7 October 2016 - I call it the “fog of cyber war”. In an era where everyone is amped up about cyber attacks, “other Snowdens”, etc., a lot of first impressions are tinged with paranoia and misinformation, or are just flat-out wrong. I don’t know what to do about this except to say that, as with other dramatic events like mass shootings, it’s best to take first reports with a giant grain of salt.
For instance, last week we were told that Harold T. Martin III, the contractor arrested by the F.B.I. on Aug. 27th, brazenly violated basic security rules, taking home a staggering quantity of highly classified material. He had been doing this undetected, agency officials were chagrined to learn, since the late 1990s. He was “another Snowden”.
Except now intelligence officials say they have not been able to definitively connect Martin to any of the leaked documents. So that means there is at least one more leaker still at large. For a list of the “not Snowden” leaks, see the end of this post.
And in another story we are told via Reuters that Yahoo! searched emails for the NSA.
I am fortunate. I have been a long-time member of InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the U.S. Federal Bureau of Investigation. It is an association of individuals that facilitates information sharing and intelligence between businesses, academic institutions, state and local law enforcement agencies, and other intelligence community participants. That membership, coupled with my LinkedIn intelligence community groups and ties to the Munich Security Conference, allows me to run a check on many of these “cyber stories” via my network.
So some points made by my network:
- The press seems confused. Yahoo “secretly built a custom software program to search all of its customers’ incoming emails”. And Yahoo “secretly built a custom software program to scan hundreds of millions of Yahoo Mail accounts”. Well? Which is it? Did they “search incoming emails” or did they “scan mail accounts”? Whether we are dealing with emails in transit, or stored on the servers, is a BFD (Big Fucking Detail) that you can’t gloss over and confuse in a story like this.
- Several articles note that “some surveillance experts” said this represents the first case to surface of a U.S. internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time. Who are these “some surveillance experts”? We are never reluctant to get our names out there. Why is the story keeping their identities secret?
- The ex-Yahoo employees who “talked”. Are they whistleblowers?
- Without seeing the court order on which this is all based it cannot be known what information intelligence officials were looking for, only that they wanted Yahoo to search for a “set of characters”. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
- Hmm … “set of characters”? Is this an exact quote from somewhere? Or something the author of the story made up?
- These “requests” normally come in the form of a classified edict sent to the company’s legal team. But the question is: in what form? An NSL? A FISA court order? What?
- As an intelligence expert I already know about the NSA/FBI’s ability to ask for strong selectors (email addresses). What we don’t know about is their ability to search all emails, regardless of account, for arbitrary keywords/phrases. If that’s what’s going on, then this would be a huge story. But the story doesn’t make it clear that this is actually what’s going on — it just strongly implies it.
- Possibles: the government may simply be demanding that when Yahoo satisfies demands for emails (based on email addresses), that it does so from the raw incoming stream, before it hits spam/malware filters. Or, they may be demanding that Yahoo satisfies their demands with more secrecy, so that the entire company doesn’t learn of the email addresses that a FISA order demands. Or, the government may be demanding that the normal collection happen in real time, in the seconds that emails arrive, instead of minutes later.
- This might be a DHS cybersecurity information sharing program that distributes IoCs (indicators of compromise) to companies under NDA. Because it’s a separate program under NDA, Yahoo would need to set up an email malware scanning system separate from their existing malware system in order to use those IoCs. For more, just follow @declanm’s stream on Twitter.
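To make the distinction in the points above concrete (a strong selector tied to an account, versus a “set of characters” that has to be run against every inbound message, including decoded attachments), here is an added example. It is not code from the original post, from Yahoo, or from any government program; the three messages, the selector and the search string are all constructed for illustration, and it uses only the Python standard library.

```python
"""Selector-based targeting vs. arbitrary content scanning of an inbound mail stream.

Added example, not code from the original post, Yahoo or any agency. The messages,
addresses, selector and search string below are constructed and hypothetical.
"""
import base64
import email
from email.utils import getaddresses
from typing import Iterable, List, Tuple

# Constructed inbound messages, as they would look on the SMTP side before any
# spam/malware filtering. The third one carries a base64-encoded attachment.
ATTACHMENT_B64 = base64.b64encode(b"meeting at the usual place: ZEBRA-7731").decode()

RAW_MESSAGES = [
    (
        "From: alice@example.org\r\nTo: target@example.net\r\n"
        "Subject: lunch\r\nContent-Type: text/plain\r\n\r\nSee you at noon.\r\n"
    ),
    (
        "From: bob@example.com\r\nTo: carol@example.com\r\n"
        "Subject: plans\r\nContent-Type: text/plain\r\n\r\nCode word is ZEBRA-7731.\r\n"
    ),
    (
        "From: dave@example.com\r\nTo: erin@example.com\r\n"
        "Subject: doc\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
        "--B\r\nContent-Type: text/plain\r\n\r\nattached.\r\n"
        "--B\r\nContent-Type: application/octet-stream\r\n"
        'Content-Disposition: attachment; filename="notes.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n" + ATTACHMENT_B64 + "\r\n--B--\r\n"
    ),
]

SELECTORS = {"target@example.net"}   # hypothetical "strong selector": one account
SEARCH_STRING = "ZEBRA-7731"          # hypothetical "set of characters"


def _addresses(msg) -> set:
    """Every address in From/To/Cc, lower-cased."""
    hdrs = [msg.get(h, "") for h in ("From", "To", "Cc")]
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def selector_matches(msg, selectors: Iterable[str]) -> bool:
    """Targeted collection: does this message involve a listed account?
    Only headers are inspected; the body is never read for non-targets."""
    return bool(_addresses(msg) & {s.lower() for s in selectors})


def content_matches(msg, needle: str) -> bool:
    """Arbitrary content scan: does the string appear anywhere in the decoded
    body or attachments? This has to run over every message, whoever owns the
    account, which is exactly the capability the reporting leaves ambiguous."""
    needle_b = needle.encode()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / QP
        if needle_b in payload:
            return True
    return False


def triage(raw_messages, selectors, needle) -> List[Tuple[int, bool, bool]]:
    """Return (index, selector_hit, content_hit) for each inbound message."""
    out = []
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw)
        out.append((i, selector_matches(msg, selectors), content_matches(msg, needle)))
    return out


if __name__ == "__main__":
    for i, by_selector, by_content in triage(RAW_MESSAGES, SELECTORS, SEARCH_STRING):
        print(f"msg {i}: selector={by_selector} content={by_content}")
```

Run as-is, the selector check hits only message 0 (the targeted account) and touches no other customer’s content, while the character-string scan hits messages 1 and 2, neither of which involves the selector, and only finds the second of those because it decodes the base64 attachment first. That is why “search all arriving messages for a set of characters” and “collect mail for these addresses” are not the same program, and why the story’s conflation of the two matters.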
Bottom line: the story is full of mangled details that really tell us nothing. We can come up with multiple, unrelated scenarios that are consistent with the content in the story. The story certainly doesn’t say that Yahoo did anything wrong, or that the government is doing anything wrong (at least, wronger than we already know).
BUT … I’m convinced the government is up to no good, strong arming companies like Yahoo into compliance.
Some of the leaks/disclosures recently made, none of them attributable to Edward Snowden:
Dec. 29, 2013 A catalog containing tools and techniques used by the National Security Agency’s hacking division was published by Der Spiegel, a German magazine.
June 23, 2015 A list of eavesdropping targets from France and intercepted communications were released by WikiLeaks and news media outlets.
July 1, 2015 A list of eavesdropping targets from Germany and intercepted communications were released by WikiLeaks and news media outlets.
July 4, 2015 WikiLeaks released a list of eavesdropping targets from Brazil.
July 31, 2015 A list of eavesdropping targets from Japan and intercepted communications were released by WikiLeaks and news media outlets.
Feb. 23, 2016 Intercepted communications and a list of eavesdropping targets from the European Union, the United Nations and Italy were released by WikiLeaks.
Aug. 15, 2016 A group called the Shadow Brokers released online the top-secret computer code used to hack into the systems of foreign governments.