Well, That Escalated Quickly

If you’d asked me about it six months ago, I would have been adamant that we’d never get an email from the Trump camp admitting to collusion. Anyone merely considering collusion would ensure there were multiple layers of plausible deniability, layering on handlers and indirection to throw smoke at anyone on the trail. [Read more…]

When Winning Becomes Everything

Before getting to the point, though, do you mind if I be a little petty? Emphasis mine:

I was asked about my observations on technical details buried in the State Department’s release of Secretary Clinton’s emails (such as noting a hack attempt in 2011, or how Clinton’s emails might have been intercepted by Russia due to lack of encryption). I was also asked about aspects of the DNC hack, such as why I thought the “Guccifer 2” persona really was in all likelihood operated by the Russian government, and how it wasn’t necessary to rely on CrowdStrike’s attribution as blind faith; noting that I had come to the same conclusion independently based on entirely public evidence, having been initially doubtful of CrowdStrike’s conclusions.

MMmmmm.

But on to the main point: the day after Thursday’s revelation that “a GOP operative who presented himself as working with Mike Flynn, … actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government,” one of the anonymous sources became nonymous. Meet Matt Tait, a British cybersecurity researcher who’s covered that angle of American politics. Said GOP operative, Peter Smith, approached him to validate the batch of emails that were claimed to be from Hilary Clinton’s private email server.

In my conversations with Smith and his colleague, I tried to stress this point: if this dark web contact is a front for the Russian government, you really don’t want to play this game. But they were not discouraged. They appeared to be convinced of the need to obtain Clinton’s private emails and make them public, and they had a reckless lack of interest in whether the emails came from a Russian cut-out. Indeed, they made it quite clear to me that it made no difference to them who hacked the emails or why they did so, only that the emails be found and made public before the election.

Ignore the whole attribution angle of the DNC hack. Instead, let’s focus on the actions of the Republicans. They had access to illegally-obtained dirt on a rival party, and didn’t care that this dirt was illegal. All that mattered to them was winning.

This isn’t a one-off, either; yesterday I pointed to an old story about another GOP operative, Aaron Nevins, who struck a deal with “Guccifer 2.0” to use the material they gathered from local DNC chapters in local races. That material wound up being used in attack ads, and may have swayed voters. But there was also a recent report which showed that Republicans had extensively gerrymandered electoral districts, guaranteeing themselves safer seats and a greater odds of winning. This lines up with prior reports. Republicans are also notorious for voter suppression, to the point that they openly brag about it and waste taxpayer funds to do it. Voter disenfranchisement? Also a Republican tactic.

This is a party devoted primarily to winning. Their policies and values are secondary, leading to an unending stream of hypocrisy. This explains a lot about why they have so much difficulty governing, the Republicans lack a unified vision to guide policy and rally everyone around. This makes it easy for outside groups to sway Republicans to their side, to the point that they even rely on them to draft some legislation.

This is poisonous for democracy. It must be opposed, no matter your political leanings.

The Good Ol’ Days

Do you remember the good old days? Back when political parties didn’t team up with foreign powers on multiple occasions to use illegally obtained material for personal gain?

[Aaron] Nevins confirmed to the [Wall Street] Journal that he told hacker Guccifer 2.0 to “feel free to send any Florida based information” after learning that the hacker had tapped into Democratic Congressional Campaign Committee (DCCC) computers last summer. From the DCCC, Guccifer 2.0 released internal assessments of Democratic congressional candidates, known as “self-opposition research,” to GOP operatives using social media. Nevins told the Journal that, after receiving the stolen documents from the hacker, he “realized it was a lot more than even Guccifer knew that he had.” The stolen DCCC documents also contained sensitive information on voters in key Florida districts, breaking down how many people were considered dependable Democratic voters, undecided Democrats, Republican voters and the like. Nevins made a war analogy, describing the data he received to Guccifer 2.0 as akin to a “map to where all the troops are deployed.”

After Nevins published some of the material on the blog HelloFLA.com, using his own pseudonym, Guccifer 2.0 sent a link of the information to close Trump associate Roger Stone — who is currently under federal investigation for potential collusion with Russia.

What the Journal story does indicate, however, is that a GOP operative who presented himself as working with Mike Flynn, a top Trump adviser with numerous dodgy Russian ties himself, actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government. Once he obtained a stash of unverified emails presented as the deleted Clinton emails, this operative then suggested the hackers release the cache to WikiLeaks one month after the DNC WikiLeaks dump and a month before the Podesta WikiLeaks dump.

*sigh*, I sure miss those days.

Russian Hacking and Bayes’ Theorem, Part 4

Ranum’s turn! Old blog post first.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence agency is trying to sell:

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

They aren’t using IP addresses or attack signatures to sell attribution, they’re pooling all the analysis they can get their hands on, public and private. It’s short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.

I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to white list IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.

I dunno, there’s a fair bit of creativity involved in trickery. You need to do some research to figure out the target’s infrastructure (so you don’t present them with a Gmail login if they’re using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); find ways to disguise the URL displayed that neither a human nor browser will notice; construct an SSL certificate that the browser will accept; and it helps if you can find a way around two-factor encryption. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.

I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant, though; the fact that house break-ins are easy to do doesn’t refute the evidence that someone burgled a house.

Hey, that was quick. Next post!

Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:

H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it

I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]

SecureWorks was tracking known Fancy Bear command and control domains. One of these lead to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

That SecureWorks report expands on who was targeted.

In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.

Even that glosses over details, as that list also includes Colin Powell, John Podesta, and William Rinehart. Also bear in mind that all these people were phished over roughly nine months, sometimes multiple times. While it helps that many of the targets used Gmail, when you add up the research involved to craft a good phish, plus the janitorial work that kicks in after a successful attack (scanning and enumeration, second-stage attack generation, data transfer and conversion), the scale of the attack makes it extremely difficult for an individual to pull off.

Similar reasoning applies to an unskilled person/group using professional tools. The multiple stages to a breach would be easy to screw up, unless you had experience carrying these out; the scale of the phish demands a level of organisation that amateurs shouldn’t be capable of. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.

Besides, this argument tries to eat and have its cake. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, no matter what their status was beforehand. The difference between hypotheses D and I is trivial.

There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.

Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.

I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.

Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to liberal with our hypotheses.

I) is also a problem for the “Russian hackers” argument. As I described the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?

This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.

Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.

I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:

  1. Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
  2. Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
  3. Guccifer is an American hacker who used basic off the shelf tools
  4. Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services

Quick story: I listened to Crowdstrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.

The presenters pointed out that this was probably due to a quirk in Linux attacks. There’s a lot of variance in which kernel and libraries will be installed on any given server, so merely copying over the attack binary is prone to break. Because of this variety, though, it’s common to have a compiler installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the code.

You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.

“Could.” Note that you need the perfect set of conditions in place. Even if those did occur, and even if the source code bundle contains Windows or OSX source too (excluding that would reduce the amount of data transferred and increase the odds of compilation slightly), the attack binary for those platforms usually needs to be compiled elsewhere. Compilation environments are highly variable yet leave fingerprints all over the executable, such as compilation language and time-stamps. A halfway-savvy IT security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.

And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.

While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics either; from FireEye’s first report (they now have a second, FYI),

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

And as a reminder, APT28 aka. Fancy Bear is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.

Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.

  • [HJH: On top of that, from what I’m reading APT28 prefers malware-free exploits, which use existing code on Windows computers to do their work. None of it works on Linux, so its source code would never be revealed via the claimed method.]

Dreams Come True?

Oh man, that British election… early results are a disaster for the Tories. No time for analysis now, but I’ll try and type something up later. Until then, watch that link.

As I type this, at about 6AM on June 9th in Britain, the Conservatives sit at 307 seats. They need an additional 19 to earn a majority… yet there are only 18 up for grabs. Overall, they’ve lost 12 seats while their rivals the Labour party gained 30. That majority is lost, let alone the gain they wished would signal a mandate. The Scottish National Party has suffered major losses, but UKIP have been wiped out of parliament. The Liberal Democrats, a former powerhouse that’s fallen on hard times, have seen impressive gains. There’s a chance Labour could form a coalition and take control of government.

Add in the record number of women elected as MPs (192, out of 650), and this is a night for progressives to cheer. It’s not a perfect outcome, as Labour also want to leave the EU, but it’ll do nicely.

Rather than chew your ear off with further details, I’ll defer to H. Bomberguy‘s setup for the election.

A Trump Controversy, in Tweets

Donald Trump:
Crooked Hillary Clinton and her team “were extremely careless in their handling of very sensitive, highly classified information.” Not fit!

Washington Post:
President Trump’s disclosures jeopardized a critical source of intelligence on the Islamic State, officials said

CBS News:
“Highly damaging”: Ex-CIA deputy director on WaPo report that Pres. Trump revealed classified info to Russians

TheUnsilentMAJORITY:
Think about this… Lavrov & Kislyak given classified info from #Trump bc his need for their approval is stronger than his loyalty to U.S

Matthew Chapman:
Lavrov will share the classified info Trump gave him with the Syrians and the Iranians. Americans fighting in the region are going to die.

Ricky Davila:
Just to be clear, Reuters, NYT, & Buzzfeed have all confirmed the #WaPo‘s report about trump giving highly classified info to the Russians.

Adrian Carrasquillo:
Per @TreyYingst, Bannon, Mike Dubke, Sarah Sanders and Spicer walked into cabinet room just now. They did not look happy.
Can now hear yelling coming from room where officials are.
WH comms staffers just put the TVs on super loud after we could hear yelling coming from room w/ Bannon, Spicer, Sanders

Hayley Byrd:
Dianne Feinstein exits Senate subway and is surrounded by reporters. “Oh my goodness. What’s happened?” (She hasn’t seen the WaPo story.)
Lindsey Graham tells us the WaPo report is “troubling” if true. I ask him if it’s only troubling. “Yeah, because I don’t know if it’s true.”
I wonder how many GOP senators will say they’re troubled before calling for more information.

Thomas Burr‏:
Asked whether @jasoninthehouse still trusts Trump with classified info, Chaffetz says, “Of Course.”

Scott Wong‏:
.@SpeakerRyan spox on WaPo story: “The speaker hopes for a full explanation of the facts from the administration.”

Alice Ollstein:
.@SenatorRisch defends Trump revealing classified info to the Russians: “It’s no longer classified the minute he utters it.”

Yashar:
Hannity right now: “Clinton Email Server Scandal”

Kurt Schlichter‏:
So: HR McMaster, author of Dereliction of Duty, sat back as Trump disgorged critical classified info, then went outside and lied about it?

The Baxter Bean:
Self-serving Republicans ignoring Trump gave highly classified info to foreign adversaries in the WH, but here’s what they said about email

Tony Posnanski:
“He defended Trump when he gave the Russians classified security info!” – The opening line to everyone running against GOP in 2018

Al Weaver:
MCCONNELL react to Wapo story: “We could do with a little less drama from the White House.”
Full quote. [this is worth clicking through, trust me – HJH]

Norah O’Donnell:
“We had lengthy interactions w/ White House all day yesterday. McMaster never said it was false until after it was published” @gregpmiller

Donald Trump:
As President I wanted to share with Russia (at an openly scheduled W.H. meeting) which I have the absolute right to do, facts pertaining….
…to terrorism and airline flight safety. Humanitarian reasons, plus I want Russia to greatly step up their fight against ISIS & terrorism.
I have been asking Director Comey & others, from the beginning of my administration, to find the LEAKERS in the intelligence community…..

They Got Al Capone on Tax Evasion

I’m not much of a TV watcher, but I think I’ll set aside some time to watch this.

Investigations conducted by ZEMBLA show that Bayrock has formed a business construction in the Netherlands, which may have been used to siphon off one and a half million dollars. In this enterprise, Bayrock collaborated with Viktor Khrapunov, a fugitive ex-mayor and governor from Kazakhstan. The Kazakhstan government accuses Khrapunov of systematically looting hundreds of millions of public assets.

It doesn’t sound like riveting TV, until you read a bit further.

The hub of the enterprise is the Dutch letter box company KazBay B.V. In the act of incorporation it states that KazBay is owned by two companies: the Dutch firm Bayrock B.V. and the Swiss company Helvetic Capital S.A. This email explains that Trump’s business partner Bayrock Group L.L.C. is behind Bayrock BV, and that the actual owner of Helvetic Capital S.A. is none other than the wife of Viktor Khrapunov.

This mail clearly refers to the use of a Dutch go-between company. Its contents also reveal that the Dutch construction was formed by the law firm of Rudy Giuliani who, at the time, was a partner in Bracewell & Giuliani LLP, and is also a Trump confidante.

Trump and Giuliani? Tied up in international money laundering?! It could explain his stance on national monuments, according to James Henry.

“This is a land grab,” said Henry. “If you don’t get that Putin and the Russians transferred a hell of a lot of wealth of the Russian government to a handful of 25 oligarchs. Right now there are five states in the U.S. that are roughly 80 percent or more owned by the federal government. Trump has just issued executive orders that will open up a lot of that land, either to outright privatization or to mining deals like we’ve never seen before.”

“There’s nothing ideological,” Henry said. “What connects all of these people in the Trump government is they are all about money. This is going to be a huge payday for these people and their friends. At the end of the day, they take care of themselves.”

This might also explain why Trump was so eager to fire Comey; the FBI was shifting focus from Russian collusion with Trump to organized crime involvement. It would also explain why Democrats questioned Comey about Felix Sater.

There’s a lot of speculation here, alas, and I’d rather see Trump investigated for collusion. But it might also be solid grounds for impeachment and a major scandal for the Republicans.

What if the simplest solution was just to fire Comey and to pressure McConnell to go along? Not that the Senate Majority Leader needed much persuading.

“McConnell received a million-dollar contribution from Russians back in October that we know about,” Henry said. “There was a million-dollar contribution to the Senate leadership PAC in the name of a New York company owned by Len Blavatnik.” Blavatnik is a Russian-born billionaire-oligarch who invested in aluminum companies in Russia and became a U.S. citizen decades ago.

It’s not the ideal path to get Trump out of office, but it could work.

The Firing of James Comey

Now that I’ve set a CPU on fire, I can start typing up something about this. I’m a bit late to the table, but that means I have a bit more information. In no particular order:

Whew! Capitol Hill is nearly as hot as my CPU right now.
Bonus track!

He had grown enraged by the Russia investigation, two advisers said, frustrated by his inability to control the mushrooming narrative around Russia. He repeatedly asked aides why the Russia investigation wouldn’t disappear and demanded they speak out for him. He would sometimes scream at television clips about the probe, one adviser said. […]

But the fallout seemed to take the White House by surprise. Trump made a round of calls around 5 p.m., asking for support from senators. White House officials believed it would be a “win-win” because Republicans and Democrats alike have problems with the FBI director, one person briefed on their deliberations said. Instead, Senate Minority Leader Chuck Schumer told him he was making a big mistake — and Trump seemed “taken aback,” according to a person familiar with the call.

By Tuesday evening, the president was watching the coverage of his decision and frustrated no one was on TV defending him, a White House official said. He wanted surrogates out there beating the drum. Instead, advisers were attacking each other for not realizing the gravity of the situation as events blew up.”

Last one, promise.

Politico described the mood last night at [Roger] Stone’s house in Florida as “elated.” Another former Trump adviser under investigation as part of the Russia probe, former Trump foreign policy adviser Carter Page, also applauded the move.

While Stone was jubilant, Politico reports that “shock dominated much of the FBI and the White House.”

I LIE, though to be fair that’s currently in style. Also, I have to update a line-item above, Comey’s been invited to testify privately next week and despite early reports it looks like his successor will take his place during the public hearings this week. Plus:

Three interesting items, one of which is only tangentially related to the above.

In the weeks before President Donald Trump fired FBI Director James Comey, a federal investigation into potential collusion between Trump associates and the Russian government was heating up, as Mr. Comey became increasingly occupied with the probe.

Mr. Comey started receiving daily instead of weekly updates on the investigation, beginning at least three weeks ago, according to people with knowledge of the matter and the progress of the Federal Bureau of Investigation probe. Mr. Comey was concerned by information showing possible evidence of collusion, according to these people.

===

Trump was angry that Comey would not support his baseless claim that President Barack Obama had his campaign offices wiretapped. Trump was frustrated when Comey revealed in Senate testimony the breadth of the counterintelligence investigation into Russia’s effort to sway the 2016 U.S. presidential election. And he fumed that Comey was giving too much attention to the Russia probe and not enough to investigating leaks to journalists.

The known actions that led to Comey’s dismissal raise as many questions as answers. Why was Sessions involved in discussions about the fate of the man leading the FBI’s Russia investigation, after having recused himself from the probe because he had falsely denied under oath his own past communications with the Russian ambassador?

Why had Trump discussed the Russia probe with the FBI director three times, as he claimed in his letter dismissing Comey, which could have been a violation of Justice Department policies that ongoing investigations generally are not to be discussed with White House officials?

And how much was the timing of Trump’s decision shaped by events spiraling out of his control — such as Monday’s testimony about Russian interference by former acting attorney general Sally Yates, or the fact that Comey last week requested more resources from the Justice Department to expand the FBI’s Russia probe?

===

When President Donald Trump hosted Russian Foreign Minister Sergey Lavrov in the Oval Office on Wednesday just hours after firing the FBI director who was overseeing an investigation into whether Trump’s team colluded the Russians, he was breaking with recent precedent at the specific request of Russian President Vladimir Putin.

The chummy White House visit—photos of the president yukking it up with Lavrov and Russian Ambassador to the United States Sergey Kislyak were released by the Russian Foreign Ministry since no U.S. press was allowed to cover the visit—had been one of Putin’s asks in his recent phone call with Trump, and indeed the White House acknowledged this to me later Wednesday. “He chose to receive him because Putin asked him to,” a White House spokesman said of Trump’s Lavrov meeting. “Putin did specifically ask on the call when they last talked.”

I didn’t know this.

The most famous leaker in US history — the pseudonymous Deep Throat, who gave sensitive information on the Nixon administration to Washington Post journalists Bob Woodward and Carl Bernstein in 1972-3 during the Watergate scandal — was later revealed to be Mark Felt, who was associate FBI director at the time.

Interestingly, Felt’s motivation for leaking about Watergate wasn’t whistleblowing: He wasn’t motivated by some patriotic sense of duty to protect American democracy. Rather, he believed he was acting to protect the FBI’s independence from Nixon’s attempts to rein it in.

If that culture is still in place, the FBI could go to war with Trump. That seems probable, and the first shots may have already been fired.

FBI agents raided the Annapolis offices of a GOP fundraising outfit, Strategic Campaign Group, with links to Trump. The director, Kelley Rogers, has been employed by Penn National Gaming, a company with ties to the Trump Taj Mahal. The Senate Intelligence Committee reportedly has been looking into money laundering penalties levied against the Taj in 2015.

One of Strategic Campaign Group’s senior advisers, Dennis Whitfield, is also a director of the political consulting firm Black, Manafort, Stone and Kelly. Founders Paul Manafort (a former Trump campaign chairman) and another longtime Trump adviser, Roger Stone, are reportedly under investigation for connections to Russian involvement in the 2016 election.

Remember when Trump said “I greatly appreciate you informing me, on three separate occasions, that I am not under investigation?”

Trump narrated those three occasions to [Lester] Holt. The first came at a dinner between the two men in which Trump said Comey seemed to be trying to keep his job, in the face of Trump’s public criticism.

“I had dinner with him,” Trump said. “He wanted to have dinner because he wanted to stay on … Dinner was arranged. I think he asked for the dinner. And he wanted to stay on as the FBI head, and I said, ‘I’ll consider it. We’ll see what happens.’ But we had a very nice dinner, and at that time he told me you are not under investigation.”

Trump acknowledged that Comey has said the FBI is investigating links between his campaign and Russia, but said he was not personally involved, and that Comey had reiterated that in two separate phone calls. “In one case I called him and one case he called me,” the president said.

Except that directly contradicts what Comey has shared with friends and associates.

As they ate, the president and Mr. Comey made small talk about the election and the crowd sizes at Mr. Trump’s rallies. The president then turned the conversation to whether Mr. Comey would pledge his loyalty to him. Mr. Comey declined to make that pledge. Instead, Mr. Comey has recounted to others, he told Mr. Trump that he would always be honest with him, but that he was not “reliable” in the conventional political sense. […]

By Mr. Comey’s account, his answer to Mr. Trump’s initial question apparently did not satisfy the president, the associates said. Later in the dinner, Mr. Trump again said to Mr. Comey that he needed his loyalty. Mr. Comey again replied that he would give him “honesty” and did not pledge his loyalty, according to the account of the conversation.

But Mr. Trump pressed him on whether it would be “honest loyalty.” “You will have that,” Mr. Comey told his associates he responded.

That New York Times story also drops this interesting tidbit.

Mr. Comey described details of his refusal to pledge his loyalty to Mr. Trump to several people close to him on the condition that they not discuss it publicly while he was F.B.I. director. But now that Mr. Comey has been fired, they felt free to discuss it on the condition of anonymity.

This meshes with what other people have suggested, that Comey is a master at setting up a defensive paper trail. It apparently has Trump spooked and reaching for distractions.

The FBI isn’t exactly elated, either, with some agents scrambling to finish the Russian probe before Trump can kill or starve it.

An intriguing update on Comey’s testimony.

He declined an invitation to speak to a closed session of the Senate Intelligence Committee on Tuesday and was replaced on a panel testifying before that committee last Thursday by his temporary replacement, Andrew McCabe.

Comey’s associates say that he is not seeking publicity and that they believe an open session before Congress is the most appropriate setting. He would not be commenting on specifics of the investigation into Russian interference in the presidential election and would likely discuss issues about his record.

Here we go. It needs independent confirmation, but still:

Mr. Comey wrote the memo detailing his conversation with the president immediately after the meeting, which took place the day after Mr. Flynn resigned, according to two people who read the memo. The memo was part of a paper trail Mr. Comey created documenting what he perceived as the president’s improper efforts to influence a continuing investigation. An F.B.I. agent’s contemporaneous notes are widely held up in court as credible evidence of conversations. Mr. Comey shared the existence of the memo with senior F.B.I. officials and close associates. The New York Times has not viewed a copy of the memo, which is unclassified, but one of Mr. Comey’s associates read parts of the memo to a Times reporter.

“I hope you can see your way clear to letting this go, to letting Flynn go,” Mr. Trump told Mr. Comey, according to the memo. “He is a good guy. I hope you can let this go.” […]

Mr. Comey created similar memos — including some that are classified — about every phone call and meeting he had with the president, the two people said. It is unclear whether Mr. Comey told the Justice Department about the conversation or his memos.

But Everything Worked Out, Right?

The right person won in the recent France election, but the outcome worries me. The polls badly underestimated his win.

The average poll conducted in the final two weeks of the campaign gave Macron a far smaller lead (22 percentage points) than he ended up winning by (32 points), for a 10-point miss. In the eight previous presidential election runoffs, dating back to 1969, the average poll missed the margin between the first- and second-place finishers by only 3.9 points.

That should be a warning flag to the French to take less stock in their polls and weight unlikely outcomes as more likely. It’s doubtful they will, though, because everything turned out all right. That’s no slam against the French, it’s just human nature. Take the 2012 US election:

Four years ago, an average of survey results the week before the election had Obama winning by 1.2 percentage points. He actually beat Mitt Romney by 3.9 points.

If that 2.7-point error doesn’t sound like very much to you, well, it’s very close to what Donald Trump needs to overtake Hillary Clinton in the popular vote. She leads by 3.3 points in our polls-only forecast.

That was Harry Enten of FiveThirtyEight four days before the 2016 US election, four days before Clinton fell victim to a smaller polling error. Americans should have done back in 2012 what the French should do now, but they didn’t. Even the betting markets figured Clinton would sweep, an eerie mirror of their French counterparts.

Overall, there are a higher number of bets on Ms Le Pen coming out on top, than Brexit or Donald Trump – even though the odds are much lower, according to the betting experts.

The moral of the story: don’t let a win go to your head. You might miss a critical bit of data if you do.

76 days

I was wondering how long it would take for Trump to start a war to prop up his approval ratings, and I may have just gotten my answer.

The operation, which the Trump administration authorized in retaliation for a chemical attack killing scores of civilians this week, dramatically expands U.S. military involvement in Syria and exposes the United States to heightened risk of direct confrontation with Russia and Iran, both backing Assad in his attempt to crush his opposition.

President Trump said the strike was in the “vital national security interest” of the United States and called on “all civilized nations to join us in seeking to end the slaughter and bloodshed in Syria. And also to end terrorism of all kinds and all types.”

“We ask for God’s wisdom as we face the challenge of our very troubled world,” he continued. “We pray for the lives of the wounded and for the souls of those who have passed and we hope that as long as America stands for justice then peace and harmony will in the end prevail.”

On the surface, that looks like it could trigger a war with Russia. But:

The Pentagon has confirmed it used a hotline for minimising the risk of aerial combat between US and Russian jets in eastern Syria to alert Russia of the strike against its Syrian client. The Russians are sure to have routed that warning to Assad, raising immediate questions about what the strike will have accomplished, and also signalling that the US does not seek escalation.

The sun is coming up on Russia, so we’ll quickly learn how accurate that is. Still, there’s good reason to think this won’t snowball into war, as well as good reason to think this is Trump shouting “WOLF!!” and pointing in the other direction.

Initial reports from Russia aren’t looking good.

Russia is waking up to news of the strike – though we know military channels were used to alert Moscow before the missiles were launched – and reaction so far has been hostile.

State news agency RIA quoted Viktor Ozerov, head of the defence and security committee at the Russian upper house of parliament, saying the US strikes could undermine the fight against terrorism.

Ozerov said Russia would call for an urgent meeting of the UN security council:

This [the attack] could be viewed as an act of aggression of the US against a UN nation.

In its first public response to the airstrikes, the Kremlin has issued a strong statement condemning the US move as “aggression against a sovereign nation”.

Moscow said the strikes had been carried out on an “invented pretext” and claimed the Syrian army did not have chemical weapons.

The strikes, it said, would do “significant damage to US-Russia ties” and created a “serious obstacle” to creating an international coalition to defeat Isis.

Russian president Vladimir Putin, the Kremlin said, views the strikes as an attempt to deflect world attention from civilian deaths in Iraq – where at least 150 people died in a series of coalition airstrikes in Mosul last month.

This could get ugly, quick, and it’s all for nothing.