The Times continues its coverage of the SolarWinds breach, and adds a detail that explains why the Russians continue to eat our lunch:
Employees say that under [SolarWinds CEO Kevin] Thompson, an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense. His approach helped almost triple SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.
But some of those measures may have put the company and its customers at greater risk for attack. SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.
So many things went wrong in this case that singling out one CEO for taking profits over security may seem myopic. But the SVR must love the poetry of it: a greedy American CEO tries to increase his paycheck by hiring engineers easy for them to compromise, leading to the largest network intrusion in history.
I want to see Congress investigate this, and I want to see Thompson reduced to penury for his greed. Not that anything will change; until we have rational regulation of software security—hell, until we have any regulation of software security—criminals and our adversaries will keep exploiting companies like SolarWinds.
You have to admire Vladimir Putin's sense of humor. For five years, he's manipulated our STBXPOTUS into doing just about everything Russia could have wanted. Now that our STBXPOTUS has become STBX, Putin doesn't need him anymore. So why not come clean?
He did just that at his year-end press conference last Thursday:
Steve Rosenberg, BBC: Don't you think over the last years you also have borne part of the responsibility for making these relations [with Europe and the West] seem like a cold war...?
Putin: Who withdrew from the missile defense treaties? The INT treaty: who withdrew? It wasn't us but it was the US. ... You do realize that we are smart people, we are not idiots.
Here's the whole clip. The part in question starts at 44:17.
It really warms the heart that our STBXPOTUS never got to the level of artistry and malice Putin can exhibit so casually. He calls our president an idiot, with good evidence to support the insult, while lying on a scale the target of the insult can scarcely fathom.
Also, I love that the French spell his name "Poutine." But that's just an accident of the French language.
FireEye, a cybersecurity firm, revealed last week that unknown parties had penetrated its network and that its clients, including the US Government, were at risk. Bruce Schneier has technical details about the attack. Former Homeland Security Adviser Thomas Bossert lays out the scope of it:
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The magnitude of this ongoing attack is hard to overstate.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.
Now, if only we had an administration that believed its experts and a majority party in the Senate that would pass a Defense Reauthorization Bill...
So, did the president know about and fail to act on this intelligence, or did his staff conceal it from him? I don't really care; either answer should disqualify them from continuing to work in the White House:
United States intelligence officers and Special Operations forces in Afghanistan alerted their superiors as early as January to a suspected Russian plot to pay bounties to the Taliban to kill American troops in Afghanistan, according to officials briefed on the matter.
The crucial information that led the spies and commandos to focus on the bounties included the recovery of a large amount of American cash from a raid on a Taliban outpost that prompted suspicions. Interrogations of captured militants and criminals played a central role in making the intelligence community confident in its assessment that the Russians had offered and paid bounties in 2019, another official has said.
The emerging details added to the picture of the classified intelligence assessment, which The New York Times reported on Friday was briefed to President Trump and discussed by the White House’s National Security Council at an interagency meeting in late March. The Trump administration had yet to act against the Russians, the officials said.
Mr. Trump defended himself on Sunday by denying that he had been briefed on the intelligence, expanding on a similar White House rebuttal a day earlier, as leading congressional Democrats and even some Republicans demanded a response to Russia that the administration had yet to authorize.
Read that last graf again: the president responded not by demanding Russia stop the practice, not by sending his flaccid Secretary of State to excoriate Putin in person, not by doing anything that a normal person would do in this situation. No, the president flatly lied that he just didn't know about the contents of his daily intelligence brief. I guess he didn't want to risk offending his KGB case officer.
Remember back in 2015 and 2016 when we worried a lot about Russia's influence over Trump? This is not something I wanted to be correct about, but the evidence is pretty damning.
People who don't study history tend not to understand why our foreign allies and adversaries behave the ways they do. Case in point: the Soviet Union, of which the largest part lives on as the Russian Federation, ended in part because we forced them to spend down their economy just to keep up with us. They might still hate us a little for that.
One man who helped this effort, Gus Weiss, hit on the idea of sabotaging the technology that Soviet spies bought or stole from American and other Western companies. Via Bruce Schneier, Wired has a long-form description of Weiss and his plan:
This plan to feed defective technology, which Weiss says carried the operation designation “Kudo,” existed as part of a larger government mobilization in response to the Farewell intelligence across the national security community. “It was a multilayered operation,” Galahad told me. According to Galahad, Weiss didn’t hold any formal leadership role in this effort; instead, “Gus did his work through his own contacts. He was a White House guy. He could get people to pay attention to his ideas. He had friends in the computer business. He had Casey’s ear.”
Galahad told me that Weiss zeroed in on the Soviet industrial sector; he wanted to gut punch the Soviet economy. Galahad recalled that Weiss was friendly with the analysts in the CIA’s Office of Soviet Research. “Let’s say the Italians were building a tractor factory for the Russians in the Ukraine—the guys in OSR would have had access to those blueprints. Gus shared his ideas and recommendations based on that intelligence to his friends at the DoD.”
Meanwhile, the government worked with private sector software companies to create doctored industrial products. They were then made available to the patent clerks and engineers in American technology and arms companies who’d been recruited by the KGB.
High up on the Soviet tech shopping list was software to regulate the pressure gauges and valves for the critical Siberian gas pipeline. According to Tim Weiner’s Legacy of Ashes, the Soviets sought the software on the open market. American export controls prohibited its sale from the US. However, a small industrial software company located in Calgary called Cov-Can produced what the Soviets wanted. As Weiner writes, “The Soviets sent a Line X officer to steal the software. The CIA and the Canadians conspired to let them have it.”
The faulty software “weaved” its way through Soviet quality control. The pipeline software ran swimmingly for months, but then pressure in the pipeline gradually mounted. And one day—the date remains unclear, though most put it in June 1982—the software went haywire, the pressure soaring out of control. The pipeline ruptured, igniting a blast in the wilds of Siberia so massive that, according to Thomas C. Reed’s At the Abyss, “at the White House, we received warning from our infrared satellites of some bizarre event out in the middle of Soviet nowhere. NORAD feared a missile liftoff from a place where no rockets were known to be based. Or perhaps it was the detonation of a nuclear device. The Air Force chief of intelligence rated it at three kilotons.”
I wonder if Presidents Putin and Trump discussed this history during any of their recent unrecorded conversations?
Don Von Drehle argues that Vladimir Putin succeeds by weakening the West, regardless of the short-term consequences to Russia:
It’s ironic that Americans of all political stripes have contributed to Putin’s success — by failing to understand what he wants and why he wants it. His goals are not the goals of the former Soviet Union (though he has described the collapse of the U.S.S.R. as a “disaster”). During the Cold War, the Kremlin pursued the spread of communist ideology. Putin is nonideological, according to former U.S. ambassador to Russia Michael McFaul, now of Stanford University and a Post contributing columnist. “I see him as impulsive, emotional, opportunistic. Putin sees himself as the last great nationalist, anti-globalist leader.”
A unified United States, pursuing a bipartisan, pro-democracy foreign policy is Putin’s biggest fear. So, he has taken the risk of creating an operation specifically to sow discord through social media. Putin’s computer hackers look for any internal divisions and tensions that tend to erode American unity or discredit American leadership. Though he clearly favored Trump over Hillary Clinton in 2016, Putin doesn’t generally favor one point of view over another; he supports whichever candidates are most divisive and amplifies whatever arguments are most bitter. Whoever is freaking out on Facebook or Twitter is a potential ally in his cause. At the State of the Union address, he no doubt enjoyed both the snubbed handshake and the ripped speech.
At the same time, Putin went to work on other vulnerable pieces of the Western alliance. By enabling Syrian dictator Bashar al-Assad’s brutal tactics, he helped to send millions of refugees fleeing to Europe. When xenophobic nationalist movements flared up in reaction, the Russians poured on the gas via social media. Russia’s unseen hand wasn’t the only factor in the European backlash. But now the European Union may be coming apart.
These efforts would have been toxic even if Clinton had made a better case to voters around the Great Lakes and won the election in 2016. But the fact that Putin’s hackers went all-in for Trump, who won the electoral college with just 46 percent of the vote, turned a Russian win into a rout. The election itself became a cause of further division. Russia’s role became a new wedge issue, the doubt that keeps on festering.
I've no doubt the US and Western Europe will survive Putin's passive-aggression. Ultimately, the fundamentals are on our side. But remember, Putin's goal isn't to win, exactly; it's for us to lose. And in that respect he's succeeding.
We typically think of January 1st as the day things happen. But December 31st is often the day things end.
On 31 December 1999, two things ended at nearly the same time: the presidency in Russia of Boris Yeltsin, and the American control of the Panama Canal Zone.
Also twenty years ago, my company gave me a $1,200 bonus ($1,893 in 2019 dollars) and a $600 suite for two nights in midtown Manhattan because I volunteered to spend four hours at our data center on Park Avenue, just so that Management could say someone was at the data center on Park Avenue continuously from 6am on New Year's Eve until 6pm on New Year's Day. Since all of the applications I wrote or had responsibility for were less than two years old, literally nothing happened. Does this count as an anniversary? I suppose not.
And one hundred years ago, 31 December 1919 was the last day anyone could legally buy alcohol in the United States for 13 years, as the Volstead Act took effect at midnight on 1 January 1920.
I'm DD tonight, but I will still raise a glass of Champagne to toast these three events.
The Post reported today that a simple review of phone logs shows how the president and his stooges left themselves open to Russian espionage by using insecure cell phones:
The disclosures provide fresh evidence suggesting that the president continues to defy the security guidance urged by his aides and followed by previous incumbents — a stance that is particularly remarkable given Trump’s attacks on Hillary Clinton in the 2016 presidential campaign for her use of a private email account while serving as secretary of state.
The connection to the Ukraine campaign is also troubling because of how Moscow could exploit knowledge that Trump was secretly engaged in efforts to extract political favors from the government in Kyiv.
Trump and Giuliani have effectively “given the Russians ammunition they can use in an overt fashion, a covert fashion or in the twisting of information,” said John Sipher, former deputy chief of Russia operations at the CIA. Sipher and others said that it is so likely that Russia tracked the calls of Giuliani and others that the Kremlin probably knows more now
“Congress and investigators have call records that suggest certain things but have no means whatsoever of getting the actual text” of what was said, Sipher said. “I guarantee the Russians have the actual information.”
Ordinarily I'd chalk this up to stupidity. But GOP strategist Rick Wilson sees something far darker:
The traitors deliberately ignore the reporting, counsel, and warnings of the intelligence community when it comes to Russia’s attacks and Vladimir Putin’s vast, continuing intelligence and propaganda warfare against the United States.
The traitors — be they United States senators like John Kennedy and Lindsey Graham or columnists from the Federalist, Breitbart, and a slurry of other formally conservative media outlets — repeat the Kremlin-approved propaganda messages and tropes of that warfare, word for word.
It’s not simply treason by making common cause with a murderous autocrat in Russia, or merrily wrecking the alliances around the world that kept America relatively secure for seven decades.
Their betrayal is also to our system of government, which as imperfect — and often downright fucked up — as it is, has been remarkably capable of surviving.
And if you can’t spot the treason yet, you will soon enough. That’s the thing about spies, traitors, and those who betray their country — they rarely stay hidden forever.
We need to get this administration out of office in 2021, and help the American people understand the danger their sympathizers represent. If only we still taught civics in schools.
I found myself actually shocked at one piece of testimony in yesterday's impeachment hearing:
A U.S. ambassador’s cellphone call to President Trump from a restaurant in the capital of Ukraine this summer was a stunning breach of security, exposing the conversation to surveillance by foreign intelligence services, including Russia’s, former U.S. officials said.
The call — in which Trump’s remarks were overheard by a U.S. Embassy staffer in Kyiv — was disclosed Wednesday by the acting U.S. ambassador to Ukraine, William B. Taylor Jr.
“The security ramifications are insane — using an open cellphone to communicate with the president of the United States,” said Larry Pfeiffer, a former senior director of the White House Situation Room and a former chief of staff to the CIA director. “In a country that is so wired with Russian intelligence, you can almost take it to the bank that the Russians were listening in on the call.”
Republicans, who used to bang the drum on security issues so loudly you could barely make out the words they were actually saying, do not seem to have noticed this event. Which shocks me even more.
I don't know how much closer to shooting someone on 5th Avenue the President needs to get to show people he does not have American interests at heart. His abrupt withdrawal of our forces from Syria comes awfully close:
U.S. forces, caught unawares by the move, began a hasty and logistically problematic retreat; at one point American troops found themselves deliberately “bracketed” by Turkish artillery fire—pinned in position and wholly reactive to the movements of a foreign state’s force, one set in motion by their own commander in chief. This may have been the first time any nation that houses U.S. nuclear weapons—there are an estimated 50 thermonuclear air-drop warheads at Incirlik Air Force Base in Turkey—targeted U.S. troops with its own army.
Since then, U.S. forces on the ground are in anguish and “ashamed,” witnessing atrocities and abandoning allies to potential Turkish war crimes. The Kurds, having seen Trump almost pull this last year, had asked their American partners’ help in planning for a post-U.S. scenario by aligning with Syrian dictator Bashar al-Assad and his Russian backers. The U.S. had said no, assuring the Kurds it would not abandon them. After all, Trump had publicly bragged last year that he’d singlehandedly stopped Erdogan from going in before; “I called him and asked him not to do it, and he hasn’t done it,” he said in June. But Erdogan did it. And he told Trump that he was doing it.
Like so many others who have covered Trump and his coterie of dullards, I have often been caught up in questions of whether despots have blackmail leverage over Trump or offer him favors; of whether he recognizes his kind or he’s an easily influenced idiot. Motives would be wonderful to pin down—after we stop the serial arsonist from starting fires. What’s happening in Syria shows that it doesn’t matter whether Trump is a dope, weak bluffer, toddler-in-chief, serial abuser, narcissist, pathological liar, or mob grifter. It doesn’t matter if he’s been recruited as an agent of a foreign government. It makes no difference whether he’s evil, stupid, or a madman.
You don’t need a psychological sketch to understand the events in Syria, just the bare and obvious truth: Because Trump is president, people are being murdered before cameras, the world is more unsafe, and American promises are worth less than the cursed, disembodied presidential account that they’re tweeted on.
Putin must be tired of all the winning.