Young Ashkan spent the first years of his American childhood in Akron, Ohio. He developed a knack for breaking and rebuilding things to change the way they worked. Among his earliest memories is a battery-powered car, a Datsun replica, that he navigated through the house by programming buttons on a numeric keypad—four units forward, two units right, three units left to steer around an armchair. By the age of ten, when his family moved to “Tehrangeles,” the central Los Angeles neighborhood of Little Persia, he was assembling telephone auto-dialers and writing BASIC computer code. He taught himself to read hexadecimal notation to crack the copy protection on Jumpman, the hot computer game of the day. Later, he soldered a rewritable chip onto the motherboard of a Sony game console, bypassing firmware locks. Armed with a dial-up modem, he exchanged hacking tips in computer forums known as bulletin boards. There he learned how to alter the software instructions in early cellular phones. At age fifteen, he got hold of a Motorola MicroTac and wired it to a laptop computer at home. With a series of typed commands he overrode the built-in controls and repurposed the phone as a makeshift spy device. If he wanted to, he could sniff the airwaves for nearby cellular signals and assume the identity of any phone in range. Freon and a hammer, he also discovered, cracked the Kryptonite bicycle locks of the day. All these were common pursuits in the teenage hacker circles Soltani joined. Like a lot of future security experts, Soltani told me, “I grew up finding vulnerabilities in systems.”
Soltani earned a bachelor’s degree in cognitive science and did his graduate work in computer security and privacy at the University of California, Berkeley. Along with two fellow grad students, he produced a thesis project called “Know Privacy.” Their work showed how well-known websites gathered and sold far more information from visitors than they disclosed in their privacy policies. Later, as a consultant to the Wall Street Journal, Soltani intercepted the secret signals of smartphone apps as they exfiltrated personal data from users, unawares. MobileScope, his start-up company, commercialized his technique. When I first met Soltani, in May 2012, I created a false identity and let him demonstrate the product on a spare iPad I kept at home. He showed how software developers followed me surreptitiously around New York City and the internet, in violation of government regulations and promises made in their terms of service. I launched a medical app, dreamed up an awkward question, and typed “gonorrhea” in the query field. Two dozen lines sprang out from the icon for my device on the MobileScope screen, each representing a data grab by an advertiser, an information broker, or a middleman in the data economy. In an instant, invisibly, the iPad had transmitted my age, gender, device ID, location, and enough other details to identify my alter ego, “Bart Testbed,” if he was real. Some of the companies harvested the embarrassing search term as well. Apple has since tightened privacy controls, and Google has done some of the same for its Android phones, but somewhere a database includes a medical profile of the unfortunate Mr. Testbed. The suspicions that launched Soltani’s project arose from “the same hacker mindset” he carried from his childhood: “Here are the vulnerabilities where the law says one thing but the tech works the other way.”
Between college and grad school, Soltani worked and played as the spirit moved him. A Vancouver company dispatched him on a computer security assignment to Hong Kong. He found his way to a DJ gig by night. When he tired of employment, he snowboarded through most of 2003 with a group of friends, trading lessons for lift tickets and living on the cheap. They changed hemispheres with the seasons, migrating from winter to winter in Lake Tahoe, New Zealand, and Japan. In 2005, AT&T hired Soltani to help combat a nightmarish wave of spam. The phone company had switched on a feature that enabled customers to receive a text message sent by email. Spammers lit up AT&T phones with billions of unwanted texts, emailing every possible ten-digit number. Here again, an unexpected security hole. Soltani designed a defensive perimeter with spam filters running on high-speed routers. “That became my specialty for a period of time,” he said. Word of mouth brought him similar contracts at France Telecom and the Nippon Telegraph and Telephone Corporation in Japan. U.S. Customs and Border Patrol then hired Soltani to secure a computer facility in West Virginia against denial-of-service attacks that flooded its network with tens of millions of spurious queries. Lacking a security clearance, Soltani was forbidden to touch the government computers. He had to tell his employers where to click and what to type, line by line.
By the time I met him, Soltani had served a stint as staff technologist at the Federal Trade Commission. There he made himself a plague upon Google and Facebook with forensic work that proved they spied illegally on their users. Since then he had earned most of his living as a consultant to state attorneys general who wanted to sue technology companies in New Jersey, California, Ohio, and New York state courts. Compact and charismatic, Soltani had a Rolodex of admirers across government, industry, and university lines, even, somehow, in the companies he had shamed. His impromptu “tech policy cocktail hours,” set up on the fly as he traveled, filled the back rooms of dive bars in Washington, San Francisco, and New York.
In April 2013, six or seven weeks before the Snowden stories went public, I asked Soltani to take a long walk with me in Battery Park at the southern tip of Manhattan, leaving our electronic devices behind. I had to beef up my digital security, I told him, and pronto. We walked through scenarios, workflows, and tools. I did not tell him why and he did not ask. The discretion impressed me. When my first NSA story went live on the evening of June 6, Soltani sent an encrypted email. “So that was it,” he wrote. Four months later, on September 23, I introduced him to Marty Baron. They hit it off, and Baron gave his blessing for the hire. He did not blink when Soltani told him that my initial precautions for the Snowden archive were not secure enough. We would need some high-end laptop computers to “lobotomize,” as Ashkan put it, by blocking ports, removing batteries, and pulling out network circuit boards.
The Post signed a contract with Soltani on the same terms as mine. Baron assured him the paper would cover his legal defense if he needed one. “The paper’s history is consistent here and its reputation depends upon it,” I wrote to Soltani later that day. I told Baron he would not regret the hire: “We’re fired up about stories in the pipeline.”
On a regular basis, as we set to work, we came across more cave paintings. They spoke to identity and status and the attitudes of NSA data geeks on the hunt.
* * *
The larger part of the NSA’s intake depends upon what the agency describes as special sources. The NSA asks for secret access to one or another piece of the backbone of the global communications network. Security-cleared executives at U.S. internet and telecommunications companies agree to provide it. The NSA likes that arrangement. Why hotwire a car when the owner will lend you the keys? Some executives—not as many since Snowden—regard support for U.S. intelligence as a patriotic duty. Some are compelled by law. Some companies, like AT&T, have classified arrangements with the NSA, code-named BLARNEY, that stretch back to the 1970s. Some hope for a leg up on bigger government contracts or to ward off regulations. The companies are compensated for their trouble from a classified budget for “corporate partners” that reached $394 million in fiscal year 2011.
When the NSA cannot negotiate access, it helps itself. Overseas, where domestic legal restrictions do not apply, the acquisitions directorate, S3, is free to tunnel just about anywhere it likes. A worldwide hacking infrastructure called QUANTUM deploys a broad range of tools to inject software exploits, intercept communications with methods known as man in the middle and man on the side, and reroute calls and emails through NSA collection points. Most of these are known as passive operations because they collect electronic signals automatically as they pass through large trunk lines and junctions. When passive methods do not suffice, the job becomes, in NSA parlance, interactive. During one representative week in April 2012, there were 2,588 such interactive missions. That kind of bespoke hacking is the province of Tailored Access Operations, and, within it, the Rock.
Sometimes the Rock hits a wall it cannot breach. Commonly that means the surveillance target is using devices or network connections that do not touch the public internet, leaving no path for delivery of a software exploit. That is when the NSA turns to “human-enabled” collection by the Access Operations division, which performs clandestine missions against foreign embassies in the United States and targets of interest overseas. The division’s seal, like the one for Special Source Operations, features a predator encircling the globe. The beast on this one, though, is not an eagle. It is a serpent with a long, forked tongue and demonic red eyes. The Latin motto, Decipio—Circumvenio—Latrocinor, can be rendered in English as “I deceive, I circumvent, I plunder.”
The message is a gamer’s gasconade: We cheat, we steal, we eat your lunch. In one official briefing, cartoonish swagger gives way to an actual cartoon. The unit is represented as a stick-figure superhero. The “bad guy,” wearing devil horns, tries to conceal himself in an internet neighborhood that NSA headquarters hackers cannot see. “CNE Man”—the acronym stands for computer network exploitation—swoops in and saves the day, shouting, “YEAH!!! MAKE DATA HAPPEN!” The NSA has a term for this kind of work. It is called traffic shaping. Access Operations personnel take control of a switch, for example by placing a hardware implant, and change the route traversed by the phone calls, web searches, and emails it wants to acquire. That is why the cartoon refers to “midpoint” collection: the NSA diverts the data stream mid-journey. The bad guys—who commonly are not bad at all but merely interesting—keep talking, unawares. CNE Man is a bandit in a cape. That is understood to be okay because the target is, in this case literally, demonized.
A variation on the hero theme takes inspiration from James Bond. The actual spies borrow secret agent mojo from an imaginary counterpart. They name a Windows implant ODDJOB, for example, after the Bond villain in Goldfinger with the razor-edged bowler hat.
A more interesting invocation comes in a planning memo for “denial and deception,” which is what intelligence officers call the job of hiding their work and misdirecting opponents. It would not do, after all, for CNE Man to fly into a clandestine operation with an NSA serpent on his chest. Field personnel need legends to help them blend in. They pretend to be repair crews, inspectors, or the like to deflect suspicion if anyone spots them at work. Someone has to book their travel and produce their phony paperwork. There is, it turns out, a whole bureaucracy to provide them with “Cover Payroll, Cover Travel, [and] Cover Finance,” among other services. Inevitably, the support system has a cover name of its own: MISS MONEYPENNY, after the faithful secretary who flirts with Bond and pines after a romance that is not to be. With Moneypenny as helpmeet, the swashbuckling data burglar becomes Bond himself.
CNE Man, who works in real life at a safe distance, does not generally need to brave physical danger. Another unit fits better into the Hollywood mold of a spy. When midpoint operations will not do the job, the NSA sends in S3283, Expeditionary Access Operations. Its personnel slip across foreign borders or just alongside, seeking vantage points on hard targets that the NSA cannot reach by other means. These teams, which carry out what the agency calls its “human-enabled close access network exploitation program,” have a Latin motto, too: Si ceteri non—“If others do not.” That is to say: when all else fails.
Sneaking up on a surveillance target can be risky. Not always, because the targets are sometimes allied government leaders who would probably confine their response to angry words if they caught on. In other cases, discovery is more hazardous. S3283 insertion teams rely on misdirection and swift departure from the scene. If armed, a choice made case to case, they carry only light weapons for self-defense. “I had a blue force tracker,” one veteran of expeditionary surveillance in a war zone told me, referring to equipment that showed the location of American troops deployed a considerable distance away. “I’d coordinate with a guy at the threat operations center in the U.S. embassy. I had enough rounds to last me maybe thirty minutes, an M-4 [rifle], sidearm, some water, and an evasion and escape plan. I was out there on my own.”
There is more about Unit S3283 in the Snowden archive, including target locations, photographs of personnel in the field, and details of their tactics and techniques. I am not going to write about those things. What interests me here is the way the NSA talks about their work. Locker room bravado is one thing when it takes place in the field. The trash talk, in this case, is built into the official vocabulary of Fort Meade, where engineers and managers describe close access work in terms of seduction and drunken conquest. Surveillance targets, as depicted in formal accounts of expeditionary operations, are like women who would regret the night if only they remembered it in the morning.
One common mission for Unit S3283 is to hack into a local wireless network. Wi-fi signals do not travel far, even when amplified by surveillance equipment, which means that access teams have to sneak in fairly close. Every stage of their work comes with a suggestive cover name. First comes BLINDDATE, in which a team member searches for vulnerable machines. He slips into the network during HAPPYHOUR, mingles among the computers there, and lures his tipsy victim into a liaison. Next comes NIGHTSTAND, short for one-night stand, wherein the operator delivers a load of malware into the defenseless machine. Further exploitation and hilarity ensue on SECONDDATE. For all their subtlety, the cover names might as well be BIMBO, ROOFIE, BAREBACK, and THE CLAP.
None of this is to cast shade on the operations themselves. By nature an expeditionary mission is closely targeted, the opposite of mass surveillance, and the NSA chooses the marks to fit the demands of its political masters. The targets I saw in documents are what you would expect of an intelligence agency doing its job. The question is what to make of the giggles between the lines. It is not too much, I think, to say that sexual exploitation is an official metaphor of close access operations, passed up the chain of command in operations reports and back down to the lower ranks in training materials. The seven-part qualifying course on wireless exploitation techniques, for example, includes units called “Introduction to BLINDDATE” (“Grab a partner!”) and “Introduction to NIGHTSTAND.” There are plenty more where those come from. The NSA archive features dozens of cover names in the same style, from VIXEN and BADGIRL to LADYLOVE and PANT_SPARTY. The latter is versatile slang in pop culture, suitable for any of several intimate acts. In surveillance-speak it stands for injection of an NSA software tool into “a backdoor” in the target’s defenses. Get up close, whip out your PANT_SPARTY tool, and stick it in her back door. The developers, briefers, and trainers who trade in this kind of mirth, without exception that I could find, are men.
Alan Tu, the former threat operations analyst, told me the dick-swinging badinage is the product of a “workforce that was incredibly young, young and male. Many either in their first post-college job, or nineteen- to twenty-one-year-old military operators. This is the age of peak testosterone.” It would not occur to those men, Tu added, that anyone outside their circle would read what they wrote or find reason to object. And oversight can be thin, he recalled: “Getting quality managers was sometimes a struggle because often, they would pick from what seemed to be the most appropriate technical guy and give them their first leadership and management job.”
Snowden turned down a job in TAO, but this was the culture he grew up in. “The memes are awesome for morale and having fun but you’re having fun with systems that get people literally killed,” he told me. “It is adolescent empowerment. Literally, ‘I can do what I want. What are you going to do to stop me? I am all-powerful.’ I would point out what defines our understanding adolescence and what it means to be juvenile is a lack of self awareness and restraint.”
Some insiders compare bro-style chatter to the private repartee of surgeons and trauma nurses. There may be truth in that. Clowning can bring stress relief and build esprit de corps. The analogy is imperfect, though, and it has a double edge. There are medical professionals who joke about terminal patients behind their backs, and some who defend the practice, but patients and the public do not respond well when they find out. Scandals have ensued in recent years when doctors, under cover of anesthesia, were caught taking selfies with an unconscious patient, mocking another’s appearance, and calling a third a “retard” who probably had syphilis. Society expects a degree of maturity from people who wield the knives. We find their power frightening otherwise.
Toward the end of 2018, I sat down with former FBI director James B. Comey for a long conversation in a midtown New York hotel suite. He had put a lot of effort into cultural change in his own agency before Donald Trump fired him in May 2017. The FBI, like the NSA, worked hard to recruit and accommodate young technical talent. Before the Trump administration came to power, Comey was looking for ways to soften a ban on applicants with a history of marijuana use. “I have to hire a great workforce to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” he told the Wall Street Journal then. Attorney General Jeff Sessions put a stop to any squishiness on that point, but the bureau, like the NSA, relaxed some entrenched ideas about who belonged. I asked Comey whether he thought Fort Meade has come to grips with the subculture that the young hacker recruits brought with them.