Category Archives: Spying

Germany: Das unterwanderte Land (The Infiltrated Country)

I’ve been working for a couple of months on an investigation of the totality of U.S. intelligence in Germany, out today in Stern magazine.  English translation coming soon.

Stern 31 October 2013

NSA Tailored Access Operations

Found a little more about Tailored Access Operations (TAO), the Computer Network Exploitation/Computer Network Attack (CNE/CNA) operation of NSA, long known, but mentioned in the Washington Post article last week revealing the National Intelligence Budget.  The Post describes TAO as “surreptitiously installing spyware and tracking devices on targeted computers and mobile-phone networks.”  I think that description is too broad.

Tailored Access Operations, sometimes called Defense Tailored Access Operations, is part of S3 (Data Acquisition) in the Signals Intelligence Directorate.  It is made up of six subordinate elements (branches):

  • S321:  Remote Operations Center (ROC)
  • S323: Data Network Technologies (DNT)
  • S324: Telecommunication Network Technologies (TNT)
  • S325: Mission Infrastructure Technologies (MIT)
  • S327: Requirements & Targeting (R&T)
  • S328: Access Technologies Operations (ATO)

The Remote Operations Center is the primary CNE operation of the U.S. government for gaining access to, and intelligence from, computer networks in direct support of cyber security and network warfare missions.  It is made up of the following divisions:

  • NOC: Network Ops Center
  • ORD: Operational Readiness Division (Training)
  • IOD: Interactive Ops Division
  • POD: Production Ops Division
  • AOD: Access Operations Division

The Network Warfare Team (NWT) provides liaison between the military and TAO.

Two tool development organizations are also subordinate to TAO:

  • TNT: Telecommunications Network Technologies
  • DNT: Data Network Technologies

Fusion Centers and the Homeland: Shouldn’t Somebody Say Something?

“Homeland security begins with hometown security, and fusion centers play a vital role in keeping communities safe all across America,” homeland security commandant Janet Napolitano said at the government-sponsored National Fusion Center Training Event held in Phoenix, Arizona last week.

Amid controversy over the federal government’s spending on lavish conferences (hence the rapid deployment of the name training event), Napolitano’s obsession with making all of America snitches under her See Something, Say Something campaign, continued controversy over ICE’s secure communities program, and even speculation that the former Arizona governor will step down if Obama wins a second term, no one actually paid attention to the Secretary’s central message.

The “war” on terror, the one over there that was supposed to have been a magnet for terrorists so that America itself would be safe, shows no sign of either ultimate success or conclusion, and it is turning these United States into an even greater battlefield.

Napolitano even says that the threat of home-grown terrorism is “increasing,” and she anchors federal government strategy in turning state-level fusion centers into increasingly essential links between local law enforcement and the Washington intelligence machine.

Secretary of Homeland Security Janet Napolitano, looking stern. Source: AP

I know that Napolitano’s piece of this forever war is the homeland, but who would have thought that eleven years after 9/11, some federal government official could stand up before 600 state and local government intelligence officers cheering them on, and it’s a non-story?

To be fair to the locals, fusion centers represent not just threat early warning; they are also federal support at a time when police budgets are declining, they are a seat at the information table, and they are a new and exotic career pursuit, one that promises the big time.  Under the rubric of “all hazards,” most fusion centers admittedly focus more on everyday crime.  But the funding, and the push, is all about terrorism, and the justification is that there is an abundance of terrorists in our midst.

Terrorists are “not just those coming from abroad we’re concerned about, it’s those that are U.S. citizens – that are home grown, that are right here,” Napolitano declares.

“It can be people who are right here and who we don’t have much knowledge about,” Napolitano said.

Not knowing much about them of course means information collection, Internet stalking, surveillance, even reconnaissance drones at the local level.

Ron Brooks, chairman of the Criminal Intelligence Coordinating Council and a San Francisco-area fusion center official told the Arizona Republic: “We’re worried about the al-Qaida attack, the self-radicalized homegrown extremism attack, the far-right violence, but we’re also worried about everyday crime that impacts our community.”

Brooks says a lot of work needs to be done to educate people about what to look for in their search for the home-grown.  “There are times when we get suspicious activity reported to us by law enforcement or the public, and it really is about how someone is dressing or talking or worshiping, and we push that back and say, ‘That’s not appropriate’…” he says.

But fear not, civil liberties and privacy are all being taken care of: as Napolitano says, there’s an organization at homeland security responsible for it.

And See Something, Say Something is working, according to Napolitano, because the campaign has recently expanded to include partnerships with sports teams, sports leagues, transportation agencies and colleges and universities.  Hooray!

Putting aside my view that there shouldn’t even be something called homeland security – it’s just law enforcement at home, not national security – is Napolitano right that homeland security begins with hometown security?  Are the states even intended to be so intimately involved in national security in the first place?  Isn’t that the fundamental role of the federal government?  The United States has transformed, and we are less secure, and what’s the news?  How much money some agency spends on conferences or the fact that sports leagues are now part of the homeland security reserves…

Catching Insiders Who Threaten the Army

Saw this Army poster and couldn’t help but post it.

How inane, and obvious to the point of almost comical and counterproductive.  You think it might be referring to service members who are Muslims?

New Terrorism Guidelines Represent Further Triumph of Lawyering and an Independent IC

“U.S. eases restrictions on keeping citizens’ data,” The Washington Post broke last night.

“U.S. Relaxes Limits on Use of Data in Terror Analysis,” now says The New York Times.

“U.S. Agencies Allowed to Keep Residents’ Data for Five Years,” says Bloomberg.

“Government Now Allowed to Store Info on Innocent Americans,” says Antiwar.com.

Let the game of telephone begin: liberties stolen; privacy over.

Yesterday, the Director of National Intelligence and Attorney General released what they call “updated guidelines designed to allow NCTC to obtain and more effectively analyze certain data in the government’s possession to better address terrorism-related threats.”

The “Guidelines for Access, Retention, Use, and Dissemination by the National Counter-terrorism Center (NCTC) of Information in Datasets Containing Non-Terrorism Information,” the DNI and Justice Department say in their press release, allow the NCTC to “better protect the nation and its allies from terrorist attacks” while “at the same time protecting privacy and civil liberties.”

The updated Guidelines, the government says, “do not provide any new authorities for the U.S. Government to collect information.”

I received a copy of the new guidelines from the DNI press office at 7:53 PM last night, but I note that the 32 page document is not readily available (as of 9 AM the day after the release) on either the DNI or Attorney General’s websites.

I don’t think there’s a conspiracy here, but I do think if you read the actual document and aren’t familiar with existing guidelines and the ifs, ands, and buts of government regulations, you could easily come away concerned.

And that constitutes the divide, the divide between Washington and the rest of the nation, between the national security imperative and the colloquial understanding of liberty as practiced by the rest of the country.  The usual suspects of the civil liberties industry (and I don’t mean to disparage them) and the anti-government set (from gun-toters to olive-branchers) will decry; talking heads promoting public slumber will counsel calm; the media will muddle.

Meanwhile the government’s lawyers will satisfy themselves and reassure – as they did in their tortured legal justification sanctioning the summary assassination of an American citizen – that it’s all in accordance with applicable laws.  If you’ve got nothing to hide, what’s the problem? the agents of idiocy will bellow.

The NCTC, the actual document says, “shall not access, acquire, retain, use, or disseminate United States person information solely for the purpose of monitoring activities protected by the First Amendment or monitoring the lawful exercise of other rights secured by the Constitution or other laws of the United States.”

Any information received must be reviewed to ensure that it is terrorist-related, the guideline says, that is, “based on the knowledge and experience of counterterrorism analysts as well as the facts and practical considerations of everyday life.”

It’s all pretty straightforward, except that these rules only apply to the National Counter-terrorism Center.  And they leave open possibilities – indeed the likelihood – that the national security establishment will over-reach, that an overzealous someone will bend and stretch the rules and their intent, heck, that this has already been done, is already being done, which is why new Guidelines were required.

The NCTC, the Guidelines say, receives its information from federal, state, local governments and “other sources,” “other entities,” “data providers,” none of whom are named.  Any abuses, in other words, will take place elsewhere.

As long as Washington is lost in its terror war, as long as the intelligence community remains beyond accountability, as long as lawyers justify anything as legal, what is already happening in America will continue to happen.  It isn’t a government conspiracy; it’s an American erosion occurring because we haven’t yet figured out either how to deal with the abundance of information the government feels justified to collect and analyze, or how to deal with the basic criminal threat that terrorism represents.

Those Chinese! Stealing Our Secrets…

Posted on Indeed.com as of March 17, 2012:

Reverse Engineer (TS/SCI Clearance)
Siege Technologies, LLC – Manchester, NH 03101

Siege Technologies is actively looking for cleared engineers and researchers who have expertise in reverse engineering binary software and vulnerability and/or malware analysis. Particular areas of expertise of interest include x86 or Motorola assembly, IDA Pro and other reverse engineering tools (Hex-rays/SoftICE/Ollydbg/etc.), fuzzing, protocol dissection and grammar construction, malware deconstruction, assembly and kernel level software development/experimentation on Windows or embedded platforms and familiarity dealing with complex systems and/or algorithms.

Qualifications

Qualified applicants for this position should include a Bachelor’s degree in Computer Science/Engineering or a related field (or equivalent experience) and an active security clearance. Successful candidates will possess a strong understanding in one or more of the following areas: Operating system fundamentals, including interrupts, threading, virtual memory, device drivers; knowledge and understanding of operating system/kernel internals including stack/heap design and memory layout and management, device drivers, file system/application formats, reverse engineering, modification of existing binaries, and low level software development.

The Enemy Nation of Non-Joiners

This week, in case you missed it, the federal government announced the creation of yet another citizen war reserve organization.  FEMA Corps will be a unit of 1,600 from AmeriCorps’ National Civilian Community Corps who are solely devoted to FEMA disaster response and recovery.  On the surface, it sounds great.  But the surface is way too glossy.

Ever since the Presidential Task Force on Citizen Preparedness in the War on Terrorism, established by George W. Bush just weeks after 9/11, and Operation TIPS (Terrorism Information Prevention System), established in 2002 and then scaled back the same year, the federal government has been struggling with the question of public involvement and mobilization in the war on terror.

In the ways of bureaucracy, every agency of the Department of Homeland Security, and every other department – from the Department of Agriculture to the FBI – have jumped on the bandwagon, and more than two dozen “public-private” partnerships have been created since 9/11.  The NSA has its network of research affiliates in the private sector coding to its specifications to enhance cyber security against outsiders.  The Director of National Intelligence even opened its own Office of Private Sector Partnerships in 2009.  These are not contracts or contractors, though money does flow from the federal government and the cumulative effort I’m sure is a pretty penny from our pockets.

These are volunteer organizations, voluntary efforts, that is, if you think that standing up and singing the national anthem at a public event is optional.

I’ve already written about “whole-of-society” efforts by Northern Command (NORTHCOM) to do its version of nation building on the homeland battlefield and I’m trying to wrap my head around what this boundless effort means.  There are, of course, the standard concerns of privacy, civil liberties, and even the hopeless Washington preoccupation with ‘fraud, waste, and abuse’ (which I liken to the medical establishment’s declaring war on microbes), but somewhere I fear there is also a fundamental reordering of American society, one that places too much emphasis on national security and one that puts too much power into the hands of the federal government.

But most important, in enlisting certain segments of society, people of a certain predilection, many others are left behind.  As a commenter said yesterday in response to my blog, the missions and capabilities of organizations become “predestined” by their very structure.  So after the people who are predisposed to be volunteer firemen, after the businesses that are part of the so-called critical infrastructure cluster under the government umbrella, after ‘good Muslims’ or the civic-minded sign up, the enemy becomes who’s left.  Well, at least who’s left is the universe of dots to search for.

Nowhere is this more obvious than the Obama administration’s weird attachment to its “If You See Something, Say Something™” campaign, which is the citizen-participation counterpart of the Nationwide Suspicious Activity Reporting Initiative.

On some level, this is just a case of a bunch of Boy Scouts and A-students cleaning up and trying to do better than their predecessors – in other words, cleaning up the paperwork for the same ugly effort and then repackaging it as reformed.  But there is also a problem of asking Boy Scouts to run a killing machine.

In the case of See Something, Say Something, the Department of Homeland Security (DHS) goes out of its way to assure that it “respects civil rights or civil liberties by emphasizing behavior, rather than appearance, in identifying suspicious activity.”  That’s part of the smokescreen of accepting the banality of evil.

So, if you see something that doesn’t have anything to do with race, ethnicity, national origin, religious affiliation, beliefs, thoughts, ideas, expressions, associations, or speech, unless it has to do with terrorism – and I’m not joking, that’s what DHS says – report it.

Sound kind of hopeless?  How is someone supposed to figure out the differences?  They aren’t; you can’t.  So you either better enlist in the army of common sense or else we’ll make a note of the fact that you didn’t.

Whistleblower Tribulations

My post yesterday about Thomas Drake was hardly noticed compared to the list of NSA code names I threw out there.  But Drake noticed.

“You have any number of significant errors in your blog, including the fact that no charges by the government were reduced to misdemeanors,” Drake wrote me in an email.  He invited me to meet with him and his attorney.

I thought: What kind of person invites someone to meet with them and their attorney?  And then I remembered: He’s from Washington!   And more important, he’s now a whistleblower, and the maintenance of reputation and scrupulous adherence to the facts is part of the role.

I invited Mr. Drake to correct the record, but haven’t yet heard back.

But this morning, I did hear from a former editor, who tells me that he’s gotten to “know” Drake and his attorney over the past few months, and that I “got some things wrong” in the blog:

“Most importantly, the government’s case failed precisely because their contention that Tom had retained classified documents was falling apart. The judge ruled definitively that he did NOT give classified documents to the reporter. The government was forced to admit that other counts were for documents that had been declassified. And the only remaining count was classified only AFTER it was taken from Tom’s computer, an ex-post facto abuse that so enraged George W’s very own classification czar, William Leonard, that he filed formal complaints against the NSA and the Justice department for claiming documents were classified that contained no secrets. He said, ‘I’ve never seen a more deliberate and willful example of government officials improperly classifying a document.’”

In my former editor’s email, the word “documents” is repeated five times in case I don’t get it.

But I went back and looked at my blog and I never used the word once.  I said classified information, in fact, because I know the difference.  My point was and is that the government – the executive branch – decides.  The criterion – information the release of which would do damage to U.S. national security – is maddeningly vague.  Hence the tug of war with the news media or whistleblowers when the government feels that its secrets have been compromised; in Washington at least, this is a deadly word game.

I can only speak from experience: News organizations and journalists invariably claim (hide behind?) the argument that information they want to publish is in the public domain, that is, that it is already compromised in some way.  I’ve sat in many such discussions and negotiations with government people to demonstrate that some piece or body of information was obtained using open sources.  I’ve listened to editors (and others) argue that the information is “unclassified” and I’ve listened to and watched government people squirm in frustration, trying to explain that just because a piece of paper is stamped “unclassified” or has no markings doesn’t mean its release won’t do harm, that many pieces of paper or information put together make for classified information – the so-called ‘mosaic’ theory – or that circumstances warrant the information not being published.  I’ve listened to editors and security people and lawyers talk past each other for hours because the classification system isn’t perfect and because, well, we are talking about national security, a fairly grandiose and consequential concept.

I’ve also been involved in discussions when classified information was involved, that is, information that the government has actual reason to believe is legitimately classified, and where the news organization can’t really argue that they obtained something already in the public domain.  These are, shall we say, more complicated negotiations, and they are usually resolved by editors agreeing not to publish some detail or fact – even if it is already in the public domain – as a gesture.  Editors like to call it something other than acceding to the government’s demands in order to maintain the balance of power.  The government is invariably unhappy but content that the negotiation at least took place; that the publication in question plays its role and is inside the Washington vortex.

If someone works for the government – or has a security clearance granted by the government – and breaks away from that vortex, takes independent action, the government retaliates.  Whether it’s a former CIA director (John Deutch) accused by the security people of mishandling classified information or a standard issue whistleblower, the bureaucracy can be brutal, unforgiving, and duplicitous.  The Wen Ho Lee case comes to mind.  Government lawyers love to, need to, make examples of people, both to enforce the system of behavioral conformity and create legal precedent.

I’ve dealt with many a whistleblower in the past and the patterns are pretty much the same: the whistleblower feels – feels – all of the inconsistencies and injustices, and wants to tell their story.  But at the same time, as former government employees, as vulnerable targets well aware that journalists will squeeze them dry and throw them away as quickly as the security types will pounce on any additional disclosure of ‘classified’ information, the whistleblower plays this little game of holding closely to their facts.  In some cases, it’s all that they have.

In Washington, in Washington culture, value is measured by information; that’s the power.  Outside Washington, evil government is a better sell.

If I wrote anything in my blog that is factually wrong, I’ll correct it.  I see that what I wrote isn’t pleasing to Mr. Drake.  I wish him the best.

Getting to the Bottom of the Intelligence Community; Is There a Way?

NSA whistleblower Thomas Drake is in the news again, with an interview in Salon and his own blog posting in Daily Kos, rambling on in the way whistleblowers are supposed to do, muddying the waters about the issues, and making a claim about the Obama administration that has found its way into a general indictment levied against President Hope by the disenchanted left: That Obama has gone after whistleblowers and leakers more than Bush ever did.

I doubt that this is true but would be interested in being corrected if someone’s got some facts.

As an executive at the National Security Agency (NSA), Drake was a source for a 2006 Baltimore Sun series about a billion dollar NSA program called Trailblazer, a software system.  Drake alleged that the program did not work, violated Americans’ privacy rights, and that it was inferior to a rival program called Thinthread (NSA code names are actually one word).  He was indicted on numerous felony counts of espionage before the prosecution decided to reduce the charges to misdemeanors.

Drake says in his blog posting this week “that the Obama Administration is engaged in an unprecedented war against whistleblowers and the 1st Amendment and using the Espionage Act (a World War I era statute designed to go after spies and not whistleblowers), as a bludgeon to target, investigate, prosecute and indict those revealing government war crimes, abuses of power, illegalities and wrongdoing – both within and without the government.”

Salon says rather casually that Drake never disclosed classified information.  Drake opines that “it is not a crime to reveal government wrongdoing to a reporter.”

The problem with Salon’s characterization and Drake’s bluster is that they are both wrong.

What is classified information is what the government decides is classified.  A $10 billion industry exists to classify information and guard it, and unfortunately, they decide.  National security information is classified based upon Executive Order and government regulations, not law, and the courts have consistently declined to second guess the executive branch on these matters.

Hence, a government employee, particularly one like Drake who held high level clearances and signed non-disclosure pledges, should know better, and is guilty of something.  It’s not quite espionage, but there are plenty of other ways the government could choose to prosecute him: on special laws protecting communications security, on issues of stolen government property, on violations of his pledges.

Drake seems to think that because he leaked classified information about a program to a reporter – revealing, as he likes to say, “waste, fraud, and abuse” — somehow the information is automatically not classified and protected by whistleblower protection statutes.  Again he is wrong on all counts.

[Updated March 14, 2012:  Drake's lawyer points out that Drake was not charged with leaking classified information, that he was charged with "improper retention of ... allegedly classified information."  I stand corrected.]

The reason why the case fell apart is that Drake just happens to also be protected, protected by the news media and vague concepts about the First Amendment, protected by Congressional supporters, protected by a certain American aesthetic about government malfeasance and overreach, and most important I guess, even protected by his very inside knowledge, what the intelligence community calls ‘graymail,’ his knowledge of even more classified information that might come out if the government were to take him to trial.

Most important, though, in the cycle of whistleblowers and the news media’s squeezing them dry and throwing them away, is that for all of what Drake “revealed,” we really know very little about what NSA is doing.  If you read the Salon interview or the earlier Jane Mayer profile in The New Yorker, you might imagine you understand the battle between the secret programs Trailblazer versus ThinThread.

I don’t, and the reason is that the reporters themselves don’t understand.  Similarly, when The New York Times reported in 2009 from another NSA whistleblower that the code name of an illegal Email program was Pinwale, and that the database was “systematically [creating] archives both foreign and domestic e-mail messages by the millions,” we just don’t know.

Drake describes the NSA as a rogue agency that operates in a black box that the public cannot penetrate.  I don’t know if it’s rogue, but I do know that it’s huge and does operate in a black box.  Congress seems to condone that: It is very big money after all.

Trailblazer, ThinThread, Pinwale: These are just three of hundreds of secret NSA programs, none of which we really know anything about.  I’ve collected a list of current (2012) NSA programs from contracts and work orders, corporate briefings and other documents.  Maybe the news media and Congress and the people should ask what’s going on rather than focus on the messenger, no matter how unfortunately his former intelligence career ended.

Here’s a novel notion: Maybe they are not “fraud, waste, and abuse” at all – maybe it’s just excess and autonomy and misdirection and even a waste of time and money.  We’d never know though if fraud, waste, and abuse remain the only standards by which we are allowed to pry.

NSA Code Names Revealed

The list below covers current NSA (and NSA-contractor) programs (as of March 13, 2012) involved in all aspects of signals intelligence (SIGINT) collection, processing, analysis, dissemination, and storage.  Some are purely administrative programs, some are tools and databases associated with social network analysis, metadata analysis, and target research.  The current focus of NSA’s work seems to be the telecommunications infrastructure, including wireless, optical, electrical, and converged networks.

Current intelligence lingo associated with these programs includes:

  • Dial Number Recognition (DNR)
  • Digital Network Intelligence (DNI)
  • Geospatial Metadata Analysis (GMA)
  • SIGINT Geospatial Analysis (SGA)
  • SIGINT Terminal Guidance (STG)

The Programs

AGILEVIEW:  DNI tool

AGILITY: DNI tool

AIRGAP/COZEN

AIGHANDLER: Geolocation analysis

ANCHORY/MAUI: DNI

ARCANAPUP

ARTEMIS:  Geospatial analysis

ASSOCIATION

AUTOSOURCE

BEAMER

BELLVIEW

BLACKPEARL

CADENCE/GAMUT: Collection mission system for tasking

CHALKFUN

CINEPLEX

CLOUD

COASTLINE

COMMONVIEW

CONTRAOCTAVE

CONVERGENCE

COURIERSKILL:  Collection mission system

CREEK

CREST

CROSSBONES

CPE (Content Preparation Environment):  Reporting tool

CULTWEAVE: SIGINT database

CYBERTRANS

DISHFIRE: DNI

DOUBLEARROW

DRAGONFLY:  Geolocation analysis

Enhanced WEALTHYCLUSTER (EWC)

ETHEREAL: DNI

FASCIA

FASTSCOPE

FOREMAN

GAMUT/UTT

GISTQUEUE

GJALLER:  Geospatial analysis

GLAVE

GLOBALREACH

GOLDMINER

GOLDPOINT

GOSSAMER:  Geospatial analysis

GROWLER: Geospatial analysis

HERCULES:  CIA terrorism database

HIGHTIDE/SKYWRITER:  Desktop dashboard

HOMEBASE

INFOSHARE

JOLLYROGER

KINGFISH:  Geospatial analysis

LIQUIDFIRE

MAINWAY: DNI signals navigation database

MARINA: Database

MASTERLINK: Tasking source

MASTERSHAKE

MAUI/ANCHORY

MESSIAH

METTLESOME: Collection mission system

NEWHORIZONS

NIGHTSURF

NORMALRUN/CHEWSTICK/FALLENORACLE

NUCLEON

OCTAVE: DNI/DNR tool for tasking

PATHMASTER/MAILORDER

PINWALE: DNI database

PANOPTICON

PRESENTER

PROTON:  SIGINT database

RAVENWING

RENOIR:  Visualization tool

ROADBED

SCORPIOFORE/CPE

SHARKFINN

SKOPE:  SIGINT analytical toolkit

SKYWRITER: DNI reporting tool

SNAPE

SPOTBEAM

STINGRAY:  Geospatial analysis

SURREY

TAPERLAY

TAROTCARD

TEMPTRESS: Geolocation analysis

TRACFIN

TRAILMAPPER

TREASUREMAP: DNI visualization tool

TRICKLER

TUNINGFORK/SEEKER: DNI

TURMOIL:  Collection mission system

TUSKATTIRE

TWISTEDPATH

UIS/PINWALE: DNI

UTT: DNR tool for tasking

WEALTHYCLUSTER: Collection mission system

WIRESHARK

WITCHHUNT: Geolocation analysis

XKEYSCORE: DNI collection mission system

YELLOWSTONE/SPLITGLASS