“First just let me say again I’m shocked. Flabbergasted. All of us are. This is outrageous. Worse than anything Nixon ever did. I wouldn’t have believed something like this could happen in the United States of America,” says Number One.
He’s impassioned. My attention level escalates. Just two days ago, I’d been fully prepared to be told there was nothing suspicious in my computer. Or maybe that all the evidence was gone. I might be told that the idea of the computer being tapped was the stuff of science fiction or an Orwellian novel. I never thought I’d hear what I was hearing.
Referring to the typed notes, Number One tells me that my computer was infiltrated by a sophisticated entity that used commercial, nonattributable spyware that’s proprietary to a government agency: either the CIA, FBI, the Defense Intelligence Agency, or the National Security Agency (NSA). This particular intrusion came in silently attached to an otherwise innocuous email that I received and opened in February 2012. The intrusion was “redone” in July through a BGAN satellite terminal. I don’t even know what a BGAN satellite terminal is, but I later look it up online and find this ad:
BGAN Portable Satellite Internet & Phone. Connect a Laptop, Smartphone or Any Wireless Device to a satellite terminal for High-Speed Internet and phone from anywhere on the planet. Terminals are small enough to be carried inside of a laptop case, yet deliver broadband up to 492 Kbps. . . . BGAN is the hands down winner for carry portability, and ease of setup by anyone.
Number One continues.
The intrusion was “refreshed” another time using Wi-Fi at a Ritz Carlton hotel. The uninvited programs were running constantly on my laptop. They included a keystroke program that monitored everything I typed, visited online, and viewed on my screen. They accessed all of my email including my CBS work account. They obtained the passwords to my financial accounts and other applications, some of which are noted on the typewritten paper that I’m staring at. I’m told that I should assume my smartphones are also afflicted.
Continuing on, the intruders discovered my Skype account handle, stole the password, activated the audio, and made heavy use of it, presumably as a listening tool. As I understand it, the intrusion stopped abruptly about the time that I noted my computers quit turning on at night. Did the intruders know by reading my emails and listening to me on the phone in early December that I was on to them? Did they remotely attempt to stop the programs at that time and cover their tracks, resulting in the end of the overnight computer activity?
Number One goes on to say that this was probably not a court-sanctioned action. He says the government’s legal taps are usually of much shorter duration and they don’t end abruptly as this one did. I’m also told flatly that my surveillance doesn’t match up with a PATRIOT Act order. An insider checked for me. I have many questions, but Number One can’t answer them. He’s just the messenger.
There’s one more finding. And it’s more disturbing than everything else.
“Did you put any classified documents on your computer?” asks Number One.
“No,” I say. “Why?”
“Three classified documents were on your computer. But here’s the thing. They were buried deep in your operating system. In a place that, unless you’re some kind of computer whiz specialist, you wouldn’t even know exists.”
“Well, I certainly didn’t put anything there.”
“Just making an educated guess, I’d say whoever got in your computer planted them.”
That’s worth pausing to let the chill run all the way up the back of my neck to the part of my brain that thinks, Why? To frame me? A source? My heart accelerates. I’m thinking it, but it’s Number One who finally breaks the silence to say it.
“They probably planted them to be able to accuse you of having classified documents if they ever needed to do that at some point.”
So a government-related entity has infiltrated my computer, email, and likely my smartphones, and that included illegally planting classified documents in a possible attempt to lay the groundwork to eventually entrap or frame me . . . or someone who talks to me? As it begins to sink in, I think of the whistleblowers and sources who have spoken to me over the past two years, often confidentially. By having well-placed sources help me discover this infiltration, did I just dodge a bullet? Did I get them before they got me?
Number One has firsthand experience in covert government surveillance. “Reporters used to be off-limits,” he opines. “Even when we had a court order on a bad guy, if a reporter even lived anywhere in the vicinity, we stayed away. You just didn’t go near journalists. It was sacrosanct. Obviously, that’s changed.”
I tell him about the extra fiber optics line on the back of my house.
“It’s possible somebody was using that,” he tells me. “But taps aren’t usually done at people’s homes anymore. It’s all done through Verizon. They cooperate. There’s no need to come to your house; we can get everything we want through the phone company.”
This is months before Edward Snowden would reveal exactly that, building on revelations by New York Times reporter Risen and others who had written as far back as 2005 of phone companies assisting the government with surveillance.
I gather my laptop and notes, get a Coke to go, and know that the next step I need to take is notifying my supervisor at CBS News. The implications far surpass my own computer and personal life. The infiltration includes the CBS email system and the news division’s proprietary software used in writing scripts and organizing the daily news broadcasts. The intruders could have accessed the entire CBS corporate system. This is huge. I can’t reveal to CBS who’s helping me or exactly how I know what I know, but they’re aware that I have well-placed sources.
| NOTIFYING CBS
I walk straight into the CBS News Washington bureau and look for my bureau chief, Chris Isham. Isham is a longtime investigative reporter with plenty of knowledge about the way the government operates. He’ll understand more than most the implications of what I’m about to tell him. He invites me into his office and closes the door. He sits on a short couch, and I plop into an adjacent chair with my notes and fill him in.
“I can’t be the only one they’re doing this to,” I conclude.
“I know,” he agrees. “You can’t be.”
But Isham doesn’t want to sound the corporation’s alarm bells yet. He explains that since my sources have to be protected, even from CBS, we will reach out to a trusted, private analysis firm and see if they can duplicate the findings of an intrusion on the CBS computer. If so, he says, we can then go to CBS News chairman Jeff Fager and CBS News president David Rhodes with the information.
But there’s a challenge with this plan: I notice that that typewritten note from Number One says my computer is now “clean.” Does that mean everything has been wiped from it?
I communicate with Number One to ask the question. The next day, he returns with an answer. The inside government analyst did wipe the computer.
“Why did he do that?” I ask Number One. I’m forever grateful for the help he’s given. Without it I probably wouldn’t even know today that I’d been the subject of a criminal intrusion. But why did he wipe the evidence?
“I don’t know. I’m not sure in the beginning we really expected to find anything. And I guess we never talked about what the procedure would be if we did,” says Number One.
It’s true. In fact, I’m pretty sure none of us in the group actually expected any real evidence to be discovered. We never played out the scenario.
“Maybe he thought he was doing me a favor,” I suggest. “Maybe he thought he was helping me by cleaning up my computer and getting it running smoothly again.”
Cleaned up. Running smoothly, say the notes on the typewritten paper. Duplicating the evidence now will take a miracle.
| THE MCALLEN CASE
The MCALLEN Case begins on February 2, 2013.
>
We’re expecting snow on a chilly Saturday in Northern Virginia. The doorbell rings and I greet the very businesslike Jerry Patel,*** the private computer forensics analyst hired by Isham at CBS. Patel is doing CBS a favor by coming here. I haven’t shared many details with him and I can tell at the outset he doesn’t really expect to find anything significant. He thinks he’s here to put my mind at ease. To assure me that the strange goings-on with my computers aren’t the work of any intruder. Maybe just ordinary malware, a nagging virus, or a glitch.
I begin with niceties but none are necessary. Patel patiently tolerates the introduction before asking to be directed to the star of the show: my computers. I lead him upstairs into my bedroom and adjacent office. At night, this entire area becomes my workspace. My husband knows that when I’m on an important story, this is the business space until one or two in the morning. Forget about lights out.
Patel sits on the couch in my bedroom and unlocks a briefcase full of gear like a high-tech handyman. He tells me he’s given this job a code name: The MCALLEN Case. I give a brief summary of what’s been going on. Then he opens up the CBS News laptop and begins deconstructing the files. He transforms the user-friendly format of my Toshiba Windows into a baffling screen full of lines punctuated by brackets, forward slashes, and question marks. He looks in places that most of us have no idea exist in our computers. I’m practically breathing down his neck as I watch his fingers dance along the keyboard and his eyes scan one line after another. As the hours pass and my mind gets accustomed to looking at the gibberish, it almost begins to make sense to me.
Other than a few “nonstandard” observations, the process is frankly pretty mundane. That is, until the date of December 9, 2012, surfaces. That was the time frame when I noticed that my computers had stopped freelancing on me.
“It looks like what we’re seeing here is a log-in attempt at 4:20, approximately 4:20 and three seconds in the morning on December 9, 2012.”
His voice has escalated from the soft monotone to somewhat expressive for the first time on the visit. I wasn’t the one who attempted to log in at 4:20 in the morning. Patel spots another suspect message on December 12, 2012.
“What’s unusual is audit policy changes.”
He tells me that someone with administrative privileges, not me, has taken action in my computer. His voice becomes excited.
“Someone changed the audit policy at 8:48 in the morning . . . your computer rebooted at one o’clock in the morning. . . . So we’ll go backwards. Here we go. December 11 we’re back at the time in question. 4:05 [a.m.] . . . all right.”
I don’t know how to interpret what he’s saying but I’m following along as he points to the lines on the screen.
“But you see . . .” he says, pointing to 4:05 a.m.
“There’s nothing there . . .” I observe.
“Oh boy.”
“What does that mean?”
“Ohhh boy. Look at the difference. December 10, 5:00:50 seconds. December 11th. Someone removed 24 hours.”
He exhales, makes a whoosh noise, and summarizes.
“We have evidence that shows 24 hours, 23 hours of log messages have been removed. That’s suspicious behavior.”
Now he’s breathing heavily. It alarms me because it alarms him and he’s not easily alarmed. His voice becomes more formal and he launches into what sounds like a speech for posterity.
“In my professional opinion, someone has accessed this box. I’m going to be honest with you. I was hoping you weren’t infected. But . . . I see evidence that shows a deliberate and skilled attempt to clean the log files of activity.
“Approximately 23 hours . . . 22 hours, 55 minutes of log messages have been removed. That is extremely nonstandard, especially considering the act of clearing a log is a log message in and of itself. So I am now going to concur with . . . I’m starting to concur with your suspicions.”
His findings are lining up with what my earlier analysis found.
“Well, I suppose this visit wasn’t for nothing then,” he says. Deeper offsite analysis will be required.
It’s dusk and the clouds are heavy with impending snow. Patel has been here six hours now and needs to head back to town to meet friends for dinner. Before he leaves, he wants to take a quick look at my personal Apple iMac desktop computer. Since his time is short, I ask him to go straight to December 9 on the iMac, too. If the intruders removed evidence of their presence from my laptop around that time, they might have tried to cover their tracks on the iMac desktop as well. Within a few minutes, it’s confirmed.
“Oh shit!” The high-tech handyman is now fully animated. “Pardon my French but . . .”
“That’s gone, too?” I say, looking over his shoulder.
“That’s now a pattern. . . . We have a gap,” Patel reports in the official posterity voice. “A second gap from December 8, 2012, 10:12:11 p.m. to December 9, 2012, 3:18:39 p.m. That’s not normal. Someone did that to your computer. Two separate instances showing the same MO. That shows knowledge of the event logging and it shows skill. Somebody’s deleting days of messages. . . . That shows skill.”
He then searches through what he says is a key file.
“It should be bigger than that. It should be huge. Somebody deleted the file on December 11. It’s not supposed to be like that. It’s supposed to have lots of data in it and it doesn’t.”
“So what does that mean?” I ask.
“Someone was covering their tracks.” Long exhale.
“So they would’ve done that remotely? ’Cause no one’s been in the house.”
“Yeah. We’re examining the last log. And we have a deletion wtemp log that actually begins Saturday, December 11. Suggests the log was deleted on that day.”
He proposes conducting further analysis at his office. But he tells me at the outset that he doesn’t think he’ll be able to attribute the intrusion to the guilty party. He can already see that from his cursory analysis. They’re too sophisticated, he tells me. Too skilled. This is far beyond the abilities of even the best nongovernment hackers. They’ll have covered their tracks.
It’s snowing now. And dark. Patel remarks that sometimes his computer forensics job is a little dull. But the MCALLEN Case is not. He rushes off to meet his friends, leaving me and my compromised computers. I look out the window and watch his headlights track down my long driveway and down the road until they disappear. What now? As someone who’s usually constantly online, I don’t much feel like working on my computers tonight.
Two days later, Patel sends an email to Isham and copies me. I hear his voice in my mind as I read his words. “It is my professional opinion that a coordinated action (or series of actions) have taken place. I don’t wish to go into details because the integrity of email is now in question. . . . It bothers me that I was not able to leave Sharyl with an increased sense of security Saturday evening, but hopefully we can all work together to remedy this ASAP.”
It’s February 4, 2013. Three and a half months before revelations about the Obama administration’s seizure of AP phone records and those of the FOX News reporter. Almost exactly four months before the news that the NSA is secretly collecting Verizon phone records, as revealed by Edward Snowden.
| THE DISRUPTIONS CONTINUE
When you challenge powerful institutions in the twenty-first century, you conduct your business with the notion ever present in the back of your mind that somebody’s listening. Tapping your phone. Reading your computer files. Trying to learn what your sources are telling you. Finding a way to stop you. These thoughts float through your mind, escalating in direct proportion to the strength of the story and the power held by whomever it challenges. You think of it, but you don’t really believe it’s actually happening. You certainly don’t think someone will turn up one day and hand you proof.
In fairness, I’ve begun telling my sensitive
sources that our communications aren’t secure. Funny thing is, none of them is surprised. They tell me they already assumed they were under government surveillance. But we do start crafting more secure ways to exchange information. For example, as I make contact with important confidential sources about the Benghazi attacks, I set up meetings on the phone but then later change the time and place in a way that can’t be monitored. Of course, the intruders now know that I know. And I know that they know that I know. And so on. It’s the loop of the paranoid wrapped in suspicion codified by truth.
CBS has remained strangely unfazed by the official news from Patel confirming what I’d told them: that an intruder has been in my computers and in the company’s news and corporate system. I’d thought that the moment they got the corroboration, it would set off processes and inquiries. That corporate forensics experts would descend upon me and my house, looking to secure my personal and professional information, to protect my sources and look for the origin. That my colleagues would be officially notified so that they, too, could make their sources aware and a damage assessment could be made.
But none of these things happens.
CBS does ask Patel to conduct further investigation, but there seems to be no particular urgency, and he comes to the Washington bureau to pick up my laptop. We’ve kept it off the CBS system since the day Number One first gave me the news. I sign the chain-of-custody document and hand over the computer. I wonder if the intruders have already penetrated my newly issued CBS News laptop. When I earlier recounted to Number One how I heard the castle lock sound one night and assumed the intruder had been locked out of the CBS system, he practically chuckled, like a patient elder speaking to an ingénue.
“You may have heard that sound but I hate to disappoint you—we can cut through that firewall like butter. It’s not an impediment.”
Patel and his company are working for CBS. They’re clearly tasked with protecting the network’s security, not mine. But they do sit down with me and Isham and have a serious conversation to say that I should find ways to better protect my computer privacy. Aware of the persistent interruptions in my FiOS service, they tell me that I should have my Verizon FiOS box replaced again, and relocated inside the house.
Stonewalled: My Fight for Truth Against the Forces of Obstruction, Intimidation, and Harassment in Obama's Washington Page 29
