Guccifer 2 and “Russian” Metadata

The DHS-FBI intel assessment of the DNC hack concluded with “high confidence” that Guccifer 2 was a Russian operation, but provided (literally) zero evidence in support of that attribution. Ever since Guccifer 2’s surprise appearance on June 15, 2016 (one day after Crowdstrike’s announcement of the DNC hack by “Russia”), there has been a widespread consensus that Guccifer 2 was a Russian deception operation, with only a few skeptics (e.g. Jeffrey Carr, questioning the evidence but not necessarily the conclusion; Adam Carter, challenging the attribution).

Perhaps the most prevalent argument in attribution has been the presence of “Russian” metadata in documents included in Guccifer 2’s original post – the theory being that the “Russian” metadata was left by mistake. I’ve looked at lots of metadata, both in connection with Climategate and more recently in connection with the DNC hack, and, in my opinion, the chances of this metadata having been left by mistake are zero. Precisely what it means is a big puzzle though.

Reliance on “Russian Metadata” in Attribution

Lest anyone believe that it is wildly improbable that US attribution is based on anything as flimsy as such metadata, I’ll provide a series of excerpts from leading articles. In making this selection, I’ve tried to find relatively authoritative articles. I’m unaware of any dissenting articles in mainstream media.

Motherboard, June 16 url

However, considering a long trail of breadcrumbs pointing back to Russia left by the hacker, as well as other circumstantial evidence, it appears more likely that Guccifer 2.0 is nothing but a disinformation or deception campaign by Russian state-sponsored hackers to cover up their own hack—and a hasty and sloppy one at that…

it’s “more likely than not” that the whole operation, including the Guccifer 2.0 part, was orchestrated by Russian spies, according to Thomas Rid, a cybersecurity expert…

The leaked documents contain metadata indicating they’ve been opened and processed on multiple virtual machines, as the independent cybersecurity researcher known as Pwn All The Things pointed out on Twitter on Wednesday. Some of these machines had different configurations, including one with the Cyrillic language setting and the username of “Iron Felix,” referencing Felix Dzerzhinsky, the first head of the Soviet intelligence services.

Vocativ, June 16 url

But there’s something funny about those Word files. While most are listed as originally written by Warren Flood, the name of a political strategist for the Democratic party, all five are listed as being most recently revised by someone named “Феликс Эдмундович,” an apparent pseudonym and reference to early Soviet hero Felix Dzerzhinsky.

Other firms agreed that it was possible, if not likely, that Guccifer 2.0 was created by the same Russian state-sponsored actors originally described in the hack.

Arstechnica, June 16 url

We still don’t know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country’s lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name “Феликс Эдмундович.” That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, “Феликс Эдмундович” is the colloquial name that translates to Felix Dzerzhinsky, the 20th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)

Exhibit B is this opposition research document on Donald Trump, the presumptive Republican presidential nominee. Exhibit B is also written in Word. Several of the Web links in it are broken and contain the error message “Error! Hyperlink reference not valid.” But in a PDF-formatted copy of the same document published by Gawker a few hours before Guccifer 2.0’s post went live, the error messages with roughly the same meaning appear in Russian.

The most likely explanation is that the Russian error messages are an artifact left behind when the leaker converted the Word document into a PDF. That kind of conversion would be expected if the leaker’s PC was set up to use Russian.

All three pieces of evidence were teased out of the documents and noted on Twitter by an independent security researcher who goes by the handle PwnAllTheThings. ..

CSO Online, June 23 url

Metadata found within the leaked DNC documents included snippets of Russian.

Threat Connect, June 29 url

Although the proof is not conclusive, we assess Guccifer 2.0 most likely is a Russian denial and deception (D&D) effort that has been cast to sow doubt about the prevailing narrative of Russian perfidy.

There are signals that appear purposefully left behind to make a compelling case for a non-state Russian or Eastern European actor operating independently, such as cyrillic references to Felix Dzerzhinsky.

Rid, Motherboard Vice, July 25

The evidence linking the Guccifer 2.0 account to the same Russian operators is not as solid, yet a deception operation—a GRU false flag, in technical jargon—is still highly likely….

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

NYT, Dec 13, 2016 url

Cyberresearchers found other clues pointing to Russia. Microsoft Word documents posted by Guccifer 2.0 had been edited by someone calling himself, in Russian, Felix Edmundovich — an obvious nom de guerre honoring the founder of the Soviet secret police, Felix Edmundovich Dzerzhinsky. Bad links in the texts were marked by warnings in Russian, generated by what was clearly a Russian-language version of Word.

Washington Post July 2017  url

The accidental inclusion of Russian-language metadata in some of the leaked files, as well as some error messages that were printed in Russian. In later releases of the same files, those messages were removed.

Guccifer 2’s June 15 Cut-and-Paste

Adam Carter (g-2.space) has been the leading critic of the above theory. I’ve relied on his ideas in the following exposition, but my approach is also heavily influenced by my Climategate experience.

First of all, the metadata in controversy is not the file-system metadata which one sees in directory listings, but internal Word metadata (e.g. author, default language). Simply uploading a Word document to a public location does not change its internal Word metadata. There are dozens of such examples both in Climategate and even in the Guccifer 2 cf.7z and ngpvan.7z dossiers.

In Guccifer 2’s first drop (June 15), Word metadata was changed in four documents (1.doc, 2.doc, 3.doc and 5.doc). In the first three documents, G2 successively cut-and-pasted the contents of three documents (Donald Trump Report, Dec. 19, 2015; 2016 GOP Presidential Candidates, May 26, 2015; HRC Election Plans, May 26, 2015) into a single (older) document template (perhaps an emptied document), which had originated with Warren Flood, a former employee of Joe Biden, and which had been modified prior to insertion of the fresh contents. G2 set the user name for the Word session to Феликс Эдмундович, Felix Edmundovich [Dzerzhinsky, the first Cheka director]. The default language of the Warren Flood template had been modified to Russian. The document itself is in RTF (readily readable in Notepad using techniques described by Carter at g-2). Originals of the three documents were later traced by Jimmysllama to Podesta emails 30498, 55782 and 3405.

For all three documents, the very first line of the RTF sets default language to Russian (lang1049):

Later in the RTF, Felix Edmundovich in Cyrillic is introduced through the following line:

A fourth Word document in the June 15 dump (Promises and Proposals – National Security and Foreign Policy, Sep 4, 2008) was opened and saved by user “user” without corresponding changes to metadata.

The fifth Word document in the June 15 dump (National Security Transition Planning, undated) originates from the 2008 Obama transition. It does not use the Warren Flood template. User Феликс Эдмундович changed the default language to Russian and saved.

These operations all took place in a single half-hour in the early afternoon of June 15. The Warren Flood template was “created” at 13:38 with the first three documents saved by Феликс Эдмундович at 14:08, 14:11 and 14:12 respectively. The fifth document was created by jbs836 at 14:13 and saved by Феликс Эдмундович at 14:13.

None of these operations were required in order to upload the documents – indeed, they required additional, otherwise pointless work. The only changes to the documents were the setting of the default language to Russian and setting of the username to Феликс Эдмундович.  When these metadata were (quickly) discovered, the discoverers proclaimed that these metadata had been exposed to them by “mistake” – a wardrobe malfunction, so to speak.
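The two checks this section rests on, the `\deflang` control word at the head of the RTF and the user name stored in the document’s internal `\info` group, as an added example written for this post (not code from the original, from Carter, or from any of the sources quoted above). It parses a constructed RTF fragment rather than one of the Guccifer 2 files; the control words it reads (`\deflang`, `\ansicpg`, `\info`, `\author`, `\operator`, `\creatim`, `\revtim`) are standard RTF keywords, and Word writes non-ANSI characters such as Cyrillic as `\uN` escapes followed by a fallback character, which is what the decoder handles.

```python
import re
from datetime import datetime

# Windows LCIDs for the two default languages that matter in this discussion.
LANG_NAMES = {1049: "Russian (ru-RU)", 1033: "English (en-US)"}

# Constructed RTF fragment (not one of the Guccifer 2 files). The Cyrillic user
# name is stored the way Word writes it: \uN escapes each followed by a '?' fallback.
SAMPLE_RTF = (
    r"{\rtf1\ansi\ansicpg1252\deff0\deflang1049"
    r"{\fonttbl{\f0\fnil Times New Roman;}}"
    r"{\info{\title Constructed example}{\author Warren Flood}"
    r"{\operator \u1060?\u1077?\u1083?\u1080?\u1082?\u1089? "
    r"\u1069?\u1076?\u1084?\u1091?\u1085?\u1076?\u1086?\u1074?\u1080?\u1095?}"
    r"{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr14\min8}}"
    r"\pard\lang1033 Body text of the pasted report.\par}"
)

# One regex pass over RTF text: \uN plus its fallback char, \'hh code-page bytes,
# other control words (no text value), control symbols, plain runs, stray braces.
_TOKEN = re.compile(
    r"\\u(-?\d+)\s?(?:\\'[0-9a-fA-F]{2}|.)"
    r"|\\'([0-9a-fA-F]{2})"
    r"|\\([a-zA-Z]+)-?\d*\s?"
    r"|\\(.)"
    r"|([^\\{}]+)"
    r"|[{}]",
    re.DOTALL,
)


def decode_rtf_text(s, codepage="cp1252"):
    """Turn the text inside one RTF group into a plain Python string."""
    out = []
    for m in _TOKEN.finditer(s):
        uni, hexb, word, sym, plain = m.groups()
        if uni is not None:            # \u1060? -> 'Ф' (negative N wraps at 65536)
            n = int(uni)
            out.append(chr(n + 65536 if n < 0 else n))
        elif hexb is not None:         # \'c4 -> one byte in the document code page
            out.append(bytes.fromhex(hexb).decode(codepage, "replace"))
        elif sym is not None:          # \{ \} \\ are literals, \~ is a space
            out.append(sym if sym in "{}\\" else (" " if sym == "~" else ""))
        elif plain is not None:
            out.append(plain)
        # control words such as \lang1033 or \b carry no text and are skipped
    return "".join(out).strip()


def _balanced_group(rtf, start):
    """Return the brace-balanced group that opens at rtf[start]."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":                  # skip escaped char so \{ and \} don't count
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def _rtf_time(body):
    r"""\yr2016\mo6\dy15\hr13\min38 -> datetime (missing fields default sensibly)."""
    f = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", body)}
    return datetime(f.get("yr", 1900), f.get("mo", 1), f.get("dy", 1),
                    f.get("hr", 0), f.get("min", 0), f.get("sec", 0))


def codepage(rtf):
    m = re.search(r"\\ansicpg(\d+)", rtf)
    return f"cp{m.group(1)}" if m else "cp1252"


def default_language(rtf):
    r"""LCID from \deflangN in the header; 1049 is Russian."""
    m = re.search(r"\\deflang(\d+)", rtf)
    return int(m.group(1)) if m else None


def info_properties(rtf):
    r"""Decode every child of the {\info ...} group: author, operator, timestamps."""
    m = re.search(r"\{\\info\b", rtf)
    if not m:
        return {}
    inner = _balanced_group(rtf, m.start())[1:-1]     # drop the outer braces
    cp, props, pos = codepage(rtf), {}, 0
    while (j := inner.find("{", pos)) >= 0:
        if j and inner[j - 1] == "\\":                 # escaped brace, not a child
            pos = j + 1
            continue
        child = _balanced_group(inner, j)
        name = re.match(r"\{\\([a-zA-Z]+)", child)
        if name:
            key, body = name.group(1), child[name.end():-1]
            props[key] = _rtf_time(body) if key.endswith("tim") else decode_rtf_text(body, cp)
        pos = j + len(child)
    return props


def summarize(rtf):
    """The fields a reviewer of this kind of metadata looks at first."""
    p, lang = info_properties(rtf), default_language(rtf)
    return {"default_language": lang,
            "default_language_name": LANG_NAMES.get(lang, f"LCID {lang}"),
            "author": p.get("author"), "operator": p.get("operator"),
            "created": p.get("creatim"), "revised": p.get("revtim")}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_RTF).items():
        print(f"{k:22} {v}")
```

Run against a real .doc saved as RTF, the same two fields (`default_language` and `operator`) are the ones the articles above treat as the "Russian" fingerprints; the file-system timestamps of the download say nothing about either.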

Pwnallthings

Within a few hours, Matt Tait (blogging as @pwnallthings) noticed the “Russian” metadata in the G2 documents, pronouncing it a laughable “Russian opsec fail” by the very same Russians to whom Crowdstrike had attributed “superb” “tradecraft”.

The other “smoking gun” was the appearance of Cyrillic characters in the version of the Trump oppo research published by Gawker as a pdf – occurring in converting the Word document to pdf (with Russian default language).

Follow-up Guccifer 2 Posts

When the Феликс Эдмундович alias was “discovered”, Guccifer 2 reacted by posting up 8 documents on June 17 with username Ernesto Che [Guevara], 10 documents on June 30 with username Chen Du and 4 documents on July 6 with username Nguyen Van Thang, after which he didn’t bother with such artifices.

In an “interview” on June 21, Guccifer 2 said that these usernames were a form of “watermark” [translated from Romanian “filigranul”].

Adam Carter

At his webpage, Adam Carter has eloquently ridiculed the idea that Guccifer 2’s “Russian” metadata was left by “mistake”. Whereas Jeffrey Carr has stated that there is nothing in Guccifer 2’s conduct that is inconsistent with him being an unaffiliated hacker, Carter has argued that Guccifer 2 is a false flag operation carried out by Crowdstrike on behalf of the DNC (rather than a false flag operation carried out by the Russians).

Conclusion

If I encountered a document which had been most recently modified by a user using the pseudonym “J. Edgar Hoover”, I would not jump to the conclusion that the document originated with U.S. counter-intelligence or police. If anything, I would presume the opposite – that the username was satirical.

When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.

To the extent that exposure by mistake is being relied on for attribution of Guccifer 2 to Russian intelligence services, it is worthless as evidence and an embarrassment to the security firms and intel community who promulgate it.

Could one picture a circumstance in which an insouciant Russian intelligence service intentionally signed their own name to the Guccifer 2 hack? Why would they want to stick a finger in the US eye so ostentatiously?

Can one picture a circumstance in which a hacker (US or eastern European) might want to misdirect towards Russia?  Hackers don’t want to be caught and put in jail. Anything that they say has to be taken with one or more grains of salt. Guccifer 2 has no obligation to say things that would help him get caught. If the US intel community is convinced that “Russia” hacked the DNC, they aren’t going to look for hackers in the US Eastern time zone. At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident. Or the explanation may be something else entirely.

The bottom line is that the “Russian metadata” (“breadcrumbs”) are worthless for attribution, let alone attribution at “high confidence”.  I’ll survey other lines of G2 attribution separately, but they are, if anything, even worse.

317 Comments

  1. Posted Sep 23, 2017 at 3:02 PM | Permalink

    Dumb and metadumber.

  2. Follow the Money
    Posted Sep 23, 2017 at 3:54 PM | Permalink

    Excellent post, as always.

    Questions: 1. Would changing the default language to Russian change the warning hyperlink language in the pdf to Russian? IOW, is it possible Guccifer 2 did not directly type in the Russian warnings?

    2. Can the Russian language Felix Edmundovich where shown be a product of cutting and pasting, or does it have to be keyed in directly?

    • Steve McIntyre
      Posted Sep 23, 2017 at 5:38 PM | Permalink

      1. as I understand it, the Russian warnings were automatically generated in pdf conversion and do not exist in doc version. I.e. NOT typed in.
      2. Probably can be done by cut-and-paste. I cut-and-paste Cyrillic text into my post though not exactly the same. I suspect that one can do so into Username as well.

  3. mrmethane
    Posted Sep 23, 2017 at 4:07 PM | Permalink

    After reading Steve’s words and the many comments on attribution, I now think it UNLIKELY that Russian fingers were the first ones messing around. I suspect 2 or more to have gamed the system with false flag stuff, tongues in cheeks, just wanting to put the cat amongst the pigeons
    At this point, “don’t know” seems appropriate except to someone wanting to sling mud. YMMV

  4. bmcburney
    Posted Sep 23, 2017 at 8:04 PM | Permalink

    “Why would they want to stick a finger in the US eye so ostentatiously?”

    In other circumstances, I can think of many reasons why the Russians might want to “stick a finger in the US eye” but none of those reasons apply if the main point of the whole operation was to get Donald Trump elected President. None of the material provided by G2 was damaging to Hillary; the material was somewhat damaging to Trump and, more importantly, could be used to discredit the Wikileaks release. Whoever he was and whatever else he was doing, G2 was trying to get Hillary elected.

    “At the time, there was no “Russia, Russia” hysteria and little reason for G2 to think that a little misdirection could cascade into an international incident.”

    The hysteria has certainly grown over time but this was obviously not an accident caused by a “private hacker’s” attempt at misdirection. The Crowdstrike attribution to Russian was made public on June 15 and, as if by magic, G2 appears the same day to apply dirty Russian fingerprints to the metadata. That timing might possibly be an amazing coincidence but please note that, prior to G2’s appearance, Crowdstrike and the DNC had no basis for asserting that the Wikileaks source was a hacker at all, to say nothing of a Russian hacker. G2’s claim to be the Wikileaks source (in the face of Wikileaks’ denial) is the sole reason that anyone has to connect Russian hacking to the 2016 Presidential election. From the point of view of a hacker who was also the real Wikileaks source (whether that person was a Bernie supporter, a Trump supporter, a non-political private hacker or even the GRU) any “Russian hacker” misdirection was unnecessary and only tended to increase the chances of getting caught by, among other things, causing the authorities to look a hackers rather than leakers.

    Although somewhat OT from the subject of hacking, the famous Trump Tower meeting with Donald Jr. and others has a similar issue. If the Russians set up the meeting to help Trump get elected, why didn’t they deliver the “incriminating” documents which were supposed to be the point of the meeting? If they didn’t have incriminating documents to deliver, why pretend otherwise to get a meeting with Trumpites when, at best, the existence of the meeting only provides an excuse for further FBI surveillance?

    • Steve McIntyre
      Posted Sep 23, 2017 at 8:59 PM | Permalink

      speaking of surveillance, I wonder if there’s a FISA warrant on Michael Cohen, mentioned in the fraudulent Steele dossier – to go with Manafort and Carter Page.

      • AntonyIndia
        Posted Sep 23, 2017 at 10:42 PM | Permalink

        Secret wiretapping is a great way to circumvent attorney-client privilege in the US: as here Donald Trump is the client, it would be a supreme catch for those officials possessed with the Edgar J. Hoover “spirit”. Michael D. Cohen practically denied he ever drank Vodka in front of a Senate committee 🙂 https://www.justsecurity.org/45169/federal-prosecutor-dissects-trump-lawyer-michael-cohens-statement-senate/

        • Follow the Money
          Posted Sep 23, 2017 at 11:59 PM | Permalink

          I did not find this “justsecurity” writer impressive at all. It is clear he is aware of some of the general allegations against Cohen in the dossier, like travelling to Prague, but has not read the dossier on details of the criminal and suspicious activities alleged. A bunch of his early questions would be answered if he read the dossier. I don’t think he read it at all.

        • AntonyIndia
          Posted Sep 24, 2017 at 1:12 AM | Permalink

          The private meeting of the Senate Intelligence committee and Michael Cohen never happened as his 4 page statement leaked out beforehand. Now he will get a public hearing on Oct 25. http://abcnews.go.com/Politics/michael-cohen-trumps-lawyer-confidant-senate-investigators/story?id=49945844

  5. Posted Sep 23, 2017 at 9:09 PM | Permalink

    Yes, the Russian whiskers were obviously intentional and highly visible goading, made most apparent by choice of author AKAs, screaming, “I’m Russian.” But there is another more sophisticated trail to Russia laid by G2 in his email electronic trail, as outlined by cyber security company Threatconnect’s article updated 7-26-16.

    It’s fairly technical and I would like Brandon or other techies to give the article a read. But I see the bottom line is that G2 used a French AOL server from a VPN traced to a domain name registered under the name James Dermount in NYC.

    Without burdening with a very technical article quote, it seems that although the domain cannot be traced to Russia, the pre-2004 registrant of the domain is connected with Russian online scams. So this deeper analysis is likely what the IC has been relying on. But for a reporter to include this in their story they would have to say: “The DNC hacker goaded by leaving a Russian business card, but when the card was further analyzed, we, through sophisticated analysis, found unmistakable Russian fingerprints.” It doesn’t exactly sing.

    • Posted Sep 23, 2017 at 10:21 PM | Permalink

      Why would the GRU or FSB put cheap Russian make-up on their own job? Is the NSA or CIA going to copy cat this next time they hack a foreign leader’s mobile phone (J.Edgar on Angela’s)?

      One disgruntled ex-Russian grown-up whizkid has a much better motive: Dmitri A. He had plenty of opportunity too.

      • Steve McIntyre
        Posted Sep 24, 2017 at 8:43 AM | Permalink

        mulling this over, there’s another possibility. I can picture the “cheap Russian make-up” as an anti-Crowdstrike joke by a reddit-type hacker – not really expecting the joke to be taken seriously. The Guccifer persona also being a clown costume.

        • bmcburney
          Posted Sep 24, 2017 at 10:37 AM | Permalink

          Steve,

          Wouldn’t it have to be a “pro-Crowdstrike” joke? G2 is ersatz confirmation of everything Crowdstrike claimed about Russian hacking (except the donor lists which are subject to periodic release anyway) and discredited the Wikileaks release of Crowdstrike’s client’s e-mails (mostly collected after Crowdstrike’s involvement). What hacker makes “pro-Crowdstrike” or “pro-Hillary” jokes?

    • Posted Sep 23, 2017 at 10:31 PM | Permalink

      The story does not sing (even without my typing). But the question then becomes how air tight is Threatconnect’s Russian connection. In reading again it seems they are claiming the previous VPN domain name’s registrant, who is apparently Russian, is currently associated with a common host, Elite VPN Service, through the secure shell host (SSH) and Point-to-Point Tunneling Protocol (PPTP) fingerprint. Apparently this shows that G2’s VPN host server is a clone of servers used by Elite VPN Service. But Threatconnect could not get access to this server by subscribing to Elite and this shows that the server is for exclusive use. (Or, it means G2 is an extremely sophisticated spoof of a Russian actor.)

      Questions to Brandon and others: Can hacked servers be cloned? Is Threatconnect’s analysis airtight? If Russian, is it the FSB? If so, what is G2’s mission? Threatconnect claims it’s “denial and deception” (D&D). If that is correct then perhaps skeptics like Adam Carter and Jeff Carr were supposed to punch through the obvious Russian whiskers, and it was foreseen G2 would provide strong confirmatory narratives for both sides of the political divide in the US. If this is true it’s incredibly ingenious. Perhaps the Russians even deceived Assange and murdered Rich to stir the pot more.

      If G2 is the creation of the DNC or Crowdstrike then it was also a success (unless tumbling down in the Awan or Rich investigations).

      The only G2 motive that doesn’t make sense is to help Trump.

      • AntonyIndia
        Posted Sep 23, 2017 at 11:12 PM | Permalink

        Crowdstrike/ DNC came out with their Russian hack story on June 14 2016; on the 15th G2 popped up. Only on the 16th Trump announced his candidacy. https://en.wikipedia.org/wiki/Donald_Trump_presidential_campaign,_2016#Announcement
        Can G2’s publications be described as pro Trump? He published Trump’s tax return for 2014 – real friendly: https://guccifer2.wordpress.com/2016/10/18/trumps-taxes/
        They are also not anti HRC: just a string of innocent DNC stuff with a Russian smell, to get the hounds off real nasty US tracks.

        • MikeN
          Posted Sep 24, 2017 at 4:10 PM | Permalink

          Trump announced in 2015, not 16.

      • Lurker
        Posted Sep 24, 2017 at 12:46 AM | Permalink

        As Follow the Money also mentioned, Adam Carter contacted Elite-VPN, and it turned out that a few assumptions made by ThreatConnect were wrong.

        http://g-2.space/#4

        The IP used was the default Elite-VPN IP. It is not seen on the ThreatConnect screenshot because it’s the default one. So this was not a “clone of server”.
        And even more surprising: neither ThreatConnect nor CIA/NSA ever contacted the admins of Elite-VPN and asked for any logs.

    • Follow the Money
      Posted Sep 24, 2017 at 12:10 AM | Permalink

      You should update yourself with Adam Carter’s investigation. Not only has he debunked Threatconnect’s vpn story, he’s shown by contacting the relevant host that Threatconnect never bothered to do the same.

  6. Posted Sep 23, 2017 at 9:23 PM | Permalink

    Could you provide a link/reference for the intel assessment alluded to in the first sentence of this post?

    • Lurker
      Posted Sep 24, 2017 at 12:48 AM | Permalink

      https://www.threatconnect.com/blog/guccifer-2-all-roads-lead-russia/

      “It is important to note that the IP address seen in the Guccifer 2.0 AOL communications – 95.130.15[.]34 – is not listed as an option within Elite VPN Service. Although it has an identical SSH fingerprint and has the exact same port (1723, PPTP) open as the listed options. This demonstrates the server was cloned from the same server image as all the Elite VPN servers but may be a private or dedicated version of the service.”

      !!!BUT THIS WAS PROVEN TO BE WRONG!!!
      See: http://g-2.space/#4

      • Posted Sep 24, 2017 at 4:07 AM | Permalink

        Whatever value that link may have, it does not represent the intelligence community’s assessment of Guccifer 2.0’s involvement with the intrusion into the DNC’s server. My question was asking after what government agencies have concluded/stated not what a single cybersecurity firm has concluded/stated.

        • Lurker
          Posted Sep 24, 2017 at 6:09 AM | Permalink

          I was not sure what sentence you are referring to.

          On that I have these links:
          Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution (ICA in VIPS report)

          ICA_2017_01.pdf

          GRIZZLY STEPPE – Russian Malicious Cyber Activity

          JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

          Enhanced Analysis of GRIZZLY STEPPE

          AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf

          Open them and ctrl-f for what you are looking for. Guccifer 2.0 is barely mentioned.

          “We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data obtained in cyber operations publicly and in exclusives to media outlets and relayed material to WikiLeaks.”

          “Public Disclosures of Russian – Collected Data. We assess with high confidence that the GRU used the Guccifer 2.0 persona , DCLeaks.com , and WikiLeaks to release US victim data obtained in cyber operations publicly and in exclusives to media outlets. Guccifer 2.0, who claimed to be an independent Romanian hacker, made multiple contradictory statements and false claims about his likely Russian identity throughout the election. Press reporting suggests more than one person claiming to be Guccifer 2.0 interacted with journalists.”

    • Lurker
      Posted Sep 24, 2017 at 12:50 AM | Permalink

      Or maybe this one:

      https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/

      I don’t know of any factual mistakes in this one.

  7. AntonyIndia
    Posted Sep 23, 2017 at 10:03 PM | Permalink

    The DNC didn’t allow anybody (including the FBI!) to touch their server. This was in one way problematic for Crowdstrike as one of their main advertised business traits is to attribute intrusions and “fight back”. http://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/

    Quick solution: create a dummy hacker with Russian make-up while showing some real but run-of-the-mill DNC material containing nothing problematic. Laughable for serious peer review but good enough for HRC friendly press. Who else benefited from this “guccifer 2”?

    Attributing this story to Russian agencies was a good deflection from the DNC’s internal troubles (leakers?), good for Crowdstrike’s business model and good for US agencies (see, we need more money).

    • Follow the Money
      Posted Sep 24, 2017 at 12:13 AM | Permalink

      That’s very interesting. Maybe the appearance of G2 was not due to or only due to Assange’s announcement. Perhaps it was also a response to government inquiries to examine the server.

      • Lurker
        Posted Sep 24, 2017 at 12:53 AM | Permalink

        Here are few other interesting details.
        Pretty much everything (regarding Guccifer 2.0) you look at closer points towards DC and away from Moscow.

    • AntonyIndia
      Posted Sep 24, 2017 at 1:52 AM | Permalink

      Another motive to attribute this DNC breach to “Russia”: preemptively smear Wikileaks, that nasty club that showed too much of US gov. cyber offensive tools / Ops, both international as well as domestic .

  8. bill hunter
    Posted Sep 24, 2017 at 12:14 AM | Permalink

    “When a document is opened in Word for no purpose other than to change the default language to Russian and change the user name to Феликс Эдмундович, I would not jump to the conclusion that they had done so accidentally or attribute the subsequent exposure of “Russian” metadata to a sort of wardrobe malfunction. I would presume the opposite: that whatever I saw was being shown to me intentionally.”

    I agree. I think the question is who would want to implicate the Russians. Everybody seems to have forgotten that allegedly the same actor tried to break into the RNC. Cover all the bases so as to stir the pot between the US and Russia. A rich disgruntled Russian exile? An eastern European nation? Maybe both.

    • Posted Sep 24, 2017 at 1:05 AM | Permalink

      An obvious possibility to me is Guccifer 2.0 wasn’t involved with the intrusion into the DNC servers at all. People familiar with the original Guccifer will remember back in May 2016, he claimed to have repeatedly hacked into Hillary Clinton’s private server, a claim which was an obvious lie. June 2016 is when Guccifer 2.0 showed up claiming to have hacked into the DNC servers, a claim accompanied by documents stated to be from this intrusion. In reality, the documents Guccifer 2.0 disseminated were not taken from the DNC servers.

      As far as I can tell, there is no evidence Guccifer 2.0 broke into the DNC servers. It seems possible he was simply a person taking credit for something he never did. Under this view, the choice of his name, Guccifer 2.0, was an apt reference to the original Guccifer making similar false claims just a few weeks before. Adding Russian metadata to the documents he released would have been him creating a smokescreen to make his story seem more believable (to some people). That would seem in-character given the other lies he has told. Referencing the Russian version of J. Edgar Hoover would just be further gamesmanship on his part.

      Which is why I asked above for a link/reference for the claim the “DHS-FBI intel assessment of the DNC hack concluded with ‘high confidence’ that Guccifer 2 was a Russian operations”. I am not aware of any meaningful evidence Guccifer 2.0 was involved with the hack, and I certainly haven’t seen any official report stating he was.

      • Posted Sep 24, 2017 at 1:48 AM | Permalink

        I realized it has been a long time since I looked at the history of Guccifer 2.0’s actions, and I realized my memory of things was faulty. My comment (currently in moderation) is wrong to say Guccifer 2.0 didn’t release DNC documents. He did. The documents he lied about were the ones he claimed to take from the Clinton server.

        So he did have access to (at least some) material from the DNC servers. That doesn’t mean he had to have been involved with the hack, however. Below, Lurker explains one theory about who Guccifer 2.0 might have been that a number of people believe.

        Personally, I don’t care about who Guccifer 2.0 may or may not have been (hence me posting with a sloppy memory). I haven’t seen the intelligence community make any claims about his identity, and his identity has had no influence on my views on what may or may not have happened. When a person repeatedly lies and even goes as far as creating fake evidence, you obviously can’t trust anything they say. Maybe you can draw conclusions from examining his lies for clues, but I’m skeptical.

        To show why, consider this fun theory a friend of mine suggested: Imagine two Russian groups broke into the DNC servers. One group, which had greater access to the network, planned to release a large amount of material to the public in order to hurt the Democrats. The other group, seeing they were going to lose any role in the ongoing discussion, pre-emptively released material they had obtained under the Guccifer 2.0 identity. In the process, they created a smokescreen so as to be able to continue to have a role in discussions via that controversy since they knew the other group had a monopoly on releasing content due to it having had greater access. Silly? Sure. But is it any sillier than the idea the DNC is behind Guccifer 2.0?

        • Posted Sep 24, 2017 at 2:21 AM | Permalink

          And I’m an idiot. It turns out my memory may not have been as faulty as I feared. This link:

          Guccifer 2 and the Podesta Emails

          Seems to support my recollection that nothing in Guccifer 2.0’s early releases was taken from the DNC server. According to the author, the source of about half the documents is not known, but those documents never showed up in the release at Wikileaks. That would seem to make using any information about Guccifer 2.0 to draw conclusions about whether or not the Russians released a trove of documents to Wikileaks more difficult.

          I suppose it shows how muddled things are (for me) that even when I think I’m wrong, I can wind up being wrong. I’ll try to do a better job of reviewing/checking any information I might post from here on.

        • Steve McIntyre
          Posted Sep 24, 2017 at 9:05 AM | Permalink

          Brandon, it’s easy to miss things if you’re not following them. You say: “I haven’t seen the intelligence community make any claims about his identity, and his identity has had no influence on my views on what may or may not have happened.” As noted in a separate comment, the DNI intel assessment attributed Guccifer 2 to Russian intelligence. I believe that it is therefore relevant both in terms of what might have happened and in terms of assessing the quality of IC assessments.

        • Posted Sep 24, 2017 at 9:17 AM | Permalink

          Yup. I agree. That’s why I asked for it and said I hadn’t seen it, not that it didn’t exist. I haven’t been following this all that closely so I’m fully aware there may be things I missed.

          The report doesn’t explain why they think Guccifer 2.0 was a Russian ploy (or their reasoning on much of anything, for that matter) so we can’t know what their reasoning was, but I am rather skeptical of their conclusion on this point.

        • Steve McIntyre
          Posted Sep 24, 2017 at 9:59 AM | Permalink

          yes, I entirely appreciate the difference when you’re not following something. I hadn’t followed Syria at all prior to this year and knew nothing about issues that had been intensely debated.

          I’m strongly influenced in my perspective by my Climategate experience, where, on the one hand, the climate community’s reaction was to blame it on “Russia” trying to hack Copenhagen and because it was “sophisticated”, and, on the other hand, the skeptic community’s preference was for a leak. Both tendencies are obviously apparent in DNC hack attribution.

          Fairly soon in the process, I arrived at the conclusion that it was a hack by a lone individual who was a thorough reader of skeptic blogs. The selection of emails – attention to Climate Audit interests, especially Yamal, and lack of interest in temperature dataset controversies – made sense for a Climate Audit reader, but not for Russian intelligence services. That was clinched when metadata on Yamal documents showed access shortly after a CA post on the topic. When metadata on document access showed that access began in mid-September, it made impossible the police and counter-intel suggestion that the incursion began as a hack against Copenhagen, which didn’t make sense anyway (Why choose UEA?). I have no idea who Mr FOIA is, but I’d be amazed if he hadn’t commented at WUWT or CA over the years in some name that we’d recognize.

          When people talk about risks taken by G2: remember that Mr FOIA first placed the dossier on RealClimate. There was a kind of madness to that. I’m increasingly persuaded by the idea that the “Russian metadata” was a joke. Nothing as grand as a Crowdstrike misdirection or GRU “mistake”.

        • bmcburney
          Posted Sep 24, 2017 at 11:59 AM | Permalink

          “But is it any sillier than the idea the DNC is behind Guccifer 2.0?”

          Yes, actually it is quite a bit sillier.

          Both the Wikileaks source and G2 had access to the DNC server but the Wikileaks source provided information which was damaging to the Clinton campaign and G2 provided information which was helpful to the Clinton campaign (in part, by discrediting the Wikileaks source as a Russian hacker). I assume that the Russian IC is attempting to hack the DNC every day of the week and twice on Sunday. However, the only connection between “Russian hacking” and the 2016 US Presidential election is provided by G2. G2’s claim that he was the Wikileaks source produced: (1) an Independent Counsel, FBI and IC investigation of the Trump campaign and multiple anti-Trump leaks of information obtained during the investigation; (2) at least four Congressional investigations of the Trump campaign; (3) lots of bad press for the Trump administration; and (4) anti-Russian sanctions for interference in the election.

          The DNC had motive, means and opportunity for all of the foregoing. Best of all, it would not even be against the law if the perpetrators were caught by some ultra-secret NSA spook-tech. If there was no hack, there was no crime. It is not against the law to put false information on the internet. There is no false police report; Crowdstrike merely reported a hack which they attributed to Russians, good luck proving it even if it wasn’t true. Crowdstrike did not vouch for G2 or for his claim that he was the Wikileaks source.

          A rogue element of the Russian IC would not only be thwarting the interest of another branch of the Russian Intelligence Community and the Russian State in the short term (and making exploitation of potentially the greatest coup in the history of intelligence operations impossible in the long term), it would also directly damage the economic and political interests of the Russian State regardless of the outcome. If found out, and they would certainly be found out if the hypothetical were true, they would likely all be shot as traitors after a secret trial. Does the actual GRU put “Russian fingerprints” on the metadata under those circumstances?

        • MikeN
          Posted Sep 24, 2017 at 4:16 PM | Permalink

          Steve, along the lines of what you said, I came up with a way to identify FOIA, but never posted it because I didn’t want to help with that task.

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:39 PM | Permalink

          yes. I was very reluctant to write up my ideas for the same reason. Not that my ideas rose beyond general characterizations – that Mr FOIA was a CA reader. He must have been diligently reading CA all through that September. UK counter-intelligence were so fixated on something HUGE that they never examined the chain of events at CA.

          Another important point: I am convinced that the timing relates to the Mole Incident in August, when we were having fun with UEA and all sorts of readers were foraging through their FTP site following my Mole post. A couple of readers told me that they stumbled into private areas of the website and notified UEA as well. My guess is that another reader had the same experience and followed his nose deeper into the system. If and when we ever learn the identity of Mr FOIA, my guess is that he’ll turn out to be someone who commented occasionally and whose handle we’d recognize, but I suspect that he was a very-seldom commenter and not a commenter with a reputation in his own right. Just a guess.

          The CA audience was very large at the time and there were a lot of commenters with serious computer skillz.

        • MikeN
          Posted Sep 24, 2017 at 4:24 PM | Permalink

          Now that I think about it, your theory is close to mine but the difference would have made my method fail.

        • Posted Sep 24, 2017 at 5:02 PM | Permalink

          I found out there is some interesting information if you examine the Climategate dossiers closely for forensics. I don’t know if anyone else has made the same observations, but nobody has talked about them in public.

          And I’m fine with that.

        • Steve McIntyre
          Posted Sep 24, 2017 at 5:12 PM | Permalink

          the most detailed discussion of forensics was by “Frank” at iji (or similar). Although Mr FOIA had bleached access times for emails as documents, he didn’t bleach access times for documents, which showed access beginning in mid-September, concentrated in early October, through to release. Some unbleached Yamal data was literally within a few hours of a major Yamal post. This was “public” information though you have to know the topic to look for it. These access times are conclusive (to me) that Mr FOIA was not a Russian intelligence service operation against Copenhagen, since it was far too late in the day to commence such an esoteric operation for such a purpose.

          Though I also think that Mr FOIA worked rapidly to get the dossier out before Copenhagen because of the interest – something to bear in mind when one thinks of a probable rush to get the DNC emails online before the DNC convention. The timing of the release doesn’t necessarily shed light on the original motive.

        • bmcburney
          Posted Sep 24, 2017 at 6:11 PM | Permalink

          Yes, it never made any sense that the Russians would be against Copenhagen anyway.

        • MikeN
          Posted Sep 25, 2017 at 8:26 PM | Permalink

          I had a pretty specific method worked out based on the profile and the info that was likely available. However it wouldn’t work for someone like Bender.

      • Steve McIntyre
        Posted Sep 24, 2017 at 8:55 AM | Permalink

        Click to access ICA_2017_01.pdf

        • Steve McIntyre
          Posted Sep 24, 2017 at 8:59 AM | Permalink

        • Posted Sep 24, 2017 at 9:04 AM | Permalink

          Thanks. It’s a shame they don’t provide much, if any, explanation/evidence for pretty much anything in that report.

        • bmcburney
          Posted Sep 24, 2017 at 12:15 PM | Permalink

          So, is the US Intelligence Community really this dumb or are they just pretending? If they are only pretending to be dumb, why?

          I can think of answers but they all make me sick to my stomach.

        • Steve McIntyre
          Posted Sep 24, 2017 at 12:40 PM | Permalink

          almost exactly at the same time as G2 events, memoranda in the fraudulent Steele dossier were peddled to the US intel community. I’m convinced that the hair-on-fire CIA task force in August 2016 was based on Steele memoranda. I’m certain that fraudulent Steele dossier memoranda were used in the Gang of Eight briefing in August 2016 and for FISA warrants on Manafort and Carter Page. Comey was knee-deep, no waist-deep, in Steele dossier fantasies when he first met Trump. He deceived Trump about how the FBI viewed the dossier. Then immediately after the meeting, the fact that Trump had been briefed on the dossier was leaked to CNN, thus enabling the media to publish the dossier.

          It all seems straight out of a LeCarre novel.

        • Steve McIntyre
          Posted Sep 24, 2017 at 12:43 PM | Permalink

          I once had business experience in which executives of a money-losing operation seemed impossibly stupid. They weren’t. They were crooks and very smart at acting stupid.

        • Steve McIntyre
          Posted Sep 24, 2017 at 12:45 PM | Permalink

          one of the oddities (to me) of climate academics is that they are so invested in being “smart” that they do things that make them look crooked, rather than just admitting that they’d done something stupid. Exact opposite of businessmen.

        • Posted Sep 24, 2017 at 1:11 PM | Permalink

          “So, is the US Intelligence Community really this dumb or are they just pretending? If they are only pretending to be dumb, why?”

          Let’s say Edward Snowden is correct and the IC should have the tools to trace the G2 emails even better than Threatconnect, and that it really is the GRU behind FB, CB, G2 and DNC WL. Then we have the following:

          1) Embarrassment to US cyber security and the disruption caused by insecurity.

          2) Embarrassment to the Clinton campaign and DNC through WL.

          3) Embarrassment to Trump by being connected with circumstantial evidence of Russian contacts and perhaps being helped by a foreign US adversary.

          4) Disruption of the US in general by media and government distraction and exploitation of political divisions by leaving evidence pointing to Russians for an MSM honeypot, evidence which falls apart on the slightest rigor of forensics, which enrages Trump voters.

          This would be the perfect Russian black op except for Russia taking the blame for it and suffering sanctions.

          The key is the Elite VPN Services clue. If Threatconnect is right then we have to lean toward Russia. If they are wrong it must point to a sophisticated framing of Russia, which it is hard to believe that Russia would do even in the Alice in Wonderland world of intelligence.

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:26 PM | Permalink

          I have some notes on the Elite VPN incident and will try to write them up.

          But a Climategate example that prevents me from drawing too much of a conclusion. In 2013, Mr FOIA sent an email to me and a couple of other bloggers, saying that he was a lone individual and not from the UK (i.e. a hack, not a leak). He sent the email from a “burner” email address from an easily registered address (think something like Yahoo – but not Yahoo) in a foreign jurisdiction which would not readily yield to US or UK police inquiries. My guess is that he probably set up the account through one or more proxy servers. Secondly, Mr FOIA’s initial upload to realclimate was through a proxy server in Turkey or Saudi Arabia and his second upload was to a Russian server, presumably through one or more proxy servers.

          Leaving aside the later “Russia, Russia” stuff, using a burner email address in a jurisdiction that is somewhat jealous of independence (France) through one or more proxy servers is how Mr FOIA approached contact as well.

          There are also important differences. Mr FOIA’s email contacts were with sympathizers, while G2’s were with US political websites (The Smoking Gun, Gawker, Motherboard Vice, Vocativ, The Hill). Seemingly too many, but Mr FOIA contacted or linked at multiple blogs over the years.

          I’m not trying to exaggerate the parallels, merely trying to elucidate characteristics for comparison.

        • Steve McIntyre
          Posted Sep 24, 2017 at 5:05 PM | Permalink

          Something that makes me wonder,

          Thinking back, I don’t remember that the DNC hack being such a huge issue in real time.

          Didn’t it first become an issue because of the October 7 intel community finding? At that time, the intel community, especially John Brennan, was consumed by teasers from the fraudulent Steele dossier which was the first document that purported to link Trump to the DNC hack. The development of the DNC hack theory and the fake dossier seem to go hand in hand.

        • AntonyIndia
          Posted Sep 28, 2017 at 9:35 AM | Permalink

          How come John Brennan is still in play? He even had the US Senate Intelligence Committee hacked. https://www.newyorker.com/magazine/2015/06/22/the-inside-war

        • Steve McIntyre
          Posted Sep 28, 2017 at 4:48 PM | Permalink

          Brennan was the person who lit everyone’s hair on fire using early memos from the fraudulent Steele dossier – as early as August 2016.

    • Posted Sep 24, 2017 at 1:07 AM | Permalink

      I have a response stuck in moderation, bill hunter. Hopefully it clears before too long.

    • Lurker
      Posted Sep 24, 2017 at 1:12 AM | Permalink

      I have been following this since the beginning of 2017.

      My conclusion is that it was DNC and probably CrowdStrike.
      APT28 and APT29 probably indeed had malware on DNC servers. But CrowdStrike was not able to detect what files had been stolen and they didn’t have any good proof that Russians were indeed involved.
      The plan was to not mention this hack at all.
      After Assange announced he had DNC documents, they scrambled and in two days DNC and CrowdStrike both released statements that a hack happened (see the tweets I linked in a comment). Both mentioned that the file “Trump opposition report” was stolen.
      One day after this Guccifer appeared and was mocking CrowdStrike and talking to journalists, and wasn’t able to convincingly explain how he hacked the servers. And he released the “Trump opposition report”.

      Based on the results of Guccifer’s publications and actions I believe that his purpose was:
      1. Convincingly assert attribution of the hacking to Russia, by fooling/convincing a few tech journalists and the general public
      2. Divert attention from the WikiLeaks documents (that were released 5 weeks later), by publishing non-damaging documents. The first thing he published was the “Trump opposition report”. That contained only bad things about Trump. Do you think this damaged the DNC?
      3. Guccifer claimed he was the source of WikiLeaks, but never proved it in any way.
      4. Guccifer claimed he had access to DCLeaks (a known Russian-controlled leaks webpage). But again all he had was a password to the part of the site where he uploaded documents. He failed to provide any other proof that he admins that page. (DCLeaks shares passwords with journalists too if they promise coverage)
      5. All other documents Guccifer released were unimportant or very old
      6. Guccifer 2.0 contacted and was in communication with a few people; Oliver Stone, for example, was later accused of colluding with Russians based on this.

      So if we ask who benefited from G2? There is only one answer.
      Why would real hacker expose himself so much and risk getting caught?

      There is a lot more evidence that all points towards this scenario. It’s all found on: http://g-2.space

      Here is shorter recap:
      http://g-2.space/sixmonths/

      • Steve McIntyre
        Posted Sep 24, 2017 at 9:12 AM | Permalink

        the seemingly pointless risks taken by Guccifer 2 are a large puzzle. On the other hand, there are some very self-confident people with hacker capability – Kim Dotcom comes to mind, but lots of redditors seem in that type.

        • bmcburney
          Posted Sep 24, 2017 at 12:57 PM | Permalink

          Steve,

          First, the risks aren’t pointless (and also aren’t even risks) if G2 is the DNC/Crowdstrike. If G2 is the DNC or Crowdstrike the “risks” are absolutely necessary and/or helpful (depending on which risk we are talking about) to discredit the Wikileaks disclosures, gin up an FBI investigation and create a “Russian election hack” narrative.

          Second, although I do agree that there are actual hackers (and others) who might take risks of this nature out of ego driven anti-authority sensibilities, it seems to me that a hacker with that motivational base would not be “objectively pro-Crowdstrike” as this hacker is. Consider, for example, your observation (which I missed until your post) that a majority of the DNC e-mails, including some of the most damaging ones, were taken from DNC servers only after Crowdstrike arrived to fight the filthy Russian menace. If the Wikileaks source was a hacker he should have been laughing his a$$ off at Crowdstrike’s self-described heroism. It seems to me that the type of person we are talking about would have been pointing and laughing at the Crowdstrike goons during his first public appearance and every day thereafter. Would a hacker with the usual anti-authority feelings and a big ego leave it to a semi-retired Canadian mining executive to tell the world how thoroughly he had humiliated Crowdstrike?

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:11 PM | Permalink

          hmmm, good point. Seems like the G2 persona of June 15, gloating against Crowdstrike, ought to have rubbed it in.

          Reminds me of another point when I compare Mr FOIA to G2. Mr FOIA’s curation of CG1 emails was really insightful given what seems to have been a very short editing period. (Mr FOIA appears to have obtained access only in mid-September.) Mr FOIA had a thorough grasp of the issues from a Climate Audit perspective – far better than nearly all commentators.

          As compared to Mr FOIA’s insightfulness, G2 seems completely hamfisted. His selection of documents seems uninspired. Makes me think that he might have delivered a much bigger bundle to Wikileaks, which was edited down.

          Nor did the DNC hack really have any impact on the election. There was nothing relevant in it about Hillary. It caused a little embarrassment for Wasserman Schultz, but nothing that hurt the Clinton campaign. I’m trying to remember who first pointed out the more damaging emails. In Climategate, Mosher played an important role in shaping perception: he had the dossier for about 2-3 days before it was in the wild and on the first day, set out what he thought were the Greatest Hits at Lucia’s, at CA and at WUWT. Anything that didn’t get oxygen in those first days never really got much traction as an issue. It would be a useful dig-here to see who spotted the Greatest Hits in the DNC hack, such as they were.

        • Kan
          Posted Sep 30, 2017 at 1:56 PM | Permalink

          The DNC hacks did a little damage to Hillary – it showed the Sanders supporters that they were not really welcome, and this may have led to a smaller turnout for her in the election.

          The longer term damage is going to come to light in the next election cycle, when the DNC rules will be challenged to reduce the influence of the super delegates.

    • Steve McIntyre
      Posted Sep 24, 2017 at 8:47 AM | Permalink

      at the time, there was no “Russia, Russia” hysteria. What if the Russia metadata was inserted as a joke against Crowdstrike?

      • Posted Sep 24, 2017 at 9:13 AM | Permalink

        That’s pretty much what I had in mind. Using the Guccifer name a month after the original Guccifer lied about having broken into Hillary Clinton’s server seems noteworthy. There was no record of Guccifer 2.0 until a month after Guccifer was caught lying about having broken into a server, a server owned by Clinton. Guccifer 2.0 then showed up the next month, claiming to have broken into the DNC network while using documents as “proof” which may well not have come from that network. Not that long after, he then lied about having broken into Clinton’s server, the very thing the original Guccifer lied about, while providing “proof” which clearly wasn’t taken from her server.

        I haven’t seen anyone mention this rather remarkable coincidence. I think that’s weird. I mean, if my political/social inclinations were different, and I had lower ethical standards, I could see myself trying to pull off a prank resembling what Guccifer 2.0 has done. That’d be hilarious. Some random nobody just shows up and manages to convince half the world he’s either a secret Russian agent or a false flag operative?

        That’d be one of the greatest pranks ever.

        • Posted Sep 24, 2017 at 10:53 AM | Permalink

          Please remember that even if the server used by G2’s AOL email to The Smoking Gun was not a Russian government exclusive use server of Elite VPN Service, but was a publicly available server from that Russian malware associated host, this puts sophisticated fingerprints on G2.

          Questions:

          1) Would a pranking Brandon or a Reddit hacker have been so detailed as to leave the Elite VPN forensic trail to Russia?

          2) The DNC hack and resulting “Russia, Russia” has dominated US news for a year. Considering the importance and that MSM still cites the Russian clown makeup as evidence, and the technical journals still point to Threatconnect’s analysis, why is Adam Carter [a pseudonym] the only good source of information?

          3) If Threatconnect is wrong why isn’t there pressure for them to update their blog?

          4) If the US IC is protecting their sources and methods why don’t they at least weigh in on the veracity of the Threatconnect and other analysis published by security firms?

          Even without these answers we know that the FB, CB and G2 were top level actors, not pranksters or even Kim Dotcom. There is no way for the US IC to have a “high confidence” of anything only using secondhand information and Crowdstrike supplied forensics. Anyone disagree?

        • Steve McIntyre
          Posted Sep 24, 2017 at 11:15 AM | Permalink

          Would a pranking Brandon or a Reddit hacker have been so detailed as to leave the Elite VPN forensic trail to Russia?

          This is a separate story and all aspects need to be parsed before trying to arrive at conclusions. The original Climategate dossier was posted on a Russian server. Didn’t mean that Mr FOIA was Russian intelligence.
          http://www.dailymail.co.uk/news/article-1233562/Emails-rocked-climate-change-campaign-leaked-Siberian-closed-city-university-built-KGB.html

        • Steve McIntyre
          Posted Sep 24, 2017 at 11:26 AM | Permalink

          There is no way for the US IC to have a “high confidence” of anything only using secondhand information and Crowdstrike supplied forensics. Anyone disagree?

          I think that there’s a considerable amount of deception in US intel community assessments, in which they imply supersecret “sources” but in reality they have little more than open source content. I agree that it is impossible for US IC to VALIDLY have high confidence “using secondhand information and Crowdstrike supplied forensics”, but think that it is entirely possible for them to say that they have “high confidence” despite only “using secondhand information and Crowdstrike supplied forensics”.

          My interest in Syria largely arose from puzzlement at the low quality of the IC assessment of the DNC hack. I decided to look at another IC assessment and looked at their assessment of the 2013 chemical attack in Syria. I’m persuaded that the IC assessment made grossly false claims to knowledge of the origin of rockets supposedly used in the 2013 Ghouta attack, which was key evidence in the public conviction of the Assad government as perpetrator. Their represented origin, used in subsequent anti-Syria propaganda, can be shown to be wrong using subsequent public information, but has never been retracted. These false claims do not result in opposite attribution, but the next tranche of evidence is much weaker, making “high confidence” impossible.

        • AntonyIndia
          Posted Sep 24, 2017 at 11:05 AM | Permalink

          Imagine that the US governmental IC is quite happy with this Russia-Trump link through Crowdstrike and wants to keep it as murky as it is: then most pieces of this puzzle fall in place. Keep The Boss on your leash just like in the good old 1950s and 60s.

        • mpainter
          Posted Sep 24, 2017 at 2:35 PM | Permalink

          For those interested in the sarin attack in Ghosts in 2013, Wikipedia provides an interesting and quite detailed article. French and UK intelligence made the same assessment as U.S. intelligence.

          Given the fissures in Syrian society, I would imagine that human intelligence was a factor in the conclusions, although such sources would not be something made public.

          The article also details efforts by the Syrian government to obstruct and curtail the U.N. investigation, and these efforts succeeded to a large degree.

          It was concluded that several hundred kilograms of sarin were used in the attack.
          The Syrian government was known to possess many tonnes of sarin (as “precursors” or ingredients; sarin is never made up until just prior to use), whereas the rebels were never known to have such quantities.

        • mpainter
          Posted Sep 24, 2017 at 2:37 PM | Permalink

          Not Ghosts, but Gouta.

        • mpainter
          Posted Sep 24, 2017 at 2:39 PM | Permalink

          Ha! _Ghouta_

        • MikeN
          Posted Sep 24, 2017 at 4:21 PM | Permalink

          Brandon, have you read The Bourne Identity (not the movie)?

        • Posted Sep 24, 2017 at 4:33 PM | Permalink

          MikeN, I can’t say that I have. Is it better than the movie? The movie drove me crazy with how they kept saying Bourne was so amazing at spy stuff yet he did things like walk around in public while making no effort to disguise his appearance. And somehow it worked!

          (Though it was nowhere near as bad as the later movies. Trying to work out the logic of the characters in the last couple Bourne movies gives me a migraine.)

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:46 PM | Permalink

          of all the dozens of spy and mystery novels that I’ve read over the years, I found Bourne novels unreadable. I hated the short, unliterary sentences. Unsurprisingly, LeCarre is far and away my favorite. A geologist who worked for me about 25 years ago was a friend of Len Deighton’s – I read all of his stuff. I liked Ross Macdonald mysteries and read all of them. All of Dashiell Hammett. I’ve been meaning to take a look at John D MacDonald again – my father used to read them at the cottage and I remember that one of the common themes was crooked developers getting variances to build in areas vulnerable to hurricanes, especially the “big one”.

        • MikeN
          Posted Sep 25, 2017 at 8:08 PM | Permalink

          Vastly better than the movie. It’s amazing how it has almost the same scenes and a completely different plot. Matt Damon is going to have anti-CIA stuff in any movie, including his script of Good Will Hunting. I agree with the non-literary critique, with characters making exposition of psychological analysis, but overall I enjoy the books. Your posts reminded me of the first book.

        • AntonyIndia
          Posted Oct 30, 2017 at 11:34 PM | Permalink

          Regarding Syria: PRISM info used by US to undermine president Assad apart from weapons, “advisors”, Gulf allies and Turkey. Coup by proxy http://www.zerohedge.com/news/2017-10-28/shocking-viral-interview-qatar-confesses-secrets-behind-syrian-war

  9. MikeN
    Posted Sep 24, 2017 at 1:46 AM | Permalink

    There was a Wikileaks document released as part of Vault that described tools the CIA uses to do false flag hacking operations…

    • Posted Sep 24, 2017 at 2:01 AM | Permalink

      MikeN, I think it is remarkable how many people are certain they know who Guccifer 2.0 was. The idea we could conclude Russians were involved based on any information available about that identity seems silly, but at the same time, I don’t think we can conclude it was anyone else either.

      Personally, I like my friend’s theory: APT-28 is the Russian group which gave material to Wikileaks. APT-29 is a second Russian group which had managed to gain less access into the DNC servers and created Guccifer 2.0 so it can play its own role in how things play out. It’s silly, but think about it. What would you do if you were the less successful Russian group to break into the DNC servers? Would you just give up and let the other group do everything from here on, or would you perhaps make a fake identity you can use to cast doubt and uncertainty on all future discussions?

      I think it tracks.

      • AntonyIndia
        Posted Sep 24, 2017 at 2:22 AM | Permalink

        Or, the NSA and CIA treated the poorly secured DNC server as their honeypot to catch opponents: Wikileaks, Russians, …

        Tracks better.

        • Posted Sep 24, 2017 at 4:04 AM | Permalink

          Are you suggesting the NSA and CIA did this with the DNC’s cooperation or without their knowledge?

        • AntonyIndia
          Posted Sep 24, 2017 at 4:29 AM | Permalink

          Did they inform Microsoft or any other US company about the zero day exploits they found in their software?

        • Posted Sep 24, 2017 at 5:37 AM | Permalink

          As a rule, I believe you will find discussions more productive if you answer direct questions with a straightforward answer. Responding to questions with other questions, even if to imply some point you think may be clear, will rarely lead to useful conversations.

        • Brandon Shollenberger
          Posted Sep 30, 2017 at 9:27 AM | Permalink

          Ron Graf, that is simply not true. APTs are identified threats, usually groups, not just MOs. You cannot copy an APT. You can copy methods and techniques used by an APT, but that does not mean you are using the APT.

          That’s just how APTs are defined.

        • Steve McIntyre
          Posted Sep 30, 2017 at 1:39 PM | Permalink

          Brandon, there’s a need to distinguish between the use of the tools and hypothesized organizations/individuals using the tools. All that can be observed on the server are indicators of compromise – which points to use of tools. Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.

          Jeffrey Carr has acutely observed that people e.g. Crowdstrike too quickly and easily elide between methods and institutions.

        • Posted Sep 30, 2017 at 7:59 PM | Permalink

          Steve McIntyre:

          Brandon, there’s a need to distinguish between the use of the tools and hypothesized organizations/individuals using the tools.

          Yes. That is why I corrected Ron Graf when he used terminology for groups as referring to tools those groups use. I think it would be helpful for people to agree to set of basic facts/terminology.

          Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.

          See, this is what I am talking about. The malware you refer to is P.A.S. web shell, which in casual narratives keeps getting described as Ukrainian software based on nothing more than the fact the guy who made it claimed to be Ukrainian. People show great skepticism toward official government reports then turn around and state as fact things which an anonymous hacker says.*

          For another fact, the report you refer to was not a report on the DNC hack. It was a report on the attempted attacks against U.S. electoral systems. There was a different DHS report released for the DNC attack(s), but it didn’t include the example you refer to. I doubt anyone who read your comment except me knew that. I think most people would assume when you say “the DHS report” you were referring to the one on the DNC hack, the subject of this post.

          *This example is a bit bad because the hacker in question surrendered himself to Ukraine authorities who have reported he told them he was hired to customize his program (a service he offered to people who would pay) without knowing he was being hired by Russians, finding out Russians used the customized code in hacks after-the-fact.

          On the one hand, that would support the idea this program was Ukrainian as claimed. On the other hand, it would make the conclusion Russians used that software in their hacking, as reported by the DHS report you referred to, seem correct. Either way, unless someone knew about this part of the story, they would be assuming the malware was Ukrainian simply because an anonymous hacker said he was Ukrainian. That seems unwise.

        • Posted Sep 30, 2017 at 9:01 PM | Permalink

          I should correct/clarify something I said in my above comment:

          For another fact, the report you refer to was not a report on the DNC hack. It was a report on the attempted attacks against U.S. electoral systems.

          The code in question was initially released along with a December 29th, 2016 report. That report was about Russian cyberattacks against the United States in general, but it gave focus to the DNC hack since that was a major story at the time. What’s important to note is while this report was accompanied by a sample of the P.A.S. code, the report itself contained no discussion of it.

          February 10th, 2017, a follow-up report described as an “enhanced analysis” was released to provide an “enhanced analysis” of those Russian cyberattacks. That report did not focus on the DNC hacks, and it contained a fairly detailed discussion of the P.A.S. code in question. It also contained numerous technical details about the government’s case for claiming Russia was engaged in a cyber campaign against the United States electoral process.

          The reason I want to clarify this is when I said the report Steve McIntyre referred to was not about the DNC hacks, I said that because the previous report did not discuss the P.A.S. malware. A sample of the malware was included in a reference document for the report. The malware itself was not discussed in a report until two months later when it was covered in some detail in a report which did not cover the DNC hacks.

          It’s possible McIntyre was referring to a sample of code included in a reference document for the first report rather than anything said in that report itself. However, the December 29th report did not attribute the P.A.S. malware to APT-28 or APT-29. Only the February 10th report did. If McIntyre meant to refer to the December 29th report, he misdescribed what it said.

          I’m not sure why we would want to refer to the earlier report though. The February 10th “enhanced analysis” is far more detailed.

        • Steve McIntyre
          Posted Sep 30, 2017 at 9:23 PM | Permalink

          Wordfence convincingly linked the PAS malware to the indicators of compromise published in the DHS report. The failure of DHS to accomplish Wordfence’s analysis speaks to their limitations.

          Petri Krohn plausibly connected the PAS malware to an identifiable Ukrainian.

        • Posted Sep 30, 2017 at 10:20 PM | Permalink

          Steve McIntyre:

          Wordfence convincingly linked the PAS malware to the indicators of compromise published in the DHS report. The failure of DHS to accomplish Wordfence’s analysis speaks to their limitations.

          What “failure” are you referring to? The initial report was not meant to examine things at such a fine level of detail. It didn’t claim to do so. I don’t see how failing to do something you didn’t set out to do constitutes a “failure” in any meaningful sense. When the DHS set out to give a detailed analysis, it did a better job of it than Wordfence.

          Moreover, Wordfence did not link “the PAS malware to the indicators of compromise published in the DHS report.” The report itself didn’t list any IOCs. Assuming you mean to include the accompanying data files, Wordfence didn’t link that malware to any of them. It didn’t even attempt to. It discussed IP addresses listed as IOCs, but that it discussed them and also discussed the malware does not mean it “convincingly linked” the two together.

          Petri Krohn plausibly connected the PAS malware to an identifiable Ukrainian.

          Are you referring to this post where he begins by claiming the DHS says “the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe”? Because that post was funny. The DHS never labeled that software Grizzly Steppe. Grizzly Steppe was the name given to the cybercampaign the DHS claimed to have identified, a campaign which used that software as one of its many tools.

          If that is the post you have in mind, I don’t see how it “plausibly connected” the hacker to anyone. The final step of the analysis in it is the picture used in a profile by the person who supposedly made the software isn’t a picture of the person whose name is given, but another individual. The implication seems to be that other individual is the hacker. But why? If we believe the hacker was using fake information in his profile page, why should we assume he used an actual image of himself? He could have easily stolen someone else’s photo off the internet and used it as his own.

          If there was something more than that you are thinking of, I’d love to hear it. If not, I can’t say I find the idea a hacker using a person’s photograph means the hacker is that person very convincing.

      • Steve McIntyre
        Posted Sep 24, 2017 at 9:42 AM | Permalink

        at the same time, I don’t think we can conclude it was anyone else either.

        I agree. None of the theories fully hang together. My issue is that the US intel community has assigned “high confidence” that it was the Russian GRU on what seems to be flimsy evidence.

        I think that it’s plausible that Guccifer 2 and what Crowdstrike calls Cozy Bear/APT29 are the same. As I understand it, APT28 is observed as family of tools, but some specialists e.g. Jeffrey Carr do not agree that the use of these tools implies “Russia”. The tools are in the wild.

        There are important aspects of Alperovitch that I find exceedingly unsavory as a basis for major foreign policy decisions. He’s a member of neocon Atlantic Council, which is a leader of US Russophobia and he himself is virulently anti-Russian. He’s been severely (and in my opinion convincingly) criticized by Jeffrey Carr for major attribution errors, including a subsequent attribution error involving APT28 and Ukraine. He follows Ukrainian hackers who are virulently anti-Russian, but not Wikileaks. One cannot safely rely on him for an anti-Russia diagnosis. Which is different from saying that Russians were not involved. As a parallel, one cannot safely rely on Michael Mann on hockey stick reconstructions, since he’s overinvested in the answer.

        Stepping back to what we “know”: we don’t actually “know” that APT28/Fancy Bear was in the system when Crowdstrike arrived. To my knowledge, they didn’t distribute any mirrors of the system as it was when they arrived. While we don’t know for sure what they distributed to other analysts, it appears to be the system as it was later.

        Under-analysed in my opinion is the potential role of Ukrainian hackers – both anti-Russian and pro-Russian. They seem to be extremely skillful, with some major exploits e.g. the Surkov hack. Over the past few years, Ukraine has disproportionately driven US foreign policy. Like the Syrian “rebels”, they have a vested interest in getting the US to accomplish things that they can’t do on their own. Could there be some bizarre dynamic here?

        Here are some of Alperovitch’s follows:



        • AntonyIndia
          Posted Sep 24, 2017 at 10:19 AM | Permalink

          Alperovitch’s “Atlantic Council” determined this Surkov hack material as genuine. The motive was to discredit president Putin’s efforts to keep Ukraine politically close to Russia. https://www.nytimes.com/2016/10/28/world/europe/ukraine-russia-emails.html

        • AntonyIndia
          Posted Sep 24, 2017 at 11:23 AM | Permalink

          Another character in this “Atlantic Council” is the Brit Eliot Higgins who joined them formally in 2016. He started his anti-Russia phobia while studying the Syrian conflict, then focused on the Ukraine conflict and even went into the MH17 controversy https://en.wikipedia.org/wiki/Eliot_Higgins

        • Steve McIntyre
          Posted Sep 24, 2017 at 11:31 AM | Permalink

          Atlantic Council is not only anti-Russia, but anomalously committed to Ukrainian “nationalism”, even to the extent of trying to launder Stepan Bandera. They have been very active in promoting Ukrainian interests to US Congress, with leaders of the Feb 2014 coup being introduced by Atlantic Council to Congressional leaders the following month. These leaders were already well-known to the administration, which had regularly met with them prior to and during the coup.

        • bmcburney
          Posted Sep 24, 2017 at 2:13 PM | Permalink

          Steve and Brandon,

          What is the argument against G2 being the DNC/Crowdstrike (essentially as outlined by Adam Carter on G2 space)?

        • Posted Sep 24, 2017 at 4:29 PM | Permalink

          bmcburney, despite what people say, documents shared by Guccifer 2.0 were not, on balance, helpful for the DNC. Additionally, if Guccifer 2.0 were a false flag operation, why would he have contacted the journalists he contacted? He tried to get local/state reporters interested in material. Why target people on those levels if you’re a false flag operation? Plus, if it was a false flag operation created by the DNC or Crowdstrike, why share documents which weren’t ever shared by the real hacker?

          I’m sure there are plenty of other reasons one could bring up. For instance, if the DNC wanted to make it look like Russians hacked them, why do such a bad job of it? Nobody could have anticipated the crumbs in the Guccifer 2.0 documents would have been convincing.

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:58 PM | Permalink

          if the DNC wanted to make it look like Russians hacked them, why do such a bad job of it? Nobody could have anticipated the crumbs in the Guccifer 2.0 documents would have been convincing.

          I agree. A DNC false flag sort-of fits some elements, but not enough.

          One of the lines of argument in attribution articles was “precedent”, but their examples were bizarre: e.g. TV5Monde.

          If one begins with cases in which emails have been published to embarrass US political figures, the hacks (to my knowledge) are uniformly by individual hackers or small groups, often of a somewhat anarchistic bent. Think hacks of John Brennan, Colin Powell, Sidney Blumenthal, Sarah Palin … but also Breedlove … It would be instructive to make an inventory. It’s hard to think why the “Russians” would bother with such chickenfeed as routine administrative documents of the Democratic Party of Virginia in 2010-13.

        • mpainter
          Posted Sep 24, 2017 at 5:11 PM | Permalink

          I think that it’s a fair assumption that the DNC would avoid any disclosures that were truly embarrassing with potential for damage. And “proof is in the pudding”, that is, the DNC did not need to make a “better job” of a Russian hacking. Success was theirs. They knew that their sympathizers in the MSM would respond appropriately. In this view, the DNC reckoned that their advantages would carry the day and they were right.

        • Lurker
          Posted Sep 24, 2017 at 11:22 PM | Permalink

          I see you are talking about Atlantic Council. They are quite involved in attempts to shut down this investigation in Guccifer 2.0.

          Adam Parkhomenko
          Ballots, Bullies, and Bots
          Atlantic Council’s OS/360 Meeting in Warsaw, Poland, July 2017.

          It’s interesting how well informed Adam Parkhomenko (also Ukrainian and strategist of the Hillary campaign) was with Adam Carter’s research in July 2017.

          Note that he was liking tweets of trolls (that he follows and who were reporting to him when they were blocked) that were posting lame gifs in Adam Carter’s twitter threads.



          This and many more details in these two threads on 8chan:
          https://8ch.net/pol/res/10640424.html#10643056
          https://8ch.net/pol/res/10630540.html#10642479

        • Lurker
          Posted Sep 24, 2017 at 11:28 PM | Permalink

          I see you are talking about Atlantic Council. They are quite involved in attempts to shut down this investigation in Guccifer 2.0.

          Adam Parkhomenko
          Ballots, Bullies, and Bots
          Atlantic Council’s OS/360 Meeting in Warsaw, Poland, July 2017.

          It’s interesting how well informed Adam Parkhomenko (also Ukrainian and strategist of the Hillary campaign) was with Adam Carter’s research in July 2017.

          Note that he was liking tweets of trolls (that he follows and who were reporting to him when they were blocked) that were posting lame gifs in Adam Carter’s twitter threads.

          My comment is awaiting moderation, so I put the links to the two 8ch threads and all relevant pictures confirming my statements here: https://imgur.com/a/oHYw4

        • mpainter
          Posted Sep 24, 2017 at 11:55 PM | Permalink

          I should enumerate the DNC advantages: 1, the MSM ready to follow its lead (very big advantage); 2, CrowdStrike, hotshot cyber security firm with big previous success reported in the media, the shine still on them; 3, U.S. intelligence community ready to chip in and add confirmation; 4, Fancy Bear and Cozy Bear and any fool knows that this means Russians.

        • bmcburney
          Posted Sep 26, 2017 at 1:50 PM | Permalink

          Brandon,

          Respectfully, I am just not seeing it.

          Although I don’t agree, I understand why you might say that the G2 documents didn’t help Hillary. It’s certainly true that the vast majority of G2 documents are completely innocuous. But that fact itself points toward G2 being a DNC/Crowdstrike false flag. As Steve has pointed out, however, the e-mail curation is curious. G2 supposedly released the DNC’s entire raw, unedited, opposition research file and there was hardly anything in it worth reading. Where, for example, is a reference to the “grab them by the p***y” videotape which appeared in October? Where is all the Steele Dossier stuff? I find it hard to believe that the DNC was unaware of those things prior to June, 2017. These people are supposed to be professionals.

          Again, there is the baseline question, if you are trying to help elect Donald Trump (or hurt Hillary) making the DNC opposition research file on Trump the only meaningful contribution to public discourse is hardly the way to do it.

          Similarly, I don’t see why G2 agreeing to speak to lower profile reporters shows it was not a false flag. As a false flag or an ego-driven hacker, you want maximum publicity (assuming the hacker is sure he won’t get caught) either way, and I would kinda get an argument that maybe a Russian or Romanian wouldn’t know who to contact for maximum exposure. But the evidence that G2 isn’t really a Russian or a Romanian is compelling and, even if it wasn’t, G2’s English skills are obviously sufficient to figure out which reporters and publications are worth his time and which are not.

          As a false flag, however, you should remember that the DNC has to live with the big time journalists after this particular election is over. If the false flag is ever detected, major journalists are not going to like it that the DNC used them to propagate a hoax. The DNC could calculate that a few local reporters would be sufficient to get the story out to the point that major journalists could report it without putting their own credibility at risk should the hoax be discovered. Again, this evidence actually tends to support the false flag theory.

          From the point of view of a DNC false flag operation, as long as the additional documents were innocuous (and all were) sharing a few on the G2 site which did not appear on Wikileaks just adds credibility to the G2 hoax without hurting the candidate. The G2 release is the Wikileaks release, minus the damaging e-mails, plus authentic e-mails that don’t matter to anyone. Doesn’t that sound like a DNC false flag?

        • bmcburney
          Posted Sep 26, 2017 at 3:32 PM | Permalink

          Steve,

          The problem with claiming that the application of Russian whiskers was too amateurish to be a DNC false flag is that it worked. It continues to work. As of today, I believe a majority of the public and media regard the fact that the Russians “hacked” the election as undoubted truth, but the only reason anyone has to connect Russian hacking to the election is that G2 says he hacked the DNC and the whiskers prove he is Russian.

          As far as the DNC was concerned, they only had to make the deception last from mid-June till early-November.

          The original Guccifer was certainly a hacker and other hackers were hackers. Hackers certainly exist. None of these things is evidence showing G2 is a hacker.

        • Steve McIntyre
          Posted Sep 26, 2017 at 5:30 PM | Permalink

          you say: “the only reason anyone has to connect Russian hacking to the election is that G2 says he hacked the DNC and the whiskers prove he is Russian”

          you’re not correctly representing the original Crowdstrike article: they said that APT28 and APT29 hacked DNC and that they were Russian – before Guccifer.

          They then said that G2 was deception operation by Russians.

        • AntonyIndia
          Posted Sep 27, 2017 at 1:41 AM | Permalink

          Pro-Western Ukrainian hackers got their political angle since at least 2004 (Orange revolution) locally and were supported for that by US agencies. Plenty of convenient leaks/hacks there ever after = lots of experience gained.

        • bmcburney
          Posted Sep 27, 2017 at 5:51 PM | Permalink

          Steve,

          I’m not incorrect. Even if all of Crowdstrike’s claims regarding APT28 and APT29 were correct (and that’s not impossible), this would only prove that Russians hacked into the DNC servers. Crowdstrike can’t say, and didn’t say, that APT28 or APT29 provided e-mails obtained during the hacking to Wikileaks. Only G2 says he is both the hacker and the Wikileaks source. Only his whiskers say he is Russian. Only the Wikileaks documents matter; the non-Wikileaks G2 documents are meaningless and wouldn’t have any effect on the election.

        • mpainter
          Posted Sep 27, 2017 at 6:38 PM | Permalink

          “Even if all of Crowdstrike’s claims regarding APT28 and APT29 were correct (and that’s not impossible) this would only prove that Russians hacked into the DNC servers”

          Right, the whole basis for claiming “interference” in reality rests on the publicity generated by G2.

          Reflect: if the announcement that the DNC servers had been hacked by Russia were followed by no other news, then the incident would be totally forgotten in a week or two. But G2 kept stirring up publicity. Repeat, G2 was the vehicle by which publicity was repeatedly stirred up and the means by which the “interference” myth was fixed in the public’s mind. Without G2, there would have been no clamor of interference.

          G2 = interference; if no G2 then no clamor, no Mueller, no Special Counsel. The G2 was a stroke of genius.

        • mpainter
          Posted Sep 27, 2017 at 6:57 PM | Permalink

          The G2 persona was instrumental to generating the “interference” clamor. I believe this persona fulfilled the role of shaping the mind of the public and that the persona was contrived and operated for that specific purpose; this was achieved by a months long campaign of public “appearances”, all newsworthy.

          It cannot be over emphasized that G2 is the whole basis for the claim of “Russian interference”.

        • Posted Sep 27, 2017 at 8:08 PM | Permalink

          Steve comments: “Stepping back to what we “know”: we don’t actually “know” that APT28/Fancy Bear was in the system when Crowdstrike arrived. To my knowledge, they didn’t distribute any mirrors of the system as it was when they arrived. While we don’t know for sure what they distributed to other analysts, it appears to be the system as it was later.”

          Sept. 2015 — The FBI contacts the Democratic National Committee’s help desk, cautioning the IT department that at least one computer has been compromised by Russian hackers. A technician scans the system and does not find anything suspicious.

          Nov. 2015 — The FBI reaches out to the DNC again, warning them that one of their computers is transmitting information to Russia. DNC management later says that IT technicians failed to pass along the message.

          March 19, 2016 — John Podesta, HRC campaign chair, falls for phishing attack.

          April 19, 2016 — The start of high volume, (425 emails,) in the WL DNC archive.

          April 29, 2016 — DNC IT staff brought anomalous activity to the attention of DNC officials.

          May 4-5, 2016 — Crowdstrike contacted by DNC who installs monitoring software.

          May 25, 2016 — The last DNC WL email and end of high bell shape volume distribution since 4-19.

          June 10, 2016 — Crowdstrike shuts down the DNC network and rebirths from scratch to expel Bears.

          June 12, 2016 — Julian Assange tells interviewer that WL is going to release trove of more Clinton emails from her days as US secretary of state. (He does not mention DNC.)

          June 14, 2016 — The DNC and Crowdstrike jointly announce they have been hacked by the Russians. Alperovitch says that the FSB’s Cozy Bear had been in the network since the prior summer and that the GRU’s Fancy Bear accessed the system only just before he arrived and only obtained opposition research files, which would likely have become public at some point anyway.

          The next day, June 15, 2016 — Guccifer 2.0 releases the DNC’s Trump dossier, claiming to be the hacker, but Romanian, not Russian. Alperovitch comments that he stands behind his Russian attribution.

          Why hasn’t Guccifer 2.0 been squarely linked to Fancy Bear just as Alperovitch set up? If everyone missed this Alperovitch certainly didn’t. Why didn’t he make the connection clear to others?

        • MikeN
          Posted Sep 27, 2017 at 8:35 PM | Permalink

          Ron, nice summary. Two points: John Podesta did not fall for the phishing attack. He caught it but the IT staff told him it was legit (now claiming it was a typo). Also, I think a key detail that Steve has identified should be getting more attention: April 19 is also when Hillary’s e-mails first appear in the Wikileaks.

        • Don Monfort
          Posted Sep 27, 2017 at 8:37 PM | Permalink

          Thanks, Ron. That timeline info indicates that the FBI had concluded in Sept. 2015 that the DNC was being hacked by Russians and the hacking was still going on in Nov. 2015. This is well before Crowdstrike came into the picture. If this is true, I am going to believe it was most likely the Russians. DNC should be prosecuted for being unbelievably incompetent. Somebody tell Hillary. Another excuse for her ignoble loss.

        • AntonyIndia
          Posted Sep 27, 2017 at 9:09 PM | Permalink

          Andrei Derkach, an independent Ukrainian MP publicly complained that Ukrainian forces had been interfering in the US elections (pay back time?): http://www.politico.com/story/2017/08/16/ukraine-andrei-derkach-clinton-investigation-241704

        • mpainter
          Posted Sep 28, 2017 at 6:36 AM | Permalink

          Ron Graf, thanks for your timeline.
          I would make a slight amendment:

          March 19, 2016 – John Podesta _claims_ a phishing attack for this date.

          We cannot verify this claim. Possibly the emails were exfiltrated by other methods, which methods the DNC is motivated to hide. Wikileaks claims that the emails were obtained by an insider who had legal access. If Wikileaks is truthful, then Podesta is not.

          Also, I believe that the Podesta emails are all dated prior to March 19. This fact does not square with the phishing claim, as I understand.

        • Steve McIntyre
          Posted Sep 28, 2017 at 6:37 AM | Permalink

          There is a phishing email in the Wikileaks archive.

        • mpainter
          Posted Sep 28, 2017 at 6:46 AM | Permalink

          Thanks for that information, Steve. I assume it was the March 19 attack. Do you know the date of the last Podesta email?

        • Steve McIntyre
          Posted Sep 28, 2017 at 7:36 AM | Permalink

          A couple of days later. Looks like Podesta changed password and cut off access. Seems odd though that the phishing email would be included in the collection.

        • Posted Sep 28, 2017 at 8:03 AM | Permalink

          April 19, 2016, the date of the successful breach is also the date DCleaks.com domain is registered. This seems to link WL to DC leaks. Does anyone know if there was overlap between DC leaks and WL?

          Is there any indication from the forensics or circumstances that the Podesta WL is not connected to the DNC WL? If they are connected then it looks like they both would have been a hack, contrary to Assange’s claim of a leak.

          Also, the Podesta breach coincides with a massive phishing effort in which about 20 out of a 100 DNC staffers click on malware links in email, providing another indication it was outsiders attacking.

          Steve, how did the hacker continue with Podesta infiltration after the password change? What stopped the Podesta attack?

        • Steve McIntyre
          Posted Sep 28, 2017 at 8:21 AM | Permalink

          Looks to me like Podesta changed his password a couple of days after being phished (perhaps the 2nd time).

        • Steve McIntyre
          Posted Sep 28, 2017 at 8:22 AM | Permalink

          One of the early articles on the DNC hack said that the large-scale phishing attack had far more attacks on hillaryclinton.com than on dnc.org, including clicks. Nothing ever leaked from hillaryclinton.com. Seems odd.

        • AntonyIndia
          Posted Sep 28, 2017 at 9:26 AM | Permalink

          April 2015: ‘Are we witnessing a cyber war between Russia and Ukraine?’ https://www.csoonline.com/article/2913743/cyber-attacks-espionage/are-we-witnessing-a-cyber-war-between-russia-and-ukraine-dont-blink-you-might-miss-it.html
          Does anybody believe that the CIA / NSA stayed mute spectators in that cyber theater?

        • Posted Sep 28, 2017 at 1:55 PM | Permalink

          Correction: The Podesta breach was one month earlier than the DC leaks registration of April 19.

          DCLeaks is linked to Fancy Bear and G2 by ThreatConnect’s analysis. It makes little sense to me that Russia is going to proceed with an active measures campaign that has footprints leading to their own door in all breaches and tools used.

          Yet it also makes little sense that Podesta has never seen a phishing attempt or has never been warned, along with a score of other campaign officials, never to click on unknown email links or attachments and never, never to change a password by clicking on a supplied link. Even the bonehead tech that wrote Podesta it is a “legitimate” email, (meaning illegitimate,) wrote instructions to copy and paste the link he was providing. But instead, Podesta must have clicked on the fake link.

          It’s scary that these people control our nukes.

        • Steve McIntyre
          Posted Sep 28, 2017 at 4:52 PM | Permalink

          Jeffrey Carr’s first suspicion about the whole Russia thing is that a supersecret Putin-directed operation would have used CIA’s own Vault 7 tools.

        • MikeN
          Posted Sep 28, 2017 at 3:08 PM | Permalink

          Mpainter, if they wanted to make up a phishing claim, I don’t think they would concoct a story that makes them look so incompetent. Old guy Podesta falling for a trick, sure. But Podesta catches it, sends it to IT, and they tell him it’s legit and change his password (which was p@ssw0rd)?

        • Steve McIntyre
          Posted Sep 28, 2017 at 4:52 PM | Permalink

          password was actually runner6789 or something like that.

        • MikeN
          Posted Sep 28, 2017 at 7:11 PM | Permalink

          Politifact reports the e-mail password is unknown. P@ssw0rd was in another e-mail as his Windows login password. Runner4567 was his Apple login.

        • Posted Sep 28, 2017 at 9:54 PM | Permalink

          MikeN, it is important to note there is no evidence his password actually was “p@ssword” in any meaningful sense for his Windows account. An e-mail was sent to him where he was told that was the password on a computer which had just been set up for him. That is, it was the default password assigned to his account. He could have changed it as soon as he logged in.

          There is no evidence Podesta ever used “p@ssword” as a functional password. All we know is it was the password assigned to his Windows account before he ever logged into it. We have no way to know whether he left such a terrible password on the account or if he changed it to something more secure.

        • Posted Sep 28, 2017 at 10:02 PM | Permalink

          Did anyone find that Warren Flood was the author of the DNC anti-Trump dossier? Is this real or G2? The date in the document meta-data is December 19, 2015. This is the first that I have seen that Warren Flood was actually a DNC hired op.

          A 200+ page document that appears to be a Democratic anti-Trump playbook compiled by the Democratic National Committee has leaked online following this week’s report that the DNC was breached by Russian hackers. In it, Trump is pilloried as a “bad businessman” and “misogynist in chief.”

          The document—which according to embedded metadata was created by a Democratic strategist named Warren Flood—was created on December 19th, 2015, and forwarded to us by an individual calling himself “Guccifer 2.0”.

          Also this June 15 Gawker article shows G2 as the first to broadcast that the DNC docs are in WL hands. One has to admit that G2 has strong connections with WL then as he does with DCleaks, controlling the administrative interface tools to provide credentials to selected media to login for exclusive access to particular docs.

        • Steve McIntyre
          Posted Sep 29, 2017 at 8:37 AM | Permalink

          IMO Warren Flood stuff is total red herring. My interpretation is that G2 picked up an old Warren Flood document to modify template; changed default language to Russian, then successively cut-and-paste three other unrelated documents into the Russified “Warren Flood” template, one of which was the Trump oppo research.

        • Posted Sep 28, 2017 at 10:14 PM | Permalink

          Assange, instead of announcing the DNC leak says he has HRC emails from her SoS era private server. This makes sense if Assange believes he must give the DNC leaker some cover until the release date. If G2 is the WL source he presented himself to Assange as a leaker, not a hacker. Yet he turns around the next day and reveals he is a crazy, malicious hacker and reveals WL has DNC docs. Yet G2 never is able to provide evidence by documentation that he is the source of the WL. Anybody else find this odd?

        • Steve McIntyre
          Posted Sep 29, 2017 at 8:39 AM | Permalink

          as I mentioned on another occasion, in October, G2 posted up a screenshot of a DNC email from the right period that wasn’t in the Wikileaks archive.

        • Posted Sep 28, 2017 at 10:59 PM | Permalink

          In Dec 2016 Julian Assange came on Hannity’s radio show to make it clear that G2 was not his source, breaking from his longstanding policy on not making any comment toward source identities. Assange elaborated:

          “Now, who is behind these, we don’t know,” he said. “These look very much like they’re from the Russians. But in some ways, they look very amateur, and almost look too much like the Russians.”
          In the Hannity interview, Assange also claimed that WikiLeaks received three pages of information about Trump and the Republican National Convention. It chose not to reprint those documents because they had already been printed elsewhere.

          So Assange also denies receiving the Flood 200-page Trump opposition strategy paper.

        • Posted Sep 29, 2017 at 12:41 PM | Permalink

          Steve, I’ve seen experts say that the Warren Flood documents were created on July 5 but I realize now from the Forensicator article that one can reset the creation date by using the Linux type copy command. So the only thing this proves is that G2 was very conscious of his meta-data trail, except perhaps the effect on the time zone of the Linux copy versus MS products.

          Steve, you commented: “as I mentioned on another occasion, in October, G2 posted up a screenshot of a DNC email from right period that wasn’t in Wikileaks archive.”

          If G2’s purpose was to bolster his standing as the WL source then choosing to publish a document he neglected to give them would be an odd choice, unless it was damaging and he said he forgot to include it to WL. Am I missing your point?

          On the Podesta documents, I notice that G2 has more overlap there as he supplied many of the email attachments from the WL Podesta file days before WL published them. I also notice that Assange never claims that the DNC and Podesta files are from the same source. Although I realize Assange does not talk about sources, he made the exception to disclaim G2 from being the DNC source but remained mum on the Podesta file.

          Has anyone seen where Assange groups the two sources?

        • Steve McIntyre
          Posted Sep 30, 2017 at 1:27 PM | Permalink

          you say:

          I’ve seen experts say that the Warren Flood documents were created on July 5 but I realize now from the Forensicator article that one can reset the creation date by using the Linux type copy command. So the only thing this proves is that G2 was very conscious of his meta-data trail, except perhaps the effect on the time zone of the Linux copy versus MS products.

          you’re mixing several things together here incorrectly.

          1) you have to distinguish between file metadata and internal document metadata. I don’t think that the document creation date is necessarily reset with a Unix copy operation, only the document modification date.
          2) the Warren Flood documents occurred on June 15 (at the blog), not July 5 (a date arising in ngpvan.7z).

        • Posted Sep 29, 2017 at 11:45 PM | Permalink

          From security firm assessments of the DNC/Podesta attacks it seems DNC was initially ill-prepared for cyber-attack. There were over 200 exfiltrations via MS OneDrive as well as other means. We know that training and precautions were lax and that there was ongoing compromise for 9-12 months. The possibility seems plausible that the DNC decided to try to make lemonade out of the lemons. After all, they found out that they were breached by multiple groups. And although APT28 and APT29 were likely created by the Russians they were open source tools that could be used by any sophisticated actor. I am going to quote from career intelligence expert Scott Ritter, who is a member of VIPS. He did not sign onto the recent Forensicator analysis but he also does not buy the “Russia Russia”.

          The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.

          Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration.

          Here is one possible scenario that fits the evidence:

          FSB Hacks DNC with Cozy Bear and is quietly consuming information for internal use for routine espionage from summer 2015 to CrowdStrike (CS) intervention. They never leak.

          Seth Rich hacks DNC internally on May 25 after presumably the IT staff alerted everyone of recent attacks by giving anti-malware safety talk. Rich is a big Bernie Sanders supporter and perhaps has seen firsthand the internal favoritism to Clinton. He thus used the opportunity of the outside breach to provide cover for an inside breach that he can leak to WL, which he manages some time in early June.

          Now stepping back to the Podesta gmail spear phishing breach on March 19, we can presume that Podesta and IT staff realize they have been breached. They do not call in a security firm because all they needed to do was have everyone change gmail passwords. But the information is out and the Clinton campaign needs to build a defense plan for a possible hacked doc dump. They come up with the G2 playbook, especially since Trump is going around claiming Putin is calling him a genius and such. They register DCleaks.com on April 19 to use as their own fake WL.

          Two months later, the Clinton campaign is thinking they dodged a bullet when WL makes the bombshell press announcement on June 12 that Hillary emails will be coming out. By this time Clinton has clinched the nomination and thus coordinates with DNC heads and CrowdStrike (CS) to put the G2 plan into action. A Fancy Bear attack is simulated on the server and the press is told on June 14-15 that FB only got the Trump opposition research document. The DNC server is held by CS, who supplies all the analysis and data for the IC and other security firms to concur.

          G2 does his thing and the breaches get accepted as Russian. The anti-Russian Ukrainians, seeing this, and not caring as much about HRC and hurting Russia relations, supply the Podesta emails to WL. Assange is either duped or holds his nose to accept the valuable offering.

          Seth Rich is distraught and conflicted about accepting a job offer from Hillary and goes out drinking and chatting on the phone into the early a.m. of July 10, where he runs into muggers and gets shot while foolishly fighting them. Two weeks later Assange names Rich as an example of the dangers his sources face and offers a $20K reward for information leading to a conviction in Rich’s murder.

        • Steve McIntyre
          Posted Sep 30, 2017 at 1:29 PM | Permalink

          A lot of speculation

        • Posted Sep 30, 2017 at 7:04 AM | Permalink

          Ron Graf, there seems to be a rather serious misunderstanding here. You say:

          And although APT28 and APT29 were likely created by the Russians they were open source tools that could be used by any sophisticated actor.

          APT-28 and APT-29 are not programs or software. They’re groups of people. They couldn’t be used by anyone except people who could hire/give them orders.

        • Posted Sep 30, 2017 at 7:54 AM | Permalink

          Brandon, they are more akin to modus operandi MO, which can be copied, and are copied as in the example of the US IC’s Vault 7.

        • Posted Sep 30, 2017 at 1:06 PM | Permalink

          Brandon: “Ron Graf, that is simply not true. APTs are identified threats, usually groups, not just MOs. You cannot copy an APT. You cannot copy methods and techniques used by an APT, but that does not mean you are using the APT.”

          Here is a definition from Techtarget.com:

          An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

          So the types of APT, I believe, are classified by associating past recognized MOs with particular APTs. Attribution of these specific APT types is another matter. But do you have any particular point regarding the logic or facts in my proposed scenario?

        • Posted Sep 30, 2017 at 4:17 PM | Permalink

          I commented that I had just learned in a Gawker article of June 15, 2015 that G2’s debut on June 15, 2016 was with the leak of the DNC Trump opposition research 237-page document dated December 19, 2015, authored by Warren Flood. Realizing that Warren Flood was the meta-data original author of the G2 MS Office templates created on June 15 I was wondering if there was any doubt that Flood was the author of the Trump-oppo research document. I just found that Lauren Dillon, another DNC staff member was the author, not Flood.

          Steve commented: “IMO Warren Flood stuff is total red herring. My interpretation is that G2 picked up an old Warren Flood document to modify template[I presume the Trump oppo document]; changed default language to Russian, then successively cut-and-paste three other unrelated documents into the Russified “Warren Flood” template, one of which was the Trump oppo research.”

          I concurred that the template date was likely updated by G2 from copying. But I mistakenly referenced the Forensicator, who analyzed the July 5 dated NGPVan.7z. I confused it with Adam Carter’s analysis of G2’s Warren Flood documents dated June 15 here.

          The first document, “1.doc” (mirror), was given considerable coverage, while the name “Warren Flood” was reported, the date in the report (rather than in the metadata) was reported and so it was attributed to Warren Flood on 12/19/15.

          Gawker incorrectly claimed the metadata showed the document was created in 2015 when it actually indicated the document was created by Warren Flood at a much later date.

          The truth is that the metadata shows the document being created 30 minutes before Guccifer2.0 appears to have gotten his hands on it.

          Steve commented: “I don’t think that the document creation date is necessarily reset with a Unix copy operation, only the document modification date.”

          I am understanding the following dates associated with G2 Doc1:

          12/19/15 — Doc1 date in the text header of the 237-page report
          6/15/16 — Doc1 MS metadata creation date
          6/15/16 — Doc1 MS metadata last modification date

          Steve, if you are saying the MS metadata creation date cannot be changed by Unix copy or other means, which I see is Adam Carter’s assertion, that would imply that G2 had to use Warren Flood’s computer or install Windows on a computer using Warren Flood as the user name, install MS Office, create a fresh Word template, copy and paste the 237-page body of the 12/19/15 document, all to have Warren Flood’s name as the original author, instead of DNC staffer Lauren Dillon.

          Steve, are you saying that G2 researched and found Warren Flood would make an ideal suspect, being a self employed whiz kid for Dem campaign IT? G2 wanting to create a false flag of being a DNC inside job with a false flag of a Romanian hacker as a false flag for a Fancy Bear is a little steep. Or, what am I missing?
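          The distinction drawn a few comments up between file metadata and the document’s internal metadata, and the three “Doc1” dates listed in the comment above, can be checked directly. The Python script below is an added example (not code from this thread, the Forensicator or Adam Carter): it builds a constructed .docx with a placeholder author and placeholder dates, back-dates its filesystem mtime, then copies it both with and without timestamp preservation, showing that the copy tool decides what happens to the on-disk mtime while dc:creator, dcterms:created and dcterms:modified inside docProps/core.xml are untouched either way.

```python
"""Compare a .docx file's internal metadata with its filesystem timestamps.

Added example, not code from the thread or from anyone it quotes. A .docx is a
zip archive whose author and creation/modification dates live inside it, in
docProps/core.xml; the mtime shown by `ls -l` is a property of the copy on disk.
All names and dates here are constructed placeholders.
"""
import os
import shutil
import tempfile
import zipfile
from xml.etree import ElementTree as ET

# Namespaces used by OOXML core properties (these are the standard URIs).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Minimal content-types part so the archive is a well-formed OOXML package.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">\n'
    '  <Default Extension="xml" ContentType="application/xml"/>\n'
    '  <Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>\n'
    "</Types>\n"
)


def read_core_properties(docx_path):
    """Return the document-internal metadata fields from docProps/core.xml."""
    with zipfile.ZipFile(docx_path) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(qualified_name):
        el = root.find(qualified_name, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def filesystem_mtime(path):
    """Return the filesystem modification time as whole seconds since the epoch."""
    return int(os.stat(path).st_mtime)


def build_sample_docx(path, creator, last_modified_by, created, modified):
    """Write a minimal, constructed .docx carrying the given core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">\n'
        f"  <dc:creator>{creator}</dc:creator>\n"
        f"  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>\n"
        f'  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>\n'
        f'  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>\n'
        "</cp:coreProperties>\n"
    )
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("docProps/core.xml", core)


def copy_and_compare(src, dst, preserve_times):
    """Copy src to dst like `cp` (preserve_times=False) or `cp -p` (True) and
    report which kind of date survived the copy."""
    (shutil.copy2 if preserve_times else shutil.copyfile)(src, dst)
    return {
        "internal_metadata_unchanged": read_core_properties(src) == read_core_properties(dst),
        "filesystem_mtime_unchanged": filesystem_mtime(src) == filesystem_mtime(dst),
    }


def demo():
    """Build a constructed document, back-date its mtime, copy it both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "original.docx")
        build_sample_docx(src, "PLACEHOLDER_AUTHOR", "PLACEHOLDER_EDITOR",
                          "2016-01-01T09:00:00Z", "2016-06-01T10:00:00Z")
        old = 1_450_000_000  # constructed: 13 Dec 2015 UTC, so a fresh copy must differ
        os.utime(src, (old, old))
        return {
            "core": read_core_properties(src),
            "plain_cp": copy_and_compare(src, os.path.join(tmp, "plain.docx"), False),
            "cp_p": copy_and_compare(src, os.path.join(tmp, "preserved.docx"), True),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Reading core.xml yourself is also how to check which “creation date” a report is actually quoting, since these internal fields are plain XML strings that nothing in the file authenticates.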

        • Steve McIntyre
          Posted Sep 30, 2017 at 9:19 PM | Permalink

          I think the Warren Flood memo was random as template, but who knows

        • Posted Sep 30, 2017 at 10:15 PM | Permalink

          Steve, I don’t think you understood Adam Carter’s point. The Warren Flood documents were not only modified on June 15, they were created on June 15. This makes it impossible to be random. Carter asserts the only way to set the creation date June 15 and original author Warren Flood in the metadata is to have the computer be Flood’s or, as I offered, to install the operating system using Flood’s name as user.

          Also, when you say random, from where do you speculate Warren Flood’s name came? He is not in any of the DNC or Podesta files or in any documents for G2 except inadvertently in the metadata of the first three G2 leaks.

    • Phil Howerton
      Posted Sep 24, 2017 at 9:54 PM | Permalink

      Steve: Read Alan Furst’s novels. Start with The Polish Officer and move on from there. He is a fine writer.

  10. TAG
    Posted Sep 24, 2017 at 8:56 AM | Permalink

    Could I just ask, given Russia’s record, why is it so doubtful that they perpetrated the DNC hack? Two Russian agents and a Kazakh-Canadian man have been indicted for hacking Russian and US businesses and officials in the Yahoo email hack. The Canadian man has been arrested and is in custody. He is additionally accused of using the Yahoo hack for his own private benefit outside of the work for the Russian government.

    The Russian government hacked an email provider. Why could they not have hacked the DNC servers?

    Cui bono

    • Posted Sep 24, 2017 at 9:01 AM | Permalink

      TAG, personally, I don’t think there should be any doubt Russia would want to break into the DNC’s servers. The only questions are, Did they succeed, and if so, are they the ones who released this material?

      • TAG
        Posted Sep 24, 2017 at 9:33 AM | Permalink

        When I read these finely detailed analyses, my memory goes back to the George W. Bush National Guard fitness report controversy. I read detail after detail that typewriters were available at that time that could create documents that resembled those from modern word processors. Each typewriter had some feature required but not all. These would have been highly expensive and uncommon. I brought up the point on one mailing list that the secretary from the base was alive and had been quoted in newspaper reports about the fitness report issue. If such a fancy typewriter was at the base and being used to create documents that would only be filed away, the base secretaries would know of its existence. I suggested just asking her. My contribution was not published to the list.

        • Steve McIntyre
          Posted Sep 24, 2017 at 10:05 AM | Permalink

          the George W Bush typewriter controversy was, in an important way, one of the first examples of social media influence. The actual document was shown on the internet, making it available to someone who actually knew about typewriter and wordprocessor fonts – things that were not known by national television reporters.

          Many of my criticisms of Mann, Briffa and other climate scientists are of this type: they didn’t investigate the details of their proxies. Otherwise, they wouldn’t use them upside down etc

        • MikeN
          Posted Sep 27, 2017 at 2:44 AM | Permalink

          It didn’t matter what the media knew about typewriters. They had no interest in verifying. The sudden appearance of the documents after they said they needed something more for a story was evidence enough for a normal reporter to be suspicious, plus they were dealing with copies, not originals. It was too good to check. Now that they do know, they (Rather and Mapes) insist the story is still true.

    • bmcburney
      Posted Sep 24, 2017 at 3:01 PM | Permalink

      TAG,

      As I say above, I am sure Russians are trying to hack the DNC every day of the week and given the apparent attitude of the DNC towards cyber security, I would be amazed if they had not succeeded at some point. The issue is not really whether the Russians were hacking the DNC or even whether they are a possible candidate for the Wikileaks source. Although the nature and timing of the e-mails released through Wikileaks suggests a Bernie supporter was the leaker/hacker, I would agree that there is no conclusive evidence on this point.

      The issue under discussion here is whether G2 is the Wikileaks source and also a Russian government hacker. In other words, whether there is any basis for the “Russians hacked the election” narrative and the resulting investigations/hysteria. On those points, a cui bono analysis points decisively towards the DNC/Crowdstrike as G2. See this and related threads.

      I agree that there are similarities between this situation and the Bush National Guard forgeries. Among other things, some observers (Dan Rather for one) took (and take) the content of the memos as “self-authenticating” proof of their authenticity and then conclude that their authenticity is proof of their content. Thus, even if the memos are fake, their content is accurate because it confirms what we already know about George Bush. Similarly, if we turn the proxies upside down they confirm what we already know about modern temperatures. Since we can use modern records to check the modern portion of the proxy record, it’s okay to use them upside down in our reconstructions. Used in that way, they prove scientifically that modern temperatures are unprecedented in the proxy record.

      • bmcburney
        Posted Sep 24, 2017 at 3:09 PM | Permalink

        I should have said there is no conclusive evidence that the Russians are not the Wikileaks source except that Wikileaks says they are not. This would be conclusive except that Wikileaks doesn’t explain (and likely can’t explain without exposing the source) how they know.

  11. mpainter
    Posted Sep 24, 2017 at 11:20 AM | Permalink

    What of the claim that DNC emails were stored on Google servers, hence inaccessible to the DNC hackers? Has this claim been verified?

    Anybody?

    • Follow the Money
      Posted Sep 24, 2017 at 1:57 PM | Permalink

      Interesting. Could be confusion with Podesta’s Google gmail account that was accessed?

      • mpainter
        Posted Sep 24, 2017 at 3:10 PM | Permalink

        Could be, I would like to know one way or the other. Who can answer this question?

        Anyone?

        • Steve McIntyre
          Posted Sep 24, 2017 at 4:28 PM | Permalink

          I definitely read somewhere that dnc.org emails used google service up to the hack, but not sure where I read it. I also recall reading that RNC didn’t use google service.

        • mpainter
          Posted Sep 24, 2017 at 4:52 PM | Permalink

          Likewise, myself, but I can’t recall where.
          I consider it a most important question that could resolve definitely whether the DNC emails were hacked or downloaded.

          The assertions by Wikileaks and Craig Murray are mostly ignored, but I have never seen any cogent argument against these.

        • Follow the Money
          Posted Sep 24, 2017 at 6:56 PM | Permalink

          http://www.thesmokinggun.com/documents/investigation/rnc-e-mail-was-hacked-901763

          This page says the RNC was hosted by Smartech, the GOP’s by Amazon.

    • mpainter
      Posted Sep 24, 2017 at 5:51 PM | Permalink

      I think this needs development to a logical conclusion:
      If the emails were stored on Google servers, then they could not be hacked from the DNC. Therefore, G2’s claim of being the source of the Wikileaks is prima facie false. Hence, he had no emails to release. But in fact he did release emails but it follows he got them by methods other than a hack.

      If one is prepared to believe that G2 is a Russian cyber operative tasked with a “deny and deceive” operation, then one accepts the premise that Russian Intelligence is a tribe of clumsy bunglers. Because, G2 bungled at the outset and his superiors simply brazened it out, trying to make a blown operation work.

      I believe that the operators of the G2 persona had two objects: one, to show that it was the Russians, and two, that they were also the source of the Wikileaks DNC emails. The claim by Wikileaks undermines this effort (recall, it was not until January this year that Wikileaks spoke out). If the DNC leaker were to come forward, the G2 persona would crash and burn.

  12. clipe
    Posted Sep 24, 2017 at 5:51 PM | Permalink

    I don’t have the intellectual chops to comment here. But I will anyhoo.

    I wonder what George Smiley would think of all this and (stretch) which of the dogs “did not bark”?

  13. Posted Sep 24, 2017 at 11:21 PM | Permalink

    Here is CNN’s timeline of Russia hacks. Since the FBI gave the DNC a heads up that their system was compromised by Cozy Bear, aka APT29, aka the Dukes, 6 months prior to the DNC calling Crowdstrike to verify the breach, I find it compelling that Crowdstrike could not be the source of Cozy Bear. The declassified US intelligence report, published by the NYT, says CB was a project of the FSB, whereas FB was a product of the GRU. I find it hard to believe that these organizations would not be reporting to Putin or their equivalent to a DNI in order to coordinate. As it happened, if the new activity of FB was what sounded the DNC alert to call Crowdstrike it means that one Russian group would have initiated the discovery and expulsion of both (somebody’s up for severe punishment for that). I find it implausible FB and CB were both Russian, especially considering the lax DNC security beforehand.

    Does anyone know how much document overlap is there between WL DNC and G2, between WL Podesta and G2, between DCLeaks and G2? Also, how damaging were the DCleaks?

    I think the strongest connection of G2 with WL by the US IC is simply the implausibility that a hacker not having inside knowledge of the DNC breach before the WL announcement could have mapped out a plan of action in two days. I think CrowdStrike is simply beyond suspicion. One could imagine that every top cyber security company is capable of installing a CB or FB or being a G2. But notwithstanding that the US federal government just banned Kaspersky from their computers last month, the admission that we rely on Russian and Ukrainian security experts to protect us from Russian and Ukrainian breaches is clearly something that would rather not be dealt with (publicly).

    If G2 was not WL leaker how does G2 know the real leaker would not expose him/her?

    • Lurker
      Posted Sep 24, 2017 at 11:51 PM | Permalink

      There isn’t much overlap.
      Some documents released by Guccifer 2.0 had changed metadata since they were apparently re-saved. Some of those documents are also in attachments in DNC emails on WikiLeaks.
      IIRC WikiLeaks didn’t release any documents, only DNC emails and later Podesta emails. Some documents were in attachments of those emails.

      I was doing some comparison of emails on DCLeaks and WikiLeaks and hadn’t found any overlap. But I haven’t documented it. Recheck to be sure.

      This blogger documented the overlap of Guccifer documents and WikiLeaks email attachments:

      Guccifer 2 and the Podesta Emails

      • Lurker
        Posted Sep 24, 2017 at 11:57 PM | Permalink

        I made some mistakes in my previous post:
        There was no overlap between documents Guccifer 2.0 released and attachments of the DNC leaked emails on WikiLeaks.
        There was overlap between Guccifer 2.0 files and attachments in WikiLeaks Podesta emails.

        Here is quote from https://jimmysllama.com/2017/05/28/9867/ explaining this.

        “What I’ve done is cross reference these leaks, which Guccifer 2 himself/herself said were from the DNC, with Wikileaks’ DNC email publication. My research shows that none of these Guccifer 2 DNC documents are in Wikileaks’ DNC documents. That’s not to say they didn’t show up at all in Wikileaks. They did. They showed up in Wikileaks’ Podesta emails, not the DNC emails. At least almost half of them did. The other half I was not able to locate at all in Wikileaks. Please feel free to cross reference this list yourself with Wikileaks (sometimes you have to be creative in your search or use the attachment or filename search) because I’m only human here, folks. Furthermore, I believe that debunking information only gets us closer to the truth.”
        -jimmysllama

        • Posted Sep 25, 2017 at 7:32 AM | Permalink

          Lurker, I am assuming that the Podesta WL was after the G2 release of the docs that overlapped, or if they were released after that they had more original meta-data than the WL version. One should keep in mind that a DNC insider might not have a clue about which DNC documents might get released but a Clinton insider could more easily determine what the Podesta set would include. Clearly, the best Podesta material was in WL and not G2.

    • Posted Sep 25, 2017 at 3:04 AM | Permalink

      Ron Graf:

      I find it hard to believe that these organizations would not be reporting to Putin or their equivalent to a DNI in order to coordinate.

      Why? The United States has equally bad coordination on any number of projects, even now, with 15 years of people calling for it to be fixed as a response to the terrorist attacks of September 11th, 2001. Do you really think Russia must have better coordination than the United States does? The country is a kleptocracy with constant in-fighting and back-biting as people jockey for power.

      Not that this is just a matter of incredulity. Russian intelligence/military has created separate groups to work independently of one another in things which overlap many times.

      • Posted Sep 25, 2017 at 7:38 AM | Permalink

        I would think that state sanctioned cyber attacks would need to get approval from a higher up since intelligence burglaries can be seen as quasi-acts of war, especially if caught in the act.

        • Posted Sep 25, 2017 at 3:29 PM | Permalink

          Cyber attack groups have standing orders regarding what they can/cannot do and who they should/should not target. There’s no reason to have them get permission for each attack against each target. It wouldn’t even be feasible when they target hundreds of networks.

          I imagine the groups would report to higher ups about successes/material they’ve gained access to, but that doesn’t mean those higher ups would then pass that information to other groups. That doesn’t mean the information would get passed along to other groups though. Unless the information gets passed quite a ways up the chain, the people who get the reports might not even have any oversight of the other group.

          I don’t even know what the upside of the coordination you describe would be.

        • Eric
          Posted Sep 25, 2017 at 3:30 PM | Permalink

          More serious intelligence burglaries than this have been claimed loudly. I think the intercepted Jan/Feb 2014 Nuland / Pyatt phone call on US interference in the 2014 Election in the Ukraine is a very apt example as it is my current opinion that much of this Russia hacking fact and fiction / spy vs spy goes back to these events.

          Avoiding links…
          “The recording “was first noted and tweeted out by the Russian government. I think it says something about Russia’s role,” White House press secretary Jay Carney told reporters.”

          From Reuters:
          “The leaked conversation appeared certain to embarrass the United States and seemed designed to bolster charges – from Russia, among others – that the Ukrainian opposition is being manipulated by Washington, which President Barack Obama’s administration strenuously disputes.”

          There is most definitely Ukraine & Clintons vs Russia, US Conservatives and Business Interests mess to untangle here. Strange bedfellows.

          Back to the subject of intelligence gathering and acts of war… during the cold war it was assumed that state actors were everywhere collecting everything they could. It is no different today.

          Today the world is much more complex in that technically sophisticated and much less rational non-state actors can also cause havoc. As many have pointed out these must be considered here. Finally, I also have no idea who is behind any of this but it is a mistake to assume that state actors require some concrete objective. The sowing of FUD in the election process and results and gumming up the government with byzantine suspicions and their investigations is reward enough.

        • Posted Sep 25, 2017 at 4:36 PM | Permalink

          Eric:

          Finally, I also have no idea who is behind any of this but it is a mistake to assume that state actors require some concrete objective. The sowing of FUD in the election process and results and gumming up the government with byzantine suspicions and their investigations is reward enough.

          Yup. This is why I wish people would at least try to be more rigorous in their analyses. Too much of what people publish winds up being shoddy work, and that is exactly the sort of thing the “bad guys” want. If the situation is such people can’t even agree on basic facts, the truth ceases to matter. Every narrative becomes equally valid – as long as it caters to someone’s preconceived perceptions.

        • Posted Sep 25, 2017 at 7:23 PM | Permalink

          “Every narrative becomes equally valid – as long as it caters to someone’s preconceived perceptions.”

          Do you agree with my analysis that the Russian clown makeup gave the quick confirmation of the Russian pre-conceived perception for the left? If that was true then the use of the Russian associated VPN service would be giving confirmation to those looking for a more technical confirmation. All the while the invalidity of those pieces of evidence would work to raise skepticism by Trump supporters, causing a deep division of domestic dispute and weakening the US.

          As I commented earlier, this would be a perfect Russian operation but for the fact that Russia takes the blame for it. Do you think they wouldn’t mind taking the blame among at least half of the US? My objections of G2 being able to plan out and commit to his/her operation in just two days vanishes if the overall mission was for Russia to take the fall for the hack with the use of false flags to itself so it could maintain deniability. Certainly Russia does not care significantly who is in power in the US as much as it cares about weakening the US.

          By the way, if anyone feels exonerated by my analysis they are just bending it to “preconceived perceptions,” because everyone loses, probably even Russia.

        • Posted Sep 25, 2017 at 8:08 PM | Permalink

          Ron Graf, I think that is a reasonably accurate description of what happened, but I don’t think it’s something which could have been predicted. Even if it could have, what you describe doesn’t seem to fit Guccifer 2.0’s behavior in regard to who he reached out to. For instance, if that was the goal, why reach out to state/local reporters?

          I can’t rule a possibility like you describe out, but I don’t see any particular reason to believe it is what happened. There is simply too little information for me to draw much in the way of conclusions. I mean, we don’t even know where some of the released documents came from.

        • Posted Sep 25, 2017 at 11:31 PM | Permalink

          Brandon, operations with political objectives, programmed based on predictable psychological responses, are what covert operations divisions do. I admit that it is not easy work but they are given state resources, and in countries like China, Russia and NK such groups command the top of the food chain. This does not mean that every event affecting the gameboard is planned, but when all other better explanations fail one should not shy from considering it.

          Do you dare to test a scenario that explains all the facts we know?

        • Posted Sep 26, 2017 at 1:16 AM | Permalink

          Ron Graf, I think if you examine actual intelligence operations, you will find they fall far short of the goals you lay out. Operations involving the risks and complexity of the false-false-flag operation you describe may happen on occasion, but they are not commonplace. I doubt you could find many, if any, examples of them being carried out in the past.

          As for theories, I don’t care to put much effort into explaining things when I have little to no information. As it stands, the theory which seems to track best as far as I can tell is the one I mentioned being suggested to me by a friend. Namely, APT-28 and APT-29 broke into the DNC network with APT-29 gaining greater access. APT-28 disseminated material from the network to Wikileaks while APT-29, partially in competition with APT-28, created the Guccifer 2.0 persona. The primary difference between this scenario and the one you describe is the disparate approaches were not planned out in advance or with any great amount of coordination.

          But even as I say that, I can pose a number of questions for that narrative which I cannot offer answers for. The same is true of any scenario I’ve seen. I don’t think there is enough information to reach any real conclusions. It could well be “mysteries” in some of the narratives posed thus far would be resolved if we had more information than we do now.

        • Posted Sep 26, 2017 at 8:07 AM | Permalink

          “As for theories, I don’t care to put much effort into explaining things when I have little to no information.”

          This has not stopped the U.S. MSM or IC.

        • Posted Sep 27, 2017 at 1:14 PM | Permalink

          Obviously, I was not talking about domestic leaking from a western IC to its own press. And, I also was not talking about reporter’s known sources supplied with condition of anonymity. In that case the reporter becomes the source and their organization’s credibility must stand behind the authenticity and validity of the source. In the WL case the reporter is Assange and he says his source was not a state actor but otherwise non-attributed. It raises a good question though; how can we trust the media not to be reporting foreign state’s supplied mis-information under the flag of domestically supplied mis-information?

      • bmcburney
        Posted Sep 26, 2017 at 3:48 PM | Permalink

        Brandon,

        Your theory of multiple Russian IC groups working against each other requires more than a lack of coordination. The GRU must actively be thwarting the FSB for your theory to work. I see that kind of thing in the movies, I haven’t seen evidence of it happening in real life.

        • Posted Sep 27, 2017 at 6:05 AM | Permalink

          Nothing about that proposed explanation requires the groups work against one another. In fact, they would be working together in all broad senses. The only conflict it suggests between the two groups is a competitive rivalry.

          All the explanation posits is both groups wound up infiltrating the same network, and when they got booted from the network, they wanted to go public. The group that was more successful with its infiltration went public by simply releasing material it obtained. The other group, recognizing it couldn’t compete in terms of material to release, went with a public deception designed to muddle and confuse matters. Both approaches ultimately serve the same goals of disruption and creating mistrust. Neither approach harms the other.

        • Posted Sep 27, 2017 at 8:12 AM | Permalink

          Brandon, that the fruits of foreign state espionage are anonymously leaked to the world is almost unheard of. If Russia or another state were behind the DNC/Podesta WL (despite Assange’s claims), then it might well be a first. But for argument let’s say that’s what happened. Then you are saying that the same foreign state allowed one of its agencies to undermine the credibility of that leak while risking exposing the state. And, if it was Russia they allowed G2 to fly the flag of Russia, even if it was a forgery. If this is your scenario what was their intention?

        • Eric
          Posted Sep 27, 2017 at 11:27 AM | Permalink

          “that fruits of foreign state espionage are anonymously leaked to the world is almost unheard of.”

          In fact such leaking is very common, even standard operating procedure. Maybe many leaks are not attributed to state intelligence sources but much of the news we read every day comes from intelligence service or ‘foreign state espionage’ leaks. Think even how often have you seen something attributed to “anonymous intelligence service sources”.

          The United States, Russia, and Israel in particular are notorious for using this method to manipulate public opinion at home and abroad.

        • Posted Sep 27, 2017 at 12:34 PM | Permalink

          Thank you Eric. I was going to comment to say the same thing.

        • Posted Sep 27, 2017 at 5:30 PM | Permalink

          Brandon, I replied on the thread above. https://climateaudit.org/2017/09/23/guccifer-2-and-russian-metadata/#comment-775254

        • bmcburney
          Posted Sep 27, 2017 at 7:17 PM | Permalink

          Brandon,

          The Wikileaks release and the G2 release are at cross purposes. The Wikileaks release was obviously intended to hurt Clinton by demonstrating that the DNC and various journalists colluded with Clinton against Sanders. The G2 release was obviously intended to discredit the Wikileaks release by suggesting it was the work of the GRU. Without G2 and his Russian whiskers there is no basis at all for the “Russian election hacking” narrative. There would have been no FBI investigation, no surveillance of Trump associates, no leaks of information obtained during the surveillance of Trump associates, no Independent Counsel investigation, no four Congressional investigations of Russian election hacking, no sanctions against Russia for election hacking, no anti-Russian hysteria of any kind.

          Assuming, for the sake of argument, that two groups of Russian operatives separately obtained the same set of documents from the DNC (something which, taken in isolation, can neither be proven nor disproven) and further assuming that the two groups released those documents to the public, via Wikileaks in one case and via G2 in the other, the only possible conclusion is that both groups of Russians are insane and, if their activities were coordinated in some way, the coordinators are also insane. This seems unlikely to me.

          I am open to the suggestion that the Russians actually favored Hillary (there actually is some evidence for that possibility) but, if so, why provide the initial set of damaging emails to Wikileaks? I am open to the suggestion that the Russians favored Trump but, if so, why discredit the Wikileaks release by suggesting that Russian spies were trying to swing the election to him? No matter which candidate the Russians favored, however, I cannot believe that Russian intelligence operatives actually tried to make themselves appear to be the villains in an “election hacking” scenario. Russia is now subject to sanctions for election hacking which Trump did not dare to veto. Now and for the foreseeable future, Trump is unable to make any deals with Russia to roll back the original post-Crimea sanctions, or the new election hacking sanctions, or make a deal on the Syrian disaster or on Ukraine or on the recent “open skies” dispute without leaving himself open to suggestion that the deal was payback for Russian election hacking. The idea that the FSB and GRU were working against each other is fanciful. The idea that this is all part of a coordinated Russian master plan is ludicrous.

          The original Wikileaks source(s) were pro-Bernie hackers or leakers. G2 was created by Crowdstrike and the DNC to: (1) discredit the original Wikileaks sources; (2) create an excuse for renewed and expanded FBI surveillance of Trump associates; and (3) to create a “Russian election hacking” narrative. The Russians themselves had nothing to do with any of it.

        • AntonyIndia
          Posted Sep 27, 2017 at 9:05 PM | Permalink

          bmcburney
          I understand now that there were Federal investigations running long before this DNC breach against for example Manafort’s and Flynn’s advisory efforts in Ukraine/ Russia. Funnily also the Podesta brothers were involved.
          So both HRC and Trump hired marked presidential campaign managers without realizing.

          On the other hand, who knows which politically relevant US citizens are not under the secret microscope with those thousands of FISA rubber stamps?

        • bmcburney
          Posted Sep 28, 2017 at 8:31 AM | Permalink

          AntonyIndia,

          I am aware of an FBI investigation of Manafort in 2014 prior to these events. However, that investigation was closed without charges when the original warrant expired. The renewed FBI investigation, and FISA warrant of 2016, were clearly based on suspicions raised by the “election hacking” narrative supplied by G2.

          As far as I know, there was no Flynn investigation prior to 2016. That investigation was evidently triggered by Flynn’s contact with Ambassador Kislyak.

        • Steve McIntyre
          Posted Sep 28, 2017 at 4:45 PM | Permalink

          somebody from the Obama admin – Rice, Power ? – unmasked Flynn, who was then leaked to press. Nothing wrong with Flynn being in contact with Kislyak, but Flynn lied to Pence about discussion, so Trump fired him. Comey also lied to Trump, so Trump fired him.

        • AntonyIndia
          Posted Sep 28, 2017 at 10:28 AM | Permalink

          bmcburney
          How did anybody besides Flynn and Kislyak know about their conversation? They were spied upon by the FBI & co, the same people who claimed to have wiretapped some Eastern Europeans busy contacting their old advisor Manafort again (or the other way around). Nothing to do with either Trump or the DNC breach.
          https://www.circa.com/story/2017/06/27/nation/did-the-fbi-retaliate-against-michael-flynn-by-launching-russia-probe

        • bmcburney
          Posted Sep 28, 2017 at 12:19 PM | Permalink

          AntonyIndia,

          “How did anybody besides Flynn and Kislyak know about their conversation?”

          All of Kislyak’s communications with everyone are monitored by US intelligence to the extent they are able to do so. Presumably, this is something both Flynn and Kislyak knew (but forgot?) at the time of their conversation.

        • Steve McIntyre
          Posted Sep 28, 2017 at 4:50 PM | Permalink

          perfectly appropriate for Flynn to talk to Russian ambassador. Incoming Obama admin did same thing in Dec 2008.

  14. Curious George
    Posted Sep 25, 2017 at 10:07 AM | Permalink

    This paints a very dim picture of the “intelligence community”. From an “abundance of caution” they included the totally unverified Steele dossier in their assessment. An important function of intelligence agencies is to separate disinformation from information. They failed miserably. Intelligence? Dimwits.

    • mpainter
      Posted Sep 25, 2017 at 10:23 AM | Permalink

      What we are witnessing is the politicization of U.S. intelligence that started under Bush and proceeded under O’bumma. I feel sure that there are many dedicated professionals who deplore this. I am not ready to write off as incompetent the whole U.S.IC, but only as partly corrupt.

      Good rule of thumb: if IC releases have political impact, a skeptical reception is in order.

      Steve: please use the term Obama – to be a little more couth

      • mpainter
        Posted Sep 25, 2017 at 3:40 PM | Permalink

        Obama brings moderation, but I’ll avoid any objectionable usages henceforth.

        Steve: I’ve taken “Obama” out of moderation.

        • mpainter
          Posted Sep 25, 2017 at 3:42 PM | Permalink

          Ah! Has your list of forbidden words been changed?

    • Posted Sep 25, 2017 at 12:47 PM | Permalink

      ‘This paints a very dim picture of the “intelligence community”.’

      Wait. Let’s reflect a moment on all the historical successes that did not result in national embarrassment or creation of eternal enemies. Okay, done.

      • Steve McIntyre
        Posted Sep 25, 2017 at 2:00 PM | Permalink

        I’ve been mulling over the idea of a connection between the end of the Cold War ~1989-90 and the amazing amount of bombing and regime change wars involving the US from 1992 on, beginning back to Gulf War, Bosnia, Kosovo, bombing of Iraq under Clinton, Iraq, Libya, Syria, Sudan, Yemen… When did US start amassing military bases in Saudi and the Middle East?

        Before the end of the Cold War, the US seems to have mostly left interference in the Middle East to UK and France.

        Did the end of the Cold War remove a previous restraint on the US military, which, now unthreatened by Russia, was free to expand into the Middle East to “protect” against some supposed threat, while actually creating resentments that grew into the previously non-existent threats?

        Why didn't the end of the Cold War result in reduced military spending rather than increased military spending?

        Also since the end of the Cold War, the entire US economy has been reorganized with the abandonment of large swathes of industrial sector to Chinese imports, accompanied by huge government deficits funded largely by China. Meanwhile, Russia is fiscally solvent, with negligible government deficits or foreign debt.

        • TAG
          Posted Sep 25, 2017 at 3:05 PM | Permalink

          There was ethnic cleansing and mass murder occurring in Bosnia and Kosovo. It wasn’t just the US responding to that. It was NATO with UK, French, Canadian .. forces responding. The Dutch UN forces abandoned thousands of men and boys in Srebrenica who were later found in mass graves. In Libya, it was France taking the lead with the traditional interest in North Africa. Obama wanted to keep the US out until Gaddafi prepared an assault on Benghazi that would have led to mass murder.

          American man

        • TAG
          Posted Sep 25, 2017 at 3:12 PM | Permalink

          American manufacturing has significant upward growth only interrupted by the 2008 recession.

          Check the chart in

          http://www.businessinsider.com/manufacturing-output-versus-employment-chart-2016-12

          Other sources I’ve read indicate that the decline in American manufacturing employment is due much more to automation than to China.

        • TAG
          Posted Sep 25, 2017 at 3:16 PM | Permalink

          Just to add a personal note. A colleague of mine visited factories in China around 2001. He was amazed at the amount of automation in the factories he visited. He has stories about large factories full of robots and empty of people. The manufacturing success of China is not due solely to cheap labor and currency manipulation ala Trump

        • mpainter
          Posted Sep 25, 2017 at 4:09 PM | Permalink

          TAG, critical thinking is the key. On any question you can find published in the media contrary points of view. Such as your referred “automation is the reason for decline of U.S. manufacturing”. Go into Wal-Mart and try to find a product that is not made in China. Then reflect on how much of the typical automobile is made elsewhere and then shipped to the U.S. for assembly. Continue this method of thought for about a minute. It will help your understanding and you will avoid the pitfalls of propagating special interest, ah, “inspirations”.

        • TAG
          Posted Sep 25, 2017 at 5:07 PM | Permalink

          In regard to US auto manufacturing and automation on blue collar jobs

          From MIT – mid skill jobs such as those in manufacturing are particularly susceptible to automation. Other sources indicate that this has become especially true since the deep learning revolution started in 2010 with improvements in computer vision allowing robots to be better able to understand scenes

          https://www.technologyreview.com/s/602869/manufacturing-jobs-arent-coming-back/

          Boston Consulting Group reports that it costs barely $8 an hour to use a robot for spot welding in the auto industry, compared to $25 for a worker—and the gap is only going to widen. More generally, the “job intensity” of America’s manufacturing industries—and especially its best-paying advanced ones—is only going to decline. In 1980 it took 25 jobs to generate $1 million in manufacturing output in the U.S. Today it takes five jobs.

          https://medium.com/mit-initiative-on-the-digital-economy/robocalypse-now-technology-productivity-and-employment-4e12e97139d2

          Mid skill: Many of these jobs deal with the kinds of routine tasks that can be well described by a set of rules and have thus been prime candidates for automation. Many blue collar jobs, such as manufacturing and other forms of production, fall into this category. So do white-collar, information-based activities like accounting, record keeping, and different kinds of administrative tasks. Mid-skill jobs have been steadily declining, especially since 2000.

        • mpainter
          Posted Sep 25, 2017 at 5:34 PM | Permalink

          Another example is the furniture industry. After 2000 the U.S. furniture factories were packed up and shipped to China. North Carolina was the source of over half of the fine furniture manufactured in the U.S. The fine Appalachian hardwood lumber that provided the raw material for this fine furniture is all shipped overseas these days. The lumber is returned as furniture.

        • Joseph W.
          Posted Sep 25, 2017 at 8:38 PM | Permalink

          Did the end of the Cold War remove a previous restraint on the US military, which, now unthreatened by Russia, was free to expand into the Middle East to “protect” against some supposed threat, while actually creating resentments that grew into the previously non-existent threats?

          No. The U.S. military didn’t invite Saddam Hussein to invade Kuwait, his potential threat against Saudi Arabia and other states in the region was real rather than “supposed,” Iran was not serving as a counterweight against his ambitions, and no one in the U.S. military relished, or in my experience ever relishes, the idea of going to the Middle East. (If we want a sparsely populated oil state of our own, we’ve got Alaska.)

          Also, while bin Laden’s fatwas do partly castigate the U.S. for its “occupation” (i.e., defense) of Saudi territory, and its supposed role in the massacres in Bosnia, they also attack the U.S. for its alliance with Israel, which covers the last half of the Cold War. So there was plenty of resentment there already.

          It would be nice if great conflicts could end with a final peace, but instead they end with realignments and new conflicts…the Soviets don’t have to fight the Germans anymore, so they can concentrate on their rivalry with the West; the jihadists don’t have to fight the Soviets anymore (I remember when “mujahedin” was a term of accolade in the U.S.), so can concentrate on more distant infidels.

          Why didn't the end of the Cold War result in reduced military spending rather than increased military spending?

          It did, at first. See the chart. It went from $409 billion in 1990 down to below $300 billion in 1999 (A big rhetorical point in the Clinton years was how to spend the “peace dividend.”) But it skyrocketed after 9/11.

        • mpainter
          Posted Sep 25, 2017 at 9:15 PM | Permalink

          TAG, I copy your comment above:

          Posted Sep 25, 2017 at 3:16 PM | Permalink
          Just to add a personal note. A colleague of mine visited factories in China around 2001. He was amazed at the amount of automation in the factories he visited. He has stories about large factories full of robots and empty of people. The manufacturing success of China is not due solely to cheap labor and currency manipulation ala Trump.

          ###

          TAG, now you need to explain how automation added 100 million manufacturing jobs to the Chinese economy while in the U.S. automation subtracted 5 million jobs.

        • AntonyIndia
          Posted Sep 25, 2017 at 9:38 PM | Permalink

          Imagine no US reaction to Saddam’s invasion of Kuwait in 1990; next he takes KSA. No more Wahhabi poison spreading around the world: secularism growing in the ME, be it under force – the horror. No more dancing to Saudi Elite’s fiddles by the US and UK. Saddam could have been strong enough to keep the Russians or Chinese out too…
          Yugoslavia with less external forces splitting in 1991 – less violence. No self-embarrassment for NATO inside of Europe. No Pakistan – North Korea barter of N-bomb technology for long range missile technology or centrifuge tech. to Iran.
          Quite an opportunity missed for “a few dollars more”.

        • mpainter
          Posted Sep 25, 2017 at 9:48 PM | Permalink

          Under your scheme rape and plunder get the green light because it makes a better world. Well, let’s all get busy and help ourselves to our weaker neighbors. Let us not dawdle lest another pirate snatch the boodle from us.

        • MikeN
          Posted Sep 25, 2017 at 10:06 PM | Permalink

          Claims like these are easy to say. The media will never verify. Inaction in Libya would have led to mass slaughter of civilians is just assumed true at this point.

        • TAG
          Posted Sep 26, 2017 at 12:52 PM | Permalink

          Inaction in Libya would have led to mass slaughter of civilians is just assumed true at this point.

          The action in Libya was led by France and the UK. The US under Obama had little to do with the decision to intervene except to oppose it. US foreign policy is influential but not decisive. Under Trump, as Angela Merkel noted, it is becoming irrelevant except where Trump’s blunderings (North Korea) have made things much worse than they should be.

        • mpainter
          Posted Sep 26, 2017 at 1:01 PM | Permalink

          Merkel has just been upended and her party might not be able to form a coalition. Germany has taken a right turn. Big change and it is attributed to the “Trump factor”.
          Merkel quotes on Trump are good for revealing her misjudgment.

        • bmcburney
          Posted Sep 26, 2017 at 4:05 PM | Permalink

          There was a substantial reduction in military spending immediately following the end of the cold war. So much so that the US actually achieved a small budget surplus in the mid-1990s. The increase in Defense spending which took place after 9/11 was from a lower base.

          The main drivers of US military involvement in the greater Middle East during the post-cold war period were that Saddam invaded Kuwait and 9/11 happened. The break up of Yugoslavia and the collapse of the Somali government resulted in fairly minor US military activity. Libya and Syria even less.

        • Steve McIntyre
          Posted Sep 26, 2017 at 5:31 PM | Permalink

          fair enough

        • Don Monfort
          Posted Sep 26, 2017 at 5:10 PM | Permalink

          TAG: “Trump’s blunderings (North Korea) have made things much worse than they should be.” That is some real foolishness. Can you explain how Trump is even remotely responsible for the N Korean thugocracy possessing and promising to use nuclear weapons and ICBMs? Could it be that you wanted Trump to be nicer to those monsters? His predecessors played that foolish game.

        • Steve McIntyre
          Posted Sep 26, 2017 at 5:33 PM | Permalink

          Trump’s standard negotiating position is to start at an extreme. As distasteful as I find his NoKo melodramatics, I harbor some hope that there’s posturing in it

        • Don Monfort
          Posted Sep 26, 2017 at 6:47 PM | Permalink

          He has got the Red Chinese thugocracy worried enough to take serious measures to discourage N Korean nuke foolishness for the first time in history.

        • Frank
          Posted Sep 27, 2017 at 2:07 AM | Permalink

          Steve wrote: “I’ve been mulling over the idea of a connection between the end of the Cold War ~1989-90 and the amazing amount of bombing and regime change wars involving the US from 1992 on, beginning back to Gulf War, Bosnia, Kosovo, bombing of Iraq under Clinton, Iraq, Libya, Syria, Sudan, Yemen… When did US start amassing military bases in Saudi and the Middle East? Before the end of the Cold War, the US seems to have mostly left interference in the Middle East to UK and France.”

          France and the UK probably ceded primary leadership in the Middle East after being opposed by the US during their attempt (with Israel) to regain control of the Suez Canal from the Egyptians in 1956. In 1956, Nasser was playing the Americans off vs the Soviets, but by the 1967 Arab-Israel war, Nasser was firmly in the Soviet camp and that war put the US squarely in the Israel camp.

          The 1970’s brought the Arab oil embargoes and the recognition that the West (especially Europe) was extremely vulnerable to the potential loss of Middle Eastern oil to a Soviet land attack through Iran (then our ally). That was when the US set up “Central Command” (to supplement Pacific Command and NATO) to run all military actions in the Middle East (from Lebanon to Afghanistan). That was when the US set up bases in the Gulf States. CentCom ran brief operations in Lebanon and they protected “neutral shipping” in the Persian Gulf during the Iran-Iraq war in the 1980’s. However, the US didn’t have the resources to take on the Russians in both Europe and Iran, making CentCom a backwater until Saddam invaded Kuwait, just as the Cold War ended.

          Immediately before the Clinton administration began new adventures in the Balkans, Somalia, and Haiti, the Reagan and Bush administrations had been involved in Afghanistan, Lebanon, Grenada, Nicaragua, Angola and finally the Gulf War. So US involvement overseas GRADUALLY shifted from mostly anti-Soviet to a diverse set of engagements in the 1990’s.

        • TAG
          Posted Sep 27, 2017 at 9:27 AM | Permalink

          Mpainter commented

          TAG, now you need to explain how automation added 100 million manufacturing jobs to the Chinese economy while in the U.S. automation subtracted 5 million jobs

          From an article in MIT Technology Review – there is a comment on the effect of automation on American manufacturing jobs. Productivity is rising with the effect of automation:

          https://www.technologyreview.com/s/602869/manufacturing-jobs-arent-coming-back/

          In 1980 it took 25 jobs to generate $1 million in manufacturing output in the U.S. Today it takes five jobs.

        • mpainter
          Posted Sep 27, 2017 at 12:18 PM | Permalink

          TAG, the key to critical thought is to conduct one’s own evaluations. Simple math is all that’s needed.

          The U.S. trade deficit with China in 2016 was $347 billion in the goods category.

          Using your figure of five jobs per $ million of product value, I calculate that the U.S. trade deficit with China cost 1.74 million U.S. manufacturing jobs.

        • mpainter
          Posted Sep 27, 2017 at 12:27 PM | Permalink

          To recap, TAG, your claim that the U.S. has not lost manufacturing jobs to China is shown as false through the application of simple math.

      • Posted Sep 26, 2017 at 12:05 AM | Permalink

        Okay happy reflections time is over. 🙂

  15. rufus10000
    Posted Sep 25, 2017 at 7:43 PM | Permalink

    Steve, always in search of the truth.

    You are a true hero.

    Brotherly love from Norway.

  16. MrPete
    Posted Sep 25, 2017 at 9:54 PM | Permalink

    Here is some important context. Please examine the following leaked chart carefully.

    EVERY news report I’ve seen has misinterpreted it.

    What to ask yourself: how certain is it that the Russians were involved?

    I will comment after this… (click on the chart for full size)

    Leaked Diagram

    The key to more in-depth understanding, is the fine print that most people ignore. Look at the key. Which lines are confirmed facts, which are assumptions, which are conjecture?

    What you will discover: there are zero confirmed facts that connect to Russia. Only Analyst assessment and assumed context.

    Just sayin’.

    • mpainter
      Posted Sep 25, 2017 at 10:04 PM | Permalink

      Exactly, and this chart is incontrovertible proof of the corruption of U.S. intelligence. It is meant for the gullible, not for intelligence professionals.

      • Posted Sep 25, 2017 at 10:31 PM | Permalink

        This chart has absolutely nothing to do with the DNC hack. It’s not meant for the gullible either. It was classified and intended to be seen only by people who would understand what it shows.

        • Steve McIntyre
          Posted Sep 25, 2017 at 10:49 PM | Permalink

          Brandon, you’re wrong and Pete is right. Here’s my answer to Pete’s question: the yellow arrow on left shows weak confidence in attribution of APT28 to Russian GRU. I’m trying to remember where I read this connection between Reality Winner disclosure and DNC hack.

        • Posted Sep 26, 2017 at 12:41 AM | Permalink

          I have a testy comment I wrote, but rather than post it, I’ll try being more diplomatic. Steve McIntyre, would you please point to the portion of this report, from which that chart was taken, which discusses or otherwise deals with the intrusion to the DNC network?

          https://www.documentcloud.org/documents/3766950-NSA-Report-on-Russia-Spearphishing.html#document/p1

          Because I have to say, I can’t imagine how a report about attacks which happened in “August to November 2016” is about the DNC intrusion which was resolved months before.

        • Steve McIntyre
          Posted Sep 26, 2017 at 8:28 AM | Permalink

          Brandon, always a good idea to resist the temptation to be testy. Internet doesn’t help. Back in the day when I was young and had to deal with business disputes from time to time – and one still corresponded by written letters or faxes – I learned that, whenever I had a particularly clever repartee, it was always a good idea to sleep on it overnight and remove it in the morning, especially when I was right. Never did any good to annoy a customer or supplier.

        • mpainter
          Posted Sep 26, 2017 at 2:18 AM | Permalink

          Ordinarily, documents that are classified are not seen by the public. My understanding is that only POTUS may legally authorize public release of a classified document such as this. It is a safe assumption that Obama released this for political effect. That is a political decision. Such an act carries with it the possibility that this chart was devised with the purpose of public effect.

          As I said, the IC has been politically corrupted. Who disagrees? The campaign to pin Trump as “colluding” with Russia did not get underway until he had been elected.
          This document made be seen as part of that campaign.

        • Posted Sep 26, 2017 at 2:34 AM | Permalink

          snip
          First off, the classification of this document is listed in the document, meaning we can tell what type of official could de-classify. The president is not the only one. I’m not sure there is even a type of document only the president has the authority to de-classify.

          As for Obama releasing this document, there is nothing safe about that assumption. In fact, that assumption is insane. The document explicitly states it uses information obtained in April 2017, months after Obama had left office. It would have been impossible for Obama to have even seen this report while he was in office. He certainly couldn’t have released it.

          Not only would it have been impossible for Obama to order the release of this document, we know exactly who “released” it. I put the word “released” in quotation marks because it was actually leaked to a news website by a military contractor named (I kid you not) Reality Winner. Winner is currently awaiting trial after having confessed to leaking this report.

          snip

        • mpainter
          Posted Sep 26, 2017 at 4:30 AM | Permalink

          snip

          The WaPo has reported that Mike Pompeo has taken direct control of the CIA Counterintelligence Mission Center, in August. This is the division responsible for investigating Russian-Trump “collusion”, according to the article. The article spun it anti-Trump ugly and attributed to the head of that division profound mistrust of Trump. Hopefully, Trump will share with the public what he now learns about this division’s investigation.

        • Posted Sep 26, 2017 at 11:34 AM | Permalink

          Steve McIntyre:

          Brandon, always a good idea to resist the temptation to be testy. Internet doesn’t help. Back in the day when I was young and had to deal with business disputes from time to time – and one still corresponded by written letters or faxes – I learned that, whenever I had a particularly clever repartee, it was always a good idea to sleep on it overnight and remove it in the morning, especially when I was right. Never did any good to annoy a customer or supplier.

          That’s nice and all, but would you please answer the question I asked you? I don’t appreciate having someone, especially the host of a site, jump into a discussion to say, “You’re wrong, he’s right” and nothing more. Not only is that rude, but it renders it impossible for any useful discussion to be held.

          I have a lot of respect for work you’ve done on issues like paleoclimatology, but to be honest, your writing on “hot topic” issues has been incredibly shoddy. Taking to Twitter to label a story #FakeNews based on nothing more than a self-serving statement which was confirmed to be false within a couple days? Writing a post with a narrative lambasting a company while leaving out crucial information which not only makes the company look far less bad, but likely resolves a mystery you raise in the post? Here, defending MrPete’s posting of a chart with every implication that it was about the DNC hack when in reality it had nothing to do with that?

          If not for the respect I have for work you’ve done in the past, I wouldn’t even look at this site with this level of discussion. It’s not like I can even expect errors or inaccuracies (of which there are many more than I’ve pointed out) to get corrected.

      • mpainter
        Posted Sep 26, 2017 at 2:36 AM | Permalink

        May be seen, not made be.

        The attribution by CrowdStrike of APT 28 to Russian state cyber operatives has the same flimsy support as this report (that contained the above chart).

        “Watermarks” of G2:

        Felix Edmundovich [Dzerzhinsky] Bolshevist and founder of the Cheka, the origin of today’s Russian intelligence service.

        Ernesto Che [Guevara] Castro communist and revolutionary figure

        Chen Du [Xiu] founder of the Chinese communist party and its first Secretary General.

        Thus we are told that G2 is a Russian operative. My view is that any publicity from the U.S. IC concerning Russian cyber activities is to be treated with skepticism.

        Steve: also Nguyen van Trang. Later pseudonyms only used after Felix was already an issue and thus discounted by IC. But yes, skepticism warranted

    • mpainter
      Posted Sep 25, 2017 at 10:05 PM | Permalink

      Pretty chart, though.

    • Posted Sep 25, 2017 at 10:29 PM | Permalink

      I’m not sure of the sense of saying, “EVERY news report I’ve seen has misinterpreted” a chart when you present it in a way that begs people to misinterpret it. Anyone reading your comment would assume the chart which follows was made in reference to the DNC hack since that is the subject of the post you’ve commented on. Your introduction, “Here is some important context,” does nothing to suggest to readers it is about anything but the DNC hack.

      However, the chart you’ve posted has nothing to do with the DNC hack. The report it was taken from is about (supposed) Russian attempts to compromise aspects of the United States electoral system (computer systems involved, not voting machines themselves). These are two entirely different things. Nobody reading your comment could be expected to realize that.

      You might be right in that one attack may provide context for the other, but nobody reading your comment would interpret it that way.

    • AntonyIndia
      Posted Sep 25, 2017 at 11:24 PM | Permalink

      What about the red lined box: GRU is “the adversary” but this is only substantiated with yellow lines – analyst judgments. No other options or error bars at all. Other adversaries love this kind of stuff.

      They should hire Dmitri Alperovitch directly, as he can produce red lines within 1 or 2 days or less, guaranteed desired attribution.

      • Posted Sep 26, 2017 at 1:05 AM | Permalink

        That is not an appropriate reading of the chart. The chart uses a natural layout for diagramming attacks, showing the adversary space, the neutral space and the target space. Those are three categories one could include in a diagram of any attack like this. If you believe an organization or individual was responsible for an attack, his systems would be classified as being in the “adversary space.”

        That doesn’t mean you are saying that organization or individual is “the adversary” in some over-arching policy sense. It just means that, in the case of this attack, they are the adversary that was behind it.

        Also, the report never once says “the adversary.” It only uses the phrase “adversary space.” Altering quotes in a way which distorts their meaning is not something we should do.

  17. MrPete
    Posted Sep 26, 2017 at 8:06 AM | Permalink

    A followup. I apologize that I didn’t take time to more fully explain in the original… yet I wanted others to reflect on it a bit more before I added any additional thoughts.

    1) As I said, I provided the diagram for context. Brandon is correct that it’s not directly about the DNC hack. However, it provides important context for understanding a bit better how these things work — in general. Obviously, it is quite rare for us to see documents like this! [Added in edit: I would expect that a similar document exists for the DNC situation… and from what I’ve seen, the levels of confidence are likely similar.]

    2) Something very important to understand, that can be read directly from the diagram if you have eyes to see… there is quite a lot of interpretation involved in this work. As Brandon noted quite rightly, one must be careful not to go beyond that in our own conclusions of what is fact.

    3) Something worth considering: sometimes (I have no idea how often), material may be classified NOT because the material is secret… but because our knowledge is minimal and conclusions are much-less-than 100% certain. 60% this, 70% that. VERY easy to misunderstand, VERY easy to draw inappropriate conclusions. And therefore dangerous in the hands of those who are quick to jump to conclusions. Thus, a “national security risk” if the assessment is made public.

    Hopefully that helps explain why I shared this in the context of DNC hack discussions. We easily misinterpret evidence based on too many assumptions.

    For a fascinating read, including the sleuthing part of the story, on an unrelated yet very revealing series of events that help explain just how much power is in the hands of people around the world in the online realm, I commend the following links:

    1) Last year, Brian Krebs was hit with a HUGE attack (600+ Gbps incoming data)
    https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

    2) In further analysis of these kinds of things, experts like Bruce Schneier concluded it was nation-states testing their power to potentially take down the whole Internet
    https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

    3) Krebs invested a huge amount of time to find the real — and surprising — answer.
    https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

    Please don’t spoil it for others for at least a day or two 🙂

    • Eric Barnes
      Posted Sep 26, 2017 at 8:47 AM | Permalink

      Thanks for the excellent information Pete. I’m looking forward to reading this in more detail this evening.

    • AntonyIndia
      Posted Sep 26, 2017 at 11:27 AM | Permalink

      So it took Krebs almost 4 months (and luck) to find out who was behind that attack, while it took Alperovitch ~ 24 hours for his attribution. One big difference is that the latter saw a huge opportunity for personal (business) PR plus blackening his favourite adversary Russia so in his haste swallowed (or made up?) some ridiculous clues plus some additional amateur false tracks.

      Thanks, Pete, for this glimpse of a real cyber sleuth and his work.

    • Posted Sep 26, 2017 at 11:49 AM | Permalink

      MrPete, I have a more substantive response to follow, but I feel it is important to stress what you’re saying. You say you “wanted others to reflect on it a bit more before [you] added any additional thoughts” yet you went out of your way to talk about how the media has supposedly misinterpreted the material. I find it difficult to understand why you would feel criticizing the media merits time and space before allowing people to reflect on the issue while telling people the report is not about what they think it is about did not.

      That seems unbelievable to me. You didn’t even provide any sort of link so people could possibly have figured out what the report was about. Your actions ensured nobody could possibly tell what the chart you were showing was in reference to meaning everyone would assume it was about the DNC hack. The idea is you apparently didn’t want to distract people by bothering them with little details like, “This report is not about the topic you guys are all discussing, it’s about a different one which nobody here has mentioned but is somewhat related” yet you felt it important to tell them:

      EVERY news report I’ve seen has misinterpreted it.

      What to ask yourself: how certain is it that the Russians were involved?

      While not bothering to add even just these four words “in a different attack.” That is ludicrous. Even Michael Mann would blush at this. If you didn’t know what the report was about when you made your original comment, that would make far more sense given what you wrote. The idea you knew what the report was about but intentionally hid it from everyone would mean you intentionally deceived readers. I don’t believe that’s the case.

      • Don Monfort
        Posted Sep 26, 2017 at 12:31 PM | Permalink

        Thanks for not getting testy, Brandon. Your juvenile outrage is far more entertaining.

      • MrPete
        Posted Sep 28, 2017 at 9:13 PM | Permalink

        Brandon, my point is identical for both the situation where we DO have a leaked assessment document (the one I shared), and the situation where we do NOT have one (the DNC hack):

        – The underlying factual situation tends to be far more nuanced than how the media (and most of the rest of us) interpret it.
        – In the case of the events for the document I shared, I still have not found a media report that got it right: 100% of the reports I have seen presume that we have a “smoking gun” of factual evidence that nails “the Russians.” No caveats are provided. Now I haven’t continued to search so who knows, maybe there are a thousand such reports now. I’ve not seen them.

        As for your accusation that I didn’t provide a handy-dandy link so people could do their own research… I guess I have more respect for the intelligence of the average CA reader. After all, the image I posted contained lots of hints. It’s quite easy to find everything needed. I tried a few google searches and they all worked fine. For example: spear phishing nsa

        • Posted Sep 28, 2017 at 9:42 PM | Permalink

          MrPete:

          – The underlying factual situation tends to be far more nuanced than how the media (and most of the rest of us) interpret it.

          It is interesting to see you talk about how nuanced things are after claiming to have intentionally withheld information in a way which made it impossible for anyone to realize the material you were showing was not for the DNC hack, but rather, an entirely different set of cyberattacks.

          As for your accusation that I didn’t provide a handy-dandy link so people could do their own research… I guess I have more respect for the intelligence of the average CA reader. After all, the image I posted contained lots of hints. It’s quite easy to find everything needed. I tried a few google searches and they all worked fine. For example: spear phishing nsa

          Steve McIntyre should feel free to tell me how wrong I am in saying this, but I think any regular reader of this site would say choosing not to provide any reference, citation or link to material is not okay simply because a person can use internet searches to try to find the material being displayed. I am certain regular readers would not say it is okay to jump into a discussion of one topic with an unsourced, unreferenced figure for a different topic without saying a single word to indicate to readers you are introducing a new topic.

          If you have any “respect for the intelligence of the average CA reader,” you should stop pretending what you did was normal or right. They aren’t dumb enough to fall for it.

        • mpainter
          Posted Sep 28, 2017 at 9:59 PM | Permalink

          Brandon, you couldn’t be more wrong. A topic is easily researched without links. Pete is right: intelligent readers know how to use the internet and links often turn out to be biased and worse than no link.

          Steve McIntyre left a message for you up thread. It seems that you missed it. I urge you to look for it and study it. He meant it kindly.

          In the meantime, you should tender an apology to Pete for your rudeness.

        • MrPete
          Posted Oct 2, 2017 at 1:48 PM | Permalink

          One PS: I’m curious how many are aware of the available right-click menu on most browsers?

          “(Google) Reverse Image Search” is a nice little feature… helps you find the primary websites where an image – or something very very similar – can be found.

    • Posted Sep 26, 2017 at 12:27 PM | Permalink

      On matters of substance:

      2) Something very important to understand, that can be read directly from the diagram if you have eyes to see… there is quite a lot of interpretation involved in this work. As Brandon noted quite rightly, one must be careful not to go beyond that in our own conclusions of what is fact.

      I have never said this. It might be something I agree with, and it is somewhat similar to things I have said, but I do not appreciate having people put words or ideas in my mouth.

      3) Something worth considering: sometimes (I have no idea how often), material may be classified NOT because the material is secret… but because our knowledge is minimal and conclusions are much-less-than 100% certain. 60% this, 70% that. VERY easy to misunderstand, VERY easy to draw inappropriate conclusions. And therefore dangerous in the hands of those who are quick to jump to conclusions. Thus, a “national security risk” if the assessment is made public.

      I have never heard this idea before. Do you have any reference for the legal basis for it being done? I know classification can be misused, but you didn’t mention this being done without legal basis so I assume that’s not what you have in mind.

      1) Last year, Brian Krebs was hit with a HUGE attack (600+ Gbps incoming data)

      2) In further analysis of these kinds of things, experts like Bruce Schneier concluded it was nation-states testing their power to potentially take down the whole Internet

      This is misleading. There is no connection between the two things you refer to here. The first item is about a (massive) DDoS against a blog which discusses cybersecurity; the second is about DDoS attacks (and other related probes) against networks that manage parts of the internet. The only similarity is they both involve DDoS attacks. There is no reason to believe they are connected to one another.

      As for Bruce Schneier’s conclusions, he did not conclude “it was nation-states” doing anything. He said “it feels like a large nation state.” That is not a conclusion but an impression. And according to his portrayal, only one nation state is involved, not many as you claim. Not that there is any evidence or analysis in the article to support anything it actually says. There isn’t.

      3) Krebs invested a huge amount of time to find the real — and surprising — answer.

      This is grossly misleading. Not only do we not know the “real – and surprising” answer is true, as all there is is an analysis by one person claiming to show who the perpetrator was, but the analysis in question does nothing to implicate that person in any matter of the other two examples you mentioned. This is telling as the author is the same for each of the three articles you link to.

      If there was some over-arching narrative to be found between these three examples, the author who discusses all three would have brought it up. He hasn’t because there is none. Only you have suggested there is. You seem to have strung together three separate things into a narrative as though they were all highly connected when in reality they were entirely disjoint. There is nothing tying your narrative’s threads together. These three examples are not connected to one another.

      • MrPete
        Posted Sep 28, 2017 at 11:19 PM | Permalink

        Brandon,

        Attribution: Not sure if it is worth responding to your comment on item 2. I was actually attempting to be friendly/nice in giving you credit for the idea 🙂 — while saying it in my own way: “one must be careful not to go beyond that in our own conclusions of what is fact.”

        You’ll note that I didn’t put quote marks around the statement, thus I was not quoting you. What you explicitly DID say was that it “is not an appropriate reading of the chart” to interpret “adversary space” as “the adversary,” and you concluded with: “altering quotes in a way which distorts their meaning is not something we should do.” That’s what I was thinking of.

        If you don’t want to receive credit for the idea, it’s no skin off my teeth 🙂

        Reasons for classifying: My point is that AFAIK there are multiple dimensions of characteristics that can create “risk to national security.” One such category can relate to risk of misinterpretation. Enough said.

        Krebs: Are you truly so certain in your assertion that “there is no connection” between these? Krebs discusses the connection in one of the articles I linked. Other posts go far more into it. This is one of his major ongoing topics. This post discusses and provides links to even more. As Schneier states about DDoS attacks and their recent patterns:
        * “largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
        * “attacks are significantly larger than the ones they’re used to seeing.”
        * “And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.”

        Not-so-funny thing… Krebs described in significant detail (gotta keep digging, similar to CA 🙂 )… 300Gbps attack prior to 620Gbps attack on Krebs, prior to about double again, against OVH in France, and on and on.

        Linkage: Brandon, you’re smarter than this. Are you truly so confident that: “These three examples are not connected to one another.”??!! Just google: Mirai DDoS. 250k hits…

        This isn’t three isolated events. This is a tip of an iceberg. There are multiple investigators involved, multiple corporate research teams, multiple incidents on multiple continents. It’s not just one guy making spurious accusations against a kid. You can find discussion by people at Flashpoint, Level3, etc etc etc. Sorry, I don’t have time to do other’s homework.

        Bottom line:
        * Sophisticated, massive, ever-more-powerful attack tools have become generic
        * They are created, deployed, and used, by kids, and grownups, and state actors… worldwide
        * The impact is far bigger than most people can imagine
        * There’s little reason to assume “state actors” are necessarily involved

        Oh. Schneier: Was Schneier really open to other options in his “impression” (should I accuse you of a misquote?) of the recent developments? Did he imagine it could be anything OTHER than one or more “state actors?”*** (Schneier’s actual term.)

        He never hinted at such. Nowhere did Schneier hint that these huge, rapidly doubling in scale and sophistication, DDoS attacks could be anything other than “state actors.” He certainly didn’t suggest undergrad college students. Funny thing: Since he wrote that, Schneier has never again even “felt” that a DDoS attack was likely a state actor. He’s no dummy! The evidence is obvious.

        ***FWIW, “state actors” is a non-specific plural form, which could be one, could be many, it’s unspecified. Every author quoted by Krebs used that form… including Schneier… and me.

        I’m done. No more time for this. Any more and we really lose value.

        • Steve McIntyre
          Posted Sep 29, 2017 at 8:47 AM | Permalink

          my first instinct in Climategate was that Mr FOIA was young, university age. Parking the Climategate file at Realclimate reminded me of a famous Oxbridge incident in which a car was put on the roof of a college. It was an insouciant gesture that someone is more likely to do when young than old. Also, the familiarity with proxy servers, foreign to me, was apparently common knowledge among young people from handling music and videos and didn’t necessarily imply state intelligence agencies.

        • Posted Oct 17, 2017 at 5:27 AM | Permalink

          MrPete:

          Reasons for classifying: My point is that AFAIK there are multiple dimensions of characteristics that can create “risk to national security.” One such category can relate to risk of misinterpretation. Enough said.

          You made a very specific claim regarding how classification gets used. I asked you if you had any source showing the legal basis for such. This response doesn’t offer any. You can end a discussion fork with, “Enough said,” but if you choose not to provide any sort of basis for your claims, shutting off discussion of them will leave people with no reason to believe what you say.

          Krebs: Are you truly so certain in your assertion that “there is no connection” between these? Krebs discusses the connection in one of the articles I linked.

          No he did not. I’ll note despite your many claims, you have not provided a single quotation or direct reference showing what you claim. The three examples you provided were not connected to one another by any of the reporting on them. The author of the three pieces did not claim they were part of one campaign like you have portrayed.

          Linkage: Brandon, you’re smarter than this. Are you truly so confident that: “These three examples are not connected to one another.”??!! Just google: Mirai DDoS. 250k hits…

          This isn’t three isolated events. This is a tip of an iceberg.

          You can claim this all you want, but the articles you’ve relied on do nothing to support your claims. Even your latest link does nothing to make this connection. It doesn’t even state the Mirai malware was involved in the example in question, instead reporting only that some people think it was.

          More importantly, the author goes out of his way to point out the creator of the Mirai malware released the code for it, allowing anyone to use it. This means even if the Mirai malware was used in the first example, there is no reason to think that has anything to do with the third example. The third example discusses the original creator of the malware, not every person who has ever used it.

          I’m done. No more time for this. Any more and we really lose value.

          Yes, as long as you keep making things up, this will continue to be a waste of our time. That’s all you have done. You have not done a single thing to link any of your examples together except point to a link which says software developed by one person (supposedly) identified in one example was (supposedly) used in one of the other examples. Given that link explicitly states “anyone [could] build their own attack army using Mirai,” that (supposed) connection is disingenuous at best.

        • Posted Oct 17, 2017 at 5:29 AM | Permalink

          Hey, would you look at that? Two weeks after I first submitted that comment, had it go into moderation then disappear, I was able to get it through. Funny that. Too bad anyone reading the discussion will have moved on long before I was able to get this posted.

        • Steve McIntyre
          Posted Oct 17, 2017 at 11:21 AM | Permalink

          I recently removed some political words from moderation greylist since too many triggers for political as opposed to climate discussion.

  18. Posted Sep 26, 2017 at 12:20 PM | Permalink

    It might be useful for someone to parse the upcoming testimony of Roger Stone to the House Intel Comm, especially with respect to Guccifer. Stone released it yesterday.
    http://dailycaller.com/2017/09/25/stone-releases-his-opening-statement-before-house-intel-committee-appearance/

    • Don Monfort
      Posted Sep 26, 2017 at 12:33 PM | Permalink

      I’ll parse it: Stone rams their Russia Russia Russia BS down their throats.

    • Posted Sep 26, 2017 at 12:51 PM | Permalink

      I gave this a quick read, and I think it’s unfortunate there are so few sources/quotations/references for what he says. One which jumped out at me right away was:

      Members of this Committee as well as some members of the Senate Intelligence Committee aren’t alone in their irresponsibility. On January 20, 2017, the New York Times reported that the intelligence services were in possession of emails, records of financial transactions and transcripts of telephone intercepts, which proved that Roger Stone, Paul Manafort, and Carter Page colluded with the Russians for the benefit of Donald Trump. So, where are these records? Can this Committee or our intelligence agencies produce them? I didn’t think so.

      Claiming the intelligence community had records “which proved” such collusion seems like an enormous stretch for a news outlet like the New York Times to make. I find it difficult to believe it would have made such a claim back in January of this year. I tried finding the article he referred to, but the closest I could find was this one dated January 19th, 2017. It says things like:

      Mr. Manafort is among at least three Trump campaign advisers whose possible links to Russia are under scrutiny. Two others are Carter Page, a businessman and former foreign policy adviser to the campaign, and Roger Stone, a longtime Republican operative.

      Which make me think it may be what he is referring to in his opening statement since it mentions all three names and discusses the same general topic. However, that article repeatedly makes it clear no proof had been found at that time, and that people were merely being investigated. Either the New York Times published another article the next day which I didn’t find which gave a wildly different narrative than this one, or Roger Stone has simply fabricated this claim.

      There are quite a few claims worth checking in his statement, but it seems like it may not be easy to do so.

      • Posted Sep 26, 2017 at 1:03 PM | Permalink

        I should mention Roger Stone attached some supporting documents which cover certain examples he discusses. That makes it easy to examine what he says about them. From what I can tell, his descriptions of those few events appear to be accurate other than him insisting untrue things other people said were lies. I don’t think he has any evidence to show those people lied as opposed to just making mistakes.

        I tried checking into some of the other examples, but because of how vaguely many of them are described, I couldn’t make quick progress on the ones I tried. I think the New York Times article is the only one he provided a date for. That may turn out to be an unfortunate example to provide a specific date for if it turns out he was referring to the article I found.

        • Posted Sep 26, 2017 at 2:02 PM | Permalink

          Brandon, I am only a casual follower of this discussion. Stone is a flamboyant, but experienced operator. He will not risk perjury before an Intel Comm., so I surmise he can back up his testimony.

        • Posted Sep 27, 2017 at 5:58 AM | Permalink

          Perjury requires intentionally lying. It is often difficult to prosecute people who say untrue things because of the possibility of them simply making a mistake. Going by his reputation, it wouldn’t surprise me if Roger Stone intentionally shaded the truth because he knew he could get away with it by just saying, “I guess my memory was wrong.”

          Granted, I don’t know if his reputation has been fairly earned.

      • MikeN
        Posted Sep 26, 2017 at 2:26 PM | Permalink

        I suspect Stone is needling the committee, and referring to Adam Schiff’s comments to media about what the evidence shows.

        • MikeN
          Posted Sep 26, 2017 at 2:35 PM | Permalink

          The top Democrat on the House Intelligence Committee said Wednesday that there is now “more than circumstantial evidence” that Trump’s associates colluded with the Russians to interfere in the U.S. election.

          In an interview on MSNBC’s “Meet the Press Daily,” host Chuck Todd asked if Rep. Adam Schiff, D-California, currently has a circumstantial case.

          “Actually, no, Chuck. I can tell you that the case is more than that. And I can’t go into the particulars, but there is more than circumstantial evidence now,” Schiff said.

          Asked if he’s seen direct evidence of collusion, Schiff said, “I don’t to want go into specifics, but I will say that there is evidence that is not circumstantial, and it very much worthy of investigation. So, that is what we ought to do.”

  19. mrmethane
    Posted Sep 26, 2017 at 1:07 PM | Permalink

    Brandon, the NYT has been taking enormous leaps for some time now, never failing to hide, or simply failing to make, their retractions.

    • mpainter
      Posted Sep 26, 2017 at 2:29 PM | Permalink

      So, possibly the NYT pulled the original story? If so, Stone should have a copy. Stone admits to partisanship, but I would be surprised if he squanders this opportunity through a bunch of falsehoods.

  20. Don Monfort
    Posted Sep 26, 2017 at 2:29 PM | Permalink

    Yeah, Stone should amend that to read “The New York Times is hoping, praying and insinuating that the intel community has evidence to destroy the Presidency of Donald Trump. Where is the evidence? If they had it, it would have been leaked long ago.”

    • Follow the Money
      Posted Sep 26, 2017 at 2:45 PM | Permalink

      “Where is the evidence?”

      They did leak it. And released it in two publications. No one else believed it. Even Trump’s loudest enemies think there must be something more. The correct answer may be: there is not anything more. That is why the agencies are so obsessed about finding something new. They did get something on Flynn, but unrelated to pre-election. They are still looking, maybe Mr. Mueller will bail them out with fresh sets of eyes.

      • Don Monfort
        Posted Sep 26, 2017 at 2:50 PM | Permalink

        BS wrapped in conjecture and wishful thinking is not evidence. We are looking for real evidence. What has been leaked so far is fake.

        • Follow the Money
          Posted Sep 26, 2017 at 3:13 PM | Permalink

          “BS wrapped in conjecture and wishful thinking is not evidence.”

          That is probably what Mr. Manafort’s lawyer will argue at the end of an expensive trial. They may win.

          Maybe the government has been using this Crowdstrike-like product as “evidence” for a long time in many situations.

          That could be an expensive history to reopen. And could be dangerous to the wallets of many Beltway Bandits.

  21. Follow the Money
    Posted Sep 26, 2017 at 2:34 PM | Permalink

    Brandon,

    here is the first paragraph of the article you cite,

    “American law enforcement and intelligence agencies are examining intercepted communications and financial transactions as part of a broad investigation into possible links between Russian officials and associates of President-elect Donald J. Trump, including his former campaign chairman Paul Manafort, current and former senior American officials said.”

    “Associates” is in the plural, indicating not just Manafort. Stone is later named. He is correct, he is included in the article’s first allegation.

    By the way, distrust the articles at the website “just security.” They are consistently wrong, shallow and don’t appear to read deeply the documents they comment on.

    • Don Monfort
      Posted Sep 26, 2017 at 2:52 PM | Permalink

      The article doesn’t say anything about “proof”. Stone is being persecuted and he has a tendency to go hyperbolic. Unless he has some other article in mind, his statement is incorrect.

      • Follow the Money
        Posted Sep 26, 2017 at 3:05 PM | Permalink

        “The article doesn’t say anything about “proof”.”

        And your point here is?

        Mine is about Brandon’s suggestion Stone’s statements are not backed up by a real article in the newspaper. My contrary “proof” is that article’s introductory paragraph. The fact that specific communications are not mentioned in the body of the article does not undermine the fact the article insinuates they exist.

        • Don Monfort
          Posted Sep 26, 2017 at 3:50 PM | Permalink

          The NYT article did not say anything about anybody having proof of anything. Stone’s statement on that was obviously incorrect. He got that wrong. Are you keeping up? The NYT did not say that the alleged intel community info they were reporting was proof. Read the article.

          I am on Stone’s side, but when you are accusing the NYT of getting it wrong, get your own facts straight. Otherwise you hurt your own credibility and shoot yourself in your little foot.

    • Posted Sep 27, 2017 at 5:55 AM | Permalink

      Roger Stone claimed the New York Times said there was proof he and the others mentioned colluded with Russia. The article I linked to mentioned the named individuals, but it does not say anything about there being proof those individuals colluded. What the article said is those individuals are being investigated for possible collusion.

      There is an enormous difference between saying people are being investigated for collusion and saying there is proof they colluded. Stone’s claim seems to be completely baseless.

      • Posted Sep 27, 2017 at 7:52 AM | Permalink

        To be investigated there must be proof of probable cause. Where is that proof?

        • Don Monfort
          Posted Sep 27, 2017 at 10:22 AM | Permalink

          Probable cause can be rather flimsy, Ron. In this case it is just that. The fact remains that Stone was incorrect/hyperbolic in claiming that the NYT reported there was proof of Trump campaign collusion. Let’s give Brandon a cookie on this one and move on.

        • Posted Sep 27, 2017 at 12:33 PM | Permalink

          There is no need for probable cause to launch an investigation. Probable cause is what is needed to get search warrants and arrest people. Investigations can be started based on almost nothing. Many investigations are started because of a single complaint from a single person.

        • Posted Sep 27, 2017 at 1:21 PM | Permalink

          Be careful about giving away the 4th Amendment (against unreasonable search). You or your children might want it back.

        • Posted Sep 27, 2017 at 2:31 PM | Permalink

          Ron Graf, whatever you may think about it, what I said is how law enforcement works throughout the nation. It has worked that way for decades. Whether or not you like it, I would hope you could at least recognize that is how things work and have worked for quite some time.

      • Posted Sep 27, 2017 at 5:21 PM | Permalink

        With the “Russia Russia” we are seeing federal investigations for treason and/or espionage launched against citizens with little or no evidence except for their voiced political views or that they have talked with foreigners. Today Senators Whitehouse and Blumenthal are announcing their certainty of Manafort’s and Flynn’s criminal wrongdoing.

        On Monday, Senator Richard Blumenthal (D-Conn.) said Manafort and Flynn were “almost sure” to be hit with criminal charges. “I’m about 99 percent sure there will be some criminal charges from this investigation,” he told Politico.
        https://www.yahoo.com/news/noose-tightening-around-trump-family-132009624.html

        No, I do not remember that this is how things have worked "for decades."

        • Posted Sep 27, 2017 at 5:25 PM | Permalink

          Sen. Whitehouse 2 years ago called for RICO prosecutions for “climate deniers.”

        • Don Monfort
          Posted Sep 27, 2017 at 8:11 PM | Permalink

          Ron, those Dim Senators have not said that Manafort and Flynn are going to be prosecuted for treason or espionage. Any charges against them that come out of Mueller’s BS investigation will most likely involve some alleged financial/tax shenanigans unrelated to the campaign, or failure to register as a foreign agent.

          I would like to see someone explain how the collusion alleged by the hysterical anti-Trump dim losers falls under treason or espionage statutes. DNC and Podesta emails are not state secrets.

          What do the dim losers mean by collusion? Helping or encouraging the Russians to do some hacking? What kind of assistance could the Trump campaign give to the Russians, who are quite capable of hacking on their own? What if Trump promised to help the Russians, if they helped him? It’s remotely possible there is something there. Billionaire tycoon living the good life risks it all with a crazy gamble on trusting the Russians. Uh, huh. What we have here is a political witch hunt. Ask Alan Dershowitz.

        • Don Monfort
          Posted Sep 27, 2017 at 8:16 PM | Permalink

          PS: That Yahoo News! rag couldn’t be more blatant in promoting whatever anti-Trump crap they can dig up. Pathetic. There ought to be a law.

  22. mpainter
    Posted Sep 26, 2017 at 3:07 PM | Permalink

    Democrats on the defensive: “Nobody ever said that we had actual proof.”

    • MikeN
      Posted Sep 27, 2017 at 1:34 AM | Permalink

      Collusion to obstruction to bribery to not paying taxes on the bribes.

  23. Eric
    Posted Sep 28, 2017 at 7:45 PM | Permalink

    relevant article

    Yet Another Major Russia Story Falls Apart. Is Skepticism Permissible Yet?

    I think similarities to climate hype are very interesting. There is a clear confirmation bias for anything hinting at Russian interference. It seems a significant portion of the media consuming public just can’t stomach the idea that Trump is legitimately president of the USA.

    Of course, none of that disproves anything.

    • Posted Sep 28, 2017 at 9:33 PM | Permalink

      I wish somebody on any side of the discussion would at least try to give a fair and clear depiction of things. Leaving aside the biased rhetoric of that piece which should be enough to disqualify it in a reasoned discussion, the claims it makes are disingenuous. Consider this:

      So what was wrong with this story? Just one small thing: it was false. The story began to fall apart yesterday when Associated Press reported that Wisconsin – one of the states included in the original report that, for obvious reasons, caused the most excitement – did not, in fact, have its election systems targeted by Russian hackers:

      If we assume all of that piece’s claims are true, what happened is of the 21 states identified as having electoral systems targeted by Russians, two did not. That’s saying less than 10% of the examples for a story are false therefore the story is false. That’s nonsense.

      And that’s assuming both examples actually were false. The article offers no actual evidence to support that claim. A Californian official issued a statement denying its systems had been targeted, but that’s not evidence. Maybe that guy is right and the DHS is wrong. Maybe the DHS is right and that guy is wrong. You can’t say a story “collapsed completely” because one of 21 examples in it was false and another has been challenged.

      Never mind that the DHS never admitted it was wrong about Wisconsin electoral systems being targeted as that article implies. The DHS acknowledged the electoral systems were not directly targeted, but it says the Wisconsin systems which were targeted were targeted in order to try to find vulnerabilities in the electoral systems. That a cyber attack doesn’t directly target one system in no way means it is not directed at breaking into that system.

      People keep talking about how the “Russia, Russia” hysteria comes from biased such and such, but at the same time they keep putting forth shoddy analyses filled with obvious errors, distortions and outright misrepresentations.

      You’re right though, that is exactly like how things are with “climate hype.”

      • Eric
        Posted Sep 30, 2017 at 6:22 PM | Permalink

        I agree that Greenwald’s very editorial writing style detracts from the content.

        But you know where he stands. He is as close to an honest broker as anybody publishing these days.

        • Posted Sep 30, 2017 at 8:10 PM | Permalink

          Eric, I generally don’t care to speak about people as individuals. Whatever that guy may be in general, the reality is that article is complete garbage. If people can’t recognize that (or explain how his claims are in any way coherent/justifiable), I don’t see how a useful discussion can be held. Crying foul over supposed bias on the other “side” rings hollow when one promotes blatantly incorrect material like this from their own “side.”

          Greenwald may be better than most. If so, that just speaks to how low standards are all around.

    • Posted Sep 30, 2017 at 11:47 AM | Permalink

      Brandon, Greenwald is right on this one. Since 2 states say the DHS is wrong, that should cause us to question why the story was quickly published without the most rudimentary attempts at verification or any presentation of contrary evidence. That represents the deterioration of journalistic standards. You might not have been alive, but in the 1970’s people like Bob Woodward took months to check stories before publishing them.

      And the track record of the media on Russia is terrible. The best evidence of their guilt is what happened at CNN when Scaramucci threatened to sue them. Summary firings of the reporters. Why would they do that if the article was accurate? There is no actual evidence of collusion between the Trump campaign and the Russian government. It’s a lie invented by Clinton campaign operatives on the night they lost the election.

      • Posted Sep 30, 2017 at 8:06 PM | Permalink

        dpy6629, I have no problem with questioning the DHS conclusions. I’d have had no problem with people questioning those conclusions had no state disagreed with them. Skepticism is healthy.

        That’s not what Glenn Greenwald did though. He didn’t “question” the DHS conclusions. He said the DHS narrative completely fell apart. Saying something like, “The DHS conclusions are completely and utterly wrong!” is not questioning anything.

  24. mrmethane
    Posted Sep 29, 2017 at 10:03 AM | Permalink

    Steve, Re: Flood…
    Flood’s comments on Tucker Carlson after his committee testimony pretty much agree with your thoughts about his role in the whole thing. Fiction that will likely never be illuminated via “other” cable news or print media outlets.

  25. Don Monfort
    Posted Sep 29, 2017 at 10:18 PM | Permalink

    Read it again, Brandon. Greenwald is never disingenuous. He is a lot smarter and in the know snip The DHS has obviously walked back/failed to support the claims regarding CA and WI, who say they were not hacked. So we are not too impressed with the claims on the other states allegedly attacked by Russian hackers. Greenwald provides an impressive list of the Russia hysteria stories that have already been proven to be false. We have still not seen any actual freaking evidence on any of this Russia BS.

  26. Posted Sep 30, 2017 at 11:38 AM | Permalink

    For Brandon and MikeN, Glenn Greenwald has an excellent summary piece on the way Russian collusion stories tend to collapse when the slightest bit of skepticism is used.

    Yet Another Major Russia Story Falls Apart. Is Skepticism Permissible Yet?

    I personally haven’t seen this level of media hysteria in my lifetime. It is right out of the 19th Century yellow journalism genre. People are becoming increasingly distrustful of corporate media and it’s totally justified.

    • mpainter
      Posted Sep 30, 2017 at 12:35 PM | Permalink

      Attribution of APT 28 & 29 is based on metadata “fingerprints” and ignores the possibility of false flag diversions. I am skeptical that any state intelligence apparatus would neglect to cover their cyber intrusions with false flags.

    • Steve McIntyre
      Posted Sep 30, 2017 at 1:49 PM | Permalink

      Greenwald has been a beacon of sanity. I am very impressed with him. Each day that one thinks that media hysteria could not become worse, it does.

      The whole Russian bot thing looks to me like a house of cards – in which twitter feed opposing US policy in Syria (which I, for example, have done) gets DEFINED as spreading Russian disinformation – without determining that the accounts actually are “Russian”.

      The deletion of offending twitter/facebook accounts without preserving them makes it impossible to verify. I scraped some recently deleted “antifa” twitter accounts deleted as being “Russian” from Google cache. They all looked to me like US-based satires of antifa – the humor seemed very up-to-date and local. Accounts like Beverly Hills Antifa, Mar-A-Lago Antifa, Honolulu Antifa (surfing against fascism). If a location is shown as “Russian”, it looks more likely to me to be a joke, than a deep revelation. The humor looks entirely American (in a good sense).

      • Posted Sep 30, 2017 at 7:17 PM | Permalink

        I won’t speak toward Glenn Greenwald’s writing on this topic as a whole, but the article linked to in the comment you’re responding to is complete rubbish. The facts he alleges in no way support his argument.

        The whole Russian bot thing looks to me like a house of cards – in which twitter feed opposing US policy in Syria (which I, for example, have done) gets DEFINED as spreading Russian disinformation – without determining that the accounts actually are “Russian”.

        This is a non-sequitur. There is no reason an account spreading Russian disinformation must be Russian. Russian disinformation is disinformation created by Russians. It remains Russian disinformation if and when non-Russians spread it. From what you say here, you seem to be complaining people are failing to determine accounts are Russian before not saying those accounts are Russian.

        I don’t know if you meant to make some other point than what you wound up writing, but seeing as you’ve highlighted yourself as an exemplar, I’ll point out you have in fact spread Russian disinformation on your Twitter feed before. Me saying so doesn’t mean I’m calling you Russian though.

    • Posted Sep 30, 2017 at 7:10 PM | Permalink

      dpy6629, that article is not a great summary of anything. Even if one assumes the most favorable facts possible for Glenn Greenwald’s claims (that two states disagree with an assessment does not mean we should automatically assume those states are correct), his article is disingenuous rhetoric, at best.

      There was an assessment which said 21 states had electoral systems targeted by Russians. Greenwald argues two states say they weren’t targeted, therefore the entire narrative is collapsing. That’s nonsense. If 2 of the 21 examples were incorrect, that would leave 19 examples. Having fewer than 10% of one’s examples be wrong doesn’t mean a person’s case has completely collapsed.

      And that’s assuming the facts most favorable for Greenwald. The best case interpretation is he has grossly exaggerated things.

      • Posted Sep 30, 2017 at 9:37 PM | Permalink

        Brandon, I think you are “casting atoms of scripture as dust before men’s eyes” and ignoring the “main design.” Greenwald has seen so many Russia narrative stories collapse that he can see that this one may be proven false too.

        The main design is that the Russian collusion and hacking narrative is frankly partisan media propagandizing in favor of a narrative invented by Hillary campaign operatives to explain her loss and Obama holdovers such as Clapper, who recently was shown to be a liar concerning the Trump Tower wiretapping issue. Greenwald is expressing justified outrage at a corrupt media who simply serve their own partisan interests and biases.

    • mpainter
      Posted Sep 30, 2017 at 7:31 PM | Permalink

      I am mystified by the antipathy that Alperovitch bears toward his homeland. His family has no experience with today’s Russia, having emigrated from Russia upon the demise of the Soviet Union. The Russia of today is much different from its former self as a Soviet Republic. So why does Alperovitch hate it? Most Russians do not long for the old days of the Soviet Union. Alperovitch’s hate for Russia does not add up, considering the circumstances.

      • AntonyIndia
        Posted Sep 30, 2017 at 8:19 PM | Permalink

        Comey’s Mishandling of Classified Information

      • mpainter
        Posted Sep 30, 2017 at 9:17 PM | Permalink

        Thanks, Antony. Your link confirms that all of the Alperovitch grievance belonged to the Soviet era. The Soviet Union was formally dissolved in December, 1991.

        Chernobyl is in the Ukraine.

        The question remains, why does Dimitri Alperovitch hate Russia?

        • AntonyIndia
          Posted Sep 30, 2017 at 10:28 PM | Permalink

          Also relevant is “Does Dimitri Alperovitch hate Russia?”
          From his membership on the Atlantic Council till today it certainly seems so. This pro perpetual NATO club got funds from many countries and companies but none from Russia(n). Today the reach is far beyond the North Atlantic ocean’s coasts. http://www.atlanticcouncil.org/support/supporters

        • mpainter
          Posted Sep 30, 2017 at 10:58 PM | Permalink

          Maybe for business purposes. Like the exterminator who needs to find termites to make $, Alperovitch needs to find “Russians” in your computer. Spook the customer beforehand, show that his concerns are yours and rake it in. Never mind that no state intelligence service is dumb enough to smear its sticky fingers all over the heist, what does the customer know, anyway.

  27. Kan
    Posted Sep 30, 2017 at 2:08 PM | Permalink

    Given all the discussion here, I am surprised that more attention is not being applied to the Awan group as a possible source. They had it all and more.

    • Posted Sep 30, 2017 at 5:11 PM | Permalink

      I see Imran’s name mentioned in two email chains on DNC WL under the subject headings DWS [Debbie Wasserman Schultz] Movements 5-4-16 and ditto 4-12-16.

      So Awan was right there in the center of it all, mentioned by first name by DWS staff to handle their cell phones and ipads and apps.

      • Posted Sep 30, 2017 at 6:08 PM | Permalink

        Key quote from the 5-4-16 email re DWS shows that Awan had DWS’s ipad password. I see on Google I’m not the first to have this:

        I do not have access to her ipad password, but Imran does. I’ll call Geoff now.

        With that kind of access it just shows how lax on security DWS was. (But we and Cozy Bear knew that.) It doesn’t indicate Awan had anything to do with G2 or hacks. If Awan was blackmailing DWS for a huge pay rate, extended employment and protections from police it could’ve been for many types of damaging insider info. We can only hope Awan eventually talks and does so truthfully. Also, the police are fighting legal battles right now with DWS to access the laptop that Awan left in what used to be a phone booth in a congressional office building.

        • Kan
          Posted Oct 1, 2017 at 12:20 PM | Permalink

          I know they had access. I am asking why no one suspects them as original source of data dumps. They are first class cons and could have been playing many different angles.

        • Posted Oct 1, 2017 at 2:47 PM | Permalink

          Awan does appear to be unscrupulous. He had the complete confidence of DWS. Perhaps he was willing to do favors like reporting dirt he found while electronic eavesdropping on the DNC members through its offices and network. That type of thing may have led to DWS feeling comfortable having him do tasks if they were part of the G2 operation. Of course, he could have been recruited for cash by a foreign power. But Awan lacked the motivation or skills to be the DNC leaker, the Podesta hacker, G2 and DCleaks.com proprietor.

          Does anyone else have a theory that explains all the evidence? Again, my proposed scenario is 1) Russian Cozy Bear stealthily collecting info for internal use, 2) Anti-Russian foreign state hack of Podesta, 3) Clinton damage control by registering DCleaks.com as contingent op to discredit Podesta docs should they appear, 4) Crowdstrike arrives and neutralizes Cozy Bear, 5) Seth Rich under cover of the DNC Cozy Bear breach collects damaging material for leak to WL. 6) After WL announcement of Clinton emails coming out Clinton springs G2 plan into action for damage control. Clinton, then the nominee and new head of the party, finds out from DWS of the DNC CB hack and possibly the Seth Rich incursion as well. Clinton hires Crowdstrike to implement G2 plan. Crowdstrike either uses a Fancy Bear attack or fabricates one to give G2 a plausible footprint. They say all FB got was Trump opposition research. On cue the next day G2 debuts with Trump oppo document, staking the media to be invested in G2 as DNC hacker. 7) Anti-Russian hacker, seeing all of this and the Russians taking all the blame, goes to WL with the Podesta cache, which Assange accepts since it’s not Russia. 8) Seth Rich is murdered, and whether Clinton hired the killer or not everyone assumes he is the latest number on the list, including Assange and the Dem controlled DC Metro Police; everyone acts under that assumption.

        • Steve McIntyre
          Posted Oct 1, 2017 at 4:04 PM | Permalink

          G2 was steadily accumulating data starting at least as early as January 2016. Convincing evidence that G2 had installed exfiltration software. I haven’t published this yet, but have work in inventory.

        • Posted Oct 1, 2017 at 9:55 PM | Permalink

          “G2 was steadily accumulating data…”

          Your comment pre-supposes that G2 needed to accumulate documents and was not being fed documents by the DNC/Clinton campaign. If Adam Carter is correct most all of G2’s documents were already in the public domain (or of low value) except WL.

          We know G2 did somersaults to claim both WL were his, yet he was unable to present direct evidence to DNC and only connection to Podesta by releasing email attachments in common with WL in advance of WL. But, those Podesta WL documents were mixed about equally with documents not in WL. And all were labeled DNC WL docs when none were. This is according to https://jimmysllama.com/2017/05/28/9867/

          The last comment on that Jimmysllama’s blog points out that two of the G2 June 15, 18 released documents were also on the cf.7z and ngp-van.7z dossiers, showing that all the docs might be part of a larger archive that G2 was seemingly selecting from.

          I don’t see how G2 having harmless documents dated January is evidence of anything. If G2 had made an appearance in January that would be different, but the first we see of him is June 15, the day after the DNC press release of the hack. More importantly, G2’s profile does not fit anything but a DNC/Clinton mis-information operation, and I suspect you agree.

          I await your findings when you are ready to share.

        • Steve McIntyre
          Posted Oct 2, 2017 at 1:39 PM | Permalink

          You say:

          The last comment on that Jimmysllama’s blog points out that two of the G2 June 15, 18 released documents were also on the cf.7z and ngp-van.7z dossiers, showing that all the docs might be part of a larger archive that G2 was seemingly selecting from.

          Did you notice who wrote this comment?

        • Steve McIntyre
          Posted Oct 2, 2017 at 1:51 PM | Permalink

          You say: “most all of G2’s documents were already in the public domain (or of low value) except WL”. These are very different points. Very few G2 documents in the ngpvan and cf dossiers were “already in the public domain”.

          I agree that G2 documents are uninteresting, but perhaps that’s because Democratic Party of Virginia documents (pdf, doc, xls) tend to be uninteresting. Climategate DOCUMENTS, as opposed to emails, were pretty uninteresting as well.

          In Climategate, the two extreme positions were leak vs Russian intelligence service, while the correct answer was lone wolf hacker. I may be over-extrapolating from previous experience, but I see the same here. I’ve seen no evidence that convincingly points to DNC false flag while excluding lone wolf hacker.

        • bmcburney
          Posted Oct 2, 2017 at 8:48 AM | Permalink

          Steve,

          “G2 was steadily accumulating data starting at least as early as January 2016. Convincing evidence that G2 had installed exfiltration software. I haven’t published this yet, but have work in inventory”

          I have boundless faith in your acumen but:

          1. Does the fact that data originating in January 2016 was collected show that it was collected in January 2016? Assuming there is something in the metadata which can be used to identify when “collection” occurs, can’t the dates of “collection” be manipulated like any other piece of metadata?

          2. Assuming the data was collected in January 2016, how can this show that exfiltration software was used when another candidate for the “data collector” is the DNC itself which might “collect” the same data for its own purposes? (I do not mean they would have done so originally for use in a hoax, or some other nefarious purposes, six months later. I mean that once a set of e-mails was collected the data could have been used to support a G2 hoax afterwards.)

          3. Assuming exfiltration software was sitting on the DNC’s servers and that data was found collected and ready to be exfiltrated, couldn’t Crowdstrike repurpose that data to create a G2 hoax?

          I’m not saying you are wrong about G2 being a third party hacker but, if that is the case, these are the questions I would be asking.

        • Steve McIntyre
          Posted Oct 2, 2017 at 1:52 PM | Permalink

          I’ve written up this reasoning in new blogpost. It’s new territory for me and I could easily have goofed somewhere, but it sets out in more specifics what I had in mind.

      • Eric
        Posted Sep 30, 2017 at 6:13 PM | Permalink

        Imran Awan appears to have been managing their endpoint security.

        It is incredible that this hasn’t gotten more public examination.

    • Posted Oct 2, 2017 at 3:08 PM | Permalink

      “Did you notice who wrote the comment [on Jimmysllama]?”

      It would have been as hard to miss your mug as to miss my pug.

      Your comment shows that you acknowledge that G2 is not acting like a typical hacker/leaker who would be motivated both to make an impact and, in G2’s case, gain the credit. G2 seems to have an endless archive of documents at his disposal, overtly is attempting to claim credit while covertly acting in a way that undermines that aim.

      Consider the following:

      1) He has many of the WL Podesta email attachments and wants to claim credit for the Podesta WL but fails to mention it before Assange does. Even when he is doing back flips to gain attention and gain credit for WL, all he would have to do after the June 15 appearance is to say, “By the way, not only did I hack the DNC but also the Clinton Campaign and here are a couple of samples of a cache that will be appearing in the future on WL.”

      2) Instead, after Assange announces “Hillary Clinton emails” will be released, G2 assumes they are DNC emails that WL will release despite Assange not mentioning the DNC.

      3) Despite this G2 never is able to cough up a match of a WL DNC email or attachment.

      4) After Crowdstrike and the DNC say the only document Fancy Bear exfiltrated was the Trump oppo research, G2 then releases it the next day, presumably to take credit, yet has no DNC WL documents despite trying to take credit for DNC WL.

      5) Every claim G2 makes appears to be a lie yet the US intelligence community and MSM accept him at his word except that he is Romanian.

      6) The only reason anyone even accepts G2 as a hacker is his production of documents. But G2’s knowledge is incomplete on each attack and WL. He has a large archive of documents but never releases a damaging document to Clinton or DNC even when ones were going to be released on WL. He knows Assange has DNC docs before the public or DNC. He does not know WL has Podesta emails until Assange announces it.

      • Steve McIntyre
        Posted Oct 2, 2017 at 5:29 PM | Permalink

        Whether G2 is responsible for Wikileaks DNC or Podesta is a different issue than whether G2 is a hacker. Notwithstanding your comments, he feels more like a hacker to me than a DNC false flag. But there are more issues.

  28. mpainter
    Posted Sep 30, 2017 at 8:30 PM | Permalink

    Tony Shaffer: Sean, we did it. Not me, but our guys, former members of NSA, retired intelligence officers used these tools to break in there and get the information out. That’s what the Democrats don’t want to talk about because it doesn’t fit their narrative.

    Lt. Colonel Tony Shaffer NSA (ret) on Hannity, Fox News March 9, 2017. First I’ve heard this one. He refers to former NSA types who hated Hillary.

    • Posted Oct 1, 2017 at 9:08 AM | Permalink

      Steve, have you heard back from Adam Carter since you emailed him with your questions? I would love to have him participate in the discussion here and have many questions for him.

      1) Why does Adam clear Warren Flood just because there are no visible records of Flood working on the 2016 election?

      2) Which player does Adam think registered the domain DCLeaks.com on April 19, 2016? This is two weeks before Crowdstrike is said to have been hired by the DNC.

      3) This is the same day that heavy volume is seen to begin in later WL released emails of DNC. Is there any significance to the volume distribution of emails seen in the DNC leak?

      4) Does Adam think Seth Rich was the DNC WL source?

      5) Who does Adam think the Podesta WL source could be?

      6) How did G2 have the Podesta email attachments to release in advance of the WL release?

      7) Would a hacker as flamboyant as G2 sign off for good after the election is over never to be heard from again?

      • Steve McIntyre
        Posted Oct 1, 2017 at 10:49 AM | Permalink

        I’m not interested in Warren Flood theories. G2 had access to hundreds of stale Word documents. He used one of these documents (originally authored by Warren Flood) to do a cut-and-paste. If you open an old document and save it, you get identical results, e.g. I opened a G2 document in which the metadata was unchanged (as in most of them) and saved it: Presto.
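The open-and-save experiment in the comment above, and bmcburney’s earlier question about whether the dates in the metadata can be manipulated like any other field, both come down to what a .docx actually stores. What follows is an added example (editor’s code, not from this thread or from any party discussed in it): a .docx is a zip archive, and the creator, lastModifiedBy, revision, created and modified values live as plain XML text in docProps/core.xml. The script builds a constructed sample document, reads those fields back, and rewrites any of them while copying every other zip entry untouched. It does not model which fields Word itself changes on a save; it shows that every one of them, the creation date included, is editable text with no tamper-evident record behind it. The names and dates in the sample are constructed.

```python
"""Read and rewrite OOXML core properties (docProps/core.xml) in a .docx.

Added example: the sample document, names and dates below are constructed
and are not taken from any Guccifer 2 file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml (ECMA-376 / Dublin Core)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Field name -> (namespace prefix, element name) as written in core.xml
FIELDS = {
    "creator": ("dc", "creator"),
    "lastModifiedBy": ("cp", "lastModifiedBy"),
    "revision": ("cp", "revision"),
    "created": ("dcterms", "created"),
    "modified": ("dcterms", "modified"),
}


def build_docx(creator, last_modified_by, created, modified, revision="1"):
    """Construct a minimal .docx (zip) in memory with the given core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" '
        'xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
        '<dc:creator>{creator}</dc:creator>'
        '<cp:lastModifiedBy>{lmb}</cp:lastModifiedBy>'
        '<cp:revision>{rev}</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(creator=creator, lmb=last_modified_by, rev=revision,
             created=created, modified=modified, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        # The body is irrelevant to the metadata question; a stub keeps the zip docx-shaped.
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the core properties of a .docx as a dict (absent element -> None)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for name, (prefix, local) in FIELDS.items():
        el = root.find("{%s}%s" % (NS[prefix], local))
        props[name] = None if el is None else (el.text or "")
    return props


def rewrite_core_properties(docx_bytes, **changes):
    """Return a copy of the .docx with the named core properties overwritten.

    Only docProps/core.xml is regenerated; every other zip entry is copied
    as-is, so body, styles and embedded objects are untouched.  Any field,
    'created' included, accepts whatever text the caller supplies.
    """
    unknown = set(changes) - set(FIELDS)
    if unknown:
        raise ValueError("not a core property: %s" % ", ".join(sorted(unknown)))
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read("docProps/core.xml"))
    for name, value in changes.items():
        prefix, local = FIELDS[name]
        tag = "{%s}%s" % (NS[prefix], local)
        el = root.find(tag)
        if el is None:  # field absent in this file: add it in the right namespace
            el = ET.SubElement(root, tag)
            if prefix == "dcterms":
                el.set("{%s}type" % NS["xsi"], "dcterms:W3CDTF")
        el.text = value
    new_core = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_core if info.filename == "docProps/core.xml" else src.read(info)
            dst.writestr(info.filename, data)
    src.close()
    return buf.getvalue()


def changed_fields(before, after):
    """Fields whose values differ between two read_core_properties() results."""
    return {k: (before[k], after[k]) for k in FIELDS if before[k] != after[k]}


if __name__ == "__main__":
    original = build_docx("alice", "alice", "2014-03-01T10:00:00Z", "2014-03-01T10:30:00Z")
    forged = rewrite_core_properties(original, lastModifiedBy="bob",
                                     created="2016-01-05T08:00:00Z")
    print(changed_fields(read_core_properties(original), read_core_properties(forged)))
```

Run as a script it prints which fields differ between the original and the rewritten copy. The same approach reads the docProps/app.xml entry (application, template, total editing time), which a practitioner should compare against core.xml before treating any single field as evidence; agreement across the two parts is a stronger signal than a lone creator or creation-date value, and disagreement is itself a finding.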

      • Steve McIntyre
        Posted Oct 1, 2017 at 11:04 AM | Permalink

        re 7: we haven’t heard from Mr FOIA since he signed off. HE didn’t want to be caught.

        • Posted Oct 1, 2017 at 1:39 PM | Permalink

          “…saved it: Presto.”

          Did it change the creation date?

        • Posted Oct 1, 2017 at 1:41 PM | Permalink

          “We haven’t heard from Mr FOIA since he signed off. HE didn’t want to be caught.”

          I have a feeling that the FBI has as much interest in catching G2 as you have in exploring the Warren Flood document.

        • Steve McIntyre
          Posted Oct 1, 2017 at 4:03 PM | Permalink

          except that I’ve looked at Warren Flood documents in detail

        • Posted Oct 1, 2017 at 1:45 PM | Permalink

          Also, if anybody is interested in putting up money for a reward to convict Seth Rich’s killer, your money is safe.

  29. TAG
    Posted Oct 1, 2017 at 6:05 PM | Permalink

    I think this is pertinent to your metadata attribution discussion.

    https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

    A Bloomberg article reports that the Equifax hack was perpetrated by state actors. A security tool was present on the Equifax network which recorded all activity by the hackers down to the keystroke. Two teams of hackers were involved. The first was much less skilled than the second. The state actor hypothesis is supported by the facts that none of the stolen information has turned up in criminal channels and the tools used were originally used by Chinese state hackers.

  30. bmcburney
    Posted Oct 3, 2017 at 9:38 AM | Permalink

    Are comments closed on the October 2, post thread? I was trying to post this:

    Steve,

    “My own working hypothesis is that G2 was a lone wolf hacker. This is a surmise only. This surmise is NOT proven by the analysis provided above, but I do not believe that it is inconsistent with the information marshalled here. I’ll try to outline why I believe G2 to have been a lone wolf hacker on another occasion.”

    The Adam Carter analysis still seems more convincing to me. If G2 was a lone wolf hacker, the DNC/Crowdstrike has been incredibly lucky. This lone wolf just happened to appear, at just at the right time, with a supply of meaningless DNC documents, a (sanitized?) version of the DNC’s Trump opposition file and a feeble Boris Badenov disguise. I think I will always favor a cui bono analysis over most computer metadata analysis because metadata is so easy to fake.

    That having been said, the weakness of any cui bono style analysis is that sometimes coincidences do happen and sometimes people do get lucky (or unlucky). I admit you make a very reasonable case and I now see what you mean about some of these details not really fitting a false flag. I agree it doesn’t “feel” like the metadata discussed in your post has been faked, the observations seem too subtle for that.

    I also think there is only one “l” in “marshaled” (unless this is one of those Canadian spelling things).

    • Posted Oct 3, 2017 at 10:56 AM | Permalink

      For what it’s worth, I just posted a comment to that thread so comments there don’t appear to be closed.

One Trackback

  1. By Totally Plausible | Izuru on Oct 2, 2017 at 12:28 PM

    […] came about because I criticized the general failure to get basic facts right over at Climate Audit, saying, "I think it would be helpful for people to agree to set of basic facts/terminology." I meant that. […]