I've seen some variation of this article around for the past week or so, usually stemming from foreign nationals who are still butt hurt Hillary Clinton beat out Bernie Sanders for the Democratic nominee to run for the presidency against #DonaldTrump and then had the audacity to lose. I've also seen these "the DNC wasn't hacked" headlines coming from #TrumpNation as a chance to swivel the light focused on Russia's involvement in the 2016 election towards the Democrats or Hillary Clinton.

I can't remember which link I tried reading on the subject, but the article was horrendous at making its case and, therefore, I didn't feel the need to pass it along. And I hadn't planned to until I read Andreas Schou's wonderful takedown posted below.

via Cara Evangelista

Originally shared by Andreas Schou

This article is terrible. Let's recap why we think that Russia was involved:

(1) We currently have a Ukrainian hacker in custody who believes he was working for the Russian government on that hack. It would be peculiar for him to turn himself in if everyone involved was in the US.

(2) The same malware implant was used in the Ukrainian election hack of 2014, the Bundestag hack in 2014, and a variety of other hacks against Ukrainian civil society organizations, US and Ukrainian military officers, US defense contractors, Russian journalists, and State Department officials.

(3) The documents released by Guccifer 2.0 were accessed by a role account named after Felix Dzerzhinsky, the founder of the Russian intelligence services. Preserved error messages in some Excel files indicate that the computer's language was set to Russian.

(4) DNC server logs indicate that the attackers, whoever they were, worked from 9 to 5 in Moscow's timezone.

(5) Guccifer 2.0 claims to be Romanian. The few short utterances he produced in Romanian dropped articles and misused prepositions in a way which indicates that the speaker probably speaks a Slavic language.

(6) There appears to be a great deal of SIGINT indicating that people in the Russian government were trying to find the "33,000 deleted emails" at Flynn's request.

(7) The Podesta emails, which could not have been leaked (they're from a private account) appear to have passed through the same channels as the emails now alleged to have been leaked. I have no reason to believe that the media narrative around these emails is false, and I implicitly trust the people who would have reviewed the forensic evidence. (They came from a gmail account, and while I have no specific knowledge of literally anything involved, suspected sovereign hacks are treated with special attention by a dedicated team.)

(8) Three independent outside reviews -- ThreatConnect, Mandiant, and CrowdStrike -- concur, on the basis of forensic evidence from the server logs, with the more elaborate review done by US intelligence agencies and law enforcement.

This article is largely incoherent from a technical perspective, and as someone who's worked in computer security and is now the privacy lead for a lot of people who do computer security, I really couldn't make heads or tails of it. But here's why it's so utterly uncompelling.

(1) The people writing the "report," and I'm going to get into them later, didn't actually have access to any of the malware samples, server logs, or disk images which were used in the hack.

(2) What they did have, however, was the original zip file which Guccifer 2.0 used to distribute a bunch of stolen DNC files. The files inside the ZIP are timestamped at an interval which implies a transfer rate of 22 MB/s, which is extremely high for a consumer-grade Internet connection. (It's also not the usual way you'd measure network speed, which is generally measured in Mb/s rather than MB/s, but... well... there's a reason for that.)

(3) This is not particularly important because neither the DNC nor the FSB nor the GRU would be operating on consumer-grade Internet connections. They'd be operating on fat commercial connections instead, which can easily reach that speed.

(4) Okay, but maybe it couldn't get to Russia at that speed. This is kind of a legit criticism, because transpacific capacity is actually bad enough that Google sometimes has problems with it. And of course there would be some latency. But this article confuses latency ("how long it takes to get there") with bandwidth ("how much gets there at the same time").

If you've got dedicated, leased fiber, of course you could get it to RU at that speed.

(5) Anyway, that doesn't matter. There are good reasons to exfil in a burst transmission from a staging server rather than exfiltrating in one step. The NSA operates network logs of data leaving and entering the US. If you send your data from the DNC to RU in one stage, that might attract some attention. If you first move the data to a staging server on a rack somewhere in the US, pause, and later burst-transmit it to Russia, it looks like a US --> US network transaction, and then an unrelated US --> RU network transaction.

(6) But that doesn't even matter, because it gets worse: while I can think of some reasons why those timestamps might correspond to a network speed, they probably don't: unless you're doing some Windows copying to a remote disk, it's going to preserve the same timestamp.

You know what that speed does correspond to? It's a little slow for a disk from five years ago (which you might expect to be in the ~80-100 MB/s range), but it really does look like roughly the speed that a slightly out-of-date computer might write to a ZIP file.

Which would change the timestamps.

So why did this article happen:

(1) There are some mostly-decent people in VIPS. Drake and Binney were both utterly humiliated by NSA's overreach, and Ray McGovern is a lefty activist. But Tice is insane -- I do not mean this in a metaphorical sense; he was dismissed for mental illness -- and Johnson is a serial fabricator who is responsible for the 2008 "whitey tape" rumors, Hersh's unpublishable story about us not really killing Bin Laden, and the Seth Rich murder conspiracy theory.

Also, Binney's primary source of income is Russian state media. So. Uh.

(2) You know who "Forensicator" is? A blog obfuscating screenshots from /r/the_donald/, not a computer security researcher at all. There is no reason to believe they have any idea what they're talking about.

(3) Patrick Lawrence is a pen name for Patrick L. Smith, used when he wants to obfuscate his own prior work for Russian state media.

https://www.thenation.com/article/a-new-report-raises-big-questions-about-last-years-dnc-hack/
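Editor's note: the "22 MB/s" figure in the shared post above comes from reading the modification times of the members inside a ZIP and dividing the bytes by the elapsed time. The script below, added here as an illustration and not part of Andreas Schou's post or of the report it criticises, builds a small ZIP in memory from constructed files with timestamps spaced two seconds apart, reads the timestamps back out of the archive, and computes the rate the same way. The file names, sizes and dates are invented for the demonstration. Two things it makes visible that the argument depends on: ZIP stores timestamps in DOS format with 2-second resolution, so a handful of members yields a very coarse estimate, and the timestamps measure whatever process last touched the files (a local ZIP write, a copy that did not preserve mtimes), not necessarily a network transfer.

```python
"""
Implied transfer rate from ZIP member modification times.

Added example with constructed data. Not code from the original post or
from any of the reports it discusses.
"""
import io
import zipfile
from datetime import datetime, timedelta


def build_sample_zip(members):
    """Build a ZIP in memory.

    members: list of (size_in_bytes, datetime). Each member is filled with
    zero bytes and given the supplied modification time. ZIP_STORED keeps the
    archive simple; the timestamps are what we care about.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for i, (size, ts) in enumerate(members):
            # ZipInfo.date_time is (year, month, day, hour, minute, second);
            # seconds are stored with 2-second granularity (DOS time).
            info = zipfile.ZipInfo(f"file{i}.bin", date_time=ts.timetuple()[:6])
            zf.writestr(info, b"\0" * size)
    return buf.getvalue()


def implied_rate_mb_s(zip_bytes):
    """Return (total_bytes, elapsed_seconds, rate_mb_per_s) from member mtimes.

    A modification time marks when a file finished being written, so the
    interval between the earliest and latest mtime covers every member except
    the earliest one. Those bytes divided by that interval is the implied rate
    in MB/s (1 MB = 1e6 bytes, as in the post). If all mtimes are identical
    (e.g. a copy that preserved timestamps) the rate is undefined and None is
    returned instead of dividing by zero.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.date_time)
    total = sum(i.file_size for i in infos)
    first, last = datetime(*infos[0].date_time), datetime(*infos[-1].date_time)
    elapsed = (last - first).total_seconds()
    if elapsed <= 0:
        return total, elapsed, None
    moved_after_first = total - infos[0].file_size
    return total, elapsed, moved_after_first / elapsed / 1e6


def demo(spacing_seconds=2, size=4_000_000, count=4):
    """Constructed scenario: `count` files of `size` bytes, mtimes spaced
    `spacing_seconds` apart starting at an invented date."""
    t0 = datetime(2016, 7, 5, 12, 0, 0)  # assumed, for illustration only
    members = [(size, t0 + timedelta(seconds=i * spacing_seconds)) for i in range(count)]
    return implied_rate_mb_s(build_sample_zip(members))


if __name__ == "__main__":
    total, elapsed, rate = demo()
    print(f"{total} bytes, {elapsed:.0f} s between first and last mtime -> {rate} MB/s")
    print("identical mtimes ->", demo(spacing_seconds=0)[2])
```

With four 4 MB files two seconds apart the estimate is 2 MB/s; with the spacing set to zero the function reports no rate at all, which is the case the post describes when a copy preserves timestamps. Because of the 2-second DOS resolution, an interval measured over a few members can be off by seconds in either direction, so a figure like 22 MB/s carries a wide error bar before one even asks what process produced the timestamps.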
