"MEMORANDUM FOR: The President
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Was the “Russian Hack” an Inside Job?
Executive Summary
Forensic studies of “Russian hacking” into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to DNC computers, and then doctored to incriminate Russia.
After examining metadata from the “Guccifer 2.0” July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device, and that “telltale signs” implicating Russia were then inserted.
Key among the findings of the independent forensic investigations is the conclusion that the DNC data was copied onto a storage device at a speed that far exceeds an Internet capability for a remote hack. Of equal importance, the forensics show that the copying and doctoring were performed on the East coast of the U.S. Thus far, mainstream media have ignored the findings of these independent studies [see here and here].
Independent analyst Skip Folden, a retired IBM Program Manager for Information Technology US, who examined the recent forensic findings, is a co-author of this Memorandum. He has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers,” and sent it to the offices of the Special Counsel and the Attorney General. VIPS member William Binney, a former Technical Director at the National Security Agency, and other senior NSA “alumni” in VIPS attest to the professionalism of the independent forensic findings.
The recent forensic studies fill in a critical gap. Why the FBI neglected to perform any independent forensics on the original “Guccifer 2.0” material remains a mystery – as does the lack of any sign that the “hand-picked analysts” from the FBI, CIA, and NSA, who wrote the “Intelligence Community Assessment” dated January 6, 2017, gave any attention to forensics." VIPS
-------------
This makes a good "for the record" summary. pl
https://consortiumnews.com/2017/07/24/intel-vets-challenge-russia-hack-evidence/
If it is so then we are all in deep dodoo on Planet Earth.
Posted by: Balint Somkuti, PhD | 31 July 2017 at 12:32 PM
Sir,
I don't see how there can be any resolution to the "alleged Russian hacking of the election" and "Trump colluded with the Russians to steal the election" memes, unless all federal government information around these matters is de-classified and released. Everyone will confirm their own biases with whatever story gets published in this opaque information environment. This is part and parcel of what Alastair Crooke notes is the self-destruction of the "center".
https://consortiumnews.com/2017/07/28/how-the-center-is-spinning-apart/
"...the disputed vision which encapsulates the present U.S. civil stand-off: On the one side, the notion that diversity, freely elected sexual orientation, and identity rights, equals societal cohesion and strength. Or, on the other hand, the vision encapsulated by Pat Buchanan: that a nation (including its new-comers) are bound more by the possession of a legacy of memories, a heritage of manners, customs and culture, and an attachment to a certain “way-of-being,” and principles of government. And it is this that constitutes the source of a nation’s strength."
Posted by: Jack | 31 July 2017 at 01:04 PM
This is excellent work. Big kudos to VIPS. Thank you for sharing.
Posted by: Greco | 31 July 2017 at 01:33 PM
Do we know whether or not President Trump actually received and read the memo?
Posted by: Eric Newhill | 31 July 2017 at 02:00 PM
Meanwhile, a story of the greatest cybersecurity breach has been ignored by the MSM.
"The Awan brothers had complete and direct access to information of three extremely sensitive committees: The House Permanent Select Committee on Intelligence, the Homeland Security Committee, and the House Foreign Affairs Committee."
http://www.zerohedge.com/news/2017-05-23/congressional-aides-fear-suspects-it-breach-are-blackmailing-members-their-own-data
"...on March 22, 2016, eight democrat members of the House Permanent Select Committee on Intelligence issued a letter, requesting that their staffers [Awan brothers] be granted access to Top Secret Sensitive Compartmented Information (TS/SCI)."
https://californiajimmy.com/2017/05/22/muslim-awan-bros-may-blackmailing-dem-congress-members-may-22-2017/
https://spectator.org/the-invisible-awan-brothers-scandal/
Posted by: Anna | 31 July 2017 at 02:01 PM
Colonel,
You're absolutely right.
For the record it is; for the record it'll remain. No mountain of evidence can turn the Russia hack freak show into a debate over facts.
Posted by: Emad | 31 July 2017 at 02:44 PM
Balint,
Debbie Wasserman-Schultz certainly is, though there is nary a peep out of the MSM over her IT staff member transferring a third of a million dollars to Pakistan, a country his wife already fled to, before being caught at the airport by police. With $12,000 in cash on hand too. I wonder if the congresswoman was 'colluding', a victim of extortion or just plain stupid? Then there is the question of who shot Seth Rich and why.
Posted by: Fred | 31 July 2017 at 02:48 PM
The Pakistani IT guys Wasserman-Schultz hired (starting in 2004 - that will have legs) had a lot of access, reportedly including TS/SCI and Debbie's iPad. It would be a neat trick if they used her as the vehicle to gain trusted access to the DNC network and her iPad to download DNC data. She would even bring it back to them on the Hill. Very convenient.
Binney has been adamant since the beginning this was not a Russian web based hack. He was sure NSA would have seen the traffic and we would have heard about it one way or another if they had. NSA's "Moderate Confidence" in CIA's conclusions also seems to be damning with faint praise.
Posted by: Lefty | 31 July 2017 at 03:08 PM
Off-topic, but timely in regard to the General and the Mooch: https://tinyurl.com/ybqo5ffv
Trump fires the Mooch.
Posted by: Haralambos | 31 July 2017 at 03:22 PM
General kicked the Mooch out on the first day; happy to see that. The fewer sleazy Goldmaniers, the better for the deplorables.
Posted by: Kooshy | 31 July 2017 at 03:27 PM
This firing was the general'
Posted by: Kooshy | 31 July 2017 at 03:28 PM
It is a sorry state of affairs when various conspiracy theories are given prominence. It is starting to look like a repeat of "Who Killed Kennedy?" Something that is still alive.
It is a good sign that Scaramucci did not survive the first day of Gen. Kelly on the job. Whether that is enough is questionable since it is rather apparent where the main problem is.
The Chinese knew what they were talking about when they mentioned "living in interesting times". It seems we are very much there nowadays.
Posted by: Lars | 31 July 2017 at 06:26 PM
Unfortunately VIPS built this assessment on the evidence provided by the Forensicator concerning a file in possession of Guccifer 2.0. The key finding was printed in bold by VIPS in their letter. Their claim that a remote hack could not have been the source of the info was based on the belief that the data was copied "at a speed that far exceeds an Internet capability for a remote hack." Richardstevenhack and I had a vigorous conversation about this under one of Publius Tacitus' posts (What are the Democrats hiding?). My point was that a remote hack can easily achieve those speeds, and I provided an example from my experiences that achieved those speeds of data transfer. I did this fifteen years ago and did it on a regular basis.
Scott Ritter wrote a column addressing the VIPS letter. Although he fully agrees that the government explanation is totally insufficient, he notes the VIPS forensic evidence is equally insufficient. He contacted the Forensicator who backtracked on his claims. "They [the forensic analysts] have stated that there is no way to use the available metadata to determine where the copying of the data was done. In short, one cannot state that this data proves Guccifer 2.0 had direct access to the DNC server or that the data was located in the DNC when it was copied on July 5, 2016. These same analysts also note that the July 5 date that is pervasive on the metadata probably overwrote all prior modification times, meaning it is impossible to ascertain if there were any prior copy operations." Ritter noted other problems in the VIPS letter.
http://www.truthdig.com/report/item/time_to_reassess_roles_of_guccifer_20_and_russia_in_dnc_hack_20170727
So the VIPS screwed the pooch on this one just like CrowdStrike screwed the pooch on their analysis of the Ukrainian artillery app. Neither was totally wrong, but they did make serious errors. I have no reason to doubt the professionalism and dedication of those in VIPS. They just made a mistake. I feel the same way about the dedicated professionals of CrowdStrike. All this also points to a key point noted by Ritter and others. There is no forensic data in the public domain to prove anybody's claims. In fact there is no publicly available data of any kind to prove the government's claim. So the wisest words on the subject belong to Jeffrey Carr. "I encourage my colleagues to leave attribution to the FBI and the agencies of the Intelligence Community, and I implore everyone else to ask for proof, even from the U.S. government, whenever you read a headline that places blame on a foreign government for an attack in cyberspace."
Posted by: The Twisted Genius | 31 July 2017 at 06:57 PM
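The "transfer speed" inference that the VIPS memo and TTG's reply argue over rests on reading the modification times in a file listing as the completion times of one bulk copy. The following is an added example, not code from VIPS, the Forensicator, or any commenter here; the file names, sizes and times in SAMPLE are constructed, not the Guccifer 2.0 data, and the link capacities are nominal values for comparison only. It shows how the rate is derived from such a listing, which nominal links could sustain that rate, and that whether an mtime survives a copy at all depends on the copy tool: shutil.copy sets it to the copy time, shutil.copy2 preserves it. A listing whose mtimes all cluster on one date is what a non-preserving copy produces, and it says nothing about copies that happened earlier.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class Entry:
    """One file in a directory listing: size in bytes, mtime in epoch seconds."""
    name: str
    size: int
    mtime: float


# Constructed listing (not the Guccifer 2.0 files): four files whose
# modification times all fall within a few seconds of 2016-07-05 00:00 UTC.
T0 = 1467676800.0
SAMPLE = [
    Entry("report-1.docx", 10_000_000, T0 + 0.0),
    Entry("report-2.docx", 20_000_000, T0 + 1.0),
    Entry("report-3.xlsx", 30_000_000, T0 + 3.0),
    Entry("report-4.pdf", 40_000_000, T0 + 5.0),
]

# Nominal link capacities in Mbit/s used only for the comparison below.
LINKS_MBIT = {
    "Fast Ethernet (100 Mbit/s)": 100,
    "USB 2.0 nominal (480 Mbit/s)": 480,
    "Gigabit Ethernet (1000 Mbit/s)": 1000,
}


def implied_rate_bytes_per_s(entries):
    """Rate implied by the mtimes if, and only if, each mtime is the moment a
    single sequential bulk copy finished writing that file. The first file's
    bytes were written before its mtime, so they are left out of the total."""
    ordered = sorted(entries, key=lambda e: e.mtime)
    elapsed = ordered[-1].mtime - ordered[0].mtime
    if elapsed <= 0:
        raise ValueError("need at least two distinct completion times")
    transferred = sum(e.size for e in ordered[1:])
    return transferred / elapsed


def links_that_could_sustain(rate_bytes_per_s):
    """Names of the links whose nominal capacity is at least the implied rate."""
    rate_mbit = rate_bytes_per_s * 8 / 1e6
    return [name for name, cap in LINKS_MBIT.items() if cap >= rate_mbit]


def mtime_after_copy(preserve):
    """Copy a file whose mtime was set to an old value, with shutil.copy2
    (preserve=True, mtime kept) or shutil.copy (preserve=False, mtime becomes
    the copy time). Returns (source mtime, copy mtime)."""
    old = 1_000_000_000.0  # constructed: 2001-09-09 UTC
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "src.bin")
        dst = os.path.join(d, "dst.bin")
        with open(src, "wb") as f:
            f.write(b"x" * 4096)
        os.utime(src, (old, old))
        (shutil.copy2 if preserve else shutil.copy)(src, dst)
        return os.stat(src).st_mtime, os.stat(dst).st_mtime


if __name__ == "__main__":
    rate = implied_rate_bytes_per_s(SAMPLE)
    print(f"implied rate: {rate / 1e6:.1f} MB/s = {rate * 8 / 1e6:.0f} Mbit/s")
    print("links that could sustain it:", links_that_could_sustain(rate))
    for preserve in (False, True):
        src_m, dst_m = mtime_after_copy(preserve)
        print(f"preserve={preserve}: source mtime {src_m:.0f}, copy mtime {dst_m:.0f}")
```

The rate function encodes one assumption and nothing more: parallel transfers, write caching, and tools that set the mtime at open rather than at close all break it, and a rate that falls inside more than one link's capacity does not by itself distinguish a local device from a network path.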
For those thinking the Kelly/Mooch selections were about going to war - you're probably right. It's just not the war you were thinking of:
"The departments of State and Defense have drafted a proposal to send Ukraine weapons to help in its fight against Russia-backed separatists, The Wall Street Journal reported Monday.
The proposal reportedly recommends sending antitank missiles and other armaments, which American military and diplomatic officials say would be used for defensive purposes as Kiev fights back against rebels in its eastern region widely believed to be supported by Moscow."
http://thehill.com/homenews/administration/344652-report-pentagon-state-dept-draft-plan-to-send-weapons-to-ukraine
Given the indecision about the course in Afghanistan, I'll go with Kelly wanting another surge. Or maybe a lighter fair... Venezuela is in some real need for some Nation Building.
Posted by: Fellow Traveler | 31 July 2017 at 06:59 PM
Colonel,
It is admirable for the VIPS to do this.
However, I would not be so sure about this statement (from Disobedientmedia):
"an independent researcher known as The Forensicator, which suggests that files eventually published by the Guccifer 2.0 persona were likely initially downloaded by a person with physical access to a computer possibly connected to the internal DNC network. The individual most likely used a USB drive to copy the information. The groundbreaking new analysis irrevocably destroys the Russian hacking narrative, and calls the actions of Crowdstrike and the DNC into question."
I don't think the analysis by "The Forensicator" can be fully trusted as independent (unless the VIPS know this Forensicator personally) or groundbreaking (the analysis is not that good). The author(s) seem to be biased toward the conclusion that the files were copied locally. I'm not saying there is any motive. I'd just like to point out that many conclusions in that analysis could be interpreted a different way.
Posted by: TonyL | 31 July 2017 at 07:44 PM
Yea, NOW the intel vets are important.
Posted by: raven | 31 July 2017 at 07:52 PM
Kooshy, another take: It's a four-lane road. Mooch was Trump's hit man from the start. Day one he slapped McConnell and his RNC daisy chain Republicans by thumping Priebus in broad daylight. Kelly's hands never touched his pockets..not once. Mooch was a walk-on. McConnell & the RNC got slapped on MSM. But does it really all matter..or is it just more diversion? Okay, for what? Ivanka 16 years out? Is there a serious "what"? Punt.
Posted by: Hood Canal Gardner | 31 July 2017 at 09:11 PM
I'm waiting to hear TTG's take on this.
Posted by: Larry Kart | 31 July 2017 at 10:21 PM
HCG
IMO an interesting fantasy. The Occam explanation is that, as I wrote earlier, the Mooch is Trump's Trump, but he threw him under the bus when Kelly demanded it as a pre-condition for taking the job. The problem with this from Kelly's POV is that Trump's favor will not last long. pl
Posted by: turcopolier | 31 July 2017 at 10:51 PM
Maybe, maybe not, but one thing is sure now: President DT demands and asks for a lot of loyalty, but he has zero loyalty to anyone, at least in his political life. So IMO people accepting jobs from him should watch their back.
Posted by: Kooshy | 31 July 2017 at 10:53 PM
According to CNN (sources) the Mooch was fired after he and Kelly had an exchange very similar to the one you forecast in your previous post. (However, DJT kept Kelly and let him fire the Mooch - which you didn't expect. Don't know if that signifies anything particular).
I also think that Trump will remember that Kelly forced him to fire the Mooch, and will pretty soon pay him back in the same coin.
Interesting that the Mooch's wife filed for divorce because he was going to work for Trump - for all of 10 days!
Posted by: FB Ali | 31 July 2017 at 11:20 PM
FB Ali
Yes. This is all psychodrama and personal search for power. IMO there is not a lot of ideology in any of this and it is just a matter of time before DJT abandons Kelly. pl
Posted by: turcopolier | 31 July 2017 at 11:42 PM
luxetveritas
"But why did Washington launch McCain’s War in the first place?" Israel wanted it. If you actually knew Washington you would know that. All that tortured nonsense about Cheney, Wolfowitz, etc., is just a reflection of Israel's long standing desire to destroy the Syrian government. I have worked this problem for thirty years and senior Israelis and their agents are always after the same thing in Syria. You must be a professor. pl
Posted by: turcopolier | 31 July 2017 at 11:52 PM
No. Ritter disagrees with most of what TTG wrote. TTG mischaracterises Ritter when writing Ritter made the "key point" that "[t]here is no forensic data in the public domain to prove anyone's claims." Ritter didn't write that at all. Instead Ritter wrote there is no public data backing up US government claims. Allow me to quote Ritter fully. He wrote:
"On Oct. 6, 2016, the Office of the Director of National Intelligence and the Department of Homeland Security published a joint statement that noted that the “recent disclosures of alleged hacked e-mails” by Guccifer 2.0 (and others) “are consistent with the methods and motivations of Russian-directed efforts,” without further elaboration beyond declaring that “the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”
Rep. Schiff, the aforementioned Democratic co-chair of the House Intelligence Committee, stated in March 2017 that “a hacker who goes by the moniker, Guccifer 2.0, claims responsibility for hacking the DNC and giving the documents to WikiLeaks. … The U.S. intelligence community also later confirmed that the documents were in fact stolen by Russian intelligence, and Guccifer 2.0 acted as a front.”
The problem is that there simply isn’t any hard data in the public domain to back up these statements of fact. What is known is that a persona using the name Guccifer 2.0 published documents said to be sourced from the DNC on several occasions starting from June 15, 2016. Guccifer 2.0 claims to have stolen these documents by perpetrating a cyber-penetration of the DNC server. However, the hacking methodology Guccifer 2.0 claims to have employed does not match the tools and techniques allegedly uncovered by the cybersecurity professionals from CrowdStrike when they investigated the DNC intrusion. Moreover, cyber-experts claim the Guccifer 2.0 “hack” could not have been executed as he described.
What CrowdStrike did claim to have discovered is that sometime in March 2016, the DNC server was infected with what is known as an X-Agent malware. According to CrowdStrike, the malware was deployed using an open-source, remote administration tool known as RemCom. The malware in question, a network tunneling tool known as X-Tunnel, was itself a repurposed open-source tool that made no effort to encrypt its source code, meaning anyone who gained access to this malware would be able to tell exactly what it was intended to do.
CrowdStrike claimed that the presence of the X-Agent malware was a clear “signature” of a hacking group—APT 28, or Fancy Bear—previously identified by German intelligence as being affiliated with the GRU, Russian military intelligence. Additional information about the command and control servers used by Fancy Bear, which CrowdStrike claims were previously involved in Russian-related hacking activity, was also reported.
The CrowdStrike data is unconvincing. First and foremost, the German intelligence report it cites does not make an ironclad claim that APT 28 is, in fact, the GRU. In fact, the Germans only “assumed” that GRU conducts cyberattacks. They made no claims that they knew for certain that any Russians, let alone the GRU, were responsible for the 2015 cyberattack on the German Parliament, which CrowdStrike cites as proof of GRU involvement. Second, the malware in question is available on the open market, making it virtually impossible to make any attribution at all simply by looking at similarities in “tools and techniques.” Virtually anyone could have acquired these tools and used them in a manner similar to how they were employed against both the German Parliament and the DNC.
The presence of open-source tools is, in itself, a clear indicator that Russian intelligence was not involved. Documents released by Edward Snowden show that the NSA monitored the hacking of a prominent Russian journalist, Anna Politkovskaya, by Russian intelligence, “deploying malicious software which is not available in the public domain.” The notion that the Russians would use special tools to hack a journalist’s email account and open-source tools to hack either the DNC or the German Parliament is laughable. My experience with Soviet/Russian intelligence, which is considerable, has impressed me with the professionalism and dedication to operational security that were involved. The APT 28/Fancy Bear cyber-penetration of the DNC and the Guccifer 2.0 operation as a whole are the antithesis of professional.
Perhaps more important, however, is the fact that no one has linked the theft of the DNC documents to Guccifer 2.0. We do not know either the date or mechanism of penetration. We do not have a list of the documents accessed and exfiltrated from the DNC by APT 28, or any evidence that these documents ended up in Guccifer 2.0’s possession. It is widely assumed that the DNC penetration was perpetrated through a “spear-phishing” attack, in which a document is created that simulates a genuine communication in an effort to prompt a response by the receiver, usually by clicking a specified field, which facilitates the insertion of malware. Evidence of the Google-based documents believed to have been the culprits behind the penetration of the Democratic Congressional Campaign Committee (DCCC) and John Podesta’s email servers have been identified, along with the dates of malware infection. No such information has been provided about the DNC penetration."
Ritter clearly states that Russia didn't do it because open source tools were used and the Russians use their own tools, not open source tools. Additionally, he states that no one can attribute open source code to a specific entity because once it's open source, anyone could be using it. He is in effect saying that if someone is killed by being struck in the head with a common hammer, that fact does not provide enough information for anyone to identify who swung the hammer.
Posted by: TimmyB | 01 August 2017 at 12:01 AM
I would agree that there is no public evidence whatsoever, either way. No public proof that it was copied locally or transferred over the Internet.
Assuming the server was hacked and the attacker gained root access, then the Forensicator analysis is totally invalid, and it is not worth anything. But a lot of people have been using it as an important data point in their judgment that it was a leak. Unfortunately this analysis has become some kind of "proof" for a lot of people.
I'm waiting for some definitive public evidence whether this server has been pwned by hackers (any hacker). That would invalidate the entire Forensicator's analysis.
Posted by: TonyL | 01 August 2017 at 12:02 AM
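TonyL's point, that a host on which an attacker had root cannot vouch for its own file timestamps, can be made concrete with the check a forensic examiner runs before leaning on an mtime. This is an added example, not code from any commenter or from the Forensicator; it assumes Linux, where st_ctime is the inode change time (on Windows it is the creation time and the check does not apply). The kernel updates ctime on every metadata write and utime() cannot set it, so an mtime that predates its ctime was not produced by the data write that last touched the inode on this filesystem: it was carried over by a preserving copy or set afterwards. Either way the mtime is not corroborated by the host itself, and if the adversary controlled the kernel or the clock, ctime is no better.

```python
import os
import tempfile
import time


def timestamp_corroboration(path, slack=1.0):
    """Return (mtime, ctime, corroborated) for one file. 'corroborated' means
    the mtime is within `slack` seconds of the inode change time, i.e. it was
    produced by the data write that last touched this inode. Linux semantics
    for st_ctime are assumed."""
    st = os.stat(path)
    corroborated = (st.st_ctime - st.st_mtime) <= slack
    return st.st_mtime, st.st_ctime, corroborated


def scan(directory, slack=1.0):
    """Run the check over every regular file in a directory; name -> corroborated."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            result[name] = timestamp_corroboration(path, slack)[2]
    return result


def demo():
    """Constructed fixture: a freshly written file passes; a file whose mtime
    was rewritten to a year earlier (a metadata write, so ctime moved to now
    while mtime moved back) fails."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.bin")
        with open(fresh, "wb") as f:
            f.write(b"sample data\n")

        backdated = os.path.join(d, "backdated.bin")
        with open(backdated, "wb") as f:
            f.write(b"sample data\n")
        a_year_ago = time.time() - 365 * 86400
        os.utime(backdated, (a_year_ago, a_year_ago))

        return scan(d)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'mtime corroborated by ctime' if ok else 'mtime NOT corroborated'}")
```

The check is one-directional: a failure tells you the mtime did not come from a data write at that time on this filesystem, not who changed it or why, and a pass only holds if the host's own clock and kernel were trustworthy when the inode was last written. Corroboration that survives a root compromise has to come from outside the box, such as flow records or logs held on another system.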