• Buro Jansen & Janssen is a research bureau that critically follows the police, the justice system, the intelligence services and government in the Netherlands and Europe. A civil-rights collective that has published for 30 years on the expansion of repressive legislation, public-private cooperation, powers, government action and other affairs of state.
    Buro Jansen & Janssen, Postbus 10591, 1001EN Amsterdam, 020-6123202, 06-34339533, Signal +31684065516, info@burojansen.nl (PGP)
    Support Buro Jansen & Janssen. Become a donor: NL43 ASNB 0856 9868 52 or NL56 INGB 0000 6039 04, in the name of Stichting Res Publica, Postbus 11556, 1001 GN Amsterdam.

Cooperation protocol between the Rotterdam-Rijnmond regional police and the BVD

    COOPERATION PROTOCOL between:

    The ROTTERDAM-RIJNMOND REGIONAL POLICE (Regiopolitie Rotterdam-Rijnmond)

    and

    The BINNENLANDSE VEILIGHEIDSDIENST (Domestic Security Service)

    1. Introduction

    Providing security has traditionally been one of the core tasks of government.

    The mayor and the Public Prosecution Service (Openbaar Ministerie) are responsible for the most direct forms of security provision: maintaining public order and prosecuting criminal offences. Both exercise authority over the police insofar as police action concerns their specific responsibility. The police are charged with the actual executive tasks.


South African surveillance company VASTech supplies repressive regimes

    The South African company VASTech became controversial in 2011 after revelations about the supply of surveillance equipment to al-Qadhafi's Libya. This did not lead to further investigation or prosecution for possible involvement in human rights violations.

    This was not the first time VASTech sold surveillance equipment to a repressive regime. The company supplied Mugabe's Zimbabwe and Mubarak's Egypt. VASTech had been active in Syria since 2002 and in 2008 was the only company able to submit a proposal for 'monitoring equipment for international exchange'. In 2008 the Ministry of the Interior of the United Arab Emirates was provided with a 'mass monitoring system'.

    The South African company continued to supply repressive regimes after the revelations about Libya. From 2018 it worked on a monitoring centre for Saudi Arabia, which was delivered in 2021. The company also sold equipment to Mexico, Pakistan and Georgia, among others.


It is becoming clear who is loyal

    Dupont on justice and security

    Last week we started a campaign to send as many emails and letters as possible to several military unions, the Veterans Institute and the Commander of the Armed Forces, R.P. Bauer.

    This campaign has not ended and simply continues. There are several reasons for it: large numbers of emails and letters put pressure on the addressees. No one can avoid it any longer or claim they did not know. Defence has a PR problem because of so many critical questions and remarks. The campaign also makes clear who stands behind the veterans and who does not.


The truth according to Staatsbosbeheer

    Dupont on justice and security

    Now that a veritable offensive appears to have been launched against Staatsbosbeheer (SBB), SBB cannot but respond. It does so in various ways. The henchmen in the field, the forest and land rangers, are deployed to share their experiences. But use is also made of a minister who responds to the terrible experiences of forest and land rangers, game wardens included. Journalists are used as well. We will take a look at whether it is plausible that the truth is being told.


Investigation into the 'independence' of the Rijksrecherche?

    Grueber on Justice and Security

    When will there finally be an investigation into the 'independence' of our Rijksrecherche (the National Police Internal Investigations Department), just as investigations are now being launched into the 'independence' of the WODC (Wetenschappelijk Onderzoeks- en Documentatiecentrum, the Research and Documentation Centre)?

    The Rijksrecherche investigates, among other things, incidents in which force used by the police led to the death of arrestees.

    The past seems to show that the research results of this 'independent' organisation are, on a large scale, subject to steering and manipulation by the Public Prosecution Service, the National Police and the Ministry of Justice & Security.


Police motorcycle gangs, provocation and unlawful investigative methods

    Dupont on Justice and Security

    In several earlier contributions by Dupont it was already revealed how the Dutch police, following the American model, set up motorcycle gangs that copied the behaviour, structure and, by their own account, 'protocols and traditions' of the MCs. Copied, or pinched, from the Hells Angels, the inventors of the structures and rules that are now imitated everywhere. Dupont also mentioned how in the United States numerous shootings had already been started by members of these police motorcycle gangs and how several deaths had resulted.


Motorcycle gangs made up only of police officers

    Dupont on Justice and Security

    The police certainly have their hands full with it. Motorcycle clubs are apparently springing up like mushrooms. The police have also come up with a fine name for them: 'Outlaw Motorcycle Gangs'. And by continuing to use that name, the media start using it too. And so whoever has the name gets the deed as well. That also applies to motorcycle clubs that cannot be linked to crime. Moreover, not a single motorcycle club in the Netherlands has yet been banned by a court. So to call them criminal anyway. Discrimination? Rabble-rousing? Slander?


    Metadata Surveillance Didn’t Stop the Paris Attacks

From nieuwsblog.burojansen.nl

    And yet intelligence officials and politicians are now saying it could have. They’re wrong.

    Since terrorists struck Paris last Friday night, the debate over whether encryption prevents intelligence services from stopping attacks has reignited. The New York Times and Yahoo reported on vague claims that the terrorists’ use of encryption stymied investigators who might have thwarted their plans. CIA Director John Brennan made equally vague comments Monday morning, warning that thanks to the privacy protections of the post-Snowden era, it is now “much more challenging” for intelligence agencies to find terrorists. Jeb Bush piled on, saying that the United States needs to restore its program collecting metadata on U.S. phone calls, even though that program won’t be shut down until the end of this month.

    Following a terrorism incident as shocking as the Paris attacks, it is no surprise that politicians and the intelligence establishment would want to widen American spying capabilities. But their arguments are conflating the forest—bulk metadata collection—and the trees: access to individual communications about the attack. To understand why that’s the case, start with this tweet from former NSA and DHS official Stewart Baker: “NSA’s 215 program”—and by association the far larger metadata dragnet of which the domestically focused phone-metadata program is just a small part—“was designed to detect a Mumbai/Paris-style attack.”

    Only it didn’t.

    The United States and United Kingdom’s metadata collection that focuses on the Middle East and Europe is far more extensive than the phone dragnet being shut down later this month, and its use has far more permissive rules. This dragnet is mostly limited by technology, not law. And France—which rewrote its surveillance laws after the Charlie Hebdo attack earlier this year—has its own surveillance system. Both are in place, yet neither detected the Nov. 13 plot. This means they failed to alert authorities to the people they should more closely target via both electronic and physical surveillance. In significant part, this system appears to have failed before it even got to the stage at which investigators would need to worry about terrorists’ use of encryption.

    To understand why that’s true, it helps to understand how the metadata dragnet relates to surveillance of content as well as human spying.

    In most public comments going back to the initial leaks from Edward Snowden (and in Baker’s tweet from the weekend), authorities have made a shaky claim: that the surveillance dragnet is “designed to detect” an attack like Paris. Based on that claimed purpose, their dragnets are failing.

    But that claim was always an oversimplification. It oversold the importance of the dragnet, by itself, such that citizens might more willingly tolerate the collection of highly revealing personal details. Because it doesn’t include the actual content of our conversations, call metadata doesn’t seem especially intimate; if it’s the only thing authorities say they need to prevent a big terrorist attack, citizens might easily conclude that they’re fine with the government collecting it. But the claim also served to hide how quickly metadata analysis can lead to the reading of content.

    The intelligence community has given us a more nuanced understanding of the purpose of the metadata dragnet, however, in a National Academy of Sciences paper on “Bulk Collection of Signals Intelligence” released earlier this year. President Obama asked for the paper in early 2014 to assess whether the intelligence apparatus could accomplish what it currently does with metadata dragnets (both those conducted in the U.S. and overseas) via more targeted data collection.

The NAS report measured the dragnet in terms of three functions:

    1. Contact chaining, which maps out networks of people based on whom they communicate or even spend time with.

    2. Identifying and keeping current all known identifiers (phone numbers, email addresses, device identifiers, IP addresses, Internet IDs) a person of interest uses. This is done, in part, by using algorithms to match up the communication patterns of different accounts.

    3. “Triaging” the identifiers collected to categorize the urgency of the threat to national security from the party associated with each one.

    If the dragnet accomplishes its purpose, it will provide a fairly comprehensive picture of who is communicating or hanging out with whom, connect all the known communications identities of any given person (which is critical to developing a comprehensive picture of someone’s network and the communications tools he uses), and then use those pictures to identify who poses threats that should be followed more closely.
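The three functions above, as an added illustration that is not part of the original article: a small contact-chaining routine over constructed call records, with a hand-written identifier-linkage table standing in for the pattern-matching step, and a hop-and-degree triage. Every number and address below is constructed; the point it shows is that chaining reaches a person's second identity (and that identity's contacts) only once the identifiers have been linked.

```python
"""Contact chaining over communications metadata, following the three functions
the NAS report describes: chain contacts, merge a person's identifiers, triage.

Added illustration; all records, numbers and identifiers below are constructed.
"""
from collections import defaultdict, deque

# Constructed call/message records: (from_identifier, to_identifier).
# No content is present, only who contacted whom: exactly what a metadata
# dragnet still sees when the payload itself is end-to-end encrypted.
RECORDS = [
    ("+31-600-0001", "+31-600-0002"),
    ("+31-600-0002", "+31-600-0003"),
    ("+31-600-0003", "+31-600-0004"),
    ("alice@example.invalid", "+31-600-0005"),
    ("+31-600-0005", "+31-600-0006"),
    ("+31-600-0007", "+31-600-0008"),   # unrelated pair, never reached
]

# Constructed identifier linkage (function 2): an analyst, or a pattern-matching
# algorithm, has concluded that this phone number and e-mail address belong to
# the same person, here labelled "persona-A".
LINKED_IDENTIFIERS = {
    "+31-600-0001": "persona-A",
    "alice@example.invalid": "persona-A",
}


def canonical(identifier, links):
    """Collapse every known identifier of one person onto a single node."""
    return links.get(identifier, identifier)


def build_graph(records, links):
    """Undirected contact graph keyed on canonical identifiers."""
    graph = defaultdict(set)
    for src, dst in records:
        a, b = canonical(src, links), canonical(dst, links)
        if a != b:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def contact_chain(records, seed, max_hops, links=LINKED_IDENTIFIERS):
    """Breadth-first chaining from a seed identifier (function 1).

    Returns {canonical_identifier: hops} for every node within max_hops of
    the seed, the seed itself included at hop 0.
    """
    graph = build_graph(records, links)
    start = canonical(seed, links)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue                      # do not expand past the hop limit
        for neighbour in graph[node]:
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def triage(records, seed, max_hops=2, links=LINKED_IDENTIFIERS):
    """Rank the chained identifiers (function 3): fewer hops from the seed and
    more distinct contacts rank higher. Returns (identifier, hops, degree)
    rows sorted from most to least 'interesting', seed excluded."""
    graph = build_graph(records, links)
    chained = contact_chain(records, seed, max_hops, links)
    seed_node = canonical(seed, links)
    rows = [(ident, h, len(graph[ident]))
            for ident, h in chained.items() if ident != seed_node]
    rows.sort(key=lambda row: (row[1], -row[2], row[0]))
    return rows


if __name__ == "__main__":
    # Seeding on the phone number alone; the linkage table pulls in the
    # e-mail identity's contacts as well.
    for ident, hops, degree in triage(RECORDS, "+31-600-0001"):
        print(f"{ident:>16}  hops={hops}  contacts={degree}")
```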

    If the metadata dragnet works, that can happen even with encrypted communication.

    It’s only through that process that authorities get around to actually reading content. Authorities will use the metadata dragnet, for example, to choose what content to keep from bulk content collection. It’s likely they’ll collect, but maybe not immediately read, communications that are one or two degrees of separation from identifiers of interest just in case it becomes interesting later. Importantly, the NSA will even keep encrypted communications that, because of their metadata, are of interest.

    The metadata dragnet also helps the intelligence community decide whom to target in its bulky Section 702 PRISM collection, which last year affected more than 92,000 targets and everyone they communicated with. Here, rather than doing the bulk collection itself, the NSA capitalizes on the fact that much of the world uses American tech companies like Google and Facebook to conduct (and often, store) its online communications. So when the triaging process identifies new foreign identifiers that seem important, NSA can ask the tech companies to preserve and share on an ongoing basis everything that’s associated with that identifier, including more metadata. In most cases, NSA will get the content of communications those identifiers have, which they’ll read and store and pull up again in the future if a related identifier is involved.

There are a few exceptions where officials cannot get the contents of communications via PRISM because they’re encrypted at the user level, rather than server level. The most important of these exceptions are WhatsApp and iMessage (and the latter only if users have opted not to use Apple’s cloud to store their communications), as well as any communications users have encrypted on their own. The NSA can’t get this content from Facebook, Apple, or other providers, but it can get metadata, so for users of interest, surveillers should at least know who is communicating with whom as well as some other useful details about them, though not what they’re saying.

    For WhatsApp and iMessage users of interest, as well as those using their own encryption, the intelligence agencies will seek ways to bypass the encryption, often by hacking a user’s device or identifying his IP address and then accessing other devices or Internet accounts using that IP.

    Importantly, however, it takes the triaging process or a particular event (like Friday’s attack) to identify users of such importance that the NSA will make the effort to conduct more targeted spying.

    Finally, there’s old-fashioned physical surveillance and human intelligence, asking people to spy on others. As reflected by the CIA’s recent decision to add a digital innovation unit, even old-fashioned spying is increasingly guided and assisted by communications technology, both in identifying targets but also finding ways and information to compromise those targets. Numerous declassified reports make it clear the FBI uses the American phone dragnet to identify people who might make useful informants. (It also sometimes uses communications content to find intelligence they can use to coerce that cooperation.) Presumably, other intelligence services do the same.

    For targets in a known location that are using very good communications security (by using encryption and ensuring their multiple identities cannot be correlated, not even with geolocation), physical surveillance of known targets (as several of the Paris perpetrators were by authorities) is always an option. The problem with that is it is very time- and labor-intensive—and because France and Belgium have so many potentially dangerous extremists, selecting whom would get that level of attention requires a very good combing process.

    It all comes back to this triage, which is in significant part about how well the intelligence community uses that forest of metadata to pick whom it should target.

    “Knowing who someone communicates with is metadata, not content, and most encrypted protocols (e.g. WhatsApp, Telegram, etc.) don’t change this,” Nicholas Weaver, a researcher at the International Computer Science Institute at UC–Berkeley explains. “In attempting to identify actual threat actors, ‘this person is communicating with ISIS’ is probably all you need to justify more intensive targeted actions, such as system compromise, that bypass any effects of encryption.”

    There are a number of reasons why the dragnet might not work as planned. Some important metadata may be missing, perhaps even from the PlayStation 4 consoles some terrorists have used to communicate, which Belgium’s Interior Minister said has posed particular problems in the days before the attack. (Though there’s no evidence PS4s played a role in this attack.) Some metadata, especially that scraped from content, may be increasingly unavailable if the content itself is encrypted. When individuals keep their online identities rigorously separate, that too makes the dragnet less useful, as it makes it hard to identify a terrorist network. Finally, it may be that the triage process doesn’t always measure the importance of communications effectively.

    In any case, news reports on the investigation into Friday’s attacks have suggested that some of the terrorists involved in the attack—even a figure identified as the possible planner—have had some of their communications analyzed already. If so, enough metadata was available to partially map out this network. If investigators know about these communications now, they could have known about them on Thursday, before the attack. And if they did, investigators might have been able to bypass whatever encryption the terrorists did use.

    The terrorists who conducted Friday’s attack may well have been using encryption. But if so, it appears that the metadata dragnet failed well before agencies got to any encrypted communications.

    By Marcy Wheeler
    NOV. 16 2015 10:44 PM


    © 2015 The Slate Group LLC

Tomgram: Engelhardt, Creating an Un-Intelligence Machine

    The Fog of Intelligence, Or How to Be Eternally “Caught Off Guard” in the Greater Middle East

From nieuwsblog.burojansen.nl

    1,500.

    That figure stunned me. I found it in the 12th paragraph of a front-page New York Times story about “senior commanders” at U.S. Central Command (CENTCOM) playing fast and loose with intelligence reports to give their air war against ISIS an unjustified sheen of success: “CENTCOM’s mammoth intelligence operation, with some 1,500 civilian, military, and contract analysts, is housed at MacDill Air Force Base in Tampa, in a bay front building that has the look of a sterile government facility posing as a Spanish hacienda.”

    Think about that. CENTCOM, one of six U.S. military commands that divide the planet up like a pie, has at least 1,500 intelligence analysts (military, civilian, and private contractors) all to itself. Let me repeat that: 1,500 of them. CENTCOM is essentially the country’s war command, responsible for most of the Greater Middle East, that expanse of now-chaotic territory filled with strife-torn and failing states that runs from Pakistan’s border to Egypt. That’s no small task and about it there is much to be known. Still, that figure should act like a flash of lightning, illuminating for a second an otherwise dark and stormy landscape.

    And mind you, that’s just the analysts, not the full CENTCOM intelligence roster for which we have no figure at all. In other words, even if that 1,500 represents a full count of the command’s intelligence analysts, not just the ones at its Tampa headquarters but in the field at places like its enormous operation at al-Udeid Air Base in Qatar, CENTCOM still has almost half as many of them as military personnel on the ground in Iraq (3,500 at latest count). Now, try to imagine what those 1,500 analysts are doing, even for a command deep in a “quagmire” in Syria and Iraq, as President Obama recently dubbed it (though he was admittedly speaking about the Russians), as well as what looks like a failing war, 14 years later, in Afghanistan, and another in Yemen led by the Saudis but backed by Washington. Even given all of that, what in the world could they possibly be “analyzing”? Who at CENTCOM, in the Defense Intelligence Agency, or elsewhere has the time to attend to the reports and data flows that must be generated by 1,500 analysts?

Of course, in the gargantuan beast that is the American military and intelligence universe, streams of raw intelligence beyond compare are undoubtedly flooding into CENTCOM’s headquarters, possibly overwhelming even 1,500 analysts. There’s “human intelligence,” or HUMINT, from sources and agents on the ground; there’s imagery and satellite intelligence, or GEOINT, by the bushelful. Given the size and scope of American global surveillance activities, there must be untold tons of signals intelligence, or SIGINT; and with all those drones flying over battlefields and prospective battlefields across the Greater Middle East, there’s undoubtedly a river of full motion video, or FMV, flowing into CENTCOM headquarters and various command posts; and don’t forget the information being shared with the command by allied intelligence services, including those of the “Five Eyes” nations, and various Middle Eastern countries; and of course, some of the command’s analysts must be handling humdrum, everyday open-source material, or OSINT, as well — local radio and TV broadcasts, the press, the Internet, scholarly journals, and god knows what else.

    And while you’re thinking about all this, keep in mind that those 1,500 analysts feed into, and assumedly draw on, an intelligence system of a size surely unmatched even by the totalitarian regimes of the twentieth century. Think of it: the U.S. Intelligence Community has — count ‘em — 17 agencies and outfits, eating close to $70 billion annually, more than $500 billion between 2001 and 2013. And if that doesn’t stagger you, think about the 500,000 private contractors hooked into the system in one way or another, the 1.4 million people (34% of them private contractors) with access to “top secret” information, and the 5.1 million — larger than Norway’s population — with access to “confidential and secret” information.

    Remember as well that, in these years, a global surveillance state of Orwellian proportions has been ramped up. It gathers billions of emails and cell phone calls from the backlands of the planet; has kept tabs on at least 35 leaders of other countries and the secretary general of the U.N. by hacking email accounts, tapping cell phones, and so on; keeps a careful eye and ear on its own citizens, including video gamers; and even, it seems, spies on Congress. (After all, whom can you trust?)

    In other words, if that 1,500 figure bowls you over, keep in mind that it just stands in for a far larger system that puts to shame, in size and yottabytes of information collected, the wildest dreams of past science fiction writers. In these years, a mammoth, even labyrinthine, bureaucratic “intelligence” structure has been constructed that is drowning in “information” — and on its own, it seems, the military has been ramping up a smaller but similarly scaled set of intelligence structures.

    Surprised, Caught Off Guard, and Left Scrambling

    The question remains: If data almost beyond imagining flows into CENTCOM, what are those 1,500 analysts actually doing? How are they passing their time? What exactly do they produce and does it really qualify as “intelligence,” no less prove useful? Of course, we out here have limited access to the intelligence produced by CENTCOM, unless stories like the one about top commanders fudging assessments on the air war against the Islamic State break into the media. So you might assume that there’s no way of measuring the effectiveness of the command’s intelligence operations. But you would be wrong. It is, in fact, possible to produce a rough gauge of its effectiveness. Let’s call it the TomDispatch Surprise Measurement System, or TSMS. Think of it as a practical, news-based guide to the questions: What did they know and when did they know it?

    Let me offer a few examples chosen almost at random from recent events in CENTCOM’s domain. Take the seizure at the end of September by a few hundred Taliban fighters of the northern provincial Afghan capital of Kunduz, the first city the Taliban has controlled, however briefly, since it was ejected from that same town in 2002. In the process, the Taliban fighters reportedly scattered up to 7,000 members of the Afghan security forces that the U.S. has been training, funding, and arming for years.

For anyone following news reports closely, the Taliban had for months been tightening its control over rural areas around Kunduz and testing the city’s defenses. Nonetheless, this May, based assumedly on the best intelligence analyses available from CENTCOM, the top U.S. commander in the country, Army General John Campbell, offered this predictive comment: “If you take a look very closely at some of the things in Kunduz and up in [neighboring] Badakhshan [Province], [the Taliban] will attack some very small checkpoints… They will go out and hit a little bit and then they kind of go to ground… so they’re not gaining territory for the most part.”

    As late as August 13th, at a press briefing, an ABC News reporter asked Brigadier General Wilson Shoffner, the U.S. deputy chief of staff for communications in Afghanistan: “There has been a significant increase in Taliban activity in northern Afghanistan, particularly around Kunduz. What is behind that? Are the Afghan troops in that part of Afghanistan at risk of falling to the Taliban?”

    Shoffner responded, in part, this way: “So, again, I think there’s been a lot of generalization when it comes to reports on the north. Kunduz is — is not now, and has not been in danger of being overrun by the Taliban, and so — with that, it’s kind of a general perspective in the north, that’s sort of how we see it.”

That General Campbell at least remained of a similar mindset even as Kunduz fell is obvious enough since, as New York Times reporter Matthew Rosenberg reported, he was out of the country at the time. As Goldstein put it:

    “Mostly, though, American and Afghan officials appeared to be genuinely surprised at the speedy fall of Kunduz, which took place when Gen. John F. Campbell, the commander of coalition forces, was in Germany for a defense conference… Though the Taliban have been making gains in the hinterlands around Kunduz for months, American military planners have for years insisted that Afghan forces were capable of holding onto the country’s major cities.

    “‘This wasn’t supposed to happen,’ said a senior American military officer who served in Afghanistan, speaking on the condition of anonymity. ‘The Afghans are fighting, so it’s not like we’re looking at them giving up or collapsing right now. They’re just not fighting very well.’”

    It’s generally agreed that the American high command was “caught off guard” by the capture of Kunduz and particularly shocked by the Afghan military’s inability to fight effectively. And who would have predicted such a thing of an American-trained army in the region, given that the American-backed, -trained, and -equipped Iraqi Army on the other side of the Greater Middle East had a similar experience in June 2014 in Mosul and other cities of northern Iraq when relatively small numbers of Islamic State militants routed its troops?

    At that time, U.S. military leaders and top administration officials right up to President Obama were, as the Wall Street Journal reported, “caught off guard by the swift collapse of Iraqi security forces” and the successes of the Islamic State in northern Iraq. Peter Baker and Eric Schmitt of the Times wrote in retrospect, “Intelligence agencies were caught off guard by the speed of the extremists’… advance across northern Iraq.” And don’t forget that, despite that CENTCOM intelligence machine, something similar happened in May 2015 when, as Washington Post columnist David Ignatius put it, U.S. officials and American intelligence were “blindsided again” by a very similar collapse of Iraqi forces in the city of Ramadi in al-Anbar Province.

    Or let’s take another example where those 1,500 analysts must have been hard at work: the failed $500 million Pentagon program to train “moderate” Syrians into a force that could fight the Islamic State. In the Pentagon version of the elephant that gave birth to a mouse, that vast effort of vetting, training, and arming finally produced Division 30, a single 54-man unit of armed moderates, who were inserted into Syria near the forces of the al-Qaeda-aligned al-Nusra Front. That group promptly kidnapped two of its leaders and then attacked the unit. The result was a disaster as the U.S.-trained fighters fled or were killed. Soon thereafter, the American general overseeing the war against the Islamic State testified before Congress that only “four or five” armed combatants from the U.S. force remained in the field.

    Here again is how the New York Times reported the response to this incident:

    “In Washington, several current and former senior administration officials acknowledged that the attack and the abductions by the Nusra Front took American officials by surprise and amounted to a significant intelligence failure. While American military trainers had gone to great lengths to protect the initial group of trainees from attacks by Islamic State or Syrian Army forces, they did not anticipate an assault from the Nusra Front. In fact, officials said on Friday, they expected the Nusra Front to welcome Division 30 as an ally in its fight against the Islamic State.

    “‘This wasn’t supposed to happen like this,’ said one former senior American official, who was working closely on Syria issues until recently, and who spoke on the condition of anonymity to discuss confidential intelligence assessments.”

    Now, if accurate, this is wild stuff. After all, how anyone, commander or intelligence analyst, could imagine that the al-Nusra Front, classified as an enemy force in Washington and some of whose militants had been targeted by U.S. air power, would have welcomed U.S.-backed troops with open arms is the mystery of all mysteries. One small footnote to this: McClatchy News later reported that the al-Nusra Front had been poised to attack the unit because it had been tipped off in advance by Turkish intelligence, something CENTCOM’s intelligence operatives evidently knew nothing about.

    In the wake of that little disaster and again, assumedly, with CENTCOM’s full stock of intelligence and analysis on hand, the military inserted the next unit of 74 trained moderates into Syria and was shocked (shocked!) when its members, chastened perhaps by the fate of Division 30, promptly handed over at least a quarter of their U.S.-supplied equipment, including trucks, ammunition, and rifles, to the al-Nusra Front in return for “safe passage.” Al-Nusra militants soon were posting photos of the weapons online and tweeting proudly about them. CENTCOM officials initially denied that any of this had happened (and were clearly in the dark about it) before reversing course and reluctantly admitting that it was so. (“‘If accurate, the report of NSF [New Syrian Forces] members providing equipment to al-Nusra Front is very concerning and a violation of Syria train-and-equip program guidelines,’ U.S. Central Command spokesman Colonel Patrick Ryder said.”)

    To turn to even more recent events in CENTCOM’s bailiwick, American officials were reportedly similarly stunned as September ended when Russia reached a surprise agreement with U.S. ally Iraq on an anti-ISIS intelligence-sharing arrangement that would also include Syria and Iran. Washington was once again “caught off guard” and, in the words of Michael Gordon of the Times, “left… scrambling,” even though its officials had known “that a group of Russian military officers were in Baghdad.”

    Similarly, the Russian build-up of weaponry, planes, and personnel in Syria initially “surprised” and — yes — caught the Obama administration “off guard.” Again, despite those 1,500 CENTCOM analysts and the rest of the vast U.S. intelligence community, American officials, according to every news report available, were “caught flat-footed” and, of course, “by surprise” (again, right up to the president) when the Russians began their full-scale bombing campaign in Syria against various al-Qaeda-allied outfits and CIA-backed opponents of Syrian President Bashar al-Assad. They were even caught off guard and taken aback by the way the Russians delivered the news that their bombing campaign was about to start: a three-star Russian general arrived at the U.S. Embassy in Baghdad to offer an hour’s notice. (Congressional lawmakers are now considering “the extent to which the spy community overlooked or misjudged critical warning signs” about the Russian intervention in Syria.)

    The Fog Machine of American Intelligence

    You get the point. Whatever the efforts of that expansive corps of intelligence analysts (and the vast intelligence edifice behind it), when anything happens in the Greater Middle East, you can essentially assume that the official American reaction, military and political, will be “surprise” and that policymakers will be left “scrambling” in a quagmire of ignorance to rescue American policy from the unexpected. In other words, somehow, with what passes for the best, or at least most extensive and expensive intelligence operation on the planet, with all those satellites and drones and surveillance sweeps and sources, with crowds of analysts, hordes of private contractors, and tens of billions of dollars, with, in short, “intelligence” galore, American officials in the area of their wars are evidently going to continue to find themselves eternally caught “off guard.”

    The phrase “the fog of war” stands in for the inability of commanders to truly grasp what’s happening in the chaos that is any battlefield. Perhaps it’s time to introduce a companion phrase: the fog of intelligence. It hardly matters whether those 1,500 CENTCOM analysts (and all those at other commands or at the 17 major intelligence outfits) produce superlative “intelligence” that then descends into the fog of leadership, or whether any bureaucratic conglomeration of “analysts,” drowning in secret information and the protocols that go with it, is going to add up to a giant fog machine.

    It’s difficult enough, of course, to peer into the future, to imagine what’s coming, especially in distant, alien lands. Cobble that basic problem together with an overwhelming data stream and groupthink, then fit it all inside the constrained mindsets of Washington and the Pentagon, and you have a formula for producing the fog of intelligence and so for seldom being “on guard” when it comes to much of anything.

    My own suspicion: you could get rid of most of the 17 agencies and outfits in the U.S. Intelligence Community and dump just about all the secret and classified information that is the heart and soul of the national security state. Then you could let a small group of independently minded analysts and critics loose on open-source material, and you would be far more likely to get intelligent, actionable, inventive analyses of our global situation, our wars, and our beleaguered path into the future.

    The evidence, after all, is largely in. In these years, for what now must be approaching three-quarters of a trillion dollars, the national security state and the military seem to have created an un-intelligence system. Welcome to the fog of everything.

    Tom Engelhardt is a co-founder of the American Empire Project and the author of The United States of Fear as well as a history of the Cold War, The End of Victory Culture. He is a fellow of the Nation Institute and runs TomDispatch.com. His latest book is Shadow Government: Surveillance, Secret Wars, and a Global Security State in a Single-Superpower World.

    [Note: Nick Turse was my co-conspirator on this piece and I thank him for all his help.]

    Follow TomDispatch on Twitter and join us on Facebook. Check out the newest Dispatch Book, Nick Turse’s Tomorrow’s Battlefield: U.S. Proxy Wars and Secret Ops in Africa, and Tom Engelhardt’s latest book, Shadow Government: Surveillance, Secret Wars, and a Global Security State in a Single-Superpower World.

    Posted by Tom Engelhardt at 7:29am, October 15, 2015.
    [Note to TomDispatch Readers: Here’s a small reminder. TomDispatch keeps itself going to a significant extent thanks to the donations of faithful readers. In return for contributions of $100 or more, we like to offer — as a small but (we hope) meaningful thank you — signed, personalized copies of superlative books that help, like this website, make some sense of our embattled world. Among those on offer at present are Nick Turse’s Tomorrow’s Battlefield and his bestselling Kill Anything That Moves, my own Shadow Government and The End of Victory Culture, David Vine’s Base Nation, and Greg Grandin’s Kissinger’s Shadow. Check out our donation page for the full list. Tom]

    By Tom Engelhardt

    Find this story at 15 October 2015

    Copyright 2015 Tom Engelhardt

    A DEATH IN ATHENS Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?

    From nieuwsblog.burojansen.nl

    JUST OUTSIDE THE MAIN DOWNTOWN part of Athens lies Kolonos, an old Athenian neighborhood near the archaeological park of Akadimia Platonos, where Plato used to teach. Along the maze of narrow streets, flower-filled balconies hang above open-air markets, and locals gather for hours at lazy sidewalk cafes, sipping demitasse cups of espresso and downing shots of Ouzo in quick gulps.

    It was a neighborhood Costas Tsalikidis knew well. He lived at No. 18 Euclid Street, a loft apartment just down the hall from his parents. Slim and dark-haired, with a strong chin and a sly smile, he was born in Athens 38 years earlier to a middle-class family in the construction business. Talented in math and physics from an early age, he earned a degree in electrical engineering from the National Technical University of Athens, considered the most prestigious college in Greece, where he specialized in telecommunications, and later obtained his master’s in computer science in England. Putting his skills to good use, for the last 11 years he had worked for Vodafone-Panafon, also known as Vodafone Greece, the country’s largest cell phone company, and was promoted in 2001 to network-planning manager at the company’s headquarters in the trendy Halandri section of Athens.

    On March 9, 2005, Costas’ brother, Panagiotis, dropped by the apartment. He thought he’d have a coffee before a business meeting scheduled for that morning. But as he entered the building, he found his mother, Georgia, running up and down the corridor yelling for help.

    “Cut him down!” she was saying. “Cut him down!”

    Panagiotis had no idea what she was talking about until he went inside his brother’s apartment and saw Costas hanging from a rope tied to pipes above the lintel of his bathroom door, an old wooden chair nearby. He and his mother cut the rope and laid Costas down on the bed.

    Costas Tsalikidis. Photo: Courtesy of the Tsalikidis family

    The day before his death, Costas’ boss at Vodafone had ordered that a newly discovered code — a powerful and sophisticated bug — be deactivated and removed from its systems. The wiretap, placed by persons unknown, targeted more than 100 top officials, including then Prime Minister Kostas Karamanlis and his wife, Natassa; the mayor of Athens; members of the Ministerial Cabinet; as well as journalists, capturing not only the country’s highest secrets, but also its most intimate conversations. The question was, who did it?

    For a year, the eavesdropping case remained secret, but when the affair finally became public, it was regarded as Greece’s Watergate. One newspaper called it “a scandal of monumental proportions.” And at its center was the dark underside of the 2004 Summer Olympic Games in Athens. While the athletes were competing for medals as millions watched, far in the shadows spies had hacked into the country’s major telecom systems to listen and record.

    A decade later, Costas’ death is caught up in an investigation into what now appears to have been a U.S. covert operation in Greece. Last February, Greek authorities took the extraordinary step of issuing an international arrest warrant for a CIA official the Greeks believe was a key figure in the operation while based in Athens. Unnoticed by the U.S. press, the warrant was a nearly unprecedented action by an allied country. The intelligence official, identified as William George Basil, was accused of espionage and eavesdropping. But by then he had already left the country, and the U.S. government, as it has done for the past 10 years, continues to stonewall Greek authorities on the agency’s involvement.

    The Greek charges only touch the surface, however, and Basil may be less a key figure than simply a spy guilty of poor tradecraft. An investigation by The Intercept has uncovered not only the role of the CIA, but also that of the NSA, as well as how and why the operation was carried out. The investigation began while I was producing a documentary for PBS NOVA on cyberwarfare, scheduled to air on October 14, for which some of the interviews were conducted. In addition, I have had exclusive access to highly classified and previously unreported NSA documents released by Edward Snowden.

    The Intercept, along with the Greek newspaper Kathimerini, interviewed over two dozen people familiar with the wiretapping case, ranging from U.S. intelligence officials and Greek government officials to those involved in the investigation and its aftermath. Many of those interviewed agreed to talk on condition that their names not be used, fearing criminal prosecution for speaking on intelligence matters or professional retribution. While some questions remain, the evidence points to a massive illegal eavesdropping program that may have led to Costas’ tragic death.

    “COSTAS WAS ENGAGED,” his brother, Panagiotis, told me last year. “He was planning to get married.” Like Costas, who was three years younger, Panagiotis spoke fluent English, the product of frequent trips to the U.S., both on business and vacation.

    After a dinner of lamb and hummus at a restaurant not far from the apartment where Costas died, Panagiotis spoke emotionally about his brother. “He had met the woman of his life and they were planning to get married really soon. And for that reason, they were looking to get a house and they had already started buying things that they could use in their new household. Costas was happy and optimistic and things had been working out really good for him.”

    At the time, Panagiotis couldn’t understand what had happened; Costas was in good health and, at least until recently, seemed to love his job at Vodafone. “I thought there was no reason for him to commit suicide,” he said, although he acknowledged Costas had been under more pressure than usual. “In the last year of his life, he was working very hard because Greece had undertaken the Olympic Games of 2004,” he said. “And that meant a lot of hours at work and a lot of planning to beef up the networks.”

    Given the enormous numbers of journalists and tourists who were planning to attend the events, all wanting to communicate, Costas’ workload increased enormously in the months before the games were to begin. Eventually, the technical infrastructure created by the Athens Olympics Organizing Committee for staff and media involved more than 11,000 computers, 23,000 fixed-line telephone devices, and 9,000 mobile phones. But the Olympics ended more than six months before Costas’ death, so there had to be another reason.

    At work, things suddenly began to change. Costas told his brother that he wanted to quit. “He tendered his resignation to the company, but it wasn’t accepted,” Panagiotis told me. “He wanted to get out.” And he sent a text to his fiancée, a piano teacher named Sara Galanopoulou, saying he had to leave his job, adding cryptically that it was a “matter of life and death.”

    As Costas Tsalikidis and his colleagues at Vodafone worked overtime in the months leading up to the games, thousands of miles away another group was also getting ready for the Summer Olympics in Greece: members of the U.S. National Security Agency. But rather than communicating, they were far more interested in listening. According to previously undisclosed documents from the Snowden archive, NSA has a long history of tapping into Olympic Games, both overseas and within the U.S. “NSA has had an active role in the Olympics since 1984 Los Angeles games,” according to a classified document from 2003, “and has seen its involvement increase with the recent games in Atlanta, Sydney, and Salt Lake City. During the 2002 Winter Olympics in Salt Lake City, the focus was on counterterrorism, and NSA acted largely in support of the FBI in a fusion cell known as the Olympics Intelligence Center (OIC). … NSA’s support to the 2004 Olympics in Athens will be much more complicated.”

    In 2004, for the first time since the 9/11 attacks of 2001, the Summer Olympic Games would be held outside the U.S., and thus the difficulties would be far greater. “Several factors will make the Athens Olympics vastly different,” the document continued, “not the least of which is the fact these Olympics will not be held at a domestic location. Also different is that the security organization that NSA will support is the EYP, or Greek National Intelligence Service. NSA will gather information and tip off the EYP of possible terrorist or criminal actions. Without a doubt, the communication between NSA and EYP will take some coordination, and for that reason preparations are already underway.”

    According to a former senior U.S. intelligence official involved with the operation, there was close cooperation between NSA and the Greek government. “The Greeks identified terrorist nets, so NSA put these devices in there and they told the Greeks, OK, when it’s done we’ll turn it off,” said the source. “They put them in the Athens communications system, with the knowledge and approval of the Greek government. This was to help with security during the Olympics.”

    The Olympic Games ran smoothly — there were no serious terrorist threats and Greece had its best medal tally in more than a century. On August 29, 16 days after the games began, closing ceremonies were held at the Athens Olympic Stadium. As 70,000 people watched, Greek performers displayed traditional dances, a symbolic lantern was lit with the Olympic Flame, and Dr. Jacques Rogge, president of the International Olympic Committee, gave a short speech and then officially closed the games.

    Two weeks later, the Paralympics ended, and at that point, keeping their promise to the Greek government, the NSA employees should have quietly disconnected their hardware and deleted their software from the local telecommunications systems, packed up their bugging equipment, and boarded a plane for Fort Meade. The problem was, they didn’t. Instead, they secretly kept the spying operation active, but instead of terrorists, they targeted top Greek officials. According to the former U.S. intelligence official involved with the operation, the NSA began conducting the operation secretly, without the approval or authorization of the CIA chief of station in Athens, the U.S. ambassador, or the Greek government.

    “We had a huge problem right after the Greek Olympics,” the source said. “They [NSA] said when the Olympics is over, we’ll turn it off and take it away. And after the Olympics they turned it off but they didn’t take it away and they turned it back on and the Greeks discovered it. They triangulated some signals, anonymous signals, and it all pointed back to the embassy.”

    At that point, the source said, someone from the Greek government called Richard Eric Pound, the CIA chief of station at the embassy in Athens and the person officially responsible for all intelligence operations in the country. Pound had arrived in May 2004, replacing Michael F. Walker, the agency’s former deputy director of the paramilitary Special Activities Division, as chief of station in Athens. Describing himself as “a small town boy from Indiana who set off to see the world,” Pound had joined the agency in 1976. Hefty and mustachioed, he was a veteran of the agency’s backwater posts in Africa.

    Pound, according to the source, knew nothing about the operation having been turned back on, so he called his boss at CIA headquarters to ask about it. “He says, ‘What in God’s name is this all about?’” said the source (Pound declined to speak to The Intercept). Pound’s boss then immediately called his NSA counterpart. “Oh, yeah, we were going to tell you about that,” the NSA official told Pound’s CIA boss, according to the source. “They didn’t take it out and they turned it back on.”

    National Security Agency Deputy Director John Chris Inglis testifies before the House Select Intelligence Committee on the NSA’s PRISM program, Washington, D.C., June 18, 2013. Photo: Saul Loeb/AFP/Getty Images

    Not informing the chief of station and the ambassador was an enormous breach of protocol. The chain of events surprised another source, a long-time veteran of the CIA’s National Clandestine Service, who was once a colleague of Basil in Athens. “I can’t think of another time in my experience when that ever happened, that’s how unusual it is,” the source said. “I’m astounded by that.”

    In 2006, Chris Inglis became the NSA’s deputy director, the agency’s No. 2 official, who was thus in a position to discover what had happened. In an interview, I questioned him about the scandal and the illegal bugging operation. “Was the NSA involved?” I asked. Inglis offered no denial. “I couldn’t say whether NSA was involved in that or any other activity that might have been alleged to be conducted by an intelligence service, let alone NSA.”

    Inglis did confirm, however, that NSA operations in foreign countries would normally have the approval of the CIA chief of station. “The chief of station,” he said, “would speak on intelligence matters for the nation, or essentially be expected to adjudicate matters on behalf of the nation.” He added, “So if NSA was expected to conduct an intelligence operation physically in some particular place of the world, I would expect that the chief of mission — the ambassador — and that the chief of station — the intelligence rep — would have some influence on that, some kind of ability to understand what it was and to ensure that it was done in the proper way.”

    I also put the question to Gen. Michael Hayden, the NSA director at the time. “Do you remember the incident that came up involving Greece?” I asked. “Not anything we’re going to talk about here,” he said. “Did that come to your attention?” I pressed. “Not something I can talk about,” he replied.

    At the time of the Greek bugging operation, Hayden was also secretly running the NSA’s illegal warrantless eavesdropping and metadata dragnet surveillance programs, the largest domestic spying operations in U.S. history.

    An aerial file photo of the U.S. Embassy in Athens, Greece, Dec. 6, 2002. Photo: Thanassis Stavrakis/AP

    Stonewalled by the U.S., over the past decade Greek investigators were nevertheless able to follow a digital trail right to the front door of the U.S. Embassy in Athens, and then to William George Basil, a mysterious embassy official with a Greek background.

    Although very little is publicly known about Basil, interviews with his relatives and childhood friends in Greece, as well as fellow embassy employees and intelligence officials in Athens and the U.S., shed light on his background.

    Basil was born on December 10, 1950, in Baltimore, where many of his relatives had settled after emigrating from Greece. Much of his extended family came from the small Greek island of Karpathos in the Aegean Sea, a port of call for the Argonauts traveling between Libya and Crete, and mentioned in Homer’s Iliad. There, his ancestors worked as stonemasons and as farmhands in mountainside wheat fields.

    His father, George, had emigrated to the U.S. where Basil and his sister, Maria, spent their early years. But when Basil was 9, his now-divorced father became engaged to a woman from Karpathos and they all traveled to the island for the wedding. An old snapshot shows a young Basil in a suit jacket sitting uneasily on the back of a donkey. After a few months, the family returned to the U.S., then in the 1960s, when Basil was in his early teens, moved back to Karpathos for good.

    Today, childhood friends there still remember Basil as “Billy,” an Americanized youth who liked to spend time on the beach. His cousin Nikos Kritikos often played sports with him. “He played rugby when he was young,” Nikos said. “He was amazingly smart. … We grew up in the same house; his stepmother, Marigoula, raised us.” And Basil’s uncle Manolis Kritikos, a local schoolteacher, remembered him as “a happy kid who smiled.” “He was always restless as a young man, he searched things,” he said. “Most of all he liked the history of this place, the folklore. … And he loved Greece and [the Karpathos village of] Olympos more than anything.”

    Basil, 9 years old, attending his father’s wedding on Karpathos.

    After graduating from high school at the American Community Schools in Athens in 1968, Basil joined the Army for five years and was posted to Alaska. Then, according to Basil’s former CIA colleague, he took a job as a Baltimore County deputy sheriff and later joined the CIA’s Office of Security as a polygraph expert. But, after nearly two decades, said the colleague, he grew bored with strapping recruits and potential agents to lie detector machines and sought a position in the agency’s Directorate of Operations. Largely based on his Greek heritage and fluency in the language, he was accepted and quickly disappeared behind the agency’s heavy black curtain, emerging undercover as a Foreign Service Officer with the State Department.

    With a black diplomatic passport in his pocket, he was soon on his way to Athens, a city he knew well; he had owned an apartment in the city for many years, which he rented out. Soon after arriving, he moved into an apartment near the beach in Glyfada, one of the most exclusive areas of the city, home to ship owners and wealthy business executives. A long-time biker, he would often cruise around the city on his motorcycle.

    At the U.S. Embassy in Athens, he was officially a second secretary in the regional affairs section, later promoted to first secretary. In reality, he joined the CIA station as a terrorism expert. The station, located on the embassy’s top floor (with the forgery section in the basement), was one of the largest in Europe, because it often served smaller Middle East stations with logistical help and temporary personnel. Protected by a bulletproof vest under his shirt, a 9 mm pistol strapped to his belt, and a small M38 handgun on his ankle, Basil, who had a reputation as an Olympic-level shooter, drove around the city in an armored car looking for informants to recruit and liaising with the Greek police organization. According to a confidential report by Greek prosecutor Yiannis Diotis, obtained by The Intercept, Basil played a role in a March 2003 operation — just prior to the U.S. invasion of Iraq — that involved an informant recruited by the embassy’s CIA station. The operation, code-named “Net,” led to the discovery, by a joint U.S.-Greek team, of a small cache of guns and explosives in the basement of the Iraq Embassy in Athens.

    While most CIA assignments to Athens were two years, Basil kept extending his tour, giving him an opportunity to spend time on Karpathos, visiting friends and relatives and playing backgammon. “He never withheld where he was working or what he was doing,” recalled his cousin Nikos. “A lot of times we would call each other and he would tell me, ‘I am in the Middle East.’ His job was to report on the sentiment of those countries’ society. … From what he said he had a lot of friends in high places. I understood that he was acquainted with Ministers of Interior and Ministers of Public Order in Greece.”

    One person who knew Basil in passing was John Brady Kiesling, a now-retired career Foreign Service Officer who had worked as the embassy’s political officer from July 2000 to March 2003. I spoke to him in his apartment in the historic Plaka section of Athens, a labyrinth of winding streets and colorful shops in the shadow of the Acropolis. After leaving his post at the embassy, he decided to remain in Greece, where he has followed the bugging case closely. When I brought up the possibility of the NSA conducting a covert operation out of the embassy, without the knowledge of either the ambassador or the CIA chief of station, he looked surprised. “I would say that a rogue agency was performing it if it was performed without the prior clearance with the ambassador, as the president’s representative in Greece,” he said. “It definitely is something that is hanging as a sort of swinging sword blade over the U.S.-Greek relationship.”

    But according to Basil’s former CIA colleague in Athens, there are occasions when an ambassador is not informed by the agency because of the sensitivity of the operation. However, there was never a time when a chief of station was kept in the dark. “There were times we didn’t inform the ambassador — it was just too sensitive — and we would have to get a waiver signed,” the source said.

    Visa from the U.S. passport of William George Basil.

    A half-dozen miles southwest of Athens is the city of Piraeus. The largest passenger port in Europe and the third largest in the world, it services about 20 million passengers a year. Piraeus is to ships what Chicago’s O’Hare Airport is to planes. There are long rows of ferries, endless quays, hydrofoils and mega-yachts, tankers and cruise ships. It was here, not far from the pier for ferries to Karpathos, that the planning ended and the operation began. According to the Greek prosecutor’s report, on June 8, 2004, someone entered the Mobile Telecommunication Center at 31 Akti Miaouli Street, and in the name of a “Markos Petrou,” purchased the first four of what would eventually be 14 prepaid cell phones.

    They would become the “shadow” phones. As normal calls from Vodafone went to and from legitimate parties, a parallel stream of digitized voice and data — an exact copy — was directed to the NSA’s shadow phones. The data would then be automatically transferred miles away to NSA receivers and computers for monitoring, analysis, and storage.

    Not long after, according to the Snowden documents I reviewed, the NSA contingent began arriving at US-966G, the surveillance agency’s code for the Athens embassy. The planning had already been underway. “Although the first race, dive, and somersault are still a year away,” noted a Signals Intelligence Directorate document, “SID Today,” dated August 15, 2003, “in truth, NSA has been gearing up for the 2004 Olympics for quite some time, in anticipation of playing a larger role than ever before at the international games.” The document then noted that NSA would be sending “the largest contingent of personnel in support of the games in our history. A team of 10 NSA analysts will arrive in Greece anywhere from 30-45 days before the Olympics and stay until the flame is extinguished. … The scope of the Olympics is tremendous, and so will be the support of SID [Signals Intelligence Directorate] and NSA.”

    Then, in a note of unintended irony, the writer added, “The world will be watching and so will NSA!”

    A key part of the operation would be obtaining secret access to the Greek telecom network. And it is here that Costas Tsalikidis may have entered the picture. As a senior engineer in charge of network planning, working for the country’s largest cellular service provider, he would have been one of those in a position to become the team’s inside person. But he was also far from the only one. “Of course, it could have even been me,” said another Vodafone technician interviewed.

    The operation could have been accomplished a number of ways. At the beginning, the installation of the bugging software, while illegal according to Greek law, had been secretly authorized by the Greek government. Thus, an inside person would have been operating outside the law in providing assistance to U.S. intelligence, but with the patriotic objective of helping protect Greece from terrorists. Also, the person may never have been told that the software was supposed to be removed following the conclusion of the games. In any case, it is unlikely that the person would have known who the targets were since they were just lists of phone numbers.

    In fact, recruiting a foreign telecom employee as an “inside person” for a major bugging operation was standard operating procedure for both the NSA and the CIA, according to the senior intelligence official involved with the Athens operation. “What the NSA really doesn’t like to admit, about 70 percent of NSA’s exploitation is human enabled,” the former official said. “For example, at a foreign Ministry of Post and Telecommunications, if NSA determines it needs to get access to that system, NSA and/or the CIA in coordination would come up with a mechanism that would allow them to replicate the existing switch to be swapped out. The CIA would then go and seek out the person who had access to that switch — like a Nortel switch or a router — go in there, and then it would be the CIA that would effect the operation. And then the take from it would be exploited by the NSA.”

    And according to a highly classified NSA document provided by Snowden and previously published by The Intercept, covertly recruiting employees in foreign telecom companies has long been one of the NSA’s deepest secrets. A program code-named “Sentry Owl,” for example, deals with “foreign commercial platform[s]” and “human asset[s] cooperating with the NSA/CSS [Central Security Service].” The document warns that information related to Sentry Owl must be classified at an unusually high level, known as ECI, or Exceptionally Controlled Information, well above top secret.

    “Human intelligence guys can provide sometimes the needed physical access without which you just can’t do the signals intelligence activity,” Gen. Hayden, the NSA head at the time of the Athens bugging, who later ran the CIA, told me.

    Basil’s ties to Greece made him very good at developing local agents. “He was the best recruiter the station had, the best,” said the former CIA associate in Athens. “[Basil] may have been in charge of recruiting the guy on the inside. He may have made the initial recruitment.”

    With an agent in place inside the network, the next step would be to implant spyware capable of secretly transmitting the conversations of the NSA’s targets to the shadow phones where they could be resent to NSA computers. Developing such complex malware is the job of the NSA’s Tailored Access Operations (TAO) organization. And, according to the previously undisclosed Snowden documents, members of the group “performed CNE [Computer Network Exploitation] operations against Greek communications providers” as part of the preparations for the Olympics. In lay terms, this means they developed malware to secretly extract communications data. Also involved were members of the Special Source Operations (SSO) group, the specialists who work covertly with telecom companies, such as AT&T — or in this case Vodafone — to get secret access to their networks.

    The key to the operation was hijacking a particular piece of software, the “lawful intercept” program. Installed in most modern telecom systems, it gave a telecom company the technical capability to respond to a legal warrant from the local government to monitor a suspect’s communications. Vodafone’s central switching equipment was made by Ericsson, the large Swedish company, and on January 31, 2002, Ericsson delivered to Vodafone an upgrade containing the lawful intercept program, a piece of software known as the Remote Control Equipment Subsystem (RES). According to a report by Greece’s Authority for Communication Security and Privacy (ADAE), Costas was the Vodafone employee who accepted delivery of the upgrade.

    Normally, when a lawful warrant is submitted to a company such as Vodafone Greece, the information, including the target phone numbers, would first be logged into a program called the Interception Management System (IMS). This creates a permanent record of the request that can later be audited. The information is then sent to the RES, which initiates the actual monitoring by secretly creating a duplicate communications stream for the targeted number. That duplicate stream is then transmitted, along with the metadata — date, time, and number calling or being called — to the law enforcement agency.

    But despite having the capability to initiate wiretaps with the RES program, at the time of the Olympics Greece did not have laws in place to permit them. As a result, Vodafone never paid the additional fee to Ericsson for the IMS program and the digital key to activate the system. Far behind the NSA, the Greek government had only simple wiretap technology. “All they had was some primitive suitcase methods that would allow very limited surveillance of very specific targets,” said Kiesling, the former U.S. Embassy official. “From an American point of view, that was terrifyingly primitive.”

    Thus, according to Greek sources, prior to the Olympics U.S. officials began asking the Greek government for permission to secretly activate the lawful intercept program, which led to the government agreeing to the U.S. bugging operation. Ironically, the presidential decree permitting widespread eavesdropping was finally enacted on March 10, 2005, the day after Costas’ death.

    For NSA, the missing IMS program was the technical opening its operatives needed. In essence, they created malware that would secretly turn on the RES program and begin tapping. But without the IMS program there would be no audit trail, no indication or evidence that eavesdropping was going on as the target numbers were being tapped and transmitted to the shadow phones by the RES. “It was a very complex system, because it was invisible to detection,” Vodafone Greece CEO George Koronias told investigators. “It functioned independently of whether the lawful interception system was activated, and bypassed the security alarm.”
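
    The gap the paragraphs above describe is that RES activations had no corresponding IMS record, so nothing in the audit trail explained why traffic was being duplicated. The following is an added example, not code from the article, from Ericsson, from Vodafone or from the NSA documents: it models that two-stage design and runs the reconciliation a defender would want, comparing every active intercept target against the warrant ledger. Record layouts, field names, subscriber numbers and delivery addresses are constructed for the example.

```python
"""Reconcile active lawful intercepts against the warrant ledger (added example).

Model of the design described in the article: a warrant is first recorded in
the Interception Management System (IMS), which is what creates the audit
trail, and only then is the target activated in the Remote Control Equipment
Subsystem (RES), which duplicates the target's traffic to a delivery address.
An intercept with no warrant record is exactly what the Athens implant created.
All record layouts, numbers and addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Warrant:
    warrant_id: str
    target: str           # subscriber number named in the warrant
    valid_from: datetime
    valid_to: datetime
    delivery: str         # authorised destination for the duplicate stream

@dataclass(frozen=True)
class ActiveIntercept:
    target: str
    delivery: str         # where RES is actually sending the duplicate stream
    activated_at: datetime

def parse_ims_ledger(text):
    """Parse constructed ledger lines: warrant_id|target|from|to|delivery."""
    warrants = []
    for line in text.strip().splitlines():
        wid, target, start, end, delivery = (f.strip() for f in line.split("|"))
        warrants.append(Warrant(wid, target, datetime.fromisoformat(start),
                                datetime.fromisoformat(end), delivery))
    return warrants

def parse_res_targets(text):
    """Parse constructed RES target lines: target|delivery|activated_at."""
    intercepts = []
    for line in text.strip().splitlines():
        target, delivery, when = (f.strip() for f in line.split("|"))
        intercepts.append(ActiveIntercept(target, delivery, datetime.fromisoformat(when)))
    return intercepts

def reconcile(warrants, intercepts, now):
    """Return (severity, target, reason) for every mismatch between the two.

    Every active intercept must be backed by a warrant that is in force and
    names the same delivery address; otherwise the duplicate stream is going
    somewhere the audit trail does not explain.
    """
    findings = []
    by_target = {}
    for w in warrants:
        by_target.setdefault(w.target, []).append(w)
    for it in intercepts:
        candidates = by_target.get(it.target, [])
        if not candidates:
            findings.append(("CRITICAL", it.target, "intercept active with no warrant record"))
            continue
        in_force = [w for w in candidates if w.valid_from <= now <= w.valid_to]
        if not in_force:
            findings.append(("HIGH", it.target, "intercept active outside every warrant's validity window"))
        elif not any(w.delivery == it.delivery for w in in_force):
            findings.append(("HIGH", it.target, f"duplicate stream delivered to unauthorised address {it.delivery}"))
    active = {it.target for it in intercepts}
    for w in warrants:
        if w.valid_from <= now <= w.valid_to and w.target not in active:
            findings.append(("INFO", w.target, f"warrant {w.warrant_id} in force but no intercept active"))
    return findings

# Constructed sample data: a warrant ledger and an independently obtained dump
# of RES target state. Numbers and delivery addresses are placeholders.
IMS_LEDGER = """
W-001|+30 69 0000 0001|2004-08-01T00:00|2004-10-01T00:00|lea-gw-1
W-002|+30 69 0000 0002|2004-08-01T00:00|2004-10-01T00:00|lea-gw-1
W-003|+30 69 0000 0003|2004-01-01T00:00|2004-06-30T00:00|lea-gw-1
W-004|+30 69 0000 0004|2004-08-01T00:00|2004-10-01T00:00|lea-gw-1
"""
RES_TARGETS = """
+30 69 0000 0001|lea-gw-1|2004-08-09T09:00
+30 69 0000 0003|lea-gw-1|2004-08-09T09:00
+30 69 0000 0009|unregistered-ms-7|2004-08-09T09:05
+30 69 0000 0004|unregistered-ms-7|2004-08-09T09:05
"""

def run_example(now=datetime(2004, 8, 20)):
    return reconcile(parse_ims_ledger(IMS_LEDGER), parse_res_targets(RES_TARGETS), now)

if __name__ == "__main__":
    for severity, target, reason in run_example():
        print(f"{severity:8} {target}  {reason}")
```

    The one design point that matters is where the list of active targets comes from. An implant built to be "invisible to detection" will not report its targets through the subsystem's own status interface, so the RES side of this comparison has to be taken from an out-of-band source such as a configuration dump or the switch's forwarding state, which is in effect what Ericsson's analysis of Vodafone's logs and data dumps amounted to.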

    Exploiting the weaknesses associated with lawful intercept programs was a common trick for NSA. According to a previously unreleased top-secret PowerPoint presentation from 2012, titled “Exploiting Foreign Lawful Intercept Roundtable,” the agency’s “countries of interest” for this work included, at that time, Mexico, Indonesia, Egypt, and others. The presentation also notes that NSA had about 60 “Fingerprints” — ways to identify data — from telecom companies and industry groups that develop lawful intercept systems, including Ericsson, as well as Motorola, Nokia, and Siemens.

    There are also a variety of “Access Methods” used to penetrate other countries’ lawful intercept programs. These include using the highly secret Special Collection Service. Known internally as “F-6,” it is described in another Snowden document as “a joint NSA-CIA organization whose mission is to covertly collect SIGINT [Signals Intelligence] from official U.S. establishments abroad, such as embassies and consulates.” The organization’s job, according to the PowerPoint, is to intercept microwaves, the thousands of communications-packed signals that crisscross a city. The PowerPoint also suggested using the Special Source Operations unit, the people who work out secret arrangements with the local telecom companies. And with the Tailored Access Operations unit, techniques could be developed to hack into the country’s telecom systems. For the Athens Olympics operation, it would be a full house.

    With the malware installed, the NSA was set to go, with more than a dozen shadow phones purchased and a contingent of employees from at least 11 different NSA organizations poised to begin eavesdropping during “24-hour watches.” According to the ADAE report, the tappers first activated the malware at Vodafone’s communications centers on August 4, 2004, and five days later they began inserting the target phone numbers. Then on September 28, following the conclusion of the Paralympic Games, some of the malware was removed. But less than a week later, long after the Olympic Torch had been extinguished, new malware was implanted.

    “And then,” said Kiesling, looking both troubled and perplexed, “the mystery becomes why it continued after the Olympics, and that’s a mystery that still has not been solved.” It was a question I asked a former senior NSA official with long involvement in worldwide eavesdropping operations. “They never [remove it],” the official said with a laugh. “Once you have access, you have access. You have the opportunity to put implants in, that’s an opportunity.”

    “FEVER,” COSTAS WROTE. Several of the antennas used for the bugging operation were heating up, and to Costas, it was as if they had a fever. After the Olympic Games concluded, Costas started having problems at work. In the weeks following Costas’ death, his brother discovered one of his notebooks, dating from October and November 2004, after the Olympics, and it described a number of incidents. “In his notes he said that at certain points in time certain antennas seemed to get overworked and they were trying to figure out why that was happening,” said Panagiotis. “Now it turned out that those antennas were the same antennas that were connected with the system of the wiretapping.” In another entry, which Panagiotis submitted to the prosecutor, Costas wrote about a month before he died: “Something is not right at the company.”

    Then, at 7:56 p.m. on January 24, 2005, someone installed a routine update in the NSA’s bugging software at Vodafone’s facility in the Paiania section of the city. It would turn out to be anything but routine. Within seconds, errors appeared, which caused hundreds of text messages from customers to go undelivered, and people began complaining. At the same time, an automatic failure report was sent to Vodafone management. It was as if a burglar alarm had gone off during a robbery. As normally happens, Vodafone sent the voluminous logs and data dumps to Ericsson for analysis, while those involved quietly waited — and worried. The once cheerful and upbeat Costas turned glum and angry. “We have heard that Costas was in meetings inside the company, in meetings that were very loud and a lot of people were arguing,” said Panagiotis. “He tendered his resignation to the company, but it wasn’t accepted. … He wanted to get out.”

    On March 4, after weeks of investigation, Ericsson notified Vodafone that it had discovered a sophisticated piece of malware, containing a hefty 6,500 lines of code — evidence of a large bugging operation. The company also turned up the target phone numbers of the prime minister and his wife, the mayor of Athens, members of the Ministerial Cabinet, and scores of high officials, as well as the numbers for the shadow phones and the metadata describing when the calls were made.

    Three days later, Vodafone technicians isolated the malware. Then on March 8, before law enforcement had an opportunity to get involved, Koronias, the Vodafone Greece CEO, ordered the software deactivated and removed, thus hampering any future investigation. Apparently alerted, those involved in the bugging operation immediately turned off their shadow phones. “Vodafone’s decision to deactivate the software meant our hands were tied,” Yiannis Korandis, the chief of the EYP, the Greek National Intelligence Service, told investigators.

    The next morning Panagiotis discovered his brother’s body hanging from a white rope tied to a pipe above the bathroom doorway. To this day, he is convinced that Costas was murdered to keep him quiet and prevent him from quitting and going public with the details. “He probably wanted answers there and then and I think that led to his demise,” he said. The bugging, Panagiotis suspects, may have been the reason Costas sent the text to his fiancée about leaving his job being a “matter of life and death.”

    Vodafone Greece CEO George Koronias holds documents in April 2006 before the start of a parliamentary committee hearing investigating the phone-tapping scandal. Photo: Louisa Gouliamaki/AFP/Getty Images

    Within hours of Costas’ death, Ericsson prepared a formal “Incident Case Description,” outlining technical details about the malware and how it worked. It contained the warning: “This document is to be treated as highly confidential and … all necessary steps to protect this information must be taken, including the mandatory use of Entrust encryption within Ericsson.” After seven pages of technical detail, the report concluded that someone had loaded unauthorized “corrections,” i.e. malware implants, “designed to introduce RES functionality in such a way that it is not visible to any observer. Neither Ericsson nor Vodafone have any knowledge of the corrections. Nor is it known who supplied the correction, who loaded them or how long they have been loaded in the network.” In other words, someone had introduced malware to secretly activate the lawful intercept’s tapping function while at the same time hiding the fact that it had been turned on. On March 10, the report was turned over to Vodafone Greece CEO Koronias.

    The Tsalikidis family’s former lawyer, Themistoklis Sofos, believes that Costas discovered the spy software by chance and then reported it. “Some people were afraid that he would talk so they killed him in a professional manner,” he told a Greek newspaper. Although the official coroner’s report said he took his own life, no suicide note was ever found, and the initial forensic report was inconclusive.

    Nevertheless, Supreme Court prosecutor Dimitris Linos said that Costas’ death was clearly tied to the eavesdropping operation. “If there had not been the phone tapping, there would not have been a suicide,” he said in June 2006. In his report, prosecutor Yiannis Diotis also said that Costas had knowledge of the illegal phone-tapping software. And Giorgos Constantinopoulos, a former colleague in charge of communications security for Vodafone, reportedly told prosecutors that he was sure Costas was in a position to know about the spy software, and that his death was likely connected to that discovery.

    THROUGHOUT THIS PAST SUMMER in Athens as the debt crisis mounted, crowds of pro-government demonstrators filled Syntagma Square shouting angry chants against European creditors. A few blocks away on Panepistimiou Street, an anarchy symbol was spray-painted on the walls of the headquarters of the Bank of Greece. And behind the Doric columns and yellow neo-classical façade of the Parliament Building, nervous politicians huddled and debated what to do next.

    But a mile and a half away, in a heavily guarded compound near Pedion tou Areos, one of the largest parks in Athens, prosecutors were finally bringing to a close a decade of investigations. And on June 26 the finger of guilt was pointed directly at America’s Central Intelligence Agency. Now it is up to the Justices’ Council to decide how to proceed, and it may prove very embarrassing for the United States.

    From the very start, according to a former senior Greek official involved in the investigation, there was no doubt within the highest levels of government that the U.S. was behind the bugging. On Friday, March 25, 2005, two weeks after Panagiotis cut the rope from his brother’s neck, Greeks celebrated Independence Day, followed by a weekend of festivities. But in Maximos Mansion, the Greek White House, the talk was far from jubilant. As Greek Navy helicopters flew low over the Acropolis during a military parade, members of the Greek inner circle were meeting with Prime Minister Costas Karamanlis about the bugging scandal that had targeted him and his wife.

    A few days before, Foreign Minister Petros Molyviatis was in Washington engaged in high-level meetings with top officials. Secretary of State Condoleezza Rice spoke of the “excellent state of relations between Greece and the United States,” and President George W. Bush issued a proclamation declaring “our special ties of friendship, history, and shared values with Greece.” He noted, “Our two Nations are founded on shared ideals of liberty.” But based on the investigation up to that point, close aides, including Foreign Minister Molyviatis, were convinced that U.S. intelligence was behind the operation. Although at least one member of the group wanted to bury the whole matter rather than cause a rupture in relations with the U.S., Karamanlis disagreed, according to the source. “No way,” Karamanlis said. “If they find this on us 10 years from now, things will prove really difficult.”

    The decision was made to have the police and the EYP intelligence service launch an investigation. Although far from exhaustive, with many questions left unanswered, Minister of Public Order George Voulgarakis and several other officials finally held a televised press conference in February 2006. Scribbling with a blue marker on a white board, they noted that the 14 shadow cell phones were using four mobile phone antennas with a radius of about 2 kilometers in central Athens.

    Within that area was the U.S. Embassy on Vassilissis Sofias Avenue, which turned out to be a matter of great embarrassment for both the U.S. and Greek governments. “The U.S. has been fingered in the media as the culprit,” U.S. Ambassador Charles P. Ries noted in a classified memo to Washington, released by WikiLeaks. Ries suspected Voulgarakis of the leak. Calling him “a less reliable ally,” Ries said Voulgarakis “has allowed rumors to circulate that the U.S. is behind [the] major eavesdropping case in Greece.” Nevertheless, both sides wanted to pretend all was normal. Thus, Foreign Minister Molyviatis suggested to Ries that they move a previously scheduled meeting between them from the ambassador’s residence to the very public Grande Bretagne Hotel in central Athens. There, Ries noted in his memo, “All could see that the U.S.-Greece relationship was unimpaired.”

    It was an odd lunch. Molyviatis was sitting across from the man whose embassy, he believed, had been listening in on his cell phone for months. And Ries, out of the loop because it was a rogue NSA/CIA operation, still may not have known of his embassy’s involvement. “Addressing the eavesdropping case,” Ries said in his memo, “Molyviatis gave his opinion that the whole hullabaloo [the press conference] had been unnecessary. It would have been sufficient to hand the matter to the judicial authorities for investigation and, if appropriate, prosecution, he said. But now, both he and the Prime Minister were keen to show that the current hysteria did not detract from excellent U.S.-Greece relations.”

    For some, however, the cozy relations only seemed to increase the anger. In May, a Greek terrorist organization, “Revolutionary Struggle,” attempted to assassinate Voulgarakis with a remote-controlled bomb. Pointing to the wiretapping scandal and weakening Greek sovereignty as a key reason for the attack, the group said it opposed state-sponsored “terrorism of mass surveillance.” At the U.S. Embassy, the deputy chief of mission sent a classified cable to Washington, released by WikiLeaks, with a warning. “This group is to be taken seriously,” he said. “While there is no mention thus far of targeting foreign ‘capitalist-imperialists,’ it would not be a leap of faith for RS to focus its attention on the U.S. presence in Greece.” Ten months later, the group fired a rocket at the embassy.

    Around the time the eavesdropping was discovered, Basil left the country, apparently with a quick reassignment by CIA to Sudan. Then, according to Greek documents obtained by The Intercept, on August 4, as things quieted down, he obtained a visa at the Greek Embassy in Khartoum and returned 10 days later to Athens and his cover job as first secretary for regional affairs. The diplomatic position gave him immunity from arrest.

    The investigation was the first of what would be five major probes stretching over a decade in which more than 500 witnesses would be questioned, including agents of the EYP. Evidence built up slowly as investigators picked apart the telltale computer logs, traced the cell phone signals, and dissected layers and layers of software. Over the years, piece after piece, the puzzle began to come together.

    In his testimony, Ericsson’s managing director for Greece, Bill Zikou, laid out the “how,” describing the method by which the bugging was accomplished. “What happened in this incident,” he said, “is that a complex, sophisticated, non-Ericsson intruder piece of software was planted into the Vodafone Greece network,” which by activating the RES function “thus made illegal interceptions possible.”

    William George Basil. Date unknown. Photo: Facebook

    Then investigators turned to the “who.” At the conclusion of its operation, the NSA was hoping that it could disappear into the night without leaving a trace. “Unlike the athletes, when the Olympics are over, the NSA team is hoping you won’t even know they were there,” said one of the classified documents. It bore the ironic title, “Another Successful Olympics Story.” But as a result of sloppy intelligence tradecraft by the American spies, each step pointed the investigators closer and closer to the U.S.

    One person who spent a great deal of time buying shadow phones was William Basil. “We used to call him the telephone man,” said the former CIA colleague in Athens. “All we do is we buy burner phones. Just drive in any direction you want and go to a random phone store and just buy a phone, make a call, and throw the phone away.”

    But Basil wasn’t the only one buying shadow phones. According to the prosecutor’s confidential report, issued June 26, 2015 and obtained by The Intercept, investigators traced four of the shadow cell phones to the shop in Piraeus. There, the prosecutor showed pictures of Basil and his wife, Irene, to the store’s manager. “She is known” to the store, the manager said. The prosecutor then noted in his report that Irene was “acting as designated by him [Basil] and on his behalf.” And according to registered deeds, the family of Irene Basil has long owned a home in Piraeus just a few miles from the shop.

    Things got even sloppier. After purchasing the four shadow phones, meant to be untraceable, the SIM card from one of them was removed and placed in a cell phone registered to the U.S. Embassy. It was a direct link between the covert operation and the U.S. government. Investigators then traced more than 40 calls to and from the U.S. Embassy involving the phone. The numbers listed in the ADAE report include the embassy’s main number, the emergency after-hours number, the Marine guard, and the FBI office. There was even a call to a women’s clothing store in Athens, Rouge Paris.

    Then, on the same shadow phone using another SIM card, investigators found calls to Maryland. Based on the phone numbers, The Intercept was able to determine that those calls were made to Ellicott City, where Basil and his wife used to own property, and to neighboring Catonsville, both bedroom communities for NSA. The implications greatly worried the investigators. “We were scared,” one told a parliamentary committee. “This is something that the Foreign and Justice Ministries should investigate.”

    Finally, after years of slow, ineffective, and politically hindered investigations that produced more fog than clarity, the determined work of the ADAE and a few others began paying off. The evidence pointed at the U.S. Embassy, and with a bit of luck and thanks to the American spies’ mistakes, prosecutors came up with a name, William Basil, and the international arrest warrant was issued last February.

    But by then, he was long gone. After Athens, Basil was promoted to deputy chief of station in Islamabad, Pakistan, then sent back to a desk job at headquarters, that of director of human resources at the agency’s Counterterrorism Center. Now retired and no longer protected by diplomatic immunity, he may never see Greece again, the country where his wife currently lives in her family’s home in Piraeus. In 2012, according to a petition he signed protesting a planned marine park on Karpathos, he wrote, “I own property in Karpathos and plan to retire there next year.”

    Today the two-story house near the beach in Diafani sits empty; construction materials are stacked on the porch, its exterior unpainted. Nearby, friends and relatives can’t believe that Billy from Karpathos could have secretly wiretapped their top officials, or spied on their government. “There’s no way he did what they say he did,” said Basil’s cousin Nikos. “Because of his love [for] Greece, they would know that if that thing [the wiretapping] needed to be done, they would most certainly ask somebody else to do it. No way he did it. It is well known that he was first and foremost a Greek patriot.”

    Months before the arrest warrant was issued, Basil had been in touch by phone with a prominent criminal lawyer in Athens, Ilias G. Anagnostopoulos, according to a Greek source, who asked not to be named because of the confidential nature of the information. When asked by the attorney if he would be willing to testify if it came to that, Basil, according to the source, replied: “If there are questions, of course I can answer them.” The attorney met with the prosecutor, but after leaks to the press, Basil told Anagnostopoulos to drop the matter for the time being. Complicating matters, the prosecutor has filed the eavesdropping case alongside a much larger, but unconnected, conspiratorial case involving an assassination attempt on former Prime Minister Karamanlis, a key target of the wiretapping operation.

    CIA Chief of Station Eric Pound left Athens in 2007, returning to headquarters to become chief of the External Operations and Cover Division, the organization responsible for creating front companies overseas for clandestine officers masquerading as business executives or other occupations. After he retired in September 2009, Pound mentioned to a college audience that the CIA has an obsession to learn the truth. He added, “But obsession does not always lead to success.”

    Costas Tsalikidis, March 9, 2005.

    Panagiotis and other family members also want the truth. In 2011, Costas’ family asked two coroners to reexamine the medical records. One was Dr. Steven Karch, a forensic pathologist and former medical examiner in San Francisco, and the other was Dr. Theodoros Vougiouklakis, an associate professor of forensic medicine in Greece. Karch called the original autopsy “farcical.” Based on pictures of the body, the coroners concluded that the marks to Costas’ neck couldn’t have come from simply jumping off the chair. “Something was done to him prior,” Karch told The Intercept.

    The family agrees with this conclusion. “I believe there are people who know what happened, what exactly and who exactly did it and they will give us those facts,” said Panagiotis. “I believe that as time goes by the reasons for protecting the perpetrators will fade and mouths will open.” Last March, on the 10th anniversary of Costas’ death, his mother spoke to a local Greek reporter for the first time. “I want to know what happened to my child and nobody that investigated until now, 10 years [later], gave me the slightest response,” she said. “As long as I live I will live with this suffering. I want to punish those who are guilty for what happened, and those who know [but] do not speak.”

    There appears little chance that her questions will be answered, however. It is extremely unlikely the Obama administration will ever allow Basil, or any other intelligence official, to be extradited. Nor is it likely that Basil will return to Greece voluntarily with an arrest warrant waiting for him. Around 2009 he appeared in a Facebook picture, seemingly in disguise, sporting a long white beard and moustache. “Dude, Santa’s job isn’t available for what … another seven months,” a friend joked on Facebook. Though he has not responded to requests for an interview, pictures online show him in Greece in 2013 attending his daughter’s wedding, without the beard, in the Glyfada section of Athens. Multiple attempts to reach Basil by phone, and through family members, were unsuccessful. Both the CIA and NSA declined to comment on any issue surrounding the Athens wiretapping, including Basil’s indictment.

    As for the NSA, a classified review of the Greek Olympics asked the now ironic question, “After this year’s gold medal performance, what comes next?” Next will certainly be the Olympics scheduled for Rio de Janeiro, Brazil, next summer. According to a previously published top-secret NSA slide, the agency has already planted malware throughout the country’s telecommunications system. And, if history is any guide, in the weeks leading up to the start of the games, teams from the SCS, SSO, TAO, and other organizations will arrive once again to begin 24/7 eavesdropping. And as in Greece, they may just happen to leave some of their monitoring equipment behind.

    Sitting in his apartment overlooking Athens’ Plaka, John Brady Kiesling could make little sense of it all. “I don’t see a shred of evidence that this wiretapping did the U.S. government any good,” he said. “I think it’s just important to underscore that intelligence gathering is never free. It always comes at a human and political cost to someone. In this case it was paid by an innocent Vodafone technician.”

    Aggelos Petropoulos of the Athens-based newspaper Kathimerini contributed reporting from Greece, and Ryan Gallagher, senior reporter at The Intercept, contributed research and reporting from the Snowden Archive.

    Documents published with this story:

    Another Successful Olympics Story
    Exploiting Foreign Lawful Intercept Roundtable
    Gold Medal Support for Olympic Games
    NSA Team Selected for Olympics Support
    SID Trains for Athens Olympics

    James Bamford
    Sep. 29 2015, 4:01 a.m.

    Find this story at 29 September 2015
    Copyright https://theintercept.com/

    BEHIND THE CURTAIN A Look at the Inner Workings of NSA’s XKEYSCORE (II)

    From nieuwsblog.burojansen.nl

    The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.

    In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.

    This global Internet surveillance network is powered by a somewhat clunky piece of software running on clusters of Linux servers. Analysts access XKEYSCORE’s web interface to search its wealth of private information, similar to how ordinary people can search Google for public information.

    Based on documents provided by NSA whistleblower Edward Snowden, The Intercept is shedding light on the inner workings of XKEYSCORE, one of the most extensive programs of mass surveillance in human history.

    How XKEYSCORE works under the hood

    It is tempting to assume that expensive, proprietary operating systems and software must power XKEYSCORE, but it actually relies on an entirely open source stack. In fact, according to an analysis of an XKEYSCORE manual for new systems administrators from the end of 2012, the system may have design deficiencies that could leave it vulnerable to attack by an intelligence agency insider.

    XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.

    John Adams, former security lead and senior operations engineer for Twitter, says that one of the most interesting things about XKEYSCORE’s architecture is “that they were able to achieve so much success with such a poorly designed system. Data ingest, day-to-day operations, and searching is all poorly designed. There are many open source offerings that would function far better than this design with very little work. Their operations team must be extremely unhappy.”

    Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.

    As of 2009, XKEYSCORE servers were located at more than 100 field sites all over the world. Each field site consists of a cluster of servers; the exact number differs depending on how much information is being collected at that site. Sites with relatively low traffic can get by with fewer servers, but sites that spy on larger amounts of traffic require more servers to filter and parse it all. XKEYSCORE has been engineered to scale in both processing power and storage by adding more servers to a cluster. According to a 2009 document, some field sites receive over 20 terabytes of data per day. This is the equivalent of 5.7 million songs, or over 13 thousand full-length films.

    This map from a 2009 top-secret presentation does not show all of XKEYSCORE’s field sites.

    When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.

    There might be security issues with the XKEYSCORE system itself as well. As hard as software developers may try, it’s nearly impossible to write bug-free source code. To compensate for this, developers often rely on multiple layers of security; if attackers can get through one layer, they may still be thwarted by other layers. XKEYSCORE appears to do a bad job of this.

    When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

    There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.
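    One defensive check that follows from this is to look at the database side of the audit trail: if every analyst query reaches the content tables through the audited web application's database account, then any read of those tables from another account is a query that never passed the web front end. The example below is added here and is not code from the article or the documents; it uses the layout of a MySQL general query log with constructed entries, and the account names, table names and host addresses are assumptions.

```python
import re

# Constructed excerpt in the layout of a MySQL general query log
# (time, connection id, command, argument). Account names, hosts and
# table names are assumptions for this example, not values from the documents.
SAMPLE_QUERY_LOG = """\
150702 10:00:01    12 Connect   xksweb@10.1.1.5 on content
150702 10:00:02    12 Query     SELECT body FROM sessions WHERE id=42
150702 10:00:03    12 Quit
150702 10:05:00    13 Connect   oper@localhost on content
150702 10:05:07    13 Query     SELECT email, body FROM sessions WHERE body LIKE '%meeting%'
150702 10:06:00    13 Query     SHOW TABLES
150702 10:07:00    14 Connect   oper@localhost on content
150702 10:07:01    14 Query     SELECT COUNT(*) FROM stats s JOIN sites t ON s.site=t.id
"""

LOG_RE = re.compile(r"^\d{6} \d\d:\d\d:\d\d\s+(?P<id>\d+) (?P<cmd>\w+)\s*(?P<arg>.*)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+(\w+)", re.I)

# Tables holding intercepted content; only the audited web application's
# database account (assumed name "xksweb") is expected to read them.
SENSITIVE_TABLES = {"sessions"}
AUDITED_ACCOUNTS = {"xksweb"}


def parse_query_log(text):
    """Yield (conn_id, command, argument) tuples from the constructed log."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m["id"]), m["cmd"], m["arg"].strip()


def tables_in(query):
    """Table names referenced by FROM/JOIN/INTO/UPDATE clauses (lower-cased)."""
    return {t.lower() for t in TABLE_RE.findall(query)}


def find_unaudited_reads(text, sensitive=SENSITIVE_TABLES, audited=AUDITED_ACCOUNTS):
    """Return queries that touch sensitive tables on a connection whose
    database account is not the audited application account."""
    conn_user = {}  # connection id -> account name from its Connect line
    findings = []
    for conn_id, cmd, arg in parse_query_log(text):
        if cmd == "Connect":
            conn_user[conn_id] = arg.split("@", 1)[0]
        elif cmd == "Query":
            user = conn_user.get(conn_id, "?")
            touched = tables_in(arg) & sensitive
            if touched and user not in audited:
                findings.append({"conn": conn_id, "user": user,
                                 "tables": sorted(touched), "query": arg})
    return findings


if __name__ == "__main__":
    for f in find_unaudited_reads(SAMPLE_QUERY_LOG):
        print(f"conn {f['conn']} as {f['user']} read {f['tables']}: {f['query']}")
```

    The check is only as good as the separation it assumes: it depends on the application account being the sole audited path and on the query log itself being written somewhere the administrators cannot edit. The aggregate query on the "stats" table in the sample is left alone because it does not touch content tables.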

    AppIDs, fingerprints and microplugins

    Collecting massive amounts of raw data is not very useful unless it is collated and organized in a way that can be searched. To deal with this problem, XKEYSCORE extracts and tags metadata and content from the raw data so that analysts can easily search it.

    This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.”

    One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

    PGP-encrypted messages are detected with the “encryption/pgp/message” fingerprint, and messages encrypted with Mojahedeen Secrets 2 (a type of encryption popular among supporters of al Qaeda) are detected with the “encryption/mojaheden2” fingerprint.

    When new traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern. A slideshow presentation from 2010 says that XKEYSCORE contains almost 10,000 appIDs and fingerprints.

    AppIDs are used to identify the protocol of traffic being intercepted, while fingerprints detect a specific type of content. Each intercepted stream of traffic gets assigned up to one appID and any number of fingerprints. You can think of appIDs as categories and fingerprints as tags.

    If multiple appIDs match a single stream of traffic, the appID with the lowest “level” is selected (appIDs with lower levels are more specific than appIDs with higher levels). For example, when XKEYSCORE is assessing a file attachment from Yahoo mail, all of the appIDs in the following slide will apply, however only “mail/webmail/yahoo/attachment” will be associated with this stream of traffic.

    To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).
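    The selection rule in the two preceding paragraphs (one appID per stream chosen by lowest level, any number of fingerprints as tags) can be written out as a small classifier. The example below is added here and is not XKEYSCORE code or GENESIS; the rule names are the ones the article quotes, while the regular expressions, levels, hostnames, URL paths and cookie name are constructed assumptions standing in for the real rule bodies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str       # directory-tree style name, as quoted in the article
    kind: str       # "appid" (at most one per stream) or "fingerprint" (any number)
    pattern: str    # constructed regex standing in for a GENESIS rule body
    level: int = 0  # appIDs only: a lower level means a more specific appID


# Rule names come from the article; patterns, levels, hostnames, paths and
# the cookie name are assumptions made for this example.
RULES = [
    Rule("http/get", "appid", r"^GET ", level=9),
    Rule("mail/webmail/yahoo", "appid", r"^Host: .*mail\.yahoo\.com", level=5),
    Rule("mail/yahoo/login", "appid", r"^POST /login", level=3),
    Rule("mail/webmail/yahoo/attachment", "appid", r"^GET /attachment", level=1),
    Rule("mail/arabic", "fingerprint", r"^Accept-Language: ar\b"),
    Rule("mail/yahoo/ymbm", "fingerprint", r"^Cookie: .*\bymbm="),
    Rule("encryption/pgp/message", "fingerprint", r"^-----BEGIN PGP MESSAGE-----"),
]
COMPILED = [(rule, re.compile(rule.pattern, re.M)) for rule in RULES]

# Constructed sample streams (header excerpts only).
YAHOO_LOGIN_AR = (
    "POST /login HTTP/1.1\n"
    "Host: login.mail.yahoo.com\n"
    "Accept-Language: ar-SA,ar;q=0.8\n"
    "Cookie: B=abc; ymbm=def\n"
)
YAHOO_ATTACHMENT = (
    "GET /attachment?id=17 HTTP/1.1\n"
    "Host: us-mg5.mail.yahoo.com\n"
    "Accept-Language: en-US\n"
)
PGP_MAIL = (
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA0constructedciphertext\n"
    "-----END PGP MESSAGE-----\n"
)


def matching_appids(stream: str) -> List[str]:
    """Every appID whose pattern matches, before the level rule is applied."""
    return sorted(r.name for r, rx in COMPILED if r.kind == "appid" and rx.search(stream))


def classify(stream: str) -> Tuple[Optional[str], List[str]]:
    """Assign at most one appID (lowest level wins) and all matching fingerprints."""
    appids, fingerprints = [], []
    for rule, rx in COMPILED:
        if rx.search(stream):
            (appids if rule.kind == "appid" else fingerprints).append(rule)
    # lowest level is the most specific; ties broken by name for determinism
    appid = min(appids, key=lambda r: (r.level, r.name)).name if appids else None
    return appid, sorted(r.name for r in fingerprints)


if __name__ == "__main__":
    for label, stream in [("yahoo login (ar)", YAHOO_LOGIN_AR),
                          ("yahoo attachment", YAHOO_ATTACHMENT),
                          ("pgp message", PGP_MAIL)]:
        print(label, "->", classify(stream))
```

    Run on the constructed Yahoo attachment stream, three appIDs match but only "mail/webmail/yahoo/attachment" is kept, as the text describes; the Arabic-language login stream gets "mail/yahoo/login" as its appID and both "mail/arabic" and "mail/yahoo/ymbm" as tags. The PGP stream shows the "up to one" side of the rule: no appID matches at all, and the stream carries only the fingerprint.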

    Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.

    Here’s an example of a microplugin fingerprint for “botnet/conficker_p2p_udp_data,” which is tricky botnet traffic that can’t be identified without complicated logic. A botnet is a collection of hacked computers, sometimes millions of them, that are controlled from a single point.

    Here’s another microplugin that uses C++ to inspect intercepted Facebook chat messages and pull out details like the associated email address and body of the chat message.

    One document from 2009 describes in detail four generations of appIDs and fingerprints, which begin with only the ability to scan intercepted traffic for keywords, and end with the ability to write complex microplugins that can be deployed to field sites around the world in hours.

    If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.

    Illustration for The Intercept by Blue Delliquanti

    Documents published with this article:

    Advanced HTTP Activity Analysis
    Analyzing Mobile Cellular DNI in XKS
    ASFD Readme
    CADENCE Readme
    Category Throttling
    CNE Analysis in XKS
    Comms Readme
    DEEPDIVE Readme
    DNI101
    Email Address vs User Activity
    Free File Uploaders
    Finding and Querying Document Metadata
    Full Log vs HTTP
    Guide to Using Contexts in XKS Fingerprints
    HTTP Activity in XKS
    HTTP Activity vs User Activity
    Intro to Context Sensitive Scanning With XKS Fingerprints
    Intro to XKS AppIDs and Fingerprints
    OSINT Fusion Project
    Phone Number Extractor
    RWC Updater Readme
    Selection Forwarding Readme
    Stats Config Readme
    Tracking Targets on Online Social Networks
    TRAFFICTHIEF Readme
    Unofficial XKS User Guide
    User Agents
    Using XKS to Enable TAO
    UTT Config Readme
    VOIP in XKS
    VOIP Readme
    Web Forum Exploitation Using XKS
    Writing XKS Fingerprints
    XKS Application IDs
    XKS Application IDs Brief
    XKS as a SIGDEV Tool
    XKS, Cipher Detection, and You!
    XKS for Counter CNE
    XKS Intro
    XKS Logos Embedded in Docs
    XKS Search Forms
    XKS System Administration
    XKS Targets Visiting Specific Websites
    XKS Tech Extractor 2009
    XKS Tech Extractor 2010
    XKS Workflows 2009
    XKS Workflows 2011
    UN Secretary General XKS

    Micah Lee, Glenn Greenwald, Morgan Marquis-Boire
    July 2 2015, 4:42 p.m.
    Second in a series.

    Find this story at 2 July 2015

    Copyright https://theintercept.com/
