'The McAllen Project': New Forensic Details on How the Government Spied on Me and My CBS Computers
Never-before-released details of the behind-the-scenes investigations
“I personally advised Ms. Attkisson at the time that I, and my associates involved, were quite shocked at what we found [in her CBS computer]; and that we felt what was transpiring, and had transpired, was outrageous. I personally could not imagine that something like this could ever happen in the United States of America.”
—Former FBI Unit Chief in the Electronic Surveillance Technology Section, January 2013
How it Started
“Reeeeeeeee.”
The noise is coming from my personal Apple desktop computer in the small office adjacent to my bedroom. It’s starting up.
On its own.
“Reeeeeeeee…chik chik chik chik,” says the computer as it shakes itself awake.
The electronic sounds stir me from sleep. I squint my eyes at the clock radio on the table next to the bed. The numbers blink back: “3:14 a.m.”
Only a day earlier, my CBS-issued Toshiba laptop, perched at the front of my bed, had whirred to life on its own, untouched by human hands. What time was that? I think it was 4 a.m.
Some nights, both computers spark to life, one after the other. After thirty seconds, maybe a minute, they go back to sleep. I know this is not normal computer behavior.
It’s October 2012. I try to remember how long ago my computers started going rogue. A year? Two? It no longer startles me. But it’s definitely piquing my curiosity.
I’ve been reporting on the deadly, September 11 Islamic extremist terrorism attacks on Americans in Benghazi—a follow on to my reporting that exposed the government’s Fast and Furious scandal in which the Department of Justice secretly facilitated the delivery of thousands of weapons to Mexico’s killer cartels.
Both stories would garner recognition from the Emmys and other journalism awards. But along with other reporting I’d done at CBS News, they also put me in the crosshairs of shady officials who don’t want me to tell these stories. And they don’t want whistleblowers sharing the government’s dirty secrets with me—or other reporters.
Now my computers offer a new mystery for me to unravel.
There are other electronic disruptions in my home. My home phone has become practically unusable. Often, when I call home, it only rings once on the receiving end. But on my end, it keeps ringing and then connects somewhere else. Nobody’s there. On the receiving end, my husband or daughter pick up and hear only a dial tone. My calls frequently disconnect midstream. At times, I and the people I’m speaking to on the phone hear other voices bleeding through in short bursts like an AM radio being tuned. There are clicks and buzzes so loud that a CBS lawyer I’m speaking with about a story jokes, “Jeez, is your phone tapped?”
The television is misbehaving, too. It spontaneously jitters, mutes, and freeze-frames. My neighbors aren’t experiencing similar interruptions.
On top of that, my home alarm system has begun chirping a nightly warning that my phone line is having “trouble” of an unidentified nature. Every night. Different times.
I’m losing sleep.
All of the troubled devices are connected to Verizon. Their technicians have answered multiple calls to my home in the past year and a half but are unable to troubleshoot whatever is wrong. We’ve tried switching out the TV, the FiOS box, and all the cables, to no avail.
Contacts in the spy world of the three letter agencies have begun approaching me, unsolicited. They tell me I’m likely being “monitored” because of the nature of my reporting. They tell me that somebody is making my devices behave the way they are. They say the public would be shocked at the extent to which the Obama administration has begun spying on Americans.
At the time, it sounds far-fetched. Edward Snowden hadn’t yet made his public revelations about the NSA’s massive surveillance of Americans. We didn’t yet know the Obama administration had secretly confiscated phone records of AP journalists, tracked the movements of Fox News reporter James Rosen, and gone to extraordinary efforts to stop insiders and whistleblowers from exposing the government’s skeletons.
And we didn’t yet know details of the government’s efforts to spy on me.
All these facts and more would make headlines in the coming months.
A decade later, I continue a fight for accountability in the courts. New information is still coming to light after all these years. But the hard truth that I’ve learned is that airtight forensics, and even a confession from one of the spies who worked for the government, aren’t enough to get justice.
Especially when those who would hold them accountable are the ones who committed the deeds in the first place.
Read on for details.
Forensics I
An intel community insider helped me get the very first, informal forensics done on my CBS laptop in January 2013. It was a personal favor. I never met the actual examiner. The computer was handed off to him through a third party.
My direct contact was a former unit chief with the FBI. He was speechless at what he said had been found in my computer. He told me he’d never expected the “positive” results—meaning evidence of government spying. He said he was shocked, and that “this was worse than Watergate, worse than anything Nixon had done.” He told me that the FBI he once knew would never have done this to a journalist, but that now things had obviously changed.
This contact was not only once an FBI Unit Chief in the Electronic Surveillance Technology Section, he’s also a lawyer and was the FBI liaison for national and international law enforcement in implementing a wiretapping law that required Verizon and other carriers to start allowing “built-in surveillance capabilities enabling federal agencies to monitor all telephone, broadband internet, and VoIP [voice over the internet] traffic.”
The official also conducted special agent work with the FBI in criminal and national security matters as well as counterintelligence; was a legal advisor to FBI field office personnel; and took part in the management of classified interagency technical programs; among other assignments.
The analysis he provided me showed that software proprietary to the government had been remotely installed onto my CBS computer and was operating for a long time— longer than the normal time period that would be authorized if it were an official FISA court-approved wiretap. This wasn’t an authorized wiretap, he told me. This was an illegal act.
“I advised Ms. Attkisson that the internal investigation and analysis of her computer yielded clear evidence that the computer was infiltrated by a sophisticated person or entity that used commercial, non-attributable spyware that was proprietary to only government agencies, including the CIA, FBI, or the National Security Agency (NSA). This particular intrusion entered the computer silently and was attached to an otherwise innocuous email that Ms. Attkisson likely received and opened sometime in February, 2012…The uninvited programs were running constantly on the laptop, and included a keystroke program that monitored everything typed on the computer, visited online, and viewed on the screen…I informed Ms. Attkisson that she should assume that her smart phones were also impacted…The analysis also revealed that the intruder accessed Ms. Attkisson’s Skype account, stole the password, activated the audio, and made heavy use of both, presumably as a listening tool…According to the evidence, the intrusion stopped abruptly about the time Ms. Attkisson noted her computers stopped self-starting at night.”
—Former FBI Unit Chief in the Electronic Surveillance Technology Section
Later, forensics were able to identify one exact time the remote intruders got in, piggy-backing invisibly on an email sent to my personal hotmail account. The tools used to spy on me were “redone” in July of 2012 using a BGAN satellite terminal. The intruders also accessed my computers through a Ritz Carlton wifi connection.
The intruders had accessed my Fast and Furious documents, and more.
The forensics showed that three classified documents had been planted deep in my operating system.
Without checking with me, the unnamed forensics examiner had returned the CBS computer to me “clean,” meaning he had wiped off the bad stuff. That removed a lot of evidence. I was surprised by this, but, indeed, I had never discussed with my contact what might happen if they found evidence like they had.
Fortunately, further exams would recover crucial data and uncover much more.
Forensics II
I immediately reported the news of the computer intrusions to my CBS bosses in early 2013. Since my initial forensics were conducted unofficially by someone who could not come forward publicly at the time, CBS hired an independent firm to conduct a separate examination. That firm was CyberPoint, Inc.
Initially, a CyberPoint forensics expert came to my house and conducted a quick exam of one of my CBS computers and my personal Apple desktop. In both cases, he reported finding on the spot evidence of suspicious activity, as well as sophisticated efforts to cover it up using capabilities he said were typically only available to the government.
Forensics III: The McAllen Project
At that point, CBS hired CyberPoint to conduct a more in-depth probe and look for “attribution,” to see if the computer spies could be named with specificity. CyberPoint examined two laptops I had been using at CBS.
The company named the investigation “The McAllen Project.”
Over the next few months, CBS kept publicly mum on the computer intrusions as a flood of government spy scandals came to be revealed, one right after the other. Snowden. AP. Rosen. The CIA’s James Clapper, exposed for giving false testimony to Congress denying there was massive government surveillance of American citizens.
Meantime, CyberPoint provided CBS and me with an interim report, unearthing additional suspicious evidence, such as the computer intruders changing the time stamp in my main CBS computer thousands of times—apparently to confuse any attempt to build a reliable history of what they had done and when.
The CyberPoint expert later answered questions about this in a recent deposition for my lawsuit against the government.
CyberPoint: My observation, based on my experience at the time, is that an abnormally large number of system time changes occurred…
Tab Turner, Attkisson’s Attorney: So that was something odd or unusual?
CyberPoint: Extremely unusual…
Tab Turner, Attkisson’s Attorney: Okay. So, in other words, it sort of scrambled the eggs so that you can't -- if you are trying to figure out what happened, you can't find the time sequence to be of any assistance?
CyberPoint: That’s correct…
——
Tab Turner, Attkisson’s Attorney (reading from CyberPoint report): “CyberPoint believes that Laptop B was subject to unauthorized interactions”…Was that your conclusion?
CyberPoint: Yes…
——
Tab Turner, Attkisson’s Attorney: This program was run, and neither Ms. Attkisson or CBS launched it. So somebody was running it, but neither the user nor the owner were doing it?
CyberPoint: That's correct.
——
Tab Turner, Attkisson’s Attorney (reading from CyberPoint report): Now, you make the comment on forensic finding at the bottom of 4.7 that “the prefetch history for all commands executed on 12 December of 2012 has been securely erased from Laptop B. It is unlikely this can be anything other than the result of deliberate action.” Why did you reach that conclusion?
CyberPoint: Because, like I said, it's not uncommon for a file to be deleted. But all files for a day, effectively, would only occur if it was done artificially or by a person or by a program under the direction of a person.
Tab Turner, Attkisson’s Attorney: And did that indicate to you, as a professional, that someone was attempting to cover their tracks?
CyberPoint: I do have to be specific, someone or something at the direction of a person was attempting to cover its tracks.
CBS ultimately seemed to stall in getting a full, final written report from CyberPoint in 2013. There were budget constraints and concerns about the cost of the CyberPoint analysis.
On my own, I took steps to report the crime. The question was: Who in the government agencies do you report a crime to when government agents committed the crime?
Forensics IV
My sources told me that it was a fool’s errand for me to report the computer intrusions to the Department of Justice Inspector General (IG). After all, “it’s the same agency responsible for the intrusions,” they told me.
But the way I saw it, there was a chance that there would be someone honest within the IG’s office. There was a chance that they would be familiar with the government’s software and capabilities, and would unearth even more information than we could get on our own. There was a chance they would truly seek accountability and hold the guilty parties responsible. And in the (admittedly likely) event the IG didn’t help with the case, I figured there was no harm done: We already had the evidence, so they couldn’t destroy it.
However, when the IG asked for access to my CBS computers, CBS would not hand them over.
So the Department of Justice Inspector General’s office never inspected the computers at issue.
(Later, the partisan smear group Media Matters, and some in the media that repeated its propaganda, would falsely report that the IG had inspected the CBS computer(s) and debunked the notion of computer intrusions. As recently as last month, NBC justice reporter Ryan Reilly repeated this false information.)
Forensics V
With CBS declining to give the CBS computers to the IG for examination, I asked the agency to at least look at my personal Apple desktop. While it wasn’t the main computer involved, I already knew from that computer’s behavior and from the initial CyberPoint exam that there was some evidence on this computer, too. Maybe it could add to our knowledge base.
Over the next few months, the IG examiners kept me updated as they said that, like the other examiners, they documented the suspicious activities on my Apple desktop. They provided me with information along the way.
But midway through their investigation, they informed me that an unnamed person had stepped in and “narrowed the scope” of the IG investigation. They also told me that the IG’s general counsel had decided to withhold their final report from me, and was going to withhold any documentation—even though I was the one who had requested the exam and had been promised a report. Why?
Much later, when pressed by Congress, the IG’s office released only a scrubbed summary of their investigation into my personal Apple desktop. It didn’t reflect the information that the IG investigators had told me they’d discovered. The scrubbed summary was apparently written by someone for the purposes of implying they didn’t find any firm evidence that “remote” intrusions had occurred. Then, the IG summary was falsely promoted in the media as if it were an examination of the CBS computers—which the IG had never seen!
Forensics VI
Separately, I hired a lawyer and yet another independent forensics examiner. This expert conducted additional in depth exams and was, again, able to expose crucial details about the intrusions. Even more than we’d already learned.
Among other facts, he identified several government controlled IP addresses from the US Postal Service (USPS) that were used to accomplish some of the illegal intrusions. This was considered to be “as solid as fingerprint evidence.”
“The presence of these USPS addresses on the Plaintiff’s computer is not a mistake; it is not a random event; and it is not technically possible for these IP addresses to simply appear on her computer systems without activity by someone using them as part of the cyber-attack,” said the forensic specialist.
The expert later testified in court documents that he is familiar with the types of Advanced Persistent Threat (“APT”) cyber-attacks that were conducted against me and my family because, as a contractor for the NSA and the CIA, and as a Department of Defense civilian employee, he “developed and deployed similar APT cyber-attacks overseas against foreign government, commercial, insurgent, and terrorist targets.”
“There can be no reasonable question that an APT-style cyber-attack was carried out on Attkisson’s computer systems and Internet connection…Specifically, the APT methods deployed against the Plaintiff’s computers and Internet connection during the period of time identified in the underlying litigation were sophisticated and of the type only available to government-type activities and operations.”
—Computer Forensics Expert and former contractor for NSA, CIA and DoD
CyberPoint Warning
At the time of my computer intrusions, CBS had recently hired a top security official who happened to have worked for the National Security Agency (NSA) and came straight to his position at CBS from an assignment at the Obama White House. A little odd, said my intel sources, for a news network to bring in a government-connected specialist to oversee computer security and related matters. At the same time, the CBS news division president was David Rhodes, brother of Obama adviser and operative Ben Rhodes.
The computer security official was now involved in the most serious known security breach of CBS News computers. But, to me, his behavior and actions seemed counterintuitive.
It seems that one of his top priorities upon confirmation of the computer intrusions should have been to meet with me, offer assistance in my family’s security, and launch an analysis of what news information and sources in the CBS system had been compromised.
Strangely enough, none of that happened.
The CBS security official and his team never reached out to me. They asked me no questions. And when I reached out to them to even see if they were aware of or working the case, they seemed indifferent and provided no follow up.
Meanwhile, after much back and forth with CBS for some months about a budget, CyberPoint finally finished what work it was able to accomplish on the CBS computers.
On June 10, 2013, CyberPoint’s main forensic examiner issued an email to CBS and its security experts titled “URGENT.” The email confirmed that CyberPoint had obtained “definitive evidence” that there was an “unauthorized third party” that had accessed my computers and run commands. The email stated that what was “even more concerning” was that the commands were “standard fare for a remote user trying to learn about the network configuration of a system” and “this history has been securely removed,” “deliberately,” from the hard drive. The expert said there was reason to be concerned about “the integrity of your employer machines” and suggested CBS take certain security actions.
From: JUNE 10 2013 REPORT by CyberPoint
While performing final analysis of the customer primary subject original laptop we have discovered:
New analysis shows evidence of at least two (2) successful attempts of unauthorized access of the primary subject computer between 12 December and 31 December 2012.
This evidence shows execution of system profiling commands.
These commands are not normally run and are reserved for learning about a system configuration
Evidence suggests these commands were run directly from the account of the customer primary subject, not a customer administration account.
This evidence has been deliberately and securely removed from the primary computer hard drive.
CBS Announcement
CyberPoint issued its final report to CBS and, within days of that “URGENT” email, CBS News finally made a public announcement confirming the computer intrusions. It was August 7, 2013, a full seven months after I first learned of the illegal actions.
The day before the public announcement, the president of the CBS News division, Rhodes, and the Washington Bureau Chief met with me and promised to leave no stone unturned in trying to identify the names of the culprits.
But that was the last time anyone at CBS ever spoke to me about it.
My investigation
Naturally, as an investigative reporter, I continued my own investigation— at my own expense. When I filed a Freedom of Information Act (FOIA) request with the FBI for information relating to the intrusions of my computers, and for any information referring to me generally, the FBI falsely replied that it had no such information.
I knew the FBI’s response was false, and eventually sued the agency. The scant, relevant documents the agency did eventually turn over, under pressure from my FOIA lawsuit, confirmed that the FBI had, indeed, opened a case regarding my computer intrusions back in summer of 2013. The FBI case listed me as the “victim.” Yet the FBI never notified me, interviewed me, offered assistance, or took any steps that I know of to identify the perpetrators.
I assume it’s because the FBI already knew that the government’s own agents were responsible.
Strange Video
Months after the computer intrusions had been forensically proven and publicly confirmed, I was working on a story related to the Islamic extremist terrorist attacks on Americans in Benghazi, Libya. It was yet another story very sensitive for the Obama administration. Insiders and whistleblowers had provided me with evidence, and I exposed the fact that the US Ambassador to Libya had begged for additional security prior to the attacks but the State Department denied the requests. I reported that there had been very specific warnings of an impending attack (apparently disregarded by Hillary Clinton’s State Department at headquarters). Additionally, I revealed that US officials had turned back help that was close enough to have potentially rescued some of the Americans who were killed over the course of that long siege. And documents showed the Obama White House conspired with various federal officials and agencies to cover up the Islamic extremist terrorist nature of the attacks, less than two months before a new presidential election where Obama was seeking a second term and had claimed that he had sent terrorists on the run.
By now, I was using a new and different home computer: a MacBook Air. Working at home at night, I watched incredulously as someone apparently took remote control of my computer and began deleting material at a super high speed that’s not possible by holding down the delete key (or any other method available to a casual user).
I was able to grab my phone and video a bit of the action. The next day, when I showed the video clip to several forensics experts, they said they took it to mean that someone was sending a message to me that, “This is what we can do. We’re still watching.” I posted the video clip online.
I already knew from my sources that it was simple for government infiltrators to operate computers remotely, “as if they were sitting at the keyboard.” They had downloaded programs and exfiltrated files in this way over many months.
But again, the propaganda group Media Matters stepped in with their spin, once again deflecting for the guilty government agents. Media Matters fabricated a false claim that the video I’d captured simply showed a “stuck backspace key.” And once again, the group falsely implied that the “stuck backspace key” proved there had been no computer intrusions at all. Why is Media Matters so intent on covering up for the perpetrators?
Forensics VII
With the government in cover up mode, not helping the search for accountability, I filed a series of lawsuits against the Department of Justice, FBI, and various officials. Over the years, the government has been able to spend unlimited taxpayer money to stall, delay, and obfuscate. Although the forensics are irrefutable, getting them before a jury’s eyes has proven to be impossible. The technical hurdles that must be crossed to get to that point are insurmountable for ordinary citizens.
Still, as part of the lawsuit, we continued on with deeper forensics exams that added to the evidence pool with more specifics of the intrusions. And we have turned up some startling new facts late in the game.
For example, a USPS official testified in a deposition. He confirmed that the government IP addresses we’d discovered in my computers had been wholly controlled by the government and could not have been spoofed or accessed by third parties outside the government. (Oddly, this official was hit by a truck and killed shortly after his testimony.)
Also, another break came when a controversial figure named Ryan White stepped forward and admitted to taking part in one of the spy efforts against me. He said the operation was run under the office of then-US Attorney Rod Rosenstein out of the Baltimore, Maryland, office. He indicated that the operation used him and other agents tasked from various federal agencies including the Secret Service (which the Department of Justice denies), and that they spied on hundreds of US citizens.
I found evidence that White, indeed, had a relationship working under Rosenstein. That was confirmed in a 2015 court filing (below), in which Rosenstein asked for certain documents to be sealed, stating that White was “assisting law enforcement in an unrelated investigation.”
As part of my current lawsuit, I received a clerk’s default against White. It is believed to be the first case of a journalist getting a favorable court decision in a case of government spying. (Oddly, White supposedly died before we could have a trial to determine damages. His untimely disappearance and reported death also meant we couldn’t probe to get details that could lead to higher-up government officials.)
The Mysterious Government Visit
Another stunner came not long ago as part of my current lawsuit. CyberPoint’s forensic specialist testified to something I hadn’t known before.
He said that back in 2013, when he found evidence that a crime had been committed regarding my computer intrusions, CyberPoint decided to secretly notify the government and give them time to weigh in on what was found in my computers before CyberPoint issued its report to CBS. CyberPoint top officials had connections to government agencies.
The CyberPoint forensic specialist further testified that someone from the government did visit the company’s offices, regarding my computers, at the behest of a top CyberPoint official. The forensic specialist says he doesn’t know the government man’s name or the specific agency he came from, but that he provided the government man with “raw evidence.” The government man took “handwritten notes” and left—never to be seen by the CyberPoint forensic specialist again.
CyberPoint: We believed a crime had taken place [regarding Sharyl Attkisson’s computers]…
Tab Turner, Attkisson’s Attorney: And did you actually or did someone actually at CyberPoint notify the Government?
CyberPoint: Yes, we did…
Tab Turner, Attkisson’s Attorney: And at that point in time, it concerned you enough that communications within CyberPoint were had to the effect that ‘somebody needs to alert the Government to this?’
CyberPoint: Yes.
Tab Turner, Attkisson’s Attorney: And you set aside two days, basically, 48 hours for somebody from the Government to either contact you or reach out to you or some sort of communication to occur before you passed on information to the client, CBS News?
CyberPoint: Yes…someone came to CyberPoint, and did not tell me their name. And I explained the situation to them. And I gave them the raw digital evidence. They thanked me for the evidence and went away. And we waited two days. And we never heard anything about, ‘Wait, stop, go talk to the FBI, go talk to this person or that person.’ So I considered the matter closed at that point…
Tab Turner, Attkisson’s Attorney: And then you waited to hear back from the Government and never heard anything?
CyberPoint: I never heard anything, correct…So my two days -- in a sense, I allotted that window to seek guidance on what I should do because I wasn't sure what I should do. When the window expired, we sent the data on to [CBS].
How It’s Going
And so, it’s been more than a decade. The legal process is nearing a final end. Even with a victory of sorts in our column— the clerk’s default I received against White who was involved in the computer spying— the search for accountability has yet to be fully satisfied. It’s been an expensive and agonizing process.
In the near future, there should be a damages trial in my case to determine how much money White technically owes me for the intrusions. It isn’t likely to net a penny since White is now reported to be dead.
But this was never about the money and the hundreds of thousands of dollars spent trying to unravel this mystery. It was about forcing accountability.
Over the past ten years, much of the public has gone from being incredulous about allegations of government spying on citizens…to largely numb to them as reports have become sadly commonplace. The bad behavior is almost expected. The government has been exposed spying on members of Congress, its staff, other political figures, the Trump campaign, and more. The Foreign Intelligence Surveillance Court has caught federal agencies, including the FBI and NSA, violating rules intended to protect us all from having our rights and privacy violated. In every wiretap examined, the FBI got caught violating its own rules intended to protect Americans from improper spying. The FBI got caught falsifying evidence in order to effectively wiretap the Trump campaign and presidency in 2016 and 2017 through Trump supporter Carter Page.
More spying, more intrusions, more violations of our freedoms and our Constitution, are the only outcomes we can expect when there’s been so little accountability.
I think initially, people cared very much as they learned of the government’s unconscionable acts. I think they cared a lot about the monumental revelations brought forward by NSA whistleblower Edward Snowden in 2013. But a propaganda machine kicked in and quickly distracted the media and public from Snowden’s shocking revelations. Instead, the media became convinced that story was the search for Snowden’s precise whereabouts. That overtook the headlines. He was demonized. “The story” came to be all about Snowden and how he got his documentary evidence rather than about the government’s egregious violations.
After Snowden exposed how far the government had secretly gone to allow itself to spy on us, he expressed that his biggest fear was the revelations would be dismissed or ignored. Or that nothing would come of them.
And here we are.
Now tell me that the FBI and the CIA didn't know that Hillary had classified documents on her DIY server.
Thank You Sharyl! Good luck!