Tag Archives: journalism

The devil wears Pravda

Post Syndicated from Robert Graham original https://blog.erratasec.com/2018/05/the-devil-wears-pravda.html

Classic Bond villain, Elon Musk, has a new plan to create a website dedicated to measuring the credibility and adherence to “core truth” of journalists. He is, without any sense of irony, going to call this “Pravda”. This is not simply wrong but evil.

Musk has a point. Journalists do suck, and many suck consistently. I see this in my own industry, cybersecurity, and I frequently criticize them for their suckage.

But what he’s doing here is not correcting them when they make mistakes (or what Musk sees as mistakes), but questioning their legitimacy. This legitimacy isn’t measured by whether they follow established journalism ethics, but whether their “core truths” agree with Musk’s “core truths”.

An example of the problem is how the press fixates on Tesla car crashes due to its “autopilot” feature. Pretty much every autopilot crash makes national headlines, while the press ignores the other 40,000 car crashes that happen in the United States each year. Musk spies on Tesla drivers (hello, classic Bond villain everyone) so he can see the dip in autopilot usage every time such a news story breaks. He’s got good reason to be concerned about this.

He argues that autopilot is safer than humans driving, and he’s got the statistics and government studies to back this up. Therefore, the press’s fixation on Tesla crashes is illegitimate “fake news”, titillating the audience with distorted truth.

But here’s the thing: that’s still only Musk’s version of the truth. Yes, on a mile-per-mile basis, autopilot is safer, but there’s nuance here. Autopilot is used primarily on freeways, which already have a low mile-per-mile accident rate. People choose autopilot only when conditions are incredibly safe and drivers are unlikely to have an accident anyway. Musk is therefore being intentionally deceptive comparing apples to oranges. Autopilot may still be safer, it’s just that the numbers Musk uses don’t demonstrate this.

And then there is the truth calling it “autopilot” to begin with, because it isn’t. The public is overrating the capabilities of the feature. It’s little different than “lane keeping” and “adaptive cruise control” you can now find in other cars. In many ways, the technology is behind — my Tesla doesn’t beep at me when a pedestrian walks behind my car while backing up, but virtually every new car on the market does.

Yes, the press unduly covers Tesla autopilot crashes, but Musk has only himself to blame by unduly exaggerating his car’s capabilities by calling it “autopilot”.

What’s “core truth” is thus rather difficult to obtain. What the press satisfies itself with instead is smaller truths, what they can document. The facts are in such cases that the accident happened, and they try to get Tesla or Musk to comment on it.

What you can criticize a journalist for is therefore not “core truth” but whether they did journalism correctly. When such stories criticize “autopilot”, but don’t do their diligence in getting Tesla’s side of the story, then that’s a violation of journalistic practice. When I criticize journalists for their poor handling of stories in my industry, I try to focus on which journalistic principles they get wrong. For example, the NYTimes reporters do a lot of stories quoting anonymous government sources in clear violation of journalistic principles.

If “credibility” is the concern, then it’s the classic Bond villain here that’s the problem: Musk himself. His track record on business statements is abysmal. For example, when he announced the Model 3 he claimed production targets that every Wall Street analyst claimed were absurd. He didn’t make those targets, he didn’t come close. Model 3 production is still lagging behind Musk’s twice adjusted targets.


So who has a credibility gap here, the press, or Musk himself?

Not only is Musk’s credibility problem ironic, so is the name he chose, “Pravada”, the Russian word for truth that was the name of the Soviet Union Communist Party’s official newspaper. This is so absurd this has to be a joke, yet Musk claims to be serious about all this.

Yes, the press has a lot of problems, and if Musk were some journalism professor concerned about journalists meeting the objective standards of their industry (e.g. abusing anonymous sources), then this would be a fine thing. But it’s not. It’s Musk who is upset the press’s version of “core truth” does not agree with his version — a version that he’s proven time and time again differs from “real truth”.

Just in case Musk is serious, I’ve already registered “www.antipravda.com” to start measuring the credibility of statements by billionaire playboy CEOs. Let’s see who blinks first.

I stole the title, with permission, from this tweet:

Саморегулиране на медиите за борба с онлайн дезинформацията

Post Syndicated from nellyo original https://nellyo.wordpress.com/2018/05/08/jti/


Journalism Trust Initiative (JTI) е  инициатива за саморегулиране на медиите, предназначена да насърчава качествената журналистика в новата информационна екосистема. Това е идея на Репортери без граници  съвместно с партньори като Агенция Франс Прес (АФП) и  Европейския съюз за радио и телевизия (EBU).

В рамките на инициативата ще бъдат създадени система от стандарти, след което ще може да се провежда сертифициране.

Очакваното значение на стандартите  – според първоначалните текстове, свързани с инициативата:

  • ново средство за борба с дезинформацията и  защита на надеждната и качествена информация;
  • ползи за доставчици на съдържание, които се присъединят към инициативата и прилагат стандартите;
  • повече прозрачност по отношение на доставчиците на съдържание;
  • по-добра видимост онлайн за качественото съдържание;
  • повече  рекламни приходи, тъй като рекламодателите ще могат да разпознават  качествени медии;
  • обществена подкрепа за  качествените медии;
  • основа за знак за качество и доверие.

Стандартите ще бъдат разработени за период 12-18 месеца със сътрудничество на френския орган по стандартизация AFNOR  и германския орган за стандартизация Deutsches Institut für Normung (DIN).

Компанията Google е информирала Репортери без граници, че е взела решение да участва в инициативата. 

До 18 май е открита регистрация за участие.

Повече   – на страницата на инициативата в интернет. 

Some notes about the Kaspersky affair

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/10/some-notes-about-kaspersky-affair.html

I thought I’d write up some notes about Kaspersky, the Russian anti-virus vendor that many believe has ties to Russian intelligence.

There’s two angles to this story. One is whether the accusations are true. The second is the poor way the press has handled the story, with mainstream outlets like the New York Times more intent on pushing government propaganda than informing us what’s going on.

The press

Before we address Kaspersky, we need to talk about how the press covers this.
The mainstream media’s stories have been pure government propaganda, like this one from the New York Times. It garbles the facts of what happened, and relies primarily on anonymous government sources that cannot be held accountable. It’s so messed up that we can’t easily challenge it because we aren’t even sure exactly what it’s claiming.
The Society of Professional Journalists have a name for this abuse of anonymous sources, the “Washington Game“. Journalists can identify this as bad journalism, but the big newspapers like The New York Times continues to do it anyway, because how dare anybody criticize them?
For all that I hate the anti-American bias of The Intercept, at least they’ve had stories that de-garble what’s going on, that explain things so that we can challenge them.

Our Government

Our government can’t tell us everything, of course. But at the same time, they need to tell us something, to at least being clear what their accusations are. These vague insinuations through the media hurt their credibility, not help it. The obvious craptitude is making us in the cybersecurity community come to Kaspersky’s defense, which is not the government’s aim at all.
There are lots of issues involved here, but let’s consider the major one insinuated by the NYTimes story, that Kaspersky was getting “data” files along with copies of suspected malware. This is troublesome if true.
But, as Kaspersky claims today, it’s because they had detected malware within a zip file, and uploaded the entire zip — including the data files within the zip.
This is reasonable. This is indeed how anti-virus generally works. It completely defeats the NYTimes insinuations.
This isn’t to say Kaspersky is telling the truth, of course, but that’s not the point. The point is that we are getting vague propaganda from the government further garbled by the press, making Kaspersky’s clear defense the credible party in the affair.
It’s certainly possible for Kaspersky to write signatures to look for strings like “TS//SI/OC/REL TO USA” that appear in secret US documents, then upload them to Russia. If that’s what our government believes is happening, they need to come out and be explicit about it. They can easily setup honeypots, in the way described in today’s story, to confirm it. However, it seems the government’s description of honeypots is that Kaspersky only upload files that were clearly viruses, not data.


I believe Kaspersky is guilty, that the company and Eugene himself, works directly with Russian intelligence.
That’s because on a personal basis, people in government have given me specific, credible stories — the sort of thing they should be making public. And these stories are wholly unrelated to stories that have been made public so far.
You shouldn’t believe me, of course, because I won’t go into details you can challenge. I’m not trying to convince you, I’m just disclosing my point of view.
But there are some public reasons to doubt Kaspersky. For example, when trying to sell to our government, they’ve claimed they can help us against terrorists. The translation of this is that they could help our intelligence services. Well, if they are willing to help our intelligence services against customers who are terrorists, then why wouldn’t they likewise help Russian intelligence services against their adversaries?
Then there is how Russia works. It’s a violent country. Most of the people mentioned in that “Steele Dossier” have died. In the hacker community, hackers are often coerced to help the government. Many have simply gone missing.
Being rich doesn’t make Kaspersky immune from this — it makes him more of a target. Russian intelligence knows he’s getting all sorts of good intelligence, such as malware written by foreign intelligence services. It’s unbelievable they wouldn’t put the screws on him to get this sort of thing.
Russia is our adversary. It’d be foolish of our government to buy anti-virus from Russian companies. Likewise, the Russian government won’t buy such products from American companies.


I have enormous disrespect for mainstream outlets like The New York Times and the way they’ve handled the story. It makes me want to come to Kaspersky’s defense.

I have enormous respect for Kaspersky technology. They do good work.

But I hear stories. I don’t think our government should be trusting Kaspersky at all. For that matter, our government shouldn’t trust any cybersecurity products from Russia, China, Iran, etc.

The Future of Forgeries

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/07/the_future_of_f_1.html

This article argues that AI technologies will make image, audio, and video forgeries much easier in the future.

Combined, the trajectory of cheap, high-quality media forgeries is worrying. At the current pace of progress, it may be as little as two or three years before realistic audio forgeries are good enough to fool the untrained ear, and only five or 10 years before forgeries can fool at least some types of forensic analysis. When tools for producing fake video perform at higher quality than today’s CGI and are simultaneously available to untrained amateurs, these forgeries might comprise a large part of the information ecosystem. The growth in this technology will transform the meaning of evidence and truth in domains across journalism, government communications, testimony in criminal justice, and, of course, national security.

I am not worried about fooling the “untrained ear,” and more worried about fooling forensic analysis. But there’s an arms race here. Recording technologies will get more sophisticated, too, making their outputs harder to forge. Still, I agree that the advantage will go to the forgers and not the forgery detectors.

FBI’s Comey dangerous definition of "valid" journalism

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/05/fbis-comey-dangerous-definition-of.html

The First Amendment, the “freedom of speech” one, does not mention journalists. When it says “freedom of the press” it means the physical printing press. Yes, that does include newspapers, but it also includes anybody else publishing things, such as the famous agitprop pamphlets published by James Otis, John Dickinson, and Thomas Paine. There was no journalistic value to Thomas Paine’s Common Sense. The pamphlet argued for abolishing the monarchy and for American independence.

Today in testimony before congress, FBI directory James Comey came out in support of journalism, pointing out that they would not prosecute journalists doing their jobs. But he then modified his statement, describing “valid” journalists as those who in possession of leaks would first check with the government, to avoid publishing anything that would damage national security. It’s a power the government has abused in the past to delay or censor leaks. It’s specifically why Edward Snowden contacted Glenn Greenwald and Laura Poitras — he wanted journalists who would not kowtow the government on publishing the leaks.

Comey’s testimony today was in regards to prosecuting Assange and Wikileaks. Under the FBI’s official “journalist” classification scheme, Wikileaks are not real journalists, but instead publish “intelligence porn” and are hostile to America’s interests.

To be fair, there may be good reasons to prosecute Assange. Publishing leaks is one thing, but the suspicion with Wikileaks is that they do more, that they actively help getting the leaks in the first place. The original leaks that started Wikileaks may have come from hacks by Assange himself. Assange may have helped Manning grab the diplomatic cables. Wikileaks may have been involved in hacking the DNC and Podesta emails, more than simply receiving and publishing the information.

If that’s the case, then the US government would have good reason to prosecute Wikileaks.

But that’s not what Comey said today. Instead, Comey referred only to Wikileaks constitutionally protected publishing activities, and how since they didn’t fit his definition of “journalism”, they were open to prosecution. This is fundamentally wrong, and a violation of the both the spirit and the letter of the First Amendment. The FBI should not have a definition of “journalism” it thinks is valid. Yes, Assange is an anti-American douchebag. Being an apologist for Putin’s Russia disproves his claim of being a neutral journalist targeting the corrupt and powerful. But these activities are specifically protected by the Constitution.

If this were 1776, Comey would of course be going after Thomas Paine, for publishing “revolution porn”, and not being a real journalist.

Only lobbyist and politicians matter, not techies

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/only-lobbyist-and-politicians-matter.html

The NSA/CIA will only buy an 0day if they can use it. They can’t use it if they disclose the bug.

I point this out, yet again, because of this WaPo article [*] built on the premise that the NSA/CIA spend millions of dollars on 0day they don’t use, while unilaterally disarming tiself. Since that premise is false, the entire article is false. It’s the sort of article you get when all you interview are Washington D.C. lobbyists and Washington D.C. politicians — and no outside experts.

It quotes former cyberczar (under Obama) Michael Daniel explaining that the “default assumption” is to disclose 0days that the NSA/CIA get. This is a Sean Spicer style lie. He’s paid to say this, but it’s not true. The NSA/CIA only buy 0day if they can use it. They won’t buy 0day if the default assumption is that they will disclose it. QED: the default assumption of such 0day is they won’t disclose them.

The story quotes Ben Wizner of the ACLU saying that we should patch 0days instead of using them. Patching isn’t an option. If we aren’t using them, then we aren’t buying them, and hence, there are no 0days to patch. The two options are to not buy 0days at all (and not patch) or buy to use them (and not patch). Either way, patching doesn’t happen.

Wizner didn’t actually say “use them”. He said “stockpiling” them, a word that means “hold in reserve for use in the future”. That’s not what the NSA/CIA does. They buy 0days to use, now. They’ve got budgets and efficiency ratings. They don’t buy 0days which they can’t use in the near future. In other words, Wizner paints the choice between an 0day that has no particular value to the government, and one would have value being patched.

The opposite picture is true. Almost all the 0days possessed by the NSA/CIA have value, being actively used against our adversaries right now. Conversely, patching an 0day provides little value for defense. Nobody else knew about the 0day anyway (that’s what 0day means), so nobody was in danger, so nobody was made safer by patching it.

Wizner and Snowden are quoted in the article that somehow the NSA/CIA is “maintaining vulnerabilities” and “keeping the holes open”. This phrasing is deliberately misleading. The NSA/CIA didn’t create the holes. They aren’t working to keep them open. If somebody else finds the same 0day hole and tells the vendor (like Apple), then the NSA/CIA will do nothing to stop them. They just won’t work to close the holes.

Activists like Wizner and Snowden deliberate mislead on the issue because they can’t possibly win a rational debate. The government is not going to continue to spend millions of dollars on buying 0days just to close them, because everyone agrees the value proposition is crap, that the value of fixing yet another iPhone hole is not worth the $1 million it’ll cost, and do little to stop Russians from finding an unrelated hole. Likewise, while the peacenicks (rightfully, in many respects) hate the militarization of cyberspace, they aren’t going to win the argument that the NSA/CIA should unilaterally disarm themselves. So instead they’ve tried to morph the debate into some crazy argument that makes no sense.

This is the problem with Washington D.C. journalism. It presumes the only people who matter are those in Washington, either the lobbyists of one position, or government defenders of another position. At no point did they go out and talk to technical experts, such as somebody who has discovered, weaponized, used an 0day exploit. So they write articles premised on the fact that the NSA/CIA, out of their offensive weapons budget, will continue to buy 0days that are immediately patched and fixed without ever being useful.

Journalists: How hacking details matter

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/journalists-how-hacking-details-matter.html

When I write my definitive guide for journalists covering hacking, I’m going to point out how easy it is for journalists to misunderstand the details of a story — especially when they change the details to fit the story they want to tell.

For example, there is the notorious “CIA hacked Senate computers” scandal. In fact, the computers in question were owned by the CIA, located in a CIA facility, and managed/operated by CIA employees. You can’t “hack” computers you own. Yes, the CIA overstepped the bounds of an informal agreement with the Senate committee overseeing them, but in no way did anything remotely like “hacking” occur.

This detail matter. If the CIA had truly hacked the Senate committee, that would be a constitutional crisis. A small misstep breaking an informal agreement is not.

A more recent example is this story, which mentions that AlfaBank-Trump connection, claiming the server was in Trump Tower [*]:

What about the computer server at Trump Tower?
Several news media outlets have reported that investigators last year were puzzled by data transmissions between a computer server at Trump Tower and a computer server associated with a Russian bank. Although Mr. Trump on Twitter talked about his “phones,” in theory a judge might determine that the computer address of the server in the tower was a facility being used by a foreign power, Russia, to communicate, and authorize surveillance of it.

No, the server was not located in Trump Tower. It was located outside Philadelphia. It’s owned and operated by a company called Listrak. There’s no evidence anybody in the Trump Organization even knew about the server. It was some other company named Cendyn who decided to associate Trump’s name with the server. There’s no evidence of communication between the server and Alfa — only evidence of communication about the server from Alfa.

The details are important to the story, because it’s trying to show how a judge “might determine that the computer … in the tower was a facility being used by a foreign power”. If it’s not anywhere near or related to the Trump Tower, no such determination could be made.

Then there was that disastrous story from the Washington Post about Russia hacking into a Vermont power plant [*], which still hasn’t been retracted despite widespread condemnation. No such hacking occurred. Instead, the details of what happened is that an employee checked Yahoo mail from his laptop. The night before, the DHS had incorrectly configured its “Einstein” intrusion detection system to trigger on innocent traffic with Yahoo as an indicator of compromise from Russian hackers.

You can see how journalists make these mistakes. If CIA is spying on computers used by Senate staffers, then the natural assumption is that the CIA hacked those computers. If there was a server associated with the Trump Organization, however tenuous, it’s easy to assume a more concrete relationship, such as the server being located in Trump’s offices. You can see how once the DHS claims there was a hack, and you’ve filled your stories with quotes from senators pontificating about the meaning of such hacks, it’s very difficult to retract the story when the details emerge there was nothing remotely resembling a hack.

I’m not trying to claim that journalists need to be smarter about hacking. I’m instead claiming that journalists need to be smarter about journalism. The flaws here all go one way — toward the sensational. Instead of paying attention to the details and questioning whether such sensationalism was warranted, journalists did the reverse.

Also, I’m trying to point out how journalists seem to collude on this. They all piled on with misunderstandings about the “CIA hacking”, such that it became impossible for a journalist not to agree that this is what happened. The original reporting on the Alfa connection was crap, though it becomes real when other reporters repeat the claims. The Vermont hacking story is too juicy for reporters not to repeat, even when they know it’s completely bogus.

"From Putin with Love" – a novel by the New York Times

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/12/from-putin-with-love-novel-by-new-york.html

In recent weeks, the New York Times has written many stories on Russia’s hacking of the Trump election. This front page piece [*] alone takes up 9,000 words. Combined, the NYTimes coverage on this topic exceeds the length of a novel. Yet, for all this text, the number of verifiable facts also equals that of a novel, namely zero. There’s no evidence this was anything other than an undirected, Anonymous-style op based on a phishing campaign.

The question that drives us

It’s not that Russia isn’t involved, it’s that the exact nature of their involvement is complicated. Just because the hackers live in Russia doesn’t automatically mean their attacks are directed by the government.

It’s like the recent Islamic terrorist attacks in Europe and America. Despite ISIS claiming credit, and the perpetrators crediting ISIS, we are loathe to actually blame the attacks directly on ISIS. Overwhelmingly, it’s individuals who finance and plan their attacks, with no ISIS organizational involvement other than inspiration.

The same goes for Russian hacks. The Russian hacker community is complicated. There are lots of actors with various affiliations with the government. They are almost always nationalistic, almost always pro-Putin. There are many individuals and groups who act to the benefit of Putin/Russia with no direct affiliation with the government. Others do have ties with the government, but these are often informal relationships, sustained by patronage and corruption.

Evidence tying Russian attacks to the Russian government is thus the most important question of all — and it’s one that the New York Times is failing to answer. The fewer facts they have, the more they fill the void with vast amounts of verbiage.

Sustaining the narrative

Here’s a trick when reading New York Times articles: when they switch to passive voice, they are covering up a lie. An example is this paragraph from the above story [*]:

The Russians were also quicker to turn their attacks to political purposes. A 2007 cyberattack on Estonia, a former Soviet republic that had joined NATO, sent a message that Russia could paralyze the country without invading it. The next year cyberattacks were used during Russia’s war with Georgia.

Normally, editors would switch this to the active voice, or:

The next year, Russia used cyberattacks in their war against Georgia.

But that would be factually wrong. Yes, cyberattacks happened during the conflicts with Estonia and Georgia, but the evidence in both cases points to targets and tools going viral on social media and web forums. It was the people who conducted the attacks, not the government. Whether it was the government who encouraged the people is the big question — to which we have no answer. Since the NYTimes has no evidence pointing to the Russian government, they switch to the passive voice, hoping you’ll assume they meant the government was to blame.

It’s a clear demonstration that the NYTimes is pushing a narrative, rather than reporting just the facts allowing you to decide for yourself.

Tropes and cliches

The NYTimes story is dominated by cliches or “tropes”.

One such trope is how hackers are always “sophisticated”, which leads to the conclusion they must be state-sponsored, not simple like the Anonymous collective. Amusingly, the New York Times tries to give two conflicting “sophisticated” narratives at once. Their article [*] has a section titled “Honing Stealthy Tactics”, which ends with describing the attacks as “brazen”, full of “boldness”. In other words, sophisticated Russian hackers are marked by “brazen stealthiness”, a contradiction in terms. In reality, the DNC/DCCC/Podesta attacks were no more sophisticated than any other Anonymous attack, such as the one against Stratfor.

A related trope is the sophistication of defense. For example, the NYTimes describes [*] how the DNC is a non-profit that could not afford “the most advanced systems in place” to stop phishing emails. After the hacks, they installed the “robust set of monitoring tools”. This trope imagines there’s a magic pill that victims can use to defend themselves against hackers. Experts know this isn’t how cybersecurity works — the amount of money spent, or the advancement of technology, has little impact on an organization’s ability to defend itself.

Another trope is the word “target” that imagines that every effect from a hacker was the original intention. In other words, it’s the trope that tornados target trailer parks. As part of the NYTimes “narrative” is this story that “House candidates were also targets of Russian hacking” [*]. This is post-factual fake-news. Guccifer2.0 targeted the DCCC, not individual House candidates. Sure, at the request of some bloggers, Guccifer2.0 release part of their treasure trove for some specific races, but the key here is the information withheld, not the information released. Guccifer2.0 made bloggers beg for it, dribbling out bits at a time, keeping themselves in the news, wrapped in an aura of mysteriousness. If their aim was to influence House races, they’d’ve dumped info on all the races.

In other words, the behavior is that of an Anonymous-style hacker which the NYTimes twists into behavior of Russian intelligence.

The word “trope” is normally applied to fiction. When the NYTimes devolves into hacking tropes, like the “targets” of “sophisticated” hackers, you know their news story is fiction, too.

Anonymous government officials

In the end, the foundation of the NYTimes narrative relies upon leaked secret government documents and quotes by anonymous government officials [*]. This is otherwise known as “propaganda”.

The senior government officials are probably the Democrat senators who were briefed by the CIA. These senators leak their version of the CIA briefing, cherry picking the bits that support their story, removing the nuanced claims that were undoubtedly part of the original document.

It’s what the Society of Professional Journalists call the “Washington Game“. Everyone knows how this game is played. That’s why Marcy Wheeler (@emptywheel) [*] and Glenn Greenwald (@ggreenwald) [*] dissected that NYTimes piece. They are both as anti-Trump/anti-Russia as they come, so it’s not their political biases that lead them to challenge that piece. Instead, it’s their knowledge of what bad journalism looks like that motivated their criticisms.

If the above leaks weren’t authorized by Obama, the administration would be announcing an investigation into who is leaking major secrets. Thus, we know the leaks were “authorized”. Obama’s willingness to release the information unofficially, but not officially, means there are holes in it somewhere. There’s something he’s hiding, covering up. Otherwise, he’d have a press conference and field questions from reporters on the topic.


The issue of Russia’s involvement in the election is so important that we should demand real facts, real statements from the government that we can question and challenge. It’s too important to leave up to propaganda. If Putin is involved, we deserve to understand it, and not simply get the “made for TV” version given us by the NYTimes.

Propaganda is what we have here. The NYTimes has written a novel that delivers the message while protecting the government from being questioned. Facts are replaced with distorted narrative, worn tropes, and quotes from anonymous government officials.

The facts we actually see is an attack no more sophisticated than those conducted by LulzSec and Anonymous. We see an attack that is disorganized and opportunistic, exactly what we’d expect from an Anonymous-style attack. Putin’s regime may be involved, and they may have a plan, but the current evidence looks like casual hackers, not professional hackers working for an intelligence service.

This artsy stock photo of FSB headquarters is not evidence.

Note: many ideas in this piece come from a discussion with a friend who doesn’t care to be credited

The false-false-balance problem

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/11/the-false-false-balance-problem.html

Until recently, journalism in America prided itself on objectivity — to report the truth, without taking sides. That’s because big debates are always complexed and nuanced, and that both sides are equally reasonable. Therefore, when writing an article, reporters attempt to achieve balance by quoting people/experts/proponents on both sides of an issue.

But what about those times when one side is clearly unreasonable? You’d never try to achieve balance by citing those who believe in aliens and big-foot, for example.Thus, journalists have come up with the theory of false-balance to justify being partisan and one-sided on certain issues.
Typical examples where journalists cite false-balance is reporting on anti-vaxxers, climate-change denialists, and Creationists. More recently, false-balance has become an issue in the 2016 Trump election.
But this concept of false-balance is wrong. It’s not that anti-vaxxers, denialists, Creationists, and white supremacists are reasonable. Instead, the issue is that the left-wing has reframed the debate. They’ve simplified it into something black-and-white, removing nuance, in a way that shows their opponents as being unreasonable. The media then adopts the reframed debate.
Let’s talk anti-vaxxers. One of the policy debates is whether the government has the power to force vaccinations on people (or on people’s children). Reasonable people say the government doesn’t have this power. Many (if not most) people hold this opinion while agreeing that vaccines are both safe and effective (that they don’t cause autism).
Consider this February 2015 interview with Chris Christy. He’s one of the few politicians who have taken the position that government can override personal choice, such as in the case of an outbreak. Yet, when he said “parents need to have some measure of choice in things as well, so that’s the balance that the government has to decide“, he was broadly reviled as an anti-vaxxer throughout the media. The press reviled other Republican candidates the same way, even while ignoring almost identical statements made at the same time by the Obama administration. They also ignored clearly anti-vax comments from both Hillary and Obama during the 2008 election.
Yes, we can all agree that anti-vaxxers are a bunch of crazy nutjobs. In calling for objectivity, we aren’t saying that you should take them seriously. Instead, we are pointing out the obvious bias in the way the media attacked Republican candidates as being anti-vaxxers, and then hiding behind “false-balance”.
Now let’s talk evolution. The issue is this: Darwinism has been set up as some sort of competing religion against belief in God(s). High-schools teach children to believe in Darwinism, but not to understand Darwinism. Few kids graduate understanding Darwinism, which is why it’s invariably misrepresented in mass-media (X-Men, Planet of the Apes, Waterworld, Godzilla, Jurassic Park, etc.). The only movie I can recall getting evolution correct is Idiocracy.
Also, evolution has holes in it. This isn’t a bad thing in science, every scientific theory has holes. Science isn’t a religion. We don’t care about the holes. That some things remain unexplained by a theory doesn’t bother us. Science has no problem with gaps in knowledge, where we admit “I don’t know”. It’s religion that has “God of the gaps”, where ignorance isn’t tolerated, and everything unexplained is explained by a deity.
The hole in evolution is how the cell evolved. The fossil record teaches us a lot about multi-cellular organisms over the last 400-million years, but not much about how the cell evolved in the 4-billion years on planet Earth before that. I can point to radio isotope dating and fossil finds to prove dinosaurs existed 250,000 million to 60 million years ago, thus disproving your crazy theory of a 10,000 year-old Earth. But I can’t point to anything that disagrees with your view that a deity created the original cellular organisms. I don’t agree with that theory, but I can’t disprove it, either.
The point is that Christians have a good point that Darwinism is taught as a competing religion. You see this in the way books that deny holes in knowledge, insisting that Darwinism explains even how cells evolved, and that doubting Darwin is blasphemy. 
The Creationist solution is wrong, we can’t teach religion in schools. But they have a reasonable concern about religious Darwinism. The solution there is to do a better job teaching it as a science. If kids want to believe that one of the deities created the first cells, then that’s okay, as long as they understand the fossil record and radioisotope dating.
Now let’s talk Climate Change. This is a tough one, because you people have lost your collective minds. The debate is over how much change? how much danger? how much costs?. The debate is not over Is it true?. We all agree it’s true, even most Republicans. By keeping the debate between the black-and-white “Is global warming true?”, the left-wing can avoid the debate “How much warming?”.
Consider this exchange from one of the primary debates:
Moderator: …about climate change…
RUBIO: Because we’re not going to destroy our economy …
Moderator: Governor Christie, … what do you make of skeptics of climate change such as Senator Rubio?
CHRISTIE: I don’t think Senator Rubio is a skeptic of climate change.
RUBIO: I’m not a denier/skeptic of climate change.
The media (in this case CNN) is so convinced that Republican deny climate change that they can’t hear any other statement. Rubio clearly didn’t deny Climate Change, but the moderator was convinced that he did. Every statement is seen as outright denial, or code words for denial. Thus, convinced of the falseness of false-balance, the media never sees the fact that most Republicans are reasonable.
Similar proof of Republican non-denial is this page full of denialism quotes. If you actually look at the quotes, you’ll see that when taken in context, virtually none of the statements deny climate change. For example, when Senator Dan Sulliven says “no concrete scientific consensus on the extent to which humans contribute to climate change“, he is absolutely right. There is 97% consensus that mankind contributes to climate change, but there is widespread disagreement on how much.
That “97% consensus” is incredibly misleading. Whenever it’s quoted, the speaker immediately moves the bar, claiming that scientists also agree with whatever crazy thing the speaker wants, like hurricanes getting worse (they haven’t — at least, not yet).
There’s no inherent reason why Republicans would disagree with addressing Climate Change. For example, Washington State recently voted on a bill to impose a revenue neutral carbon tax. The important part is “revenue neutral”: Republicans hate expanding government, but they don’t oppose policies that keep government the same side. Democrats opposed this bill, precisely because it didn’t expand the size of government. That proves that Democrats are less concerned with a bipartisan approach to addressing climate change, but instead simply use it as a wedge issue to promote their agenda of increased regulation and increased spending. 
If you are serious about address Climate Change, then agree that Republicans aren’t deniers, and then look for bipartisan solutions.

The point here is not to try to convince you of any political opinion. The point here is to describe how the press has lost objectivity by adopting the left-wing’s reframing of the debate. Instead of seeing balanced debate between two reasonable sides, they see a warped debate between a reasonable (left-wing) side and an unreasonable (right-wing) side. That the opposing side is unreasonable is so incredible seductive they can never give it up.
That Christie had to correct the moderator in the debate should teach you that something is rotten in journalism. Christie understood Rubio’s remarks, but the debate moderator could not. Journalists cannot even see the climate debate because they are wedded to the left-wing’s corrupt view of the debate.
The issue of false-balance is wrong. In debates that evenly divide the population, the issues are complex and nuanced, both sides are reasonable. That’s the law. It doesn’t matter what the debate is. If you see the debate simplified to the point where one side is obviously unreasonable, then it’s you who has a problem.

Dinner with Rajneeshees

One evening I answered the doorbell to find a burgundy clad couple on the doorstep. They were followers of the Bagwan Shree Rajneesh, whose cult had recently purchased a large ranch in the eastern part of the state. No, they weren’t there to convert us. They had come for dinner. My father had invited them.
My father was a journalist, who had been covering the controversies with the cult’s neighbors. Yes, they were a crazy cult which later would breakup after committing acts of domestic terrorism.  But this couple was a pair of young professionals (lawyers) who, except for their clothing, looked and behaved like normal people. They would go on to live normal lives after the cult.
Growing up, I lived in two worlds. One was the normal world, which encourages you to demonize those who disagree with you. On the political issues that concern you most, you divide the world into the righteous and the villains. It’s not enough to believe the other side wrong, you most also believe them to be evil.
The other world was that of my father, teaching me to see the other side of the argument. I guess I grew up with my own Atticus Finch (from To Kill a Mockingbird), who set an ideal. In much the same way that Atticus told his children that they couldn’t hate even Hitler, I was told I couldn’t hate even the crazy Rajneeshees.

Debunking Trump’s "secret server"

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/11/debunking-trumps-secret-server.html

According to this Slate article, Trump has a secret server for communicating with Russia. Even Hillary has piled onto this story.

This is nonsense. The evidence available on the Internet is that Trump neither (directly) controls the domain “trump-email.com“, nor has access to the server. Instead, the domain was setup and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump’s hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philidelphia.

In other words,  Trump’s response is (minus the political bits) likely true, supported by the evidence. It’s the conclusion I came to even before seeing the response.

When you view this “secret” server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what’s going on. In the same Internet address range of Trump’s servers you see a bunch of similar servers, many named [client]-email.com. In other words, trump-email.com is not intended as a normal email server you and I are familiar with, but as a server used for marketing/promotional campaigns.

It’s Cendyn that registered and who controls the trump-email.com domain, as seen in the WHOIS information. That the Trump Organization is the registrant, but not the admin, demonstrates that Trump doesn’t have direct control over it.

When the domain information was changed last September 23, it was Cendyn who did the change, not the Trump Organization. This link lists a bunch of other hotel-related domains that Cendyn likewise controls, some Trump related, some related to Trump’s hotel competitors, like Hyatt and Sheraton.

Cendyn’s claim they are reusing the server for some other purpose is likely true. If you are an enterprising journalist with $399 in your budget, you can find this out. Use the website http://reversewhois.domaintools.com/ to get a complete list of the 641 other domains controlled by Cendyn, then do an MX query for each one to find out which of them is using mail1.trump-email.com as their email server.

This is why we can’t have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google’s, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.

Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story — debunking it. I’ve heard from other DNS malware researchers (names remain anonymous) who confirm they’ve seen lookups for “mail1.trump-email.com” from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June — and thus the claim of successful responses until September are false. In other words, the “change” after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.

Since I wrote this blog post at midnight, so I haven’t confirmed this with anybody yet, but there’s a good chance that the IP address has continued to spew spam for Trump hotels during this entire time. This would, of course would generate lookups (both reverse and forward). It seems like everyone who works for IT for a large company should be able to check their incoming email logs and see if they’ve been getting emails from that address over the last few months. If you work in IT, please check your logs for the last few months and Tweet me at @erratarob with the results, either positive or negative.

And finally, somebody associated with Alfa Bank IT operations confirms that executives like to stay at Trump hotels all the time (like in Vegas and New York), and there was a company function one of Trump’s golf courses. In other words, there’s good reason for the company to get spam from, and need to communicate with, Trump hotels to coordinate events.

And so on and so forth — there’s a lot of information out there if we just start digging.


That this is just normal marketing business from Cendyn and Listrak is the overwhelming logical explanation for all this. People are tempted to pull nefarious explanations out of their imaginations for things they don’t understand. But for those of us with experience in this sort of thing, what we see here is a normal messed up marketing (aka. spam) system that the Trump Organization doesn’t have control over. Knowing who owns and controls these servers, it’s unreasonable to believe that Trump is using them for secret emails. Far from “secret” or “private” servers as Hillary claims, these servers are wide open and obvious.

This post provides a logic explanation, but we can’t count on this being provably debunked until those like Dyn come forward, on the record, and show us lookups that don’t come from Alfa Bank. Or, those who work in big companies can pull records from their incoming email servers, to show that they’ve been receiving spam from that IP address over the last few months. Either of these would conclusively debunk the story.

But experts say…

But the article quotes several experts confirming the story, so how does that jibe with this blog post. The answer is that none of the experts confirmed the story.

Read more carefully. None of the identified experts confirmed the story. Instead, the experts looked at pieces, and confirmed part of the story. Vixie rightly confirmed that the pattern of DNS requests came from humans, and not automated systems. Chris Davis rightly confirmed the server doesn’t look like a normal email server.

Neither of them, however, confirmed that Trump has a secret server for communicating with the Russians. Both of their statements are consistent with what I describe above — that’s it’s a Cendyn operated server for marketing campaigns independent of the Trump Organization.

Those researchers violated their principles

The big story isn’t the conspiracy theory about Trump, but that these malware researchers exploited their privileged access for some purpose other than malware research.

Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google’s public DNS. It’s a huge privacy violation — justified on the principle that it’s for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google’s service. Sometimes people don’t realize how their ISP shares information, or how many of the root DNS servers are monitored.

People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers. People should be angrily asking ICANN, which is no longer controlled by the US government (sic), whether it’s their policy to share DNS lookup information with those who would attempt to change US elections.

There’s not many sources for this specific DNS information. Alfa Bank’s servers do their own resolution, direction from the root on down. It’s unlikely they were monitoring Alfa Bank’s servers directly, or monitoring Cendyn’s authoritative servers. That means some sort of passive DNS on some link in between, which is unlikley. Conversely, they could be monitoring one of the root domain servers — but this monitoring wouldn’t tell them the difference between a successful or failed lookup, which they claim to have. In short, of all the sources of “DNS malware information” I’ve heard about, none of it would deliver the information these researchers claim to have (well, except the NSA with their transatlantic undersea taps, of course).

Update: this tweet points out original post mentions getting data from “ams-ix23” node, which hints at AMS-IX, Amsterdam InterXchange, where many root server nodes are located.

The Yahoo-email-search story is garbage

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/10/the-yahoo-email-search-story-is-garbage.html

Joseph Menn (Reuters) is reporting that Yahoo! searched emails for the NSA. The details of the story are so mangled that it’s impossible to say what’s actually going on.

The first paragraph says this:

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails

The second paragraph says this:

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts

Well? Which is it? Did they “search incoming emails” or did they “scan mail accounts”? Whether we are dealing with emails in transmit, or stored on the servers, is a BFD (Big Fucking Detail) that you can’t gloss over and confuse in a story like this. Whether searches are done indiscriminately across all emails, or only for specific accounts, is another BFD.

The third paragraph seems to resolve this, but it doesn’t:

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

Who are these “some surveillance experts”? Why is the story keeping their identities secret? Are they some whistleblowers afraid for their jobs? If so, then that should be mentioned. In reality, they are unlikely to be real surveillance experts, but just some random person that knows slightly more about the subject than Joseph Menn, and their identities are being kept secret in order to prevent us from challenging these experts — which is a violation of journalistic ethics.

And, are they analyzing the raw information the author sent them? Or are they opining on the garbled version of events that we see in the first two paragraphs.

The confusion continues:

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

What the fuck is a “set of characters”??? Is this an exact quote for somewhere? Or something the author of the story made up? The clarification of what this “could mean” doesn’t clear this up, because if that’s what it “actually means”, then why not say this to begin with?

It’s not just technical terms, but also legal ones:

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company’s legal team, according to the three people familiar with the matter.

What the fuck is a “classified edict”? An NSL? A FISA court order? What? This is also a BFD.

We outsiders already know about the NSA/FBI’s ability to ask for strong selectors (email addresses). What what we don’t know about is their ability to search all emails, regardless of account, for arbitrary keywords/phases. If that’s what’s going on, then this would be a huge story. But the story doesn’t make it clear that this is actually what’s going on — just strongly implies it.

There are many other ways to interpret this story. For example, the government may simply be demanding that when Yahoo satisfies demands for emails (based on email addresses), that it does so from the raw incoming stream, before it hits spam/malware filters. Or, they may be demanding that Yahoo satisfies their demands with more secrecy, so that the entire company doesn’t learn of the email addresses that a FISA order demands. Or, the government may be demanding that the normal collection happen in real time, in the seconds that emails arrive, instead of minutes later.

Or maybe this isn’t an NSA/FISA story at all. Maybe the DHS has a cybersecurity information sharing program that distributes IoCs (indicators of compromise) to companies under NDA. Because it’s a separate program under NDA, Yahoo would need to setup a email malware scanning system separate from their existing malware system in order to use those IoCs. (@declanm‘s stream has further variations on this scenario).

My point is this: the story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story. The story certainly doesn’t say that Yahoo did anything wrong, or that the government is doing anything wrong (at least, wronger than we already know).

I’m convinced the government is up to no good, strong arming companies like Yahoo into compliance. The thing that’s stopping us from discovering malfeasance is poor reporting like this.