Jeffrey Sterling Finally Convicted

In the Justice Department's press release we would know that Sterling was a former member of the CIA and gave information to a member of the press who presumably knew it was classified national security information, but was not named.  " Jeffrey Alexander Sterling, 47, of O’Fallon, Missouri, was convicted today in the Eastern District of Virginia of six counts of unauthorized disclosure of national defense information, and one count each of unlawful retention of national defense information, unauthorized conveyance of government property and obstruction of justice.  Sterling was indicted on Dec. 22, 2010, and arrested on Jan. 6, 2011.  Sentencing is scheduled for April 24, 2015."  

Fortunately, the Washington Post has been covering this case and knows a good deal about it that the Justice Department is not disclosing.  Matt Zapotosky [ Former CIA officer Jeffrey Sterling convicted in leak case, Washington Post, 26 January 2015]  says it was a New York Times reporter, and he says, it was James Risen who used part of the material in a book, "State of War" published in 2006.  Risen said he would not reveal his sources if he testified, but the prosecutors never asked him to testify, leaving the really big issue in this case unresolved.  If Risen knew it would cause harm to the U.S. if he disclosed it, why did he?  

Ex-CIA Sterling certainly knew he could not get away with giving classified information to Risen, but did Risen have a reason to not want to give up his sources?  The exchanges went on for over 2 years.  It would  be hard for him to claim he didn't know it was classified information he was being given.  You might read Gabriel Shoenfeld's "Journalism or Espionage?"  at [http://www.nationalaffairs.com/publications/detail/journalism-or-espionage].  Also read the story of James Rosen of Fox News who was getting his information about North Korea from classified reports in the State Department.  

Risen is not the only New York Times reporter to publish classified information that came into his possession.  There will be others who have done the same thing.  There have been a whole litenany of them since the Pentagon Papers, but nobody will address the central issue of the press publsihing things they know to be legitimately classified by the government.  The whole world has this problem, but only a few countries have done anything about protecting their own information.  The U.S. hasn't.  We need an official secrets act to cover this kind of disclosure.  It isn't about freedom of the press.  It is about a laws that favor the publication of information that will do harm to the country, in the name of a free press.   

Ukraine in the Middle

Allen Cullison and and James Marson write in today's Wall Street Journal that they Ukrainians are between a rock and a hard place trying to keep up the fight against Russian troops and keep their own electorates at peace with one another [Heavy Fighting Drains Ukraine Government’s Options and Finances, 28 January 2015].

There is a delicate balance involved in winning battles without winning the war, and still showing progress in fixing the economy, all while losing ground to the Russians who haven't stopped sending in invasion forces and have taken the airport in Donetsk and are about to take the rail yards at Debaltseve.  Political parties might want to throw out a government that let its country fall to Russia after Crimea.  Kiev might be next.  Maybe somebody in the State Department is waiting for the President to return to deal with immigration policy before doing more to upset the Russians.  The Germans and French are not doing much better.  Everybody is more worried about ISIS than the Russians, which may be what the Russians count on.  

Let your Congressional representatives know that this is an important issue and something needs to be done about it.  While the President seems to think Congress does next to nothing, responding to constituents is not what that means.  They know it is an issue when enough people write in.  They might not care one bit before that happens, but will be concerned afterwards.  Go to the website of your Congressional representatives and show some concern.  It doesn't take long, if you can vote.  It only takes one Charlie Wilson to make a war.

Ukraine Escalation

An assessment that soldiers at the airport  in Ukraine  have been attacked with poison gas creates an unlikely scenario for NATO.  Right now, it is safe to say it is "still under investigation" which gives the White House some time to figure out why we should not call it poison gas.  If we can figure out why we should not call terrorists Islamic terrorists, this will be easy.  The Russians and their allies in the east, will say it was not poison gas because they have none so couldn't have given it to anyone else to use.

And shelling is escalating, killing more civilians.  We got to be in a convoy when a car camera caught a barrage landing on a truck at the head of a short line of moving vehicles, uncomfortably close to the camera.  This is done while Europe and the US do practically nothing, being distracted by the Middle East and their own war with Islamic terrorists. We might want to ask who will help these poor people from being absorbed into Putin's New Russia?

Turn off the Terror

We can hardly turn on a TV in the morning without seeing one terrorist or another putting someone in peril.  For the past few days it has been the usual suspect, dressed in black and carrying a knife which we might suppose he will use on one of the two men in jumpsuits on their knees next to him.  He has done it before, so we know what the result will be.  First the picture; then the government reaction; then the parents of one of these poor people crying and begging for a life to be saved.  It has to drag on for days.  The content varies with the hapless individuals who manage to get captured driving around in what has become some of the most dangerous territories in the world for journalists.  

The message is shown repeatedly, analyzed, and commented upon in print media to embelish the story.  A small production studio, in God knows where, manages to take the headlines from really important events because the perpetrators kill in cold blood.  On the world stage this is about ratings, though not the kind of ratings that advertisers necessarily pay any attention to.  These are snuff films, in case you have never heard the term.  Some little boy or girl is captured by a gang, is raped, mutilated, and killed on film for the benefit of those who pay for this kind of thing.  Some people must watch them, because they are still being made.  They are just different kinds of terrorists, but terrorists none the less.  

We have to stop the people who benefit from this by turning them off.  If ratings really matter, we have to change the channel when a new crop of victims show up on the screen.  We have to say to ourselves, "I will not be a party to this."  By watching, you are part of it and a part that the terrorists want to reach.  Making a person feel that they are not safe, or a friend is not safe, or a whole country for that matter, is their intent.  

Terrorists are competing for public attention when they commit their acts of violence, kidnappings, and murder, but the press is facilitating it.  Our free press is willing to publish most things that will keep the ratings up.  I would invite you to do two things:  (1) turn the channel.  It doesn't even have to be for long, and let the station or carrier know you don't want to see that kind of thing on your children's television again.  It encourages bad behavior.  (2) write letters to the editor about print versions of the same stories that benefit terrorists, but don't benefit us.   Our press is complicit in spreading this kind of thing.  

If this is the path to heaven for even one man, there is something wrong with religion.  Few would believe their God was inclined to encourage this type of activity, nor allow it to be videotaped and spread around the world.  Turn it off.  

 

Real Identity Theft

We have a new low in criminal conduct with the plea deal of Leah Shanae Elliott, of Clinton Maryland, the last of 15 members of a gang of identity thieves. [see  http://www.justice.gov/opa/pr/15th-member-washington-dc-based-identity-theft-ring-pleads-guilty ]  This woman convinced her mother who worked at a children's hospital to steal information about the parents of 78 children who were being treated there.  She, and the others, then used this information and a good bit more collected from skimmers, credit cards at work places,  and the usual places for such things, and made lines of credit which they used to buy things for themselves.

It is bad enough to have a child in the hospital.  It is worse to have a person on staff at that hospital stealing information that is supposed to be protected by the hospital.  It is the same with waiters and waitresses at places we eat, banks, credit unions, medical and dental centers, local businesses and non-profits, all places where this gang got their information.  If we can't trust the people who serve us in businesses and public service organizations, then we seem to have gotten away from the most basic kind of employee integrity.

In my very first job, an employee was stealing from the cash register in amounts of $5 to $10.  He certainly didn't need the money, but it was an easy thing to do and he got caught by a sharp-eyed coworker and the boss.  We were all glad to see him go.  The hotel was the only one effected, since they didn't take him to the police.  There would never be a record of what he did and he could go on to do it somewhere else.

It is a little different when employees steal information that is being used to establish a line of credit and use it to buy goods in someone else's name.  They got driver's licenses and lines of credit with no more than information they stole.  States facilitate the establishment of identity with fraudulent information.

They are not stealing from the people who employ them, and those people may not even have any liability for what their employees did when the individuals violated the trust of their position.  Those places need to do more with pre-employment screening and information protection, though there seems to be little incentive to do so.  State license facilities need to do more with who they issue driver's licenses.  In Maryland, where she came from, an illegal alien can get a driver's license now.  It isn't hard and it doesn't require much proof of who you are.  These places make it easy to be in the business of identity theft.  They make it easy to be an illegal alien too, but that is another matter.

Identity theft is a global problem because we make it easy to get information, and steal from the rest of us.  There are all kinds of rules about the protection of privacy information in hospitals and public places, but all of them depend on the trustworthiness of employees and we do less and less on that end of the process.  Take a look at some of your own states' laws on employment screening.  It is barely possible to check past employment, let alone find court convictions and firings.  In five years or less, when this group is out of jail, I'm sure they won't find it hard to go somewhere else and start over.  Maybe Maryland's new governor can help change that in his own jurisdiction, but there will be plenty of other places they can go when they get out.    

The Politics and Procurement of Obamacare's Website

After the publication of the Office of the Inspector General (OEI-03-14-00230) of Health and Human Services, it should not be any big surprise that the opening of the Obamacare website was such a fiasco.  There are very few things in contracting and performance monitoring that went right in that procurement, but reading the report,  I find more missing than present. 

HHS has already started to say that it was way ahead of the report and has taken actions to make sure this doesn’t happen again.  (Note the timely departure of Louis Tavenner, one day after the report was released and the departure of CGI as a website contractor on January 10, though retains it for other work. )  The politics of this are not the main point of this post, though they certainly seem to be worth looking into further.  According to Patrick Howley ( http://dailycaller.com/2014/01/20/after-firing-cgi-no-bid-contract-for-obamacare-site-goes-to-firm-that-ran-obama-campaign-tech/ ) CGI employed Toni Townes-Whitley, Michelle Obama’s Princeton classmate and White House Christmas dinner guest, and replaced them in a non-competitive bid with Accenture, which employs Rayid Ghani, Obama for America data analytics team member.  His article is worth reading.  It is the non-competitive nature of this work that got HHS into trouble to begin with.  

Given the scope of these IG report findings, it is unlikely HSS will recover quickly.  This is a summary of the main points:  

1.  There were 60 contractors with no lead integrator named.  Even the worst programs in the history of government IT have not had this problem.  A former CIO was interviewed and offered this comment:  “…CMS perceived CGI to be the project’s lead integrator, but the company did not have the same understanding of its role. This deficiency could have been addressed through more rigorous acquisition planning, such as clearly defining roles in an acquisition strategy and in descriptions of contractors’ work.”

 2.  Several of the contractors did not submit proposals for the work.  When the OIG report says they didn’t understand their roles, they were probably understating the problem.  Of those that did submit proposals, four were identified as not technically sufficient and were rejected.  Only CGI remained.   When they had to be replaced, the OIG says CMS said there was not sufficient time to compete the contract and rolled the new one out.  Of course, we might wonder why nobody protested this method of getting the work, but it would be worth knowing if anyone even raised an objection. 

3.  Five of the six contracts were cost reimbursement, putting all the burden on the government for cost containment.  The OIG says there was no reason given for choice of a contract “where it assumed the risk of cost increases” except a general statement that the real costs “could not be defined accurately”.  The replacement contract for CGI was a cost-plus award fee contract.  This was not an overnight process of building a website and it was not like the HHS did not know they would need one, years out.  

The IG report is wishy-washy even by standards of their profession.  The “missed opportunity” and “additional challenges” are describing events that are a good deal more than can be explained away like this.  We would have to hope there will eventually be hearings this year on procurements and how they are being done in HHS.  They are obviously a mess and describing the process as a missed opportunity will not save them from them scrutiny.  

No One Accessed Any Sensitive Data

The statement comes anytime there is a problem with a hack or an accident of development.  Yes, we know there was a problem that allowed some people to get access to things they shouldn't, but nobody got access to records they were not supposed to see.  The latest of these is on the Federal Retirees who have access to OPM on a portal.  We heard the same thing during the Obamacare website fiasco.  Federal News Radio carried the story of the OPM website in their yesterday on-line addition, saying "the agency is still investigating how some retirees could see others' information".  If some retirees could see other peoples records, that was a problem that wouild leave the statement by OPM a little suspect.  How could they possibly know?

I have heard witnesses or suspects say "Not that I know of" or the less subjective "Not that I remember".  These are not hard and fast statements that nothing bad happened, but they are not denials either.  They are fudges on the edge of truth sometimes, but hard to prove one way or another.  Maybe that subject did really not remember those 614 incidents that led to his indictment on drug charges.  So, why does somebody like OPM deny categorically that anyone got access to somebody else's records, when the flaw they were announcing gave access to those records?  Because they don't know and probably can't find out, whose records were exposed to whom.  Denial is easier than reviewing all those audit records to see who might have been on and what they had access to.  

There has to be a penalty for this kind of behavior.  Obamacare's nortorious beginnings were an open invitation to every hacker in the world to get health and privacy information on millions of people all at once, and have the government officials deny that anything was taken from them.  Considering the state of security of that system, there was no way to tell who got access to what.  Experian still denies that anyone took information from their customers, while the evidence is they may have lost as many as 200,000,000 records.  Brian Krebs wrote extensively about it, but it doesn't stop Experian from the denials.  They told me "Don't believe all those stories on the Internet".  Essentially, OPM is saying the same thing, though on a much smaller scale.  

We need a change in law that compensates for the lack of judgement on the part of some managers who don't report or deny reports of substantiated losses, something like the addtional penalties some robbers get for using a gun.  If you knew about it and intentionally didn't report, or you had evidence from a third party that there were losses and you still did not react, you get additional time in jail or an additional fine for not reporting.  Come to think of it, when has a government or business official ever been prosecuted for negligence in the way they handled our information?  Ever?  I can't think of one.  

After I published this, Brian addressed issues on data breaches that are worth reading at:  

http://krebsonsecurity.com/2015/01/toward-better-privacy-data-breach-laws/

Tor Majority Use is Criminal

After reading Pierluigi Paganini's article on Hacking the Tor Network: Follow up [http://resources.infosecinstitute.com/hacking-tor-network-follow/]  and 83 Percent of Tor hidden service traffic flowed to Pedo websites. Study finds            [http://securityaffairs.co/wordpress/31690/cyber-crime/pedo-websites-tor-network.html ],  I started to wonder if Tor was something other than what it appears.  It always looked like a good service that prevented bad people from getting information about me from some of those connections I was making to Chinese and Russian websites.  Now it turns out, I was in the minority of people using Tor for legitimate research.  Most of them were looking for child porn and drugs.  It is almost like discovering that most people go to the supermarket to have an orgy, and you are going for groceries.  
That smile didn't mean the bread was fresh, after all.  

Tor is really just a small part of the Internet, and nobody would argue that the Internet was a criminal enterprise because so many people use it for criminal purposes.  But, if we were to find out that 83% of the users of the Internet were using it for criminal purposes, we might have a different feeling about it.  We might even look towards regulation or policing, at least that part that we control.  We could equally look towards finding out where those criminals are and try to prosecute them.  That hasn't worked out very well because we have some countries like China and Russia who think their national strategy to steal information from anyone who has it is good policy.  It certainly works for them.  Russia is often accused of being a kleptocracy - an oligarchical government that controls its national resources and funds for its own benefits rather than that of its people.  [for a good discussion of Russia  see Duty: Memoirs of a Secretary at War, by Robert Gates]  We are never going to get rid of their criminal underground.  

Tor is a U.S. based organization [ https://www.torproject.org/about/contact.html.en#mail ]  with mostly good intentions.  Privacy is good.  Anonymity is good, especially when visiting websites that might be located in places trying to take advantage of everyone who goes there.  Other governments, less tolerant of dissent, are equally interested in stopping Tor from operating.  These are all really good reasons for having a service that does what this one does.  But, it still makes me wonder if the enterprise is good if 83% of it is used for criminal purposes.  How far are we willing to go to allow them to continue as a public service organization if a majority of the transactions are criminal?  

The law enforcement community seems willing to allow them to continue and taking advantage of the occasional case that compromises portions of their user database.  Once they get in, as they did in Silk Road 2.0, they can map out the users and find the distributors.  For now, they seem to be content with that strategy.  Maybe the good they do outweighs the bad.  Not very many prosecutors are keen on making value judgements like that, but we shall see if it lasts.  

A Different Approach to Controlling the Media

What we see in the killing of artists in Charlie Hebdo is different from the way Russian and Chinese interests have controlled their press, but the same in trying to control a press outside its own country.  Who did it will determine who the radicals have determined will be their standard bearer in going up against external media they would like to silence.  Putin, inside Russia, has killed enough reporters for them to get the message that they cannot say anything they want.  Those jailed in China feel the same.  Only the jihadists who lack the sophistication and intelligence to deal with the press through more subtle controls, break into an office building and kill innocents and martyrs alike.  They have already seen the backlash and will come to see more of it as time goes on.

It is hard to get a million and a half people to agree on anything, let alone coming out in the cold to let the world know they are not going to bow to this kind of intimidation.  They probably expected trouble, and could easily have gotten some, but they came anyway.

40 world leaders came to pay their respects to France but one country was notably absent.  We are shamed by this.  We should all apologize to the citizens of France for our government's response.  We are supposed to be the leaders of the free world.  Nothing lately has been more about freedom than a cold blooded murder of people speaking their mind in a way found offensive by some, but deserving of death by almost nobody.  A small sliver of the world who professes to know better than the rest.

The New Cyberwar, Russian style

In yesterday's Politico Peter Pomerantsev laid out the inside of Russia's information war against all who disagree with it, in an article called Inside Putin's Information War.  [http://www.politico.com/magazine/story/2015/01/putin-russia-tv-113960.html#ixzz3NyZHPLPY]   His own book, Nothing Is True and Everything Is Possible: The Surreal Heart of the New Russia is an example of how Russia uses its media as weapons of the new Information War.  

Pomerantsev was actually part of this war, writing for some of the same places we find infuriating, like Russia Today.  He quotes people he knows and worked for who published bizarre and inaccurate reports about what Russia was doing in the Ukraine.  

"Information war is now the main type of war,” says the Kremlin’s chief propagandist Dmitry Kieselev, 'preparing the way for military action.' And Putin’s Russia is very good at it, having combined the dirtiest mechanisms of PR, brainwashing techniques pioneered in cults and a rich KGB tradition of psy-ops into a sort of television Frankenstein with which it controls its own population, conquers neighboring countries and attacks the West."

In an unusually direct attack against the Russian press, Pomerantsev described how it used the downing of a civilian airliner in Ukraine as a way of providing made up stories of how it occurred even when those stories proved incredible to the readers.  Apparently, Russian readers are used to being lied to and don't look for the truth in their news.  When it comes to Russian media, we might consider the source before repeating their stories in our own press.  

Social Media Face Down with China

Social Media are learning to push the limits of places like China and Russia which want to control information inside their countries and use social media to do it.  They lable people who disagree with thier approaches "subversives" and rely on policies and laws that prohibit publication of subversive material.  They demand material be removed.  Facebook, Google, and Twitter have all experienced this with China and Russia.  

In today's Wall Street Journal, there is an opinion piece about Mark Zuckerberg's attempt to deal with being banned in China.  Zuckerberg has gone so far as to give a speech in Mandarin and invite the Chief Censor to his campus in the U.S. in hopes of learning how to adapt to Chinese rules on the Internet.  

China really doesn't care since it went its own way years ago by developing their own copies of social media.  They have Renren.com, the Facebook clone.  They would rather force their own people onto networks they control, then let someone they don't control operate there.  Sina Weibo doubles for Twitter and includes some aspects of Facebook too.  Russia is finally coming around to the Chinese way of thinking about their social media, so it won't be long before we see a Russian knock-off of these kinds of services.  

It shouldn't come as a surprise to anyone that some countries don't believe in the free exchange of information.   The Vindu Goel and Andrew Kramer (Web Freedom Seen as an Issue) in todays

New York Times, add Turkey to the list of countries trying to get help from social media sites to control dissent.  Russia, China, Syria, Iran, Egypt, Turkey and Saudia Arabia all have some of the same types of control, though possibly without the hoopla that has gone with it.  

We are entering an age when the haves and have nots are not related to those with access to the Internet and those without.  The more Internet connectivity countries get, the less some like it.  When the Russians looked at the Arab Spring, they were sure it was a bad idea to allow the free exchange of information.  They want to manage (not control)  content on the Internet.  They want to control it in their own countries and, where they can, in any other country that don't agree with them.  Hacking Facebook, Linkedin, Twitter and Google accounts for dissenters, and hacking  newspapers to find sources are good indicators of what they are up to.