Hoisted from Comments: Can We Even Know Who Hacked the DNC Emails?

By Lambert Strether of Corrente.

It is with relief that we turn from last week’s Democrat narrative — that Trump is a fascist — to this week’s narrative[1]: That the DNC email hack is proof that Trump is a Russian agent of influence.[2] Here’s Clinton’s campaign manager, Robby Mook, making the accusation:

Hillary Clinton’s campaign manager is alleging that Russian hackers are leaking Democratic National Committee emails critical of Bernie Sanders in an effort to help Donald Trump win the election in November.

It comes on the heels of “changes to the Republican platform to make it more pro-Russian,” Robby Mook told CNN’s Jake Tapper on “State of the Union” Sunday.

“I don’t think it’s coincidental that these emails were released on the eve of our convention here, and I think that’s disturbing,” he said.

Mook’s “Russians under the bed” gaslighting is useful on a number of fronts: Ginning up war fever for an October surprise; setting up a later McCarthy-ite purge of Trump supporters, Clinton skeptics, or even those prematurely anti-Trump; and if we’re truly blessed, a real shooting war; some damned thing in the Baltic or the Black Sea, or wherever the Kagan clan points to on the map in the war room. And it’s always useful to be able to convert one’s opponents to enemies by accusing them of treason, especially in an election year.

However, in this short post I want to focus on a much narrower question: Can we ever know who hacked the DNC email? Because if we can’t, then clearly we can’t know the Russians did. And so I want to hoist this by alert reader JacobiteInTraining from comments:

Yup, as a former server admin it is patently absurd to attribute a hack to anyone in particular until a substantial amount of forensic work has been done. (read, poring over multiple internal log files…gathering yet more log files of yet more internal devices, poring over them, then – once the request hops out of your org – requesting logfiles from remote entities, poring over *those* log files, requesting further log files from yet more upstream entities, wash rinse repeat ad infinitum)

For example, at its simplest, I would expect a middling-competency hacker to find an open wifi hub across town to connect to, then VPN to a server in, say, Tonga, then VPN from there to another box in Sweden, then connect to a PC previously compromised in Iowa, then VPN to yet another anonymous cloud server in Latvia, and (assuming the mountain dew is running low, gotta get cracking) then RDP to the target server and grab as many docs as possible. RAR those up and encrypt them, FTP them to a compromised media server in South Korea, email them from there to someone’s gmail account previously hacked, xfer them to a P2P file sharing app, and then finally access them later from a completely different set of servers.

In many cases where I did this sort of analysis I still ended up with a complete dead end: some sysadmins at remote companies or orgs would be sympathetic and give me actual related log files. Others would be sympathetic but would not give files, and instead do their own analysis to give me tips. Many never responded, and most IPs ended up at unknown (compromised) personal PCs, or devices where the owner could not be found anyway.

If the hacker was sloppy and left other types of circumstantial evidence you might get lucky – but that demographic mostly points back to script kiddies and/or criminal dweebs – i.e., rather than just surreptitiously exfiltrating the goods they instead left messages or altered things that seemed to indicate their own backgrounds or prejudices, or left a message that was more easily ‘traced’. If, of course, you took that evidence at face value and it was not itself an attempt at obfuscation.

Short of a state actor such as an NSA who captures it ALL anyway, and/or can access any log files at any public or private network at its own whim – it’s completely silly to attribute a hack to anyone at this point.

So, I guess I am reduced to LOL OMG WTF its fer the LULZ!!!!!


Just to clarify on the “…If the hacker was sloppy and left other types of circumstantial evidence…” – this is basically what I have seen reported as ‘evidence’ pointing to Russia: the Cyrillic keyboard signature, the ‘appeared to cease work on Russian holidays’ stuff, and the association with ‘known Russian hacking groups’.

That’s great and all, but in past work I am sure my own ‘research’ could easily have gotten me ‘associated’ with known hacking groups. Presumably various ‘sophisticated’ methods and tools get you closer to possible suspects…but that kind of stuff is cycled and recycled throughout the community worldwide – as soon as anything like that is known and published, any reasonably competent hacker (or org of hackers) is learning how to do the same thing and incorporating such things into their own methods. (imitation being the sincerest form of flattery)

I guess I have a lot more respect for the kinds of people I expect to be getting a paycheck from foreign Intelligence agencies than to believe that they would leave such obvious clues behind ‘accidentally’. But if we are going to be starting wars over this stuff w/Russia, or China, I guess I would hope the adults in the room don’t go all apesh*t and start chanting COMMIES, THE RUSSIANS ARE COMING!, etc. before the ink is dry on the ‘crime’.

The whole episode reminds me of the Sony hack, for which Obama also blamed a demonized foreign power. Interestingly — to beg the question here — the blaming was also based on a foreign character set in the data (though Hangul, not Korean). Look! A clue!

JacobiteInTraining’s methodology also reminds me of NC’s coverage of Grexit. Symbol manipulators — like those in the Democrat-leaning creative class — often believe that real economy systems are as easy to manipulate as symbol systems are. In Greece, for example, it really was a difficult technical challenge for Greece to reintroduce the drachma, especially given the time-frame, as contributor Clive remorselessly showed. Similarly, it’s really not credible to hire a consultant and get a hacking report with a turnaround time of less than a week, even leaving aside the idea that the DNC just might have hired a consultant that would give them the result they wanted (because who among us, etc.) What JacobiteInTraining shows us is that computer forensics is laborious, takes time, and is very unlikely to yield results suitable for framing in the narratives proffered by the political class. Of course, that does confirm all my priors!

Readers, thoughts?

Update Addition by Yves:

Another reader, Hacker, observed (emphasis original):

There is a problem with those who argue that these are sophisticated Nation State attackers and then point to the most basic circumstantial evidence to support their case. I’d bet that, among others, the Israelis have hacked some Russian servers to launch attacks from and have some of their workers on a Russian holiday schedule. Those things have been written about in attack analysis so much over the last 15-20 years that they’d be stupid not to.

Now, I’m not saying the Israelis did it. I’m saying that the evidence provided so far by those arguing it is Russia is so flaky as to prove that the Russia accusers are blinded or corrupted by their own political agenda.

Update [Yves, courtesy Richard Smith] 7:45 AM. Another Medium piece, “Can Facts Slow The DNC Breach Runaway Train?”, by Jeffrey Carr, who has been fact-checking this story and comes away Not Happy. For instance:

Thomas Rid wrote:

One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.

This paragraph sounds quite damning if you take it at face value, but if you invest a little time into checking the source material, its carefully constructed narrative falls apart.

Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”

Mind you, he has two additional problems with that claim alone. This piece is a must read if you want to dig further into this topic.


[1] More than a talking point but, really, less than a narrative. It’s like we need a new word for these bite-sized, meme-ready, disposable, “throw ’em against the wall and see if they stick” stories; mini-narrative, or narrativelette, perhaps. “All the crunch of a real narrative, but none of the nutrition!”

[2] This post is not about today’s Trump moral panic, where the political class is frothing and stamping about The Donald’s humorous (or ballbusting, take your pick) statement that he “hoped” the Russians had hacked the 30,000 emails that Clinton supposedly deleted from the email server she privatized in her public capacity as Secretary of State before handing the whole flaming and steaming mess over to investigators. First, who cares? Those emails are all about yoga lessons and Chelsea’s wedding. Right? Second, Clinton didn’t secure the server for three months. What did she expect? Third, Trump’s suggestion is just dumb; the NSA has to have that data, so why not just ask them? Finally, to be fair, Trump shouldn’t have uttered the word “Russia.” He should have said “Liechtenstein,” or “Tonga,” because it’s hard to believe that there’s a country too small to hack as fat a target as Clinton presented; Trump was being inflammatory. Points off. Bad show.



  1. Pavel

    For those interested, the excellent interviewer Scott Horton just spoke with Jeffrey Carr, an IT security expert about all this. It’s about 30 mins:

    Jeffrey Carr, a cyber intelligence expert and CEO of Taia Global, Inc., discusses his fact-checking of Josh Marshall’s TalkingPointsMemo article that claims a close alliance between Trump and Putin; and why the individuals blaming Russia for the DNC email hack are more motivated by politics than solid evidence.

    –The Scott Horton Show: 7/25/16 Jeffrey Carr

    Carr makes the point that even supposed clues about Russian involvement (“the default language is Cyrillic!”) are meaningless as all these could be spoofed by another party.

    Separately it just shows again Team Clinton’s (and DNC’s) political deviousness and expertise how they –with the full support of the MSM of course –have managed to deflect the discussion to Trump and Russia from how the DNC subverted US democracy.

    1. pretzelattack

      and again, we see the cavalier attitude about national security from the clinton camp, aggravating the already tense relationship with russia over this bullshit, all to avoid some political disadvantage. clinton doesn’t care if russia gets the nuclear launch codes seemingly, but impact her chances to win the race and it’s all guns firing.

    2. dk

      “… all these could be spoofed by another party.”

      Well yeah, and I could be a bot, how do you know I’m not?

      Absent any other evidence to work with, I can accept it as credible that a clumsy Russian or Baltic user posted viewed and saved docs instead of the originals; par for the course in public and private bureaucracies the world over. It would have been useful to see the original Properties metadata; instead we get crapped up copies. That only tells me the poster is something of a lightweight, and it at least somewhat suggests that these docs passed through multiple hands.

      But that doesn’t mean A) the original penetration occurred under state control (or even in Russia proper), much less B) that Putin Himself ordered the hack attempts, which is the searing retinal afterimage that the media name-dropping and photo-illustrating conflation produces.

      Unspoofed, the Cyrillic fingerprints still do not closely constrain conclusion to A, and even less to B.

      1. Clive

        Yes, I made the same point below in terms of the intrusion (“hack”) on the DNC itself too. The running away with a conclusion based on easily-created evidence says a lot about the people saying it.

        1. Whine Country

          “The running away with a conclusion based on easily-created evidence says a lot about the people saying it.” Clive, I don’t think that this can be emphasized enough. These are the people representing to be competent to run our country. I made the point yesterday: Trump voters are mostly stupid; this kind of argument will attract those stupid people to Hillary; let’s run with it. God help us.

          1. Direction

            Absolutely agree. Breed the stupid, use the stupid. how long can an idiocratic system last. I need to emigrate.

            1. Ivy

              “If the electorate doesn’t meet your standards, lower them.”
              sage advice from (DNC, RNC, MSM, anyone) elders…

              How can you tell when an MSM journalist is lying to you? When the crawl moves.

              1. John Wright

                Anyone remember the late comedian Pat Paulsen who “ran” for president in 1968,1972,1980, 1988, 1992 and 1996?


                A campaign slogan of his I remember (and it is at the wikipedia link) was

                “I’ve upped my standards. Now, up yours.”

                He lived locally and had a winery. i remember going to a local grocery store for a signing event and he signed two bottles of wine.

                While he was a joke candidate, now we’ve evolved to two major party cruel joke candidates, without the good humor of Paulsen.

    3. notabanker

      1. Who cares if the Russians did it?
      2. Why were they able to?
      3. Are the releases real? Are these actual emails from the DNC? Appears so given their response.
      4. Trump once again bungled a prime opportunity. I’m pretty concerned that if a political strategy cannot be summed up in 140 characters, it’s beyond his ability to cope.

      It’s getting harder and harder to place limits on the catastrophe that either of these “choices” will be.

      1. Yves Smith

        One guy on Twitter, even with 10 million followers, can’t overcome the Mighty Wurlitzer of the media all blasting the “Lookie, over there! Baddie Rooskies!” tout ensemble to divert attention from the content of the DNC e-mails. And the Dems were hitting that theme regularly in the convention speeches, which meant the MSM could replay it that way too.

        1. Procopius

          The thing that most bothers me is that this is supportive of the Kagans and Hillary’s push to foment a shooting war with Russia. The so-called metadata that they point to is all something that could very easily be created by an amateur who was actually given access to the DNC’s server(s). The “investigator” who issued the conclusion has no record of integrity.

          1. PlutoniumKun

            Yes, the logical endgame of a ‘Trump is a Russian stooge’ strategy is that the stronger Trump is in the polls, the greater the incentive to stage an October Surprise with Russia. Something tells me that this lot would quite happily risk a nuclear war if it gave them a better chance of winning an election.

      2. fajensen

        Re: 4. Trump did, in fact, manage to goad “team Hillary” into claiming that all those yoga-lesson-mails were really “a national security issue” ;)

  2. Clive

    The comment I wanted to make was around the “Cyrillic keyboard”. This is interesting because it has all the characteristics of:

    a) an investigation into an intrusion incident being undertaken by someone who is pretty skilled and knows a reasonable amount about how to start their analysis and what to look for, where to look for it and so on

    b) the investigator or investigators finding something interesting — in this case the “Cyrillic keyboard”

    c) non-technical people being told of the investigator’s findings but not getting the technicalities of it or some PR type saying “yeah, but can you tell me what this means in simple terms” and ending up missing an important subtlety and then telling equally ignorant reporters the mis-information who repeat it verbatim

    d) the story or stories, as published, then being wrong in a way that the media outlets telling the stories don’t realise makes them embarrassingly inept to people who really understand the technical side of things

    … all of which does indeed show a smoking gun, but not the same smoking gun as is being reported. What is shown is that, in addition to a technical investigation being made by reasonably competent people, a PR team has also been brought in to design the messaging, disseminate the message to the public and create the “right” optics for the story. Such PR / media management teams are fully-paid up members of the Credentialed Class. As such, they want to be seen to earn their money and prove they should get more of it from their elite benefactors in the future. This has an almost inevitable consequence that they will seize on what was probably a suggestive-but-not-conclusive piece of evidence from an investigating team and embellish it with a conclusion which isn’t proven or even supported by the actual evidence.

    Saddam Hussein’s “weapons of mass destruction” (which, of course, didn’t exist) is perhaps the best-known example of this phenomenon.

    To try to set the record straight, what I think was discovered in the DNC email hack was a file or files (or code in a malicious payload) — the specifics depend on the hack itself and what attack vector it used — which had a Cyrillic code page set.

    This goes back to the mechanics of how you actually write a hack / virus / malicious web page / whatever. You have to, at its most basic, write the code. You don’t do this using a word processor. You do it using a text editor (albeit often a very fancy one in an Integrated Development Environment — a special piece of software to help you write code). But regardless, the code itself is in “plain text”.

    But “plain text” isn’t actually that plain. Non-Latin languages use different code pages for 8-bit plain text (I’ll have to skim over the lower level complexity here for the sake of brevity). But this means that a subtle footprint can get left behind on certain types of files which may be used as the payload for an intrusion into a computer system or even end up being compiled into code which is delivered into the target system.

    When you set up a new computer, one of the things a setup routine gets the user to answer is the location of the PC and the input language. This, amongst many other things, sets the code pages used for backwards compatibility in text files which don’t support Unicode. It is so easy to forget this has ever been set by a hacker who then merrily goes on to write their hack completely oblivious to the fact they’ve given — if they are not very careful — the location of their home country away. Or, at least, their native language. If I get chance I’ll send a screen shot of a typical application and how a user might be completely unaware of how they are disclosing their location / language (if I can hook up to an anonymous hosting service) which might make it a bit clearer for readers.

    (and this can so easily catch out the unwary; I recall one horrid incident I gave Yves when, in trying to submit an article for her to run on Naked Capitalism, I tried to make life easier by submitting it in “plain text” so that WordPress wouldn’t find it so difficult to handle the formatting. Big mistake! I didn’t realise until much grief had been caused that because I’d set my PC up with a Japanese locale, my supposedly nice, simple “plain text” files I was sending had Japanese encoding. WordPress, expecting US English encoding, was completely befuddled and Yves had to try to manually correct dozens of spurious / misplaced characters).

    This is not, though, a “keyboard”. It does affect the “keyboard” setup. But no reasonably sophisticated technical person would ever describe this as a “keyboard”. Hence my conclusion that, following an explanation which I’ve just given readers above (and I’ll happily concede it is a rather tortuous subject to get one’s head around if you’re not an IT expert), some fairly inept media manager ran away with the idea this was something to do with a Russian PC being used, because of the “Cyrillic keyboard”.

    So it was the pesky Russians then ?

    Erm, no, not necessarily. As I’ve described above, it is a trivial task to “spoof” a PC into looking like it was being used by a Russian, Korean, Chinese, whatever, based person or group. You either do it during the PC setup process or else you can with a few clicks change the default locale on any PC or other operating system. Hey-presto. You can now produce what looks like “Russian” (or any other language) flavoured text and cunningly have these tell-tale code pages appear in your malicious code or similar.

    But as the comment in the above article makes clear, this is really dumb and not at all the sort of thing a sophisticated state-backed actor would end up doing. It is however precisely the sort of thing that a sophisticated state-backed actor would do if they wanted to make it *appear* as if the Russians were responsible.
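Added illustration (not part of the original post or of any commenter's text): the code-page behaviour Clive describes, shown in Python. The sample strings, the helper names and the choice of three Windows code pages are constructed for this example; it shows that 8-bit "plain text" bytes carry no label of their own, so the same bytes are valid under several code pages, and that the code page is simply whatever the writer's system was set to.

```python
"""Legacy 8-bit "plain text" does not say which code page wrote it."""
import unicodedata

# Windows code pages to test against; this selection is an assumption.
CODE_PAGES = ("cp1252", "cp1251", "cp932")  # Western, Cyrillic, Japanese


def save_as(text: str, code_page: str) -> bytes:
    """What an editor does on Save when the system default is code_page."""
    return text.encode(code_page)


def render_under(raw: bytes, code_pages=CODE_PAGES) -> dict:
    """Decode the same bytes under each code page.

    None means the bytes are not valid in that code page at all, which
    lets an analyst rule it out.
    """
    out = {}
    for cp in code_pages:
        try:
            out[cp] = raw.decode(cp)  # strict: undefined bytes raise
        except UnicodeDecodeError:
            out[cp] = None
    return out


def scripts_used(text: str) -> set:
    """Scripts of the non-ASCII letters, read from Unicode character names."""
    found = set()
    for ch in text:
        if ord(ch) > 0x7F and ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def footprint_report(raw: bytes) -> dict:
    """For every code page the bytes are valid in: rendering and scripts."""
    return {
        cp: (text, scripts_used(text))
        for cp, text in render_under(raw).items()
        if text is not None
    }


if __name__ == "__main__":
    # Constructed samples: one word saved under a Cyrillic default and
    # one saved under a Japanese default.
    samples = {
        "saved with cp1251": save_as("Привет", "cp1251"),
        "saved with cp932": save_as("日本語", "cp932"),
    }
    for label, raw in samples.items():
        print(label, raw.hex())
        for cp, (text, scripts) in footprint_report(raw).items():
            # More than one line per sample means the bytes alone do not
            # identify the code page; a reader expecting cp1252 just sees
            # different (wrong) characters, as in the WordPress incident.
            print(f"  valid as {cp}: {text!r} scripts={sorted(scripts)}")
```

The Cyrillic sample is also a perfectly valid Western European byte string, so what an examiner reads as a "Cyrillic" artifact is the code page recorded or assumed alongside the bytes, which `save_as` sets with one argument.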

    1. dk

      It makes me cry to see clicking on “Properties” equated with “pretty skilled”.

      Also, the docs were last saved through an older version of MSWord, one that the DNC is almost certainly not running in-house (because of licensing and Microsoft Office Update, although it can probably be found on the odd State or County level Party desktop).

      In other words, the Cyrillic attribute indicates that the posted docs are not originals. The DNC could have disavowed the docs as partially or completely fabricated, on that basis alone.

      1. sinbad66

        The DNC could have disavowed the docs as partially or completely fabricated, on that basis alone.

        Which is telling.

        The DNC never disavowed the e-mails. They just simply said “See, it’s those damn Russians up to their old tricks again”. It’s like watching an episode of “Maury” when someone gets caught cheating, then try to 1) blame someone/something else for the cheating 2) then apologize for said cheating (ONLY because they got caught) and say “c’mon, baby, let’s move on from this”…

        1. dk

          Ha, great minds, my friend… this is what I edited out of that post:

          And in the larger context, it’s like my neighbor peering across their driveway seeing me in bed with somebody else’s spouse, and when they tell the not-my-spouse’s spouse about it I respond with “You’re not supposed to be looking in my window!” and calling the cops to arrest my neighbor for snooping (without a FISA permit, egads).

          It’s a deflection. It discredits my neighbor’s story to the not-my-spouse’s spouse.

          And snooping is wrong! Not supposed to do it! Somebody mention this to the NSA as well! Although, granted, so far the NSA seem to be a lot better at keeping everybody’s secrets (assuming they can even sort meaning out of their data, which I question).

          In other words, it’s okay when the NSA does it, because they don’t tell what they know, the way those awful awful Russians do.


          1. Ralph Reed

            the NSA seem to be a lot better at keeping everybody’s secrets (assuming they can even sort meaning out of their data, which I question).

            Between 1984 and 1987 I was stationed at Offutt AFB as a satellite operator. Because my off base roommate worked for Electronic Security Command(ESC) as a cryptologic linguist flying around in unpressurized planes with earphones on, my military social circle consisted largely of airmen(all men) who worked for NSA and some of them would go to Ft. Meade on TDY. They were an elite, heterogeneous, cosmopolitan bunch who shared a common belief that their jobs weren’t directly evil because it was impossible to find the man hours to analyze it: “last night the best thing I picked up in Nicaragua was an abuela giving tips for mole.”

            I wonder if it would be overly technodeterminist to argue one of the primary reasons for displacement of journalists and other human knowledge interpreters by machines and algorithms was the NSA’s secret need to make sense of their massive telemetry and data as the Cold War ended and the Information Age and Comparative Advantage became ossified neoclassical economic theory and practice.

        2. JTMcPhee

          Aren’t these whiners (Weiners? See, selfie dicks on display) the same set of people who tell us the Security State is just fine, because, “if you’re not doing anything wrong, you have nothing to hide, and no reason to be afraid!”?

        3. Code Name D

          The Russians are trying to rig the elections by exposing how we tried to rig the elections! THIS MEANS WAR!

          1. Bev

            Not “tried”…
            Check out the *updated* version of #DemocracyLost, our comprehensive report on election fraud in the 2016 primaries: http://bit.ly/EJUSA_Democracy_Lost

            Democracy Lost: A Report on the Fatally Flawed 2016 Democratic Primaries

            Dear Lambert, thank you for the suggestion which I passed along to Election Justice USA, https://twitter.com/Elect_Justice . A question though, does the HTML format prevent altering text like a PDF does?

            2:00PM Water Cooler 7/27/2016
            Posted on July 27, 2016 by Lambert Strether


            “Democracy Lost: A Report on the Fatally Flawed 2016 Democratic Primaries” (PDF) [Election Justice USA]. Not to seem ungrateful, but if this were not in a no-longer proprietary data format (PDF), but in HTML, I wouldn’t need a special reader for it, I would be able to quote from it easily, and I could link into it.

            1. Lambert Strether Post author

              > “does the HTML format prevent altering text like a PDF does?”

              On your site itself, the text cannot be altered, of course. It’s true that somebody could copy and paste, then alter the text on some other side (although a really determined adversary could do the same with PDF anyhow).

              However, that’s tradeoff for making the material accessible on the web, exactly so people can quote from it and link to it. That quoting and linking guarantees the authenticity of the text far more than walling it off in PDF, IMNSHO. Somewhere in your network, I’m sure you have a site designer. Consider talking to them…

      2. owhat did we do to deserve this?

        Combining two comments as I worry about our country, our democracy: Where have we gone wrong?
        “It makes me cry” as “It’s getting harder and harder to place limits on the catastrophe that either of these “choices” will be.”

    2. JacobiteInTraining

      Absolutely accurate. I fell into the simplification trap myself with my own ‘Cyrillic keyboard’ reference in comment, but your explanation is perfect.

      Admittedly I am getting a little older (and don’t do much work anymore with International OSes) but my own first introduction to a variant of this issue was with older IIS web server ISAPI extensions and other widgets where using something as prosaic as notepad.exe (which you normally don’t expect to do anything nefarious) causing prod web servers at a large corporation to all go ‘boom’ and fall over, dead.

      Turns out that when you modified a previously-working plain-text extension config file originally in (as I recall) ANSI, updated it, then accidentally saved it as UNICODE things like quotation marks et al become…different…even, threatening… ;)

      Long since patched of course. Perhaps I need to patch myself too – perhaps with some fine Scotch!

      1. philnc

        Used wordpad for that, eh. Could have been worse. I’ve seen HR guys in the UK running a localized version of Office copy and paste “text” from an Excel sheet originally composed in a Scandinavian locale completely wreck the rendering of their data. For awhile I tried getting people to use Sublime or Notepad++ set to UTF-8 for that sort of exercise, but the ubiquity of text mangling tools out there is overwhelming.

        The childish, credulous, transparently Machiavellian propagandizing by the DNC here, especially the deflection in place of serious scientific analysis, is beyond contemptible: it’s staggering. But it works because over a quarter century after PCs started showing up on desks the vast majority of the public still don’t know as much about how these machines work as most of those living in the 1930’s grokked about their automobiles (which were in far shorter supply). The world is becoming more complex by the minute, and unless folks start to knuckle down and start learning how it really works they’re going to be doomed to be mere passengers on a runaway train.

        1. dk


          And, it’s not that hard. But I think people’s mental bandwidths are overloaded with:
          a) work (not pay, just work),
          b) “entertainment”,
          c) media deluge (info+fiction=media!),
          d) magical thinking / myths (only geeks can understand it!),
          e) ever smaller devices with little tiny screens!!!

        2. JacobiteInTraining

          Well, that sort of thing makes life interesting eh? Clive’s horror story of Japanese locale mucking up an article submission made me cringe in sympathy.

          GEDIT OR BUST!!!

          or wait – did gedit go ahead and withdraw, thus endorsing Hillary? In which case I guess it’s back to the typewriter… :p

              1. hunkerdown

                The only trouble with vim is that every other visual editor is modeless. How many times have I punched “5dd:wq⏎” into the middle of a code block in any other IDE out of sheer habit.

                That said, I have no reason to believe other than that vim author Bram Moolenaar’s Ugandan charity is on the up and up.

                1. inode_buddha

                  It’s been a LONG time since I saw that screen :) truth be told I only use vi and clones when configuring a fresh install, for the day-to-day stuff it’s nano

        3. shargash

          This is a good point. They are shamelessly preying on naive people’s lack of understanding of computers. They are also shamelessly preying on naive people’s trust in experts, which has serious downstream effects when these “experts” are debunked.

          1. Ivy

            One moral of the story/stories for us computer age fossils is that WYSIWYG is now really WYSINWYG.

    3. fritter

      Even if there was a way to determine exactly when and where the malicious code was made, wouldn’t there be a good chance it could have been used by someone else? I would imagine everyone in that “industry” would find bits of the others’ work and incorporate it into their own. What better way to throw people off the trail than to incorporate pieces from different groups for just that purpose. Especially if you know a forensic examination would be looking for those clues. Also how about a “script kiddie” or non-sophisticated actor getting ahold of it and using it like any other tool.

    4. DJG

      Clive: Also, there are varieties of Cyrillic, depending on the language. Bulgarian has a few more characters, as does Ukrainian. So would “Russian” even be identifiable from the settings? Maybe it all went through Montenegro and we are seeing ghosts of Montenegrin.

      To extend the question: If the computer has as its setting the Roman alphabet, I’m assuming that language isn’t identified, because language on a computer is a separate setting (for the user) from alphabet. So are we in a situation where someone is seeing a Roman letter and then announces that the document was originally in Hungarian?

      1. hunkerdown

        So would “Russian” even be identifiable from the settings

        A pirate copy of Windows or Office cracked by a Russian group some years ago just might.

        If the computer has as its setting the Roman alphabet, I’m assuming that language isn’t identified, because language on a computer is a separate setting (for the user) from alphabet

        Yes and no. Language setting implies character encoding. You’re not going to have much luck viewing Arabic text under ISO-8859-1, for example (never mind right-to-left-reading support). See ISO-8859’s numerous alternative 8-bit character sets for national alphabets for examples.
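The point that a language setting implies a character encoding, shown as an added example that is not part of the comment thread: the same bytes are decoded under several legacy code pages. The sample strings are constructed and the helper names are hypothetical.

```python
"""Added example: one byte string read under several legacy code pages.

All sample strings are constructed for illustration; helper names are
hypothetical and come from no tool mentioned in the thread.
"""
import unicodedata
from collections import Counter

# Interpretations a viewer or forensic tool might try, in this order.
CANDIDATES = ("utf_8", "latin_1", "cp1251", "koi8_r", "iso8859_5")

# Constructed sample: a Russian word saved with the Windows "ANSI" Cyrillic page.
RUSSIAN_BYTES = "Привет".encode("cp1251")   # b'\xcf\xf0\xe8\xe2\xe5\xf2'
# Constructed sample: an Arabic word, used for the ISO-8859-1 case.
ARABIC_SAMPLE = "مرحبا"


def decode_under(data, encodings=CANDIDATES):
    """Decode the same bytes under each encoding; None where decoding fails."""
    results = {}
    for enc in encodings:
        try:
            results[enc] = data.decode(enc)
        except UnicodeDecodeError:
            results[enc] = None
    return results


def script_profile(text):
    """Count letters per Unicode script (first word of the character name)."""
    counts = Counter()
    for ch in text:
        if ch.isalpha():
            counts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
    return dict(counts)


def can_encode(text, encoding):
    """True if every character of `text` exists in the given code page."""
    try:
        text.encode(encoding)
        return True
    except UnicodeEncodeError:
        return False


def consistent_readings(data, script, encodings=CANDIDATES):
    """Encodings under which every decoded letter belongs to `script`."""
    hits = []
    for enc, text in decode_under(data, encodings).items():
        if text is None:
            continue
        profile = script_profile(text)
        if profile and set(profile) == {script}:
            hits.append(enc)
    return hits


if __name__ == "__main__":
    for enc, text in decode_under(RUSSIAN_BYTES).items():
        shown = "<not valid in this encoding>" if text is None else text
        print(f"{enc:10} {shown}")
    print("all-Cyrillic readings:", consistent_readings(RUSSIAN_BYTES, "CYRILLIC"))
    print("Arabic fits ISO-8859-1:", can_encode(ARABIC_SAMPLE, "latin_1"))
    garbled = ARABIC_SAMPLE.encode("iso8859_6").decode("latin_1")
    print("Arabic bytes viewed as ISO-8859-1:", garbled, script_profile(garbled))
```

Three different code pages give an all-Cyrillic reading of the same six bytes, so the bytes alone record neither which encoding was used nor anything about who typed them.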

      1. Clive

        Thanks Lambert !

        (yep, Clive’s cut-out-and-keep guide to pretending you’re a nefarious Russian sneakypants trying to besmirch the good name of the DNC. Or Trump. Or whoever:

        1) Set up your PC as being located in Russia and having a language of Russian (Cyrillic).
        2) Open notepad (in windows, similar for other O/S’es)
        3) Create your incriminating text (e.g. “I think Bernie is really stinky and we really should make sure Hillary wins because she is a woman and so on, all those other really good reasons… signed Debbie Wasserman Schultz”).
        4) Click “Save”
        5) Change the encoding to something not Unicode-ey e.g. ANSI
        6) Get out your Rolodex and hit the phones of your favourite friendly media outlets

        yeah, the height of sophistication…)

    5. Direction

      Clive, I’m interested in what you think about the apt28 and apt29 intrusions on the DNC servers.

      Hacker’s link to the Ars Technica article below is the most detailed explanation I have seen relating these intruders to previous attacks, and Yves’ link to the Carr article is handy for readers because he includes a chart to cross reference the various names that each of the known Russian intruders.

      For your convenience, here is the link I am referring to:


      1. Clive

        The main problem I have with it is that it’s long on suggestions but short on hard evidence. And some of the suggestions simply don’t stand up to analysis. Take for example:

        Much of the metadata associated with the documents points to a Russian (or at least Russian-speaking) actor being behind them.

        Now, this sounds really bad for Russia but only if you don’t know what the words mean. “Metadata” is my pet hate word at the moment because it lends itself so ably to such abuse of it as performed in the Ars Technica piece. The word metadata is essentially meaningless when lacking a context yet it conveys a nuance of something exact, technical and even infallible. But if you look at my guide above to how such “metadata” is creatable you can judge for yourself how reliable the possession of such “evidence” is and what it signifies or doesn’t signify.

        Any article which so happily plays fast and loose with what is established and verifiable vs. what is interesting but as-yet unproven conjecture needs to be treated with caution I think.

        1. Direction

          You are referring to their statement on guccifer2.0 being a disinformation play and I couldn’t agree more, the Cyrillic is easily planted, but I don’t really care about that guy. The Clinton campaign could have invented him themselves for all I care, only they are not that clever.

          Ars technica agrees with you as well: “Of course, it’s still possible that the Russian fingerprints were left intentionally by someone who has no connection to Russia, or by a Russian-speaking person with no connection to the Russian government, or any number of other scenarios. The abundance of plausible competing theories underscores just how hard it is to accurately attribute attacks online and how perilous it is to reach summary conclusions.”

          Let us say that guccifer really did hack the DNC, that he really is Romanian and that he really hates Russia so he wants to help Hillary. I don’t care.

          I asked about apt28,29 because I am more interested in the initial breach, which even Jeffrey Carr indicates was Russian. This malware dating back to 2004, Fancy Bear, and 2011, Cozy Bear, has been tracked for years by PhishTank and SecureWorks. The findings of the investigative company CrowdStrike having been backed up by a forensic company, Fidelis. Fancy Bear was even used way back when to target Russian dissidents.

          “Cozy Bear implant is a combination of remote access backdoor, keylogger, screenshot capturer, and password stealer. It can also be used to remote-install other malware on the victim’s Windows computer. If Cozy Bear captures the right credentials, it can connect to other systems and spread laterally through a network.”

          This is not just about metadata or one person’s claims. I’m not saying it is the Russian government, perhaps these high dollar malware systems are available to the highest bidder on the dark market. apt28 and apt29 are complex sets of malware that were developed in Russia, that seems to be something the technical people agree upon but also admit that they could now be used by non governmental sources, and possibly by non-Russian sources. Do you feel apt28 and apt29 are not linked to Russia at all? If so, why?

          I am not asking as a form of criticism, I am genuinely interested in your opinion. When the French TV station was attacked by the supposed “cybercaliphate” they eventually assigned that breach to apt28 as well but referred to it at the time as a “group of Russian hackers” perhaps that was just a journalist’s simplification or mistake because Yves’ link to Jeffrey Carr claims that these threat groups don’t reflect a group of people, but groups of shared indicators. I heard it described as malware not as a group of people. But looking further into the history of Sofacy does make it seem to reference a group of hackers, and they, apt28, have traceable code implant signatures and monitor the success of their activity to work around discovery.

          This is why I’m asking what you think about apt28, I don’t think these forensic companies are only dealing with metadata. For example:


          This link describes the code being tracked. And the group’s real time responses to being blocked. It’s not just metadata that’s being tracked, it is specific chunks of code, please read and let me know what you think. I was going to cut and paste the 8th paragraph down to illustrate an interesting point but the site won’t allow me to copy it.

          1. Clive

            Yes, that (the Secure List piece) is an excellent technical description of a hack and a good explanation of who might be behind it (Sofacy or a splinter group).

            The problem with all such insinuations is that criminal allegations (a claimed hacking of their servers by the DNC) require a criminal standard of evidence (“beyond a reasonable doubt”). The evidence simply isn’t to that threshold (or if it is, it’s not in the public domain) and in any case, even if it is, the case should be made out and a prosecution pursued.

            And I really don’t like the way an opportunity has been given to muddy the waters and open a Pandora’s Box of conspiracy theories. It is all grist to the mill for the DNC who, rather than facing the music of what the emails actually say (and it doesn’t, understating things, put them in a good light), instead can whip up a reds-under-the-bed diversion. A bit like, erm, what we’re doing now, in fact.

            The DNC should put up or shut up. If it has the evidence, it should hand it over to the relevant authorities. Leaking information to the media — especially highly questionable “evidence” like the “Cyrillic keyboard” — is not the way to tackle wrongdoing.

            1. Direction

              Totally agree about the muddy waters. I am trying to help clear the waters by describing the initial hack and delineating it from the guccifer2.0 nonsense. Because I feel they are two separate but possibly related incidents.

              I have read the leaked emails, not all of course, and feel they are damning but my opinion is not shared by everyone. The ruling machinery chooses the victor before the race. It is well funded and makes demands upon people in the media and this leak makes it transparent. Now quickly truth must be shoved under the rug, the Russians are coming!

              Sofacy =apt 28, but you can’t prosecute a group of nameless hackers.

              I hope our discussion and the provided links will help others understand what has happened. If the discussion here only revolves around guccifer2.0’s veracity, then no one will learn about the previous technical hacks. Thank you for writing back to me.

            2. dk

              The Cyrillic setting was not leaked by the DNC, it’s there for all to see in the Guccifer2 dump. They just echoed it. Are you saying that a victim shouldn’t discuss public evidence related to their own victimization?

    6. reslez

      Thanks for explaining this, Clive. I’m fairly technically proficient (programmer by trade, worked in a DOD setting in network security for several years) and I had no idea what the media meant when they talked about the hacker’s “keyboard”. Your explanation makes a lot of sense. I agree this is likely what they mean when they parrot their idiotic talking points.

    7. craazyboy

      So yer say’n real spies might wear a mustache and horn rimmed glasses to deceive us? Yikes. That hardly seems fair.

      It’s nearly as funny our “state actors” would even attempt framing the Ruskies like that. Everyone knows that they drive Aston Martins that do shit you wouldn’t believe, have shoe phone technology, and one should duck if they pull out their cigarette lighter.

  3. ahimsa

    “Symbol manipulators — like those in the Democrat-leaning creative class — often believe that real economy systems are as easy to manipulate as symbol systems are.”

    What a great observation! This speaks to so much of what ails modern western society.

    1. DanB

      “Symbol manipulators” reflects the way lawyers and most policy wonks are trained to believe that the social construction of reality is all that matters.

  4. 4D

    I found this link informative for understanding the actual hack process.


    Thanks JacobiteInTraining for the search tips.

    “One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.”

    Clearly the DNC didn’t.

  5. The Trumpening

    Really the DNC and Hill-bots are looking foolish on this. I have some very well-educated friends going full “red scare” on Facebook. Too easy to troll them by agreeing and exaggerating just a little too much!

    Besides wasn’t Hillary the one against xenophobia? Wasn’t she all about building bridges and not (fire!) walls? Now it seems it’s OK to blame shiit on foreigners! So it becomes a question of WHICH foreigners we should blame. Trump says Saudi Arabia, Mexico, and China while Clinton says Russia. Let the voters decide!

    But while the comparisons to McCarthyism write themselves, another uncanny historic parallel is the run-up to the Iraq War. First we have these damn Hackers of Mass Disruption (HMD) trying to manipulate a US election (by showing the DNC actually did manipulate an election!). Next we will have our intelligence services and perhaps “trusted sources” like Curveball informing us Putin did it. Will Theresa May quickly crank out a dossier and some posh-sounding Brits confirm the HMD allegations? Obama will have to hurry to get the war going in time but Colin Powell will be called out of retirement to present the hacking evidence to the UN. Putin will be given a deadline for surrendering ALL his HMD. UN inspectors will be sent in but not find any traces of HMD. Debka and the New York Times will insist Putin is hiding his HMD in the Moscow metro or perhaps he has sent them all to a third-party nation for safekeeping? The Washington Post will remind us of how the Kurds were brutalized by HMD cracking into the PKK’s main servers. The tension will build to an unbearable crescendo.

    Finally, and regretfully, in October, Operation Data Security will be launched. After a very brief but exceedingly violent confrontation, in the end no HMD will be found in Russia. On the other hand since most of the tens of millions of US soldiers who died were drafted from working class families, the war will be declared a victory anyway since now Trump does not have hardly any angry working class whites left to vote for him!

    1. hemeantwell

      yesterday it was “Trump has finally blown up his campaign.”

      CNBC doesn’t think so, but then bogs down in “he grabbed the headlines with the help of tactically foolish Dems.”

      There’s much more to it than that. If you don’t kneejerk it away, it asks you to consider that the government can’t be relied upon to thoroughly pursue the charges against her. It also builds on what has been, to me, the surprising acceptance that the Wikileaks DNC emails are valid, not fabricated. It then dissolves the honorific constraints indignantly invoked by the Times re “investigating a former secretary of state,” exposing those invocations as rationalizing a coverup. In short, it treats her as a perp for whom we need reliable informants to help bring down, and we need to rely on the Russians/Wikileaks, not the Times, or the Post, or the AG.

      I think we’re looking at a 5-star legitimation crisis accelerator.

    2. HotFlash

      On the other hand since most of the tens of millions of US soldiers who died were drafted from working class families, the war will be declared a victory anyway since now Trump does not have hardly any angry working class whites left to vote for him!

      And bonus! The youth unemployment rate will drop!

  6. notabanker

    Regardless of your political persuasion, do yourself a favor and watch this:
    It’s on Netflix.

    Then afterwards ask yourself “Do I want a PR Campaign Manager explaining the origin of this hack to me?”

  7. ArkansasAngie

    If Russia has Clinton’s emails … I do want them to release them.

    If Chuck Norris has them I want Chuck to release them.

    The very idea that our Government has them (read NSA) and will not release them because they would damage Clinton scares me a whole lot more than the idea that espionage today includes hacking unsecured servers.

    So … please … pretty please … whoever has them … release them.

  8. EndOfTheWorld

    One of the e-mails said the price of a private dinner with Hill is $200,000. Wow. In my case, I wouldn’t give two cents for this. In fact, she would have to pay me at least a few grand, and I would split the scene as soon as possible.

      1. Ivy

        Don’t forget all the leftovers that the Goldman Sachs people took home in doggie bags. One imagines a swag bag with loot including thumb drives loaded with some light reading material.

        Of course, there is that nasty auto-execute file that launches on the unsuspecting hungover Anglo Sachson analyst. Think of Hillary’s information sharing exercises as more opportunities to collect dirt, erm, I mean, input for future “conversations”.

  9. Roger Smith

    Come with me if you will, on a journey…

    1. Donald Trump is a fascist demagogue
    2. Donald Trump is Hitler, Super Hitler, a Devil
    3. Donald Trump is being aided by Russia and loves Putin
    4. Donald Trump is guilty of treason, is a Russian agent
    5. Bill Clinton most likely gave Trump advice and/or encouragement to run in the 2016 race

    Break them glass ceilings….

    1. Roger Smith

      …the same way children’s Karate demonstrations use pre-cut boards.

      I am not saying Trump is a spoiler, I am saying this is all a planned charade, and an unintentional Monty Python routine.

  10. Hacker


    I apologize for not being able to dig into this as much as I’d like. Yesterday, the loggers at my remote doomstead dropped some trees on one of the garden plots and the day job as an Information Security manager hasn’t been much easier.

    There is a decent, but still biased thus not linked, article on ArsTechnica “How DNC, Clinton campaign attacks fit into Russia’s cyber-war strategy” that provides better evidence that the DNC was targeted by the Russians. That alone doesn’t link the Russians to the release and I haven’t had the time to dig deeply into the evidence to fully understand it.

    That article also goes into stated Russian doctrine about intent to use whatever means necessary to, in my words, protect themselves. As it is pretty obvious to me that America is the global bully these days.

    So we’ve got a DNC using whatever underhanded tactics it can draw upon to corrupt democracy. Yet both Hillary at the State and then the DNC for the primaries do practically nothing to protect themselves from state actors who have declared an intention to do the same? That sounds like a foreign policy blindspot that should be a disqualifier.

      1. Direction

        Not really. Carr is putting down a British professor’s sloppy claims that apt28 and apt29 are related to the GRU. But the agencies analysing the breach never pointed to the GRU. CrowdStrike suggests FSB or SVR, and Fidelis agrees on the involvement of apt28 and apt29 but does not attribute a source. Carr is saying the hack is Russian but could be non governmental.

        Carr is putting up Professor Rid as a straw man.

        1. Direction

          I’m not sure where this Jeffrey Carr guy came from but his company previously indicated the Russians were behind the Sony hack. And his argument was based on linguistic comparisons of the errors made in the English statements issued by the fake group claiming the hack. Not based on code at all. Seems like he’s a character that shows up to muddy the waters. Don’t assume he’s an ally just because his arguments support your thesis.

          The most interesting thing I ran into when looking up the Sony hack was that Sony told everyone to shut up about it in December and threatened to sue the media if they persisted with the story. Kinda makes you go hmmmm.

          1. TheCatSaid

            An interesting side note to the Sony / N. Korea “situation” was what was revealed in an Inverted Alchemy blog post that December. When I saw it, I immediately saw a similarity–David E. Martin releasing enough information about a planned “event” by bad actors, to prevent them from going forward with it. (He wrote his 2012 book to prevent a massive nuclear incident involving the Santa Ana nuclear reactor. He put it out initially on amazon as a free e-book so he could track who was downloading it, published it with just days to spare before the planned event. While the already-explosives-planted human-generated “earthquake” occurred on schedule, the plotters could no longer go ahead with the actual nuclear “accident”. (The nuclear “accident” was targeted to provide cover for a massive financial heist, with the precisely-timed event destroying the data records; it could not go ahead because the book’s publishing the scenario let them know their activities were being tracked. Martin has discussed this in radio interviews and in person.)

            Martin’s blog post December 20 2014 had a similar feeling to me. It said enough about what was planned–without even mentioning the name of the country that would be claimed as the aggressor, but giving enough data that anyone could go back to the legislative record and find it–that the “project” could no longer go ahead.

  11. Anonymous

    “the blaming was also based on a foreign character set in the data (though Hangul, not Korean).”

    Hangul is the Korean alphabet. Not sure why the distinction.

    1. visitor

      Indeed, probably a glitch in the description.

      I suspect the author meant that the encoding used in the files represented the standard Hangul character set (used in South Korea), and not the variant of the Hangul character set used in North Korea (which differs in the number and ordering of characters, and hence is encoded differently).

      Anyway, CJK character sets and encodings are just hell. I absolutely see Clive’s file encoded in EUC-JP or Shift_JIS royally screwing up the CMS editor of NakedCapitalism.

  12. Roland

    Clinton is trying to market herself as the Serious/Safe candidate, and instead her campaign is acting all CT hysterical. This whole Putin-hack thing is sabotaging her own brand.

    Today, while reading Hawthorne’s The House of the Seven Gables, I unexpectedly came across a passage which fittingly describes the DNC:

    They are practiced politicians, every man of them, and skilled to adjust those preliminary measures which steal from the people, without its knowledge, the power of choosing its own rulers…This little knot of subtle schemers will control the convention, and, through it, dictate to the party.

    And Hawthorne was a Democrat, too!

    1. JTMcPhee

      Maybe Will Rogers was off the beam, then, given current events and past performance, with his comment that “I don’t belong to any organized political party. I’m a Democrat!”

      At least as to the people close to the center of the beast, the ones who use the parties as just a set of tools to keep the mopes in check…

    2. NotTimothyGeithner

      Hillary’s brand was always just branding. In 2007, she ran as the candidate ready to take that 3 am phone call because of her experience. What experience? Selecting White House China for state functions? Raising money for the White House restoration? I liked the Christmas decorations Hillary had.

      Her followers believed her brand would win the day, and they simply ignored Obama largely won because of Hillary’s poor foreign policy record.

      1. Pat

        So she went out and bargained herself into State to get the foreign policy experience and now has a record on it that should have every sane person saying keep her away from sharp objects and things that go boom. Instead we once again have her running on taking that 3 am phone call while her team is acting like the twelve year old whose parents told her there are monsters home alone for the first time thinking that the refrigerator is a monster because she never heard it cycle on before.

        I have no respect for her average supporter. And even less respect for the press. The contempt the people who really pull the strings in her camp show they obviously have little regard for the intelligence of either group.

  13. John Wright

    After all the “democracy” promotion the USA has done around the world, perhaps the entire DNC hack should be re-cast as an attempt to determine exactly how the USA democracy functions by a curious group.

    This is somewhat akin to an interested grad student, as the hackers may have thought “Why not find how a professional democratic organization, the Democratic National Committee, works?”

    After the hackers were “shocked, shocked” when they saw the true operation of the DNC, then they decided to leak the information.

    This could suggest the leak may have been done, not to harm USA democracy, but to improve it by getting the DNC to behave in a fair and ethical manner in the future.

    Instead, we’ve watched the DNC, while not denying their documented behavior, argue that their behavior should not have been exposed by an alleged “wrong” group.

    Perhaps more damaging blackmail information is being saved to use against HRC if she is elected?

  14. redleg

    If one got in, how many more got in?
    I doubt that it was just one hacker.

    On another different but related topic, would open source software show multiple languages in the code?
    How about Kaspersky antivirus software?

  15. lb

    The Democratic Party establishment is selling a used car knowing there’s no way of getting a verifiable title history for the vehicle. To weave the narrative here, a few basic statements are made which may (perhaps) be technically true, as a foundation, but perhaps grossly misleadingly so.

    Perhaps at least one Russian at some point hacked the DNC. It is implied that _only_ this/these Russians hacked the DNC. It is implied that the WikiLeaks doc-dump came from this same set of people. “An IP address was found” is a very passive statement then used similarly. It’s possible a templatized kit had a default address (maybe even commented out) and was used in more than one place. Kits like this may be used by a single player or entity (in the case of a state actor, perhaps, though it seems potentially sloppy) or may be used by someone who purchased them or stole them from someone else. Only a few leading statements, eliding particular details, are necessary to promulgate a crafted narrative, when injected into the echo chamber and laundered through friendly or credulous security firms for expert confirmation.

    I would be curious to know when the Russian hack was supposed to have happened. I would also be curious what other hacks of the DNC are believed to have or known to have happened. It might even be interesting to know whether particular individuals’ accounts or machines were compromised on the way in, as the incestuous relationships between Democratic Party organizations make it quite possible such a compromise might cross to another organization and increase the likelihood of compromise there. I’m imagining a future Clinton Foundation document dump, perhaps.

    1. HotFlash

      I’m imagining a future Clinton Foundation document dump, perhaps.

      Oh, dear goddess, please let it be so!

  16. Watt4Bob

    I haven’t read any comments that highlight the smell of extreme desperation coming from the Clinton camp?

    Sanders’ efforts had already gotten the DNC droogs soiling their pants, add Trump’s momentum and likely trajectory to the mix, and this is what you get, panic, and poor judgement.

    I expect internal leaks and desertions from the campaign soon.

    1. Torsten

      Just to be explicit about this, I bet the NSA even has some “experts” who know how to set a Moscow location and Cyrillic code page on a forged document.

      1. hunkerdown

        JTRIG is more the organization to suspect for “effects operations” like this one. NSA is good enough at big iron though.

  17. Matthew Saroff

    I think that the big tell on this whole thing is that the Clinton Campaign is so panicked, and so tremulous about their candidate’s abilities that they are Red Baiting.

    Seriously, a Democratic Party nominee for President is red baiting. What the hell is up with that?

  18. Brian G

    Regarding Claudio Guarnieri’s claim.


    While attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I uncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy Group (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of such attribution, previous work by security vendor FireEye suggests the group might be of Russian origin, however no evidence allows to tie the attacks to governments of any particular country.

    Sofacy, aka Fancy Bear, is a well known Advanced Persistent Threat. APTs are generally regarded government backed given their abilities and resources but it is not always verifiable. Sofacy generally focuses on NATO aligned government and military sites and has also focused on Ukrainian targets in recent years.

    So it cannot be 100% confirmed that the Russian government is involved, it is the most likely backer of the hacking group.

    Which does not mean that Trump had any knowledge or involvement in the attack or that the Russians are necessarily backing Trump.

      1. Brian G

        It’s possible that it is someone spoofing the Russians. Not sure why someone would do that. It wouldn’t be easy.

        Sofacy is a Russian organization. That is pretty much certain.

        1. HotFlash

          And do we believe what we are being told? Interesting, BTW, that the DNC hasn’t even tried to deny.

  19. Butch In Waukegan

    Case closed. Three, count ’em, three!

    U.S. Theory On Democratic Party Breach: Hackers Meant To Leave Russia’s Mark Huffpo

    Some U.S. intelligence officials suspect that Russian hackers who broke into Democratic Party computers may have deliberately left digital fingerprints to show Moscow is a “cyberpower” that Washington should respect.

    Three officials, all speaking on condition of anonymity, said the breaches of the Democratic National Committee (DNC) were less sophisticated than other cyber intrusions that have been traced to Russian intelligence agencies or criminals.

    1. Pat

      Dear God, because the NSA and our intelligence operations are filled with idiots they think their Russian equivalents are as well? First off, that is the mindset of a twelve-year-old, not that of some mastermind, and one who would not be very good at strategy based computer games. They would be more likely not to leave any fingerprints because you have much more power if the victim doesn’t have a clue how you have done it. I’d be more likely to think it was some half baked NSA idiot who wanted to screw with the DNC, make them look like fools, AND make it look like some Russian did it.

      But as we well know, these guys are speaking to a script for folks who still haven’t found out that no, North Korea did not hack into Sony Pictures because of a really bad James Franco movie.

    2. JTMcPhee

      …and the US Empire dropped the first two nuclear weapons, actual weapons not tests, on two Japanese cities, to, inter alia, let “the Russians” and everyone else know that the Empire was, as of that brief moment, the World Superpower — not digital fingerprints, but charred corpses and people dying of radiation exposure and horrific burns and blast effects.

      Lots of ways for idiots to send idiotic messages, and where did “student” come from, again? Ssssshhhh— not supposed to talk about the provenance of that bunch of code, or how it was introduced…

  20. sunny 129

    NO has no clue re DNC e-mail leak! how or who did it. Just narration of speculations!

    If one watches ‘ZERO DAYS’ docu on how STUXNET/worm/Olympic Games was invented/manufactured by the combined efforts of US – cyber command @NSA, +CIA and Israeli intelligence (+UK?) and planted into the NET in bringing down the Iran’s Nucl program, most of us are way, way behind in understanding cyber terrorism! They were clueless and firing their Nucl experts for incompetence!

    There is extensive discussion of that subject by various NET security Cos incl Symantec, Kaspersky (Russia), Israeli cyber terrorism expert, even officials/non officials from NSA, cyber command, CIA, all over the World

    It is NOT THAT EASY to trace the hacker’s foot prints! This was about 6-8 years ago! WE all are just groping in the dark, like 7 blind men describing the ‘elephant’!

    1. Brian G


      That’s simply incorrect. Attribution is one of the jobs of most notable cyber security firms. It’s what they do. They can use MANY different forensic skills to determine who did an attack.

      STUXNET was a VERY complex and directed attack involving some of the most talented and well funded attackers on the planet. Of course it was going to be very difficult to identify.

      1. sunny129

        Your comment clearly suggests you apparently haven’t seen the docu ‘ZERO DAYS’

        If ANY ONE ‘knows’ why all these ‘HALLABALOO?

        To each his own

        1. Brian G

          I didn’t see the documentary. I’ve read some technical reports on the STUXNET attack though.

          This is my profession.

        2. hunkerdown

          If ANY ONE ‘knows’ why all these ‘HALLABALOO?

          Two reasons, Zippy:

          1. politics is a performing art, and the “patrons” pay billions to make television happen to order.
          2. those who ‘know’ are completely uninterested in proving anything to you (see “Document Tracking” slides in the first embedded doc at https://nsa.gov1.info/dni/xkeyscore.html: Slide 1: “I have a Jihadist document that has been passed around through numerous people, who wrote this and where were they?” Slide 2: redacted in full)

          Now, having turned away from the television set and its consumerist disposition, and partaken of three or four years advancement in one narrow sliver of the state of the art of operational security, such as in using amenities like proxies, VPNs, Tor, coffee houses, IP spoofing and a million bots for concealment: Attribution is hard when the perps want it to be hard. If they don’t, they don’t, or at least don’t want it badly enough, and it’s worth considering what angle there is there.

    2. TheCatSaid

      sunny129 – Thank you for the heads up on “Zero Days”–I’m watching it now and it’s real food for thought.

  21. MaroonBulldog

    Now Wikileaks has also released DNC VOICEMAIL messages.

    “Who hacked the voicemail servers?” inquiring minds want to know.

      1. hunkerdown

        Many organizations also send sets of login credentials through email as if it were private. Heh heh heh.

        Better idea: send one half (e.g. username) by email and the other half (e.g. password) by text. And force the reader to modify part of the credential according to a simple rule before use (e.g. delete all Rs from the username, add “123987” to the end of the temporary password — a form of “salting”), preferably detailed by a third communication medium.

  22. Oregoncharles

    Whew, a lot of comments on that, most of which I won’t understand.

    What I do understand: Inflammatory is what Trump does. It’s the reason he’s leading in the polls.

    In this case, it comes at the cost of accusations of “TREASON!!!”, which are pretty silly, considering whatever happened already happened and he just wants the results, as do we all.

    And it isn’t treason to put classified material on an unsecured server? But I don’t think I’ll start defending Trump on a hostile venue like Salon; he’s a big boy, he can take care of himself.

  23. DarkMatters

    A few general questions:
    a) Shouldn’t we, as adults, expect all countries to be hacking into each other’s political and security systems?
    b) Would the security team in any self-respecting country not be engaging in this sort of activity at whatever level they’re capable?
    c) Is it reasonable to assume that only one nation/party has succeeded?
    d) Wouldn’t Trump’s specific request, that Russia release hacked material, be helpful to both US security (possibly indicating what they already know) and to the general public (transparency: the “bad guys” already have the info)?
    Enquiring minds want to know.

    1. Watt4Bob

      If you’re intelligent enough to understand and formulate a), b), and c), why would you ask d)?

      Just to be clear, it’s well understood by now that anybody who wanted to hack her server, could have, with very little effort, so no, Trump’s joke is only ‘useful’ as played, to highlight the nature of our ‘fixed’ political systems.

      The crooked FBI making believe they don’t have the evidence, the crooked SOS making believe she did nothing wrong, and the crooked AG making believe there is no crime to prosecute.

      They don’t need any help from the Russians, it’s clear that nobody who counts wants to know anything about HRC’s stupid server tricks.

  24. JustAnObserver

    Since we have a fair number of IT security folk commenting on this thread there’s a question I’ve always had on the Clinton email server.

    How long after hooking it to the net would it take before the “bad guys” noticed it and some automated attack s/w would try to get in ?

    How long after that would they correlate the IP address to the physical address and have a “Holy Shit!! We’ve just hacked into the US State Dept” moment ?

    How long after *that* would said hacker be boasting of this on the Dark Web ?

    I ask this ‘cos of a memory from 2003 where I fired up my brand new laptop in Fry’s cafeteria (really just checking to see if there was any charge in the battery) and in less time than it took me to go to the counter and come back with a sandwich the Norton AV/FW s/w was reporting a port scan over the WiFi!

    1. visitor

      If I remember correctly, the server was hosted by an external firm, so correlating the IP address to the physical address would simply have led to some run-of-the-mill ISP, as the IP address did not point to one of the governmental blocks of IP addresses including the State Department.

      With port-scans, followed by penetration through vulnerable ports, either grabbing files from the server or recording the data it exchanges via known protocols, and finally inspecting/searching the collected information, then the hackers might have known what they were onto.

      If Clinton and her team had used those e-mail accounts to send/receive messages to colleagues within the government domain, and if there was a leak somewhere else (such as at OPM — remember that one?) then the hackers might have known beforehand that there were some curious e-mail ids (as extracted from To:, From:, Bcc: fields) of interest. Which would have led them directly to that ISP hosting Clinton’s server, simply by looking up the IP address from the domain name included in the e-mail id.

      I wonder whether we will ever have a thorough post-mortem analysis published on that affair.

      1. KnotRP

        > How long after hooking it to the net would it take before the “bad guys”
        > noticed it and some automated attack s/w would try to get in ?

        Port scans happen to every IP address every day, all day. But a scan from a motivated party might take longer to realize what they’ve found, and then make plans to exploit it…or they might just get told about it oob by the other people who are scanning, since word can travel fast if something interesting turns up. The classic SMTP ports would’ve been open for business unless they were running a very tight firewall whitelist of specific peer smtp hosts they trusted for sending/receiving (but I doubt it, since their server was obviously discovered)…so a port scan could’ve been followed by an automatic & simple telnet ip_address 25 (or any of the other common smtp port numbers), at which point the server would’ve accepted the connection and identified itself in the initial response string…maybe something looking like “Connected to clintonemail.com”. That might circulate fairly quickly. And if Clinton’s IT folks hadn’t taken care to prevent fishing for usernames, it’d get ugly quick. In the worst case, pop or imap ports were open so Clinton could access email from outside…and anyone want to lay odds that her password is 12345, or something equally bad? One would hope she was on an always-on vpn to home, to help protect her, but it’s possible that she had on-demand vpn, or even no vpn (if she was complaining about having to fire up vpns regularly, somebody should’ve pushed back on her to just deal with it). Never underestimate what powerful people will do to undermine IT.

  25. KnotRP

    Clinton’s email most certainly passed through a narus box, so the NSA has a copy of it.
    Chances are the Russians also have a copy of it, given how the server was run and the importance of the target.
    In fact, given Clinton’s gross negligence, I’d venture to guess most nation-state governments have a copy as well. Oh, and wikileaks obviously has it.

    It’s actually easier to list who doesn’t have it: I give you the F….B….I…. (Alan Rickman rocks)

    Now somebody decided to release it to wikileaks, but there are plenty of possibilities.
    I doubt Russia leaked it, because Clinton is incompetent on security and just about everything else…if Russia is actually our enemy, they’d probably want to help her get elected.
    Now an unapproved NSA employee might leak it — perhaps in an attempt to avoid having an incompetent head of the security apparatus. Or maybe the NSA as a whole let it out, to shine light on the political capture of the FBI in particular, or also to avoid ending up with a bad boss.
    We can be pretty sure China didn’t expose their pet, of course….why contribute all that money, then leak this?

    Personally, I think it was the man with the red shoe who leaked it.

    (nobody with any skill in this art believes any of the bullshit…particularly the comical foreign keyboard reference….but Clinton’s team is counting on most voters being misinformed for so long that they don’t know which way is up)

  26. temporal

    The reason everyone with a budget of over $200 a month rarely notices when they are being attacked is that they keep at least one router between them and the Internet. One router if there is no port forwarding from the router to the inner network is fairly safe. If you offer services you want two routers and do port forwarding for very specific ports. The outer router is supposed to offer nothing except port forwarding and is considered to be expendable that’s why it is called a firewall. The inner router is there to avoid problems if the firewall gets compromised. Any unauthorized access to the inner router is supposed to set the alarm bells ringing. Smart admins monitor the firewall logs to see what kinds of attacks are occurring fairly regularly, because all machines accessible via the Internet get attacked all the time. In a dual router setup that is properly configured and monitored the only big worry is a Denial of Service attack from other externally compromised computers, of which there are many. Connecting your computer directly to the Internet, whether you think of it as a server or not, without a locked down router in between is too foolish to contemplate. Of course you have no choice if you are budget constrained and obliged to run a virtual server on somebody else’s rack. But that should not have been the case for either of these servers.

    Being able to get to the servers from the Internet and, at least in the case of the DNC, copy files to and from them suggests that Hillary and the DNC had their admins set up their servers with pretty much no serious concern for security except for what might be there during installation. Either that or their routers forwarded much of their Internet traffic to the servers, which would be really crazy. Windows servers are well known for being easily compromised in their default installation because so many services are turned on, this is based on ease-of-use holdovers from the LAN days. That’s one of the reasons why there are so many courses and certifications associated with being a Windows administrator. I’m not a certified Windows admin.

    Anyone who has ever thought of setting up a public server has a duty to watch for intruders via their logs. If your address can be discovered and it can, even without a public DNS record, it will be attacked. I have set up low bandwidth virtual Linux servers in the past and nearly all of the traffic was filled with attacks. China, Brazil, Russia, Ukraine, the US, Holland and Germany all being popular attack sources. To reduce this problem administrators for low budget servers often decide to blacklist classes of addresses. Removing Russian, countries nearby and Chinese address sources makes for a much smaller log to read.

    In the DNC case of the hardcoded address, whois says that is supposed to be controlled by someone in Paris, France. The server is connected directly to the Internet and is probably compromised. Are we going to invade Paris or would it be easier to talk to a few humans identified as contacts for the server and get this sorted out? If this is a known problem server, as has been suggested, why hasn’t someone important just had it copied and taken down? Servers have been taken down for much less in the past.

    The way they are described these servers sound more like honeypots than real servers. Left open to see what they can attract. I doubt that’s the case but a little fear might have helped a lot. Which in a way goes back to Yves’ ideas about the problem of too much optimism.

    Via a Unix-like command line there are plenty of ways to change text file encoding, iconv being just one. Anything this easily done cannot be considered useful information by anyone serious.

    But then the fact neither server had encrypted emails with public/private keys means that they were not even trying to play in the big leagues.
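The log review described in comment 26 above, as an added example that is not part of the original comment: it reads firewall log lines, flags any source that probes many ports in a short window, and treats every hit on the inner router as an alarm. The log lines are constructed in the style of Linux netfilter LOG output; the `outer`/`inner` host names, the `FW-DROP`/`FW-INNER` prefixes and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 documentation addresses). "outer" is the
# expendable firewall, "inner" the second router; both names are assumptions.
SAMPLE_LOG = """\
Jul 27 09:00:00 outer kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=22 SYN
Jul 27 10:00:00 outer kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=3389 SYN
Jul 27 10:15:01 outer kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jul 27 10:15:02 outer kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jul 27 10:15:02 outer kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=50100 DPT=25 SYN
Jul 27 10:15:03 outer kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jul 27 10:15:04 outer kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=110 SYN
Jul 27 10:15:05 outer kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=143 SYN
Jul 27 10:40:00 outer kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=50101 DPT=25 SYN
Jul 27 11:02:10 inner kernel: FW-INNER: IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=445 SYN
Jul 27 11:05:00 outer sshd[812]: Accepted publickey for admin from 192.0.2.10 port 50222 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:.*?"
    r"\bSRC=(?P<src>\S+)\s.*?\bDPT=(?P<dpt>\d+)"
)


def parse(log_text, year=2016):
    """Return sorted (time, logging host, source IP, destination port) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall line, or no destination port (e.g. ICMP)
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["host"], m["src"], int(m["dpt"])))
    return sorted(events)


def find_scanners(events, min_ports=5, window=timedelta(seconds=60)):
    """Map each source that touched >= min_ports distinct ports inside one
    time window to the sorted list of ports it probed in that window."""
    by_src = defaultdict(list)
    for when, _host, src, dpt in events:
        by_src[src].append((when, dpt))
    scanners = {}
    for src, hits in by_src.items():
        best = set()
        for i, (start, _port) in enumerate(hits):
            # Distinct ports seen from this hit until the window closes.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            scanners[src] = sorted(best)
    return scanners


def inner_alarms(events, inner_host="inner"):
    """Any packet logged by the inner router got past the outer firewall,
    so every (source, port) pair seen there is reported, however few."""
    return sorted({(src, dpt) for _w, host, src, dpt in events if host == inner_host})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("scanners:", find_scanners(evts))
    print("inner router alarms:", inner_alarms(evts))
```

A source that spaces its probes further apart than the window, like 198.51.100.200 in the sample, stays below the default threshold, which is why the window and port count are parameters rather than constants.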

    1. dk

      Agreed on all points (and thanks for articulating it clearly).

      Regarding the Command&Control server at, the address common to malware found on both the DNC server and the BfV servers “using an outdated version of OpenSSL vulnerable to Heartbleed attacks”, this suggests to me that the server was/is not well maintained. It’s the second instance of sloppiness on the part of the hackers (the first being the posting by Guccifer2.0 of a modified version of the DNC docs with the Cyrillic language setting and the “Felix Dzerzhinsky” username, one fumble that left two clues).

      So if we are to postulate that these indicators are left to suggest a false trail (pointing to Russian involvement in the DNC hack), the planter of that trail is also 1) painting the picture that the Russians are not very competent hackers, and 2) they actually set up a compromised C&C server to get this point across.

      Granted it’s not impossible. But I think it’s overly complex reasoning, positing an overly complex scenario, using a conviction (belief) to attempt to validate a desired world-view. As Kahneman suggests (https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol.-56-no.-2/thinking-fast-and-slow.html), this is poor analysis, no matter who is doing it.

      It strikes me that the theory that the DNC was not hacked by (incompetent) Russian actors is even weaker than the theory that it was hacked by highly competent/dangerous state-directed actors. What I get as the most likely scenario is a hack by incompetent Russian actors, of an incompetently administered DNC server.

      In other words, barring the unsupported theory of a manipulative agent planting the Russian traces, the common takeaway is massive incompetence in computer security (and by very short extrapolation, document management) on the part of everyone involved. Unfortunately, this also matches up to my own empirical observations over time. The suggestion of a hyper-competent and meticulously thorough third agent comes with no evidence, and has no precedent outside of magical thought.

  27. alex morfesis

    a la patada…what if the dnc emails came from $hillary/podesta…not trying to be foilee…a la patada is a spanish term whereby once you get to the top of the ladder, you start stepping on hands below to make sure they fall and no one can see how you climbed to the top…

    what is the damage done for the release now that Sanders had already noticed he was not going to be allowed to be the democratic nominee for president…she gets rid of the dnc people and “what they know”…at least that is my primary theory…

    besides…how silly is it that one would need to hack into the dnc servers…does anyone think the average parties with regular access to this data are walking around using 17 character passwords ?…how hard would it be to gather up profiles of the 50 to 100 people who probably had access to various pieces of data and figure that 20% had useless passwords…it makes no real sense to hack into the server when it probably would be easier to walk thru the front door by figuring out the passwords of the usual lame political operatives…unless the hack is to cover the walking thru the front door…

    the reason I am thinking this is all coming from $hillary and company is the missing transcripts to the speeches she has given…if she controlled the information via “copyright” claims…who processed the information, since she is so “hands off”…and why is it not popping up ??

    If the Clinton household clinton foundation server was all tied into the $hillary as Secty of State emails…then where was the data kept…the contracts…the contact information…the videos…where were they kept that they have not been “hacked” into yet…??

    is there anything truly unusual that has been placed in the public domain that had not been suggested before…??

    a la patada…get rid of some people now…and maybe do a dying chinese communist central committee move to see who can be trusted and who will speak…

    I just don’t see any foreign or domestic agency leaving fingerprints as suggested…

    and I suspect Joe McCarthy must be spinning in his grave…

    imagine some ruski named dmitri(crowdstrike) telling us that his fellow russians are hacking into the united states…

    no dignity indeed…

    amerika…vat a country…

  28. Okanogen

    Astounded by the naivete in this echo chamber. The likelihood that Russian security services would be able to infiltrate DNC email systems is questioned? If they weren’t trying to do so, they wouldn’t be doing their job. Work like that is in fact, their entire reason for existence.
    In counter-intelligence and forensic tradecraft, it is also standard practice to withhold critical, identifiable information, and/or spread misinformation to your adversaries. It is called “protecting sources and measures”. If the large groups of professional cyber-security firms laid out for you, and the hackers, every flaw that allowed them to be identified, then those companies wouldn’t be doing their job.
    Finally, the rubber-road intersection: why? Indications as reported (horrors!) are that one Russian group had infiltrated DNC emails undetected as long as a year ago. A second group infiltrated in April, but was detected shortly afterward. Fair enough. The difference however is that this time, rather than hold on to the documents, they risked exposing additional evidence of their identity by quickly releasing the emails to WikiLeaks and simultaneously setting up a sock puppet to take credit. Why? Why risk all that? The reason is what we see in this very thread: to sow fear uncertainty and doubt into the legitimacy of our political system.
    It was Clinton! It was Trump! Nevermind! They are all incompetent and corrupt! They subvert our democracy! Look at the emails!

    It’s enough to make a comradsky weep with joy.

    1. temporal

      Funny, I’m getting old but I don’t remember being naive on many technical issues. Would you provide examples of what I said that you know better? (Ah, the joys of rhetoric.)

      The new improved version of sowing fear of the red menace via FUD has very little to do with the issue. These servers were not properly protected. I’m surprised the entire dark net doesn’t own everything they had. So many choices, so little time seems to have been their best hope. Security through obscurity.

      Nearly any script kiddie with the right package and some luck could have gotten in because the firewalls, when turned on, seem to have been on the servers and the servers connected directly to the Internet.

      The funny part to me, is way more money and effort went into the forensic part of this than upfront security. I kind of feel bad for the admins. “You did what? You didn’t do what? You don’t understand what?”

      As for “the legitimacy of our (current) political system”, I’ll leave that as an exercise for the reader since Bernie was pushed or chose to be pushed out. The new reds, whatever they might have done, have nothing to do with this question.

    2. dk

      Some background for this view here:

      You’re worried about “… fear uncertainty and doubt into the legitimacy of our political system”?

      I’m worried people don’t know how computers work. When people working in governments (any governments) don’t know how to use the equipment, fear is appropriate, uncertainty is inevitable, and legitimacy (in terms of competence) should certainly come into question.

      This goes far beyond relative we-said-they-said credibility.

  29. Okanogen

    I recall reading that Assange (true to his self-absorbed sense of cosmic importance and cloak/dagger romance), posted an encrypted, 88 gigabyte file of the entire *cough* “Guccifer2.0” *cough* DNC email submittal to which he holds the key “as insurance” (lol).

    88 gigs. Hmm. Including spam and attachments and voicemails (grrrr! Microsoft! Including children going to the zoo, phone numbers of ordinary citizens). Anyway, Ok. That sounds about right for a few weeks of an organization the size of the DNC.

    1. hunkerdown

      I thought the 88GB insurance file was for Hillary’s server, not the DNC’s. In which case, 88GB sounds about right for 60k messages, some attachments, fat indexes, and the OS image to run it all.

  30. alex morfesis

    while waiting 4 the mod machine to trigger my release…did more research on Dmitri…his blackhat 2009 presentation is interesting…while still at mcafee…he was having a hard time pointing out how there was only 250 million in reported actual losses in 2008…

    but worse…he gives an example of one of the “few people” who actually were caught…

    some guy in romania…

    hmmm…romania….where did I hear that recently……

    he presents something in english, but what looks like DW/tv(Deutsche Welle was running on SKY channel 794 until mid 2009) …some type of documentary on some romanian criminal who stole money from people selling them cars…and openly was describing how he had kept the money hidden and would soon be out to cyber steal again…

    the mystery romanian in the documentary is named bogdan paiu…

    small problem…can’t find anything for this bogdan…I am not perfect, but i am pretty good…and since he ripped off americans too…why does he not show up…

    about 6 and a half minutes into the talk


    windup the old organ people…play those color coded chords…

  31. Ron

    If you are going to hack, why be so selective? You can bet that the Trump Organization was also hacked! And that one or more actors also have heavy duty crap of all types on Trump and his people.

  32. Tim Lovett

    So surely the hackers tried RNC staffers’ emails as well. Did they get in? Surely RNC staffers have looked for signs of forced entry, no? What were the results? Has the RNC commented on the sanctity of their people’s emails? If not, why not? Wouldn’t they want to take credit for running a tight ship, compared to those sloppy Dems?

    Or do they know they’ve been hacked but realize that the hackers are only interested in embarrassing Dems?

    1. Yves Smith

      Many media reports said the DNC hack was the result of spear phishing, which is where someone sends an e-mail that looks like it is from someone they know and seeks login info. So this apparently was not someone hacking into the servers or brute-forcing passwords. So it’s not clear that this same type of hack worked at the RNC. Or the Republicans may organize their activities differently. The RNC may be all about $ and since the Rs have so many think tanks, the nexus for press messaging may be elsewhere, or distributed, making RNC e-mails less interesting.
