by Declan McCullagh

November 25, 2009
from CBSNews Website

 

Declan McCullagh is a correspondent for CBSNews.com.

He can be reached at declan@cbsnews.com and can be followed on Twitter as declanm.

 

As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.

That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false.

 

There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq" - code names for the Bush daughters - were safe and accounted for.

This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday. The pager transcripts, which total about 573,000 lines and 6.4 million words, include numeric and text messages also sent to private sector and unclassified military pagers.

It's impossible to tell whether the logs have been faithfully reproduced in their entirety. But there's evidence they have been: I spoke to three journalists working on September 11, 2001 whose correspondence appeared in the logs or who were familiar with the messages circulated in their newsrooms that day. All three say the logs appear to be legitimate.

This trove of messages is likely to become a boon for historians, a new source of concern for privacy advocates, and, depending on the details, a point of embarrassment or pride for the government agencies and corporations whose internal conversations have been divulged.

 

The files were posted on WikiLeaks.org, which has made a specialty of disclosing confidential documents and boasts that it is "uncensorable."

One string of messages hints at how federal agencies scrambled to evacuate to Mount Weather, the government's sort-of secret bunker buried under the Virginia mountains west of Washington, D.C.

 

One message says,

"Jim: DEPLOY TO MT. WEATHER NOW!," and another says "CALL OFICE (sic) AS SOON AS POSSIBLE. 4145 URGENT."

That's the phone number for the Federal Emergency Management Agency's National Continuity Programs Directorate - which is charged with,

"the preservation of our constitutional form of government at all times," even during a nuclear war.

(A 2006 article in the U.K. Guardian newspaper mentioned a "a traffic jam of limos carrying Washington and government license plates" heading to Mount Weather that day.)

FEMA's response seemed less than organized. One message at 12:37 p.m., four hours after the attacks, says:

"We have no mission statements yet."

Bill Prusch, FEMA's project officer for the National Emergency Management Information System at the time, apparently announced at 2 p.m. that the Continuity of Operations plan was activated and that certain employees should report to Mt. Weather; a few minutes later he sent out another note saying the activation was cancelled.

The first pager message reporting the attacks on the World Trade Center appears to have been sent by Morgan Stanley at 8:50 a.m. ET, saying that "an Aloha call is starting" due to a fire in the complex's south tower. Morgan Stanley leased 840,000 square feet in that building, on over 20 floors.

As the fires spread, and as police and firefighters rushed to the scene, Wall Street firms activated their emergency response plans.

 

Shortly after 9 a.m., Fidelity evacuated its nearby offices at 200 Liberty Street, and sent out a messaging saying:

"Those in the area should meet at the Winter Garden. Our plan is to meet there and (have most employees) work from home."

(The Winter Garden is a glass-enclosed atrium that was damaged later in the day when the towers collapsed.)

 

"On that particular day, literally within minutes of the first attack, we already had one of our security people... lining up space outside the New York area for some of our employees," Anne Crowley, a spokeswoman for Fidelity who was with the company in September 2001, told CBSNews.com in a telephone interview.

By 10:29 a.m., Fidelity's Boston offices on Summer St. had been closed, and an alert went out:

"National Master Console has been re-routed to Merrimack."

It was followed by:

"The FBSI war room is operational," referring to Fidelity Brokerage Services Inc.

"That quick thinking led us to be able to move hundreds of New York employees to backup locations (and) enabled us to continue to operate some of our important functions," Crowley said.

Even with U.S. equity markets closed, Fidelity's phone centers continued to take orders and could even process some international ones.

 

Crowley said she didn't know what Fidelity's war room referred to, but said the National Master Console is the firm's main phone operation that was shifted to Merrimack, N.H.

Similarly, Bank of America ordered the evacuation of all bank "high rise buildings only," while noting that there is a "nation-wide run on cash." Mastercard evacuated its new York and Delaware offices; MBNA decided to shutter everything but inbound call centers.

 

Another message says:

"SITUATION LOCK DOWN ALL AT&T LOCATIONS HAVE BEEN EVACUATED."

 


How the messages were captured

The pager logs seem to represent messages transmitted on September 11, 2001 through the networks of Arch Wireless, Metrocall, Skytel, and Weblink Wireless.

It's not clear how they were obtained in the first place. One possibility is that they were illegally compiled from the records of archived messages maintained by pager companies, and then eventually forwarded to WikiLeaks.

The second possibility is more likely: Over-the-air interception. Each digital pager is assigned a unique Channel Access Protocol code, or capcode, that tells it to pay attention to what immediately follows. In what amounts to a gentlemen's agreement, no encryption is used, and properly-designed pagers politely ignore what's not addressed to them.

But an electronic snoop lacking that same sense of etiquette might hook up a sufficiently sophisticated scanner to a Windows computer with lots of disk space - and record, without much effort, gobs and gobs of over-the-air conversations.

Existing products do precisely this. Australia's WiPath Communications offers Interceptor 3.0 (there's even a free download).

 

Maryland-based SWS Security Products sells something called a "Beeper Buster" that it says,

let police "watch up to 2500 targets at the same time."

And if you're frugal, there's a video (below) showing you how to take a $10 pager and modify it to capture everything on that network.

 

 

 

http://www.adafruit.com/blog/2009/05/12/how-to-make-a-cheap-pager-scanner/

 

Law enforcement agencies knew of the benefits of monitoring pagers long ago.

 

A 1997 FBI bulletin describes the,

"use of a clone pager to simultaneously receive the transmission emitted from the pager's service provider to the pager," and the federal courts have a standard form for judges to use when approving interceptions.

(The American Association of Paging Carriers has, helpfully, provided its members with a list of how to comply.)

Whatever their origin, the logs are likely to raise more questions than they answer.

 

Take this intriguing message that was sent by Jim Massa, then Cisco's director of federal operations, at 4:18 p.m.

 

It said:

"NEED TO DISCUSS FBI TEN THOUSAND UNIT REQUIREMENT ASAP."

The recipient appears to be Cisco Chief Development Officer Charlie Giancarlo, who left the company in 2007 and now works at a venture capital firm in Menlo Park, Calif. called Silver Lake.

A Cisco representative said in e-mail to CBSNews.com:

"I know we worked closely with law enforcement after the attacks but I don't have any specifics."

Massa did not immediately respond to a request for comment.

One possibility is that the FBI urgently needed routers or other Cisco gear to upgrade its own network. But technical experts that CBSNews.com contacted believed it's more likely that the FBI was working with Internet service providers to reconfigure their networks with Cisco hardware to allow wiretaps to be conducted more readily. Around that time, Cisco was beginning to develop wiretap capabilities for its routers - a concept that eventually became known as "lawful intercept."

The logs are silent on precisely that point. They do show, however, how U.S. network providers scrambled to respond to one of the most unexpected and extensive disruptions in recent memory.

After 7 World Trade Center collapsed (it had been damaged by debris earlier), Sprint lost its payment-processing system called SpeedPay.

 

A subsequent note said:

"SpeedPay is down. Site lost power with further collapse of building around 5PM. They are mobilizing to relocate equipment to New Jersey site."

A Sprint spokeswoman said that the executives who were with the company on 9/11 are on holiday break and unavailable for comment.

The major telecommunications hub at 60 Hudson Street, about eight blocks from the World Trade Center, was evacuated around 9:20 a.m. About four hours later, it was starting to show signs of overheating, with temperatures reaching the 80s.

 

A WorldCom message worried that New York City might cut power to 60 Hudson, saying,

"NYC1 has 4 to 8 hours of battery power if main power was to be cut."

A relieved followup said that the company's network operations center had learned that the power would remain on.
 

 


Air Force One reportedly threatened

Other tidbits from the logs include:

  • A Secret Service page at 10:32 a.m. warned: "ANONYMOUS CALL TO JOC REPORTING ANGEL IS TARGET." Angel is the Secret Service codeword for Air Force One; JOC means Joint Operations Center.

     

    When the president's plane had departed Florida about half an hour earlier, it was en route to D.C. That anonymous threat seems to be what diverted President Bush on a high-speed flight across the country, first to Barksdale Air Force Base in Louisiana, and then to an underground command center in Nebraska.
     

  • Amidst the confusion that day, the Secret Service's New York field office gave contradictory instructions to agents. At 9:06 a.m., their pagers lit up with these orders:

     

    • "MEET AT THE BASEBALL FIELD BEHIND THE EMBASSY SUITES HOTEL ON WEST STREET NY."

     

    Ninety minutes later:

     

    • "ALL NEW YORK FIELD OFFICE PERSONNEL RESPOND TO STUYVESANT HIGH SCHOOL AT THE CORNER OF CHAMBERS AND WEST STREET ASAP."

     

    Later:

     

    • "ALL NYFO PERSONNEL ARE TO DISREGARD THE LAST PAGE REGARDING STUVYSANT HIGH SCHOOL."
       

  • One message said:

     

    • "#2 MCLL EXEC WAS ABOARD ONE OF THE PLANES. 1 OF THE ONES WHO BETRAYED HARRY. NO TEARS HERE."

     

    Metrocall founder Harry Brock had been ousted as president six years earlier. Metrocall chief operating officer Steven Jacoby 'died' on Flight 77 that day.
     

  • Brinks, the armored car operator, received a series of requests for immediate deliveries from banks running low on cash after Americans rushed to withdraw currency:

     

    • "Micheal, branch officer, is requesting a same day cash delivery. His branch is low on cash. The charge will be $50.00. Please respond to confirm."
       

  • A press aide for then-California governor Gray Davis spent the day fending off requests for interviews and updates from KABC, the Oakland Tribune, the Long Beach Press-Telegram, the National Guard, KTTV, Fox News, and someone who wanted to know,

     

    • "Are the schools going to be closed for the rest of the week?"

What's unclear is what the impact of the release of the 9/11 data will be.

 

Nothing immediately apparent in the 573,000-or-so lines of text suggests a rethinking of how we view the events of that day (although conspiracy fanciers are sure to highlight excerpts such as the message suggesting "military planes" forced down a commercial jet, and one saying there was an "explosion and fire at Pentagon").

We've seen something like this before.

 

A few years ago, AOL published the mostly-anonymized search histories of over 650,000 of its users, which gave rise to the kind of data excavation that's currently taking place in connection with the disclosure of the 9/11 pager traffic. In the last few days, the same kind of collective analysis of thousands of files has accompanied the leaked global warming e-mail messages.

This should be a lesson to anyone who would prefer their personal details not go on public display: Without end-to-end encryption, and perhaps even with it, your correspondence is vulnerable to interception and publication.

 

And if you're the Secret Service responding to threats against the president, or FEMA organizing an evacuation to an underground bunker, why are you letting anyone with a $10 pager and a Windows laptop watch what you're doing?

 

 

Updates

Update 11:45 a.m. ET: Alert CBSNews.com Reader Ryan R. points out that the first automated alert relating to the attacks may have come from (see this file) Cantor Fitzgerald, which had offices in One World Trade Center.

 

The alert is time-stamped 8:46 a.m. and says:

"Market data inconsistent...Cantor API problem Trading system offline"

Update 11:47 a.m. ET: FEMA spokesman Clark Stevens says "FEMA has no comment." No word yet from the Secret Service.

Update 1:39 p.m. ET: Alert CBSNews.com Reader Bernie S. reminds me of the 1997 interception of pager messages from President Clinton's entourage, including messages from Hillary and Chelsea and love letters exchanged between aides. Here's a summary from Harper's, and a longer write-up from Peter Neumann's always-useful Risks Digest.

Update 3:04 p.m. ET: It didn't take long for the fake 9/11 "Zionist pager intercepts" to appear.

 

Another fake:

"WTC south tower will collapse in 1 minute."

On an unrelated note, WikiLeaks spokesman Julian Assange previewed the files at a conference in Copenhagen last week (November 2009). See the video.

 

And I would be remiss not to mention the remarkable 911stories.net site, which is displaying animated highlights.