The chart on the screen looks like something out of a TV crime drama: an elaborate web of emails and phone numbers, some names and photos, all connected by a mesh of thin lines.
The man standing in front of the maze is an investigator. But if you met him at a bar, he’d probably tell you he’s a software engineer. That’s because his work is sensitive — but also, because he works for a tech company in Silicon Valley.
As more and more of our lives play out online, so do crimes. This has prompted major tech companies to start growing internal crime-fighting cyber teams, often staffing them with former law enforcement agents.
In this case, the man with the intense chart on his screen works for a security team called “the Paranoids” — a brand started almost 20 years ago by techies at Yahoo, now known as Oath after a merger with Verizon/AOL.
“This is basically a fraud ring that we identified out of South Africa,” says the investigator. (He spoke anonymously to protect his work.)
“We” refers to the “threat investigations unit” at Oath — a team of about 20 people that hunts for fraudsters, identity thieves, child predators and other criminals who might be using Yahoo Mail, messengers, Flickr, Tumblr or other corporate platforms for their illicit acts.
About a third of this team came to Silicon Valley by way of law enforcement — including the man in charge, Sean Zadig. His path to security work began as a federal agent, investigating international cybercrime at the NASA Office of Inspector General, tracking down hackers who tried to hijack NASA computers.
Sean Zadig runs the threat investigations team at Oath, formerly known as Yahoo. He talked about his team’s work at the Center for Long-Term Cybersecurity at the University of California, Berkeley in September.
This is an interesting trend: Silicon Valley has been slowly staffing up with former agents — from the FBI, the Secret Service, or in this case, NASA. The matter even came up at a recent congressional hearing on Russia’s influence campaign on social media, where a Republican lawmaker asked a Facebook executive why his company needed staff with security clearances.
In a way, it’s a reflection of modern crime. Criminals send emails, follow each other on Facebook, find victims on dating sites. Tech companies don’t want to be used for criminal schemes, and hiring highly trained federal investigators helps.
But there’s also something else.
“The government doesn’t always have the bird’s-eye view anymore,” says Tom Pageler, a former Secret Service agent, who’s now also in the tech industry.
He says it used to be that the government had more of our data: Social Security numbers, driver’s licenses, voter registration. Now, it’s private companies that know where we go online, who we’re talking to.
“I think that actually what is happening today is what we were hoping for back then,” Pageler says, referring to his days in the Secret Service in the early 2000s. There is now “a really good partnership, where well-trained individuals are going into the private industry and know how to investigate the case and package it properly for law enforcement to do what they need to do,” he says.
Charts on the walls
I met Zadig, the Oath threat investigations chief, at the company’s Sunnyvale headquarters for essentially a super nerdy ride-along, which is how I found myself staring at that intense chart.
“The chart shows who did what to whom, where they are located, how they are connected to each other,” he says.
His investigators can’t see the content of emails — that’s law enforcement warrant territory — but they can connect email accounts by seeing who’s emailing whom, or whether the same phone number gets used to sign up. They can then scour the Web for social networks or other public digital trails connected to those emails and phone numbers — trying to put emails to names, faces and locations. Occasionally, they find the suspects on Facebook posing with wads of cash.
“We will print these charts out 2, 3 feet wide and they’ll be longer than the conference room table,” Zadig says. “And we’ll often sit down with law enforcement prosecutors and walk them through: Here’s how this account connects to this account, here’s how we identified this person.”
Sometimes, Zadig says, his team would return later for a follow-up “and we’ll see these charts on the walls, law enforcement or prosecutors have marked on them, they’ve made new connections that we hadn’t made.” He says his team’s work has led to more than 150 arrests in about three years.
Zadig’s team usually comes in after something illegal already happened. This includes the giant hacks of Yahoo itself, which happened in 2013 and 2014 and were disclosed by the company in late 2016. The company has not been able to identify the 2013 hack, but for the 2014 breach, the Justice Department has indicted four people: a Canadian hacker, who has pleaded guilty, and three Russians, two of whom are accused as agents of the Russian government.
As a former federal agent, Zadig has a collection of these so-called challenge coins, which are exchanged by law enforcement agents during visits.
‘We are a private company’
Not all investigations end up being shared with law enforcement. Some spammers might simply be shut down by the internal team. Jasdeep Singh Bhalla, a software developer on Zadig’s team, showed me an automated search tool he’s been building for months to dig up all accounts one spammer might create using bots, allowing the team to shut them down in one fell swoop.
“In a matter of 30 seconds, you’ve got 70 associated accounts,” Singh Bhalla says, as a massive web of related accounts populates his screen. This is an extreme case: someone had created some 1,200 related accounts. “If you do this manually,” Singh Bhalla says, “it would take you two months to search.”
And here’s an example of how a case that does end up resulting in arrests might develop inside a tech company.
A few years back, a bank alerted Yahoo that someone was hacking into accounts and switching associated email addresses to Yahoo emails. But when Zadig’s team looked in, they found something else: subject lines indicating that numerous tax filings were being completed.
The bigger scheme was tax return fraud. Yahoo’s investigators could see dozens of Yahoo accounts created to file tax returns with various tax providers, indicating that numerous refunds were being issued and cashed out. (Two guys were later arrested as part of a massive identity-theft sweep in the Miami area.)
For law enforcement, this kind of information is only available with a search warrant — for each email account. They might have never connected these particular dots, and definitely not this fast.
And this can be a touchy comparison.
Here’s a point that Zadig made at least three times in two days: “We are not law enforcement; we work for a private company … We don’t want to be accused of being an agent of law enforcement, of doing things that would normally require a legal process.”
When I asked Zadig and Pageler — who’s now the chief risk and security officer at Neustar — why they’d left public service, both offered similar stories. Those had been dream jobs — Pageler even says he’d felt physically sick to leave the Secret Service. But the hours were extreme, the travel intense, the pay not as good — both men wanted a more family-friendly lifestyle.
When Pageler was a special agent, he established the San Francisco electronic crimes task force, meant to spur exactly what he says is happening now: better coordination and cooperation between the tech companies and the government. “It’s really pretty awesome for me to see,” he says. “I feel like we’re on the path that I was working for and I think it’s working very well.”
In this Nov. 30, 2016, photo, artwork and signatures cover a fence around Pulse nightclub, which was the scene of a mass shooting in Orlando.
The police response to the Pulse nightclub massacre in 2016 followed protocol, but more training and better coordination are needed moving forward, according to a new 200-page review from the Justice Department and the Police Foundation. The deadly mass shooting at what was a popular space for the LGBT community in Orlando left 49 people dead and dozens of others injured.
The report, which was requested by Orlando’s police chief, concluded that the response by that city’s police department was “consistent with national best practices and under extremely volatile and difficult circumstances.”
But there are areas where they could have done better, including coordination, organization and communication among first responders, as Brendan Byrne and Abe Aboraya, of member station WMFE, reported.
There was also little communication ahead of the explosive breach that would lead to the end of the nearly three-hour-long standoff. Many perimeter officers were caught off guard and unprepared to help survivors rescued by the SWAT team.
The report found many of the first responders were ill-equipped to protect themselves against the gunman. The body armor issued to patrol officers offered little protection from the shooter’s weapons. Orlando Police Chief John Mina said that’s changed in the wake of Pulse. “One of the things we did immediately after the Pulse shooting was outfit our officers with Kevlar helmets and additional body armor,” he said after the report’s release.
According to the report, Orlando Fire Department and EMS were not included in the command center. In fact, because of an outdated paging system, Orlando Fire Department’s chief didn’t arrive at the scene until after the shooter was killed.
— Brendan Byrne (@SpaceBrendan) December 18, 2017
The report calls for more training to better prepare local first responders for escalating terror attacks.
“There is no policy or piece of papers that would have saved lives,” Chief Mina said on Monday. “We adjust training tactics, not only with first responders but for tactical teams, but we are not going to put that on a piece of paper.”
This photo taken last month in San Juan, Puerto Rico, shows roofs damaged by Hurricane Maria and the interior of buildings still exposed to the elements.
An international human rights group, Refugees International, has issued a scathing report on the U.S. response in Puerto Rico to Hurricane Maria. The group says “poor coordination and logistics on the ground” by the Federal Emergency Management Agency and the Puerto Rican government “seriously undermined the effectiveness of the aid delivery process.”
Refugees International is an independent non-profit group that advocates on behalf of displaced people around the world. This was the first time the group had investigated a situation in the U.S.
When its team arrived in Puerto Rico, more than two months after the storm, Refugees International says it was surprised that the relief effort was “uncoordinated and poorly implemented.” The group says the poor response was “prolonging the humanitarian emergency on the ground.”
Puerto Rico was especially vulnerable to a disaster like a hurricane, the group says, because of its aging population, poorly maintained infrastructure and lack of emergency management assets, like helicopters and backup generators. “In light of these known limitations,” the report says, “it is troubling that it took five days before any senior federal official from the U.S. mainland visited the island.”
Comparing it with past natural disasters, such as the 2010 Haitian earthquake, the group found the U.S. response lacking. In Haiti, the group says 8,000 U.S. troops were deployed to the island within two days of the disaster. In Puerto Rico, it took 10 days for 4,500 U.S. troops to arrive. Central to FEMA’s problematic response, Refugees International says, is that the federal agency is designed to supplement local and state disaster response efforts. But in Puerto Rico, the group found, municipalities and the Commonwealth had “limited capacity and ability to respond.”
Now that immediate needs like food and water are taken care of, the group says, Puerto Rico’s greatest need is housing. Puerto Rico’s government says more than 472,000 homes were destroyed or badly damaged in Hurricane Maria. Months after the storm, Refugees International says, housing assistance provided by FEMA and the Puerto Rican government is not reaching the most vulnerable populations. Authorities have failed to distribute tarps and temporary roofs to all who need them, the group says. And the process for receiving assistance is complicated, confusing and poorly executed.
Responding to the Refugees International report, FEMA agreed that coordination of efforts in disaster response is vital. But FEMA said Puerto Rico’s devastation by the hurricane presented a difficult situation. “More than 1,000 nautical miles from the mainland United States with an already fragile infrastructure and facing challenging economic circumstances presented communication and logistical challenges unique to the situation.”
“We regret the loss of life after any disaster and our thoughts and prayers are with the family members affected by the devastation of Hurricane Maria. FEMA continues to work every day to bring back a sense of normalcy to Puerto Rico. …
“Unity of effort is required for disaster response and recovery on any scale, but especially during this historic season. When emergency managers call for unity of effort, we mean that all levels of government, non-profit organizations, private sector businesses, and survivors must work together – each drawing upon their unique skills and capabilities – to meet the needs of disaster survivors.”
Also Monday, Puerto Rico Gov. Ricardo Rossello announced he was ordering a review of all deaths in Puerto Rico following Hurricane Maria. Puerto Rico’s government has listed the official death toll from the hurricane at just 64. Independent reporting from journalists and statistical analyses with past years suggest that more than 1,000 deaths may have been due to Hurricane Maria.
Rossello said by law in Puerto Rico, the cause of death must be certified by a doctor or coroner, something not always possible in the chaos after the storm. Rossello has ordered Puerto Rico’s Demographic Registry and the Department of Public Safety to review all deaths to get “the most accurate count and understanding of how people lost their lives to fully account for the impact of these storms.” The governor has also called for the creation of an expert panel to look at how deaths are certified and make suggestions on how to improve the process in the future.
Matthew Petersen has withdrawn himself from consideration for a U.S. district court position.
Alex Wong/Getty Images
Matthew Petersen, who starred in an embarrassing video of his own confirmation hearing which showed him unable to answer some basic questions about trial procedures, has withdrawn his name from consideration to be a U.S. district court judge.
A White House official said Petersen withdrew his nomination, which the president has accepted.
Petersen was nominated to fill a vacancy on the district court in Washington D.C., an important posting. But during his confirmation hearing he was unable to answer a series of questions posed by Sen. John Kennedy, R-La.
Kennedy, interviewed by New Orleans TV station WWL, said Petersen, a graduate of the University of Virginia Law School, should not have been nominated for the influential position in the first place:
“Just because you’ve seen ‘My Cousin Vinny’ doesn’t qualify you to be a federal judge,” Kennedy said. “And he has no litigation experience. And my job on the judiciary committee is to catch him. I would strongly suggest he not give up his day job.”
Kennedy also said President Trump called him over the weekend to discuss the nomination. Kennedy said Trump told him that he had not met the nominee himself.
“He has told me, ‘Kennedy, when some of my guys send someone who is not qualified, you do your job,’ ” Kennedy added.
Petersen is a member of the Federal Election Commission, where he served with White House counsel Donald McGahn, who reportedly was behind Petersen’s nomination.
Petersen is the third Trump judicial nominee to withdraw his name from consideration in recent days. The White House said on Dec. 13 that the nominations of Brett Talley, rated “unanimously unqualified” by the American Bar Association; and Jeff Mateer, who reportedly said in 2015 that transgender children are part of “Satan’s plan,” would not “be moving forward.”
Charlottesville Police Chief Alfred Thomas listens earlier this month as an independent report on violence at a white supremacy rally is read at a news conference. Thomas announced his retirement Monday.
The Charlottesville, Va., police chief who faced an onslaught of national criticism over the department’s handling of deadly violence at a white nationalist rally in August, announced his retirement Monday.
In a statement, Chief Alfred Thomas wrote, “I will be forever grateful for having had the opportunity to protect and serve a community I love so dearly.”
City officials said Thomas’s departure would take effect immediately. They provided no explanation for the abrupt resignation by the law-enforcement veteran.
But Thomas had been under intense scrutiny for several months following the “Unite the Right Rally” — a demonstration by a coalition of white nationalist, white supremacist, and other Alt-Right groups from across the country — that ended in violence and the death of 32-year-old Heather Heyer. She was struck by a car while counter-protesting.
The bloody hit-and-run was captured on video and broadcast on news outlets for weeks.
An independent report issued earlier this month was sharply critical of Thomas’ leadership. The 220-page document found law enforcement and city officials made several significant mistakes on the day of the rally and in preceding months. It also called Thomas’ response to the escalating chaos “slow-footed.”
The report also said Thomas deleted text messages that were relevant to the independent investigation in the aftermath and created a climate wherein officers were made to feel fearful of retaliation for speaking with investigators. Thomas’ attorney has denied the claims.
Although he did not respond to any of the specific findings, Thomas released a statement saying, “My hope now is that, as we move forward … we can learn from the productive elements of this report, work together to address our shortcomings and recommit ourselves to serving the public in a way that gives our citizens the utmost confidence in their safety and wellbeing.”
Thomas, who was appointed to lead the police department in April 2016, will be succeeded in the interim by Deputy Chief Gary Pleasants.
The city will begin its search for a new chief immediately.
Eugene Kaspersky, founder and head of cybersecurity firm Kaspersky Lab, speaks in Berlin, Germany, last month. Kaspersky’s company filed a lawsuit against the Trump administration today.
Sean Gallup/Getty Images
Kaspersky Lab, a massive, Russian cybersecurity company, sued the Trump administration in U.S. federal court on Monday, arguing that the American government deprived it of due process rights when Homeland Security Secretary Elaine Duke banned its software from U.S. government agencies in September.
“Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” said the Department of Homeland Security’s September statement. “The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies.”
The DHS’s directive gave government agencies 30 days to identify any presence of Kaspersky products, 60 days to develop plans to remove them, and 90 days to execute the plans.
President Trump signed the ban into law last week as part of a broad defense policy bill.
“There are concerns on record and some that suggest there has been direct collaboration with certain officials from Kaspersky and from the FSB, which is of course the successor to the KGB,” Sen. Jeanne Shaheen, D-N.H., told NPR.
As NPR’s David Welna reported in September,
“Kaspersky Lab said it was disappointed by the decision to ban its products. It said the company has never helped any government anywhere with cyber-espionage and added that it’s, quote, ‘disconcerting that a private company can be considered guilty until proven innocent due to geopolitical issues.'”
Kaspersky Lab’s lawsuit also claims that the ban violates the Administrative Procedure Act and the Fifth Amendment. The Administrative Procedure Act controls how agencies like the DHS can establish regulations, and requires that agencies provide “substantial evidence” for their regulation decisions if questioned by a U.S. court.
The company’s founder, Eugene Kaspersky, issued an open letter condemning the DHS on Monday. “DHS has harmed Kaspersky Lab’s reputation and its commercial operations without any evidence of wrongdoing by the company,” he said.
The lawsuit was filed in the U.S. District Court for the District of Columbia.
Until recently, Kaspersky Lab was among NPR’s underwriters.