How CIA betrayed informants with shoddy front websites built for covert comms

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front …

  1. elDog

    Hiring contractors to do important/sensitive/deadly work without oversight and accountability

    I would say that you get what you paid for, but these contractors (their companies) are getting $200+/hour.

    And there is no accountability to the contractors or even the gov't COs who authorized the work. So if 1 or 10 or 20 assets were compromised - what's the penalty?

    1. ThatOne Silver badge
      Unhappy

      Re: Hiring contractors to do important/sensitive/deadly work without oversight and accountability

      > So if 1 or 10 or 20 assets were compromised - what's the penalty?

      None, apparently it's considered an occupational hazard (and they're foreigners anyway). Besides whoever knows a little History, knows CIA has proven many times not to care about their foreign agents. As a local, working for CIA or even helping them is a sure way to come quickly to a sticky end as you're considered utterly unimportant and disposable.

  2. Anonymous Coward
    WTF?

    I am reminded of

    The old proverb that the shoemaker's children go barefoot.

  3. Yet Another Anonymous coward Silver badge

    So which is worse

    That CIA, MI5, etc are all operating at about the level of efficiency you would expect from the driving licence agency

    OR all the official intelligence agencies are just a bluff to cover up the fact that there is some real secret government organisation (probably the MMB) that is so good at spying you've never heard of it?

    1. martinusher Silver badge

      Re: So which is worse

      It's only in the movies that three letter agencies are all seeing and all knowing. It's not that individual parts can do really clever work but the overall performance is about what you'd expect from a large, unwieldy, organization. This article is proof itself -- the idea of using innocent, generic, websites as a channel for covert communications is brilliant and must have been demonstrated in a proof of concept form at one time using a dummy password like "password". The complete lack of inspiration and finesse comes from the implementation, replicating potentially flawed techniques over numerous websites with no mechanism for monitoring for, and reporting, problems.

      Unless the sites were dummies, that is.

    2. Anonymous Coward

      Re: So which is worse

      I don't know about you, but here in Norway, the 'Driving License agency' people would already be deleting your license and marking your car as 'wrecked and crushed, no plates to be issued' for the insult of being compared to the CIA. Those guys are scary.

      Also, our E14 agency did a bang up job everywhere they went. No, you probably haven't heard about them. They were somewhat of a secret while they operated...

      1. J. Cook Silver badge

        Re: So which is worse

        > Also, our E14 agency did a bang up job everywhere they went. No, you probably haven't heard about them. They were somewhat of a secret while they operated...

        Since no one heard of them, I can only assume that they did a really good job?

        (kind of like the old gag of Not Being Seen, I think...)

        1. Trygve Henriksen

          Re: So which is worse

          You might want to read the wiki article about them.

          https://en.wikipedia.org/wiki/E_14_(Norway)

    3. JimboSmith Silver badge

      Re: So which is worse

      Should have stuck to Shortwave Numbers stations for transmission to the spies instead.

      https://en.wikipedia.org/wiki/Lincolnshire_Poacher_(numbers_station)

  4. An_Old_Dog Silver badge

    This Smells Like

    corrupt deals with shoddy contractors.

    1. iron Silver badge

      Re: This Smells Like

      No, it smells like typical government IT.

      Bought from the cheapest supplier by someone who had no understanding of what they wanted, what they bought or what was delivered.

      1. Anonymous Coward

        Re: This Smells Like

        more than likely... a bit of both

      2. veti Silver badge

        Re: This Smells Like

        Right. And because it's all Classified, the only person who's cleared to know what's actually going on - is either totally unqualified to run a Web design project, or criminally overworked having to run 40 of them at once.

  5. Anonymous Coward

    Devil....Spoon....and so on......

    Quote: "...websites built for covert comms..."

    Laughable really!! The so-called "intelligence services" really don't get it do they?

    ARPANET was NEVER designed to be secure.....and so it is with ARPANET's distant descendant...the internet.

    Here's a quote from a qualified observer...from 1999:

    - [Scott McNealy] "You have zero privacy anyway", https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    Or this in 2015:

    - [NSA quote] https://www.wired.com/2015/11/yes-the-nsa-worried-about-whether-spying-would-backfire/

    Yup...some of the observers out there (Scott McNealy, Edward Snowden to name two) have told us that there's a simple expression:

    INTERNET + SOFTWARE != PRIVACY

    Why the three-letter agencies think that this logic does not apply to their own operations is a mystery.

    But then again, arrogance might be an answer....

    I have some suggestions, and most of them involve little or no "technology":

    (1) One time pads

    (2) Dead letter boxes

    (3) Face time in public places (preferably away from CCTV)

    (4) Air gapped devices devoid of WiFi, Bluetooth etc

    (5) Mobiles mostly switched off (and mostly "burners")

    (6) Ban on "Find My" devices, or similar

    (7) Ban on "Ring" doorbells, or similar

    (8) ....and so on.......

    If you sup with the devil.....you need a (very) long spoon!!!!

    1. vtcodger Silver badge

      Re: Devil....Spoon....and so on......

      Anything you put on a computer connected to a public communications network is public knowledge?

      Yep. Sounds right to me. Even in the unlikely event that you don't screw up somehow in configuring your device(s), whoever you are talking to probably will expose your data. So any information you actually put on the network might as well be stamped on your forehead for all to read. And the network itself and its access tools are surely flawed. Maybe intentionally. So even the stuff you don't put on the network is probably vulnerable if anyone cares to do the work required to access it.

      My guess is that the Cloud folks and others who NEED a public network will spend the next few decades deploying increasingly complex and user hostile technologies to "protect" things. Plan A will be replaced by Plan B then Plan C and D and ... , eventually, Plan Z. None of them will really work. Users who can't tolerate external attacks will simply move most (or all if possible) of their operation off the public networks. Even private local networks may well be discouraged.

      What's Plan Z? Reduce attack surfaces -- dramatically. Externally managed Over The Air updates? Of course not. Scripting of HTML? Mostly gone -- maybe a tiny, well vetted, subset remains. Firmware updates? Hard to see how changing the underlying operation of your hardware can ever be compatible with security.

      That's very likely the future. It will not be all that much fun. We are living in the good old days of an internet that is perceived as being secure/securable. Enjoy it while it lasts. Which may not be all that long.

      1. Anonymous Coward

        Re: Devil....Spoon....and so on......

        and most of us have UEFI now too...

  6. Anonymous Coward

    If only they had not registered the sites and obtained certificates in the name of the CIA...

    Hmm... wonder if 'definitelynotcovertcomms.cia.gov' is available?

  7. Danny 2 Silver badge

    "more than two dozen sources died in China in 2011 and 2012"

    I'd assumed this article was about the late eighties, early nineties.

    I can explain why MI5/GCHQ were negligent in the first decade of this century, they were solely focussed on British peace protesters like me.

    1. Yet Another Anonymous coward Silver badge

      Re: "more than two dozen sources died in China in 2011 and 2012"

      Well by that point all their highly trained KGB senior officers had retired and the new bosses were presumably all Al Qaeda agents

      1. Anonymous Coward

        Re: "more than two dozen sources died in China in 2011 and 2012"

        I remember my old tutor tried to recruit me for the ministry of sound, of course he was going a bit senile by then

  8. goodjudge

    "Investigative research group Bellingcat"

    = security service asset Bellingcat. Even if you believe their supposed 'independent' origin story, if they were then they aren't now.

    1. MacroRodent

      Re: "Investigative research group Bellingcat"

      > if they were then they aren't now

      Any grounds for that claim?

      1. Anonymous Coward

        Re: "Investigative research group Bellingcat"

        https://indienewsnetwork.substack.com/p/beware-of-bellingcat-a-pro-war-propaganda

        https://www.wsws.org/en/articles/2016/10/13/bell-o13.html

        1. veti Silver badge

          Re: "Investigative research group Bellingcat"

          I took the trouble of reading those links.

          Well for you that you posted anon, or I'd be billing you for wasting my time.

          Sure, Bellingcat has links to the "security establishment". Of course it does. Anyone with a functional brain knows that. But if you don't know the difference between "independent" and "completely isolated", you should maybe learn.

      2. Peter2 Silver badge

        Re: "Investigative research group Bellingcat"

        If you look back on the Novichok poisoning affair a while back, IIRC the director general of MI5 claimed credit in a public speech afterwards for the wholesale dismantling of the Russian propaganda front story, turning it into a humiliation for Russia.

        The information that did this was released by Bellingcat. Ergo, it's reasonable to assume that either Bellingcat is usable to disseminate information to the public from the intelligence services via journalists in a "here's where you can publicly find verifiable information" manner rather than BBC press release saying "MI5 says..."

        ...Or the head of MI5 is a lying incompetent.

        My personal assumption would be some variant of the former rather than the latter.

        1. Yet Another Anonymous coward Silver badge

          Re: "Investigative research group Bellingcat"

          >MI5 claimed credit in a public speech afterwards for the wholesale dismantling of the Russian propaganda front story,

          You mean those 2 Russian agents weren't really cathedral enthusiasts visiting Salisbury?

          What a brilliant piece of intelligence work.

          Next they will be uncovering who the enemy were in WWII

    2. Anonymous Coward

      Re: "Investigative research group Bellingcat"

      I have no evidence at all, but I have always been suspicious of 'one man bands' who work out of a bedroom somewhere who always seem to only ever conveniently confirm or feed official narratives from governments who would like people to believe what they claim.

      They usually seem to be entities founded by those who share a perspective with the governments they align with, are often granted more credibility and authority than they perhaps deserve.

      The Syrian Observatory for Human Rights springs to mind.

  9. FlamingDeath Silver badge

    Unintelligent services

    Insecurity services

    That is all I have to say on this matter

  10. Anonymous Coward

    CIA?

    Central Incompetence Agency?

    Anonymous because I don't want them after me. Not that they'd be able to find me, but...

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: CIA?

        I read it. I just don't think that the CIA will be able to track me down. One of the other 3-letter agencies, yes, but not that stack of dry wood...

  11. Doctor Huh?

    Yet another reboot/remake

    So that's how Three Days of the Condor gets updated for the 21st century.

  12. Tam Lin

    Ex-Generals

    It's always retired generals (or equivalent top-level government jobs) that get these easy-yacht-money contracts.

    Oligarchs are universal, comrade.

  13. The_Wisest_One

    Who cares about the treacherous.

    The majority of countries shoot their traitors. So I won't cry over what happens to Iranian traitors.

    It's only in the West that we glorify traitors. Look at Corbyn for example. Anywhere else he'd be shot. But here a bunch of woke clowns chant his name at a festival.

    Should round all those up too.

    1. Cav Bronze badge

      Re: Who cares about the treacherous.

      So anyone who stands up to an oppressive government is a traitor that deserves to be shot?

      Round up those you disagree with? You're a fascist fool.

      1. Yet Another Anonymous coward Silver badge

        Re: Who cares about the treacherous.

        Captain Darling: So you see, Blackadder, Field Marshal Haig is most anxious to eliminate all these German spies.

        General Melchett: Filthy hun weasels, fighting their dirty underhand war!

        Captain Darling: And fortunately, one of our spies...

        General Melchett: Splendid fellows, brave heroes risking life and limb for Blighty!

      2. Michael Wojcik Silver badge

        Re: Who cares about the treacherous.

        TWO is a right-wing troll, recently arrived in these parts, who has yet to demonstrate anything of value to contribute to the conversation.

  14. Aussie Doc
    Black Helicopters

    Shhhhh...

    "The CIA did not respond to a request for comment. ®"

    ...yet!

    Because, well, you know ---->
