CIA's Pandemic Toolkit

WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called "Pandemic":

The Pandemic leak does not explain what the CIA's initial infection vector is, but does describe it as a persistent implant.

"As the name suggests, a single computer on a local network with shared drives that is infected with the 'Pandemic' implant will act like a 'Patient Zero' in the spread of a disease," WikiLeaks said in its summary description. "'Pandemic' targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine."

The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.

Version 1.1 of Pandemic, according to the CIA's documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.

"It will infect remote computers if the user executes programs stored on the pandemic file server," WikiLeaks said. "Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets."

The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.

WikiLeaks page. News article.

EDITED TO ADD: In this case, Wikileaks has withheld the tool itself and just released the documentation.

Posted on June 5, 2017 at 6:16 AM • 34 Comments
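Because the implant described above serves replaced bytes over SMB while leaving the file on the server's disk untouched, integrity monitoring that runs on the file server sees nothing; the comparison has to be between the on-disk view and what a client actually receives. The Python below is an added example, not part of the original post or of the leaked documentation. The function names, paths and manifest format are assumptions, and the manifest is assumed to reach the client by a channel other than the share itself.

```python
"""Compare a file server's on-disk hashes with the bytes an SMB client receives.

Added example: function names, paths and the manifest layout are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large files do not fill memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(local_root):
    """Run on the file server, against the share's local disk path."""
    root = Path(local_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_remote_view(manifest, remote_root):
    """Run on a client, against the share as mounted or addressed remotely.

    Every file is re-hashed from the bytes actually delivered; size and
    timestamps are not trusted, since only the content proves what was served.
    """
    root = Path(remote_root)
    findings = []
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            findings.append((rel, "missing"))
        elif sha256_file(target) != expected:
            findings.append((rel, "hash-mismatch"))
    return findings


def demo():
    """Constructed sample: two directories stand in for the two views."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp, "server_disk")            # what the server stores
        served = Path(tmp, "as_served_over_smb")   # what the client receives
        files = {
            "tools/setup.exe": b"MZ original installer bytes",
            "docs/readme.txt": b"unchanged text",
        }
        for rel, data in files.items():
            for root in (disk, served):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Simulate the client being handed different bytes for one executable.
        (served / "tools/setup.exe").write_bytes(b"MZ different bytes served")
        return compare_remote_view(build_manifest(disk), served)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

A mismatch only shows that the two views differ; the manifest is only as trustworthy as the host that produced it, so a copy built from offline media or a backup is the stronger baseline.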

Comments

Winter • June 5, 2017 6:37 AM

I wonder whether there are also provisions to alter any checksums downloaded from the same machine on-the-fly? Or even signatures of applications where the private keys have been "obtained"?

Vesselin Bontchev • June 5, 2017 7:01 AM

> WikiLeaks is still dumping CIA cyberweapons on the Internet.

Well, in this particular case they aren't; they have dumped only the documentation of the tool.

keiner • June 5, 2017 7:41 AM

"...runs as kernel shellcode that installs a file system filter driver."

Hmmm, what are the chances this is delivered by standard Windows/Linux kernel code?

Gerard van Vooren • June 5, 2017 9:28 AM

"The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file."

Which means that what developers and researchers warned about actually took place. Well, TLAs do know how to spend their massive budgets. But if they can infect binaries they also can infect ISOs and the SIG files as well.

Ross Snider • June 5, 2017 12:28 PM

@Bruce Schneier

Do you think Wikileaks is doing good journalism in this case?

They appear to be ethically constrained (regarding dumping the actual tools themselves), have revealed information important and interesting to the public, and have gone to great lengths to edit out the names of agents and other information that could endanger operatives' lives.

Opening these documents up has revealed for other journalists information that has helped them to contextualize cyberintelligence.

On the flip side as a journalism outlet the disclosure of this information has made it both expensive and logistically difficult for CIA to operate on some of its missions, it has questioned the credibility and the efficacy of the organization, and it has embarrassed the Trump Administration by showing how its CIA is circumventing the process for classifying, vetting and controlling cyberarsenals.

If you were a journalist, how would you handle reporting on documents like these?

Anura • June 5, 2017 1:44 PM

@Ross Snider

In this case, I don't see a problem, but given that in the past they have deliberately misled the public and have timed releases in the past for political impact. This pretty much eliminates their credibility and makes me ask if they have faked any of their leaks? Since they have shown their willingness to be a political organization and play games with the public I have to wonder what are they withholding for political reasons? They aren't transparent themselves, so we have no way of knowing, and I really don't have a reason to see them as more than a propaganda outlet.

Ross Snider • June 5, 2017 2:42 PM

@Anura

> deliberately misled the public

When? This is a misleading narrative that the US government and its partners have sought by suggesting that Wikipedia published fake information, etc. But all of these accusations have thus far proven to be unsubstantiated and motivated purely by how inconvenient the journalism has been for the parties in question. It's not a good idea for us to repeat that here, where we attempt to rise above being manipulated.

Wikileaks 100% is a political journalistic enterprise. It's just that there are (unfortunately) no large scale journalistic enterprises that are not.

The only reason we're talking about Wikileaks is that it "punches above its weight" in that it is willing to publish materials (to the great personal risk of its sources, editors and staff) that no other media outlet today is courageous enough to publish.

I remember when the NYT lied about the Iraq War, when the entire US news industry tried to handwave the contents of the Snowden Documents (even going so far as to adopt the government terminology of "bulk collection" for illegal mass and global surveillance), their role in denigrating civil direct actions like Occupy Wall Street. I'm watching today as the mass media fibs and lies about North Korea, about what's going on in the Middle East and about great power competition and the status of the United States on the world stage.

I've heard the canned responses in your comment before from various pundits and hired smiles, and from those who primarily repeat what they hear from hired smiles.

I personally think Wikileaks does a wonderful job and has a noble purpose and that exhibited in it is the reason the United States has baked into its moral fiber and rule of law the independence of press and freedom of speech. Its record of reporting on impactful, true, non-altered material is manifest for the record and put side to side against other outlets clearly stands above them.

And I personally think that those people who magnify rumors from authoritarian regimes like those run by the Trump Administration, for example implicitly out calling independent media like Wikileaks "fake news" and questioning both freedom of speech and the role of independent journalism is THE primary fascist vein of thought that's been running through America.

It's awful to run into it on a computer security blog as well.

Anura • June 5, 2017 2:55 PM

@Ross Snider

In at least two of the CIA leaks, Wikileaks claimed they were tools to fake attribution when they were nothing of the sort (one was code snippets of in-the-wild techniques, the other was string obfuscation, neither have much of a use when it comes to faking attribution). This was obviously an attempt to discredit the reports on the DNC/Clinton Foundation hacking, since it's pretty obvious to anyone who looked at the code that they had nothing to do with attribution. Successful too, since the media ran with their narrative and it was old news by the time anyone who knew what they were doing had time to look into them.

Whether it was Russia or not, I don't know, but given that they are deliberately poisoning the well of information, I can only say for sure that Assange does not practice what he preaches and wikileaks has ulterior motives that are not in the interest of the public at large.

Ross Snider • June 5, 2017 3:16 PM

@Anura

> In at least two of the CIA leaks, Wikileaks claimed they were tools to fake attribution when they were nothing of the sort ...

Having read the "Vault7" leaks it is very clear to me (and I would suggest anyone else remotely technically capable) that the CIA is able to fake attribution of their malware. Actually, I don't think that this is surprising, horrible, slanderous, or anything else of that nature. If Wikileaks were making it up (they are not), it seems like they could make up something more slanderous than something you'd obviously expect from an intelligence agency?

> This was obviously an attempt to discredit the reports on the DNC/Clinton Foundation hacking

What?

Do you have a better (i.e. real) instance of Wikileaks' misleading the public?

I mean, I'm defending them here and I can come up with better examples: I would say that their twitter feed is absolutely awful and nothing close to either professionally run or journalistic.

But as far as their actual reporting and publishing is concerned there's nothing close to evidence for the sort of inappropriate hogwash you're mudslinging. You even came up with an obviously wrong (on multiple points) example where presumably you would try to exhibit the strongest possible argument? It's been funny to watch people parrot the propaganda line as it's changed from "Wikileaks publishes everything and that's irresponsible" to "Wikileaks isn't publishing everything and that's irresponsible."

(Hint: been on this block for a long time.)

Anyway, I get your point. You buy the authoritarian propaganda narrative that Wikileaks is all spooky-spooky and illegitimate. It's exhausting dealing with conspiracy theorists so I'll just leave this conversation as it is.

@Bruce Schneier would love to hear your take on the handling of the CIA leaks - how appropriately that has been done thus far, and what you would do if you were in the position of a journalistic outlet.

Anura • June 5, 2017 3:30 PM

@Ross Snider

> Having read the "Vault7" leaks it is very clear to me (and I would suggest anyone else remotely technically capable) that the CIA is able to fake attribution of their malware

The point isn't that they are capable - to do that, you just need to repurpose malware from foreign governments - the point is that Wikileaks was saying that the CIA had built tools specifically to fake attribution, which the tools they said were for faking attribution were nothing of the sort. So tell me, what was the point of lying about that?

> This was obviously an attempt to discredit the reports on the DNC/Clinton Foundation hacking

What?

There was absolutely no reason to bring up attribution except that it casts doubts on the CIA's claim. It was purely a propaganda move, and one that reveals that they do not have credibility and are not concerned about their own stated agenda.

As for their twitter account, I've never looked at it, and I don't care.

Ross Snider • June 5, 2017 4:21 PM

@Anura

> "the point is that Wikileaks was saying that the CIA had built tools specifically to fake attribution, which the tools they said were for faking attribution were nothing of the sort. So tell me, what was the point of lying about that?"

No. I'm going to give you the benefit of the doubt and assume this was a misunderstanding and not a full flat out lie.

Here's what Wikileaks said, in full. The link is here: https://wikileaks.org/vault7/#Marble Framework

"Today, March 31st 2017, WikiLeaks releases Vault 7 "Marble" -- 676 source code files for the CIA's secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA."

"Marble does this by hiding ("obfuscating") text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the english language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA."

"Marble forms part of the CIA's anti-forensics approach and the CIA's Core Library of malware code. It is "[D]esigned to allow for flexible and easy-to-use obfuscation" as "string obfuscation algorithms (especially those that are unique) are often used to link malware to a specific developer or development shop.""

"The Marble source code also includes a deobfuscator to reverse CIA text obfuscation. Combined with the revealed obfuscation techniques, a pattern or signature emerges which can assist forensic investigators attribute previous hacking attacks and viruses to the CIA. Marble was in use at the CIA during 2016. It reached 1.0 in 2015."

"The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages."

"The Marble Framework is used for obfuscation only and does not contain any vulnerabilities or exploits by itself."

Wikileaks specifically mentioned that the CIA had the capability to misattribute, given they designed their obfuscation tool to process binaries with signatures in Russian, Farsi, Chinese and others. They did not claim that this was the purpose of the library - in fact they were quite clear about its purpose. Your speculation that this is somehow connected to the DNC or an attack on the credibility of the reports makes it really apparent to other commenters how idiosyncratically paranoid your perspective is.

My guess is that you haven't read any of Wikileaks' journalism and that you are substituting US propaganda material for personal engagement with the journalism. Namely I don't think this is out of malice, but out of innocence. But it's dangerous for you to repeat the lies of brutal organizations so cavalierly. So please reconsider doing it.

I'm assuming you are going to try to reply to this with some sort of word game or deliberate misinterpretation of something Wikileaks has published. I am not going to be trolled into replying to that.

Anura • June 5, 2017 4:28 PM

@Ross Snider

> The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi. This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, --- but there are other possibilities, such as hiding fake error messages.

The bolded is 100% pure unfiltered bullshit.

Ross Snider • June 5, 2017 4:35 PM

@Anura

Is it true that it would permit a forensic attribution double game?

The answer is yes. It would permit a forensic attribution double game.

Do they claim that this is the purpose of the tool? No. Do they claim to have found malware in which there is an evident double attribution game? No.

Are you confused about what they mean? Apparently.

Let's ask one final question: Does the CIA have the capability to misattribute their malware?

Actually let's ask two: Given how wrong you have been, thus far, about what Wikileaks has said and what their intentions have been, who's the one spreading bullshit?

Anura • June 5, 2017 4:54 PM

@Ross Snider

> Is it true that it would permit a forensic attribution double game?

No, it's not even plausible. Why would a malware writer compile strings intended to be read by the development team in the malware? It just doesn't make sense that you would; in fact, if you had malware targeting Chinese systems, regardless of the source you should only expect strings that are either in Chinese or are related to the target in some way (e.g. file paths).

mostly harmful • June 5, 2017 4:57 PM

@Anura

> In this case, I don't see a problem, but given that in the past they have deliberately misled the public and have timed releases in the past for political impact. This pretty much eliminates their credibility and makes me ask if they have faked any of their leaks?

How does a journalistic operation dedicated to providing authentic documents of consequence to the public manage to "eliminate their credibility" if, having published millions of such documents, not a single one has been shown to be inauthentic?

Say what you will about Wikileaks' editorial commentary. Who cares? Editorial commentary is just a fancy word for opinion, and providing opinions is not the mission of Wikileaks. Publishing authentic documents that matter is.

Do you judge the New York Times by its nonexistent funny pages, too? Do you go to art museums and critique the picture frames?

Seriously, what kind of nonsense are you trying to push, here?

But sure, go ahead and ask whether "they have faked any of their leaks". Find a counterfeit. Please do. You will have accomplished something nobody else has managed to do, and this despite great incentive on the part of the most powerful institutions in the world.

Of course, you might also ask yourself why nobody else has managed to do so, including every single institution from which the leaked documents have come.

> In at least two of the CIA leaks, Wikileaks claimed they were tools to fake attribution when they were nothing of the sort (one was code snippets of in-the-wild techniques, the other was string obfuscation, neither have much of a use when it comes to faking attribution).

Notice that you were able to arrive at this conclusion contrary to Wikileaks' editorialising, and with such confidence, thanks to the fact that Wikileaks publishes the abundant source material upon which they base their editorial claims.

Show us another journalistic enterprise that has ever facilitated its readership's skepticism to such an extent, or so encouraged healthy curiosity about how the world is actually run.

Anura • June 5, 2017 5:08 PM

@mostly harmful

The editorial content is what the news picks up and repeats and the more technical the articles, the more important it is that any editorial is correct because most of the population is not going to look at the leaks. And yes, pretty much every single right-wing website had that lie in the headline.

Ross Snider • June 5, 2017 5:09 PM

@Anura

> Why would a malware writer compile strings intended to be read by the development team in the malware?

What?

Are you a non-technical person?

Do you honestly believe that this is the only way for strings and settings to make themselves into a binary? Do you believe that the obfuscation tools do not function also on binary metadata and compiler side-effects? Do you also believe that all strings in a file are intended for “the developer team”? If the CIA (or anyone else) were looking to misattribute, wouldn’t they write the malware such that it contains functional strings in another language as well as compiler and IDE metadata in the other language?

Basically, you’ve made ridiculous assumptions that presuppose your conclusions.

This is the kind of insanity that domestic American propaganda creates. Confused people become so attached to contortions of reality that they actively seek to create a factual basis upon which to support the contortions.

Anura • June 5, 2017 5:31 PM

@Ross Snider

> Do you honestly believe that this is the only way for strings and settings to make themselves into a binary? Do you believe that the obfuscation tools do not function also on binary metadata and compiler side-effects?

Marble comes in before the compiler and works purely on the source code, only obfuscating strings if they are of the CARBLE or WARBLE types, so yeah.

> Do you also believe that all strings in a file are intended for “the developer team”?

No, I said that no developer would put strings intended for developers in the code, and thus this framework has nothing to do with that.

> If the CIA (or anyone else) were looking to misattribute, wouldn’t they write the malware such that it contains functional strings in another language as well as compiler and IDE metadata in the other language?

Functional strings?

VS • June 5, 2017 6:44 PM

I think that Snowden did public service by letting Americans know that their government had all of them on surveillance without a warrant. Chelsea Manning also tried to do public service but probably should've done a better job deleting individual identifiers that did a lot of harm to legitimate nation statecraft.

Not so sure about Wikileaks:
1) They started releasing Hillary emails right before the election. Seems like they wanted to influence elections towards Trump.
2) Assange said he'd surrender if Manning was released, she was, but he weaseled out of it. What is the man's character if not this?
3) Hard to believe that Wikileaks finds documents against US only. Are we to assume that Russians, Chinese and others are saints or that Wikileaks has an undisclosed political end goal?

We do need more organizations that increase transparency of governments around the world. Wikileaks is not the one I'd support. Just my two cents.

@ Ross Snider and @ Anura: seriously guys/gals, go easy on the bickering above :)

Ross Snider • June 5, 2017 7:01 PM

@VS

Agreed on the bickering front.

1. They released Podesta's emails, right? Which implicated Podesta and Clinton in a corruption scandal in which Podesta had been funneled money by Russia for political favors (during the Clinton-era "reset of relations with Russia"). 100% this was timed for political impact. Wikileaks seeks stories and materials that other news outlets won't cover. Its contract with its sources is that it will get as much publicity for the stories as is possible. The shitty thing about Wikileaks is that it showed itself to be potentially partisan in this case. Being a media outlet dedicated to disclosing crimes by the American government is 100% legitimate. Being a media outlet dedicated to disclosing scandal and biased reporting on one party is 100% legitimate (HuffPo, etc). But it's VERY difficult to do both credibly. In this case Wikileaks I think mismanaged its opportunity to say a lot more about corruption in the United States by showing how deeply corrupt both political parties are.

2. Weren't the specifics that she be released without prison or something and instead her sentence went through but got shortened? I think it would be wise for him to leave the embassy seeing that it's very clear that the sex allegations were invented to defame him (fully withdrawn, etc). The reason not to leave the embassy at this point is that he will be extradited for running a media outlet that is willing to publish classified material that damages the public position of the United States. Stepping out I think would be the ultimate sort of martyr move to show the world how truly damaged America's sense of justice is.

3. The history of Wikileaks is really interesting. The US used to support Assange and Wikileaks and they did report about US adversaries. It became an idiosyncratic obsession of wikileaks to combat US propaganda about these adversaries and to speak truth to the MOST powerful rather than just truth to all power. Of course, Wikileaks does publish on other nations (Syria and Turkey recently) but nobody in the US hears about it because there's not nearly the same amount of stink. In any case, it's perfectly legitimate for Wikileaks to have an idiosyncratic and even effective obsession about detailing US war crimes, lies and hostilities. In many ways, that's the kind of check you do very much WANT on singular superpowers. God forbid China or Russia become leading world powers and there's no media outlets willing to publish damaging classified material on them.

CP • June 5, 2017 9:51 PM

"and it has embarrassed the Trump Administration by showing how its CIA is circumventing the process for classifying, vetting and controlling cyberarsenals."

Ummmmm, yeah, I din't think so. But all past Presidents is factual

Onlooker • June 5, 2017 11:31 PM

> "1) They started releasing Hillary emails right before the election. Seems like they wanted to influence elections towards Trump."

Actually it all began in 2015 when her private email server became known to the public. Wikileaks published their first set of Clinton emails in March 2016 but at that point in time, there were more options in the race besides Clinton and Trump (eg: Sanders, Kasich, Stein, Johnson etc.).

Clinton lost the race on her own, not because of Wikileaks.

> "2) Assange said he'd surrender if Manning was released, she was, but he weaseled out of it. What is the man's character if not this?"

No, Assange said he would surrender if Manning was granted Clemency. The Obama Administration only granted a reduced sentence. Like many of the media outlets, your characterization of it as "weaseled out" is incorrect. The deal was "surrender for clemency" which was not what took place.

> "3) Hard to believe that Wikileaks finds documents against US only. Are we to assume that Russians, Chinese and others are saints or that Wikileaks has an undisclosed political end goal?"

Why does it matter if they have a political end goal if the information they leak is accurate? The US deserves to have its hypocrisy, lies and deceit exposed if not for anything but to give it the chance to do the right thing.

D-503 • June 6, 2017 12:03 AM

"3) Hard to believe that Wikileaks finds documents against US only. Are we to assume that Russians, Chinese and others are saints or that Wikileaks has an undisclosed political end goal?"
It's hard to believe, because it's false.
Wikileaks has released many documents embarrassing for the Russian government and many other governments, and continues to do so. Even documents embarrassing for the government of Ecuador.
It isn't Wikileaks' fault that the US news media only gets worked up about leaks about the US government.

Also, news isn't "against" anyone. Does the public have no right to be informed what's going on in the world or even their own country?

Rachel • June 6, 2017 1:12 AM

Ross Snider

"Wikileaks 100% is a political journalistic enterprise. It's just that there are (unfortunately) no large scale journalistic enterprises that are not.

The only reason we're talking about Wikileaks is that it "punches above its weight" in that it is willing to publish materials (to the great personal risk of its sources, editors and staff) that no other media outlet today is courageous enough to publish."

and the exact same can be said about The Intercept

ab praeceptis • June 6, 2017 3:01 AM

Anura, Ross Snider

I don't have a well informed opinion yet on that particular vault7 issue (and won't take any side). A look at executables shows that there is quite little in terms of strings, however (or more than some would think, depending on one's view). Other than, say, sprintf format strings, uris, function names, and the like, there are mostly only strings that were *meant* to be seen.

Given that function names, uris, etc. are usually purely functional and largely language independent (unless, of course, a chinese malware programmer would be stupid enough to use chinese names for functions, etc) I see mainly 2 vectors:

a) strings *meant* to be seen by the user (e.g. error messages)
b) eventual differences when using a nationalized compiler/ide. On this I have to pass as I don't work with those but I wanted to mention them, mainly for the reason that, of course, cia/nsa/fbi would almost certainly know those differences very well; after all, knowing whether a us/uk, a german, a chinese version of say, visual C, was used would be a relatively reliable hint to the origin of some software.

Obviously those make-believe tools talked about in vault7 are of type a), it seems.

Whether that vault7 material is believable largely depends on the type of software. Malware, I'd assume, would have a tendency to not be talkative. While it might look for diverse strings it itself would almost certainly communicate through number codes, i.e. it would hardly communicate "windows 7 build a.b.c.d identified. Going to infect xyz" but rather "5.7.a.b.c.d00xyz".

As for those "internal dev. communication strings" that were mentioned here, those are called comments and are *not* compiled.

All of that said, I recommend a healthy dose of mistrust. After all, all of that happens in the spook world which has its own set of rules and lots of intransparency.
Keep in mind, for instance, that spooks use make believe since aeons; often it's of little importance whether you really have a given capability or whether you just succeed in convincing your opponent of having it.
Moreover intelligence agencies wouldn't be intelligence agencies if they hadn't picked up the game as soon as there were first leaks. In other words: quite some of wikileaks material might be intentionally fed. That's how those agencies tick; while wikileaks is immensely troubling for them they at the same time cold-bloodedly see a "newspaper" enjoying immense trust and credibility; that is pretty valuable a tool for spooks.

Plus there is, of course, the big fat elephant question in the room, who feeds wikileaks and why wikileaks, both the people and the operation, are still alive.

steven • June 6, 2017 3:17 AM

"WikiLeaks is still dumping CIA cyberweapons on the Internet"

You're entitled to having bias and/or prejudice, but now having admitted this wasn't true:

"EDITED TO ADD: In this case, Wikileaks has withheld the tool itself"

isn't it reckless, even shameful to keep a false statement in the opening sentence of the article with a retraction only in the last?

Furthermore, was there a prior case where WikiLeaks dumped CIA cyberweapon(s) on the Internet? Or is that part of the accusation (implied by the word "still" and the phrasing "in this case") also false?

I regrettably feel less inclined to trust the information presented in this blog as-given, than I did in previous years.

mostly harmful • June 6, 2017 11:51 PM

Bill Binney made brief reference to Vault7 tools, and what CIA might have used some of them for, during his June 6, 2017 reddit AMA:

u/theepzaa asks:

> Do your instincts (or your sources within intelligence agencies) believe Russia 1) is responsible for the DNC leak/hack and/or 2) attempted to hack U.S. election systems in 2016?

u/IamBillBinney replies:

> No, not Russia, and if it was there would be direct evidence of it. Also, CIA using Vault 7 tools can make an attack it carries out look like it comes from another nation/party. The fact NSA does not provide a track for the packets reflecting fact of no hack attack means it was an insider job/leak. See Consortium News for related article.

The exchange then continues with more back-and-forth, touching on the topic of (mis)attribution, between Binney and other commenters.

Winter • June 7, 2017 3:54 AM

"Do your instincts (or your sources within intelligence agencies) believe Russia 1) is responsible for the DNC leak/hack and/or 2) attempted to hack U.S. election systems in 2016?"

Why not? Trump had business dealings and loans in Russia. It is impossible that the Russian services do not have incriminating material on Trump, everybody and their aunt have incriminating material about Trump. The Russians disliked Hillary with a vengeance. The campaign manager of Trump had worked years for Putin and Yanukovych. Several people high up in the Trump campaign team had contacts with Russian officials. Russian hackers are widely known to be recruited (part-time) for Russian intelligence (do not bother to complain about this).

These circumstances are at the level that we should wonder why the Russians would not interfere in the US elections?

Not that the Russians expected Trump to win, or even wanted him to win. That is a different matter.

r • June 7, 2017 5:01 AM

Jeez,

Response: chaff.

If you're operating within enemy errspace and don't bring some with you?

Doubly (and maybe tripoli so), it's /your/ multi million dollar project that will be downed.

Bruce Schneier • June 7, 2017 9:29 AM

"isn't it reckless, even shameful to keep a false statement in the opening sentence of the article with a retraction only in the last?"

Those feel like weird adjectives to describe it, so no.

In general, I prefer not to rewrite history by correcting mistakes in the text. I prefer to correct them at the end. You're right that the press norm is to correct the text and then explain the correction at the end. I will think about it for future corrections (as opposed to additions).

Thanks for your comment.

Gerard van Vooren • June 7, 2017 2:19 PM

@ mostly harmful, about the DNC hack:

Bill Binney said: "No, not Russia, and if it was there would be direct evidence of it."

I have said it a couple of times now, it's distraction politics and framing. It's the talking heads that are talking, without showing any concrete proof so far. But what's way more important: Don't listen to what they are rambling about, look at what they do!

Reality Winner • June 7, 2017 3:31 PM

@ VS

> 3) Hard to believe that Wikileaks finds documents against US only. Are we to assume that Russians, Chinese and others are saints or that Wikileaks has an undisclosed political end goal?

It's because the US is a democracy [nominally, at least]. They want to point out its contradictions and what they perceive as hypocrisy. You don't disclose documents of known autocracies/dictatorships because it isn't fun. Remember, the news is when man bites dog, not the otherwise.

Daniel • June 7, 2017 4:36 PM

@Bruce writes, "In general, I prefer not to rewrite history by correcting mistakes in the text. I prefer to correct them at the end. You're right that the press norm is to correct the text and then explain the correction at the end. I will think about it for future corrections (as opposed to additions)."

Let me offer my two cents on this topic. First, you are entitled to edit your blog your way. Everyone who has been around your blog for more than a short period of time understands how you handle corrections. Is it the normal practice? No. But why be normal? Second, I do not find your idiosyncratic editing practices alarming, I find them charming. It is part of what makes your blog your individual blog and not another form of mass media.

Grisu • June 10, 2017 10:13 AM

Did you have a look at the revision info? Version 1.0 is dated April 2014, version 1.1 in January 2014. Something is wrong here.
