They name a Windows implant ODDJOB: There is no reference to ODDJOB in the Snowden files. The Windows command and control implant was revealed in a leak of NSA hacking tools by a person or group that went by the name Shadow Brokers, generally believed to be a front for a foreign intelligence service. See Joseph Cox, “Shadow Brokers Dump Alleged Windows Exploits and NSA Presentations on Targeting Banks,” Motherboard, April 14, 2017, at https://perma.cc/5STA-VRZ5.
“denial and deception”: Undated NSA memo, “Denial and Deception Action Plan Review.” Based on Microsoft Office metadata, the memo was first saved on December 19, 2001. On file with author.
with “Cover Payroll”: Ibid.
MISS MONEYPENNY: A compendium of every scene in which Moneypenny appears in a Bond film is at “All the Miss Moneypenny Scenes 1962–2015,” YouTube, www.youtube.com/watch?v=jEL3bZSdokM.
“I had a blue force tracker”: Confidential source, interview with author, 2018. The source worked in a comparable expeditionary role, not in Unit S3283.
not going to write about those things: I am not sure I would have described the unit at all, given the risks, if its work and equipment had not been made public in more detail in a widely reproduced article and original NSA document called the ANT Catalog. Jacob Appelbaum and Christian Stöcker, “Shopping for Spy Gear: Catalog Advertises NSA Toolbox,” Der Spiegel, December 29, 2013, www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html.
ROOFIE: Slang for Rohypnol, roofie is the street name for a notorious drug that sexual predators use to incapacitate women. Fact Sheet, “Date Rape Drugs,” Office on Women’s Health, U.S. Department of Health and Human Services, at www.womenshealth.gov/a-z-topics/date-rape-drugs.
“Introduction to BLINDDATE”: Syllabus for seven-part training course, on file with author.
(“Grab a partner!”): The toolkit encompassing BLINDDATE, HAPPYHOUR, NIGHTSTAND, BADDECISION, and SECONDDATE is described in “Introduction to BADDECISION,” December 15–16, 2010, on file with author and published in redacted form by the Intercept at https://perma.cc/N855-Q5LX; “Introduction to WLAN / 802.11 Active CNE Operations,” December 15–16, 2010, at https://perma.cc/3PGN-BA3D; and training slides called “Foxacid,” at https://perma.cc/AA3W-TSC7. In some documents, NIGHTSTAND is spelled NITESTAND. Dutch authorities in the fall of 2018 uncovered a closely parallel toolkit used by Russia’s military intelligence service, the GRU. See “The GRU Close Access Operation Against the OPCW in Perspective,” Electrospaces, October 9, 2018, at https://perma.cc/ANH3-AUMB.
into “a backdoor”: Technically, in this case, the PANT_SPARTY tool embedded an NSA decryption key into a 2012 version of OpenSSH Portable, a commonly used software package for secure communication with a Unix server. A surveillance target would believe he or she had a secure link to the server, but the NSA could read the traffic at will. “SNIPs of SIGINT: Monthly Notes for June 2012,” on file with author.
PANT_SPARTY: See “Pants Party,” Urban Dictionary, at https://perma.cc/8FC9-24CD.
“workforce that was incredibly young”: Alan Tu, interview with author, July 5, 2018.
defend the practice: Alexandra Robbins, “Nurses Make Fun of Their Dying Patients. That’s Okay,” Washington Post, April 16, 2015, at https://perma.cc/AJN8-7SBF.
Scandals have ensued: See, for example, Emily Yahr, “What Went Wrong with Joan Rivers’s Last Medical Procedure: Lawsuit,” Washington Post, January 28, 2015, at https://perma.cc/HMM8-CFG3; Yanan Wang, “Patient Secretly Recorded Doctors as They Operated on Her. Should She Be So Distressed by What She Heard?,” Washington Post, April 7, 2016, at https://perma.cc/QNM8-3NX9; and Tom Jackman, “Anesthesiologist Trashes Sedated Patient—and It Ends Up Costing Her,” Washington Post, June 23, 2015, at https://perma.cc/N5K3-DLY7.
He had put a lot of effort: See James Comey, A Higher Loyalty: Truth, Lies, and Leadership (New York: Flatiron Books, 2018), beginning with this observation on p. xi: “Ethical leaders can mold a culture by their words and, more important, by their actions, because they are always being watched.”
history of marijuana use: Charles Levinson, “Comey: FBI ‘Grappling’ with Hiring Policy Concerning Marijuana,” Wall Street Journal, May 20, 2014, at https://perma.cc/T2AS-E4KZ.
“That’s a great question”: James Comey, interview with author, October 16, 2018.
assign its cover names at random: NSA historian James Bamford, for example, explained NSA cover names this way in Tom Bowman, “Why Does the NSA Keep an EGOTISTICALGIRAFFE? It’s Top Secret,” National Public Radio, November 10, 2013, at https://perma.cc/2FLJ-MM9N. The late Matthew Aid, author of The Secret Sentry: The Untold History of the National Security Agency, likewise said in a newspaper interview, the reporter wrote, “that most of the NSA’s code names are no more than computer-generated sequences of words.” Emily Heil, “What’s the Deal with NSA’s Operation Names,” Washington Post, October 22, 2013, at https://perma.cc/J67L-MNXB.
VOYEUR: NSA briefing document, “TRANSGRESSION Branch: A Discovery Collaboration Effort,” November 1, 2010, on file with author. For a GCHQ description of VOYEUR, see “Fourth Party Opportunities,” first published by Der Spiegel at www.spiegel.de/media/media-35684.pdf [inactive]. For an unclassified reference to VOYEUR, see Collin Anderson and Karim Sadjadpour, “Iran’s Cyber Ecosystem: Who Are the Threat Actors?,” Carnegie Endowment for International Peace, January 4, 2018.
SCISSORS: “FY-2002 Signals Intelligence Directorate (SID) Project Baseline Standards and Architecture Assessment Activity,” July 2002, p. 203, on file with author.
evoke the “brotopia”: Emily Chang, Brotopia: Breaking Up the Boys’ Club of Silicon Valley (New York: Portfolio, 2018).
BOUNDLESSINFORMANT: Glenn Greenwald and Ewen MacAskill, “Boundless Informant: The NSA’s Secret Tool to Track Global Surveillance Data,” Guardian, June 11, 2013, at https://perma.cc/2VLS-S587.
TRANSGRESSION: NSA briefing document, “TRANSGRESSION Branch,” cited above.
PITIEDFOOL: “SNIPs of SIGINT: Monthly Notes for June 2012,” on file with author.
“They really want to win”: Tom Donilon to author, October 29, 2013.
“The approach we’ve been using”: “I hunt people who hack routers (part 5),” December 2012, on file with author. Emphasis in original.
nerds use “dork”: A quick and dirty search of the Snowden archive turned up 120 occurrences of “dork” or “dorked” in this meaning.
“are honing their skillz”: “I hunt people who hack routers (part 5),” December 2012.
“There are 10 types of people”: Training slides, “Public Key Cryptography & Public Key Infrastructure,” 2002, on file with author.
by switching on: CAPTIVATEDAUDIENCE is described in an NSA wiki article titled “QUANTUMTHEORY CT Successes,” on file with author.
“Everyone can be friends!”: A folder full of these “awesome pics” is on file with author.
Smart Target Enhancement Program: Course syllabus, “12 FAA FOREIGNNESS FACTORS WITH EXAMPLES,” undated, on file with author. I rely here also on a tutorial titled “Entering New FAA-Authorized DNI Tasking in the Unified Targeting Tool (UTT) / Gamut,” March 30, 2010, on file with author.
The most derisive descriptions: The examples in this paragraph are found in “Entering New FAA-Authorized DNI Tasking in the Unified Targeting Tool (UTT) / Gamut,” March 30, 2010; “12 FAA FOREIGNNESS FACTORS WITH EXAMPLES”; and “Target Analyst Rationale Instructions Final,” October 20, 2009.
EXUBERANTCORPSE: Special Source Operations Weekly, March 14, 2013, slide 9, on file with author.
When U.S. warplanes: Ellen Knickmeyer and Jonathan Finer, “Insurgent Leader Al-Zarqawi Killed in Iraq,” Washington Post, June 8, 2006, at https://perma.cc/BH3X-CZ2P. See also Lawrence Joffe, “Abu Musab al-Zarqawi Obituary,” Guardian, June 8, 2006, at https://perma.cc/8T2C-NZFP.
fist-b
umping status report: On file with author.
taking part in a criminal conspiracy: See chapter 7.
Eventually he agreed to breakfast: James R. Clapper, interview with author, August 17, 2018.
as long ago as 1984: Kenneth Thompson, “Reflections on Trusting Trust,” Turing Award lecture, reproduced in Communications of the ACM, August 1984, at https://perma.cc/NL2L-7JX3.
the Gemalto gambit: This story came to light in Jeremy Scahill and Josh Begley, “The Great SIM Heist,” Intercept, February 19, 2015, https://theintercept.com/2015/02/19/great-sim-heist/.
“looking for interns”: The call for applicants, posted on the NSA’s classified WikiInfo board, is titled “S3285/InternProjects,” on file with author.
CHAPTER SEVEN: FIRSTFRUITS
al Qaeda killed 2,996 people: Brad Plumer, “Nine Facts About Terrorism in the United States Since 9/11,” Washington Post, September 11, 2013, at https://perma.cc/47DN-JQWV.
a nine-page memo for Ashcroft: Untitled and undated draft memo from NSA director Michael V. Hayden to Attorney General John Ashcroft, on file with author. Metadata from the electronic file date it to March 19, 2002, but internal evidence suggests that the bulk of it was finished in December 2001. The period covered in this accounting of leaks ended on November 23, 2001.
the three stories singled out: The NSA memo for Ashcroft cited Barton Gellman, “Annan Suspicious of UNSCOM Role,” Washington Post, January 6, 1999; Thomas Lippman and Barton Gellman, “U.S. Says It Collected Iraq Intelligence Via UNSCOM,” Washington Post, January 8, 1999; and especially Barton Gellman, “U.S. Spied on Iraqi Military Via UN; Arms Control Team Had No Knowledge of Eavesdropping,” Washington Post, March 2, 1999, at https://perma.cc/ZTY6-9W2U.
still finding remnants: But some of my stories reflected a gradual decline of diplomatic backing for unrestricted weapons inspections in Iraq. Barton Gellman, “US Fought Surprise Inspections,” Washington Post, August 14, 1998; Barton Gellman, “US Tried to Halt Several Searches,” Washington Post, August 27, 1998; and Barton Gellman, “Inspector Quits UN Team, Says Council Bowing to Defiant Iraq,” Washington Post, August 27, 1998.
continuing to hide: Stymied by Iraqi obstruction, inspectors from the UN Special Commission, known as UNSCOM, developed aggressive intelligence methods in response. Barton Gellman, “A Futile Game of Hide and Seek: Ritter, UNSCOM Foiled by Saddam’s Concealment Strategy,” Washington Post, October 11, 1998; Barton Gellman, “Arms Inspectors ‘Shake the Tree’: UNSCOM Adds Covert Tactic,” Washington Post, October 12, 1998. This series, titled “Shell Games,” was a finalist for the Pulitzer Prize for National Reporting.
concealed microwave antennas: Gellman, “U.S. Spied on Iraqi Military Via UN.” The story reported that “unbeknownst to UNSCOM, the U.S. signals and sensor technicians who installed and maintained the system were intelligence operatives, and the repeater stations they built had a covert capability. Hidden in their structure were antennas capable of intercepting microwave transmissions, and the U.S. agents placed some of them near important nodes of Iraqi military communications.”
Security Council disbanded it: United Nations Security Council Resolution 1284, adopted on December 17, 1999, shuttered UNSCOM and replaced it with a much less aggressive inspection regime under the United Nations Monitoring, Verification and Inspection Commission, or UNMOVIC. The text is at https://undocs.org/S/RES/1284(1999).
“disclosed the basic concept”: This was an active surveillance program when I discovered it. The U.S. government shut it down when I told Clinton administration officials, as I reported on the story, that the UN Secretariat was asking about it.
counterintelligence term of art: The methods of D&D encompass both concealment and misdirection. Denial, for example, is hiding a weapons lab under a barn so that spy satellites cannot see it. Deception is laying a false trail of shipping records to hint that the lab is located somewhere else. See the entries for “denial” and “deception” in Mark L. Reagan, ed., Counterintelligence Glossary—Terms & Definitions of Interest for CI Professionals (Office of the National Counterintelligence Executive, June 9, 2014), at https://fas.org/irp/eprint/ci-glossary.pdf.
“My next story”: We eventually ran a series of stories about the secret intelligence spending plan. The first was Barton Gellman and Greg Miller, “‘Black Budget’ Summary Details U.S. Spy Network’s Successes, Failures and Objectives,” Washington Post, August 29, 2013, at https://perma.cc/2ELY-WBK7. My colleagues produced a splendid online data visualization at www.washingtonpost.com/wp-srv/special/national/black-budget.
“These guys are coming in hot”: Shawn Turner, who said that to me and Greg Miller, recalled the moment in an interview on May 30, 2019.
“True disbelief that”: Greg Miller, message to author, May 16, 2019.
million-dollar bounties: Zerodium, which calls itself “the world’s leading exploit acquisition platform,” buys software flaws that it can weaponize for government clients. It made the public million-dollar offer in 2015. See “ZERODIUM’s Million Dollar iOS 9 Bug Bounty (Expired),” September 21, 2015, at https://perma.cc/AF7A-C5K8.
“Warning: We believe”: The Google warning appeared on my accounts on February 19, 2014.
largest independent Apple: “Computers and Electronics,” Mayor’s Office of Film, Theater, and Broadcasting, City of New York, archived at https://perma.cc/N749-ZMLP.
Morgan Marquis-Boire: I knew Morgan as a talented hacker and security researcher. He provided me with advice and did several pro bono forensic investigations on my behalf, for which I am grateful. In 2017, credible accusations of sexual assault were levied against him. He disappeared from public view and has not, to my knowledge, responded to the accusations. See Sarah Jeong, “In Chatlogs, Celebrated Hacker and Activist Confesses Countless Sexual Assaults,” Verge, November 19, 2017, at https://perma.cc/J583-ZJKV.
“Within the span”: Ashkan Soltani, interview with author, October 16, 2015.
“My take is”: Rick Ledgett, interview with author, August 22, 2017.
two counts of espionage: These were initial criminal charges in support of an extradition request to Hong Kong authorities. The grand jury empaneled in Norfolk very likely has handed up a sealed indictment alleging additional criminal counts. See Criminal Complaint of Edward Snowden, United States v. Edward J. Snowden, Case No. 1:13 CR 265, U.S. District Court for the Eastern District of Virginia, at https://perma.cc/M2T8-KZB8. Each of the three publicly disclosed charges carries a maximum sentence of ten years in prison. See 18 U.S.C. § 793 (a)—(f), § 798(a)(3)(1)—(4) (2012); 18 U.S.C. § 641 (2012).
trying to jail James Risen: MacBride oversaw the prosecution of Jeffrey Sterling, beginning in 2010, for unauthorized disclosure of classified information to Risen, and repeatedly called Risen before a grand jury to testify against his alleged source. The initial indictment refers to Risen as “Author A.” See United States v. Jeffrey Alexander Sterling, at https://assets.documentcloud.org/documents/2106787/sterling-indictment.pdf. When Risen refused, the government moved to have him jailed for contempt of court. The Fourth Circuit Court of Appeals ruled against Risen in 2013 and the Supreme Court followed suit in 2014. See Adam Liptak, “Supreme Court Rejects Appeal from Times Reporter over Refusal to Identify Source,” New York Times, June 2, 2014.
lost his final appeal: Later, on the brink of Risen’s confinement, the Justice Department abruptly withdrew the subpoena. As the trial judge prepared to hold Risen in contempt, prosecutors announced without explanation in January 2015 that they no longer required him as a witness. See Matt Apuzzo, “Times Reporter Will Not Be Called to Testify in Leak Case; Legal Fight Ends for James Risen of the New York Times,” New York Times, January 12, 2015.
“It’s nothing personal”: Neil MacBride to author, June 1, 2011.
command me to present myself: Rule 17, Subpoena, Federal Rules of Criminal Procedure, at www.law.cornell.edu/rules/frcrmp/rule_17.
>
credit and banking records: Michael Isikoff, “DOJ Gets Reporter’s Phone, Credit Card Records in Leak Probe,” MSNBC, February 25, 2011.
“I Spy, No Lie”: The video interview with Keith Alexander originated on the Defense Department’s official science blog. Jessica L. Tozer, “I Spy, No Lie,” Armed with Science, October 24, 2013, at https://perma.cc/P6SR-X7HJ. Also available on YouTube at www.youtube.com/watch?v=6Kc5Xvr24Aw.
“I’d have to go to these people”: Shawn Turner, interview with author, May 30, 2019.
“Snowden claims that he’s won”: James Clapper, testimony before the Senate Select Committee on Intelligence, January 29, 2014, transcribed at http://wapo.st/2b26smO and archived at https://archive.is/QxYVN. The relevant video excerpt is https://youtu.be/CowlDnng2Zc.
Snowden’s “agents”: The NSA inspector general compared Snowden and his journalistic “agents” unfavorably to notorious FBI traitor Robert Hanssen, saying “Hanssen’s theft was in a sense finite whereas Snowden is open-ended, as his agents decide daily which documents to disclose.” George Ellard, panel remarks, “A New Paradigm of Leaking,” Symposium on Leakers, Whistleblowers and Traitors, February 25, 2014, transcript available at Journal of National Security Law & Policy 8, no. 1 (2015). Ellard used identical language at a February 24, 2014, conference at Georgetown University Law Center, as I sat less than ten feet away. See Conor Friedersdorf, “A Key NSA Overseer’s Alarming Dismissal of Surveillance Critics,” Atlantic, February 27, 2014, at http://theatln.tc/My1aQ8.
“I must confess”: George Ellard, interview with author, December 9, 2014.
“I understand what Keith was saying”: James R. Clapper, interview with author, August 17, 2018.
was entirely blacked out: See FBI, Domestic Investigations and Operations Guide, updated September 28, 2016, released in two volumes at https://perma.cc/6YD4-VG3D and https://perma.cc/K7FR-6VTQ.
Dark Mirror Page 46