The perpetual ‘Red Scare’ mentality that has sustained the high levels of US military spending for a century has taken a curious turn. The basic charge is that the Russian government materially involved itself in the US presidential election by hacking into the websites of the Democratic party, and especially the emails of Hillary Clinton’s campaign chair John Podesta, and released those emails through WikiLeaks in order to hurt her campaign and aid in the election of Donald Trump, and that the Russian government was actively in communication with the Trump campaign. An additional charge against the Russians is that they doctored some of the documents leaked through WikiLeaks to make them look worse than the originals and that they also helped in the dissemination of fake news.
It has become almost an article of faith in some liberal and Democratic circles that this charge is true. The problem is that the charges are based on anonymous leaks, some of them of highly dubious origin like the shady group PropOrNot that the Washington Post in particular has heavily promoted, though in recent days the paper has made a cryptic addition to that story distancing themselves from it.
Meanwhile, President Obama has called for a full probe of these charges. This is undoubtedly a good thing, but only if, as Jeremy Scahill and Jon Schwarz write, the results of the probe are made public and the underlying evidence is declassified and made public as well. Too often, all we get are the conclusions with all the evidence redacted and a plea to trust the government’s version of events.
HERE ARE TWO of political history’s great constants: first, countries meddling in the internal affairs of others (both enemies and “friends”); and, second, bogus charges from a faction in one country that foreigners are meddling in its internal affairs to help another faction.
Both are poison for any country that wishes to rule itself.
So if we’re serious about being a self-governing republic, we have to demand that President Obama declassify as much intelligence as possible that Russia may have intervened in the 2016 presidential election.
Taking Donald Trump’s position — that we should just ignore the question of Russian hacking and “move on” — would be a disaster.
Relying on a hazy war of leaks from the CIA, FBI, various politicians, and their staff is an equally terrible idea.
A congressional investigation would be somewhat better, but that would take years — like the investigations of the intelligence on Iraq and weapons of mass destruction — and would be fatally compromised by the Democrats’ political timidity and GOP opposition.
The only path forward that makes sense is for Obama to order the release of as much evidence as possible underlying the reported “high confidence” of U.S. intelligence agencies that Russia both intervened in the election and did so with the intention of aiding Trump’s candidacy.
What is curious is how various factions have lined up on this issue. Most Republicans would normally be extremely anti-Russian but in this case many of them, and especially those close to the Trump camp, are decidedly downplaying the charge. The Republican chair of the House Intelligence committee says that he sees no reason to open a new probe. Meanwhile, Democrats are ramping up anti-Russian feeling.
The CIA, another source whose credibility is hardly unimpeachable, has added to the story by anonymous leaks to the media that support the Russian hacking charge. Glenn Greenwald condemns this kind of uncritical reporting of anonymous sources.
THE WASHINGTON POST late Friday night published an explosive story that, in many ways, is classic American journalism of the worst sort: The key claims are based exclusively on the unverified assertions of anonymous officials, who in turn are disseminating their own claims about what the CIA purportedly believes, all based on evidence that remains completely secret.
…Deep down in its article, the Post notes — rather critically — that “there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered.” Most importantly, the Post adds that “intelligence agencies do not have specific intelligence showing officials in the Kremlin ‘directing’ the identified individuals to pass the Democratic emails to WikiLeaks.” But the purpose of both anonymous leaks is to finger the Russian government for these hacks, acting with the motive to defeat Hillary Clinton.
Needless to say, Democrats — still eager to make sense of their election loss and to find causes for it other than themselves — immediately declared these anonymous claims about what the CIA believes to be true, and, with a somewhat sweet, religious-type faith, treated these anonymous assertions as proof of what they wanted to believe all along: that Vladimir Putin was rooting for Donald Trump to win and Hillary Clinton to lose and used nefarious means to ensure that outcome. That Democrats are now venerating unverified, anonymous CIA leaks as sacred is par for the course for them this year, but it’s also a good indication of how confused and lost U.S. political culture has become in the wake of Trump’s victory.
Greenwald also writes that while the ‘fake news’ label has been applied to the output of Macedonian teenagers out to make a quick buck, it could just as well be applied to what are considered mainstream US media outlets, and even to Clinton supporters who spread a false story that Clinton’s speeches to Goldman Sachs had been doctored and blamed WikiLeaks for it, though that organization had never published the document.
But the person who created that forged Goldman Sachs transcript was not a “Trumpist” at all; he was a devoted supporter of Hillary Clinton. In the Daily Beast, the person behind the anonymous “The Omnivore” account unmasks himself as “Marco Chacon,” a self-professed creator of “viral fake news” whose targets were Sanders and Trump supporters (he specialized in blatantly fake anti-Clinton frauds with the goal of tricking her opponents into citing them, so that they would be discredited). When he wasn’t posting fabricated news accounts designed to make Clinton’s opponents look bad, his account looked like any other standard pro-Clinton account: numerous negative items about Sanders and then Trump, with links to many Clinton-defending articles.
As if this whole story were not confusing enough, it further looks like the FBI, or at least many of its senior people, have lined up against Clinton, while the CIA has taken her side and lined up against the Russians. We are witnessing a battle of anonymous leaks between two major government agencies, and any investigation will have to arbitrate between these two competing and powerful organizations.
What is highly disturbing is the charge leveled at anyone who merely asks that the evidence of Russian government hacking be made public: that they are either agents of Russia or dupes. That is a classic and despicable Cold War tactic, in which the motives of the US must always be assumed to be noble while those of its enemies are always evil, and no evidence need be provided for either claim.
GenghisFaun says
Annoyingly, whether or not Russians were involved, Dems gloss over the fact that Hillary should be held responsible for putting her emails in a position to be hacked. She hurt her chances in the election, not the Russian government or any other bogeyman responsible for the hack.
Is potential election tampering by a foreign power disturbing? Yes. Would Dems be crying foul if the alleged tampering had helped Hillary win? I doubt it. Are Dems learning anything from the election results? I fear not.
Hj Hornbeck says
Oh no, there’s a lot more than just anonymous leaks. There’s CrowdStrike’s public statements.
PropOrNot’s findings are backed up by a trio of authors blogging at War On The Rocks, two of whom recently did a write-up for Politico.
And while these sources are anonymous, the findings of the CIA seem to be the opinion of European spy agencies too.
Hj Hornbeck says
Hell, we even know how the hackers got the emails, which is rare for these sort of investigations.
And have you forgotten about the time 17 US intelligence agencies teamed up to issue a joint statement?
While attribution is really hard online, it’s about as obvious as it can get that the Russians were trying to tamper with the election via spreading the DNC emails around and blasting out fake news.
Also, it’s important to note where the FBI and CIA differ. It’s not over whether or not the Russians engaged in hacking.
Hj Hornbeck says
[Whoops, one clarification: European intelligence thinks the Kremlin’s plan was to divide the political Left (via Kurt Eichenwald), the FBI thinks the Kremlin was just trying to disrupt the election (New York Times), while the CIA now thinks the goal was to elect Donald Trump (Washington Post). So when I said “the findings of the CIA seem to be the opinion of European spy agencies too,” I meant they agreed that Russia meddled, not the motivations for that meddling.]
Hj Hornbeck says
Last citation, I promise.
Dunc says
Craig Murray maintains that the DNC emails were provided to Wikileaks by a DNC insider, and that he knows this because he has spoken with the leaker personally. He is quoted in the Guardian here:
Now, Craig may be a lot of things, but he’s not a liar, he’s not gullible, and I’m pretty certain that he’s not a Russian agent. I certainly trust him more than I trust anonymous leaks from the CIA, unnamed “intelligence officials”, or anybody at CrowdStrike.
lanir says
@HJ Hornbeck:
Okay… That’s a lot of data. Skeptical hat on.
— Crowdstrike: The linked article oddly seems to think basing the investigation on another investigation is the best evidence pointing toward a particular conclusion. Usually this is only considered a loose corroboration. And for the less technical readers, 176.31.112.10 is a French IP address. If it’s a known Kremlin spy gateway then I’d expect a lot more evidence from it or to hear that it had been shut down. I stopped reading at about this point because really… I expect evidence when people say they have evidence, not smoke and mirrors.
— PropOrNot & War On the Rocks: PropOrNot’s credibility has been very effectively eviscerated by this Intercept article. The War On the Rocks piece does not support anything except its own existence. It’s a pure sales piece. It doesn’t take much to see that. Look at the language. Or as they prefer, “you just have to open your eyes.” They argue/imply that the Russians are supermen who not only know everything anyone else knows but also that they win even by losing. Whether you agree with the opinion they express or not, I hope you can see how this will never prove anything to me because it’s pure hyperbole.
I stopped digging after this. You may have made a strong point later, but this is what you led with and it was rubbish.
patrick2 says
Democrats seem to be using the hack at the moment to shift the blame for their loss to something other than themselves. Whether the hack was by Russians or not, the stuff it revealed was not as bad as what was revealed about Trump, yet the Democrats lost anyway. They really have nobody but themselves to blame for that.
Mano Singham says
Sam Biddle has taken a close look at the publicly available evidence of Russian involvement in the DNC and DCCC hacks.
Hj Hornbeck says
Dunc @6:
You didn’t Google CrowdStrike, did you?
I think I’d trust a well-established company that specializes in online security over the former UK ambassador to Uzbekistan, at least when it comes to the topic of online security. If I want to know about Uzbekistan, different story.
Also, you seem to have missed something, in the links I quoted above:
The USIC includes the CIA, part of the FBI, the NSA, the Office of Naval Intelligence, and twelve other intelligence-gathering organizations. Are you telling me every one of those is blindly deferring to the CIA? That the heads of each of those organizations, which must have had a final say in issuing that joint statement, are anonymous? Because I think you just made LtGen Vincent R. Stewart feel sad and ignored.
Dunc says
I didn’t need to Google CrowdStrike, I’ve been aware of them for some time. They have a remarkable ability to almost instantly attribute cyber attacks to whichever nation state the US intelligence community happens to be most interested in at the time. I’ve read some of their papers, and the evidence and arguments they make public are not hugely convincing.
On the other hand Craig Murray claims to have spoken personally to the leaker in this case. It’s not a question of what he knows about online security, because he’s not relying on IT forensics for attribution.
It is, of course, possible that both sides are right. Russian hackers and internal leaks are not necessarily mutually exclusive.
sssss sssssss says
So having just watched Trump win the election using blatant lie after blatant lie left-wingers get a story dropped in their laps which could be used to attack and delegitimize his entire presidency and what do they do with it? Waste their time fretting over whether or not the allegations are true.
God I hate my side sometimes.
Hj Hornbeck says
lanir @7:
An “investigation on another investigation?” That was a news report of an investigation, by someone technically savvy. The best evidence is in that original investigation from Crow-
Whoops, my mistake. I forgot that multiple private security companies have done investigations into this. In addition to CrowdStrike, we have SecureWorks. They’ve been in the biz since 1999, were purchased by Dell in 2011, claim to have “~4,300 clients in 58 countries,” and raised $112 million in a recent IPO. I don’t see much controversy around them, unlike CrowdStrike.
I didn’t know your CnC had to be in your country of origin by law. Taking over a virtual server used to host someone’s shitty web app sounds like a great way to anonymize your origin. And, wouldn’t you know it, that IP belongs to the “number 3 internet hosting company in the world” (“250 000 servers” and “18M web applications hosted” make for a wonderful place to hide).
It’s shut down as I type this, sorta. No response to pings and none of the usual internet ports are open, though it looks like there’s some activity on the higher ports. That’s probably remote VM maintenance stuff.
SecureWorks’ report is rubbish? Looks pretty good to me; one of the Russian hackers got careless and used a public Bitly URL redirection account; once SecureWorks had one of the URLs in their hand, they could track down the account and read what it had done.
Those URLs were sent to Hillary for America and the DNC. SecureWorks say they can link the group behind this to some attacks on the White House, the German parliament, and Angela Merkel’s political party. Hmm, doesn’t Putin have a thing about Merkel?
Marcus Ranum says
Hj Hornbeck@#10:
I think I’d trust a well-established company that specializes in online security over the former UK ambassador to Uzbekistan
I wouldn’t. US infosec companies are notorious for letting their marketing departments publish irresponsibly sloppy attributions in order to get media attention. What should matter is what evidence is presented and how the evidence leads to a solid attribution matching events, effect, tools, method, and intent to show benefit.
Not specifically at Hj Hornbeck:
There are so many things about this whole story that are distressingly badly reported. Everyone is doing a terrible job -- including The Intercept, I’m sad to say. For example, Sam Biddle drops this nugget of silliness:
As someone who has worked incident responses for major breaches (including 2 that I am fairly sure everyone on this blog would recognize) that’s exactly the opposite of the truth: the incident responders, whether CrowdStrike or an independent consultant, are trying to figure out events, effects, tools, method, and benefit for an attack — it’s hard to make useful recommendations on how to prevent future attacks unless you figure out those factors. What is not typical is for a consultant to go public about the details of a client’s breach without their permission (I would never dream of even asking!) so my suspicion is that critical information is not being presented and we’re only getting a partial picture at best. At best.
The Russian-ness of “Guccifer” is a farce -- it’s as farcical as the North Korean-ness of the Sony hackers. If I were trying to fuzz attribution for an attack, I’d have a couple of friends I know help me out, friends who are fluent in Heian Period court Japanese. But that’s because I’m a surrealist with a sense of humor. You need to realize that some of these attributions are so poor that they are basically “the computer that created this document had the Korean keyboard setup enabled.” Well, if you want to do that, just click on Control Panel->Region and Language and have fun: it’ll take you at most a minute. As far as Guccifer being Russian: these things are so silly they hurt. How long do you think it would take any of us to find a language-speaking native and set up a chat stream between them and a reporter, and another window to the person feeding them what to say? I could get you an interview with a North Korean-sounding “hacker” in a day, no problem. Russian-sounding would be even easier. And as far as laundering IP addresses, shit, there’s a whole industry around selling proxy server access and a black market for VPN credentials -- you want a Romanian IP address? You can have one for under $50 in a couple hours. (Take a look at http://gatherproxy.com/proxylist/country/?c=Romania; that’s a public-facing example. If you want a nailed IP address you’d have to go on the darkweb and spend a fraction of a bitcoin.)
With regard:
The U.S. Intelligence Community (USIC) is confident
Most of the USIC couldn’t find its ass in a paper bag if it had a flashlight and a map. But even if they did, they would report based on political considerations, not technical ones. In case it eluded anyone’s attention, the FBI and the CIA are playing politics and both were playing politics in the last election. The NSA was also, BTW. “How so!?” you ask, “the NSA didn’t say anything!!!” you say. Exactly. The USIC is separate fiefdoms that do not cooperate unless it’s in their bureaucratic interest to do so, and when one (e.g.: FBI) starts playing politics, the others which compete with that one may play politics back. Remember Watergate? What took down Nixon was a pissing match between CIA and FBI. This is nothing new.
Craig Murray maintains that the DNC emails were provided to Wikileaks by a DNC insider, and that he knows this because he has spoken with the leaker personally.
I would find an insider leaker vastly more likely than an outside leaker. But I would expect the political reaction to be completely mis-directed because the idea of an insider being disloyal to the machinery: unthinkable. Therefore, it must be Russians.
The Russians managed to send the whole US intelligence apparatus into a feeding frenzy on its own muscles back in the Cold War: an agent provocateur convinced James Jesus Angleton (head of CI for CIA) that there was a mole. There was no mole; it was just a way of making Angleton go into paranoid spasms of purging people. Very clever. If there’s a Russian plot going on, it could be simply that the Russians have decided to give the Dems and Repubs and CIA and FBI a good chance to distrust each other a little bit more, while laughing at the Keystone Kops routine that ensues. If you want a plausible scenario, that’s one. After all, the Russians have done that before. Possibly several times.
SecureWorks’ report is rubbish? Looks pretty good to me; one of the Russian hackers got careless and used a public Bitly URL redirection account
If the “Russian” hackers are so good, they would not make such a mistake “accidentally”. Or they’re not so good. So, we have a contradiction: they are fantastic hackers, but they have such bad tradecraft that they make basic mistakes that attribute them as Russian.
The SecureWorks report is not rubbish but it’s rubbish-y -- what they are saying is that certain people were using the same types of attacks and therefore it’s the same people. That doesn’t fly at all. Lots of hackers use bit.ly to shorten and mask URLs. Like, pretty much all of them. Lots of hackers use phishing. Like, pretty much all of them. The only way I’d be willing to attribute specific spearphish attacks to a particular attack group is if the message-IDs mapped to a server log record that had the same originating address, and the messages were the same and fingerprints on the MUA matched and -- even then I’d be skeptical (because it’s really easy to resend someone’s phish!) I know hackers who have done spearphishing campaigns by stealing someone else’s spearphish and just re-launching it at different targets.
Key point from The Intercept article:
much of the evidence has been drawn from publicly available data like the hacked emails and documents.
…. which is why I call bullshit on the whole stinking story. You can’t do anything remotely resembling a good enough attribution based on stuff like message-IDs and server IPs in email headers. At the very least you need corroborating log data from intermediate servers (and intermediate servers are really suspicious)
The sort of things they say, i.e.: “An IP address associated with threat group fuzzy wuzzy”
is complete shit, too. The last time I did forensics on an intermediate hacker system, there were signs of at least 3 and maybe as many as 5 different hacker groups using it. A lot of the time what happens when an intermediate box gets rooted is credentials to the box are sold on the darkweb. So you may have one guy running spearphish from there and another group selling and staging credit cards, and another group using it as a command/control server for a botnet. Sure, sometimes you have an intermediate machine that’s solely owned and operated, but unless you’ve got the forensics from the intermediate machine nobody knows anything.
Let me finish (I could go on all night but it’d be boring) by dissecting a sample fewmet from The Intercept article, to illustrate how sloppily people are thinking about this stuff:
OH IT MUST BE A RUSSIAN BECAUSE HE USED A CYRILLIC CHARACTER SET ON HIS FAKE NAME.
See how stupid this is? The hacker fakes his name and the journalist goes “ooh, how clever” but then assumes that the character set still means something.
It’s all fake.
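A small triage script, added here to illustrate the point made in the comment above about header-only attribution; it is not code from the page or from any company named in it. The phishing message, the relay log lines, the host names and the IP addresses are all constructed (RFC 5737 documentation ranges), and the "shared host" check is an assumed heuristic, not anyone's published method.

```python
"""Spearphish attribution triage: what do the public headers alone prove?

Extracts the evidence visible in the message itself (Received chain,
Message-ID, link shortener), then checks whether the intermediate relay's
own log corroborates it and whether that relay is a box other parties
also send through. Sample data is constructed for this illustration.
"""
import re
from email import message_from_string

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")

# Constructed sample message: documentation addresses, fictitious hosts.
SAMPLE_MAIL = """\
Received: from relay.example-host.test (relay.example-host.test [203.0.113.45])
\tby mx.victim-party.test with ESMTP id abc123; Tue, 22 Mar 2016 10:12:01 +0000
Received: from [198.51.100.7] by relay.example-host.test with ESMTPSA id xyz789;
\tTue, 22 Mar 2016 10:11:58 +0000
Message-ID: <20160322101158.12345@relay.example-host.test>
From: "Account Security" <no-reply@security-alert.test>
To: staffer@victim-party.test
Subject: Someone has your password
X-Mailer: MailerX/1.0

Please reset your password at http://bit.ly/XXXX
"""

# Constructed log lines from the intermediate relay: the corroboration that
# header-only attribution lacks. Two unrelated senders use the same box.
RELAY_LOG = [
    "2016-03-22T10:11:58Z relay mta: id=xyz789 relay=[198.51.100.7] "
    "msgid=<20160322101158.12345@relay.example-host.test>",
    "2016-03-22T08:15:30Z relay mta: id=qqq111 relay=[192.0.2.200] "
    "msgid=<20160322081530.777@relay.example-host.test>",
    "2016-03-21T23:02:11Z relay mta: id=ppp222 relay=[192.0.2.77] "
    "msgid=<20160321230211.9@relay.example-host.test>",
]


def received_ips(raw):
    """IPs from the Received chain, outermost (nearest the victim) first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def header_only_evidence(raw):
    """Everything the message itself offers; every field is attacker-controlled."""
    msg = message_from_string(raw)
    ips = received_ips(raw)
    return {
        "origin_ip": ips[-1] if ips else None,   # innermost hop, as *claimed*
        "message_id": msg.get("Message-ID"),
        "mailer": msg.get("X-Mailer"),
        "uses_shortener": any(s in msg.get_payload() for s in SHORTENERS),
    }


def corroborated(evidence, log_lines):
    """True only if the relay log ties this Message-ID to the same origin IP."""
    return any(evidence["message_id"] in line and f"[{evidence['origin_ip']}]" in line
               for line in log_lines)


def other_tenants(evidence, log_lines):
    """Other source IPs sending through the same relay: a sign the box is shared."""
    found = re.findall(r"relay=\[([^\]]+)\]", "\n".join(log_lines))
    return {ip for ip in found if ip != evidence["origin_ip"]}


def assess(raw, log_lines):
    """Tier the attribution: 'header-only' until a relay log backs the headers."""
    ev = header_only_evidence(raw)
    tenants = other_tenants(ev, log_lines)
    tier = "corroborated" if corroborated(ev, log_lines) else "header-only"
    return {"tier": tier, "shared_host": bool(tenants),
            "other_tenants": sorted(tenants), **ev}
```

With the relay log present the sample is corroborated but flagged as coming through a shared host; without that log the same message never gets past "header-only".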
Marcus Ranum says
I didn’t know your CnC had to be in your country of origin by law. Taking over a virtual server used to host someone’s shitty web app sounds like a great way to anonymize your origin.
There are services that facilitate exactly that, though most hackers will take over a computer and use it as an intermediate or buy one on the darkweb. Usually just take one over.
Let me tell you how hard it is: you grab a copy of Nessus and Metasploit and decide what country you want to appear to be in. Did you say Croatia? Ok, an ISP in Croatia is Metronet AS so you look up the address ranges they sell hmmmm…. http://whoisip.ovh/212.92.219.28 looks good! Then you Nessus scan all of 212.92.219 and see if you find a vulnerable system. If you do, you use the vuln identified by Nessus to use an exploit from Metasploit and drop your favorite remote control code on it, perhaps Zeus. Congratulations, you’re now a Croatian hacker. Don’t forget to change your character set in your keyboard mappings and use a name like -- whups bummer “anarchists in croatia” came up dry on google. But you get the idea. jebi sustav!
Hj Hornbeck says
Marcus Ranum @14:
Well yeah, the two have radically different cultures. The FBI is pretty anti-Clinton, as evidenced by Comey and the folly of their New York office, while the CIA is theoretically non-partisan but would probably favor someone who reads their security briefs and keeps getting called a “hawk.” If the two agencies agree on something, it’s probably not a political power-play but something legit.
Hmmm, but that relies on an anonymous source. At least we have another way to dismiss these charges: if this really was playing politics with the US election, then we shouldn’t be able to find another instance where the Kremlin tried to influence a foreign election. It’s ridiculous to claim Russia tried to interfere with a foreign power, when they have no track record of doing so.
They also tried to fiddle with the Brexit vote and funded Le Pen’s far-Right party in France, too, but I’m on a link budget.
Anyway, there’s one last signal we can rely on: the right-wing Noise Machine would never defect from Herr Trump’s party line, unless the evidence was pretty damn strong.
*throws a sheaf of papers into the air in disgust*