
What We Learned About Russian and U.S. Spycraft From Mueller’s Indictment of Hackers


On Friday, Special Counsel Robert Mueller, as part of his investigation into interference with the 2016 presidential election, charged 12 Russian military intelligence officers with conducting “large-scale cyber operations to interfere with the 2016 U.S. presidential election.” The indictment contains a surprising amount of technical information about alleged Russian cyberattacks against a range of U.S. political targets, including the Democratic Congressional Campaign Committee, the Democratic National Committee, members of Hillary Clinton’s presidential campaign, the (probably Illinois) State Board of Elections, and an American election vendor, apparently VR Systems, and its government customers.

While the indictment only describes the U.S. government’s charges in this case, the specific technical evidence presented is compelling and paints by far the most detailed and plausible picture yet of what exactly occurred in 2016.

It also sheds light on what the U.S. government is capable of doing when it investigates cyberattacks, as well as how Russia’s Main Intelligence Directorate of the General Staff, or GRU, allegedly conducted the attacks — which it denies — and what operational security mistakes they made. Here are what I find to be the most compelling takeaways from the indictment.


A man walks past the building of the Russian military intelligence service in Moscow, Russia, on July 14, 2018.

Photo: Pavel Golovkin/AP

The Russians Got Caught Because They Didn’t Compartmentalize Enough

The indictment says that the organization DCLeaks, which claimed that it was started by a group of “American hacktivists,” and the persona Guccifer 2.0, who claimed to be a Romanian “lone hacker,” are both controlled by the named Russian intelligence officers. DCLeaks operated the website and the Twitter account @dcleaks_, and Guccifer 2.0 operated the website and the Twitter account @Guccifer_2.

Russian officers took steps to anonymize their hacking and infrastructure, according to the indictment, trying to leave no trace of their identity as they rented servers, registered internet domain names, and set up accounts for email, Twitter, and other uses. But they didn’t do the best job compartmentalizing this infrastructure. This allowed Mueller’s team to confirm that the same people were behind a number of ostensibly distinct operations: DCLeaks, Guccifer 2.0, the spear-phishing campaign, and the hacks of the DCCC and DNC networks.

For example, the spear-phishing emails that John Podesta, Clinton’s campaign chair, and others received included links to the URL shortening service Bitly. The Bitly account that created these links was registered using the email address “”. The attackers used that same email address to create an account on a provider where they leased a server, which they paid for using an “online cryptocurrency service” (based on the wording of some instructions quoted in the indictment, I think the service in question may be BitPay). This same cryptocurrency account was used to pay for registering the domain name. This means that whoever was behind the spear-phishing campaign (and thus the DCCC and DNC hacks) also bought the domain name, and also leased this server.

Before I bring up another example, here’s a quick note about how virtual private networks, or VPNs, work. VPNs can be used to conceal your internet protocol, or IP, address. When you connect to a website, for example, while connected to a VPN, that website learns your VPN’s internet address and not your real internet address.

Someone used “the same pool of bitcoin funds” to pay for a Malaysian VPN service, as well as a Malaysian server to host the website, the indictment states. Months later, someone logged into the @Guccifer_2 Twitter account from that same Malaysian VPN account. This confirms that the same people who are behind also have access to the @Guccifer_2 Twitter account.

What isn’t mentioned in the indictment is that, on one occasion, someone reportedly logged into the @Guccifer_2 Twitter account without connecting to a VPN service first, revealing their real IP address. “Working off the IP address,” the Daily Beast stated in March, “U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow.”
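As an added example (not code from the article or the indictment), the script below does what the article describes investigators doing: it treats every operation and every identifier (email address, payment account, VPN account, domain) as a node, links an operation to each identifier it touched, and then reads off the connected components. Reused identifiers collapse DCLeaks, Guccifer 2.0, the spear-phishing campaign and the leased server into one cluster, while a well-compartmentalized operation stays alone. All operation names and identifier values are constructed placeholders, not real values.

```python
"""Clustering ostensibly separate operations by the identifiers they share.

Added example (not from the article or the indictment). The records are
constructed to mirror the linkages the article describes: an email address
reused for a link-shortener account and a server lease, one cryptocurrency
account paying for that server and a domain, one pool of bitcoin paying for a
VPN and for hosting, and that VPN account later used for a Twitter login.
All names ("email-A", "wallet-1", ...) are placeholders, not real values.
"""
from collections import defaultdict, deque

# Constructed records: (operation, identifier kind, identifier value).
# Each row says "this operation touched this identifier", as an analyst might
# record it after receiving account records from a provider.
RECORDS = [
    ("spearphish-bitly-account", "email", "email-A"),
    ("vps-lease-us", "email", "email-A"),
    ("vps-lease-us", "crypto-account", "wallet-1"),
    ("dcleaks-domain-registration", "crypto-account", "wallet-1"),
    ("dcleaks-domain-registration", "domain", "domain-D"),
    ("dcleaks-hosting-malaysia", "domain", "domain-D"),
    ("dcleaks-hosting-malaysia", "bitcoin-pool", "pool-X"),
    ("vpn-malaysia", "bitcoin-pool", "pool-X"),
    ("vpn-malaysia", "vpn-account", "vpn-acct-7"),
    ("guccifer2-twitter-login", "vpn-account", "vpn-acct-7"),
    # A well-compartmentalized operation shares nothing and must stay separate.
    ("unrelated-blog", "email", "email-Z"),
]


def build_graph(records):
    """Bipartite graph: operation name (str) <-> identifier ((kind, value) tuple)."""
    graph = defaultdict(set)
    for op, kind, value in records:
        ident = (kind, value)
        graph[op].add(ident)
        graph[ident].add(op)
    return graph


def shared_identifiers(records):
    """Identifiers touched by more than one operation: the compartmentalization failures."""
    uses = defaultdict(set)
    for op, kind, value in records:
        uses[(kind, value)].add(op)
    return {ident: ops for ident, ops in uses.items() if len(ops) > 1}


def cluster_operations(records):
    """Connected components of the graph, each as a frozenset of operation names.

    Operations in the same component are joined by a chain of shared
    identifiers, so one actor (or one cooperating group) is behind all of them.
    """
    graph = build_graph(records)
    seen, clusters = set(), []
    for node in list(graph):
        if node in seen or not isinstance(node, str):
            continue
        stack, component = [node], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if isinstance(cur, str):
                component.add(cur)
            stack.extend(graph[cur] - seen)
        clusters.append(frozenset(component))
    return clusters


def linking_path(records, start, goal):
    """Shortest alternating chain operation -> identifier -> operation ... (BFS).

    Returns [] when the two operations are not connected at all.
    """
    graph = build_graph(records)
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for nxt in graph[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if goal not in prev:
        return []
    path, cur = [], goal
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


if __name__ == "__main__":
    for ident, ops in shared_identifiers(RECORDS).items():
        print(f"{ident[0]} {ident[1]} reused by: {sorted(ops)}")
    for cluster in cluster_operations(RECORDS):
        print("cluster:", sorted(cluster))
    for step in linking_path(RECORDS, "guccifer2-twitter-login", "spearphish-bitly-account"):
        print("  ->", step)
```

The chain printed by `linking_path` is the evidentiary argument itself: each identifier on it is a record some provider can confirm, which is why the article concludes the same people were behind all of these operations.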

Russian Hackers May Have Leased Infrastructure From U.S. Providers Who Talked to Investigators

To take over first the DCCC network and then the DNC network, GRU hackers, according to the indictment, used a spear-phishing email, which tricked the recipient into entering their password on a malicious site. They then used the victim’s credentials to access DCCC’s internal network and installed custom malware called X-Agent on “at least ten DCCC computers,” according to the indictment. Soon thereafter, the indictment states, the hackers pivoted to DNC’s network. From one of the DCCC computers, the Russian hackers allegedly “activated X-Agent’s keylog and screenshot functions to steal credentials of a DCCC employee who was authorized to access the DNC network.” Armed with DNC login credentials, they were able to access “approximately thirty-three DNC computers.” Once on the DNC network, they compromised DNC’s Microsoft Exchange Server, gaining access to thousands of emails.

After someone hacks a computer and installs spyware, the attacker then sends commands to the spyware to send data back to them. This is typically done by connecting to a computer known as a command and control, or C2, server.

According to the indictment, the computer that the Russians leased to act as X-Agent’s C2 server was located in Arizona. After they had allegedly infected computers in the DCCC network with X-Agent, they logged into this C2 server in order to issue commands to specific hacked computers to log keystrokes and take screenshots.

The indictment goes so far as to specify exactly what data was collected on this C2 server, and at what times. For example, it says that on April 14, the Russians surveilled a DCCC employee’s computer for eight hours, during which time they captured “communications with co-workers and the passwords she entered while working on fundraising and voter outreach projects.”

In the midst of the hack, the DNC discovered what was going on and hired security firm CrowdStrike to investigate it for them. On June 15, CrowdStrike published a blog post, scarce on details, announcing the compromise of the DNC network and attributing the hack to Cozy Bear and Fancy Bear, code names for the GRU hacking units.

Five days after CrowdStrike’s blog post, according to the indictment, the Russians allegedly deleted all of the logs from their C2 server that “documented their activities,” including their login history.

The fact that the U.S. government had access to the keystrokes and screenshots collected by the C2 server, and even knew at what point in time the GRU agents deleted the activity logs and login history from the server, leads me to believe that the hosting provider likely started to cooperate with the investigation, including possibly sharing snapshots of the hard drive connected to the C2 server. This would allow the investigators to have access to this information.

It also appears that the hackers were unaware that the DNC was on to them until after CrowdStrike published their findings. They appeared to have deleted logs from their C2 server after U.S. investigators already had access to it.

In addition to leasing a server in Arizona, the Russians also allegedly leased a separate server in Illinois that they used for a separate piece of malware called X-Tunnel, which was responsible for compressing and then uploading gigabytes of stolen documents from the DCCC and DNC networks to the server in Illinois “through encrypted channels.” It is possible that government investigators obtained information from the hosting provider they leased this server from, as well.

Several Other Companies Must Also Have Talked to Investigators

The quantity of technical detail related to GRU’s 2016 cyberattacks shows that the U.S. government has some impressive capabilities. But the primary capability it appears to have used wasn’t technical but legal: the subpoena. The U.S. government can compel companies to hand over data.

Based on reading the indictment, I think that the U.S. government almost certainly received data from Bitly, Twitter, Facebook, Google, WordPress, and probably from several other companies, including BitPay or other cryptocurrency payment processors, VPN providers, VPS hosting providers, and domain name registrars, among others. (Twitter and WordPress declined to comment. BitPay said, “BitPay has received subpoenas from U.S. government agencies but how the information is to be used or why it is requested is not shared with us.” Facebook and Google did not respond to a request for comment.)

With access to all of the information that companies hold about specific accounts, like the IP addresses the attackers used to log in to services, time stamps of when they were active, copies of emails and direct messages sent, and potentially images of the hard drives attached to servers used in the attack, it’s possible to paint a very detailed picture.

The U.S. Likely Compromised At Least Two GRU Officers’ Computers

One thing that stood out while reading the indictment is how many times the document mentioned exactly what one of the defendants, GRU cyber operations officer Ivan Yermakov, was researching on the internet, and when:

  • “On or about March 28, 2016, YERMAKOV researched the names of Victims 1 and 2 and their association with Clinton on various social media sites.”
  • “For example, beginning on or about March 15, 2016, YERMAKOV ran a technical query for the DNC’s internet protocol configurations to identify connected devices.”
  • “On or about the same day, YERMAKOV searched for open-source information about the DNC network, the Democratic Party, and Hillary Clinton.”
  • “On or about April 7, 2016, YERMAKOV ran a technical query for the DCCC’s internet protocol configurations to identify connected devices.”
  • “During that time, YERMAKOV researched PowerShell commands related to accessing and managing the Microsoft Exchange Server.”
  • “On or about May 31, 2016, YERMAKOV searched for open-source information about Company 1 [CrowdStrike] and its reporting on X-Agent and X-Tunnel.”

How could the U.S. investigators have access to this information? Two explanations come to mind. The most likely is that the National Security Agency compromised Yermakov’s computer and regularly logged his keystrokes or accessed his browser history. Another explanation would be that Yermakov used Google while logged into an account to do these searches, and the investigators learned his search history from Google. I find the latter to be less convincing because the search engine Yandex is much more popular in Russia, and are GRU officers really stupid enough to use California-based Google?

Another defendant, Anatoly Kovalev, an officer assigned to a different GRU cyber unit, was mentioned only in connection to attacks on the U.S. election infrastructure, not on the Democrats specifically. But one mention stood out:

  • “In or around August 2016, the Federal Bureau of Investigation issued an alert about the hacking of SBOE 1 [State Board of Election 1, probably the state of Illinois] and identified some of the infrastructure that was used to conduct the hacking. In response, KOVALEV deleted his search history. KOVALEV and his co-conspirators also deleted records from accounts used in their operations targeting state boards of elections and similar election-related entities.”

How could U.S. investigators know that Kovalev deleted his search history, as well as records belonging to multiple online accounts? Again, I believe the most likely scenario is that the NSA compromised his computer, accessed his browser history, and perhaps logged his keystrokes and took screenshots from his computer using a C2 server of their own.

My guess is that after GRU’s fatal mistake, logging into the @Guccifer_2 Twitter account from their Moscow-based IP address, U.S. investigators learned who worked in that office, what their roles were in the hack, and ultimately, infected some of their workstations with malware to gather further evidence.


Metal shelves for crypto-currency mining.

Photo: Eugene Odinokov/Sputnik via AP

The U.S. Government Is Very Good at Tracking Bitcoin

The indictment accuses the Russians of conspiring to “launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin.”

Far from being anonymous, bitcoin transactions are stored forever in a public ledger known as the blockchain that’s open for anyone on the internet to inspect. An account that holds bitcoin is called a “wallet,” but unlike traditional bank accounts, bitcoin wallets are just a number — they don’t include the identity or name of the owner. Because of this, if you’re able to acquire bitcoin anonymously, as the Russian defendants allegedly tried to do, you can spend it on anything without the transactions being linked to you.

But it turns out, this is much harder than it seems.

One method to gain access to bitcoin anonymously is to “mine” it, which involves devoting large amounts of computer power toward solving math problems on random numbers over and over again until you’re lucky enough to get a correct answer, in which case, a lot of money is added to your bitcoin wallet. According to the indictment, the Russians allegedly mined their own block of bitcoin. The indictment also alleges that the Russians used other methods to obtain bitcoin anonymously, including “purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards.” The latter method refers to buying prepaid gift cards, debit cards, or other similar cards from physical retail stores using cash, and then anonymously reselling them on the internet in exchange for bitcoin.

One complication to using bitcoin anonymously is payment processors. While it’s not necessary for bitcoin transactions, many websites that accept bitcoin as a type of payment use companies such as BitPay or Coinbase to help them process it. These payment processors often attach the buyer’s email address and IP address to transactions.

The use of these payment processors, along with reusing the same email address for different transactions, helped the U.S. investigators follow the money. They were likely also helped by looking at what was purchased in bitcoin transactions.

For example, the indictment states the hackers used their freshly mined bitcoin to purchase from a Romanian domain name registrar, and that a U.S.-based payment processing company was involved in the transaction. Because the block of bitcoin was used to purchase, that block must be controlled by GRU officers, and any other transactions from that same block also must have also originated from the GRU.

U.S. investigators could have linked the pool of bitcoin that the Russians mined to DCLeaks via information from the domain registrar, the cryptocurrency payment processor, or even just from the email account that would have received notifications and receipts from these two companies.
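The reasoning in the two paragraphs above, as an added example (not code from the article or the indictment): starting from a mined block reward, follow each output forward through every transaction that spends it. The script goes one step beyond the text by stopping at addresses known to belong to third parties such as a payment processor, since the processor’s onward movement of received coins is the processor’s activity, not the payer’s. The ledger, transaction ids and addresses are constructed placeholders.

```python
"""Forward-tracing spends of a mined block reward through a constructed ledger.

Added example, not from the article or the indictment. The ledger below is
constructed: a block reward is spent on a domain registration through a payment
processor, the change then pays a VPN provider, and the processor later sweeps
that payment together with an unrelated customer's coins. Transaction ids and
addresses are placeholders, not real values.
"""
from collections import deque

# Constructed ledger. Outputs are (address, amount_btc); an input names the
# output it spends as "txid:index".
LEDGER = [
    {"txid": "block-reward", "inputs": [],
     "outputs": [("miner-addr", 12.5)]},
    {"txid": "pay-registrar", "inputs": ["block-reward:0"],
     "outputs": [("processor-addr", 0.02), ("change-1", 12.48)]},
    {"txid": "pay-vpn", "inputs": ["pay-registrar:1"],
     "outputs": [("vpn-provider-addr", 0.01), ("change-2", 12.47)]},
    {"txid": "other-customer", "inputs": ["stranger-tx:0"],
     "outputs": [("processor-addr", 0.05)]},
    {"txid": "processor-sweep", "inputs": ["pay-registrar:0", "other-customer:0"],
     "outputs": [("processor-cold", 0.07)]},
]

# Addresses known (from the providers' own records) to belong to third parties.
# Tracing stops at them: what a payment processor does with received coins is
# the processor's activity, not the original payer's.
THIRD_PARTIES = {"processor-addr": "payment processor",
                 "vpn-provider-addr": "VPN provider"}


def index_spends(ledger):
    """Map each spent output reference 'txid:index' to the txid that spends it."""
    spent_by = {}
    for tx in ledger:
        for ref in tx["inputs"]:
            spent_by[ref] = tx["txid"]
    return spent_by


def trace_block_reward(ledger, origin_txid, third_parties):
    """Follow the reward's outputs forward through every spend.

    Returns (controlled, payments): the txids that move coins still under the
    miner's control, and a list of (txid, counterparty, amount) for coins that
    left to a known third party. Each counterparty is a lead an investigator
    can follow up with that provider (email address, IP address, what was bought).
    """
    by_id = {tx["txid"]: tx for tx in ledger}
    spent_by = index_spends(ledger)
    controlled, payments = {origin_txid}, []
    queue = deque([origin_txid])
    while queue:
        txid = queue.popleft()
        for idx, (addr, amount) in enumerate(by_id[txid]["outputs"]):
            if addr in third_parties:
                payments.append((txid, third_parties[addr], amount))
                continue          # do not follow the third party's onward spends
            nxt = spent_by.get(f"{txid}:{idx}")
            if nxt and nxt not in controlled:
                controlled.add(nxt)
                queue.append(nxt)
    return controlled, payments


if __name__ == "__main__":
    controlled, payments = trace_block_reward(LEDGER, "block-reward", THIRD_PARTIES)
    print("transactions still controlled by the miner:", sorted(controlled))
    for txid, who, amount in payments:
        print(f"  {txid}: {amount} BTC to {who}")
```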

The Government Captured DMs and Emails Between WikiLeaks and Guccifer 2.0; WikiLeaks Encouraged Misinformation About Source

According to the indictment, on June 22, WikiLeaks sent a message to Guccifer 2.0 (the indictment doesn’t specify on which platform) asking that they “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.”

On July 6, WikiLeaks asked again: “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after,” adding that “we think trump has only a 25% chance of winning against hillary … so conflict between bernie and hillary is interesting.”

On July 14, Guccifer 2.0 sent an email to WikiLeaks that included an encrypted attachment named “wk dnc link1.txt.gpg.” But the body of the email was plaintext — unencrypted and vulnerable to interception by third parties. The indictment says that the unencrypted body explained that “the encrypted file contained instructions on how to access an online archive of stolen DNC documents.” Four days later, WikiLeaks responded to this email in another plaintext email, saying that it had received “the 1Gb or so archive” and would release the documents that week.

On July 22, WikiLeaks published a database containing the hacked DNC emails.

The indictment doesn’t publish the full text of this exchange of private messages and emails, although it seems clear from quotations in the indictment that Mueller’s team possesses them. They are consistent, in both content and typo-ridden style, with previous leaked Twitter direct messages between WikiLeaks and its closest supporters. Surely WikiLeaks understood that its Twitter DMs and plaintext emails with its source, Guccifer 2.0, would eventually come to light.

Two and a half weeks after publishing the DNC emails, while being interviewed on a Dutch television show, WikiLeaks editor Julian Assange encouraged a conspiracy theory that DNC staffer Seth Rich, who had just recently been killed in what the D.C. police say was a botched robbery, was his source for the DNC emails. After stating WikiLeaks sources face danger, Assange alluded to Rich’s shooting, and again alluded to the risks faced by WikiLeaks sources, before stating “we don’t comment on who our sources are.”

“Whistleblowers go to significant efforts to get us material, and often very significant risks,” Assange said. “There’s a 27-year-old, works for the DNC, who was shot in the back, murdered, just a few weeks ago, for unknown reasons as he was walking down the street in Washington.”

WikiLeaks did not respond to a request for comment.

Whistleblower Reality Winner Is in Prison for Leaking Essentially the Same Information Now Being Used as Evidence Against Russian Officers

In the Trump administration’s first leak prosecution, 26-year-old former NSA contractor Reality Winner was indicted under the Espionage Act for disclosing a classified document to a news organization. The news organization in question is widely reported to be The Intercept, which published a top-secret document describing in detail a GRU plot to hack American election vendor VR Systems, and then target its customers — local election officials in swing states — with a spear-phishing campaign.

At least some state election officials learned about GRU’s spear-phishing attack from reading about it in the news, not from the federal government — prompting two of them, North Carolina and Virginia, both VR Systems customers, to begin searching their internal emails for evidence of being targeted by the spear-phishing campaign.

Two and a half weeks before Mueller’s office issued the indictment against these 12 GRU officers, Winner entered into a plea deal with the Justice Department, pleading guilty to one count of violating Section 793 of the Espionage Act and agreeing to serve 63 months in prison and three years of supervised release.

The key information that Winner is said to have released to journalists — that NSA had evidence that Russia conducted cyberattacks against the U.S. electoral system — is now being publicly used to indict the GRU agents who allegedly planned and executed that attack. (Other information from the document linked to Winner does not appear in the indictment.)

Winner is currently awaiting her sentencing hearing in county jail in Lincolnton, Georgia, where she’s been since her arrest in June 2017. After she’s sentenced, she’ll be transferred to federal prison, where, if she serves the full 63 months she agreed to in her plea deal, she’ll be scheduled for release in 2022.

The post What We Learned About Russian and U.S. Spycraft From Mueller’s Indictment of Hackers appeared first on The Intercept.


What data on 20 million traffic stops can tell us about ‘driving while black’

A new book uncovers big racial disparities in policing.

Brett Kavanaugh Repeatedly Ruled in Favor of the Security State, Most Recently for the CIA — and Against Me


On a Monday afternoon, on July 9, the D.C. Court of Appeals handed down a 2-1 decision against me and in favor of the CIA in a long-running Freedom of Information Act lawsuit. At 4:20 p.m., Judges Brett Kavanaugh and Gregory Katsas, a Trump appointee, filed a 14-page opinion with the clerk of the court in Washington. They ruled that the CIA had acted “reasonably” in responding to my request for certain ancient files related to the assassination of President John F. Kennedy in 1963. Appended to their decision was a 17-page dissent from their colleague Judge Karen LeCraft Henderson who strongly objected to their decision.

That evening, President Donald Trump announced to the world that Kavanaugh was his choice to fill the Supreme Court seat of retiring Justice Anthony Kennedy. In his remarks at the White House event, Kavanaugh touted his “Female Relationship Resume” and declared, “My judicial philosophy is straightforward: A judge must be independent and must interpret the law, not make the law.”

In her tart dissent issued that morning, Henderson, the senior judge in the D.C. Court of Appeals, called that claim into question. She took Kavanaugh to task precisely for a lack of independence and for making law, rather than interpreting it. On the issue of compensation for successful FOIA litigants, Henderson said the prospective Supreme Court justice ignored the letter of the law while siding with a “recalcitrant” CIA over a working journalist — i.e., me — who had uncovered information of genuine public benefit.

Kavanaugh’s ruling in Morley v. CIA was of a piece with his record as an advocate of unbridled executive branch power. His view that a sitting president cannot be indicted, or even subpoenaed, is well known. Less known is his permissive treatment of the CIA. In my case, as in another key FOIA case from 2014, Kavanaugh ruled that the agency could not be held publicly accountable for its actions — even ones that occurred more than 50 years ago.

Henderson not only dismantled Kavanaugh’s arguments, but her dissent also identified some recurring flaws in his jurisprudence. The source was almost as notable as the document itself.

Henderson is no liberal. She was working as a lawyer in private practice in Charleston, South Carolina, when President Ronald Reagan appointed her to the federal bench in 1986. In 1990, President George H.W. Bush elevated her to the D.C. Court of Appeals. She is a conservative who chafes at concepts like abortion rights and immigrant rights. Last October, she joined Kavanaugh in ruling that a pregnant, unaccompanied 17-year-old migrant did not have the right to obtain an abortion while in custody of the Department of Homeland Security.

Henderson faulted her colleague Kavanaugh on impeccably conservative grounds.

In other instances, Henderson has given the benefit of the doubt to U.S. national security agencies. In 2008, she ruled against four Guantánamo detainees seeking to sue Defense Secretary Donald Rumsfeld for the torture they endured. She dismissed their case with the rather blithe observation that “torture is a foreseeable consequence of the military’s detention of suspected enemy combatants.”

Henderson, however, didn’t give Kavanaugh the benefit of the doubt in Morley v. CIA. Rather, she faulted her colleague on impeccably conservative grounds: his excessive deference to government arguments, which she found unwarranted by facts; his willingness to overlook relevant law, which she found inexplicable; and his willingness to substitute his own opinions for the law, which she found unacceptable. She wrote, “The majority, it appears to me, overlooks the district court’s latest errors in order to ‘bring the case to an end.'”

Henderson’s dissent illuminates Kavanaugh in action: a creative and cavalier judge who is willing to make law — not interpret it — when it comes to ruling in favor of the government.

I had glimpsed Kavanaugh up close several times in the course of my lawsuit, which was filed in 2003. He heard oral arguments from my pro bono attorney Jim Lesar three times, in 2011, 2014, and 2018. In these hearings, he struck me as an engaged jurist with an agile mind. He asked incisive questions. In his subsequent written decisions, I could discern his judgment on how FOIA law applies to issues of journalism, transparency, and national security. He was conservative, but smart and seemingly open to opposing arguments. I had harbored hopes that he might rule in my favor, but his agility was more opportunistic than independent.

A review of the “protracted history” — Henderson’s phrase — of the case shows why. In Morley v. CIA, I sought the records of a deceased undercover CIA officer, George Joannides. Based on extensive interviews with his former Cuban-American associates, I knew Joannides was working undercover out of Miami in 1963 and had some knowledge about events leading up to the assassination of John F. Kennedy Jr. Joannides had also served as the agency’s liaison to congressional investigators who re-opened the JFK investigation in 1978.


CIA officer George Joannides, left, receives a Career Intelligence Medal in 1981 from deputy CIA director Bobby Ray Inman.

Photo: CIA

In 2004, the CIA responded by giving me a small batch of documents from Joannides’s personnel file. Beyond that, the agency asked for summary judgment to block any further releases, which was promptly granted by District Court Judge Richard Leon, a George W. Bush appointee. Lesar filed an appeal on my behalf, contending that the CIA had not conducted the searches required by law.

In December 2007, a three-judge panel — including Henderson — upheld most of Lesar’s arguments. The judges unanimously agreed that the agency’s actions had failed to follow the Freedom of Information Act on no less than seven different points of law. The court ordered the CIA to reconsider its response and conduct additional file searches. Nine months later, the CIA gave me an additional 500 pages of documents, including photographs of Joannides receiving a Career Intelligence Medal, one of the agency’s highest honors.

I appealed, seeking still more documents. In April 2012, another three-judge panel — this time including Kavanaugh — ruled my arguments were without merit and the case was closed, at least on the issue of what documents would be released.

Yet I had one more argument. The case law around the FOIA holds that when a plaintiff “substantially prevails” over the government, they are entitled to have their court costs paid by the defendant. So I filed a motion for the government to pay my court costs, namely compensation for Lesar.

A veteran FOIA litigator, Lesar often takes difficult cases on a contingency basis for working journalists or public interest causes, gambling that if he wins, the government will pay his fee. His clients have included well-known authors and veteran Washington journalists. In Morley v. CIA, he had merely bested a squadron of CIA and Justice Department lawyers with three-piece suits and six-figure salaries. I thought he should get compensated, and the law indicated the same.

The CIA refused, claiming there was little “public benefit” to the new information generated by the lawsuit. Leon, the district court judge, agreed. I appealed again, thinking my case was strong. By then, the lawsuit had been covered by the New York Times and Fox News. The Associated Press New York office had compiled a long report on still-secret JFK records, including the Joannides files, which ran in 30 news outlets across the country, including the San Diego Union, St. Paul Pioneer Press, and CBS News in Dallas. The Times and at least six other news sites published the photo of Joannides receiving his medal, which the CIA had only coughed up under judicial order. In short, many news editors thought the information I had found would benefit their readers. I expected that would count for something.


From left, U.S. Senate Majority Whip Mitch McConnell, R-Ky., then-D.C. Circuit Court of Appeals nominee Brett Kavanaugh, and Senate Majority Leader Bill Frist, R-Tenn., hold a news conference in the Capitol on May 22, 2006.

Photo: Chip Somodevilla/Getty Images

Kavanaugh served on the three-judge panel that heard oral arguments on the issue in 2014. He and two other judges agreed that Leon had failed to apply a four-factor test of “public benefit,” established in previous FOIA cases. The test balances the value of the information sought or obtained for an informed citizenry, the plaintiff’s commercial interests, and the government’s actions. Leon, they found, had improperly relied on only one factor: His belief that the release of Joannides files had added nothing of substance to the JFK assassination story. The appellate court sent the case back.

In March 2017, Leon shuffled his thoughts and once again ruled that there was no “public benefit” from my case. I again appealed, and, a year later, I finally had my day in court. On March 19, 2018, a new three-judge panel consisting of Kavanaugh, Henderson, and the newcomer Katsas heard the latest round of arguments in the federal courthouse in Washington. By that time, Kavanaugh knew that his name was on Trump’s November 2017 short list of candidates to fill the next Supreme Court vacancy.

Kavanaugh was his usual brisk self in the hearing. He gaveled from the center seat while Henderson listened remotely by telephone, and the forlorn Katsas looked on, perhaps bewildered by the complexity of a case infused with the conspiratorial overtones that inevitably shroud any public discussion of the JFK story. Kavanaugh closely questioned Lesar, while Henderson corrected the government attorney Benton Peterson on a point of fact. After 30 minutes of questions, the hearing was over.

Kavanaugh’s decision could not be considered a surprise. He had sided with the CIA before.

The three judges deliberated for three and a half months. They filed a split decision on July 9 that was delivered per curiam — “by the court” in Latin — denoting an unsigned opinion usually reserved for unanimous or collective decisions. It was an odd designation for a decision contested by the senior judge on the Court of Appeals, but the label spared Kavanaugh from having his name on a pro-CIA decision on the same day as a big announcement. Five hours after the opinion was filed, Kavanaugh stood beaming with his wife and daughters in front of the TV cameras as Trump announced his nomination for the Supreme Court.

Kavanaugh’s decision could not be considered a surprise. He had sided with the CIA before. In 2014, he ruled against the nonprofit National Security Archive in a prolonged FOIA lawsuit over an internal history of the failed 1961 CIA operation at the Bay of Pigs. Kavanaugh, in a 2-1 ruling, agreed with CIA and Justice Department lawyers that the document was a “draft,” and its release would “expose an agency’s decision-making process in such a way as to discourage candid discussion within the agency and thereby undermine the agency’s ability to perform its functions.”

Kavanaugh was referring to a study that was 50 years old. Congress quickly overturned his decision with legislation mandating that such histories be released after 25 years.

In my case, Kavanaugh ruled for the CIA again.

“This FOIA case has dragged on for a staggering 15 years,” the majority opinion began, a line that seems likely to have been written by Kavanaugh, given Katsas’s recent arrival on the bench. “The litigation over attorney’s fees alone has taken eight years. It is time to bring the case to an end.”

The CIA had acted “reasonably,” he said. The word recurred 15 times in the opinion. The words “reasonable” and “unreasonable” showed up 24 times. The CIA had been reasonable, Kavanaugh wrote, while depicting me as a modestly paid scrounger who was wasting the court’s time over claims of “minimal” interest about the JFK assassination. He said nothing about the JFK Records Act as a unanimous expression of Congress in support of full disclosure or about the mainstream media coverage of the lawsuit as a possible public benefit.

In her tightly argued dissent, Henderson wasted no time in blasting Kavanaugh’s insinuations.

“Over the past 15 years, we have remanded this case four times,” she declared. “During the same period, we have reversed the same district court twice in a nearly identical Freedom of Information Act (FOIA) case. That makes six opinions from this court. I share the majority’s displeasure at the resulting waste of judicial resources, especially because ‘fee litigation [is] one of the last things lawyers and judges should be spending their time on,’” she wrote, citing one of her old decisions in a separate case. Henderson added, “Jefferson Morley, however, is not to blame for this ‘staggering’ saga.”

Henderson pointed out that the court’s 2013 remand order found that I had already met the standard of “public benefit” established in case law. She quoted that decision at length and went on to briefly outline some key points in my case, namely, the connections between Joannides, an anti-Batista-turned-anti-Castro Cuban exile group called Directorio Revolucionario Estudiantil, and accused JFK assassin Lee Harvey Oswald:

Morley’s request had potential public value. He has proffered — and the CIA has not disputed — that Joannides served as the CIA case officer for a Cuban group, the DRE, with whose officers Oswald was in contact prior to the assassination.

She noted that the court had also “previously determined that Morley’s request sought information ‘central’ to an intelligence committee’s inquiry into the performance of the CIA and other federal agencies in investigating the assassination.”

“In other words,” the exasperated Henderson wrote, “we held that Morley satisfied the public-benefit factor in this case.”

By ignoring this finding, Henderson went on, Kavanaugh ultimately depended on repeated assertions that the CIA had responded “reasonably” to my inquiries. Yet, Henderson noted, the appellate court’s 2007 decision had found the agency’s initial response to my FOIA request deficient on seven different legal points. Kavanaugh had decided in favor of an agency that had flouted the law, she concluded.

“To me, the CIA’s multiple flawed legal positions suggest that it was ‘recalcitrant’ in declining to produce any documents before being sued,” Henderson wrote.

While Kavanaugh had shot me down, I could take Henderson’s closing words as a moral victory. She wrote:

This case does not call for “[d]eference piled on deference.” … It calls for an adherence to … our four earlier Morley opinions. Because I believe the district court ignored our mandate and misapplied our precedent, I would vacate the district court order a fifth time and remand with instructions to award Morley the attorney’s fees to which he is entitled.

Henderson’s dissent stands as a warning from a civil and conservative colleague about Supreme Court nominee Brett Kavanaugh. She has identified a strain of recklessness in Kavanaugh’s cynical jurisprudence. She wrote that, in his opinion with Katsas, Kavanaugh had “ignored our mandate and misapplied our precedent.”

Top photo: Judge Brett Kavanaugh listens to Sen. Rob Portman, R-Ohio, talk about Kavanaugh’s qualifications before a meeting in the Russell Senate Office Building on July 11, 2018, in Washington, D.C.

The post Brett Kavanaugh Repeatedly Ruled in Favor of the Security State, Most Recently for the CIA — and Against Me appeared first on The Intercept.

What The Latest Mueller Indictment Tells Us About Election Hacking

Summer Fridays just aren’t as relaxing as they used to be. This afternoon, special counsel Robert Mueller released indictments of 12 Russian intelligence officers alleging that they conspired to hack into various Democratic Party computers and email accounts during the 2016 election, and that they communicated with people associated with the Trump campaign. The indictment also singled out Russian intelligence for having hacked into a state board of elections website and a private company that helps administer elections.

While the Mueller investigation is primarily focused on whether members of the Trump campaign colluded with Russia, it has also tackled issues of Russian interference in our democracy at large. Russian tampering with election systems is a troubling piece of that interference, and remains a worry with four months to go until the midterm elections. (Here’s a story I wrote in the spring about a worst-case scenario for Russian interference on this upcoming Election Day.)

American elections are administered by states and local municipalities, using a combination of in-house systems and private vendors that don’t operate under a consistent security standard. We’ve known for almost a year that the election systems of 21 states were scanned by Russian hackers in the lead-up to the 2016 elections. To our knowledge, only one state, Illinois, is confirmed to have been hacked. So what new information did today’s indictments tell us about 2016 election interference?

What we learned today

Count 11 of Mueller’s indictment tells us that in or around July 2016, Russian intelligence officers hacked into a state board of elections website and “stole information related to approximately 500,000 voters.” Though the state is not named, this is probably referring to the hack of the Illinois system, during June and July 2016. But the indictment appears to reveal that more voter information was exposed than originally thought: Illinois authorities initially said that the names and personal information of fewer than 200,000 voters had been exposed, but if the hack detailed in the Mueller indictment is in fact the Illinois attack, then that number was underestimated by about 300,000.

The Mueller indictment also tells us that in addition to targeting state election sites, the hackers scanned the web presences of certain counties in Georgia, Iowa and Florida, looking for vulnerabilities.

Anything else of interest?

The indictment potentially confirms an Intercept report from last year that a private company involved with election administration was also targeted by the hackers.

Mueller’s indictment says that the Russian intelligence officers hacked into the computers of a vendor that supplied software used to verify voter registration information. The Intercept report was based on National Security Agency documents, which did not directly identify the company but made references to a product made by VR Systems, whose products are used in eight states. The indictment also says the hackers sent more than 100 targeted phishing emails to people involved with administering Florida elections.

Would Asking People To Hack America’s Election Systems Make Them More Safe?

There are four months until the midterm elections, and the security of state election systems remains a concern. The clock is ticking to ferret out problems and fix them before Nov. 6. Websites associated with voting continue to have poor cybersecurity hygiene, even after the revelation that hackers probed the systems of 21 states in the lead-up to the 2016 election. And while Congress has increased the funds available to states to improve their election systems, many are still jumping through bureaucratic hoops to actually access the money.

One way to supplement much-needed security checks of election systems would be to replicate the security practices of tech-savvy companies. Many private tech companies treat cybersecurity differently than the government does, adapting security practices to deal with inevitable mistakes quickly and through the wisdom of the crowd. They rely partly on outside feedback to suss out vulnerabilities, something that many in the elections community seem allergic to. This could mean that fixable security flaws are left on the table for bad actors to exploit.

Tech companies were among the first to use crowdsourcing as a way to fix mistakes that cropped up in their systems. In a more innocent time for the internet, the tech community developed responsible disclosure programs for vulnerabilities based on good faith. “Norms began to develop,” said Alex Rice, former head of product security at Facebook and a co-founder of HackerOne, a company that works to help hackers and security researchers safely disclose vulnerabilities. “The right thing to do for all users of that technology was to get it into the hands of people who could take action and fix it.”

Later, tech companies started cash rewards programs — “bug bounties” — that gave hackers an incentive to report vulnerabilities through the proper channels rather than sell them on the black market.

But more traditional companies and the government have been slower to adapt to the norms of responsible disclosure. (The Department of Defense has been working to adapt more quickly, launching a “Hack the Pentagon” initiative in 2016.) Probing online systems for bugs without the owner’s permission is technically a violation of the Computer Fraud and Abuse Act, a 1986 law meant to provide a framework for prosecuting digital crime. The law bans access to computers and networks “without authorization or exceeding authorized access,” a broad framing that prosecutors have used to target such actions as stealing corporate secrets from computer networks and setting up fake accounts on social media.

While the norm in most parts of Silicon Valley is to ignore the law for the sake of righting security flaws — many see it as woefully outdated and vaguely written — that’s not the case for every company’s approach to security. “One of the really perverse realities of being online today is there’s not a real legal framework of what you should be doing when you come to a security vulnerability,” Rice said. “That has created a pretty significant chilling effect.” Hackers and independent security researchers fear prosecution if they report vulnerabilities.

Nate Cardozo, a lawyer at the Electronic Frontier Foundation who works on the organization’s Coders’ Rights Project, described two disparate approaches to cybersecurity. One is the open-source approach that’s been embraced by the academic and computer science communities, where source code is publicly available for vetting in the way an academic paper is subject to peer review. The other is “security through obscurity,” which Cardozo described as, “We defend our product by keeping the source code proprietary.” Security through obscurity is looked down on by most in the tech community, Cardozo said, but it’s the approach favored by many in the elections community. That’s why those who find vulnerabilities in state election systems or in the systems of vendors used by states — the private companies that manufacture voting machines and election software — might be less likely to report them.

Neil Jenkins, a former Department of Homeland Security official and the current chief analytic officer of the Cyber Threat Alliance, agreed that election security is lacking when it comes to handling independent reports of security vulnerabilities. The norms are different, Jenkins said, in part because there’s a more adversarial relationship between election security researchers and private vendors of election software and equipment. “There’s not a lot of trust between people who have done research on elections systems vulnerabilities and vendors,” he said.

A recent example of this lack of trust comes from Georgia. In 2017, security researcher Logan Lamb found that voter information from the Georgia secretary of state’s office was available online after he ran a script on the website for Kennesaw State University’s Center for Election Systems, which was responsible for testing some of the state’s voting machines. Lamb reported the problem to the center and was told by the executive director that if he talked about the vulnerability, “the people downtown, the politicians … would crush” him, according to an interview Lamb gave to Politico Magazine. Later, after the vulnerability became public, Lamb was investigated by the FBI.

The potential for legal trouble could be seen as daunting to many who want to report security breaches. Cardozo said that because of the legal gray area, the Electronic Frontier Foundation has created practical guidelines for hackers and security researchers hoping to responsibly report a vulnerability to entities that might not be used to receiving them.

“We view our role as advising the researcher on their relative risk — not just their legal risk but the risk that they’ll get sued, even if it’s a frivolous suit,” Cardozo said. The foundation also advises security researchers on the basics of how to approach a company with a vulnerability, right down to proofreading emails to ensure that they don’t sound threatening to the company.

While many like Cardozo think the Computer Fraud and Abuse Act ought to be updated — a bill named after coder Aaron Swartz aims to do just this — the short-term problem of fixing existing flaws in election systems still exists. Jenkins is optimistic that the Department of Homeland Security could do something to ensure that states are made aware of flaws sooner.

“This is something that DHS could probably help with at pretty low cost to DHS,” he said, noting there’s an already-existent coordinating council meant to facilitate information sharing about election infrastructure that could be used to promote a more open culture. A DHS official told FiveThirtyEight that in its work with state and local election officials, the coordinating council is “growing and maturing the risk management culture in this sector, which includes discussions on vulnerability disclosure.” The elections community, the spokesperson said, would be open to bug bounties and vulnerability reporting.

But Rice of HackerOne remains more circumspect given the lack of trust between security researchers and the elections community — and the continued legal gray area that hackers and researchers operate in. He praised the National Cybersecurity and Communications Integration Center, a DHS-run program tasked with responding to incidents that affect critical infrastructure like voting systems, but said it’s not enough. The DHS official said that no election infrastructure vulnerabilities had been reported to NCCIC in fiscal year 2017. There were more than 800 vulnerabilities reported in critical infrastructure industrial control systems — nuclear reactors, electrical grids, dams and the like.

“[NCCIC] is a great piece of the puzzle in that it allows communication to be established, but it doesn’t go all the way in that researchers who participate in that process can’t be confident that the contractors and vendors who are actually building the voting systems don’t prosecute them,” Rice said.

Until that changes, well-meaning hackers are sure to be more hesitant to come forward with fixes, leaving election systems at the mercy of more malevolent cyber actors.

Read more: “The Moscow Midterms”

CORRECTION (July 12, 2018, 4:23 p.m.): An earlier version of this article misspelled the name of coder Aaron Swartz.

The Great Tariff Boat Race

IMAGE: Peak Pegasus. Photo by Jackie Pritchard, Marine Traffic.

Peak Pegasus is a bulk cargo ship, built in 2013, and, like so many commercial vessels, flagged in Liberia. At 229 metres long and 32.26 metres broad, she is Panamax-sized (the maximum width that can squeak through the canal is 32.31 metres), and she can carry a little more than 82,000 tons of whatever you need to move. For her owner, JP Morgan Global Maritime, that has most recently meant commodity crops such as sorghum and soybeans. And that, thanks to the imbecile currently installed in the White House, has made her last couple of voyages more interesting than usual.

For those who have switched off the news in despair, a quick update: the United States recently imposed tariffs on $34 billion worth of Chinese goods; the Chinese responded by levying an equal amount on American imports; and, just today, the White House has threatened to tax an additional $200 billion of Chinese tilapia, handbags, and chemicals.

The majority of farmers across the American Midwest voted for the current President. They also export more than half their soybean harvest to China, as livestock feed. In Kansas, Texas, Colorado, and Oklahoma, farmers also grow tens of thousands of acres of sorghum, specifically for export to China, where it is fed to pigs and distilled into baijiu. What could possibly go wrong?

This is where the recent adventures of Peak Pegasus are instructive. According to Reuters, back in April, the Peak Pegasus took on 58,503 tonnes of sorghum from an Archer Daniels Midland grain elevator in Corpus Christi, Texas, and set off for Guangzhou, in southern China. En route, officials in Beijing announced that they were launching an anti-dumping probe into U.S. sorghum exports, in retaliation for new U.S. tariffs on imported Chinese washing machines and solar panels.

Peak Pegasus changed direction, heading instead for South Korea. It was, Reuters reported, one of twelve cargo ships full of sorghum headed to China, whose importers, faced with losses of millions of dollars, were frantically trying to resell the grain elsewhere. “Four cargoes have been resold to Saudi Arabia and Japan, and another is heading to Spain,” Reuters continued, but at “steep discounts.”

IMAGE: Peak Pegasus en route, via Bloomberg.

Fast forward a couple of months, and the Peak Pegasus was in Seattle, loading up with 70,000 tonnes of American soybeans. It left on June 8, headed to Dalian, in northeast China. China’s new 25 percent levy on the cargo was scheduled to take effect at noon on Friday, July 6; three weeks into its month-long journey, Peak Pegasus was scheduled to land with a few hours to spare—long enough, according to an anonymous source quoted by Bloomberg, to clear customs before the tariffs took effect.

As it neared China, Peak Pegasus accelerated—and also began trending on Chinese social media. According to Reuters, on Friday, July 6, the ship’s progress was the 34th-highest ranked topic on Weibo, with users wishing it luck. “You are no ordinary soybean!” cheered one user.

And then, tragedy. Peak Pegasus finally arrived in Dalian at 5.07 p.m. local time. On Weibo, Reuters reported, one user wondered whether letting the beans sprout might offer a loophole, while another offered to take the soy on a romantic trip to Turkey instead. As of today, Peak Pegasus is still a few miles offshore, lying at anchor amidst a cluster of ships.

IMAGE: Peak Pegasus’s position on July 11, according to Marine Traffic.

In an interview with the Communist Party’s official newspaper, the People’s Daily, on Wednesday, Yu Xubo, the president of state grain trader COFCO, said that, going forward, China will feed its pigs with soybean imports from South America instead, as well as increased imports of rapeseed, sunflower seed, and fishmeal. Meanwhile, much of the 90 million acres of the American Midwest—an area almost the same size as California—that is currently planted with soybeans will likely switch to crops with lower profit margins, such as corn or wheat, instead. And, no doubt, the Peak Pegasus’s future voyages will look quite different.

(Thanks to Geoff Manaugh for the tip.)

"As it neared China, [the cargo ship] Peak Pegasus accelerated—and also began trending on Chinese social media."