by Declan McCullagh
November 25, 2009
from CBSNews Website
Declan McCullagh is a correspondent for CBSNews.com.
He can be reached at declan@cbsnews.com and can be followed on Twitter as declanm.
As the World Trade Center and Pentagon were ablaze on September 11, 2001,
the U.S. Secret Service's presidential protective detail was informed that a
"Korean airliner has been hijacked" en route to San Francisco, prompting
already-skittish agents to worry about another wave of terrorist attacks.
That morning and afternoon, Secret Service agents assigned to protect the
president and his family found their pagers constantly buzzing with alerts
both true and false. There was a false alarm about a car bomb in downtown
Washington, D.C., a report of "two Arab males detained" after asking for
directions to the presidential retreat at Camp David, and reassurances that
"Twinkle and Turq" - code names for the Bush daughters - were safe and
accounted for.
This unusual glimpse into the events of 9/11 comes from messages sent to
alphanumeric pagers that were anonymously published on the Internet on
Wednesday. The pager transcripts, which total about 573,000 lines and 6.4
million words, include numeric and text messages also sent to private sector
and unclassified military pagers.
It's impossible to tell whether the logs have been faithfully reproduced in
their entirety. But there's evidence they have been: I spoke to three
journalists working on September 11, 2001 whose correspondence appeared in
the logs or who were familiar with the messages circulated in their
newsrooms that day. All three say the logs appear to be legitimate.
This trove of messages is likely to become a boon for historians, a new
source of concern for privacy advocates, and, depending on the details, a
point of embarrassment or pride for the government agencies and corporations
whose internal conversations have been divulged.
The files were posted on WikiLeaks.org, which has made a specialty of
disclosing confidential documents and boasts that it is "uncensorable."
One string of messages hints at how federal agencies scrambled to evacuate
to Mount Weather, the government's sort-of secret bunker buried under the
Virginia mountains west of Washington, D.C.
One message says, "Jim: DEPLOY TO MT. WEATHER NOW!," and another says "CALL
OFICE (sic) AS SOON AS POSSIBLE. 4145 URGENT." That's the phone number for
the Federal Emergency Management Agency's National Continuity Programs
Directorate - which is charged with "the preservation of our constitutional
form of government at all times," even during a nuclear war. (A 2006 article
in the U.K. Guardian newspaper mentioned "a traffic jam of limos carrying
Washington and government license plates" heading to Mount Weather that day.)
FEMA's response seemed less than organized. One message at 12:37 p.m., four
hours after the attacks, says: "We have no mission statements yet." Bill
Prusch, FEMA's project officer for the National Emergency Management
Information System at the time, apparently announced at 2 p.m. that the
Continuity of Operations plan was activated and that certain employees
should report to Mt. Weather; a few minutes later he sent out another note
saying the activation was cancelled.
The first pager message reporting the attacks on the World Trade Center
appears to have been sent by Morgan Stanley at 8:50 a.m. ET, saying that "an
Aloha call is starting" due to a fire in the complex's south tower. Morgan
Stanley leased 840,000 square feet in that building, on over 20 floors.
As the fires spread, and as police and firefighters rushed to the scene,
Wall Street firms activated their emergency response plans. Shortly after 9
a.m., Fidelity evacuated its nearby offices at 200 Liberty Street, and sent
out a message saying: "Those in the area should meet at the Winter Garden.
Our plan is to meet there and (have most employees) work from home." (The
Winter Garden is a glass-enclosed atrium that was damaged later in the day
when the towers collapsed.)
"On that particular day, literally within minutes of the first attack, we
already had one of our security people... lining up space outside the New
York area for some of our employees," Anne Crowley, a spokeswoman for
Fidelity who was with the company in September 2001, told CBSNews.com in a
telephone interview.
By 10:29 a.m., Fidelity's Boston offices on Summer St. had been closed, and
an alert went out: "National Master Console has been re-routed to
Merrimack." It was followed by: "The FBSI war room is operational,"
referring to Fidelity Brokerage Services Inc.
"That quick thinking led us to be able to move hundreds of New York
employees to backup locations (and) enabled us to continue to operate some
of our important functions," Crowley said.
Even with U.S. equity markets closed, Fidelity's phone centers continued to
take orders and could even process some international ones. Crowley said she
didn't know what Fidelity's war room referred to, but said the National
Master Console is the firm's main phone operation that was shifted to
Merrimack, N.H.
Similarly, Bank of America ordered the evacuation of all bank "high rise
buildings only," while noting that there is a "nation-wide run on cash."
Mastercard evacuated its New York and Delaware offices; MBNA decided to
shutter everything but inbound call centers.
Another message says:
"SITUATION LOCK DOWN ALL AT&T LOCATIONS HAVE BEEN EVACUATED."
How the messages were captured
The pager logs seem to represent messages transmitted on September 11, 2001
through the networks of Arch Wireless, Metrocall, Skytel, and Weblink
Wireless.
It's not clear how they were obtained in the first place. One possibility is
that they were illegally compiled from the records of archived messages
maintained by pager companies, and then eventually forwarded to WikiLeaks.
The second possibility is more likely: Over-the-air interception. Each
digital pager is assigned a unique Channel Access Protocol code, or capcode,
that tells it to pay attention to what immediately follows. In what amounts
to a gentlemen's agreement, no encryption is used, and properly-designed
pagers politely ignore what's not addressed to them.
But an electronic snoop lacking that same sense of etiquette might hook up a
sufficiently sophisticated scanner to a Windows computer with lots of disk
space - and record, without much effort, gobs and gobs of over-the-air
conversations.
Existing products do precisely this. Australia's WiPath Communications offers
Interceptor 3.0 (there's even a free download). Maryland-based SWS Security
Products sells something called a "Beeper Buster" that it says lets police
"watch up to 2500 targets at the same time." And if you're frugal, there's a
video (below) showing you how to take a $10 pager and modify it to capture
everything on that network.
http://www.adafruit.com/blog/2009/05/12/how-to-make-a-cheap-pager-scanner/
Law enforcement agencies knew of the benefits of monitoring pagers long ago.
A 1997 FBI bulletin describes the "use of a clone pager to simultaneously
receive the transmission emitted from the pager's service provider to the
pager," and the federal courts have a standard form for judges to use when
approving interceptions. (The American Association of Paging Carriers has,
helpfully, provided its members with a list of how to comply.)
Whatever their origin, the logs are likely to raise more questions than they
answer. Take this intriguing message that was sent by Jim Massa, then
Cisco's director of federal operations, at 4:18 p.m. It said: "NEED TO
DISCUSS FBI TEN THOUSAND UNIT REQUIREMENT ASAP." The recipient appears to be
Cisco Chief Development Officer Charlie Giancarlo, who left the company in
2007 and now works at a venture capital firm in Menlo Park, Calif. called
Silver Lake.
A Cisco representative said in e-mail to CBSNews.com: "I know we worked
closely with law enforcement after the attacks but I don't have any
specifics." Massa did not immediately respond to a request for comment.
One possibility is that the FBI urgently needed routers or other Cisco gear
to upgrade its own network. But technical experts that CBSNews.com contacted
believed it's more likely that the FBI was working with Internet service
providers to reconfigure their networks with Cisco hardware to allow
wiretaps to be conducted more readily. Around that time, Cisco was beginning
to develop wiretap capabilities for its routers - a concept that eventually
became known as "lawful intercept."
The logs are silent on precisely that point. They do show, however, how U.S.
network providers scrambled to respond to one of the most unexpected and
extensive disruptions in recent memory.
After 7 World Trade Center collapsed (it had been damaged by debris
earlier), Sprint lost its payment-processing system called SpeedPay. A
subsequent note said: "SpeedPay is down. Site lost power with further
collapse of building around 5PM. They are mobilizing to relocate equipment
to New Jersey site." A Sprint spokeswoman said that the executives who were
with the company on 9/11 are on holiday break and unavailable for comment.
The major telecommunications hub at 60 Hudson Street, about eight blocks
from the World Trade Center, was evacuated around 9:20 a.m. About four hours
later, it was starting to show signs of overheating, with temperatures
reaching the 80s. A WorldCom message worried that New York City might cut
power to 60 Hudson, saying, "NYC1 has 4 to 8 hours of battery power if main
power was to be cut." A relieved followup said that the company's network
operations center had learned that the power would remain on.
Air Force One reportedly threatened
Other tidbits from the logs include:
- A Secret Service page at 10:32 a.m. warned: "ANONYMOUS CALL TO JOC
REPORTING ANGEL IS TARGET." Angel is the Secret Service codeword for Air
Force One; JOC means Joint Operations Center. When the president's plane had
departed Florida about half an hour earlier, it was en route to D.C. That
anonymous threat seems to be what diverted President Bush on a high-speed
flight across the country, first to Barksdale Air Force Base in Louisiana,
and then to an underground command center in Nebraska.
- Amidst the confusion that day, the Secret Service's New York field office
gave contradictory instructions to agents. At 9:06 a.m., their pagers lit up
with these orders:
Ninety minutes later:
Later:
- One message said:
Metrocall founder Harry Brock had been ousted as president six years
earlier. Metrocall chief operating officer Steven Jacoby 'died' on Flight 77
that day.
- Brinks, the armored car operator, received a series of requests for
immediate deliveries from banks running low on cash after Americans rushed
to withdraw currency:
- A press aide for then-California governor Gray Davis spent the day fending
off requests for interviews and updates from KABC, the Oakland Tribune, the
Long Beach Press-Telegram, the National Guard, KTTV, Fox News, and someone
who wanted to know,
What's unclear is what the impact of the release of the 9/11 data will be.
Nothing immediately apparent in the 573,000-or-so lines of text suggests a
rethinking of how we view the events of that day (although conspiracy
fanciers are sure to highlight excerpts such as the message suggesting
"military planes" forced down a commercial jet, and one saying there was an
"explosion and fire at Pentagon").
We've seen something like this before. A few years ago, AOL published the
mostly-anonymized search histories of over 650,000 of its users, which gave
rise to the kind of data excavation that's currently taking place in
connection with the disclosure of the 9/11 pager traffic. In the last few
days, the same kind of collective analysis of thousands of files has
accompanied the leaked global warming e-mail messages.
This should be a lesson to anyone who would prefer their personal details
not go on public display: Without end-to-end encryption, and perhaps even
with it, your correspondence is vulnerable to interception and publication.
And if you're the Secret Service responding to threats against the
president, or FEMA organizing an evacuation to an underground bunker, why
are you letting anyone with a $10 pager and a Windows laptop watch what
you're doing?
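The capcode arrangement described earlier is an address filter applied by the
receiver, not a confidentiality control. The sketch below is an added example,
not code from the original article or from any paging product: the capcodes,
keys and messages are constructed, and seal/unseal are a standard-library
stand-in for a vetted authenticated cipher.

```python
import hashlib
import hmac
import os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key, text):
    """Encrypt-then-MAC built from HMAC-SHA256 (illustrative; use a vetted AEAD)."""
    nonce, data = os.urandom(12), text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the frame was altered."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct)))).decode()

def polite_pager(frames, capcode):
    """A well-behaved pager keeps only frames addressed to its own capcode."""
    return [payload for cc, payload in frames if cc == capcode]

def promiscuous_receiver(frames):
    """A receiver that skips the capcode check sees every frame on the channel."""
    return [payload for _, payload in frames]

# Constructed sample data: capcodes, keys and message text are all made up.
KEYS = {1000101: b"k" * 32, 1000202: b"q" * 32}
TRAFFIC = [(1000101, "OFFICE CLOSED, WORK FROM HOME"), (1000202, "CALL DESK ASAP")]

def broadcast(encrypt):
    """Every frame goes to every receiver; the capcode is always in the clear."""
    return [(cc, seal(KEYS[cc], m) if encrypt else m.encode()) for cc, m in TRAFFIC]

def readable_by_eavesdropper(frames):
    """How many payloads can a keyless receiver read exactly as they were sent?"""
    sent = {m.encode() for _, m in TRAFFIC}
    return sum(p in sent for p in promiscuous_receiver(frames))

if __name__ == "__main__":
    print([readable_by_eavesdropper(broadcast(e)) for e in (False, True)])
```

Even on the encrypted channel the capcode travels in the clear, so who is being
paged, and how often, stays visible to anyone listening.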
Updates
Update 11:45 a.m. ET: Alert CBSNews.com Reader Ryan R. points out that the
first automated alert relating to the attacks may have come from (see this
file) Cantor Fitzgerald, which had offices in One World Trade Center. The
alert is time-stamped 8:46 a.m. and says: "Market data inconsistent...Cantor
API problem Trading system offline"
Update 11:47 a.m. ET: FEMA spokesman Clark Stevens says "FEMA has no
comment." No word yet from the Secret Service.
Update 1:39 p.m. ET: Alert CBSNews.com Reader Bernie S. reminds me of the
1997 interception of pager messages from President Clinton's entourage,
including messages from Hillary and Chelsea and love letters exchanged
between aides. Here's a summary from Harper's, and a longer write-up from
Peter Neumann's always-useful Risks Digest.
Update 3:04 p.m. ET: It didn't take long for the fake 9/11 "Zionist pager
intercepts" to appear. Another fake: "WTC south tower will collapse in 1
minute." On an unrelated note, WikiLeaks spokesman Julian Assange previewed
the files at a conference in Copenhagen last week (November 2009). See the
video. And I would be remiss not to mention the remarkable 911stories.net
site, which is displaying animated highlights.