Change Of Plans

I’ve had a draft cooking for a while over Laci Green’s view of trans* people. I don’t claim to know why she’s hanging out with MRAs or treating TERFs as if they were feminists, but if she’s going to sit down and attempt to make logical arguments the least I could do is return the favor.

But then this happened.

A Quick Note on So-Called “Bathroom Bills”

[CONTENT WARNING: TERFs]

Gendered restrooms are a relatively recent phenomenon. Before then restrooms were unisex, but not in the way you’re thinking.

… public facilities in Western nations were male-only until the Victorian era, which meant women had to improvise. If they had to be out and about longer than they could hold their bladders, women in the Victorian era would urinate over a gutter (long Victorian skirts allowed for some privacy). Some would even carry a small personal device called a urinette that they could use discreetly under their skirts and then pour out, [Sheila] Cavanagh said. […]

This lack of female facilities reflected a notable attitude about women: that they should stay home. This “urinary leash” remains a problem in some developing nations, said Harvey Molotch, a sociologist at New York University and co-editor of “Toilet: The Public Restroom and the Politics of Sharing” (New York University Press, 2010). Women in India today, for example, often have to avoid eating or drinking too much if they have to be out in public, because there is no place for them to go, Molotch told Live Science.

But with the rise of the Industrial Revolution and changing attitudes towards gender, forcing women back into the home wasn’t tenable. Instead, during the last quarter of the 19th century a new philosophy became dominant.

Scientific discoveries at the time showed that working women were “unable to [physically] withstand strains, fatigues, and privations as well as [men],” so sex-separated restrooms provided “a protective haven . . . where a woman could seek comfort and rest when her weak body gave out on the job.” Maintaining separate facilities that were “properly screened” also provided more privacy to both men and women with regard to their bodies and bodily functions, an obsession derived from Victorian society. By providing a separate space for the special needs of women and protecting the privacy of all workers, sex-separated bathrooms upheld “[l]ate nineteenth century concerns about germs and sanitation . . . [and] early nineteenth century ideological concerns of pure womanhood.”

Governments began mandating sex-segregated washrooms in the workplace, starting with Massachusetts in 1887. As attitudes towards women changed, however, the reasons for segregation shifted.

Though modern thinking has certainly progressed and women are not treated as inherently inferior as they once were, the current argument that sex-separated restrooms provide greater safety for women harkens back to the nineteenth century justifications for separate restroom facilities. For example, literature opposing transgender bathroom access focuses heavily on protecting the safety, privacy, and dignity of women and girls, yet rarely mentions any issues men might have with sharing a restroom with a female-to-male transsexual. Even some transsexual women wish to maintain the “safe haven in a male dominated world” of a women’s restroom “where women can have their own space without needing to worry what a man might do (in front of them, to them, or to their daughters and young sons.)” At the very least, these opinions expose an underlying belief that women and girls are more fragile than men, have a deeper need of privacy than men, and are more likely than men to be afraid or offended by the notion of sharing a restroom with a male-born transgender woman.

Faced with this information, you’d think a feminist would tread very carefully. Yes, there’s a gender imbalance in who commits sexual assault, but the historic use of washrooms to control women should give pause about banning someone else from using them.

TERFs don’t pause; they’re fully in favour of “bathroom bills.” Even when a butch lesbian gives a convincing plea against this legislation, they still find a way to justify support.

Those of us who believe that men belong in the men’s washroom come in two major types—conservatives and feminists—but this author doesn’t distinguish between the two groups. Conservatives understand that certain men will use any excuse to prey on women and children and they want to protect them. They are also homophobic and do not accept ordinary lesbians and gays, and they promote traditional gender roles and marriage. Feminists know that men with sexual fetishes like to declare that they have a gender identity and therefore have a right to expose themselves in women’s locker rooms. We differ completely from conservatives because we are against gender roles and sex stereotypes. We want the entire range of women in all our diversity to feel comfortable in women’s spaces, which will be accomplished by eliminating sexism and homophobia. […]

She’s implying here that the reason for sex-segregated facilities is the misguided notion that women need protection from men, and that people only believe that women need protection because of gender roles/stereotypes about women. But in the real world, women do need protection from men, because men abuse women on a regular basis through assault, rape, harassment, stalking, flashing, taking photos without consent, and the list goes on. Unfortunately this writer didn’t check the stats on violence against women before writing her article.

This is evidence that TERFs are not truly feminists: they advocate for the elimination of sex stereotypes, yet push a stereotyped view of sex. They are ignorant of feminist history, and advocate for sexist policies that date back to the Victorian era. The aforementioned division between “conservatives” and “feminists” is rich, especially since the two love to team up to oppose the rights of trans* people.

The real issue behind “bathroom bills” is control over who gets to enjoy the public sphere; security is secondary at best.

Mystery Solved

I’m surprised I don’t read Wonkette more often.

Rachel Maddow did a BIG SCOOP on Thursday night, and we think it’s a pretty big fuckin’ deal. To cut to the chase, somebody (she doesn’t know who YET) used her “Send It To Rachel” tool to send her something that looks like a highly classified document about collusion between Donald Trump and Russia, but is actually a FORGERY. WHOA IF TRUE, right?

It is pretty “whoa,” in fact I was about to sit down and type something up on it until I saw Wonkette scooped me.

What’s fascinating about this weird forgery is that it appears to have been copied off the highly classified document NSA contractor Reality Winner sent to Glenn Greenwald’s The Intercept. Remember how The Intercept published a bombshell on Monday, June 5, that Russians had specifically targeted voting machine manufacturers and election officials during their 2016 cyberwar against American democracy, and that they got further than anybody ever knew? […]

Maddow found the EXACT SAME MARKINGS and the EXACT SAME CREASE on the document she got. Forgery detected! (Later in the segment she explained that there were several other screwy things about the document, including that it actually named a high-up American citizen/Trump campaign person. According to the intelligence experts Maddow consulted, this type of document, if real, wouldn’t name an American all willy-nilly like that.)

There was one intriguing mystery left: the file received by Maddow was created on June 5th, 2017, at 12:17:15, yet the Intercept’s article went online at 15:44 (not 13:44, as I first wrote). How could the person who sent the document get access to it before the article was published? I was about to sit down and type about that instead, but…

That’s because time stamps on the documents published by The Intercept designate the creation date included in the PDF we publish on DocumentCloud: In this case, that occurred just over three hours prior to publication of our article. Both versions — the one we published and the one Maddow received — reflect the same time to the second: literally the exact moment when we created and uploaded the document.

In other words, anyone who took the document directly from The Intercept’s site would have a document with exactly the same time stamp as the one Maddow showed. Thus, rather than proving that this document was created before The Intercept’s publication, the time stamp featured by Maddow strongly suggests exactly the opposite: that it was taken from The Intercept’s site.

Ah, thank you Glenn Greenwald. It looks like the Intercept has an automated system to process their documents. Downloading the original for myself, I can tell they use an old-ish copy of ImageMagick to do the grunt work. This probably helps them redact information; the boxes they use to cover information look digitally made, yet are burnt into the source images that make up the PDF. This could have the pleasant side-effect of wiping away the original document’s metadata, if it was digital. On the other hand, I also see the original title was “GRU-final,” which probably didn’t come from the Intercept.

I get something slightly different from Greenwald when I dump the document’s info, though.

File Modification Date/Time : 2017:06:05 13:43:03-06:00
PDF Version : 1.4
Linearized : No
Create Date : 2017:06:05 12:17:15
Modify Date : 2017:06:05 12:17:15
Page Count : 5

In his case, the File Modification Date/Time line reads “2017:07:06 21:33:15-04:00,” the exact time he downloaded his copy. That line isn’t part of the PDF at all: exiftool reports the local file’s filesystem timestamp there, which is set by whatever wrote the copy to disk (wget preserves the server’s Last-Modified header by default, while a browser stamps the download time), so two copies disagreeing on it says nothing about the document. The Create Date and Modify Date embedded in the PDF itself match to the second.
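The comparison above comes down to two different kinds of timestamp, and to the time-zone trap noted in the update. As an added example (not code from this post, from Greenwald or from the Intercept), the Python below parses the dates embedded in a PDF’s Info dictionary, records whether the producer included a time-zone offset (without one, the value cannot be placed on anyone else’s wall clock), and contrasts them with the filesystem modification time of the local copy. The PDF bytes, the 12:17:15 stamp and the later download time are constructed here for illustration.

```python
"""Embedded PDF dates versus on-disk timestamps.

Added example for this post; not code from the Intercept or the original
article. The PDF bytes and timestamps below are constructed for illustration.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# PDF date strings have the form D:YYYYMMDDHHmmSSOHH'mm' (ISO 32000-1, 7.9.4).
# Every field after the year is optional, including the timezone offset.
PDF_DATE_RE = re.compile(
    r"D:(?P<Y>\d{4})(?P<m>\d{2})?(?P<d>\d{2})?"
    r"(?P<H>\d{2})?(?P<M>\d{2})?(?P<S>\d{2})?"
    r"(?:(?P<tz>[Zz+\-])(?P<oh>\d{2})?'?(?P<om>\d{2})?'?)?$"
)


def parse_pdf_date(raw):
    """Parse a PDF date; the result is tz-aware only if an offset was given.

    A naive datetime means the producer left the zone out, so the value
    cannot honestly be compared with a wall-clock time in another zone.
    """
    m = PDF_DATE_RE.match(raw.strip())
    if not m:
        raise ValueError("not a PDF date string: %r" % raw)
    g = m.groupdict()
    dt = datetime(int(g["Y"]), int(g["m"] or 1), int(g["d"] or 1),
                  int(g["H"] or 0), int(g["M"] or 0), int(g["S"] or 0))
    if g["tz"] is None:
        return dt
    if g["tz"] in ("Z", "z"):
        return dt.replace(tzinfo=timezone.utc)
    sign = 1 if g["tz"] == "+" else -1
    offset = timedelta(hours=int(g["oh"] or 0), minutes=int(g["om"] or 0))
    return dt.replace(tzinfo=timezone(sign * offset))


# The Info dictionary carries the dates as literal strings: /CreationDate (D:...)
INFO_DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\((D:[^)]*)\)")


def embedded_dates(pdf_bytes):
    """Return {'CreationDate': dt, 'ModDate': dt} from the Info dictionary."""
    return {key.decode(): parse_pdf_date(val.decode())
            for key, val in INFO_DATE_RE.findall(pdf_bytes)}


def same_embedded_dates(pdf_a, pdf_b):
    """True when two copies carry identical embedded dates, to the second."""
    a, b = embedded_dates(pdf_a), embedded_dates(pdf_b)
    return bool(a) and a == b


def file_mtime(path):
    """Filesystem mtime as UTC: set by whatever wrote the local copy, not by
    the document's producer (this is what exiftool calls File Modification
    Date/Time)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def make_pdf(creation, modified):
    """Constructed minimal PDF with an Info dictionary (sample input only)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Title (sample) /Producer (ImageMagick)"
            b" /CreationDate (" + creation + b") /ModDate (" + modified + b") >>"
            b" endobj\n"
            b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")


def demo():
    """Two downloads of one file: embedded dates match, on-disk mtimes do not."""
    stamp = b"D:20170605121715"   # no offset, like the document in the post
    copy_a = make_pdf(stamp, stamp)
    copy_b = make_pdf(stamp, stamp)
    with tempfile.TemporaryDirectory() as tmp:
        path_a = os.path.join(tmp, "copy_a.pdf")
        path_b = os.path.join(tmp, "copy_b.pdf")
        for path, data in ((path_a, copy_a), (path_b, copy_b)):
            with open(path, "wb") as fh:
                fh.write(data)
        # Pretend copy_b was saved a month later by a browser that stamps the
        # download time (constructed value in a -04:00 zone).
        later = datetime(2017, 7, 6, 21, 33, 15,
                         tzinfo=timezone(timedelta(hours=-4))).timestamp()
        os.utime(path_b, (later, later))
        return {
            "same_embedded_dates": same_embedded_dates(copy_a, copy_b),
            "creation_is_naive": embedded_dates(copy_a)["CreationDate"].tzinfo is None,
            "mtime_a": file_mtime(path_a),
            "mtime_b": file_mtime(path_b),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the two copies agree on every embedded date while their mtimes are weeks apart, which is the pattern Greenwald describes: a matching Create Date is evidence the file came from the published copy, and the filesystem date only tells you when a particular person saved it.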

So, that’s one mystery solved: the person or people who sent the document to Maddow used the Intercept’s document as a base. That still leaves who sent it, though. Was it the Kremlin, someone associated with Trump, or somebody else? That one is in the hands of Maddow’s team.

(A hat tip to Lynna, OM in PZ’s Political Madness thread, for the Wonkette article.)

[HJH 2017-07-08: Damn time zones. And I was even going to mention them in my original post…]

The Ouroboros of Hate

I’ll confess I’ve said that if bigots were smart, they wouldn’t be bigots. Reality is a bit more complicated than that, but there is a way to rescue the sentiment.

  1. Opponents of Social Justice movements generally have a poor grasp of social justice concepts.
  2. As a consequence, some of them think these concepts lack any firm meaning. They instead act either as in-group/out-group signifiers, or as synonyms for “I don’t like you.”
  3. As a consequence, some of them have difficulty telling if these concepts are used in their proper manner.
  4. A few opponents of social justice, motivated either by a desire to show #2 to be true or simply to grief, will stage faux social justice campaigns.
  5. As a consequence, the subset mentioned in #3 will think the opponents from #4 are sincere, and given enough exposure may start thinking social justice concepts lack meaning.

I’ve seen this in action; while one group of bigots were trolling me, I saw another group think the trolling was sincere. Just recently, I spotted another example.

Older members of the crowd carried Confederate flags, while the younger, internet-driven masses wore patches with 4chan’s Kekistan banner. Rally-goers in homemade armor and semi-automatic rifles paced Houston’s Hermann Park, waiting for an enemy to appear.

The crowd, several hundred strong, gathered in the park on Saturday to defend a statue of Sam Houston, a slaveholder. They had gathered in response to reports that leftist protesters had planned a rally to remove the statue, despite Houston Mayor Sylvester Turner publicly stating that removing the statue wasn’t “even on my agenda.” But as sniper rifles and Infowars-branded jackets crowded the park, it became evident that the left protesters were not coming. They had never planned to come. The rumors of an antifa protest were actually a hoax, orchestrated by an anti-left group defending Confederate monuments.

I suspect these scenarios are more common than we realize, if only because the same thing happened again a month later.

A “patriot” who brought a revolver to Gettysburg National Military Park Saturday amid rumors of desecration of memorials accidentally shot himself in the leg Saturday. […]

Dozens of self-described Patriots came to the park about noon Saturday after hearing rumors that Antifa protesters might crash the park’s events and try to desecrate memorials. Members of Antifa caused a ruckus in Harrisburg recently at an Anti-Sharia rally and one member was arrested for swinging a wooden pole with a nail attached at a police horse.

The rumors on Saturday appeared to be just that: rumors, as no Antifa members were seen at Gettysburg park Saturday.

The result of all this is a self-supporting feedback loop, where people opposed to social justice keep getting fooled by false flags into thinking social justice is as loopy as they’ve been told, and some of them graduate to generate those false flag campaigns.

Look Around You

Let’s say the Kremlin was responsible for the DNC hack, and deployed Twitter bots and trolls to drive disinformation during the recent US election. You wouldn’t expect something like this to pop up overnight; it’s far more likely Russia has practised on its closer neighbours for years. If so, you’d expect those neighbours to have plans and organisations set up to counter Kremlin influence.

Sweden has launched a nationwide school program to teach students to identify Russian propaganda. The Defense Ministry has created new units to seek out and counter Russian attempts to undermine Swedish society.

In Lithuania, 100 citizen cyber-sleuths dubbed “elves” link up digitally to identify and beat back the people employed on social media to spread Russian disinformation. They call the daily skirmishes “Elves vs. Trolls.”

In Brussels, the European Union’s East Stratcom Task Force has 14 staffers and hundreds of volunteer academics, researchers and journalists who have researched and published 2,000 examples of false or twisted ­stories in 18 languages in a weekly digest that began two years ago. […]

France and Britain have successfully pressured Facebook to disable tens of thousands of automated fake accounts used to sway voters close to election time, and it has doubled to 6,000 the number of monitors empowered to remove defamatory and hate-filled posts.

The German cabinet recently endorsed legislation — now before Parliament — to impose fines of up to $53 million on social-media companies that fail to remove posts deemed to be “hate speech.” Some especially notorious recent examples concerning migrants have been traced to Russian origins.

You’d also expect the Kremlin to brag about their online savvy. It would be a national source of strength and pride, after all.

Last February, a top Russian cyber official told a security conference in Moscow that Russia was working on new strategies for the “information arena” that would be equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”

Andrey Krutskikh, a senior Kremlin adviser, made the startling comments at the Russian national information security forum, or “Infoforum 2016,” held Feb. 4 and 5. His remarks were transcribed by a Russian who attended the gathering and translated for me by an independent European cyber expert. […]

According to notes of Krutskikh’s speech, he told his Russian audience: “You think we are living in 2016. No, we are living in 1948. And do you know why? Because in 1949, the Soviet Union had its first atomic bomb test. And if until that moment, the Soviet Union was trying to reach agreement with [President Harry] Truman to ban nuclear weapons, and the Americans were not taking us seriously, in 1949 everything changed and they started talking to us on an equal footing.”

Krutskikh continued, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”

Putin’s cyber adviser stressed to the Moscow audience the importance for Russia of having a strong hand in this new domain. If Russia is weak, he explained, “it must behave hypocritically and search for compromises. But once it becomes strong, it will dictate to the Western partners [the United States and its allies] from the position of power.”

If you live in the United States and focus on news relevant to there, it isn’t that hard to dismiss evidence of Kremlin hacking. They haven’t done it before, right? The US is a tech leader, anyway, and would spot any attempts coming from a mile away.

If you step outside of that bubble, though, you find many more people convinced of the Kremlin’s hand, if only because they’ve felt it themselves.

When Winning Becomes Everything

Before getting to the point, though, do you mind if I be a little petty? Emphasis mine:

I was asked about my observations on technical details buried in the State Department’s release of Secretary Clinton’s emails (such as noting a hack attempt in 2011, or how Clinton’s emails might have been intercepted by Russia due to lack of encryption). I was also asked about aspects of the DNC hack, such as why I thought the “Guccifer 2” persona really was in all likelihood operated by the Russian government, and how it wasn’t necessary to rely on CrowdStrike’s attribution as blind faith; noting that I had come to the same conclusion independently based on entirely public evidence, having been initially doubtful of CrowdStrike’s conclusions.

MMmmmm.

But on to the main point: the day after Thursday’s revelation that “a GOP operative who presented himself as working with Mike Flynn, … actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government,” one of the anonymous sources became nonymous. Meet Matt Tait, a British cybersecurity researcher who’s covered that angle of American politics. Said GOP operative, Peter Smith, approached him to validate the batch of emails that were claimed to be from Hillary Clinton’s private email server.

In my conversations with Smith and his colleague, I tried to stress this point: if this dark web contact is a front for the Russian government, you really don’t want to play this game. But they were not discouraged. They appeared to be convinced of the need to obtain Clinton’s private emails and make them public, and they had a reckless lack of interest in whether the emails came from a Russian cut-out. Indeed, they made it quite clear to me that it made no difference to them who hacked the emails or why they did so, only that the emails be found and made public before the election.

Ignore the whole attribution angle of the DNC hack. Instead, let’s focus on the actions of the Republicans. They had access to illegally obtained dirt on a rival party, and didn’t care how it had been obtained. All that mattered to them was winning.

This isn’t a one-off, either; yesterday I pointed to an old story about another GOP operative, Aaron Nevins, who struck a deal with “Guccifer 2.0” to use the material they gathered from local DNC chapters in local races. That material wound up being used in attack ads, and may have swayed voters. But there was also a recent report which showed that Republicans had extensively gerrymandered electoral districts, guaranteeing themselves safer seats and greater odds of winning. This lines up with prior reports. Republicans are also notorious for voter suppression, to the point that they openly brag about it and waste taxpayer funds to do it. Voter disenfranchisement? Also a Republican tactic.

This is a party devoted primarily to winning. Their policies and values are secondary, leading to an unending stream of hypocrisy. This explains a lot about why they have so much difficulty governing: the Republicans lack a unified vision to guide policy and rally everyone around. That makes it easy for outside groups to sway Republicans to their side, to the point that they even rely on them to draft some legislation.

This is poisonous for democracy. It must be opposed, no matter your political leanings.

The Mechanisation of Hate

Over time, I’ve come to believe anti-feminism is a cult of sorts. Their use of memes was a deciding factor, but there are other tells. One exploits our instincts as a social species.

In order to encourage those social bonds, we have a need to be loved. This creates a loyalty to a social group, which we repay by advancing the needs of the group. We band together to gather food, fend off predators or other groups, and so on.
But if love forms bonds, couldn’t a lot of love form a really strong bond? Or overcome resistance to forming a bond? This is the rationale behind “love-bombing:” by showering your target with love, you hope to generate a relationship that otherwise wouldn’t happen. The term was even coined by a cult. The flip-side is hate-bombing, or showering someone with hate in the hope of causing emotional distress.

Via PZ, I learned that anti-feminists have a very similar concept: red-pilling.

“Redpill,” for the blissfully unaware, is a slang term in certain alt-right-adjacent internet communities like the men’s rights crew. It refers to that famous Matrix scene where Neo takes the red pill and sees things as they really are. When alt-right dudes use it, they generally mean “convince other white people that we’re better than others,” and many of them are not shy about trying to redpill their friends and families.

“It’s a new label for an old idea,” said Ryan Lenz, who gathers information on hate groups for the Southern Poverty Law Center’s Intelligence Project, and edits their Hatewatch blog.

That Vice article points out some common tactics, like building empathy and using bargaining to expose people to your propaganda. Laci Green appears to be the latest person to fall victim.

In late May, seemingly out of the blue, Green dramatically shifted her tone on harassment. Where once she supported the abused, she suddenly began questioning why there’s “more than two genders” and arguing that “both sides of the argument are valid” for everything from racism to transphobia to misogyny. In a stunning example of her newfound hypocrisy, she called feminist YouTuber and fellow member of her anti-harassment Facebook group Kat Blaque a “sociopath,” […]

In a series of videos, Green revealed that her shift was a result of “red pilling,” the term for a twisted Matrix-inspired recruitment process coined by men’s rights advocates, pick-up artists, and the “alt right.” The process involves a recruiter who attempts to position white supremacists as oppressed truth tellers while spinning phony racial and gender science as “free speech” that’s being trampled on by feminists and the political left.

The parallels between religious cults and the anti-feminist movement are chilling; I didn’t even realise there was a flip-side to love-bombing until I thought of examples drawn from anti-feminism. But there’s an ingredient we can add which makes things oh-so-much worse.

You can see the outlines of it in message boards like 4chan: someone announces a target, and other commenters swarm that person with love or hate. These are the early steps in the mechanisation of hate, in this case the automation of love/hate-bombing, and it’s gotten very sophisticated. The next logical step would be to get money involved in the process, and that’s already happened.

When Green created her anti-harassment Facebook group, it was largely in response to the rising trend of “response videos,” YouTube videos created by trolls who have devoted their lives to attacking feminist content. Creators of these videos often claim that their content does not itself constitute harassment, while simultaneously ignoring the actions of their followers, who frequently bombard their targets with an overwhelming number of slurs and violent messages. […]

Troublingly, up until recently, such videos were not only supported by YouTube, but incentivized. Because response videos are so easy to make, it was easy for reactionary YouTubers to churn out a lot of content, which YouTube then prioritized in an algorithm that favored prolific output, high view counts, and abundant comments — even if those comments were toxic. Gaming the very closely held secret of the YouTube algorithm became a de facto path to internet stardom, and the format was perfect for response-video creators.

This puts a dollar tag on hate. It’s no longer just about promoting your group or winning new members; you can actually make a good living off of hating on feminism. This is yet another parallel to religion, especially Christianity, which has always used various means to extract funds from its supporters to line the pockets of its preachers. It drives a self-feeding cycle of hate, where preachers scramble to earn the cash of followers by whipping up their hatred.

There is no easy way to defeat this, as it relies on deeply embedded parts of our psyche. Speaking up about it and educating people is probably the best tactic in the short-term, while in the long-term we work on dismantling or altering systems which promote it.

Russian Hacking and Bayes’ Theorem, Part 4

Ranum’s turn! Old blog post first.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence community is trying to sell:

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

They aren’t using IP addresses or attack signatures to sell attribution, they’re pooling all the analysis they can get their hands on, public and private. It’s short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.

I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to whitelist IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.

I dunno, there’s a fair bit of creativity involved in trickery. You need to do some research to figure out the target’s infrastructure (so you don’t present them with a Gmail login if they’re using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); find ways to disguise the displayed URL that neither a human nor browser will notice; obtain an SSL certificate the browser will accept; and it helps if you can find a way around two-factor authentication. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.
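The URL-disguise step in that list is the one a defender can actually check for. As an added example (my own, not code from this post, from Ranum or from any of the reports quoted below), the Python below walks the anchors in an HTML email and flags the four tricks a reader cannot judge by eye: visible text that is itself an address but points at a different host, internationalised (xn--) hosts, a trusted name buried in a subdomain of someone else’s domain, and link shorteners of the kind the Bitly-based campaign used. The sample message, the brand list and the shortener list are constructed here, and the registrable-domain helper is a deliberate simplification that ignores the public suffix list.

```python
"""Flag the link tricks a spearphish relies on, in a constructed HTML email.

Added example for this post; not code from the original article or from the
reports it quotes. The sample message, the brand list and the shortener list
are made up here; registrable() is a simplification with no public suffix list.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shorteners hide the destination from the reader. Constructed, partial list.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare host ('' if there is none)."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def registrable(host):
    """Last two labels of a host. Simplification: real code consults the
    public suffix list so that names like example.co.uk are handled."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def looks_like_url(text):
    """Visible text a reader will take for an address."""
    return bool(text) and " " not in text and ("://" in text or "." in text)


def suspicious_links(html, brands):
    """Return [(href, text, [reasons])] for anchors that disguise where they go."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        # 1. Display text is an address, but not the one the link goes to.
        if looks_like_url(text) and registrable(host_of(text)) != registrable(host):
            reasons.append("visible URL differs from href host %s" % host)
        # 2. Internationalised host: homoglyph domains arrive as xn-- labels.
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            reasons.append("IDN/punycode host")
        # 3. A trusted name sitting inside somebody else's registrable domain.
        for brand in brands:
            if brand in host and registrable(host) != registrable(brand):
                reasons.append("%s appears inside %s" % (brand, registrable(host)))
        # 4. Shortener: the destination cannot be judged from the link at all.
        if registrable(host) in SHORTENERS:
            reasons.append("shortened link")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message, not a real phish.
SAMPLE_HTML = """
<p>Someone has your password. <a href="https://accounts.google.com/signin">Sign in</a>
to review, or open <a href="http://accounts-google.com.example.net/login">https://accounts.google.com/</a>.</p>
<p>Security team: <a href="http://xn--ggle-55da.com/recover">Google Account recovery</a></p>
<p>Report: <a href="https://bit.ly/2abcDEF">https://bit.ly/2abcDEF</a></p>
"""


def scan_sample():
    """Scan the constructed message for a Gmail-themed phish."""
    return suspicious_links(SAMPLE_HTML, ["google.com"])


if __name__ == "__main__":
    for href, text, reasons in scan_sample():
        print(href, "|", text, "|", "; ".join(reasons))
```

The first anchor in the sample is clean; the other three each trip a different rule. None of this needs a line of exploit code on the attacker’s side, which is the point of the paragraph above: the work is in the design of the lure, not in programming.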

I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant, though; the fact that house break-ins are easy to do doesn’t refute the evidence that someone burgled a house.

Hey, that was quick. Next post!

Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:

H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it

I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]

SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

That SecureWorks report expands on who was targeted.

In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.

Even that glosses over details, as that list also includes Colin Powell, John Podesta, and William Rinehart. Also bear in mind that all these people were phished over roughly nine months, sometimes multiple times. While it helps that many of the targets used Gmail, when you add up the research involved to craft a good phish, plus the janitorial work that kicks in after a successful attack (scanning and enumeration, second-stage attack generation, data transfer and conversion), the scale of the attack makes it extremely difficult for an individual to pull off.

Similar reasoning applies to an unskilled person/group using professional tools. The multiple stages to a breach would be easy to screw up, unless you had experience carrying these out; the scale of the phish demands a level of organisation that amateurs shouldn’t be capable of. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.

Besides, this argument tries to eat and have its cake. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, no matter what their status was beforehand. The difference between hypotheses D and I is trivial.

There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.

Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.

I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.

Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to be liberal with our hypotheses.

I) is also a problem for the “Russian hackers” argument. As I described, the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?

This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.

Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.

I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:

  1. Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
  2. Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
  3. Guccifer is an American hacker who used basic off the shelf tools
  4. Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services

Quick story: I listened to Crowdstrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.

The presenters pointed out that this was probably due to a quirk in Linux attacks. There’s a lot of variance in which kernel and libraries will be installed on any given server, so merely copying over the attack binary is prone to break. Because of this variety, though, it’s common to have a compiler installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the code.

You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.

“Could.” Note that you need the perfect set of conditions in place. Even if those did occur, and even if the source code bundle contains Windows or OSX source too (excluding that would reduce the amount of data transferred and increase the odds of compilation slightly), the attack binary for those platforms usually needs to be compiled elsewhere. Compilation environments are highly variable yet leave fingerprints all over the executable, such as compilation language and time-stamps. A halfway-savvy IT security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.
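To make the “fingerprints all over the executable” point concrete, here is an added example (mine, not code from the post or from any of the vendors it cites) that pulls the build metadata a Windows PE binary carries in its headers, the compile timestamp and the linker version, and diffs two samples the way a triage analyst would when deciding whether a file is the same build or a new variant. The two PE images are constructed inline from a stub builder so the script runs offline; they are not real XAgent/CHOPSTICK samples.

```python
import struct
from datetime import datetime, timezone

# Constants from the PE/COFF spec (these are real values, not assumptions).
IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x010B
PE32_OPTIONAL_HEADER_SIZE = 0xE0


def pe_build_fingerprint(data: bytes) -> dict:
    """Extract build-environment metadata from a PE image's headers.

    Reads IMAGE_FILE_HEADER (machine, timestamp) and the start of
    IMAGE_OPTIONAL_HEADER (linker major/minor). Raises on non-PE input.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "optional_magic": magic,
        "linker": f"{linker_major}.{linker_minor}",
    }


def compare_fingerprints(a: dict, b: dict) -> set:
    """Return the header fields on which two builds differ.

    A non-empty set is the 'flag as a new variant' signal from the post:
    same toolkit, different build environment or build time.
    """
    return {k for k in a if a[k] != b[k]}


def make_stub_pe(timestamp: int, linker_major: int, linker_minor: int,
                 machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Build a minimal, constructed PE header for demonstration only.

    Only the fields the fingerprint reads are meaningful; it is not a
    loadable executable.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> right after DOS header
    file_header = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0,
                              PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    optional = struct.pack("<HBB", PE32_MAGIC, linker_major, linker_minor)
    optional += bytes(PE32_OPTIONAL_HEADER_SIZE - len(optional))
    return bytes(dos) + b"PE\0\0" + file_header + optional


# Constructed samples: an 'original' build and a rebuild of the same source
# by someone with a different compiler, a year later.
ORIGINAL_BUILD = make_stub_pe(1325376000, 9, 0)    # 2012-01-01T00:00:00Z, linker 9.0
REBUILT_COPY = make_stub_pe(1356998400, 14, 0)     # 2013-01-01T00:00:00Z, linker 14.0


def triage_pair() -> set:
    """Fields that distinguish the two constructed builds."""
    return compare_fingerprints(pe_build_fingerprint(ORIGINAL_BUILD),
                                pe_build_fingerprint(REBUILT_COPY))


if __name__ == "__main__":
    for name, img in (("original", ORIGINAL_BUILD), ("rebuilt", REBUILT_COPY)):
        print(name, pe_build_fingerprint(img))
    print("differing fields:", sorted(triage_pair()))
```

Real analysis tooling reads far more than this (section names and hashes, import tables, the undocumented "Rich" header that records the exact MSVC build numbers, embedded PDB paths), but the timestamp and linker version alone are enough to show why a binary compiled in someone else's environment would not pass as the originating group's build.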

And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.

While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics either; from FireEye’s first report (they now have a second, FYI),

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

And as a reminder, APT28, a.k.a. Fancy Bear, is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.

Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.

  • [HJH: On top of that, from what I’m reading APT28 prefers malware-free exploits, which use existing code on Windows computers to do their work. None of it works on Linux, so its source code would never be revealed via the claimed method.]