In Which I Catch Putin in a Cold Lie


Putin may be great at the dictating and the judo, but for a former KGB officer, his tradecraft is not very good.

Speaking to Megyn Kelly, he allegedly said:

A kid of yours can send it, your girl that is 3-year-old can perpetrate such an attack, they present it like this, they can pass it off like this, and the specialists can invent anything and then they will blame someone else.[beast]

Putin’s wrong. A 3-year-old couldn’t do it. It would take at least a 12-year-old.

Or maybe a precocious 11-year-old with the right tools.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

When the famed journalist, making her debut for NBC News, told Putin during a forum event in St. Petersburg that all evidence “points to Russia,” the Kremlin leader replied with a deflective denial.

I hate the way the unoriginal media loves to portray hackers as wearing hoodies and masks and stuff. Word: you can’t type with that crap on.

I loathe the way the media covers computer security problems; it makes me suspect that their coverage of every other professional field is just as bad. Kelly was accepting the assertions of the US Government Joint Analysis Report (JAR) which basically said, “trust us, it’s Russians” and reflecting those assertions at Putin in the form of “all evidence.”  As I’ve written elsewhere [stderr] the standard for attribution that computer security experts expect is much higher than what the US Government has provided. I can’t even accept the ‘cui bono?’ argument because there were obviously US beneficiaries of the 2016 election hacking, more than there were Russian beneficiaries. Method? Motive? Techniques? Kelly was just regurgitating the output of the US’ relentless propaganda campaign about Russian hacking. I’d be quite willing to believe it was the Russian government, by the way, if the US Government was presenting evidence that was remotely as good as the Shadow Brokers and Wikileaks have been presenting about the CIA and NSA’s efforts to hack the entire planet.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me make a prediction: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy. When you look at the security that American politicians and their aides were using during the 2016 election, I would say that any of my friends who work as professional penetration testers could have taught a 12-year-old how to do it. The hard part wouldn’t be teaching them how to do it, the hard part would be getting them to stop once they had acquired a taste for it.

Hey, a 13-year-old hacker!! He grew up using an ASR-33 terminal, like I did. He did better than I did, though, by a large margin.

My opinion is that Russians probably were involved; I am comfortable assuming that. I get less and less comfortable the more specific we want to get, without evidence. Once you’ve seen a little bit about how covert operations happen, you begin to realize that there are many programs that take on a life of their own, and which are not approved at the highest level.  And that’s without even getting into the deeper gray-zone of contractors, semi-contractors, and ideological fellow-travellers.  Imagine a scenario where Trump says “I wish the Russians would dump Hillary’s emails” and Putin hears about it in a meeting and chuckles, “Heh. Would be funny.” Someone at the meeting hears that and tells someone, who tells someone else, and a friend of a friend drops a wad of data to Wikileaks. It’s not even as overt as “will someone rid me of these troublesome emails?” It’s the crystallization of an emergent conspiracy that happens when an idea meets an opportunity and encounters a capability and something happens that nobody planned or expected.

Meanwhile, when the CIA’s malware vault gets broken open: blame the Russians. Then, when CIA malware gets weaponized into damaging attacks worldwide: blame the Russians. If my car won’t start this afternoon: blame the Russians.

Putin is wrong. Hacking is not within the grasp of most 3-year-olds. Being President of the US is another matter.

------ divider ------

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

I wrote: “My opinion is that Russians probably were involved; I am comfortable assuming that.”  And I chose my words very carefully. Not “The Russians.” Not “A Russian.” Not “The Russian Government.” What if the perpetrator is the Russian equivalent of Harold Martin III?

If I may go off into the weeds a bit: one of the topics that comes up a lot in skepticism is Bayesian analysis.  When I was studying stats as an undergrad, we didn’t do much with Bayes’ theorem (except in the broader context of conditional probability) so I tend to ignore the math and approach it more like a software developer: it’s “garbage in, garbage out.” When setting up a Bayesian argument, we pick and choose the data that are going to give us the conclusion we expect; it’s just motivated reasoning with some fancy math. Let’s consider a Bayesian “proof” that the Russians hacked the 2016 election: factor in the number of pieces of evidence (method, motive, tools, IP addresses) that point toward Russia and the number of pieces of evidence that point toward the US intelligence community being behind it. Now, we’re into the stuff of conspiracies! But, we can factor out things like “uses phishing attacks: US, Chinese, Russia, UK – check”  “uses remote access trojans: US, Chinese, Russia, UK – check” “has an interest in US elections – check” etc. – evidence that is equally likely under every hypothesis moves nothing, so it drops out of the calculation. I am not making the argument that the CIA hacked the US election but I think that by setting up my ‘priors’ subconsciously, and by choosing which evidence gets admitted, I could ‘prove’ that there was a vanishingly small probability that Russia did it compared to the NSA. Cherry-picking one’s data is a great way to guarantee the correct outputs: Ray Kurzweil’s ‘singularity’ argument could be re-framed as a bunch of Bayesian priors – would it be any more convincing with a bit of math stirred into that festering puddle of bullshit? It would be amusing to set it up, but, eh, why bother? I already know what it would show. [stderr]
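Since it would be amusing to set it up, here it is set up. This is an added illustration, not something from the original post: a Bayesian update in log-odds form over two hypotheses (H1: a Russian state actor; H2: anybody else), with the likelihoods for each piece of evidence constructed purely for illustration rather than measured from any real case. It shows the two mechanisms the paragraph describes: evidence that everybody shares (phishing, RATs, an interest in US elections) has a likelihood ratio of 1 and contributes nothing, and the same evidence set yields whatever posterior you like once you choose the prior and drop the items that point the wrong way.

```python
import math

# Two competing hypotheses for who did it:
#   H1: a Russian state actor
#   H2: someone else (insider, freelancer, another intelligence service)
# Each item of evidence E carries (P(E|H1), P(E|H2)); only their ratio moves
# the conclusion. Every number here is constructed for illustration, not
# measured from the DNC case or any other.
EVIDENCE = {
    "phishing used":                       (0.90, 0.90),  # everyone phishes: LR = 1
    "remote access trojan used":           (0.90, 0.85),  # nearly everyone: LR ~ 1
    "interest in US elections":            (0.95, 0.95),  # motive shared by many: LR = 1
    "IP addresses associated with Russia": (0.60, 0.30),  # weak, and trivial to fake
    "commodity tooling, no zero-days":     (0.40, 0.70),  # cuts the other way
    "no published forensic timeline":      (0.50, 0.50),  # tells us nothing
}


def likelihood_ratio(name, evidence=EVIDENCE):
    """P(E|H1) / P(E|H2): >1 favours H1, <1 favours H2, exactly 1 is noise."""
    p_h1, p_h2 = evidence[name]
    return p_h1 / p_h2


def posterior(prior, items, evidence=EVIDENCE):
    """Bayes' theorem in log-odds form: start from P(H1), fold in each LR."""
    log_odds = math.log(prior / (1.0 - prior))
    for name in items:
        log_odds += math.log(likelihood_ratio(name, evidence))
    return 1.0 / (1.0 + math.exp(-log_odds))


def cherry_pick(prior, favour_h1=True, evidence=EVIDENCE):
    """Motivated reasoning as an algorithm: keep only the evidence that
    points the way you want, silently drop the rest, report the posterior."""
    keep = [
        name for name in evidence
        if likelihood_ratio(name, evidence) != 1.0
        and (likelihood_ratio(name, evidence) > 1.0) == favour_h1
    ]
    return keep, posterior(prior, keep, evidence)


if __name__ == "__main__":
    everything = list(EVIDENCE)
    shared_only = ["phishing used", "interest in US elections"]
    print("all evidence, prior 0.5 :", round(posterior(0.5, everything), 3))   # 0.548
    print("shared-capability items :", posterior(0.5, shared_only))           # 0.5, unchanged
    print("all evidence, prior 0.9 :", round(posterior(0.9, everything), 3))   # 0.916
    for side in (True, False):
        kept, p = cherry_pick(0.5, favour_h1=side)
        print("cherry-picked for", "H1" if side else "H2", kept, round(p, 3))
```

The honest version of the exercise is the first line of output: with everything admitted and an even prior, the constructed evidence barely moves the needle. The other lines are the dishonest versions, and they are produced by the same function.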

Re: Putin’s tradecraft – he shouldn’t be talking about IP addresses and 3-year-olds to the American media! He’s giving away FSB classified information regarding sources and methods.

Comments

  1. jrkrideau says

    In Which I Catch Putin in a Cold Lie
    Putin 1, Trump 1.0^1000
    :)

    Trump says “I wish the Russians would dump Hillary’s emails” and Putin hears about it in a meeting and chuckles, “Heh. Would be funny.” Someone at the meeting hears that and tells someone, who tells someone else, and a friend of a friend drops a wad of data to Wikileaks.

    I still am betting on the teenager in his parents’ basement in Cleveland but the Henry II—Thomas à Becket argument is a reasonable one if one assumes some Russians were involved.

    It certainly removes most of my objections since one does not have to postulate some fantasy where Putin and cabinet decide to a) interfere in a US presidential election where they are unlikely to achieve anything but which if discovered is going to seriously piss off the Americans and boost their paranoia even higher and b) invest in a buffoon with no chance of winning the nomination let alone the election (All commentators and pundits about a year before the nomination convention).

    And it lets me keep my pet theory that all the “Russian” contacts, the firing of Comey and so on are Trump & Co. desperately trying to hide things like money-laundering.

  2. brucegee1962 says

    My guess is that Putin and company took a long, hard look at the American electoral system in 2016, and said, “If we want to weaken our adversary, we just need to weaken the president. And hey look! There’s all this apparatus of the media and the opposition that’s poised to do most of our work for us. Let’s just do everything we can to smear dirt on both candidates — that way, whoever wins, they’ll be hobbled out of the gate.”

    I guess he can’t really go on TV and take credit for everything that’s happened, but I’ll bet he wishes he could. It’s pretty hard not to conclude that, whatever his plan is, it’s working like a charm.

  3. says

    jrkrideau@#1:
    I still am betting on the teenager in his parents’ basement in Cleveland

    It’s most likely to be an information security professional gone rogue. There’s been a fair bit of that sort of thing already, if you want to consider prior probabilities. The stereotypical hacker living in the parents’ basement hasn’t really been a good stereotype for a while: most of them have stock options, high frequent flier miles, and pretty nice apartments.

    Putin and cabinet decide

    Yes, that’s a problem. That’d be very hard to keep secret for more than a decade. Especially since, if it was an official program, it worked beyond anyone’s wildest imaginings. Imagine how that would play out in the US – we’d have guccifer2.0 on “dancing with the stars” etc. I’d buy that the Russians have a greater culture of secrecy than Americans, but that’s just too big an event to keep secret for very long. (Which is another reason I am highly suspicious of the US intelligence community’s utter lack of presentable evidence regarding the alleged events)

  4. says

    brucegee1962:
    I suspect it’d be less a matter of planning and more a matter of “wow, look at that!” Do you remember the scene from Bananas where the CIA sent agents in on both sides of the conflict? That’s plausible here. In the US, it’d look like the CIA backing one side of an election and the FBI another. Oh. Wait. That looks scarily familiar, doesn’t it?

  5. jrkrideau says

    Do you remember the scene from Bananas where the CIA sent agents in on both sides of the conflict?
    Never even heard of the film Bananas, I’m not a great film-goer but it sounds like the CIA and US Army in Syria/Iraq. I am pretty sure I have heard of their respective protégés shooting at each other.

    But still, we all know the CIA and FBI are blood brothers.

    Just like Cain and Abel?

  6. says

    jrkrideau@#5:
    I am pretty sure I have heard of their respective protégés shooting at each other.

    In Tim Weiner’s Legacy of Ashes there is an account of CIA executing air strikes on its own assets in Malaysia. They’re definitely propping up both Turkey and YPG and other “rebels” as well. Back when both Libya and Syria happened, I was commenting in Ed Brayton’s place that the whole “rebellion” looked like it was straight out of the CIA’s playbook. I still think that (and in the case of Libya at least it appears I was at least partly right). One thing I can say with certainty is that working for those guys means there’s a good chance you’ll either get hung out to dry or you’ll become the next “democratically elected dictator”. Echh.

    we all know the CIA and FBI are blood brothers.
    Just like Cain and Abel

    The word “hate” is too mild for their relationship. You need a Gollum-voice “SPIEEESSSSSSSS WE HATES THEM FOREVERRRRR!!!” of course they’re both spies. It’s professional jealousy more than anything else.

    If you haven’t read Riebling’s Wedge (approved reading list!) it’s horrifying how those agencies have directed their mutual suspicion toward defeating each other, in spite of it reducing their overall competence. It’s really depressing.

  7. Dunc says

    How’s this for a Bayesian argument: malware of this general type is now so prevalent that a decent security audit of any organisation of any reasonable size has a better than evens chance of turning up something, therefore the presence of malware in and of itself doesn’t really tell you much.

    I also note the nobody has yet made any attempt whatsoever to provide even the haziest of evidence linking the malware to the actual exfiltration of the emails – it’s just assumed that the two are linked – and that all of the people in any position to actually know where the material came from insist that it was an internal leak. Now, sure, I wouldn’t trust most of them to tell me the right time, but an internal leak is entirely plausible, and as I’ve just noted, the presence of malware alone isn’t enough to constitute strong evidence, in my view.

    The main difference between the DNC and any other organisation you care to pick at random out of the phone book is that they called in external experts to conduct a thorough audit. I’ll bet you fifty bucks that if you applied the same degree of scrutiny elsewhere, you can find “evidence” that “the Russians” are hacking the election of the dogcatcher in Bumfuck, Alabama. He’s got “sophisticated malware” on his PC too!

  8. says

    Dunc@#7:
    How’s this for a Bayesian argument: malware of this general type is now so prevalent that a decent security audit of any organisation of any reasonable size has a better than evens chance of turning up something, therefore the presence of malware in and of itself doesn’t really tell you much.

    That seems reasonable to me.

    I also note the nobody has yet made any attempt whatsoever to provide even the haziest of evidence linking the malware to the actual exfiltration of the emails – it’s just assumed that the two are linked – and that all of the people in any position to actually know where the material came from insist that it was an internal leak.

    You have several points embedded in that. You’re correct that nobody has published a detailed forensic analysis. That’s a huge problem since it could easily be the case that the DNC or RNC were owned for a very long time before the incident. That happens a lot with phishing malware compared to targeted exploits of vulnerabilities, because phishing attacks tend to be inherently asynchronous whereas targeted exploits are more often synchronous. If the DNC had competent systems administrators and adequate logging, it would be possible to tell what had happened, but they either don’t or didn’t care to publish the analysis. For one thing, a competent forensic examination might determine, as you say, that it was an insider. There are a lot of things I’d look at/for in that situation, including password sharing – do you want to bet that there was a pretty large chain of people who could access those accounts’ mailboxes? I’d bet there are over a dozen and there’s a next to nonexistent audit trail. I.e: the system was run by Tweedledee for Tweedledumb.

    I’ll bet you fifty bucks that if you applied the same degree of scrutiny elsewhere, you can find “evidence” that “the Russians” are hacking the election of the dogcatcher in Bumfuck, Alabama. He’s got “sophisticated malware” on his PC too!

    It all depends on your criteria for accepting it was Russians as opposed to anyone else.

    By the way, I’ve seen some Really Crazy Fucked-Up Policy Crap in the last few years, in which organizations decide that “compromise” means “there is evidence that customer data left the network” not “a system was discovered that had a remote access trojan horse on it.” Presto! Way fewer “compromises” that way. But of course anyone who understands transitive trust knows that if you have a remote access trojan on any machine from which transactions are being posted, you have been compromised unless you have audit data that shows you haven’t. It’s a mess.

    The reason I keep railing about this issue is because a very high level of sloppiness is becoming normalized as accepted behavior – and it’s not and it never has been.
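The transitive-trust point in comment 8 is concrete enough to put into code, so here is an added example (mine, not the commenter’s, and not based on any real incident data) that applies the two competing definitions of “compromise” to one constructed environment: a handful of hosts, a trust graph in which an edge a -> b means a credential or session on a can reach b, one workstation where a remote access trojan was found, and no evidence of exfiltration because nobody looked. The “data left the network” policy reports zero compromises; the transitive-trust policy reports that the host posting transactions is in doubt, and only an audit trail proving the attacker never crossed a given hop can cut that taint off.

```python
from collections import deque

# Constructed environment (not real data): where a RAT was found, which hosts
# post transactions, and the trust graph. An edge a -> b means that a credential
# or session living on host a can be used to reach host b.
RAT_FOUND = {"ws-alice"}
POSTS_TRANSACTIONS = {"app-ledger"}
TRUSTS = {
    "ws-alice":   ["jump-1"],
    "ws-bob":     ["jump-1"],
    "jump-1":     ["app-ledger"],
    "app-ledger": ["db-ledger"],
    "db-ledger":  [],
}


def tainted_hosts(rat_hosts, trusts=TRUSTS, audited_clean=frozenset()):
    """Every host reachable from a RAT-infected host over the trust graph is
    suspect, unless audit data for a host proves the attacker never used it;
    such a host is neither tainted itself nor a path to anything beyond it."""
    seen = {h for h in rat_hosts if h not in audited_clean}
    queue = deque(seen)
    while queue:
        host = queue.popleft()
        for nxt in trusts.get(host, []):
            if nxt in audited_clean or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def compromises_exfil_policy(rat_hosts, exfil_evidence):
    """The weak definition: a RAT is not a 'compromise' until someone has
    produced evidence that customer data left the network."""
    return set(rat_hosts) if exfil_evidence else set()


def compromises_trust_policy(rat_hosts, trusts=TRUSTS, audited_clean=frozenset(),
                             posts=POSTS_TRANSACTIONS):
    """The transitive-trust definition: returns (all tainted hosts, the
    subset that posts transactions and whose transactions are now in doubt)."""
    tainted = tainted_hosts(rat_hosts, trusts, audited_clean)
    return tainted, tainted & posts


if __name__ == "__main__":
    no_exfil_evidence = set()   # nobody busted a gut looking
    print("exfil policy says compromised:",
          compromises_exfil_policy(RAT_FOUND, no_exfil_evidence))
    tainted, in_doubt = compromises_trust_policy(RAT_FOUND)
    print("trust policy says tainted   :", sorted(tainted))
    print("transactions in doubt       :", sorted(in_doubt))
    # Only a real audit trail changes the answer: if jump-1's logs prove the
    # attacker never authenticated through it, the taint stops at ws-alice.
    tainted, in_doubt = compromises_trust_policy(RAT_FOUND,
                                                 audited_clean=frozenset({"jump-1"}))
    print("with jump-1 audited clean   :", sorted(tainted), sorted(in_doubt))
```

Note what the second policy asks for: not a belief that the RAT did nothing, but a log that shows it. Absent that log, the ledger transactions posted while ws-alice was infected are unverified, which is exactly the sloppiness the comment above objects to seeing normalized.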

  9. Dunc says

    By the way, I’ve seen some Really Crazy Fucked-Up Policy Crap in the last few years, in which organizations decide that “compromise” means “there is evidence that customer data left the network” not “a system was discovered that had a remote access trojan horse on it.”

    Uh huh. I’ll bet they didn’t exactly bust a gut looking for evidence that customer data had left the network either…

  10. says

    Dunc@#9:
    I’ll bet they didn’t exactly bust a gut looking for evidence that customer data had left the network either…

    One cautionary tale is Alcatel – they were so severely owned that they were hemorrhaging product plans and business documents for nearly a decade and didn’t notice it until about 8 years in. What did they do? They called it a single breach.