Schneier on Security

GreenSquirrel • January 10, 2017 2:03 AM

@Ron Helwig et al:

What I really want to know is did the Russians (or whoever did this) do anything other than expose the bad things that the democrats did.

As others have said, “exposing the bad things” one party does, but not others, during an election campaign is pretty much the definition of influencing the election.

Trump and his campaign took advantage of the emails to rubbish and diminish the Democrats in the eyes of the nation so it appears he believed the information was in his favour.

For me, that is a strong indicator that the release of the emails influenced the election – I dont have an opinion on “was it enough to tip the balance one way or another?” though.

GreenSquirrel • January 10, 2017 2:31 AM

All,

There is a lot of probably justified doubt about the US Intelligence Communities ability to provide trustworthy intelligence. This appears to be driven by what is seen as deceitful reporting in the run up to previous military operations. As a result, people are claiming that the current attribution of the DNC hack to Russia is untrustworthy.

I have two issues with this:

1) The historical lies were largely the result of political / media spin on fairly bland intelligence reporting. The IC gave the right information but the public (or at least the press representing the public) didnt bother to check this, instead they listened to the well spun headlines and got burned. This does not, on the whole, invalidate the IC reporting capabilities.

2) a huge amount of attribution in this case comes from the private sector and non-US companies. This has produced a wealth of information which connects the attacks to APT28 / APT29 who were comfortably (and without challenge) identified as Russian actors as far back as 2014. It should also be highlighted that no security company has come up with an alternative theory, even though there would be massive publicity and lucrative contracts for a credible assessment of it not being Russians.

So, as a public, we are faced with a decision:

Do we accept that multiple security companies, with multiple sources of information have collated the attack data across multiple targets and agreed (even between competing companies) that the source of the attack is a group identified in 2014 (and probably active since as least 2010) acting on behalf of the Russians.

Or, do we ignore all that and shout It wasnt the Russians, I dont care what you say until it goes away?

Genuinely, if you believe commentators with no access to the data or infosec background over Fireeye, Kaspersky etc., then there are bigger problems at play.

As a last point, if you want to know more about how the attack was attributed then it is worth watching this webcast by Robert Lee: https://www.sans.org/webcasts/analyzing-dhs-fbis-grizzly-steppe-report-103312

He is very critical of the report but explains why that isnt as important as lots of people think.

GreenSquirrel • January 10, 2017 2:47 AM

@tyr

If some random drunk in a bar is the best Mossad can field

Why would he be the best? Surely the best would be used against harder targets in more hostile environments.

Every course, even Mossad, has a people who only just pass and get sent on starter assignments which can then be fucked up.

Assuming any mistake, misstep or unguarded moment means Not Mossad is a bit of a mistake, don’t you think?

Maybe it’s fake news, I hear there’s a lot going around these days.

Always possible, but there is video and the Israeli government have largely accepted it. If this was fake news, wouldnt they be the first to say that rather than “sorry our guy was a dick” comments?

GreenSquirrel • January 10, 2017 9:17 AM

@Clive

The reason is it’s a “Turkey Shoot” out there, many nations are at it. Even Obama tried to manipulate the UK EU referendum in a way favourable to the US just a very very short time before Obama started getting hot under the collar about Russia.

This is true but it is a different method of manipulation and, at least I’d like to think, that most observers would see a difference between the President of the US saying he thought the EU referendum vote should go a certain way and a suspected state sponsored cyber team breaking into IT systems and leaking the data found to provide political capital for one side or another.

If the NSA had hacked into Farage / UKIPs email and leaked the contents to discredit their Leave position, I would be equally outraged.

But the more covert side is where the supposed evidence falls flat on it’s face. Way to many people were not just aware of the alleged Russian APT groups. They had the MO and Tools well pined down long before hand. Thus there are a great many people that could “Make like a cosybear” before the name was even coined.

It isnt as simple as that.

The technical links to APT28 are fairly robust, so the only argument really is do you think APT28 is sponsored by the Russian government? This group’s activity has been monitored by Crowdstrike / Fireeye / Kaspersky etc since 2010 and reported on since 2014.

The forensic investigation of this hack has been carried out by countless private sector employees with different national and political affiliations. The confidence with which they call “APT28” is too high to dismiss easily.

Other than that, the only question is, is it a false flag? To go back to first principles, which group benefits from any of this? There is a clear and obvious link between Trump (and his team) and the Russians which even if there is no collusion or espionage at this level, indicates it was in Putin’s interests for Trump to be elected.

What value is there in any other organisation getting trump elected and making it look like Russia? Especially any organisation able to correctly recreate the TTPs used by APT28 to enough of a level of detail that no world class DFIR team has spotted it?

GreenSquirrel • January 10, 2017 3:05 PM

Oops – sorry for the nesting failure. Obviously getting past my bedtime.

GreenSquirrel • January 10, 2017 3:13 PM

Always be suspicious of “a clear and obvious link” when playing at this level.

Turn the question on it’s head and ask “In who’s interests is it that Hillary did not get ellected?”

You will then start down on a more interesting path… But beware of the obvious it will lead you astray.

Just remember they are all assumptions as well.

Yes, be suspicious of the clear and obvious link but if you spend your life ignoring the obvious because you are searching for hidden meaning you miss the thing hidden in plain sight.

GreenSquirrel • January 12, 2017 1:51 AM

@Clive

I’m actually quite serious about asking not “Who Wants Trump” but asking “Who Does Not Want Hillary”.

I know you are. I am not saying that this isn’t a valid line of reasoning, but it isn’t automatically a better way of establishing things than basing it on who wants Trump.

The reality is that the choice of who wants trump/who doesn’t want hillary is almost certainly going to be driven by which gives the outcome you prefer.

It’s a point everybody realy should be considering, because the “Putin wants Trump” argument is actually not a particularly good one, and they should stop being “led by the nose” on this and start actually taking a look around.

Except it is actually a good argument. Putin had a better working relationship with Trump prior to his entry into the race and the indications are very strong that this will continue and build during Trump’s presidency. Trumps viewpoints regarding things like Nato and other geopolitical areas are much more aligned with Putin’s interests than (for example) Clintons – as she largely represented the US political status quo.

I will agree that Putin wants Trump isn’t a good enough argument for “Russia Did It” on its own, but it isn’t on its own. That’s the point.

Further it raises the question of why the NSA is not agreeing with the Russia hacked the election rehtoric

Except the NSA does agree with almost all of the APT28 attribution. There is one area where they only agree with medium confidence. That is significantly different from saying they dont agree.

Personally I think people in the US should stop looking half way around the world chasing grandiose accusations that actually amount to next to nothing and look a lot closer to home.

This sounds reasonable but flies in the face of the available information and, at the moment, largely amounts to a conspiracy theory which would require Machiavellian planning and a level of secrecy largely unknown across the world.

While it can be argued that no single bit of evidence is overwhelming, the problem I have with the “someone else did it” (or even the implied FBI did it from here) is that, for it to be valid, you have to ignore 99.99% of the evidence and give greater credence to the 0.01% which is largely supposition and assumptions.

Saying people should think that the FBI hacked Clinton because the CIA supported her is beyond an extraordinary claim. Believing this on the basis that the evidence looks like the Russians makes close to no sense.

If you feel there isn’t enough evidence to say the Russians did it, you have to bear in mind that every competing theory has less evidence.

GreenSquirrel • January 12, 2017 3:26 PM

@Dirk Praet

For me, the most likely theory still is that it was done by a disgruntled Sanders supporter and I find it pretty odd that despite being so obvious it almost bites you in the nose, this venue nowadays seems to have been abandoned by all but a few lone conspiracy theorists like @Clive and myself.

It has possibilities but things like Occams Razor tend to get applied.

Every suggested alternative to APT28-Russians adds layers of complexity which fail to align to the available evidence.

When the IR people started looking at this, they will have considered the insider threat first and been busy capturing data to see if they could prove that. So, in this instance, it is a disgruntled Sanders supporter who is technically literate enough to exfiltrate data without leaving any traces which could be recovered by some leading digital forensics companies.

While this is possible, it feels less likely than “It was the Russians” and would need some extraordinary evidence to make me believe it.

I believe the discovery of APT28/29 on the DNC servers for the IC represented a golden opportunity to spin the entire story into a narrative that not only furthers anti-Russia hysteria but also discredits a president-elect many within the US IC and political establishment perceive as a clear and imminent danger both to national security and their own interests.

The first reports of this were from private sector companies. In this instance the US IC jumped on the bandwagon rather than led the narrative.

It’s probably safe to assume that in the time to come we can expect more “leaks” like the report of that former MI6 person, and which I highly doubt the Russians had anything to do with. Making it again quite obvious that there’s more at work here than meets the eye.

I agree we will see more leaks like this but I don’t think they do anything to change the attribution of the DNC hack. They are unrelated events and show more the susceptibility of the press and the public to jump at the hint of a news item.

GreenSquirrel • January 13, 2017 8:26 AM

@Dirk Praet

Only on high-assurance systems. The system/audit logs of traditional COTS operating systems in a default setup do not automatically log who has touched what data and when.

The issue here is the level of detail needed. As an example,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

does capture the USB activity and you would expect a competent DFIR investigator to check this and try and correlate the connections with other timestamps to establish the events leading up to the data loss. It wont say who but it will say USB device connected on $date.

I am not disagreeing for even a nanosecond the fact that audit and logging is invariably crap, however it is one of many tools available to an investigator – and even though I am not a seasoned digital forensics expert, I have carried out incident investigations where we have been able to identify insider misuse despite poor logging.

But that still doesn’t prove the Russian government was also behind the release of those documents, and which may account for the NSA’s “moderate confidence” assessment.

I agree.

This is a very different issue though and isn’t one supported by saying the private sector work was wrong.

Worryingly it also smacks a little bit of the god of the gaps in that we are now looking for more and more specific edge cases to try and disprove the overall assessment.

Is this really a case of us saying that the Russians hacked the DNC, accessed the data which was leaked to Wikileaks and by a lucky coincidence an insider took the same data and leaked it without any interaction with the Russians.

It is possible.

However – there is no evidence which currently supports this theory and it adds extra layers of complexity with an associated reduction in probability.

GreenSquirrel • January 13, 2017 11:07 AM

@Sancho_P

To be evidence it must comply with at least three points:

I think you are focussing on evidence admissible to a court here and like I said, every court has different rules around this.

Inadmissable evidence is still evidence.

For the intangible digital information this is nearly infeasible,

Yet digital evidence is often collected in an admissible manner and can be used in some court cases (again, depends on jurisdiction). Even when the subject of the evidence is COTS gear evidence can be collected and used in court.

The alternative would be for every criminal to simply turn logging off on their devices so the evidence collected gets thrown out…. this doesn’t happen.

What was made public fails all three points.

Because what was made public wasn’t legally admissible evidence being used for a court case. It was presented in a largely botched attempt to provide assistance for network defenders.

The evidence connecting the activity to a Russian, probably state sponsored APT group, was not published in that report. This is why I am intrigued when people say “it isn’t good enough.” Most haven’t seen it…

If they work for Mandiant / Crowdstrike / Kaspersky etc., and have been involved then fair enough but in that case, I’d suggest the best way to put their competing theory forward would be to publish it rather than comment on a blog.

On the contrary, it might be a smokescreen to hide the undemocratic actions in the democratic party, or their (TLAs) own incompetence (they did not protect America).

Ok – in the spectrum of options, this is possible. Where is the evidence to support this claim? How is it stronger evidence then we have for it being Russian-led APT groups?

And I concur with @Dirk, how can one think Putin is that stupid? Ever heard that guy speaking? Watched his actions?

Why is it stupid?

If it was Putin, he has successfully influenced the election of the worlds last remaining superpower and assisted in ensuring the President of the US is someone more aligned to his interests.

Yes, there is some political fall out from the attack being investigated but it is trivial. Some diplomats being PNG’d will disrupt the FSB/SVR/GRU activities for a while but it is trivial compared to the benefits – not least of which is the demonstration that their tactics are successful.

Any repercussions are naturally limited – not least because so many people refuse to accept the data and create enough FUD that no Government will really take action about this.

It’s a huge failure to go public with suspicions instead of confronting your [fillinwhatyouwant] directly, face to face.

I don’t agree. Apart from anything else, the US government doesn’t feel this is a suspicion, they believe it is a solid attribution and have responded in the manner normally associated with Diplomatic engagements.

It isn’t a sign of weakness or cowardice.

GreenSquirrel • January 13, 2017 5:46 PM

@Clive

The word “Evidence” has fairly strict definitions in the fields of endevor it has meaning in such as the legal profession and the scientific profession, medicine etc. Each time you get challenged on this you lower the bar, to the point you are now arguing in effect “It’s evidence because that’s what I chose to call it”.

Not once have I changed my definition of evidence. I have said, on each occasion that evidence cant be simply defined as what is acceptable by the court of a chosen country. I haven’t lowered the bar once.

I get that people are getting pissed because their chosen conspiracy theory isn’t particularly sound, but that doesn’t mean I’ve changed the definition of evidence as used here.

You are doing this sight unseen on multiple assumptions most of which can be shown to be irrelavent or false.

Saying this doesn’t make it true. Can be shown to be irrelevant or false isn’t the same as it is shown to be irrelevant or false. I could show that the Earth resolves around the moon…. if that were true, but it isn’t.

Outside of law “Evidence” is something that can be tested and verified by any competent practicioner in the field of endevor.

There is nothing wrong with that definition of evidence and it is probably applicable to a lot of situations – including the research into the compromise of the DNC systems.

In that case, the evidence was provided to multiple competent practitioners in the field of DFIR and they have unanimously (at least so far) agreed it was the Russians.

Are you going to continue with the God of the Gaps and now say they are no longer competent because they’ve taken this stance or accept the fact the Evidence has been reviewed by people who are competent and they have all come to the same conclusion?

In law there is an acception for “eyewitness testimony” that is it has to be first hand knowledge and sworn to in court or where that is not possible by written and witnessed statment.

No one is arguing with the application of law in countries which follow the English tradition.

As I said to others, that isn’t relevant. Nothing published in the DHS report claims to be evidence for a court case. No one has ever said it was, so arguing that it isn’t, is just a strawman.

Even you have admitted that you have not seen the supposed facts, you just assume they are factual. Further you assume that commercial entities are trust worthy, most people these days would ask you something along the lines of “do you know about the bank crashes and to big to fail?” or “What about Enron” or a multitude of other commercial organisations.

You’ve gone off on multiple tangents here and conjoined a lot of concepts in an attempt to make a coherent argument.

For simplicity I will break it down:

1) I was not, and have never claimed to be, involved directly in the DFIR response to the DNC hack.

2) The facts reported by the DFIR companies are not “supposed” facts any more than the evidence provided to a trial by a Forensic Sciences Services Lab is a “supposed” fact.

3) I do not have to assume commercial entities are trustworthy just that they are competitive. To reiterate the bit everyone ignores, there is a monumental commercial advantage for any one of these companies to create a counter argument. As I said some time ago, no one with access to the evidence has doubted the connection with Russian sponsored advanced threat groups.

Further you talk of assumptive events not being questioned in 2014 and make unwarranted forward assumptions.

No. You are the one with a string of assumptions here.

You are heading down the path of a conspiracy theory supported by the argument conspiracy therefore conspiracy with the assumption any thing the government, or commercial entities say must be untrue. You claim to be avoiding assumptions but the reality is very much the opposite.

Having not seen them you say those allegadly taken on behalf of the Russian Government are the same as those hand delivered to Wikileaks.

I say that people who have been part of the investigation have stated publicly that they are the same. I am sorry if that wasn’t clearer.

You have assumed they are all lying or in the pay of a secret cabal of the US government which is more able to keep secrets than any other cabal in history.

That is an assumption.

Most people around here would know that that is an unsustanable view point because it’s well known that Wikileaks has a history of selective release and there had been know release from the Signals Agencies to compare anything against. So it’s not a supportable statment plain and simple.

Again, no.

The reporting, webcasts and conferences discussing the DFIR involving the commercial organisations involved all report that the documents on Wikileaks are in the set of data accessed by the Russian-state sponsored advanced threat group.

Now it is entirely possible that Wikileaks have more documents which would prove a different theory but you haven’t seen them either.

Your assumption here is that they have them. That is an assumption without any evidence other than the believe Wikileaks have withheld something for some unknown reason and this withheld data will be miraculously something outside the datasets captured by the APT group.

Big assumption.

However you then go on with some realy odd claim that this proves it must be the Russians because two seperate entaties grabbing the documents is to much of a coincidence. When you keep claiming that atleast two APT organisations were after the same data… According to what you assume are trusted sources…

Try again.

The use of APT28/29 is a nomenclature term which doesn’t indicate two different organisations.

Just to be clear, I haven’t made a claim on this – I asked you which scenario was the most likely, most credible, least extraordinary.

Coincidences do happen but based on the available evidence, the probability is against it. Your argument to the contrary is simply one which assumes there is more evidence which no one has seen that totally disproves the evidence everyone has seen.

Again, a big assumption.

That is they are at best “arms length” organisations or “contractors”, payed by results, not working by allegiance or as part of the command structure.

Wait. I am confused. We cant trust the IC because they are part of the government and we cant trust the private sector because they aren’t part of the government….? Ok, good job we can trust the Russian Government then.

On a serious note – the DFIR organisations involved in this have accessed more than the DNC systems. They have spent months collating data between different companies which saw different aspects of the attack. Most weren’t funded by the US government to do this and lots of the data has been gathered from multinational clients.

Seriously, rather than focus on the DHS report mixed in with some conspiracy theory, check out the publications, podcasts, webinars etc. Go to SANS DFIR Austin in June and ask Rob Lee directly why the whole security industry (including Russian companies) are happy with the attribution here.

Thus the probability is that all political party campaign systems have attracted their attention.

Agreed. Which implies the release of one parties data rather than others implies a political motivation.

Most people outside of the US do not see Hillary Clinton in a favourable light for various reasons, not least of which is she makes some War Hawks look tame.

An awful lot of people inside the US dont view here in a favourable light but that doesn’t change the fact it was a Russian associated advanced threat group which hacked the DNC.

Thus the APT organisations may have more customers than “Mother Russia”…

Agreed, but the APT groups identified in this instance do not appear to have any history of being “mercenary” or organised crime groups. They are a Russian state-sponsored group.

So we could argue that the Russians did the hack on behalf of the Somalian war lords but, honestly, we are moving further and further away from the evidence into the land of hearsay which everyone seems to object to.

Thus it might not be an assumption to far off the mark that the Democratic Campaign IT systems had poor or worse security.

It might not be an assumption far off the mark, but it is still an assumption isn’t it? Isn’t that what you keep chastising me for?

However, I don’t actually doubt that the DNC IT systems had average (poor) security.

That doesn’t matter. We aren’t talking about the controls able to prevent the attack because we know the attack happened. The techniques used by the APT group were not witchcraft but were a step above a teenager with a kali distro and some spare time. They indicate a resourced and persistent attacker.

Now the thing is if two or more people steal archives then even if done at seperate times they will have a very high degree of commonality, the only difference is that the one taken later will have more information in it.

Agreed. So what files released to wikileaks weren’t taken by the advanced threat group? You seem confident that these exist but have remained undetected by the DFIR people. Have you seen them or are you making an assumption here?

As for auditing the systems, you can easily get around those if you know how the backups are done. It’s a simple exploit I’ve demonstrated rather more times than I can remember, it’s the vulnerability that most Admins and the like don’t think about.

You can, as I said days ago, with the correct level of technical knowledge you can subvert the system to the point at which a forensic investigator cant detect your activity.

However, in this case the correct level is very, very high and it isn’t about attacking the backups.

One very relevant example is in the Shadowbrokers file dump – they appear to have a tool which is able to selectively edit the windows event logs without leaving an event log. If true this has significant impact for digital forensics investigators and it appears which ever insider pwnd the DNC also had this close-to-zero-day ability.

Thus a pissed of insider is rather more likely than you give credit for, and as we are talking archives you would have near identical document sets.

The concern I have regarding the insider threat is the assumption that no leading DFIR company considered this or checked for this – or that they all have such woeful abilities they can never detect insider threats. Neither of these statements is likely to be true.

There are too many assumptions in the “it wasnt the Russians” argument…..

Thus your argument it has to be the Russian’s is actually not water tight by any measure of the meaning.

This is very obviously your opinion. There is no amount of evidence or argument which will convince you otherwise because there is always the missing evidence which points to your theory and simply hasn’t been found yet.

No one has shown these three statements to be false:

1) An advanced threat group accessed the data which was leaked to Wikileaks.
2) the advanced threat group has been attributed to the Russian government since at least 2014 and possibly as far back as 1998.
3) There is no evidence of an insider threat actor.

Until you can do this, the strongest argument is that the group is the group which leaked the data to wikileaks.

What you do have is a lot of handwaving and vague references to other situations and allusions to conspiracies, assumptions that its not in the Russian interests or that the Russians wouldnt be so stupid etc.

If I go to the news pages right now and discover that Person X has been identified as the leak and that the APT activity was a genuine red herring then I am happy to reappraise my position.

Until then, it makes no sense to assume the scenario without evidence is the true one.

In fact you could argue more favourably that the Russian’s would not leak the archive documents, because it would be like trying to play poker with your hand face up on the table.

This assumes (get the general trend here?) that we fully understand the Russian motivations. If it was as simple as “we’d rather have our mate the Donald in the seat than that madwoman who bombs babies” then leaking the data makes more sense than trying to threaten Clinton during negotiations. In very practical terms, the data had a genuine lifespan – if Hillary had won the election, the leaked data would have been pretty useless. Its only value was to attempt a disruption on her campaign.

As for Russia spying on US Politicos, yup the US does it to, so do many other nations, that’s the Great Game in action.

So if we can agree that nations spy on other nations, why do you find it so hard to believe that the Russians hacked the DNC systems?

The US would certainly do it in a heartbeat if they thought they could influence the Russian government……

This is an argument that neither you nor Obama&Co can win except by trying to “talk fast whilst running with the goal posts” and you are going to get out of breath faster than those who are watching the entettainment for it’s comedy value.

This makes no sense to me, sorry.

I am not trying to win an argument that the US holds the moral high ground. I am trying to explain the fallacies in the conspiracy theories which build convoluted scenarios involving multiple threat actors with different agendas when the available evidence indicates something else.

However I am aware I am not going to win that argument either. As I said before there is no amount of evidence which will convince you that the SVR/FSB/GRU have carried out an operation they frequently do in other countries and similar to the ones the US/UK governments do. Its almost as if you have assumed the Russians take the moral high ground….

The apparent argument that it cant have been the Russians because the US doesn’t have the moral high ground seems a bit weird to me, so I might have misunderstood the relevance of this. If so, sorry.

GreenSquirrel • January 13, 2017 7:10 PM

@Sancho_P

No, unfortunately there is no court involved (which should follow civilized rules).

There is no commonly agreed set of rules. Public opinion cant ever agree on the standard of evidence and a large swath of the public has demonstrated a lack of regard for any evidence anyway.

This isn’t being tried in public, people are debating (fundamentally) whether or not they believe the reports produced by global security companies. Some do, some don’t. No one has any evidence to counter the claims made by the US government they just have supposition and a claim that the US doesn’t have enough evidence. It feels like an ironic stance to take to me.

To me it seems the sentence tries to combine the advanced threat group with the leaker.
Or did you mean “the same data”?

I meant the advanced threat group had access to the same data which ended up in Wikileaks. If the group were the leaker, then it reduces the complexity in the situation and removes the need for the invisible hand of an extra actor.

However, that hasn’t been confirmed by non US IC sources.

GreenSquirrel • January 14, 2017 2:09 PM

@Dirk Praet

It certainly does, but there is no shred of proof for that and thus with what we currently know is every bit as much conjecture as the insider theory.

Not quite.

The insider needs one extra layer of conjecture over what information is available – there is currently no evidence that an insider took the data.

Its a bit like saying an previously undetected alien species is just as likely to have wanted to influence the election – we have no evidence to disprove it and no evidence to support it but I don’t think anyone would say it was in the same ball park conjecture wise as the more rational alternatives.

However much I (reluctantly) agree to that idea, it will still have to be better than sworn statements of known liars or going with one possible explanation by lack of evidence for others.

I agree in principle with this. In the event that this were a criminal trial then yes, the burden of proof needs to meet the requirements of the court in which it is tried. If this were a civil case, then the burden of proof is often different and in most courts it changes from “beyond reasonable doubt” to “on balance of probabilities.”

For me, the situation with the DNC hack isn’t in a criminal court. At best I’d concede it should be treated like a civil case but the reality is there is no court, no jury, no judge.

This is a government making some information public and taking a decision on how to respond. I don’t think they are ever going to care enough to burn some sensitive human sources so that they can make their evidence court-room worthy just to attract public support from people who will still likely call it in to question.

Human intelligence sources are, generally, very poor witnesses in a court room which is why most of the time a court will trust their handlers report on what they have said and how trustworthy they are.

If the US government came out and said “we confirmed this from a well placed, trusted source in the Russian government who had sight of the instruction to hack the DNC and leak it to WIkileaks” – would you be happy to accept that a suitable evidence?

GreenSquirrel • January 14, 2017 4:30 PM

@Dirk Praet

Then you are asking more than the current requirement for most western courts regarding human intelligence sources in a criminal case. It is also more than the legal requirement for lots of technically collected evidence.

In the US, witness protection is a favoured avenue but even then it isn’t a cast iron requirement as human intelligence can be presented by the handler.

In the UK is it routine for a source handler to be the one providing the evidence with a description of the source, their access and their trustworthiness. This is then assessed by the judge who may, on occasion, demand to know the identity of the source but this isn’t normally disclosed to the Jury and never to the public.

Additionally, Police forces in most nations effectively take executive action on covert human intelligence often without a requirement to go to the courts if the need is to disrupt and prevent criminal activity or gather further evidence of criminal behaviour.

So, a police force which gets a “tip” that a gang have committed a crime or are planning to do, has some latitude around disrupting this based on the report as it provides a greater benefit for society. There may well be extensive arguments around how just this is, but it happens across the world.

For completeness, however, what international body would you feel was independent in this situation?

GreenSquirrel • January 14, 2017 6:23 PM

@Sancho_P

I’ll forget the “evidence”, but why do you ignore:

I assume you mean this bit “I know who leaked them,” Murray said. “I’ve met the person who leaked them, and they are certainly not Russian and it’s an insider. It’s a leak, not a hack; the two are different things.

If so, yes, this is someone making a claim that they have met the insider. Is this evidence? Is it stronger evidence than the dozens of private sector technical people who have looked at the systems and say it wasn’t?

Your call.

I will give you that we now have one item of evidence that an insider leaked the data. Do you agree?

or did I get that wrong, too?

I will try again.

The data wikileaks have released so far doesn’t contain anything which wasn’t in the set of data believed to be exfiltrated by the advanced threat group.

Does that help?

There is no _evidence_ but a public claim to have met the insider,
so your statement is doubtful, to say the least, but it smells like deception if you repeat doubtful statements.

I can show you public claims of people who have met aliens. Does that make them real?

What we have here is a claim by one person to have met the insider and “received a package” from them in September 2016 while in the US. If we accept this as evidence that the insider was active, then how do we dismiss the evidence from the CIA that a well placed source has indicated it was a Russian directed operation?

Do we say “Oh its the CIA they must be liars but this British ex-Ambassador must be telling the truth”? Do we say the multiple people within the US IC mean they are all liars but this one person is true?

I had largely steered away from any of the hearsay evidence around human sources because you objected to it as unreliable – and I was focused on what the technical people (independent of any particular government and from multiple nationalities) reported.

– The absence of knowledge is not proof of absence. –

I agree. I agree that the lack of any technical evidence (to be pedantic) of an insider isn’t proof there wasn’t one but it also isn’t proof there was one.

I will publicly say that Aliens from Rigel 5 visited Earth and decided to play games with the US elections and I met with them when they told me. Using your criteria this now carries the same weight as the insider threat angle and the lack of proof that I am telling the truth can’t cause people to doubt me.

GreenSquirrel • January 16, 2017 1:52 AM

@r

Trump’s right, we should stand down from NATO and middle eastern interdictions – we’ve got enough on our plate here at home and south of the border.

For me, this is a good indicator that the Russians would have a valid reason to have influenced the campaign in order that Trump was elected.