Skip to comments.A New Report Raises Big Questions About Last Year’s DNC Hack
Posted on 08/10/2017 8:09:02 AM PDT by outinyellowdogcountry
Research into the DNC case took a fateful turn in early July, when forensic investigators who had been working independently began to share findings and form loose collaborations wherein each could build on the work of others. In this a small, new website called www.disobedientmedia.com proved an important catalyst. Two independent researchers selected it, Snowden-like, as the medium through which to disclose their findings. One of these is known as Forensicator and the other as Adam Carter. On July 9, Adam Carter sent Elizabeth Vos, a co-founder of Disobedient Media, a paper by the Forensicator that split the DNC case open like a coconut.
By this time Binney and the other technical-side people at VIPS had begun working with a man named Skip Folden. Folden was an IT executive at IBM for 33 years, serving 25 years as the IT program manager in the United States. He has also consulted for Pentagon officials, the FBI, and the Justice Department. Folden is effectively the VIPS groups liaison to Forensicator, Adam Carter, and other investigators, but neither Folden nor anyone else knows the identity of either Forensicator or Adam Carter. This bears brief explanation.
The Forensicators July 9 document indicates he lives in the Pacific Time Zone, which puts him on the West Coast. His notes describing his investigative procedures support this. But little else is known of him. Adam Carter, in turn, is located in England, but the name is a coy pseudonym: It derives from a character in a BBC espionage series called Spooks. It is protocol in this community, Elizabeth Vos told me in a telephone conversation this week, to respect this degree of anonymity. Kirk Wiebe, the former SIGINT analyst at the NSA, thinks Forensicator could be someone very good with the FBI, but there is no certainty. Unanimously, however, all the analysts and forensics investigators interviewed for this column say Forensicators advanced expertise, evident in the work he has done, is unassailable. They hold a similarly high opinion of Adam Carters work.
Forensicator is working with the documents published by Guccifer 2.0, focusing for now on the July 5 intrusion into the DNC server. The contents of Guccifers files are knownthey were published last Septemberand are not Forensicators concern. His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server, Skip Folden explained in an interview. To do this he would have to have access privilege, meaning a key.
What has Forensicator proven since he turned his key? How? What has work done atop Forensicators findings proven? How?
Forensicators first decisive findings, made public on July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate.
Forensicators first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer ratethe time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNCs server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.
These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds.
Time stamps in the metadata indicate the download occurred somewhere on the East Coast of the United Statesnot Russia, Romania, or anywhere else outside the EDT zone.
What is the maximum achievable speed? Forensicator recently ran a test download of a comparable data volume (and using a server speed not available in 2016) 40 miles from his computer via a server 20 miles away and came up with a speed of 11.8 megabytes per secondhalf what the DNC operation would need were it a hack. Other investigators have built on this finding. Folden and Edward Loomis say a survey published August 3, 2016, by www.speedtest.net/reports is highly reliable and use it as their thumbnail index. It indicated that the highest average ISP speeds of first-half 2016 were achieved by Xfinity and Cox Communications. These speeds averaged 15.6 megabytes per second and 14.7 megabytes per second, respectively. Peak speeds at higher rates were recorded intermittently but still did not reach the required 22.7 megabytes per second.
A speed of 22.7 megabytes is simply unobtainable, especially if we are talking about a transoceanic data transfer, Folden said. Based on the data we now have, what weve been calling a hack is impossible. Last week Forensicator reported on a speed test he conducted more recently. It tightens the case considerably. Transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance, he wrote. Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when using a USB2 flash device (thumb drive).
Time stamps in the metadata provide further evidence of what happened on July 5. The stamps recording the download indicate that it occurred in the Eastern Daylight Time Zone at approximately 6:45 pm. This confirms that the person entering the DNC system was working somewhere on the East Coast of the United States. In theory the operation could have been conducted from Bangor or Miami or anywhere in betweenbut not Russia, Romania, or anywhere else outside the EDT zone. Combined with Forensicators findings on the transfer rate, the time stamps constitute more evidence that the download was conducted locally, since delivery overheadsconversion of data into packets, addressing, sequencing times, error checks, and the likedegrade all data transfers conducted via the Internet, more or less according to the distance involved.
Its clear, another forensics investigator wrote, that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.
In addition, there is the adulteration of the documents Guccifer 2.0 posted on June 15, when he made his first appearance. This came to light when researchers penetrated what Folden calls Guccifers top layer of metadata and analyzed what was in the layers beneath. They found that the first five files Guccifer made public had each been run, via ordinary cut-and-paste, through a single template that effectively immersed them in what could plausibly be cast as Russian fingerprints. They were not: The Russian markings were artificially inserted prior to posting. Its clear, another forensics investigator self-identified as HET, wrote in a report on this question, that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.
To be noted in this connection: The list of the CIAs cyber-tools WikiLeaks began to release in March and labeled Vault 7 includes one called Marble that is capable of obfuscating the origin of documents in false-flag operations and leaving markings that point to whatever the CIA wants to point to. (The tool can also de-obfuscate what it has obfuscated.) It is not known whether this tool was deployed in the Guccifer case, but it is there for such a use.
It is not yet clear whether documents now shown to have been leaked locally on July 5 were tainted to suggest Russian hacking in the same way the June 15 Guccifer release was. This is among several outstanding questions awaiting answers, and the forensic scientists active on the DNC case are now investigating it. In a note Adam Carter sent to Folden and McGovern last week and copied to me, he reconfirmed the corruption of the June 15 documents, while indicating that his initial work on the July 5 documentsof which much more is to be donehad not yet turned up evidence of doctoring.
In the meantime, VIPS has assembled a chronology that imposes a persuasive logic on the complex succession of events just reviewed. It is this:
On June 12 last year, Julian Assange announced that WikiLeaks had and would publish documents pertinent to Hillary Clintons presidential campaign. On June 14, CrowdStrike, a cyber-security firm hired by the DNC, announced, without providing evidence, that it had found malware on DNC servers and had evidence that Russians were responsible for planting it. On June 15, Guccifer 2.0 first appeared, took responsibility for the hack reported on June 14 and claimed to be a WikiLeaks source. It then posted the adulterated documents just described. On July 5, Guccifer again claimed he had remotely hacked DNC servers, and the operation was instantly described as another intrusion attributable to Russia. Virtually no media questioned this account.
It does not require too much thought to read into this sequence. With his June 12 announcement, Assange effectively put the DNC on notice that it had a little time, probably not much, to act preemptively against the imminent publication of damaging documents. Did the DNC quickly conjure Guccifer from thin air to create a cyber-saboteur whose fingers point to Russia? There is no evidence of this one way or the other, but emphatically it is legitimate to pose the question in the context of the VIPS chronology. WikiLeaks began publishing on July 22. By that time, the case alleging Russian interference in the 2016 elections process was taking firm root. In short order Assange would be written down as a Russian agent.
By any balanced reckoning, the official case purporting to assign a systematic hacking effort to Russia, the events of mid-June and July 5 last year being the foundation of this case, is shabby to the point taxpayers should ask for their money back. The Intelligence Community Assessment, the supposedly definitive report featuring the high confidence dodge, was greeted as farcically flimsy when issued January 6. Ray McGovern calls it a disgrace to the intelligence profession. It is spotlessly free of evidence, front to back, pertaining to any events in which Russia is implicated. James Clapper, the former director of national intelligence, admitted in May that hand-picked analysts from three agencies (not the 17 previously reported) drafted the ICA. There is a way to understand hand-picked that is less obvious than meets the eye: The report was sequestered from rigorous agency-wide reviews. This is the way these people have spoken to us for the past year.
Behind the ICA lie other indefensible realities. The FBI has never examined the DNCs computer serversan omission that is beyond preposterous. It has instead relied on the reports produced by Crowdstrike, a firm that drips with conflicting interests well beyond the fact that it is in the DNCs employ. Dmitri Alperovitch, its co-founder and chief technology officer, is on the record as vigorously anti-Russian. He is a senior fellow at the Atlantic Council, which suffers the same prejudice. Problems such as this are many.
We continue to stand by our report, CrowdStrike said, upon seeing the VIPS blueprint of the investigation. CrowdStrike argues that by July 5 all malware had been removed from the DNCs computers. But the presence or absence of malware by that time is entirely immaterial, because the event of July 5 is proven to have been a leak and not a hack. Given that malware has nothing to do with leaks, CrowdStrikes logic appears to be circular.
In effect, the new forensic evidence considered here lands in a vacuum. We now enter a period when an official reply should be forthcoming. What the forensic people are now producing constitutes evidence, however one may view it, and it is the first scientifically derived evidence we have into any of the events in which Russia has been implicated. The investigators deserve a response, the betrayed professionals who formed VIPS as the WMD scandal unfolded in 2003 deserve it, and so do the rest of us. The cost of duplicity has rarely been so high.
I concluded each of the interviews conducted for this column by asking for a degree of confidence in the new findings. These are careful, exacting people as a matter of professional training and standards, and I got careful, exacting replies.
All those interviewed came in between 90 percent and 100 percent certain that the forensics prove out. I have already quoted Skip Foldens answer: impossible based on the data. The laws of physics dont lie, Ray McGovern volunteered at one point. Its QED, theorem demonstrated, William Binney said in response to my question. Theres no evidence out there to get me to change my mind. When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, Ive looked at the work and it shows there was no Russian hack. But I didnt do the work. Thats the 10 percent. Im a scientist.
Editors note: In its chronology, VIPS mistakenly gave the wrong date for CrowdStrikes announcement of its claim to have found malware on DNC servers. It said June 15, when it should have said June 14. VIPS has acknowledged the error, and we have made the correction.
Is this why Russia news is fading? A progressive magazine printing something like this seems like an earthquake for the Democrats. I pray that the whole truth will out on all of them: HRC, JP, DWS, Awans, JC, etc., etc., etc.!
One nit to pick. Transfer rate is in bits per second (bps) vice bytes per second.
It is painfully obvious to anyone with an IQ that allows them to tie their shoes that the Uniparty is completely uninterested in pursuing any of this.
Fiber or FIOS? Hell, there are decades old copper services that well exceeded 25mB/s. They talk like 2016 is ancient history too. *head scratch* Even your average high-end residential ISPs which tend to offer asynchronous services will still let you download much faster then that. So I could maybe buy the hypothesis that the speeds were close to USB2.0 but not that it was too fast for readily available internet speeds.
To Romania? Yes, that’s more implausible. Not impossible though.
So you doubt the veracity of the forensic experts in the story? I do not know anything about the speed. I thought the case they presented coordinates with what has been reported here and the fact a progressive magazine printed the story at all was interesting.
That darn flash drive got Seth Rich killed.
I’m sure one of the Awan brothers know.
And remember, Podesta said leaked should be killed.
He’s probably confusing something. I am not aware of any internet providers that can provide that speed, especially not “decades ago.”
...and that is most likely why Seth Rich was killed.
Somebody doesn't know what they are talking about. Transmission rates are usually quoted in megaBITS per second, not megabytes. Is there a units error here?
I subscribe to Xfinity "Blast" service and SpeedTest just a moment ago shows I got 118 megabits//sec or 14.75 megabytes/sec.
Megabytes per second is correct in this situation. Normally when you buy Internet speed it is calculated in bps or kbps but as speeds have increased it is now being discussed in Mbps. However, you will note that your computer reports speeds in MBytes per second. Thus a 5Mbps connection only yields 625K Bytes per sec. A 22.7 MBps connection would be 180Mbps (megabits) and generally you can't buy more than a 100Mbps Fiberoptics connection unless you are in the NOC.
Veracity, no, not necessarily.
TBH I skimmed and gleaned. I’m not trying to throw water on this, but just the technical conclusions I saw getting jumped to in various spots were far closer to opinion than they were to facts.
But also, not only did I skim, I did not click the link and read the rest. I’m just saying... it casts a LOT of doubt. But that’s what it seems to do at best. So if you ask if I doubt, then yes, it’s easy to doubt doubt
Speeders typically are optimized to go from a server to a client. You’ll find real world speeds quite different. Not to mention, due to business rates, it’s more than likely they had a 10mb or possibly a 100mb link. Unlikely to have a gigabit link.
Neat tool to do all the conversions and calculate outcomes.
near as I can figure 1,976 megabytes of data is about 2 gb and the 87 seconds speed is nothing I can get from Comcast.
my speed tests done 08/10/2017 11:33 CDT:
Xfinity: 155 Mbps download - too funny !~ ( probably computer to Internet ? not to network ?)
AT&T: 87 Mbps
Ookla: 88 Mbps
That depends on what software you use to effect the transfer.
George Webb had this a long time ago.
The framing of the Russians has Brennan’s smell all over it.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.