What’s Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System .” A few quotes:

From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.

For example, seven e-mail chains concern matters that were classified at the Top Secret/Special Access Program level when they were sent and received. These chains involved Secretary Clinton both sending e-mails about those matters and receiving e-mails from others about the same matters. There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation.

Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information. But even if information is not marked “classified” in an e-mail, participants who know or should know that the subject matter is classified are still obligated to protect it.

I will state that there is information which is both classified and available to the public. For example, the Snowden documents are still classified, and I have friends with clearances who need to leave conversations when they come up. They are, simultaneously, publicly available. There is a legalistic position that such information is only classified. Such rejection of reality is uninteresting to me.

I can read Comey’s statements two ways. One is that Clinton was discussing Snowden documents, which she likely needed to do as Secretary of State. The other is that she was discussing information which was not both public and classified. My assessment of her behavior is dependent on knowing this.

Are facts available to distinguish between these cases?

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like.

After you’re done being outraged, send thanks to John for calling attention to the issue.

The New York Observer story, “How a White House Flickr Fail Outed Bin Laden Hunter ‘CIA John’” is also quite interesting.

Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces.

There are strong calls to move quickly, such as “Fiddling While Libya Burns” in the New York Times. But I think there are some important questions that I haven’t heard answered. A no-fly zone is a military intervention in Libya. It involves an act of war against the current government, and however bad that government is, we need to consider the question not of a “no-fly zone” but an “act of war” and its implications.

Some questions I’d love to hear answered include:

  • What if it doesn’t work? Are we willing to put soldiers on the ground to support the rebels?
  • What if it does? Who’s in charge?
  • What if it half works? We imposed a no fly zone in Iraq in 1991, and then invaded 11 years later because we hadn’t thought through the question of what we do to remove the no-fly zone. If the rebels end up with a Kurdistan, how do we finish? Another invasion? Fly walk away and let the Libyan air force to bomb in 2 years?
  • What does success look like? What’s our goal? Do we support offensive operations? If the rebels end up with some aircraft, do we let them fly?

There are other questions, about sovereignty, but I think there’s a good tradeoff to be made between preventing democide and respecting sovereignty. But I haven’t seen a proposal which seems to have considered what happens after a no-fly zone is imposed. Is there one?

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler.

A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!)

The second is that borders seem to be remarkably effective at inhibiting friendships, especially in Asia.


The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said.

“But at this point, TSA in consultation with counterterrorism experts have indicated to me that the procedures that they have been putting in place are the only ones right now that they consider to be effective against the kind of threat that we saw in the Christmas Day bombing.” (“Obama: TSA pat-downs frustrating but necessary“)

I’ve spent the last several years developing tools, techniques, methodologies and processes for software threat modeling. I’ve taught thousands of people more effective ways to threat model. I’ve released tools for threat modeling, and even a game to help people learn to threat model. (I should note here that I am not speaking for my employer, and I’m now focused on other problems at work.) However, while I worked on software threat modeling, not terror threat modeling, the President’s statement concerns me. Normally, he’s a precise speaker, and so when he says “effective against the kind of threat that we saw in the Christmas Day bombing,” I worry.

In particular, the statement betrays a horrific backwards bias. The right question to ask is “will this mitigation protect the system against the attack and predictable improvements?” The answer is obviously “no.” TSA has smart people working there, why are they letting that be the headline question?

The problems are obvious. For example, in a Flyertalk thread, Connie asks: “If drug mules swallow drugs and fly, can’t terrorists swallow explosive devices?” and see also “New threat to travellers from al-Qaeda ‘keister bomb’.”

Half of getting the right answer is asking the right questions. If the question the President is hearing is “what can we do to protect against the threat that we saw in the Christmas day bombing (attempt)” then there are three possible interpretations. First is that the right question is being asked at a technical level, and the wrong question is being asked at the top. Second, the wrong questions are being asked up and down the line. Third is that the wrong question is being asked at the top, but it’s the right question for a TSA Administrator who wants to be able to testify before Congress that “everything possible was done.”

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I’ll suggest “how do you model future threats?” as an excellent place to start.

Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there’s discrepancies in catering and other servicing of the planes, there’s issues with cargo screening, etc.

These issues are getting exposed by the red teaming which happens, but that doesn’t lead to a systematic set of balanced defenses.

As long as the President is asking “Is this effective against the kind of threat that we saw in the Christmas Day bombing?” we’ll know that the right threat models aren’t making it to the top.


Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.”

I think that was the wrong warning. Wikileaks is poking at a very dangerous system. We went to war with Iraq, claiming it had links to Al Qaida and chemical weapons programs. (I think there were good reasons for both Iraqi citizens and Western democracies to want a well planned and executed regime change in Iraq, and even better reasons to expect that attempts to do so would descend into chaos. But that’s besides the point.) Since then, we have publicly announced that we have death squads targeting US citizens. Does Wikileaks expect any less?

The American system of classifying documents is seriously flawed. That’s been the conclusion of every blue ribbon panel that studies it. Transparency and accountability are key tools that we the people use to constrain the power of government. But people in power never like transparency. They don’t like oversight and second-guessing. So over-classification is a natural outcome. Insofar as leaks help to constrain that, they’re useful to us, the governed. To the extent that leaks force a conversation about “why was this document classified,” they’re useful.

Now, leaking the names of informers is clearly problematic. It seems that, like many news organizations, Wikileaks asked the Pentagon for advice on redaction. They were rebuffed.

But that’s not the point of this post. The first point of this post is to say that the Leviathan is an angry and mean son of a bitch that’s now going to attack Wikileaks as hard as it can. If discrediting works, great. If not, expect escalation. Whatever their personal failings may or may not be, more transparency and accountability in government is a worthy goal, and we should support that goal. We should support that goal even as we can see flaws in Wikileaks. And despite their flaws, Wikileaks is making more transparency in less comfortable areas than anyone else.

The right response to the Afghan war diary would be for the Pentagon and for each of our allies to review what they have classified and why, and release more of it. Little of what was released was really surprising, and much of it should have been officially released with minor redaction. But instead of that review, we see the Leviathan lashing out at Wikileaks.

To the extent that Wikileaks pushes governments to become more transparent, we all benefit. If But more transparency not the reaction we’re seeing, and to distract us from that is the dirtiest trick so far.

If you think government has too much power, you should support Wikileaks. If you think that America’s overseas entanglements are hurting America or the world, you should support Wikileaks. If you think military adventurism is hurting the world, you should support Wikileaks. Because whatever Wikileak’s faults, their goals are important ones.

Which brings us to the second point of this post, which is to remind you, when you read negative stories about Wikileaks, ask yourself “who benefits?” The answer isn’t going to be “you and me.”

Transparent Lies about Body Scanners

Body scan.png

In “Feds Save Thousands of Body Scan Images,” EPIC reports:

In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 at issue in the EPIC lawsuit.

Previously, the government has assured us the images won’t be saved. Joshua Marpet pointed out that the “Nation’s Perverts Endorse Full-Body Airport Scanners.” Jeremiah Grossman asked if this is a violation of 18 U.S.C. § 2251.

The real trouble is that the TSA is funding the creation of these machines and forcing them on us. The companies who make them will push their chaotic deployment elsewhere. The machines are being built with recording and transmission capabilities. Chaos is going to emerge, our privacy will suffer, and it is the fault of the leaderless TSA.

The TSA has lied, consistently and persistently about the capabilities, effectiveness and health impacts of these machines. They have released scary misleading pictures, such as the one on the right. 99.99% of people walking through the machines do not have a gun strapped to their thigh. All the perverts watching the machines will see is your private parts.

TSA has a mission which can’t succeed. Anything it might do won’t prevent the destruction of aircraft. The measures they’ve talked their way into are a one-way street in today’s ‘admit nothing’ Washington culture. The head of the agency is a no-promotion position, made less attractive by the Obama administration’s ‘no revolving door’ policies.

Meanwhile, we suffer through the indignities.

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture by UK security services. (“
Britain Pledges Inquiry Into Torture

And yes, it’s certainly more fun to investigate the opposition, but…I’d really like to bring Mr. Cameron over here for a little while. Some investigations would do us, and our fight against al Qaeda, a great deal of good.

Cyberdeterrence Papers

This just came past my inbox:

The National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. government.

To stimulate work in this area, the NRC is offering one or more monetary prizes for excellent contributed papers that address one or more of the questions of interest found in its call for papers, which can be found at

Abstracts of less than 500 words are due April 1, 2010. First drafts are due May 21, 2010, final drafts July 9, 2010. For more information, see the call for papers.

The broad themes of interest include

  1. Theoretical Models for Cyberdeterrence
  2. Cyberdeterrence and Declaratory Policy
  3. Operational Considerations in Cyberdeterrence
  4. Regimes of Reciprocal/Consensual Limitations Regarding Cyberattack
  5. Cyberdeterrence in a Larger Context
  6. The Dynamics of Action/Reaction in Cyber Conflict
  7. Escalation Dynamics of Cyber Conflict

Readers with questions can contact Herb Lin, 202-334-3191, hlin at nas … edu

Me, I’m glad to see the administration moving towards more contests and open solicitations as a way of tapping into different ideas from a broader set of contributors.

I saw something that an abstract is not required to submit a fill paper, but would encourage checking in on the rules for yourself.

What the FBI Was Doing on Beethoven’s Birthday


This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe:


The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.”

“Wolverine” has raked in nearly $375 million in worldwide gross since its release. How much money the leak cost Fox will never be settled for certain.

I’m glad we’re spending money on things to keep us safe.

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.


One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

The Conch Republic

Apparently, in a sovereign-in-cheeck move, the the Florida Keys have withdrawn from the United States, and declared themselves to be “The Conch Republic.” Their motto is “We seceded where others failed.” Perhaps you haven’t heard of them because they make all the good jokes, making writing about them hard.

I heard about them because of an incident that was mentioned in this podcast. The United States will allow Cuban refugees to enter if they reach dry land. The Border Patrol declared that 15 Cuban refugees that had reached the bridge were not in the United States, and thus could be returned to Cuba. Based on this disavowal, the Conch Republic seized the bridge and declared it their territory, in what is now known as “The great invasion of 1995.”

Next time I need a good vacation in the sun, I know where I’m going.

Shown: “Close up Bloody Battle.”

Some thoughts on the Olympics, Chicago and Obama

So the 2016 Olympics will be in Rio de Janeiro. Some people think this was a loss for Obama, but Obama was in a no-win situation. His ability to devote time to trying to influence the Olympics is strongly curtailed by other, more appropriate priorities. If he hadn’t gone to Copenhagen, he would have been blamed for not caring. If he went, he’s blamed anyway. In reality, he does have some control over what happened. He could have fixed the “harrowing experience” we show the world under the ironic words “Welcome to the United States:”

In the official question-and-answer session following the Chicago presentation, Syed Shahid Ali, an I.O.C. member from Pakistan, asked the toughest question. He wondered how smooth it would be for foreigners to enter the United States for the Games because doing so can sometimes, he said, be “a rather harrowing experience.” (New York Times, “Rio Wins“)

Ironically, the President has experienced harrowing nonsense at borders, see “US Senators Detained In Russia.” He should put someone on fixing the Customs and Immigration service before it costs us even more.

However, it’s really unclear if the “loss” is a loss. “No Games Chicago” was a citizens group advocating against destroying Chicago’s parks and budget for the Olympics, and according to CNN, 45% of the city’s residents didn’t want the games. And as the AP documents in “Olympics Aren’t Necessarily an Economic Bonanza,” the outlandish “economic benefit” numbers that Olympic advocates usually throw around are based on a “multiplier effect” of around 3. Me, I know what an Olympics event costs–Montreal taxpayers paid off the ’76 Olympics in 2006.

So congratulations, Rio. I hope you don’t bulldoze the less waelthy neighborhoods, and I hope you’re all paid off by 2030 or so.