Archive for the ‘Iran’ Category

“Syria is Iran’s only ally in the Arab world. It’s their route to the sea.” So said Mitt Romney at the Monday debate. The Associated Press, The Guardian, The Telegraph, New York, U.S. News, Brad DeLong, Rachel Maddow’s Maddowblog, Comedy Central, and The Daily Kos promptly seized the opportunity to show off their superior geographical knowledge, pointing out that Iran has a coastline. The explicit or implicit explanation was that Romney does not even know basic geography. “Romney Flubs Geography” announced the A.P. headline on the Washington Post website. Readers in search of more sophisticated coverage might have turned to Yahoo! Answers:

Q. Why did Romney say that Syria is Iran’s “route to the sea”? ...when 1) Iraq stands between Syria and Iran, and 2) Iran already has the Persian Gulf, not to mention the Indian Sea?

A. Romney was speaking in the context of the debate topic on foreign policy and the sanctions restricting the finances and trade of Iran. Although Iran is indeed located on the seacoast of the Indian Ocean and the Persian Gulf, the international trade sanctions have restricted and impeded its ability to transport armaments and other goods through its own seaports. To defeat these trade sanctions, Iran has resorted to using its air transportation to transport goods through an air corridor in Iraqi airspace into Syria and its seaports, such as Latakia.

Fact-checkers who actually investigate the facts might have started with expert websites such as StrategyPage. A 2006 article titled Syrian Delivery System for Iranian Nukes details the extensive seaborne smuggling operations carried out by Syrian companies operating out of Syrian ports. The article concludes:

Iran was generous with its “foreign aid” because Syria provided support for terrorists Iran backed. Now Iran is keen on getting nuclear weapons. The first ones Iran will get will be large and delicate. The only feasible intercontinental delivery system will be a ship. A ship that is accustomed to moving illicit goods.

Stratfor, which is an outstanding site for the collection and analysis of open source intelligence, has the following reports involving Syria/Iran sea-related collaboration: An Iranian ship at the Syrian port of Tartus (also spelled “Tartous”) picked up Syrian oil for delivery to China, to evade the economic sanctions on Syria (Mar. 30, 2012). Iranian warships docked at the port of Latakia in early 2012 (Feb. 18, 2012), and in early 2011 (Feb. 22, 2011; Feb. 24, 2011). During the 2011 visit, the Iranian navy’s commander, Admiral Habibollah Sayyari, announced that Iran was ready to help Syria improve its port facilities, and to collaborate on technical projects with Syria (Feb. 26, 2011). (All the Stratfor articles are behind a paywall.)

So in short, Syria is Iran’s route for the projection into the Mediterranean Sea (and from there, the Atlantic Ocean) of conventional naval power, and, perhaps soon, of nuclear weaponry.

Post-debate, the Washington Post‘s Glenn Kessler at least made a start towards a serious factcheck of the Romney quote. He published an updated and condensed version of a longer piece he had written last April about Romney’s repeated use of the phrase.

In the April piece, Kessler wondered what difference Syria made, since Iranian ships can enter the Mediterranean via the Suez Canal. True, but anyone with even a mild knowledge of naval affairs could explain the utility of a Mediterranean port, as opposed to a Persian Gulf port, for ships operating in the Mediterranean. In April and in October, Kessler wrote:

We also checked with other experts, many of whom confessed to being puzzled by Romney’s comments. [DK: Kessler should have named all the "other" experts, and should also have included the explanation of at least one of the experts who was not among the "many" who were confused.] Tehran certainly uses Syria to supply the militant groups Hezbollah and Hamas, but that has little to do with the water. The relationship with Syria could also effectively allow Iran to project its power to the Mediterranean and the border with Israel. But does that really mean, “a route to the sea”?

The last two sentences are really the buried lede of the story: Romney is raising a very important issue (Syria as the base for the projection of Iranian naval power), but Romney is not explaining himself in a manner which the less well-informed members of the public (e.g., the sources linked in the 1st paragraph of this post) can understand. If Romney were a better communicator, he would have laid out the facts in greater detail, as Ronald Reagan and Winston Churchill did in their own time, when warning their countrymen about the military dangers of aggressive totalitarian regimes. As Kessler wrote in April, “If Romney is elected president, he will quickly learn that words have consequences. Precision in language is especially important in diplomacy, and here Romney used a phrase that left people befuddled as to his intent and meaning, especially since he did not even make a distinction between the Mediterranean and Arabian seas.”

If you’re a journalist or a commentator, there’s no reason to be ashamed just because a Washington Post writer reported a story much better than you did. But when you find yourself being outclassed by Yahoo! Answers, perhaps it’s time to rethink your assumptions that you’re much smarter and better informed than Mitt Romney.

Now There’s a Photoshop for You

Here’s the photo of Netanyahu’s Iranian bomb / red line image, from his speech today to the UN:

And here’s a version by David Ferguson (Snicker Snack Baby):

Thanks to Powerline and Instapundit for the pointer.

UPDATE: A commenter asked why I thought the cartoon was interesting; I hope that others perceive some of this themselves — a joke isn’t really funny if it has to be explained, and a picture is worth a thousand words — but for those who are curious, my thinking is that this cartoon works well because it packs in so many mutually interacting messages (whether or not intended by the author).

1. First, focusing on Netanyahu, imagine Netanyahu actually displaying this cartoon in the UN, especially with the serious facial expression that he’s wearing. That’s pretty absurd, given the meltdown that it would generate, which is a bit funny by itself.

2. But at the same time, while it’s absurd that Netanyahu would show the cartoon, the cartoon likely captures pretty well (I can’t read Netanyahu’s mind, but it’s a good inference) what Netanyahu is actually thinking. To him Ahmadinejad and much of the rest of Iran’s hardliners are exactly the Turban Bomb Mohammeds that the cartoon depicts.

3. What’s more, deep down inside (or maybe not so deep) Netanyahu and many other Israelis, especially ones on Netanyahu’s side of the political divide, likely secretly wish that someone would indeed go into the UN chamber and show the Turban Bomb Mohammed = Iran cartoon. In a sense, the cartoon is thus a picture of what might be (again, no-one knows, but political cartoons like this aren’t about conveying provable information) Netanyahu’s dream the night before his speech: That he might go into the UN and thumb his nose at his enemies this way.

4. Now let’s set aside Netanyahu, and focus just on the cartoon. I’m confident that most Muslims have no wish to be Turban Bomb Mohammeds themselves — most of nearly any large religious group just want to live calm, peaceful lives, and in fact do indeed lead such lives. Many Muslims don’t support terrorist attacks on civilians, or even nonterrorist wars against Israel and America.

But Mahmoud Ahmadinejad fits the cartoon (in attitude, not appearance) quite nicely. He’s literally trying to develop a bomb. And his past rhetoric suggests that he might well light the figurative fuse on it. As I mentioned in item 2, Turban Bomb Mohammed is a pretty good representation of him. And there’s even a bonus subtwist in the form of his name, which as I understand it is a derivative of Mohammed, though the cartoon would work well even without that.

5. What’s more, the Iranian hardliners were among those who went apoplectic over the Mohammed cartoons — this cartoon tweaks them by using the same image to refer to them, and in a context where some of the criticisms of the original cartoon (that it doesn’t fairly represent the great bulk of peaceful Muslims) are inapt (see item 4).

6. Finally — and this is likely in the eye of the beholder — the Mohammed cartoon, used in this context, very much reminded me of a young (more Ahmadinejad-like) version of the iconic photos of Khomeini, the symbol of modern Iranian Muslim extremism.

Political cartoons, I think, are especially interesting when there’s a lot going on conceptually in a very limited visual composition. This one, it seems to me, is an especially good example of that.

Categories: Iran, Israel 0 Comments

Cyberwar: Iran Counterattacks?

Iran is to cyberwar what 1930s Spain was to airwar – contested ground where everyone tries out new technology and tactics.  After being on the receiving end of Stuxnet, which sabotaged the Natanz enrichment plant and showed that cyberweapons could replace cruise missiles, it looks as though the Iranian government has gone on the offensive.

The Dutch government’s electronic certification authority, DigiNotar, was compromised by a hacker in July of this year.  DigiNotar handled the hack badly, trying to fix the problem without disclosing it. As a result, DigiNotar’s credentials are being revoked by all of the major browsers.  This means that most web users will not be able to verify the bona fides of any site that DigiNotar has vouched for.  That includes a lot of Dutch government sites, and there are some reports that the Dutch government is leaning on Microsoft to keep the credentials operative for another week.  It also means that DigiNotar will be either out of business or buried in lawsuits that could also reach its parent, VASCO Data Security International.

The hacker who pulled off the compromise has posted messages claiming that the hack was revenge for Dutch peacekeepers’ surrender of thousands of Muslim men to Serb militias during the Balkan wars; the men were executed. The hacker says nothing about Iranian government sponsorship.

So why do I think the Iranian government was involved?

To understand that requires a bit of background about the role of certificate authorities on the Internet.  One of Netscape’s cleverest technological innovations was its solution to the problem of Internet eavesdropping.  It used public key encryption to encrypt the channel between a website and each user.  The user could look up a site’s public key and use that key to encrypt all of the user’s communications with the site.  (I’m oversimplifying here, but that’s the idea.)

The only problem was that the system was open to a “man in the middle” attack, where Mallory turns what’s meant to be a secure link between Alice and Bob into two secure links with himself as a secret hub and Alice and Bob as unsuspecting spokes.

Put another way, if an Iranian user asks Google for its public key, and he uses it to encrypt his communications, how does he know that he’s really using Google’s key?  If the Iranian government wants to read his Gmail, it could intercept his request and send him its own key.  He’d set up a secure channel with the government, which would then simply pass his login credentials on to Google.  For the rest of the session the government would sit in the middle, reading and passing on all the packets from both sides of the transaction.  Not good.

To prevent that, Netscape decided to bake a set of public keys into its browser.  The companies with the baked-in keys were certification authorities.  They could issue certificates vouching for the credentials of every site that wanted to offer secure, encrypted communications.

It was a great system, lightweight and very secure.  But only if the certification authorities kept their credential-signing process completely secure.  If they didn’t, then users would not know who was at the other end of the line, the website they wanted or a man in the middle.

Occasionally, of course, some fraudster would use fake documents to persuade a certification authority to sign credentials for a site the fraudster didn’t own.  That sort of thing could be fixed pretty easily.  Browser providers had already recognized that there had to be a way to revoke website certificates obtained by fraud, so browsers now do an online check each time they use a certificate; in essence, they ask an online server whether the certificate they are about to use has been revoked. So a single fraudulently obtained credential can be rendered harmless as soon as the fraud is discovered.

What happened to DigiNotar was not so easily fixed.  It appears that the hacker gained control of the credential-signing process for some weeks during July of this year, and he signed credentials for hundreds of online sites, including Google, Microsoft, and the CIA.

Now, that’s deeply embarrassing, and it probably would have been enough on its own to spell the end of DigiNotar.  But what came next was even worse.

Starting in August, according to investigators, online revocation checks for DigiNotar certificates jumped. Suddenly lots of people wanted to know whether the DigiNotar certificate for Google had been revoked.  This meant that hundreds of thousands of users were sure that DigiNotar was the authority that had signed Google’s credentials.  (In fact, Google signs its own credentials.) And 99% of the users asking about DigiNotar’s certificate for Google came from Iran. (Even the 1% of requests that didn’t come from Iran seem to have come from proxies and TOR routers in other countries, meaning they too could have been Iranian users.)

Clearly a lot of Iranian users had been fooled into thinking that DigiNotar had issued Google’s credentials.  I can only think of one way that could happen – if the Iranian government and ISPs were systematically intercepting packets bound for Google and saying, in effect, “I’m Google. Here are my credentials, signed by DigiNotar.  Let’s go secure and foil any eavesdroppers.” The user’s browser would say, “Wait a minute while I check to make sure DigiNotar hasn’t revoked your DigiNotar credentials, Google… Ok, you check out, let’s talk.”  As soon as the user started sending his login name and password to the fake Google, the middleman would use those credentials to log in to Google, which would set up a secure communications channel with the middleman.  The entire session would be encrypted unbreakably at every point in the chain save the one that mattered:  the government listening post in the middle. The Iranian government would be sitting pretty — Mallory between Alice and Bob.
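The counting behind that inference can be sketched in a few lines. This is an added example, not part of the original post and not any investigator's tooling: it tallies revocation lookups per certificate, counts distinct client addresses by country, and flags certificates for sites the authority never had as customers. The log format, the country column, the serials and the customer list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in a hypothetical responder log format (an assumption):
#   timestamp  client_ip  country  certificate_serial  certificate_subject
# Addresses are documentation ranges; serials and dates are placeholders.
SAMPLE_LOG = """\
2000-01-01T09:12:01Z 192.0.2.10 IR SERIAL-A *.google.com
2000-01-01T09:12:07Z 192.0.2.11 IR SERIAL-A *.google.com
2000-01-01T09:13:40Z 192.0.2.10 IR SERIAL-A *.google.com
2000-01-01T09:15:22Z 198.51.100.7 IR SERIAL-A *.google.com
2000-01-01T09:16:03Z 203.0.113.5 DE SERIAL-A *.google.com
2000-01-01T09:20:00Z 203.0.113.80 NL SERIAL-B www.example.nl
2000-01-01T09:21:10Z 203.0.113.81 NL SERIAL-B www.example.nl
2000-01-01T09:22:45Z 198.51.100.90 BE SERIAL-B www.example.nl
this line is malformed and is skipped
"""

# Hypothetical list of sites the authority really issued certificates for.
CUSTOMER_SUBJECTS = {"www.example.nl"}


def parse(log_text):
    """Yield (client_ip, country, serial, subject) for each well-formed line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines rather than guessing
        _, ip, country, serial, subject = fields
        yield ip, country, serial, subject


def summarize(log_text):
    """Per serial: subject, distinct clients, and the country most of them are in."""
    clients = defaultdict(lambda: defaultdict(set))  # serial -> country -> {ip}
    subjects = {}
    for ip, country, serial, subject in parse(log_text):
        clients[serial][country].add(ip)  # a set, so repeat lookups count once
        subjects[serial] = subject
    report = {}
    for serial, by_country in clients.items():
        counts = {c: len(ips) for c, ips in by_country.items()}
        total = sum(counts.values())
        top = max(counts, key=counts.get)
        report[serial] = {
            "subject": subjects[serial],
            "unique_clients": total,
            "top_country": top,
            "top_share": counts[top] / total,
        }
    return report


def unexpected(report, customer_subjects):
    """Serials checked for sites that are not customers, largest audience first."""
    hits = [s for s, r in report.items() if r["subject"] not in customer_subjects]
    return sorted(hits, key=lambda s: -report[s]["unique_clients"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for serial in unexpected(rep, CUSTOMER_SUBJECTS):
        print(serial, rep[serial])
```

Each distinct address behind a flagged serial is a client that was shown that certificate, which is why the same tally doubles as a rough count of affected users.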

Some observations, mostly additional reasons for thinking that this was an Iranian government operation, and what that means:

  • The notes posted by the DigiNotar hacker make him sound like a flake and a braggart, hardly the kind of postings you’d expect from the Iranian secret police. Maybe this is misdirection, or maybe he pulled off the exploit and then handed over his loot to the Iranian government, voluntarily or involuntarily. But the implementation of the man-in-the-middle attack was so quick and so smooth that it looks to me as though the hacker was working with the government from the start.
  • The same hacker who compromised DigiNotar claims to have carried out attacks on Comodo and GlobalSign, two other certification authorities. Both companies agree that they were hacked, although GlobalSign is not admitting that its credentials were compromised. Again, compromising certification authorities is a great idea if you’re in the business of man-in-the-middle attacks; otherwise it’s got mostly nihilistic look-at-me-trashing-your-infrastructure appeal, which might make you wonder why this hacker has specialized in such attacks if he doesn’t work for the government.
  • If this were an Iranian government op, the websites for which fake credentials were issued should be an Iranian government wish list — all the places where it most wants to be in the middle between the site and Iranian users. If so, the point of the fake CIA certificate wasn’t to help hackers break into the CIA’s network. The point was to impersonate the CIA online – to lure dissidents into setting up an apparently secure communications channel with a foreign intelligence service.  Iranian government paranoia about the CIA’s influence is so profound it’s almost flattering, and the Iranian government probably is kidding itself that the election protests were the result of foreign meddling, not the government’s unpopularity.
  • In fact, the domains whose credentials were falsified do seem to be a kind of museum of Iranian government paranoia. Along with Google, Microsoft, and the CIA, the hacker made fake credentials for Mossad, MI6, Facebook, Skype, WordPress, Twitter, azadegi.com (an Iranian dissident site in Persian), Walla.co.il (a site in Hebrew), torproject.org, and Yahoo, along with others.  The full list is here.  In some ways, it’s an honor roll.
  • It’s also a tell — more evidence that the attack on DigiNotar was government sponsored.  After all, if the DigiNotar hacker was really acting on his own, without government guidance, how did he manage to create so many certificates that would have so much value for an Iranian government man-in-the-middle attack?
  • If this is cyberwar, it’s an Iranian government war against its own people.  And a very dangerous one. The flood of revocation checks coming from Iran continued all through August, meaning that anyone in that country who logged on to Gmail or Hotmail or the other honor-roll sites has probably lost control of everything – not just emails they sent in August but their passwords, their stored emails, their stored files, anything that could be accessed by passwords they used in August.
  • As a result, DigiNotar’s security breakdown could foretell a new human rights disaster, with hundreds of thousands of victims. And, since we know the IP addresses that checked DigiNotar’s certificates, we could probably identify each victim individually.
  • Which raises this question: We know from the online revocation checks that three hundred thousand Iranian users were fooled into using fake  DigiNotar certificates for Google. The same information should be available for Microsoft, Facebook, and every other fake certificate that was issued by the hacker.  Those numbers are the big story, and I don’t understand why reporters have dropped the ball on it, unless they don’t appreciate its significance.
  • Mozilla has done a particularly good job of dealing with this issue, communicating more details earlier than most browser companies. Most recently, it called on the certification authorities it bakes into its browser to audit their security — and to put automatic blocks on some of the names, such as Google or Facebook, that are most likely to inspire man-in-the-middle attacks and least likely to change certificate authorities on short notice.  In contrast, Apple handled the whole affair pretty badly, taking days longer than the other big browsers to announce that it was revoking DigiNotar’s credentials.
  • Iranian dissidents probably could protect themselves from these attacks by installing a browser extension called CertPatrol, which warns you if a site you’ve visited before has suddenly changed its certificate authority.  CertPatrol likely would have told all those Gmail users that, instead of going to a “Google” site that Google vouched for, they were instead going to a “Google” site that DigiNotar vouched for. They could also protect their Google account by turning on Google’s two-step verification process, which won’t let you log on from strange IP addresses until you’ve typed in a separate code sent directly to your phone.
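The issuer-continuity check described in the last bullet can be illustrated as follows. This is an added example, not part of the original post and not CertPatrol's actual code: it remembers which authority vouched for a host on first contact and warns when a later certificate names a different one. The sample certificates are constructed dictionaries in the shape returned by Python's `ssl` module, and the issuer names are hypothetical.

```python
import socket
import ssl


def issuer_name(cert):
    """Issuer organizationName (else commonName) from a getpeercert() dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields.get("organizationName") or fields.get("commonName") or "<unknown issuer>"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live host's certificate (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


class IssuerMemory:
    """Remembers which issuer vouched for each host the first time it was seen."""

    def __init__(self, seen=None):
        self.seen = dict(seen or {})

    def check(self, host, cert):
        issuer = issuer_name(cert)
        previous = self.seen.get(host)
        if previous is None:
            self.seen[host] = issuer  # first visit: nothing to compare against
            return ("first-seen", issuer)
        if previous == issuer:
            return ("unchanged", issuer)
        # Keep the remembered issuer until the user explicitly accepts the change.
        return ("issuer-changed", f"{previous} -> {issuer}")

    def accept(self, host, cert):
        """Record a change the user has verified out of band."""
        self.seen[host] = issuer_name(cert)


def make_cert(org, cn):
    """Constructed certificate dict with hypothetical names, for offline use."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("countryName", "XX"),), (("organizationName", org),))}


# Both samples would pass normal browser validation if both issuers were trusted;
# only the comparison with the remembered issuer tells them apart.
GENUINE = make_cert("Site Operator CA (constructed)", "mail.example.com")
SWAPPED = make_cert("Other Trusted CA (constructed)", "mail.example.com")

if __name__ == "__main__":
    memory = IssuerMemory()
    for cert in (GENUINE, GENUINE, SWAPPED):
        print(memory.check("mail.example.com", cert))
```

A check of this kind only helps for sites visited before the interception began: if the first visit already goes through the middleman, the wrong issuer is the one that gets remembered.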

As always when I venture too far into technical territory, I am quite aware that there are fine points I may be missing.  I welcome corrections and comments.

So say documents leaked by Wikileaks. This shouldn’t be very surprising, but over the last several years I’ve seen many, many commentators (update: as has Jeffrey Goldberg) claiming that the only parties plugging for U.S. military action against Iran are Israel and its American “Likudnik” supporters. [Update: Omri Ceren provides some examples of "experts" who claimed that the Saudis opposed U.S. military action against Iran. For examples of focus on the "Israel lobby" with no mention of Arab support, see Stephen Walt and Joe Klein. Andrew Sullivan, however, suggests that it's "preposterous" to think that such people exist. It would be nice if they were actually just products of Jeffrey Goldberg's Zionist imagination, but no such luck.] Don’t expect many mea culpas, either.

In other Wikileaks news, Iran used the services of the Iranian Red Crescent, including Red Crescent ambulances, to smuggle men and weapons into Lebanon during the Israel-Lebanon War in 2006. Expect no condemnatory press releases from Human Rights Watch.

UPDATE: It’s quite a blow to conspiracy theorists, is it not, that the combined weight of two of their favorite bogeymen, “the Zionists” and “the Arabs,” hasn’t been able to get the U.S. to take military action against Iran.

Categories: Iran, Israel 61 Comments