By Lambert Strether of Corrente.
It is with relief that we turn from last week’s Democrat narrative — that Trump is a fascist — to this week’s narrative: That the DNC email hack is proof that Trump is a Russian agent of influence. Here’s Clinton’s campaign manager, Robby Mook, making the accusation:
Hillary Clinton’s campaign manager is alleging that Russian hackers are leaking Democratic National Committee emails critical of Bernie Sanders in an effort to help Donald Trump win the election in November.
It comes on the heels of “changes to the Republican platform to make it more pro-Russian,” Robby Mook told CNN’s Jake Tapper on “State of the Union” Sunday.
“I don’t think it’s coincidental that these emails were released on the eve of our convention here, and I think that’s disturbing,” he said.
Mook’s “Russians under the bed” gaslighting is useful on a number of fronts: Ginning up war fever for an October surprise; setting up a later McCarthy-ite purge of Trump supporters, Clinton skeptics, or even those prematurely anti-Trump; and if we’re truly blessed, a real shooting war; some damned thing in the Baltic or the Black Sea, or wherever the Kagan clan points to on the map in the war room. And it’s always useful to be able to convert one’s opponents to enemies by accusing them of treason, especially in an election year.
However, in this short post I want to focus on a much narrower question: Can we ever know who hacked the DNC email? Because if we can’t, then clearly we can’t know the Russians did. And so I want to hoist this by alert reader JacobiteInTraining from comments:
Yup, as a former server admin it is patently absurd to attribute a hack to anyone in particular until a substantial amount of forensic work has been done. (read, poring over multiple internal log files…gathering yet more log files of yet more internal devices, poring over them, then – once the request hops out of your org – requesting logfiles from remote entities, poring over *those* log files, requesting further log files from yet more upstream entities, wash rinse repeat ad infinitum)
For example, at its simplest, I would expect a middling-competency hacker to find an open wifi hub across town to connect to, then VPN to a server in, say, Tonga, then VPN from there to another box in Sweden, then connect to a PC previously compromised in Iowa, then VPN to yet another anonymous cloud server in Latvia, and (assuming the Mountain Dew is running low, gotta get cracking) then RDP to the target server and grab as many docs as possible. RAR those up and encrypt them, FTP them to a compromised media server in South Korea, email them from there to someone’s gmail account previously hacked, xfer them to a P2P file sharing app, and then finally access them later from a completely different set of servers.
In many cases where I did this sort of analysis I still ended up with a complete dead end: some sysadmins at remote companies or orgs would be sympathetic and give me actual related log files. Others would be sympathetic but would not give files, and instead do their own analysis to give me tips. Many never responded, and most IPs ended up at unknown (compromised) personal PCs, or devices where the owner could not be found anyway.
If the hacker was sloppy and left other types of circumstantial evidence you might get lucky – but that demographic mostly points back to script kiddies and/or criminal dweebs – i.e., rather than just surreptitiously exfiltrating the goods they instead left messages or altered things that seemed to indicate their own backgrounds or prejudices, or left a message that was more easily ‘traced’. If, of course, you took that evidence at face value and it was not itself an attempt at obfuscation.
Short of a state actor such as an NSA who captures it ALL anyway, and/or can access any log files at any public or private network at its own whim – it’s completely silly to attribute a hack to anyone at this point.
So, I guess I am reduced to LOL OMG WTF its fer the LULZ!!!!!
Just to clarify on the “…If the hacker was sloppy and left other types of circumstantial evidence…” – this is basically what I have seen reported as ‘evidence’ pointing to Russia: the Cyrillic keyboard signature, the ‘appeared to cease work on Russian holidays’ stuff, and the association with ‘known Russian hacking groups’.
That’s great and all, but in past work I am sure my own ‘research’ could easily have gotten me ‘associated’ with known hacking groups. Presumably various ‘sophisticated’ methods and tools get you closer to possible suspects…but that kind of stuff is cycled and recycled throughout the community worldwide – as soon as anything like that is known and published, any reasonably competent hacker (or org of hackers) is learning how to do the same thing and incorporating such things into their own methods. (imitation being the sincerest form of flattery)
I guess I have a lot more respect for the kinds of people I expect to be getting a paycheck from foreign Intelligence agencies than to believe that they would leave such obvious clues behind ‘accidentally’. But if we are going to be starting wars over this stuff w/Russia, or China, I guess I would hope the adults in the room don’t go all apesh*t and start chanting COMMIES, THE RUSSIANS ARE COMING!, etc. before the ink is dry on the ‘crime’.
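The log-chasing JacobiteInTraining describes can be made concrete. What follows is an added illustration (not the commenter’s code, not anything from the DNC investigation): an incident responder holds the target server’s own connection log plus whatever logs cooperative remote operators handed over, and walks the chain of hops backwards until logs run out. All hosts, addresses (documentation ranges) and timestamps are constructed for the example; the one-hop-feeds-the-next rule (an inbound session must start within a short window before the outbound hop it is assumed to have fed) is an assumption of the example, not a standard.

```python
"""Constructed example: walking an intrusion's hop chain backwards through
per-host connection logs and recording where the trail goes dark."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    ts: int       # seconds since an arbitrary epoch (constructed values)
    src: str      # source IP of the connection
    dst: str      # destination IP of the connection
    proto: str    # service used for the hop


# Constructed per-host connection logs, keyed by the IP of the host whose logs
# they are. Hosts absent from the dict stand in for operators who never replied.
LOGS: Dict[str, List[Conn]] = {
    "10.0.0.5": [                       # the target server: one inbound RDP session
        Conn(1000, "203.0.113.7", "10.0.0.5", "rdp"),
    ],
    "203.0.113.7": [                    # hop 1: cloud VPS whose provider shared logs
        Conn(990, "198.51.100.4", "203.0.113.7", "vpn"),
        Conn(1000, "203.0.113.7", "10.0.0.5", "rdp"),
    ],
    "198.51.100.4": [                   # hop 2: compromised home PC, owner cooperated
        Conn(700, "192.0.2.9", "198.51.100.4", "vpn"),    # hours earlier: unrelated session
        Conn(975, "192.0.2.50", "198.51.100.4", "vpn"),
        Conn(990, "198.51.100.4", "203.0.113.7", "vpn"),
    ],
    # "192.0.2.50": no logs at all; the remote organisation never answered.
}

WINDOW = 120  # assumed max seconds between an inbound session and the hop it fed


def inbound_before(host: str, before_ts: int,
                   logs: Dict[str, List[Conn]]) -> Optional[Conn]:
    """Latest inbound connection to `host` that started no more than WINDOW
    seconds before `before_ts`; None when nothing plausible precedes the hop."""
    candidates = [c for c in logs.get(host, [])
                  if c.dst == host and before_ts - WINDOW <= c.ts <= before_ts]
    return max(candidates, key=lambda c: c.ts) if candidates else None


def trace_back(target: str, incident_ts: int,
               logs: Dict[str, List[Conn]]) -> Tuple[List[str], str]:
    """Walk the hop chain backwards from the session seen on `target` at
    `incident_ts`. Returns (hosts in the chain, reason the walk stopped)."""
    chain = [target]
    host, ts = target, incident_ts
    while True:
        if host not in logs:
            return chain, f"no logs for {host}"            # dead end: nobody shared logs
        hop = inbound_before(host, ts, logs)
        if hop is None:
            return chain, f"no inbound to {host} within {WINDOW}s of its outbound"
        if hop.src in chain:
            return chain, f"loop back to {hop.src}"         # guard against cyclic logs
        chain.append(hop.src)
        host, ts = hop.src, hop.ts


if __name__ == "__main__":
    hops, reason = trace_back("10.0.0.5", 1000, LOGS)
    print(" <- ".join(hops))
    print("stopped:", reason)
```

Run as-is, the chain resolves three hops and then stops with "no logs for 192.0.2.50": every host the responder could see was itself an intermediary, and the last source is a machine whose operator never answered, which is the dead end the comment describes. Note what the walk does not do: it never names an owner, a country or a group, because nothing in connection logs carries that information.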
The whole episode reminds me of the Sony hack, for which Obama also blamed a demonized foreign power. Interestingly — to beg the question here — the blaming was also based on a foreign character set in the data (though Hangul, not Cyrillic). Look! A clue!
JacobiteInTraining’s methodology also reminds me of NC’s coverage of Grexit. Symbol manipulators — like those in the Democrat-leaning creative class — often believe that real economy systems are as easy to manipulate as symbol systems are. In Greece, for example, it really was a difficult technical challenge to reintroduce the drachma, especially given the time-frame, as contributor Clive remorselessly showed. Similarly, it’s really not credible to hire a consultant and get a hacking report with a turnaround time of less than a week, even leaving aside the idea that the DNC just might have hired a consultant that would give them the result they wanted (because who among us, etc.). What JacobiteInTraining shows us is that computer forensics is laborious, takes time, and is very unlikely to yield results suitable for framing in the narratives proffered by the political class. Of course, that does confirm all my priors!
Update Addition by Yves:
Another reader, Hacker, observed (emphasis original):
There is a problem with those who argue that these are sophisticated Nation State attackers and then point to the most basic circumstantial evidence to support their case. I’d bet that, among others, the Israelis have hacked some Russian servers to launch attacks from and have some of their workers on a Russian holiday schedule. Those things have been written about in attack analysis so much over the last 15-20 years that they’d be stupid not to.
Now, I’m not saying the Israelis did it. I’m saying that the evidence provided so far by those arguing it is Russia is so flaky as to prove that the Russia accusers are blinded or corrupted by their own political agenda.
Update [Yves, courtesy Richard Smith] 7:45 AM. Another Medium piece by Jeffrey Carr, who has been fact-checking this story and comes away Not Happy: Can Facts Slow The DNC Breach Runaway Train? For instance:
Thomas Rid wrote:
One of the strongest pieces of evidence linking GRU to the DNC hack is the equivalent of identical fingerprints found in two burglarized buildings: a reused command-and-control address — 176.31.112[.]10 — that was hard coded in a piece of malware found both in the German parliament as well as on the DNC’s servers. Russian military intelligence was identified by the German domestic security agency BfV as the actor responsible for the Bundestag breach. The infrastructure behind the fake MIS Department domain was also linked to the Berlin intrusion through at least one other element, a shared SSL certificate.
This paragraph sounds quite damning if you take it at face value, but if you invest a little time into checking the source material, its carefully constructed narrative falls apart.
Problem #1: The IP address 176.31.112[.]10 used in the Bundestag breach as a Command and Control server has never been connected to the Russian intelligence services. In fact, Claudio Guarnieri, a highly regarded security researcher, whose technical analysis was referenced by Rid, stated that “no evidence allows to tie the attacks to governments of any particular country.”
Mind you, he has two additional problems with that claim alone. This piece is a must read if you want to dig further into this topic.
More than a talking point but, really, less than a narrative. It’s like we need a new word for these bite-sized, meme-ready, disposable, “throw ’em against the wall and see if they stick” stories; mini-narrative, or narrativelette, perhaps. “All the crunch of a real narrative, but none of the nutrition!”
This post is not about today’s Trump moral panic, where the political class is frothing and stamping about The Donald’s humorous (or ballbusting, take your pick) statement that he “hoped” the Russians had hacked the 30,000 emails that Clinton supposedly deleted from the email server she privatized in her public capacity as Secretary of State before handing the whole flaming and steaming mess over to investigators. First, who cares? Those emails are all about yoga lessons and Chelsea’s wedding. Right? Second, Clinton didn’t secure the server for three months. What did she expect? Third, Trump’s suggestion is just dumb; the NSA has to have that data, so why not just ask them? Finally, to be fair, Trump shouldn’t have uttered the word “Russia.” He should have said “Liechtenstein,” or “Tonga,” because it’s hard to believe that there’s a country too small to hack as fat a target as Clinton presented; Trump was being inflammatory. Points off. Bad show.