The NYT’s Legitimate Email Detail

The NYT has a long story describing the hack of the Democrats in the most favorable light to the party, one that blames “socialist” Bernie Sanders for the months-long delay before the DNC tech person responded to FBI warnings about being hacked, one that makes no mention of the widely reported detail that Democrats were happy to have an excuse to fire Debbie Wasserman Schultz.

Given that it puts things in a light so favorable to the Democrats, I wanted to look more closely at this passage, which has gotten a lot of attention.

Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the “change password” button.

“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”

With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.

It points to a detail that has always struck me about the stories about the hack of John Podesta. They note — as I did — that we can look at the email reportedly used to hack Podesta. Here’s the entirety of what Delavan sent to a woman named Sara Latham, who forwarded it to a woman named Milia Fisher:

This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account.

He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this is done ASAP.

If you or he has any questions, please reach out to me at [phone].

It may be that he mistyped legitimate for illegitimate. But he also said that Podesta should change his email password and add two-factor authentication. Perhaps the mistake was in forwarding the email with the link, rather than just responding by saying Podesta was being phished.

The part that has always puzzled me about this email — and the likely reason why he’s now telling a story that doesn’t entirely make sense — is that he also did the safe thing. He provided the real Gmail address at which staffers could have changed the password and added 2FA. Had those staffers used that link, they could have avoided a whole lot of trouble and made any subsequent hack less likely.

I even, at one point, doubted whether this really could have been the email used to hack Podesta, because it shouldn’t have worked, given that he took the right steps (though the timing of the emails does correlate with the dates of what got released).

What is more likely to have happened is that one of the women used the bad URL to change the password (which would have appeared all shiny in the original), rather than the correct URL that Delavan provided. That is, it may be that Delavan is covering for one of the women.
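Telling the styled button's destination apart from the real Google link is a check that can be automated. The following is an added example, not part of the original post; the sample HTML, the placeholder `.example` host and the trusted-host list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts where a Google password/2FA change legitimately happens.
TRUSTED_HOSTS = {"myaccount.google.com", "accounts.google.com"}

# Constructed sample: a styled button on a placeholder host (reserved .example
# TLD) followed by the plain link from the aide's reply quoted above.
SAMPLE_HTML = """
<p>Someone has your password. You should change it immediately.</p>
<a href="http://accounts.google.com.security-check.example/signin?x=1"
   style="background:#4d90fe;color:#fff">CHANGE PASSWORD</a>
<p>He can go to this link:
<a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_links(html):
    """Return [(href, text, verdict)]; verdict is 'trusted' or 'suspicious'."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        # Exact host match over HTTPS only: a trusted name appearing as a
        # left-hand label of some other domain does not count.
        ok = parts.scheme == "https" and host in TRUSTED_HOSTS
        results.append((href, text, "trusted" if ok else "suspicious"))
    return results


if __name__ == "__main__":
    for href, text, verdict in classify_links(SAMPLE_HTML):
        print(f"{verdict:10} {text!r} -> {href}")
```

The verdict depends only on where the link actually points, not on how the button looks or what its label says.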

Update: I realized after posting how the typo thing might make sense, and changed that part, but there’s still the point that he did the right thing here.

Update: Slate interviewed Delavan, who said the NYT got the phrasing wrong. The story still doesn’t seem to make sense entirely.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

18 replies
  1. sponson says:

    Wait a minute, I am an IT worker and deal with these issues constantly. I have no idea if Delavan is lying or not, but it wouldn’t be all that odd for him to think “That’s illegitimate, but it reminds me that in order to avoid future phishing attacks like this, he should add two-factor authentication, and change his password while he’s at it, just in case.” As a professional who does exactly this stuff every day, Delavan’s response looks very much like it could be a lazy IT worker’s CYA e-mail. What seems more suspicious to me is that Delavan didn’t immediately bother to go personally to Podesta’s computer and investigate.

    • So Far Right says:

      Going to Podesta’s computer wouldn’t have accomplished anything, this was a phish for his email password, not spyware/malware/virus (as far as we know).

      Most likely scenario is that no one wanted to tell Podesta that his password had been compromised and he needed to create a new one better than runner123.

      Delavan did the right thing in the circumstances, other than the typo. Podesta created a steaming pile of shit with a shared Gmail account, weak password and no 2FA.

  2. makomk says:

    The other odd thing about this is that “illegitimate” is such an unnatural word to use in this context. It reads like he failed to check the link, mistook the phishing email for Google’s genuine warning of account access (which looks almost identical), and is covering for himself.

  3. Tom Maguire says:

    I agree that the entirety of the email makes it seem as if the techie was not entirely caffeine-deprived, but grammaticians will never rest easy on the obvious “a” / “an” problem – who would intend to write “this is a illegitimate email”? (OK, other than people with millionaire uncles in Nigeria who need just a few dollars now.)

    I lean towards a brain-lock theory – Regardless of what he wrote, what he was thinking was “This email has identified a legitimate problem”, after which he provided a sensible solution. Too bad the writer was a bit less verbal and the recipient was a bit (or a lot!) less tech savvy.

  4. bevin says:

    The plot thickens- the story grows ever more complex, the circumstantial detail is just piling up, but the evidence remains…non existent.

    It will be interesting to see if there is ever any evidence adduced to back the assertion that the emails were ‘hacked’ and that Craig Murray’s insistence that they were leaked by an ‘insider’ can be proven wrong.

    In any case the information released was information that the American People had every right to consider before entrusting anyone with the vast powers of the imperial presidency. Powers whose extent is underlined by today’s news that Obama has ordered that the Report of the Committee on the use of torture should not be published until three more Presidential terms have been completed. And the story there is that this, too, is information that the electorate  has a right to be able to consider.

    • greengiant says:

      Seems almost all are conflating two different leaks while ignoring the Clinton foundation server. First the DNC server leak which preceded Seth Rich’s July 10th, 2016 murder. Second the Podesta gmail leak allegedly phished March 2016, and released by Wikileaks starting October 7th, after the circa September 21 NYPD/NY FBI seizure of the Weiner/Abedin laptops with HRC and DNC emails.

      Were Podesta’s gmails part of the DNC server leak,  were they part of the Weiner/Abedin laptop?  Were they in the cloud?   The consortiumnews article suggests the NSA is not supporting the Neo-liberal the Russians did it script.   At the very least Google read all of Podesta’s emails.   Perhaps the same Podesta leaker leaked to  Eric Prince and Giuliani as well,  or is someone making the argument that Assange preleaked to the Trump campaign?

  5. Evangelista says:

    Does anyone remember Phillip Knightley’s 1975 Book “The First Casualty”?  It had a short vogue and then went timeless.  For most who read it it appears to have gone into a memory-hole limbo;  kind of remembered as read, but the content sorta somewhat vague…  Like most that most read.

    Now, when both Goddesses, Truth and Justice, are being slaughtered with elan and aplomb by armies of propagandists, story-tellers, stretcher-stretchers, “rights” observers, and all manner of other gas-blowers intent on keeping their chosen balloons inflaté and aloft, would be a good time to re-read, or read what is still pretty much the last word on realification of mythographications.  Knightley, among whose last memorable activities was posting bond for Assange, and taking the loss of it when Assange went into embassadic incarceration, died December 7, with not near the notice he deserved, even for the one book, let alone what more he accomplished (to the discomfits of a number of the elites and upper-echelon parasitic and their supporting establishment classes.

    I can imagine it possible that although 87 years old, and so susceptible to natural causes, Knightley died of boredom while reviewing the “Russian Hacking to Harry and Harrass the Harpy for the Humbug” scandal that has all the hounds of the Media-villes in full and bloviate bell just now (and has had since when a diversion was ‘needed’ before the elections, as yet more of “God’s Side” found yet more of their fabric’d constructions going down in flames).  Just too much of the same-old same-old blowing up and gassing out it shorter and shorter cycles…  The mythical mists getting thicker, becoming methane, coalescing to become the smoke of Ragnarók…

  6. Phil Perspective says:

    You forgot the best part.  The DNC’s IT contractor not bothering to figure out if the call from the FBI office was real!!  Do they really get that many phony phone calls to the DNC office claiming to be the FBI?

  7. sponson says:

    Evangelista, I certainly remember Knightley’s book “The Second Oldest Profession,” in which with his unusual iconoclastic style he argues that all the spy agencies of history accomplished very little, even in for example WWII. Unforgettable and had a permanent impact on my assessment of the CIA et al. Recommended reading for anyone old enough to remember the 20th century.

  8. Rayne says:

    Folks are forgetting that even respected info security companies can be spear-phished. Recall first half 2015 when a remote Kaspersky employee was spear-phished by Duqu 2.0, infecting Kaspersky’s entire network, detected only by unusual traffic. If Kaspersky could be infected, why are any of us surprised when a political party is infected during the height of their general election campaign cycle? I’m rather surprised they weren’t riddled with infections.

    As for using Craig Murray of the UK as some expert on conflicts within a U.S. political party — he (as well as those who tout him) doesn’t seem to understand that Bernie Sanders was NOT a Democratic Party member before he chose to run as a Democrat for POTUS. Even now, Sanders has already reverted back to non-Democratic Party status. Why should anyone outside the Democratic Party be surprised that a long-time Democratic Party member — married to a former Democratic Party president, who ran and won a Senate seat as a Democrat, ran as a Democratic Party POTUS candidate in 2008, who worked as cabinet member under  Democratic Party president — should somehow be favored by their own party is beyond comprehension. If Murray can’t grasp this rather unsubtle nuance, what else is he missing?

    • harpie says:

      Hi Rayne,

      hmmm…It seems I have to first do a “trial balloon” comment to get the Respond button to work …[Please see my comment below at 10:09 am]

  9. martin says:

    Can someone point me to any info on this that explains HOW the FBI knew the DNC email system was being attacked.  This part of the story seems highly suspect.  I mean, it suggests the FBI must MONITOR specific email systems ..continuously.  Which suggests.. they are doing exactly what NSA does… DOH!  ..hmmmm, I wonder.. naw.. wait..  could it be.. the NSA tipped off the FBI?  Funny how nary a word has been mentioned about the NSA in all this stuff.  Why is that? I mean, surely, the NSA knows who is at the bottom of this crap, right? And why was the CIA involved in domestic SIGINT?  Doing NSA’s job.

    Something stinks in this whole story. Nevertheless.. the fact remains. The FBI MUST be monitoring email systems. But how many, and whose? Methinks there is more to this story than meets the eye.

    The other question is.. why would the FBI CALL the DNC? Instead of sending an agent? I mean..if they KNEW the Russians were hacking..a political party during the election campaigns? WTF? This just seems plain bizarre.

    • SpaceLifeForm says:

      Call vs agent visit.

      If no agent visit, maybe call not from fbi.

      If call really from fbi, maybe due to leak
      from nsa person to fbi person. The call
      from fbi (if legit cid) would provide the
      metadata to nsa leaker that the leak was
      passed on. Just a scenario. Many more
      exist but many scenarios you will
      likely not see in the press. Most press
      is not trustable since via leaks.
      Like this entire story is.

      Even the nsa to fbi scenario could also be a
      trap for an nsa leaker depending upon how
      much nsa trusts cid and the switch where the
      call originated. (cid easily forgeable esp if
      you control the telephone switch/pbx/etc)

      There are numerous side scenarios and
      gets back to the now age old question:
      Who is watching the watchers?

      To me, if fbi really knew, it would be a
      multiple agent visit.

  10. martin says:

    Now that I think about it..  how come the FBI DIDN’T warn the RNC of possible hacking of their email system?  After all, at the time, no one knew the contents of the DNC emails.  All the FBI knew was SOMEONE was hacking one  political party email system.. why not the other too?

    Moreover, since Trump was supposedly receiving briefings from the IC..  why wasn’t he informed as well?  His current claim that the Russians were the alleged hackers is ridiculous, that tells me he wasn’t told about it prior to the DNC emails being released by Wikileaks. This is weird in itself.

     

    Again… something stinks.

  11. harpie says:

    Rayne, Hi!
    I’m trying to respond to your comment, [just to agree] but the Reply button doesn’t seem to be working for me.
    *
    Also, [o/t] thanks for the shout-out in June about the Flint Timeline work we did together. :-) I was MIA from lots of stuff for a while, and hadn’t seen it until two days ago.
    *
    Speaking of which, I recently received the latest American Water Works Association report on Flint in the AWWA Journal: “Flint Water Crisis: What Happened and Why?”, by Susan Matsen, et. al; AWWA Journal; 12/2016
    *
    “[…] We have investigated the chemistry and engineering behind what happened to Flint’s water, why it was corrosive, and the extent to which the system appears to be recovering. […]”
    *
    It’s behind a paywall, so I can’t yet access it digitally, but will, if you’re interested. I can also just transcribe the best bits for you here…
    -harpie

  12. Felicia says:

    What strikes me when reading this long reconstruction in the NYT is the way the role of Yared Tamene is described. Sort of downplaying his position and leaving the impression this guy is someone at the IT-helpdesk of the DNC, reacting pretty awkward and lazy on the information he got from the FBI.

    FBI was ‘naturally’ connected with the helpdesk and talked with techsupport contractor, no expertise on cyberattacks, Yared Tamene. After being told about Dukes he decided to google this and search the logs of the DNC.

    facts: Yared Tamene was director of information systems /IT at the DNC. http://www.p2012.org/parties/committees/dnc12.html. If he had not heard about Dukes, which seems highly unlikely taking into account his job, his google search for “Dukes” should have alarmed him if he is not a retard. At that time “Dukes” (september 2015) was written about in quite some articles in IT magazines and absolutely showed a link to the Kremlin. e.g. http://www.dailydot.com/layer8/russia-apt-the-dukes-f-secure-whitepaper/

    But our Yared was lazy and had no clue and thought the FBI phonecall probably came from a prank. Let’s do nothing he thought and even after several other phonecalls he seemed obsessed by the idea he was fooled and just let it go. Okay we read also he does not work full time, so maybe it slipped his attention. But we also learn that the poor Yared had to figure all out by himself. The contractor that works for a firm in Chicago is in fact vice president of this firm.

    At one point, the NYT does not tell us when (but according to the article it must have been after april 2015), he thought let me write a memo. We have to guess who he addressed. But that he had lots of problems with this maybe wannabe FBI-agent is for sure. He could not e-mail anyone about this because of security, and it seems there were no other options to communicate about this.

    But.. in november a DNC computer had a message, normal human-beings only know about from James Bond movies had an alarming message: the computer was calling home .. which means russia. Omg a state sponsored attack! Mr Brown the director technology, said to be the person the director of IT had to report to, was so busy with the mean Bernie Sanders campaign that had improperly gained access to Clinton’s campaign data that he could not pay attention to this. (bernie is even more dangerous than russians).

    But end good all good, after 7 months even mister Yared Tamene saw the light and concluded that the guy that gave all these calls was really FBI. Applause, but not too much.

    After the Podesta phishing attempt, a second wave mr Yared Tamene forgot all and according to the NYT still “‘ saw no reason to be alarmed….. huh? And then finally in april our anti-hero found suspicious activity when evaluating the logs of the DNC.
    We also learn from an ex-FBI and in the meantime CrowdStrike Services president (also investigating all this stuff) Shawn Henry, that he was baffled that the F.B.I. did not call a more senior official at the D.N.C. or send an agent in person to the party headquarters to try to force a more vigorous response.
    Who is more senior than the director IT and the director technology?
    Imo this article is part of the disinformation, which is very worrying. The way it frames Yared Tamene just does not fit. It seems ex-FBI Shawn Henry and in the meantime working for the commercial enterprise CrowdStrike, blames the FBI ( because of opposing the CIA in their assessment of the hacking?)
    It stinks indeed
     
