RussiaGate: Riddle Me This.

(Upfront disclaimer: I do not subscribe to any conspiracy theories, nor am I promoting any ideology or political agenda. I simply ran across some data that prompts a set of questions that purely from a cybersecurity forensics point of view seem not to have been answered by those running the investigation into the DNC “hack”.)

On the evening of July 5, 2016, 1,976 megabytes of data were transferred (either uploaded or downloaded, depending on your point of view) from the DNC’s server.

The operation took 87 seconds. This yields a transfer rate of 22.7 megabytes per second.

These statistics are matters of record.

No Internet service provider in mid-2016 was capable of uploading data at this speed.

A test published August 3, 2016, by www.speedtest.net/reports can serve as a thumbnail index. Their test upload of a comparable data volume 40 miles from the computer (not in Romania) via a server 20 miles away, averaged a speed of 11.8 megabytes per second—half what the DNC operation would need were it to have been a hack.

That same test indicated that the highest average ISP speeds in the first half of 2016 were achieved by Xfinity and Cox Communications. These speeds averaged 15.6 megabytes per second and 14.7 megabytes per second, respectively.

Peak speeds at higher rates were recorded intermittently but still never reached the required transfer speed of 22.7 megabytes per second.

A speed of 22.7 megabytes per second was simply unobtainable in 2016, especially if we are to accept the alleged charge that a hacker attacked the DNC server from Romania, which would have required a transoceanic data transfer.

Based on the data that has been published, what everyone now is calling a hack is simply impossible; in other words, it is a claim unsupported by any evidence.

Compounding the physics problem, the FBI (and NSA, CIA, etc.) claimed the hack originated from Romania. Every data transfer conducted via the Internet carries delivery overheads (conversion of data into packets, addressing, sequencing times, error checks, and the like) that degrade throughput, so a hack from that distance would have run even slower than the maximum achievable speeds, which by themselves were not sufficient to allow an upload of that size in the time-frame recorded (87 seconds).

Time stamps in the metadata additionally indicate that the upload was sourced in the Eastern Daylight Time Zone at approximately 6:45 pm. In theory, the operation could have been conducted from Bangor or Miami or anywhere in between—but not Russia, Romania, or anywhere else outside the EDT zone.

The investigative team performing this analysis consisted of highly regarded cybersecurity-forensics experts led by William Binney, formerly the NSA’s technical director for world geopolitical and military analysis and designer of many agency programs now in use; Kirk Wiebe, formerly a senior analyst at the NSA’s SIGINT Automation Research Center; Edward Loomis, formerly technical director in the NSA’s Office of Signal Processing; and Ray McGovern, an intelligence analyst for nearly three decades and formerly chief of the CIA’s Soviet Foreign Policy Branch.

All four of these men have decades of experience in matters concerning Russian intelligence and the related technologies, working in and for the top U.S. counter-intelligence and espionage agencies.

In August of 2016, they reported on another speed test they conducted. “Transfer rates of 23 MB/s (Mega Bytes per second) are not just highly unlikely, but effectively impossible to accomplish when communicating over the Internet at any significant distance,” they wrote. “Further, local copy speeds are measured, demonstrating that 23 MB/s is a typical transfer rate when using a USB–2 flash device (thumb drive).”
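The rate figure quoted above (1,976 megabytes in 87 seconds) and the comparison with ISP and USB-2 throughput both come down to one forensic step: derive a transfer window from the modification timestamps preserved in a file listing, divide the byte total by it, and compare the result, in consistent units, against what the candidate channels can sustain. The block below is an added example and is not the investigators' tooling or anything from the article itself. The file listing is constructed so that it reproduces the article's totals; the Xfinity, Cox, speedtest and USB-2 figures are the ones quoted in the article; the gigabit-LAN figure is an assumption added for contrast. The `Entry`, `transfer_window`, `rate_mb_per_s`, `mb_per_s_to_mbit_per_s` and `feasible_links` names are this example's own.

```python
"""Derive a transfer rate from file-listing metadata and compare it, in
consistent units, against the sustained throughput of candidate links.

Added example for this article; not the investigators' own tooling.
The listing below is constructed, not the real DNC data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Decimal megabyte, the unit used in the article and by speedtest.net reports.
MB = 1_000_000


@dataclass(frozen=True)
class Entry:
    """One file from an archive listing (constructed data model)."""
    name: str
    size_bytes: int
    mtime: datetime  # last-modified timestamp carried in the listing


# Constructed listing: five files written within an 87-second window and
# totalling 1,976 MB, i.e. the figures quoted in the article.
EDT = timezone(timedelta(hours=-4))
T0 = datetime(2016, 7, 5, 18, 45, 0, tzinfo=EDT)
SAMPLE_LISTING = [
    Entry("mail-2015.pst", 600 * MB, T0),
    Entry("mail-2016.pst", 550 * MB, T0 + timedelta(seconds=20)),
    Entry("donors.xlsx", 26 * MB, T0 + timedelta(seconds=35)),
    Entry("research.zip", 400 * MB, T0 + timedelta(seconds=60)),
    Entry("memo.docx", 400 * MB, T0 + timedelta(seconds=87)),
]

# Sustained throughput of candidate channels, in MB/s.  The first four values
# are the figures quoted in the article; the LAN value is an assumption
# (1000 Mb/s theoretical line rate, i.e. 125 MB/s) added here for contrast.
REFERENCE_LINKS_MB_S = {
    "speedtest.net sample (article figure)": 11.8,
    "Xfinity average, 1H 2016 (article figure)": 15.6,
    "Cox average, 1H 2016 (article figure)": 14.7,
    "USB 2.0 flash drive (article figure)": 23.0,
    "Gigabit LAN, theoretical (assumption)": 125.0,
}


def transfer_window(entries):
    """Return (total_bytes, seconds) spanned by the earliest and latest mtime.

    Forensic caveat: this reading assumes the timestamps were set by the copy
    itself.  A copy that preserves source mtimes (many archivers and `cp -p`
    do) yields a window that says nothing about when the copy happened.
    """
    if not entries:
        raise ValueError("empty listing")
    total_bytes = sum(e.size_bytes for e in entries)
    earliest = min(e.mtime for e in entries)
    latest = max(e.mtime for e in entries)
    return total_bytes, (latest - earliest).total_seconds()


def rate_mb_per_s(total_bytes, seconds):
    """Average throughput in decimal megabytes per second."""
    if seconds <= 0:
        raise ValueError("window must be positive")
    return total_bytes / MB / seconds


def mb_per_s_to_mbit_per_s(mb_s):
    """ISP advertisements and speed tests report megabits; device copy
    speeds are usually shown in megabytes.  Mixing the two is the most
    common error when checking a rate claim, so convert explicitly."""
    return mb_s * 8


def feasible_links(required_mb_s, links=REFERENCE_LINKS_MB_S):
    """Names of links whose sustained throughput meets the required rate."""
    return [name for name, mb_s in links.items() if mb_s >= required_mb_s]


def analyze(entries):
    """Full check: window, rate in both unit systems, and feasible links."""
    total_bytes, seconds = transfer_window(entries)
    mb_s = rate_mb_per_s(total_bytes, seconds)
    return {
        "total_mb": total_bytes / MB,
        "seconds": seconds,
        "mb_per_s": mb_s,
        "mbit_per_s": mb_per_s_to_mbit_per_s(mb_s),
        "feasible_links": feasible_links(mb_s),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run as-is, the block reports 1976.0 MB over 87.0 s, about 22.7 MB/s (about 182 Mb/s), and lists only the USB 2.0 and LAN entries as able to sustain that rate. The unit conversion matters because a figure read off a speed-test page is normally in megabits, and an eightfold error in either direction changes the conclusion entirely.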

In three separate letters written to the NSA and to President Obama, they outlined blueprints of their forensic work in detail and argued that the hack theory was impossible based on the facts, and that a locally executed data transfer was the only likely explanation. In the final letter to Barack Obama dated January 17, three days before he left office, the group explained that the NSA’s known programs are fully capable of capturing all electronic transfers of data.

“We strongly suggest that you ask NSA for any evidence it may have indicating that the results of Russian hacking were given to WikiLeaks,” the letter said. “If NSA cannot produce such evidence—and quickly—this would probably mean it does not have any.”

Subsequently, Obama gave his last press conference as president, at which he delivered the official statement at the time on the DNC e-mail question. “The conclusions of the intelligence community with respect to the Russian hacking, were not conclusive.”

The report as published was based in facts supported by system documentation; it presented compelling evidence of a contrary theory to the official findings; and concluded plainly that the data in question could not have been uploaded by a remote actor using an Internet connection. It further presented evidence that the only way that data could have been transferred would have been through a direct connection to the server (aka, leak or theft, depending on your point of view).

That seems conclusive enough to me.

But if the NSA concluded that there was indeed a hack and that the Russians were responsible, then why haven’t they produced evidence to support that claim? It cannot be related to “national security” because every claim they have made regarding classified material in this matter is already fully known and available in the public domain.

Among at least a dozen other questions, I am confused as to why CrowdStrike, a well-respected cybersecurity forensics company, steadfastly avoids the issue of the recorded system facts. “We continue to stand by our report,” CrowdStrike said, upon seeing the blueprint of the investigation.

CrowdStrike in fact argues that by July 5 all malware had been removed from the DNC’s computers. But the presence or absence of malware by that time is entirely immaterial, because the event of July 5 is clearly proven to have been a leak (theft) and not a hack. Given that malware has nothing to do with that leak (theft), CrowdStrike’s logic is bewildering.

I can understand Obama’s desire to avoid the issue during his final moments in office, but I am having trouble understanding why the “ongoing investigation” into Russian hacking continues to … go on. Rosenstein’s indictment announcement on Friday clearly stated, “There’s no allegation in this indictment that any American citizen committed a crime. There’s no allegation that the conspiracy changed the vote count or affected any election result.”

The joker teased us with, “I have billions of eyes, yet I live in darkness. I have millions of ears, yet only four lobes. I have no muscle, yet I rule two hemispheres. What am I?”

I’m a simple man. I just want to know two things:

  1. Why does the FBI refuse to examine the DNC server to this day?
  2. Why does the FBI continue to refer to what is clearly a theft of data by an unknown local actor as a Russian hack?

More articles by Steve King, CISM, CISSP