Putin may be great at the dictating and the judo, but for a former KGB officer, his tradecraft is not very good.
Speaking to Megyn Kelly, he allegedly said:
A kid of yours can send it, your girl that is 3-year-old can perpetrate such an attack, they present it like this, they can pass it off like this, and the specialists can invent anything and then they will blame someone else. [beast]
Putin’s wrong. A 3-year-old couldn’t do it. It would take at least a 12-year-old.
Or maybe a precocious 11-year-old with the right tools.
Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.
When the famed journalist, making her debut for NBC News, told Putin during a forum event in St. Petersburg that all evidence “points to Russia,” the Kremlin leader replied with a deflective denial.
I loathe the way the media covers computer security problems; it makes me suspect that their coverage of every other professional field is just as bad. Kelly was accepting the assertions of the US Government Joint Analysis Report (JAR) which basically said, “trust us, it’s Russians” and reflecting those assertions at Putin in the form of “all evidence.” As I’ve written elsewhere [stderr] the standard for attribution that computer security experts expect is much higher than what the US Government has provided. I can’t even accept the ‘cui bono?’ argument because there were obviously US beneficiaries of the 2016 election hacking, more than there were Russian beneficiaries. Method? Motive? Techniques? Kelly was just regurgitating the output of the US’ relentless propaganda campaign about Russian hacking. I’d be quite willing to believe it was the Russian government, by the way, if the US Government was presenting evidence that was remotely as good as the Shadow Brokers and Wikileaks have been presenting about the CIA and NSA’s efforts to hack the entire planet.
The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy. When you look at the security that American politicians and their aides were using during the 2016 election, I would say that any of my friends who work as professional penetration testers could have taught a 12-year-old how to do it. The hard part wouldn’t be teaching them how to do it, the hard part would be getting them to stop once they had acquired a taste for it.
My opinion is that Russians probably were involved; I am comfortable assuming that. I get less and less comfortable the more specific we want to get, without evidence. Once you’ve seen a little bit about how covert operations happen, you begin to realize that there are many programs that take on a life of their own, and which are not approved at the highest level. And that’s without even getting into the deeper gray-zone of contractors, semi-contractors, and ideological fellow-travellers. Imagine a scenario where Trump says “I wish the Russians would dump Hillary’s emails” and Putin hears about it in a meeting and chuckles, “Heh. Would be funny.” Someone at the meeting hears that and tells someone, who tells someone else, and a friend of a friend drops a wad of data to Wikileaks. It’s not even as overt as “will someone rid me of these troublesome emails?” It’s the crystallization of an emergent conspiracy that happens when an idea meets an opportunity and encounters a capability and something happens that nobody planned or expected.
Meanwhile, when the CIA’s malware vault gets broken open: blame the Russians. Then, when CIA malware gets weaponized into damaging attacks worldwide: blame the Russians. If my car won’t start this afternoon: blame the Russians.
Putin is wrong. Hacking is not within the grasp of most 3-year-olds. Being President of the US is another matter.
By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.
I wrote: “My opinion is that Russians probably were involved; I am comfortable assuming that.” And I chose my words very carefully. Not “The Russians.” Not “A Russian.” Not “The Russian Government.” What if the perpetrator is the Russian equivalent of Harold Martin III?
If I may go off into the weeds a bit: one of the topics that comes up a lot in skepticism is Bayesian analysis. When I was studying stats as an undergrad, we didn’t do much with Bayes’ Theorem (except in the broader context of conditional probability) so I tend to ignore the math and approach it more like a software developer: it’s “garbage in, garbage out.” When setting up a Bayesian argument, we pick and choose the data that are going to give us the conclusion we expect; it’s just motivated reasoning with some fancy math. Let’s consider a Bayesian “proof” that the Russians hacked the 2016 election: factor in the number of pieces of evidence (method, motive, tools, IP addresses) that point toward Russia and the number of pieces of evidence that point toward the US intelligence community being behind it. Now, we’re into the stuff of conspiracies! But, we can factor out things like “uses phishing attacks: US, Chinese, Russia, UK – check” “uses remote access trojans: US, Chinese, Russia, UK – check” “has an interest in US elections – check” etc. I am not making the argument that the CIA hacked the US election but I think that by setting up my ‘priors’ subconsciously I could ‘prove’ that there was a vanishingly small probability that Russia did it compared to the NSA. Cherry-picking one’s data is a great way to guarantee the correct outputs: Ray Kurzweil’s ‘singularity’ argument could be re-framed as a bunch of Bayesian priors – would it be any more convincing with a bit of math stirred into that festering puddle of bullshit? It would be amusing to set it up, but, eh, why bother? I already know what it would show. [stderr]
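The “garbage in, garbage out” point above, worked through as an added example (not the author’s code); every likelihood and prior below is a constructed, illustrative number. Indicators shared by all candidate actors carry a likelihood ratio of 1 and drop out, so the result follows whichever prior the analyst started with.

```python
from math import prod

ACTORS = ("RU", "US", "CN", "UK")

# Constructed P(observation | actor). Illustrative numbers only, not measurements.
EVIDENCE = {
    "uses phishing":                 dict.fromkeys(ACTORS, 0.9),
    "uses remote access trojans":    dict.fromkeys(ACTORS, 0.8),
    "has interest in US elections":  dict.fromkeys(ACTORS, 0.9),
    "traffic from Russian IP space": {"RU": 0.6, "US": 0.4, "CN": 0.4, "UK": 0.4},
}

def bayes_factor(item, a, b):
    """Likelihood ratio of one observation for actor a versus actor b."""
    return EVIDENCE[item][a] / EVIDENCE[item][b]

def discriminating(items=EVIDENCE):
    """Observations whose likelihood differs between at least two actors."""
    return [k for k, v in items.items() if len(set(v.values())) > 1]

def posterior(prior, items):
    """Normalised P(actor | items), treating the items as independent."""
    raw = {a: prior[a] * prod(EVIDENCE[i][a] for i in items) for a in ACTORS}
    total = sum(raw.values())
    return {a: raw[a] / total for a in ACTORS}

def top(dist):
    """Actor with the highest probability in a distribution."""
    return max(dist, key=dist.get)

# Two analysts, same evidence, different starting assumptions (both constructed).
PRIOR_A = {"RU": 0.7, "US": 0.1, "CN": 0.1, "UK": 0.1}
PRIOR_B = {"RU": 0.1, "US": 0.7, "CN": 0.1, "UK": 0.1}

if __name__ == "__main__":
    print("discriminating evidence:", discriminating())
    for name, prior in (("A", PRIOR_A), ("B", PRIOR_B)):
        post = posterior(prior, EVIDENCE)
        print(name, top(post), {a: round(p, 3) for a, p in post.items()})
```

Three of the four observations never move the estimate, and the one that does is too weak to overturn either analyst’s starting position.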
Re: Putin’s tradecraft – he shouldn’t be talking about IP addresses and 3-year-olds to the American media! He’s giving away FSB classified information regarding sources and methods.