When is a hack not a hack?

BY David Waywell   /  11 August 2017

If you can take a moment from prepping your fallout shelter and/or stitching North Korean flags into your underwear, I want to tell you about exciting news breaking in the world of cybersecurity, where arguments currently blaze over the meaning of MB/s and Mb/s. I know that doesn’t sound too exciting but, according to some, this could make or break a presidency.

The story has been gestating for months but emerged fully grown, yesterday, in a piece by Patrick Lawrence at The Nation. Lawrence reports the findings of independent (though anonymous) forensic investigators examining the data files leaked by Guccifer 2.0, the person(s) claiming to have hacked the servers of the Democratic National Committee last year. The trail of links is worth following if you’re interested in the hard computer science of the case, and deeper articles in the thread do get particularly meaty about Linux time formats and .7z files.

In short, however, it would seem that some of what we know about “Russiagate” is, in fact, false. According to Lawrence:

Forensic investigators, intelligence analysts, system designers, program architects, and computer scientists of long experience and strongly credentialed are now producing evidence disproving the official version of key events last year.

The key event was the theft of emails from the Democratic National Headquarters, which, it had been concluded, was the work of a remote hacker, possibly in Russia. This claim is now questioned, with the forensic examiners pointing out that the files could not have been transferred via the internet. The leaked data was at least 1,976 megabytes in size (the figure is a minimum, since some suspect the theft involved even more data), and it was downloaded in just 87 seconds. Dividing the number of megabytes by the time it took gives us the data transfer rate, which works out at just over 22.7 megabytes of data per second. Much of the argument has since revolved around this simple number. Can data be transferred across the internet and, more specifically, across the Atlantic, at that speed?

The short answer is yes: 22.7 megabytes per second is a relatively trivial speed for data transmitted down the Atlantic “pipes”, the more recent of which can handle speeds running to many terabits a second. The longer answer begins: but individual users don’t have access to the infrastructure needed to perform that kind of data transfer. More problematic is whether the DNC servers were even linked to a local network capable of sustaining that kind of speed. This, the investigators conclude, makes it unlikely that the data was stolen by somebody outside the DNC, and, given that the actual data transfer rate is much closer to that which we’d normally associate with a USB pen drive, it adds further credence to the theory that the theft was done on site.

There is, admittedly, more to the analysis than I’ve outlined here and, on the whole, the conclusions are very convincing. Much of the counterargument is riddled with confusions of nomenclature. Many of the copious comments hanging beneath these articles are about data transmission and how many million bits can be sent per second. Critics point out that data transmission is calculated in Mb/s (megabits per second) and say other people are confusing it with megabytes per second, usually written MB/s.

Confused? Don’t be. The central point is that some aspects of the case being forwarded are very strong. Where it is weak, however, is in some of the assumptions.

For example, many of the conclusions are gleaned by examining the ‘metadata’, yet elsewhere in the article, the “Russian fingerprints” are considered false because “that metadata was deliberately altered and documents were deliberately pasted into a Russianified [W]ord document with Russian language settings and style headings”. It is also noted that among the CIA tools leaked via WikiLeaks was a tool “called Marble that is capable of obfuscating the origin of documents in false-flag operations and leaving markings that point to whatever the CIA wants to point to”. In other words: some metadata is treated as evidence whilst other metadata is treated as compromised. Contradiction? Perhaps.

Elsewhere, it is assumed that the hacker(s) worked by transferring files directly from the DNC server to their home machine. It’s sometimes true that hackers would do this but, when the files are extremely large or extremely sensitive, there are alternatives, such as transferring them first to a server geographically closer to the target. The proximity usually means faster file transfer speeds. This intermediate machine will usually have less security than the target machine and provides a level of separation between the hacker and their target. Files might even be passed between multiple machines before being recovered, in order to obscure the tracks.

Lawrence makes his case brilliantly, as do his sources, but one might still wonder how much of this still rests on unverifiable assumptions. The analysis argues, for example, that the data was handled on a machine with a clock set to Eastern Standard Time. Concludes “The Forensicator”:

This initial copying activity was done on a system where Eastern Daylight Time (EDT) settings were in force. Most likely, the computer used to initially copy the data was located somewhere on the East Coast.

This might well be a good assumption but it can still only be that. Hackers can (and do) change their computer clocks to ensure that even this small detail can’t later be used to reveal their geographic location. There is also no absolute proof of when or where these timestamps were set. Is it beyond the realms of possibility that a hacker, somewhere in Eastern Europe, was working from a machine set to EST? Unlikely, perhaps, but we have already fallen into an area of speculation. Was this the work of a data thief located in the vicinity of 430 South Capitol Street, or was it the work of somebody good enough at their work to make it look like a simple data theft?

More importantly: does it even matter? The way the data was taken does nothing to discredit the fact that the data was stolen. Kevin Mitnick is one of the most famous hackers turned authors, and his book, Ghost in the Wires, is an excellent introduction to the psychology and practices of hackers. It also makes the very clear argument that hacking is often a social and not an electronic skill. Data was retrieved from DNC servers but the method has not yet been determined. Whether it was “an inside job” or something more esoteric, the point is still the same: data found its way into the hands of WikiLeaks and, most likely, agents acting on behalf of the Russian government.

Rewriting the narrative of the “Russiagate” hack does not invalidate the entire Russian story. Robert Mueller’s investigation will be dealing only tangentially with the stolen emails because very little is specifically predicated on the hacked data. Trump officials have admitted meetings with the Russians and Donald Trump Jr has admitted that he was interested in getting information meant to compromise the Clinton campaign. The evidence of the past few days, with Paul Manafort’s home being targeted for a “no-knock” raid, suggests that investigators are already beyond arguing esoterics and have hard evidence to justify warrants.

Lawrence’s story and the articles it is built upon are a fascinating – dare one say exciting – insight into this puzzling case, but the information emerging about the nature of the hack doesn’t provide some magic bullet that destroys the Russian enquiry. Rather, it underlines the complexity of the investigation and why Robert Mueller will not be performing any miracles overnight.