I’m concerned about this TrumpiLeaks page on Michael Moore’s website. I’m concerned about it because I spend a lot of time thinking about information security and helping people practice it. I’m concerned about it because we all know examples of news outlets who do actually obsess about source protection and yet still, on occasion, have gotten it wrong.
My own little side project on the topic is slow moving, mostly due to a lack of money + time. But I’d rather have it slow moving instead of thoughtless risk enabling. I don’t mind risk-takers. A number of people I work with fit that description, but they know these risks and have at least given passing thought to how to reduce them. This TrumpiLeaks page is all egging-on and little mitigation. It’s kind of similar to the New York Times’ own confidential news tip page, the only major difference being that they’ve got a SecureDrop option. The options they list may be secure, depending on the person’s situation, but choosing the right end-to-end encryption tool is just the beginning. The Intercept has a page that goes into this, but most people will not be equipped with the skills or experience to make the right decisions. It’s also very likely that by coming across the information they want to share with a journalist, the source has already made a few wrong choices about the trail they may be leaving.
Michael Moore and the New York Times are missing two things on their pages:
Practical guidance on how not to end up like Chelsea Manning or Reality Winner (such as ‘don’t use work computers or printers’ or ‘don’t send authentic files, send the copied or retyped content,’ etc.).
A clear set of expectations on what a journalist or news organisation will do once they receive the information: How will they share it? With whom? What verification methods are used and what risk could they pose? What prior notice will they give the source? What will be redacted and how? To what extent in practice and in legal challenges will the news organisation protect the source’s identity?
Long ago, in the early ’00s, I made a website. It was called poisonkitchen.com, and I’ll get into why it was called that a few lines later. It was one of the first websites I ever created, while still working in newspapers as a reporter and editor. The purpose of this thing was to create a space for fellow print reporters to dish information about work and life at their news organisations, in an age when newspapers were declining in revenue and quality long before the internet was perceived as a serious threat.
I never kept a local copy of it, because that seemed kind of pointless. Here’s a Time Machine capture of it in its earlier days as a static HTML page site. Later on, I remade the site adding a blog made with pMachine (The internet archive doesn’t display that unique code too well), and some PHP forum script. The forum was the main point; it was picking up where a previous site, called News Mait, had left off when it closed. The site had its regulars, but over time, as many single-purpose niche sites run by one person in their spare time go, its useful lifespan was limited. Other sites better at handling the topic of toxic newsroom working environments moved in. I let the site go. Closed it, and transferred the domain to someone who said he was going to “do something” with it. He never did.
The domain is still owned, but pointing to nothing. It’s booked and locked for some reason, but hasn’t actually ever been used in more than 12 years(!). I’m not entirely sure what the owner is hoping to achieve, though a movie option could be one possibility. Anyway, that’s not a huge deal or the point of this post. I digress… often. Recent events reminded me about the domain name, though. I was in Berlin the other week and the news was all about U.S. President Trump’s latest attacks against the press. An independent press is under attack by the executive branch of the U.S. government. More so than at any other time in recent history.
So, what’s with the slightly creepy sounding domain, then? My choice of the domain all those years ago was based on the pejorative with which Hitler had dubbed the Münchener Post (Munich Post), an adversarial newspaper that critiqued each of Adolf’s speeches and investigated his every political move up until and including the day before the SS were sent to close the paper and arrest its staff. The editor’s last instruction to his staff upon publishing the final edition, allegedly, had simply been, “run.”
The Nazi regime had dubbed the Munich Post ‘fake news’, and tried various means to block the paper’s journalists from covering politics. Ultimately, once power had been concentrated, it was banned, published anyway, and arrest warrants were issued against many members of the staff.
This may not sound like an entirely uplifting story arc, but I found the narrative inspiring. I had come by this piece of great journalistic history while reading a chapter about it in Explaining Hitler by Ron Rosenbaum, long before I’d thought of starting a website called ‘Poison Kitchen.’ But once I read it, I decided it would make a great sounding website of some sort.
The point of naming the site poisonkitchen.com was that people went into journalism for aspirational reasons that seldom ended up matching the reality. Newspapers didn’t push hard enough in the lead-up to the election in 2000, and this was what had led (at that time) to President George Bush winning a demonstrably flawed vote. He didn’t have much use for an investigative press, either.
The situation today seems to once more tick all the right boxes, only more so: We now have a deranged, conspiracy obsessed, authoritarian president in the U.S. who targets segments of the population with hateful rhetoric, attacks the press, tries to enact draconian laws against immigrants, employs vast propaganda to pursue his goals, and doesn’t seem to like an independent judiciary, either. He also took office with a minority vote and seems to not like being reminded of that. He may have tiny hands, an orange complexion and cartoony hair, but to be honest, these aspects are the least of our worries.
A forum isn’t going to cut it. But I spent last week getting some interesting notions at the Internet Freedom Festival on what just might. The media landscape has changed, the web has changed, and I’m in a different place, too. As a technologist who now works with journalists on issues of secure hosting, web applications and digital safety, I think I have use for a Poison Kitchen domain again. I can’t have that .com, but that’s okay, because domains have changed, too. So, there’s poison.kitchen.
Don’t rush over there now, there’s not much to see. Here in my mini-launch manifesto, I’m just going to lay out some concepts that the domain’s eventually arriving website will be exploring.
There are two parts to this. The first deals with the safety and confidence of the potential whistle blower, or anonymous source of the information. The second has to do with how well that information is used in coverage.
Not everyone wants to be famous/notorious. Not everyone who would share newsworthy but highly sensitive information wants to be an Edward Snowden and allow this one act to be what defines them. Chelsea Manning didn’t want to. From Jeremy Hammond to Mordechai Vanunu, we’ve seen examples through history where people paid a high price to make the world more aware. Mathematically speaking, if those people exist, then there are likely many others who have access to information they would release to a journalist, but would rather not give up their family, friends, income and entire way of life in the process. That should be possible.
Sensitive information in talented hands has more impact. Snowden’s NSA file leaks were more useful because they went through talented investigative journalists, first. The Panama Papers leaks became more impactful because of how the story was handled by ICIJ. How much better and more accurate would the coverage of the CIA ‘hacking tools’ leak be, had it been released first to knowledgeable technology journalists? Helping sources self-select the right journalistic contacts should be possible.
These are some ideas based around the two items mentioned above.
Build source confidence in methods and tools and the journalists they reach out to. Encryption tools and technology overall have taken a bashing over the last few years. It’s time to bash back. Yes, there are suitable and safe ways to transmit a piece of information with reasonable expectation of both privacy and anonymity. No, it’s not single-app, one-click, or “It Just Works”™ easy. Outside of that, a source needs reasonable confidence that the journalist will treat what they share carefully, which many journalists may want to do, but may not know what it involves.
Combine all the known resources, guides, templates and risk assessment tools to enable sources to contact specific journalists of their choice more securely. As the story that’s now in both myth and legend goes: Edward Snowden needed to work at it for more than a year to get Glenn Greenwald to spend an hour setting up encryption keys for an email address. There are now guides, tools and how-to things all over the web on setting this up, but it’s really just one way of reaching out to a journalist, or being a journalist who wants to hear from a source, and it may not be your way, or the correct way for your situation. This is aimed at sources to be able to confidently reach journalists and transmit information.
Implement secure contact pathways of communication for independent/freelance journalists and their sources. The New York Times, Guardian and other large news organisations have the facility to manage in-house highly secure systems, such as SecureDrop. Investigative, freelance or independent journalists may not have these resources, but they do often have specific areas of deep knowledge, and can sometimes be better placed to receive confidential information on a topic that is their primary focus. Over the longer haul, the site’s goal would be to take advantage of existing secure contact methods to create a gateway between sources desiring higher levels of off-record care and attention, with qualified journalists of their choice who agree to an ethical framework for dealing with confidential source material.
The short answer: Probably not. The longer answer: Keep reading.
There’s a lot of interest in mobile security coming out of the United States these days. I can see the smoke signals for it from across the Atlantic in the number of resources popping up online, Twitter hashtags, and the Analytics for pages on the topic that I’ve got running on different websites. One term that keeps popping up is “burner phone.” No, we’re not talking about a Samsung Galaxy Note 7. The “burner phone” carries with it all the connotations of drug dealing or other black market services, but it can have applicable uses for various activists, journalists and/or people trading in confidential/classified information. It’s just a pain in the ass, that’s all.
More folks seem to be interested as of late in some sort of pocket device that will somehow keep their communications super secret. No such thing exists. It would be easier to say that burners are entirely digital security mythology, but it’s more complicated than that. There are legitimate, applicable scenarios for a burner phone (or they wouldn’t be a thing). It’s also made more complicated by horrible write-ups about them, even on often decent sources of information about technology.
But do you really need a burner phone? Not the generalised “you” as in you people, but specifically you in particular. What are you trying to achieve? Most likely, you don’t need a burner phone.
Looking for some private space
If this is about basic privacy and concerns, like whether Big Brother is reading your text messages, then you can calm down a little bit. You do not require a burner phone. There are a lot of smartphone apps out there making bold promises, but for the sake of time and productivity, let’s just run with Signal (iOS | Android) for now, by Open Whisper Systems.
If you’re looking to have a private chat among contacts with whom you have no problems being connected, then this is going to be fine. That would extend to work colleagues, and discussing confidential work or personal matters in most scenarios. Set ‘disappearing messages’ so texts don’t even stay on one another’s devices. Block screen capturing and even exchange encrypted files through the Signal desktop client.
What if you don’t want to share your personal mobile number with your contacts?
There are, of course, a number of reasons for this. You may be a journalist and you don’t want your sources to know your personal number. You may want a temporary, project-based number. You may want to publish a contact number and not expose your personal digits on the open web. A second number can be good for controlling your business hours and keeping some contacts from getting too far into your personal life.
A burner phone would be overkill. You may want to get a second mobile for better work/life balance, or just use a mobile phone that can run two SIM cards at the same time. You can also get a data-only number, and use that to communicate. It’s also quite possible that an App for temporary numbers will work for you. Just make sure you’ve read the fine print and understand what you’re getting into.
A second work-related mobile is the better choice for the work-life firewall. Your second phone won’t have your personal social Apps on it, or be connected to your family photos and non-professional contacts. It can have specific work-related apps that you’d never use in your off time. If your number gets shared around and people send you anything nefarious that attacks your work phone, your other phone with all your personal data is not going to be exposed (and vice versa).
Don’t use a mobile for these contacts: Set up anonymous online burner accounts which you and your contacts only access via a strong VPN provider or Tor Browser.
Use secure, disposable communications tools: Communicate with one another using Cryptocat or meet.jit.si, which won’t log your communications or require any revealing personal details about you or your contacts.
The reason you want a burner phone is fairly straightforward: You’re involved in a project and its success relies on you having a temporary number that will cease to be used at the end of the project, and it is vital that this number not be associated with your identity or the identity of your contacts, and/or your contacts’ identities should not ever be associated with your identity. You may be able to use a single burner phone for this project, or you may need to replace it one or more times during it. You won’t ever use it again, though.
A burner is still a tracking device in your pocket. It is still collecting and relaying its holder’s location, contacts, call, texting and data records to every tower and network it touches. This kind of phone isn’t just a piece of equipment, it’s a lifestyle choice. Employing a burner the right way adds additional costs to your project and it also requires a greater investment in time spent managing it.
There are many myths around burner phones. The notion that a “dumb” phone makes a less traceable burner is false. These phones are still transmitting data, recording your travels on various networks and sending a lot of information. They also don’t have the option of adding encryption on top of your communications. The answer for which mobile you need is determined by what you want to do with it and through what channels you’re communicating.
Reasonable uses for a burner phone (including but not limited to):
Creating an anonymous connection to another contact’s burner device.
Dealing with sources who may be involved in criminal activity.
Dealing with sources who could be under increased monitoring.
Protecting your contacts if your own identity and background could pose a safety problem for them.
Distancing yourself from any of the metadata around the information that your phone will receive or send.
Attending a protest or going into an area where your device could be inspected or taken (or needs to be ditched).
Obtaining the mobile: Bought in person, ideally from a local shop that keeps fewer sales records instead of a major retailer; device is unlocked and can accept a SIM from any provider; paid for in cash; purchase requires no data collection on the buyer to complete.
Obtaining a SIM card: Top-up, pay-as-you-go; Paid in cash, separately from the mobile; purchase and top-ups require no user data in the transaction.
Using your burner: Never carry your burner with your own phone; Never make calls with your burner from locations where you use your own phone; Never contact anyone you contact on your own phone with your burner; Install or store nothing that can be associated with your identity on the mobile (tougher than you think); Do not keep real names associated with contact numbers in your phone (especially if your contact is using a burner phone as well); Do not install anything not required for a specific need in your project.
Time is short: The longer you use a burner phone, the more it will be associated with you. Humans are predictable creatures of habit. Your mobile may become associated with others who are being tracked or in events that take place, even if it is not immediately associated with you. Once the mobile number gains attention, it can be researched. How often was it used? Where? What other numbers has it called? When? Do the areas where it has been used have CCTV cameras? Your burner phone will likely have a lifespan of just a few weeks before it needs to live up to its ‘burner’ street cred.
No part of your burner phone is reusable. The device, its SIM card and any data cards that were used all need to be destroyed. The device and its SIM carry unique identifying numbers. Replacing one SIM with another in the same device just correlates both cards with that phone. Data cards are seldom wiped securely enough to beat a decent forensics specialist. Get rid of it all. That was the point.
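Why swapping SIMs or carrying the burner next to your own phone undoes the separation can be seen on a handful of records. This is an added example, not part of the original post: the record layout, every identifier value, the 10-minute window and the two-cell threshold are assumptions made for illustration (IMEI is the handset's identifier, IMSI the SIM's).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed records as a network would log them: (time, cell, IMEI, IMSI).
# IMEI identifies the handset, IMSI identifies the SIM. All values are invented.
RECORDS = [
    ("2017-03-01T09:00", "cell-A", "imei-personal", "imsi-personal"),
    ("2017-03-01T09:03", "cell-A", "imei-burner1", "imsi-sim1"),
    ("2017-03-01T09:05", "cell-A", "imei-stranger", "imsi-stranger"),
    ("2017-03-02T18:30", "cell-B", "imei-personal", "imsi-personal"),
    ("2017-03-02T18:34", "cell-B", "imei-burner1", "imsi-sim1"),
    ("2017-03-09T12:00", "cell-C", "imei-burner1", "imsi-sim2"),  # new SIM, same handset
    ("2017-03-09T12:04", "cell-C", "imei-personal", "imsi-personal"),
    ("2017-03-20T08:15", "cell-D", "imei-burner2", "imsi-sim2"),  # old SIM, new handset
]


def link_identifiers(records):
    """Group every IMEI and IMSI that was ever observed together (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for _, _, imei, imsi in records:
        root_imei, root_imsi = find(imei), find(imsi)
        parent[root_imei] = root_imsi  # one sighting is enough to merge the groups

    clusters = defaultdict(set)
    for ident in list(parent):
        clusters[find(ident)].add(ident)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def co_travelling(records, window=timedelta(minutes=10), min_cells=2):
    """Handset pairs seen in the same cell within `window`, at min_cells or more cells."""
    by_cell = defaultdict(list)
    for ts, cell, imei, _ in records:
        by_cell[cell].append((datetime.fromisoformat(ts), imei))

    shared = defaultdict(set)  # (imei_a, imei_b) -> cells where both appeared together
    for cell, seen in by_cell.items():
        for (t1, a), (t2, b) in combinations(seen, 2):
            if a != b and abs(t1 - t2) <= window:
                shared[tuple(sorted((a, b)))].add(cell)

    # A single shared cell is noise (the stranger); repeated ones form a pattern.
    return {pair: sorted(cells) for pair, cells in shared.items()
            if len(cells) >= min_cells}


if __name__ == "__main__":
    for cluster in link_identifiers(RECORDS):
        print("linked:", cluster)
    for pair, cells in co_travelling(RECORDS).items():
        print("moves together:", pair, "at", cells)
```

Both burner handsets and both SIMs end up in one group because each swap left one identifier in common, and the personal handset is tied to that group by three shared locations while the one-off stranger is not.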
Before going too far down this road, ask: Is this trip really necessary?
UPDATES: Aside from the strategies listed below, here are some other guides, resources and tips on dealing with your digital privacy in U.S. airports, or around any borders with paranoid state regimes…
The United States of America can now be fairly classified as a declining state in terms of freedom, liberty, speech and human rights. The Economist has downgraded its status to “flawed democracy” (late in the game). The White House is presently battling with the courts for the right to exclude entry to the country from not just seven Muslim majority countries (bad enough as that would be), but the right to ban people of any nationality on the basis that they were born in one of these countries. It is the thin end of the wedge to enact President Trump’s promise of a complete ban on Muslims and a Muslim registry.
If you need to go to the United States, your rights may be at serious risk. But this is nothing new in terms of data. Department of Homeland Security agents were allowed (under President Obama) the authority to copy your device’s hard drive at any point of entry into the U.S. But this will probably be put into greater practice in the coming days.
So, if you’re traveling to the United States, consider the following:
Travel tech-light. Leave your computer at home, or carry a wiped machine and/or mobile. Get a mobile after you arrive. Basic mobile phones and pay-as-you-go SIMs are easy to obtain (still) for cash in the U.S. See if you can use a local laptop after you arrive, and get into your accounts on the other side. The less you carry, the safer you and your contacts will be.
Encrypt your computer and your mobile hard drives. If agents are going to access it or copy information from a device, they’ll have to talk with you about it first. Switch your devices off before you land, for this to mean anything.
Log out of everything. Before you arrive at the border, make sure that nothing is syncing, updating or sending or receiving from your devices. Wipe all the local data in your browser. Don’t leave passwords, browsing history, cookie information or download history in your cache. Remove your accounts from any email clients you have set up. Wipe any access information. If agents want to access these, they will have to ask you to log into each one, keeping everything they see transparent to you. Don’t leave clues on your machine as to what services you use.
Create alternate social media personas. This is more difficult to pull off than it sounds, but essentially it means creating fairly vanilla/bland social profiles that don’t include any social, political or other aspects of your identity you think may get you or others in trouble. It means keeping a smattering of contacts that you don’t think will raise your profile in a problematic way at the border. Honestly, this is how they™ win, but if you need to get from point A to B, then sometimes needs must. If you’re involved in any sort of anti-regime activism or opposition, then keeping that information containerized is just a practical reality.
Encrypt files locally and send what you need ahead of you. If you have someone on the other side you trust, encrypt the files and information you’ll want to use after you pass through the U.S. border, and send it to them. Use VeraCrypt or PGP key encryption to secure the information locally. Transfer it using a secure cloud service or a volatile, encrypted file-sharing service such as OnionShare, or run FileTea through a decent VPN or Tor. Wipe it from your device, and re-install it when you get to your friend.
Encrypt your information and hide it in the cloud. Find a decent, secure cloud storage service. Export your confidential information and encrypt it locally on your machine. Rename your file as well (“pics_of_cat.zip”, “art_masters_thesis.tar” or so on). Store this in your cloud hosting service and make sure to securely wipe it from your machine. Get it back when you’ve got a secure internet connection after you’re away from the border control.
Set up 2-factor authentication on any accounts that have it available. If you’re asked to log into an account, this will give the border control agent and the Department of Homeland Security future access to that account. 2-factor authentication on many services allows you to monitor where your account is logged in and end those sessions remotely. It will let you know when and if anyone tries to log in from a different location.
Consider all accounts accessed at the border to be compromised. As a matter of digital hygiene, change any password that you use at the request of a government official. Update your passwords using stronger ones not similar to your compromised passwords.
Consider any device handed over to a border agent to be compromised. If a border agent takes your device and does anything you can’t visibly see happening, then assume the device has been infected with malware (spyware) and wipe it before using again. Dismantle it to look for physical tampering, if it’s taken where you can’t see it.
I was in a charity shop in Peckham a couple of days before New Year’s Eve and was flipping through the pages of a history of MI9. There I came across a diagram of the Escape Knife (or, escaper’s knife). As I’d lost my trusty ol’ Leatherman due to some haste and stupidity on the way to the airport a while back, I was in the market for a new multitask tool thingamajig, and I also like things that come with a bit of history to them. Also, it just seems like we’re living in an era where having something on hand called an “escape knife” seems more handy. Image searching the diagram and name, though, tells me that these things aren’t in production any longer, and buying one vintage runs in around the £1,200+ range. So I’ll pass.
But I like the mandate of MI9, which was basically to help people escape or evade fascists by designing tools, researching technology and developing tactics. There still seems to be a need for these things.
Sort of like during the bulk of the 2000s, I’m hearing more people grumbling about needing to escape Trump’s America, though this time around it sounds like the real challenge for more people will be getting into the U.S., rather than getting out. But still I see people looking for ways to emigrate to Canada, Europe or even to the UK for some reason, though I’m not entirely sure what they’re specifically hoping to evade by coming to Brexit Land.
So, first the bad news: There is no escape. We’ve all entered ‘The Man in the High Castle’ alternate reality together. The good news is that there is a wealth of how-to guides, manuals and resources created by and for people living or working in closed and closing societies on how to do any number of things, whether it’s communicating privately or anonymously, looking up information without leaving a data record behind, how to meet discreetly, how to store personal information securely, how to detect if you’re being followed and lose who’s following you, etc. To learn how to do these things, the first thing you need to do is accept that you’re now living in an emerging closing society. It’s okay, you actually have been for a little while now, you just didn’t have a fluffy-haired soon-to-be-president, orange twat reminding you about it in a daily barrage of poorly-thought-out Twitter outbursts. Until now. Welcome to now.
You had been warned. Maybe you didn’t care because it still seemed like things were being run by people who could string a coherent sentence together. Maybe you took the warnings seriously, but didn’t think they’d ever apply to you. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.
“It is possible that I will end up living like the dissidents who I defended from foreign dictatorships for so long. I will talk in coded terms, as I have started to do already. Did you think it was a coincidence that I published an article about Elijah Lovejoy, a journalist who sought freedom for all and was killed by St. Louis mobs, right before the election?” — Sarah Kendzior
Penetration Testers’ Guide to Windows 10 Privacy & Security is for you if you are going to use Windows 10, not that I’m advocating that sort of lifestyle choice. Get ready to spend some serious time with Andrew Douma’s how-to post, which is far more readable than any actual Microsoft documentation might be.
draft_encrypt-email-guide-10-2016 is a group-edited guide on getting into sending and receiving encrypted emails using PGP. It’s spearheaded by Matt Mitchell, who will be porting it to Gitlab and Medium once the gang are done fidgeting with it. However, it’s already far more readable than a number of other attempts. I’ll update the links here when it’s moved to its finalized home.
How can I use my mobile phone more securely? by yours truly, can help you get your mobile phone under control, or at least understand how little control you have. Remember: You have control over whether you carry it when you don’t want a record of your travels. You can control what you don’t say or type in it. That’s your control.
Data at the border is another one I hacked together, about the data you carry with you, and how to keep it from being exposed, through theft, confiscation, in a search, etc.
Surveillance Evasion, by Ami Toben at protectioncircle.org will help you understand what’s needed to evade hostile physical surveillance when traveling between Point A and Point B.
Is S/He an Informant? A Ten Point Checklist by Ret Marut on behalf of activists allegedly impacted by undercover infiltrators in their groups is still going to be useful if you’re going to be organizing in 2017-2020 America.
Think You Can Live Offline Without Being Tracked? is a short FastCompany interview with various privacy experts, that will give you some idea on the near impossibility and/or depressing reality of trying to sustain such an existence for a long period of time, which is why I trend more toward episodic tactics and throw-away plans. Spoiler: When an article ends in a question mark, the answer is usually ‘no.’ The Lone Ranger lived his secret identity and had just the one friend. Don Diego de la Vega kept his anonymous Zorro persona compartmentalized and so could still throw swanky dinner parties. Be Zorro.
Plan, prep & test
Whether you are just one or some, you need to know what you’re going to be doing and what kind of trouble it could entail. These will help…
SAFETAG, developed by Internews, is a professional security auditing framework using a mix of penetration testing and risk assessment methods that are useful for smaller organisations and groups who face adversarial conditions.
If the supposed Russian propaganda campaign was a metaphorical hacking attack that broke through the weak firewall that is America’s lack of media literacy, then the cyber attacks against the Democratic National Committee, the Clinton campaign and others were just plain non-metaphorical hacking. And the evidence of it is more credible.
The great thing about writing slowly and sporadically is that someone’s going to get around to doing it before you, and possibly better. War is Boring covers the play-by-play of the whole saga. So read that for the details. I’m more interested here in who’s still decided it’s not true, and why. Maintaining the counter narrative is approaching the Herculean level of being a climate denier or opposing vaccines.
The evidence is fairly conclusive. Yes, attribution can be difficult, but unlike debates over whether this or that piece of faux news content is actually part of a strategic propaganda campaign or not, the evidence is rarely as subjective. You have server logs, the paths of data packets, the history of malware and the servers it connects to, common vectors of attack and the errors that the hackers make that can leave a digital footprint of their own. This is not to say that someone can’t refute the evidence or produce valid counter-arguments. It’s that anyone doing so has to take the digital evidence seriously, and respond to it. The circle of people with the background to do that is relatively small. This hasn’t stopped a lot of people outside of it from trying really hard, though.
So instead of going through the various evidence and reasons that the attribution for the DNC hacks is credible, I’ll let the War is Boring post, the various Crowdstrike blog posts (here, here, here, etc.) and others do that.
One objection came from Sam Biddle, who countered in The Intercept that “We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, who contracted their services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime.” That would be true in a number of instances, but not this one. Actually, it is entirely common. Crowdstrike is one of just a few firms in the field of advanced cyber attack analysis. Corporations, governments, large organisations hire companies like this to do exactly this kind of thing. Furthermore, the analysis goes far beyond Crowdstrike’s work on the DNC hacks. ThreatConnect looked at the various personas used to gain and disseminate hacked emails, and could trace them all to common origin servers. So, that hired firms investigated this is not counter-evidence.
Most striking part of NYT article was the primitive nature of Podesta hack & the sheer luck of its success: hardly some masterful invasion pic.twitter.com/uZf3pc7cAP
In the Tweet above, Greenwald asserts that these hacks were down to luck, and weren’t that sophisticated. The argument is that they look too amateur to be from a government. The argument doesn’t work on a lot of levels. I mean, look at how much else governments have done that comes off as half-baked.
In one respect, Greenwald is right. The attacks weren’t that sophisticated. But it’s also true that spearphishing attacks don’t need to be sophisticated in order to be state sponsored, or to be effective. Many states use off-the-shelf methods to attack targets. Why spend more than what’s needed? Why not hire people who can cheaply deploy a simple hack before investing in more complex, and possibly more traceable, methods? The more typical it is, the more likely it will blend in.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
Spearphishing attacks are fairly basic: You get the target to click a link and enter some sensitive information, or download a piece of malware onto their computer. Once you’re into one account, you use it to trick their contacts and get into theirs. They’re also quite successful, because people aren’t actively skeptical about things that look like they’re coming from trusted sources. It’s the same attack that millions of people fall for, which allows criminals access to their social network pages, online shopping sites and bank accounts. And this is all it took to get into the email accounts of Secretary of State Colin Powell and Clinton campaign chairman John Podesta. So, that the hacks were simplistic is not counter-evidence.
Others point to statements made by Craig Murray, the former U.S. diplomat who’s now a Wikileaks supporter. The gist of Murray’s claim is that the stolen email data came from someone on the inside of the Democratic party, and not hackers. He says he knows this because he was the person they gave the data to. It’s worth noting that Julian Assange doesn’t support the statement.
That aside, there are other transparent problems with this line from the start: Who inside the Democratic party or the Clinton campaign had backdoor server access to email accounts? He’s basically implicating either someone running campaign IT, or the account holders themselves. It also runs counter to what Julian Assange says about the source. While Assange has said that Guccifer 2.0 looks like a Russian operation, his own source, he has said, is not a state actor from the U.S., Russia or elsewhere.
Whether what Assange is saying is true or not is impossible to ascertain, but it does not contradict the evidence laid out by Crowdstrike and others. Reasonably, the thousands of emails copied from John Podesta’s Gmail account couldn’t have come from either a disgruntled insider or a disinterested outsider. They came from someone who knew about spearphishing attacks and who used infrastructure that was also targeting high-profile email account holders in Ukraine, the Baltics, China and Iran. So just saying you got the data handed to you doesn’t refute the evidence pointing to how it was originally obtained.
Guccifer 2.0, the source of these DNC emails, doesn’t talk like a hacker. It’s widely believed by researchers that this person is a cut-out, or a front for the real attackers. One of the reasons for this is that he doesn’t talk like a hacker. I suppose, but that’s fairly subjective. He may not sound technically proficient, but maybe he’s just avoiding that language on purpose.
Much of the software that Guccifer 2.0 used seems to have been Russian language. That’s fine. Maybe the hacker was a Russian speaker. We’ve got some evidence here that points to specific geographical and/or linguistic details. But there are, logically, hackers who speak Russian that are not employed by a government.
Then we have the indirect corollary events: Trump refusing to meet for intelligence briefings, dismissing out of hand that the Russian government could be involved, calling for hackers to hack Clinton campaign data earlier on the campaign, etc. All of these are easily found with a Google search, but to quote every Reddit user ever: correlation is not causation. It is suspicious, but not in and of itself evidence.
Infrastructure reuse seems, to me, the best evidence. The email headers, the VPN used, the domain registration metadata and, most interestingly, the common server employed in different attack campaigns from Ukraine to the U.S. are traceable and more conclusive than anything else.
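To show what that kind of pivoting looks like in practice, here is an added Python example (not part of the original post, and not any firm's tooling): it pulls relay IPs and link domains out of phishing messages, joins them with registration data, and groups campaigns that share infrastructure. The messages, campaign names, registrant table and commodity-host list are all constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string


# Constructed phishing samples (not real messages). IPs are from the RFC 5737
# documentation ranges and every domain uses the reserved .example TLD.
def _sample(relay_ip, domain):
    return (
        f"Received: from mx.{domain} (mx.{domain} [{relay_ip}])\n"
        f" by mx.target.example with ESMTP; Mon, 01 Feb 2016 09:00:00 +0000\n"
        f"From: Account Team <no-reply@{domain}>\n"
        f"Subject: Unusual sign-in attempt\n"
        f"\n"
        f"Review the activity: http://{domain}/signin\n"
    )


SAMPLES = {
    "campaign-A": _sample("203.0.113.7", "mail-verify.example"),
    "campaign-B": _sample("203.0.113.7", "account-check.example"),
    "campaign-C": _sample("198.51.100.50", "login-confirm.example"),
    "campaign-D": _sample("198.51.100.50", "shop-deals.example"),
}

# Constructed registrant e-mails, standing in for WHOIS lookups.
WHOIS = {
    "mail-verify.example": "reg1@mailbox.example",
    "account-check.example": "reg2@mailbox.example",
    "login-confirm.example": "reg2@mailbox.example",
    "shop-deals.example": "reg9@mailbox.example",
}

# Indicators that many unrelated senders share (here a constructed bulk-mail
# host). Linking campaigns through them would produce false attribution.
COMMODITY = {("relay_ip", "198.51.100.50")}

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def extract_indicators(raw):
    """Return the set of (type, value) indicators found in one raw message."""
    msg = message_from_string(raw)
    found = set()
    # Caveat: only Received lines added by servers you control are reliable;
    # anything the sender supplied below them can be forged.
    for hop in msg.get_all("Received", []):
        for ip in IP_IN_RECEIVED.findall(hop):
            found.add(("relay_ip", ip))
    for host in URL_HOST.findall(msg.get_payload()):
        host = host.lower().rstrip(".")
        found.add(("domain", host))
        if host in WHOIS:
            found.add(("registrant", WHOIS[host]))
    return found - COMMODITY


def shared_indicators(samples):
    """Map each indicator seen in more than one campaign to those campaigns."""
    seen = defaultdict(set)
    for name, raw in samples.items():
        for indicator in extract_indicators(raw):
            seen[indicator].add(name)
    return {i: sorted(names) for i, names in seen.items() if len(names) > 1}


def clusters(samples):
    """Group campaigns that are linked, directly or transitively, by reuse."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for names in shared_indicators(samples).values():
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for indicator, names in sorted(shared_indicators(SAMPLES).items()):
        print(indicator, "->", names)
    print(clusters(SAMPLES))
```

Campaign D stays on its own even though it shares a relay with campaign C, because that relay is listed as commodity hosting; deciding what belongs on that list is where most of the analyst judgement goes.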
When the best defense is not offense
While there’s a consensus forming around who’s behind the DNC email attacks, there’s still room for debate in what should be done about it. Obama’s response continues to be the wrong one. He could have helped prevent the attacks earlier, when he’d first been informed about them, but did nothing. Now he’s making public statements threatening retaliatory hacks against Russia. This is ridiculous, of course. First: Obama’s remaining time as president is just days. Second: Obama is not Anonymous. One doesn’t use a televised address to announce a cyber offensive. Finally, a threat of a cyber attack is not what counters a cyber attack. The Cold War logic, flawed as that is, doesn’t work here at all.
The best defense is, in fact, defensive tactics. The NSA is sitting on top of zero-day exploits that could strengthen the networks and devices we all use. Release those to the companies affected by them. Stop trying to install backdoors in technology, and end all these pointless attacks on strong encryption. End the mass surveillance projects that put more and more data streams at risk. More strategically, identify what you’re trying to protect and who wants to get it.
For individuals, avoiding the kinds of hacks that snared Podesta and Powell is fairly low tech: Use complex, long pass-phrases, enable 2-factor authentication, and don’t click on documents or links you haven’t examined. You will then have stronger online security than people who work in national defense, apparently.
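As an added example (not from the original post) of what "examining" a link can mean, this Python code parses a URL the way a browser would and reports the tricks phishing links commonly rely on. The brand table, shortener list and sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (constructed, not from the original post):
# which brand words map to which genuine domains, and which hosts are link
# shorteners that hide the real destination.
BRANDS = {
    "google": ("google.com",),
    "gmail": ("gmail.com", "google.com"),
    "paypal": ("paypal.com",),
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample links; IPs and lookalike domains are reserved for docs.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com.security-check.example/signin",
    "https://accounts.google.com@203.0.113.9/login",
    "https://bit.ly/PLACEHOLDER",
    "https://xn--ggle-55da.example/",
    "data:text/html,<form>",
]


def _belongs_to(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def examine(url):
    """Return a list of reasons not to trust a link, empty if none found."""
    parts = urlsplit(url.strip())
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    host = parts.hostname  # lower-cased, without userinfo or port
    if not host:
        return findings + ["no-host"]
    # Everything before '@' is a username, not the site being visited.
    if parts.username is not None:
        findings.append("userinfo-in-url")
    if _is_ip(host):
        findings.append("ip-literal-host")
    # Internationalised labels can render as lookalikes of ASCII names.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("idn-host")
    if host in SHORTENERS:
        findings.append("shortener-hides-destination")
    # A brand word in the host proves nothing unless the host ends in the
    # brand's own domain: the rightmost labels decide who owns the name.
    if any(w in host and not _belongs_to(host, d) for w, d in BRANDS.items()):
        findings.append("brand-lookalike")
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", examine(link) or "nothing flagged")
```

An empty result only means none of these particular tricks were found; it is not proof that the destination is safe.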
Also realise Russia isn’t the only country doing this.
American cyber attacks against the rest of the world are well documented. This hack is fairly small beans compared to United States offensive cyber operations taking place on a daily basis. Also, a lot of smaller states are in on it as well, and those that can’t run it entirely in-house, can outsource it, mostly from firms located in Western countries.
There is enough evidence to reasonably make the assertion that Russian government sponsored hackers were behind the DNC and Clinton campaign email hacking campaign. What’s missing from the people who continue to oppose it is a credible reason to support their case.
This post has been a long time coming. Whenever I get the time to write something, the situation has changed. In the hopes of getting something done and obligating myself to write another one, this is going to be a 2-parter on the topic of “The Hacked Election.”
Part The First: suddenly, fake news is a problem. (below)
Part The Second: Russian government-affiliated hacker(s) either did or did not break into some email accounts. (here)
America’s post-presidential election detritus had previously fallen under one of two headings: The first was “fake news,” and the second was email/server hacking. These have since been tidily packaged under the single HACKED ELECTION banner.
It makes sense. Even Google barons Eric Schmidt and Jared Cohen conjoin the two strands, writing in Time Magazine: “All future wars will begin as cyberwars. Cyberattacks and online disinformation campaigns will define the next generation of conflict, and they will unfold silently, invisibly and relatively inexpensively. The threat is real, but we are equipped with the means to keep the cyberpeace. It’s now incumbent on policymakers and tech companies to help keep our information secure and our infrastructure safe.”
I deal with servers, and sometimes hackers. I also get to support various news verification practices and tools. So, on both counts, checking into Facebook has been painful as of late. I especially enjoyed that period during the election campaign when people shared poorly researched articles about Hillary Clinton’s email server security as some sort of defense for voting for a third party candidate. Technology and politics collide in strange ways.
The internet has all sorts of ways to check various items that are passed off as fact. It also works great as a way of spreading false information. It seems to be better at the latter. Most people don’t check things. Everyone shares. In this post, and the next one, I’m going to suggest we go back to treating each item under the “hacked election” heading as separate things.
Fake news vs propaganda vs just dumb
Back in late November, The Washington Post ran an article on a new self-proclaimed fact-checking website called propornot.com. This was actually what originally propelled me to start drafting this post (which should tell you how slow I am these days). When it was first published, the article was locked behind a paywall so I didn’t read it straight away. But I did read Glenn Greenwald’s critique of it at The Intercept. This user experience story has clues as to why some online content spreads faster than others. Take heed.
Anyway, the WaPo story is no longer blocked, but it does carry a disclaimer saying the publication doesn’t vouch for the website. Still, it’s a single-source article, and not a particularly good one. What’s interesting about it are these two things:
Propornot.com is not just aimed at telling you what content is false, it is labeling websites it claims are Russian propaganda astroturf machines;
Greenwald asserts that such lists are a sort of digital McCarthyism.
Both propositions are flawed. I’ll deal with Greenwald’s first, because it’s easy to dismiss, and variations of it are being employed by people that we all know. You have them scattered amongst your Facebook friends. Some of them may be family. These people post a lot of dodgy crap, but when you call them on it they go either full troll-relativism, and ask something like, how is CNN more authentic? Or, they might jump the linguistic shark and ask what “fake” actually means. For the purposes of this: By fake, we mean content that is not substantiated with credible evidence or fact. Another term for “fake news” is “not news” or “fiction” or “lies.”
What’s dubbed in the media as fake news is dangerous. Sometimes it hits individuals. Read my friend Arrington de Dionyso’s piece, ‘How I became a target of the alt-right’, for more on that. But it’s also dangerous to society. Fake news is popular. False articles about the U.S. election typically performed better than authentic information in clicks-n-shares on Facebook. Propaganda and other kinds of phony articles are cheap to produce and don’t rely on advertising, as the point of the stories isn’t to get you to see ads, but to just read them. You’re already consuming the product by looking at it. In contrast, authentic journalism and investigative coverage (with verification processes) is expensive. The economic ecosystem of digital publishing rewards the former, and punishes the latter.
Some election coverage has clearly been propaganda. We have the one-woman show that is Eva Bartlett as a prime example of this, pushing out daily content on how entire massacres in Syria are faked, and all the videos you’ve ever seen about the White Helmets rescuing people are supposedly staged, on some studio lot, I suppose not far from where they faked the moon landing. So here’s a professional propagandist running demonstrably false information. Yet I’ll see six or seven people I’d previously attributed as having some intelligence sharing it as though it were fact. They’ll also often defend this bilge regardless of whatever counter evidence is brought into the discussion. Countering this stuff is exhausting, and is another activity that the ecosystem of digital publishing doesn’t often reward.
In another example, we have noted “anti-imperialist” pundit Vanessa Beeley, whose only online goal is to constantly repeat Russian or Syrian regime talking points on social media and repeat false claims in rapid succession on sites such as Center for Research on Globalization, RT, Mintpress News and (rather unfortunately) Antiwar.com and various Ron Paul fan sites. The thing these sites have in common is that they almost exclusively cite one another when supporting various dubious claims, until you end up in a circular set of links.
But legitimate organizations, such as the White Helmets rescue group, do need to use extreme caution in what they publish, as these people rely on it for their content, and wait to misappropriate any material they can.
The Bellingcat blog has a post on how White Helmet campaign material has been re-purposed by Beeley and others to discredit the organization: “Because of this, they have regularly been smeared by the Syrian and Russian governments, and decried as fakes and terrorists. Russian state TV outlet RT (formerly ‘Russia Today’), for example, ran an opinion piece on 26 October by writer Vanessa Beeley, who labeled them a “terrorist support group and Western propaganda tool’, while a separate report a week earlier questioned the White Helmets’ neutrality by claiming that they were funded by Western governments. As early as May, Kremlin wire Sputnik called the White Helmets a “controversial quasi-humanitarian organisation” which was ‘fabricating ‘evidence’ of Russia’s ‘disastrous’ involvement in Syria”. This Sputnik piece also quoted Beeley, as saying that the White Helmets ‘demonize the Assad government and encourage direct foreign intervention.’ ”
But not all of this can be attributed to propaganda, or to a single state-run propagandist’s goal. A lot of it is just stupidity taken to a dangerous extreme: The whole #pizzagate strangeness that turned my friend Arrington into the target of online alt-right Trump trolls is of a different variety. It is, of course, an entire fabrication, but it’s something that fermented in the bizarre and poorly designed forums populated by folks who haven’t entirely dismissed the possibility of lizard people running things. And that can end with an armed man swinging a gun around in a pizzeria. But while this was a lunacy enabled by at least one member of President Elect Trump’s team, we cannot add this to the list of Russian propaganda operations… without evidence. There are simpler likelihoods: such as that a percentage of the population is dangerously unbalanced. The roots of something like Pizzagate came entirely from inside the U.S.
There is more than a little evidence that Occam’s Razor favours the “unbalanced population” thesis. The Index on Censorship found in their last study that, more and more, journalists are being attacked in the United States and Europe, not by state actors, but by partisan supporters who support a fringe or far-right candidate, and who don’t tolerate criticism of them. And the candidates (or president elect) aren’t rushing to criticize it or intervene in any serious way.
This is my problem with Propornot.com and the emerging narrative. Some content — on the election, Trump, Clinton, and topics of interest to Russia’s government, such as events in Ukraine and Syria — is state manufactured and disseminated online. This is without a doubt. Sputnik, Russia Today, and some other outlets provide clear evidence of this. But that’s propaganda and not “hacking the election.” Other content may come from people who either believe this propaganda, or parrot it out of some sense that they’re giving The West™ a well-deserved smack regardless of whether it’s true. Others are actually publishing original content not remotely commissioned by a Russian agency, but which simply reflects their ideology or belief.
Putting the technical problems aside, the simple fact is this: An app that outsources audience critical thinking will not teach media literacy. And we desperately need more of that in a world gushing with constant information. We don’t want to back into an internet that looks like this.
And yet, making lists of sites you find dodgy is not McCarthyism unless you are the government. Glenn Greenwald is over-stating the situation in his article on propornot.com. If the Washington Post didn’t look at it carefully enough when promoting the website, Greenwald is going a bit too far off the reservation in the other direction. It may be that the site is being run by some shady division of the CIA or out of the White House somewhere, but that’s not been proven.
There are a lot of sites constantly pushing dodgy content. Some of these are consistently sourced in Tweets and Facebook posts by people we all know. Ed Brayton curated a list of these a little while ago on Patheos. I keep my own little roster as a polite note to potential commenters about one possible reason I may be ignoring them. This is not censorship. This is not chilling effect territory. This is discourse. At no place on my list (or in Brayton’s) is it alleged that we’ve found evidence that they are Russian astroturf platforms. And if you want to debate what “fake news” is, Columbia Journalism Review has a nice template outlining six varieties. Explain that away.
Really, though, if you look at the Propornot.com list, you’ll see why it’s problematic. Yes, it names a lot of dodgy websites. It also includes sites that are simply opinionated, critical of Clinton or Obama, or supportive of Trump. A couple of them are run by people I know. Having a point of view doesn’t mean someone is part of an intelligence operation to change the outcome of an election. Some of the sites on that list are actually publishing good content. People have various ethical issues about Wikileaks, right or wrong, but no one is seriously alleging the site is publishing false information. In fact, the problem has been that it’s been publishing authenticated information. (More on that in the next post, though)
Throughout this post I’ve fallen into a trap (willingly). I’ve been calling this kind of content “fake news.” In fact there are better phrases, like not news, or pretend news, faux news, make believe, or lies. Or maybe it’s some genre of fiction we still need to name. Something that in the post-truth era allows people to believe climate change is a globalist neo-liberal conspiracy, vaccines are some sort of government control program and that Hillary Clinton runs a pedophile ring out of a Washington, DC, pizzeria. We may need a different word, but it isn’t a new thing.
“Yellow journalism” was what people used to call it. It’s also not just the stuff of small websites and fringe blogs. Large, mainstream publications have run false reports from the likes of Stephen Glass, Janet Cooke, Nik Cohn, Patricia Smith and others. They all wrote believable prose that somehow bypassed the requirement of fact checking.
It’s also important to remember propaganda is something the United States does as well. The U.S. has no shortage of examples of being caught trying to manipulate another country’s election results through the media. This doesn’t mean you have to like it when it’s done to your country, but it does imply that many people who are upset about this should maybe take the indignation down a couple of notches.
Did Russian-circulated propaganda play a part in “hacking” the election for Donald Trump? It is impossible to coherently or rationally argue that it didn’t exist, or have an effect. The evidence is clear that it did, that Trump benefited from it, and had no problem with his supporters repeating it. That is a scary situation, but a separate situation.
Alleging that Russian propaganda is actually responsible for the entire election outcome isn’t remotely accurate, and dismisses the weak footing that the Democratic party found itself in, and how it failed to strategically consider states that would be pulling in the most contentious electoral college votes. Hillary Clinton won the popular vote, sure, but her campaign didn’t do the work to win votes where it counted. When you’re scoring that many own-goals, you can’t blame one or two shots by another team for the final score. But Russia’s propaganda isn’t a hack, or if it is, it’s an old one. If media literacy is a metaphorical firewall, then the United States has a gaping security flaw. It’s just business as usual. I think some blame needs to go to the people who believed it.
Trust but verify, and don’t really trust until you verify
We don’t need automated ways of telling people something is false. Media literacy comes from knowing who information sources are, and understanding their various motives, past track record and knowing how to determine what’s accurate.
Verification Junkie is a “growing directory of tools for verifying, fact checking and assessing the validity of eyewitness reports and user generated content online” by one Josh Stearns.
Bellingcat’s Guides show how to use any number of databases, custom searches and metadata analysis methods to verify content.
Exposing the Invisible is for people looking for investigative resources, but it’s got very good pages on verification techniques.
All those warnings about the dangers of mass surveillance coming out for the last few years just got a little more real for a lot of people. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.
Maybe now the orange face of hate will make you take surveillance against journalists and activists seriously. https://t.co/UVzcIZFKIn
Trying to collect everyone’s data for analysis at any future time may sound like a brilliant idea to you. Think of the good that can be done! No. You can’t think of such a thing in terms of it being run by rational, decent people. You can’t think of it being run by people on your side. You have to consider it as if it were possible that such powers could be put in the hands of a maniac.
Don't create state powers on an assumption that govt. will exercise self-restraint. Final slide from my talk last month at @ISC2 Dublin. pic.twitter.com/IJSO4jjgPN
Many people supporting Hillary Clinton for president, and the re-election of President Obama before that, were eager to dismiss this issue. Both (along with many other Democrat and Republican leaders both past and present) were part of the construction of this machine, though. Soon it will be handed over to a President Trump, providing he can beat the upcoming rape trial and several other allegations winding through the courts and avoid being impeached.
Trump will soon be in charge of: NSA mass surveillance, Guantanamo, CIA drone strikes, war in seven countries, nukes https://t.co/V3xFfMW0IQ
This isn’t just an American issue, or about some constitutional rights that only apply to people on the right side of the upcoming Mexico-funded wall. This has to do with all the U.S.’ intelligence trading agreements.
When Obama — with Clinton’s support — extended and expanded the reach of America’s mass surveillance project, most of his advocates were defensive, apologists, or dismissive about it. What does it matter? How does it affect you? Many folks looked the other way while millions of people around the world were targeted based on “selectors” generated from some text they may have put online somewhere, a video they may have watched, photos they posted, or maybe just how their surname, language or national origin happened to feature on the computer screen of some NSA contractor. Lots of people thought it wasn’t a big deal. Many people may have even believed that, well, if they don’t have anything to hide…
This isn’t a warning, it’s a reminder. The warnings have been coming out for years, people just didn’t do anything about them. While the apparatus stays the same, its uses can and will change. The selectors can be altered. Other people may find all sorts of things that they suddenly wish they could hide even if they can’t: Political affiliation, who their friends or family members might be, social interests, reading lists, gender identity, religion, race. What selectors will the new regime prioritize?
All my "imagine if these surveillance powers ended up in the hands of a crazy person" rants have panned out.
UPDATE (20/11/2016): Too late. The most invasive and dangerous bill in the history of modern British politics, and the most invasive mass surveillance framework in the history of democratic states has been approved to become law. As with all policies crafted out of blunt fear, it will make people far less safe.
“We do have to worry about a UK Donald Trump. If we do end up with one, and that is not impossible, we have created the tools for repression.” — Liberal Democrat peer, Lord Strasburger
Of course, this concern predates the eventuality of a total kakistocracy situation, such as what’s happening in the United States right now. The UK has had various examples of abuse of already existing surveillance powers in its own recent history.
Many people argue that there are no technical solutions to bad policy when it comes to privacy and mass surveillance. I would agree with that. Technical solutions are often clumsy, buggy, time-consuming and are difficult to scale. But when political avenues have been closed — as they have with the passing of this Investigatory Powers Bill, then technological solutions are what we’ve got left to work with. You can’t wait for the law to have your human rights. Sometimes you just have to exercise your rights until the law recognizes them.
The British government is at war with its citizens, and using the Tory government’s new Snoopers’ Charter as its weapon. There is virtually no opposition to it. In spite of Liberty’s campaign work on the IPBill, its former director, embattled Labour Peer Shami Chakrabarti, has been utterly quiet on the topic, as has the vast majority of her party and its leader, Jeremy Corbyn. The SNP and Liberal Democrats form what is essentially the opposition on this issue. You need to stop what you’re doing and pay attention to the…
Well timed with the release of Oliver Stone’s Snowden biopic is the Pardon Snowden campaign, which is essentially an ACLU-sponsored online petition aimed at convincing President Obama to use some of his final-days karma points on a pardon for the NSA whistle blower. I signed it. I think you should sign it, too. I don’t think it will actually result in a pardon; I’m too cynical to believe in the magic fairy dust of clicktivism. The power of petitions is to show popular support, and they’re often at their most powerful when they reveal how those in government refuse to listen to those they govern. So, do please sign it. I hope millions of Americans do.
I think I’ll forever prefer Laura Poitras’ documentary, CitizenFour, which soberly and chillingly details the NSA’s mass surveillance program as revealed by its one-time contract employee. But I will be getting around to Stone’s dramatization of Snowden’s story, and I’m fairly sure I’ll find it entertaining. I think it’s a tad too soon, and there’s a real problem that the fictionalized bits of the film may filter into the popular consciousness as being historical fact, but if a fact-based thriller revives the necessary discussion on the United States’ descent into being a dangerous, mass surveillance super-state, then so be it.
The America of today still needs its exiles like Snowden. While I’m sure he’d really like to go home, see family and friends, get back to something approaching normality and all that, a pardon would be a public relations exercise. It would not fix anything. Snowden’s inability to return home — as excruciating as that must be — continues to poke America in a soft spot that needs prodding with a sharp stick. So I hope he gets to go home; and I know that as an exile, he will continue to have more impact. The latter will probably continue to be the case.
The country (both its establishment and a fairly substantial percentage of its citizenry) has not come to grips with the fact that it has a problem. As of 2015, about 42% of Americans expressed approval of the NSA mass surveillance program. That it’s a “minority” isn’t that comforting when it’s just under half. That means there’s just 9% to the majority. Inside the political establishment, there is something approaching a consensus on the subject.
“Without Snowden, the American people could not balance for themselves the risks, costs and benefits of omniscient domestic surveillance. Because of him, we can,” wrote former CIA officer Barry Eisler in Time. I think it’s important to emphasize the word “former” there. For each one of him, there are dozens in Washington, D.C, who don’t want the status quo adjusted or even questioned.
Beyond that, there is no political will inside the American political establishment for a change to the present state of things. The Washington Post, which used Snowden as a source for its Pulitzer-winning articles on NSA spy programs, has turned around and called for him to be prosecuted for releasing the documents that it, in turn, made public.
In no uncertain terms, The House Permanent Select Committee on Intelligence made clear that “Edward Snowden is no hero – he’s a traitor who willfully betrayed his colleagues and his country,” in spite of there being no evidence of anything released doing anything but reputational harm (significant as that may be) and causing more people to re-evaluate the existence of certain activities. The Committee press release reminds us that We the People can’t actually see the report, but rest assured, it’s 36 pages long and has 230 footnotes. What that’s supposed to tell us, I have not one clue. It’s like saying ‘okay, we can’t tell you why we think this, but you can trust it because the report is printed on some high quality paper and uses a very readable sans-serif font.’
The entire committee executive summary of the mystery report is misleading, and that’s already been explored by investigative journalist Barton Gellman, here. But it’s fueling the technocratic red herring arguments, like that from Harvard Law School professor Jack Goldsmith, whose entire argument hinges on the claim that “it is naïve or disingenuous to think that the damage to U.S. intelligence operations was anything but enormous,” without citing any evidence to support the claim in what amounts to a rant that mostly focuses on perceptions of what it means to swear national allegiance and pithy remarks on why he doesn’t like presidential pardons. And he teaches law.
In some sort of magical reality alternate universe where President Obama decides to give Edward Snowden a pardon, it will not be a signal that anything has changed. Not in terms of the U.S.’s relationship with its invasive mass surveillance techniques, and not with its increasing laissez-faire attitude about various agencies using off-the-shelf, whack-a-mole malware in what seems to pass for targeted surveillance. In that context, a pardon would be a propaganda move. This policy trajectory would not change under a President Clinton, and would likely take a turn for the bizarre (if not worse) under a President Trump.
So, support a pardon for Edward Snowden because of what it will mean when it doesn’t happen. America needs its exiles. They may one day be the only ones who can speak freely about what’s wrong with it.