Is Salon's Sheffield Skipping & Spinning?

By Adam Carter - September 18th, 2017

Barely a fortnight has passed since I was singing Salon's praises thanks to the open-mindedness of Danielle Ryan. Which makes it all the more disappointing that I find myself having to dismantle an article from a Salon writer after such a short amount of time.

On September 17th, 2016, Matthew Sheffield wrote an article titled "Was the DNC hack an inside job? It’s a hot theory — but probably not".

As soon as I started reading it, I could tell there were going to be problems. Polarizing partisan political personalities cited from the outset, act-of-war rhetoric getting a platform, some glaring omissions, deviating to topics such as "right-wing conspiracy theorists" (far from relevant to the research and analysis carried out) and presenting only a few parts of Forensicator's analysis (among various other issues).

In response, I have decided to go over Sheffield's latest article to help clarify a few topics he's raised and tackle misconceptions arising from the information he's published or the way in which he's presented information to readers.

For those who are familiar with all the new information about Guccifer 2.0 and just want a brief summary of the issues found in Sheffield's article, they are:


Initial Framing

When an author starts off introducing the relevant entities directly related to the story - I know I'm likely to find the article informative. Conversely, if the author starts off with politically polarizing personalities that aren't directly relevant to the story, it raises concerns.

Sheffield starts off with...

People were listening to Dick Cheney again.

...which doesn't seem like a promising start!

Cheney continued: “He believed that the end of the Cold War and the end of the Soviet Union was a disaster and I think he has aspirations of trying to correct that, or what he sees to be a disaster.”

He then pivots from the topic of the Cold War, through to Cheney's speculation about Putin and claims about Russian interference to the subject Sheffield's article is apparently about.

“There’s no question that there was a very serious effort made by Mr. Putin and his government and his organization to interfere in major ways with our basic, fundamental democratic processes,” he said. “In some quarters, that would be considered an act of war.”

Sheffield shares speculation from Cheney being made about Putin and the usual hawkish "act of war" rhetoric. Of course, the premise promoted is one that would make America (and I'm sure the UK too) guilty of "waging wars" many times over recent years.

The possibility of Dick Cheney being at least partially correct about something is horrifying to most humans. So it’s no wonder that many otherwise rational people still refuse to believe the large body of evidence showing that Russian hackers infiltrated servers controlled by Democratic Party officials and leaked what they gathered in an effort to undermine the candidacy of 2016 Democratic nominee Hillary Clinton.

Dick Cheney is largely irrelevant to all of this. The link for "large body of evidence" points to another recent article written by Sheffield, which, of course, does not feature evidence of Russia being behind any acquisition of files or emails.

In reality, none of the agencies have categorically stated they have the proof of all of this and Sheffield makes a big leap in assuming that the malware discovered by CrowdStrike must have inherently been linked to the acquisition of files/emails by leakers - all despite a total lack of evidence showing malware relaying large volumes of data or accessing mailboxes, etc.


The Subject Matter

Sheffield proceeds with:

The unbelievers also seem to have overlooked Putin’s admission that last year’s intrusion might have been the work of “patriotic” Russian hackers inspired to act on their own.

What is there really to overlook? Many of us are aware that Putin had said he accepts that "patriotically-minded Russian hackers might target foreign electoral campaigns".

Some of us even pay close enough attention that we know what Putin said and how it differs from the way some writers try to present it.

To refer to what he said as an "admission" and specifically attribute it to last year's apparent lapse of security at the DNC strongly suggests that Sheffield is trying to create misconceptions. His choice of vocabulary and apparent adjustment of context, compared to how the story was originally reported back at the beginning of June, seems like a red flag.

In his defense, this could actually be worse: Sheffield could have linked to Molly McKew's article in Politico where she outright lied and claimed that Putin had outright admitted Russian hackers were behind the DNC breach.

Numerically speaking, most of the doubters are loyalists of Donald Trump, reluctant to accept the prospect that their beloved president couldn’t have won the White House without Russian assistance. Others are people who were left unconvinced by the strange, abysmal failure of former President Barack Obama’s administration and his intelligence appointees to offer any real evidence of the Russian hacking operation beyond “trust us.”

Regardless of the number of doubters, the new discoveries, research, analysis and initial reporting in 2017, all in relation to the Guccifer 2.0 persona, have mostly come from those that, collectively, lean left more than right.

For most researching the topic - we just want all of the anomalies discovered to be properly investigated. We have no interest in trying to help or hinder political parties through our research.

As I wrote last week, there is considerable evidence that the loquacious Guccifer 2.0 is not what he claims to be. He is probably not Romanian and probably not a single individual.

As I wrote back in February (when I had no idea who Guccifer 2.0 could be), to understand who Guccifer 2.0 is, we need to fully understand what Guccifer 2.0 was.

Since then, we have found verifiable evidence demonstrating that Guccifer 2.0's first batch of documents was deliberately tainted with Russian-language metadata, behavior you wouldn't expect from anyone loyal to Russia. It immediately damages the credibility of the leaks: they would be leaving clues pointing to their own nation on purpose while instantly degrading the plausibility of any information they released. It would be a highly counterproductive thing for a real hacker or leaker to do.

His ungrammatical Romanian parlance,

It is true that his Romanian parlance did seem clunky and was probably the result of using Google translate to respond to the relevant question.

However, Sheffield only reports on doubts over that persona's use of that one language. What he neglects to mention is that there are zero syntactical traits demonstrated by Guccifer 2.0 throughout all of the emails, DMs, tweets, blog posts, interviews, etc that have been published by him or regarding him that indicate he's Russian.

Furthermore, the only language expert apparently willing to be named in all the articles covering this throughout 2016 was Associate Professor and Chairman of the Department of Slavic & Eastern Languages at Boston College, Professor M J Connolly. Professor Connolly stated that Guccifer 2.0 lacked any of the traits he would have expected to see from a Russian communicating in English.

The media often overlook this issue completely and, sadly, Sheffield is no exception to that.

his sudden emergence immediately after the Democratic National Committee accused Russia of hacking its computers,

Within 24 hours of a Washington Post article that cited the targeting of the Trump opposition research 3 times, Guccifer 2.0 appeared and lured in the press with tainted copies of documents (including the one that was repeatedly mentioned, despite it apparently being something targeted 45 days prior to the article being published).

Guccifer 2.0 then chose to use a publicly accessible IP address from a Russian VPN provider in conjunction with an email service provider in France where the IP address he was using would be forwarded in his emails (rather than use hotmail/gmail/etc, which don't forward such information).

Guccifer 2.0's choice of service providers and the deliberate manipulation of files he first released both serve to mimic a Russian identity but neither is a genuine indicator of Russian hacking or Russian state interference.

the hastily constructed nature of most of his files

What is really of most importance in his files is the apparently deliberate fabrications that were exposed by the way he constructed his first files.

It also appears Guccifer 2.0 initially transferred a much larger batch of files of which he only chose to release a small selection, taking time to collate the files and, in some cases, having them prepared a week or more ahead of publishing - which is unusual when you consider the consistent low quality of his leaks and lack of impact for people in the DNC's leadership compared to, as an example, the DNC emails or Podesta emails that were leaked.

his changing story about how he compromised Democrats’ computers

Sheffield is referencing something more significant than just a "changing story".

Guccifer 2.0 made implausible and discredited breach claims; none of his claimed hacks could ever be independently verified.

Guccifer 2.0 did change his story. However, Sheffield doesn't explain that he only contradicted those hacking claims in a conversation he had with Robbin Young, in an effort to attribute himself to Seth Rich. This was done on a day when many on social media were expressing suspicion that Rich may have been the source for the emails leaked by WikiLeaks, and when Assange was due to give an interview to Fox News later that same day, an interview that many had hoped would provide confirmation of their suspicions.

his usage of a Russian-oriented network privacy service,

It's interesting that Sheffield links to the ThreatConnect article, in which they make assumptions about IP exclusivity, and yet he fails to mention anything about the fact that it was discredited by yours truly about 6 months ago.

and the presence of Russian-language metadata within several files he released all suggest that Guccifer 2.0 is a Russian fabrication.

The Russian-language metadata was deliberately placed; it was part of a masquerade.

The only way in which this was a "Russian fabrication" is in the sense of being a fabricated Russian persona, not a fabrication originating in Russia.

Nonetheless, all of the above indications are circumstantial in nature.

Actually, if Sheffield had reported the full story on the metadata, it would be enough to inform his readers that the FBI, CIA and NSA assessments on Guccifer 2.0, despite the "high confidence" expressed, are almost certainly flawed.

Cyber intrusions are notoriously difficult to attribute given the ease with which anyone with sufficient computer skills can construct serpentine, ephemeral paths to anywhere.

Indeed, it's possible to evade attribution and prevent end-point discovery. However, there would still be signs of the packets of data being relayed out of the DNC to a C&C server or to a high-traffic public service provider's site (from which they could then be retrieved while remaining obscured). The NSA would still have evidence of the initial data being relayed, though, and this is something that appears to be lacking when all they've been able to provide so far are assessments based on information predominantly coming from private sector firms.

Even though I do agree that hacks by skilled hackers are hard to attribute, Guccifer 2.0 wasn't a real hacker (his breach claims were unverified, some were outright discredited and he mysteriously couldn't hack anyone or anything outside of the Democratic party).

Guccifer 2.0 was an operation trying to undermine WikiLeaks by mimicking a Russian hacker while claiming to be the source of content that WikiLeaks was in possession of, something that only DNC leaders had motive for at that time and something that only they and those providing them with technical assistance would likely have been implicated in. Of those, only a handful would have had the technical knowledge and the skill set needed, and been granted access to the files required to carry out such an operation.


Seth Rich / "Right-Wing" Conspiracy Theories / etc

Sheffield then returns to the topic of "Seth Rich" and essentially suggests that those disagreeing with the "botched robbery" theory are predominantly right-wing conspiracy theorists (of course, nothing was actually stolen in the incident and Seth was shot in the back twice, which seems inconsistent with the premise he was shot in a struggle).

He then proceeds to ramble on about RT, Sputnik, Buzzfeed, etc., before returning once again to Seth specifically, where he refers to the premise of Seth's murder not being a simple botched robbery as a "myth".

The myth of Rich’s murder also has some support among jilted supporters of Sen. Bernie Sanders of Vermont, Clinton’s defeated rival for the Democratic nomination.

Again, it's an interesting choice of vocabulary from Sheffield.

The article then gets back on track with something directly relevant to the topic.


VIPS, Forensicator & The Bandwidth Race Straw-Man

First up, Sheffield reminds us of what has been quite a common straw-man attack over the last month:

That confident assessment — with which not all VIPS members agreed — turned out to have been based upon the work of an anonymous analyst calling himself “The Forensicator,” who had examined the contents of a compressed archive file released to the public by Guccifer 2.0 and found several potentially significant details. The most notable of these is that the archive’s metadata suggests that the files within it were added at a rapid rate (around 23 megabytes per second). Additionally, the archive itself appears to have been created on a computer with a clock set to the Eastern time zone of North America, instead of in Romania, Russia or elsewhere.

Most notable was actually the aggregate conclusion: there were NO indications of files being transferred to or around timezones outside of the US, and there were various indicators of a USB storage device being used from the point of the earliest batch transfer dates.

Sheffield also presents a fraction of Forensicator's 7th conclusion as being most notable. However, it's not really how high the bandwidth rate is that's important. If a high rate was actually the basis of that conclusion, Forensicator would have cited the peak rate of 38MB/s instead.

The fact is, the 7th conclusion actually points out that in testing, the rates observed in Guccifer 2.0's files were most consistent with USB2.0 transfer speeds.

Equally important is the fact that, still in the Eastern time zone, we've got files with FAT filesystem anomalies, which, unless you've got a really antiquated hard disk, is a strong indicator of the use of a USB storage device - happening as late as September.
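To make the two kinds of inference above concrete, here is an added example (not Forensicator's code or method, and not from the original article) that derives an average and peak transfer rate from a file listing and checks for the 2-second timestamp rounding that FAT filesystems apply to last-modified times. The listing is constructed, and the code assumes each file's last-modified time records when its copy finished, that files were copied one after another, and that the listing stores timestamps to at least one-second resolution.

```python
from datetime import datetime
from itertools import groupby

MB = 1_000_000

# Constructed listing (name, size in bytes, last-modified time). Not real data.
SAMPLE = [
    ("a.doc", 10 * MB, "2020-01-01 12:00:00"),
    ("b.pdf", 30 * MB, "2020-01-01 12:00:02"),
    ("c.xls", 70 * MB, "2020-01-01 12:00:04"),
    ("d.txt",  6 * MB, "2020-01-01 12:00:04"),
    ("e.zip", 32 * MB, "2020-01-01 12:00:06"),
]

def _batches(entries):
    """Group files by timestamp: sorted list of (datetime, total bytes)."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), size)
                  for _, size, t in entries)
    return [(ts, sum(size for _, size in grp))
            for ts, grp in groupby(rows, key=lambda r: r[0])]

def transfer_rates(entries):
    """Return (average, peak) MB/s implied by the last-modified times.

    Assumption: a file's mtime marks the end of its copy, so the bytes
    stamped at time t arrived between the previous timestamp and t. The
    first batch has no known start time and is left out of the totals.
    """
    b = _batches(entries)
    if len(b) < 2:
        raise ValueError("need at least two distinct timestamps")
    elapsed = (b[-1][0] - b[0][0]).total_seconds()
    average = sum(n for _, n in b[1:]) / elapsed / MB
    peak = max(n / (ts - prev).total_seconds()
               for (prev, _), (ts, n) in zip(b, b[1:])) / MB
    return average, peak

def fat_like_mtimes(entries, min_files=5):
    """True if every mtime falls on an even second.

    FAT stores last-modified times in 2-second steps, so a long run of
    even seconds is unlikely by chance (1 in 2**n for n files). Formats
    that store DOS-style times, such as classic ZIP, round the same way,
    so the check only means something on finer-grained timestamps.
    """
    seconds = [int(t[-2:]) for _, _, t in entries]
    return len(seconds) >= min_files and all(s % 2 == 0 for s in seconds)

if __name__ == "__main__":
    print(transfer_rates(SAMPLE), fat_like_mtimes(SAMPLE))
```

If the copy tool preserved the original timestamps, the rate calculation says nothing about the copy itself, which is why the assumption has to be checked before drawing conclusions from it.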

While Sheffield, to his credit, does make some distinction between Forensicator's analysis and what VIPS have stated, this effort is soon undone due to his lack of critical inference later in the article (where he allows ambiguity to blur the lines between which analysis it is he's claiming doesn't stand up to scrutiny).

Sheffield then focuses on the dispute between VIPS members for a few paragraphs.

He cites 3 members of VIPS overall, which is great as it's good for reporters to get statements for articles from several sources. However, when reporting on a dispute in a group, it probably helps make things more balanced if you get your statements from more than one side of the dispute.

We then move on to a statement that definitely could be construed in various ways depending on which author and which claims are being referenced:

Though the original authors’ claims do not hold up to serious scrutiny, the fact remains that the U.S. government needs to be more forthright in pointing the finger at the Russian government.

Considering, by this stage, we are talking about an analysis based on 3rd party analyses, Sheffield, perhaps, should have tried to avoid ambiguity here so as not to accidentally undermine analysis unduly and risk confusing his readers into thinking the original research has in some way been debunked, because that would be far from the truth.

Also, the government does not need to be more "forthright in pointing the finger at the Russian government". Considering what we now know about Guccifer 2.0, a government acting in good faith would investigate the apparent effort to frame Russia and then make a properly informed decision as to exactly how much finger-pointing is appropriate.

That Sheffield lacks the information to recognize the need to investigate before escalating tensions further seems, to me, to be very unfortunate.

The confusion that currently reigns on the issue is squarely on the shoulders of America’s elected representatives (including, unsurprisingly, President Trump).

Key members of the USIC (some well known for their lying) and propagandists in the mainstream press have sown more chaos and confusion than anyone.

How much of the blame can be placed on Trump's shoulders is open to debate when much of it seems to be an effort to argue that his presidency is illegitimate.


Summary: Outdated, Omitted, Conflating & Ambiguous

Sheffield's article omits a lot, uses outdated information and misrepresents a few things, but curiously also seems to go on a detour to conflate this with contentious and/or partisan-political issues that are not directly related to the main topic of the article.

Sheffield is either cherry-picking, spinning and trying to convince readers rather than inform them, or he's trying to inform them while being completely oblivious to many important facts that he manages to breeze past.