s back­ground in intel­li­gence would “open up doors that they wouldn’t have had access to,” John­son said.

    Through­out 2016, Fly­nn worked for a num­ber of cyber­se­cu­ri­ty firms per­son­al­ly and through his con­sult­ing firm, Fly­nn Intel Group. In addi­tion to his advi­so­ry board seat at OSY Tech­nolo­gies, he sat on the board of Adobe Sys­tems, a large soft­ware com­pa­ny with Pen­ta­gon con­tracts, and the boards of the cyber­se­cu­ri­ty com­pa­nies Green­Zone Sys­tems and HALO Pri­va­cy. (Though Fly­nn described him­self as an Adobe advi­so­ry board mem­ber in his finan­cial dis­clo­sure paper­work, the group said in a state­ment that he pro­vid­ed only “peri­od­ic coun­sel to Adobe’s pub­lic sec­tor team.”)
    ...

    Now, in terms of assessing the significance of these business relationships, on the one hand, cybersecurity is one of the areas one should expect the former head of the US Defense Intelligence Agency to go into after leaving government. On the other hand, we just witnessed the most hack-intensive US campaign in history and all the hacking was done in favor of Donald Trump. So, you know, some suspicions that maybe, just maybe, one of the private elite hacking firms Flynn worked for has something to do with these hacks.

    It’s important to note that, in terms of the timing, both the DNC server hacks and John Podesta’s email hack were already carried out by the time Flynn joined OSY in May (the same month the hacks were ended for both the DNC and Podesta emails), so it’s not like Flynn joined OSY and then the hacking started (not that Flynn wouldn’t have likely been in contact with them well before May). Still, due to the relative lack of sophistication required to carry out spear-phishing — the method behind both the DNC server hack and Podesta’s emails and, allegedly, the attempts to hack 39 state election systems a week before the election — it really is the case that almost anyone could have pulled these hacks off if they had adequate hacking skills and wanted to hide their tracks and make it look like ‘the Russians’ did it. And the NSO Group’s software specializes in creating spear-phishing campaigns designed to trick people into clicking on the bad links using a variety of different tricks and inserting spying malware in the victims’ systems:

    The New York Times

    Using Texts as Lures, Gov­ern­ment Spy­ware Tar­gets Mex­i­can Jour­nal­ists and Their Fam­i­lies

    By AZAM AHMED and NICOLE PERLROTH
    JUNE 19, 2017

    MEXICO CITY — Mexico’s most promi­nent human rights lawyers, jour­nal­ists and anti-cor­rup­tion activists have been tar­get­ed by advanced spy­ware sold to the Mex­i­can gov­ern­ment on the con­di­tion that it be used only to inves­ti­gate crim­i­nals and ter­ror­ists.

    The tar­gets include lawyers look­ing into the mass dis­ap­pear­ance of 43 stu­dents, a high­ly respect­ed aca­d­e­m­ic who helped write anti-cor­rup­tion leg­is­la­tion, two of Mexico’s most influ­en­tial jour­nal­ists and an Amer­i­can rep­re­sent­ing vic­tims of sex­u­al abuse by the police. The spy­ing even swept up fam­i­ly mem­bers, includ­ing a teenage boy.

    Since 2011, at least three Mex­i­can fed­er­al agen­cies have pur­chased about $80 mil­lion worth of spy­ware cre­at­ed by an Israeli cyber­arms man­u­fac­tur­er. The soft­ware, known as Pega­sus, infil­trates smart­phones to mon­i­tor every detail of a person’s cel­lu­lar life — calls, texts, email, con­tacts and cal­en­dars. It can even use the micro­phone and cam­era on phones for sur­veil­lance, turn­ing a target’s smart­phone into a per­son­al bug.

    The com­pa­ny that makes the soft­ware, the NSO Group, says it sells the tool exclu­sive­ly to gov­ern­ments, with an explic­it agree­ment that it be used only to bat­tle ter­ror­ists or the drug car­tels and crim­i­nal groups that have long kid­napped and killed Mex­i­cans.

    But accord­ing to dozens of mes­sages exam­ined by The New York Times and inde­pen­dent foren­sic ana­lysts, the soft­ware has been used against some of the government’s most out­spo­ken crit­ics and their fam­i­lies, in what many view as an unprece­dent­ed effort to thwart the fight against the cor­rup­tion infect­ing every limb of Mex­i­can soci­ety.

    “We are the new ene­mies of the state,” said Juan E. Par­di­nas, the gen­er­al direc­tor of the Mex­i­can Insti­tute for Com­pet­i­tive­ness, who has pushed anti-cor­rup­tion leg­is­la­tion. His iPhone, along with his wife’s, was tar­get­ed by the soft­ware, accord­ing to an inde­pen­dent analy­sis. “Ours is a soci­ety where democ­ra­cy has been erod­ed,” he said.

    The deploy­ment of sophis­ti­cat­ed cyber­weapon­ry against cit­i­zens is a snap­shot of the strug­gle for Mex­i­co itself, rais­ing pro­found legal and eth­i­cal ques­tions for a gov­ern­ment already fac­ing severe crit­i­cism for its human rights record. Under Mex­i­can law, only a fed­er­al judge can autho­rize the sur­veil­lance of pri­vate com­mu­ni­ca­tions, and only when offi­cials can demon­strate a sound basis for the request.

    It is high­ly unlike­ly that the gov­ern­ment received judi­cial approval to hack the phones, accord­ing to sev­er­al for­mer Mex­i­can intel­li­gence offi­cials. Instead, they said, ille­gal sur­veil­lance is stan­dard prac­tice.

    “Mex­i­can secu­ri­ty agen­cies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduar­do Guer­rero, a for­mer ana­lyst at the Cen­ter for Inves­ti­ga­tion and Nation­al Secu­ri­ty, Mexico’s intel­li­gence agency and one of the gov­ern­ment agen­cies that use the Pega­sus spy­ware. “I mean, how could a judge autho­rize sur­veil­lance of some­one ded­i­cat­ed to the pro­tec­tion of human rights?”

    “There, of course, is no basis for that inter­ven­tion, but that is besides the point,” he added. “No one in Mex­i­co ever asks for per­mis­sion to do so.”

    The hack­ing attempts were high­ly per­son­al­ized, strik­ing crit­ics with mes­sages designed to inspire fear — and get them to click on a link that would pro­vide unfet­tered access to their cell­phones.

    Car­men Aris­tegui, one of Mexico’s most famous jour­nal­ists, was tar­get­ed by a spy­ware oper­a­tor pos­ing as the Unit­ed States Embassy in Mex­i­co, instruct­ing her to click on a link to resolve an issue with her visa. The wife of Mr. Par­di­nas, the anti-cor­rup­tion activist, was tar­get­ed with a mes­sage claim­ing to offer proof that he was hav­ing an extra­mar­i­tal affair.

    For oth­ers, immi­nent dan­ger was the entry point, like a mes­sage warn­ing that a truck filled with armed men was parked out­side Mr. Pardinas’s home.

    “I think that any com­pa­ny that sells a prod­uct like this to a gov­ern­ment would be hor­ri­fied by the tar­gets, of course, which don’t seem to fall into the tra­di­tion­al role of crim­i­nal­i­ty,” said John Scott-Rail­ton, a senior researcher at Cit­i­zen Lab at the Munk School of Glob­al Affairs at the Uni­ver­si­ty of Toron­to, which exam­ined the hack­ing attempts.

    The Mex­i­can gov­ern­ment acknowl­edges gath­er­ing intel­li­gence against legit­i­mate sus­pects in accor­dance with the law. “As in any demo­c­ra­t­ic gov­ern­ment, to com­bat crime and threats against nation­al secu­ri­ty the Mex­i­can gov­ern­ment car­ries out intel­li­gence oper­a­tions,” it said in a state­ment.

    But the gov­ern­ment “cat­e­gor­i­cal­ly denies that any of its mem­bers engages in sur­veil­lance or com­mu­ni­ca­tions oper­a­tions against defend­ers of human rights, jour­nal­ists, anti-cor­rup­tion activists or any oth­er per­son with­out pri­or judi­cial autho­riza­tion.”

    The Mex­i­can government’s deploy­ment of spy­ware has come under sus­pi­cion before, includ­ing hack­ing attempts on polit­i­cal oppo­nents and activists fight­ing cor­po­rate inter­ests in Mex­i­co.

    Still, there is no iron­clad proof that the Mex­i­can gov­ern­ment is respon­si­ble. The Pega­sus soft­ware does not leave behind the hacker’s indi­vid­ual fin­ger­prints. Even the soft­ware mak­er, the NSO Group, says it can­not deter­mine who, exact­ly, is behind spe­cif­ic hack­ing attempts.

    But cyber­ex­perts can ver­i­fy when the soft­ware has been used on a target’s phone, leav­ing them with few doubts that the Mex­i­can gov­ern­ment, or some rogue actor with­in it, was involved.

    “This is pret­ty much as good as it gets,” said Bill Mar­czak, anoth­er senior researcher at Cit­i­zen Lab, who con­firmed the pres­ence of NSO code on sev­er­al phones belong­ing to Mex­i­can jour­nal­ists and activists.

    More­over, it is extreme­ly unlike­ly that cyber­crim­i­nals some­how got their hands on the soft­ware, the NSO Group says, because the tech­nol­o­gy can be used only by the gov­ern­ment agency where it is installed.

    The com­pa­ny is part of a grow­ing num­ber of dig­i­tal spy­ing busi­ness­es that oper­ate in a loose­ly reg­u­lat­ed space. The mar­ket has picked up in recent years, par­tic­u­lar­ly as com­pa­nies like Apple and Face­book start encrypt­ing their cus­tomers’ com­mu­ni­ca­tions, mak­ing it hard­er for gov­ern­ment agen­cies to con­duct sur­veil­lance.

    Increas­ing­ly, gov­ern­ments have found that the only way to mon­i­tor mobile phones is by using pri­vate busi­ness­es like the NSO Group that exploit lit­tle-known vul­ner­a­bil­i­ties in smart­phone soft­ware. The com­pa­ny has, at times, oper­at­ed its busi­ness­es under dif­fer­ent names. One of them, OSY Tech­nolo­gies, paid Michael T. Fly­nn, Pres­i­dent Trump’s for­mer nation­al secu­ri­ty advis­er, more than $40,000 to be an advi­so­ry board mem­ber from May 2016 until Jan­u­ary, accord­ing to his pub­lic finan­cial dis­clo­sures.

    Before sell­ing to gov­ern­ments, the NSO Group says, it vets their human rights records. But once the com­pa­ny licens­es the soft­ware and installs its hard­ware inside intel­li­gence and law enforce­ment agen­cies, the com­pa­ny says, it has no way of know­ing how its spy tools are used — or whom they are used against.

    The com­pa­ny sim­ply bills gov­ern­ments based on the total num­ber of sur­veil­lance tar­gets. To spy on 10 iPhone users, for exam­ple, the com­pa­ny charges $650,000 on top of a flat $500,000 instal­la­tion fee, accord­ing to NSO mar­ket­ing pro­pos­als reviewed by The New York Times.

    Even when the NSO Group learns that its soft­ware has been abused, there is only so much it can do, the com­pa­ny says, argu­ing that it can­not sim­ply march into intel­li­gence agen­cies, remove its hard­ware and take back its spy­ware.

    “When you’re sell­ing AK-47s, you can’t con­trol how they’ll be used once they leave the load­ing docks,” said Kevin Mahaf­fey, chief tech­nol­o­gy offi­cer at Look­out, a mobile secu­ri­ty com­pa­ny.

    Rather, the NSO Group relies on its cus­tomers to coop­er­ate in a review, then turns over the find­ings to the appro­pri­ate gov­ern­men­tal author­i­ty — in effect, leav­ing gov­ern­ments to police them­selves.

    Typ­i­cal­ly, the company’s only recourse is to slow­ly cut off a government’s access to the spy tools over the course of months, or even years, by ceas­ing to pro­vide new soft­ware patch­es, fea­tures and updates. But in the case of Mex­i­co, the NSO Group has not con­demned or even acknowl­edged any abuse, despite repeat­ed evi­dence that its spy tools have been deployed against ordi­nary cit­i­zens and their fam­i­lies.

    ...

    ———-

    “Using Texts as Lures, Gov­ern­ment Spy­ware Tar­gets Mex­i­can Jour­nal­ists and Their Fam­i­lies” by AZAM AHMED and NICOLE PERLROTH; The New York Times; 06/19/2017

    “Increas­ing­ly, gov­ern­ments have found that the only way to mon­i­tor mobile phones is by using pri­vate busi­ness­es like the NSO Group that exploit lit­tle-known vul­ner­a­bil­i­ties in smart­phone soft­ware. The com­pa­ny has, at times, oper­at­ed its busi­ness­es under dif­fer­ent names. One of them, OSY Tech­nolo­gies, paid Michael T. Fly­nn, Pres­i­dent Trump’s for­mer nation­al secu­ri­ty advis­er, more than $40,000 to be an advi­so­ry board mem­ber from May 2016 until Jan­u­ary, accord­ing to his pub­lic finan­cial dis­clo­sures.”

    And note how even when a phone is known to be hacked by some­one using the NSO Group mal­ware after a suc­cess­ful spear-phish­ing attempt, there’s still no way to know which NSO Group client did it. Even NSO Group claims it can’t deter­mine who did it:

    ...
    The Mex­i­can government’s deploy­ment of spy­ware has come under sus­pi­cion before, includ­ing hack­ing attempts on polit­i­cal oppo­nents and activists fight­ing cor­po­rate inter­ests in Mex­i­co.

    Still, there is no iron­clad proof that the Mex­i­can gov­ern­ment is respon­si­ble. The Pega­sus soft­ware does not leave behind the hacker’s indi­vid­ual fin­ger­prints. Even the soft­ware mak­er, the NSO Group, says it can­not deter­mine who, exact­ly, is behind spe­cif­ic hack­ing attempts.

    But cyber­ex­perts can ver­i­fy when the soft­ware has been used on a target’s phone, leav­ing them with few doubts that the Mex­i­can gov­ern­ment, or some rogue actor with­in it, was involved.

    “This is pret­ty much as good as it gets,” said Bill Mar­czak, anoth­er senior researcher at Cit­i­zen Lab, who con­firmed the pres­ence of NSO code on sev­er­al phones belong­ing to Mex­i­can jour­nal­ists and activists.

    More­over, it is extreme­ly unlike­ly that cyber­crim­i­nals some­how got their hands on the soft­ware, the NSO Group says, because the tech­nol­o­gy can be used only by the gov­ern­ment agency where it is installed.
    ...

    “‘This is pretty much as good as it gets,’ said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.”

    Yes, “this” is pretty much as good as it gets in terms of establishing evidence of who was behind a hack of this nature, where “this” is “circumstantial evidence”. And that circumstantial evidence is pretty good if you’re talking about a Mexican dissident with malware traced back to the NSO Group on their phone. Sure, maybe some other NSO Group client did the hack in that circumstance, but it’s a pretty good bet it was the Mexican government in such a circumstance simply due to a lack of other NSO Group clients who would care about a Mexican dissident.

    And yet for the DNC/Podesta hacks, which were also spear-phishing campaigns but against targets with a wide variety of potential enemies across the globe, the primary evidence we’re given that the Russian government was really behind the hacks was the amazingly sloppy hacker ‘mistakes’ like Cyrillic characters in the hacked document metadata and leaving the Bitly accounts they were using to create the links used in the spear-phishing emails public so cybersecurity researchers could watch their hacking campaign’s entire list of targets. In other words, ‘evidence’ that could have easily been left to be found.

    So that all adds to the mystery of Michael Flynn and the potential role he played in the Trump campaign. The former head of the US military’s spy agency worked for a company that makes advanced software designed to first conduct a successful spear-phishing campaign and then give the victim NSO Group’s special spying malware, the same kind of campaign that attacked the DNC, John Podesta, and the 39 state election systems. And yet almost no one seems to raise the question as to whether or not Flynn and his deep ties to the hacking world could have had anything to do with those high-profile hacks. Only consideration of Russian hackers is allowed. It’s a pretty mysterious mystery, although perhaps not as mysterious as the investigation.

    Posted by Pterrafractyl | June 21, 2017, 2:55 pm
  8. https://www.theguardian.com/technology/2017/jun/16/facebook-moderators-identity-exposed-terrorist-groups#img‑2

    Revealed: Face­book exposed iden­ti­ties of mod­er­a­tors to sus­pect­ed ter­ror­ists

    A secu­ri­ty lapse that affect­ed more than 1,000 work­ers forced one mod­er­a­tor into hid­ing – and he still lives in con­stant fear for his safe­ty

    Olivia Solon in San Fran­cis­co

    Fri­day 16 June 2017 03.09 EDT
    First pub­lished on Fri­day 16 June 2017 03.00 EDT

    Face­book put the safe­ty of its con­tent mod­er­a­tors at risk after inad­ver­tent­ly expos­ing their per­son­al details to sus­pect­ed ter­ror­ist users of the social net­work, the Guardian has learned.

    The secu­ri­ty lapse affect­ed more than 1,000 work­ers across 22 depart­ments at Face­book who used the company’s mod­er­a­tion soft­ware to review and remove inap­pro­pri­ate con­tent from the plat­form, includ­ing sex­u­al mate­r­i­al, hate speech and ter­ror­ist pro­pa­gan­da.

    A bug in the soft­ware, dis­cov­ered late last year, result­ed in the per­son­al pro­files of con­tent mod­er­a­tors auto­mat­i­cal­ly appear­ing as noti­fi­ca­tions in the activ­i­ty log of the Face­book groups, whose admin­is­tra­tors were removed from the plat­form for breach­ing the terms of ser­vice. The per­son­al details of Face­book mod­er­a­tors were then view­able to the remain­ing admins of the group.

    Of the 1,000 affect­ed work­ers, around 40 worked in a counter-ter­ror­ism unit based at Facebook’s Euro­pean head­quar­ters in Dublin, Ire­land. Six of those were assessed to be “high pri­or­i­ty” vic­tims of the mis­take after Face­book con­clud­ed their per­son­al pro­files were like­ly viewed by poten­tial ter­ror­ists.

    The Guardian spoke to one of the six, who did not wish to be named out of con­cern for his and his family’s safe­ty. The Iraqi-born Irish cit­i­zen, who is in his ear­ly twen­ties, fled Ire­land and went into hid­ing after dis­cov­er­ing that sev­en indi­vid­u­als asso­ci­at­ed with a sus­pect­ed ter­ror­ist group he banned from Face­book – an Egypt-based group that backed Hamas and, he said, had mem­bers who were Islam­ic State sym­pa­thiz­ers – had viewed his per­son­al pro­file.

    Face­book con­firmed the secu­ri­ty breach in a state­ment and said it had made tech­ni­cal changes to “bet­ter detect and pre­vent these types of issues from occur­ring”.

    “We care deeply about keep­ing every­one who works for Face­book safe,” a spokesman said. “As soon as we learned about the issue, we fixed it and began a thor­ough inves­ti­ga­tion to learn as much as pos­si­ble about what hap­pened.”

    The mod­er­a­tor who went into hid­ing was among hun­dreds of “com­mu­ni­ty oper­a­tions ana­lysts” con­tract­ed by glob­al out­sourc­ing com­pa­ny Cpl Recruit­ment. Com­mu­ni­ty oper­a­tions ana­lysts are typ­i­cal­ly low-paid con­trac­tors tasked with polic­ing Face­book for con­tent that breach­es its com­mu­ni­ty stan­dards.

    Over­whelmed with fear that he could face retal­i­a­tion, the mod­er­a­tor, who first came to Ire­land as an asy­lum seek­er when he was a child, quit his job and moved to east­ern Europe for five months.

    “It was get­ting too dan­ger­ous to stay in Dublin,” he said, explain­ing that his fam­i­ly had already expe­ri­enced the hor­ri­fy­ing impact of ter­ror­ism: his father had been kid­napped and beat­en and his uncle exe­cut­ed in Iraq.

    “The only rea­son we’re in Ire­land was to escape ter­ror­ism and threats,” he said.

    The mod­er­a­tor said that oth­ers with­in the high-risk six had their per­son­al pro­files viewed by accounts with ties to Isis, Hezbol­lah and the Kur­dis­tan Work­ers Par­ty. Face­book com­plies with the US state department’s des­ig­na­tion of ter­ror­ist groups.

    “When you come from a war zone and you have peo­ple like that know­ing your fam­i­ly name you know that peo­ple get butchered for that,” he said. “The pun­ish­ment from Isis for work­ing in counter-ter­ror­ism is behead­ing. All they’d need to do is tell some­one who is rad­i­cal here.”

    Face­book mod­er­a­tors like him first sus­pect­ed there was a prob­lem when they start­ed receiv­ing friend requests from peo­ple affil­i­at­ed with the ter­ror­ist orga­ni­za­tions they were scru­ti­niz­ing.

    An urgent investigation by Facebook’s security team established that personal profiles belonging to content moderators had been exposed. As soon as the leak was identified in November 2016, Facebook convened a “task force of data scientists, community operations and security investigators”, according to internal emails seen by the Guardian, and warned all the employees and contracted staff it believed were affected. The company also set up an email address, nameleak@fb.com, to field queries from those affected.

    Face­book then dis­cov­ered that the per­son­al Face­book pro­files of its mod­er­a­tors had been auto­mat­i­cal­ly appear­ing in the activ­i­ty logs of the groups they were shut­ting down.

    Craig D’Souza, Facebook’s head of glob­al inves­ti­ga­tions, liaised direct­ly with some of the affect­ed con­trac­tors, talk­ing to the six indi­vid­u­als con­sid­ered to be at the high­est risk over video con­fer­ence, email and Face­book Mes­sen­ger.

    In one exchange, before the Face­book inves­ti­ga­tion was com­plete, D’Souza sought to reas­sure the mod­er­a­tors that there was “a good chance” any sus­pect­ed ter­ror­ists noti­fied about their iden­ti­ty would fail to con­nect the dots.

    “Keep in mind that when the per­son sees your name on the list, it was in their activ­i­ty log, which con­tains a lot of infor­ma­tion,” D’Souza wrote, “there is a good chance that they asso­ciate you with anoth­er admin of the group or a hack­er ...”

    “I under­stand Craig,” replied the mod­er­a­tor who end­ed up flee­ing Ire­land, “but this is tak­ing chances. I’m not wait­ing for a pipe bomb to be mailed to my address until Face­book does some­thing about it.”

    The bug in the soft­ware was not fixed for anoth­er two weeks, on 16 Novem­ber 2016. By that point the glitch had been active for a month. How­ev­er, the bug was also retroac­tive­ly expos­ing the per­son­al pro­files of mod­er­a­tors who had cen­sored accounts as far back as August 2016.

    Face­book offered to install a home alarm mon­i­tor­ing sys­tem and pro­vide trans­port to and from work to those in the high risk group. The com­pa­ny also offered coun­sel­ing through Facebook’s employ­ee assis­tance pro­gram, over and above coun­sel­ing offered by the con­trac­tor, Cpl.

    The mod­er­a­tor who fled Ire­land was unsat­is­fied with the secu­ri­ty assur­ances received from Face­book. In an email to D’Souza, he wrote that the high-risk six had spent weeks “in a state of pan­ic and emer­gency” and that Face­book need­ed to do more to “address our press­ing con­cerns for our safe­ty and our fam­i­lies”.

    He told the Guardian that the five months he spent in eastern Europe felt like “exile”. He kept a low profile, relying on savings to support himself. He spent his time keeping fit and liaising with his lawyer and the Dublin police, who checked up on his family while he was away. He returned to Ireland last month after running out of money, although he still lives in fear.

    “I don’t have a job, I have anx­i­ety and I’m on anti­de­pres­sants,” he said. “I can’t walk any­where with­out look­ing back.”

    This month he filed a legal claim against Face­book and Cpl with the Injuries Board in Dublin. He is seek­ing com­pen­sa­tion for the psy­cho­log­i­cal dam­age caused by the leak.

    Cpl did not respond to a request to com­ment. The state­ment pro­vid­ed by Face­book said its inves­ti­ga­tion sought to deter­mine “exact­ly which names were pos­si­bly viewed and by whom, as well as an assess­ment of the risk to the affect­ed per­son”.

    The social media giant played down the threat posed to the affect­ed mod­er­a­tors, but said that it con­tact­ed each of them indi­vid­u­al­ly “to offer sup­port, answer their ques­tions, and take mean­ing­ful steps to ensure their safe­ty”.

    “Our inves­ti­ga­tion found that only a small frac­tion of the names were like­ly viewed, and we nev­er had evi­dence of any threat to the peo­ple impact­ed or their fam­i­lies as a result of this mat­ter,” the spokesman said.

    Details of Facebook’s secu­ri­ty blun­der will once again put a spot­light on the gru­el­ing and con­tro­ver­sial work car­ried out by an army of thou­sands of low-paid staff, includ­ing in coun­tries like the Philip­pines and India.

    The Guardian recently revealed the secret rules and guidelines Facebook uses to train moderators to police its vast network of almost two billion users, including 100 internal training manuals, spreadsheets and flowcharts.

    The mod­er­a­tor who fled Ire­land worked for a 40-strong spe­cial­ist team tasked with inves­ti­gat­ing reports of ter­ror­ist activ­i­ty on Face­book. He was hired because he spoke Ara­bic, he said.

    He felt that con­tract­ed staff were not treat­ed as equals to Face­book employ­ees but “sec­ond-class cit­i­zens”. He was paid just €13 ($15) per hour for a role that required him to devel­op spe­cial­ist knowl­edge of glob­al ter­ror net­works and scour through often high­ly-dis­turb­ing mate­r­i­al.

    “You come in every morn­ing and just look at behead­ings, peo­ple get­ting butchered, stoned, exe­cut­ed,” he said.

    Facebook’s poli­cies allow users to post extreme­ly vio­lent images pro­vid­ed they don’t pro­mote or cel­e­brate ter­ror­ism. This means mod­er­a­tors may be repeat­ed­ly exposed to the same haunt­ing pic­tures to deter­mine whether the peo­ple shar­ing them were con­demn­ing or cel­e­brat­ing the depict­ed acts.

    The mod­er­a­tor said that when he start­ed, he was giv­en just two weeks train­ing and was required to use his per­son­al Face­book account to log into the social media giant’s mod­er­a­tion sys­tem.

    “They should have let us use fake profiles,” he said, adding: “They never warned us that something like this could happen.”

    Face­book told the Guardian that as a result of the leak it is test­ing the use of admin­is­tra­tive accounts that are not linked to per­son­al pro­files.

    Moderation teams were continually scored for the accuracy and speed of their decisions, he said, as well as other factors such as their ability to stay updated on training materials. If a moderator’s score dropped below 90% they would receive a formal warning.

    In an attempt to boost morale among agency staff, Facebook launched a monthly award ceremony to celebrate the top quality performers. The prize was a Facebook-branded mug. “The mug that all Facebook employees get,” he noted.

    Con­tact the author: olivia.solon@theguardian.com

    Posted by Michelle Zucker | June 21, 2017, 6:52 pm
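    The identity leak described in the article above comes down to one design choice: enforcement actions were recorded, and shown to the remaining group admins, under the moderator’s own personal profile. What follows is an added example, not Facebook’s code and not taken from the Guardian piece; the account and group structures, the `ModerationService` class and the check function are all constructed for illustration. It shows the vulnerable pattern, a hardened version in which the human acts through a dedicated administrative account that carries no personal identity (the mitigation Facebook said it was testing), and a scan that looks for personal-profile actors in a log that the moderated party can read.

```python
"""Added example (not Facebook's code): separating a moderator's personal
identity from the identity that appears in a subject-visible activity log.
All account, group and service structures here are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Account:
    account_id: str
    display_name: str
    is_personal: bool  # True for a human's own profile, False for an admin account


@dataclass
class ActivityEntry:
    action: str
    target: str
    actor_id: str      # identity the remaining group admins can see in the log
    actor_name: str


@dataclass
class Group:
    group_id: str
    admins: List[str]
    activity_log: List[ActivityEntry] = field(default_factory=list)


def remove_admin_vulnerable(group: Group, moderator: Account, banned_admin_id: str) -> None:
    """Vulnerable pattern: the moderator is logged in with a personal profile and
    the enforcement action is attributed to that profile in the group's own log."""
    group.admins.remove(banned_admin_id)
    group.activity_log.append(ActivityEntry(
        action="remove_admin", target=banned_admin_id,
        actor_id=moderator.account_id, actor_name=moderator.display_name))


class ModerationService:
    """Hardened pattern: the human acts through a dedicated administrative account
    with no personal identity.  The subject-visible log records only that account;
    the mapping back to the human is kept in an internal audit trail."""

    def __init__(self) -> None:
        self.internal_audit: List[Dict[str, str]] = []  # never rendered to platform users

    def remove_admin(self, group: Group, admin_account: Account,
                     human: Account, banned_admin_id: str) -> None:
        if admin_account.is_personal:
            raise ValueError("enforcement must not run under a personal profile")
        group.admins.remove(banned_admin_id)
        group.activity_log.append(ActivityEntry(
            action="remove_admin", target=banned_admin_id,
            actor_id=admin_account.account_id, actor_name=admin_account.display_name))
        self.internal_audit.append({
            "group": group.group_id, "action": "remove_admin", "target": banned_admin_id,
            "admin_account": admin_account.account_id, "human": human.account_id})


def personal_actors_in_log(group: Group, personal_accounts: Set[str]) -> List[str]:
    """Detection: personal-profile IDs that appear as actors in a log the group's
    remaining admins can read.  An empty list means no leak."""
    return sorted({e.actor_id for e in group.activity_log if e.actor_id in personal_accounts})


def demo() -> Dict[str, List[str]]:
    """Run both patterns on the same constructed group and report leaked actors."""
    moderator = Account("u-4471", "Personal Profile of Moderator", is_personal=True)
    admin_acct = Account("mod-ops-17", "Community Operations", is_personal=False)
    personal_ids = {moderator.account_id}

    leaky = Group("g-1", admins=["a-1", "a-2", "a-3"])
    remove_admin_vulnerable(leaky, moderator, "a-3")

    safe = Group("g-1", admins=["a-1", "a-2", "a-3"])
    svc = ModerationService()
    svc.remove_admin(safe, admin_acct, moderator, "a-3")

    return {
        "vulnerable": personal_actors_in_log(leaky, personal_ids),
        "hardened": personal_actors_in_log(safe, personal_ids),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': ['u-4471'], 'hardened': []}
```

    `demo()` returns `{'vulnerable': ['u-4471'], 'hardened': []}`: the personal profile surfaces as an actor only under the vulnerable pattern. The same scan, run over a production activity-log store against the set of known staff personal IDs, is the kind of check that would have caught the bug before friend requests from banned admins did.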
  9. This article from "The Hill" expresses concern because an RNC database was not secure in an Amazon cloud server. The question not asked is why does the RNC need files of information addressing 46 issues for nearly 200 million Americans. The most important paragraphs from the article are these three:

    1. For exam­ple, a 50-giga­byte file of “Post Elect 2016” infor­ma­tion, last updat­ed in mid-Jan­u­ary, con­tained mod­eled data about a voter’s like­ly posi­tions on 46 dif­fer­ent issues rang­ing from “how like­ly it is the indi­vid­ual vot­ed for Oba­ma in 2012, whether they agree with the Trump for­eign pol­i­cy of ‘Amer­i­ca First’ and how like­ly they are to be con­cerned with auto man­u­fac­tur­ing as an issue, among oth­ers.”
    2. Accord­ing to Ad Age, the RNC spent $983,000 between Jan­u­ary 2015 and Novem­ber 2016 for Deep Root’s ser­vices and $4.2 mil­lion for Tar­get­Point’s.
    3. The Deep Root Ana­lyt­ics expo­sure con­tains infor­ma­tion on more than half of the Amer­i­can pop­u­la­tion.

    http://thehill.com/policy/cybersecurity/338383-data-on-198-million-us-voters-left-exposed-to-the-internet-by-rnc-data

    Data on 198M vot­ers exposed by GOP con­trac­tor
    BY JOE UCHILL — 06/19/17 09:00 AM EDT
    A data ana­lyt­ics con­trac­tor employed by the Repub­li­can Nation­al Com­mit­tee (RNC) left data­bas­es con­tain­ing infor­ma­tion on near­ly 200 mil­lion poten­tial vot­ers exposed to the inter­net with­out secu­ri­ty, allow­ing any­one who knew where to look to down­load it with­out a pass­word. 

    “We take full respon­si­bil­i­ty for this sit­u­a­tion,” said the con­trac­tor, Deep Root Ana­lyt­ics, in a state­ment.  

    The data­bas­es were part of 25 ter­abytes of files con­tained in an Ama­zon cloud account that could be browsed with­out log­ging in. The account was dis­cov­ered by researcher Chris Vick­ery of the secu­ri­ty firm UpGuard. The files have since been secured. 

    Vickery is a prominent researcher in uncovering improperly secured files online. But, he said, this exposure is of a magnitude he has never seen before.
     
    “In terms of the disc space used, this is the biggest expo­sure I’ve found. In terms of the scope and depth, this is the biggest one I’ve found,” said Vick­ery. 

    The accessible files, according to UpGuard, contain a main 198 million-entry database with names, addresses of voters and an “RNC ID” that can be used with other exposed files to research individuals.

    For exam­ple, a 50-giga­byte file of “Post Elect 2016” infor­ma­tion, last updat­ed in mid-Jan­u­ary, con­tained mod­eled data about a voter’s like­ly posi­tions on 46 dif­fer­ent issues rang­ing from “how like­ly it is the indi­vid­ual vot­ed for Oba­ma in 2012, whether they agree with the Trump for­eign pol­i­cy of ‘Amer­i­ca First’ and how like­ly they are to be con­cerned with auto man­u­fac­tur­ing as an issue, among oth­ers.”

    That file appears in a fold­er titled “target_point,” an appar­ent ref­er­ence to anoth­er firm con­tract­ed by the RNC to crunch data. UpGuard spec­u­lates that the fold­er may imply that the firm Tar­get­Point com­piled and shared the data with Deep Root. Anoth­er fold­er appears to ref­er­ence Data Trust, anoth­er con­tract­ed firm. 

    UpGuard ana­lyst Dan O’Sul­li­van looked him­self up in the data­base and writes in the offi­cial report that the cal­cu­lat­ed pref­er­ences were, at least for him, right on the mon­ey. 

    “It is a tes­ta­ment both to their tal­ents, and to the real dan­ger of this expo­sure, that the results were astound­ing­ly accu­rate,” he said. 

    The Deep Root Ana­lyt­ics cloud serv­er had 25 ter­abytes of data exposed, includ­ing 1.1 ter­abytes avail­able for down­load. 

    Over the 2016 election season, the RNC was a major client of Deep Root, one of a handful of firms it contacted for big data analysis. Firms like Deep Root Analytics use data from a variety of sources to extrapolate social and political preferences of voters to determine how best to market to them.

    Accord­ing to Ad Age, the RNC spent $983,000 between Jan­u­ary 2015 and Novem­ber 2016 for Deep Root’s ser­vices and $4.2 mil­lion for Tar­get­Point’s. 

    “Deep Root Ana­lyt­ics builds vot­er mod­els to help enhance adver­tis­er under­stand­ing of TV view­er­ship. The data accessed was not built for or used by any spe­cif­ic client. It is our pro­pri­etary analy­sis to help inform local tele­vi­sion ad buy­ing,” said Deep Root Ana­lyt­ics in their state­ment. 

    Misconfigured cloud servers and online databases are a common way for data to be accidentally left exposed to the public. Vickery has found everything from military engineering plans to databases of believed terrorists in exactly this way.

    What is uncom­mon in this case is the size and scope of this expo­sure. If its records are accu­rate, the Deep Root Ana­lyt­ics expo­sure con­tains infor­ma­tion on more than half of the Amer­i­can pop­u­la­tion. It dwarfs the sec­ond-largest expo­sure of vot­er infor­ma­tion — 93.4 mil­lion records of Mex­i­can cit­i­zens — by more than 100 mil­lion vot­ers and tops the largest data breach of vot­er infor­ma­tion — 55 mil­lion records of Philip­pine vot­ers — by more than 140 mil­lion. 

    Anyone who knew the files’ web address could have accessed them. But without that knowledge, they are much harder to find. Even armed with a search for unsecured databases, finding exposures of any magnitude is tough work. Vickery sifts through a large number of unsecured databases to find ones that are interesting enough to publish research on.

    Deep Root has contracted the security firm Stroz Friedberg to perform a thorough investigation of the exposure.

    The expo­sure, between June 1 and June 14, was sealed shut short­ly after Vick­ery made the dis­cov­ery dur­ing the night of June 12 and noti­fied rel­e­vant reg­u­la­to­ry bod­ies. 

    Posted by Michelle Zucker | June 21, 2017, 7:00 pm
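    The Deep Root exposure above is the classic case of cloud storage that could be browsed without logging in. What follows is an added example, not code from Deep Root, UpGuard or AWS: an offline check of an S3 bucket’s ACL and bucket policy, in the JSON shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, for grants that make the bucket listable or readable by anyone. The bucket name, canonical ID, account ID, role name and the four sample documents are constructed for illustration.

```python
"""Added example (not Deep Root's, UpGuard's or AWS's code): flag S3 bucket ACLs
and bucket policies that make a bucket readable or listable by anyone.
The sample documents below are constructed in the shape the AWS CLI returns."""
import json
from typing import Any, Dict, List, Tuple

# Predefined S3 groups.  AuthenticatedUsers means *any* AWS account in the world,
# not "users of my account", so it is treated as public here.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Matched literally; a full checker would expand IAM wildcards such as s3:Get*.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (group, permission) pairs granted to the public S3 groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return found


def _principal_is_anyone(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[Tuple[str, List[str]]]:
    """Return (Sid, read-actions) for Allow statements open to any principal.
    Statements carrying a Condition block are skipped on purpose: a condition on
    aws:SourceVpc or aws:Referer may or may not restrict access meaningfully, so
    those need a human review rather than an automatic verdict."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = set(_as_list(stmt.get("Action"))) & READ_ACTIONS
        if actions:
            found.append((stmt.get("Sid", "<no Sid>"), sorted(actions)))
    return found


def policy_from_cli_output(raw: str) -> Dict[str, Any]:
    """`aws s3api get-bucket-policy` wraps the policy document as a JSON string
    under the "Policy" key; unwrap it.  A bare policy document is accepted too."""
    doc = json.loads(raw)
    if isinstance(doc.get("Policy"), str):
        return json.loads(doc["Policy"])
    return doc


def is_publicly_readable(acl: Dict[str, Any], policy: Dict[str, Any]) -> bool:
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# --- Constructed samples (bucket name, canonical ID, account and role are made up) ---
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}

EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-voter-models", "arn:aws:s3:::example-voter-models/*"]},
]}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "AnalyticsRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-models/*"}}


if __name__ == "__main__":
    for name, acl, pol in [("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("private", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(name, is_publicly_readable(acl, pol),
              public_acl_grants(acl), public_policy_statements(pol))
```

    Two things this catches that a quick look at a bucket often misses: the `AuthenticatedUsers` group, which sounds restrictive but means any AWS account holder, and a policy whose `Principal` is `*` on `s3:ListBucket`, which is what lets a stranger enumerate 25 terabytes of keys in the first place. Against real buckets, feed the output of `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` to these functions (the latter through `policy_from_cli_output`). It is an offline triage check, not a substitute for account-level Block Public Access settings.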
  10. @Michelle Zuck­er–

    Pter­rafractyl con­tributed this infor­ma­tion, plus some addi­tion­al, edi­fy­ing points that you might want to peruse.

    Best,

    Dave

    Posted by Dave Emory | June 21, 2017, 7:42 pm
  11. The Washington Post has a big new piece on the US’s investigation into the 2016 election hacks that contains a number of interesting revelations, both in terms of how the US government came to the . And overall, perhaps the biggest revelation is how little the technical evidence of the hack had to do with the final conclusion that the Russian government was behind the attacks. Instead, it sounds like that conclusion was based on a CIA source in the Kremlin. And even when that intelligence was delivered, other agencies weren’t ready to accept the CIA’s conclusion, and it took intelligence from another nation (not named) to provide the final intelligence tipping point that led to a broad-based conclusion that not only was the Russian government behind the cyberattacks but that Vladimir Putin himself ordered it. And that ally’s intelligence is described as “the most critical technical intelligence on Russia” and the NSA still wasn’t convinced, based on what sounds like a lack of confidence in that source. So it looks like a CIA Kremlin source and an unnamed foreign intelligence agency with questionable credentials are the basis of what appears to be a likely future full-scale US/Russian cyberwar.

    Beyond that, the piece describes the fears of those top US officials examining this issue over the summer of 2016, and it sounds like many were concerned that the DNC hacks really were just a warm-up to a much broader full-scale cyberwar against the US election that would have included hacking the election systems and disrupting the vote. So that gives us a sense of the mindset (or at least projected mindset) of top government officials: at least some were convinced that Putin was so pissed off at the prospect of Hillary Clinton becoming President that he was willing to launch a cyberwar. A cyberwar that would undoubtedly provoke a serious response and obviously be very difficult to contain.

    Finally, the piece ends with a description of what appears to be the most significant US response to the alleged Russian government role in the hacks: the US has already planted a number of ‘cyberbombs’ on Russian networks intended to be very painful if used and capable of being remotely triggered in response to a future Russian cyberattack. It could be an attack on the US electrical grid or a future election. But those ‘cyberbombs’ are apparently being put in place now and the order has been given to trigger them in the future without a presidential order. Unless Donald Trump rescinds that order.

    So based on a CIA Krem­lin source and the intel­li­gence from a mys­tery ally the US is open­ly plant­i­ng retal­ia­to­ry cyber­bombs on Russ­ian net­works. What could pos­si­bly go wrong:

    The Wash­ing­ton Post

    Obama’s secret strug­gle to pun­ish Rus­sia for Putin’s elec­tion assault

    By Greg Miller, Ellen Nakashima and Adam Entous
    June 23, 2017

    Ear­ly last August, an enve­lope with extra­or­di­nary han­dling restric­tions arrived at the White House. Sent by couri­er from the CIA, it car­ried “eyes only” instruc­tions that its con­tents be shown to just four peo­ple: Pres­i­dent Barack Oba­ma and three senior aides.

    Inside was an intel­li­gence bomb­shell, a report drawn from sourc­ing deep inside the Russ­ian gov­ern­ment that detailed Russ­ian Pres­i­dent Vladimir Putin’s direct involve­ment in a cyber cam­paign to dis­rupt and dis­cred­it the U.S. pres­i­den­tial race.

    But it went fur­ther. The intel­li­gence cap­tured Putin’s spe­cif­ic instruc­tions on the operation’s auda­cious objec­tives — defeat or at least dam­age the Demo­c­ra­t­ic nom­i­nee, Hillary Clin­ton, and help elect her oppo­nent, Don­ald Trump.

    At that point, the out­lines of the Russ­ian assault on the U.S. elec­tion were increas­ing­ly appar­ent. Hack­ers with ties to Russ­ian intel­li­gence ser­vices had been rum­mag­ing through Demo­c­ra­t­ic Par­ty com­put­er net­works, as well as some Repub­li­can sys­tems, for more than a year. In July, the FBI had opened an inves­ti­ga­tion of con­tacts between Russ­ian offi­cials and Trump asso­ciates. And on July 22, near­ly 20,000 emails stolen from the Demo­c­ra­t­ic Nation­al Com­mit­tee were dumped online by Wik­iLeaks.

    But at the high­est lev­els of gov­ern­ment, among those respon­si­ble for man­ag­ing the cri­sis, the first moment of true fore­bod­ing about Russia’s inten­tions arrived with that CIA intel­li­gence.

    The mate­r­i­al was so sen­si­tive that CIA Direc­tor John Bren­nan kept it out of the President’s Dai­ly Brief, con­cerned that even that restrict­ed report’s dis­tri­b­u­tion was too broad. The CIA pack­age came with instruc­tions that it be returned imme­di­ate­ly after it was read. To guard against leaks, sub­se­quent meet­ings in the Sit­u­a­tion Room fol­lowed the same pro­to­cols as plan­ning ses­sions for the Osama bin Laden raid.

    It took time for oth­er parts of the intel­li­gence com­mu­ni­ty to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the pub­lic, in a declas­si­fied report, what offi­cials had learned from Bren­nan in August — that Putin was work­ing to elect Trump.

    Over that five-month inter­val, the Oba­ma admin­is­tra­tion secret­ly debat­ed dozens of options for deter­ring or pun­ish­ing Rus­sia, includ­ing cyber­at­tacks on Russ­ian infra­struc­ture, the release of CIA-gath­ered mate­r­i­al that might embar­rass Putin and sanc­tions that offi­cials said could “crater” the Russ­ian econ­o­my.

    But in the end, in late Decem­ber, Oba­ma approved a mod­est pack­age com­bin­ing mea­sures that had been drawn up to pun­ish Rus­sia for oth­er issues — expul­sions of 35 diplo­mats and the clo­sure of two Russ­ian com­pounds — with eco­nom­ic sanc­tions so nar­row­ly tar­get­ed that even those who helped design them describe their impact as large­ly sym­bol­ic.

    Oba­ma also approved a pre­vi­ous­ly undis­closed covert mea­sure that autho­rized plant­i­ng cyber weapons in Russia’s infra­struc­ture, the dig­i­tal equiv­a­lent of bombs that could be det­o­nat­ed if the Unit­ed States found itself in an esca­lat­ing exchange with Moscow. The project, which Oba­ma approved in a covert-action find­ing, was still in its plan­ning stages when Oba­ma left office. It would be up to Pres­i­dent Trump to decide whether to use the capa­bil­i­ty.

    In polit­i­cal terms, Russia’s inter­fer­ence was the crime of the cen­tu­ry, an unprece­dent­ed and large­ly suc­cess­ful desta­bi­liz­ing attack on Amer­i­can democ­ra­cy. It was a case that took almost no time to solve, traced to the Krem­lin through cyber-foren­sics and intel­li­gence on Putin’s involve­ment. And yet, because of the diver­gent ways Oba­ma and Trump have han­dled the mat­ter, Moscow appears unlike­ly to face pro­por­tion­ate con­se­quences.

    Those clos­est to Oba­ma defend the administration’s response to Russia’s med­dling. They note that by August it was too late to pre­vent the trans­fer to Wik­iLeaks and oth­er groups of the troves of emails that would spill out in the ensu­ing months. They believe that a series of warn­ings — includ­ing one that Oba­ma deliv­ered to Putin in Sep­tem­ber — prompt­ed Moscow to aban­don any plans of fur­ther aggres­sion, such as sab­o­tage of U.S. vot­ing sys­tems.

    Denis McDo­nough, who served as Obama’s chief of staff, said that the admin­is­tra­tion regard­ed Russia’s inter­fer­ence as an attack on the “heart of our sys­tem.”

    “We set out from a first-order prin­ci­ple that required us to defend the integri­ty of the vote,” McDo­nough said in an inter­view. “Impor­tant­ly, we did that. It’s also impor­tant to estab­lish what hap­pened and what they attempt­ed to do so as to ensure that we take the steps nec­es­sary to stop it from hap­pen­ing again.”

    But oth­er admin­is­tra­tion offi­cials look back on the Rus­sia peri­od with remorse.

    “It is the hard­est thing about my entire time in gov­ern­ment to defend,” said a for­mer senior Oba­ma admin­is­tra­tion offi­cial involved in White House delib­er­a­tions on Rus­sia. “I feel like we sort of choked.”

    ...

    This account of the Oba­ma administration’s response to Russia’s inter­fer­ence is based on inter­views with more than three dozen cur­rent and for­mer U.S. offi­cials in senior posi­tions in gov­ern­ment, includ­ing at the White House, the State, Defense and Home­land Secu­ri­ty depart­ments, and U.S. intel­li­gence ser­vices. Most agreed to speak only on the con­di­tion of anonymi­ty, cit­ing the sen­si­tiv­i­ty of the issue.

    The White House, the CIA, the FBI, the Nation­al Secu­ri­ty Agency and the Office of the Direc­tor of Nation­al Intel­li­gence declined to com­ment.

    ‘Deeply con­cerned’

    The CIA break­through came at a stage of the pres­i­den­tial cam­paign when Trump had secured the GOP nom­i­na­tion but was still regard­ed as a dis­tant long shot. Clin­ton held com­fort­able leads in major polls, and Oba­ma expect­ed that he would be trans­fer­ring pow­er to some­one who had served in his Cab­i­net.

    The intel­li­gence on Putin was extra­or­di­nary on mul­ti­ple lev­els, includ­ing as a feat of espi­onage.

    For spy agen­cies, gain­ing insights into the inten­tions of for­eign lead­ers is among the high­est pri­or­i­ties. But Putin is a remark­ably elu­sive tar­get. A for­mer KGB offi­cer, he takes extreme pre­cau­tions to guard against sur­veil­lance, rarely com­mu­ni­cat­ing by phone or com­put­er, always run­ning sen­si­tive state busi­ness from deep with­in the con­fines of the Krem­lin.

    The Wash­ing­ton Post is with­hold­ing some details of the intel­li­gence at the request of the U.S. gov­ern­ment.

    In ear­ly August, Bren­nan alert­ed senior White House offi­cials to the Putin intel­li­gence, mak­ing a call to deputy nation­al secu­ri­ty advis­er Avril Haines and pulling nation­al secu­ri­ty advis­er Susan E. Rice aside after a meet­ing before brief­ing Oba­ma along with Rice, Haines and McDo­nough in the Oval Office.

    Offi­cials described the president’s reac­tion as grave. Oba­ma “was deeply con­cerned and want­ed as much infor­ma­tion as fast as pos­si­ble,” a for­mer offi­cial said. “He want­ed the entire intel­li­gence com­mu­ni­ty all over this.”

    Con­cerns about Russ­ian inter­fer­ence had gath­ered through­out the sum­mer.

    Rus­sia experts had begun to see a trou­bling pat­tern of pro­pa­gan­da in which fic­ti­tious news sto­ries, assumed to be gen­er­at­ed by Moscow, pro­lif­er­at­ed across social-media plat­forms.

    Offi­cials at the State Depart­ment and FBI became alarmed by an unusu­al spike in requests from Rus­sia for tem­po­rary visas for offi­cials with tech­ni­cal skills seek­ing per­mis­sion to enter the Unit­ed States for short-term assign­ments at Russ­ian facil­i­ties. At the FBI’s behest, the State Depart­ment delayed approv­ing the visas until after the elec­tion.

    Mean­while, the FBI was track­ing a flur­ry of hack­ing activ­i­ty against U.S. polit­i­cal par­ties, think tanks and oth­er tar­gets. Rus­sia had gained entry to DNC sys­tems in the sum­mer of 2015 and spring of 2016, but the breach­es did not become pub­lic until they were dis­closed in a June 2016 report by The Post.

    Even after the late-July Wik­iLeaks dump, which came on the eve of the Demo­c­ra­t­ic con­ven­tion and led to the res­ig­na­tion of Rep. Deb­bie Wasser­man Schultz (D‑Fla.) as the DNC’s chair­woman, U.S. intel­li­gence offi­cials con­tin­ued to express uncer­tain­ty about who was behind the hacks or why they were car­ried out.

    At a pub­lic secu­ri­ty con­fer­ence in Aspen, Colo., in late July, Direc­tor of Nation­al Intel­li­gence James R. Clap­per Jr. not­ed that Rus­sia had a long his­to­ry of med­dling in Amer­i­can elec­tions but that U.S. spy agen­cies were not ready to “make the call on attri­bu­tion” for what was hap­pen­ing in 2016.

    “We don’t know enough ... to ascribe moti­va­tion,” Clap­per said. “Was this just to stir up trou­ble or was this ulti­mate­ly to try to influ­ence an elec­tion?”

    Bren­nan con­vened a secret task force at CIA head­quar­ters com­posed of sev­er­al dozen ana­lysts and offi­cers from the CIA, the NSA and the FBI.

    The unit func­tioned as a sealed com­part­ment, its work hid­den from the rest of the intel­li­gence com­mu­ni­ty. Those brought in signed new non-dis­clo­sure agree­ments to be grant­ed access to intel­li­gence from all three par­tic­i­pat­ing agen­cies.

    They worked exclu­sive­ly for two groups of “cus­tomers,” offi­cials said. The first was Oba­ma and few­er than 14 senior offi­cials in gov­ern­ment. The sec­ond was a team of oper­a­tions spe­cial­ists at the CIA, NSA and FBI who took direc­tion from the task force on where to aim their sub­se­quent efforts to col­lect more intel­li­gence on Rus­sia.

    Don’t make things worse

    The secre­cy extend­ed into the White House.

    Rice, Haines and White House home­land-secu­ri­ty advis­er Lisa Mona­co con­vened meet­ings in the Sit­u­a­tion Room to weigh the mount­ing evi­dence of Russ­ian inter­fer­ence and gen­er­ate options for how to respond. At first, only four senior secu­ri­ty offi­cials were allowed to attend: Bren­nan, Clap­per, Attor­ney Gen­er­al Loret­ta E. Lynch and FBI Direc­tor James B. Comey. Aides ordi­nar­i­ly allowed entry as “plus-ones” were barred.

    Grad­u­al­ly, the cir­cle widened to include Vice Pres­i­dent Biden and oth­ers. Agen­das sent to Cab­i­net sec­re­taries — includ­ing John F. Ker­ry at the State Depart­ment and Ash­ton B. Carter at the Pen­ta­gon — arrived in envelopes that sub­or­di­nates were not sup­posed to open. Some­times the agen­das were with­held until par­tic­i­pants had tak­en their seats in the Sit­u­a­tion Room.

    Through­out his pres­i­den­cy, Obama’s approach to nation­al secu­ri­ty chal­lenges was delib­er­ate and cau­tious. He came into office seek­ing to end wars in Iraq and Afghanistan. He was loath to act with­out sup­port from allies over­seas and firm polit­i­cal foot­ing at home. He was drawn only reluc­tant­ly into for­eign crises, such as the civ­il war in Syr­ia, that pre­sent­ed no clear exit for the Unit­ed States.

    Obama’s approach often seemed reducible to a sin­gle imper­a­tive: Don’t make things worse. As brazen as the Russ­ian attacks on the elec­tion seemed, Oba­ma and his top advis­ers feared that things could get far worse.

    They were con­cerned that any pre-elec­tion response could pro­voke an esca­la­tion from Putin. Moscow’s med­dling to that point was seen as deeply con­cern­ing but unlike­ly to mate­ri­al­ly affect the out­come of the elec­tion. Far more wor­ri­some to the Oba­ma team was the prospect of a cyber-assault on vot­ing sys­tems before and on Elec­tion Day.

    They also wor­ried that any action they took would be per­ceived as polit­i­cal inter­fer­ence in an already volatile cam­paign. By August, Trump was pre­dict­ing that the elec­tion would be rigged. Oba­ma offi­cials feared pro­vid­ing fuel to such claims, play­ing into Russia’s efforts to dis­cred­it the out­come and poten­tial­ly con­t­a­m­i­nat­ing the expect­ed Clin­ton tri­umph.

    Before depart­ing for an August vaca­tion to Martha’s Vine­yard, Oba­ma instruct­ed aides to pur­sue ways to deter Moscow and pro­ceed along three main paths: Get a high-con­fi­dence assess­ment from U.S. intel­li­gence agen­cies on Russia’s role and intent; shore up any vul­ner­a­bil­i­ties in state-run elec­tion sys­tems; and seek bipar­ti­san sup­port from con­gres­sion­al lead­ers for a state­ment con­demn­ing Moscow and urg­ing states to accept fed­er­al help.

    The admin­is­tra­tion encoun­tered obsta­cles at every turn.

    Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

    Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.

    Brennan moved swiftly to schedule private briefings with congressional leaders. But getting appointments with certain Republicans proved difficult, officials said, and it was not until after Labor Day that Brennan had reached all members of the “Gang of Eight” — the majority and minority leaders of both houses and the chairmen and ranking Democrats on the Senate and House intelligence committees.

    Jeh Johnson, the homeland-security secretary, was responsible for finding out whether the government could quickly shore up the security of the nation’s archaic patchwork of voting systems. He floated the idea of designating state mechanisms “critical infrastructure,” a label that would have entitled states to receive priority in federal cybersecurity assistance, putting them on a par with U.S. defense contractors and financial networks.

    On Aug. 15, Johnson arranged a conference call with dozens of state officials, hoping to enlist their support. He ran into a wall of resistance.

    The reaction “ranged from neutral to negative,” Johnson said in congressional testimony Wednesday.

    Brian Kemp, the Republican secretary of state of Georgia, used the call to denounce Johnson’s proposal as an assault on state rights. “I think it was a politically calculated move by the previous administration,” Kemp said in a recent interview, adding that he remains unconvinced that Russia waged a campaign to disrupt the 2016 race. “I don’t necessarily believe that,” he said.

    Stung by the reaction, the White House turned to Congress for help, hoping that a bipartisan appeal to states would be more effective.

    In early September, Johnson, Comey and Monaco arrived on Capitol Hill in a caravan of black SUVs for a meeting with 12 key members of Congress, including the leadership of both parties.

    The meeting devolved into a partisan squabble.

    “The Dems were, ‘Hey, we have to tell the public,’” recalled one participant. But Republicans resisted, arguing that to warn the public that the election was under attack would further Russia’s aim of sapping confidence in the system.

    Senate Majority Leader Mitch McConnell (R‑Ky.) went further, officials said, voicing skepticism that the underlying intelligence truly supported the White House’s claims. Through a spokeswoman, McConnell declined to comment, citing the secrecy of that meeting.

    Key Democrats were stunned by the GOP response and exasperated that the White House seemed willing to let Republican opposition block any pre-election move.

    On Sept. 22, two California Democrats — Sen. Dianne Feinstein and Rep. Adam B. Schiff — did what they couldn’t get the White House to do. They issued a statement making clear that they had learned from intelligence briefings that Russia was directing a campaign to undermine the election, but they stopped short of saying to what end.

    A week later, McConnell and other congressional leaders issued a cautious statement that encouraged state election officials to ensure their networks were “secure from attack.” The release made no mention of Russia and emphasized that the lawmakers “would oppose any effort by the federal government” to encroach on the states’ authorities.

    When U.S. spy agencies reached unanimous agreement in late September that the interference was a Russian operation directed by Putin, Obama directed spy chiefs to prepare a public statement summarizing the intelligence in broad strokes.

    With Obama still determined to avoid any appearance of politics, the statement would not carry his signature.

    On Oct. 7, the administration offered its first public comment on Russia’s “active measures,” in a three-paragraph statement issued by Johnson and Clapper. Comey had initially agreed to attach his name, as well, officials said, but changed his mind at the last minute, saying that it was too close to the election for the bureau to be involved.

    “The U.S. intelligence community is confident that the Russian government directed the recent compromises of e‑mails from U.S. persons and institutions, including from U.S. political organizations,” the statement said. “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

    Early drafts accused Putin by name, but the reference was removed out of concern that it might endanger intelligence sources and methods.

    The statement was issued around 3:30 p.m., timed for maximum media coverage. Instead, it was quickly drowned out. At 4 p.m., The Post published a story about crude comments Trump had made about women that were captured on an “Access Hollywood” tape. Half an hour later, WikiLeaks published its first batch of emails stolen from Clinton campaign chairman John Podesta.

    ...

    ‘Ample time’ after election

    The Situation Room is actually a complex of secure spaces in the basement level of the West Wing. A video feed from the main room courses through some National Security Council offices, allowing senior aides sitting at their desks to see — but not hear — when meetings are underway.

    As the Russia-related sessions with Cabinet members began in August, the video feed was shut off. The last time that had happened on a sustained basis, officials said, was in the spring of 2011 during the run-up to the U.S. Special Operations raid on bin Laden’s compound in Pakistan.

    The blacked-out screens were seen as an ominous sign among lower-level White House officials who were largely kept in the dark about the Russia deliberations even as they were tasked with generating options for retaliation against Moscow.

    Much of that work was led by the Cyber Response Group, an NSC unit with representatives from the CIA, NSA, State Department and Pentagon.

    The early options they discussed were ambitious. They looked at sectorwide economic sanctions and cyberattacks that would take Russian networks temporarily offline. One official informally suggested — though never formally proposed — moving a U.S. naval carrier group into the Baltic Sea as a symbol of resolve.

    What those lower-level officials did not know was that the principals and their deputies had by late September all but ruled out any pre-election retaliation against Moscow. They feared that any action would be seen as political and that Putin, motivated by a seething resentment of Clinton, was prepared to go beyond fake news and email dumps.

    The FBI had detected suspected Russian attempts to penetrate election systems in 21 states, and at least one senior White House official assumed that Moscow would try all 50, officials said. Some officials believed the attempts were meant to be detected to unnerve the Americans. The patchwork nature of the United States’ 3,000 or so voting jurisdictions would make it hard for Russia to swing the outcome, but Moscow could still sow chaos.

    “We turned to other scenarios” the Russians might attempt, said Michael Daniel, who was cybersecurity coordinator at the White House, “such as disrupting the voter rolls, deleting every 10th voter [from registries] or flipping two digits in everybody’s address.”

    The White House also worried that they had not yet seen the worst of Russia’s campaign. WikiLeaks and DCLeaks, a website set up in June 2016 by hackers believed to be Russian operatives, already had troves of emails. But U.S. officials feared that Russia had more explosive material or was willing to fabricate it.

    “Our primary interest in August, September and October was to prevent them from doing the max they could do,” said a senior administration official. “We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures.”

    The assumption that Clinton would win contributed to the lack of urgency.

    Instead, the administration issued a series of warnings.

    Brennan delivered the first on Aug. 4 in a blunt phone call with Alexander Bortnikov, the director of the FSB, Russia’s powerful security service.

    A month later, Obama confronted Putin directly during a meeting of world leaders in Hangzhou, China. Accompanied only by interpreters, Obama told Putin that “we knew what he was doing and [he] better stop or else,” according to a senior aide who subsequently spoke with Obama. Putin responded by demanding proof and accusing the United States of interfering in Russia’s internal affairs.

    In a subsequent news conference, Obama alluded to the exchange and issued a veiled threat. “We’re moving into a new era here where a number of countries have significant capacities,” he said. “Frankly, we’ve got more capacity than anybody both offensively and defensively.”

    There were at least two other warnings.

    On Oct. 7, the day that the Clapper-Johnson statement was released, Rice summoned Russian Ambassador Sergey Kislyak to the White House and handed him a message to relay to Putin.

    Then, on Oct. 31, the administration delivered a final pre-election message via a secure channel to Moscow originally created to avert a nuclear exchange. The message noted that the United States had detected malicious activity, originating from servers in Russia, targeting U.S. election systems and warned that meddling would be regarded as unacceptable interference. Russia confirmed the next day that it had received the message but replied only after the election through the same channel, denying the accusation.

    As Election Day approached, proponents of taking action against Russia made final, futile appeals to Obama’s top aides: McDonough, Rice and Haines. Because their offices were part of a suite of spaces in the West Wing, securing their support on any national security issue came to be known as “moving the suite.”

    One of the last to try before the election was Kerry. Often perceived as reluctant to confront Russia, in part to preserve his attempts to negotiate a Syria peace deal, Kerry was at critical moments one of the leading hawks.

    In October, Kerry’s top aides had produced an “action memo” that included a package of retaliatory measures including economic sanctions. Knowing the White House was not willing to act before the election, the plan called for the measures to be announced almost immediately after votes had been securely cast and counted.

    Kerry signed the memo and urged the White House to convene a principals meeting to discuss the plan, officials said. “The response was basically, ‘Not now,’” one official said.

    Election Day arrived without penalty for Moscow.

    ...

    A U.S. cyber-weapon

    The most difficult measure to evaluate is one that Obama alluded to in only the most oblique fashion when announcing the U.S. response.

    “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized,” he said in a statement released by the White House.

    He was referring, in part, to a cyber operation that was designed to be detected by Moscow but not cause significant damage, officials said. The operation, which entailed implanting computer code in sensitive computer systems that Russia was bound to find, served only as a reminder to Moscow of the United States’ cyber reach.

    But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

    Obama declined to comment for this article, but a spokesman issued a statement: “This situation was taken extremely seriously, as is evident by President Obama raising this issue directly with President Putin; 17 intelligence agencies issuing an extraordinary public statement; our homeland security officials working relentlessly to bolster the cyber defenses of voting infrastructure around the country; the President directing a comprehensive intelligence review, and ultimately issuing a robust response including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and ejecting 35 Russian diplomats from the country.”

    The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

    As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

    The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

    U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

    ———-

    “Obama’s secret struggle to punish Russia for Putin’s election assault” by Greg Miller, Ellen Nakashima and Adam Entous; The Washington Post; 06/23/2017

    “Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladimir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.”

    So a CIA deep Russian government source is the primary source of the ‘Putin ordered it’ conclusion. Well, at least that’s better than the bad joke technical evidence that’s been provided thus far. But even that source’s claims apparently weren’t enough to convince other parts of the intelligence community. It took the intelligence from the unnamed ally to do that:

    ...
    But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

    At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent. Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

    But at the highest levels of government, among those responsible for managing the crisis, the first moment of true foreboding about Russia’s intentions arrived with that CIA intelligence.

    ...

    It took time for other parts of the intelligence community to endorse the CIA’s view. Only in the administration’s final weeks in office did it tell the public, in a declassified report, what officials had learned from Brennan in August — that Putin was working to elect Trump.

    ...

    Despite the intelligence the CIA had produced, other agencies were slower to endorse a conclusion that Putin was personally directing the operation and wanted to help Trump. “It was definitely compelling, but it was not definitive,” said one senior administration official. “We needed more.”

    Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.
    ...

    “Some of the most critical technical intelligence on Russia came from another country, officials said. Because of the source of the material, the NSA was reluctant to view it with high confidence.”

    That sure sounds like a ‘slam dunk’ case. And not the good kind. And based on these intelligence sources, the US is openly planting retaliatory cyberbombs on Russian networks:

    ...
    But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

    ...

    The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

    The implants were developed by the NSA and designed so that they could be triggered remotely as part of a retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

    Officials familiar with the measures said that there was concern among some in the administration that the damage caused by the implants could be difficult to contain.

    As a result, the administration requested a legal review, which concluded that the devices could be controlled well enough that their deployment would be considered “proportional” in varying scenarios of Russian provocation, a requirement under international law.

    The operation was described as long-term, taking months to position the implants and requiring maintenance thereafter. Under the rules of covert action, Obama’s signature was all that was necessary to set the operation in motion.

    U.S. intelligence agencies do not need further approval from Trump, and officials said that he would have to issue a countermanding order to stop it. The officials said that they have seen no indication that Trump has done so.

    Keep in mind that such a response from the US would be entirely predictable if the Russian government really did order this hack attack. Russia would be at a heightened risk for years or decades to come if Putin really did order this attack and there’s no reason to assume that the Russian government wouldn’t be well aware of this consequence. So if Putin really did order this hack he would have to have gone insane. That’s how stupid this attack was if Putin actually ordered it. But according to a CIA spy in the Kremlin, along with a questionable foreign ally, that’s exactly what Putin did. Because he apparently went insane and preemptively launched a cyberwar knowing full well how devastating the long-term consequences could be. Because he really, really, really hates Hillary. That’s the narrative we’re being given.

    And now, any future attacks on US elections or the US electrical grid that can somehow be pinned on the Russians are going to trigger some sort of painful wave of retaliatory cyberbombs. Which, of course, will likely trigger a wave of counter-retaliatory cyberbombs in the US. And a full-scale cyberwar will be born and we’ll just have to hope it stays in the cyber domain. That’s where we are now based on a CIA spy in the Kremlin and an unnamed foreign intelligence agency.

    Posted by Pterrafractyl | June 23, 2017, 2:48 pm
  12. Here’s a pair of stories that are only tangentially related to the high profile 2016 DNC hacks and are really more a prelude to some yet-to-happen hacks of sensitive government data. It’s also exciting news for people who like to routinely scan the Amazon Cloud searching for servers left accidentally vulnerable to the public: The Amazon Cloud is joining IBM and Microsoft as one of three private companies available for hosting the US Department of Defense’s most sensitive unclassified data:

    NextGov

    Amazon Web Services Can Now Host the Defense Department’s Most Sensitive Data

    By Frank Konkel
    September 13, 2017

    Amazon Web Services has a new market for its cloud computing, analytics, and storage services.

    This week, the Defense Department granted the cloud computing giant a provisional authorization to host Impact Level 5 workloads, which are the military and Pentagon’s most sensitive, unclassified information.

    “This further bolsters AWS as an industry leader in helping support the DoD’s critical mission in protecting our security,” the company said in a statement. “The AWS services support a variety of DoD workloads, including workloads containing sensitive controlled unclassified information and National Security Systems information.”

    Already, DoD is using AWS to host sensitive, mission-critical workloads, including the operational control system for the Global Positioning System. The provisional authorization allows military customers an easier route to use AWS for a variety of other IT services.

    In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. AWS has expanded its defense business; it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.

    ...

    ———-

    “Amazon Web Services Can Now Host the Defense Department’s Most Sensitive Data” by Frank Konkel; NextGov; 09/13/2017

    “In total, three commercial companies—AWS, IBM and Microsoft—are now able to host and store the military’s most sensitive unclassified data. AWS has expanded its defense business; it remains the dominant cloud service provider in the intelligence community by virtue of its $600 million contract with the Central Intelligence Agency. AWS’ C2S cloud hosts classified information for the 17 intelligence agencies.”

    Yep, Amazon Web Services (AWS) is already hosting classified information for 17 US intelligence agencies, led by a $600 million contract with the CIA. A contract that involved Amazon developing a completely separate cloud infrastructure with extra layers of security, including being completely separate from the rest of the internet and extra encryption.

    But it sounds like this recent rule change that allows for unclassified, but still highly sensitive, data doesn’t involve that separate extra secure cloud. It’s just the regular Amazon AWS. What could possibly go wrong? Well, here’s a story from back in May starring Booz Allen Hamilton (Edward Snowden’s brief employer) that’s a pretty good example of what could go wrong:

    Gizmodo

    Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password [Updated]

    Dell Cameron
    5/31/17 9:40am

    Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once described as the world’s most profitable spy operation, Gizmodo has confirmed.

    A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.

    The exposed credentials could potentially grant their holders further access to repositories housing similarly sensitive government data.

    Countless references are made in the leaked files to the US National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract. Often referred to as the Pentagon’s “mapmakers,” the combat support agency works alongside the Central Intelligence Agency, the National Reconnaissance Office, and the Defense Intelligence Agency to collect and analyze geospatial data gathered by spy satellites and aerial drones.

    The NGA on Tuesday confirmed the leak to Gizmodo while stressing that no classified information had been disclosed. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” an agency spokesperson said. The Amazon server from which the data was leaked was “not directly connected to classified networks,” the spokesperson noted.

    UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.

    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

    SSH keys employ what’s called public-key cryptography and challenge-response authentication. Essentially, Booz Allen stores sensitive data in the cloud, and before the engineer can access it, his private key must pair successfully with a public key on Booz Allen’s server. This protocol only really works, however, so long as the employee’s private key remains a secret.

    “Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo on Tuesday. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

    Mark Zaid, a Washington lawyer who specializes in national security cases, said the incident is likely to dredge up bad memories of the company. “The first thing that jumps to mind,” he said, is “Oh, no. It’s Booz Allen again.”

    Zaid was referring to Edward Snowden, the former NSA contractor who worked for Booz Allen when he fled to Hong Kong in 2013 with a trove of classified material. Another of the firm’s employees, Harold Martin III, was arrested last year and charged under the Espionage Act after federal agents discovered over 50 terabytes of classified data in his residence, the trunk of his car and in an unlocked outdoor shed.

    “Obviously, Booz Allen is a large company and a well-respected defense contractor,” Zaid added. “And none of these cases are necessarily related to one another. But it still raises some real serious concerns about what’s going on with Booz Allen’s security protocols.”

    In addition to keys, the Booz Allen server contained master credentials to a datacenter operating system—and others used to access the GEOAxIS authentication portal, a protected Pentagon system that usually requires an ID card and special computer to use. Yet another file contained the login credentials of a separate Amazon bucket, the contents of which remain a mystery; there’s no way to verify the contents legally since the bucket is secured by a password, and thus not open to the public.

    Moreover, a categorization script found in one of the Booz Allen files indicates the system under construction is at least designed to handle classified information. And while Vickery didn’t realize its significance at the time, the leaked files also appear connected to a third server he found open last month.

    In April, he discovered an Amazon bucket with no password containing a review of what he now believes is the same NGA system. An “application security risk assessment,” carried out using HP software called Fortify, detailed 3039 issues within the program’s source code (only 7 were described as critical). “I’m reading the report,” he says, “and the code snippets line up with code from the second bucket.”

    The mission of UpGuard’s Cyber Risk Team is to locate and secure leaked sensitive records, so Vickery’s first email on Wednesday was to Joe Mahaffee, Booz Allen’s chief information security officer. But after receiving no immediate response, he went directly to the agency. “I emailed the NGA at 10:33am on Thursday. Public access to the leak was cut off nine minutes later,” he said.

    “You can have fantastic cybersecurity, but if you’re using IT systems to share information with a partner whose cybersecurity isn’t up to snuff, then your protection measures don’t mean very much,” says Paulo Shakarian, a cybersecurity fellow at the Washington think-tank New America. The big unresolved question, he says, is whether Booz Allen had proper security protocols in place for its contractors working on the NGA project. “And likewise, what has NGA done to ensure that the proper protective measures were in place.”

    NGA informed Gizmodo that it was still evaluating the incident and had yet to determine a proper course of action. “It’s important to note that a misconfiguration, properly reported and addressed, does not disqualify industry partners from doing business with NGA,” the agency said, adding that it reserves the right to “address any violations or patterns of non-compliance appropriately.”

    ...

    Update: June 1st, 6:04pm ET: Booz Allen Hamilton sent Gizmodo the following statement:

    Both our client and Booz Allen have confirmed that no classified data was available on the impacted unclassified cloud environments. And we have confirmed that none of those usernames and passwords could have been used to access classified information. This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment. As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation. Again, the important point here is that the affected cloud areas were not designed to contain any classified information. Our client has said they’ve found no evidence that classified data was involved, and so far our forensics have indicated the same. While any incident of this nature is unacceptable and we hope to learn from it, so far we see this event as having limited impact.

    ———-

    “Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password [Updated]” by Dell Cameron; Gizmodo; 05/31/17

    “UpGuard cyber risk analyst Chris Vickery discovered the Booz Allen server last week while at his Santa Rosa home running a scan for publicly accessible s3 buckets (what Amazon calls its cloud storage devices). At first there was no reason to suspect it contained sensitive military data. Typically, US government servers hosted by Amazon are segregated into what’s called the GovCloud—a “gated community” protected by advanced cryptography and physical security. Instead, the Booz Allen bucket was found in region “US-East-1,” chiefly comprised of public and commercial data.”

    Fun times ahead for all the peo­ple who rou­tine­ly scan pub­licly acces­si­ble AWS “buck­ets” for vul­ner­a­bil­i­ties. You just might stum­ble upon unpro­tect­ed files from the US Nation­al Geospa­tial-Intel­li­gence Agency (NGA). Or maybe you’ll find a bunch of pass­words and pri­vate SSH keys that will allow you to break into oth­er sen­si­tive sys­tems:

    ...
    Yet the files bore some hallmarks of a government project. First, Vickery spotted the public and private SSH keys of a Booz Allen employee, identified by his LinkedIn page as a lead senior engineer in Virginia—also home to the NGA’s Fort Belvoir campus. “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities,” he said.

    SSH keys employ what’s called pub­lic-key cryp­tog­ra­phy and chal­lenge-response authen­ti­ca­tion. Essen­tial­ly, Booz Allen stores sen­si­tive data in the cloud, and before the engi­neer can access it, his pri­vate key must pair suc­cess­ful­ly with a pub­lic key on Booz Allen’s serv­er. This pro­to­col only real­ly works, how­ev­er, so long as the employee’s pri­vate key remains a secret.
    ...

    And maybe you’ll even find files asso­ci­at­ed with a vul­ner­a­ble “buck­et” you dis­cov­ered months ear­li­er:

    ...
    More­over, a cat­e­go­riza­tion script found in one of the Booz Allen files indi­cates the sys­tem under con­struc­tion is at least designed to han­dle clas­si­fied infor­ma­tion. And while Vick­ery didn’t real­ize its sig­nif­i­cance at the time, the leaked files also appear con­nect­ed to a third serv­er he found open last month.

    In April, he dis­cov­ered an Ama­zon buck­et with no pass­word con­tain­ing a review of what he now believes is the same NGA sys­tem. An “appli­ca­tion secu­ri­ty risk assess­ment,” car­ried out using HP soft­ware called For­ti­fy, detailed 3039 issues with­in the program’s source code (only 7 were described as crit­i­cal). “I’m read­ing the report,” he says, “and the code snip­pets line up with code from the sec­ond buck­et.”
    ...

    Yes, this same secu­ri­ty ana­lyst dis­cov­ered an Ama­zon buck­et months ear­li­er with no pass­word con­tain­ing an “appli­ca­tion secu­ri­ty risk assess­ment” reveal­ing soft­ware vul­ner­a­bil­i­ties. And the ana­lyst is pret­ty sure that the appli­ca­tion secu­ri­ty risk assess­ment was an assess­ment for the same sys­tem that was being devel­oped on the vul­ner­a­ble buck­et he dis­cov­ered back in May. And it appears to be a sys­tem designed to han­dle clas­si­fied infor­ma­tion.

    So while this pub­licly avail­able Ama­zon buck­et did­n’t con­tain clas­si­fied infor­ma­tion, it did appear to be the devel­op­ment envi­ron­ment for a sys­tem designed to han­dle clas­si­fied infor­ma­tion. And that’s a sto­ry from months before the DoD grant­ed Ama­zon a pro­vi­sion­al autho­riza­tion to host Impact Lev­el 5 work­loads, the mil­i­tary and Pentagon’s most sen­si­tive, unclas­si­fied infor­ma­tion, on its cloud.

    And that all means we should get ready for lots of fun future sto­ries about how a bunch of sen­si­tive data was stolen off a pub­licly acces­si­ble Ama­zon web serv­er used by a nation­al secu­ri­ty con­trac­tor fol­lowed up with a bunch of assur­ances that no one should wor­ry because it was just unclas­si­fied data that was stolen.

    Posted by Pterrafractyl | September 19, 2017, 2:53 pm
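The Booz Allen statement above describes the failure mode exactly: a private key left in a shared, unclassified development environment. The check a defender would run on such an environment is a secret scan over everything stored there before it is ever exposed. The following is an added example written for this page, not code from UpGuard, Gizmodo or Booz Allen: it looks for PEM private-key headers and AWS access key IDs in a set of files, flags the private half of an SSH key pair while ignoring the public half, and runs over constructed sample objects (the access key ID is the placeholder value AWS uses in its documentation; the key bodies are not real key material).

```python
import re
from typing import Dict, List, NamedTuple

# Patterns for credential material that should never sit in a shared bucket
# or repository. The PEM header is the standard OpenSSL/OpenSSH format; the
# "AKIA" prefix is the documented public format of an AWS access key ID.
# Public keys ("ssh-rsa AAAA...") are deliberately NOT matched: only the
# private half compromises the challenge-response login described above.
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


class Finding(NamedTuple):
    path: str
    line: int
    kind: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit in a single file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append(Finding(path, lineno, kind))
    return hits


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, e.g. objects listed from a bucket."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample objects standing in for a shared development bucket.
# The access key ID is the placeholder used in AWS documentation and the
# key bodies are made-up text, not real key material.
CONSTRUCTED_FILES = {
    "deploy/config.env": (
        "REGION=us-east-1\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "home/engineer/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedplaceholderbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "home/engineer/.ssh/id_rsa.pub": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed engineer@example\n"
    ),
    "README.md": "# Build notes\nNothing sensitive here.\n",
}


if __name__ == "__main__":
    # Two hits expected: the access key ID and the private key; the public
    # key and the README are clean.
    for f in scan_files(CONSTRUCTED_FILES):
        print(f"{f.path}:{f.line}: {f.kind}")
```

In practice the same scan is run against every object in a bucket listing and against each commit before it lands, and any hit on a private key is treated as a compromise of that key (rotate it, revoke the public half everywhere it is authorized), since a key-pair login only protects anything while the private half stays secret.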
  13. Here’s a pair of sto­ries that, at best, are a reminder of the poten­tial for algo­rithms and AI sys­tems to acquire the hate and big­otry of their human cre­ators. And, at worst, are a reminder that the poten­tial for algo­rithms and AI sys­tems to acquire the hate and big­otry of their human cre­ators might be a great excuse for com­pa­nies like Face­book to push a far-right agen­da and just go “oops!” when they get caught.

    The second article is also a reminder of what we witnessed following the hack of the French election: that the US and Europe remain dangerously hyperfocused on the potential for Russian election meddling to the exclusion of almost any other force on the world stage (like the far-right movements that exist in every country on the planet and clearly want to meddle in elections).

    But first, check out the adver­tis­ing cat­e­gories Face­book’s algo­rithms auto-gen­er­at­ed:

    Prop­ub­li­ca

    Face­book Enabled Adver­tis­ers to Reach ‘Jew Haters’
    After being con­tact­ed by ProP­ub­li­ca, Face­book removed sev­er­al anti-Semit­ic ad cat­e­gories and promised to improve mon­i­tor­ing.

    by Julia Angwin, Madeleine Varn­er and Ari­ana Tobin
    Sept. 14, 4 p.m. EDT

    Want to mar­ket Nazi mem­o­ra­bil­ia, or recruit marchers for a far-right ral­ly? Facebook’s self-ser­vice ad-buy­ing plat­form had the right audi­ence for you.

    Until this week, when we asked Face­book about it, the world’s largest social net­work enabled adver­tis­ers to direct their pitch­es to the news feeds of almost 2,300 peo­ple who expressed inter­est in the top­ics of “Jew hater,” “How to burn jews,” or, “His­to­ry of ‘why jews ruin the world.’”

    To test if these ad cat­e­gories were real, we paid $30 to tar­get those groups with three “pro­mot­ed posts” — in which a ProP­ub­li­ca arti­cle or post was dis­played in their news feeds. Face­book approved all three ads with­in 15 min­utes.

    After we con­tact­ed Face­book, it removed the anti-Semit­ic cat­e­gories — which were cre­at­ed by an algo­rithm rather than by peo­ple — and said it would explore ways to fix the prob­lem, such as lim­it­ing the num­ber of cat­e­gories avail­able or scru­ti­niz­ing them before they are dis­played to buy­ers.

    “There are times where con­tent is sur­faced on our plat­form that vio­lates our stan­dards,” said Rob Leath­ern, prod­uct man­age­ment direc­tor at Face­book. “In this case, we’ve removed the asso­ci­at­ed tar­get­ing fields in ques­tion. We know we have more work to do, so we’re also build­ing new guardrails in our prod­uct and review process­es to pre­vent oth­er issues like this from hap­pen­ing in the future.”

    Facebook’s adver­tis­ing has become a focus of nation­al atten­tion since it dis­closed last week that it had dis­cov­ered $100,000 worth of ads placed dur­ing the 2016 pres­i­den­tial elec­tion sea­son by “inau­then­tic” accounts that appeared to be affil­i­at­ed with Rus­sia.

    Like many tech com­pa­nies, Face­book has long tak­en a hands off approach to its adver­tis­ing busi­ness. Unlike tra­di­tion­al media com­pa­nies that select the audi­ences they offer adver­tis­ers, Face­book gen­er­ates its ad cat­e­gories auto­mat­i­cal­ly based both on what users explic­it­ly share with Face­book and what they implic­it­ly con­vey through their online activ­i­ty.

    Tra­di­tion­al­ly, tech com­pa­nies have con­tend­ed that it’s not their role to cen­sor the Inter­net or to dis­cour­age legit­i­mate polit­i­cal expres­sion. In the wake of the vio­lent protests in Char­lottesville by right-wing groups that includ­ed self-described Nazis, Face­book and oth­er tech com­pa­nies vowed to strength­en their mon­i­tor­ing of hate speech.

    Face­book CEO Mark Zucker­berg wrote at the time that “there is no place for hate in our com­mu­ni­ty,” and pledged to keep a clos­er eye on hate­ful posts and threats of vio­lence on Face­book. “It’s a dis­grace that we still need to say that neo-Nazis and white suprema­cists are wrong — as if this is some­how not obvi­ous,” he wrote.

    But Face­book appar­ent­ly did not inten­si­fy its scruti­ny of its ad buy­ing plat­form. In all like­li­hood, the ad cat­e­gories that we spot­ted were auto­mat­i­cal­ly gen­er­at­ed because peo­ple had list­ed those anti-Semit­ic themes on their Face­book pro­files as an inter­est, an employ­er or a “field of study.” Facebook’s algo­rithm auto­mat­i­cal­ly trans­forms people’s declared inter­ests into adver­tis­ing cat­e­gories.

    Here is a screen­shot of our ad buy­ing process on the company’s adver­tis­ing por­tal:
    [see screen­shot]

    This is not the first con­tro­ver­sy over Facebook’s ad cat­e­gories. Last year, ProP­ub­li­ca was able to block an ad that we bought in Facebook’s hous­ing cat­e­gories from being shown to African-Amer­i­cans, His­pan­ics and Asian-Amer­i­cans, rais­ing the ques­tion of whether such ad tar­get­ing vio­lat­ed laws against dis­crim­i­na­tion in hous­ing adver­tis­ing. After ProPublica’s arti­cle appeared, Face­book built a sys­tem that it said would pre­vent such ads from being approved.

    Last year, ProP­ub­li­ca also col­lect­ed a list of the adver­tis­ing cat­e­gories Face­book was pro­vid­ing to adver­tis­ers. We down­loaded more than 29,000 ad cat­e­gories from Facebook’s ad sys­tem — and found cat­e­gories rang­ing from an inter­est in “Hun­gar­i­an sausages” to “Peo­ple in house­holds that have an esti­mat­ed house­hold income of between $100K and $125K.”

    At that time, we did not find any anti-Semit­ic cat­e­gories, but we do not know if we cap­tured all of Facebook’s pos­si­ble ad cat­e­gories, or if these cat­e­gories were added lat­er. A Face­book spokesman didn’t respond to a ques­tion about when the cat­e­gories were intro­duced.

    Last week, act­ing on a tip, we logged into Facebook’s auto­mat­ed ad sys­tem to see if “Jew hater” was real­ly an ad cat­e­go­ry. We found it, but dis­cov­ered that the cat­e­go­ry — with only 2,274 peo­ple in it — was too small for Face­book to allow us to buy an ad pegged only to Jew haters.

    Facebook’s auto­mat­ed sys­tem sug­gest­ed “Sec­ond Amend­ment” as an addi­tion­al cat­e­go­ry that would boost our audi­ence size to 119,000 peo­ple, pre­sum­ably because its sys­tem had cor­re­lat­ed gun enthu­si­asts with anti-Semi­tes.

    Instead, we chose addi­tion­al cat­e­gories that popped up when we typed in “jew h”: “How to burn Jews,” and “His­to­ry of ‘why jews ruin the world.’” Then we added a cat­e­go­ry that Face­book sug­gest­ed when we typed in “Hitler”: a cat­e­go­ry called “Hitler did noth­ing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s auto­mat­ed sys­tem told us that we still didn’t have a large enough audi­ence to make a pur­chase. So we added “Ger­man Schutzstaffel,” com­mon­ly known as the Nazi SS, and the “Nazi Par­ty,” which were both described to adver­tis­ers as groups of “employ­ers.” Their audi­ences were larg­er: 3,194 for the SS and 2,449 for Nazi Par­ty.

    Still, Face­book said we need­ed more — so we added peo­ple with an inter­est in the Nation­al Demo­c­ra­t­ic Par­ty of Ger­many, a far-right, ultra­na­tion­al­ist polit­i­cal par­ty, with its much larg­er view­er­ship of 194,600.

    Once we had our audience, we submitted our ad — which promoted an unrelated ProPublica news article. Within 15 minutes, Facebook approved our ad, with one change. In its approval screen, Facebook described the ad targeting category “Jew hater” as “Antysemityzm,” the Polish word for anti-Semitism. Just to make sure it was referring to the same category, we bought two additional ads using the term “Jew hater” in combination with other terms. Both times, Facebook changed the ad targeting category “Jew hater” to “Antisemityzm” in its approval.

    Here is one of our approved ads from Face­book:
    [see screen­shot]

    A few days lat­er, Face­book sent us the results of our cam­paigns. Our three ads reached 5,897 peo­ple, gen­er­at­ing 101 clicks, and 13 “engage­ments” — which could be a “like” a “share” or a com­ment on a post.

    Since we con­tact­ed Face­book, most of the anti-Semit­ic cat­e­gories have dis­ap­peared.

    Face­book spokesman Joe Osborne said that they didn’t appear to have been wide­ly used. “We have looked at the use of these audi­ences and cam­paigns and it’s not com­mon or wide­spread,” he said.

    ...

    ———-

    “Face­book Enabled Adver­tis­ers to Reach ‘Jew Haters’” by Julia Angwin, Madeleine Varn­er and Ari­ana Tobin; Prop­ub­li­ca; 09/14/2017

    “To test if these ad cat­e­gories were real, we paid $30 to tar­get those groups with three “pro­mot­ed posts” — in which a ProP­ub­li­ca arti­cle or post was dis­played in their news feeds. Face­book approved all three ads with­in 15 min­utes.”

    $30 to advertise to Facebook’s “Jew Haters”. And it was approved in 15 minutes. But it wasn’t just the “Jew Haters” targeted with this $30 ad buy, because there weren’t enough of them to meet the minimum number of people Facebook requires for these kinds of purchases. So other categories had to be added. Categories apparently generated automatically based on user activity:

    ...
    After we con­tact­ed Face­book, it removed the anti-Semit­ic cat­e­gories — which were cre­at­ed by an algo­rithm rather than by peo­ple — and said it would explore ways to fix the prob­lem, such as lim­it­ing the num­ber of cat­e­gories avail­able or scru­ti­niz­ing them before they are dis­played to buy­ers.
    ...

    And it wasn’t until Propublica added the category for Germany’s neo-Nazi National Democratic Party (NPD) that they finally had enough people in their collection of hate categories to meet the minimum number of target Facebook users required for the ad buy to be placed:

    ...
    Last week, act­ing on a tip, we logged into Facebook’s auto­mat­ed ad sys­tem to see if “Jew hater” was real­ly an ad cat­e­go­ry. We found it, but dis­cov­ered that the cat­e­go­ry — with only 2,274 peo­ple in it — was too small for Face­book to allow us to buy an ad pegged only to Jew haters.

    Facebook’s auto­mat­ed sys­tem sug­gest­ed “Sec­ond Amend­ment” as an addi­tion­al cat­e­go­ry that would boost our audi­ence size to 119,000 peo­ple, pre­sum­ably because its sys­tem had cor­re­lat­ed gun enthu­si­asts with anti-Semi­tes.

    Instead, we chose addi­tion­al cat­e­gories that popped up when we typed in “jew h”: “How to burn Jews,” and “His­to­ry of ‘why jews ruin the world.’” Then we added a cat­e­go­ry that Face­book sug­gest­ed when we typed in “Hitler”: a cat­e­go­ry called “Hitler did noth­ing wrong.” All were described as “fields of study.”

    These ad categories were tiny. Only two people were listed as the audience size for “how to burn jews,” and just one for “History of ‘why jews ruin the world.’” Another 15 people comprised the viewership for “Hitler did nothing wrong.”

    Facebook’s auto­mat­ed sys­tem told us that we still didn’t have a large enough audi­ence to make a pur­chase. So we added “Ger­man Schutzstaffel,” com­mon­ly known as the Nazi SS, and the “Nazi Par­ty,” which were both described to adver­tis­ers as groups of “employ­ers.” Their audi­ences were larg­er: 3,194 for the SS and 2,449 for Nazi Par­ty.

    Still, Face­book said we need­ed more — so we added peo­ple with an inter­est in the Nation­al Demo­c­ra­t­ic Par­ty of Ger­many, a far-right, ultra­na­tion­al­ist polit­i­cal par­ty, with its much larg­er view­er­ship of 194,600.
    ...

    “Still, Face­book said we need­ed more — so we added peo­ple with an inter­est in the Nation­al Demo­c­ra­t­ic Par­ty of Ger­many, a far-right, ultra­na­tion­al­ist polit­i­cal par­ty, with its much larg­er view­er­ship of 194,600.”

    In a way it’s at least a lit­tle reliev­ing that cat­e­gories like “Hitler did noth­ing wrong” only had 15 users Face­book iden­ti­fied as a tar­get audi­ence for that cat­e­go­ry. It could be worse! Like, say 194,600 users, which is the num­ber of peo­ple in the NPD tar­get audi­ence. But it’s also pret­ty dis­turb­ing that Face­book made it so cheap and easy to tar­get this glob­al hate audi­ence.

    And, again, at best this really was just an algorithmic ‘oops’, but we can’t rule out the possibility that a corporate giant like Facebook, which has the far-right figurehead Peter Thiel on its board, is quietly trying to capture and foster far-right audiences.

    But according to Facebook this was all an innocent mistake. Let’s hope so. And let’s also hope the sudden discovery that Facebook in Germany has been prioritizing far-right political parties like the AfD when people do a search for political discussions was also just an innocent mistake. As the following article notes, it’s one of the many discoveries about the role the ‘Alt-Right’ is playing in Germany’s current elections, and it’s a role that doesn’t appear to include a Kremlin counterpart, despite widespread fears that all sorts of Russian dirty tricks were inevitably going to be injected into the race. But as far as observers can tell, it’s just the ‘Alt-Right’ that’s flooding German social media sites with far-right messages, and it specifically appears to be American ‘Alt-Right’ people doing this. Apparently with the help of another Facebook pro-far-right ‘whoops! How did that happen?’:

    USA Today

    There is med­dling in Ger­many’s elec­tion — not by Rus­sia, but by U.S. right wing

    Kim Hjelm­gaard, Pub­lished 11:31 a.m. ET Sept. 20, 2017

    Less than a week before Sun­day’s vote that is like­ly to hand Ger­man Chan­cel­lor Angela Merkel a fourth term, evi­dence of antic­i­pat­ed Russ­ian med­dling has yet to mate­ri­al­ize, but U.S. right-wing groups have inter­fered, accord­ing to Ger­man researchers.

    “So far we have not been able to track down any specific Russian activity,” said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.

    Instead, Hegelich and oth­ers point to an alliance of most­ly anony­mous online trolls and extrem­ist agi­ta­tors who are dis­sem­i­nat­ing right-wing mate­ri­als through YouTube; mes­sag­ing board sites like 4chan and red­dit; and Gab.ai, a tex­ting ser­vice.

    “A lot of the stuff we are see­ing in Ger­many can be linked to, or is at least inspired by, the ‘alt-right’ move­ment in the U.S.,” Hegelich said, refer­ring to a loose­ly defined group whose far-right ide­ol­o­gy includes racism, pop­ulism and white nation­al­ism.

    He said prov­ing con­nec­tions among sym­pa­thiz­ers is extreme­ly dif­fi­cult and may nev­er be con­clu­sive. But an analy­sis of 300 mil­lion tweets over the past six months by Hegelich and researchers at the Tech­ni­cal Uni­ver­si­ty of Munich shows Ger­many is a hotspot for posts that use the hash­tag “#AltRight.”

    Many den­i­grate both lead­ing can­di­dates — Merkel and her con­ser­v­a­tive Chris­t­ian Demo­c­ra­t­ic Union par­ty, and her chief rival, Mar­tin Schulz of the left-of-cen­ter Social Demo­c­ra­t­ic Par­ty — with the hash­tags #Merkel and #Schulz.

    And many of those posts orig­i­nate in the U.S., adding to the impres­sion that right-wing social media users in both coun­tries may be try­ing to sway Ger­man pub­lic opin­ion. It’s pos­si­ble that some of this alt-right mes­sag­ing com­ing out of the U.S. may be con­nect­ed to Russ­ian inter­fer­ence; that, too, is dif­fi­cult to deter­mine, Hegelich said.

    “There will nev­er be an elec­tion again in which trolling, hack­ing and extreme far-right pol­i­tics do not play a role,” Andrew Auern­heimer, a hack­er and blog­ger for the U.S. neo-Nazi Dai­ly Stormer web­site wrote after Don­ald Trump’s elec­tion vic­to­ry last year.

    The Dai­ly Stormer has been avail­able inter­mit­tent­ly since August after major tech­nol­o­gy firms includ­ing Google forced the site offline for com­ments about the death of Heather Hey­er by an alt-right pro­test­er in Char­lottesville, Va. Nev­er­the­less, the web­site con­tin­ues to pub­lish com­men­taries about the Ger­man elec­tion.

    “There is essen­tial­ly no chance that the AfD (Alter­na­tive for Ger­many par­ty) can win this elec­tion,” Adri­an Sol wrote Sun­day on the site, refer­ring to Ger­many’s far-right anti-immi­gra­tion and anti-Euro­pean Union par­ty.

    “How­ev­er, if they can keep putting pres­sure on the estab­lish­ment and change the nar­ra­tive, (there) may be hope yet that Ger­many can some day be saved.”

    A report pub­lished Wednes­day by Hope Not Hate, a British anti-racism watch­dog, con­clud­ed that the alt-right move­ment has “breathed life and youth back into for­mer­ly declin­ing and dor­mant parts of the Euro­pean extreme right.”

    The report, based on an under­cov­er inves­ti­ga­tion of far-right fig­ure­heads, found that extrem­ist indi­vid­u­als, orga­ni­za­tions, web­sites and forums on both sides of the Atlantic are increas­ing­ly engag­ing with each anoth­er and “weaponiz­ing” the Inter­net.

    San­dro Gay­ck­en, the founder and direc­tor of the Berlin-based Dig­i­tal Soci­ety Insti­tute, said right-wing voic­es are try­ing to infil­trate con­ver­sa­tions about the Ger­man elec­tion on Face­book and oth­er social media plat­forms.

    One exam­ple: Gay­ck­en said for the past two months, new and exist­ing Face­book users in Ger­many who search for polit­i­cal dis­cus­sion groups on the social media plat­form have been auto­mat­i­cal­ly giv­en rec­om­men­da­tions that pri­or­i­tize right-wing par­ties such as AfD, expect­ed to enter the coun­try’s nation­al par­lia­ment for the first time after Sun­day’s vote.

    “It’s real­ly strange because Face­book says this should be impos­si­ble because you are only sup­posed to get rec­om­men­da­tions based on your own ‘friends,’ ‘groups’ and ‘likes.’ But every­one in Ger­many is get­ting these right-wing par­ty rec­om­men­da­tions,” he said.

    “Even left-wing jour­nal­ists.”

    In a state­ment, Face­book said it was aware of the issue report­ed in Ger­many and that it was relat­ed to its “Groups Dis­cov­er” fea­ture, and that it has now tem­porar­i­ly turned off the cat­e­go­ry “news and pol­i­tics” in the “Dis­cov­er” tab while it inves­ti­gates the mat­ter.

    Face­book said it was also exam­in­ing the accounts of appar­ent­ly fake users who pur­chased Face­book ads dur­ing the U.S. elec­tion. These accounts were sub­se­quent­ly linked to the pro-Krem­lin troll farm known as the Inter­net Research Agency. Face­book said that it has not yet uncov­ered sim­i­lar ad pur­chas­es relat­ed to the Ger­man vote.

    “We haven’t seen any trace of the Rus­sians, just right-wingers,” Gay­ck­en added.

    Accord­ing to polls pub­lished by Ger­man media Sun­day, Merkel’s par­ty is pro­ject­ed to win 36% of the vote, well ahead of Schulz’s SPD on 22%. AfD is fore­cast to come in third, with 11%. If Merkel wins, she could forge ahead with plans to pur­sue clos­er polit­i­cal and eco­nom­ic union with EU mem­bers, a pol­i­cy as deeply unpop­u­lar with AfD’s sup­port­ers as her deci­sion to open Ger­many’s bor­ders to 1 mil­lion refugees since 2015.

    Ger­many’s vul­ner­a­bil­i­ty to polit­i­cal hack­ers, Inter­net trolls and bots linked to Rus­sia is hard to gauge. Plus, there may not be much point doing so, accord­ing to Mark Gale­ot­ti, who runs the Cen­ter for Euro­pean Secu­ri­ty, a research insti­tute in Prague.

    “There is no ‘pro-Putin’ can­di­date,” he said.

    “Any inter­fer­ence would be unlike­ly to have any sub­stan­tive impact on the elec­tion result and only hard­en Ger­many’s posi­tion against Moscow.”

    Merkel has nev­er­the­less sought to blunt poten­tial Russ­ian inter­fer­ence through aggres­sive pub­lic infor­ma­tion cam­paigns, by estab­lish­ing addi­tion­al cyber­se­cu­ri­ty agen­cies and strate­gies and by ush­er­ing in the Net­work Enforce­ment Act, a law that come this Octo­ber will fine social media com­pa­nies up to $57 mil­lion if they do not remove hate speech, defama­tion and incite­ments to vio­lence with­in 24 hours.

    Ger­man polit­i­cal par­ties also pledged not to use social bots in the elec­tion cam­paign, and inde­pen­dent media mon­i­tor­ing orga­ni­za­tions such as Cor­rec­tiv, which debunk fake news and call out dis­in­for­ma­tion, have been estab­lished recent­ly.

    The gov­ern­ment has insist­ed the soft­ware used to tab­u­late votes — paper bal­lots are hand-count­ed and then passed to region­al author­i­ties — is secure despite a study pub­lished Sept. 7. by the Chaos Com­put­er Club, a Ger­man tech­nol­o­gy watch­dog, show­ing the sys­tem’s encryp­tion method was out­dat­ed and vul­ner­a­ble to manip­u­la­tion.

    But what may seem like a lack of inter­est from Moscow may just be a sign of suc­cess.

    “I think there is more Russ­ian activ­i­ty than meets the eye,” said Joerg For­brig, a Berlin-based polit­i­cal affairs expert at the Ger­man Mar­shall Fund of the Unit­ed States, a pub­lic pol­i­cy think tank whose Alliance for Secur­ing Democ­ra­cy unit built an online tool that tracks Russ­ian pro­pa­gan­da and dis­in­for­ma­tion efforts. Its “Hamil­ton 68” dash­board ana­lyzes about 600 Twit­ter accounts direct­ly con­trolled by Rus­sia, by users who pro­mote Russ­ian themes, and by users and top­ics Rus­sia seeks to dis­cred­it or attack.

    “In the past we have seen a very sys­tem­at­ic and skilled out­reach pro­gram into Ger­many’s Russ­ian-speak­ing pop­u­la­tion. This was first test­ed in state elec­tions in Berlin last Sep­tem­ber. In those areas where there are very high num­bers of Russ­ian speak­ers liv­ing in Berlin, the AfD’s vote share was up to 35%,” For­brig said.

    He said these cam­paigns involved cir­cu­lat­ing posters and leaflets with mes­sages that were inim­i­cal to the Ger­man gov­ern­men­t’s posi­tion on Russ­ian sanc­tions or NATO.

    For­brig said there could be forms of Russ­ian sup­port for the AfD not yet rec­og­nized.

    The Alliance for Secur­ing Democ­ra­cy has con­clud­ed that Rus­sia has med­dled in the affairs of at least 27 Euro­pean and North Amer­i­can coun­tries since 2004 with inter­fer­ence that ranges from cyber­at­tacks to dis­in­for­ma­tion cam­paigns.

    In 2015, a Russ­ian-intel­li­gence-linked hack­ing group called Fan­cy Bear stole data from Ger­man par­lia­men­tar­i­ans, includ­ing Merkel. This data has yet to be released to the pub­lic. Fan­cy Bear is the same group thought to be behind the hacks of the Demo­c­ra­t­ic Nation­al Com­mit­tee in the run up to the U.S. elec­tion. Moscow repeat­ed­ly has dis­missed alle­ga­tions it inter­venes in elec­tions as anti-Russ­ian pro­pa­gan­da.

    Still, For­brig added the Ger­man elec­tion may be less sus­cep­ti­ble to out­side influ­ence for three rea­sons: Vot­ers watched alleged Russ­ian med­dling take place in the U.S. and French elec­tions, which has led to high lev­els of aware­ness; Ger­many’s mul­ti-par­ty elec­toral sys­tem makes it more dif­fi­cult to pre­dict how mes­sages and infor­ma­tion tar­get­ed at one group might impact oth­ers; and Ger­many’s media is, For­brig said, gen­er­al­ly more “bal­anced and calm” and lacks “shrill voic­es” com­pared to its coun­ter­parts else­where. Fur­ther, its media is still viewed as a trust­ed source of infor­ma­tion — not always the case in Pres­i­dent Trump’s Wash­ing­ton.

    ...

    ———–

    “There is med­dling in Ger­many’s elec­tion — not by Rus­sia, but by U.S. right wing” by Kim Hjelm­gaard; USA Today; 09/20/2017

    ““So far we have not been able to track down any specific Russian activity,” said Simon Hegelich, a professor of political science data at the Technical University of Munich who has advised the German government about the threat of hacking and fake news.”

    No Russian nefariousness to be found. Phew! Oh wait:

    ...
    Instead, Hegelich and oth­ers point to an alliance of most­ly anony­mous online trolls and extrem­ist agi­ta­tors who are dis­sem­i­nat­ing right-wing mate­ri­als through YouTube; mes­sag­ing board sites like 4chan and red­dit; and Gab.ai, a tex­ting ser­vice.

    “A lot of the stuff we are see­ing in Ger­many can be linked to, or is at least inspired by, the ‘alt-right’ move­ment in the U.S.,” Hegelich said, refer­ring to a loose­ly defined group whose far-right ide­ol­o­gy includes racism, pop­ulism and white nation­al­ism.

    He said prov­ing con­nec­tions among sym­pa­thiz­ers is extreme­ly dif­fi­cult and may nev­er be con­clu­sive. But an analy­sis of 300 mil­lion tweets over the past six months by Hegelich and researchers at the Tech­ni­cal Uni­ver­si­ty of Munich shows Ger­many is a hotspot for posts that use the hash­tag “#AltRight.”

    Many den­i­grate both lead­ing can­di­dates — Merkel and her con­ser­v­a­tive Chris­t­ian Demo­c­ra­t­ic Union par­ty, and her chief rival, Mar­tin Schulz of the left-of-cen­ter Social Demo­c­ra­t­ic Par­ty — with the hash­tags #Merkel and #Schulz.

    And many of those posts orig­i­nate in the U.S., adding to the impres­sion that right-wing social media users in both coun­tries may be try­ing to sway Ger­man pub­lic opin­ion. It’s pos­si­ble that some of this alt-right mes­sag­ing com­ing out of the U.S. may be con­nect­ed to Russ­ian inter­fer­ence; that, too, is dif­fi­cult to deter­mine, Hegelich said.
    ...

    Yep, the Alt-Right doesn’t need the Kremlin’s troll farm to get its message out. The ‘Alt-Right’ is a troll farm. A virtual troll farm that has its sights set on ensuring the AfD and other far-right parties do as well as possible.

    And this vir­tu­al troll farm has had some big help appar­ent­ly. From Face­book of course:

    ...
    San­dro Gay­ck­en, the founder and direc­tor of the Berlin-based Dig­i­tal Soci­ety Insti­tute, said right-wing voic­es are try­ing to infil­trate con­ver­sa­tions about the Ger­man elec­tion on Face­book and oth­er social media plat­forms.

    One exam­ple: Gay­ck­en said for the past two months, new and exist­ing Face­book users in Ger­many who search for polit­i­cal dis­cus­sion groups on the social media plat­form have been auto­mat­i­cal­ly giv­en rec­om­men­da­tions that pri­or­i­tize right-wing par­ties such as AfD, expect­ed to enter the coun­try’s nation­al par­lia­ment for the first time after Sun­day’s vote.

    “It’s real­ly strange because Face­book says this should be impos­si­ble because you are only sup­posed to get rec­om­men­da­tions based on your own ‘friends,’ ‘groups’ and ‘likes.’ But every­one in Ger­many is get­ting these right-wing par­ty rec­om­men­da­tions,” he said.

    “Even left-wing jour­nal­ists.”

    In a state­ment, Face­book said it was aware of the issue report­ed in Ger­many and that it was relat­ed to its “Groups Dis­cov­er” fea­ture, and that it has now tem­porar­i­ly turned off the cat­e­go­ry “news and pol­i­tics” in the “Dis­cov­er” tab while it inves­ti­gates the mat­ter.

    Face­book said it was also exam­in­ing the accounts of appar­ent­ly fake users who pur­chased Face­book ads dur­ing the U.S. elec­tion. These accounts were sub­se­quent­ly linked to the pro-Krem­lin troll farm known as the Inter­net Research Agency. Face­book said that it has not yet uncov­ered sim­i­lar ad pur­chas­es relat­ed to the Ger­man vote.

    “We haven’t seen any trace of the Rus­sians, just right-wingers,” Gay­ck­en added.
    ...

    ““It’s really strange because Facebook says this should be impossible because you are only supposed to get recommendations based on your own ‘friends,’ ‘groups’ and ‘likes.’ But everyone in Germany is getting these right-wing party recommendations,” he said.”

    Every­one in Ger­many is get­ting right-wing par­ties rec­om­mend­ed to them on Face­book. And appar­ent­ly this is only the case for right-wing par­ties. Anoth­er algo­rith­mic ‘oops!’? Is the vir­tu­al troll farm some­how gam­ing the sys­tem? Or is Face­book actu­al­ly qui­et­ly try­ing to use its immense pow­er to pro­mote the far-right? It’s a ques­tion we’re once again forced to ask.

    Another thing we should keep in mind related to the Bundestag hack of 2015 as an example of a high-profile political hack from Russia that Germany has already had to deal with:

    ...
    In 2015, a Russian-intelligence-linked hacking group called Fancy Bear stole data from German parliamentarians, including Merkel. This data has yet to be released to the public. Fancy Bear is the same group thought to be behind the hacks of the Democratic National Committee in the run up to the U.S. election. Moscow repeatedly has dismissed allegations it intervenes in elections as anti-Russian propaganda.
    ...

    That 2015 hack isn’t just related to the DNC hack because Fancy Bear was attributed with the hack in both cases. They’re also related by the fact that the same command and control server was used in both hacks. And we know this because both hacks utilized unencrypted malware that inexplicably hard coded the IP address of the command and control server, and that command and control server was apparently utilizing a version of OpenSSL that would have made it vulnerable to the Heartbleed attack. In other words, that command and control server that was used for both the Bundestag hack of 2015 and DNC hack of 2016 was vulnerable to effectively being hijacked and shared by multiple hacking groups.

    Thus far there doesn’t appear to be a big hack impacting Germany’s election and there isn’t much time left if it’s going to happen (the vote is on Sunday). But if there is, let’s not forget that, despite the fact that the big Macron hack in France’s elections continues to be routinely attributed to Russia in the US media and the NSA even said it was sure it was Russia, the French chief of cybersecurity said France had no evidence Russia did the hack, and the NSA refused to provide France evidence of Russian attribution, and the publicly available evidence of how the hacked documents were leaked online strongly suggests that it was neo-Nazi hacker Andrew “the weev” Auernheimer who actually carried out the hack. So when you read the comment about how the French elections were hacked by Russians like this one...

    ...
    Still, Forbrig added the German election may be less susceptible to outside influence for three reasons: Voters watched alleged Russian meddling take place in the U.S. and French elections, which has led to high levels of awareness; Germany’s multi-party electoral system makes it more difficult to predict how messages and information targeted at one group might impact others; and Germany’s media is, Forbrig said, generally more “balanced and calm” and lacks “shrill voices” compared to its counterparts elsewhere. Further, its media is still viewed as a trusted source of information — not always the case in President Trump’s Washington.
    ...

    ...don’t forget that the big Macron hack also appears to have American ‘Alt-Right’ neo-Nazi origins.

    Also note that, while the far-right troll army aggressively trying to get Marine Le Pen elected really was indeed comprised of French far-rightists, the National Front was using an ‘Alt-Right’ “Foreign Legion” on social media too.

    Which shouldn’t be too surprising. As Andrew Auernheimer told the world after Donald Trump’s victory:

    ...
    “There will never be an election again in which trolling, hacking and extreme far-right politics do not play a role,” Andrew Auernheimer, a hacker and blogger for the U.S. neo-Nazi Daily Stormer website wrote after Donald Trump’s election victory last year.
    ...

    Tragically, yep.

    Posted by Pterrafractyl | September 20, 2017, 11:09 pm
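The shared-server point in the comment above rests on an unencrypted implant carrying its command and control IP address in the clear, so that the same address turns up in samples from two campaigns. As an added example (not from the comment, the article it quotes, or any of the campaigns discussed), here is a small Python routine an analyst could run over sample bytes to pull out candidate IPv4 strings and report which addresses recur across samples. The sample bytes and the addresses in them are constructed (documentation-range values), as are the names SAMPLE_A and SAMPLE_B.

```python
import ipaddress
import re

# Constructed sample "binaries": header bytes, padding and an embedded dotted-quad,
# as an unencrypted implant with a hard-coded C2 address would carry. The values
# are placeholders from the IPv4 documentation ranges, not real infrastructure.
SAMPLE_A = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
            + b"connect:198.51.100.23:443\x00" + b"\x90" * 8
            + b"999.1.1.1\x00")          # looks like an address but is not a valid one
SAMPLE_B = (b"MZ\x90\x00" + b"\x00" * 8
            + b"http://198.51.100.23/up\x00"
            + b"beacon 203.0.113.5\x00")

# Dotted-quad candidates, not glued to surrounding digits or dots.
_IPV4_RE = re.compile(rb"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])")


def extract_ipv4(blob):
    """Return the set of syntactically valid IPv4 addresses embedded in blob."""
    found = set()
    for match in _IPV4_RE.finditer(blob):
        text = match.group(1).decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # e.g. 999.1.1.1: an octet out of range, so not an address
        found.add(str(addr))
    return found


def shared_infrastructure(samples):
    """Map each address to the sample names that embed it; keep addresses seen in 2+ samples."""
    index = {}
    for name, blob in samples.items():
        for ip in extract_ipv4(blob):
            index.setdefault(ip, set()).add(name)
    return {ip: names for ip, names in index.items() if len(names) >= 2}


if __name__ == "__main__":
    overlap = shared_infrastructure({"sample_a": SAMPLE_A, "sample_b": SAMPLE_B})
    for ip, names in sorted(overlap.items()):
        print(ip, "shared by", ", ".join(sorted(names)))
```

As the comment itself argues, an address that recurs across two sets of samples shows that infrastructure overlapped, not who operated it: a server that is itself compromised, rented or resold can be used by unrelated actors, so this kind of overlap is a lead for further correlation rather than attribution on its own.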
