Free Republic

A New Report Raises Big Questions About Last Year’s DNC Hack
The Nation ^ | 8/9/2017 | Patrick Lawrence

Posted on 08/10/2017 8:09:02 AM PDT by outinyellowdogcountry

Research into the DNC case took a fateful turn in early July, when forensic investigators who had been working independently began to share findings and form loose collaborations wherein each could build on the work of others. In this a small, new website called www.disobedientmedia.com proved an important catalyst. Two independent researchers selected it, Snowden-like, as the medium through which to disclose their findings. One of these is known as Forensicator and the other as Adam Carter. On July 9, Adam Carter sent Elizabeth Vos, a co-founder of Disobedient Media, a paper by the Forensicator that split the DNC case open like a coconut.

By this time Binney and the other technical-side people at VIPS had begun working with a man named Skip Folden. Folden was an IT executive at IBM for 33 years, serving 25 years as the IT program manager in the United States. He has also consulted for Pentagon officials, the FBI, and the Justice Department. Folden is effectively the VIPS group’s liaison to Forensicator, Adam Carter, and other investigators, but neither Folden nor anyone else knows the identity of either Forensicator or Adam Carter. This bears brief explanation.

The Forensicator’s July 9 document indicates he lives in the Pacific Time Zone, which puts him on the West Coast. His notes describing his investigative procedures support this. But little else is known of him. Adam Carter, in turn, is located in England, but the name is a coy pseudonym: It derives from a character in a BBC espionage series called Spooks. It is protocol in this community, Elizabeth Vos told me in a telephone conversation this week, to respect this degree of anonymity. Kirk Wiebe, the former SIGINT analyst at the NSA, thinks Forensicator could be “someone very good with the FBI,” but there is no certainty. Unanimously, however, all the analysts and forensics investigators interviewed for this column say Forensicator’s advanced expertise, evident in the work he has done, is unassailable. They hold a similarly high opinion of Adam Carter’s work.

Forensicator is working with the documents published by Guccifer 2.0, focusing for now on the July 5 intrusion into the DNC server. The contents of Guccifer’s files are known—they were published last September—and are not Forensicator’s concern. His work is with the metadata on those files. These data did not come to him via any clandestine means. Forensicator simply has access to them that others did not have. It is this access that prompts Kirk Wiebe and others to suggest that Forensicator may be someone with exceptional talent and training inside an agency such as the FBI. “Forensicator unlocked and then analyzed what had been the locked files Guccifer supposedly took from the DNC server,” Skip Folden explained in an interview. “To do this he would have to have ‘access privilege,’ meaning a key.”

What has Forensicator proven since he turned his key? How? What has work done atop Forensicator’s findings proven? How?

Forensicator’s first decisive findings, made public in the paper dated July 9, concerned the volume of the supposedly hacked material and what is called the transfer rate—the time a remote hack would require. The metadata established several facts in this regard with granular precision: On the evening of July 5, 2016, 1,976 megabytes of data were downloaded from the DNC’s server. The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.

These statistics are matters of record and essential to disproving the hack theory. No Internet service provider, such as a hacker would have had to use in mid-2016, was capable of downloading data at this speed. Compounding this contradiction, Guccifer claimed to have run his hack from Romania, which, for numerous reasons technically called delivery overheads, would slow down the speed of a hack even further from maximum achievable speeds.

What is the maximum achievable speed? Forensicator recently ran a test download of a comparable data volume (and using a server speed not available in 2016) 40 miles from his computer via a server 20 miles away and came up with a speed of 11.8 megabytes per second—half what the DNC operation would need were it a hack. Other investigators have built on this finding. Folden and Edward Loomis say a survey published August 3, 2016, by www.speedtest.net/reports is highly reliable and use it as their thumbnail index. It indicated that the highest average ISP speeds of first-half 2016 were achieved by Xfinity and Cox Communications. These speeds averaged 15.6 megabytes per second and 14.7 megabytes per second, respectively. Peak speeds at higher rates were recorded intermittently but still did not reach the required 22.7 megabytes per second.

“A speed of 22.7 megabytes is simply unobtainable, especially if we are talking about a transoceanic data transfer,” Folden said. “Based on the data we now have, what we’ve been calling a hack is impossible.” Last week Forensicator reported on a speed test he conducted more recently. It tightens the case considerably. “Transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance,” he wrote. “Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when using a USB–2 flash device (thumb drive).”

Time stamps in the metadata provide further evidence of what happened on July 5. The stamps recording the download indicate that it occurred in the Eastern Daylight Time Zone at approximately 6:45 pm. This confirms that the person entering the DNC system was working somewhere on the East Coast of the United States. In theory the operation could have been conducted from Bangor or Miami or anywhere in between—but not Russia, Romania, or anywhere else outside the EDT zone. Combined with Forensicator’s findings on the transfer rate, the time stamps constitute more evidence that the download was conducted locally, since delivery overheads—conversion of data into packets, addressing, sequencing times, error checks, and the like—degrade all data transfers conducted via the Internet, more or less according to the distance involved.

In addition, there is the adulteration of the documents Guccifer 2.0 posted on June 15, when he made his first appearance. This came to light when researchers penetrated what Folden calls Guccifer’s top layer of metadata and analyzed what was in the layers beneath. They found that the first five files Guccifer made public had each been run, via ordinary cut-and-paste, through a single template that effectively immersed them in what could plausibly be cast as Russian fingerprints. They were not: The Russian markings were artificially inserted prior to posting. “It’s clear,” another forensics investigator self-identified as HET, wrote in a report on this question, “that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings.”

To be noted in this connection: The list of the CIA’s cyber-tools WikiLeaks began to release in March and labeled Vault 7 includes one called Marble that is capable of obfuscating the origin of documents in false-flag operations and leaving markings that point to whatever the CIA wants to point to. (The tool can also “de-obfuscate” what it has obfuscated.) It is not known whether this tool was deployed in the Guccifer case, but it is there for such a use.

It is not yet clear whether documents now shown to have been leaked locally on July 5 were tainted to suggest Russian hacking in the same way the June 15 Guccifer release was. This is among several outstanding questions awaiting answers, and the forensic scientists active on the DNC case are now investigating it. In a note Adam Carter sent to Folden and McGovern last week and copied to me, he reconfirmed the corruption of the June 15 documents, while indicating that his initial work on the July 5 documents—of which much more is to be done—had not yet turned up evidence of doctoring.

In the meantime, VIPS has assembled a chronology that imposes a persuasive logic on the complex succession of events just reviewed. It is this:

On June 12 last year, Julian Assange announced that WikiLeaks had and would publish documents pertinent to Hillary Clinton’s presidential campaign. On June 14, CrowdStrike, a cyber-security firm hired by the DNC, announced, without providing evidence, that it had found malware on DNC servers and had evidence that Russians were responsible for planting it. On June 15, Guccifer 2.0 first appeared, took responsibility for the “hack” reported on June 14 and claimed to be a WikiLeaks source. It then posted the adulterated documents just described. On July 5, Guccifer again claimed he had remotely hacked DNC servers, and the operation was instantly described as another intrusion attributable to Russia. Virtually no media questioned this account.

It does not require too much thought to read into this sequence. With his June 12 announcement, Assange effectively put the DNC on notice that it had a little time, probably not much, to act preemptively against the imminent publication of damaging documents. Did the DNC quickly conjure Guccifer from thin air to create a cyber-saboteur whose fingers point to Russia? There is no evidence of this one way or the other, but emphatically it is legitimate to pose the question in the context of the VIPS chronology. WikiLeaks began publishing on July 22. By that time, the case alleging Russian interference in the 2016 elections process was taking firm root. In short order Assange would be written down as a “Russian agent.”

By any balanced reckoning, the official case purporting to assign a systematic hacking effort to Russia, the events of mid-June and July 5 last year being the foundation of this case, is shabby to the point taxpayers should ask for their money back. The Intelligence Community Assessment, the supposedly definitive report featuring the “high confidence” dodge, was greeted as farcically flimsy when issued January 6. Ray McGovern calls it a disgrace to the intelligence profession. It is spotlessly free of evidence, front to back, pertaining to any events in which Russia is implicated. James Clapper, the former director of national intelligence, admitted in May that “hand-picked” analysts from three agencies (not the 17 previously reported) drafted the ICA. There is a way to understand “hand-picked” that is less obvious than meets the eye: The report was sequestered from rigorous agency-wide reviews. This is the way these people have spoken to us for the past year.

Behind the ICA lie other indefensible realities. The FBI has never examined the DNC’s computer servers—an omission that is beyond preposterous. It has instead relied on the reports produced by CrowdStrike, a firm that drips with conflicting interests well beyond the fact that it is in the DNC’s employ. Dmitri Alperovitch, its co-founder and chief technology officer, is on the record as vigorously anti-Russian. He is a senior fellow at the Atlantic Council, which suffers the same prejudice. Problems such as this are many.

“We continue to stand by our report,” CrowdStrike said, upon seeing the VIPS blueprint of the investigation. CrowdStrike argues that by July 5 all malware had been removed from the DNC’s computers. But the presence or absence of malware by that time is entirely immaterial, because the event of July 5 is proven to have been a leak and not a hack. Given that malware has nothing to do with leaks, CrowdStrike’s logic appears to be circular.

In effect, the new forensic evidence considered here lands in a vacuum. We now enter a period when an official reply should be forthcoming. What the forensic people are now producing constitutes evidence, however one may view it, and it is the first scientifically derived evidence we have into any of the events in which Russia has been implicated. The investigators deserve a response, the betrayed professionals who formed VIPS as the WMD scandal unfolded in 2003 deserve it, and so do the rest of us. The cost of duplicity has rarely been so high.

I concluded each of the interviews conducted for this column by asking for a degree of confidence in the new findings. These are careful, exacting people as a matter of professional training and standards, and I got careful, exacting replies.

All those interviewed came in between 90 percent and 100 percent certain that the forensics prove out. I have already quoted Skip Folden’s answer: impossible based on the data. “The laws of physics don’t lie,” Ray McGovern volunteered at one point. “It’s QED, theorem demonstrated,” William Binney said in response to my question. “There’s no evidence out there to get me to change my mind.” When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, “I’ve looked at the work and it shows there was no Russian hack. But I didn’t do the work. That’s the 10 percent. I’m a scientist.”

Editor’s note: In its chronology, VIPS mistakenly gave the wrong date for CrowdStrike’s announcement of its claim to have found malware on DNC servers. It said June 15, when it should have said June 14. VIPS has acknowledged the error, and we have made the correction.


TOPICS: Foreign Affairs; Government; News/Current Events; Politics/Elections
KEYWORDS: 201606; 20160614; 20160615; 20160623; 20160705; 20160706; dnc; dnchack; dnchacked; dnchackforensics; dncleaks; guccifer; guccifer2; gucifer; hillary2016; mcgovern; raymcgovern; russia; vips; wikileaks
To: outinyellowdogcountry

thanx for posting this important information


21 posted on 08/10/2017 10:08:36 AM PDT by thinden
[ Post Reply | Private Reply | To 1 | View Replies]

To: iontheball

That’s what it sounds like. Do you think that’s why Aaron Carter is concerned for his own safety?


22 posted on 08/10/2017 10:24:48 AM PDT by outinyellowdogcountry
[ Post Reply | Private Reply | To 20 | View Replies]

To: outinyellowdogcountry
It's easy to see why the Nation, a prog. magazine, would publish this article. A lot of Berners are so infuriated over the Witch allegedly stealing the nomination from Bernie that a number of them even have a class action pending against the DNC and others.

Seth Rich apparently was a Berner who was deeply angered by how the Witch and DWS were stealing the nomination. He reacted by leaking the subject emails, something that dovetails with the transfer rates noted in this article. Thus, by ascribing the revelations to a leak, this article advances the case that Rich was assassinated in retaliation for leaking the emails. That, in turn, advances the Berners' cause for discrediting the Witch and DNC.

Remember, the left can be as internally vicious as it is externally vicious, as the Bolsheviks were in their liquidation of the Mensheviks.

23 posted on 08/10/2017 10:32:53 AM PDT by libstripper
[ Post Reply | Private Reply | To 7 | View Replies]

To: rjsimmon
"One nit to pick. Transfer rate is in bits per second (bps) vice bytes per second."

1976 megabytes in 87 s is indeed 22.71 megabytes/sec. Do you think the units used cast doubt on the validity or what?

As an engineer, I'm used to dealing with odd units but as a non-IT type, I don't quite follow your objection.

24 posted on 08/10/2017 10:52:15 AM PDT by HangThemHigh (Entropy is not what it used to be.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: outinyellowdogcountry

Another very interesting article:

“Why Some U.S. Ex-Spies Don’t Buy the Russia Story”

https://www.bloomberg.com/view/articles/2017-08-10/why-some-u-s-ex-spies-don-t-buy-the-russia-story

Unfortunately, it’s on Bloomberg, so I can’t post it. But it says that at least one of the hacks had to be an inside job because of the download speed that was used. It could not have been done via the web, and more likely with a thumb drive.


25 posted on 08/10/2017 10:52:28 AM PDT by Brilliant
[ Post Reply | Private Reply | To 1 | View Replies]

To: HangThemHigh
As an engineer, I'm used to dealing with odd units but as a nonIT type, I don't quite follow your objection.

I am an IT Engineer. They simply used an incorrect phrase. The author was writing this as a supposed expert and I indicated that it was a small nit.

26 posted on 08/10/2017 11:11:44 AM PDT by rjsimmon (The Tree of Liberty Thirsts)
[ Post Reply | Private Reply | To 24 | View Replies]

To: rjsimmon

Do you think the speed issue is valid?


27 posted on 08/10/2017 11:49:03 AM PDT by outinyellowdogcountry
[ Post Reply | Private Reply | To 26 | View Replies]

To: outinyellowdogcountry

That The Nation printed this is interesting.


28 posted on 08/10/2017 12:09:48 PM PDT by Ray76 (The Republican party must die.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Cboldt

thanks.
copy\paste from the NYC PC to the thumb drive.
Someone takes out the thumb drive.

When I use Microsoft Remote Access to my home P.C., whatever I do regardless of where I am at, timestamp is from my home PC.

Where would metadata show something different? Thumb drive? That would be gone.


29 posted on 08/10/2017 12:40:32 PM PDT by stylin19a (Lynch & Clinton - Snakes on a Plane)
[ Post Reply | Private Reply | To 18 | View Replies]

To: outinyellowdogcountry
When I asked Edward Loomis, a 90 percent man, about the 10 percent he held out, he replied, “I’ve looked at the work and it shows there was no Russian hack. But I didn’t do the work. That’s the 10 percent. I’m a scientist.”

I like this guy.
30 posted on 08/10/2017 12:44:34 PM PDT by Svartalfiar
[ Post Reply | Private Reply | To 1 | View Replies]

To: rjsimmon
One nit to pick. Transfer rate is in bits per second (bps) vice bytes per second.

Transfer rate is in whatever units you want to use. 22.7 MB/s is the same as 182 Mb/s.
31 posted on 08/10/2017 12:45:47 PM PDT by Svartalfiar
[ Post Reply | Private Reply | To 2 | View Replies]

To: Greetings_Puny_Humans
"Spam this to that bundle of sticks Drudge. Maybe he’ll get off his ass..."

It's really surprising how Drudge has taken a pass on all of this. The former headline-maker has acted like this stuff doesn't even exist. I don't know if maybe he just has some assistant managing his page now and doesn't care, or if he's just decided to be nothing more than the online Weekly World News with a couple of mundane news stories mixed in.

Maybe if there was a chubby girl giving a blowjob in the story, perhaps he'd perk up...

32 posted on 08/10/2017 12:53:16 PM PDT by Magnatron
[ Post Reply | Private Reply | To 8 | View Replies]

To: z3n
Fiber or FIOS? Hell, there are decades old copper services that well exceeded 25mB/s. They talk like 2016 is ancient history too. *head scratch* Even your average high-end residential ISPs which tend to offer asynchronous services will still let you download much faster than that. So I could maybe buy the hypothesis that the speeds were close to USB2.0 but not that it was too fast for readily available internet speeds.

Many businesses, especially ones that aren't major IT users, don't have speeds like that. They buy the cheapest internet possible because they only need it for email.

But the big thing I don't get with this story is why are they talking about download speed? The big point should be upload speed. Most internet packages (residential or commercial) generally have a much lower upload bandwidth than down. Newer fiber providers don't do this, but it used to be a 20Mb connection would only have maybe 5Mb up. Most packages were 2-8x slower on the upstream connection versus the advertised number, the downstream. So the big thing would be, is how fast could the DNC internet package have uploaded the files? When I download stuff, Steam can hit 40+ MB/s, because they upload a LOT, and have the infrastructure and connection to hit those numbers. But other sites might only hit 1-2 Mb/s, because they don't have much stuff to download. It's not my connection, it's the content providers'.
33 posted on 08/10/2017 12:59:30 PM PDT by Svartalfiar
[ Post Reply | Private Reply | To 5 | View Replies]

To: stylin19a
A number of file transfer tools preserve timestamp; and making things a little more complex, some filesystems have multiple timestamps on files (create, modify, access).

In order to have confidence in the timestamps as an analytical tool, one would have to know or assume the tools and means used to effect the transfer, copy, and compress operations.

The most common effect is the one you describe - timestamps reflect the time the copy is made. Timestamps are usually preserved (not updated) when a file is copied/compressed into an archive. Timestamps are generally preserved by backup software too.

I often use "wget" to get remote files. "By default, when a file is downloaded, its timestamps are set to match those from the remote file." That is what I would call preserving the original timestamp in the copy.

I also use "scp" which is a sort of remote copy. By default, "scp" updates file timestamps to the time the copy operation is performed.

Also consider that "archive before transfer" can give different results from "archive after transfer," and the possibility of transferring (copying) files over a local network; from a host to a destination machine.

34 posted on 08/10/2017 1:04:16 PM PDT by Cboldt
[ Post Reply | Private Reply | To 29 | View Replies]
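
The effect described in the post above, as an added example (not part of the thread and not any poster's code): the same file is put through a contents-only copy, a metadata-preserving copy, and "archive before transfer" versus "archive after transfer", and the modification time an examiner would later read is compared. The file names, the sample timestamp and the Python standard-library calls standing in for the copy tools are assumptions chosen for illustration.

```python
import os
import shutil
import tarfile
import tempfile

# Constructed sample value: 2016-07-05 22:45:00 UTC as a Unix timestamp,
# standing in for a file's "original" modification time.
ORIGINAL_MTIME = 1467758700


def stored_mtime(archive_path, member):
    """Read the modification time recorded in a tar header, without extracting."""
    with tarfile.open(archive_path) as tar:
        return int(tar.getmember(member).mtime)


def mtime_after_operations():
    """Run four copy/archive paths on one file; return the mtime each leaves behind."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "source.txt")
        with open(src, "w") as fh:
            fh.write("constructed sample content\n")
        # Back-date the source so a preserved and an updated mtime are easy to tell apart.
        os.utime(src, (ORIGINAL_MTIME, ORIGINAL_MTIME))

        # 1. Contents-only copy: the new file gets the time the copy was made.
        plain = os.path.join(work, "plain_copy.txt")
        shutil.copyfile(src, plain)
        results["plain_copy"] = int(os.stat(plain).st_mtime)

        # 2. Metadata-preserving copy: the original mtime is carried over.
        kept = os.path.join(work, "preserved_copy.txt")
        shutil.copy2(src, kept)
        results["preserving_copy"] = int(os.stat(kept).st_mtime)

        # 3. Archive before transfer: the tar header records the original mtime.
        before = os.path.join(work, "before.tar")
        with tarfile.open(before, "w") as tar:
            tar.add(src, arcname="source.txt")
        results["archive_before_copy"] = stored_mtime(before, "source.txt")

        # 4. Archive after transfer: the header records the copy time instead.
        after = os.path.join(work, "after.tar")
        with tarfile.open(after, "w") as tar:
            tar.add(plain, arcname="source.txt")
        results["archive_after_copy"] = stored_mtime(after, "source.txt")
    return results


def preserved(results):
    """Names of the operations whose output still shows the original mtime."""
    return sorted(name for name, mtime in results.items() if mtime == ORIGINAL_MTIME)


if __name__ == "__main__":
    outcome = mtime_after_operations()
    for name, mtime in outcome.items():
        print(f"{name:22s} {mtime}")
    print("original mtime survived in:", preserved(outcome))
```

Two of the four paths keep the original time and two replace it with the copy time, so a timestamp alone says little until the tool chain and the order of the copy and archive steps are known.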

To: outinyellowdogcountry
Do you think the speed issue is valid?

If they are using fiber optics, certainly.

35 posted on 08/10/2017 1:10:47 PM PDT by rjsimmon (The Tree of Liberty Thirsts)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Svartalfiar

Of course it depends on the type, but most businesses do not use their internet just for email. A lot of traffic is two way and many businesses use cloud based services, which include email (like office365), file/project collaboration, data backups, and even IP based telecommunications. It’s really not hard to choke a small to moderate bandwidth connection with multiple users online and making calls, which doesn’t bother to take into account browsing, or the fact that many businesses attach a wifi connection which even if used only by employee devices and isn’t public can hunk into that pipe too. If your IT guy/dept has moderately austere policies, the firewall will be blocking all the favorite music and video app/browser streaming services. lol


36 posted on 08/10/2017 1:34:11 PM PDT by z3n
[ Post Reply | Private Reply | To 33 | View Replies]

To: outinyellowdogcountry; rjsimmon; samtheman; wastoute; z3n; Greetings_Puny_Humans; M Kehoe; ...
VIPS = Veteran Intelligence Professionals for Sanity

Here is an earlier article on this topic from ZeroHedge, on July 24:

NSA Officials and Computer Expert: Forensic Evidence Proves DNC Emails Were LEAKED, Not Hacked

37 posted on 08/10/2017 2:23:49 PM PDT by Albion Wilde (I was not elected to continue a failed system. I was elected to change it. --Donald J. Trump)
[ Post Reply | Private Reply | To 1 | View Replies]

To: outinyellowdogcountry
Wikipedia summary:

William Binney (U.S. intelligence official)
Former U.S. intelligence official and cryptanalyst; whistleblower
William Edward Binney is a former highly placed intelligence official with the United States National Security Agency (NSA) turned whistleblower who resigned on October 31, 2001, after more than 30 years with the agency. He was a high-profile critic of his former employers during the George W. Bush administration. Binney continues to speak out during Barack Obama's presidency about the NSA's data collection policies, and continues to give interviews in the media regarding his experiences and his views on interception of communication of American citizens by governmental agencies. In a legal case, Binney declared in an affidavit that the NSA is acting in deliberate violation of the U.S. Constitution.

38 posted on 08/10/2017 2:27:41 PM PDT by Albion Wilde (I was not elected to continue a failed system. I was elected to change it. --Donald J. Trump)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sontagged

Answered prayer? It is all going to come out.


39 posted on 08/10/2017 2:29:14 PM PDT by Albion Wilde (I was not elected to continue a failed system. I was elected to change it. --Donald J. Trump)
[ Post Reply | Private Reply | To 1 | View Replies]

To: outinyellowdogcountry

“So you doubt the veracity of the forensic experts in the story?”


Which ones? The anonymous “expert” sources mentioned have 0 provable credibility. We can’t even prove they exist; let alone that they know anything regarding electronic forensics.

There are zero actual - verifiable - facts listed in this progressive-linked “article.” The author doesn’t even know bits from bytes? C’mon.

I would like for it to be true, but that is irrelevant.

Critical thinking has died.


40 posted on 08/10/2017 2:37:02 PM PDT by Noamie
[ Post Reply | Private Reply | To 7 | View Replies]

