Why Some U.S. Ex-Spies Don't Buy the Russia Story

[Shadowmelded]

This article from the Washington Post states that a 'story' casts doubt on Russian hack of the DNC.
https://www.washingtonpost.com/ampht...n-hack-of-dnc/

And one from the New York Post stating the DNC hack was an inside job.
https://www.nypost.com/2017/08/15/ne...ot-russia/amp/

Both links here are based on an article that first appeared in Gateway Pundit.

Twitter thread from someone who works in InfoSec;

THREAD: Just saw this posted by gateway pundit. TL;DR version: This analysis is complete bunk.
I've worked on forensics for multiple hacks, some of them carried out by foreign (state) adversaries.
The rate of the initial copy at the file level is meaningless. Hackers will compromise one or more machines and use them to scan for data.
It is common for data that they identify to be useful to be staged on one of the compromised machines (copied over LAN) before exfiltration
i.e. they'll copy from file servers to a hacked machine, then compress & encrypt it there before sending over the internet.
The really skilled ones trickle out the data slowly, so they don't want it disappearing from the file server before they're done.
So yes, the initial copy WILL be much faster since it's local. But any real infosec person or actual hacker knows that tells you NOTHING.
It's obvious that this "professional" doesn't really know how data exfiltration works in practice, and this is a desperate deflection. /END
PS: There are a variety of reasons to stage data first. One is to guard against access being cut off before the transfer is complete. 1/6
Esp. important if you're automatically snagging files and want to manually filter before sending. You'd stage, prune, then compress 2/6
for transfer (compression is key to keep vol. lower). Using encrypted archive also helps evade detection by net sniffing DLP tools. 3/6
Many payloads include a rar tool, quite popular as it can encrypt and divide archives into even sized chunks for easier xfer. 4/6
Use of *nix-like command-line tools not surprising; they are easy to manage through a C&C channel sending commands to run silently. 5/6
Don't see any evidence Linux was used on the sender side; 'cp' mtime chg is not convincing, commonly used toolkits do this on Win too. 6/6

[BrerBear]

This whole Forensicator and his group's analysis was bullshit anyways. Only two parts to it:
1) Because there are no logs, it tried to use last modified timestamps to make its case. Yes, those same timestamps that are easily or even accidentally touched/changed and rely on the clock of the different host computers. (And forgetting that the file was likely staged to other machines before transfer, see post above.)
2) The ridiculous idea that US intelligence has records of all Internet traffic everywhere, therefore if they didn't produce logs of this file going to Russian servers that claim must be a lie. Yes, just that stupid.

This was a pretty lame attempt to get non-IT people to believe a bunch of official-sounding but ridiculous analysis.

[Edge-]

This was a pretty lame attempt to get non-IT people to believe a bunch of official-sounding but ridiculous analysis.

Soo...



?

[BrerBear]

Soo...



?

Yup, pretty much that.

[Ripster42]

Soo...



?

No no, more like this:

[Shalcker]

This whole Forensicator and his group's analysis was bullshit anyways. Only two parts to it:
1) Because there are no logs, it tried to use last modified timestamps to make its case. Yes, those same timestamps that are easily or even accidentally touched/changed and rely on the clock of the different host computers. (And forgetting that the file was likely staged to other machines before transfer, see post above.)

Can you show plausible scenario which would produce observed timestamps by "accidentally touching them" that would not be copying, and would lead to same conclusion with calculated transfer rate?

To me it looks like you're bullshitting in other direction - exploiting same unfamiliarity with IT to those who seek confirmation of "Russian hack".

And noone "forgets" that files were staged "to other machines" - that scenario just doesn't hold with given data; as far as i remember they do mention different system with different local time was used to produce archive.

[Orbitus]

Can you show plausible scenario which would produce observed timestamps by "accidentally touching them" that would not be copying, and would lead to same conclusion with calculated transfer rate?

To me it looks like you're bullshitting in other direction - exploiting same unfamiliarity with IT to those who seek confirmation of "Russian hack".

And noone "forgets" that files were staged "to other machines" - that scenario just doesn't hold with given data; as far as i remember they do mention different system with different local time was used used to produce archive.

Here comes the Russian apologist trying to change the story.

[Shalcker]

Here comes the Russian apologist trying to change the story.

Fighting bullshit with more bullshit is bad strategy.

[jakeic]

Soo...



?

it's like they copied that line right off the "Visual Basic for Dummies" cover.

[xChurch]

If it's all made up, why is it so damn hard for Trump to say anything negative about Putin or Russia? It's the one thing I just can't get over since it should be the easiest thing in the world at some times.

[Mormolyce]

We're necroing this?

I thought conspiracy theories were against the forum rules...

[Masark]

Veteran Intelligence Professionals for Sanity.

So people found an organisation, and they feel they really need 'for Sanity' in its name.

Sounds almost as trustworthy as Swift Boat Veterans for Truth.

[Orbitus]

Fighting bullshit with more bullshit is bad strategy.

Except this story has been debunked SEVERAL TIMES already. The Russian hacking story has more backing to it than this bullshit story. But, why am I not surprised a Putin apologist is defending Putin?

[Allybeboba]

Why does anyone still link the NY Post?
What's next, The Enquirerer?

Why not attack the source instead of story right?
Four different sources were given to suit different tastes my friend.
Enjoy your week everyone.

[Belize]

Why not attack the source instead of story right?
Four different sources were given to suit different tastes my friend.
Enjoy your week everyone.

Because when all the stories out of a source are garbage, it's easier to throw away the source.

I'm just trying to make your life easier, why can't you just be grateful for once. Gosh.

[Orbitus]

Why not attack the source instead of story right?
Four different sources were given to suit different tastes my friend.
Enjoy your week everyone.

All of the sources were using the one article that has already been debunked. And that article uses a Gateway Pundit link. Gateway Pundit will do anything to make the right wing look like the good guys. That includes trying to excuse away an attack by the Russians. Simply because their, and apparently your guy won.

[Shalcker]

Except this story has been debunked SEVERAL TIMES already.

What exactly out of all claims is debunked though?

Can you tell?

Behaviour of Unix cp utility is obviously true, and consistent with observed timestamps.

[Orbitus]

What exactly out of all claims is debunked though?

Can you tell?

Behaviour of Unix cp utility is obviously true, and consistent with observed timestamps.

Everything. I had a faster connection than what was claimed in this story, I could have downloaded it faster than 87 seconds. And if you read the twitter thread posted by Shadowmelded at the top of the page, that guy knows what he is talking about. And it is clear you have no fucking clue what you are talking about. So I will go with him over a Putin Apologist.

[Slant]

Yeah, well, it right says there that one of the platforms they get a lot attention from is ZeroHedge, a platform that as a typical mission of theirs, praise everyone that is not the US and EU. A classic sheeple waker platform...which usually means a very Putin-friendly slant

I'm never Putin friendly...

[Shalcker]

Everything. I had a faster connection than what was claimed in this story, I could have downloaded it faster than 87 seconds.

Are you sure you're not mistaking bits and bytes? That seems to be common mistake of those claiming to have "faster connection", and one byte is 8 bits in this particular case.

100 Megabit internet connection (i have this) would only allow 12.5 Megabyte per second transfer rate max (probably a bit below that due to protocol overhead).

And if you read the twitter thread posted by Shadowmelded at the top of the page, that guy knows what he is talking about. And it is clear you have no fucking clue what you are talking about.

So, you have gigabit internet connection? Really?

How much do those cost in US?