A New Report Raises Big Questions About Last Year’s DNC Hack
The Nation ^ | 8/9/2017 | Patrick Lawrence
Posted on 8/10/2017, 11:09:02 AM
Research into the DNC case took a fateful turn in early July, when forensic investigators who had been working independently began to share findings and form loose collaborations wherein each could build on the work of others. In this a small, new website called
www.disobedientmedia.com proved an important catalyst. Two independent researchers selected it, Snowden-like, as the medium through which to disclose their findings. One of these is known as Forensicator and the other as Adam Carter. On July 9, Adam Carter sent Elizabeth Vos, a co-founder of Disobedient Media, a paper by the Forensicator that split the DNC case open like a coconut.
By this time Binney and the other technical-side people at VIPS had begun working with a man named Skip Folden. Folden was an IT executive at IBM for 33 years, serving 25 years as the IT program manager in the United States. He has also consulted for Pentagon officials, the FBI, and the Justice Department. Folden is effectively the VIPS group’s liaison to Forensicator, Adam Carter, and other investigators, but neither Folden nor anyone else knows the identity of either Forensicator or Adam Carter. This bears brief explanation.
The Forensicator’s July 9 document indicates he lives in the Pacific Time Zone, which puts him on the West Coast. His notes describing his investigative procedures support this. But little else is known of him. Adam Carter, in turn, is located in England, but the name is a coy pseudonym: It derives from a character in a BBC espionage series called Spooks. It is protocol in this community, Elizabeth Vos told me in a telephone conversation this week, to respect this degree of anonymity. Kirk Wiebe, the former SIGINT analyst at the NSA, thinks Forensicator could be “someone very good with the FBI,” but there is no certainty. Unanimously, however, all the analysts and forensics investigators interviewed for this column say Forensicator’s advanced expertise, evident in the work he has done, is unassailable. They hold a similarly high opinion of Adam Carter’s work.
Forensicator is working with the documents published by Guccifer 2.0, focusing for now on the July 5 intrusion into the DNC server. The contents of Guccifer’s files are known—they were published last September—and are not Forensicator’s concern. His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.”
What has Forensicator proven since he turned his key? How? What has work done atop Forensicator’s findings proven? How?
Forensicator’s first decisive findings, made public on July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate.
Forensicator’s first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.
These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds.
Time stamps in the metadata indicate the download occurred somewhere on the East Coast of the United States—not Russia, Romania, or anywhere else outside the EDT zone.
What is the maximum achievable speed? Forensicator recently ran a test download of a comparable data volume (and using a server speed not available in 2016) 40 miles from his computer via a server 20 miles away and came up with a speed of 11.8 megabytes per second—half what the DNC operation would need were it a hack. Other investigators have built on this finding. Folden and Edward Loomis say a survey published August 3, 2016, by
www.speedtest.net/reports is highly reliable and use it as their thumbnail index. It indicated that the highest average ISP speeds of first-half 2016 were achieved by Xfinity and Cox Communications. These speeds averaged 15.6 megabytes per second and 14.7 megabytes per second, respectively. Peak speeds at higher rates were recorded intermittently but still did not reach the required 22.7 megabytes per second.
“A speed of 22.7 megabytes is simply unobtainable, especially if we are talking about a transoceanic data transfer,” Folden said. “Based on the data we now have, what we’ve been calling a hack is impossible.” Last week Forensicator reported on a speed test he conducted more recently. It tightens the case considerably. “Transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance,” he wrote. “Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when using a USB–2 flash device (thumb drive).”
Time stamps in the metadata provide further evidence of what happened on July 5. The stamps recording the download indicate that it occurred in the Eastern Daylight Time Zone at approximately 6:45 pm. This confirms that the person entering the DNC system was working somewhere on the East Coast of the United States. In theory the operation could have been conducted from Bangor or Miami or anywhere in between—but not Russia, Romania, or anywhere else outside the EDT zone. Combined with Forensicator’s findings on the transfer rate, the time stamps constitute more evidence that the download was conducted locally, since delivery overheads—conversion of data into packets, addressing, sequencing times, error checks, and the like—degrade all data transfers conducted via the Internet, more or less according to the distance involved.
“It’s clear,” another forensics investigator wrote, “that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.”
In addition, there is the adulteration of the documents Guccifer 2.0 posted on June 15, when he made his first appearance. This came to light when researchers penetrated what Folden calls Guccifer’s top layer of metadata and analyzed what was in the layers beneath. They found that the first five files Guccifer made public had each been run, via ordinary cut-and-paste, through a single template that effectively immersed them in what could plausibly be cast as Russian fingerprints. They were not: The Russian markings were artificially inserted prior to posting. “It’s clear,” another forensics investigator self-identified as HET, wrote in a report on this question, “that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.”
To be noted in this connection: The list of the CIA’s cyber-tools WikiLeaks began to release in March and labeled Vault 7 includes one called Marble that is capable of obfuscating the origin of documents in false-flag operations and leaving markings that point to whatever the CIA wants to point to. (The tool can also “de-obfuscate” what it has obfuscated.) It is not known whether this tool was deployed in the Guccifer case, but it is there for such a use.
It is not yet clear whether documents now shown to have been leaked locally on July 5 were tainted to suggest Russian hacking in the same way the June 15 Guccifer release was. This is among several outstanding questions awaiting answers, and the forensic scientists active on the DNC case are now investigating it. In a note Adam Carter sent to Folden and McGovern last week and copied to me, he reconfirmed the corruption of the June 15 documents, while indicating that his initial work on the July 5 documents—of which much more is to be done—had not yet turned up evidence of doctoring.
In the meantime, VIPS has assembled a chronology that imposes a persuasive logic on the complex succession of events just reviewed. It is this:
On June 12 last year, Julian Assange announced that WikiLeaks had and would publish documents pertinent to Hillary Clinton’s presidential campaign. On June 14, CrowdStrike, a cyber-security firm hired by the DNC, announced, without providing evidence, that it had found malware on DNC servers and had evidence that Russians were responsible for planting it. On June 15, Guccifer 2.0 first appeared, took responsibility for the “hack” reported on June 14 and claimed to be a WikiLeaks source. It then posted the adulterated documents just described. On July 5, Guccifer again claimed he had remotely hacked DNC servers, and the operation was instantly described as another intrusion attributable to Russia. Virtually no media questioned this account.
It does not require too much thought to read into this sequence. With his June 12 announcement, Assange effectively put the DNC on notice that it had a little time, probably not much, to act preemptively against the imminent publication of damaging documents. Did the DNC quickly conjure Guccifer from thin air to create a cyber-saboteur whose fingers point to Russia? There is no evidence of this one way or the other, but emphatically it is legitimate to pose the question in the context of the VIPS chronology. WikiLeaks began publishing on July 22. By that time, the case alleging Russian interference in the 2016 elections process was taking firm root. In short order Assange would be written down as a “Russian agent.”
By any balanced reckoning, the official case purporting to assign a systematic hacking effort to Russia, the events of mid-June and July 5 last year being the foundation of this case, is shabby to the point taxpayers should ask for their money back. The Intelligence Community Assessment, the supposedly definitive report featuring the “high confidence” dodge, was greeted as farcically flimsy when issued January 6. Ray McGovern calls it a disgrace to the intelligence profession. It is spotlessly free of evidence, front to back, pertaining to any events in which Russia is implicated. James Clapper, the former director of national intelligence, admitted in May that “hand-picked” analysts from three agencies (not the 17 previously reported) drafted the ICA. There is a way to understand “hand-picked” that is less obvious than meets the eye: The report was sequestered from rigorous agency-wide reviews. This is the way these people have spoken to us for the past year.
Behind the ICA lie other indefensible realities. The FBI has never examined the DNC’s computer servers—an omission that is beyond preposterous. It has instead relied on the reports produced by Crowdstrike, a firm that drips with conflicting interests well beyond the fact that it is in the DNC’s employ. Dmitri Alperovitch, its co-founder and chief technology officer, is on the record as vigorously anti-Russian. He is a senior fellow at the Atlantic Council, which suffers the same prejudice. Problems such as this are many.
“We continue to stand by our report,” CrowdStrike said, upon seeing the VIPS blueprint of the investigation. CrowdStrike argues that by July 5 all malware had been removed from the DNC’s computers. But the presence or absence of malware by that time is entirely immaterial, because the event of July 5 is proven to have been a leak and not a hack. Given that malware has nothing to do with leaks, CrowdStrike’s logic appears to be circular.
In effect, the new forensic evidence considered here lands in a vacuum. We now enter a period when an official reply should be forthcoming. What the forensic people are now producing constitutes evidence, however one may view it, and it is the first scientifically derived evidence we have into any of the events in which Russia has been implicated. The investigators deserve a response, the betrayed professionals who formed VIPS as the WMD scandal unfolded in 2003 deserve it, and so do the rest of us. The cost of duplicity has rarely been so high.
I concluded each of the interviews conducted for this column by asking for a degree of confidence in the new findings. These are careful, exacting people as a matter of professional training and standards, and I got careful, exacting replies.
All those interviewed came in between 90 percent and 100 percent certain that the forensics prove out. I have already quoted Skip Folden’s answer: impossible based on the data. “The laws of physics don’t lie,” Ray McGovern volunteered at one point. “It’s QED, theorem demonstrated,” William Binney said in response to my question. “There’s no evidence out there to get me to change my mind.” When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, “I’ve looked at the work and it shows there was no Russian hack. But I didn’t do the work. That’s the 10 percent. I’m a scientist.”
Editor’s note: In its chronology, VIPS mistakenly gave the wrong date for CrowdStrike’s announcement of its claim to have found malware on DNC servers. It said June 15, when it should have said June 14. VIPS has acknowledged the error, and we have made the correction.
https://www.thenation.com/article/a-new-report-raises-big-questions-about-last-years-dnc-hack/?platform=hootsuite
