On the Joint Analysis Review, AKA the False Tor Node Positives Report

As I noted here, everyone agrees that the Joint Analysis Report released with Obama’s sanctions package is a shitshow (here’s the best explanation of why). But aside from complaining about how the shitshow JAR undermines the Administration’s claims to have confirmed Russia’s role in the DNC hack, no one has tried to explain why the Administration would release such a shitshow report.

Until now. Jonathan Zdziarski argues that the reason the Administration released a shitshow report is that it is very worried about the extent of Russian infiltration of our infrastructure, and that by releasing a bunch of indicators that are probably not Russian but might be, it will get a lot of people (like the utility Burlington Electric) looking for things that might be Russia, all while protecting the real intelligence that would expose sources and methods.

One thing that’s been made clear by recent statements by James Clapper and Admiral Rogers is that they don’t know how deep inside American computing infrastructure Russia has been able to get a foothold. Rogers cited his biggest fear as the possibility of Russian interference by injection of false data into existing computer systems. Imagine the financial systems that drive the stock market, criminal databases, driver’s license databases, and other infrastructure being subject to malicious records injection (or deletion) by a nation state. The FBI is clearly scared that Russia has penetrated more systems than we know about, and has put out pages of information to help admins go on the equivalent of a bug bounty.

Everyone knows that when you open a bug bounty, you get a flood of false positives, but somewhere in that mess you also get some true positives; some real data. What the government has done in releasing the JAR is made an effort to expand their intelligence by having admins look for (and report) on activity that looks like / smells like the same kind of activity they found happening with the DNC. It’s well understood this will include false positives; the Vermont power grid was a great example of this. False positives help them, too, because it helps to shore up the indicators they’re using by providing more data points to correlate. So whether they get a thousand false positives, or a few true ones in there, all of the data they receive is helping to firm up their intelligence on Russia, including indicators of where Russia’s interests lie.

Given that we don’t know how strong of a grasp Russia has on our systems, the JAR created a Where’s Waldo puzzle for network admins to follow that highlights some of the looser indicators of compromise (IP addresses, PHP artifacts, and other weak data) that don’t establish a link to Russia, but do make perfect sense for a network administrator to use to find evidence of a similar compromise. The indicators that tie Russia to the DNC hack were not included in the JAR and are undoubtedly classified.

There are many good reasons one does not release one’s evidentiary artifacts to the public. For starters, tradecraft is easy to alter. The quickest way to get Russia to fall off our radars is to tell them exactly how we’re tracking them, or what indicators we’re using for attribution. It’s also a great way to get other nation states to dress up their own tradecraft to mimic Russia to throw off our attributions of their activities. Secondly, it releases information about our [classified] collection and penetration capabilities. As much as Clapper would like to release evidence to the public, the government has to be very selective about what gets released, because it speaks to our capabilities. Both Clapper and Congress acknowledged that we have a “cyber presence” in several countries and that those points of presence are largely clandestine. In other words, we’ve secretly hacked the Russians, and probably many other countries, and releasing the evidence we have on Russia could burn those positions.

I don’t know. I remember that Khalid Sheikh Mohammed had the CIA spending three months chasing black Muslim extremists who were supposedly planning to set forest fires in Montana. False positives waste limited resources. Perhaps the intelligence community thinks this is okay because it’s not their resources that will go to waste. But the entire thing seems to have increased the skepticism about the value of the government’s threat reporting, which is all in all a bad thing.

But false positives do have two other purposes. I would hope these two aren’t the reason why the IC released a shitshow report, but they deserve consideration.

First, false positives raise the fear level. Last week’s Vermont false alarm is the perfect example of that: within hours — even on a Friday night — much of the country was worrying about our power grid. And remember, that false alarm was leaked by a Senior Administration Official who chose to leak it to someone who is not an expert in this field.

At that level, this felt like the 2004 leaks about an election year al Qaeda plot that — we now know — were secretly used to reauthorize torture and the dragnet, but which were largely bogus and partly based on torture. I can only imagine the kind of heightened surveillance the IC is putting in place behind all this fearmongering.

But there’s another effect of the false positives that have already been generated by this report: tying a bunch of Tor nodes to Russian spying. Almost immediately after the report came out, Jerry Gamblin found that 21% of the IP addresses were Tor nodes. Micah Lee did more analysis and found that 49% of the IP addresses in the report are or recently have been Tor nodes.

What we don’t know about the Tor nodes, though, is how they came to be included in the report. Did they just happen to be used in a Russian attack; did the Russian hackers simply let the Tor client pick which exit relay their traffic came out of? (A target’s logs only ever record the exit relay’s address, never the client’s, which is why exit relays end up in an indicator list in the first place.)

Or did the hackers choose, as you can do, which nodes they would use? (A Tor client’s ExitNodes setting can pin the exit to a given country or to specific relays.) There are a few reasons to pick a certain node over another. If you’re trying to watch the Beeb’s coverage of the Olympics, for example, you’ve got to pick an exit in England.

But a more likely choice, for a smart Russian hacker, is to selectively choose nodes that the hacker believes would not keep logs.

Now consider some of the nodes that have been identified specifically. A Dutch paper made a big stink that the node operated by Rejo Zenger, who works at Europe’s equivalent to EFF, was on the list. Something like 11 of the IP addresses are nodes operated by Calyx Institute, the non-profit ISP operated by Nick Merrill.

Merrill is, as you may remember, the guy who spent a decade challenging a National Security Letter he received back in 2004. A big part of what he exposed is that the FBI was wrongly trying to obtain data-flow records with NSLs. In the last year, spooks have made several, thus far unsuccessful, efforts to get legal sanction for what Merrill exposed: the illegal acquisition of Electronic Communication Transaction Records using just an NSL.

Maybe Russian hackers chose to exit through Merrill’s Tor nodes because he doesn’t log traffic. Or maybe the government included him on this list because they know he doesn’t log traffic.

The effect, however, is to (temporarily) burn select Tor nodes, perhaps those that don’t log traffic, making it harder for anyone the government is trying to pursue through Tor to use it (and probably also making it more likely they’ll use one of the many nodes believed to be operated by US intelligence). We know the NSA does a variety of things to force traffic onto switches it has access to; could the JAR just be a very elaborate way of forcing Russian traffic onto Tor nodes the FBI and NSA have access to?

Not to mention tarring the most committed privacy activists with association with Russian hackers.

Maybe that’s not the intended effect of a report designed to generate false positives. But I’m sure the government considers it a happy side effect.

Update: Sounds like just about everyone found these indicators in their logs.

Robert M. Lee, CEO of the Maryland-based industrial security firm Dragos Inc., warned his customers, who span critical infrastructure including water, electric, manufacturing and petro-chemical sites, that the technical information was bad. About one dozen called with concerns.

“Every single company we have as a customer who ran the indicators got alerts, and all the alerts were bad,” Lee said. “These addresses were not only not descriptive of Russian activity, they were not descriptive of malicious activity. They were actually common sites.”

[snip]

One of the businesses that called Williams reported that an address tracked to Microsoft’s telemetry server, which sends data to Microsoft when an application crashes. That conversation with his client spun into an hour-long discussion of “can we trust this report at all?” Williams said. “My short answer on this is no.”

He added: “This has a real cost to business. I suspect for a lot of them there (was) a lot of money spent chasing ghosts.”
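The two findings above, that roughly half the JAR’s addresses are or recently were Tor exits, and that the rest lit up on ordinary sites like a vendor’s crash-reporting server, are both things an admin can check before loading an indicator list into a SIEM. The script below is an added example, not code from the original post, from the JAR, or from Gamblin’s or Lee’s analyses. It reads a JAR-style indicator CSV, compares each address against several dated Tor exit-list snapshots (the TorDNSEL “ExitNode / ExitAddress” format the Tor Project publishes), and then against address blocks an analyst has already vetted as benign. Every input is constructed: the addresses are RFC 5737 documentation ranges, the relay fingerprints are invented, and the benign block is a placeholder.

```python
"""Triage an indicator list against Tor exit snapshots and vetted-benign ranges."""
import csv
import io
import ipaddress
from collections import Counter

# --- Constructed sample input (not from the JAR) -----------------------------
# JAR-style CSV (indicator,type). All addresses are RFC 5737 documentation ranges.
IOC_CSV = """\
indicator,type
203.0.113.5,IPV4ADDR
203.0.113.17,IPV4ADDR
198.51.100.9,IPV4ADDR
198.51.100.200,IPV4ADDR
192.0.2.77,IPV4ADDR
192.0.2.78,IPV4ADDR
example.invalid,FQDN
"""

# Two TorDNSEL-format exit-list snapshots, two days apart. Fingerprints are invented.
EXIT_LIST_2016_12_29 = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-12-29 00:10:00
LastStatus 2016-12-29 01:00:00
ExitAddress 203.0.113.5 2016-12-29 01:03:11
ExitNode 0000000000000000000000000000000000000002
Published 2016-12-29 00:12:00
LastStatus 2016-12-29 01:00:00
ExitAddress 198.51.100.9 2016-12-29 01:04:40
"""
EXIT_LIST_2016_12_31 = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-12-31 00:10:00
LastStatus 2016-12-31 01:00:00
ExitAddress 203.0.113.5 2016-12-31 01:02:58
ExitNode 0000000000000000000000000000000000000003
Published 2016-12-31 00:11:00
LastStatus 2016-12-31 01:00:00
ExitAddress 203.0.113.17 2016-12-31 01:05:02
"""

# Placeholder: blocks an analyst has positively identified as benign infrastructure.
KNOWN_BENIGN = {"192.0.2.64/26": "vendor crash telemetry (placeholder)"}


def parse_iocs(csv_text):
    """Return the IPv4 indicators from a JAR-style CSV; other types need their own path."""
    ips = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("type", "").strip() != "IPV4ADDR":
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(row["indicator"].strip())))
        except ipaddress.AddressValueError:
            continue  # hand-assembled lists contain junk rows; skip rather than abort
    return ips


def parse_exit_list(text):
    """Collect the ExitAddress entries from one TorDNSEL exit-list snapshot."""
    return {p[1] for p in (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[0] == "ExitAddress"}


def triage(ips, snapshots, benign_nets):
    """Classify each IP. snapshots: [(label, exit_set)] oldest first; the last is 'current'."""
    current = snapshots[-1][1]
    recent = set().union(*(s for _, s in snapshots[:-1]))
    nets = {ipaddress.ip_network(c): why for c, why in benign_nets.items()}
    verdicts = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if ip in current:
            verdicts[ip] = "tor-exit-current"
        elif ip in recent:
            verdicts[ip] = "tor-exit-recent"  # was an exit earlier in the window
        else:
            why = next((w for net, w in nets.items() if addr in net), None)
            verdicts[ip] = f"known-benign: {why}" if why else "unclassified"
    return verdicts


def summarize(verdicts):
    """Per-category counts plus the share of indicators that are (or were) Tor exits."""
    counts = Counter(v.split(":")[0] for v in verdicts.values())
    tor = counts["tor-exit-current"] + counts["tor-exit-recent"]
    share = tor / len(verdicts) if verdicts else 0.0
    return {"total": len(verdicts), "tor_fraction": share, **counts}


if __name__ == "__main__":
    snaps = [("2016-12-29", parse_exit_list(EXIT_LIST_2016_12_29)),
             ("2016-12-31", parse_exit_list(EXIT_LIST_2016_12_31))]
    verdicts = triage(parse_iocs(IOC_CSV), snaps, KNOWN_BENIGN)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
    print(summarize(verdicts))
```

Only the “unclassified” bucket is worth alerting on as-is; the Tor buckets tell you an exit relay was used, not who used it, and the benign bucket is exactly the noise Lee’s customers paid to chase. The “recent” distinction matters because exit lists churn daily, which is why a single current snapshot (Gamblin’s 21%) undercounts what a window of snapshots (Lee’s 49%) finds.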

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

17 replies
  1. Nyna says:

    I rarely post comments on line, but I think the coincidences listed below are germane to the conversation — not about Tor nodes, specifically, but to the Russian hacking claim in general.

    This article was posted by KrebsonSecurity in September 2016:

    https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/

    It describes how vDOS, an Israeli “online attack service” (aka goon squad) got hacked, its secrets revealed. One of the secrets revealed was this:

    The DDoS-for-hire service is hidden behind DDoS protection firm Cloudflare, but its actual Internet address is 82.118.233.144.

    Does that say what I think it says? That Cloudflare is an outfit that provides cover for malicious activity?

    That’s one point. Here’s another that may or may not be related:

    Someone hired a DDoS attack on Russian banks and the Russian Ministry of Economic Development that lasted from November 8 to 12.

    https://securelist.com/blog/incidents/76728/ddos-attack-on-the-russian-banks-what-the-traffic-data-showed/

    A hacker going by the handle “vimproducts” bragged about it @ Motherboard.

    http://motherboard.vice.com/read/hacker-claims-to-take-down-russian-bank-websites-on-election-day

    The article opens with this paragraph

    Just as Americans are lining up to vote, one DDoS-for-hire service has already claimed responsibility for several brief attacks against Russian targets, apparently in response to the country’s alleged interference throughout the US election.

    which links to a previous Motherboard article from July hyping the Cloudflare accusations against Russia.

    https://motherboard.vice.com/read/all-signs-point-to-russia-being-behind-the-dnc-hack

    Cloudflare, it seems to me, might be being used as cover for activities more malicious than just DDoS attacks.

    • Nyna says:

      Oops.

      Pulled the trigger with the gun still in its holster. Quite painful.

      Abject apology to Marcy, her community, and the innocent IT company I have here maligned.

      Cloudflare is not CrowdStrike.

      Please disregard the above comment.

  2. Cujo359 says:

    But there’s another effect of the false positives that have already been generated by this report: tying a bunch of Tor nodes to Russian spying. Almost immediately after the report came out, Jerry Gamblin found that 21% of the IP addresses were Tor nodes. Micah Lee did more analysis and found that 49% of the IP addresses in the report are or recently have been Tor nodes.

    Which makes me wonder how many of the other nodes are those of VPN providers. Many have output nodes all over the world. Assuming that those nodes aren’t as thoroughly documented as Tor nodes are, I suspect they’d be tougher to list, but it leaves open the possibility that nearly every suspect node in the government’s list is BS.

  3. arbusto says:

    Wonder when congress will introduce bills mandating all VPN companies (on shore and off) wishing to continue with onshore clients, log all activity. The IC would just love more unfettered, unregulated, unreported snooping. In our Orwellian world, you must be guilty of something if you want your privacy.

  4. Bjorn Jensen says:

    You folks are so smart in your field. However , for luddites like me- although not completely ignorant – but intensely curious to understand this subject-which is why I read empty wheel to educate myself-
    Is there some way this specialist information could be distilled as a type of -hacking for dummies for us? Mr Robot aside- for me – a fictional account of this world which is very intriguing and entertaining- people like me-although not a total dummy-
    ( I lecture in critical theory) so I sure could use some help as news outlets are totally wanting and full of BS- so on this particular subject, I check in with empty wheel and the Intercept –
    This is a serious issue which many others like me – need to know and understand more-
    You provide serious answers – but I sure could use a technical dictionary
    Thank you for your hard work

    • SpaceLifeForm says:

      You can start here:

      https://en.m.wikipedia.org/wiki/Computer_security

      After a few weeks of following all of the links around, you will certainly understand how complex the mess is.

      You hopefully will also entertain other scenarios such as:

      How do I know if my network traffic is really going ‘best route’ or is it going through a transparent VPN or through TOR?   (or both in combination)

      Why should I trust a VPN or TOR anyway?

      Why should I trust BGP?

      Why should I trust DNS?

      Why should I trust CDNs?

      Why should I trust RSA?

      Why should I trust CAs?

  5. Nyna says:

    Dear moderator,

    PLEASE disregard the comment I posted earlier re: Cloudflare!

    I was getting it confused with Crowdstrike.

    Most sincere apologies.

  6. martin says:

    In closing, there’s only ONE answer to your future. SURVIVAL by virtue of the 2nd Amendment. Get a gun. You are going to need it..eventually. After all..look around the planet.

  7. lefty665 says:

    There must be huge frustration within the IC. Boobus Americanus cannot be troubled to implement or maintain even modest security. For businesses it costs money and detracts from the quarterly bottom line. From individuals the response is mostly what??? my password can’t be “123456”, and why do I need a password anyway?  The phishing that compromised Podesta and the DNC was dead simple. Click on a link when the email tells you to, or don’t click on a link. Oh dearie me this is all so confusing.  It may be that as a nation we are not bright enough to be connected to the web.

    Is there any reason the shitshow can’t include all of the motivations you cite? Plus at least one you did not. That is sheer personal animosity to Trump from people like Brennan and Clapper. They’re doing all the damage they can on the way out the door.

    Nor do they want anything to get in the way of the neocon, lib hawk rush to war with evil Vlad and his hordes. That may be where we get down to it, a concerted propaganda campaign to back Trump into a corner even before he takes office and impair his ability to rationalize our relations with Russia. That would explain why Trump is pushing back so hard and discounting the crap Brennan et al are blanketing us with. FEAR, PANIC, THE RUSSIANS ARE COMING TO STEAL OUR DEMOCRACY THAT THEY HATE US FOR. BE AFRAID, BE VERY AFRAID. Sigh, look they’ve even infiltrated the power supply in Bernie’s home town. Damn socialist probably gave them the passwords. Does that leak have Joe Biden’s fingerprints all over it or what?

    • SpaceLifeForm says:

      It is FUD from MIC.
      MIC used to mean Military Industrial Complex
      but these days it may be more accurate to say
      Military Intelligence Community.

      Of course Military Intelligence has always been considered as an oxymoron.

      So, this can explain a lot of current events.

Comments are closed.