2017-01-04

Vetting information [at all]

First, the usual disclaimers:
  • Nothing posted here is my work at any employer, past or present.
  • Nothing here should be construed as any statement factual, speculative, or opinion that is in line with any employment past or present.
  • My opinions are my own and you are free to mock me or create good feedback and dialogue.  I am fine with mocking, but appreciate more constructive comments.
  • Nothing discussed here was derived from anything but public resources.
  • You should not base anything solely on this post.
  • I distrust all information, especially from a large entity like a government, until sufficient evidence is brought forth and subject to public scrutiny. 
  • Sorry for the longer than usual disclaimers, but it is sadly more necessary and prudent.
And the unusual:
  • I am a US citizen.
  • I vote in all major elections.
  • I voted in the presidential race.
  • I did not vote for Hilary Clinton or Donald Trump.
  • I live in Texas and the electoral college rather makes my vote moot.
  • We all have personal bias - follow the facts and educate yourself.

As part of the evidence showing that Russian nation-state actors interfered with the US election by hacking and leaking information from:
  • The Democratic National Committee (DNC)
    • "hacked"
  • Hilary Clinton's private email server
    • "hacked"
  • John Podesta's email
    • "spearphishing"
The United States Federal Government issued public information through a joint FBI and DHS release about GIZZLY STEPPE.

It should be noted this information was released as TLP:WHITE, which means it is thoroughly public and allowed for all dissemination.  Something like TLP:AMBER would have allowed organizations to vet this information, report back, and a well vetted public release made.  Sadly, this is one of many things that did not happen.  It is also noteworthy that in the opening prelude it notes that this Joint Action Report (JAR) is the first ever to "attribute malicious cyber activity to specific countries or threat actors."  It is certainly one thing to attribute this type of activity to a threat actor *but* the first time they attribute it to anyone, much less a specific country *and* they are so sure of their findings that it can be pinned on Russia.

Alright, lets ignore their mostly useless PDF remarks and look at their indicators.  Alright we have a list of mostly IPs, some domains, and no context other than they are related to malicious Russian campaigns.  This must be some timely and juicy data!  NO!  For a public release of this magnitude to not disable the C&C (C2 if you prefer) machines in advance or in coordination with the release is completely irresponsible.  A giant chunk of these IPs are based in the United States so the FBI should easily be able to obtain a warrant and take over or shut down the machines.  Could they not obtain a warrant?  Were they too lazy to?  Does even the FBI distrust this information?  We are just getting started on how poorly this was executed, even if we take the US government at face value and no questions.

Wait, but surely the USFG couldn't be so bad at vetting the list that a laptop at a Vermont electricity plant checking their Yahoo! mail would be flagged as Russain attacks?  Sorry, but at least someone posted the correction.

"At least 30 percent of the IP addresses listed were commonly used sites such as public proxy servers used to mask a user’s location, and servers run by Amazon.com and Yahoo."  Wow, impressive vetting for such a short list of IPs.  So great was this vetting of this important release that newspapers and tech types alike had to report corrections after *actually* reviewing the data.  I guess the DHS and FBI working together at great taxpayer cost and many hours cannot even do the most simplistic checks on an IP that hasn't changed ownership in sometimes 10+ years.  Even if they are unable to run whois on their windows machine, Google offers plenty of useful whois and nslookup utilities.

Oh, it gets worse: “No one should be making any attribution conclusions purely from the indicators in the [government] report,” tweeted Dmitri Alperovitch, chief technology officer of CrowdStrike, which investigated the DNC hack and attributed it to the Russian government. “It was all a jumbled mess.’’  Yes, the company hired *by* the DNC and concluded it *was* the Russian government agrees that this report is garbage.  Their methods, motivations, and conclusions are all questionable, but apparently even a collection of: Obama, Clintons, DNC, etc. cannot buy approval into this mess.

I am still awaiting the public release promised of the proof of the so called hacking by a nation-state.  However, I am expecting the proof to be increasingly vague and nothing but a desperate attempt to prove a point that lacks evidence.  I don't care what your political disposition is, but at this point either we get the evidence promised or we have to assume the subterfuge alleged by foreign parties is as believable as what our own government tells us.

No comments:

Post a Comment