The Proxy Step Ignored in the NGP/VAN Analysis

I’m working on a longer post on the two reports that went into this VIPS letter and in turn this even more breathless Nation article.

One of the two underlying reports those pieces rely on to raise doubts about the Intelligence Community’s conclusion that Russia hacked the DNC was written by a pseudonymous author under the name The Forensicator. It argues that the data “published by a persona named Guccifer 2” on September 13, 2016 was first copied locally, probably on a Linux system, on July 5, 2016, and was then transferred again on a Windows system on September 1, 2016. Both events, it concludes, probably took place in the Eastern Timezone. The derivative reporting on this analysis claims, unjustifiably, that because the first event happened locally and both happened in the Eastern Timezone, they could not have been done by people associated with Russia.

The analysis of the data is worth reviewing, though some people quibble with the claim that the first event had to have happened “locally” (that is, over a LAN or similar direct access rather than over the Internet). Even granting that claim, there’s no reason to believe the event involved a DNC (or other Democratic) computer; the files could (and, according to the IC’s narrative about the hack, would) have been moved to a second server before July, in which case a fast local copy in July says nothing about how the data originally left the DNC. Nor is there any reason to assume events that took place in the Eastern Timezone could not involve people tied to Russia: a timestamp reflects the timezone setting of the machine that wrote it, not the nationality of whoever was using it.
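As an added illustration (not from the original post, and not The Forensicator’s own code, data or method), the script below reduces the two kinds of inference at issue to code: deriving a UTC offset by comparing a file’s UTC-based timestamp with its local wall-clock timestamp, and deriving an apparent copy rate from the spread of modification times. The file listing is constructed, the link-speed threshold is an arbitrary assumption, and the candidate zone list is illustrative. What it shows concretely is the caveat above: the offset identifies a clock setting, and the rate measures only the final write, so neither says where the data sat before or who was at the keyboard.

```python
"""Timestamp inferences of the sort discussed in the post, reduced to code.

Added example with constructed data; not the Forensicator's archive or method.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    name: str
    size: int              # bytes
    mtime_utc: datetime    # tz-aware UTC stamp, as kept by formats storing FILETIME-style UTC
    mtime_local: datetime  # naive wall-clock stamp, as kept by DOS/FAT-style 2-second fields


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed listing for illustration only; none of these files or stamps are real.
SAMPLE: List[Entry] = [
    Entry("reports/a.pdf",  900_000_000, _utc(2016, 7, 5, 22, 45, 10), datetime(2016, 7, 5, 18, 45, 10)),
    Entry("reports/b.xlsx", 600_000_000, _utc(2016, 7, 5, 22, 45, 41), datetime(2016, 7, 5, 18, 45, 40)),
    Entry("docs/c.docx",    700_000_000, _utc(2016, 7, 5, 22, 46, 23), datetime(2016, 7, 5, 18, 46, 22)),
    Entry("docs/d.zip",     500_000_000, _utc(2016, 7, 5, 22, 47, 10), datetime(2016, 7, 5, 18, 47, 10)),
]


def utc_offset(e: Entry) -> timedelta:
    """Local wall clock minus UTC for one entry, rounded to whole minutes.

    Rounding absorbs the truncation to even seconds that DOS-style fields
    apply, so a 1-second discrepancy does not look like a distinct offset.
    """
    delta = e.mtime_local - e.mtime_utc.replace(tzinfo=None)
    return timedelta(minutes=round(delta.total_seconds() / 60))


def infer_offset(entries: Iterable[Entry]) -> Optional[timedelta]:
    """The single offset shared by every entry, or None if they disagree.

    Disagreement suggests mixed clocks or hand-edited stamps; agreement only
    tells you what the writing machine's clock was set to.
    """
    offsets = {utc_offset(e) for e in entries}
    return offsets.pop() if len(offsets) == 1 else None


def has_two_second_granularity(entries: Iterable[Entry]) -> bool:
    """True if every local stamp sits on an even second, which is consistent
    with a DOS/FAT-style field (such fields cannot represent odd seconds)."""
    return all(e.mtime_local.second % 2 == 0 and e.mtime_local.microsecond == 0
               for e in entries)


def apparent_throughput(entries: Iterable[Entry]) -> float:
    """Bytes per second implied by the spread of modification times.

    An mtime marks the end of a file's write, so the earliest-stamped file
    finished before the measured span began and its bytes are excluded.
    The rate describes the last copy only, not where the data was before it.
    """
    items = sorted(entries, key=lambda e: e.mtime_utc)
    span = (items[-1].mtime_utc - items[0].mtime_utc).total_seconds()
    if span <= 0:
        raise ValueError("need at least two distinct modification times")
    return sum(e.size for e in items[1:]) / span


def exceeds_link(rate_bps: float, link_mbps: float) -> bool:
    """Whether the apparent rate is above a link capacity given in megabits/s.
    The threshold is the analyst's assumption, not a property of the data."""
    return rate_bps > link_mbps * 1_000_000 / 8


def zones_with_offset(offset: timedelta, when_utc: datetime,
                      candidates: Iterable[str]) -> List[str]:
    """Candidate IANA zones that had this offset at that instant ([] if no tz
    database is available). Every zone returned, and any machine whose clock
    is simply set to that offset, is equally consistent with the stamps."""
    try:
        from zoneinfo import ZoneInfo
    except ImportError:
        return []
    hits = []
    for name in candidates:
        try:
            tz = ZoneInfo(name)
        except Exception:  # zone missing from the local tz database
            continue
        if when_utc.astimezone(tz).utcoffset() == offset:
            hits.append(name)
    return hits


def summarize(entries: List[Entry], link_mbps: float = 100.0) -> dict:
    offset = infer_offset(entries)
    rate = apparent_throughput(entries)
    zones = ["America/New_York", "America/Toronto", "America/Santiago", "Europe/Moscow"]
    return {
        "offset_hours": None if offset is None else offset.total_seconds() / 3600,
        "dos_granularity": has_two_second_granularity(entries),
        "rate_MB_per_s": rate / 1e6,
        "exceeds_link": exceeds_link(rate, link_mbps),
        "consistent_zones": zones_with_offset(offset, entries[0].mtime_utc, zones)
                            if offset is not None else [],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed listing the offset comes out as UTC-4 and the apparent rate as 15 MB/s, above a 100 Mbit/s link and well below a gigabit one; which of those thresholds is "the Internet" and which is "the LAN" is a judgement the analyst supplies, which is exactly where the quibbles start.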

But even with those ready explanations that could align this forensic analysis with the IC’s analysis, there’s a step of the analysis that is entirely missing.

The Forensicator explains that the files were “published by a persona named Guccifer 2” and “disclosed by Guccifer 2.0 on 9/13/2016.” But that’s not true. Instead, the files were posted during a speech given in London by another hacker as a proxy for G2.0 on that day. The Forensicator relies on a copy posted by NatSecGeek. And while on Twitter G2.0 pointed to the speech the day before it was given, he never actually pointed back to the data on his WordPress site.

It’s true that the “speech” read on G2.0’s behalf at the conference relied on these files and posted a link to them:

This scheme shows how NGP VAN is incorporated in the DNC infrastructure. It’s for detailed examination, if you are interested. And here are a couple of NGP VAN’s documents from their network. If you are interested in their internal documents, you can have them via the link on the screen. The password is usual. It’s also on the screen. You may also ask the conference producers for them later.

But at the very least, it seems any analysis of these forensics needs to account for the hand-off and proxy involved.

One person I spoke to about these forensics said they looked like a skilled Linux user followed by an unskilled Windows user (because the latter copied the files via drag and drop). Perhaps. But given that we know there was a proxy step involved in the release, any analysis of why this several-step process took place would have to account for the fact that other people were involved in releasing the files.

27 replies
  1. seedeevee says:

    “Nor is there any reason to assume events that took place in the Eastern Timezone could not involve people tied to Russia.”

    Nor Santa Claus either.

  2. Rapier says:

    I have always been agnostic on this point, hack vs leak. I still am. I think a mistake is made to just say “Russia” this or “Russia hacked”. To me it’s just the buzz from grifters, self styled players and drama queens of all sorts of every nationality that are attracted to Trump like… well, you know the moth thing.

  3. lefty665 says:

    Dunno how the integration of NGP and VAN was handled. I do know that prior to the merger NGP systems were on their own servers in D.C.  As a user of both systems I found NGP and VAN data sets and software missions to be profoundly different. That is what made the merger attractive. It would not surprise me to learn that they are still separate systems, but linked at the end user level to provide access to both.  Email is also likely a separate system that rides under the heading of VAN.  Until we hear differently from someone who knows, the history suggests that NGP/VAN/Email may not be monolithic.

    Marcy, as much as I value your weedy analysis and analytic skills, it has to be pretty dramatic findings to supersede Binney. He’s a gold standard on nat sec tech.  I look forward to seeing your findings.  I am sure they will be interesting.

    Question, what do you think of Binney’s comments that NSA would have the traffic if there had been a web based data exfiltration from the DNC, and that if they had it we would have heard that at least indirectly. Since we have not, his answer is that they do not have that traffic because it never occurred. We have inferential confirmation of that with NSA’s “Moderate Confidence” in Brennan’s cherry picked analysis because the information in it came from “foreign sources”. That implies NSA does not have the confirming web data streams.  But, that goes to methods, not who or why.

    I’m betting on Debbie Wasserman-Schultz and the Dem’s Pak IT experts, con artists and thieves or Seth Rich for the first leak. Crowdstrike seems the likely suspect for the July 5th download that was done to be cooked into anti Russian propaganda and to deflect criticism of the DNC for its corrupt handling of the primaries. Just another of their services and a twofer given their orientation. That was also a reason to keep the FBI away from the DNC servers, wouldn’t want them inadvertently tripping over loose ends.



    • greengiant says:

      Each time anyone repeats the same propaganda point as Alex Jones,  Breitbart and other team Trump oligarch sources to me it is not only the propaganda,  it is the source of the propaganda.   Trying to bring in the bent NSA as a deus ex machina has some issues.  Does anyone expect the NSA to reveal the extent of extra legal “wiretapping” just so to prove one theory or another on any matter of interest?  What should drive anyone wild is the extent to which other actors, big data,  DNS lookup providers,  the DNC ISP,  I imagine internet plumbing routers ( read the same ones the NSA vacuums up) ,  etc have information and are not talking.   Foreign sources may include GCHQ tasked with sorting US data stepping around US executive orders.

      I will take your paranoia and double down.  Crowdstrike joined at the hip with Neo**** Atlantic Council, Turkey, KSA, Flynn, Mattis,  and pretty soon back full circle to Guccifer 2.0, other hackers,  Assange, and the oligarchs.

      • lefty665 says:

        Dunno about any of those sources you cite or what they tout, I don’t watch/read/listen to them. They apparently mean more to you than to me. Much of the propaganda I have seen has come from the likes of ex CIA director Brennan, ex DNI Clapper, and that Obama fellow had his fist in it too.

        Once traffic exits the US it is fair game for NSA, there’s no extra legal about it. That’s not paranoia, it’s law since 1952.  Same is true for GCHQ in the US. If there had been a big data dump out of the DNC over the web to Russia we’d have heard about it, even if indirectly. Too many people wanted it to be so. But nothing, nada, just a lot of hysterical screeching based mostly on smoke and mirrors.

        Cosmic man. But you missed a few, Putin, Kim, Bibi, the Saudis, McMaster, Kelly, the military industrial complex. But wait, there’s more, the Clintons, Wall Street, neolib elites…

        • greengiant says:

          Lefty,  if you don’t keep track of the narratives, then you have no idea who your compatriots are when your narrative is the same.   “heard about it by now”  just like we would have heard all about the oligarchs, Madoff, BCCI, 2008 financial crimes, Mercer, KSA, JSOC, CIA, GS, FBI revolving door with oligarchs by now from the TLAs?  You expect them to drop a dime on every politician at once? From where I sit, the NSA in general does not know what it has, the highest classified, read illegal, do not have classifications.  Just for fun, it would not be the first time an agency has bought a data store system that was write only.

          • lefty665 says:

            I try not to confuse coincidence and causality. Expect you are right that NSA is collecting traffic faster than they can analyze it, so we agree on that. But once something happens they are apparently very good at following the trail of bread crumbs backwards. If there had been approaching 20 gigs of data flowing out of the DNC over the web to Russia that would have likely gotten their attention and we would have heard about it.  Or, once it became an issue they would have gone back and looked and we would have heard about it if they found it. In either case Brennan would have had it plastered all over the front page of the Wash Post. Pretty simple, there was no big data stream out of the country over the web from the DNC to Russia or anywhere else.  It is like the Sherlock Holmes story about the dog that did not bark.

            How the local copy was made is an interesting question. It is possible that the copy Wikileaks got was made by the Pak IT crew on Wasserman-Schultz’s iPad, maybe even while she was using it to screw Sanders. That’s more likely than the Russians, but not as likely as that someone like Rich did it. It does make one wonder what the Paks scraped off Hillary’s network when Wasserman-Schultz took her iPad there after she got fired from the DNC, and who they sold it to. The July 5th DNC download and subsequent adulteration seems likely a Crowdstrike/DNC propaganda operation to change the subject. Worked pretty well.


            • greengiant says:

              Having the DNC data leave the US is a strawdog,  refute the negative argument.  For someone in the US under oligarch influence to have been the closest actor/recipient can be completely separate of the APT actor(s).  The whole DNC is a whataboutthis argument either way,  when the most pernicious damage was the Podesta hack,  the Weiner hack,  and Clinton’s email server.   More often attention paid to the DNC hacks/leaks serves the Trump oligarch net.  This is seen by the Trump political operatives celebrating the Nation’s article.  In the absence of hard data the truest compass is the reverse of the political operatives’ and your narratives.

    • Charles says:

      It’s worth reading The Forensicator. He says:

      On 7/5/2016 at approximately 6:45 PM Eastern time, someone copied the data [presumably from the DNC] that eventually appears on the “NGP VAN” 7zip file (the subject of this analysis).  This 7zip file was published by a persona named Guccifer 2, two months later on September 13, 2016.

      The link you provide has to do with hacking that was detected in May. The software on DNC computers was replaced by about June 12 or so.

      This is a story with many twists and turns. I find it hard to keep up with, too.

    • emptywheel says:

      No. Crowdstrike is wrong on a number of points. Unfortunately, the DNC used a contractor that is well-respected but actually not well loved by people who aren’t on the dole.

      That’s part of the problem. I’d love to get beyond it, even if with nothing else than their admission  that their GRU attribution was medium and remains medium. I’d love to get them to admit they got the cooperation between the two hackers wrong.

      Absent that, and a few other things, they are part of the problem.

  4. Charles says:

    Although it makes a difference in who can be prosecuted for a crime, I don’t think “leaked” vs. “hacked” makes any difference as to the political case against Trump and Russia. What matters is who was active in facilitating the dissemination of this material and what their motives were.


    For example, suppose a DNC staffer downloaded the material intending to provide it to the Sanders camp, but the material was then stolen by Russians and, pursuant to an agreement reached with Trump, released in order to tilt the election. In this scenario, the staffer probably could not be charged with a serious crime, though s/he might be pursued in civil court.  The Russians, likewise. But politically, that’s clearly an impeachable offense. Depending on the nature of the agreement, it’s likely Trump could be prosecuted for, say, bribery.


    The Forensicator also says:


    This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast.

    While this would undermine the forensic analysis, this certainly does not exclude that the hacking might have been done by Trump or the Russians. And the hackers could have left bread crumbs to distract. For that matter, the use of the word “likely” acknowledges that there might have been tampering with the time stamps or that there could have been a “pivot computer”, which the Forensicator notes:

    Given those complications, some reviewers have posited a “local pivot”, where the files are first copied in bulk to a local directory on a DNC server and then uploaded back to wherever Guccifer 2 is located. As I mentioned in another comment, unexplained in that scenario is why would a remote hacker need to make that local copy, or want to? It leaves a large footprint (perhaps 20 GB per the analysis) and is unnecessary.

    But (a) the data could have been off-site (for example, from a mirror or other backup),or  (b) the LAN at the DNC could have been physically compromised, or (c) this conclusion leans on an absence of information (why would a remote hacker need to make that local copy).


    Finally, a lot of the interpretation that is being done presupposes ill intent on the part of the DNC, Crowdstrike, etc.  This deserves ridicule. The DNC may be (is) venal and Crowdstrike may be less than genius, but the release of these files helped elect a white supremacist who appears to be on the edge of starting a nuclear holocaust perhaps to avoid the disclosure of his crooked business dealings.

    The release of the files was a truly evil act. There is no comparison with the dirty politics of the DNC. We need a serious investigation by known and named professionals, not a replay of the 9/11 Truther movement.

    • lefty665 says:

      That is most curious logic. Revealing the corrupt rigging of the Democratic primaries by the DNC “was a truly evil act” because it might have helped defeat Hillary and elect Trump is breathtaking in its immorality. It is even more startling than your assumption that warmonger, neocon Hillary would be less likely to embrace Armageddon than loose cannon Trump to stumble into it.

      Puts some perspective on the rationality of the rest of your analysis and comments. Thank you for providing the point of reference.


    • emptywheel says:

      Your last paragraph is logically problematic.

      You’re taking an event in November and applying the morals of it to events in June. That doesn’t work.


      • Charles says:

        I am not sure that I follow that, Marcy.


        If I cut your brake line at 8AM and you go out at noon and crash, is there no logical connection between cutting the brakeline and the crash?  Is cutting the brake line morally neutral because the consequences are separated from the act? If you got a flat tire and discovered the brake line and were spared the crash because of the flat tire, would that change the morality of cutting the brake line?


        In the same way, we know that the Russian government and Donald Trump were seeking to damage Hillary Clinton in order to end up with the trainwreck known as Donald Trump. We also know the result.


        Now, is it possible that Julian Assange intended to reform the American government, not to install Donald Trump? Is it possible that Guccifer 2.0 is just a Romanian hacker intent solely on hijinks and truthtelling?  Anything is possible. However, neither one of those two–not to mention the Russians, who have done nothing but fleer at the American people– have shown any remorse, even when Trump was threatening nuclear war. I think we can safely infer their motives, that they are quite willing for uncountable innocents to die as long as Hillary Clinton is kept from the presidency.


        Now what remains is a serious investigation, to bring belief to certainty and to fully expose the motives of the players.


        If you can instruct me on how my logic is flawed, I will be in your debt.

        • Evangelista says:


          You wrote:   “If you can instruct me on how my logic is flawed, I will be in your debt.”

          Let’s start here:   “If I cut your brake line at 8AM and you go out at noon and crash, is there no logical connection between cutting the brakeline and the crash?  Is cutting the brake line morally neutral because the consequences are separated from the act?”

          First, brakelines can be cut in a variety of ways, accidentally, unintentionally, through ignorance, intentionally.  The only one of these ways that would not be “morally neutral” would be deliberately.  This regardless of consequences.

          Second, it is highly unlikely Marcy would crash for a brakeline being cut, because brakes are twin-circuit safetied.  She would notice excessive pedal-travel, compared to her usual pedal-feel.  Her brakes would be less effective, requiring more pressure, but would produce normal results in normal applications.  To crash for a brakeline being cut (by whatever means) Marcy would have to be driving at or near the absolute margin, where full-max braking would be required to avoid crashing.  On a racetrack, where such braking is normal she would have a run-off area.  On the street she would be a contributor, and would have a moral responsibility, herself, for driving in a manner inappropriate for the time and place.

          What does this explanation say?  It says that you have to know something of the technical elements and actualities of brakes and braking, the construction of brakes, their operations, their effects and relational interactions in vehicle operations, and the changes of those in different usages and environments before you can begin to provide analysis, and before you can critique analyses.  Plus you have to obtain accurate information in regard to causalities, actions and intentions, before you can legitimately address secondary elements, such as moral responsibilities.

          Next you wrote:   “If you got a flat tire and discovered the brake line and were spared the crash because of the flat tire, would that change the morality of cutting the brake line?”

          The morality of the “cutting the brakeline” would not enter into a logical analysis that Marcy might carry out in such a situation.  This because she would have no way of knowing from the cut, itself, if the cutting was an immoral act, or an accident, or by a person or an event.

          A question of morality would arise if she decided immediately on seeing a cut brakeline then that “Someone did this to me!”, or “I know who did this!  And I know he was trying to kill me!”:  You might have done it inadvertently while removing a tangle of fence-wire wrapped around the axle;  or the wire might have done it and you only did not think to look for damage to notice.  It takes neutral inspection, looking for cause, not to blame, to discover actual causes and effects.  Looking to blame interferes, since it urges to premature decision, and biases that decision.


          You then wrote:  “In the same way, we know that the Russian government and Donald Trump were seeking to damage Hillary Clinton…”   This examples premature assumption, and a biased assignment of bias.  Your statement here is equivalent to my example Marcy-response, “I know who did this!  And I know he was trying to kill me!” , groundlessly assigning blame, and equally groundlessly assigning motive.

          The problem illustrated by my preceding build on your brakeline example, that without understanding of the mechanics of the mechanisms that are subject in a discussion one cannot rationally and logically, and therefore legitimately, address the subject and conclusions derived from study of the mechanics of such mechanisms, is found in both your and Marcy’s arguments against the analyses offered by “Forensicator”:  Your and Marcy’s arguments both illustrate that neither of you understands the mechanisms involved in electronic data file transfer, including, and especially, those involved in transmission transfers, and those that are responsible for differentials in direct (local) transfers and in transmission transfers.  For a quick example, consider an aftermath for your Marcy-car-accident scenario:  Marcy calls 911 and declares a brakeline was cut and you did it, you being someone she saw driving away from where she was parked earlier, whose vanity license-plate she read and remembered.  She gives a cop arriving at the scene the same information and he calls the plate sequence in to DMV.  Your lawyer has no records of the two calls except time-stamps.  How does he know which call was whose?  Answer, the cop’s call would take longer, because the cop would word-spell, “A as in Able, B as in Baker, C as in Charlie…”, or “Alpha, Whiskey, Esspresso…”  On a poor connection the cop and DMV operator might spell-back to assure correct transmission:  Cop:  “Alpha.”  Op:  “Alpha.”  Cop:  “Whiskey” etc.

          That is also how analysts can tell if a file was locally transferred, or transmitted, and also how far, or how many gate-transfers, by indications of degradation (how many ‘handshakes’ repeats, etc.).

          Does that help?  If so, you can repay your debt by telling bmaz how wonderfully helpful my post here was, despite it going to some length to provide appreciated clarification in a complete and readable form, etc. etc. (I leave the choice of honorifics and superlatives to you)…

          • Charles says:

            I’m glad that the half hour or so you spent spinning wildly kept you off the streets, Evangelista.


            You can let Marcy answer for herself. She might be able to persuade me of my error, but you are not.

    • SpaceLifeForm says:

      Commission good selling that Red Herring stock?

      Must be, because I can smell it everywhere.

    • pseudonymous in nc says:

      If you wanted to offload a large amount of data quickly from a source with unreliable access — whether nefariously or not — while operating at a distance, then it would be trivial to spin up a cloud VPS instance with good bandwidth and ping time, then re-transfer it at leisure using protocols that you decide (e.g. SSH tunnelling on non-standard ports or a VPN) as opposed to ones dictated by the point of origination. I’ve done this for legit reasons a number of times, usually to make emergency backups when either a site is being shut down on short notice or a server has failing hardware.

  5. Charles says:

    Lefty665 says

    “Revealing the corrupt rigging of the Democratic primaries by the DNC “was a truly evil act” because it might have helped defeat Hillary and elect Trump is breath taking in its immorality.”

    If I wasn’t familiar with your postings, I’d call that a breathtakingly dishonest parsing of my post. Since I am familiar with your posts, the world-class dishonesty in it does not surprise me at all.

    What the DNC did to hamper Sanders–ugly and dishonest as it was– is politics as usual in America. The DNC regulars did far, far worse to McGovern. But exposing the DNC’s politics as usual in order to help install a mafioso in the White House is evil.

    Lefty further says.

    ” It is even more startling than your assumption that warmonger, neocon Hillary would be less likely to embrace Armageddon than loose cannon Trump to stumble into it.”

    Clinton, for all her sins–and in my analysis of Honduras, I have written about some of the worst she has done–is not the sort of person willing to sacrifice hundreds of thousands of innocent Korean lives for the sake of her political career. Trump is not just a loose cannon. He is a man who revels in violence, a man who despises any human life except his own, as he has already shown it in Yemen and in Syria and has threatened with Korea.

    If innocent blood is shed, it will not only be on the heads of Trump supporters, but on the Russians who helped mislead them, and on those enablers of the Russians.

  6. Mark says:

    @ Charles:
    “someone copied the data [presumably from the DNC] ”
    Your added text in brackets is a big presumption, one The Forensicator doesn’t make explicit. As Marcy says, the data could have been taken from the DNC server long before July 5.

    • Charles says:

      Mark, you’re missing the point. There were a lot of data breaches. Guccifer 2.0 said he was behind the DCCC hack as well. Because people cc one another, documents originating at the documents might also have existed on, say, the DCCC server as well. By inserting the square brackets, I am simply clarifying that the documents Forensicator is referring to presumably arose from the hack against the DNC. He failed to make it clear.


  7. orionATL says:

    i think david ignatius ( see thursday wapo, 8-17-17) must be reading the emptywheel website.

    some new info in the russian puzzle may be:

    “…Investigations have exposed groups and companies with alleged links to Russia’s hacking campaign, such as WikiLeaks. The Russia-WikiLeaks connection is explored in a new edition this month of “The Red Web,” the superb book by Russian investigative journalists Andrei Soldatov and Irina Borogan. Among their claims is that WikiLeaks moved at least part of its Web hosting to Russia in August 2016… “
