On Wednesday, 9 August, 2017, Patrick Lawrence wrote an article that featured in The Nation. The following day, Brian Feldman, writing for New York Magazine, published a hostile review that attacked Lawrence's character, ignored various factors in an effort to frame the research Lawrence was referring to unfavorably, constructed a straw man argument and skipped some of the key points of the research actually being referenced. That is something I wrote about a couple of days ago.
Now we're seeing an escalation of this and so, I'm forced again to write another article to dismantle the bullshit from those wanting to protect the illusion of Guccifer 2.0 being some sort of GRU/FSB related entity when I know that such a premise is absolute bullshit.
Much of the teeth-gnashing, poutrage and coordinated calling for writers to be burned at the stake has quickly become savage. The sheer volume of information countering the premise that Guccifer 2.0 was a real hacker working for the FSB/GRU/etc. is something certain critics feel naturally inclined to push back against (or, in many cases, ignore so they can pursue a strawman argument). After all, what alternative do they have? They can hardly accept that they were duped by someone working at the behest of the DNC back in 2016.
This fervor to push back has led some to latch onto, isolate, and even strip the qualifiers from a single observation that forms part of the basis of one conclusion, in one of the multiple pieces of research that Lawrence references overall - namely, whether such speeds are obtainable on the Internet in 2017 (leaving out qualifiers relating to distance, such as "transoceanic", and assuming that what is possible now was also possible a year ago).
Most are making the ultimate strawman argument in an effort to shut this down, something I've tried to point out with a little levity using a pilfered and modified "missing the point" cartoon on Twitter (if you're the original author, please let me know who you are so I can give you credit and/or know if you object to this modification & use):
The point that seems to be consistently overlooked is that the speeds were consistent with USB 2.0 transfer rates in practice (under test conditions using the specific files from the archive, rather than the theoretical maximum rate of 480 Mbit/s), that the files had FAT filesystem anomalies (FAT's timestamp resolution is low and times are rounded up to the nearest 2 seconds, implying a USB memory stick was used), and that this happened in the Eastern time zone. (Some will argue that a FAT partition is a possibility, but it's a technology that was becoming redundant 20 years ago and isn't corroborated by the transfer speeds the way a USB stick is.)
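To make the two observations above concrete, here is an added example (my illustration for this post, not Forensicator's code and not code from the original analysis) that runs the same two checks over a constructed set of file records: whether every last-modified timestamp sits on a 2-second boundary with no sub-second part, as FAT's mtime field forces, and what copy rate the spread of timestamps implies when each mtime is read as the moment that file finished being written. The filenames, sizes and timestamps are constructed for illustration and are not from the Guccifer 2.0 archive; the only external figure used is USB 2.0's 480 Mbit/s bus limit.

```python
from datetime import datetime

# Constructed sample records: (filename, size in bytes, last-modified time).
# Every timestamp falls on an even second with no sub-second part, which is
# what a FAT-formatted destination (e.g. a USB memory stick) would produce.
FAT_LIKE = [
    ("briefing.pdf",    5_000_000, datetime(2016, 7, 5, 18, 0, 0)),
    ("donors.xlsx",   200_000_000, datetime(2016, 7, 5, 18, 0, 10)),
    ("memo.docx",     300_000_000, datetime(2016, 7, 5, 18, 0, 24)),
    ("list.csv",      200_000_000, datetime(2016, 7, 5, 18, 0, 32)),
    ("notes.txt",     180_000_000, datetime(2016, 7, 5, 18, 0, 40)),
]

# The same constructed files with timestamps a fine-grained filesystem
# (NTFS, ext4) could carry: odd seconds and sub-second precision survive.
FINE_GRAINED = [
    ("briefing.pdf",    5_000_000, datetime(2016, 7, 5, 18, 0, 0, 113_000)),
    ("donors.xlsx",   200_000_000, datetime(2016, 7, 5, 18, 0, 9, 870_000)),
    ("memo.docx",     300_000_000, datetime(2016, 7, 5, 18, 0, 23, 401_000)),
    ("list.csv",      200_000_000, datetime(2016, 7, 5, 18, 0, 31, 22_000)),
    ("notes.txt",     180_000_000, datetime(2016, 7, 5, 18, 0, 40, 555_000)),
]

# USB 2.0 bus limit: 480 Mbit/s, i.e. 60 MB/s. Real sticks sustain far less.
USB2_MAX_MB_S = 480 / 8


def has_fat_granularity(records):
    """True when every mtime has no sub-second part and an even seconds value.
    FAT stores last-modified time in 2-second units, so a set of files copied
    onto FAT can only ever show timestamps of this shape."""
    return all(ts.microsecond == 0 and ts.second % 2 == 0 for _, _, ts in records)


def estimate_copy_rate(records):
    """Read each mtime as the moment that file's copy completed. The bytes
    written between the earliest and latest mtime are then every file except
    the earliest one. Returns the rate in MB/s (decimal megabytes)."""
    ordered = sorted(records, key=lambda r: r[2])
    elapsed = (ordered[-1][2] - ordered[0][2]).total_seconds()
    if elapsed <= 0:
        raise ValueError("need at least two distinct timestamps")
    moved = sum(size for _, size, _ in ordered[1:])
    return moved / elapsed / 1_000_000


def summarize(records):
    """Combine both checks into one verdict for a set of file records."""
    rate = estimate_copy_rate(records)
    return {
        "fat_granularity": has_fat_granularity(records),
        "rate_mb_s": round(rate, 1),
        "within_usb2_bus_limit": rate <= USB2_MAX_MB_S,
    }


if __name__ == "__main__":
    for label, recs in (("FAT-like", FAT_LIKE), ("fine-grained", FINE_GRAINED)):
        print(label, summarize(recs))
```

The granularity check is the part that is hard to fake by accident: a set of files that all land on even seconds with zero fractional part is a strong sign of a FAT destination, while a single odd second or non-zero microsecond value rules it out. The rate estimate only says whether the timestamps are internally consistent with a given medium; it does not, on its own, say where the copy happened.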
Most of the critics also fail to make any mention of the rest of the research referenced (fingerprint fabrications on June 15th, 2016 being another significant piece of the puzzle) and so we currently have a situation that looks a lot like the following:
Many articles are pushing this frame because it's an argument they can win. To be fair, this may be more in line with the way Lawrence wrote his article, but just to be very clear, neither my nor Forensicator's work claims to "prove that the DNC wasn't hacked", what we've studied is specifically to do with the Guccifer 2.0 entity and the fact it was a fake "Russian Hacker" persona.
Forensicator's analysis demonstrates there's a higher probability that someone in the US was moving files around by USB device as late as September and that these files were subsequently released by Guccifer 2.0 in the NGP-VAN archive. The overall observations have absolutely no indicators that the files were acquired by hackers in a foreign nation or moved about through the use of any remote hacking tools, in fact, various observations made suggest otherwise.
The research on my site comes from several sources and covers many sub-topics, but in general, it demonstrates from numerous angles that Guccifer 2.0 was a fake "Russian hacker" persona and was in reality likely to have been working at the behest of the Democratic party leadership in an effort to undermine Wikileaks and give leaks a bad reputation (and the critics haven't even started with this yet).
While the presence of malware is used to argue that the DNC had its emails hacked, the truth is that there's no indication that the malware was used to access or relay any internal DNC emails to unauthorized parties, so there's actually NO proof that the DNC was hacked in relation to the emails that were later released by Wikileaks.
On Monday, 14 August, 2017, Joe Uchill of The Hill responded. Fortunately, Uchill has chosen to tackle this subject in a more professional manner than Feldman, so I have to give him credit for that. However, there are a few things I'd like to go over here, if I may...
We see the "Doesn't Prove DNC Wasn't Hacked" framing in the headline, we've covered the issues there already and with so much to cover we may as well move straight on to:
The theory behind the report is that it would have been impossible for information from the DNC to have been hacked due to upload and download speeds.
That's a misrepresentation created by isolating a single factor from a conclusion that rests on a number of different factors, the same strawman construction we saw employed by Feldman: focusing only on Lawrence's references rather than looking at what the underlying research actually states.
The claims have slowly trickled through the media, finding backers at the right-wing site Breitbart in early June.
In early June, are you sure? Either way, Breitbart did cover it recently, but it is only one of many outlets that have reported on this story, including The Nation, Salon, Bloomberg, and various independent media outlets including the one that originally brought attention to it (Disobedient Media). It seems as though The Hill is portraying Breitbart (renowned for being right-wing) as though it were connected to the origination of the story.
The claims are based on metadata from the leaked files, which were published on WikiLeaks during the 2016 presidential election.
That's incorrect. This was metadata from the 'leaked' files that Guccifer 2.0 released in September of 2016, which had absolutely nothing to do with Wikileaks. This conflation of Wikileaks and Guccifer 2.0 is a mistake many in the MSM have made throughout 2016-2017 and one I had hoped some might have learned from, but evidently they haven't.
Metadata is information recorded in a file for archiving purposes and is not displayed when a file is open.
Not technically quite right but whatever, let's just move on...
A blogger named "The Forensicator" analyzed the "last modified" times in one set of documents released by Guccifer 2.0. Based on the size of the documents and the times they were downloaded, Forensicator calculated that a hacker was able to copy the files at a speed of more than 20 megabytes per second.
That is faster than consumer internet services in the United States can upload documents.
As a result, Forensicator concluded that the documents could not have been copied over the internet. Instead, someone with physical access to the network must have copied them in person to a USB drive, the blogger concluded.
1. The important thing here isn't that the rate exceeds a certain speed; it's that the speed matched USB 2.0 transfer rates as measured in testing, using the exact same files (from Guccifer 2.0's archive). Uchill fails to mention this at all.
2. This excludes the FAT filesystem anomalies observed that are a part of the basis for the conclusion.
3. This excludes the timezone information that is also part of the basis for the conclusion.
But, said Barger and other experts, that overlooks the possibility the files were copied multiple times before being released, something that may be more probable than not in a bureaucracy like Russian intelligence.
Forensicator refers to multiple copying operations and doesn't rule out the possibility of files being transferred prior to the earliest dates observed. The assumption made here is not made in Forensicator's work. This response from Rich Barger (director of security research at Splunk) also includes a needless and highly speculative statement trying to link things back to Russian intelligence without any basis.
"A hacker might have downloaded it to one computer, then shared it by USB to an air gapped [off the internet] network for translation, then copied by a different person for analysis, then brought a new USB to an entirely different air gapped computer to determine a strategy all before it was packaged for Guccifer 2.0 to leak," said Barger.
Wow, so, lots of stuff we've no indication of and a convoluted sequence of events is this security expert's rebuttal? This is the sort of thing we see on social media frequently so I think I should make something clear:
Forensicator analyzed, made observations and gave the most probable explanations based on those observations. It is NOT incumbent on him to disprove convoluted and unsubstantiated theories people can imagine in order to demonstrate that his findings are the most probable.
If Barger sees anything that indicates an alternate theory is more probable, he's welcome to contribute his evidence/observations and a counter-argument to help improve everyone's understanding here.
Hultquist said the date that Forensicator believes that the files were downloaded, based on the metadata, is almost definitely not the date the files were removed from the DNC.
That's not the point. The point is that the files were still being moved around, apparently by USB device in the Eastern time zone, as late as September 2016. This tells us Guccifer 2.0 was highly unlikely to be someone in Russia pretending to be a Romanian (as we have been told repeatedly over the last year).
Even if there were no other scenarios that would create the same metadata, experts note that metadata is among the easiest pieces of forensic evidence to falsify.
That's funny because many 'experts' were easily duped by fabricated Russian fingerprints that I personally had a hand in helping to expose and explained to others how they could check and verify this for themselves.
Shouldn't it be us lecturing your 'experts' about metadata integrity here?
In Forensicator's case, we are talking about relative time differences between file modification timestamps. This is something that would rarely be noticed even by cybersecurity experts, so it is an unlikely candidate for forged metadata. Altering time zones, etc. would also have had no impact on the outcome of the transfer speed analysis, since it depends only on the intervals between timestamps.
The work presented on both Forensicator's site and mine demonstrates far greater consideration for the integrity of metadata than I've seen in any of the work that preceded our efforts.
It would be far more difficult to fabricate other evidence pointing to Russia, including the malware only known to be used by the suspected Russian hackers, and internet and email addresses seen in previous attacks by that group.
This is where the debunking of Guccifer 2.0 takes a back seat so that they can argue that the research fails to entirely disprove that the DNC was hacked, pointing to the malware discovered and other things that are unrelated to Guccifer 2.0.
It's also interesting to see a claim that the malware discovered was "only known to be used by the suspected Russian hackers" when it's been shown that at least some of the malware attributed to Russian hackers actually has Ukrainian origins, was dated and has been used by other malicious entities online.
Forensicator's claim that 20 to 25 megabyte per second downloads would be impossible over the internet also raised eyebrows.
I'm not surprised, that wasn't his actual claim and is a misrepresentation of it, which makes subsequent statements from John Bambenek (of Fidelis) become irrelevant.
In the end, Fidelis, FireEye, SecureWorks, Threat Connect and other CrowdStrike competitors all confirmed CrowdStrike's results.
I don't see them concluding that the Trump Opposition Research was 'targeted' and if any have concluded Guccifer 2.0 was a GRU/FSB associate, they're demonstrably wrong as verifiable evidence shows a framing effort that GRU/FSB and associates would never engage in.
The intelligence community, including the CIA, FBI and NSA, also claims to have evidence the attacks were coordinated by Moscow, though they have not released their evidence to the public.
So we're seeing both logical fallacies in quick succession, the "appeal-to-authority" and just before it, the "band-wagon" - both used against readers when the actual research Forensicator and I have done and the things we have discovered all came AFTER those assessments were made.
"I find it interesting that people are so eager to believe that Dmitri Alperovitch is biased, but willing to accept the forensics of an anonymous blogger, with no reputation, that no one knows anything about," said Hultquist.
I find it interesting that Hultquist is defending Dmitri considering Dmitri's public track record of blaming things on Russian hacking, often providing little more than speculation to support his assertions.
"When this many brands agree on something, come together to provide several different aspects of the attack, sometimes it's true."
And sometimes, they're wrong and their collective wrongness becomes the basis of the bandwagon logical fallacy.
Editorial Note: It appears Joe didn't see fit to link to Forensicator's article, my own, or Lawrence's article in The Nation to return the favor. I've used an archive.is link for his article in this piece, but hey, at least I'm providing a link to every source I'm directly citing. :)
On Tuesday, 15 August, 2017, Erik Wemple of the Washington Post wrote an article titled "The Nation is reviewing a story casting doubt on Russian hack of DNC". Skipping past the introduction, which serves only to drag Katrina vanden Heuvel (The Nation's editor and publisher) into the spotlight, we get straight down to misrepresentations.
the piece relies to a significant degree on a finding that hackers working remotely couldn’t possibly have downloaded all the information that they allegedly secured and passed along to WikiLeaks.
Whether speeds were obtainable or not misses the point and misrepresents what the findings actually implied.
Forensicator mentioned nothing about Wikileaks. In fact, there's nothing to demonstrate that Guccifer 2.0 and Wikileaks had any connection except for Guccifer 2.0's repeated false claims. Wemple, like Uchill, is conflating two separate entities without any causative link to substantiate it.
The next part is more substantive because Lawrence's framing adds specificity which the original research doesn't claim to demonstrate:
Though Lawrence’s writing on this topic is impenetrable, he cites a number of researchers and groups — including Veteran Intelligence Professionals for Sanity (VIPS) — who have examined the official case for a DNC hack. Among the key actors is someone known as the “Forensicator,” an independent researcher of unknown identity. Here’s how Lawrence frames this individual’s contributions:
Forensicator’s first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.
These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds.
Due to the files actually contained in the archive, we have to leave open the possibility that the files could have been downloaded from a number of locations, however, this whole crusade to determine if transfer speeds are attainable continues to blindly overlook an incredibly significant point:
In testing (emulating various different transfer methods on the files involved), the speeds implied by the timestamps coincided with the results obtained from USB 2.0 memory stick devices. This is a fundamental point that critics are tripping over themselves to ignore, and while they misrepresent it, they also tend to omit the FAT filesystem indicators that were discovered, and more.
I've found myself having to point these additional factors out repeatedly to people coming away from articles such as Uchill's and Wemple's, because those readers are emboldened by nothing more than misrepresentations woven to sustain an illusion by a litany of parties that are resistant to conceding fault.
To save time, for the remainder of this article, I'm going to breeze past the griping over whether speeds were obtainable as it's just a misrepresentation of Forensicator's actual conclusions and the basis for them.
Maybe the Nation should have done the technical patdown prior to publication. “Most households don’t get internet speeds that high, but enterprise operations, like the DNC — or, uh, the [Russian] FSB — would have access to a higher but certainly not unattainable speed like that,” wrote Brian Feldman in a debunking in New York Magazine.
Feldman didn't debunk anything (as I've already covered), he misrepresented things to create a strawman, just like Uchill did for TheHill and just like Wemple has already done in this piece.
Further into the piece we see Breitbart get dragged in.
Let me just stop here to make a statement to the partisan hacks out there that are running with this sort of framing:
Of all those collectively involved in the research that has gone into debunking the premise of Guccifer 2.0 being a FSB/GRU-linked entity, there are more left-leaners than right-leaners.
This strategy of politicizing the research has absolutely no relevance (those involved know that partisanship is poison to meaningful investigation) and is just cheap, lazy, deceptive framing from cheap, lazy, deceptive pundits who have no interest in the true volume and breadth of research that has been carried out and what has been learned by individuals working together to carry out research of their own over the past six months.
So what next? Wemple presents his readers with Sam Biddle mistaking a salutation to someone whose username ends in "martyr" for a statement from Patrick Lawrence about Seth Rich being a martyr, just to try to undermine him.
Of course, you need to be observant to spot the mistake, something that Wemple and Biddle both demonstrate they are clearly incapable of.
On the subject of Sam Biddle, let us not forget that this is the journalist that reported a date in the body content of the Trump Opposition Research document as "metadata" (it was not and the *actual* metadata was alarming because it showed the document created on 15th of June 2016).
Biddle misreported some critical data back in 2016 and within the last couple of months he's also written a highly speculative piece trying to tie Don Trump Jr to Guccifer 2.0's activities that happened days apart from each other with no causative link demonstrated.
That's enough about Biddle for now, moving on...
A January report from the U.S. intelligence community found that Russia had indeed mounted a campaign to influence the election, and numerous investigations
The usual appeal-to-authority logical fallacy emerges. In this instance it's referencing the ICA from January that told us that yes, Russia Today is Kremlin-linked, which is irrelevant to Guccifer 2.0 being exposed as a fake and came BEFORE the research cited in the article in The Nation was carried out.
The rest of the article veers off into another topic that it seems to try to conflate this with (in which a broader range of dissent was shown on the subject of The Nation's coverage of Donald Trump and his alleged ties to the Russian government), no doubt confusing their readers even further in the process.
On Tuesday, 15 August, 2017, Matthew Tait (@pwnallthethings, on Twitter), so eager to try to lay the boot in, fell on his face by the time he got to the 2nd tweet of his thread and proceeded to "pwn" precisely none of the things he was trying to tackle. Let's take a look:
1. The research doesn't cover the rate at which files were added to an archive.
2. There's no switcheroo, the whole point is that, in testing, this was consistent with USB2.0 and there appears to have been USB memory stick usage occurring based on FAT filesystem anomalies noted as late as September 2016, with transfers apparently occurring in the Eastern time zone.
3. Actually, Forensicator's site covers an analysis of the NGP-VAN archive relating to Guccifer 2.0 specifically (and mine relates to Guccifer 2.0). Neither site makes any effort to tackle the malware discovery that CrowdStrike reported, so Matt is making an incorrect generalization.
1. Actually, Forensicator is only interested in what is most probable, he doesn't have a history of propping up either side of the argument and so isn't personally invested in the outcomes, unlike, say, Matt Tait.
2. There is nothing to show that the malware relayed any of the files or accessed emails. The information from CrowdStrike was a bunch of IOCs without any context and without identifying which ones related to which alleged incident. This is something I tried asking them about a long time ago, and even queried in an open letter to them over 3 months ago, and they've not been forthcoming with anything that would demonstrate what Matt is claiming here.
Let's not forget this is all coming from Matt Tait, who recently published an article on Benjamin Wittes' blog making sure everyone knew that he thought Peter Smith's deep web contact was Russian because, well, that's just what Tait assumes.
I'm sure there will be plenty more of this to come and I'll be sure to keep responding for as long as people are trying to (or are paid to) unduly degrade the research and many discoveries made since both the JAR report (from December) and the ICA (from January) were published.