Logic in Washington

Nobody ever said that logic enters into a press release, or press reporting of political events.  They are supposed to be statements of fact that are fluffed up, slanted towards a particular view, and chunked out in large doses to a mass audience that neither understands the issues, nor appreciates their subtle diffferences.  Lawyers and public relations people are the usual suspects in the preparation and dissemination of them, not the subjects of the releases.  That should tell you something about why we don't pay much attention to them - until we do.

So we have the case of the e-mail server in Hillary Clinton's basement, so aptly described by Lauren French of Politico [ Trey Gowdy: Hillary Clinton wiped her server clean ] published yesterday.  French quotes the illustrious Rep. Elijah Cummings, " the top Democrat on the Benghazi panel, said Clinton’s response 'confirms' that the former secretary of state has provided all documents related to the Benghazi attacks to the committee."  [ http://www.politico.com/story/2015/03/gowdy-clinton-wiped-her-server-clean-116472.html#ixzz3VgsmpXPW ] 

Saturday's New York Times [ Michael S. Schmidt, No Emails From Clinton's Time as State Dept. Are on Her Server, Lawyer Says ] quotes her lawyer, David Kendall, as saying there were no emails from her time in office at State, that relate to her duties there.  Her lawyers and her were said to have examined all the emails and determined which ones were related to her service and which not.  Now that the others are gone, we can be assured, he said, that there was no point in pursuing the matter further.  The story then goes on the quote Cummings more extensively saying, "This confirms what we all knew -- that Secretary Clinton already produced her official records to the State Department, that she did not keep her personal emails, and that the select committee has already obtained her emails relating to the attacks in Benghazi."  

The idea, of course, is to say this over and over, in as many places as reporters gather, to persuade a large audience that the Cummings statement is true.  This is not, as some people seem to think, a scored debate, where you get points for saying things that barely contain a good argument, but give the appearance of doing so.  Readers do not do research on the credibility of statements politicians make, though "fact checkers" on both sides of an argument claim they do.  The Times rightly adds the thought that she didn't turn over those records until the State Department, two years after she left, requested she provide them.  We have left the chosing of what was official, and what not, to people who represent their own intersts, and the interests of their clients.  This is a not-so-novel way of doing business in big commercial offices and government, but not what we think of when we say the word "democracy".  If this happened in Russia, China, or Iran, we wouldn't even think twice about our conclusions.    Books at Amazon

PayPal Gets Whacked by Treasury

On 3/25/15 the U.S. Treasury announced another "settlement agreement" from their Office of Foreign Asset Control, which in spite of its name, doesn't always look at foreign assets.  PayPal, an eBay subsidiary, agrees to pay to the U.S. Department of the Treasury the amount of $7,658,300.  In order to understand why a business would voluntarily give up that kind of money, we have to look at what they were cited for [ http://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20150325_33.aspx ]

A settlement agreement allows a company to admit no wrongdoing, but pay a fine to avoid further action.  I've always found these agreements amusing because they are close to extortion, but good for both sides - especially here.  Either settle, or go to court, and we have the evidence to convict you.   In this case, we know what they are accused of:

"Separately, between October 20, 2009 and April 1, 2013, PayPal processed 136 transactions totaling $7,091.77 to or from a PayPal account registered to Kursad Zafer Cire, an individual designated by the U.S. State Department... on January 12, 2009 pursuant to Executive Order 13382 of June 28, 2005, "Blocking Property of Weapons of Mass Destruction Proliferators and Their Supporters." PayPal explained to OFAC that it failed to identify its customer as a potential Specially Designated National (SDN) at the time of his designation because the MSB's automated interdiction filter was not "working properly." Approximately six months later, PayPal's automated interdiction filter appropriately flagged Cire's account as a potential match to the SDN List. A PayPal Risk Operations Agent mistakenly believed that the system had generated the alert in order to confirm Cire's name and address, however, and the Risk Operations Agent dismissed the alert without requesting or obtaining any additional information.

On four separate occasions between September 3, 2009 and November 16, 2009, PayPal's automated interdiction flagged Cire's account for review due to a potential match to the SDN List. On each occasion, however, separate PayPal Risk Operations Agents dismissed the alerts because the previous alerts had been dismissed, which PayPal asserted made these alerts appear as though they were duplicates. PayPal stated that this conduct did not comply with the MSB's internal policies and procedures for handling SDN name matches.

On February I4, 2013, PayPal's interdiction filter again flagged Cire's account for a potential match to the SDN List, and a PayPal Risk Operations Agent followed the MSB's (a term applying to money service business providers) procedures for handling an SDN name match by creating a "case" for the match, restricting Cire's account, and requesting additional information from the customer. Upon receiving the requested information, which included a copy of Cire's passport showing a date o f birth and place of birth that were identical to those of the SON, PayPal's Risk Operations Agent dismissed the match due to an apparent misunderstanding of why the interdiction filter had flagged Cire's account for review. On April3, 2013, PayPal's interdiction filter flagged Cire's account for a seventh time, and the MSB appropriately blocked the account and reported it to OFAC."

Then there were additional reports about violating Cuban Assets Control, Iranian Transactions and Sanctions Regulations (125 counts in two cites), Sudanese Sanctions Regulations, Global Terrorism Sanctions Regulations, and the Weapons of Mass Destruction Proliferators Sanctions Regulations related to the Cire case. 

Imagine what kind of compliance program a company of this size has to run in order to find transactions from one person who is trying to avoid sanctions.  In 2014, PayPal was running about $62B a quarter in volume, on 1.06B transactions.  This is what drives compliance officers nuts, but keeps them employed. [http://www.statista.com/statistics/277841/paypals-total-payment-volume/]

"The apparent violations of theWMDPSR constitute an egregious case. In reaching its determination that the apparent violations of the WMDPSR were egregious, OFAC considered the following facts and circumstances: PayPal demonstrated reckless disregard for U.S. economic sanctions requirements when its interdiction software failed to identify Cire as a potential match to the SDN List for approximately six months after Cire's designation and when, after the software ultimately flagged the accountholder as a potential match to the SDN List, employees cleared name matches against Cire's account on six separate occasions prior to appropriately identifying and blocking the account. The conduct was particularly reckless with respect to those transactions on or after September 3, 2009-the date that a PayPal Risk Operation Agent dismissed the second alert. Further, PayPal agents engaged in a pattern of conduct by repeatedly ignoring certain warning signs about potential matches to the SDN List; in the course of this conduct, PayPal provided economic benefit to Cire and undermined the integrity of the WMDPSR and its policy objectives; and multiple PayPal Risk Operation Agents failed to adhere to the MSB's policies and procedures pertaining to SDN match escalation.

PayPal has taken remedial action by hiring new management within its Compliance Division, and undertaking various measures to strengthen PayPal's OFAC screening processes and measures, including steps to implement more effective controls. "

Somebody always gets blamed....

Dennis F. Poindexter books at Amazon

France & U.S. Sharing Errors

When David Gauthier-Villars, in his 22 March story about Charlie Hebdo's newsroom killings [France Identifies Security Gaps, but Fixing Them Proves Challenging, The Wall Street Journal ] describes the problems the French Intelligence Services were having with information sharing, it sounded familiar.  He says the French services were "functioning in silos, often suffering from shortsightedness and straining to screen through a welter of information....".  It sounded very much like the 9-11 Commission Report describing how we managed to see that certain persons might be training to fly airplanes, and putting that scenario together with other information that would have said what they might be up to.  Except that that information never did come together, or get shared with the people who could do something about it.

" Although he had been convicted in 2013 as part of the high-profile terror case, Mr. Coulibaly featured in police files as a garden-variety criminal, officials said. Even more worrying, they said, his entry was of a type that should have normally been purged from the police database.

Because it had mistakenly been kept active, a police patrol did log last summer that Mr. Coulibaly was bonding with a convicted terrorist. But the intelligence sat in his file."  

This is the kind of thing that benefits from hindsight.  The 9-11 Commission put it this way:  "National Intelligence is still organized around the collection disciplines of the home agencies, not the joint mission.  The importance of integrated, all-source analysis cannot be overstated.  Without it, it is not possible to 'connect the dots'.  No one component holds all the relevant information."  If we look at that same issue now, things are not a great deal different than they were then, for the French or the U.S.  The most famous comment made by the 9-11 Commission was the connect the dots analysis, yet it is far from a solved problem.  

The Journal says, "In September 2011, the French counterterrorism agency—at the time known as the DCRI—received a tip from the U.S.: Someone behind a screen at a small computer shop in the Paris suburb of Gennevilliers had been exchanging messages with someone in Yemen.

A quick search yielded a potential suspect: Chérif Kouachi, who had been convicted of being part of a terror group in 2008, and was living in a one-room apartment two buildings away from the shop, MVI Services.

Another unnerving piece of intelligence in the U.S. report: Said Kouachi and a French former inmate, Salim Benghalem, had traveled to Oman in summer 2011 and had almost certainly crossed into Yemen."  

Somebody was certainly sharing information with France. Intelligence services do this well, usually in spite of procedures that make it more difficult if they are followed.   There are a lot of equities in sharing that have to be considered, and bureaucrats will find all of them.  The 9-11 Commission addressed this from a different perspective, saying the ability to define, share and correlate information should come from standards and training, directed from the top down and says unequivocally, "too many agencies now have the authority to say no to change."  They pointed out the need for IT to be standardized for maximum sharing between agencies.  That is a 100 year project that has yet to get started.  

"French investigators now believe Chérif Kouachi, whose own Algerian and French passports had been confiscated during his parole, used his brother’s ID to travel to the Middle East in 2011, from July 25 to August 15, " says the Journal article.  We would like to believe that the Customs and Border patrol could coordinate every traveller to his actual identity and feed information about that travel to the Intelligence agencies, but we have seen people on the "no fly" list actually fly and it is only discovered after the fact.  I'm not sure we would allow a person in prison, or on parole, to travel that way, but someone should find out if we are actually doing anything to check.  

Everyone in the world is trying to figure out how a person gets from somewhere to Syria to fight for ISIS, yet it isn't too hard to figure out - after the fact.  What we need are better ways of finding out before they get to where they are going.  The libertarians are doing backflips over this kind of surveillance because people are allowed to go to Syria, and come back.  What they can't do is go to Syria, or any other country, to fight for ISIS and come back.  That is harder to prove, and even harder still to discover.  I like what some countries are doing with people they find going to Syria to join the cause.  They take away their citizenship.  They can go, but they can't come back.  Why can't we do that?

Dennis F. Poindexter books at Amazon

No Russian Agents in Ukraine

In the 11th of March issue of the Wall Street Journal, Philip Shishkin [How Russian Spy Games Are Sabotaging Ukraine’s Intelligence Agency]  writes an intriguing story about the Russian's ability to infiltrate the internal National Security Services of the Ukraine.  The Russians, of course, deny any such thing, just as they deny having troops or sending weapons into the country: 

"The Kremlin, for its part, has disavowed any role in the war. 'We do not interfere in Ukraine’s internal affairs,' Russian Foreign Minister Sergei Lavrov said last year. ' There are no Russian agents there.' ”  He also said there were no Russian troops in Ukraine, but we know the truth of that one.  

The story begins with a trio of Ukraine's finest being sent on a mission to the east to capture a Nationalist and bring him in.  Instead, they are captured, compromised by somebody inside their own organization.  They are paraded around in their underwear in front of the Russian news media.  The rest of the story is well worth reading.  

This kind of work is always dangerous, but it is not as dangerous in most places as it is in Ukraine, where the services were allowed to keep their Russian officers, who were as friendly with Russia as the U.S. is with the U.K.  A series of attempted purges of those officers were not very successful and when Viktor Yanukovych took over as President, the Russians had someone in power who would cooperate.  Now that he is gone, it is time for another purge, this time a long-lasting one.  

Crimea after a Year

In today's Wall Street Journal, Paul Sonne writes an interesting article about Putin's own statements about how he directed the takeover of Crimea by Russian forces [ Putin Details Crimea Takeover Before One-Year Anniversary].  Perhaps the most significant thing about this self-centered description of how it was done, was Putin's portrayal of his willingness to put his nuclear forces on alert if he felt it was necessary.  Crimea might have been a different ballgame if he had done that.  Just the thought that he might think the nuclear option is in play here, may scare enough of the Europeans for them to rethink providing more support to the Ukrainians.  Certainly this accounts for why the Obama Administration is so anxious to avoid sending lethal aid to Ukraine.  Maybe Putin's strategy worked and Europe, the Uk and US were not ready to deal with the Cold War again.  They have all cut their militaries back to the point of not being able to wage a conventional war anywhere against a force like the Russians have put into Ukraine.  The only way to stop someone in that scenario is to haul out the nuclear threat. Putin was willing to do raise the ante, but nobody on our side was willing to counter.  The outcome was the loss of the Crimea to a Russian invasion.   Putin didn't stop there and he isn't likely too as long as nobody puts a force up to match his.  When he said he could be in Kiev in three days, he probably wasn't far off.  

Dennis F. Poindexter books at Amazon

Applications Security Not What it Used to be

I was surprised to read a Gartner report [ see http://www.gartner.com/newsroom/id/2846017 ] that says 75% of mobile apps will fail basic security testing in 2015.  The report says:

"Through 2017, Gartner predicts that 75 percent of mobile security breaches will be the result of mobile application misconfigurations, rather than the outcome of deeply technical attacks on mobile devices. A classic example of misconfiguration is the misuse of personal cloud service through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware for the vast majority."  

it made me stop and wonder what was going on the world of software development when basic security was being totally missed by developers.  They certainly have missed some security details in the past development of operating systems and enterprise applications, but 75% seems like a big number.  What is going on here?  

More people can be a developer now without knowing a bunch of diverse sets of languages and o//perating systems.  They can write for one type of O/S and that can be for a phone.  Kids are doing it in school where they probably don't get the basics of security like they should.  When they go to college they will get it, right?  No.  They don't get the basics of security in software development there either.  Some professors gloss over it.  A few don't cover it at all but give references that have to be read.  Some don't know anything about security and leave it out entirely.  I know because I worked with Universities and Colleges for years trying to get them to put more security into their course work.  The vast majority just won't do it.  They think security is something Security people do.  

By the time they work their way into a company (or start one on their own) they begin to have to have more responsibility for inclusion of basic security as a part of doing business on the Internet.  That should be part of a business due diligence for a product that is going to be operated in a hostile environment.  We don't see them getting blamed for the way they write software, and they always promise to fix it "in the next release".  I can't tell you how often I heard that phrase.  Vendors very carefully avoid any liability to products they produce.  They make you sign long agreements that you have to agree to or you don't get the software or the upgrade.  I have always thought of this as extorsion.  They deny you the right to the product after you have paid for it, by adding conditions nobody should have to agree to.  If they sold cars the way they sell software, I would still have my .first one.  

How about a description of what basic security features every app should have, with the types of behavior that are prohibited?  We used to do that in systems I worked on.  It is called a Security Policy and every system is tested for adherence to it.  Apple does do this type of testing, but the Android systems generally ignore it.  Google announced on the 16th that they will be reviewing apps for compliance with its policy and devoted some internal resources to doing it.  Other Android OEMs are in such a rush to have apps available that they want to work out the operational aspects with patches and updates.  In the meantime, every user that downloads that app is at risk until the vendor changes the software.  

A few standards and a little testing would go a long way to correcting some of the deficiencies in the system that produces apps.  If the software doesn't meet the testing standards, it can't be sold.  If it fails a basic security test, don't let it be sold until those things are corrected.  All sides of the industry seem willing to dump the testing off on a user who has to be hacked and complain before anything gets done.  This is like GM putting off ignition switch repairs until they finally had enough complaints to take a closer look.  Eventually the software industry will have to look more closely at itself and accept responsibility for what it is producing.  

The Private Email Mandate

One of the most striking aspects of the Hillary Clinton Defense Organization is the "everybody does it" appeal.  The logic goes that every Secretary before her ( at least one in a previous administration ) used personal email, admitting to having two accounts, one for personal mail.  That is far short of everyone, so we need to think about boosting the numbers up and calling for changes in policy that would allow any government official to do what Hillary did.  An Executive Order could wipe away any future problems for the Clinton Foundation, and clear the way for her to campaign without fear.  

A draft of Executive Order 44759 reads as follows:  

The President sees a benefit to allowing employees of the Federal government to use private email services for all business they conduct, so long as the information contained in that business correspondence is unclassified, within the meaning of the National Security Act.  

This Order meets the intent of the Paperwork Reduction Act and the Records Management Act.  Records contained on personal email must be reviewed by each individual employee and those which comprise official business forwarded to the agency for archival purposes.  The decision of whether information is business related is the perogative of the employee.  IT services may be located at a private residence, a commercial service, or a combination of both.    Employees travelling outside the continental U.S. or directing correspondence to foreign nationals must encrypt email services if they are transmitted over foreign networks.  

This opportunity for employees to maintain their own email systems recognizes Federal government agencies cannot maintain the privacy of individuals who work for them.  That business eventually becomes public and may result in some personal impact.  Since disclosures have caused employees embarrassment in the past, all employees will be able to review their mail for any issues that might reflect on their ability to perform their duties, or matters related to their personal habits, physical well-being, or health.  All other email must be archived as directed above.  

The Freedom of Information Act will apply only to those matters of correspondence which have been reviewed by the employee, the government agency, and/or representatives of both.  

Law enforcement activities may apply to courts for authority to examine personal records maintained by the employee.  A special Privacy Court will be established for this purpose.  

The benefits have been researched by the Congressional Budget Office and Office of Management and Budget and are contained in a report referenced below.  On page 452, savings clearly show a reduced cost for the general fund, and specific costs related to maintenance of email services for government employees.  These savings will exceed $500 M per annum.  

Agencies will develop policies to support the implementation of this Order not later than the beginning of FY 2016, which begins 1 September 2015. 

orginal signed

Dennis F. Poindexter books at Amazon

When Identity Theft Can Kill

The Justice Department has just announced the arrest and conviction of an Iranian pilot who stole personal information about a U.S. pilot (his passport, credit cards and pilot certificates) then used them to order certifications he could pawn off as his own.  He paid for the new ones with a stolen credit card.  This requires a little more planning than just stealing a credit card or passport.  Credit Justice, the FAA and Danish police for their cooperation in this. [see whole story at  http://www.justice.gov/opa/pr/iranian-pilot-sentenced-27-months-prison-stealing-us-pilot-s-identity-obtain-federal-aviation ]

It doesn't require too much thought to see the potential for something to go wrong when one person steals another person's certifications.  Yes, I can do that surgery you want.  Yes, I can fly you up to Chicago on that plane of yours.  Yes, I have a PhD in Nuclear Physics.  There are all kinds of things that can be stolen or manufactured, without doing the work or having a skill.  It is surprising how few times people who should know better, never check.  

Many years ago, we were accepting bids for a big contract and going through all the offers from the bidders.  I noticed that quite a few of their resumes from one of the bidders showed PhDs from a school I had not heard of.  It was just a casual check on the Internet that led us to conclude there was no University by that name, at least not one that had classes, professors, or accreditation.  When our contracting officer called them the next day, they withdrew their bid.  Nobody got killed.  Nobody even thought much about it.  They probably should have.

With planes disappearing now and again around the world, we have to wonder if there might be a reason we haven't thought of.  The airlines certainly haven't discussed fradulent credentials in any accident I ever heard of, though this pilot seems to have had one while he carried this stolen credential.  

" According to court records, on Sept. 15, 2012, Haghighi crashed an airplane in Bornholm, Denmark, while in possession of the victim’s ATP certificate.  After facing criminal charges in Denmark and Germany, Haghighi returned to Iran, only to later resurface in Indonesia.  He was finally arrested in Panama, where he waived extradition to the United States in August 2014."  He flew for at least 3 years with those phoney creds.  This is not a comfort to me, even though I rarely fly outside the U.S.  Why didn't someone at an airline notice this sooner?  I think I want to know more about some of the hospitals I have been to in the past.  They are hiring more people who have degrees from some really interesting places.  They don't seem to ask a lot of questions about where that certification or degree came from.  This is a good example that reminds us that checking up on certs and degrees may be worth the time.  

Government Contracting Out Email

Before we hear it from the Hillary Defense Fund, we should look closely at what is going on in the Federal government to contract out their e-mail services.  Every part of the Federal establishment is looking at using Google, Amazon, and Microsoft for official government business, from HHS to the Intelligence Community.  They are doing it now, in great numbers, but you don't hear much about it.  

None of these services involve putting email servers in the basement of anyone's house.  They have different rules than a private individual who might sign up for a private account to use on a home computer, and they are probably more secure, though that is a relative term when it comes to email.  Is it OK to contract out a service like this, when the Feds already fund their own services internally?  They can't have it both ways....

If anyone believes that the Big Three can do email services that are equivalent to what a government agency provides, they should be allowed to contract it out.  What doesn't happen after that cutting the IT services of that agency an amount equal to what they no longer require as result of contracting the service out.  This would be like operating food concessions in the Pentagon and still keeping government cooks employed there.  The reason for contracting the service out is to save money.  If we contract it out and still have the same levels of staff, we aren't saving anything. 

I don't think any vendor can run a service as well as some government agencies, for the obvious reason that the information being exchanged is sometimes very sensitive, even though it is not classified.  We are going to see the "it wasn't classified" argument from the Defense Fund.  What they will never say is that it should have been.  State Department negotiations with other countries and the underlying basis of those are classified, but they don't always classify them in email.  This is usually out of ignorance of classification guidance, not because unclassified e-mail is easier to use.  Every government email system has something euphamisticly called "spills".  Classified information gets out on the unclassified system, generally by accident, but always by someone making a mistake somewhere.  I'm not sure how Google, Amazon or Microsoft handles that kind of thing.   They have to have people with security clearances, sometimes pretty high clearances, to handle it.  They can't be in another country, and they can't be foreign nationals in the U.S. The circuits are leased by the private service and run by whatever country the service is in.  We have international treaties for this kind of thing in government, but I don't know what they do to provide people to operate those services.  We also don't know how well commercial services handle the encryption and/or service of personal devices that are used to transport the mail.  Did Hillary's Blackberry belong to her or to the government?  Where did her service of hardware and software come from?  Did she ever have a spill?

I don't really care what the Feds do, but they have to stop trying to have it both ways.  If they really think it is a good idea to contract it out, then get on with it, but take the IT cuts that go with it.  If they look more closely at it, they might change their minds about having an outside service do it.  

Engineering for Stupid

We used to have a saying among computer engineers that went like this:  "You can't engineer out stupid."  The meaning, to those of us in security, is that engineering for security cannot compensate for every stupid thing that a user might do.  We have had people connect classified computers to the Internet.  We have had users send classified documents over the Internet (some very sensitive things too).  We have had some government officials use private accounts for public business.  No amount of engineering can compensate for things like that.  

The Defenders of Hillary wish the whole issue raised by Clinton's use of a private email account at State was that she didn't violate the law.  Nobody makes laws for stupid, anymore than we can engineer for it.  We always assume a certain amount of common sense - best practice, so to speak - that a responsible official will follow.  No agency writes laws for things like this; they only have policies.  Some senior people think policies are for other people.  Only a few confuse them with laws.  When you violate a law, police or investigators come and look.  When you violate a policy, your own internal IG comes.  They are not equal responses.  

When the White House Controls Information

Susan Milligan authored an interesting report in the Columbia Journalism Review about the openness  of the current White House [ see http://www.cjr.org/analysis/the_president_and_the_press.php?utm_content=bufferea272&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer ]  

It points to the Obama Administration as one of the least open in moden memory.  It reminded me of a comment my brother made to me after he read a draft of my newest book on Cyberwar.  He said Cyberwar looks like something being done in politics, and not just something done by governments at war.  Milligan has hit on some basic Information War principles being used by the White House to manage information, and blames the press corps for much of what has become a one-way transfer of information.  Very little comes out of press conferences, and they are rarely given.  Questions are repeated by reporters who want to be seen asking them, while the White House is seen answering them multiple times.  Many important questions are never asked.  

Policy decisions are seldom discussed until made.  In the current discussion of the nuclear deal with Iran, the President thinks it best to wait for a deal to be made public before we decide whether it is good enough.  Once a deal is made, it has to be good enough because it will not be changed.  The debate will be over.  

"Evidence suggests that the relationship between the President and the press is more distant than it has been in a half century."  The President seems to see the press as an enemy.  Watching the press respond  to Hilliary Clinton's use of private email on her own home computer or the feeding frenzy surrounding the recent visit of the Israeli Prime Minister, gives us some reason to see why.  For reasons we can never explain, the White House seems to never want to admit a mistake, even one they did not make.  They want to explain why a certain thing happened, when admiting the error and moving on might be a better way to approach a failed decision.  It is really OK that Hillary had that email in her basement computer network - the real thing we are worried about is whether it was preserved for history?  Don't we think it is unusual and a National Security risk to do that sort of thing?   It is really OK that the U.S. France, and Germany are trying to make a deal with the Iranians who do more to promote terrorism in the Middle East than any other country?   They see bad decisions as things that need to be expalined, even when the explanations are bordering on the rediculous.  

This goes back to credibility, the most important element of persuasion.  The Russians tried to convince the world that Ukrainian Nationalists did not shoot down a commercial airliner and that there were no Russian troops in Ukraine except those who went there on vacation.  They developed incredible stories to convince us that these events occured in different ways.  The U.S. is falling victim to the same kind of strategy.  It thinks the pubic will buy anything that is packaged well and said quickly, whether credible or not.  That is arrogance unbefitting our American institutions.  

Last Interview on Russia in Ukraine

In Canada's National Post today is an interesting article about the last interview given by Boris Nemtsov, who was shot in the back, off the main square in Moscow.   

[ Boris Nemtsov’s last interview, given hours before he was assassinated: ‘Putin lied’]     

Nemtsov was rumored to be developing a report about Russian troops crossing over into Ukraine to fight, something the Russian government denies in spite of overwhelming evidence against them, including captured soldiers and Internet selfies taken on both sides of the border.  NATO published before and after pictures of Russian forces and there was little doubt they loaded tanks, rocket launchers and troop transports onto trucks and moved them into Ukraine.  One of them shot down a commercial airliner, then beat a retreat to Russia.  In the article, Nemtsov mentions there was no doubt Russia had troops in the Ukraine and they were fighting, more importantly dying, in substantial numbers.  

Unless Nemtsov knew something that the press didn't already know, it is hard to believe the the Russian government would see a reason to kill him in such a public way.  Not that enemies of Putin don't end up dead at regular intervals, but this guy well known in Russia and  internationally.  He would be missed, and his murder would be a cause célèbre among the world's elite. 

The Russian press has already started to publish irrational stories about motivations of people who killed him.  The most rediculous is the one saying Putin's enemies did it to make Putin look bad.  The story is similar to the one the press used to say enemies of the Russian Nationalists in Ukraine shot down a commercial airliner [the passengers were already dead] to discredit the cause.  Credibility is a little thin when the government controlled press deicides to sheep dip their way through a range of stories, hoping one will stick with the public.  Truth is never very close to the hearts of these reporters, or to the offical statements made by the Russian government.  Putting Putin in charge of the investigation was a nice touch.  We know for sure how far this investigation is going.