Wired Cover Story and Our Film

Yesterday’s cover story in Wired by James Bamford was epic in many ways. Jim, a friend of the film’s, spent three days with Edward Snowden in Moscow and came away with brilliant new insights into Snowden’s character and motivations.

Beyond that, Snowden dropped two new revelations. One was about the NSA having systems that can automatically fire back against foreign cyber attacks without waiting for any human decision-making.

Vanity Fair said this about the second Snowden disclosure: “The juiciest of those new revelations pertains to Syria, a country from which Snowden says the United States government was keen to gain more information — through expectedly nefarious means.”

When the Internet went down in Syria for three days at the end of 2012 it was not due to the Assad regime pulling the plug on activists and opponents. It was due to the NSA screwing up its attempt to implant surveillance software on the Syrian pipes. Instead of being able to siphon all the data coming out of Syria, the NSA bricked the pipeline altogether. Whoops.

We were actively filming at the time with three of our characters during the Syrian Internet failure. None of them had any idea it was the NSA. Now we know the truth. This ironic twist will add plenty of drama to the film. And help build a bridge between the story of Syrian Internet surveillance and the NSA.

Shuffling the Cards

Preparing to edit a new rough cut. Which means playing with virtual 3×5 cards in Scrivener, our favorite app for organizing thoughts. Hat tip to editor Summers Henderson for that suggestion.


This particular shuffle is intended to map a tighter, leaner film. While delivering the story cleanly with the right emotional rhythm.

Stay tuned for more details as we begin the march to completion.


Film and Real Life

Our documentary, like most, has a mind of its own. Especially since the topic is Internet security and surveillance. Real life has a way of making the rules.

On our attorney’s advice, we cannot reveal some new producing hurdles which are giving us heartburn. Some day, all will be revealed.

On a more positive note, Zero Day will be the first documentary film to put human faces on the consequences of online state-sponsored surveillance.

We just returned from Europe filming with someone we have been trying to reach for nearly a year — thanks to frequent flyer miles and hosting by our gracious extended family. This person is giving us his amazing, heart-breaking and courageous story, which is still unfolding as we write this.

We cannot post sample film clips, as some have requested, due to the unpredictable nature of how online material gets circulated. Especially for an unfinished film with extraordinary sensitivities. Likewise, distributors hate it when footage leaks out before a release.

Thanks to all our friends and supporters for their continued patience and understanding. Finishing a film is always hard. No dates yet. The film will be delivered.

Where We Are Now

An update from the trenches. Magnolia Films, on screening the rough cut/assembly, decided they do not want to distribute the film. They will not provide more funding. They canceled their distribution deal and the distribution rights revert to me.

BBC Storyville, which also provided funding, though far less than Magnolia, screened the same cut and liked it. However, their series, the Dark Side of the Internet, for which the film was intended, concluded its run. The new head of BBC4, which oversees Storyville, is not interested in airing any more programs regarding the Internet.

Storyville will not provide more funding. They did refer us to two other BBC4 programs, NewsNight and Panorama, and I will introduce the film to those divisions shortly.

We sent the cut to Al Jazeera America and last week they called to say they like it. While AJA has very little viewership they do have resources. I am hoping their interest leads to an offer for U.S. TV rights in the coming weeks. Independent Lens/PBS also has the cut and I am supposed to hear from them shortly. I also plan to show the cut to HBO, CBS Films and CNN.

The good thing is there is a cut, the subject is ever so timely, and people seem to like it. We struggle to finish the film. We will finish the film.



Rough Cut Done

Glad to report our first rough cut is completed. We’re very excited about how this story about cyber-surveillance and threats to Internet security evolved to be even more relevant, topical and timely.

We’ve screened the unfinished version for a few friends in the film world. Their response has been very favorable — both in terms of story and character.

We await word from our partners, BBC Storyville and Magnolia Pictures, before moving on to finishing. Stay tuned.

More News About Our Film and the Syrian Electronic Army

The New York Times published a major story Saturday, “Hunting for Syrian Hackers’ Chain of Command,” about the cyberwar in Syria. Seeing the focus of our film on the front page of the Business Section is a morale boost and confidence builder.

In a previous post we wrote, “Little has been said about the more serious damage the S.E.A. (Syrian Electronic Army) and its compatriots in the Assad regime are doing online… Too bad the mainstream press chooses to ignore those more deadly aspects of the story.”

Recent S.E.A. hacks on the Associated Press, The Onion, The Guardian and the Financial Times are shout-outs for media attention. And they worked.

The NYT story makes a breakthrough connection tying the Assad regime with online intrusions and attacks done by the S.E.A. Instead of simply being a rogue hacking group of pro-regime supporters, it now seems certain that the S.E.A. is working in cahoots with the regime, as many human rights and Internet activists assumed.

Just as compelling, for us, is how three of our principal characters are sources, on the record, in the story. Dlshad Othman, Morgan Marquis-Boire and John Scott-Railton figure prominently in the article. We also filmed with reporter Nicole Perlroth in San Francisco as she worked on this piece. The elements for a dramatic, timely, character-driven sequence are in the can. We are excited about how this is going to play in the finished film.

There’s still more to be filmed as this subplot film plays out. So stay tuned.

Our Film and the Syrian Electronic Army Hack

Interesting about the hack yesterday on the Associated Press Twitter account by the Syrian Electronic Army (SEA). The mainstream media covered this extensively. Here in the New York Times and here, from Helen A.S. Popkin at NBCNews.com, who dug deeper than most.


By and large very little was reported about the source of the attack. And what the SEA regularly does besides posting fake tweets. Much of the news in the U.S. had to do either with how one fake tweet about an attack on the White House and the President impacted financial markets, or why Twitter needs to improve its security.

The markets recovered immediately. And Twitter, according to Wired, is rolling out two-step authentication to improve its security.

Little has been said about the more serious damage the SEA and its compatriots in the Assad regime are doing online. And their lethal consequences.

Our film concerns security online and threats from cyber-surveillance. In particular, how these collide in a very real way right now in the Syrian civil war. Sources have told us about the ways in which activists and members of the opposition are compromised by malware and surveillance software. Facebook and Skype have been used extensively by the SEA and others for this purpose. The consequences can be detention, torture and death.

We have this on-camera.

Too bad the mainstream press chooses to ignore those more deadly aspects of the story. But the film will address them, be sure of that. And threats from cyber-surveillance in other countries as well.


Mikko Hypponen on RATs, Syria and Ft. Meade

We had the opportunity to do a formal interview with Mikko Hypponen of F-Secure at the conclusion of our week filming at the 2013 RSA Conference. We wanted to learn how he and his colleagues (the “Three Mikko’s”) helped decipher surveillance malware being used against Syrian activists and regime opponents.

Mikko Hypponen of F-Secure, interviewed during RSA.

This story about a human rights activist inside Syria who was targeted by the regime will be central to our film. Mikko blogged about the investigation at the time.

Mikko helped fill in the blanks, a few of which we can spell out here. The rest will have to wait until the film is released. Probably near the end of the year.

The attacker used Xtreme RAT (remote access trojan), which, like Poison Ivy, Ghost Rat, and Dark Comet, takes over a computer without the user knowing — controlling it, seeing the screen, recording every keystroke, and accessing files. It can even turn on the microphone and webcam to record a user’s words and actions.

The hard drive shipped to Mikko and his colleagues which they analyzed for surveillance malware.

“Sounds sinister,” Mikko said. “But we don’t know if it is a private IP (Internet provider), if it’s run by the regime, or by companies — or who the end users are. But it looks like [the data] went back to the Syrian regime.”

In this case data was sent to an Internet provider (IP: identified as belonging to the Syrian Telecom Establishment. We looked it up. It’s still reported active — in Damascus. Here.

In relation to increasing levels of Internet-based surveillance and espionage, Mikko told us lately he’s been browsing online recruitment pages of military contractors such as Lockheed Martin. “They’re hiring exploit writers for offensive cyber operations by the dozens. In Ft. Meade Maryland [home of the NSA]! It doesn’t get much more open than that.”

“If someone told me five years ago [offensive cyber operations] would be this active, I wouldn’t have believed it. We’re definitely in a cyber arms race now.”

“I feel deeply about this. I’ve worked with viruses since the ’90s. So much has changed. Governments come in using the same tools that were used by kids for fun. Now it’s deadly serious things.”

Blue Coat and Stonesoft Surveillance Software: Admissions and Denials

Steps away from the Narus booth on the RSA Expo floor was the booth for Stonesoft. This Finnish company develops and sells commercial security software including deep inspection technology.

Our source had heard a rumor that the U.S. State Department uses Stonesoft to prevent WikiLeaks from being accessed by its employees. When asked, the Stonesoft representative readily admitted this was true. He did the coding! It does not block each and every WikiLeaks document, just the landing pages of WikiLeaks mirror sites. But still…

Down the way from Stonesoft was the booth of Blue Coat, the Silicon Valley-based company which got caught with its surveillance software in use by the Assad regime in Syria. Our friends at the Citizen Lab did a ground-breaking report about Blue Coat a few months ago, and that in turn generated a New York Times story about Blue Coat and cyber-surveillance in Syria.

The Wall Street Journal did its own investigation confirming Blue Coat’s devices were recording and/or blocking a huge amount of Internet traffic inside Syria, especially among opposition activists.

Blue Coat blamed its distributor in Dubai for re-selling to Syria, instead of Iraq, the intended buyer. Their representative said Blue Coat requires clients to declare the end user of their products abroad. However, as with arms sales, it’s easy to route goods through third parties or re-sellers.

The Blue Coat representative conceded its proxy servers can still be found inside Syria but their capabilities are turned off. We are looking into this now with the help of a malware researcher.

When asked if Blue Coat sells to repressive regimes such as Bahrain, the representative pointed to the official U.S. sanction list as being their litmus test. Those trade restrictions may be strict when it comes to North Korea and Cuba, but are less so for other countries. Enforcement is notoriously spotty. And those trade sanctions do not include Bahrain. Our friends at Bahrain Watch will be watching, we’re sure.

New Details About Narus Surveillance Technology

More details from our walk-about on the floor of the RSA Conference, just concluded in San Francisco.

Narus, which builds and sells surveillance software, is a wholly owned subsidiary of Boeing, and is based in Sunnyvale, CA. Narus has long been the focus of privacy concerns. Especially since 2006 when it was revealed in Wired that the Narus STA 6400 installed in ATT’s Internet backbone operation in San Francisco was collecting and analyzing network and customer information in real time for the NSA.

Here’s what Narus is up to now, based on a source who spoke with a Narus representative on the floor of the trade show.

Narus software is capable of, “full packet capture… when we want to go after a specific target, based on a keyword, user ID or an IP address. We decide to target [this] person, we go in and create target, and we can target e-mail, Facebook…”

Narus products capture and retain data for later analysis. We were told, for example, “if six months from now Twitter goes off the edge of the earth, we can render stuff exactly as it happened. We can do the same with email, Facebook, IM, and a lot of chat.”

As for Tor, the program which protects activists and journalists worldwide by hiding their physical location and encrypting their online activities, people Narus talks to in the Middle East are “very interested” in trying to break that capability.

There’s more. Narus can do sentiment analysis on e-mail, and Facebook and Twitter posts to determine the “mood” of a particular post or user. This is useful to predict behavior, such as a nascent protest movement that might otherwise escape notice. Where is the next Arab Spring going to occur? “We have the metadata around the session, now we know who the players were and who they are related to.”

If you are in the U.S. working in the private sector you are at risk from Narus technology. Companies use Narus to monitor employee activities online to determine if they’re doing something on the network they shouldn’t be, or if they’re removing unauthorized data.