Without Integrity: The Debunking of the Metadata Debunkers

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post.

When people have asked me if I’ve gotten a lot of pushback since I revealed that I provided information to the FBI on a matter that became part of the Mueller inquiry, I’ve said that I’m mostly surprised by how little I’ve gotten. While I’ve had a few alarms with respect to my website or device security (which I might attribute to Russians), I’ve had almost no pushback from Republicans accusing me of gunning for the President, not even after I suggested my testimony probably changed the import of publicly available information that implicated the President.

The exception has been a group of Assange loyalists close to Adam Carter — a group of people who have spent a great deal of time trying to undermine the public case implicating Russia in the attack. I have been shocked by the persistence with which Carter loyalists flooded my timeline at certain times in recent weeks, even though nothing I’ve said publicly would indicate Carter’s efforts were put in any great danger because I went to the FBI sometime last year.

Today, Duncan Campbell released a long story on the guy behind the pseudonym Adam Carter, Tim Leonard.

Before I look at it, two comments. First, contrary to some guesses, Leonard is not the person I went to the FBI about. Second, I think there are still details in this story that are not correct (though are far closer than other work thus far); one value of Leonard’s effort was to get some people (including me!) to work through assumptions, something people are still not doing enough on this story.

Campbell’s is an important and successful effort to push back against disinformation (and to get Bill Binney and Ray McGovern to back off their support for it). It does the following:

  • Affirmatively IDs Leonard, demonstrates that he used the facilities of his employer to do some of this work, and shows how he falsely blamed a former co-worker for some of the work
  • Shows how Leonard serially adopted ever new theories, but never the one almost every expert had backed, that Russia had done the hack
  • Shows the co-travelers, including the far right, that Leonard embraced in his efforts to discredit the dominant explanation
  • Tracks some of the false identities Leonard adopted along the way (I believe, given the data in the story, he has adopted false IDs on this site as well)

This work is particularly valuable because it demonstrates how early — by May 2016 — Leonard focused attacks on Clinton before coming out with his debunking site.

As US election campaigns ramped up in May 2016, Leonard’s Defianet email address, [email protected], was used to create a new Twitter account, @with_integrity. The name, he said, was a parody of Clinton’s campaign slogan, “I’m with Hillary”. The profile displayed a WikiLeaks avatar.

For 10 days in 2016, @with_integrity trolled and attacked the Democratic Convention, accusing the Democrats of collusion, conspiracy, cheating, corruption, rigging elections and sabotage.

On 22 July 2016, @with_integrity tweeted a link to the Russian propaganda and news channel, RT, claiming that primary elections had been rigged. On 26 July, as delegates voted, @with_integrity tweeted a new RT attack on Hillary Clinton.

After Clinton was nominated, @with_integrity followed the Russian trolls’ path in supporting Donald Trump, retweeting Trump slogans, including #CrookedHillary, #LockHerUp, #MakeAmericaGreatAgain and #VoteOnlyTrump, and a third link to a “special episode” on RT.

But the core of Campbell’s debunking (and the basis of his success at persuading Binney and McGovern, to the extent he did) pertains to the Forensicator effort to claim that certain files released in September 2016 proved that Russia couldn’t have done the hack because they had been copied in the Eastern time zone. Campbell shows that shows that the data behind the Forensicator effort had been adopted uncritically by Leonard and his allies, and that the most obvious conclusion based on the evidence is that hackers manipulated the timestamps of these files, and only these files.

The team that created Forensicator, including Leonard, gave away that they were not the real authors of the analysis when they inaccurately copied a Linux “Bash” script they had been sent, breaking it. This suggested that they did not write, understand, or test the script before they published. Someone else had sent the script, together with the fake conclusion they wanted discovered and published – that DNC stolen files had been copied in the US Eastern Time zone on 5 July 2016, five days before DNC employee Seth Rich was killed.

Uncritical reporters failed to spot that the Forensicator blog gave no evidence for its conclusion, which was that the data analysed was evidence of theft by local copying happening within the eastern US. The Forensicator report avoided pointing out that the time stamps examined were present only in the special London group of documents, and not in tens of thousands of other DNC files published by WikiLeaks or Guccifer 2.0.

The files were manipulated using an unusual method of file packing, forensic checks show. Because of computer clock settings, the packing operations appeared to have created “evidence” that the stolen files had been copied in the US Eastern Time zone, which includes Washington.

US Eastern Standard Time (EST) is normally five hours behind Coordinated Universal Time (UTC) – better known in Britain as Greenwich Mean Time (GMT). In summer months, clocks are set forward, placing the US Eastern Daylight Time (EDT) four hours behind UTC. The difference between a time zone and UTC is the offset. It is trivially easy for any computer user to change their time, date and time zone offset, using standard controls.

The files released in London, we found, had first been processed in this way to show timestamps for 5 July 2016. Some 13 groups had then been compressed using WinRAR 4.2. Nine additional files were compressed using 7zip. The archive, called 7dc58-ngp-van.7z, was published in this format, as a single file of 680MB.

This dual compression method was unique to the London documents. It was not used in other file dumps released by Guccifer 2.0, WikiLeaks or other publishers of stolen DNC material. The special method used two different file compression systems, 7zip and WinRAR, and required using a four-year-old, superseded version of WinRAR to obtain the required result. The way the Russians did it, the two compression operations appeared to overlap within a single 20-minute period. The tampering may have been done on 1 September, a week before the London conference.


The obvious, simple explanation was that hackers were manipulating computer clock settings. The observed changes would have taken seconds.

In response to Campbell’s piece, Leonard has complained that Campbell doxed him rather than debunk the evidence.

He doesn’t actually tackle what he’s framing as disinformation and instead tries to attack character and tries to dox people rather than discredit or debunk the evidence/research published. You don’t tackle disinfo with smears/distortion/character attacks yet this is what DC did.

This is where I get a little cranky — probably crankier than I otherwise would have been if Leonards fans hadn’t flooded my timelines in recent weeks.

Campbell is actually wrong when he claims that “uncritical reporters” didn’t point out that this file was a unique file. I noted this file was a proxy file back in October, and that before you got into the analysis of its forensics, you first had to account for the provenance of it. I also noted WikiLeaks’ role in sharing the file with the Trump campaign here. In this post, I noted that the files in question weren’t DNC files (nor were the earliest Guccifer 2.0 ones), so the entire exercise said absolutely nothing about who hacked the DNC, purportedly the central project of Leonard and his ilk. And all that’s before I noted, over and over, that copying of files in the US would not prove a damn thing (as the GRU’s use of staging servers in AZ and IL make clear).

I raise these posts not to challenge Campbell’s reporting, but instead to challenge Leonard’s complaint. He has claimed for over a year now that he would respond to legitimate responses to his theories. And while I vaguely recall him making a half-hearted attempt at it on his site, I can’t find it.

Even before you get into the evidence of a concerted disinformation campaign — one that paralleled if it wasn’t coordinated with at least WikiLeaks if not the Russians’ — you’ve got to be arguing facts that might address the questions you claim to. And Leonard quickly strayed from that purported effort, never to return again.

41 replies
  1. Trip says:

    Like SteveB, I had a difficult time muddling through the technical stuff in the article. So here comes the dumb question: Your only quibble on Campbell’s article is that he suggested no one else had discovered the proxy file, is that correct? That the rest still stands in demonstrating technique that even Binney and McGovern were convinced? I’m feeling semi-lost on the complaint.

    • Bob Conyers says:

      Trip – The way I’m reading it, Campbell complained that the press wasn’t examining the details of the file, and EW says that just happens to back up Leonard’s claim that he wasn’t getting any meaningful counterarguments. She points out that she did offer up that pushback, but Leonard probably never lived up to his promise to debate. She’s not challenging the larger body of reporting.

      • DMM says:

        Moreover, it indicates that neither Wm Binney nor Ray McGovern examined the file data before endorsing Leonard’s theory.

        It’s difficult to assess the correctness of the technical aspects of Campbell’s piece, and of Leonard’s/Adam Carter’s arguments, but I note Thomas Drake’s view, cited in the Campbell piece. In proxy credibility, Drake is pretty much occupies the highest rung IMO, and all the more so given that Bill Binney (whom I also have a lot respect for, in general) and McGovern didn’t look at the data but endorsed the “analysis” anyway.

        • David Blake says:

          Campbell seems to have misquoted William Binney. In a response article Disobedient Media say Binney stands by his assessment that G2 is a fabrication:

          “Binney told us that he stands by the assessment made in the VIPS memorandum to President Trump, published last year. He told us that Duncan misrepresented his statements describing Guccifer 2.0  a fabrication. While speaking with us, Binney utterly refuted Campbell’s dishonest portrayal of Binney having changed his stance on the issue.

          Binney told this author that he referred specifically to Guccifer 2.0 as a fabrication, adding that it doesn’t matter where the information was downloaded, or when, or that the information was manipulated, because the point is that it was not hacked, and the who/where does not alter that fact. He said that Guccifer 2.0 was: “Clearly a fabrication, a fake, put out there to confuse. Timing is irrelevant, fake is fake. You can manipulate timing, you can change anything, but it doesn’t matter. It makes no difference.”



        • greengiant says:

          It’s a disruptive technique of saturating a channel with noise so the signal is harder to process. In radar it’s called jamming. In social media it is jamming up the conversations with comments. G-2, Leonard, disobedientmedia all jamming to make it harder to talk about real Russian and GOP crimes and hacking. Fake stories about fake data like the document author data, the time stamps, the Seth Rich conspiracy, what Binney said, all are false targets to distract.

    • emptywheel says:

      There are some details I believe to be incorrect. But it’s closer than a lot of reporting on the subject.

    • bmaz says:

      I tell you what: How about we not wait for what some addled VIPS crazy crank has to say. At least not here. Thanks.

      By the way “James Hester”, after reviewing all ten of your “contributions” here, I have to ask, are you being paid by somebody, or just a privateer troll?

      • Desider says:

        Whew, thank you. If I don’t have to hear about Ray McGovern and his VIPS Stooges again, would be too soon. They provide continuous laughable fodder for the left’s (fellow traveller) conspiracy contingent.

    • greengiant says:

      Ray is past his use by date IMO. The tragedy of the MOUs is that their error rates are so low they don’t get the benefit of practicing detection and correction of errors those with higher error rates usually get, see Tesla for example. Worse still the necessary energy spent on the rise and fall of Trump when even more noxious actors are in play.

  2. Bob Conyers says:

    Campbell’s story is absolutely fascinating. I’m not skilled enough to judge it, but I get the sense that the people working to expose this stuff are outnumbered.

    Leonard undoubtably was more dangerous than the typical Russian disinformation specialist because he has the English language skills to be convincing in a way that a typical Russian would struggle with. I think it’s interesting that their 2016 trolling efforts seem to have been much more effective with Trump supporters than their targets in the Black Lives Matters movement. Don Trump Jr. seem to be far more gullible than anti police violence organizers in Baltimore.

  3. SpaceLifeForm says:

    Leonard pushing disinformation to cover a disinformation campaign?

    Leonard trolls fits.

    Muddy the waters.

  4. jdmckay says:

    Great article Marcy!!!


    the most obvious conclusion based on the evidence is that hackers manipulated the timestamps of these files


    I’ve wondered about this for a long time, surprised it took this long to be discovered.  Good work.

  5. Valley girl says:

    I read the article by Campbell.  Fascinating, even w/o understanding the technical details.

    This is a minor point, but I noted this, as underlined:

    “Both accounts used his Creative Insomnia email address, [email protected]. On Reddit, d3fi4nt posed as a US-based Democrat supporter of Bernie Sanders, publishing hate messages targeted at Clinton, and signed up to The Donald, an exclusive Reddit location for Trump supporters, as well as r/Conspiracy, a notorious watering hole for conspiracy theorists.”

    This guy seemed to have covered all the bases, in a more complete way than GRU could have done  A truly nasty character.

    Marcy: “First, contrary to some guesses, Leonard is not the person I went to the FBI about”  I don’t know who made these guesses (and I’m not asking) but my view is that Marcy would never have taken this guy seriously, ever.  I have my own guess, and it’s eating at me.  Has to be someone with a once-credible and respected reputation.  Has to be someone with insider knowledge, who started to go off the deep end with certain conspiracy theories (not that he thought so) and then went totally off the rails.

  6. Trip says:

    emptywheel‏ @emptywheel 14m14 minutes ago

    emptywheel Retweeted Elizabeth Lea Vos
    Here’s what (I’ll pretend) I don’t understand. If Assange hasn’t shared his alleged source w/the Disobedient folk, how can they be sure the source wasn’t working for Russia?

    Elizabeth Lea Vos‏ @ElizabethleaVos

    Opinion: On The Latest Establishment Attack Launched Against @WikiLeaks, Independent Media

    @Marcy, what’s a disobedient folk?

        • harpie says:

          Yeah, it’s a lot to process. Towards the end of the article, Campbell writes:

          When Leonard was called, he claimed the author of this article was an “American-style Russiagater”. On Imgur, Leonard published all the enquiries sent to “Carter”, accompanied by his own evasive responses. On Twitter, “Carter” published part of an email addressed to Leonard.
          Two days later, the “Carter” operationmerged with Disobedient Media, and Carter appeared on the site as a “technology correspondent”.

          The link is to a tweet by Vos, at 4:49 PM – 21 Dec 2017, welcoming Carter [Leonard] to Disobedient Media.

          Underneath the article [bottom of the page] there’s a section called “The US disinformation team”. 

          Disobedient Media is a so-called “independent media” site that describes “Adam Carter” as its technology correspondent. It claims to “bring honesty and integrity back into journalism”. The site has recycled paedophile allegations directed at Hillary Clinton and fellow democrats, and has made repeated attempts to frame murdered DNC official Seth Rich. […]

        • harpie says:

          No problem…I’ve been muddling around in this story during any spare time I had today. My notes are a mess! :-/

  7. Robert says:

    I’m probably missing something, I’m not a real file-system expert, and I haven’t paid much attention to the Seth Rich/DNC hacking disinformation (seemed obvious to me that the GRU did it). But, if all of the claims rested on nothing more than file-system time stamps, then the media, these ex-NSA/CIA types, and the Republicans should have been grilled over it at the start.

    Depending on which time stamp(s) we are talking about (files have several, depending on the file system), you might not even need to change the system time just to change the apparent time when the files were last copied. You certainly wouldn’t need any complicated, multi-method compression antics (not that I’m sure that I understood the description in the Campbell piece). There are commandline utilities for this. Or, as you and Campbell note, resetting the system time on a non-networked computer is a trivial task.

    Nor does this Leonard character come across as not much of a master hacker, at least in this case. The “evidence” provided to back the claims screams clumsy amateur in a hurry.

    So why didn’t anyone in the mainstream press engage a forensic examiner to check the files as part of fact checking–or at least ask someone in their IT department before accepting date stamps as possible evidence of where/when something was copied? I’d have thought that doing so would have made the whole Rich defamation effort a much bigger, better story and left the “Fake News” demagogues with major egg on their faces back when it might have mattered more.

    • greengiant says:

      You are spouting Trump Russia psychobabble. People talking up time stamps were distractors. G-2 was a distractor. Leonard was a distractor and a sock puppet. Their content is distraction. They gave away their own store by being distractors through their own metadata, through being crazy and through who they networked. The Trump-GRU-Assange nexus is obvious to all as the tide rolls out. Another outing of Leonard’s defenders ongoing now, because they also are either useful fools or on the take.

      • Greenhouse says:

        How is Robert spouting “Trump Russia psychobabble”? His question seems legitimate as regards to the main theme of Campbell’s article and the points Marcy raises, which debunk Leonard’s theories and VIPS who accepted it without proper vetting, (i.e. time stamping). You seem both seem in total agreement aside from you attacking his question as psychobabble. Robert, as regards MSM, they just want a seat at the table, which means being uncritical of “Trump psychobabble”.

  8. pdaly says:

    I read the Duncan Campbell piece emptywheel linked to in the main post describing Adam Carter (pseudonym of Tim Leonard)’s numerous behind the scenes machinations. Great article.

    Tangential to the main point, I noticed Campbell mentions that a Steve McIntyre, a retired engineer:

    “In a bizarre and telling sequel, a retired engineer later spotted that some files released in London had popped up a second time in a batch of so-called “Clinton Foundation” files published by Guccifer 2.0 in October. But the file modification times were one hour different. This happens if computer time zone settings are being manipulated as files are copied and recopied, as described above. This was an inconvenient truth. Accepting that the engineer, Steve McIntyre, was factually correct, the Forensicator came up with a comic and far-fetched explanation to avoid talking about clock tampering.”

    Looks like the same “Steve McIntyre” commenter on this website in the comments section (November 2017) below my question about what/who is  Adam Carter? I wish I could follow all the technical details (edited for clarity: McIntyre’s comment is not answering my question, just that his comment follows mine).

      November 3, 2017 at 8:24 pm  

  9. harpie says:

    A few minutes ago, on Twitter:


    5:59 AM – 2 Aug 2018 That point when “Adam Carter” starts responding to real criticism in precisely the same way Donald Trump does. 

    “Adam Carter”

     5:57 AM – 2 Aug 2018 Replying to @with_integrity @dcampbell_iptv @emptywheel 

    You have demonstrably and objectively libeled me, in this alone, Campbell. // Can’t believe those around you didn’t reign you on such a blatant propaganda effort. // Is this all revenge because I called out your own efforts to propagandize Intercept readers?


    • Trip says:

      I just posted and deleted, when I saw yours. Shit’s gettin’ real between Marcy and Leonard (whatever “Carter”).

  10. Willis Warren says:

    Has anyone done any linguistic analysis (key phrases) on the comments here to put a probability on the pseudonyms he’s possibly using?  it’s not perfect, but it could probably be useful.

        • orionATL says:

          another guess:

          there was one other notable highly active, highly critical, often misleading commenter in march-april, 2016. i can’t recall the name off hand. at times he and lefty almost seemed to be working in tandem.

        • orionATL says:

          this particular commenter also professed to be canadian but was so notably biased one could have guessed a russian gov troll instead. i recall one comment in which he cited a seriously inaccurate article from (i believe) the independent (u. k.).

  11. orionATL says:

    with the background outlined below, one wonders why leonard would not be of as much interest to the fbi and doj as “malwaretech” has been:



    At the start of his career, Leonard (pictured left) helped create a firewall system, PeerGuardian, which was designed to block music industry investigators from infiltrating networks where computer users shared music in breach of copyright laws. Leonard worked with a group of privacy and piracy activists in Europe, Canada and the US. His online name was Method.
    Leonard’s website Methlabs was used to develop and support PeerGuardian. His blog posts on Methlabs promoted Ecstasy test kits, shared cracked programs and hacks, and threatened distributed denial of service (DDOS) attacks on film industry anti-piracy teams.
    Leonard was later hired to run servers for Simplyclick, a now-defunct portal which provided intranets for British schools.
    Evidence recorded by the Internet Archive shows that he hid blocking lists of film industry investigators’ addressesinside Simplyclick’s infrastructure. Archived evidence from Simplyclick also refers to a Methlab tool, XS… ”
    from the computerweekly. com article. 


    i suppose these days it boils down to who’s president.

Comments are closed.