
02 October 2019

Comments


akaPatience

In light of the Ukraine Hoax, I've been anxiously waiting to read the latest from you Larry, but didn't anticipate THIS! LOL, Brennan asked for it, didn't he?

Factotum

Each piece of insight and information you present has always been interesting. But often almost as stand alone import - it seems now the threads are now explosively coming together. Keep this up - you are a beacon of clarity, LJ.

Rhondda

"For example, when did the U.S. intelligence community discover or learn that the Russians were attacking the DNC network starting in July 2015? Was it July 2015 or was it after the Washington Post reported in June 2016 that Russia had hacked the DNC?"

FBI (at least) supposedly repeatedly called the DNC IT Help Desk to inform them their systems were hacked --in September 2015.
https://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-csr/index.html

Hmmm. Very memorable tale. Which was why I was able to find it again so easily! Even at the time I first read it, it struck me that it's a "date shifter" news story. Intended to be memorable and highly searchable, what with the "comedy of error" help desk drama nugget.

So, more probably, July.

Rhondda

I find this to be a useful timeline. I thought others might, too.

From: https://themarketswork.com/2018/05/18/the-fbis-outside-contractors-dnc-servers-crowdstrike/

...the DNC hacking timeline in its entirety – including events overlooked in the DNC Lawsuit.

DNC Lawsuit dates are bolded. Dates relating to NSA Director Rogers actions are italicized:

July 20, 2015 – The Yates Memorandum denying Inspector General Access & Oversight of information collected by the DOJ & FBI under Title III is issued.
July 27, 2015 – Russia’s cyberattack on the DNC began only weeks after Trump announced his candidacy for President of the United States.
September 2015 – the FBI notified the DNC that hackers had compromised “at least one DNC server.” The FBI called the DNC Help Desk.
November 2015 – the FBI notified the DNC one of the DNC’s computers was now transmitting information to Russia.
November 2015-April 2016 – The FBI and DOJ’s National Security Division (NSD) used private contractors to access raw FISA information using “To” and “From” FISA-702(16) & “About” FISA-702(17) queries.
March 9, 2016 – NSA Director Rogers became aware of improper access to raw FISA data...(continues at link above)"

DonkeyOatey

Good stuff
But.... I think it’s spearphis(h)ing
The missing ‘h’ was driving me nuts. Sorry, that’s my neurological problem

Larry Johnson

You're right. Good catch. I always benefit from a sharp-eyed editor.

John Merryman

Lol. Love to see this work its way through the wash cycle.
There is no grand strategy, just a bunch of pawns, dreaming they are kings and queens. One dimensional chess.

Factotum

How does the timeline of the whole Awan family of Pakistani IT aides to Democrat congress persons, including Debbie Wasserman Schultz fit into this unfolding scenario? Many loose ends here - all Democrats hired them and exempted them from background checks, all involved in multiple nefarious and curious actions, and all left the US without consequence.

We need a spreadsheet setting out the overlapping timelines of the Awans, WikiLeaks, Seth Rich and the Crowdstrike cover-up:

...."(Prosecutor) Coomey said he would not prosecute Imran Awan for any crimes on Capitol Hill in the plea agreement.

"Particularly, the government has found no evidence that your client illegally removed House data from the House network or from House Members' offices, stole the House Democratic Caucus Server, stole or destroyed House information technology equipment, or improperly accessed or transferred government information, including classified or sensitive information," the prosecution stated in the plea deal......."

The Twisted Genius

Larry, I was sad more than anything else not to see DIA involved in the ICA. DIA had a small, but very competent analytical effort in the cyber field. The analytical side had strong support from leadership. That was before I retired. The one true expert in Russian cyber and IW efforts probably retired soon after me. I don't know where it stood at the end of 2016. The DIA collection side pretty much died when I retired. There was a sizable cabal of Luddites on the operational side that wanted nothing to do with that techno-spookery. They wanted me dead for years. The cyber collection and analytical efforts at CIA, NSA and FBI dwarfed anything we had at DIA. The INR was never a player in this field. I was surprised they didn't make more of an effort since DOS was a punching bag for state and non-state hackers.

Again, the NSA did give a high confidence assessment for Russia/GRU hacking. Their moderate confidence was in the finding that Putin personally directed this effort. Since that was most likely based on human sources rather than technical sources, I can understand the NSA reluctance. The spearphishing attacks were pretty well documented. The spearphishing attacks only allow hackers to gain access to a system. Spearphishing leaves no signatures beyond that initial stage of a hack. In the case of the DNC files, they were compiled and compressed using win.exe and transferred using x-tunnel. Those programs, especially rar.exe, left markers.

Larry Johnson

Twisted,
There is ZERO evidence of spear phishing. None. The metadata in the emails tells what happened. You may not accept the reality of the math, but the math does not lie. You also ignore the huge gaps in the supposed Crowdstrike effort to deal with this threat. Please deal with the facts.
If those emails were snagged via spear phishing then the metadata would show a random distribution of odd and even numbers. They don't.
The Podesta emails, however, were spear phished. They exhibit the odd/even distribution.

Jack

Larry

What’s your take on what Barr and Durham are up to? Do you have any confidence they’ll get to the bottom of it and hold the putschists accountable? Or will they whitewash it all as is normally the case when high officials are involved, similar to the Hillary “investigation”? Brennan in an interview today speculated that Durham would be calling him for an interview. I wonder if a grand jury has been empaneled?

As David Habakkuk has noted, where are the servers, what happened to them and the logs on them? It would seem that the FBI & NSA could easily find out considering all electronic communications domestically are hoovered. And as we know Clapper lied under oath on the existence of these programs and got away with it.

Larry Johnson

They are moving methodically and by the book. There will be indictments.

J

Larry,

Did you see where the FBI is trolling Facebook with ads trying to recruit Russian spies?

https://www.zerohedge.com/political/fbi-running-facebook-ads-target-and-recruit-russian-spies-washington-dc

Jack

TTG

Can one make a definitive determination of how files were exfiltrated without examining the servers and all the log files as well as the firewalls?

One of the startups that I had invested in was a company that helped large enterprises identify and prevent the exit of proprietary information. I invested in them because they showed me data that the vast majority of IP theft was perpetrated by insiders. Mostly due to carelessness, not malice. They had a very successful run and Symantec made us an offer we couldn’t refuse. I recall asking one of their top engineers sometime back about who could have done it and he said he wouldn’t even speculate without looking at the computer systems and networks. I’m curious how the IC and FBI could have made any determination without direct examination? I believe in a recent court filing the FBI stated they didn’t even look at the Crowdstrike report details.

I believe stealing digital information through exploitation of network vulnerabilities has only picked up in scale in recent years. Maybe only after guys like you began doing it in earnest 🤣

Jack

https://twitter.com/deadlinewh/status/1179522092200579073?s=21

Brennan on “predication”.

Patrick Armstrong

Certainly hope you're right and they are and there will be (although one can wonder how high they will go with indictments) because, apart from any US domestic implications, the Russofrenzy can have very bad results for the rest of us.

Joe100

Serious investigative journalists, like John Helmer, identified the links between Ukraine oligarchs and Western politicians years back. See for example: http://johnhelmer.org/?s=hunter+Biden I was thus reading about Burisma corruption and the company's financial links to Hunter Biden and John Kerry's stepson quite some time back. Also reading about Victor Pinchuk's (check out his reputation) annual "friends party" typically attended by participants like Bill Clinton, Tony Blair, George Soros and Hillary Clinton. And it seems pretty likely to me that his "big name" political guests were not attending because Pinchuk (worth many billions) holds a nice party.

So again, I wonder if the Dems had a clue what would creep out from under the Ukraine rock they are turning over.

FYI, Helmer does amazing work and even though he lives in Moscow, he is clearly an "equal opportunity" investigator and does not hold back on Russian corruption, etc.

The Twisted Genius

Jack, forensic examination of a network’s servers, routers, switches and dedicated firewall boxes offers a wealth of information to determine how data is exfiltrated, but it has serious limitations. Logs are often changed by hackers. That’s all we had for a long time to try to determine how data was taken and who took that data from USG systems. Determining what was taken was still difficult unless you caught them in the act of exfiltration. Attribution was even more difficult. The breakthrough came when we started focusing on the attackers’ infrastructure, their attack points, their drop off and transfer points. That approach gave clear answers to what was taken and by whom. In the case of the DNC, we identified the Russians’ infrastructure used for staging/controlling the attacks, the transfer points for the stolen data and the spear phishing servers. We even hacked back to the GRU computers in Moscow. The Dutch AIVD went further and obtained film of GRU hackers through the GRU’s own Moscow surveillance cameras, but this was prior to the DNC attacks. However, this AIVD penetration was key to stopping an unusually aggressive GRU attack on DOS and JCS systems in 2014.

The Twisted Genius

Larry, I don't think you understand what spear phishing accomplishes. It enables entry into a system by tricking a legitimate user into opening an infected email or attachment, or connecting to a bogus server where the user's credentials are given up (Podesta's case). No data is transferred from the target system (other than a user's credentials) during a spear phishing attack. Data is stolen AFTER a successful spear phishing attack.

In the case of the DNC, APT29 sent spear phishing emails to more than 1,000 addresses. The emails used a common phishing technique: malicious attachments. The recipients were tricked into opening what appeared to be a harmless file but instead was malware. Someone at the DNC must have received and opened one of the attachments. This allowed APT29 to install malware, establish persistence, escalate privileges, steal and exfiltrate emails to the attacker's infrastructure through an encrypted connection.

APT28 also used phishing emails but not with malware attachments. These emails tricked the users into sharing or resetting their passwords. The emails asked users to reset their passwords and provided a link to do so. Clicking the link brought the users to a spoofed webmail domain. There they entered or reset their passwords and gave APT28 the keys to their mailbox. APT28 targeted DNC, hillaryclinton.com and Gmail email addresses. From there, APT28 had access to the DNC network and used their tools to exfiltrate data through the APT28 infrastructure.

I also think your faith in metadata is misplaced. It can be faked including the dates/times of last copy. I didn’t think that was possible until I read this critique of the forensicator work.

To create this archive, the leaker ran the following command (or used GUI to the same effect):
> rar a DNC DNC -r
But wait… the folder he was packaging, along with other enclosed folders, was last modified on September 1, 2016 at 12:47 EDT and packaged into an archive immediately after that at 12:48 EDT, taking into account the time zone difference. Seth Rich was killed on July 10, 2016. So, did he rise from the dead on September 1, 2016 to create the archives???
As a more sane explanation, the hacker copied the files locally on September 1, 2016 then recursively ran a script to change file dates to July 5, 2016, but forgot to change the date for enclosing folders. As a proof of concept, the following script makes a copy of a directory of your choice into a “mytest” folder, then changes the date for files only 2 years back. If you pick a directory which contains other directories, timestamps for those will not change.
> echo "Enter folder name"; read var1; cp $var1 mytest -r --no-preserve=timestamp --remove-destination; cd mytest; find . -type f -exec touch -d "2 years ago" {} \; ; cd ../; ls -lA --time-style="+%Y-%m-%d %H:%M:%S.%N" --group-directories-first mytest;

https://medium.com/@janedoe111/revisiting-the-forensicator-50777aca4c2c
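As an added example (not part of this comment or of the Medium article it quotes), the script below reproduces the "backdated files, untouched folders" artefact the critique describes in a throwaway tree, then applies the simple check a reviewer could run over such a tree: flag regular files whose modification time is more than a day older than that of the directory holding them. It assumes GNU coreutils on Linux (`cp --no-preserve`, `touch -d`, `stat -c`); the sample tree, file names and the one-day threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the comment above or the Medium article it quotes.
# 1) Reproduce the "backdated files, untouched folders" artefact in a throwaway
#    tree, mimicking the quoted cp/find/touch one-liner.
# 2) Apply a simple forensic check: flag regular files whose mtime is more than
#    a threshold older than the mtime of their parent directory.
# Assumes GNU coreutils (cp --no-preserve, touch -d, stat -c); names constructed.
set -eu

# Build a constructed sample tree: root/src/mail with two small files.
# Prints the temporary root path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/src/mail"
    printf 'constructed message 1\n' > "$root/src/mail/a.eml"
    printf 'constructed message 2\n' > "$root/src/mail/b.eml"
    printf '%s' "$root"
}

# Mimic the quoted script: copy the tree without preserving timestamps, then
# backdate only regular files. Directories keep the copy time, so they now
# post-date their own contents by about two years.
backdate_copy() {
    root=$1
    cp -r --no-preserve=timestamp "$root/src" "$root/mytest"
    find "$root/mytest" -type f -exec touch -d "2 years ago" {} \;
}

# Count regular files under $1 whose mtime is more than $2 seconds (default
# one day) older than their parent directory's mtime. A freshly written tree
# yields 0; a tree whose files were touch'ed into the past yields every file.
count_backdated() {
    dir=$1
    threshold=${2:-86400}
    find "$dir" -type f -exec sh -c '
        f=$1; t=$2
        fm=$(stat -c %Y "$f")
        dm=$(stat -c %Y "$(dirname "$f")")
        [ $((dm - fm)) -gt "$t" ] && printf "%s\n" "$f"
    ' sh {} "$threshold" \; | wc -l | tr -d ' '
}

# Demo: build the tree, check it, backdate a copy, check again.
demo() {
    root=$(make_sample)
    echo "original  tree: $(count_backdated "$root/src") file(s) flagged"
    backdate_copy "$root"
    echo "backdated copy: $(count_backdated "$root/mytest") file(s) flagged"
    rm -rf "$root"
}

demo
```

The check is a heuristic only: old files legitimately sit in directories that were modified later, so a large, uniform gap across every file in a tree is the signal, not any single mismatch.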

Larry Johnson

You familiar with an old Missouri expression, "Thick as mule shit?"
I very well understand. You seem to have the reading comprehension problem. I made a point of separating out the emails that were posted on 22 July by Wikileaks that carried the last modified dates of 23 and 26 May. Also pointed out that additional emails were added to that collection that carried a date in August. I never suggested the emails posted in August were the result of Seth Rich. So, please stop making accusations that are not founded in what I've written.
To be very candid, you do not have the scientific or math chops that Bill Binney does. That's one reason he was promoted to a position as Technical Director and you were not. You can keep repeating Democrat talking points all day long but it does not change the facts--the DNC emails are in a FAT format. PERIOD. Not my opinion. AN OBJECTIVE FACT.
You do not get a FAT format from spearphishing. Stop trying to complicate what is very simple. You continue to ignore the other FACT that neither the FBI nor anyone in the IC ever examined the DNC servers. Their conclusions are based entirely on a report from Crowdstrike. If you think that is a valid investigative technique then you expose the fact that you know nothing about how to conduct an investigation.

Keith Harbaugh

TTG, is there not an organization in America which tracks, and perhaps archives, ALL packets that move across the web?
Just speculation.....

David Habakkuk

Larry,

I think it is rather obvious that anyone who thinks it appropriate for the FBI to have relied upon CrowdStrike for the analysis of the evidence provided by the DNC servers rules themselves out as a serious contributor to this investigation.

Among many other things, the Atlantic Council link in itself has always been adequate to establish that Alperovitch could not conceivably claim to be an impartial analyst.

As I have written before, anyone interested in the truth should obviously see it as a top priority to recover the DNC server(s) and have them subjected to an impartial analysis, if they still exist, or establish when, by whom, and in what circumstances they were destroyed, if destroyed they were.

That said, the August emails are clearly very interesting.

Particularly now that Ed Butowsky has showed so much more of his hand, it seems to me clear that the vast bulk of the material produced by WikiLeaks came from downloads by Seth Rich which were completed by late May 2016.

While I may be being stupid, it would appear that there would have had to be some further material supplied after his death.

A question arises as to whether Bill Binney's analysis of the 'scientific forensics' can establish whether this was material downloaded by Rich but not passed on by an intermediary until after his death, or material downloaded by someone else.

It may well be I am thrashing around, and adding 2 + 2 to make 5. And it also may be that there is a simple solution to my puzzle, which there are good reasons to keep 'under wraps', for the moment at least.

However, as this discussion has demonstrated, the fact that some of the materials from the DNC carried dates clearly later than Rich's death has proved enormously helpful to those who want to prevent the conspiracy against the Constitution being exposed.

The Twisted Genius

Keith, I doubt NSA collects and stores every packet crossing the internet. They prioritize. In 2008 they were still trying to just map the internet. Even today I doubt they can analyze all they collect, but I'm sure they can go back and find stuff after the fact in what they do collect.

akaPatience

David Habakkuk, since you raised the issue, for those who think there may be something to the Seth Rich angle, it's purportedly claimed by Julian Assange that Seth's brother Aaron assisted him, which could explain metadata that post-date Seth's death.

Many here may already be familiar with this report which touches on the subject:

https://theconservativetreehouse.com/2019/07/21/important-video-confirms-butowsky-lawsuit-claim-julian-assange-told-ellen-ratner-dnc-emails-received-from-seth-rich-not-a-russian-hack/

The Twisted Genius

David Habakkuk, the DNC servers are still in place in the DNC headquarters. CrowdStrike was brought in specifically to ensure minimal disruption to DNC operations while dealing with the intrusion. If the FBI was responding, they would just investigate without any concern for DNC operations. CrowdStrike rebuilt/cleaned DNC systems with minimal impact on DNC operations. Any FBI examination of those servers now would yield no information on what happened in 2016.

CrowdStrike supposedly took images of the servers. If they did not share those images with the FBI once all realized the gravity of the situation, the FBI, the DNC and CrowdStrike were negligent at best or engaged in conspiratorial criminal activity at worst. I don't know if the images were shared with the FBI. What the FBI did have was access to the hacker's attack server and transfer point servers as well as whatever access NSA developed in the GRU systems in Moscow. That is apparent in the indictment of the GRU 12.
