Van nieuwsblog.burojansen.nl

A la lumière de notes déclassifiées de la DGSI, «Libération» retrace le
parcours d’Ismaël Omar Mostefaï, l’un des assaillants du 13 Novembre,
sous-estimé par les services français.

Rétrospectivement, c’est peut-être sur le parcours d’Ismaël Omar
Mostefaï, l’un des trois kamikazes du Bataclan, que la faillite du
renseignement intérieur s’avère la plus crue dans le dossier des
attentats du 13 novembre 2015. Connu du contre-terrorisme français
depuis 2008, le jeune homme – qui s’est fait exploser à 29 ans dans la
salle de spectacle avec Samy Amimour et Foued Mohamed-Aggad – n’a jamais
fait l’objet d’une surveillance assidue. Et ce, malgré près de six
années passées au contact des sphères fondamentalistes. Une proximité
dont la Direction centrale du renseignement intérieur (DCRI, devenue
DGSI en 2014) avait parfaitement connaissance. Libération retrace
l’itinéraire d’Ismaël Omar Mostefaï, à la lumière des notes
déclassifiées sur demande des juges antiterroristes parisiens.

Décrochage.

Fils d’un chauffeur routier algérien aux pratiques rigoristes, Ismaël
Omar Mostefaï grandit à Courcouronnes (Essonne). Entre 2004 et 2010, le
jeune homme cumule décrochage scolaire et huit condamnations pénales
pour détention de stupéfiants, violences, outrage et conduite sans
permis. En 2005, la famille Mostefaï déménage à Chartres, où Ismaël Omar
intègre peu à peu un groupe salafiste.

Dès 2009, huit membres de cette cellule se réunissant dans des
appartements font l’objet d’une attention particulière de la DCRI. Et
pour cause : comme l’a révélé Mediapart une dizaine de jours après les
attentats du 13 Novembre, le petit noyau de fondamentalistes est fédéré
autour d’Abdelilah Ziyad, un prédicateur marocain au CV bien rempli. Et
qui, surtout, n’a rien à faire dans la préfecture d’Eure-et-Loir.

En effet, Ziyad, la soixantaine, n’est autre que le «co-instigateur des
attentats de Fès et Marrakech», selon les notes de la DGSI que nous
avons pu consulter. Le 24 août 1994, trois Français recrutés par Ziyad
abattent deux touristes et en blessent un autre dans le hall de l’hôtel
Atlas Asni de Marrakech. Arrêté en août 1995, il est jugé un an plus
tard. A l’audience, il confesse son implication et écope de huit ans de
prison. La peine est assortie de dix ans d’interdiction du territoire
français. Libéré en 2001, Ziyad disparaît. Du moins momentanément.

En 2008, l’émir est donc débusqué à Chartres. Mais la réalité est bien
pire : en violation de son interdiction du territoire, Ziyad vit depuis
des années sous de fausses identités à Migennes (Yonne). Il effectue
alors secrètement des allers-retours à Chartres. C’est à son contact que
Mostefaï épouse l’idéologie jihadiste. En août 2012, sa famille
redéménage. Cette fois-ci, à Romilly-sur-Seine (Aube). Pile dans la
sphère d’influence de Ziyad, qui réside à Migennes mais qui dispose
d’attaches dans l’Aube. Cet emménagement est-il fortuit ? A l’époque, en
tout cas, les services spécialisés ne semblent guère s’en inquiéter.
Pourtant, à l’été 2012, Ismaël Omar Mostefaï coupe les ponts avec sa
famille.

«Leur maître».

Quelques semaines plus tard, le 29 septembre, il est localisé à Charmoy,
une commune limitrophe de… Migennes. Les gendarmes arrêtent un véhicule
avec deux personnes à bord, dont Mostefaï. Aux pandores, les deux
acolytes expliquent chercher une rue. Pour la DGSI, cette virée a une
tout autre motivation. Dans une note du 24 octobre 2012, le service
intérieur écrit : «Certains membres de ce groupe [les huit salafistes de
Chartres, ndlr] ont repris leurs déplacements dans l’agglomération de
Migennes afin d’y rencontrer leur maître.» Un maître qui n’est autre
qu’Abdelilah Ziyad, empruntant désormais l’identité d’Abdelmalek Bachir.
Malgré ces éléments, qui caractérisent la volonté récurrente de Mostefaï
de côtoyer son mentor, la DGSI n’adopte aucune surveillance poussée.
Plusieurs mois passent. Et Mostefaï est des plus discrets. Le 6
septembre 2013, il pénètre en Turquie avec deux hommes, dont Samy
Amimour. Leur destination est la Syrie, ce que la France n’apprendra que
des mois plus tard, presque par hasard. Rien dans les notes de la DGSI
ne documente ce premier voyage au Levant. Pire, les agents se disent
probablement que Mostefaï ne s’est jamais rendu en Syrie lorsqu’ils le
relocalisent le 9 avril 2014 à… Chartres.

«Combat de rue».

Ce jour-là, le futur kamikaze participe encore à une réunion sous
l’égide de Ziyad. Une entrevue jugée suffisamment sérieuse par la DGSI
pour que soient engagées des mesures de surveillance de certains
participants. D’aucuns feront l’objet d’écoutes et de filatures jusqu’en
septembre 2015. Dans une note de ce même 9 avril, que révèle Libération,
la DGSI écrit : «Les membres du groupe se sont entraînés physiquement en
présence de Bachir Abdelmalek, qu’ils considèrent comme leur maître. Ils
se sont également livrés à l’apprentissage de techniques de combat de
rue, sous l’égide de Bachir Abdelmalek, qu’ils jugent expert en la
matière.» Malgré ces renseignements clairs, Mostefaï est jugé
«périphérique» et ne bénéficie, une nouvelle fois, d’aucune attention
soutenue.

La suite est encore plus invraisemblable. Mostefaï part une deuxième
fois en Syrie. Quand ? Nul ne le sait aujourd’hui. En octobre 2014, la
France envoie une requête à la Turquie concernant le passage sur son sol
de jihadistes présumés. Ankara retourne une liste sur laquelle figure
Mostefaï pour… son premier séjour, celui effectué en septembre 2013.
Quatorze mois plus tard, les autorités françaises sont enfin au parfum.
Mais ni la DGSI ni son homologue extérieur, la DGSE, ne parviendront à
relocaliser précisément Mostefaï et à prévenir son deuxième retour et sa
participation à l’attentat du 13 Novembre au Bataclan, dans lequel 90
personnes ont trouvé la mort.

Par Willy Le Devin — 29 mars 2017 à 19:46
Find this story at 29 March 2017

Copyright http://www.liberation.fr/

Van nieuwsblog.burojansen.nl

Exclusive: Documents obtained by the Guardian reveal details of how police posed as protesters amid unrest following the death of Eric Garner
People protest after a grand jury decided not to indict officer Daniel Pantaleo in the Eric Garner case.

Undercover officers in the New York police department infiltrated small groups of Black Lives Matter activists and gained access to their text messages, according to newly released NYPD documents obtained by the Guardian.

The records, produced in response to a freedom of information lawsuit led by New York law firm Stecklow & Thompson, provide the most detailed picture yet of the sweeping scope of NYPD surveillance during mass protests over the death of Eric Garner in 2014 and 2015. Lawyers said the new documents raised questions about NYPD compliance with city rules.

The documents, mostly emails between undercover officers and other NYPD officials, follow other disclosures that the NYPD regularly filmed Black Lives Matter activists and sent undercover personnel to protests. The NYPD has not responded to the Guardian’s request for comment or interview.

Emails show that undercover officers were able to pose as protesters even within small groups, giving them extensive access to details about protesters’ whereabouts and plans. In one email, an official notes that an undercover officer is embedded within a group of seven protesters on their way to Grand Central Station. This intimate access appears to have helped police pass as trusted organizers and extract information about demonstrations. In other emails, officers share the locations of individual protesters at particular times. The NYPD emails also include pictures of organizers’ group text exchanges with information about protests, suggesting that undercover officials were either trusted enough to be allowed to take photos of activists’ phones or were themselves members of a private planning group text.

protesters text message
Police obtained access to protesters’ text messages, the documents show. Photograph: NYPD/Screenshot/Scribd
“That text loop was definitely just for organizers, I don’t know how that got out,” said Elsa Waithe, a Black Lives Matter organizer. “Someone had to have told someone how to get on it, probably trusting someone they had seen a few times in good faith. We clearly compromised ourselves.”

Keegan Stephan, a regular attendee of the Grand Central protests in 2014 and 2015, said information about protesters’ whereabouts was limited to a small group of core organizers at that time. “I feel like the undercover was somebody who was or is very much a part of the group, and has access to information we only give to people we trust,” said Stephan, who has been assisting attorneys with a lawsuit to obtain the documents on behalf of plaintiff James Logue, a protester. “If you’re walking to Grand Central with a handful of people for an action, that’s much more than just showing up to a public demonstration – that sounds like a level of friendship.”

Joseph Giacalone, a retired NYPD detective sergeant and professor at John Jay College, agreed that it would not be easy for an undercover officer to join a small group of protesters and hear their plans. “It would be pretty amazing that they would be able to get into the core group in such a short window of time,” said Giacalone. “This could have been going on a while before for these people to get so close to the inner circle.”

The NYPD documents also included a handful of pictures and one short video taken at Grand Central Station demonstrations. Most are pictures of crowds milling about or taking part in demonstrations. In one picture of a small group of activists, the NYPD identifies an individual in a brown jacket as the “main protester”. These images of protesters are reminiscent of those taken by undercover transit police, who were also deployed to Black Lives Matter protests in Grand Central Station in 2015.

nypd documents
Facebook Twitter Pinterest
An individual is identified as the ‘main protester’. Photograph: NYPD/Screenshot/Scribd
Giacalone said this type of leadership identification was standard police practice at protests. “If you take out the biggest mouth, everybody just withers away, so you concentrate on the ones you believe are your organizers,” he said. “Once you identify that person, you can run computer checks on them to see if they have a warrant out or any summons failures, then you can drag them in before they go out to speak or rile up the crowd, as long as you have reasonable cause to do so.”

Attorneys say the documents raise legal questions about whether the NYPD was acting in compliance with the department’s intelligence-gathering rules, known as the Handschu Guidelines. The guidelines, which are based on an ongoing decades-old class-action lawsuit, hold that the NYPD can begin formally investigating first amendment activity “when facts or circumstances reasonably indicate that an unlawful act has been, is being, or will be committed” and if the police surveillance plan has been authorized by a committee known as the Handschu Authority. (That committee was exclusively staffed by NYPD officials at the time.) However, according to the guidelines, before launching a formal investigation, the NYPD can also conduct investigative work such as “checking of leads” and “preliminary inquiries” with even lower standards of suspicion.

Michael Price, counsel at the Brennan Center for Justice, said it was difficult to know whether NYPD’s undercover surveillance operations crossed the line, as the documents did not make clear what, if any, stage of investigation the police were in at the time of the operations. But he said the department’s retention of pictures and video raised questions, since police are not allowed to retain information about public events unless it relates to unlawful activity.

“So my question would be: what was the unlawful activity that police had reason to suspect here?” said Price. “It doesn’t appear that there was any criminal behavior they were talking about in the emails. Most references are to protesters being peaceful, so I would be very concerned if they were hinging their whole investigation on civil disobedience, such as unpermitted protests or blocking of pedestrians.”

Throughout the emails, the NYPD’s undercover sources provide little indication of any unlawful activity, frequently characterizing demonstrators as peaceful and orderly with only one mention of a single arrest.

“The documents uniformly show no crime occurring, but NYPD had undercovers inside the protests for months on end as if they were al-Qaida,” said David Thompson, an attorney of Stecklow & Thompson, who helped sue for the records.

Giacalone argued that police could have easily come up with a legal justification to initiate surveillance, especially if such operations occurred after the shooting of two NYPD officers in December of 2014 (all dates in the NYPD’s email communications were redacted). But he noted that such investigative activities would be harder to justify if officers were not directly observing signs of unlawful activity.

“If they’re not talking about any crimes being committed, they’re going to have a difficult time defending this. It may end up in another one of these lawsuits,” said Giacalone. “Some may say this is good police work, fine, but good police work or not, we have rules against this kind of thing in New York.”

Attorneys have already filed a petition charging that the NYPD may have failed to produce all of its surveillance records. But for some protesters, the damage has already been done.

“In the first couple of months, we had a lot of people in and out of the group, some because they didn’t fit our style but others because of the whispers that they were undercovers,” recalled Waithe. “Whether it was real or perceived, that was the most debilitating part for me, the whispers … It’s really hard to organize when you can’t trust each other.”

George Joseph in New York
Tuesday 4 April 2017 11.00 BST Last modified on Tuesday 4 April 2017 22.00 BST
Find this story at 4 April 2017

© 2017 Guardian News and Media Limited

Van nieuwsblog.burojansen.nl

Exclusive: Watchdog investigates claim that secretive unit worked with Indian police to obtain campaigners’ passwords

An anonymous letter claimed the Scotland Yard unit accessed activists’ email accounts for ‘a number of years’.

The police watchdog is investigating allegations that a secretive Scotland Yard unit used hackers to illegally access the private emails of hundreds of political campaigners and journalists.

The allegations were made by an anonymous individual who says the unit worked with Indian police, who in turn used hackers to illegally obtain the passwords of the email accounts of the campaigners, and some reporters and press photographers.

Met presses undercover police inquiry to examine fewer officers
Read more
The person, who says he or she previously worked for the intelligence unit that monitors the activities of political campaigners, detailed their concerns in a letter to the Green party peer Jenny Jones. The peer passed on the allegations to the Independent Police Complaints Commission (IPCC), which is investigating.

Hacked passwords were passed to the Metropolitan police unit, according to the writer of the letter, which then regularly checked the emails of the campaigners and the media to gather information. The letter to Jones listed the passwords of environmental campaigners, four of whom were from Greenpeace. Several confirmed they matched the ones they had used to open their emails.

The letter said: “For a number of years the unit had been illegally accessing the email accounts of activists. This has largely been accomplished because of the contact that one of the officers had developed with counterparts in India who in turn were using hackers to obtain email passwords.”

Jones said: “There is more than enough to justify a full-scale criminal investigation into the activities of these police officers and referral to a public inquiry. I have urged the Independent Police Complaints Commission to act quickly to secure further evidence and to find out how many people were victims of this nasty practice.”

The letter also alleges that emails of reporters and photographers, including two working for the Guardian, were monitored. A spokesperson for the Guardian said: “Allegations that the Metropolitan police has accessed the email accounts of Guardian journalists are extremely concerning and we expect a full and thorough investigation into these claims.”

The IPCC has for several months been investigating claims that the national domestic extremism and disorder intelligence unit shredded a large number of documents over a number of days in May 2014.

The stories you need to read, in one handy email
Read more
Last month the IPCC said it had uncovered evidence suggesting the documents had been destroyed despite a specific instruction that files should be preserved to be examined by a judge-led public inquiry into the undercover policing of political groups.

The letter claimed that the shredding “has been happening for some time and on a far greater scale than the IPCC seems to be aware of”. The author added that “the main reason for destroying these documents is that they reveal that [police] officers were engaged in illegal activities to obtain intelligence on protest groups”.

The letter to Jones lists 10 individuals, alongside specific passwords that they used to access their email accounts. Lawyers at Bindmans, who are representing Jones, contacted six on the list and, after outlining the allegations, asked them to volunteer their passwords.

Five of them gave the identical password that had been identified in the letter. The sixth gave a password that was almost the same. The remaining four on the list have yet to be approached or cannot be traced.

Colin Newman has for two decades volunteered to help organise mainly local Greenpeace protests which he says were publicised to the media. He used the password specified in the letter for his private email account between the late 1990s and last year.

Newman said he felt “angry and violated, especially for the recipients”. He added: “I am open about my actions as I make a stand and am personally responsible for those, but it is not fair and just that others are scrutinised.

“I am no threat. There is no justification for snooping in private accounts unless you have a reason to do so, and you have the authority to do that.”

He said he had been cautioned by the police once, for trespassing on the railway during a protest against coal about two years ago.

Another on the list was Cat Dorey who has worked for Greenpeace, both as an employee and a volunteer, since 2001. She said all the protests she had been involved in were non-violent.

The password specified in the letter sent to Jones had been used for emails that contained private information about her family and friends.

She said: “Even though Greenpeace UK staff, volunteers, and activists were always warned to assume someone was listening to our phone conversations or reading our emails, it still came as a shock to find out I was being watched by the police. It’s creepy to think of strangers reading my personal emails.”

In 2005, she was part of a group of Greenpeace protesters who were sentenced to 80 hours of community service after installing solar panels on the home of the then deputy prime minister, John Prescott, in a climate change demonstration.

According to the letter, the “most sensitive side of the work was monitoring the email accounts of radical journalists who reported on activist protests (as well as sympathetic photographers) including at least two employed by the Guardian newspaper”. None were named.

Investigators working for the IPCC have met Jones twice with her lawyer, Jules Carey, and have asked to interview the peer. An IPCC spokesperson said: “After requesting and receiving a referral by the Metropolitan police service, we have begun an independent investigation related to anonymous allegations concerning the accessing of personal data. We are still assessing the scope of the investigation and so we are not able to comment further.”

The letter’s writer said he or she had spoken out about the “serious abuse of power” because “over the years, the unit had evolved into an organisation that had little respect for the law, no regard for personal privacy, encouraged highly immoral activity and, I believe, is a disgrace”.

In recent years, the unit has monitored thousands of political activists, drawing on information gathered by undercover officers and informants as well as from open sources such as websites. Police chiefs say they need to keep track of a wide pool of activists to identify the small number who commit serious crime to promote their cause.

But the unit has come in for criticism after it was revealed to be compiling files on law-abiding campaigners, including John Catt, a 91-year-old pensioner with no criminal record as well as senior members of the Green party including the MP Caroline Lucas.

The Metropolitan police said the IPCC had made it “aware of anonymous allegations concerning the accessing of personal data, and requested the matters were referred to them by the MPS. This was done. The MPS is now aware that the IPCC are carrying out an independent investigation.”

Rob Evans
Tuesday 21 March 2017 16.35 GMT Last modified on Wednesday 22 March 2017 00.50 GMT

Find this story at 22 March 2017

© 2017 Guardian News and Media Limited

Van nieuwsblog.burojansen.nl

The whistleblower lists damning claims of spying on innocent individuals by a secretive Scotland Yard unit. It’s now vital that we hold the police to account
‘When the police act with impunity all of our private lives are put at risk’

As the only Green party peer I receive a lot of post to my office in the House of Lords. Rarely, though, do I open letters like the one that has been revealed. The anonymous writer alleged that there was a secretive unit within Scotland Yard that has used hackers to illegally access the emails of campaigners and journalists. It included a list of 10 people and the passwords to their email accounts.

As soon as I read the first sentence of the letter, I knew the content would be astonishing – and when some aspects of the letter were corroborated by lawyers and those on the list – I was convinced that we owed it to this brave whistleblower to hold the police to account.

The list of allegations is lengthy. It includes illegal hacking of emails, using an Indian-based operation to do the dirty work, shredding documents and using sex as a tool of infiltration. And these revelations matter to all of us. None of us knows whether the police organised for our emails to be hacked, but all of us know the wide range of personal information that our emails contain. It might be medical conditions, family arguments, love lives or a whole range of drug- or alcohol-related misdemeanours.

When the police act with impunity, all of our private lives are put at risk. Whether you’re involved in a local campaign against library closures, a concerned citizen worried about air pollution or someone working for a charity – who’s to say that officers won’t be spying on the emails you send? The police put me on the domestic extremism database during the decade when I was on the Metropolitan Police Authority signing off their budgets and working closely with officers on the ground to fight crimes such as road crime and illegal trafficking. If someone in my position – no criminal record and on semi-friendly terms with the Met commissioner – can end up on the database, then you can too.

The truth is that without the bravery and professionalism of two serving police officers who have blown the whistle on state snooping I would know nothing about my files, and those of other campaigners, being shredded by the Domestic Extremism Unit. We would have had no suspicion that those files had been shredded to cover up the illegal hacking of personal and work e-mails by the police.

Please don’t fall for the old establishment lie that the problem is a few rotten apples. This alleged criminality is the result of a deliberate government policy of using the police and security services to suppress dissent and protest in order to protect company profits and the status quo. Such an approach inevitably leads to police officers overstepping the mark as they feel emboldened by those at the top levels of government and an immunity from prosecution provided by senior officers keen to please the people who decide their budgets.

The stories you need to read, in one handy email
Read more
The police don’t always act as neutral agents of the law. We know that the Thatcher government’s determination to break the miners’ strike led to the Orgreave confrontation in 1984. There are still allegations about the links between the police and those running blacklisting databases that led to hundreds of construction workers being condemned to unemployment and poverty.

And don’t mistake this for a partisan attack on Conservative politicians. Theresa May has forced through the draconian Investigatory Powers Act, but the Labour party too has been timid at best in opposing this snoopers’ charter. Indeed it was the Blair government that left a legacy of draconian public order laws, and which broadly defined the anti-terrorism legislation upon which an edifice of modern surveillance powers has been constructed.

Many are unaware that joining an anti-fracking group, or going on a demonstration, could get you labelled a domestic extremist, photographed, questioned and followed for months or even years – without ever having been convicted of a crime.

It’s only by speaking out against these intrusions that we are able to challenge this rotten culture of impunity. After all, it was David Cameron who gave us the Hillsborough inquiry and Theresa May who set up the Pitchford inquiry into undercover officers. Politicians don’t always do things for good reasons, but they do respond to public pressure.

Change is possible, but in the meantime, we should be doing everything we can to make it hard for the police to spy on us. Use encryption, two-step email security and other precautions suggested by organisations such as Liberty. Don’t stop saying what you think, or working to make the world a better place, but do assume that the police will be working to protect the companies, banks or energy companies that you want to challenge.

It isn’t how things should be, but the evidence shows that is the way things are.

A campaign to get the police out of the lives of environmentalists and social justice campaigners is a good start, but it will fail unless it reaches out – starting by working with those in the Muslim community intimidated by Prevent.

Above all, we must convince the middle ground of society that everyone will be safer if the security services focused on what we all want them to do – stopping terrorists and serious criminals. This is not unreasonable, and the starting point is a change to the legislation so that it narrows the definition of terrorism to exclude the nonviolent, noisy and rebellious

Wednesday 22 March 2017 15.23 GMT Last modified on Wednesday 22 March 2017 17.29 GMT
Jenny Jones
Find this story at 22 March 2017

© 2017 Guardian News and Media Limited

Van nieuwsblog.burojansen.nl

POLICE Scotland has confirmed that a secret file was created on the activities of a disgraced undercover unit at the G8 summit at Gleneagles.

The “intelligence briefings” on the National Public Order Intelligence Unit, whose officers had sex with the protestors they spied on, will now be examined by a watchdog as part of its covert policing probe. Police Scotland said they would not comment on the contents of the file.

Two Met-based units – the Special Demonstration Squad and the NPOIU – were set up to keep tabs on so-called subversives and domestic extremists.

Loading article content

A key strategy was to embed undercover officers in campaign groups, which included anti-racism organisations, and report back to handlers.

However, some of the tactics deployed by officers in the units, such as using the identities of dead babies and deceiving women into long-term sexual relationships before vanishing, have since been exposed.

The Pitchford Inquiry, set up by Theresa May when she was Home Secretary, is examining undercover policing going back decades.

Although the judicial-led investigation does not apply to Scotland, NPOIU activity took place north of the border in the run up to the G8 summit in Scotland in 2005.

Mark “Stone” was a driver for campaigners at the G8, but was unmasked as undercover officer Mark Kennedy.

He later said in an interview: “My superior officer told me on more than one occasion, particularly during the G8 protests in Scotland in 2005, that information I was providing was going directly to Tony Blair’s desk.”

Ahead of the G8, the then Scottish Executive issued a Ministerial Certificate blocking the release of information connected with the summit. The blackout applied to all Scottish public authorities, including police forces, health bodies and the Government.

However, it can be revealed that the SNP Government quietly revoked the certificate in 2010, a decision that could result in information on the summit being released.

After being asked by this newspaper for the titles of all files produced by on the G8 in 2005, Police Scotland confirmed the names of 1168 files.

Forty-four were created by the former Fife Constabulary, whose patch included the Gleneagles hotel, while 1124 files were produced by Lothian and Borders police.

Many of the files are on routine policing matters, but one document is described as “intelligence briefings” on the “National Public Order Intelligence Unit”.

Other files include “stop the war coalition – regulatory board” and “indymedia”, which was a left-wing website at the time.

There was also correspondence with the security services on the “Senior Leadership Development Programme”, a funding request for a “special branch operation” in May 2005 and over a dozen files on the peaceful Make Poverty History march.

After the UK Government refused to extend the Pitchford Inquiry to Scotland, Her Majesty’s Inspectorate of Constabulary in Scotland launched its own review of undercover policing.

A spokesperson for HMICS said: “As outlined in our terms of reference HMICS will examine the scale and extent of undercover police operations in Scotland conducted by the SDS and the NPOIU. As part of our scrutiny, we will review the authorisations for undercover deployments during the G8 Summit in Scotland in July 2005. HMICS are currently engaged in this process with the full cooperation of Police Scotland. With specific regard to the intelligence file, HMICS will ?examine this file for any information that may inform our review process.”

Donal O’Driscoll, a core participant in the Pitchford Inquiry who was spied on in Scotland, said: “We have long argued that the both the SDS and the NPOIU were active in Scotland, particularly around the 2005 G8. The existence of this file strengthens our case that there needs to be a full inquiry into the activities of spy cops in Scotland – and renders the exclusion of Scotland from the Pitchford Inquiry even more inexplicable.

“We continue to have no confidence in the HMICS review. Nevertheless, I’d expect them to at least make the effort to examine this and related briefings as part of the bare minimum they need to do. Not least because it is now beyond dispute there were multiple undercover police from the NPOIU and foreign police forces present at the G8 protests. However, only a full public inquiry can get to the truth as to what the police and the state had planned and co-ordinated when they interfered in legitimate democratic protest.”

A Police Scotland spokesperson said: “Police Scotland does not routinely comment on covert policing or intelligence. We will not offer any comment on the contents of any specific files. Any inquiries relating to the NPOIU should be directed to the Met Police. Police Scotland will also fully and openly co-operate with the review of undercover policing to be carried out by HMICS.”

/ Paul Hutcheon, Investigations Editor / @paulhutcheon

Find this story at 25 March 2017
© Copyright 2017 Herald & Times Group

Van nieuwsblog.burojansen.nl

THE DEPARTMENT OF Homeland Security announced an unprecedented new restriction on travelers from 10 airports in eight Muslim-majority countries on Tuesday.

The DHS restriction states “that all personal electronic devices larger than a cell phone or smart phone be placed in checked baggage at 10 airports where flights are departing for the United States.”

It’s a Muslim laptop ban.

The 10 airports are in Jordan, Egypt, Turkey, Saudi Arabia, Kuwait, Morocco, Qatar, and the United Arab Emirates.

American-based airlines do not fly directly to the United States from these airports, so these restrictions will not apply to them. The impact of this move will instead fall on nine airlines, including Gulf-based carriers that U.S. airlines have been asking President Trump to punish since the day after his election.

The U.S. carriers have long complained that Gulf carriers such as Emirates, Etihad Airways, and Qatar Airways are unfairly subsidized by their national governments.

Executives at Delta Airlines, United Airlines, and American Airlines met with Trump in early February. The day before the meeting, a group representing these American airlines, called the Partnership for Open & Fair Skies, distributed a slick video using Trump’s own words to argue against the subsidies.

With this new travel impediment, Trump may be throwing these executives a bone. The new restrictions appear to be targeting airports that serve as flight “hubs” for these airlines — such as Dubai International, which is the hub of Emirates. Airlines use these hub airports to transfer passengers between flights, delivering significant savings.

California Democratic Rep. Adam Schiff, who is the ranking member of the House Intelligence Committee, quickly rose to the defense of Trump’s DHS on Tuesday, calling the restrictions both “necessary and proportional to the threat”:

Ranking House Intel Dem Schiff backs new electronics ban on US-bound flights from 8 Muslim-maj countries – critics say measure is arbitrary pic.twitter.com/3zPwehf2ZW

— Jessica Schulberg (@jessicaschulb) March 21, 2017

In 2015, Schiff was one of 262 Members of the House who signed a letter protesting subsidies for the Gulf airlines. The letter is featured on the website of the Partnership for Open & Fair Skies.

Whatever the motivation, the security justifications are unclear at best. The Guardian interviewed a number of top technologists about the new policy on Tuesday, and they were puzzled. “If you assume the attacker is interested in turning a laptop into a bomb, it would work just as well in the cargo hold,” Nicholas Weaver, who is a researcher at the International Computer Science Institute, told the paper.

“From a technological perspective, nothing has changed between the last dozen years and today. That is, there are no new technological breakthroughs that make this threat any more serious today,” Bruce Schneier, a top technologist at the Berkman Klein Center for Internet & Society at Harvard University, told the Guardian. “And there is certainly nothing technological that would limit this newfound threat to a handful of Middle Eastern airlines.”

The United Kingdom enacted similar restrictions hours after the United States, but with two puzzling differences. The U.K. ban includes 14 airlines, including six based in the U.K. And it does not include airports in Qatar or the UAE — which are the epicenter of the subsidies dispute. Canada is reportedly weighing its own restrictions.

For its part, Emirates responded by inviting customers to sample its in-flight entertainment in lieu of tablets and laptops — by repurposing an old advertisement featuring Jennifer Anniston:

Let us entertain you. pic.twitter.com/FKqayqUdQ7

— Emirates airline (@emirates) March 21, 2017

Zaid Jilani
March 21 2017, 7:51 p.m.
Find this story at 21 March 2017

Copyright https://theintercept.com/

Van nieuwsblog.burojansen.nl

A new Homeland Security rule will ban electronics on flights from airports in Muslim-majority countries. Is this protectionism or prudence? Well, it’s complicated.

Travelers from eight different Muslim-majority nations will no longer be allowed to carry laptops, tablets, or certain other electronic devices with them in the cabin on flights inbound to the U.S., according to new rules that take effect on Tuesday. The U.K. was quick to announce that it would follow suit with a Muslim laptop ban of its own.

Officials at the U.S. Department of Homeland Security and Transportation Security Administration say that the new rules reflect a potential threat of terrorists smuggling explosive devices on board planes using portable electronic devices—iPads, Kindles, and the like. The DHS guidance cites a 2016 attempted airliner downing in Somalia as one recent incident that could be linked to a laptop bomb. The U.S. rules affect last-point-of-departure airports from 10 airports—some of them the busiest hubs in the Middle East—from Saudi Arabia to Istanbul to the UAE.

Behind the order, though, lies a long history of conflict between America’s big three carriers—Delta, United, and American—and their peers in the Gulf. Critics spied an ulterior motive behind the Trump administration’s new rule: a protectionist measure for U.S. carriers promised by President Donald Trump.

Henry Farrell and Abraham Newman floated this notion in the Washington Post, suggesting that the financial security of United, American, and Delta might be behind the new counterterrorism measures. The U.S. airlines have grumbled for years that their counterparts from the Gulf—specifically Emirates, Etihad Airways, and Qatar Airways—benefit unfairly from government subsidies. Those carriers have recently expanded their service to U.S. cities such as Chicago and Washington, D.C. (as any Washington Wizards fan can tell you, since Etihad is a major advertiser in the Verizon Center).

Back in February, the chief executives of United, American, and Delta sent a letter to U.S. Secretary of State Rex Tillerson complaining about the “massive subsidization of three state-owned Gulf carriers … and the significant harm this subsidized competition is causing to U.S. airlines and U.S. jobs.” In a meeting with the executives shortly thereafter, Trump promised “phenomenal” tax relief, broad deregulation, and other forms of support to the industry.

It’s not yet clear whether this laptop travel ban applies exclusively to all inbound flights from Muslim-majority airports or just those from Gulf carriers. If the latter, that would be a boon to U.S. operators. International business-class travelers—and there are a lot of them circulating between the U.S. and the Middle East—are bound to prefer flights that allow them to work on the plane. During a 14-hour nonstop haul from Dubai to Dulles, passengers are likely to appreciate all the electronic conveniences and entertainment they can carry.

But a one-sided ban would also be a plain violation of trade rules. Global airline carriers have been duking it out over national subsidies for years. In September, the World Trade Organization ruled that the European Union had been illegally propping up Airbus to the tune of $22 billion, a decision that the Washington Post described as “the most expensive dispute in international history.”

A U.K. electronics ban in the Gulf would bite the hand that feeds British Airways.
The Financial Times reports that the rule applies only to non-U.S. carriers: Saudi Arabian Airlines, Royal Jordanian Airlines, Emirates, Etihad Airways, Qatar Airways, Kuwait Airways, Turkish Airlines, EgyptAir, and Royal Air Maroc. Several of these state-owned airlines have indeed enjoyed massive subsidies from their governments. But there’s nothing in the guidance released by Homeland Security that specifies those carriers or otherwise exempts U.S. domestic airlines from the electronics ban. DHS is specific only about the 10 affected airports.

According to CNN, domestic carriers are not affected by the ruling because they do not operate any direct flights to the U.S. from those airports. A travel engine search corroborates and complicates that explanation. Delta runs flights from Cairo to Washington, D.C., that are operated by Air France, for example. British Airways operates American Airlines flights from Istanbul to New York. Both Delta and United operate inbound flights by other carriers—Lufthansa, KLM, and so on—from the restricted airports.

Homeland Security has not responded to a request for clarification. Across the pond, an electronics ban is even more more complicated, since Qatar Airways has increased its ownership stake in the parent company for British Airways to 20 percent after Brexit. A U.K. electronics ban in the Gulf would bite the hand that feeds British Airways.

These bans may be motivated by urgent and legitimate national security concerns. Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence and a Democrat, says that the electronics ban is justified. There is a debate to be had even if the threat is real, though. The tradeoff between travel security and convenience is an enormous drag on productivity (not to mention a cost for airports and airlines). The new rules may sidestep that debate. If an electronics ban applies solely to Gulf carriers, exempting domestic airlines, then it’s pretty plainly a protectionist measure, of the kind that Trump has explicitly promised to deliver for U.S. airlines.

The risk, of course, is that Gulf states could respond in kind—meaning that no one gets to binge on Netflix on international flights. Trade battles have a way of escalating quickly. After the European Union restricted hormone-treated beef from America in 1999, the Clinton administration retaliated with a 100 percent tariff on Roquefort from France. The Bush administration escalated the conflict—totally arbitrarily!—with a 300 percent duty on Roquefort in 2003. The ensuing cheese war lasted nearly through the Obama administration.

Depriving Americans of imported fromage is one thing; taking screens away from their toddlers could represent a whole other degree of inconvenience. Whether or not the Trump administration is pushing protectionist trade policies under the guise of national security, it seems likely that international flights are going to feel a whole hell of a lot longer.

KRISTON CAPPS @kristoncapps Mar 21, 2017 10 Comments

Find this story at 21 March 2017

Copyright 2017 The Atlantic Monthly Group.

Van nieuwsblog.burojansen.nl

The question of whether political operative Roger Stone helped Russian hackers break into the email of Democratic politicians, to some people, invites another: Who says the hackers were Russian?

The FBI does, and so do several U.S. intelligence agencies, as they’ve declared repeatedly over the past five months. But among private-sector computer security companies, not everybody thinks the case is proven.

“I have no problem blaming Russia for what they do, which is a lot,” said Jeffrey Carr of the international cybersecurity company Taia Global Inc. “I just don’t want to blame them for things we don’t know that they did. It may turn out that they’re guilty, but we are very short on evidence here.”

As Carr notes, the FBI never examined the servers that were hacked at the Democratic National Committee. Instead, the DNC used the private computer security company CrowdStrike to detect and repair the penetrations.

“All the forensic work on those servers was done by CrowdStrike, and everyone else is relying on information they provided,” said Carr. “And CrowdStrike was the one to declare this the work of the Russians.”

The CrowdStrike argument relies heavily on the fact that remnants of a piece of malware known as AGENT-X were found in the DNC computers. AGENT-X collects and transmits hacked files to rogue computers.

“AGENT-X has been around for ages and ages, and its use has always been attributed to the Russian government, a theory that’s known in the industry as ‘exclusive use,’” Carr said. “The problem with exclusive use is that it’s completely false. Unlike a bomb or an artillery shell, malware doesn’t detonate on impact and destroy itself.

“You can recover it, reverse-engineer it, and reuse it. The U.S. government learned a lesson about that when it created the Stuxnet computer worm to destroy Iran’s nuclear program. Stuxnet survived and now other people have it.”

Carr said he is aware of at least two working copies of AGENT-X outside Russian hands. One is in the possession of a group of Ukrainian hackers he has spoken with, and the other is with an American cybersecurity company. “And if an American security company has it, you can be certain other people do, too,” he said.

There’s growing doubt in the computer security industry about CrowdStrike’s theories about AGENT-X and Russian hackers, Carr said, including some critical responses to a CrowdStrike report on Russian use of the malware to disable Ukrainian artillery.

“This is a close-knit community and criticizing a member to the outside world is kind of like talking out of turn,” Carr said. “I’ve been repeatedly criticized for speaking out in public about whether the hacking was really done by the Russians. But this has to be made public, has to be addressed, and has to be acknowledged by the House and Senate Intelligence Committees.”

MARCH 24, 2017 7:00 AM
BY GLENN GARVIN

Find this story at 24 March 2017
Copyright http://www.miamiherald.com/

Van nieuwsblog.burojansen.nl

Russia, we are told, breached the servers of the Democratic National Committee (DNC), swiped emails and other documents, and released them to the public, to alter the outcome of the U.S. presidential election.

How substantial is the evidence backing these assertions?

Hired by the Democratic National Committee to investigate unusual network activity, the security firm Crowdstrike discovered two separate intrusions on DNC servers. Crowdstrike named the two intruders Cozy Bear and Fancy Bear, in an allusion to what it felt were Russian sources. According to Crowdstrike, “Their tradecraft is superb, operational security second to none,” and “both groups were constantly going back into the environment” to change code and methods and switch command and control channels.

On what basis did Crowdstrike attribute these breaches to Russian intelligence services? The security firm claims that the techniques used were similar to those deployed in past security hacking operations that have been attributed to the same actors, while the profile of previous victims “closely mirrors the strategic interests of the Russian government. Furthermore, it appeared that the intruders were unaware of each other’s presence in the DNC system. “While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations,” Crowdstrike reports, “in Russia this is not an uncommon scenario.” [1]

Those may be indicators of Russian government culpability. But then again, perhaps not. Regarding the point about separate intruders, each operating independently of the other, that would seem to more likely indicate that the sources have nothing in common.

Each of the two intrusions acted as an advanced persistent threat (APT), which is an attack that resides undetected on a network for a long time. The goal of an APT is to exfiltrate data from the infected system rather than inflict damage. Several names have been given to these two actors, and most commonly Fancy Bear is known as APT28, and Cozy Bear as APT29.

The fact that many of the techniques used in the hack resembled, in varying degrees, past attacks attributed to Russia may not necessarily carry as much significance as we are led to believe. Once malware is deployed, it tends to be picked up by cybercriminals and offered for sale or trade on Deep Web black markets, where anyone can purchase it. Exploit kits are especially popular sellers. Quite often, the code is modified for specific uses. Security specialist Josh Pitts demonstrated how easy that process can be, downloading and modifying nine samples of the OnionDuke malware, which is thought to have first originated with the Russian government. Pitts reports that this exercise demonstrates “how easy it is to repurpose nation-state code/malware.” [2]

In another example, when SentinalOne Research discovered the Gyges malware in 2014, it reported that it “exhibits similarities to Russian espionage malware,” and is “designed to target government organizations. It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.” The security firm explains that Gyges is an “example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” [3]

Attribution is hard, cybersecurity specialists often point out. “Once an APT is released into the wild, its spread isn’t controlled by the attacker,” writes Mark McArdle. “They can’t prevent someone from analyzing it and repurposing it for their own needs.” Adapting malware “is a well-known reality,” he continues. “Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgment.” [4]

Security Alliance regards security firm FireEye’s analysis that tied APT28 to the Russian government as based “largely on circumstantial evidence.” FireEye’s report “explicitly disregards targets that do not seem to indicate sponsorship by a nation-state,” having excluded various targets because they are “not particularly indicative of a specific sponsor’s interests.” [5] FireEye reported that the APT28 “victim set is narrow,” which helped lead it to the conclusion that it is a Russian operation. Cybersecurity consultant Jeffrey Carr reacts with scorn: “The victim set is narrow because the report’s authors make it narrow! In fact, it wasn’t narrowly targeted at all if you take into account the targets mentioned by other cybersecurity companies, not to mention those that FireEye deliberately excluded for being ‘not particularly indicative of a specific sponsor’s interests’.” [6]

FireEye’s report from 2014, on which much of the DNC Russian attribution is based, found that 89 percent of the APT28 software samples it analyzed were compiled during regular working hours in St. Petersburg and Moscow. [7]

But compile times, like language settings, can be easily altered to mislead investigators. Mark McArdle wonders, “If we think about the very high level of design, engineering, and testing that would be required for such a sophisticated attack, is it reasonable to assume that the attacker would leave these kinds of breadcrumbs? It’s possible. But it’s also possible that these things can be used to misdirect attention to a different party. Potentially another adversary. Is this evidence the result of sloppiness or a careful misdirection?” [8]

“If the guys are really good,” says Chris Finan, CEO of Manifold Technology, “they’re not leaving much evidence or they’re leaving evidence to throw you off the scent entirely.” [9] How plausible is it that Russian intelligence services would fail even to attempt such a fundamental step?

James Scott of the Institute for Critical Infrastructure Technology points out that the very vulnerability of the DNC servers constitutes a muddied basis on which determine attribution. “Attribution is less exact in the case of the DNC breach because the mail servers compromised were not well-secured; the organization of a few hundred personnel did not practice proper cyber-hygiene; the DNC has a global reputation and is a valuable target to script kiddies, hacktivists, lone-wolf cyber-threat actors, cyber-criminals, cyber-jihadists, hail-mary threats, and nation-state sponsored advanced persistent threats; and because the malware discovered on DNC systems were well-known, publicly disclosed, and variants could be purchased on Deep Web markets and forums.” [10]

Someone, or some group, operating under the pseudonym of Guccifer 2.0, claimed to be a lone actor in hacking the DNC servers. It is unclear what relation – if any – Guccifer 2.0 has to either of the two APT attacks on the DNC. In a PDF file that Guccifer 2.0 sent to Gawker.com, metadata indicated that it was it was last saved by someone having a username in Cyrillic letters. During the conversion of the file from Microsoft Word to PDF, invalid hyperlink error messages were automatically generated in the Russian language. [11]

This would seem to present rather damning evidence. But who is Guccifer 2.0? A Russian government operation? A private group? Or a lone hacktivist? In the poorly secured DNC system, there were almost certainly many infiltrators of various stripes. Nor can it be ruled out that the metadata indicators were intentionally generated in the file to misdirect attribution. The two APT attacks have been noted for their sophistication, and these mistakes – if that is what they are – seem amateurish. To change the language setting on a computer can be done in a matter of seconds, and that would be standard procedure for advanced cyber-warriors. On the other hand, sloppiness on the part of developers is not entirely unknown. However, one would expect a nation-state to enforce strict software and document handling procedures and implement rigorous review processes.

At any rate, the documents posted to the Guccifer 2.0 blog do not necessarily originate from the same source as those published by WikiLeaks. Certainly, none of the documents posted to WikiLeaks possess the same metadata issues. And one hacking operation does not preclude another, let alone an insider leak.

APT28 relied on XTunnel, repurposed from open source code that is available to anyone, to open network ports and siphon data. The interesting thing about the software is its failure to match the level of sophistication claimed for APT28. The strings in the code quite transparently indicate its intent, with no attempt at obfuscation. [12] It seems an odd oversight for a nation-state operation, in which plausible deniability would be essential, to overlook that glaring point during software development.

Command-and-control servers remotely issue malicious commands to infected machines. Oddly, for such a key component of the operation, the command-and-control IP address in both attacks was hard-coded in the malware. This seems like another inexplicable choice, given that the point of an advanced persistent threat is to operate for an extended period without detection. A more suitable approach would be to use a Domain Name System (DNS) address, which is a decentralized computer naming system. That would provide a more covert means of identifying the command-and-control server. [13] Moreover, one would expect that address to be encrypted. Using a DNS address would also allow the command-and-control operation to easily move to another server if its location is detected, without the need to modify and reinstall the code.

One of the IP addresses is claimed to be a “well-known APT 28” command-and-control address, while the second is said to be linked to Russian military intelligence. [14] The first address points to a server located in San Jose, California, and is operated by a server hosting service. [15] The second server is situated in Paris, France, and owned by another server hosting service. [16] Clearly, these are servers that have been compromised by hackers. It is customary for hackers to route their attacks through vulnerable computers. The IP addresses of compromised computers are widely available on the Deep Web, and typically a hacked server will be used by multiple threat actors. These two particular servers may or may not have been regularly utilized by Russian Intelligence, but they were not uniquely so used. Almost certainly, many other hackers would have used the same machines, and it cannot be said that these IP addresses uniquely identify an infiltrator. Indeed, the second IP address is associated with the common Trojan viruses Agent-APPR and Shunnael. [17]

“Everyone is focused on attribution, but we may be missing the bigger truth,” says Joshua Croman, Director of the Cyber Statecraft Initiative at the Atlantic Council. “[T]he level of sophistication required to do this hack was so low that nearly anyone could do it.” [18]

In answer to critics, the Department of Homeland Security and the FBI issued a joint analysis report, which presented “technical details regarding the tools and infrastructure used” by Russian intelligence services “to compromise and exploit networks” associated with the U.S. election, U.S. government, political, and private sector entities. The report code-named these activities “Grizzly Steppe.” [19]

For a document that purports to offer strong evidence on behalf of U.S. government allegations of Russian culpability, it is striking how weak and sloppy the content is. Included in the report is a list of every threat group ever said to be associated with the Russian government, most of which are unrelated to the DNC hack. It appears that various governmental organizations were asked to send a list of Russian threats, and then an official lacking IT background compiled that information for the report, and the result is a mishmash of threat groups, software, and techniques. “PowerShell backdoor,” for instance, is a method used by many hackers, and in no way describes a Russian operation.

Indeed, one must take the list on faith, because nowhere in the document is any evidence provided to back up the claim of a Russian connection. Indeed, as the majority of items on the list are unrelated to the DNC hack, one wonders what the point is. But it bears repeating: even where software can be traced to Russian origination, it does not necessarily indicate exclusive usage. Jeffrey Carr explains: “Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone.” Carr quotes security firm ESET in regard to the Sednit group, one of the items on the report’s list, and which is another name for APT28: “As security researchers, what we call ‘the Sednit group’ is merely a set of software and the related infrastructure, which we can hardly correlate with any specific organization.” Carr points out that X-Agent software, which is said to have been utilized in the DNC hack, was easily obtained by ESET for analysis. “If ESET could do it, so can others. It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will.” [20]

The salient impression given by the government’s report is how devoid of evidence it is. For that matter, the majority of the content is taken up by what security specialist John Hinderaker describes as “pedestrian advice to IT professionals about computer security.” As for the report’s indicators of compromise (IoC), Hinderaker characterizes these as “tools that are freely available and IP addresses that are used by hackers around the world.” [21]

In conjunction with the report, the FBI and Department of Homeland Security provided a list of IP addresses it identified with Russian intelligence services. [22] Wordfence analyzed the IP addresses as well as a PHP malware script provided by the Department of Homeland Security. In analyzing the source code, Wordfence discovered that the software used was P.A.S., version 3.1.0. It then found that the website that manufactures the malware had a site country code indicating that it is Ukrainian. The current version of the P.A.S. software is 4.1.1, which is much newer than that used in the DNC hack, and the latest version has changed “quite substantially.” Wordfence notes that not only is the software “commonly available,” but also that it would be reasonable to expect “Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.” To put it plainly, Wordfence concludes that the malware sample “has no apparent relationship with Russian intelligence.” [23]

Wordfence also analyzed the government’s list of 876 IP addresses included as indicators of compromise. The sites are widely dispersed geographically, and of those with a known location, the United States has the largest number. A large number of the IP addresses belong to low-cost server hosting companies. “A common pattern that we see in the industry,” Wordfence states, “is that accounts at these hosts are compromised and those hacked sites are used to launch attacks around the web.” Fifteen percent of the IP addresses are currently Tor exit nodes. “These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.” [24]

If one also takes into account the IP addresses that not only point to current Tor exits, but also those that once belonged to Tor exit nodes, then these comprise 42 percent of the government’s list. [25] “The fact that so many of the IPs are Tor addresses reveals the true sloppiness of the report,” concludes network security specialist Jerry Gamblin. [26]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

The indicators of compromise, in Graham’s assessment, were “published as a political tool, to prove they have evidence pointing to Russia.” As for the P.A.S. web shell, it is “used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world.” Relying on the government’s sample for attribution is problematic: “Just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.” A web shell “is one of the most common things hackers use once they’ve broken into a server,” Graham observes. [28]

Although cybersecurity analyst Robert M. Lee is inclined to accept the government’s position on the DNC hack, he feels the joint analysis report “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.” The report’s list “detracts from the confidence because of the interweaving of unrelated data.” The information presented is not sourced, he adds. “It’s a random collection of information and in that way, is mostly useless.” Indeed, the indicators of compromise have “a high rate of false positives for defenders that use them.” [29]

Among the government’s list of Russian actors are Energetic Bear and Crouching Yeti, two names for the same threat group. In its analysis, Kaspersky Lab found that most of the group’s victims “fall into the industrial/machinery building sector,” and it is “not currently possible to determine the country of origin.” Although listed in the government’s report, it is not suggested that the group played a part in the DNC hack. But it does serve as an example of the uncertainty surrounding government claims about Russian hacking operations in general. [30]

CosmicDuke is one of the software packages listed as tied to Russia. SecureList, however, finds that unlike the software’s predecessor, CosmicDuke targets those who traffic in “controlled substances, such as steroids and hormones.” One possibility is that CosmicDuke is used by law enforcement agencies, while another possibility “is that it’s simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.” In either case, whether or not the software is utilized by the Russian government, there is a broader base for its use. [31]

The intent of the joint analysis report was to provide evidence of Russian state responsibility for the DNC hack. But nowhere does it do so. Mere assertions are meant to persuade. How much evidence does the government have? The Democratic Party claims that the FBI never requested access to DNC servers. [32] The FBI, for its part, says it made “multiple requests” for access to the DNC servers and was repeatedly turned down. [33] Either way, it is a remarkable admission. In a case like this, the FBI would typically conduct its own investigation. Was the DNC afraid the FBI might come to a different conclusion than the DNC-hired security firm Crowdstrike? The FBI was left to rely on whatever evidence Crowdstrike chose to supply. During its analysis of DNC servers, Crowdstrike reports that it found evidence of APT28 and APT29 intrusions within two hours. Did it stop there, satisfied with what it had found? Or did it continue to explore whether additional intrusions by other actors had taken place?

In an attempt to further inflame the hysteria generated from accusations of Russian hacking, the Office of the Director of National Intelligence published a declassified version of a document briefed to U.S. officials. The information was supplied by the CIA, FBI, and National Security Agency, and was meant to cement the government’s case. Not surprisingly, the report received a warm welcome in the mainstream media, but what is notable is that it offers not a single piece of evidence to support its claim of “high confidence” in assessing that Russia hacked the DNC and released documents to WikiLeaks. Instead, the bulk of the report is an unhinged diatribe against Russian-owned RT media. The content is rife with inaccuracies and absurdities. Among the heinous actions RT is accused of are having run “anti-fracking programming, highlighting environmental issues and the impacts on health issues,” airing a documentary on Occupy Wall Street, and hosting third-party candidates during the 2012 election.[34]

The report would be laughable, were it not for the fact that it is being played up for propaganda effect, bypassing logic and appealing directly to unexamined emotion. The 2016 election should have been a wake-up call for the Democratic Party. Instead, predictably enough, no self-examination has taken place, as the party doubles down on the neoliberal policies that have impoverished tens of millions, and backing military interventions that have sown so much death and chaos. Instead of thoughtful analysis, the party is lashing out and blaming Russia for its loss to an opponent that even a merely weak candidate would have beaten handily.

Mainstream media start with the premise that the Russian government was responsible, despite a lack of convincing evidence. They then leap to the fallacious conclusion that because Russia hacked the DNC, only it could have leaked the documents.

So, did the Russian government hack the DNC and feed documents to WikiLeaks? There are really two questions here: who hacked the DNC, and who released the DNC documents? These are not necessarily the same. An earlier intrusion into German parliament servers was blamed on the Russians, yet the release of documents to WikiLeaks is thought to have originated from an insider. [35] Had the Russians hacked into the DNC, it may have been to gather intelligence, while another actor released the documents. But it is far from certain that Russian intelligence services had anything to do with the intrusions. Julian Assange says that he did not receive the DNC documents from a nation-state. It has been pointed out that Russia could have used a third party to pass along the material. Fair enough, but former UK diplomat Craig Murray asserts: “I know who the source is… It’s from a Washington insider. It’s not from Russia.” [36]

There are too many inconsistencies and holes in the official story. In all likelihood, there were multiple intrusions into DNC servers, not all of which have been identified. The public ought to be wary of quick claims of attribution. It requires a long and involved process to arrive at a plausible identification, and in many cases the source can never be determined. As Jeffrey Carr explains, “It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method. Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.” [37]

Russia-bashing is in full swing, and there does not appear to be any letup in sight. We are plunging headlong into a new Cold War, riding on a wave of propaganda-induced hysteria. The self-serving claims fueling this campaign need to be challenged every step of the way. Surrendering to evidence-free emotional appeals would only serve those who arrogantly advocate confrontation and geopolitical domination.

Notes.

[1] Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike blog, June 15, 2016.

[2] Josh Pitts, “Repurposing OnionDuke: A Single Case Study Around Reusing Nation-state Malware,” Black Hat, July 21, 2015.

[3] Udi Shamir, “The Case of Gyges, the Invisible Malware,” SentinelOne, July 2014.

[4] Mark McArdle, “’Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[5] “The Usual Suspects: Faith-Based Attribution and its Effects on the Security Community,” October 21, 2016.

[6] Jeffrey Carr, “The DNC Breach and the Hijacking of Common Sense,” June 20, 2016.

[7] “APT28: A Window into Russia’s Cyber Espionage Operations?” FireEye, October 27, 2014.

[8] Mark McArdle, “’Whodunnit?’ Why the Attribution of Hacks like the Recent DNC Hack is so Difficult,” Esentire, July 28, 2016.

[9] Patrick Howell O’Neill, “Obama’s Former Cybersecurity Advisor Says Only ‘Idiots’ Want to Hack Russia Back for DNC Breach,” The Daily Dot, July 29, 2016.

[10] Janes Scott, Sr., “It’s the Russians! … or is it? Cold War Rhetoric in the Digital Age,” ICIT, December 13, 2016.

[11] Sam Biddle and Gabrielle Bluestone, “This Looks like the DNC’s Hacked Trump Oppo File,” Gawker, June 15, 2016.

Dan Goodin, “’Guccifer’ Leak of DNC Trump Research Has a Russian’s Fingerprints on It,” Ars Technica, June 16, 2016.

[12] Pat Belcher, “Tunnel of Gov: DNC Hack and the Russian XTunnel,” Invincea, July 28, 2016.

[13] Seth Bromberger, “DNS as a Covert Channel within Protected Networks,” National Electric Sector Cyber Security Organization, January 25, 2011.

[14] Thomas Rid, “All Signs Point to Russia Being Behind the DNC Hack,” Motherboard, July 25, 2016.

[15] https://www.threatminer.org/host.php?q=45.32.129.185

[16] https://www.threatminer.org/host.php?q=176.31.112.10

[17] https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-APPR/detailed-analysis.aspx

https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-062518-5557-99

[18] Paul, “Security Pros Pan US Government Report on Russian Hacking,” The Security Ledger, December 30, 2016.

[19] “Grizzly Steppe – Russian Malicious Cyber Activity,” JAR-16-20296, National Cybersecurity & Communications Integration Center, Federal Bureau of Investigation, December 29, 2016.

[20] Jeffrey Carr, “FBI/DHS Joint Analysis Report: A Fatally Flawed Effort,” Jeffrey Carr/Medium, December 30, 2016.

[21] John Hinderaker, “Is “Grizzly Steppe’ Really a Russian Operation?” Powerline, December 31, 2016.

[22] https://www.us-cert.gov/sites/default/files/publications/JAR-16-20296A.csv

[23] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[24] Mark Maunder, “US Govt Data Shows Russia Used Outdated Ukrainian PHP Malware,” Wordfence, December 30, 2016.

[25] Micah Lee, “The U.S. Government Thinks Thousands of Russian Hackers May be Reading my Blog. They Aren’t,” The Intercept, January 4, 2017.

[26] Jerry Gamblin, “Grizzly Steppe: Here’s My IP and Hash Analysis,” A New Domain, January 2, 2017.

[27] Robert Graham, “Dear Obama, from Infosec,” Errata Security, January 3, 2017.

[28] Robert Graham, “Some Notes on IoCs,” Errata Security, December 29, 2016.

[29] Robert M. Lee, “Critiques of the DHS/FBI’s Grizzly Steppe Report,” Robert M. Lee blog, December 30, 2016.

[30] “Energetic Bear – Crouching Yeti,” Kaspersky Lab Global Research and Analysis Team, July 31, 2014.

[31] “Miniduke is back: Nemesis Gemina and the Botgen Studio,” Securelist, July 3, 2014.

[32] Ali Watkins, “The FBI Never Asked for Access to Hacked Computer Servers,” Buzzfeed, January 4, 2017.

[33] “James Comey: DNC Denied FBI Direct Access to Servers During Russia Hacking Probe,” Washington Times, January 10, 2017.

[34] “Assessing Russian Activities and Intentions in Recent Activities and Intentions in Recent US Elections,” Office of the Director of National Intelligence, January 6, 2017.

[35] “Quelle für Enthüllungen im Bundestag Vermutet,” Frankfurter Allgemeine Zeitung, December 17, 2016.

[36] RT broadcast, January 7, 2017. https://www.youtube.com/watch?v=w3DvaVrRweY

[37] Jeffrey Carr, “Faith-based Attribution,” Jeffrey Carr/Medium, July 10, 2016.

Join the debate on Facebook
Gregory Elich is on the Board of Directors of the Jasenovac Research Institute and the Advisory Board of the Korea Policy Institute. He a member of the Solidarity Committee for Democracy and Peace in Korea, a columnist for Voice of the People, and one of the co-authors of Killing Democracy: CIA and Pentagon Operations in the Post-Soviet Period, published in the Russian language. He is also a member of the Task Force to Stop THAAD in Korea and Militarism in Asia and the Pacific. His website is https://gregoryelich.org

JANUARY 13, 2017
by GREGORY ELICH

Find this story at 13 January 2017
Copyright © CounterPunch

Van nieuwsblog.burojansen.nl

THERE ARE SOME good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy.

There’s a lot of evidence from the attack on the table, mostly detailing how the hack was perpetrated, and possibly the language of the perpetrators. It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.

We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, which contracted its services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime. If we’re going to blame the Russian government for disrupting our presidential election — easily construed as an act of war — we need to be damn sure of every single shred of evidence. Guesswork and assumption could be disastrous.

The gist of the Case Against Russia goes like this: The person or people who infiltrated the DNC’s email system and the account of John Podesta left behind clues of varying technical specificity indicating they have some connection to Russia, or at least speak Russian. Guccifer 2.0, the entity that originally distributed hacked materials from the Democratic party, is a deeply suspicious figure who has made statements and decisions that indicate some Russian connection. The website DCLeaks, which began publishing a great number of DNC emails, has some apparent ties to Guccifer and possibly Russia. And then there’s WikiLeaks, which after a long, sad slide into paranoia, conspiracy theorizing, and general internet toxicity has made no attempt to mask its affection for Vladimir Putin and its crazed contempt for Hillary Clinton. (Julian Assange has been stuck indoors for a very, very long time.) If you look at all of this and sort of squint, it looks quite strong indeed, an insurmountable heap of circumstantial evidence too great in volume to dismiss as just circumstantial or mere coincidence.

But look more closely at the above and you can’t help but notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this. The question, then, is this: Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?

What We Know

So far, all of the evidence pointing to Russia’s involvement in the Democratic hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms (like CrowdStrike or FireEye) who sell cyber-defense services to other companies, or independent researchers, some with university affiliations and serious credentials, and some who are basically just Guys on Twitter. Although some of these private firms groups had proprietary access to DNC computers or files from them, much of the evidence has been drawn from publicly available data like the hacked emails and documents.

Some of the malware found on DNC computers is believed to be the same as that used by two hacking groups believed to be Russian intelligence units, codenamed APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry researchers who track them.

The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with APT 28/Fancy Bear.
Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.
Metadata in a file leaked by “Guccifer 2.0″ shows it was modified by a user called, in cyrillic, “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained cyrillic metadata indicating it had been edited on a document with Russian language settings.
Peculiarities in a conversation with “Guccifer 2.0″ that Motherboard published in June suggests he is not Romanian, as he originally claimed.
The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees.
Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider.
A bit.ly link believed to have been used by APT 28/Fancy Bear in the past was also used against Podesta.
Why That Isn’t Enough

Viewed as a whole, the above evidence looks strong, and maybe even damning. But view each piece on its own, and it’s hard to feel impressed.

For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.” But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet. We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.

Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:

Their tradecraft is superb, operational security second to none and the extensive usage of “living-off-the-land” techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and “access management” tradecraft — both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.

Compare that description to CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists? Would these groups really be dumb enough to leave cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught because they precisely didn’t make sure not to use IP addresses they’d been associated before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.

But how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.” Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. … Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.

Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun. FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”

As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report on APT 28 is questionable from the start:

To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.

Truly, the argument that “Guccifer 2.0″ is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.

Security researcher Claudio Guarnieri put it this way:

[Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).

Finally, one can’t be reminded enough that all of this evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. Coli.

What Does the Government Know?

In October, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement blaming the Russian government for hacking the DNC. In it, they state their attribution plainly:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

What’s missing is any evidence at all. If this federal confidence is based on evidence that’s being withheld from the public for any reason, that’s one thing — secrecy is their game. But if the U.S. Intelligence Community is asking the American electorate to believe them, to accept as true their claim that our most important civic institution was compromised by a longtime geopolitical nemesis, we need them to show us why.

The same goes for the CIA, which is now squaring off directly against Trump, claiming (through leaks to the Washington Post and New York Times) that the Russian government conducted the hacks for the express purpose of helping defeat Clinton. Days later, Senator John McCain agreed with the assessment, deeming it “another form of warfare.” Again, it’s completely possible (and probable, really) that the CIA possesses hard evidence that could establish Russian attribution — it’s their job to have such evidence, and often to keep it secret.

But what we’re presented with isn’t just the idea that these hacks happened, and that someone is responsible, and, well, I guess it’s just a shame. Our lawmakers and intelligence agencies are asking us to react to an attack that is almost military in nature — this is, we’re being told, “warfare.” When a foreign government conducts (or supports) an act of warfare against another country, it’s entirely possible that there will be an equal response. What we’re looking at now is the distinct possibility that the United States will consider military retaliation (digital or otherwise) against Russia, based on nothing but private sector consultants and secret intelligence agency notes. If you care about the country enough to be angry at the prospect of election-meddling, you should be terrified of the prospect of military tensions with Russia based on hidden evidence. You need not look too far back in recent history to find an example of when wrongly blaming a foreign government for sponsoring an attack on the U.S. has tremendously backfired.

We Need the Real Evidence, Right Now

It must be stated plainly: The U.S. intelligence community must make its evidence against Russia public if they want us to believe their claims. The integrity of our presidential elections is vital to the country’s survival; blind trust in the CIA is not. A governmental disclosure like this is also not entirely without precedent: In 2014, the Department of Justice produced a 56-page indictment detailing their exact evidence against a team of Chinese hackers working for the People’s Liberation Army, accused of stealing American trade secrets; each member was accused by name. The 2014 trade secret theft was a crime of much lower magnitude than election meddling, but what the DOJ furnished is what we should demand today from our country’s spies.

If the CIA does show its hand, we should demand to see the evidence that matters (which, according to Edward Snowden, the government probably has, if it exists). I asked Jeffrey Carr what he would consider undeniable evidence of Russian governmental involvement: “Captured communications between a Russian government employee and the hackers,” adding that attribution “should solely be handled by government agencies because they have the legal authorization to do what it takes to get hard evidence.”

Claudio Guarnieri concurred:

All in all, technical circumstantial attribution is acceptable only so far as it is to explain an attack. It most definitely isn’t for the political repercussions that we’re observing now. For that, only documental evidence that is verifiable or intercepts of Russian officials would be convincing enough, I suspect.

Given that the U.S. routinely attempts to intercept the communications of heads of state around the world, it’s not impossible that the CIA or the NSA has exactly this kind of proof. Granted, these intelligence agencies will be loath to reveal any evidence that could compromise the method they used to gather it. But in times of extraordinary risk, with two enormous military powers placed in direct conflict over national sovereignty, we need an extraordinary disclosure. The stakes are simply too high to take anyone’s word for it.

Sam Biddle
December 14 2016, 5:30 p.m.

Find this story at 14 December 2016

Copyright https://theintercept.com/

Van nieuwsblog.burojansen.nl

On the May 13, 2016, Lebanese people were surprised when the Hezbollah’s leading man Hassan Nasrallah was seen mourning the death of his most senior militia commander Mustafa Badreddine.

No sooner did the news of Badreddine demise in Syria broke out, the Lebanese media adopted the story perpetuated by Hezbollah on the circumstances surrounding his death. Still, a few days later, questions began to rise about the credibility of Hezbollah’s version of events.

After investigations into the story, evidence proved that Badreddine did not die fighting in the battlefields of Syria as claimed, but rather, the Hezbollah militia commander was assassinated. And the person responsible for his assassination was none other but his revered leader and friend, Hassan Nasrallah.

Events leading up to May 12
In 2013, Hezbollah was summoned to fight in Syria and Nasrallah commissioned Badreddine to lead the factions there alongside Iran’s Qassem Soleimani who led Quds Force, a branch of Iran’s Revolutionary Guard Corps (IRGC).

Soleimani ignored Badreddine’s great experience and aspired to lead the entire battle all by himself. While Badreddine took one risk after the other in the battlefields, leading his soldiers to victories and assuming full responsibility for the losses, he discovered that Soleimani was favoring the lives of the revolutionary guards over those of Hezbollah. The former asked the latter to lead his soldiers himself and take full responsibility over his army.

Both Hassan Nasrallah and Qassem Soleimani are said to have a hand behind Mustafa Badreddine mysterious death.

While Badreddine was fighting with his army in Syria, he was tried in absentia at the International Tribunal in the case of the assassination Rafiq Hariri, former Prime Minister of Lebanon in 2005. Nasrallah has been under a huge pressure from Soleimani, who requested the removal of Badreddine from the battlefield. Consequently, it appears that he had schemed to get rid of the commander.

The question then begs: What really happened on the evening of May 12, 2016? How did Soleimani and Nasrallah arrange the assassination of Mustafa Badreddine? And what really happened near the Damascus International Airport on the night between the May 12-13, 2016?

Aftermath
On May 14, 2016, less than two days after the operation, Al-Akhbar newspaper published the results of the investigation. Badreddine was reported to have arrived to the international airport was reportedly accompanied to the meeting with three other people but was the only one who was killed.

Initial reporting by Al-Mayadeen blamed Israel for the fatal attack, claiming that an Israeli Air Force (IAF) strike successfully targeted Badreddine’s position. But that article was later erased.

The cause of his death was assumed to be a vacuum bomb, while the nearest fighter group was 12 km away from the Damascus airport, which places it in the range of the artillery. Yet, these groups usually used unguided shells for their operations.

However, no gun powder residue found at the scene.

Infographic: Who was Hezbollah’s Mustafa Badreddine?

(Design by: Craig Willers)

Nicholas Blanford, a nonresident senior fellow with the Middle East Peace and Security Initiative, recently wrote an analysis on that point.

“The one claim of responsibility from the rebels came from the Jaysh al-Sunna group which said it had killed Badreddine in Khan Touman in southern Aleppo province. If that were true, why would Hezbollah hide it and make up a story about “takfiris” killing Badreddine much further south in the Damascus airport area?” Blanford asked.

“Also it is unclear what weapon system would be in the hands of rebel groups in the vicinity of Damascus airport that could account for the “large explosion” that Hezbollah said on Friday killed Badreddine. Diplomatic sources in Beirut confirmed that there really was a powerful blast near Damascus airport on Thursday (May 12) even if its origin remains unknown,” Blanford added.

One airport employee recounted the events of the night, saying airport employees were being barred from entering their workplace as the operation was taking place.

“As I was approaching to go to work, I saw a lot of people crowding near the airport. At approximately 10 PM that night we suddenly heard a loud bang and what sounded like fire from three rifles,” the airport employee told Al Arabiya.

“We tried approaching the scene to see what was going on but we were stopped by Hezbollah fighters telling us we weren’t allowed to enter. They did not even allow Syrian senior army officer or the Syrian police from entering the airport,” he said.

Images show the reported site hours before Mustafa Badreddine was killed compared to the same site pictured a day later. (Al Arabiya)

Al Arabiya also obtained images of the site where Mustafa Badreddine was killed which revealed aerial views of the exact scene on May 12 and May 14, both photos showing the site unscathed.

On the same say, the Shiite cleric Abbas Hoteit declared to the south Lebanon website Janoubia that “Badreddine was killed by two treacherous bullets”.

Evidence and eyewitness accounts suggested that four people met at the security building near the Damascus airport that night, one of them being Badreddine himself. The identity of the second person was discovered immediately after the operation on Twitter when a number of people reported they saw Soleimani leaving the site minutes before the operation. The third person was Badreddine’s bodyguard, who could not save his commander’s life.

According to eyewitnesses, the fourth person identified was Ibrahim Hussein Jezzini, a person who Badreddine reportedly trusted the most.

Badreddine’s death was seen as a victory for those affected by his involvement in attacks dating back to the 1980s, reportedly including the deadly suicide truck bombing attack that left over 200 US soldiers dead in Beirut in 1983 as well as the bombings targeting the French and US embassies in Kuwait the same year.

Al Arabiya News ChannelWednesday, 8 March 2017
Find this story at 8 March 2017

Copyright http://english.alarabiya.net

Van nieuwsblog.burojansen.nl

Killing of Mustafa Amine Badreddine last year shows the ‘depth of the internal crisis within Hezbollah,’ Gadi Eisenkot says.

Lt. Gen. Gadi Eisenkot said reports that Mustafa Amine Badreddine was killed by Hezbollah officers are in accordance to “intelligence we have.” The incident “indicates the depth of the internal crisis within Hezbollah,” and “the extent of the cruelty, complexity and tension between Hezbollah and its patron Iran.”
He added that despite Hezbollah’s fighting in Syria providing it with cumulative operational experience, it remains in crisis. “It is an internal crisis over what they are fighting fore, an economic crisis and a leadership crisis,” he asserted. Eisenkot was speaking at an academic conference in Netanya.
Badreddine, one of Hezbollah’s highest ranking military commanders, was killed in Syria in May last year. Initial reports attributed the attack to a covert Israeli operation, but signs suggested otherwise.
Badreddine was said to have assumed the position of his brother-in-law, Hezbollah commander Imad Moughniyeh, who died in a 2008 assassination in Damascus also attributed to Israel. However, some dispute his official status as the group’s military leader, saying he was only in charge of its operations in Syria, as Hezbollah has never publicly named a successor for Moughniyeh, whose son Jihad was also killed in Syria in an attack said to be Israel’s doing.

A U.S. Department of the Treasury statement detailing sanctions against Badreddine had said he was assessed to be responsible for the group’s military operations in Syria since 2011, and he had accompanied Hezbollah leader Sayyed Hassan Nasrallah during strategic coordination meetings with Assad in Damascus.

Eisenkot also hinted at the Israeli army’s recent operational activity, which has generated tension with the Russian regime. He said, “Despite six years of war in Syria, we are managing to maintain a quiet border, and to prevent the growth in power of those who need not be strengthened with advanced weaponry.” He added that the civil war in Syria involves not only risks but also “many opportunities for regional and international cooperation.”
In his remarks, Eisenkot also stressed Iran’s influence on Hezbollah and Hamas. “Iran is waging before us another campaign, a proxy war, and it is present both in Lebanon and in Syria with thousands of Shi’ite militiamen, as well as in Gaza,” he said. The chief of staff contended that the “primary challenge” for the Israel Defense Forces is Hezbollah, which operates both in Lebanon and in Syria.
Mossad chief Yossi Cohen, however, said Iran poses Israel’s foremost threat. Iran did not give up its nuclear ambitions, and it is trying to influence and shape the Middle East, said Cohen, also at the conference.
“As long as the Ayatollah regime exists, Iran will be the primary challenge for the security establishment, with or without the nuclear deal,” he asserted.

Gili Cohen Mar 22, 2017 12:44 PM

Find this story at 22 March 2017
© Haaretz Daily Newspaper Ltd

Van nieuwsblog.burojansen.nl

Israel’s military chief said Tuesday that a top Hezbollah commander who died last year was assassinated by members of his own group, the Iran-backed Lebanese Shiite militia.

Mustafa Badreddine died near the Syrian capital, Damascus, in May 2016, and Hezbollah said that Syrian rebel shelling caused his death.

But recent Arab media reports have alleged that Hezbollah wanted rid of Badreddine because of a difference in opinion on how to wage the military campaign in support of President Bashar al-Assad in Syria. Hezbollah has deployed thousands of troops to the war-torn country to boost the Syrian dictator’s ranks.

Lieutenant-General Gadi Eisenkot, chief of the Israeli armed forces, said that Israeli intelligence had corroborated reports of Hezbollah assassinating one of its own commanders, but did not elaborate on the circumstances.

“According to [media] reports, he was killed by his superiors, which points to the extent of the cruelty, complexity and tension between Hezbollah and its patron, Iran,” he said during a conference speech in the central Israeli city of Netanya, Israeli newspaper Haaretz reported. “These reports corresponded with the information we have and with our assessment.”

Read more: Another war between Israel and Hezbollah is inevitable

He continued: “It is an internal crisis over what they are fighting for, an economic crisis and a leadership crisis.”

Hezbollah spokesman Mohammed Afif told Reuters the Israeli remarks were “lies that do not deserve comment.”

Both the U.S. and Israel believed 55-year-old Badreddine to be Hezbollah’s military commander in Syria. His brother-in-law Imad Mughniyeh was Hezbollah’s military commander until he was assassinated in a 2008 bomb blast in Damascus, which reports suggested was the work of both Israel’s Mossad and America’s CIA agencies. Israel as a rule does comment on its foreign operations.

The Lebanese militia fought a one-month war with Israel, its primary enemy, in 2006. It centered on the southern Lebanese border with northern Israel, and the Golan Heights, a contested territory that Israel captured from Syria in the 1967 Six-Day War.

Iran, whose leadership routinely calls for Israel’s destruction, continues to support Hezbollah financially and militarily. Israel continues to conduct strikes against Hezbollah in Syria and Lebanon to prevent Iranian arms transfers to the group.

BY JACK MOORE ON 3/21/17 AT 1:51 PM

Find this story at 21 March 2017

Copyright http://www.newsweek.com/

Van nieuwsblog.burojansen.nl

The General Directorate of General Security announced Wednesday that it has arrested two Lebanese men, two Nepalese women and a Palestinian man on charges of “spying for Israeli embassies abroad.”

“During interrogation, the detainees confessed to the charges, admitting that they had called phone numbers belonging to the Israeli enemy’s embassies in Turkey, Jordan, Britain and Nepal with the aim of spying and passing on information,” a General Security statement said.

The investigations revealed that the two aforementioned Nepalese women were actively recruiting Nepalese domestic workers in Lebanon with the aim of spying for Israel.

“They gave them the phone number of the Israeli embassy in Nepal so that they pass on information about their employers to the Mossad Israeli intelligence agency,” the statement added.

“Following interrogation, they were referred to the relevant judicial authorities on charges of collaborating with the Israeli enemy and efforts are underway to arrest the rest of the culprits,” General Security said.

by Naharnet Newsdesk 25 January 2017, 16:04

Find this story at 25 January 2017

Naharnet © 2017

Van nieuwsblog.burojansen.nl

Hezbollah has confirmed its military commander, Mustafa Badreddine, was killed in Syria this week in what it described as a “major explosion” at Damascus airport.

Media reports in Lebanon and Israel quickly suggested the blast had been caused by an Israeli airstrike, a suggestion to which Hezbollah gave weight, announcing it was investigating whether a “missile or artillery strike” had been responsible.

Badreddine was the most senior member of the organisation to have been killed since the death of his predecessor and brother-in-law, Imad Mughniyeh, who was assassinated by a joint Mossad/CIA operation in the Syrian capital in February 2008.

There was no immediate reaction from the Israeli government, which has authorised at least eight air strikes against targets inside Syria since the start of the civil war five years ago. Most had targeted anti-aircraft systems that Israeli officials claimed were being moved to Lebanon, where they could pose a threat against its air force.

Mustafa Amine Badreddine, in an undated handout picture released at the Special Tribunal for Lebanon website.
Facebook Twitter Pinterest
Mustafa Amine Badreddine, in an undated handout picture released at the Special Tribunal for Lebanon website.
Announcing Badreddine’s death, Hezbollah said: “He said months ago that he would not return from Syria except as a martyr or carrying the flag of victory. He is the great jihadi leader Mustafa Badreddine, and he has returned today a martyr.”

The statement added: “The information gleaned from the initial investigation is that a major explosion targeted one of our centres near Damascus International airport, which led to the martyrdom of Sayyid Zul Fikar [his nom de guerre] and the injuries of others.

“The investigation will work to determine the nature of the explosion and its causes, whether it was due to an air or missile or artillery strike, and we will announce the results of the investigation soon.”

Nicknamed Zul Fikar, after the sword of Imam Ali, the Prophet Muhammad’s cousin and one of the most revered figures in Shia Islam, Badreddine was born in 1961 in the southern Beirut suburb of Ghobeiry, and rose to greater prominence after Mughniyeh’s assassination.

He was sentenced to death in Kuwait in the 1980s over a plot to blow up the American and French embassies there during the Iran-Iraq war, but later escaped after Saddam Hussein’s army invaded the oil-rich emirate and threw open its prisons.

Hezbollah said he had been involved in nearly all the group’s operations since its inception in the early 1980s. Most had targeted Israel, which occupied southern Lebanon from 1982 to 2000. However, Badreddine had also been accused of leading a cell that was allegedly responsible for the assassination of former Lebanese prime minister Rafiq Hariri on the Beirut waterfront in February 2005.

He was indicted in 2011 by the special tribunal for Lebanon, an international court established in the Hague, in connection with the massive 2005 bombing, which led Syrian leader Bashar al-Assad to withdraw his forces from Lebanon in the face of a civic uprising.

Badreddine and four other alleged members of Hezbollah remain on trial in absentia at the Hague. Prosecutors have offered one of the few publicly available glimpses of the shadowy Hezbollah operative, describing him as the “apex” of the cell that allegedly killed Hariri, and a figure akin to an “untraceable ghost” who assumed multiple identities.

‘Nobody wants to stay in Lebanon. It’s a miserable life’
Read more
He was known to have studied at a Lebanese university and to have maintained an apartment in the Lebanese seaside area of Jounieh. He was also active in the south Beirut suburb of Dahiyeh, where he was last seen early last year at a wake for Jihad Mughniyeh, the son of Imad Mughniyeh, who was also killed by an Israeli airstrike.

While holding senior positions throughout his career, Badreddine was most known for his role in leading Hezbollah’s large contingent in Syria, which it sent to defend the interest of the Assad regime as his grip on power weakened in 2012. Hezbollah has since lost an estimated 900 members in fighting across Syria, where along with Iran, it has taken the lead in directing numerous battles.

Israel has refused to comment on airstrikes it has previously launched inside Syria. However, unnamed officials have said the strikes had targeted anti-aircraft systems that were allegedly being transferred to Hezbollah. It had also targeted a Hezbollah leader, Samir Kuntar, who had been jailed inside Israel for more than 30 years until his release in 2008.

Despite Israeli protests, Russia has recently proceeded with a long-delayed sale to Iran of the advanced S-300 weapons system, which can shoot down most modern fighter jets. Israeli officials have said they would prioritise tracking the whereabouts of the systems, the position of which in southern Lebanon would pose a potent threat to their air force.

The US treasury department sanctioned Badreddine in 2012 for his activities in support of the government of Assad in Syria, along with the group’s leader, Hassan Nasrallah, and its head of external operations, Talal Hamiyah.

Hezbollah said it would hold funeral services on Friday in honour of Badreddine. In south Beirut, posters of Badreddine, whose image had rarely been published, were being hung from overpasses and lamp-posts.

Tens of thousands of mourners are expected to pay their respects at a shrine site for Hezbollah dead, which includes the graves of Imad and Jihad Mughniyah. Nasrallah is also expected to make a public statement – his second within a week.

Martin Chulov and Kareem Shaheen in Beirut
Friday 13 May 2016 04.00 BST First published on Friday 13 May 2016 03.32 BST

Find this story at 13 May 2016

© 2017 Guardian News and Media Limited