
Three Things: Still Active Measures

[Note the byline. This post contains some speculative content. / ~Rayne]

Whether counter-arguments or conspiracy theories, it’s interesting how certain narratives are pushed when tensions rise. But are they really theories or conditioning? And if conditioning, could other media infrastructure changes create more successful conditioning?

~ 3 ~

In an interview with Fox News post-Helsinki summit, Vladimir Putin made a point of blaming the Democratic Party for “manipulations of their party.”

…“The idea was about hacking an email account of a Democratic candidate. Was it some rigging of facts? Was it some forgery of facts? That’s the important thing that I am trying to — point that I’m trying to make. Was this — any false information planted? No. It wasn’t.”

The hackers, he said, entered “a certain email account and there was information about manipulations conducted within the Democratic Party to incline the process in favor of one candidate.” …

Have to give Putin props for sticking with a game plan — increase friction within the American left and fragment Democratic Party support to the benefit of Trump and the Republican Party at the polls and ultimately Putin himself if sanctions are lifted. Christopher Steele indicated in the Trump-Russia dossier that the Kremlin was using active measures to this effect in 2016 to widen the divide between Sanders and Clinton supporters; apparently left-splitting active measures continue.

But this is only part of an attack on the Democratic Party; another narrative undermines both the DNC and the FBI by questioning the investigation into the DNC’s hacking. Why didn’t the FBI take possession of the server itself rather than settle for an image of the system? A key technical reason is that any RAM-resident malware used by hackers will disappear into the ether if the machine is turned off; other digital footprints found only in RAM would likewise disappear. “The server” isn’t one machine with a single hard drive, either, but 140 devices — some of which were cloud-based. Not exactly something the FBI can power down and take back to a forensic lab with ease, especially during the hottest part of a campaign season.

But these points are never effectively made as a counter-narrative, though some have tried with explainers, and they are certainly not featured in broadcast or cable news programs. The doubt is left to hang in the public’s consciousness, conditioning them to question the FBI’s competence and the validity of its investigative work.

If Putin is still using active measures to divide Democratic Party voters, is it possible this narrative about the hacked DNC server is also an ongoing active measure? What if the active measure isn’t meant to undermine the FBI by questioning its actions? What if instead the lingering doubt is intended to shape future investigations into hacked materials which may also rely on server images rather than physical possession of the hardware? What if this active measure is pre-crime, intended to tamper with future evidence collection?

~ 2 ~

I’d begun drafting this post more than a week ago, but came to a halt when FCC chair Ajit Pai did something surprisingly uncorrupt by putting the brakes on the Sinclair-Tribune merger.

Sinclair Broadcast Group is a propaganda outlet masquerading as a broadcast media company. The mandatory airing of Boris Epsteyn’s program across all Sinclair stations offers evidence of Sinclair’s true raison d’être; Epsteyn is a Russian-born former GOP political strategist who has been responsible for messaging in both the McCain-Palin campaign and the Trump administration, including the egregious 2017 Holocaust Remembrance Day statement which omitted any mention of Jews. The mandatory statement Sinclair management forced its TV stations to air earlier this year about “fake news” is yet another. The forced ubiquity and uniformity of messaging is a new element at Sinclair, which already had a history of right-wing messaging including the attempt to run a Kerry-bashing political movie to “swiftboat” the candidate just before the 2004 elections.

Sinclair and Tribune Media announced a proposed acquisition deal last May. If approved, the completed acquisition would give Sinclair access to 72% of U.S. homes — an insanely large percentage of the local broadcast TV market effectively creating a monopoly. There was bipartisan Congressional pushback about this deal because of this perceived potential monopoly.

FCC’s Ajit Pai wanted to relax regulations covering UHF stations — they would be counted as less than a full VHF station and therefore appear to reduce ownership of market share. Democrats protested this move as it offered Sinclair an advantage when evaluating stations it would acquire or be forced to sell during its Tribune acquisition.

Fortunately, Pai had “serious concerns” about the Sinclair-Tribune deal:

We have no idea to which administrative judge this deal may be handed, let alone their sentiments on media consolidation. We don’t know if this judge might be Trump-friendly and rule in favor of Sinclair, taking this horror off Ajit Pai’s back — which might be the real reason Pai punted after his egregious handling of net neutrality and the pummeling he’s received for it, including the hacking of the FCC’s comments leading up to his decision to end Obama-era net neutrality regulations and subsequent “misleading” statements to the media about the hack. New York State is currently investigating misuse of NY residents’ identities in the hack; one might wonder if Pai is worried about any personal exposure arising from this investigation.

BUT WAIT…the reason I started this post began not in New York but in the UK, after reading that Remain turnout may have been suppressed by news reports about “travel chaos,” bad weather, and long lines at the polls. Had the traditional media played a role in shaping turnout with its reporting?

I went looking for similar reports in the U.S. — and yes, news reports of long lines may have discouraged hundreds of thousands of voters in Florida in 2012. This wasn’t the only location with such reports in the U.S. during the last three general elections; minority voters are also far more likely to experience these waits than voters in majority white areas.

Probabilistic reports about a candidate’s win/loss may also suppress turnout, according to a Pew Research study.

Think about low-income voters who can’t afford cable TV or broadband internet, or live in a rural location where cable TV and broadband internet isn’t available. What news source are they likely to rely upon for news about candidates and voting, especially local polling places?

Hello, local broadcast network television station.

Imagine how voter turnout could be manipulated with reports of long lines and not-quite-accurate probabilistic reports about candidates and initiatives.

Imagine how a nationwide vote could be manipulated by a mandatory company-wide series of reports across a system of broadcast TV stations accessing 72% of U.S. homes.

How else might a media company with monopolistic access to American households condition the public’s response to issues?

~ 1 ~

There was all kinds of hullabaloo about the intersection of retiring Justice Anthony Kennedy, his son Justin, and Justin’s employment at Deutsche Bank at the same time DB extended financing to Donald Trump. It looks bad on the face of it.

And of course one prominent defense-cum-fact-check portrays Justin’s relationship to DB’s loans to Trump as merely administrative:

The extent to which Kennedy worked with Trump on this loan, or possibly on other Deutsche Bank matters, is unclear. “In that role, as the trader, he would have no contact with Trump … unless Eric [Schwartz] was trying to get Justin in front of Trump for schmoozing reasons,” Offit said, adding that he had recently spoken with former colleagues at the bank about Kennedy’s work.

Seems odd there has been little note made of Jared Kushner’s relationship with LNR Partners LLC — a company which Manta says has only 17 employees — and its subsidiary LNR Property which financed the Kushner 666 Fifth Avenue property in 2012. There was a report in Medium and another on DailyKos but little note made in mainstream news media.

I’m sure it’s just a coincidence that along with his business partner, Justin Kennedy was named 26th on the 50 Most Important People in Commercial Real Estate Finance in 2013 by the Commercial Observer — a publication of Observer Media, then owned by Jared Kushner.

I wonder what Justin’s rank was on this list while he worked at Deutsche Bank (also with current business partner Toby Cobb).

How odd this deal and the relationship wasn’t defended. I guess it’s just coincidence all the amphibians and reptiles know each other well in the swamp.

~ 0 ~

Let’s not forget:

587 Puerto Rican homes still don’t have electricity.

All asylum seeking families haven’t been reunited. Children may still be in danger due to poor care and lack of adequate tracking. As of yesterday only 364 children of more than 2500 torn from their families were reunited.

Treat this as an open thread.

The Macron Hack: Sometimes the Metadata Is (Part of) the Message

After he claimed he hadn’t been hacked, 4Chan released documents from some of Emmanuel Macron’s associates (along with a whole lot of crap) last night, just minutes before the point at which, under French law, the candidates and press have to stop talking about the election. Given that the hacking group believed to be associated with Russia’s military intelligence GRU had been trying to phish Macron’s campaign, it is widely assumed that these files came from GRU. That’s a safe starting assumption but it has not been proven.

Here’s one review of what we know about the documents so far. Here’s advice for France on how to avoid having this become the centerpiece of the next few days.

Thus far, the most remarked-upon aspect of individual documents from the dump (which I haven’t started reading yet) is the metadata. For example, a good number of the Microsoft documents have Russian names or metadata in them. In addition, some people are claiming that metadata associated with forgeries in the dump points to specific equipment.

As a result, a number of people have uncritically said that this makes the dump just like the DNC dump, which is further proof that the same sloppy Russians did it.

Except in doing so, most reveal untested assumptions from that DNC dump.

Back when the DNC documents came out, a number of (these very same) people noted that there was Russian metadata in those documents, as well as the name Felix Dzerzhinsky, the founder of the Soviet secret police. This was described, persistently, as an accident.

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

I noted, even at the time, that the claim that someone who deliberately adopted the name of Iron Felix just accidentally saved the document with Cyrillic characters made zero sense.

Particularly with regard to the Russian metadata, you don’t both adopt a notable Russian spook’s ID while engaging in a false flag but then “accidentally” leave metadata in the files, although the second paragraph here pertains to Guccifer 2 and not the Crowdstrike-IDed hackers.

Moreover, Guccifer 2 himself pointed out what Sam Biddle had already reported: the identity metadata was not limited to Iron Felix, but included Che Guevara and (I’ve been informed) Zhu De.

Since then, some folks have looked closer and compellingly argued that the Russian metadata “accidentally” left in the documents was actually produced at significant effort by opening a Word document, putting some settings into Russian language, and then copying one document after another into that document.
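As an added illustration (not part of the original post or of any analysis it cites), here is how an analyst pulls the kind of metadata being argued over out of a .docx: the creator and last-modified-by fields in docProps/core.xml, and the w:lang language settings carried in the document body. The sample document is constructed inside the code; its user name is the “Феликс Эдмундович” quoted in the Rid excerpt above, the ru-RU tag and everything else is invented, and the assess() heuristic is my own. The post’s caveat is built in: these fields are plain XML inside a zip archive, so whoever last touched the file could set them to anything, which makes them a lead to weigh rather than attribution.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# OOXML namespaces for the parts we read
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def extract_docx_metadata(docx_bytes):
    """Pull authorship and language settings out of a .docx (a zip of XML parts).

    docProps/core.xml holds dc:creator and cp:lastModifiedBy; the w:lang
    elements in word/document.xml and word/styles.xml record the language
    settings of the installation or template the text was edited on.
    """
    meta = {"creator": None, "last_modified_by": None, "languages": Counter()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:
            core = ET.fromstring(z.read("docProps/core.xml"))
            creator = core.find("dc:creator", NS)
            modifier = core.find("cp:lastModifiedBy", NS)
            meta["creator"] = creator.text if creator is not None else None
            meta["last_modified_by"] = modifier.text if modifier is not None else None
        for part in ("word/document.xml", "word/styles.xml"):
            if part not in parts:
                continue
            root = ET.fromstring(z.read(part))
            for lang in root.iter("{%s}lang" % NS["w"]):
                # w:val is the main script; eastAsia and bidi cover other scripts
                for attr in ("val", "eastAsia", "bidi"):
                    value = lang.get("{%s}%s" % (NS["w"], attr))
                    if value:
                        meta["languages"][value] += 1
    return meta


def assess(meta):
    """Turn extracted fields into analyst observations (hypothetical heuristic).

    Every field is editable text, so a non-Latin author name or a Russian
    language tag is something to note and weigh, not proof of who wrote the file.
    """
    notes = []
    for label in ("creator", "last_modified_by"):
        name = meta[label]
        if name and any(ord(ch) > 127 for ch in name):
            notes.append("%s '%s' uses a non-Latin script" % (label, name))
    for tag, count in sorted(meta["languages"].items()):
        notes.append("language setting %s appears %d time(s)" % (tag, count))
    return notes


def build_sample_docx(creator, modified_by, lang):
    """Construct a minimal .docx in memory (constructed sample, not a leaked file)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], creator, modified_by)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p><w:r>'
        '<w:rPr><w:lang w:val="%s"/></w:rPr><w:t>sample text</w:t>'
        "</w:r></w:p></w:body></w:document>"
    ) % (NS["w"], lang)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # The user name is the one quoted in the Rid excerpt; the rest is invented.
    sample = build_sample_docx("Феликс Эдмундович", "Феликс Эдмундович", "ru-RU")
    for note in assess(extract_docx_metadata(sample)):
        print(note)
```

Run against a real file by replacing the constructed sample with the bytes of the .docx under review; the same two parts (core.xml and document.xml) are where Word keeps the fields the post is talking about.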

That said, that doesn’t mean — as some of the same folks suspect — that a Hillary staffer made the documents. This post provides five alternative possibilities.

And those arguing the Guccifer figure was created to obfuscate Russia’s role didn’t connect that claim with something I’ve heard and Jim Comey recently confirmed: this second DNC hacker was obnoxiously loud in the DNC servers.

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

Effectively, then, the second DNC hacker (usually attributed to GRU) was leaving graffiti inside the DNC servers and Guccifer 2 effectively left graffiti on the documents he released.

In any case, the same rush to interpret the metadata is happening now on the Macron hack as it did with the DNC hack, with repeated claims the hackers — whom people assume are the same as the ones that targeted DNC — are sloppily leaving metadata again.

If they are the same hackers (which has not yet been proven) then we sure as hell ought not assume that the metadata is there accidentally. Again, that doesn’t mean this isn’t GRU. But it does mean the last time people made such assumptions they ended up arguing ridiculously that someone trying to obscure his ties to Russia was at the same time paying tribute to them.

Sometimes, it turns out, the metadata is the message.

The DNC’s Evolving Story about When They Knew They Were Targeted by Russia

This week’s front page story about the Democrats getting hacked by Russia starts with a Keystone Kops anecdote explaining why the DNC didn’t respond more aggressively when FBI first warned them about being targeted in September. The explanation, per the contractor presumably covering his rear-end months later, was that the FBI Special Agent didn’t adequately identify himself.

When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.

His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government.

The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion. By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.

This has led to (partially justified) complaints from John Podesta about why the FBI didn’t make the effort of driving over to the DNC to warn the higher-ups (who, the article admitted, had decided not to spend much money on cybersecurity).

This NYT version of the FBI Agent story comes from a memo that DNC’s contractor, Yared Tamene, wrote at some point after the fact. The NYT describes the memo repeatedly, though it never describes the recipients of the memo nor reveals precisely when it was written (it is clear it had to have been written after April 2016).

“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

[snip]

“The F.B.I. thinks the D.N.C. has at least one compromised computer on its network and the F.B.I. wanted to know if the D.N.C. is aware, and if so, what the D.N.C. is doing about it,” Mr. Tamene wrote in an internal memo about his contacts with the F.B.I. He added that “the Special Agent told me to look for a specific type of malware dubbed ‘Dukes’ by the U.S. intelligence community and in cybersecurity circles.”

[snip]

In November, Special Agent Hawkins called with more ominous news. A D.N.C. computer was “calling home, where home meant Russia,” Mr. Tamene’s memo says, referring to software sending information to Moscow. “SA Hawkins added that the F.B.I. thinks that this calling home behavior could be the result of a state-sponsored attack.”

[DNC technology director Andrew] Brown knew that Mr. Tamene, who declined to comment, was fielding calls from the F.B.I. But he was tied up on a different problem: evidence suggesting that the campaign of Senator Bernie Sanders of Vermont, Mrs. Clinton’s main Democratic opponent, had improperly gained access to her campaign data.

[snip]

One bit of progress had finally been made by the middle of April: The D.N.C., seven months after it had first been warned, finally installed a “robust set of monitoring tools,” Mr. Tamene’s internal memo says. [my emphasis]

The NYT includes a screen cap of part of that memo (which reveals that the DNC had already been exposed to ransomware attacks by September 2015), but not the other metadata or a link to the full memo.

One reason I raise all this is because the evidence laid out in the story contradicts, in several ways, this August report, relying on three anonymous sources (at least some of whom are probably members of Congress, but then so was the DNC Chair at the time).

The FBI did not tell the Democratic National Committee that U.S officials suspected it was the target of a Russian government-backed cyber attack when agents first contacted the party last fall, three people with knowledge of the discussions told Reuters.

And in months of follow-up conversations about the DNC’s network security, the FBI did not warn party officials that the attack was being investigated as Russian espionage, the sources said.

The lack of full disclosure by the FBI prevented DNC staffers from taking steps that could have reduced the number of confidential emails and documents stolen, one of the sources said. Instead, Russian hackers whom security experts believe are affiliated with the Russian government continued to have access to Democratic Party computers for months during a crucial phase in the U.S. presidential campaign, the source said.

[snip]

In its initial contact with the DNC last fall, the FBI instructed DNC personnel to look for signs of unusual activity on the group’s computer network, one person familiar with the matter said. DNC staff examined their logs and files without finding anything suspicious, that person said.

When DNC staffers requested further information from the FBI to help them track the incursion, they said the agency declined to provide it. In the months that followed, FBI officials spoke with DNC staffers on several other occasions but did not mention the suspicion of Russian involvement in an attack, sources said.

The DNC’s information technology team did not realize the seriousness of the incursion until late March, the sources said. It was unclear what prompted the IT team’s realization.

In August, anonymous sources told Reuters that FBI never told DNC they were being attacked by Russians until … well, Reuters doesn’t actually tell us when the FBI told DNC the Russians were behind the attack, just that Democrats started taking it seriously in March.

But in the pre-Trump Russian hack bonanza, the NYT has now revealed that an internal memo says that the DNC had been informed in November, not March.

And even that part of the explanation doesn’t make sense. As a number of people have noted, Brown is basically saying he didn’t respond to a warning — given in November — that a DNC server was calling home to Russia because he was dealing with an NGP-VAN breach that happened on December 18. He would have had over two weeks to respond to Russia hacking the DNC before the NGP-VAN issue, and that issue would have been significantly handled by NGP.

Moreover, even the September narrative invites some skepticism. Tamene admits the FBI Special Agent “told me to look for a specific type of malware dubbed ‘Dukes’ by the U.S. intelligence community and in cybersecurity circles.” And the NYT describes his response: “His first moves were to check Google for ‘the Dukes’ and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion.” Had Tamene Googled for “dukes malware” any time after September 17, 2015, this is what he would have found.

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. [my emphasis]

So had this initial report taken place after September 17, Tamene would have learned, thanks to the second sentence of a top Google return, that he was facing a “highly dedicated, and organized cyber-espionage group that has been working for the Russian government.” Had he done the Google search he said he did, that is, he would almost certainly have learned he was facing down Russian hackers.

Had he clicked through to the report — which is where he would have gone to find the malware signatures to look for — he would have seen a big pink graphic tying the Dukes to Russia.

It’s certainly possible the alert came before the white paper was released (though if it came after, it explains why the FBI would have thought simply mentioning the Dukes would be sufficient). But that would suggest Tamene remembered the call and his Google search for the Dukes in detail sometime in April but not in September when this report got a fair amount of attention.

None of this is to excuse the FBI (I’ve already started a post on that part of this). But it’s clear that Democrats have been — at a minimum — inconsistent in their story to the press about why they didn’t respond to warnings sooner. And given the multiple problems with their explanation about what happened last fall, it’s likely they did get some warning, but just didn’t heed it.
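The “calling home” behavior in Tamene’s memo is the kind of thing a “cursory search” of logs can actually surface if you know what to look for. As an added example, not from the post or from anyone it quotes, here is a small beacon finder run over constructed outbound-connection log lines (TEST-NET addresses and invented timestamps, not data from the DNC or any real incident): it groups connections by source and destination and flags pairs whose gaps between connections are nearly constant, the regular check-in pattern that distinguishes an implant calling home from ordinary browsing. The log format, the minimum event count and the regularity threshold are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connections, one line per flow (not real log data).
# 10.1.2.3 browses 198.51.100.20 at irregular times and contacts 203.0.113.7
# roughly every ten minutes with a few seconds of jitter.
SAMPLE_LOG = """\
2015-11-03T09:00:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=812
2015-11-03T09:01:10 src=10.1.2.3 dst=198.51.100.20 dport=443 bytes=53120
2015-11-03T09:01:12 src=10.1.2.3 dst=198.51.100.20 dport=443 bytes=2210
2015-11-03T09:03:45 src=10.1.2.3 dst=198.51.100.20 dport=80 bytes=9001
2015-11-03T09:10:02 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=807
2015-11-03T09:17:02 src=10.1.2.3 dst=198.51.100.20 dport=443 bytes=120
2015-11-03T09:19:58 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=815
2015-11-03T09:30:01 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=809
2015-11-03T09:40:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=811
2015-11-03T09:50:03 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=808
2015-11-03T09:52:30 src=10.1.2.3 dst=198.51.100.20 dport=443 bytes=44011
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), kv["src"], kv["dst"]))
    return events


def find_beacons(text, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps is near zero for a
    timer-driven implant and large for human-driven traffic. Thresholds are
    assumptions; tune them against your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("%(src)s -> %(dst)s: %(count)d connections every ~%(mean_interval_s)ss (cv=%(cv)s)" % hit)
```

On the sample the browsing destination drops out (five connections, gaps of 2 to 2128 seconds) and only the ten-minute check-in is reported. On real proxy or firewall data the same pass over a day of logs is cheap, and a hit is exactly the prompt to pull the host for a closer look.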

Update: When I wrote this this morning, I had read this tweet stream and this story, but not the underlying Shadow Brokers-related post they relate to, written by someone under the pseudonym Boceffus Cleetus, which is basically a Medium post introducing the latest sale of Shadow Brokers tools. It wasn’t until I read this post — and then the second Boceffus Cleetus post — that I realized Boceffus Cleetus posted (his) original post, along with a reference to the name magnified back when this hack started, the day after the NYT wrote a story about the hack from the DNC’s perspective.

As the tweet stream lays out, Boceffus Cleetus is a play on ventriloquism (duh, speaking for others) and the Dukes of Hazard. Both analyses argue that the “Dukes of Hazard” reference is, in turn, a reference to the name F-Secure had given the FSB hacking effort (the other name I’ve used is “Cozy Bear”), most notably in the report I linked above. I didn’t make too much of it until I read this second Boceffus Cleetus post, which in seemingly one sentence lays out Bill Binney’s theory of the DNC hack (that is, that NSA handed it on) with a country drawl and a lot of conspiracy theory added.

After my shadow brokers tweet I was contacted by an anonymous source claiming to be FBI. Yep I know prove it? I wasn’t able to get’em to verify their identity. But y’all don’t be runnin away yet, suspend yer disbelief and check out their claims. What if the Russian’s ain’t hacking nothin? What if the shadow brokers ain’t Russian? Whatcha got as the next best theory? What if its a deep state civil war tween CIA and ole NSA? A deep state civil war to see who really runs things. NSA is Department of Defense, military. The majority of the military are high school grads, coming from rural “Red States”, conservatives. The NSA has the global surveillance capabilities to intercept all the DNC and Podesta emails. CIA is college grads only and has the traditions of the urban yankee northeastern and east coast ivy leaguers, “Blue State”, liberals.

It’s all mostly gratuitous — an attempt to feed (as explicitly named “fake news”) some of the alternate explanations out there right now.

But I find the portrayal of an NSA-CIA feud notable, in part, because the most likely reason FBI (which is where Boceffus Cleetus’ fictional source came from) didn’t tell the DNC who was hacking them back in September 2015 is that the actual tip — that Russia was hacking the DNC — came from the NSA. But FBI had to hide that. So instead, they used the name for FSB that was current at the time.

I’ll add, too, that this plays on Craig Murray’s claim that a national security person leaked him the Podesta documents.

So what’s the point? Dunno. I defer to theGrugq’s third post, in which he argues this post is signaling to show NSA the Russian hackers must have access to NSA’s classified networks, because they’ve accessed a map of everything.

This dump has a bit of everything. In fact, it has too much of everything. The first drop was a firewall ops kit. It had everything that was supposed to be used against firewalls. This dump, on the other hand, has too much diversity and each tool is comprehensive.

The depth and breadth of the tooling they reveal can only possibly be explained by:

  1. an improbable sequence of hack backs which got, in sequence, massive depth of codenamed implants, exploits, manuals,
  2. access to high side data

[snip]

It is obvious that this data would never leave NSA classified networks except by some serious operator error (as I believe was the case with the first ShadowBrokers leak.) For this dump though, it is simply not plausible. There is no way that such diverse and comprehensive ops tooling was accidentally exposed. It beggars belief to think that any operator could be so careless that they’d expose this much tooling, on multiple diverse operations.

There are, based on my count, twenty one (21) scripts/manuals for operations contained in this dump. They cover too many operations for a mistake, and they are too comprehensive for a mistake.

Remember, Obama has been stating assuredly that the US has far more defensive and offensive capability than Russia. The latter might well be true. But the latter is nuts, if for no other reason than we have so much more to secure. The former might be true. But not if hackers can log into NSA’s fridge and steal their beer.

I’m not entirely sure what to make of this. But against the background of increasing dick-wagging, it’ll be interesting to see how it plays out.

Or Maybe the FBI Really Did Have a Reason to Stay Off the Russian Attribution?

The Comey whiplash continues.

In the latest development, a single source — a “former FBI official,” offered with no description of how he or she would know — told CNBC that weeks ago Jim Comey refused to join onto the Intelligence Community’s attribution of the DNC hacks to Russia because it was too close to the election.

FBI Director James Comey argued privately that it was too close to Election Day for the United States government to name Russia as meddling in the U.S. election and ultimately ensured that the FBI’s name was not on the document that the U.S. government put out, a former FBI official tells CNBC.

The official said some government insiders are perplexed as to why Comey would have election timing concerns with the Russian disclosure but not with the Huma Abedin email discovery disclosure he made Friday.

In the end, the Department of Homeland Security and The Office of the Director of National Intelligence issued the statement on Oct. 7, saying “The U.S. intelligence community is confident that the Russian Government directed the recent compromises of emails from US persons and institutions, including from US political organizations…These thefts and disclosures are intended to interfere with the US election process.”

[snip]

According to the former official, Comey agreed with the conclusion the intelligence community came to: “A foreign power was trying to undermine the election. He believed it to be true, but was against putting it out before the election.” Comey’s position, this official said, was “if it is said, it shouldn’t come from the FBI, which as you’ll recall it did not.”

In spite of what Hillary said at the most recent debate, the statement was billed as a “Joint Statement,” though it did claim to represent the view of the intelligence community.

Until someone else confirms this story — preferably with more than one source, one clearly placed in a position to know — I advise caution on this.

That’s true, first of all, because a bunch of people who likely harbor grudges against Jim Comey are coming out of the woodwork to condemn Comey’s Friday statement. Given the reasons they might resent Comey, I really doubt Alberto Gonzales or Karl Rove were primarily motivated to criticize him out of a concern for the integrity of our election process.

The same could be true here.

The other reason I’d wait is because of reporting going back to this summer on the case against Russia. As I’ve noted, reporters repeatedly reported that while there seemed little doubt that Russia had hacked the Democrats, the FBI had not yet proven some steps in the chain of possession. For example, at the end of July, FBI was still uncertain who or how the emails from DNC were passed onto WikiLeaks.

The FBI is still investigating the DNC hack. The bureau is trying to determine whether the emails obtained by the Russians are the same ones that appeared on the website of the anti-secrecy group WikiLeaks on Friday, setting off a firestorm that roiled the party in the lead-up to the convention.

The FBI is also examining whether APT 28 or an affiliated group passed those emails to WikiLeaks, law enforcement sources said.

As I noted, the IC attribution statement actually remained non-committal on precisely this step of the process, finding that the leaks of emails were consistent with stuff Russia’s GRU has done in the past, but stopping short of saying (as they had on the hack itself) that it is confident that Russia leaked the files.

Which is to say the same thing the FBI had questions about in July remained non-committal in the October statement. That might be one of a number of reasons (including that FBI wants to retain the ability to prosecute whoever they charge with this, including a currently unknown middleman) that the FBI might not want to be on the attribution: FBI was unwilling to fully commit to the accusation in July, and apparently unwilling to do so in October.

Note that CNBC’s anonymous source, even when confirming that Comey backed the statement, didn’t confirm he backed the whole content of it. The person contrasts the most aggressive quote from the IC statement:

… the U.S. intelligence community is confident that the Russian Government directed the recent compromises …

With this, allegedly from Comey:

A foreign power was trying to undermine the election

Those statements are not the same thing, and it may be that the FBI continued to have not doubts, perhaps, but unproven holes in the case, which led to caution on the Russia statement.

In any case, it’s not that I believe the anonymous CNBC statement to be impossible. But there is another perfectly consistent explanation for Comey hesitating to name FBI on that IC attribution.

Update: Ellen Nakashima has a version of this story (sourced to more than one person) now. Here’s an excerpt, but definitely read the whole thing for the logic (or lack thereof) FBI used.

In the debate over publicly naming Russia, the FBI has investigative interests to protect, officials said. At the same time, other officials said, the aim of public attribution was to stop Russia from undermining confidence in the integrity of the election.

[snip]

But the White House, Justice Department, State Department and other agencies debated for months whether to officially blame Moscow or not.

Comey’s instincts were to go with the public attribution even as late as August, said one participant in the debate. But as the weeks went by and the election drew nearer, “he thought it was too close,” the official said.

When, by early October, the decision was made, the talk shifted to who would make the announcement. In December 2014, it was the FBI that publicly pointed the finger at North Korea for hacking Sony Pictures Entertainment and damaging its computers. That was because the attribution to Pyongyang was based on the FBI investigation, said a senior administration official.

[snip]

The announcement did not mention the White House, which also had been very concerned about appearing to influence the election.

Argument: The DNC Hack Attribution Was A Response to Brick and Mortar Events

Last week, ODNI and DHS released a statement widely viewed as attributing the hack and leak of DNC and other Democratic materials to Russia. The statement was actually a bit more nuanced than that:

Assertion 1: Russia compromised DNC and other political organizations

The statement starts with a comment that is spook speak for “we’ve proven this.”

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

Mind you, this is the bit the IC has been confident of all along: they found hackers at the DNC and the hackers have all the attributes of two different Russian hacking groups.

Assertion 2: The leaking is consistent with stuff Russia has done elsewhere

The next move is the most interesting, in my opinion. The IC strongly suggests the leaking of those hacked files is Russia, but doesn’t use the same spook speak confidence language.

The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts.

Here, the IC is not saying “we are confident Russia then handed all these files to WikiLeaks, as well as created two cover identities through which to leak them.” Instead, they are saying Russia has done similar things before and has the motivation to do so here. As they have for months, the spooks still appear not to have the same level of proof tying the hacking to the leaking that would allow them to say “we are confident” for this assertion, at least not that they’re willing to admit, which I find incredibly interesting.

Assertion 3: Russia is trying to interfere with the election

Having stated very confidently Russia did the hack and less confidently that it did the leak, the statement brings the nugget language: basically accusing Putin of masterminding the whole thing.

These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.

For my purposes here, I’m not interested in testing the truth of this statement — though I am a bit interested in how “influencing public opinion” is deemed to be “interfering with the US election,” because it’s something many people don’t seem to have thought through (nor have they thought through how it differs from the US’ own information operations or PR involvement of other foreign powers in our elections).

Especially given this bit:

Assertion 4: Hackers operating through a Russian server hacked some state election websites, but that may not be the Russian state

The statement goes out of its way to note that the Russian-attributed activity most directly connected to the election, the voter rolls, may not actually be the Russian state, but instead just servers operated by a Russian company.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government.

Remember, identity thieves have in the past stolen far larger numbers of voter registration records. It’s certainly possible that’s what went on here. More importantly, the IC appears to have nothing from collection on Russia they’re willing to share to claim that this hacking is part of Putin’s mastermind plot.

The rest of the statement goes on to talk about the ways (which I’ve talked about as well) that our localized system of elections makes it really hard to hack an election (though that also makes it really easy to botch an election or even to tamper with elections by disenfranchising select voters, which is what people should be far more concerned about, given that we know such efforts are effective and ongoing).

The IC has long known this but chose to release this statement now

The reason I’ve broken this out into four parts — 1) we know Russia hacked the DNC, 2) the leaks of hacked material are consistent with stuff Russia has done in the past, 3) Putin is in charge, 4) Russia may not have hacked the state websites — is to call attention to the fact that the IC has been leaking assertions 1, 2, and 4 for months. The stated (leaked) reason to hold off on a formal attribution was the uncertain status of assertion 2: the IC doesn’t yet know how the files got from the DNC hackers into Julian Assange’s hands.

But the IC chose to release this statement without growing any more certain about assertion 2 and without solving assertion 4.

In my opinion, that means the IC released this statement to get to assertion 3. Putin is trying to “interfere” in our election by “influencing public opinion.”

The release timing is more about kinetic events elsewhere than it is about IC certainty

So why release this statement now, when the IC doesn’t seem to have gotten any more certain about assertion 2 or 4?

At the end of what I think is an overly pessimistic piece on America’s inability to deter hacking, Jack Goldsmith considers the possibility that undeterred cyberattacks may be a response to brick and mortar conflict.

Without robust defenses or effective deterrence, the United States can expect many more, and more harmful, cyber intrusions by adversaries who are asymmetrically empowered by the rise of digital networks. There is no end to the ways that they might spy in, steal from, or disrupt U.S. networks, public and private. That sounds bad, but the implications are worse. Asymmetric offensive cyber operations by our adversaries can be an effective response to every element of U.S. foreign and military power. For all we know the Russian DNC hack is a response to sanctions for Ukraine and an attempt to win leverage in Syria. Imagine the United States wanted to do more—via sanctions, or through military operations, or in cyber—to slow Russian operations in Eastern Europe or Syria. The Russians could easily respond via cyber, where it appears to have an asymmetrical advantage. Indeed, the relatively tepid USG response to Russian aggression in Eastern Europe and Syria may be a result of USG worries about the implications of the DNC hack. In other words, the Russians may already be using cyber to deter the United States from seemingly unrelated foreign policy actions it might otherwise take.

Aside from his totally inappropriate use of “asymmetric” here — there’s no lack of potential symmetry between the cyber capabilities of the US and Russia, just an emphasis of one tool over another — I agree with this passage. Indeed, I’ve been saying for a long time that the most obvious explanation for why Putin would do all this so blatantly is because in his view the US carried out a coup in Ukraine and is attempting regime change in Syria to choke Russia strategically.

And as Goldsmith argues, the US’ weak spot is its vulnerability to cyber attacks, absolutely. That weakness is made worse, too, by continued US insistence on retaining access to all potential offensive tools, even if they can be most dangerous against US targets if they ever, say, show up on an online sale (Goldsmith was curiously silent about the Shadow Brokers release here).

I suspect China, in particular, has done the same kind of mapping we have with Treasure Map, with a focus on having cyberattacks ready to launch that would neutralize us if we ever got into a hot war.

But Goldsmith doesn’t consider the possibility that things may also work in the reverse way.

The US released this statement at a time when it was also making a big diplomatic push against Russia — proposing a ceasefire at the UN it knew Russia would veto, after having failed to negotiate a ceasefire with Russia directly because it asked for things (a no fly zone, basically) that Russia has neither the interest nor the legal necessity to agree to, because Russia is in Syria at the behest of the still-recognized government of the state, and we’re not. As it happens, the US is ratcheting up this effort at a time when our Saudi allies’ activities in Yemen make it hard to take a principled stance against Russia, because we’re implicated in Yemen in the same way Russia is in Syria.

More importantly, things are getting very very hot, with Russia moving missiles to Kaliningrad and threatening retaliation for any strikes on Syrian controlled territory.

So I would suggest the timing of this announcement — basically confirming the same certainty and uncertainty the IC has had for months, then using it to accuse Putin of trying to intervene directly in our country — is actually our response to more concrete events elsewhere, not the reverse (though there admittedly may be some chicken-and-egg stuff here, in that we may have held off on attribution in hope we could negotiate directly with Russia).

That is, both sides seem intent on ratcheting up the conflict between Russia and the US, and blaming Putin for interfering in our elections is one tool to do that.

If I’m right, the statement may have nothing to do with deterrence. Rather, it may have everything to do with escalation of other conflicts, providing a reason to pitch Russia’s strategic moves elsewhere as a direct threat to the US. I’m not saying Russia isn’t a dangerous adversary. I’m saying that the release of this statement will do nothing to prevent more hacks, but it will provide cause to claim the increasingly hot conflict with Russia directly threatens the US.

Yahoo’s Three Hacks

As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

2012 alleged Peace affiliated hack

In August, Motherboard reported — and reported to Yahoo — that the hacker known as Peace, who may have ties to Ukrainian and/or organized crime and also sold the MySpace and LinkedIn credentials, was selling credentials from what he said were 200 million accounts hacked in 2012. But when Motherboard tried to verify the data, some of it came back as out of date or invalid.

According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. Until Yahoo confirms a breach, however, or the full dataset is released for verification, it is possible that the data is collated and repackaged from other major data leaks.

[snip]

Motherboard obtained a very small sample of the data—only 5000 records—before it was publicly listed, and found that most of the two dozen Yahoo usernames tested by Motherboard did correspond to actual accounts on the service. (This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn’t recognised, it was not possible to continue.)

However, when Motherboard attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable. “This account has been disabled or discontinued,” read one autoresponse to many of the emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account.”

2014 state actor hack

Yahoo claims it discovered the 500 million user hack in its investigation of the Peace allegations in August. The details being released now, in particular the password hashing used on the accounts, differ from what Peace claimed in August.

A source familiar with the investigation told Motherboard on Thursday that, although no direct evidence was found to support Peace’s claims, Yahoo conducted a broader investigation, and during that time, they found the attack from what they described as a state-sponsored actor in 2014. The source declined to provide any evidence that the attack was state-sponsored, but said that the company strongly believed it to be the case.

According to Yahoo’s announcement, the majority of passwords were hashed with the strong hashing function bcrypt, meaning that hackers will have a much harder time obtaining many users’ real passwords. The source claimed that only a very small percentage of password hashes were not bcrypt.

Note, while Yahoo is claiming this was a hack done by a state actor, it has not said what state actor.

Also, Yahoo appears to be suggesting that Peace’s claim he had Yahoo credentials was not true. Though, given that Yahoo is being acquired by Verizon at the moment, they would have an incentive to claim they didn’t know about this massive hack earlier.
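As an added example (not from the post, Yahoo or Motherboard), here is a Python triage script for a claimed credential dump of the kind described above: it classifies each record’s hash by format (the md5 Peace claimed versus the bcrypt Yahoo described), lists users sharing an identical hash, which only an unsalted fast hash like md5 allows, and measures overlap with an earlier dump, the repackaging check Motherboard raised. All records, and the bcrypt-format strings, are constructed for the example.

```python
"""Triage of a claimed credential dump: which hash algorithms it contains, how many
users share an identical hash (a tell for unsalted fast hashes such as md5), and how
much of it overlaps an earlier, unrelated dump (a tell for a repackaged leak).
Every record below is constructed for this example."""
import hashlib
import re
from collections import Counter

# bcrypt output is 60 chars: "$2x$" + two-digit cost + "$" + 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(h: str):
    """Return (algorithm, cost) judged from the hash's format alone."""
    m = BCRYPT_RE.match(h)
    if m:
        return "bcrypt", int(m.group(1))
    if HEX_RE.match(h) and len(h) == 32:
        return "md5", None
    if HEX_RE.match(h) and len(h) == 40:
        return "sha1", None
    return "unknown", None


def md5_hex(pw: str) -> str:
    """Unsalted md5, as the 2012 dump was said to be hashed."""
    return hashlib.md5(pw.encode()).hexdigest()


def fake_bcrypt(cost: int, tag: str) -> str:
    """Constructed string in bcrypt's format (not real bcrypt output)."""
    body = (tag * 60)[:53]
    return f"$2b${cost:02d}${body}"


# Constructed records: (username, password hash, date of birth)
CONSTRUCTED_DUMP = [
    ("alice1987", md5_hex("password"), "1987-03-02"),
    ("bob_y", md5_hex("password"), "1979-11-30"),  # same password, same hash: no salt
    ("carol.k", md5_hex("letmein"), "1990-07-14"),
    ("dave88", fake_bcrypt(10, "Qz7."), "1988-01-09"),
    ("erin_m", fake_bcrypt(10, "m4K/"), "1992-05-21"),
    ("frank", "not-a-hash", "1975-12-01"),
]

# Constructed (user, hash) pairs from an earlier, unrelated breach a seller might collate from
CONSTRUCTED_PRIOR_DUMP = {
    ("alice1987", md5_hex("password")),
    ("carol.k", md5_hex("letmein")),
}


def triage(records):
    """Count records per hash algorithm and the share that is not bcrypt."""
    algos = Counter(classify_hash(h)[0] for _, h, _ in records)
    total = len(records)
    return {
        "total": total,
        "by_algorithm": dict(algos),
        "fraction_not_bcrypt": (total - algos["bcrypt"]) / total if total else 0.0,
    }


def duplicate_hash_groups(records):
    """Users sharing an identical hash; only possible when hashes are unsalted."""
    by_hash = {}
    for user, h, _ in records:
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def repackaging_overlap(records, prior):
    """(count, fraction) of (user, hash) pairs already present in an earlier dump."""
    matched = sum(1 for user, h, _ in records if (user, h) in prior)
    return matched, (matched / len(records) if records else 0.0)


if __name__ == "__main__":
    print(triage(CONSTRUCTED_DUMP))
    print(duplicate_hash_groups(CONSTRUCTED_DUMP))
    print(repackaging_overlap(CONSTRUCTED_DUMP, CONSTRUCTED_PRIOR_DUMP))
```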

2016 individual hack tied to DNC

Finally, an individualized hack of a Yahoo user — DNC consultant Alexandra Chalupa — was an independent source of the claim that DNC hackers might have ties to Russia or Ukraine. While the hack was evident from emails released by WikiLeaks, Chalupa had worked with Yahoo’s Michael Isikoff previously and he added details explaining her suspicions about the timing.

“I was freaked out,” Chalupa, who serves as director of “ethnic engagement” for the DNC, told Yahoo News in an interview, noting that she had been in close touch with sources in Kiev, Ukraine, including a number of investigative journalists, who had been providing her with information about Manafort’s political and business dealings in that country and Russia.

“This is really scary,” she said.

[snip]

Chalupa’s message, which had not been previously reported, stands out: It is the first indication that the reach of the hackers who penetrated the DNC has extended beyond the official email accounts of committee officials to include their private email and potentially the content on their smartphones. After Chalupa sent the email to Miranda (which mentions that she had invited this reporter to a meeting with Ukrainian journalists in Washington), it triggered high-level concerns within the DNC, given the sensitive nature of her work. “That’s when we knew it was the Russians,” said a Democratic Party source who has knowledge of the internal probe into the hacked emails. In order to stem the damage, the source said, “we told her to stop her research.”

A Yahoo spokesman said the pop-up warning to Chalupa “appears to be one of our notifications” and said it was consistent with a new policy announced by Yahoo on its Tumblr page last December to notify customers when it has strong evidence of “state sponsored” cyberattacks.

Significantly, this story, at least, claims this (and not cyber consultant CrowdStrike) is where DNC certainty that the hack was perpetrated by Russians came from.

Note that Chalupa’s Yahoo address was also affected in the LinkedIn hack, which exposed a simple password.

For now, I’m just presenting these three separate hacks as data points of interest.

Did Wikileaks Do US Intelligence Bidding in Publishing the Syria Files?

Consider this nutty data point: between CNN’s Reliable Sources and NBC’s Meet the Press, Julian Assange was on more Sunday shows today than John McCain, with two TV appearances earlier this week.

Sadly, even in discussions of the potential that the DNC hack-plus-publication amounts to tampering with US elections, few seem to understand that evidence at least suggests that Wikileaks — not its allegedly Russian source — determined the timing of the release to coincide with the Democratic National Convention. Guccifer 2, at least, was aiming to get files out earlier than Wikileaks dumped them. So if someone is tampering, it is Julian Assange who, I’ve noted, has his own long-standing gripes with Hillary Clinton (though he disclaims any interest in doing her harm). If his source is Russia, that may just mean they had mutual interest in the publication of the files; but Assange claims to have determined the timing.

Since WikiLeaks’ role in the leak has been downplayed even as Assange has made the media rounds, and since the nation’s spooks claim that publishing these documents is what makes it different, I want to consider this exchange Assange had with Chuck Todd:

CHUCK TODD:

All right. Let me ask you this. Do you, without revealing your source on this, do you accept information and leaked documents from foreign governments?

JULIAN ASSANGE:

Well, our publishing model means that what we publish is guaranteed to be true. That’s what we’re concerned about. That’s what our readers are concerned about. That’s the right of the general public, to not–

[snip]

CHUCK TODD:

Does that not trouble you at all, if a foreign government is trying to meddle in the affairs of another foreign government?

JULIAN ASSANGE:

Well, it’s an interesting speculative question that’s for the press and others to perhaps–

CHUCK TODD:

That doesn’t bother you? That is not part of the WikiLeaks credo?

JULIAN ASSANGE:

Well, it’s a meta story. If you’re asking would we accept information from U.S. intelligence that we had verified to be completely accurate, and would we publish that, and would we protect our sources in U.S. intelligence, the answer is yes, of course we would. [my emphasis]

Sure, at one level this is typical Assange redirection. When Todd asked if he’d accept files from Russia, Assange instead answered that he would accept them from the United States.

But it may not be so farcical as it seems. Consider the case of the Syria Files Wikileaks posted in spring 2012, at the beginning of the time the US was engaging in covert operations in Syria. They contained embarrassing information on Bashar al-Assad, his wife, and close associates, as well as documents implicating western companies that had facilitated Assad’s repression. Even at the time, people asked if the files were a western intelligence psy-op, though they were explicitly sourced to various factions of Anonymous. Then, between Jeremy Hammond and Sabu’s sentencing processes, it became clear that in January 2012, the latter identified targets for Anonymous hackers, targets that included the Syrian government.

An informant working for the F.B.I. coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks.

Exploiting a vulnerability in a popular web hosting software, the informant directed at least one hacker to extract vast amounts of data — from bank records to login information — from the government servers of a number of countries and upload it to a server monitored by the F.B.I., according to court statements.

[snip]

The sentencing statement also said that Mr. Monsegur directed other hackers to give him extensive amounts of data from Syrian government websites, including banks and ministries of the government of President Bashar al-Assad. “The F.B.I. took advantage of hackers who wanted to help support the Syrian people against the Assad regime, who instead unwittingly provided the U.S. government access to Syrian systems,” the statement said.

What’s not known (as multiple reports say is still not known about the DNC hack) is whether the specific files the Sabu-directed Anonymous hackers obtained were the same ones that Wikileaks came to publish, though the timing certainly works out. It’s a very distinct possibility. In which case Assange’s comment may be more than redirection, but instead a reminder that Wikileaks has played the analogous role in a US-directed hack-and-publish operation, one designed to damage Assad and his western allies. If those documents did ultimately come via FBI direction of Sabu, then Assange might be warning US spooks that their own similar actions could be exposed if he were asked to reveal more about any Russian role in the DNC hack.

Was “Computer Network” “Analytics Data Program” Hacked at Hillary HQ VAN or Something Else?

Several outlets have reported that Hillary’s campaign — or rather, a network the Hillary campaign uses — got hacked along with the DNC and DCCC, presumably by the same APT 28 group presumed to be Russia’s military intelligence GRU. But reports on this, coming after a day of equivocation about whether Hillary’s campaign had been hacked at all, are unclear.

Reuters explains hackers accessed an “analytics program server” for five days (though it doesn’t provide a date for that access).

A Clinton campaign spokesman said in a statement late on Friday that an analytics data program maintained by the DNC and used by the campaign and a number of other entities “was accessed as part of the DNC hack.”

[snip]

Later, a campaign official said hackers had access to the analytics program’s server for approximately five days. The analytics data program is one of many systems the campaign accesses to conduct voter analysis, and does not include social security numbers or credit card numbers, the official said.

KTLA (working off a CNN feed, I think) described the target as a “dynamic voter database — with voter participation, voter contact information and voter files all campaign organizations use.”

A person familiar with the Clinton campaign program described it as essentially a dynamic voter database — with voter participation, voter contact information and voter files that all campaign organizations use. It’s a list — but a dynamic one with key voter data.

A Clinton aide said the hackers had access to the analytics program’s server for approximately five days. The analytics data program is among many systems accessed to conduct voter analysis. It does not include social security numbers or credit card numbers.

The aide noted further that according to the campaign’s outside cyber security expert, the hack of this analytics data program could not have resulted in access to Clinton campaign internal emails, voicemails, computers or other internal communications and documents. Those are completely independent systems.

Some, though not all, of those reports are based on this circumspect statement from Nick Merrill.

An analytics data program maintained by the DNC, and used by our campaign and a number of other entities, was accessed as part of the DNC hack. Our campaign computer system has been under review by outside cyber security experts. To date, they have found no evidence that our internal systems have been compromised.

Meanwhile, the FBI sources in these stories seem hesitant to definitively tie this hack to the others.

I raise all this because the KTLA description of the program sounds a lot like VAN, the voter management program that has already made the news several times this election year. VAN is dynamic and accessible to all Democratic campaigns so they can share data about voter participation, contacts, and enthusiasm for one or another candidate.

But if it were VAN it’d be of particular interest for two reasons. First, because a firewall between Hillary and Bernie’s campaigns went down in December, just as Bernie’s campaign finished up an utterly historic fundraising day. A few of Bernie’s staffers accessed some of Hillary’s data — they said to monitor the extent of the breach, which they claimed was the second time it had happened. Bernie sued the DNC over the insecurity of the VAN, but ultimately he ended up punishing several staffers.

In other words, by December, if not before, the DNC had warning that the VAN was unstable. If the hack was of VAN and if it was in any way associated with this time period — or if it was a response to DNC taking no action to force VAN to improve security — then it would be very damaging to the Democrats.

If this hack was of VAN, it would also be significant given that Guccifer 2’s technically bogus explanation of how “he” hacked the DNC claimed he got in through VAN.

How did you break into the DNC network? And are you still in?

These questions are also very popular. I’ve already said about the software vulnerabilities. The DNC had NGP VAN software installed on their system so I used the 0-day exploit and then deployed my backdoor. The DNC used Windows on their server, so it made my work much easier. I installed my Trojan like virus on their PCs. I just modified the platform that I bought on the hacking forums for about $1.5k.

I’ve been inside the network for pretty long time, so I downloaded a lot of files. I lost access after they rebooted the system on June 12. But after all, if they’ll carry on like this it won’t be a problem to get in again and again.

I’ve worked with VAN (albeit in a county party office) and I can’t think of a way it would be hooked up to more substantive computers (hmm–except perhaps within a computer and from there back up through a network). And the explanation appears bogus for a number of other reasons. But it would be interesting if Guccifer 2 had pointed to VAN weeks before the campaign decided to check whether VAN had been accessed (after having been proven to be unstable in the primary).

Finally, it would be interesting if it were VAN for one more reason: because after the December incident, Bernie moved off of VAN. Which means he has files protected from whatever the Russians or whoever else have been up to.