Guccifer 2.0 - Game Over

[RandomGuy]

The report would be laughable, were it not for the fact that it is being played up for propaganda effect, bypassing logic and appealing directly to unexamined emotion. The 2016 election should have been a wake-up call for the Democratic Party. Instead, predictably enough, no self-examination has taken place, as the party doubles down on the neoliberal policies that have impoverished tens of millions, and backing military interventions that have sown so much death and chaos. Instead of thoughtful analysis, the party is lashing out and blaming Russia for its loss to an opponent that even a merely weak candidate would have beaten handily.

So let's put this information in perspective. Let's put on our critical thinking hats.

What I know:
Russia has both official and unofficial cyberwarfare capabilities. Unofficial capabilities are always very useful as it gives the primary actor plausible deniability. Pay sympathetic private parties to do dirty-work is one of the oldest tricks in the book.

The linked website in the OP obviously displays a sophisticated understanding of a skillset I do not possess.
The author has a very definite point of view, and that is very markedly anti-Clinton. It drips of scorn, in passages like the above, which is why alt-right websites have picked this up and ran with it.

In the full context of a nation-state actor with a clear capability and motive, one has to be skeptical to some degree of the analysis as presented, especially when one lacks the professional skillset to evaluate the technical aspects of the claims.

[RandomGuy]

A simple yes or no will not do.

No they did not have access to the full range of classified data. Yes they had full access to the CrowdStrike report that we know the FBI (and quite possibly the CIA) was forced to use for their assessment.

Have you read the original CrowdStrike report?
Have you read the dismantling of the original CrowdStrike report?
Have you read the revised CrowdStrike reports due to said dismantling?
Having read the above three do you still have the same confidence in the FBI's assessment in the DNI report?

So we don't have full access to the range of items.

I read through the Crowdstrike material. It earned some valid criticisms.

No, I do not have the same confidence in the FBI's assessment.

I still am, however, forced to accept their assessment, and am inclined to agree with it, given all available information that I have seen. Your linked article is something to assign some modest credibility to, but leaves a lot to be desired in terms of credibility itself, especially given the current information warfare environment.

[RandomGuy]

Cybersecurity analyst Robert Graham was particularly blistering in his assessment of the government’s report, characterizing it as “full of garbage.” The report fails to tie the indicators of compromise to the Russian government. “It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and maladvertising. It doesn’t mean every access of Yahoo is an ‘indicator of compromise’.” Graham compared the list of IP addresses against those accessed by his web browser, and found two matches. “No,” he continues. “This doesn’t mean I’ve been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage.” Graham goes on to point out that “what really happened” with the supposed Russian hack into the Vermont power grid “is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid)” is U.S. government “misinformation.” [27]

The DNC hacks have strong evidence pointing to Russia. Not only does all the malware check out, but also other, harder to "false flag" bits, like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this.

http://blog.erratasec.com/2017/03/a-...l#.WRNDb1XyuM8

[RandomGuy]

Again, I am at the mercy of the determinations of experts. This is outside my skillset.

People with more knowledge, and more information than I can possibly have available, barring re-entering the intelligence community, have reached a fairly strong conclusion.

The OP material does not outweigh that.

[TSA]

Reading all of your material requires more time than I have available, and exceeds my interest bandwidth for the minutae.

Does seem like there is a decided effort afoot in the rightwing blogosphere to pick apart the Crowdstrike report, based on the sheer number of links that came up when I did a search for "Crowdstrike repor

Saw a few things that looked like the report, but if you have a quick link or two that might help.

I have some financial analyses I have to knock out today, but if you could provide a specific link I will get reading.

Guardian, The Intercept, tech dirt, tech crunch, ars technica aren't rightwing blogosphere.

[TSA]

http://blog.erratasec.com/2017/03/a-...l#.WRNDb1XyuM8

Robert Graham is all over the place.

http://blog.erratasec.com/2017/01/de...1#.WItOqlUrKM8

[RandomGuy]

Robert Graham is all over the place.

http://blog.erratasec.com/2017/01/de...1#.WItOqlUrKM8

LOL TSA

http://blog.erratasec.com/2017/01/de...1#.WItOqlUrKM8
Tuesday, January 03, 2017
"Obama, release the data so we can look at it ourselves, otherwise your claims aren't credible"

http://blog.erratasec.com/2017/03/a-...l#.WRNDb1XyuM8
Wednesday, March 08, 2017
"I looked at the data and the evidence is pretty strong that Russia did it."

Sure, he's all over the place.

[RandomGuy]

Look on the Brightside TSA... at least Obamacare will cover that burn, for now.

[TSA]

LOL TSA




Sure, he's all over the place.

Graham provides no evidence for his below claim. And he's dismissing it being a CIA false flag. The OP does not make that claim.

"The DNC hacks have strong evidence pointing to Russia. Not only does all the malware check out, but also other, harder to "false flag" bits, like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this"


The OP actually took the time to back his claim and did so with great detail.

[RandomGuy]

The OP actually took the time to back his claim and did so with great detail.

Do you have the technical expertise to evaluate that detail?

How have you ruled out that something important, yet vital, got missed?

How have you ruled out that something important, yet vital, was deliberately withheld?

Graham was cited by your own OP's author, which I would assume assigns some credibility. He seems knowledgeable enough to accept as such.

[RandomGuy]

Was this author's review of "Guccifer 2.0"'s activities the sum total of the evidence that Russia hacked the DNC?

My understanding is that there were two different episodes and actors doing so.

[TSA]

Was this author's review of "Guccifer 2.0"'s activities the sum total of the evidence that Russia hacked the DNC?

My understanding is that there were two different episodes and actors doing so.

OP was just on 2.0

[RandomGuy]

OP was just on 2.0

So, your whole thing here is based on part of the evidence, and nothing on the classified supporting the report.

Gotcha.

[TSA]

So we don't have full access to the range of items.

I read through the Crowdstrike material. It earned some valid criticisms.

No, I do not have the same confidence in the FBI's assessment.

I still am, however, forced to accept their assessment, and am inclined to agree with it, given all available information that I have seen. Your linked article is something to assign some modest credibility to, but leaves a lot to be desired in terms of credibility itself, especially given the current information warfare environment.

Updates from same author


Guccifer 2.0: Game Over - Intent Concluded

This page covers conclusions that relate to the evidence highlighted here and here.

If you don't know about the RTF/RSID evidence already - please read this first.

Having seen the initial evidence of intent - we know that the first 3 do ents were all created from the same blank Russian-language template and that contents from original do ents were then copied into each at a later stage.

Now we can take a look at the metadata - and see that it corroborates and helps provide more detail to what we know about the process used.

File Created By Time Modified By Time
1.doc Warren Flood 1:38pm Феликс Эдмундович 2:08pm
2.doc Warren Flood 1:38pm Феликс Эдмундович 2:11pm
3.doc Warren Flood 1:38pm Феликс Эдмундович 2:12pm
We can see that a copy of MS-Word registered to "Warren Flood" was apparently used to create all 3 do ents at the same time, this would seem odd usually - but we know he was just saving a tainted blank template as multiple files.

We then see that "Феликс Эдмундович" (the founder of the soviet secret police and someone who has been deceased for 90 years!) opens the files in sequence 30 minutes later, doing something (copying in the contents from original do ents into the blank 'pre-tainted' template) and then saving the files, within the space of a few minutes.

SUMMARY: The files were constructed from the same template do ent with a Russian stylesheet entry in it and then each file, in sequence, was opened to add a secondary layer (writing the Russian name to metadata) when content was copied into them. - TWO layers of Russian "fingerprints", with one existing in the do ents even before the main content was present in them!

Guccifer 2.0, from day one, was intending to be identified as a Russian and knew anything he could forge a perceived attribution with would later be easy to discredit because of their association with the 'Russian Hacker' persona.

Update March 18th: u/tvor_22 has confirmed that there are no textual differences between these files and the original files they were copied from. - So, it seems the only reason for the edit was pasting the content in and placing the Russian name.

1.doc did have some additional errors in Russian language but these are likely to be errors generated when pasting in the do ent between 2:08 and 2:11 (the 2nd phase) due to the process of converting a modern .docx file's content into the RTF format.
This research has been shared with a few independent security experts and they too have struggled to find any reasonable & substantiated alternative explanations for what we have discovered.

Everything we have shown you on RTF/RSID & metadata can be CHECKED and VERIFIED by ANYONE independently and immediately!

WHAT YOU HAVE BEEN TOLD FOR THE LAST 9 MONTHS IS NOT WHAT THE EVIDENCE SUPPORTS

http://g-2.space/intent-conclusion.html

[RandomGuy]

Updates from same author


Guccifer 2.0: Game Over - Intent Concluded

This page covers conclusions that relate to the evidence highlighted here and here.

If you don't know about the RTF/RSID evidence already - please read this first.

Having seen the initial evidence of intent - we know that the first 3 do ents were all created from the same blank Russian-language template and that contents from original do ents were then copied into each at a later stage.

Now we can take a look at the metadata - and see that it corroborates and helps provide more detail to what we know about the process used.

File Created By Time Modified By Time
1.doc Warren Flood 1:38pm Феликс Эдмундович 2:08pm
2.doc Warren Flood 1:38pm Феликс Эдмундович 2:11pm
3.doc Warren Flood 1:38pm Феликс Эдмундович 2:12pm
We can see that a copy of MS-Word registered to "Warren Flood" was apparently used to create all 3 do ents at the same time, this would seem odd usually - but we know he was just saving a tainted blank template as multiple files.

We then see that "Феликс Эдмундович" (the founder of the soviet secret police and someone who has been deceased for 90 years!) opens the files in sequence 30 minutes later, doing something (copying in the contents from original do ents into the blank 'pre-tainted' template) and then saving the files, within the space of a few minutes.

SUMMARY: The files were constructed from the same template do ent with a Russian stylesheet entry in it and then each file, in sequence, was opened to add a secondary layer (writing the Russian name to metadata) when content was copied into them. - TWO layers of Russian "fingerprints", with one existing in the do ents even before the main content was present in them!

Guccifer 2.0, from day one, was intending to be identified as a Russian and knew anything he could forge a perceived attribution with would later be easy to discredit because of their association with the 'Russian Hacker' persona.

Update March 18th: u/tvor_22 has confirmed that there are no textual differences between these files and the original files they were copied from. - So, it seems the only reason for the edit was pasting the content in and placing the Russian name.

1.doc did have some additional errors in Russian language but these are likely to be errors generated when pasting in the do ent between 2:08 and 2:11 (the 2nd phase) due to the process of converting a modern .docx file's content into the RTF format.
This research has been shared with a few independent security experts and they too have struggled to find any reasonable & substantiated alternative explanations for what we have discovered.

Everything we have shown you on RTF/RSID & metadata can be CHECKED and VERIFIED by ANYONE independently and immediately!

WHAT YOU HAVE BEEN TOLD FOR THE LAST 9 MONTHS IS NOT WHAT THE EVIDENCE SUPPORTS

http://g-2.space/intent-conclusion.html

So there were some copy/pasting errors? That is proof positive of what exactly? Be specific.


How have you evaluated that this is more credible than publicly available statements by the US intelligence community?

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and ins utions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process. Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there. We believe, based on the scope and sensitivity of these efforts, that only Russia's senior-most officials could have authorized these activities.

Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company. However, we are not now in a position to attribute this activity to the Russian Government. The USIC and the Department of Homeland Security (DHS) assess that it would be extremely difficult for someone, including a nation-state actor, to alter actual ballot counts or election results by cyber attack or intrusion. This assessment is based on the decentralized nature of our election system in this country and the number of protections state and local election officials have in place. States ensure that voting machines are not connected to the Internet, and there are numerous checks and balances as well as extensive oversight at multiple levels built into our election process.

[RandomGuy]

"This research has been shared with a few independent security experts and they too have struggled to find any reasonable & substantiated alternative explanations for what we have discovered."

This stands out to me.

Conspiracy theorists rely on this kind of flawed logic all the time.

This is called a "argument from ignorance" fallacy.

"I don't know what the explanation is, so therefore the explanation must be X".

Argument from Ignorance

ad ignorantiam

(also known as: appeal to ignorance)

Description: The assumption of a conclusion or fact based primarily on lack of evidence to the contrary. Usually best described by, “absence of evidence is not evidence of absence.”

Logical Forms:

X is true because you cannot prove that X is false.
X is false because you cannot prove that X is true.
Example #1:

Although we have proven that the moon is not made of spare ribs, we have not proven that its core cannot be filled with them; therefore, the moon’s core is filled with spare ribs.

[monosylab1k]

I know it's game over and all but it just doesn't feel like it, fwiw tbh imho

[TSA]

So there were some copy/pasting errors? That is proof positive of what exactly? Be specific.


How have you evaluated that this is more credible than publicly available statements by the US intelligence community?

More than just copy/paste errors. The Russian "fingerprints" were purposely put there. Do you really find it plausible Russia's highly sophisticated state run hacking groups would leave these easily found breadcrumbs to expose themselves?



SUMMARY: The files were constructed from the same template do ent with a Russian stylesheet entry in it and then each file, in sequence, was opened to add a secondary layer (writing the Russian name to metadata) when content was copied into them. - TWO layers of Russian "fingerprints", with one existing in the do ents even before the main content was present in them!

Guccifer 2.0, from day one, was intending to be identified as a Russian and knew anything he could forge a perceived attribution with would later be easy to discredit because of their association with the 'Russian Hacker' persona.


The statements from the USIC don't do much for me as they do not go into any detail on attribution other than saying they are consistent with Russian methods. Also the vault 7 release by Wikileaks showed how just how easy it was to "fake" attribution to another actor.

[RandomGuy]

Quote Originally Posted by RandomGuy

So there were some copy/pasting errors? That is proof positive of what exactly? Be specific.


How have you evaluated that this is more credible than publicly available statements by the US intelligence community?

More than just copy/paste errors. The Russian "fingerprints" were purposely put there. Do you really find it plausible Russia's highly sophisticated state run hacking groups would leave these easily found breadcrumbs to expose themselves?



SUMMARY: The files were constructed from the same template do ent with a Russian stylesheet entry in it and then each file, in sequence, was opened to add a secondary layer (writing the Russian name to metadata) when content was copied into them. - TWO layers of Russian "fingerprints", with one existing in the do ents even before the main content was present in them!

Guccifer 2.0, from day one, was intending to be identified as a Russian and knew anything he could forge a perceived attribution with would later be easy to discredit because of their association with the 'Russian Hacker' persona.


The statements from the USIC don't do much for me as they do not go into any detail on attribution other than saying they are consistent with Russian methods. Also the vault 7 release by Wikileaks showed how just how easy it was to "fake" attribution to another actor.

So you don't know what the relevance of the copy/paste errors is, and this provided link just addresses part of the evidence of hacking.

What other possible explanations for those copy/paste errors, or alternatively data aspect (may not have even been an error, no data as to intent was presented), have you considered?

[TSA]

So you don't know what the relevance of the copy/paste errors is, and this provided link just addresses part of the evidence of hacking.

What other possible explanations for those copy/paste errors, or alternatively data aspect (may not have even been an error, no data as to intent was presented), have you considered?

Everything on RTF/RSID & metadata can be checked and verified. I don't know enough about it so I'm not going to bother. You should check it out for yourself.

[RandomGuy]

So you don't know what the relevance of the copy/paste errors is, and this provided link just addresses part of the evidence of hacking.

What other possible explanations for those copy/paste errors, or alternatively data aspect (may not have even been an error, no data as to intent was presented), have you considered?

Everything on RTF/RSID & metadata can be checked and verified. I don't know enough about it so I'm not going to bother. You should check it out for yourself.

So:

1. you don't know what the relevance of the copy/paste errors is,
2. the provided link just addresses part of the evidence of hacking, and
3. you haven't looked into anything in the link you provided to see if the claims about the data might be explained by something other than a cover up by some secret person at the DNC.

I am content to accept that the features of the data are there, on a tentative basis, since the person doing the claiming appears to be technically competent. That seems reasonable to me.

I am, however, not the one making claims based on this material. You are.

It is your responsibility to show that you did the legwork on this to see if the conclusions drawn by your expert are good ones, not mine. There are, further, reasons to be more than a little skeptical of their conclusions, reasons that you appear to have actively ignored.

Sorry.

As I said, what you provided doesn't go nearly as far as you think it does.

[TSA]

So:

1. you don't know what the relevance of the copy/paste errors is,
2. the provided link just addresses part of the evidence of hacking, and
3. you haven't looked into anything in the link you provided to see if the claims about the data might be explained by something other than a cover up by some secret person at the DNC.

I am content to accept that the features of the data are there, on a tentative basis, since the person doing the claiming appears to be technically competent. That seems reasonable to me.

I am, however, not the one making claims based on this material. You are.

It is your responsibility to show that you did the legwork on this to see if the conclusions drawn by your expert are good ones, not mine. There are, further, reasons to be more than a little skeptical of their conclusions, reasons that you appear to have actively ignored.

Sorry.

As I said, what you provided doesn't go nearly as far as you think it does.

Honestly I haven't read the whole thing again since we last discussed it. I will try to get back around to it soon.

[monosylab1k]

[RandomGuy]

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many en ies out there the Russians specifically targeted in that time frame?

COMEY: It's hundreds. I suppose it could be more than 1,000, but it's at least hundreds.

BURR: When did you become aware that data had been exfiltrated?

COMEY: I'm not sure exactly. I think either late '15 or early '16.

BURR: And did you, the director of the FBI, have conversations with the last administration about the risk that this posed?

COMEY: Yes.

BURR: And share with us, if you will, what actions they took.

COMEY: Well, the FBI had already undertaken an effort to notify all the victims, and that's what we consider the en ies attacked as part of this massive spear-phishing campaign so we notified them in an effort to disrupt what might be ongoing, and then there was a series of continuing interactions with en ies through the rest of '15 into '16, and then throughout '16, the administration was trying to decide how to respond to the intrusion activity that it saw.

[TSA]

More than just copy/paste errors. The Russian "fingerprints" were purposely put there. Do you really find it plausible Russia's highly sophisticated state run hacking groups would leave these easily found breadcrumbs to expose themselves?



SUMMARY: The files were constructed from the same template do ent with a Russian stylesheet entry in it and then each file, in sequence, was opened to add a secondary layer (writing the Russian name to metadata) when content was copied into them. - TWO layers of Russian "fingerprints", with one existing in the do ents even before the main content was present in them!

Guccifer 2.0, from day one, was intending to be identified as a Russian and knew anything he could forge a perceived attribution with would later be easy to discredit because of their association with the 'Russian Hacker' persona.


The statements from the USIC don't do much for me as they do not go into any detail on attribution other than saying they are consistent with Russian methods. Also the vault 7 release by Wikileaks showed how just how easy it was to "fake" attribution to another actor.

More updates

https://www.reddit.com/r/The_Donald/..._dnc/?sort=new