Uncategorized

Physical Counter Surveillance – The Dry Cleaning Run and Evading Capture

In a meeting with a former counter-intelligence practitioner I first learned of ‘dry cleaning’ as tradecraft jargon in the realm of countersurveillance. Willam E. Dyson’s book Terrorism – An Investigator’s Handbook, 4th Edition (2015; first edition published in 2011) defines it as follows:

dry cleaning A process by which a subject takes actions that enable him to “lose” anyone who is attempting to follow him. A person may “dry clean” himself by entering a crowded movie theater and leaving soon after through a rear door. Undercover officers and informants should also undertake “dry cleaning” maneuvers before meeting each other.

The Terms & Definitions of Interest for DoD Counterintelligence Professionals (.pdf, 2011) from the U.S. Office of Counterintelligence (DXC), part of the Defense Intelligence Agency (DIA), contains a definition taken from an old manual of the Air Force Office of Special Investigations (AFOSI):

Dry Cleaning. [Tradecraft jargon] Any technique used to elude surveillance. A usual precaution used by intelligence personnel when actively engaged in an operation. (AFOSI Manual 71-142, 9 Jun 2000)

Following the meeting I did a bit of self-study and came across a reposted text apparently once shared at the now-defunct forum at XtremeRoot.net. I’m reposting it here because 1) it is IMO a useful read that covers (a subset of) aspects that also came up in said meeting, and 2) LOCKSS. I could not readily identify whom to contact to ask for permission to re-post it here. If you’re the author, feel free to contact me (see sidebar).

Further reading on this topic (friendly reminder: always apply critical thinking):

Traditional humint tradecraft presumably remains a key aspect of modern intelligence, notwithstanding the tech-heavy era we now live in. And be reminded that technology can fail — for instance by accident, by sabotage or (indirectly) by adversarial interception/surveillance.

NOTE: everything below this line is NOT authored by me, except for one [NOTE: (…)] block that I added.


I recently underwent some counter surveillance training, and it was one of the most exciting things I’ve ever done. As such, I thought I’d write up a short tutorial based on what I was taught and what I went through. This is all related to personal counter surveillance – i.e. preventing people following you.

There are 3 major parts to counter surveillance:
1) Planning
2) Identification – Spotting people who may be following you and verifying their intent.
3) Evasion – Making it difficult to follow you by performing certain maneuvers and following certain rules.

These principles, when put together, form something called a cleaning run. Its objective is to get you to a destination whilst identifying and losing any tail you might have.

Planning
The basic rules of a cleaning run are as follows:

  • Give yourself roughly double to triple the amount of time usually needed to get to the destination. A cleaning run can last up to 3 hours!
  • Plan your journey before heading out.
  • Move across a large geographic area.
  • Act naturally.
  • Try to spend at least 50% of your journey in areas that are not covered by CCTV.
  • Vary your transport method. Travel by bus, tram, train and taxi as well as on foot.
  • Be aware of your surroundings and the people nearby.
  • Be prepared! You need a pen, paper, envelope, stamps and enough cash for transport and visits to cafes / coffee shops. If you smoke, take some cigarettes and a lighter too.

The first step is to plan your journey. Start in an arbitrary direction, heading nowhere near your destination. You need to visit a variety of locations including quiet suburbs and busy city centres. Try to make the path you take relatively realistic (e.g. don’t walk round a block twice) and make it look like you have a reason to go to certain places along the way. You need at least two locations that will be almost entirely deserted – large open areas like parks are excellent for spotting someone following you. Make sure that your route crosses a few bridges and goes down some small side streets. You need to be able to stop off frequently at shops and other attractions. Look up timetables for buses, trams and trains, and use these services in your journey. You’ll also want to find places with post boxes and phone boxes, as they can provide some useful distractions.

Identification
Before you can shake a tail, you need to identify it. The best way to do this is to spot people you have seen before. A professional team can consist of 10 or more people, of which 2 or 3 at a time will follow you. They do a hand over periodically and try to avoid re-using the same members so that you don’t notice the tail. The “tried and tested” positioning system is to have one person follow directly behind you and another follow on the other side of the road further behind. If a third person is used, they are usually kept further back. If they think you’ve identified an agent, they’ll pull them out and replace them if possible.

The following things about a person can help you identify them as a tail:

  • If there are multiple agents, expect 90% of them to be 30 years old or less.
  • A professional team member usually has a precise watch. You can spot these quite easily if you’re close by.
  • They will change their course when you stop or change your course.
  • They will avoid looking directly at you, or stare.
  • Untrained people in a team might talk into their sleeve or talk to themselves.
  • If there are only one or two agents and they are associated with the police (CID, SOCA, etc), they will usually be wearing a suit (this is true for the UK, at least).
  • When waiting, they will usually loiter aimlessly or appear fascinated by a mundane sign or poster.

When walking down quiet roads it is easy to notice someone following you. However, it is difficult to turn round and get a good look at them without them noticing. One great method to this is to enter a shop and purchase something. As you enter, glance behind you to see if anyone is there. If there is, hold the door for them. When you leave, go back the way you came for a while, then turn off and go another direction. You can usually identify at least one surveillance member this way.

In places with some traffic, cross over at an intersection. If you’re on the left of the street turn right and vice versa. This gives you chance to stop and look around as if you were checking for traffic. If you cross at a pedestrian crossing, pretend to press the button but don’t. This gives you time to stop and look around longer, making anyone following you quite obvious.

Small bridges and alleys can make great choke points. Be aware that isolated areas might be problematic because they might confront you, so try to pick areas with at least a few people around. If you smoke, stop to light up as you walk down a choke point. Stand sideways so that you can see both directions. This means that anyone following you will have to walk straight past, so you can easily identify them. You could also stop to write an SMS message – it’s feasible that you can’t walk and text at the same time. If you do this, start writing it and stop after the 4th or 5th letter. Most people will at least try to write and walk before failing!

In larger shops, stand and browse the magazines. You can use the short periods between picking up each magazine to glance in a direction to look for anyone you remember from before, or anyone looking at you. Untrained people will often behave unusually and can easily give themselves away in certain situations. They may stare intently at you, or completely avoid making eye contact. In the case of the ones who are quite obviously attempting to watch you without directly looking, orchestrate your path so that you walk past them, then stop and ask the time. This usually shocks and disorientates them, and they’ll usually get flustered and stutter their reply.

Use your pen and paper to jot down short descriptions of people that might be following you and anyone that you see twice. You can buy a newspaper and use the crossword to jot things down too. If you see someone twice in two far apart areas, you’re probably being followed. The same applies if you see the same person three times as you’re performing your run.

A clever trick is to scan for Bluetooth devices nearby when sat around. If you see the same name twice, you have a tail. [NOTE: one probably should not carry any electronic device to a secret meeting to begin with, except burners — which still requires tradecraft. Radio emissions — and not only Bluetooth or Wi-Fi — should be assumed to be unique fingerprints.]

Evasion
Once you’ve spotted the people you want to escape, you need to start doing things to divert their attention from you to thin out the crowd. The text-book stuff like dodging down an alley or switching back on yourself is way too obvious and a professional will be able to handle it easily.

Organise your journey so that you arrive at a train station, get your tickets, then have to wait 10 minutes in the coffee shop before boarding a train. If possible, use the automated ticket machine and jump in just before someone else gets in the queue behind you. This helps stop agents from shoulder-surfing to find out where you’re going, or listening in on your conversation with the ticket office person. Wait until the last minute before moving to the platform, or sit on the wrong platform until your train is announced and then move to the correct one. Sit as close to a door as possible so you can see the entire carriage.

When travelling by bus, pay for a ticket to the furthest destination it goes to, then get off before that stop. This helps divert resources and prevent any surveillance teams from setting up in a target location. If you can sit at the back do so, as you can see where everybody is. On double-decker buses you might want to sit up top to make it more obvious if you’re being followed.

Towards the final quarter of your run, make it look like you’re doing something sinister. Go to a phonebox and call the number of a small computer shop. Ask something like “how much is your cheapest SATA hard drive?” and write down the price and a random postal code that’s near the computer shop. Write a single letter on the bottom of the paper to make it more confusing, then place it on top of the phone unit and leave the box. This will look like you’re trying to perform a dead-drop, so an agent would investigate. This reduces the number of people following you. You can then go into another phone box, fumble around underneath it to make it look like you’re grabbing something that’s taped to the bottom, get out an envelope and pretend to put this non-existent thing inside it, attach a stamp, write an address on there (somewhere around five miles away) and go post it in a postbox. An agent will need to get someone to open the phone box, so this will delay them further.

Strike up a conversation with someone in the street to make it look like that’s who you went to go see. This is best done in a quiet area, so you can watch the people nearby.

You can perform a covert U-turn by walking past a shop and showing some interest in it (stare at it as you walk) and then stopping 20 feet down the road as you very obviously check your watch. Stare at your watch for a second, then turn back and go to that shop. This makes it look like you couldn’t decide if you had time to go to the shop. Some poorly trained agents might just stop still and stare at you gormlessly if you do this.

In extreme circumstances, you can go for certain overt techniques that give away the fact that you know you’re being followed:

  • Do a U-turn whilst walking and check out everyone who looks at you.
  • Do the whole “tying my shoelace” thing. It can mean agents have to be dropped because they have to pass you, but it’s very obvious and you can’t actually identify them easily.
  • Ask someone you think is tailing you for a lighter. Strike up conversation about the weather or contemplate them on their hair, shirt or watch if they have to spend more than 5 seconds fumbling around for it.
  • Dodge down an alleyway quickly or move in a circuitous through a store with multiple exits. These allow you to shake a tail, but make it obvious that you are immediately wary of someone following you.
  • Sit in a coffee shop and wait until you see someone that you know is following you. As you get up to leave, they will look over. Stare directly at them and wave before leaving.
  • Use a payphone to call for three taxis. Book one from your current location (or nearby) to position A, and book the other two from near position A to position B. Take only one of the second taxis, then have them drop you off slightly outside location B. If they’re resourceful enough to be able to pull phone records, they’ll spend resources trying to find out who you called and where you asked to go to. Once they discover you have called 3 taxis, they’ll know something is odd.

[…]

[Dutch] Kwetsbare Pulse Connect Secure SSL-VPNs in Nederlandse IP-adresruimte: bevindingen en gedachten

UPDATE 2019-09-20: volgens onze testset (die niet per se volledig is) zijn er thans nog 157 kwetsbare systemen bereikbaar op Nederlandse IP-adresruimte. Niet alle systemen horen bij een Nederlandse organisatie — het betreft ook buitenlandse organisaties die hier digitale presence hebben met (ten minste) een Pulse Connect Secure SSL-VPN.
UPDATE 2019-09-05: A Chinese APT is now going after Pulse Secure and Fortinet VPN servers – Security researchers spot Chinese state-sponsored hackers going after high-end enterprise VPN servers.

[Onderstaand bericht in samenwerking met Ralph Moonen, CTO bij Secura. Zie eventueel BNR Nieuwsradio, 2 september 2019: “Interne netwerk van tientallen Nederlandse bedrijven en organisaties staat wagenwijd open”.]

Pulse Secure, een spinoff van Juniper die het Juniper-product Junos Pulse zelfstandig heeft voortgezet onder een nieuw handelsmerk, is één van de grootste leveranciers van producten voor netwerktoegangsbeveiliging: marktonderzoekbedrijf Frost & Sullivan erkende het in oktober 2018 als één van de belangrijkste vier spelers in het marktsegment voor het MKB en grootbedrijven, met wereldwijd 20.000 klanten.

In april 2019 publiceerde Pulse Secure een kritiek beveiligingsadvies voor Pulse Connect Secure en Pulse Policy Secure, respectievelijk een SSL-VPN en NAC/BYOD-oplossing. Klanten van Pulse Secure gebruiken de producten voor beveiligde toegang van (bijvoorbeeld) medewerkers tot een extranet of een intern netwerk.

Het bijschrift in het advies luidt als volgt (markering is origineel):

Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Many of these vulnerabilities have a critical CVSS score and pose significant risk to your deployment. We strongly recommend to upgrade to the corresponding version with the fix as soon as possible.

De beveiligingspatches, die dus reeds in april 2019 zijn gepubliceerd door de vendor, verhelpen een reeks ernstige kwetsbaarheden. Daarvan had CVE-2019-11510 de hoogst mogelijke (CVSSv3-)kwetsbaarheidscore: 10.

Via die kwetsbaarheid kan een anonieme, niet-ingelogde aanvaller op afstand vanaf internet willekeurige bestanden uitlezen, waaronder de .mdb-database met gebruikersnamen, wachtwoorden (in leesbare en/of ontsleutelbare vorm) en sessie-identifiers van VPN-sessies. Actieve sessies kunnen worden gekaapt (bron); trouwens ook via CVE-2019-11540, een cross-site script inclusion kwetsbaarheid, in combinatie met (bijvoorbeeld) BeEF. Tweefactorauthenticatie is daarmee ook buitenspel gezet. In combinatie met andere kwetsbaarheden kan ook infectie met malware/spionage-software plaatsvinden.

Het is aan systeem- c.q. netwerkbeheerders bij organisaties die deze producten gebruiken om op de hoogte zijn van deze beveiligingspatch(es) en deze vrijwel onmiddelijk installeren (eventueel via een noodprocedure binnen het normale change management-proces). Al dan niet op aanwijzing van hun CISO, naar aanleiding van een beveiligingsadvies van het NCSC, en/of een tip van een derde. De realiteit toont aan dat dat in dit geval bij veel organisaties niet goed is verlopen.

In augustus hebben de Taiwanese ontdekkers van de kwetsbaarheden — Orange Tsai en Meh Chang van DEVCORE, die uitstekend werk hebben geleverd — tijdens Black Hat USA 2019 (slides in .pdf-formaat) en DEF CON 27 (videos) details van hun ontdekkingen gepubliceerd, en vrij snel daarna werd o.a. CVE-2019-11510 being exploited in the wild gezien. Op zaterdagochtend 24 augustus was dat te zien in de logs van dit blog (scroll in het grijze schermpje naar rechts om de rest v/d regel te zien):

/var/log/www.cyberwar.nl-access.bloglog:- 81.40.150.167 - - [24/Aug/2019:10:45:57 +0200] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Naar aanleiding daarvan is onderzoek verricht op Nederlandse IP-adressen, waarbij 537 kwetsbare Pulse Connect Secure-systemen zijn aangetroffen. ‘s Avonds is de lijst aan het NCSC doorgegeven (cert@ncsc.nl), daarbij in eerste instantie twee gevallen uitlichtend die in potentie als “ernstig” of “zeer ernstig” zijn te kwalificeren voor nationale veiligheid. Iets later die avond belde het NCSC met een ontvangstbevestiging. Beide systemen zijn vrijwel direct gepatcht.

De afgelopen week is dagelijks opnieuw getest (en dat blijft de komende tijd doorgaan). De uitkomst is als volgt:

Nota bene: het is mogelijk dat er méér kwetsbare systemen bestaan dan tijdens dit onderzoek zijn gevonden. Van de systemen die wél zijn meegeteld is aannemelijk dat die daadwerkelijk kwetsbaar zijn (en dus geen foutpositieve, zoals een honeypot). Niet elk systeem is van een Nederlandse organisatie: er zitten ook buitenlandse organisaties bij die gebruikmaken van de goede internetinfrastructuur die we in Nederland hebben.

Ten tijde van schrijven zijn dus nog ruim 300 Pulse Connect Secure SSL-VPN’s op Nederlandse IP-adresruimte kwetsbaar (*) voor ten minste CVE-2019-11510.

Het initiële lijstje van kwetsbare systemen in Nederlandse IP-adresruimte loog er niet om — het omvatte onder meer:

  • Rijksoverheid
  • lokale overheden
  • luchtvaartsector (zowel flight operators als industrie/onderzoek)
  • beursgenoteerde bedrijven (o.a. met high-tech intellectueel eigendom)
  • defensie-industrie (10 organisaties)
  • onderwijssector (waaronder een universiteit en een hogeschool)
  • financiële sector (meerdere banken, verzekeraars, belasting- en administratiekantoren)
  • ICT-bedrijven (meerdere bekende/grote namen, met o.a. Defensie als klant; en enkele ICT-beveiligingsbedrijven)
  • havenbedrijven
  • petrochemische industrie
  • zorgpartijen (o.a. zorgaanbieders en nationale zorg-ICT)
  • enkele kleinere ISPs en telecomproviders
  • […meer…]

Attributie aan de organisaties is gebaseerd op een combinatie van WHOIS-gegevens van het IP-adres, de systeem-/domeinnamen in het TLS-certificaat, en PTR- en A-records in DNS. Slechts in enkele gevallen ging het — oordelend naar die gegevens — om een test- of ontwikkelsysteem. De rest betreft productieomgevingen of voormalige productieomgevingen. In voormalige productieomgevingen kunnen nog altijd actuele gebruikersnamen/wachtwoorden staan; dus ook dán is er in potentie een ‘echt’ probleem, ook als die omgeving onmiddels is ontkoppeld van de rest van het netwerk.

Organisaties die Pulse Connect Secure gebruiken doen er goed aan hun logs te controleren op aanwezigheid van de volgende waarde (zonder de “[…]”):

[...]/data/runtime/mtmp/lmdb/dataa/data.mdb[...]

Als dat bestand succesvol is gedownload door een onbekende derde dan is het zaak de VPN-gebruikers onmiddellijk hun wachtwoord te laten wijzigen op alle systemen waar zij dat wachtwoord gebruiken. Hopelijk betreft dat niet óók hun privéaccounts bij Facebook, Google, Apple, enzovoorts; hergebruik van wachtwoorden blijft een hardnekkig fenomeen.

Het NCSC heeft meerdere meldingen ontvangen inzake Pulse Secure en verschillende partijen geïnformeerd. Ons (Secura) is niet bekend welke partijen wel en welke niet. Vanwege de ernst van de situatie hebben ook wij direct actie in gang gezet (better safe than sorry): een reeks organisaties is vorige week door ons gebeld en een meerdere kwetsbare systemen zijn inmiddels gepatcht. Ongetwijfeld zullen meer partijen zo’n inspanning hebben ondernomen. We hebben het echter druk genoeg met onze normale werkzaamheden en zouden dit dus liever niet hoeven doen; maar voelen het een beetje als een morele plicht (if not us, then who?).

Dit soort situaties is onacceptabel: het kan niet zo zijn dat honderden systemen — in dit geval ook bij grootbedrijven en in vitale sectoren — na het bekend worden van ernstige kwetsbaarheden nog maandenlang actief zijn als sitting ducks voor kwaadwillenden.

Daarover het volgende.

Zowel het NCSC als private ICT-beveiligingsbedrijven als journalisten als (andere) individuele onderzoekers hebben beperkte mogelijkheden en resources. Het testen van andermans systemen op een kwetsbaarheid kan strafbaar zijn onder de wet computercriminaliteit, ook al zijn de bedoelingen goed en doorstaat de werkwijze de toets aan subsidiariteit/proportionaliteit (zo was ons onderzoek beperkt tot het uitlezen van versie-informatie en een bestand dat op alle Pulse Connect Secure-systemen identitiek is — dus geen gebruikersgegevens verwerven, laat staan code injecteren of commando’s uitvoeren).

Coordinated Vulnerability Disclosure (CVD; voorheen Responsible Disclosure) is voor dit soort cases hooguit een lapmiddel, want te arbeidsintensief gegeven de urgentie en omvang van het aantal kwetsbare organisaties. De verantwoordelijkheid kan niet liggen bij individuele onderzoekers of beveiligingsbedrijven die ongevraagd ad-hoc testen. Maar getuige wat is aangetroffen kan de verantwoordelijkheid vooralsnog óók niet alleen liggen bij de private organisaties zelf. En de vendor heeft gedaan wat deze moest doen: een beveiligingspatch uitbrengen en daarover communiceren aan klanten.

Het NCSC is dan weer met handen en voeten gebonden door wetgeving en ethische overwegingen: misschien wenst de Rijksoverheid zich in beginsel niet wil te mengen in private aangelegenheden. En ICT-beveiliging van private organisaties is en blijft in beginsel een private aangelegenheid.

De situatie rondom CVE-2019-11510 toont echter aan dat die verantwoordelijkheid bij private organisaties nog onvoldoende effectief wordt gedragen, ook bij organisaties die competente IT-beveiligers in dienst hebben (zo weten we beroepshalve). Hoe de huidige situatie zich laat verklaren is niet duidelijk — het zou een onderwerp kunnen zijn voor een (wetenschappelijk?) evaluatieonderzoek.

Het idee is niet nieuw, maar misschien zou het NCSC of een ander (Rijks)overheidsorgaan de ruimte/bevoegdheid moeten krijgen om Nederlandse IP-adresruimte bij (uitsluitend) zeer ernstige kwetsbaarheden in internet-facing producten onder voorwaarden proactief te testen (of laten testen) op kwetsbare systemen. Een centraal contactlijstje met CISOs van MKB en grootbedrijven zou daarbij kunnen helpen, als dat niet reeds bestaat.

Het opent wel een can of worms:

  • Risico’s
    • Wat als een privaat systeem uitvalt door een test die de overheid uitvoert? (of laat uitvoeren)
    • Hoe weet je dat een IP-adres(blok) op het tijdstip van een test nog in gebruik is door organisatie X, en alleen door die organisatie?
    • Hoe om te gaan met blacklisting/whitelisting van IP-adressen waarmee de overheid test?
  • Privacy
    • Wat als grondig/zorgvuldig testen met zich meebrengt dat gebruikersgegevens worden uitgelezen, al is het maar een beetje?
    • In hoeverre is het mogelijk om op een betrouwbare/robuuste manier de IP-adresruimte die door individuele burgers wordt gebruikt (dus niet bedrijfsmatig door een organisatie) buiten de scan te laten?
  • Taakopvatting van de overheid
    • Vinden we dit wel/niet een taak voor de overheid?
    • Is er een minder inbreukmakend middel waarmee hetzelfde doel kan worden bereikt?
    • Zou het voor private organisaties opt-in of opt-out moeten zijn?
    • Hoe om te gaan met gevallen waarbij een private organisatie ook na melding door de overheid een kwetsbaar systeem niet patcht?
    • Welke kwetsbaarheden wel testen, welke niet?
    • Hoe weten we dat de overheid de gevonden kwetsbaarheden niet zelf uitbuit voor (andere) overheidsbelangen zoals opsporings- en inlichtingenwerk? (misschien geen groot punt van zorg; maar het kan niet buiten beschouwing blijven.)

Misschien eist actief testen op kwetsbaarheid door de Rijksoverheid een verandering in wetgeving. Dat is dan een kluif voor juristen en/of politiek.

Tot slot als quick-reference het lijstje met affected en non-affected versies van Pulse Connect Secure en Pulse Policy Secure (bron: SA44101):

SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities
resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

Affected Versions:
Pulse Connect Secure 9.0R1 - 9.0R3.3
Pulse Connect Secure 8.3R1 - 8.3R7
Pulse Connect Secure 8.2R1 - 8.2R12
Pulse Connect Secure 8.1R1 - 8.1R15
Pulse Policy Secure 9.0R1 - 9.0R3.3
Pulse Policy Secure 5.4R1 - 5.4R7
Pulse Policy Secure 5.3R1 - 5.3R12
Pulse Policy Secure 5.2R1 - 5.2R12
Pulse Policy Secure 5.1R1 - 5.1R15

Not Affected:
Pulse Connect Secure 9.1R1 and above
Pulse Connect Secure 9.0R4 & 9.0R3.4
Pulse Connect Secure 8.3R7.1
Pulse Connect Secure 8.2R12.1
Pulse Connect Secure 8.1R15.1 
Pulse Policy Secure 9.1R1 and above
Pulse Policy Secure 9.0R4 & 9.0R3.4
Pulse Policy Secure 5.4R7.1
Pulse Policy Secure 5.3R12.1
Pulse Policy Secure 5.2R12.1
Pulse Policy Secure 5.1R15.1

P.S. 1: wie klant is bij een cyberverzekeraar en vier maanden lang een kritieke beveiligingspatch op een internet-facing systeem niet installeert hoeft bij een compromittering waarschijnlijk niet te rekenen op een uitkering. Lees meer: ‘Vlijt en naarstigheid’ in een digitale wereld: eigen schuld en beredding in de context van de cyberverzekering (.pdf) van mr. N.M. Brouwer in AV&S 2019/23, augustus 2019.

P.S. 2: Pulse Secure-productversies die later kwetsbaar bleken hebben begin 2018 in de VS een Common Criteria-certificering gekregen. Daarmee zijn die versies goedgekeurd voor gebruikt in bepaalde gevoelige(re) omgevingen in de VS. Een positieve resultaat van een Common Criteria-certificeringstraject, zoals in Nederland uitgevoerd door het AIVD-NBV en onder het BSPA-programma via geaccrediteerde bedrijven, betekent niet dan een product foutloos is. Het komt vaker voor dat in goedgekeurde producten kwetsbaarheden worden gevonden — ook ernstige. Dat houdt verband met scoping, beschikbare tijd, kennis, vaardigheden, apparatuur, documentatie, en (on)beschikbaarheid van broncode. Iets dat in de nabije toekomst weer ‘s zelfstandig aandacht verdient.

* Het publiceren van deze blogpost — terwijl er nog kwetsbare systemen zijn — gebeurt met gemengde gevoelens. Bad Packets heeft al gepubliceerd dat wereldwijd liefst 14.500 (!) kwetsbare instances actief zijn. Mede daarom lijkt verder wachten ons, en de personen bij wie we een zienswijze hebben gevraagd, méér onverantwoordelijk dan nu naar buiten te treden met de actuele aantallen; zonder daarbij IP-adressen of namen van organisaties te benoemen.

Detecting corruption & money laundering: 72 potential indicators, from the perspective of Financial Intelligence Units (FIUs)

Front page of public summary document released by the Egmont Group.

The Egmont Group (Twitter: @EGFIU) is a platform for exchange of expertise and financial intelligence that consists of 164 (!) Financial Intelligence Units (FIUs) worldwide. In mid-July 2019, it released a public summary (.pdf, 22 pages; mirror) of the “FIU Tools and Practices for Investigating Laundering of the Proceeds of Corruption”. The release stems from an initiative started by the FIUs of Israel (IMPA), the Netherlands (FIU-Nederland), Russia (Rosfinmonitoring) & Ukraine (SFMS).

The summary provides, notably, a list of 72 indicators (pp.16-22; a ‘checklist’, if you will) to identify possible cases of corruption and money laundering. Be reminded that the latter is also relevant to combat terrorist financing. The indicators are grouped as follows:

  • Indicators of Corruption in Public Procurement
  • Indicators of Unexplained Wealth or Income
  • General Indicators

They serve as potential triggers for FIU investigations and can be used by banks and accountancy firms — but investigative journalists (‘follow the money’) and others may also want to take note. For the latter and other purposes I (re)post the indicators below as quick reference.

NOTE #1: there is no substitute for reading original documents in full, so do read the original public summary in full. Context always matters.

NOTE #2: for some historic reading and background on FIUs, see the IMF publication Financial Intelligence Units: An Overview (.pdf, 2004, 149 pages; mirror).


Egmont Group Set of Indicators for Corruption Related Cases From the FIUs’ Perspective

Indicators of Corruption in Public Procurement

  1. Services provided to state-owned companies or public institutions by shell companies, offshore companies or formations, companies in registration offices or P.O. companies.
  2. Services provided to state-owned companies or public institutions by companies registered in high-risk jurisdictions.
  3. Long-term contracts are repeatedly awarded to the same subcontractor, or a certain legal entity or legal arrangement consistently winning a majority of the largest contracting authority tenders/public procurement bids.
  4. The issuance of unreasonable specifications for the performance of the contract (including restrictive conditions for the location of the contractor, restrictive conditions for the materials needed for the performance of the contract, particularly tight deadlines, etc.) by the procuring authority.
  5. Subcontractors have common director(s), beneficial owner(s) and/or are related with the management of the contractor.
  6. Subcontractors/intermediaries brought in on business deals once a contract has already been agreed and for no obvious reason.
  7. Contractors, subcontractors or their counterparties (within the timeframe for completion of the state contract) are linked by address, telephone number, IP-address, etc.
  8. Procurement projects which are funded through loan agreements by governing bodies such as development institutions but where the eventual tender price put out is significantly higher than the loan amount requested.
  9. Deposits in public officials’ accounts with checks issued by construction companies, individuals or non-governmental entities that previously benefited from public works contracts.
  10. Legal entities with little or limited experience receiving highly complex and technical government contracts/projects (not compatible with the size or experience of the entity) or receiving government contracts/projects that are not related to their field of business.
  11. A certain legal entity or arrangement, which is a contractor to a state-owned company, usually receives payments of higher amounts for goods or services which normally should cost less (when compared to the normal market prices for equivalent products or services).
  12. Funds received by a contractor of public procurements are not spent within a reasonable timeframe to fulfil the contract needs.
  13. Checks issued in favor of public officials and come from accounts of persons that benefited from public procurements/funds, without an evident justification.
  14. Checks issued by a public entity being cashed out and subsequently deposited to accounts of public officials or entities related to public officials.
  15. Public officials, especially those having a role in government contract management or public procurement of high-value assets, receive funds transfer instructions:
    • from business and/or personal accounts, where these funds appear to be excessive in value;
    • according to in-built distribution methods or contractors or intermediaries;
    • from distributors used at the request of the contracting party;
    • according to existence of rebate arrangements, particularly if agreed outside the contract;
    • under requirements to obtain licenses and other government permits as a pre-requisite of doing business.
  16. Use of third parties, such as contractors, consultants, vendors, suppliers and advisor/intermediaries, in order to facilitate procurement contracts fulfilment:
    • Requests for compensation not explicitly contemplated in the third party contract
    • Requests that payments be made to different third parties
    • Third party requests for charitable or political contributions
    • A third party is in a different line of business than that for which it is engaged
    • The third party has little or no experience in the relevant industry or activity
    • The third party does not have an office in the country where services will be performed
    • The third party was recently formed or incorporated
    • The third party has poor financial stability or credit record
    • The third party has a high level of reliance on subcontractors or intermediaries (so-called “fourth parties”)
    • The third party became part of a transaction at the express request or insistence of a public official
    • The third party is recommended or referred by a public official
    • Third party commissions are unreasonably large or based on inaccurate or incomplete invoices
  17. Contracting party issues commercial cards to individuals that are not employees of contracting party and are used to purchase luxury goods, make payments for high-cost services or other transactions that are not normal business expenses.
  18. Payments based on a public procurement contract are conducted at a price higher than originally contracted.
  19. Payments conducted according to public procurement contracts where there was only a single bid for a government procurement tender, which signals a lack of competition and closed access.
  20. Receipt of commission or fees before signing of agreement for services or carrying out a function or process in relation to public procurement contract.
  21. Commissions, interest or payments under commercial terms of public procurement contract are increased, reduced or restructured in a manner that is not commercially viable.
  22. Repeated or subsequent purchases of low-quality goods, works and services at market prices of goods of higher quality or purchases of goods, works and services at higher than market prices.
  23. Payments for goods according to public procurement contracts without delivery of such goods to customs territory of the country.
  24. Payments are conducted to accounts of providers of goods, works and services, which are opened in countries different from where such goods, works and services are originated or provided.

Indicators of Unexplained Wealth or Income

  1. The subjects in a transaction are domestic or foreign public officials and receive and/or send unusually large amounts of funds in different currencies.
  2. Funds received in accounts of persons, legal entities, or legal arrangements with no visible connection to public officials, but known to be controlled by such, or persons related to them (a frontman, a strawman, or legal entity established to conceal the beneficial ownership), where the funds have been sent by a shell company. The additional information provided with regard to the funds refers to “loans”, “investment purposes”, or “purchase of real estate property”, or otherwise reveal an irreconcilable conflict of interest involving commercial business between a private enterprise and a public official.
  3. Representative of a public official (i.e. lawyer, secretary, accountant) opens account and purchases expensive property or luxury goods with the express intent of bypassing Customer Due Diligence (CDD) process screening for public officials.
  4. “Straw men” (especially in the remittance sector) can be used to obfuscate the beneficial ownership of the assets by involving public officials’ employees i.e. cleaner/ gardener/driver. Usually, the funds received on the accounts of such straw men significantly exceed their legitimate employment income.
  5. Public officials receive or purchase shares (or the option to purchase shares):
    • In a company in exchange for services; or
    • In a company where the purchase is financed by the vendor; or
    • In a company where the purchase price is below the net asset value of the company; or
    • In a company and receives a dividend from the company which is disproportional to the purchase price; or
    • Which give the right to sell shares at a price which is higher than either the current market value or the price at which the shares were purchased; or
    • And profit from a share transaction where the purchase and selling dates of shares are within a short time period.
  6. Public officials receive loan guarantees from a public corporation or government body, or a loan under favorable conditions.
  7. Public officials receive large amounts of money for their attendance in workshops, conferences or as consultants to projects, in order to disguise the origin of the funds from being seen as a payment of corruption.
  8. Public officials receive debt forgiveness or repayment requirements are waived by the creditor.
  9. Public officials perform transactions with sovereign wealth funds or government-linked companies.
  10. Misrepresentation and/or inconsistency between the declared source of wealth of public officials through their sworn asset declarations, and those established during the due diligence process.
  11. Public officials have purchased virtual assets in a total amount higher than their legally declared income.
  12. The purchase of goods or services, or transfer of payments, or the receipt of any other benefits (i.e. rental payments, school fees, chauffeur fees, fees for private healthcare, funding of private jets, consultancy fees, high commissions, etc.) for or on behalf of a public official, from the contracting authority, or a contractor in the period of the execution of the state contract.
  13. Transactions that take place in accounts of public officials involving cash deposits or withdrawals in unusual frequency and amounts.
  14. Incoming transactions from foreign jurisdictions (specifically from high-risk jurisdictions) on accounts of public officials, which are intended for real estate purchases or purchases of high-value or luxury goods, typically contain no additional information about the transaction itself, and the necessary remittance information is vague (e.g. refers to ‘consultancy fees’). Such situations result in a lack of transparency with regard to the transaction and difficulty determining the source of funds.
  15. Purchases or leases of movable or immovable assets by public officials which do not coincide with the subject’s income.
  16. The use of hawala type mechanisms (especially through the remittance sector) by public officials to move money abroad.
  17. Fixed Term Deposit Certificates made by companies with the main purpose that the capital and interest generated from the investment should be transferred immediately to accounts of a political party.
  18. Cash deposits with no rationale:
    • Credit card/ home loan applications (even if declined) are useful to find out what the public official earns versus what is deposited into their account; or
    • Cash deposits made into the same public official’s account from different locations.
  19. The immediate transfer of funds from a private entity’s account to a personal account of a public official and the subsequent movement of the funds to third party accounts. These funds are eventually moved abroad, which indicates the use of the aforementioned accounts as a temporary node. Some of the persons in the described chain may deduct a percentage of the amount before transferring it further, which indicates that these persons have received a commission for their services.
  20. Incoming cash or electronic transfers from different external sources on accounts of public officials are later spent at online gambling sites – credit from the same site or different online gambling sites can then be seen.
  21. Transferring of funds from accounts of public officials to high-risk vehicles abroad, such as corporate trusts.
  22. Public officials establish legal entities or legal arrangements, which have purchased land and buildings of significant value (as is evident from their accounting documents), despite the absence of any other commercial activity, or without a justifiable source of funds.
  23. Public officials have made cash transactions involving large amounts (e.g. currency exchange, use of cash to purchase high value goods, etc.).
  24. Transaction payments of unusual amounts or frequency from public officials to lawyers, accountants, or other professional intermediaries.
  25. Payments in favor of public officials are made to facilitate or expedite a government service.
  26. Use of state funds to purchase shares in private companies or private companies belonging to public officials, at prices above market value.
  27. Issuance of sovereign debt to public officials or entities known to be controlled by them, at interest rates above the prevailing market rate.
  28. Use of Joint Venture (JV) structures for government contracts in which public officials or a company belonging to them are silent partners. For example, in a JV between a state-owned company and a private company, a third silent shareholder owned or controlled by a public official is inserted in order to allow the public official to take a share of the profit.
  29. Payments by entities to NPOs that public officials are known to be associated with.
  30. A transaction or financial activity, which involves foreign nationals with no significant link (apart from the financial) to the country where the transactions took place. These foreign nationals are known to be active consultants or employees of lobbying organizations and are sometimes reluctant to explain the source of wealth/funds or give unsatisfactory explanations.
  31. Financial flows, which reveal complex financial mechanisms and intervention by foreign legal entities or arrangements, are received in an account in another jurisdiction, where the account is related to a public official.
  32. International transfer from the Treasury of a foreign country to shell companies, to entities with no public profile, or no physical or online presence, or to individuals who are not known employees of the government.
  33. The stated source of wealth of funds received to an account of a public official may be inconsistent with the client’s stated career history, expertise, or age. In this regard a mismatch may exist between the applicant’s stated career history and their total net worth.
  34. Transactional activity usually characterized by first party payments to and from accounts in the same name or between offshore company and trust structures (linked or known to be linked to public officials).
  35. Customer, especially when it is a public official, transferring funds to/from other public officials, including law enforcement officers.

General Indicators

  1. Open source information, which can relate specific financial activity to ongoing investigations into individuals, and concerns about corruption.
  2. An entity that receives public contracts and its legal representative/s appear in media reports, which link/s him/her/them to corruption or other financial crimes.
  3. Payments made by contractors for consultancy services, particularly in industries with a higher risk to corruption, such as arms, mineral extraction, telecoms, public infrastructures, where the amount paid appears to be outside the normal price range for consultancy services.
  4. A fiduciary service company which set up the structure for the applicant may be the subject of negative press reporting.
  5. Close family members or associates of public officials are appointed as senior management officials in private companies without meeting the necessary requirements for taking up the position or the hire’s salary or compensation package is not commensurate with market conditions.
  6. Applicant wants to open an account with an unnecessarily complex structure of economic and beneficial ownership possibly involving eclectic wealth planning arrangements or bearer share companies (known to be linked to a public official).
  7. Applicant (who is a public official) expresses urgency on an application (e.g. completion on a mortgage or other time critical transaction).
  8. Explanations for transactions may include the use of words and phrases often used as euphemisms for bribes (for example commission, marketing fees, surcharge, etc.).
  9. Public officials increase their standard of living after the expiration of the officials’ mandate without any legally justifiable reasons. Another possibility would be an inability or refusal by these persons to provide a credible account regarding how the wealth was generated or to provide corroborative support for the source of wealth. In other cases, the corroborative documentation provided raises concerns about authenticity or is otherwise inconsistent with the source of wealth statement.
  10. Opaqueness of government business schemes used to encourage diversity, which should be overtly transparent.
  11. Companies which pay other firms to perform logistical roles in countries where there is a high degree of perceived corruption and which they could perform themselves, in order to transfer the risk to the other firm.
  12. Companies changing the terms of agreements and definitions of intermediaries to avoid registration and regulatory oversight in other countries.
  13. Company wins a public tender with short submission period (i.e. number of days between publication of a call for tenders and the deadline for submission of the bid).

EOF

The Twenty-Five Rules of Disinformation — H. Michael Sweeney, 2001

Here’s a shameless rip of Twenty-Five Ways To Suppress Truth: The Rules of Disinformation (last updated 2001) as permitted by the copyright notice of its author H. Michael Sweeney (Twitter: @PPPBooks). Reasons for reposting it on my blog are that 1) it has gained renewed relevance in recent years, and 2) Lots of Copies Keeps Stuff Safe. I left out references to the author’s original domain (proparanoid dot com) because it is no longer under his control.

Click here to jump directly to the 25 rules, each with explanation, an example, and a proper response.

Quick overview:

  1. Hear no evil, see no evil, speak no evil
  2. Become incredulous and indignant
  3. Create rumor mongers
  4. Use a straw man
  5. Sidetrack opponents w name calling, ridicule
  6. Hit and Run
  7. Question motives
  8. Invoke authority
  9. Play Dumb
  10. Associate opponent charges with old news
  11. Establish and rely upon fall-back positions
  12. Enigmas have no solution
  13. Alice in Wonderland Logic
  14. Demand complete solutions
  15. Fit the facts to alternate conclusions
  16. Vanish evidence and witnesses
  17. Change the subject
  18. Emotionalize, Antagonize, and Goad
  19. Ignore facts, demand impossible proofs
  20. False evidence
  21. Call a Grand Jury, Special Prosecutor
  22. Manufacture a new truth
  23. Create bigger distractions
  24. Silence critics
  25. Vanish

 

Twenty-Five Ways To Suppress Truth: The Rules of Disinformation

by H. Michael Sweeney
[…]
(c) 1997, 2000, 2001 All rights reserved

Permission to reprint/distribute hereby granted for any non commercial use provided information reproduced in its entirety and with author information in tact. […]

Built upon Thirteen Techniques for Truth Suppression by David Martin, the following may be useful to the initiate in the world of dealing with veiled and half-truth, lies, and suppression of truth when serious crimes are studied in public forums. This, sadly, includes every day news media, one of the worst offenders with respect to being a source of disinformation. Where the crime involves a conspiracy, or a conspiracy to cover up the crime, there will invariably be a disinformation campaign launched against those seeking to uncover and expose the truth and/or the conspiracy. There are specific tactics which disinfo artists tend to apply, as revealed here. Also included with this material are seven common traits of the disinfo artist which may also prove useful in identifying players and motives. The more a particular party fits the traits and is guilty of following the rules, the more likely they are a professional disinfo artist with a vested motive. People can be bought, threatened, or blackmailed into providing disinformation, so even “good guys” can be suspect in many cases.

A rational person participating as one interested in the truth will evaluate that chain of evidence and conclude either that the links are solid and conclusive, that one or more links are weak and need further development before conclusion can be arrived at, or that one or more links can be broken, usually invalidating (but not necessarily so, if parallel links already exist or can be found, or if a particular link was merely supportive, but not in itself key) the argument. The game is played by raising issues which either strengthen or weaken (preferably to the point of breaking) these links. It is the job of a disinfo artist to interfere with these evaluation… to at least make people think the links are weak or broken when, in truth, they are not… or to propose alternative solutions leading away from the truth. Often, by simply impeding and slowing down the process through disinformation tactics, a level of victory is assured because apathy increases with time and rhetoric.

It would seem true in almost every instance, that if one cannot break the chain of evidence for a given solution, revelation of truth has won out. If the chain is broken either a new link must be forged, or a whole new chain developed, or the solution is invalid an a new one must be found… but truth still wins out. There is no shame in being the creator or supporter of a failed solution, chain, or link, if done with honesty in search of the truth. This is the rational approach. While it is understandable that a person can become emotionally involved with a particular side of a given issue, it is really unimportant who wins, as long as truth wins. But the disinfo artist will seek to emotionalize and chastise any failure (real or false claims thereof), and will seek by means of intimidation to prevent discussion in general.

Twenty-Five Rules of Disinformation ~

  1. Hear no evil, see no evil, speak no evil
  2. Become incredulous and indignant
  3. Create rumor mongers
  4. Use a straw man
  5. Sidetrack opponents w name calling, ridicule
  6. Hit and Run
  7. Question motives
  8. Invoke authority
  9. Play Dumb
  10. Associate opponent charges with old news
  11. Establish and rely upon fall-back positions
  12. Enigmas have no solution
  13. Alice in Wonderland Logic
  14. Demand complete solutions
  15. Fit the facts to alternate conclusions
  16. Vanish evidence and witnesses
  17. Change the subject
  18. Emotionalize, Antagonize, and Goad
  19. Ignore facts, demand impossible proofs
  20. False evidence
  21. Call a Grand Jury, Special Prosecutor
  22. Manufacture a new truth
  23. Create bigger distractions
  24. Silence critics
  25. Vanish

Eight Traits of The Disinformationalist ~

  1. Avoidance
  2. Selectivity
  3. Coincidental
  4. Teamwork
  5. Anti-conspiratorial
  6. Artificial Emotions
  7. Inconsistent
  8. Newly Discovered: Time Constant

It is the disinfo artist and those who may pull their strings (those who stand to suffer should the crime be solved) MUST seek to prevent rational and complete examination of any chain of evidence which would hang them. Since fact and truth seldom fall on their own, they must be overcome with lies and deceit. Those who are professional in the art of lies and deceit, such as the intelligence community and the professional criminal (often the same people or at least working together), tend to apply fairly well defined and observable tools in this process. However, the public at large is not well armed against such weapons, and is often easily led astray by these time-proven tactics. Remarkably, not even media and law enforcement have NOT BEEN TRAINED to deal with these issues. For the most part, only the players themselves understand the rules of the game.

This why concepts from the film, Wag-The-Dog, actually work. If you saw that movie, know that there is at least one real-world counterpart to Al Pacino’s character. For CIA, it is Mark Richards, who was called in to orchestrate the media response to Waco on behalf of Janet Reno. Mark Richards is the acknowledged High Priest of Disinformation. His appointment was extremely appropriate, since the CIA was VERY present at Waco from the very beginning of the cult to the very end of their days — just as it was at the People’s Temple in Jonestown. Richards purpose in life is damage control.

For such disinformationalists, the overall aim is to avoid discussing links in the chain of evidence which cannot be broken by truth, but at all times, to use clever deceptions or lies to make select links seem weaker than they are, create the illusion of a break, or better still, cause any who are considering the chain to be distracted in any number of ways, including the method of questioning the credentials of the presenter. Please understand that fact is fact, regardless of the source. Likewise, truth is truth, regardless of the source. This is why criminals are allowed to testify against other criminals. Where a motive to lie may truly exist, only actual evidence that the testimony itself IS a lie renders it completely invalid. Were a known ‘liar’s’ testimony to stand on its own without supporting fact, it might certainly be of questionable value, but if the testimony (argument) is based on verifiable or otherwise demonstrable facts, it matters not who does the presenting or what their motives are, or if they have lied in the past or even if motivated to lie in this instance — the facts or links would and should stand or fall on their own merit and their part in the matter will merely be supportive.

Moreover, particularly with respects to public forums such as newspaper letters to the editor, and Internet chat and news groups, the disinfo type has a very important role. In these forums, the principle topics of discussion are generally attempts by individuals to cause other persons to become interested in their own particular position, idea, or solution — very much in development at the time. People often use such mediums as a sounding board and in hopes of pollination to better form their ideas. Where such ideas are critical of government or powerful, vested groups (especially if their criminality is the topic), the disinfo artist has yet another role — the role of nipping it in the bud. They also seek to stage the concept, the presenter, and any supporters as less than credible should any possible future confrontation in more public forums result due to their early successes. You can often spot the disinfo types at work here by the unique application of “higher standards” of discussion than necessarily warranted. They will demand that those presenting arguments or concepts back everything up with the same level of expertise as a professor, researcher, or investigative writer. Anything less renders any discussion meaningless and unworthy in their opinion, and anyone who disagrees is obviously stupid — and they generally put it in exactly those terms.

So, as you read any such discussions, particularly so in Internet news groups (NG), decide for yourself when a rational argument is being applied and when disinformation, psyops (psychological warfare operations) or trickery is the tool. Accuse those guilty of the later freely. They (both those deliberately seeking to lead you astray, and those who are simply foolish or misguided thinkers) generally run for cover when thus illuminated, or — put in other terms, they put up or shut up (a perfectly acceptable outcome either way, since truth is the goal.) Here are the twenty-five methods and seven traits, some of which don’t apply directly to NG application. Each contains a simple example in the form of actual (some paraphrased for simplicity) from NG comments on commonly known historical events, and a proper response. Accusations should not be overused — reserve for repeat offenders and those who use multiple tactics. Responses should avoid falling into emotional traps or informational sidetracks, unless it is feared that some observers will be easily dissuaded by the trickery. Consider quoting the complete rule rather than simply citing it, as others will not have reference. Offer to provide a complete copy of the rule set upon request (see permissions statement at end):

Twenty-Five Rules of Disinformation ~

Note: The first rule and last five (or six, depending on situation) rules are generally not directly within the ability of the traditional disinfo artist to apply. These rules are generally used more directly by those at the leadership, key players, or planning level of the criminal conspiracy or conspiracy to cover up.

  1. Hear No Evil, See No Evil, Speak No Evil ~ Regardless of what you know, don’t discuss it — especially if you are a public figure, news anchor, etc. If it’s not reported, it didn’t happen, and you never have to deal with the issues.
    • Example: Media was present in the courtroom (Hunt vs. Liberty Lobby) when CIA agent Marita Lorenz ‘confession’ testimony regarding CIA direct participation in the planning and assassination of John Kennedy was revealed. All media reported was that E. Howard Hunt lost his libel case against Liberty Lobby (Liberty Lobby’s newspaper, The Spotlight, had reported Hunt was in Dallas that day and were sued for the story). See Mark Lane’s remarkable book, Plausible Denial, for the full confessional transcript.
    • Proper response: There is no possible response unless you are aware of the material and can make it public yourself.. In any such attempt, be certain to target any known silent party as likely complicit in a cover up. In this case, it would be the entire Time-Warner Media Group, among others. This author is relatively certain that reporters were hand-picked to cover this case from among those having intelligence community ties.
  2. Become Incredulous and Indignant ~ Avoid discussing key issues and instead focus on side issues which can be used show the topic as being critical of some otherwise sacrosanct group or theme. This is also known as the ‘How dare you!’ gambit.
    • Example: ‘How dare you suggest that the Branch Davidians were murdered! the FBI and BATF are made up of America’s finest and best trained law enforcement, operate under the strictest of legal requirements, and are under the finest leadership the President could want to appoint.’
    • Proper response: You are avoiding the Waco issue with disinformation tactics. Your high opinion of FBI is not founded in fact. All you need do is examine Ruby Ridge and any number of other examples, and you will see a pattern of abuse of power that demands attention to charges against FBI/BATF at Waco. Why do you refuse to address the issues with disinformation tactics (rule 2 – become incredulous and indignant)?
  3. Create Rumor Mongers ~ Avoid discussing issues by describing all charges, regardless of venue or evidence, as mere rumors and wild accusations. Other derogatory terms mutually exclusive of truth may work as well. This method which works especially well with a silent press, because the only way the public can learn of the facts are through such ‘arguable rumors’. If you can associate the material with the Internet, use this fact to certify it a ‘wild rumor’ from a ‘bunch of kids on the Internet’ which can have no basis in fact.
    • Example: ‘You can’t prove his material was legitimately from French Intelligence. Pierre Salinger had a chance to show his ‘proof’ that flight 800 was brought down by friendly fire, and he didn’t. All he really had was the same old baseless rumor that’s been floating around the Internet for months.’
    • Proper response: You are avoiding the issue with disinformation tactics. The Internet charge reported widely is based on a single FBI interview statement to media and a similar statement by a Congressman, neither of which had actually seen Pierre’s document. As the FBI is being accused in participating in a cover up of this matter and Pierre claims his material is not Internet sourced, it is natural that FBI would have reason to paint his material in a negative light. For you to assume the FBI to have no bias in the face of Salinger’s credentials and unchanged stance suggests you are biased. At the best you can say the matter is in question. Further, to imply that material found on Internet is worthless is not founded. At best you may say it must be considered carefully before accepting it, which will require addressing the actual issues. Why do you refuse to address these issues with disinformation tactics (rule 3 – create rumor mongers)?
  4. Use a Straw Man ~ Find or create a seeming element of your opponent’s argument which you can easily knock down to make yourself look good and the opponent to look bad. Either make up an issue you may safely imply exists based on your interpretation of the opponent/opponent arguments/situation, or select the weakest aspect of the weakest charges. Amplify their significance and destroy them in a way which appears to debunk all the charges, real and fabricated alike, while actually avoiding discussion of the real issues.
    • Example: When trying to defeat reports by the Times of London that spy-sat images reveal an object racing towards and striking flight 800, a straw man is used. The disinformationalist, later identified as having worked for Naval Intelligence, simply stated: ‘If these images exist, the public has not seen them. Why? They don’t exist, and never did. You have no evidence and thus, your entire case falls flat.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. You imply deceit and deliberately establish an impossible and unwarranted test. It is perfectly natural that the public has not seen them, nor will they for some considerable time, if ever. To produce them would violate national security with respect to intelligence gathering capabilities and limitations, and you should know this. Why do you refuse to address the issues with such disinformation tactics (rule 4 – use a straw man)?’
  5. Sidetrack Opponents with Name-Calling and Ridicule ~ This is also known as the primary ‘attack the messenger’ ploy, though other methods qualify as variants of that approach. Associate opponents with unpopular titles such as ‘kooks’, ‘right-wing’, ‘liberal’, ‘left-wing’, ‘terrorists’, ‘conspiracy buffs’, ‘radicals’, ‘militia’, ‘racists’, ‘religious fanatics’, ‘sexual deviates’, and so forth. This makes others shrink from support out of fear of gaining the same label, and you avoid dealing with issues.
    • Example: ‘You believe what you read in the Spotlight? The Publisher, Willis DeCarto, is a well-known right-wing racist. I guess we know your politics — does your Bible have a swastika on it? That certainly explains why you support this wild-eyed, right-wing conspiracy theory.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your imply guilt by association and attack truth on the basis of the messenger. The Spotlight is well known Populist media source responsible for releasing facts and stories well before mainstream media will discuss the issues through their veil of silence. Willis DeCarto has successfully handled lawsuits regarding slanderous statements such as yours. Your undemonstrated charges against the messenger have nothing to do with the facts or the issues, and fly in the face of reason. Why do you refuse to address the issues by use of such disinformation tactics (rule 5 – sidetrack opponents with name calling and ridicule)?’
  6. Hit and Run ~ In any public forum, make a brief attack of your opponent or the opponent position and then scamper off before an answer can be fielded, or simply ignore any answer. This works extremely well in Internet and letters-to-the-editor environments where a steady stream of new identities can be called upon without having to explain criticism reasoning — simply make an accusation or other attack, never discussing issues, and never answering any subsequent response, for that would dignify the opponent’s viewpoint.
    • Example: ”This stuff is garbage. Where do you conspiracy lunatics come up with this crap? I hope you all get run over by black helicopters.’ Notice it even has a farewell sound to it, so it won’t seem curious if the author is never heard from again.
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your comments or opinions fail to offer any meaningful dialog or information, and are worthless except to pander to emotionalism, and in fact, reveal you to be emotionally insecure with these matters. If you do not like reading ‘this crap’, why do you frequent this NG which is clearly for the purpose of such discussion? Why do you refuse to address the issues by use of such disinformation tactics (rule 6 – hit and run)?’
  7. Question Motives ~ Twist or amplify any fact which could be taken to imply that the opponent operates out of a hidden personal agenda or other bias. This avoids discussing issues and forces the accuser on the defensive.
    • Example: ‘With the talk-show circuit and the book deal, it looks like you can make a pretty good living spreading lies.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your imply guilt as a means of attacking the messenger or his credentials, but cowardly fail to offer any concrete evidence that this is so. If you think what has been presented are ‘lies’, why not simply so illustrate? Why do you refuse to address the issues by use of such disinformation tactics (rule 6 – question motives)?’
  8. Invoke Authority ~ Claim for yourself or associate yourself with authority and present your argument with enough ‘jargon’ and ‘minutia’ to illustrate you are ‘one who knows’, and simply say it isn’t so without discussing issues or demonstrating concretely why or citing sources.
    • Example: ‘You obviously know nothing about either the politics or strategic considerations, much less the technicals of the SR-71. Incidentally, for those who might care, that sleek plane is started with a pair of souped up big-block V-8’s (originally, Buick 454 C.I.D. with dual 450 CFM Holly Carbs and a full-race Isky cams — for 850 combined BHP @ 6,500 RPM) using a dragster-style clutch with direct-drive shaft. Anyway, I can tell you with confidence that no Blackbird has ever been flown by Korean nationals nor have they ever been trained to fly it, and have certainly never overflown the Republic of China in a SR or even launched a drone from it that flew over China. I’m not authorized to discuss if there have been overflights by American pilots.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your imply your own authority and expertise but fail to provide credentials, and you also fail to address issues and cite sources. You simply cite ‘Jane’s-like’ information to make us think you know what you are talking about. Why do you refuse to address the issues by use of such disinformation tactics (rule 8 – invoke authority)?’
  9. Play Dumb ~ No matter what evidence or logical argument is offered, avoid discussing issues except with denials they have any credibility, make any sense, provide any proof, contain or make a point, have logic, or support a conclusion. Mix well for maximum effect.
    • Example: ‘Nothing you say makes any sense. Your logic is idiotic. Your facts nonexistent. Better go back to the drawing board and try again.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. You evade the issues with your own form of nonsense while others, perhaps more intelligent than you pretend to be, have no trouble with the material. Why do you refuse to address the issues by use of such disinformation tactics (Rule 9 – play dumb)?’
  10. Associate Opponent Charges with Old News ~ A derivative of the straw man — usually, in any large-scale matter of high visibility, someone will make charges early on which can be or were already easily dealt with – a kind of investment for the future should the matter not be so easily contained.) Where it can be foreseen, have your own side raise a straw man issue and have it dealt with early on as part of the initial contingency plans. Subsequent charges, regardless of validity or new ground uncovered, can usually then be associated with the original charge and dismissed as simply being a rehash without need to address current issues — so much the better where the opponent is or was involved with the original source.
    • Example: ‘Flight 553’s crash was pilot error, according to the NTSB findings. Digging up new witnesses who say the CIA brought it down at a selected spot and were waiting for it with 50 agents won’t revive that old dead horse buried by NTSB more than twenty years ago.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your ignore the issues and imply they are old charges as if new information is irrelevant to truth. Why do you refuse to address the issues by use of such disinformation tactics (rule 10 – associate charges with old news)?’
  11. Establish and Rely Upon Fall-Back Positions ~ Using a minor matter or element of the facts, take the ‘high road’ and ‘confess’ with candor that some innocent mistake, in hindsight, was made — but that opponents have seized on the opportunity to blow it all out of proportion and imply greater criminalities which, ‘just isn’t so.’ Others can reinforce this on your behalf, later, and even publicly ‘call for an end to the nonsense’ because you have already ‘done the right thing.’ Done properly, this can garner sympathy and respect for ‘coming clean’ and ‘owning up’ to your mistakes without addressing more serious issues.
    • Example: ‘Reno admitted in hindsight she should have taken more time to question the data provided by subordinates on the deadliness of CS-4 and the likely Davidian response to its use, but she was so concerned about the children that she elected, in what she now believes was a sad and terrible mistake, to order the tear gas be used.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your evade the true issue by focusing on a side issue in an attempt to evoke sympathy. Perhaps you did not know that CIA Public Relations expert Mark Richards was called in to help Janet Reno with the Waco aftermath response? How warm and fuzzy it makes us feel, so much so that we are to ignore more important matters being discussed. Why do you refuse to address the issues by use of such disinformation tactics (rule 11 – establish and rely upon fall-back positions)?’
  12. Enigmas Have No Solution ~ Drawing upon the overall umbrella of events surrounding the crime and the multitude of players and events, paint the entire affair as too complex to solve. This causes those otherwise following the matter to begin to loose interest more quickly without having to address the actual issues.
    • Example: ‘I don’t see how you can claim Vince Foster was murdered since you can’t prove a motive. Before you could do that, you would have to completely solve the whole controversy over everything that went on in the White House and in Arkansas, and even then, you would have to know a heck of a lot more about what went on within the NSA, the Travel Office, and the secret Grand Jury, and on, and on, and on. It’s hopeless. Give it up.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your completely evade issues and attempt others from daring to attempt it by making it a much bigger mountain than necessary. You eat an elephant one bite at a time. Why do you refuse to address the issues by use of such disinformation tactics (rule 12 – enigmas have no solution)?’
  13. Alice in Wonderland Logic ~  Avoid discussion of the issues by reasoning backwards or with an apparent deductive logic which forbears any actual material fact.
    • Example: ‘The news media operates in a fiercely competitive market where stories are gold. This means they dig, dig, dig for the story — often doing a better job than law enforcement. If there was any evidence that BATF had prior knowledge of the Oklahoma City bombing, they would surely have uncovered it and reported it. They haven’t reported it, so there can’t have been any prior knowledge. Put up or shut up.’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. Your backwards logic does not work here. Has media reported CIA killed Kennedy when they knew it? No, despite their presence at a courtroom testimony ‘confession’ by CIA operative Marita Lornez in a liable trial between E. Howard Hunt and Liberty Lobby, they only told us the trial verdict. THAT, would have been the biggest story of the Century, but they didn’t print it, did they? Why do you refuse to address the issues by use of such disinformation tactics (rule 13 – Alice in Wonderland logic)?’
  14. Demand Complete Solutions ~  Avoid the issues by requiring opponents to solve the crime at hand completely, a ploy which works best with issues qualifying for rule 10.
    • Example: ‘Since you know so much, if James Earl Ray is as innocent as you claim, who really killed Martin Luther King, how was it planned and executed, how did they frame Ray and fool the FBI, and why?’
    • Proper response: You are avoiding the issue with disinformation tactics. It is not necessary to completely resolve any full matter in order to examine any relative attached issue. Discussion of any evidence of Ray’s innocence can stand alone to serve truth, and any alternative solution to the crime, while it may bolster that truth, can also stand alone. Why do you refuse to address the issues by use of such disinformation tactics (rule 14 – demand complete solutions)?
  15. Fit the Facts to Alternate Conclusions ~ This requires creative thinking unless the crime was planned with contingency conclusions in place.
    • Example: ‘The cargo door failed on Flight 800 and caused a catastrophic breakup which ruptured the fuel tank and caused it to explode.’
    • Proper response: The best definitive example of avoiding issues by this technique is, perhaps, Arlan Specter’s Magic Bullet from the Warren Report. This was eloquently defeated in court but media blindly accepted it without challenge. Thus rewarded, disinformationalists do not shrink from its application, even though today, thanks in part to the movie, JFK, most Americans do now understand it was fabricated nonsense. Thus the defense which works best may actually be to cite the Magic Bullet. ‘You are avoiding the issue with disinformation tactics. Your imaginative twisting of facts rivals that of Arlan Specter’s Magic Bullet in the Warren Report. We all know why the impossible magic bullet was invented. You invent a cargo door problem when there has been not one shred of evidence from the crash investigation to support it, and in fact, actual photos of the cargo door hinges and locks disprove you. Why do you refuse to address the issues by use of such disinformation tactics (rule 15 – fit facts to an alternate conclusion)?’
  16. Vanish Evidence and Witnesses ~ If it does not exist, it is not fact, and you won’t have to address the issue.
    • Example: ‘You can’t say Paisley is still alive… that his death was faked and the list of CIA agents found on his boat deliberately placed there to support a purge at CIA. You have no proof. Why can’t you accept the Police reports?’ This is a good ploy, since the dental records and autopsy report showing his body was two inches too long and the teeth weren’t his were lost right after his wife demanded inquiry, and since his body was cremated before she could view it — all that remains are the Police Reports. Handy.
    • Proper response: There is no suitable response to actual vanished materials or persons, unless you can shed light on the matter, particularly if you can tie the event to a cover up other criminality. However, with respect to dialog where it is used against the discussion, you can respond… ‘You are avoiding the issue with disinformation tactics. The best you can say is that the matter is in contention ONLY because of highly suspicious matters such as the simultaneous and mysterious vanishing of three sets of evidence. The suspicious nature itself tends to support the primary allegation. Why do you refuse to address the remaining issues by use of such disinformation tactics (rule 16 – vanish evidence and witnesses)?’
  17. Change the Subject ~ Usually in connection with one of the other ploys listed here, find a way to side-track the discussion with abrasive or controversial comments in hopes of turning attention to a new, more manageable topic. This works especially well with companions who can ‘argue’ with you over the new topic and polarize the discussion arena in order to avoid discussing more key issues.
    • Example: ‘There were no CIA drugs and was no drug money laundering through Mena, Arkansas, and certainly, there was no Bill Clinton knowledge of it because it simply didn’t happen. This is merely an attempt by his opponents to put Clinton off balance and at a disadvantage in the election: Dole is such a weak candidate with nothing to offer that they are desperate to come up with something to swing the polls. Dole simply has no real platform.’ Assistant’s response. ‘You idiot! Dole has the clearest vision of what’s wrong with Government since McGovern. Clinton is only interested in raping the economy, the environment, and every woman he can get his hands on…’ One naturally feels compelled, regardless of party of choice, to jump in defensively on that one…
    • Proper response: ‘You are both avoiding the issue with disinformation tactics. Your evade discussion of the issues by attempting to sidetrack us with an emotional response to a new topic — a trap which we will not fall into willingly. If you truly believe such political rhetoric, please drop out of this discussion, as it is not germane, and take it to one of the more appropriate politics NGs. Why do you refuse to address the issues by use of such disinformation tactics (rule 17- change the subject)?’
  18. Emotionalize, Antagonize, and Goad Opponents ~ If you can’t do anything else, chide and taunt your opponents and draw them into emotional responses which will tend to make them look foolish and overly motivated, and generally render their material somewhat less coherent. Not only will you avoid discussing the issues in the first instance, but even if their emotional response addresses the issue, you can further avoid the issues by then focusing on how ‘sensitive they are to criticism.’
    • Example: ‘You are such an idiot to think that possible — or are you such a paranoid conspiracy buff that you think the ‘gubment’ is cooking your pea-brained skull with microwaves, which is the only justification you might have for dreaming up this drivel.’ After a drawing an emotional response: ‘Ohhh… I do seem to have touched a sensitive nerve. Tsk, tsk. What’s the matter? The truth too hot for you to handle? Perhaps you should stop relying on the Psychic Friends Network and see a psychiatrist for some real professional help…’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. You attempt to draw me into emotional response without discussion of the issues. If you have something useful to contribute which defeats my argument, let’s here it — preferably without snide and unwarranted personal attacks, if you can manage to avoid sinking so low. Your useless rhetoric serves no purpose here if that is all you can manage. Why do you refuse to address the issues by use of such disinformation tactics (rule 18 – emotionalize, antagonize, and goad opponents)?’
  19. Ignore Proof Presented, Demand Impossible Proofs ~ This is perhaps a variant of the ‘play dumb’ rule. Regardless of what material may be presented by an opponent in public forums, claim the material irrelevant and demand proof that is impossible for the opponent to come by (it may exist, but not be at his disposal, or it may be something which is known to be safely destroyed or withheld, such as a murder weapon.) In order to completely avoid discussing issues, it may be required that you to categorically deny and be critical of media or books as valid sources, deny that witnesses are acceptable, or even deny that statements made by government or other authorities have any meaning or relevance.
    • Example: ‘All he’s done is to quote the liberal media and a bunch of witnesses who aren’t qualified. Where’s his proof? Show me wreckage from flight 800 that shows a missile hit it!’
    • Proper response: ‘You are avoiding the issue with disinformation tactics. You presume for us not to accept Don Phillips, reporter for the Washington Post, Al Baker, Craig Gordon or Liam Pleven, reporters for Newsday, Matthew Purdy or Matthew L. Wald, Don Van Natta Jr., reporters for the New York Times, or Pat Milton, wire reporter for the Associated Press — as being able to tell us anything useful about the facts in this matter. Neither would you allow us to accept Robert E. Francis, Vice Chairman of the NTSB, Joseph Cantamessa Jr., Special Agent In Charge of the New York Office of the F.B.I., Dr. Charles Wetli, Suffolk County Medical Examiner, the Pathologist examining the bodies, nor unnamed Navy divers, crash investigators, or other cited officials, including Boeing Aircraft representatives a part of the crash investigative team — as a qualified party in this matter, and thus, dismisses this material out of hand. Good logic, — about as good as saying 150 eye witnesses aren’t qualified. Then you demand us to produce evidence which you know is not accessible to us, evidence held by FBI, whom we accuse of cover up. Thus, only YOU are qualified to tell us what to believe? Witnesses be damned? Radar tracks be damned? Satellite tracks be damned? Reporters be damned? Photographs be damned? Government statements be damned? Is there a pattern here?. Why do you refuse to address the issues by use of such disinformation tactics (rule 19 – ignore proof presented, demand impossible proofs)?’
  20. False Evidence ~ Whenever possible, introduce new facts or clues designed and manufactured to conflict with opponent presentations — as useful tools to neutralize sensitive issues or impede resolution. This works best when the crime was designed with contingencies for the purpose, and the facts cannot be easily separated from the fabrications.
    • Example: Jack Ruby warned the Warren Commission that the white Russian separatists, the Solidarists, were involved in the assassination. This was a handy ‘confession’, since Jack and Earl were both on the same team in terms of the cover up, and since it is now known that Jack worked directly with CIA in the assassination (see below.)
    • Proper response: This one can be difficult to respond to unless you see it clearly, such as in the following example, where more is known today than earlier in time… ‘You are avoiding the issue with disinformation tactics. Your information is known to have been designed to side track this issue. As revealed by CIA operative Marita Lorenz under oath offered in court in E. Howard Hunt vs. Liberty Lobby, CIA operatives E. Howard Hunt, James McCord, and others, met with Jack Ruby in Dallas the night before the assassination of JFK to distribute guns and money. Clearly, Ruby was a coconspirator whose ‘Solidarist confession’ was meant to sidetrack any serious investigation of the murder AWAY from CIA. Why do you refuse to address the issues by use of such disinformation tactics (rule 20 – false evidence)?’
  21. Call a Grand Jury, Special Prosecutor, or Other Empowered Investigative Body ~ Subvert the (process) to your benefit and effectively neutralize all sensitive issues without open discussion. Once convened, the evidence and testimony are required to be secret when properly handled. For instance, if you own the prosecuting attorney, it can insure a Grand Jury hears no useful evidence and that the evidence is sealed an unavailable to subsequent investigators. Once a favorable verdict is achieved, the matter can be considered officially closed. Usually, this technique is applied to find the guilty innocent, but it can also be used to obtain charges when seeking to frame a victim.
    • Example: According to one OK bombing Federal Grand Juror who violated the law to speak the truth, jurors were, contrary to law, denied the power of subpoena of witness of their choosing, denied the power of asking witnesses questions of their choosing, and relegated to hearing only evidence prosecution wished them to hear, evidence which clearly seemed fraudulent and intended to paint conclusions other than facts actually suggested.
    • Proper response: There is usually no adequate response to this tactic except to complain loudly at any sign of its application, particularly with respect to any possible cover up. This happened locally in Oklahoma, and as a result, a new Grand Jury has been called to rehear evidence that government officials knew in advance that the bombing was going to take place, and a number of new facts which indicate it was impossible for Timothy McVeigh to have done the deed without access to extremely advanced explosive devices such as available ONLY to the military or intelligence community, such as CIA’s METC technology. Media has refused to cover the new Oklahoma Grand Jury process, by they way.
  22. Manufacture a New Truth ~ Create your own expert(s), group(s), author(s), leader(s) or influence existing ones willing to forge new ground via scientific, investigative, or social research or testimony which concludes favorably. In this way, if you must actually address issues, you can do so authoritatively.
    • Example: The False Memory Syndrome Foundation and American Family Foundation and American and Canadian Psychiatric Associations fall into this category, as their founding members and/or leadership include key persons associated with CIA Mind Control research. Read The Professional Paranoid or Phsychic Dictatorship in the U.S.A. by Alex Constantine for more information. Not so curious, then, that (in a perhaps oversimplified explanation here) these organizations focus on, by means of their own “research findings”, that there is no such thing as Mind Control.
    • Proper response: Unless you are in a position to be well versed in the topic and know of the background and relationships involved in the opponent organization, you are not well equipped to fight this tactic.
  23. Create Bigger Distractions ~ If the above does not seem to be working to distract from sensitive issues, or to prevent unwanted media coverage of unstoppable events such as trials, create bigger news stories (or treat them as such) to distract the multitudes.
    • Example: To distract the public over the progress of a WTC bombing trial that seems to be uncovering nasty ties to the intelligence community, have an endless discussion of skaters whacking other skaters on the knee. To distract the public over the progress of the Waco trials that have the potential to reveal government sponsored murder, have an O.J. summer. To distract the public over an ever disintegrating McVeigh trial situation and the danger of exposing government involvements, come up with something else (Flight 800?) to talk about — or, keeping in the sports theme, how about sports fans shooting referees and players during a game and the focusing on the whole gun control thing?
    • Proper response: The best you can do is attempt to keep public debate and interest in the true issues alive and point out that the ‘news flap’ or other evasive tactic serves the interests of your opponents.
  24. Silence Critics ~ If the above methods do not prevail, consider removing opponents from circulation by some definitive solution so that the need to address issues is removed entirely. This can be by their death, arrest and detention, blackmail or destruction of their character by release of blackmail information, or merely by destroying them financially, emotionally, or severely damaging their health.
    • Example: As experienced by certain proponents of friendly fire theories with respect to flight 800 — send in FBI agents to intimidate and threaten that if they persisted further they would be subject to charges of aiding and abetting Iranian terrorists, of failing to register as a foreign agents, or any other trumped up charges. If this doesn’t work, you can always plant drugs and bust them.
    • Proper response: You have three defensive alternatives if you think yourself potential victim of this ploy. One is to stand and fight regardless. Another is to create for yourself an insurance policy which will point to your opponents in the event of any unpleasantness, a matter which requires superior intelligence information on your opponents and great care in execution to avoid dangerous pitfalls (see The Professional Paranoid by this author for suggestions on how this might be done). The last alternative is to cave in or run (same thing.)
  25. Vanish ~ If you are a key holder of secrets or otherwise overly illuminated and you think the heat is getting too hot, to avoid the issues, vacate the kitchen.
    • Example: Do a Robert Vesco and retire to the Caribbean. If you don’t, somebody in your organization may choose to vanish you the way of Vince Foster or Ron Brown.
    • Proper response: You will likely not have a means to attack this method, except to focus on the vanishing in hopes of uncovering it was by foul play or deceit as part of a deliberate cover up.

EOF

Essay by Charles S. Viar: “The Dark Art: Intelligence, Counterintelligence, and the Mind of the State” (2009)

Repost of an essay from 2009 by Charles S. Viar (Twitter: @Charles_S_Viar), present chairman of the Center for Intelligence Studies in Washington D.C. (reposted here for layout reasons; in accordance with the copyright notice at the bottom of the essay):

THE DARK ART

Intelligence, Counterintelligence, and the Mind of the State

Charles S. Viar

Although the origins of intelligence have been lost in the mists of time, the practice is at least as ancient as warfare. In what is perhaps the oldest written reference to an intelligence operation, The Book of Numbers recounts God’s command that Moses dispatch a reconnaissance team to scout the Israelite advance upon the Promised Land:

Send thou men, that they may search the land of Canaan, which I give unto the Children of Israel. Of every tribe of their fathers shall ye send a man, everyone a ruler among them…

Had the Canaanites possessed an effective counterintelligence capability, the story of the Israelite assault might have ended differently. For even a minimal foreknowledge of their intentions and capabilities would have made it possible for the Canaanites to organize a more effective defense. But as may be inferred from the Bible, they failed to detect the operation directed against them.

For that, they paid a fearsome price.

II.

Narrowly defined as “evaluated information,” intelligence is a dynamic process that involves the collection, analysis, and dissemination of data to national policymakers and other government officials of lesser rank. Intelligence serves to forewarn them of likely actions, events, and developments within their sphere of responsibility; and aids in matching available resources to threats and opportunities alike. As such, it is the sine qua non of effective statecraft.

More broadly, intelligence also serves as a force-multiplier. Much as Archimedes Lever makes it possible to magnify mechanical force transmitted across space, covert and clandestine intelligence operations make it possible for states to enhance the power they project beyond their frontiers. History is littered with examples of small and middling states exercising disproportionate influence through the deft application of secret intelligence.

Given the enormous – and occasionally decisive – advantages conferred by effective intelligence in the Great Game of Nations, well-governed states seek to maximize the effectiveness of their own intelligence services and to protect themselves against hostile services deployed against them. Domestic security typically provides one level of defense, and counterintelligence another.

III.

Although counterintelligence has been recognized as an integral component of state security since the Chinese military scholar Sun Tzu published The Art of War in the Fourth or Fifth century BC, the concept remains muddled. For almost two and a half millennia, the term itself has defied definition.

According to James Angleton, the legendary former Chief of CIA Counterintelligence, the term is ineffable. Although Angleton’s Deputy Chief for Operations generally concurred, he believed counterintelligence could nonetheless be described in terms of core functions. Angleton’s Deputy Chief for Analysis, however, disagreed with both. According to Raymond G. Rocca, counterintelligence is self-defined: it applies to any action undertaken to counter, i.e., negate, the efforts of hostile intelligence services.

Having studied under all three of the practitioners listed above, the writer of this paper eventually concluded Rocca’s understanding is more nearly correct; and has since argued that counterintelligence can be best illustrated by contrast. Where counterespionage – or security – seeks to neutralize individual spies and spy rings, counterintelligence attempts to neutralize hostile intelligence services as a whole.

IV.

In a more perfect world, intelligence services would aspire to comprehensive coverage of their targets. But in actual practice, physical, organizational, political, and budgetary constraints have traditionally forced them to limit their collection activities to data pertaining to the targeted state’s organization, capabilities, and intentions. More recently, intelligence services have been tasked with gathering financial, economic, and technical data as well; and with the development of remote collection techniques, the amount of raw data collected by major intelligence services has become staggering in both scope and volume.

From a theoretical standpoint, intelligence collection and analysis should not be especially difficult. But given the fact that intelligence services routinely devote a substantial portion of their resources to deception operations designed to deceive their adversaries, the task is far more difficult than it first appears. Tables of organization and orders of battle can be faked, deployment patterns and readiness indicators manipulated, and communications traffic played for purpose. Indeed, almost any sort of intelligence data can be fabricated and fed to foreign intelligence services through sacrificial spies, dangles, false defectors, and dispatched agents.

This inherent vulnerability to hostile deception operations lays bare what Angleton formally referred to as the Epistemological Problem:

Given the fact that foreign intelligence services routinely mount large and carefully crafted deception operations against us, how can we know what we believe to be true is actually so?

In less guarded moments, he called it “That damnable question.”

V.

As intelligence practitioners will attest, it is a damnable question indeed. Nonetheless, there are two solutions to the problem – one partial, the other complete.

The first solution is to look at intelligence data in terms of a jigsaw puzzle extending across time. After fitting together as many of the pieces as possible, one may flag those that are known to be true beyond doubt. Subsequent pieces that fit with those may be presumed true, in the absence of contrary evidence.

Although this approach has considerable merit – including especially the way it facilitates intuitive judgments – the results it generates are both probabilistic and tentative. The likelihood that new data may significantly alter the pattern is high.

In contrast, the second solution can provide definitive answers – but only rarely, when two relatively unlikely events occur simultaneously: 1) a high-level penetration agent confirms the validity of specific intelligence data, and 2) a code break “backstops” the veracity of the confirming agent. In the world of intelligence, certainty depends upon serendipity.

The recruitment of high-level penetration agents is rare, and code breaks are even more so. They occur together perhaps once a decade, and when they do intelligence analysts emerge from their garrets to enjoy a brief moment of clarity. But when the agent is lost or the codes are changed, they are condemned to wander once more through what Angleton termed “The Wilderness of Mirrors” – an Epistemological Hell from which neither truth nor falsehood may be surely obtained.

VI.

Determining the validity of intelligence data thus depends in part on recruiting from the enemy’s ranks senior political office holders or high-ranking government officials, and in part upon breaking their codes. But once affected, these unlikely circumstances open a window to other intriguing possibilities – including, specifically, offensive counterintelligence operations designed to penetrate, infiltrate, and suborn the target’s intelligence service in order to play it back against the state it serves. The ultimate goal of such operations is to entice or provoke the targeted state into undertaking ruinous and self-destructive actions.

As Angleton observed, successful politicians and senior government officials are a remarkably homogenous lot. For the most part, they derive from roughly comparable social circumstances and share core formative experiences in common. They attend the same schools – or at least the same types of schools – and are imbued with the same canon. They also hold remarkably similar beliefs and values, and share certain characteristic attitudes regarding the larger world. Together these form something akin to a collective psyche, or what Angleton termed the “Mind of the State.”

If states have minds, they also have states of mind – and as with individuals, it is their state of mind that makes them most vulnerable to deception. For a state of mind is a predisposition to belief or action; and if that predisposition can be accurately gauged, tempting or provoking the targeted decision-makers to ruin becomes a plausible exercise in perception management.

VII.

If there is a single failing common to decision-makers throughout history, it is an excessive faith in intelligence. For reasons that remain obscure, decision-makers seem unable or unwilling to grasp the implications of the Epistemological Problem Angleton described. Despite ample warnings, they almost invariably place far more credence in intelligence reports than they deserve; and it is upon this most basic failing that offensive counterintelligence plays.

In The Art of War, Sun Tzu wrote “Supreme excellence is to subdue the enemy without fighting” and argued this end may best be achieved by manipulating the “Golden Threads” of intelligence – that is, the lines of communications that connect agents recruited from within the enemy’s camp to one’s own.  The first Golden Thread may be activated by sacrificing deliberately misinformed low-level agents for capture, dangling double agents for enemy recruitment, and dispatching false defectors to the enemy’s camp. The second is brought into play by querying the agent-in-place to determine how the enemy decision-makers have interpreted the false information they delivered. If the information evokes the intended state of mind, the false message can be reinforced by repeating the process in different ways. If not, it can be modulated until it does.

By these means offensive counterintelligence operations can create a false picture of reality in the minds of targeted decision-makers, much as an artist paints an image upon a sheet of canvass. Brush stroke by brush stroke, the attacking service can exploit the enemy intelligence service it suborned to systematically manipulate the Mind of the State.

VIII.

The many critics of offensive counterintelligence argue that strategic deception operations of the size and scale suggested above are far too complex and complicated to be practical, as they are doomed to eventually collapse under their own weight. The criticism is true at least in part, but nonetheless disingenuous. Intelligence operations of any sort have a relatively short shelf life; and unless shut down by those who initiated them or uncovered by their intended targets, they will ALL eventually collapse for similar cause.

Perhaps more to the point, modern history is strewn with examples of successful strategic deceptions including the TRUST operation of the 1920’s, which saved the nascent Soviet state from ruin; the Soviet-sponsored WIN operation that forced the United States to abandon its post-war efforts to liberate Eastern Europe; and the Anglo-American deception operation that made possible the successful invasion of Normandy in 1944. All of these operations were conducted in the manner outlined above, and each inflicted massive damage upon the states they targeted.

Unfortunately, the United States abandoned its national counterintelligence capability in December of 1974 – and with it, the ability to mount large-scale strategic deception operations. Redefined and re-envisioned by successive administrations, counterintelligence had been reduced to little more than a security function until the Clinton Administration partially resurrected it after disastrous and overlapping penetrations of the CIA and the FBI were uncovered in the 1990’s. Expanded and reorganized in the aftermath of 9-11, a National Counterintelligence Executive now exists as a semi-autonomous supervisory agency. And yet despite the many long overdue reforms that have been undertaken since 2001, U.S. counterintelligence remains hobbled by an obtuse and legalistic definition, conceptual confusion, tangled jurisdictions, and – above all – by institutional timidity. For while offensive counterintelligence operations are now officially recognized, they remain tightly controlled and rarely sanctioned. They are tactical operations, most often mounted in reprisal.

Despite ample modern precedents, strategic deception operations of the sort advocated by Sun Tzu and refined by Angleton remain beyond the pale. This is unfortunate and – for those that seek to limit the suffering caused by armed conflict – deeply disconcerting.

For in the Great Game of Nations, offensive counterintelligence remains the only plausible means for achieving victory without war. For if only in theory, it is the primary offensive instrument of state.
________________

Published by the Center for Intelligence Studies.
1016 K Street NE. Washington, DC. 20002
202 / 399-0292

Copyright 2009. This paper may be reproduced in part or in whole for civic or educational purposes, provided that context is preserved and full attribution is given

EOF