Category: intelligence and stupidity

The problem: the US can’t promise information security to anyone

I’ll be having more to say about the latest Snowdonian revelations as they apply to macro-politics, probably at the Fistful. In the meantime, the document at Le Monde is interesting from a technical point of view.

They mention attacking a PBX – quite a common issue, because a lot of them are proprietary and not very managed and getting at voice calls is high-value. They also mention some attacks involving hacking the end-user PC (obviously), some others that require physical access, and very interestingly, a couple that involve sensing something from a distance.

Specifically, MAGNETIC, DROPMIRE, and OCEAN involve respectively magnetic emanations from computers, similar things from laser printers, and “optical collection from raster-based computer screens”. The first two fall within what is known as TEMPEST, a NATO term for information leaking from computer systems in the radio spectrum and how to prevent it. The US informed its allies about this, up to a point, and NATO created a standard. (They, in their turn, found out from Sir Peter Wright.)

Either the French were in the habit of letting really secret stuff get into non-TEMPEST machines, or the Americans know more about it than they let on and also more than the French suspect. The French are no fools about this stuff; although 70% of the world’s CAPEX on LTE networks in the last two years was in the States, Alcatel snagged most of it. There are, as they say, huge issues about trust.

OCEAN, though, sounds new and interesting. Something similar, VAGRANT, appears to have been used on computer screens at the French embassy in Washington. Overall, the French missions in the US were targeted with malware (HIGHLANDS), with optical observation (VAGRANT or OCEAN), and with an exploit of their PBX (just PBX).

Which reminds me. Remember these posts? Well, over here, we have a discussion of Pakistani worries about cyberwar/information security. I contend that more guarantees of information security would do the avoidance of nuclear war there nothing but good. It would be great if the US, which is a friend-ish to both sides, could help create confidence.

But of course now they can’t. The SIGINT alliances worked because they were both alliances about intelligence and also about security. That implies limits on what the US (or any party to them) could do. So this turned out to be a macro-politics post after all.

We didn’t let Coulson see anything sensitive except for the SIGINT

So Andy Coulson, famously, was subject to a background check by Control Risks before joining Downing St. There was some doubt as to whether he had actually gone through the positive vetting process. Supposedly he had, and he was cleared to see “Strap 1” material. But then it turned out in fact the DVA hadn’t finished the process when he quit and in fact the date he quit fits suspiciously well with the timetable.

OK, so what exactly is “Strap 1” material?

Well, the answer is “this”: a GCHQ program to “stain” jihadis’ computers so that they could be identified even if their IP addresses were obscured by multiple layers of network-address translation or indeed by TOR, revealed in the latest Snowdendump, is classified as UK Top Secret/Strap 1/COMINT.

The fact that it contains COMINT – communications intelligence – automatically flags it as being even more agonisingly secret, and subject to the inter-allied arrangements for the security of signals intelligence product.

two points on Snowden in the UK

Just a couple of points about the British wing of Snowden. First of all, what function does it serve to go begging to the Americans for sums of money that aren’t especially big in the context of a £1.8bn single intelligence budget?

Well, the money is a costly signal that UK cooperation is valuable to the Americans. This legitimises the “NSA ask” in return. And in turn, the “ask” can be used to lobby the rest of government. We must have X, Y, and perhaps even Z because otherwise we’d displease the NSA and they’d pull their contribution…which you would have to replace!

Second, it’s interesting the way the government likes to re-use acronyms. According to Richard Aldrich, GCHQ’s budget line-item for fundamental research in cryptography and computing was called “Methods to Improve” throughout the Cold War. It’s no surprise, then, that “Mastering the Internet” has the same acronym, and probably a fair guess that the new name meant much the same thing but with Internet awesomesauce to impress notorious e-mail printer, Tony Blair.

PRISM. Sometimes it’s easier to solve these things in L

I think it is probably important to direct attention to this post, which contains the only convincing explanation of PRISM I’ve yet seen, including the tiny budget (if it only cost $20m to process everything in Apple, Google, Facebook etc, what do they need all those data centres for), the overt denials, and the denial of any technical backdoor.

Basically, the argument is that PRISM is an innovation in the technology of law rather than the technology of computing, some sort of expedited court order programmed in Lawyer requiring the disclosure of specified data, and perhaps providing for enduring or repeated collection. This would avoid the need to duplicate vast amounts of infrastructure or trawl every damn thing, would stick to the letter of the law, and would help engineers sleep, as it wouldn’t imply creating a vulnerability that could be used by both the NSA and God-knows-who. It would also permit the President and such folk to deny that everyone was being monitored, as of course they are not.

That said, data could be requested on anybody who the court could be convinced was of interest. As the legalities seem quite permissive and anyway the court is a bit of a flexible friend, this means a lot of people. And in an important sense it doesn’t matter. The fact that surveillance is possible is important in itself. Bentham’s panopticon was based on the combination of overt surveillance – the prisoners knew that there was a guard watching them – and covert surveillance – the fact that the prisoners didn’t know at any given moment who the guard might be watching and therefore could not be certain they were not being observed.

The degree to which this was an aim of PRISM must be limited, because it was after all meant to be secret. But it is hard to avoid the conclusion that it’s there.

Something else. I’ve occasionally said that the Great Firewall of China should be seen as a protectionist trade-barrier as much as an instrument of censorship. Huge Chinese Internet companies exist that probably wouldn’t if everyone there used Facebook, Google, etc. Here you see another benefit of it – the Public Security Bureau gets to spy on QQ, but it’s harder for the Americans (or anyone else) to poke around. This may explain why the NSA seems to pick up lots of data from India and much less from KSA or China; you can PRISM for terrorists trying to affect the Indo-Pak nuclear balance and you can’t for Chinese targets.

Borders are always interesting, and this is today’s version.

Iran, of course, does another twist on this. It has a vigorous internal ISP industry, but monopolises international interconnection through a nationalised telco, DCI, that practises serious censorship. However, the same company also sells unfiltered, real Internet connectivity to actors outside Iran, notably in Oman, Pakistan, Iraq, and Afghanistan, almost certainly following Iranian foreign policy goals. DCI has even gone so far as to invest heavily in a new Europe-Middle East submarine cable to add capacity and improve quality (notably by taking a shorter route to Europe, and adding path-diversity against Cap’n Bubba and his anchor). Back in 2006, supposedly, the best Internet service in Kabul was in the cybercafe they installed in the Iranian embassy’s cultural centre.

(A starter-for-ten. Has anyone else noticed that the major cloud computing providers, Amazon Web Services, Salesforce/Heroku, Rackspace et al, aren’t mentioned?)

Yahoo! has not joined any program in which we volunteer to share user data with the U.S. government. We do not voluntarily disclose user information. The only disclosures that occur are in response to specific demands. And, when the government does request user data from Yahoo!, we protect our users. We demand that such requests be made through lawful means and for lawful purposes. We fight any requests that we deem unclear, improper, overbroad, or unlawful. We carefully scrutinize each request, respond only when required to do so, and provide the least amount of data possible consistent with the law.

The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false. Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive. Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested. Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request.

Yahoo!’s top lawyer, spinning like a top, but basically confirming the notion of PRISM as a surveillance technology implemented in Lawyer.

A very Blairite disaster

So, the Kenyan Police counter-terrorism spokesman has this to say:

“Kenya’s government arrested Michael Olemendis Ndemolajo. We handed him to British security agents in Kenya and he seems to have found his way to London and mutated to Michael Adebolajo,” a Kenyan counter-terrorism spokesman, Muthui Kariuki, told the Associated Press. He added: “The Kenyan government cannot be held responsible for what happened to him after we handed him to the British authorities.”

Assorted relatives and friends seem to think the question is more whether the British had any business asking him questions while he was under the control of the Kenyans, who are alleged to have brutalised him in various ways. Further, the security service’s approach to recruiting informers seems to involve following them around and repeatedly buttonholing them, openly, in the street.

It sounds like an out-take from Four Lions – secret intelligence with a GOLF SALE sign. Perhaps the aim was actually deliberately overt, public, in your face surveillance, rather than recruitment, as a deterrent or an example to others. Either way, I think we can all agree that the situation has not developed to our advantage.

Which reminded me of this classic Daniel Davies post:

young Muslim men are exactly the ones who are vulnerable to being drawn into violent extremist movements, and their parents have both much better information about this happening than we do, and a powerful interest in stopping their sons turning into suicide bombers. In actual fact, [the launch of the CONTEST strategy was] yet another god-damned own goal which had the effect of getting people’s backs even further up.

How could this have been sold better?

Well, it seems to me that if the action that you want to achieve is “hand your children over to us”, the very most obvious message that you need to add to that is “we promise that we will keep them safe”. However, since our government currently has as its policy that it wants to hold people for 90 days without trial, and to extradite them without hearings to the Americans, who in turn might subject them to extraordinary rendition and waterboarding, we are not currently in a position to make that promise. We need to get into a position to make that promise, and fast.

A policy recommendation – if an allied police force catches someone like this, treat it as a consular matter and fetch the guy back to the UK. Then it can be a police matter. Or the secret services could try to persuade him to inform…in secret. Letting the Kenyans or whoever batter him is just as bad and fools nobody. It also makes the UK look duplicitous and underhand as well as ruthless.

I suspect this is better advice than any of the barrage of availability entrepreneurship spewing from the surveillance industry, Hazel Blears, Hitchens Minor 2.0, or the swarm of assorted grant-seeking missiles this sad event has released.

Churchill was wrong for most of his career, you know…

This Ha’aretz piece is interesting for the insight it gives into Israeli policy and especially into process, but also for a couple of other things. Notably, it’s remarkably frank about the Obama administration deliberately trying to stop Netanyahu going to war, and the role of dodgy casino guy Sheldon Adelson in both US and Israeli right-wing politics, and it provides the new information that the Americans have given up on the formal diplomatic channel and concentrated on influencing the Israeli military directly, on a brasshat to brasshat basis. The implied conclusion is that the IDF leadership are interested in external reality while Bibi is too busy being Winston Churchill, and further that they are interested in getting information from the Americans about what their own prime minister is thinking.

Also, Netanyahu considers himself an expert on US politics. The danger here is that the America he is an expert on may not be the same America everyone else is dealing with. If, as I suspect, he is getting a lot of his information from his Republican contacts, he’s living in an alternate universe. In so far as people like Sheldon Adelson are impressed by US politicians who know Bibi Netanyahu personally, his contacts are literally being paid to tell him what he wants to hear. It’s ironically similar to Bush before the Iraq war, just with the stove-pipe reversed.

However, I was astonished by this quote:

While the Fifth Fleet of the U.S. Navy is operating in the Straits of Hormuz, just as the Pacific Fleet was anchored at its home base near Honolulu on the fateful morning of December 7, 1941, the two instances are not really comparable.

Well, no, they’re not, are they? Some tabloid journalists keep a few paragraphs of general-purposes “sexy” in a file they can drop into a story as required and just change a couple of parameters to fit. This sounds like the same thing, but with Churchill!

Meanwhile, Colin Kahl, and this. It does look like there’s a coordinated push-back against the bullshit, which is good news for those of us who remember 2002. The US Navy bombs Iran…with love. Of a purely Platonic form between comrades of the sea. Oops. While also bringing the carrier back.

US policy does look like it’s trying to achieve three goals – 1) no war with Iran, 2) reassure the GCC countries (so they don’t start one), 3) restrain the Israelis (without pressing so hard they freak and start one). These are partly contradictory, but then what isn’t? Certainly, the combination of being ostentatiously nice to Iranian sailors while also sailing a giant carrier up and down the Gulf does fit the needs of 1) and 2).

a short telegram, or a very long tweet

Everyone’s linked to Mark Perry (of Conflicts Forum/Alistair Crooke fame)’s piece on Israeli spooks running around Baluchistan posing as the CIA already, but I will too as it’s very interesting indeed. I’m not sure what their bag in this is, other than the notion of “always escalate” and hope to profit from the general confusion.

But what’s really interesting is what the story is doing out there now. Here’s Laura Rozen’s write-up, which introduces the suggestion that they may have represented themselves as being from NATO and notes that a leader of the organisation said as much on Iranian TV before being executed. Meanwhile, the Iranians write to the Americans accusing the CIA of being behind the assassination of another nuclear scientist.

On Twitter, she suggests that the scientist wasn’t killed by the Americans (i.e. presumptively by the Israelis, or by people working for them wittingly or otherwise), and that this was staged specifically to queer the possibility of reviving the Iran-Turkey uranium swap deal. (You do wonder what George F. Kennan would have made of diplomatic tweeting.) Further, we know that a back-channel has been set up.

Disclosing information about the Israeli operation in Baluchistan might be a smart way of establishing trust between the US and Iran. Obviously, information about terrorists running about blowing stuff up and killing people is of value to Iran. Information that it’s the Israelis is obviously congenial to Iran. Crucially, burning an Israeli spy network is costly to the Americans and not something they would do lightly (the Perry piece is a monument to important people trying all they could to do nothing). In that sense, it is a meaningful signal – much more convincing than mere words. Presumably, Perry’s role at Conflicts Forum and with Arafat makes him a convincing postman into the bargain. And third-party spies are just the sort of thing that enemies can bond over. I recall reading about the IRA and the UVF staging a joint investigation to find informers in the early 1970s.

Another dose of speculation – if Baluch rebels were meeting with people who they thought were from NATO, was this plausible because NATO was in fact paying them off to leave the Karachi-Quetta-Kandahar supply route alone?

The intersection of electronic warfare and mall management

Here’s something interesting. You may remember this story from back in November about the CIA spy network in Lebanon that met at a Pizza Hut they codenamed PIZZA, and which was rolled up by a joint Hezbollah-Lebanese military intelligence investigation. The key detail is as follows:

U.S. officials also denied the source’s allegation that the former CIA station chief dismissed an email warning that some of his Lebanese agents could be identified because they used cellphones to call only their CIA handlers and no one else.

Lebanon’s security service was able to isolate the CIA informants by analyzing cellphone company records that showed the numbers called, duration of each call and location of the phone at the time of the call, the source said.

Using billing and cell tower records for hundreds of thousands of phone numbers, software can isolate cellphones used near an embassy, or used only once, or only on quick calls. The process quickly narrows down a small group of phones that a security service can monitor.

If the top paragraph is true, it would have been catastrophically ill-advised. Even somebody special, like a CIA agent under diplomatic cover, has a relatively large number of weak ties to normal people. This is the reverse of the small-world principle, and is a consequence of the fact that the great majority of people are real human beings rather than important persons. As a result, things like STELLAR WIND, the illegal Bush-era effort to analyse the whole pile of call-detail records at AT&T and Verizon in the hope that this would find terrorists, face a sort of Bayesian doom. We’ve gone over this over and over again.

However, phone numbers that only talk to special people are obviously suspicious. Most numbers with a neighbourhood length of 1 will be things like machine-to-machine SIMs in vending machines and cash points, but once you’d filtered those out, the remaining pool of possibles would be quite small. It is intuitive to think of avoiding surveillance, or keeping a low profile, but what is required is actually camouflage rather than concealment.
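As an added illustration of the filtering the quoted article describes (this is example code written for this page, not anything from the post, the article, or any security service), here is a small Python script that runs the “neighbourhood length” idea over a handful of constructed call-detail records: it builds the contact graph, counts distinct counterparties per number, flags the numbers with exactly one contact, drops the ones whose only contact is a known machine-to-machine service (an assumed allow-list standing in for the vending machines and cash points), and then groups the survivors by the single peer they share. The numbers, cell ids and the M2M list are all made up for the example.

```python
from collections import defaultdict

# Constructed sample call-detail records (not real data): caller, callee,
# duration in seconds, serving cell id. +1000000xx are ordinary subscribers
# with the usual tangle of weak ties; +100000009 plays the "handler" role;
# +199000000 is a machine-to-machine service number (assumed, e.g. a
# vending-machine back end).
SAMPLE_CDRS = """\
+100000001,+100000002,120,cell-A
+100000001,+100000003,45,cell-A
+100000002,+100000003,300,cell-B
+100000002,+100000004,60,cell-B
+100000003,+100000004,15,cell-C
+100000004,+100000001,200,cell-C
+100000005,+100000002,20,cell-A
+100000005,+100000003,25,cell-A
+100000005,+100000004,30,cell-A
+100000006,+100000009,40,cell-D
+100000006,+100000009,35,cell-D
+100000007,+100000009,50,cell-D
+100000008,+199000000,5,cell-E
+100000008,+199000000,4,cell-E
"""

# Assumed allow-list of known machine-to-machine service numbers.
M2M_SERVICE_NUMBERS = frozenset({"+199000000"})


def parse_cdrs(text):
    """Parse comma-separated CDR lines into (caller, callee, duration, cell) tuples."""
    records = []
    for line in text.strip().splitlines():
        caller, callee, duration, cell = line.strip().split(",")
        records.append((caller, callee, int(duration), cell))
    return records


def contact_graph(records):
    """Undirected contact graph: each number maps to the set of numbers it has spoken to."""
    contacts = defaultdict(set)
    for caller, callee, _duration, _cell in records:
        contacts[caller].add(callee)
        contacts[callee].add(caller)
    return dict(contacts)


def neighbourhood_sizes(contacts):
    """The post's 'neighbourhood length': number of distinct counterparties per number."""
    return {number: len(peers) for number, peers in contacts.items()}


def isolated_numbers(contacts, m2m_numbers=frozenset()):
    """Numbers whose neighbourhood has exactly one member, minus M2M noise.

    A number that is itself an M2M service, or whose sole contact is one,
    is dropped: those are the vending machines and cash points that the
    post says make up most of the degree-1 pool.
    """
    flagged = {}
    for number, peers in contacts.items():
        if len(peers) != 1:
            continue
        (peer,) = peers
        if number in m2m_numbers or peer in m2m_numbers:
            continue
        flagged[number] = peer
    return flagged


def group_by_shared_peer(flagged):
    """Cluster the degree-1 numbers by the single number they all talk to."""
    groups = defaultdict(list)
    for number, peer in flagged.items():
        groups[peer].append(number)
    return {peer: sorted(numbers) for peer, numbers in groups.items()}


if __name__ == "__main__":
    records = parse_cdrs(SAMPLE_CDRS)
    graph = contact_graph(records)
    print("neighbourhood sizes:", neighbourhood_sizes(graph))
    flagged = isolated_numbers(graph, M2M_SERVICE_NUMBERS)
    print("degree-1 numbers after M2M filter:", flagged)
    print("grouped by shared peer:", group_by_shared_peer(flagged))
```

On this toy data the ordinary subscribers end up with three or four counterparties each, while two numbers survive the filter and both point at the same peer, which is exactly the small pool the article says “a security service can monitor”. That is the point of the post’s camouflage remark: a phone with a normal-looking neighbourhood sinks back into the crowd, whereas one with a neighbourhood of exactly one stands out no matter how carefully it is otherwise hidden.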

There are more direct methods – which is where electronic warfare and shopping mall management intersect.

Path Intelligence, a Portsmouth-based startup, will install a network of IMSI-catchers, devices which act as a mobile base station in order to identify mobile phones nearby, in your shopping centre so as to collect really detailed footfall information.

Similarly, you could plant such a device near that Pizza Hut to capture which phones passed by and when, and which ones usually coincided. Alternatively, you could use it in a targeted mode to confirm the presence or absence of a known device. Which makes me wonder about the famous Hezbollah telecoms network, and whether it was intended at least in part to be an electronic-intelligence network – as after all, nothing would be a better cover for a huge network of fake mobile base stations than a network of real ones.

Meanwhile, this year’s CCC (like last year’s) was just stuffed with GSM exploits. It really is beginning to look a lot like “time we retired that network”.

Now that’s what I call lobbying

In the recent case of Liam Fox and Adam Werritty, there was an issue that the news media spent an enormous amount of time and effort dancing around with innuendo, newspaper code, and carefully lawyered prose. It is a fact that the word “lawyered” is to the word “lawyer” as the word “doctored” is to the word “doctor”. Without understanding this hidden and sordid side of the issue, you would have been seriously misinformed. The matter was very sensitive, and there was an excellent chance of getting sued and probably also demonised as being deranged by shameful prejudices.

I refer, of course, to whether or not the Defence Secretary’s private office was having unprotected sex with other defence secretaries’ private offices.

It took a while to surface this at all – the Guardian let a wee squeak out on Thursday, and eventually it was the Sindy that took the plunge and surfaced it in the same way you surface a submarine, with an enormous roar of compressed air thundering into the ballast tanks under pressure while the nuclear reactor cranks up to full power. It’s a must read.

The fact that Werritty’s freebies included trips to the Herzliya Security Conference paid for by pro-Israeli lobbying groups should have been a screaming giveaway, but then, that’s what a good cover story is for. I presume that was what the Sindy eventually followed up.

I mentioned this element of the story to Daniel Davies earlier in the week. I can offer no special insight except for the enduring value of pattern recognition. This has, after all, happened before in recent memory, with really bad consequences.

Consider Mr. Michael Ledeen and the affair of the weapons of mass destruction. Mr. Ledeen, a professional neoconservative, claimed to have intelligence about Iraqi efforts to acquire uranium and various other things, which came from his contacts in Iran, some of whom were recommended to him by his contacts in Israel, one of whom, Larry Franklin, was convicted of spying for Israel in the US State Department. Ledeen believed these contacts to be renegade members of the Iranian secret service. (He had never visited Iran, and I think to this day never has, and he doesn’t to the best of my knowledge speak Persian, so how he would have known is beyond me.) The CIA, for its part, believed that this was partly true. They just disagreed with the “renegade” bit. But Donald Rumsfeld had deliberately decided to ignore the CIA, so Ledeen’s intelligence was accepted. However, that wasn’t the end of the story. At some point, the Department of Defense became suspicious and called in its own Counter-Intelligence Field Activity to investigate.

At this point, a thick curtain of secrecy was drawn down on the story, even if we did eventually get the Phase IIA report. Whatever CIFA found out, Ledeen was able to introduce the famous forged documents on uranium from Niger, which seem to have come from the Italian secret service, as being Iranian information with Israeli approval, and this was used in the even more famous dossier.

I wouldn’t be at all surprised if old blogging chum from way back in the day, 2004, Laura Rozen hasn’t also had this thought, as she was instrumental in digging into the whole Ledeen affair and she’s too smart to miss it. Also, hilariously, she and Spencer Ackerman had the honour of being targeted by Ledeen’s mates in Silvio Berlusconi’s intelligence service with a scurrilous smear-campaign. I should probably hat-tip the lady’s Twitter feed.

Note the elements of the story. Ledeen is a semi-official adviser with special, privileged access to policymakers. He is outside the formal requirements of government service, but has access inside it. He is seen to have special access to an important ally, and therefore to be trustworthy. A third party observed this, and took advantage of it to introduce information (or rather, disinformation) into the policymaking system. Does anybody see a pattern here? Similarly, Werritty was offered privileged access from outside the government firewall because he was ideologically congenial. It seems that this was considered acceptable because the influence exerted came from a country considered friendly. But then, there were the rogue Iranian intelligence agents, or were they just ordinary Iranian intelligence agents?

In May 2009, Mr Werritty arranged a meeting in Portcullis House between Mr Fox and an Iranian lobbyist with close links to President Ahmadinejad’s regime. In February this year, Mr Werritty arranged a dinner with Mr Fox, Britain’s ambassador to Israel, Matthew Gould, and senior political figures – understood to include Israeli intelligence agents – during an Israeli security conference in Herzliya, during which sanctions against Iran were discussed. Despite Mr Werritty having no official MoD capacity, an Israeli source said there was “no question” that Mr Werritty was regarded as anyone other than Mr Fox’s chief of staff who was able to fix meetings at the highest levels, and was seen as an “expert on Iran”.

Well, at least Werritty actually went to Iran. Unfortunately this is the worst of the story, as it seems he was going round encouraging Iranian dissidents, or people he thought were Iranian dissidents, and promising them British support. This is really incredibly, shamefully irresponsible – he could have got people killed, and it cannot be ruled out that he did, although it’s also quite possible that the whole affair was just a massive exercise in bullshitting and wanktankery.

Probably he really believes that he was in contact with the opposition. I’m fairly sure Ledeen doesn’t think he’s an Iranian agent either. This is where this classic Onion article comes into play. As I said at the time, why *do* all these Iranian agents keep sucking Michael Ledeen’s cock?

It is all reminiscent of Bruce Schneier’s thoughts on what happens if you create a backdoor into some computer system, so people like us can get in and out without anyone noticing. The problem is that once you do that, it immediately becomes the biggest security threat to the system as anyone else can use it too. Once this new interface to the MoD was created, with Werritty accepting connections from the wider Internet and forwarding them to Fox, of course it attracted dubious actors. Hence the parade of various people trying to sell aircraft spares and dodgy encryption software to the military or to get someone’s knighthood expedited.

For my next trick, what parallels do you see between Werritty’s role with Liam Fox and those of Andy Coulson and Neil Wallis with No.10 Downing Street and the Metropolitan Police (and of course the Conservative Central Office) respectively? Remember that both of them were at various times funded by third parties. Further, is it not interesting that the same key Conservatives who defended Coulson to the bitter end – George Osborne and Michael Gove – also tried to save Liam Fox? (Jonathan Freedland seems to have sensed something here – check out the reference to “Cheneyite Tories”.) And is it not even more interesting that George Osborne actually recommended Andy Coulson for the job? And is it not completely fucking outrageous that William Hague, Atlantic Bridge board member and Foreign Secretary (I think this is the right order of precedence), dares to claim that proper Cabinet government is back in the midst of this berserk threat-chaos?


I’m not quite as sceptical as some about this. However, it’s not clear to me how this differs from the sort of thing UNOSAT does all the time – here’s their analysis of imagery over Abyei, the key border area between North and South Sudan. Actually it looks like the “Enough Project” is going to be using UNOSAT imagery itself, going by UNOSAT’s own website.

If you follow the link you’ll see that they have more than reasonable capability (50cm resolution) and that they routinely observe the presence of refugees/displaced persons and returnees, construction, and the like. There’s obvious relevance to an effort to monitor potential conflict along the border, especially as oil prospecting is an issue. You can’t easily hide oil exploration from a satellite that can resolve objects 50cm across.

However, the downside is that the UNOSAT report is comparing images over a two-year period. I would suspect that they will need much more frequent passes to be operationally responsive, which is where the costs get interesting.

Also, I’ve just been over to the website and it’s a bit of an unstructured clickaround. What I’ve always liked about MySociety sites is that they all have a function – FixMyStreet reports things in your street that need fixing, WDTK issues Freedom of Information Act requests, TWFY looks up information on MPs, TheStraightChoice logged what candidates promised and said about each other during their campaigns. DemocracyClub, for example, worked because as soon as you logged in it gave you something to do and some feedback about doing it, and then it hassled you to do something more. It had structure.

Notoriously, if you don’t give volunteers something to do as soon as they show up, they’ll wander off. It is nowhere easier to wander off than on the Internet. And so there’s a button to twitbookspace it and a donation link. There isn’t, however, a to-do list or, say, a list of pairs of images that need comparing.