Obama team expected to announce measures to punish Russia for election hacking

Would Trump be brazen and shameless enough to rescind these measures once in office?

Yup.

1 Like

And from that someone can ascertain my motives for sharing my thoughts better than I.
Yep, the internet is an amazing thing…
Cheers.

I think I agree with this… it sounds pretty much like what I’ve been asking for all along.

1 Like

In all seriousness, it would be nice to see some evidence.

2 Likes
1 Like

You forgot Weapons of Mass Destruction…, but thanks for the ad hom…

A sea of evidence? Yet you quote InfoSec people bemoaning the lack of released “best evidence”, the lack of a “thorough, precise, historically informed and technically honest attribution”… It sounds like Professor Rid is saying what I’ve been saying.

Cheers.

I think I’ve been very consistent here. Info. released by intelligence agencies is typically flawed/untrustworthy. I’ve said this repeatedly. I’ve quoted InfoSec people commenting on releases from the gov’t, and I’ve got plenty of criticisms of the gov’s response.

That’s peripheral to the fact that these same critics of this release accept the attribution of the source as the GRU. There’s still significant amounts of evidence and analysis available from the InfoSec community that is not only less biased, more careful in terms of analysis, and more data centric. I’ve mentioned which sources to turn to, and mentioned the key data points enough times, and none of them have been FBI/DHS/CIA/gov. sources.

4 Likes

vaccines…
I can access medical journals and peruse the data and scientific analysis that vaccine claims are based upon and make an informed opinion (They work, and they don’t cause autism)

global warming…
I can access the scientific journals and peruse the data and scientific analysis that anthropogenic warming claims are based on and make an informed opinion (It’s happening, and we’re pretty well hosed)

creationists [versus evolution]
I can access the scientific journals and peruse the data and scientific analysis that evolution is based upon and make an informed opinion (Evolution for the win)

"Russian hacking"
I can’t access the data or the analysis, I’m just told to believe that the allegations hold water.

One of these things is not like the others…

You can access the data and the analysis any time you feel like it. Like those other topics, there’s homework to do, but the data is not being hidden from you, it’s posted online ready for you to grind through. Security researchers have been posting this stuff for months, presenting both data and analysis. I’ve named the researchers and in past linked posts there are relevant links. It feels to me like you just don’t feel like doing the research. I’ve done what I can, but at this point I’m done.

8 Likes

https://twitter.com/stribika/status/814670425624113152

https://twitter.com/stribika/status/814670546763993088

https://twitter.com/stribika/status/814670617358270464

https://twitter.com/stribika/status/814670722563973124

https://twitter.com/stribika/status/814670820333252609

https://twitter.com/stribika/status/814671315173068800

4 Likes

This is failure by design for convenience. Unfortunately, faced with a choice between convenience and a properly functioning democracy, all the evidence is that the majority will go for convenience.

3 Likes

That’s not even close to being true/correct. The US, as the global superpower that it still is (for the time being–once trump’s in office, all bets are off), holds sway in any number of international avenues that have been/are/will be used to cajole, [bribe], impress, or otherwise convince other nations to act in a particular way.

2 Likes

Overreach!

1 Like

Having some time to codify my thoughts, I think I understand a little more, not specifically about the “election hacking”, but about the bigger questions involved. Perhaps these aren’t the questions you are interested in, and that’s fine, they’re the questions I’m interested in. And I apologize in advance for the length.

First, one thing to keep in mind is that not everyone is an expert in everything. You may be an InfoSec expert, and that serves you well in this particular case, but in the “post fact” world we ALL need means of understanding the world, experts and lay-people alike. And like it or not, the experts need to present their information in a way that lay-people can understand, if it is that important. Some things aren’t that important, and one should let that go. For me, it is important to understand how I think about things, which is one reason I’ve continued in this conversation. If anyone wants to on-line psychoanalyze that, well whoop-de-doo, buck-a-roo…

So you posted something apparently trying to link me to the same thought processes of anti-vaxxers, climate deniers and creationists, implying that anyone who questions the truth of “Russian hacking” can be grouped right along with that ilk. I replied that those are different types of things, a false equivalency, and that provided the key for me. So thank you for that, though not so much for the personal insult. :wink:

Vaccine effectiveness, anthropogenic climate change, evolution –– those are all scientific questions. (And that’s a whole other tome about how the Scientific Method really works and the difference between a scientific law, a theory, and a hypothesis…) To deny them is to deny how science works. Sure, there are niggling questions about certain details, but the foundational science is solid. Someone who denies that foundational science can rightly be called a nutter….

On an even higher level, there is mathematical truth. Someone who denies the Pythagorean theorem, or refuses to split the restaurant bill with you because they don’t believe that addition is commutative can rightly be called a nutter. But even then, Kurt Gödel proved that there are dank corners of mathematics filled with ambiguously true/false statements…

So we can’t apply mathematical or even scientific rigor to this question, and that’s fine (and I have not tried to do that). You said previously that the case can be made that is perhaps 99+% probable, “a really easy conviction in a court”, and I have mentioned many times as well that a judicial model may be better suited, so it looks like we agree there. Woo-hoo!

I’ve also mentioned that the judicial model involves a “sliding scale”, ranging from a “preponderance of the evidence” in civil cases to “beyond a reasonable doubt” in criminal cases. This is because in civil cases the punishment is generally less onerous and more easily rectified in case of error (a fine may be reimbursed), whereas in criminal cases, the punishment is more severe and irreversible (it’s difficult to make restitution for 20 years’ worth of incarcerated life, and you can’t reverse an execution).

So in this case, where on that scale should we be? My claim is that because the results of the decision are irreversible, and because the results affect hundreds of millions of people, we should be at least at the “beyond a reasonable doubt” level.

Now one difference between international politics and criminal court is that we can lock a person up, and even if it turns out that they were incarcerated unjustly, they are impotent. They can scream “I’m innocent!” or even threaten reprisals all they want, but they are still safely (for society) behind bars. (That would be a horrible situation, I’m just looking at the mechanics of the situation, not the ethics here.)

On the other hand, we can’t do the equivalent of locking up Russia. So if it finally turned out that we’d made a mistake, (or even if we just pissed them off enough) they have every means at their disposal for reprisals, and those means include chemical, biological, and nuclear warfare.

So now we have the question of “what is a reasonable doubt?” and it’s an important one.

A reasonable person can’t just make up objections. If I were claiming that the Russians couldn’t have done it because it was the mole-men operating from their subterranean lair a thousand miles beneath the Atlantic, then I’d be obligated to prove the existence of said mole-men.

Now, CrowdStrike has been one of the main sources of information and analysis in all of this. But CrowdStrike was in the employ of the DNC, so is it unreasonable to question their position?

I liken that to the scientists who said smoking did not cause cancer, and it turned out that they were being paid by tobacco companies.

Is it exactly the same? Of course not, but I maintain that there are enough similarities to raise “reasonable doubts”. I’ve actually been a juror on a couple of cases in which both parties brought in “expert witnesses” who had diametrically opposing conclusions based on the same data. Which one should be believed? I’d say that there’s a reasonable doubt.

There are other issues I think raise “reasonable doubts”, like the difference between simple “day to day cyber-espionage” that all major countries engage in and imputing a particular motive to an action. These seem to often get conflated in the conversation, some might call it FUD, according to my dictionary, “fear, uncertainty and doubt, usually evoked intentionally in order to put a competitor at a disadvantage.” When I see FUD being used, I think reasonable doubt is justified.

Another interesting thing was your post with some quotes from InfoSec expert Thomas Rid:

“The USIC erred on the side of caution today and did not release the best evidence they have—spelling out this limitation would have helped”

“It would’ve helped, really, to publish a thorough, precise, historically informed and technically honest attribution report in plain English”

In our judicial paradigm this sort of sounds like a lawyer claiming that they have some damning evidence but that they aren’t going to present it. As a juror, I could not consider evidence that is not presented. It might be the key to the case, but if it isn’t presented, I can’t make a judgement on it.

So I choose not to ride on the “Russian Hacker” bandwagon based on my opinion that we should go well beyond “beyond a reasonable doubt”, while still acknowledging that we can never achieve 100% certainty due to the nature of the beast. Is that your 99+%? Is it 99.99+%? Is it 99.9999+%? That’s a judgement call. Perhaps my threshold is higher than yours, I see the consequences of error going well beyond some individual’s 20 year sentence, or even a life sentence –– they include the possibility of war between two substantial nations with devastating destructive power and a history of having gone to the brink before.

And opinions are like, well, you know. Is my opinion important? In the overall scheme of things, no. Perhaps its only import is that it influences the candidates I vote for.

And if your opinion is that you’re satisfied with a lesser level of certainty, I’m not going to insult you for that. I certainly wouldn’t claim that you were merely interested in justifying a false sense of security…

3 Likes

Doesn’t s/he mean catching them w/ their cyberpants down?

1 Like

Mathematical truth is uninteresting to non-mathematicians because it is tautological (bear with me a moment, I’m not being contrarian.) It is interesting to physicists, chemists and thus engineers because they rely on equations, and the book-keeping of chemical bonds and quantum mechanics, to work; otherwise their work is impossible. But, fundamentally, the “hard” sciences are the relatively easy ones - we put people on the Moon in 1969, after all.
“Infosec” is largely a so-called soft science; it doesn’t deal in exactitudes. Assuming Russia did everything it is claimed (and I am personally quite agnostic on the subject) I think it would be impossible to claim that this caused the election result beyond reasonable doubt. There were so many other factors including social media, the irrationality of the dispossessed, the Electoral College and reporting on domestic and international terrorism, that without being able to re-run the election without the Russian input you could not be sure of the result. This is why I prefer to think of the soft sciences as being the really hard sciences; we have no psychological or sociological equivalent of the moon landings, and it is almost impossible to carry out true experiments - without considering that most of the work done in psychology or sociology is weird*.
Rather than focus on external hacking I think that the Democrats - because the Republicans wouldn’t do it - need to go back to examine their own organisation and power structures. How is it possible that so many turkeys continue to vote for Thanksgiving? Why is it that the party of the turkeys cannot become the party of government when at least 80% of the population is worse off under the Republicans? As an outside observer and taking the actual economic and social performance of the US into account over the last six decades or so, it’s obvious that the majority do better under Democrat administrations. So the issue should not be, did Russian hacking increase the Republican vote by a critical two or three percent, but why isn’t Trump facing a solidly Democrat House and Senate?

*As in White Educated Industrialised Rich Democracies.

3 Likes

Piggybacking on the theme of

let’s ponder some things that have been done by Russian governments in the last century

Destroying Russia’s food production economy, leading to the Ukrainian famine
Imprisoning and killing millions in the purges and the Gulag
Creating some of the most environmentally lethal industrial complexes in history, and doing little to clean them up
Publishing leaked or phished emails from an American political party
Destroying food production again with the Lysenkoist nonsense
Letting millions die due to incompetence in dealing with Hitler, 1939-42
Ruthlessly suppressing the Hungarian and Czech peoples uprisings
Putting Kim Jong Il in power, with repercussions we still face today

“One of these things is not like the others…”

3 Likes

I’d say so. They had nothing to gain, but much to lose by screwing up their analysis. They’ve been around a long time, and their business is built on clients trusting their integrity and ability to do solid incident response. Consider that to assume they are playing a nefarious political game is to engage in a kind of conspiracy thinking where the total lack of evidence for such a serious charge was something you are worried about. In their report they shared the attack vector, the payload, C&C IPs, etc. From their analysis APT28 was clearly involved in the DNC attack. They also mentioned APT29 had penetrated the DNC, but didn’t spend much time on that analysis (APT29 are assumed to be the FSB/KGB based on targets and analysis).

APT28/Fancy Bear/Threat Group-4127/Pawn Storm/Sednit is not some mysterious entity that appeared out of the blue. They have a huge number of designations since they attack so many targets that diff’t InfoSec researchers gave them various labels. The ‘APT’ designation is because they’re an advanced persistent threat that’s been engaging in widespread attacks for nearly a decade, targeting US and European government offices, universities, think tanks, NGOs, and political orgs. There’s been a ton of research on them because they have been attacking so many targets so persistently for so long. The attacks have evolved over time but involve using the same attack vectors, same malware, same C&C IP sets, and in some cases the same crypto keys. It’s clear they’re Russian based on a number of factors. Attributing them as a state actor, and specifically the GRU is a little more complex, but there are very good reasons for that attribution.

F-Secure, SecureWorks, ThreatConnect, and a bunch of other groups have spent a lot of time studying them and reached a loose consensus that they were the GRU based on targets and behavior. To get a sense of how you’d reach that conclusion you’d need to look past CrowdStrike and look at their many other attacks, the payloads (which are full of Russian strings), their commonalities, their behaviors (only targeting orgs that would be of interest for some kind of gov’t entity for instance, not engaging in typical hacking patterns of exploiting for profit, taking breaks on Russian state holidays), and consider what kind of organization would have that capacity and motivation. Their engagement in Russian cyberwarfare attacks in Ukraine shifts that attribution from “very, very likely,” to “beyond any reasonable doubt.”

APT28 wasn’t just involved in the DNC attack, but also a previously undetected/unreported DCCC attack, which we know since soon after they were discovered on the DNC system, in June they created the Guccifer 2.0 persona pretending to be a lone Romanian hacktivist. Their first dump was the DNC’s full oppo research file on Trump, but also started to dump DCCC docs to attack House Democrat races, stated they’d sent dumps to Wikileaks, and interacted with people on Twitter and elsewhere. Immediate analysis by researchers looking at metadata in the dumps and other issues (like not knowing Romanian, and docs being edited by teams) pointed to the cover story being BS, and likely Russian involvement. There was a bunch there that showed sloppy Russian OpSec. It was at that point that CrowdStrike released their initial report, which also should help illustrate why your idea that CrowdStrike’s findings were politically motivated is poorly founded. The DNC and DCCC’s association with APT28 is very clear. The Podesta attacks were attributed by SecureWorks as APT28 from their forensics as well, FWIW.

APT28 had been caught by CrowdStrike exfiltrating data from France’s TV5 Monde in 2015 (with the same malware/C&C IPs) and when caught had played the same game of inventing an online persona, FWIW.

So if you want to get a good sense of the APT28, you should look at CrowdStrike’s reports, but should also look at F-Secure, ThreatConnect, and all the other researchers dealing with this massive entity engaging in wide-scale attacks. You are right that attribution is not a science. It is much more like criminal forensics (which it sometimes actually is). In this case the forensic data provides a lot of fingerprints for an organized criminal actor who’s been at the game for nearly a decade and whose identity can be established by piecing together findings from behaviors, motivations, scope/scale of activities, and other factors you’d need to consider. I could ramble on a lot more, but I’m beating a dead horse here. If you think there’s a problem with the evidence and method of attribution, you need to be really familiar with both to make a meaningful judgment there.

6 Likes

OT but that’s an interesting one. We all know, I think, why Marxist doctrine led Soviet thinkers to support the idea of environmental adaptation, so I won’t reiterate it - but nowadays we know that gene expression can be to a degree environmentally determined; the overview of heredity I got in 1970 now turns out to have been very simplistic and partial. Lysenko was wrong but his ideas were not complete nonsense. At the time Western biology probably erred in being over-mechanistic, and GM crops have not proven the miracle that Monsanto predicted because the ecosystems they inhabit are too complicated for simplistic approaches. [I had this explained to me at great length by a former principal scientist at Kew and for some reason it stuck].

I have to say British governments did things that were just as bad within living memory. And our secret services have also been notorious for interfering in other people’s governments - it amuses me slightly that we go on about covert Russian action in Donbass when our own dear boys from Hereford have been in there with the heroic “moderate rebels” in Syria.
Also: Algerian Civil War; Vietnam.

Bhopal.

Dustbowl

I will concede happily that on a scale of enormity and given the population of the country the Russians have often been worse than Western countries. Let’s say that, rather than mote and plank, it’s plank and plank. But whataboutery is a very two-edged sword.

4 Likes

This is very true. The effects of Russian manipulation on the electorate’s choices are unknowable. Their dump of internal campaign docs not just from the DNC but also the DCCC in June gave the GOP a likely advantage (and not just in the Pres. race), but we don’t actually know how they exploited it, or if they were even smart enough to recognize the gift. The email dumps created a lot of buzz and media/social discussion to the apparent harm of the Dems. (esp. in alienating the US left from the DNC), and I do know a few people whose votes went Green naming the DNC (citing Wikileaks) as their reason, but there’s no saying how serious that effect really was. It feels to me like it likely was one of many factors contributing to tipping the scales, but I can’t say it did with any confidence.

The election was a perfect storm of one-off insanities with so many variables that it makes no sense to point to one variable and pretend it was the deciding factor. Comey, the long ugly primary, Clinton’s weakness as a campaigner, her long, heavily funded background as demogorgon-in-chief bringing together the GOP in their shared hatred, Clinton getting pneumonia, the massive disinformation flying around social media (which Russia also appears to have helped enable), the dumb American assumption that wealth=competence, a worthless media constantly manipulated by Trump, and a host of other things all contributed.

But I agree that the biggest problem is the Democratic Party. Since Reagan the Dems. were in a position of not being the New Deal party, the left-wing party, or a party with any compelling central guiding principles, but a loose coalition of people who aren’t Republicans (whose ideals are ignorant and base, but are largely shared by their constituency), and unless the Dems. figure out a way to pull that together and pull themselves together they’ll be at a constant disadvantage.

5 Likes