Easy Comey Easy Goey

What’s really going to tangle up the opposition is that the stated reason for firing Comey is a perfectly good reason to fire Comey, except that it happens not to be why they’re firing Comey.  He praised the damn letter to high heaven at the time.  It would strain even the credulity of the estimable Dr Pangloss to believe that he has suddenly done a 180 and come round to believe that the violations of due process that contributed so much to his victory are in fact violations of due process.  This is the platonic ideal of tail wags dog: he wanted to fire Comey, and so they found the only remotely plausible justification.  As in the case of all of the intemperate CIA hyperventilation about Assange, however, many Democrats agree that Comey deserves the boot – it may not be nearly so unpopular as it looks from here in the Tidal Marsh.

Do not delude yourself: there won’t be a special prosecutor.  The commentariat has got to quit pretending that there might be.  There won’t be a special prosecutor because the AG (or deputy AG) has to appoint one, and they’re the ones who recommended Comey’s dismissal in the first place.  Failing the AG’s office, Congress could technically have one appointed by passing a law that moved the appointment process out of the AG’s office, but it would have to get past a veto.  The story is not that Ben Sasse got out there like a real person and threw a fit.  The story is that aside from those few people who have not had their spines surgically removed, Republicans are circling the wagons, no doubt a difficult feat for the boneless.  Mitch McConnell is already whoring himself out to the White House.  That 2/3rds vote doesn’t exist.

The firing of Comey is a political crisis, not a constitutional one, but it’s still an existential threat to the separation of powers and the rule of law.  The regime will survive it.  Jack Shafer is funny and also right: Trump is the Teflon Man, and this can get off the front pages fast if he does something sufficiently spectacular elsewhere as a chaser.  I dare not speculate what that might be.  In Congress, this is going to degenerate into partisan warfare that will make the Benghazi hearings look like the Year of Jubilee.  Elsewhere, the Beltway Buzz, or rather the Beltway My-Phone-Is-On-Vibrate-Because-I’m-In-Class-Stop-Texting-Me-Oh-My-God, informs me that the rank-and-file FBI are not amused.  There may be leaks on the scale of a major hull breach impending.  Not that that helps: it’ll just degrade the rule of law faster.

And fuck you, Lavrov.

Lying under OAUTH

I don’t like this new thing where I’m going about my own damn business and suddenly end up on the front lines of the hybrid war, but that’s the cyberpunk dystopia we live in now.  Like nearly everyone inside the Beltway, my workplace got hit with the Google Docs OAUTH worm yesterday afternoon around 1500.  Thanks to Zeynep Tufekci’s efforts on Twitter, I was wise to it well before we actually saw one, and I managed to head my idiot comrades off from clicking on any of them.  I left work in a stew, went to the gym in a stew, failed to bench-press Putin’s equivalent in grubby metal plates, and then found myself speculating wildly this morning in a Twitter thread, but since I always end up yelling GET A BLOG at inveterate threaders (lookin’ at you, Jeet Heer), I’m moving this over here where it belongs.  Anyone all like “Weasels, dude, what the fuck are you talking about?” should 1. stop living under such a rock and 2. read this.

It’s much too early for attribution, of course, but last time something like this happened, it came from APT28, who, as you may recall from my It Was The Russians attribution roundup post a few weeks ago, are the Russians.  While I should probably wait for further information from those who saw the landing page while there was still a domain to WHOIS, I’m inclined to believe this was intel collection— not necessarily from Moscow— until we have some negative confirmation.  What little I’ve seen of the WHOIS data (Google nuked everything before I got to clap eyes on the genuine article) shows the domains were all registered before TrendLabs’ report on APT28’s use of faux-Google OAUTH exploits.  The apparent targets are consistent with the intel theory, as is the technique, if you look at it from a spyish angle instead of a hackish one.

The best argument against a state-level actor is that the phish was a dragnet.  Past OAUTH worms and other phishing campaigns from APT28 and Friends have overwhelmingly been spearphishes.  By contrast, this looks to many people like it could be a bunch of rubes looking to make a buck.

Yeah.

Sure.

Tell me another one.

The targets involved were media, feds, NGOs, contractors, and apparently academia.  The business sector only seems to have caught it second hand.  This is consistent with the interests of an intelligence service, but not with financial motives.  It’s still unclear where it began, but according to the above Gizmodo article, EFF thinks it may have started at Buzzfeed.  My own first hint of incoming fire was chatter early yesterday afternoon about a Google docs phish affecting journalists and media companies.  I put out some feelers and started hearing about it directly from friends in politics and the media around 1400 yesterday.  In DC it spread fast, like the bubonic plague-themed illustration of exponential growth that my middle school algebra teacher put on for the edification and amusement of a bunch of morbid eighth graders, hopping from journalists onto government networks and thence to NGOs and the private sector.  The ones I saw all came from a compromised address at USAID.

Now, the hard part of a spearphish is the intel-gathering that has to happen beforehand.  Public-facing social media will only tell you so much.  You’re not going to find out about a journalist’s confidential sources there, and many feds avoid real-name social media entirely, because of the inherent opsec problem.  If only there were an easy way to map social networks in Washington so you could narrowly focus your OSINT efforts on the likeliest victims.

Enter a malicious Google app that siphons up your contacts and blasts itself out to your entire network.  That Mailinator address, presumably intended to detect whether the messages sent successfully, was CCed for every single hop the phish made between accounts.  Someone has that full dataset somewhere, even though Google nuked the app and the related domains, and is making it into a lovely network graphic with pretty colors and all.
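The propagation described above leaves the same trail in a mail gateway’s logs that the attacker’s Mailinator CC collected, and a defender can read it back the same way to work out which accounts granted the app consent and who was merely exposed.  The following is an added example, not code from this post: the log format, the example-ngo.org domain and the beacon address are constructed, and the two indicators used (a Mailinator CC plus a document-share subject line) are assumptions standing in for whatever the real messages carried.

```python
import re
from datetime import datetime, timezone

# Constructed sample of mail-gateway log lines (not real traffic).  Format is
# an assumption: ISO timestamp | sender | recipients (;) | cc (;) | subject
SAMPLE_LOG = """\
2017-05-03T17:58:12Z | alice@example-ngo.org | bob@example-ngo.org;carol@example-ngo.org | beacon-placeholder@mailinator.com | Alice has shared a document on Google Docs with you
2017-05-03T18:01:40Z | bob@example-ngo.org | dave@example-ngo.org;erin@partner.example | beacon-placeholder@mailinator.com | Bob has shared a document on Google Docs with you
2017-05-03T18:03:05Z | dave@example-ngo.org | alice@example-ngo.org;frank@example-ngo.org | beacon-placeholder@mailinator.com | Dave has shared a document on Google Docs with you
2017-05-03T18:04:00Z | carol@example-ngo.org | bob@example-ngo.org |  | Re: lunch?
2017-05-03T18:10:22Z | grace@example-ngo.org | bob@example-ngo.org |  | Grace has shared a document on Google Docs with you
"""

# Indicators (assumed): the Mailinator CC the post describes, plus the
# share-notification subject.  Both must match; a share subject alone is
# what a legitimate notification looks like too.
MAILINATOR_RE = re.compile(r"@mailinator\.com$", re.IGNORECASE)
SHARE_SUBJECT_RE = re.compile(r"has shared a document on Google Docs", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed pipe-delimited gateway log into message dicts."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, to, cc, subject = [f.strip() for f in line.split("|", 4)]
        messages.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "from": sender.lower(),
            "to": [a.strip().lower() for a in to.split(";") if a.strip()],
            "cc": [a.strip().lower() for a in cc.split(";") if a.strip()],
            "subject": subject,
        })
    return messages


def is_worm_message(msg):
    """True when a message carries both the CC beacon and the share subject."""
    has_beacon = any(MAILINATOR_RE.search(addr) for addr in msg["cc"])
    return has_beacon and bool(SHARE_SUBJECT_RE.search(msg["subject"]))


def compromised_accounts(messages, internal_domain):
    """Internal accounts that SENT a worm hop.  The app only sends from an
    account after that account granted it consent, so each sender is a
    grant to revoke.  Ordered by first send, i.e. order of compromise."""
    first_send = {}
    for m in sorted(messages, key=lambda m: m["time"]):
        if is_worm_message(m) and m["from"].endswith("@" + internal_domain):
            first_send.setdefault(m["from"], m["time"])
    return sorted(first_send, key=first_send.get)


def propagation_edges(messages):
    """(sender, recipient) edges of the worm's own propagation graph, in time
    order: the same dataset the beacon address was harvesting."""
    edges = []
    for m in sorted(messages, key=lambda m: m["time"]):
        if is_worm_message(m):
            edges.extend((m["from"], r) for r in m["to"])
    return edges


def exposed_recipients(messages, internal_domain):
    """Internal recipients of a hop who have not sent one themselves: they
    may still be sitting on the consent prompt, so they get warned first."""
    compromised = set(compromised_accounts(messages, internal_domain))
    exposed = set()
    for _sender, recipient in propagation_edges(messages):
        if recipient.endswith("@" + internal_domain) and recipient not in compromised:
            exposed.add(recipient)
    return sorted(exposed)


def infection_chain(messages):
    """For each compromised sender, the sender of the earliest hop it received
    BEFORE its own first send.  None means the vector is not in this log:
    patient zero here, or an external sender the gateway did not record."""
    hops = sorted((m for m in messages if is_worm_message(m)), key=lambda m: m["time"])
    first_send = {}
    for m in hops:
        first_send.setdefault(m["from"], m["time"])
    chain = {}
    for account, sent_at in first_send.items():
        source = None
        for m in hops:
            if account in m["to"] and m["time"] < sent_at:
                source = m["from"]
                break
        chain[account] = source
    return chain


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    print("revoke consent for:", compromised_accounts(msgs, "example-ngo.org"))
    print("warn first:", exposed_recipients(msgs, "example-ngo.org"))
    for victim, source in infection_chain(msgs).items():
        print(f"{victim} <- {source or 'outside this log'}")
```

Note the grace line: a share subject with no beacon is left alone, because that is exactly what an ordinary Google Docs notification looks like, and the ordering by first send is what turns a pile of log lines into the hop sequence the post describes.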

As a phish searching for financial data, this campaign isn’t the greatest: it doesn’t catch any credentials that could be checked against banks or other accounts, and there doesn’t seem to have been a malware payload besides the mischievous app.  As a way to map networks and gather intelligence for a more sophisticated spearphishing campaign while looking like stupid crime, it’s brilliant.  So if there’s another, more subtle round of OAUTH spearphishes hitting intel targets any time soon, you’ll find me at a corner table at the Hamilton in the most disreputable clothes I own, inhaling cocktails and looking smug.

Leave Assange Alone

Listen.  I, too, think Julian Assange is a self-righteous posturing phony, a rapist, an abetter of tyrants, and a witting KGB cutout.  He’s a sniveling manchild who only publishes on countries with laws preventing them from pursuing him or without the resources to spike his coffee with polonium.  As a private citizen, I would love nothing more than to throw him out the embassy window into the waiting arms of the British constabulary.  I hate his stunted, vestigial guts; I hate the gut flora that inhabit them; and if I should be so lucky as to outlive him I fully intend to dance the hopak on his grave.  But that’s not what this is about.  As usual, this is about liberal democracy.

According to the Washington Post, it is not yet clear what charges DoJ wants to bring.  There may be evidence that Wikileaks was involved in more than receipt and publication of classified documents, or they may want to go for him under the Espionage Act of 1917.  The relevant clause seems to be this:

Whoever having unauthorized possession of, access to, or control over any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it…  shall be fined under this title or imprisoned not more than ten years, or both.

Hitherto the US government, aware of the bad precedent it would set and the SCOTUS smackdown that would likely follow, has not prosecuted anyone under the Espionage Act for publishing leaked material.  The Obama administration, otherwise godawful on transparency and press freedom, was at least in this one case well aware of the ancient principle according to which What Is Good For The Goose Is Good For The Gander.  Assange’s lawyer, while no doubt an even bigger human trash midden than his client, is right: Wikileaks is a publisher, and journalistic activities are protected even when the journalists in question are unethical dickweasels.  Especially when the journalists in question are unethical dickweasels.

A prosecution of Assange is the foot in the door.  There is classified information in every national newspaper every day, especially lately.  If DoJ succeeds in prosecuting him under the Espionage Act, it will be open season for the White House on all of our national outlets.  They’ll send Junior out there with an elephant gun.  Marty Baron’s head will end up stuffed on a wall.

There is no law of unintended consequences at work here.  From a White House that’s been frothing constantly at the mouth about all non-wiki leaks, the message is quite clear: it stops printing classified material, or it gets the Espionage Act.  After a successful Assange prosecution, journalists would be catching hell from all sides.  Besides having to worry about ending up in the camps for talking to whistleblowers, those bold enough to carry on regardless would find themselves dealing with editors reluctant to have the FBI in rummaging through the archives and making off with files and computers.

Of course much as it may seem like a contradiction, it was inevitable that the regime would turn on Assange sooner or later.  After 8 November, he became a threat, and he is the ideal vector for getting at the press.  Now that at long bloody last Assange is widely hated on the center-left, the political fallout from a prosecution under the Espionage Act would unfortunately not be particularly bad.  Critics on the left are already more likely to focus on the hypocrisy angle, and on the right, a prosecution of Assange might actually bring surveillance hawks, neocons, and Manning-haters round to il Douche’s side.  It might even be popular.

Why do we even HAVE that lever?

We are six state legislatures away from triggering an Article V constitutional convention, and hardly anybody is paying attention.

For anyone who needs a refresher, Article V is as follows:

The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.

Congress must call a convention if the threshold is met.  Once the convention is assembled, the delegates themselves have to establish procedures.  The convention is not constitutionally required to stay on topic and there is no higher authority that can intervene to mediate disputes.  The proponents of the convention, a rogues’ gallery of omnicidally insane budget hawks led by ALEC and The Convention Of States, are currently trying to introduce legislation in Congress that will bring the proposals out of congressional records and into Archives’ jurisdiction where they can be catalogued, so that the convention will be triggered promptly if or perhaps when they pass the threshold.

The convention provision has so far never been triggered because legal scholars agree that there’s no way to control an Article V convention.  This may well be what Gödel saw.  The constitution is the highest authority right up until a convention is called: after that, the Framers did not see fit to give us instructions, no precedent exists, and nothing can be assumed.  The last one turned out happily in the end, but we must remember that in 1787 the delegates ignored both their instructions from the state legislatures and the ratification procedures laid out in the Articles of Confederation, and we ended up with a totally new system of government.  This time Hamilton, Madison, and Jay are not coming to save us.

And, of course, our present situation doesn’t resemble 1787: the early republic was only six years out from complete regime change, and the convention was called to reform an ad-hoc system that everyone knew wasn’t working, even when they didn’t agree on what should be done about it.  We, on the other hand, have enjoyed a hundred and fifty-two years of a continuously functioning constitutional system, the only amendment in the national discourse is the abolition of the electoral college, and the last thing standing between us and the authoritarian populist maniac in the White House is those four pieces of parchment in a glass case down the street.  The state legislatures won’t send judges and political scientists and constitutional scholars: they will send politicians.  There are no rules to rein in the influence of moneyed interests.  This will not go well for us.

The lack of national news coverage is troubling.  It is a general truth of the internet that when people demand to know why the media aren’t talking about Thing, the media are, in fact, talking about Thing, which is why the morons demanding discussion of Thing know about Thing in the first place.  That isn’t the case here.  I consume a frankly unhealthy amount of news.  I found out about this while following up on a debate going on at Balkinization, and went looking for reporting afterward.  There’s some coverage in state-capital papers, and a single Washington Post editorial from a few weeks ago.  That’s all.  This advance has been going on unnoticed since 2010.  If the initiative reaches the threshold, it will blindside the American people.

Between the regime and growing polarization, I don’t think we would survive this.

Everyone needs to take several deep breaths and read a book about the Spanish Civil War.

Swear to God this is how you get masked centrists storming a building and threatening to shoot a hostage an hour until everyone sits down and has a civilized cross-factional dialogue.

I did my civic duty and went to Tax March DC yesterday, because lord knows il Douche needs to see yelling hordes demanding to see his taxes.  I went to Tax March DC expecting to march about the tax returns.  I had a flag and a sign and a snarky t-shirt and everything.  In retrospect this was foolish of me and I never should have allowed myself to be taken in.

There are many more people angry about the lack of tax returns than there are people who happen to share the specific economic agenda of some of the organizers of the event.  If the priority here is getting Congress and OGE to do something about creeping kleptocracy, the best tactic is to make the march as non-ideological and broadly appealing as possible.  This is not what they did.  Instead, they mixed in a menu of progressive economic policy items which alienated a lot of people who despise corruption but hold different policy positions.  There were also a series of identity-based non-sequiturs: there’s a prize for anyone who can tell me what his tax returns have to do with intersectional feminism.

We need to get back to a place where we can have a normal policy debate.  That is not possible right now.  The authoritarian populist thrives on polarization: he needs an internal enemy to demonize, or everyone will notice that he has no clothes.  When progressives rightly demand that Republicans denounce and oppose Trump, and then shut them out of the resistance on other policy grounds when they do, they are playing directly into his tiny tiny hands.  A resistance that apparently goes out of its way to alienate opponents of the populist who do not share their policy goals will drive those potential allies back towards the populist in the end.  Take alliances where you can get them.  An opposition party adequately alarmed by the threat that the populist poses in himself should try to build as broad a coalition as possible, rather than attempting to hitch their own economic wagon to the fortunes of the opposition.  This is going to end in the failure of both of their goals.  There are many people with substantial policy disagreements who share a determination to stand up against authoritarian populist horseshit.  Americans hate corruption and tax cheaters: we threw the British out and bonded into a nation over our shared hatred of unfair taxation.  It’s sort of our hat.  If you seek alliances, they will join you.  If you demand ideological purity, you might still get Evan McMullin and Country Over Party to show up, but you won’t get a coalition.

Instead I’m left with the impression that certain progressive factions are trying to use warranted alarm over the regime to mobilize the base, when they should be panicking about democracy and seeking alliances wherever they can find them.  Certainly economic solutions are part of the strategy to crowbar some support away from the populist, but that’s for the campaign trail, not for an anti-corruption demonstration.  The insistence on ideological purity suggests that either progressive organizers aren’t aware of the scope of the threat or even that in some cases they don’t believe their own rhetoric.  Perhaps they’ve managed to cry wolf on themselves: when you’ve been telling yourself and your supporters for years that your opponent is a wannabe tyrant and an existential threat, you find you’ve lost your sense of urgency when that turns out to finally be true.  Or perhaps it’s cynical political calculus combined with failure of imagination.  Or maybe they’re just short-sighted and strategically illiterate.

No one ever got into a position of authority by gleefully celebrating ideological impurity, however, so I’ll probably have to content myself with grumbling in cheap kabob restaurants after protests and yelling on the internet.  We’re all fucked.

Anyway Happy Easter.

April 2017: The URLy Bird Gets The Worm

Watch the video by Alexei Navalny, patron saint of OSINT nerds everywhere, that set off the protests on the 26th.

I’m a lifelong British monarch detractor and yet when I got done reading this I had to sneak off to cry in the bathroom.

The lesson from Egypt is that overthrowing the tyrant is only step one.  Make sure that, once he’s gone, you know what you’re going to try to replace him with.

Legislation has been introduced in the Duma that would allow police (and no longer just the FSB) to fire into crowds to “prevent terrorism” (link is in Russian).  Classy, Vlad.  Real classy.

Speaking of that bastard al-Sisi, Breitbart is alleged to be in with the Egyptians.

“Behind all the desktop screens and plate-glass of his office, the buzz of data and the hum of metrics, Nate Silver retreats to a quiet, dark, and holy room. He takes the knife and slits in one stroke the throat of a pure-white bull; its blood arcs and drizzles in all directions. He examines its patterns. And he knows.”

Aaaaaand Putin’s bringing back the use of psychiatric hospitals to confine dissidents.

If you happen to be a Spotify user, you can listen to the Operation Nifty Package playlist (there’s an argument to be made that the Army carried out the original rickroll, eighteen years before 4chan).

The Exxon payments weren’t real.

Stingrays?  In my city?  It’s more likely than you think (and these are just the ones we know about).

A new one for the Constitutional Violation Vault: an argument that Bannon and company’s habit of bossing department heads without having been congressionally approved might be in violation of the Appointments Clause.  I’m not sure how persuasive I find this, but it’s interesting.

Eduard Basurin gets OSINTed.

And the Opsec Fail Award of the Month goes to [drumroll] Jim Comey, who really really should be better at this.

Journalists and oppo researchers looking into the Russia thing are being harassed.

The Straussians continue to be at it.

Interesting elaboration of Shadi Hamid’s point about secularization becoming a trap if what replaces religion is ethnonationalism.

“Large proportions of people from marginalized groups simply decline to be intersectional and this is a problem for an ideology which claims to listen to them and represent them,” or, as Terry Pratchett says in Night Watch, “People on the side of The People always ended up disappointed, in any case. They found that The People tended not to be grateful or appreciative or forward-thinking or obedient. The People tended to be small-minded and conservative and not very clever and were even distrustful of cleverness. And so the children of the revolution were faced with the age-old problem: it wasn’t that you had the wrong kind of government, which was obvious, but that you had the wrong kind of people.”

The latest installment in the Gorkening (I am waaaaay fewer degrees of Beltway from this man than I am comfortable with).

Heineken is apparently a Communist plot.

Populism vs. parliamentary democracy.  Also, Geert Wilders looks like a Batman villain.

Χριστὸς ἀνέστη, nerds.  Go eat some lamb.

There Is A Fancy Bear In The Woods…

The Warren assigned your Auntie Weasels to produce a full account of what our glorious leader likes to call The Cyber, so here goes.  Even without the IC’s TS-SCI Ears-Only Eat Before Reading intel, the attribution is not seriously in doubt.  The DNC breach is the most straightforward.  It was carried out by APT28 (Fancy Bear, Sofacy, GRU) and APT29 (Cozy Bear, FSB).  These groups are Russian covers.  This was known well before the DNC hacks: these groups operate out of Russian time zones, build their code in Russian-language environments, and only seem to attack targets of interest to Putin’s ‘government’.  There’s more history of these threat groups here and here.
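The “operate out of Russian time zones” point is a working-hours analysis: shift a cluster’s build timestamps into each candidate zone and see which one puts them in office hours.  Here is that check worked through, added here and not from the post or any of the vendors it links; the timestamps are constructed, the 09:00–18:00 Monday-to-Friday working day is an assumption, and whole-hour offsets stand in for real zones (daylight-saving shifts would need to be handled per date).

```python
from datetime import datetime, timedelta, timezone

# Constructed compile timestamps (UTC) for a hypothetical malware cluster;
# not real APT28 or APT29 data.  PE headers carry such a timestamp, and it
# is attacker-controlled and forgeable, which is why this is one indicator
# to corroborate with others (build-environment language, target selection).
SAMPLE_BUILD_TIMES = [
    "2016-03-14T06:12:00Z",  # Monday
    "2016-03-14T07:45:00Z",
    "2016-03-14T22:30:00Z",  # late Monday evening UTC
    "2016-03-15T08:30:00Z",
    "2016-03-15T10:05:00Z",
    "2016-03-16T11:20:00Z",
    "2016-03-16T12:50:00Z",
    "2016-03-17T13:15:00Z",
    "2016-03-17T14:40:00Z",
    "2016-03-18T09:00:00Z",  # Friday
    "2016-03-19T10:00:00Z",  # Saturday
]

# Assumed local working day: 09:00 to 18:00 (half-open), Monday to Friday.
WORKDAY_START, WORKDAY_END = 9, 18


def parse_utc(stamp):
    """ISO-8601 'Z' timestamp -> timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_hours(when_utc, offset_hours):
    """True if the instant falls inside the assumed working day once shifted
    into a zone at the given whole-hour UTC offset."""
    local = when_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END


def working_hours_score(stamps, offset_hours):
    """Fraction of builds that land in working hours for this offset."""
    times = [parse_utc(s) for s in stamps]
    if not times:
        return 0.0
    return sum(in_working_hours(t, offset_hours) for t in times) / len(times)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """All candidate offsets, best fit first.  Ties go to the offset nearer
    UTC only to keep the ordering deterministic."""
    scored = [(off, working_hours_score(stamps, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def best_offset(stamps):
    """The single offset that explains the most builds as office hours."""
    return rank_offsets(stamps)[0][0]


if __name__ == "__main__":
    for off, score in rank_offsets(SAMPLE_BUILD_TIMES)[:5]:
        print(f"UTC{off:+d}: {score:.2f} of builds in working hours")
```

With the constructed sample, UTC+3 is the only offset that puts every weekday build inside the window; the Saturday build and the late-evening one stay out at every offset, which is the kind of residue you expect from humans rather than a forged, perfectly regular schedule.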

Guccifer 2.0 claims to be a Romanian, like the original.  They’re not.  The consensus is that Gucci is six KGB politicals in an unconvincing black hacker hoodie (TW: fake Cyrillic). To start with, a chat with a reporter from Motherboard revealed that Gucci does not, in fact, speak correct Romanian, and the metadata is riddled with Russian, as spotted by PwnAllTheThings (although interestingly suggesting a wannabe Chekist hacktivist rather than GRU).  Linguistic analysis of their English suggests Russian is a more likely native language than Romanian.  Later, they sent a written statement displaying some of the same grammatical markers to a cybersecurity conference hosted in London by PSBE Futures Group.  To cement the case against Gucci’s personhood, they cleaned up their English and their metadata soon after the first interview. As to The Cyber, in the chat interview with Motherboard, Gucci claims to have broken into the DNC via an NGP VAN 0day in the summer of 2015, except that:

  1. CrowdStrike found no such thing.
  2. NGP VAN is a cloud-based service not stored locally on any DNC machines and is not a particularly efficient attack vector.
  3. Any breach would have been spotted when NGP VAN did the Dec. 2015 audit to figure out how the Sanders campaign wound up seeing the Clinton donor and voter rolls.
  4. NGP VAN is sufficiently specialized and obscure that there isn’t a commercial market for 0days.

This is in effect a claim to be vastly more sophisticated than the Bears, and it’s coming from some time-traveling quantum twerp who doesn’t seem to realize that building a 0day is laughably inefficient when a phish would accomplish the same with much less sorrow.  Not only that, but they continue to insist that not only did they use a vulnerability which apparently does not exist, but also that they were the only attacker inside the DNC.  Which is all a roundabout way of saying that the person blogging and speaking to reporters knows buggerall about The Cyber, and [bad Russian accent] also is KGB cutout.  Lastly, as has been observed over and over again, the dox Gucci released were impressively boring and do not in any way further his alleged ideological goals.  Thomas Rid of King’s College Cambridge suggests, based on the quick turnaround between the DNC noticing Bears running around in their network, CrowdStrike’s involvement, and the sloppy appearance of Gucci, that the DNC leak was a panicky seat-of-the-pants attempt to salvage an otherwise blown operation, and not a very good one.  It’s evidently enough for KGB purposes to sow enough doubt to give a foothold to the Putinistas, whataboutists, and conspiracy-mongers. The ThreatConnect guys’ theory, citing the ludicrous amplification of the whole thing on Russian state media and the low value of the dox, that Gucci’s stuff was ultimately more useful to Putin for reinforcing narratives on state media than as an active measure here in the US is very interesting.  But what was the primary purpose of the op, before CrowdStrike came along to blow the whole show sky-high: passive intelligence collection or active measures?  Since so far the Warren lacks the manpower and infrastructure to bug the Kremlin, we’ll have to invite wild speculation.

As for Podesta, SecureWorks has this technical account of the phishing campaign that got him and this breakdown of their targets.  The phishing email that got Podesta turns up in the Wikileaks dump (link obviously goes to Wikileaks, approach with however much caution fits your paranoia level).  TG-4127, the group it’s associated with, is our old friends Fancy Bear again.  Much of the information published by DCLeaks also seems to have come from this phish, and as far as I’ve seen all of it was obtained by APT28, but I need to follow that rabbit hole a little further to see whether other phishing campaigns may have been involved.  This one got caught because of an opsec fail in the use of Bitly to mass-generate customized landing pages.  The phish itself wasn’t nearly as crude as it looks from the plaintext in WL.  Podesta would have seen this, also via @PwnAllTheThings:

This is pretty good, as it goes: the tipoff is accounts.googlemail.com and of course the URL at the fraudulent login page.  One has to wonder if they tried to put the source of the fake breach in Ukraine deliberately.  Maybe this phishing email is what Putin was referring to when he tried to pin the leaks on the Ukrainian government?
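The tipoffs named here, a sign-in page on a Google host where sign-in does not live, a link that does not go where its text claims, and the Bitly-shortened landing pages mentioned above, can be turned into a triage check run over every link in an inbound mail.  The example below is added by the editor and is not from this post or from SecureWorks; the allowlist of sign-in hosts, the shortener list and the two-label registrable-domain guess are assumptions, and the URLs in the usage are constructed.

```python
from urllib.parse import urlparse

# Assumptions, constructed for this example: hosts where a Google sign-in
# page is expected, Google-owned registrable domains, and common shorteners.
# An organisation would maintain its own versions of these lists.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}
GOOGLE_REGISTRABLE = {"google.com", "googlemail.com", "googleusercontent.com"}
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
LOOKALIKE_TOKENS = ("google", "gmail", "accounts.")
SIGNIN_PATH_TOKENS = ("login", "signin", "password")


def registrable_domain(host):
    """Crude registrable-domain guess (last two labels).  Enough for the
    illustration; a real filter would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_link(href, display_text=None):
    """Return the reasons a link looks like a credential phish (empty list
    means nothing matched).  display_text is the anchor text the reader saw,
    when the mail was HTML and the two can differ."""
    reasons = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in href"]
    reg = registrable_domain(host)
    path = parsed.path.lower()
    looks_like_signin = any(tok in path for tok in SIGNIN_PATH_TOKENS)

    if parsed.scheme != "https":
        reasons.append("not served over https")
    if reg in SHORTENERS:
        reasons.append(f"url shortener ({reg}) hides the landing page")
    if reg in GOOGLE_REGISTRABLE:
        # The post's tipoff: a sign-in path on a Google-owned host that is
        # not one of the hosts where sign-in actually happens.
        if looks_like_signin and host not in LEGIT_LOGIN_HOSTS:
            reasons.append(f"sign-in path on unexpected Google host {host!r}")
    else:
        # Google-looking labels stuffed into a subdomain or path of a domain
        # somebody else registered.
        if any(tok in host for tok in LOOKALIKE_TOKENS):
            reasons.append(f"google-looking host {host!r} actually belongs to {reg!r}")
        if any(tok in path for tok in LOOKALIKE_TOKENS):
            reasons.append(f"google-looking path on foreign domain {reg!r}")
    if display_text:
        shown_host = (urlparse(display_text.strip()).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host!r} but href goes to {host!r}")
    return reasons


def triage_message_links(links):
    """links: iterable of (href, display_text) pairs from one message.
    Returns only the flagged ones, href -> reasons."""
    flagged = {}
    for href, text in links:
        reasons = triage_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed URLs; example-attacker.test is a placeholder, not a real site.
    sample = [
        ("https://accounts.google.com/ServiceLogin?continue=x", None),
        ("https://accounts.googlemail.com/ServiceLogin", None),
        ("http://bit.ly/CONSTRUCTED1", None),
        ("https://accounts.google.com.example-attacker.test/ServiceLogin", None),
        ("https://example-attacker.test/x", "https://accounts.google.com/x"),
    ]
    for href, why in triage_message_links(sample).items():
        print(href, "->", "; ".join(why))
```

A shortener cannot be resolved offline, so it is flagged rather than expanded; the gateway that does expand it would then run the landing URL back through triage_link.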

Krypt3ia makes a pretty good case, based on the metadata, that the Clinton Foundation dox were fake.  Motherboard has some reporting on the same thing (even the rightist Daily Caller thinks they’re bogus).  The Hill reports that the Clinton Foundation was able to turn up no evidence of a breach: Gucci the invisible wonder-hacker strikes again?  You tell me.  This seems kind of weird and haphazard, and casts doubt on the authenticity of Gucci’s other data dumps.  It’s certainly not the KGB’s best work.  It’s also, let’s be real, kind of weird that no emails either from or claiming to be from the Notorious HRC Server have turned up anywhere in all this mess.  Maybe they would have, if Trump hadn’t publicly asked the Russians to cough them up.  Who knows.

Lastly, the feds interrupted an attack on voter registration infrastructure in Illinois and Arizona before any damage was done.  Voter rolls are part of the public record, so there’s no intel-collection motive for this, although the KGB is somewhat notoriously bad at OSINT.  It remains unclear what was intended.

Further bulletins as events warrant.