Dirty Techniques

By Adam Carter --- August 20th, 2017 (Updated July 2021)


On August 16, 2017, Tech Dirt published an article written by Karl Bode that made a false and easily debunked allegation in it's headine:

A few key facts about this:

  1. Forensicator's research doesn't rely on or include any conversion error. Bode's gripe is simply that the unit of measurement used was in bytes-per-second rather than bits-per-second. All values cited by Forensicator were correct and in keeping with the unit of measurement specified. There was no conversion error demonstrated at all, it was just something Bode made up.
  2. "Stupid", "No 'Forensic Expert'", etc are nothing more than slurs and propaganda based on Bode's false and idiotic assertion of an error that he can't actually demonstrate the existence of.
  3. "DNC Hack" is vague and leaves the door open to conflation with the malware discovered and other elements of the hacking that are unrelated to Guccifer 2.0 and aren't things that Forensicator's analysis covered. Neither Forensicator nor myself made sweeping assertions about the DNC hack on the basis of the NGP-VAN archive analysis that Bode's allegations relate to.
  4. Forensicator had already addressed the use of bits and bytes measurements specifically and corrected where others were mixing these up over a month prior to Bode publishing his piece, so, Bode should have known better than to make bogus arguments like this.
  5. Bode was challenged to substantiate his allegation but was unable to do so and then subsequently stonewalled further inquiries. He now hides behind a block on Twitter because I kept challenging the falsehoods, distortions and straw man attacks he relied upon.


Attacking The Nation Article To Try To Discredit Forensicator Isn't Legitimate

Bode's article attacks claims made in The Nation article that weren't in Forensicator's report as though the claims came from Forensicator.

This is problematic because the article in The Nation goes beyond Forensicator's conclusions and Bode does not disclose what Forensicator's actual conclusions were and doesn't provide a link for readers to view it and make their own judgements.

The reports lean heavily on anonymous cybersecurity experts calling themselves "Forensicator" and "Adam Carter," who purportedly took a closer look at the metadata attached to the stolen files. Said metadata, we're breathlessly informed, indisputably proves that the data had to have been transferred from inside of the DNC network and not over the internet, since the internet isn't supposedly capable of such transfer speeds:

Forensicator didn't claim that the data had been transferred from inside the DNC and he subsequently spoke out against how others had interpreted his report on this matter.

Forensicator's conclusion regarding the rates observed was simply that the rate aligned neatly with the speed of thumbdrive transfers which was determined by testing various scenarios using the full set of files found in Guccifer 2.0's NGP-VAN archive.

If this was really about whether speeds can be beaten, Forensicator could have used the peak rate which is up near 36MB/sec (288mbps) or even 49MB/sec if you wish to include an outlier.


Attacking Averages, Passing Peaks

22.7 megabytes per second (MB/s) sounds impossibly fast if you don't know any better. But if you do the simple conversion from megabytes per second to megabits per second necessary to determine the actual speed of the connection used, you get a fairly reasonable 180 megabits per second (Mbps).

22.7MB/s was the average rate observed and matched up with USB2.0 transfer rates, in testing, which was the conclusion made by Forensicator in his analysis.

(He did mention, in passing, that this seems to be too fast to have been a remote transfer at the time this happened, especially to anywhere overseas, however, this was not the argument of the conclusion in which this comment appeared).

Also, speeds expressed as MB/s and Mbps can both be used considering the context.

Forensicator made references to the observed rates which come from disk writing operations and as both transfer rates and disk writing rates are being discussed (rather than connection speed as a primary focus), it's perfectly legitimate for Forensicator to opt for using MB/s.

Bode's objection is silly and to portray it as a conversion error is beyond moronic because no error was made.

Even then, the hacker in question could have used any number of tricks to hide his or her location and real identity from a high-bandwidth vantage point, so the claim that the hacker couldn't achieve 180 Mbps through a VPN is simply nonsense.

Bode provides nothing to support his claim that 180Mbps via VPN for this set of files was possible in mid-2016 and, of course, Bode sets the bar using the average rates rather than peak rate.

Forensicator also considered VPN and reported on this in an article called "The Need For Speed" that was published just over two weeks prior to Bode disgracing TechDirt with his article.

Obviously this raises some questions about what kind of cyber-sleuths we're talking about when they can't do basic conversions or look at some fairly obvious broadband speed availability charts.

There was no conversion error. Bode could not demonstrate one when challenged to. Forensicator even addressed other people's mistakes in relation to this as can be seen in his article concerning bits and bytes measurements.

It's interesting to see how much Bode repeats this allegation that he can't actually demonstrate when challenged (and that TechDirt's readers called out in comments).

And it also raises some questions about why reporters thought flimsy anonymous experts were the perfect remedy to the other flimsy anonymous leaks they hoped to debunk.

If we were 'flimsy', Bode wouldn't be attacking Forensicator over a third party's interpretations and would actually challenge the analysis itself.

I think if anything is 'flimsy' here, it's Bode's effort to undermine Forensicator using false allegations, slurs and propaganda where he lacks legitimate criticism.


Reaching The Peaks

While The Nation couldn't even be bothered to do the simple calculation to determine the speed of the connection used by the hacker was relatively ordinary, in a story titled "Why Some U.S. Ex-Spies Don't Buy the Russia Story," Bloomberg actually did the conversion to get the 180 Mbps speed, and still somehow told readers that such speeds were impossible.

180Mbps would have been too high for a transoceanic transfer of the files in question in Summer 2016.

Also, this is the average rate observed in the NGP-VAN archive's files and we have peak rates reported as 36MB/s and 49MB/s. (The lower value came from Forensicator and excluded an outlier while the higher figure came from Campbell/Binney).

Converting to Mbps, that gives us peak rates of 288Mbps (Forensicator) and 392Mbps (Binney/Campbell).

These are the values Bode should have addressed but made no mention of.

Returning to Bode's broadband speed availability argument, let's take a look at SpeedTest.net's 2016 report on broadband speeds in America.

It seems that reaching the peak speeds observed, even domestically in the US, would have been challenging and transoceanic transfers at these rates would have been out of the question in Summer 2016.

Additional research from Akamai and their 2016 Q3 State of the Internet report also gives a good idea of what rates were achievable at the time.

Yes, all but impossible! Provided you ignore that DOCSIS 3.1 cable upgrades and fiber connections deliver speeds consistently faster than that all around the world every day -- including Romania. False claims and sloppy math aside, after the Bloomberg column ran, several actual, identifiable intelligence experts also came forward doubting the legitimacy of the supposed intelligence sources for these stories altogether:

While DOCSIS 3.1 compatible hardware was being rolled out in 2016, the first US provider to fully transition to DOCSIS 3.1 was Mediacom and this didn't happen until the end of 2016.


UPDATE (July 2021)

Several VIPS members and associates carried out tests with several providers (with no involvement from myself) to see if they could get transoceanic transfer rates that matched or exceeded those seen in the 2016 data and they couldn't get close (this was back in 2017/18). Even the average rate wasn't possible for them at that time, never mind the peak rates.

Following publication of this article in 2017, Karl Bode continued to push lies and distortions about Forensicator and myself in public. He does this on Twitter but has me blocked to prevent me challenging his allegations.

(As an example, Forensicator and I have not claimed that the DNC hacked themselves, yet, this is a claim Bode repeatedly attributes to us.)

It seems Bode opposes open-source investigations into Guccifer 2.0 which have been very fruitful and, lacking legitimate criticism, has had no choice but to resort to false allegations and smears in his efforts to undermine others.


This article was updated in July 2021 to remove unhelpful rhetoric, to focus on the key facts, to provide some extra information about broadband speeds in 2016 and to provide an update regarding Bode's conduct following publication.