Trump And The DNC Servers

Though Trump's a disaster, he's sometimes right, and often far less wrong (or less obviously so) than his political opponents make him out to be. Prima facie, the following is important if true: the DNC refused to turn the physical server(s) in question over to the FBI. Most of the media, leaning left as usual, is deriding Trump for harping on this, for various reasons, some reasonable-sounding, some not so much.
   Here's the ambiguously-named Politifact insisting that Trump gets "all" the "details" wrong...if we interpret his words in the most unfavorable way--i.e., to mean that the DNC servers disappeared. Note that other parts of the quote aren't consistent with that interpretation--e.g. the bit where he asks "why haven't they [the FBI] taken the server?" [my emphasis], clearly indicating that it's still there and could be taken.
   Here's some dude at the Daily Beast:
Both the DNC and the security firm Crowdstrike, hired to respond to the breach, have said repeatedly over the years that they gave the FBI a copy of all the DNC images back in 2016. The DNC reiterated that Monday in a statement to the Daily Beast.
Ah! So both the DNC and the people they hired said that they gave up all the information! Gosh, I could hardly be more convinced. The emerging line seems to be: there's no reason for the FBI to get the hardware in question, and a lot of the servers are cloud-based, and having the hardware wouldn't be any better, and in fact the images are more important and it's actually worse to get the hardware too! Obviously, I exaggerate...but not a whole lot. For all I know, the unexaggerated version is true. But...the FBI did, apparently, ask for the hardware. And was turned down. One needn't wear a tinfoil MAGA hat to be suspicious about that. In order to explain away skepticism about the DNC, we have to believe that the FBI cyber crimes people don't know the the allegedly basic, obvious facts that the Daily Beast has to patiently explain to us. Why ask for something you don' t need? One answer might be: you ask for everything and take what you can get. If I had to bet, that's the explanation I'd bet on.
   Why didn't the DNC comply? One explanation is that they didn't want to part with the hardware so close to an election. Which seems reasonable.. Though, what with all the images lying around, couldn't they just buy new hardware and restore everything? (Mystic?) And, if the efforts to meddle in the election really were so profoundly important, the DNC couldn't take the hit? It's kind of hard to accept both of the things we're being asked to accept: (a) the Russian meddling struck at the very heart of American democracy, and (b) it was just fine for the DNC to refuse to cooperate fully with the FBI. I don't see how people in panic mode about (a) can accept (b) so readily.
   Anyway, my interest in defending Trump has worn as thin as it could get. But, as is so often the case, his position is being treated as absurd when that isn't obvious. At least not to the layperson, and not on the basis of the information that can be gleaned from the sneering dismissals. This sort of "detail" (it's not really a detail, is it? It's a huge, obviously salient fact) is exactly the sort of thing that can signal shenanigans. If shenanigans by the DNC were to be uncovered, people would say that there was just no reasonable way it could have been ignored. And they'd be right. Reasonable people--reasonable laypeople, at any rate--ought to see it as significant. Perhaps IT types all see it as entirely irrelevant. But if it is, I don't know enough to know that. 
   Needless to say, Trump's performance in Helsinki was still a disaster. He doesn't seem to understand that he's got certain institutional responsibilities whatever his personal views might be. It's hard for me to see his actions as being excusable. But the concerns on which his actions were based seem reasonable. He should have shoved them to the side in that context. But that's a different issue.
Anonymous Anonymous said...

The thing that actually bugs me the most is that metadata change the media keeps on mentioning. It's actually not that easy to change file metadata, and if you're just looking to remotely transfer documents, you'll basically never perform any write operation that would mark them as modified. Also, they gained access by spearfishing for credentials, so the user shouldn't have been named the same as the actual attacker (they would have been logged in under the compromised user). It's either a colossal blunder, or it's a fake, and I find it really implausible that professionals would make such an obvious blunder.

Then again, I've worked with plenty of developers who could barely tie their own shoes technically, so you can't assign too low a probability to incompetence. But the fact that there's been so little skepticism about that evidence is striking.

As far as the machine image vs physical server question, you could certainly recover enough information of malware infection just from a snapshot (although there is more information on the actual server, for instance in deallocated sectors of disk). If they really were using cloud infra, there would be no way to pin it to a single machine either (and the machines the vms run on are multi-tenant, so giving it to the FBI would be giving innocent customer information to them). But if they were really using a cloud email service like GSuite, the spearfishing attacks shouldn't have given them server access (since it's fully managed by google, so no customer is given server creds). I haven't been paying close enough attention to glean the exact technical details of the DNC's system though.

Blogger The Mystic said...

I see I have been summoned! I haven't really been paying direct attention to the trump fiasco as of late, but I can say this:

The PolitiFact article actually seems to me a lot less bad than you indicate for the following reasons:

1) Trump's words can't be interpreted in the charitable manner you indicate to be possible:

Specifically, you assert that the author uncharitably (or less-than-maximally-charitably) construes trump's words to imply "the DNC servers disappeared" based on your assessment that trump later asks why the FBI hasn't taken the server, and this would be internally inconsistent. The problem is, trump makes his "missing" assertion regarding a separate set of (non-DNC) servers administered by a Pakistani guy:

"What happened to the servers of the Pakistani gentleman that worked on the DNC? Where are those servers? They're missing; where are they?"

He doesn't make that assertion about the DNC server. Regarding those, Trump stated/asked:

"You have groups that are wondering why the FBI never took the server -- haven't they taken the server. Why was the FBI told to leave the office of the Democratic National Committee? I've been wondering that, I've been asking that for months and months and I've been tweeting it out and calling it out on social media. Where is the server? I want to know where is the server and what is the server saying?"

The author states "You could take Trump's words to mean a DNC server has gone missing, but that's not true." This is accurate. The author appropriately distinguishes between the servers being referenced and reports that the set of (non-DNC) servers Trump indicates has "gone missing" has not.

2) It's not just the DNC and CrowdStrike (a respected IT Security firm which is entirely independent of the DNC) which assert they have provided all the information requested by the FBI:

You say:

"Ah! So both the DNC and the people they hired said that they gave up all the information! Gosh, I could hardly be more convinced."

But in the PolitiFact article, Comey himself is quoted saying:

"We got the forensics from the pros that they hired which -- again, best practice is always to get access to the machines themselves, but this, my folks tell me, was an appropriate substitute,"

So the DNC, CrowdStrike, and the FBI do appear to agree that they have been provided with the data they requested. I don't know why the DNC did not hand over the hardware, but I talk about that later in (5) below.

3) Your admittedly-exaggerated representation of the "emerging line" seems confused:

You represent the position as including "a lot of the servers are cloud-based", but there's only a single actual DNC server in the PolitiFact article being referenced as an item requested by the FBI and referenced by trump. I don't know if you're talking about additional information of which I'm unaware (like I said: I haven't been following this), but if not, that might be a confusion on your end.

Blogger The Mystic said...

4) You're confusing kinds of "images":

So, "image" is a non-technical term used to reference a variety of things. One of those things is a component of a deployment mechanism in which a "base image" is constructed of a computer system (generic components such as the OS, software, drivers, etc., are installed and configured as will be applicable to all systems making use of the base image for deployment) and then extracted into a file (or set of files) from the system used to build the image. That set of files can then be used to reduce work required during any given server's deployment by allowing you to copy the general build from the image and then have only to configure any custom needs for that system. That's what you're thinking about.

The kind of image provided to the FBI, on the other hand, is a "forensic image", which is supposed to be a bit-by-bit copy of a hard disk (or set of hard disks) used by the imaged computer. You can then make copies from the copy, build a computer with identical hardware, and proceed to boot that new system into the state of the system being investigated at the point at which the image was captured. This is almost always done to investigate computers which have been targeted with malicious software so that your findings can be checked against the original copy of the disk to ensure that your investigative actions didn't inadvertently produce or disrupt any of your findings (since everything you do on a computer alters things, and software changes states as the system runs, etc.).

Blogger The Mystic said...

5) That said:

Comey and the FBI seem satisfied with being given the forensic image(s), and I don't know why the DNC didn't hand over the hardware. But, if they were still actively using the hardware that was targeted, it's likely that handing over the hardware at that point in time (after it had been running for who-knows-how-long, and after being subjected to who-knows-what remedial actions) would be far less useful than giving the FBI the image taken as soon as the DNC was made aware of the breach (hopefully that's when they did it, anyway).

But: if I were investigating that thing, I'd want to make sure that the firmware in each hardware component was checked for sanity. You won't get any of the firmware in your forensic image of the hard disks. The IT Security world got a huge wake-up call to what's possible with state-sponsored attackers when the NSA's junk was dumped to the Interwebs. They had designed software, for instance, which actually persists on hardware through even rewriting your entire hard disks by commiting a bootstrapper (something which has just enough code to, say, re-download the full malicious software package and re-install it) to the hard disk firmware, itself. Hard disks have tiny little pieces of code which run directly on them, independently of the operating system, which allow them to function (e.g. by fielding requests to read and write data from the OS) which we call firmware. Operating systems can, with appropriate privileges, upgrade firmware on hard disks, and that mechanism was used to "upgrade" the firmware with compromised firmware which included the bootstrapper. The malicious firmware version even had code in it to alter the way new firmware upgrades were handled against the disk, preventing it from being overwritten by future legitimate firmware upgrade attempts.

So if I ever knew hardware to be compromised by a state-sponsored actor like Russia, you can be damn sure I'd be decommissioning the hardware. If it was super, super valuable hardware, then I wouldn't put it back in action until all of the firmware on its various components had been examined. Then, I'd be confident it can be returend to service.

So if the DNC didn't turn over the hardware to the FBI, the only legitimate-ish reason I can imagine is that they were continuing to make use of that hardware. If the FBI allowed that to happen, or the DNC didn't listen when the FBI advised against that, then that's the real problem, if you ask me.

But I think the PolitiFact article does a fine job.

Also, trump's an unbelievable ignoranus (both a moron and an asshole).

Blogger The Mystic said...

Sorry; had to split comments due to length restrictions.

Blogger Winston Smith said...

That's all extremely helpful, Mystic.

But I'm not sure I buy your defense of the Politifact article. It concludes "Trump got all the details wrong"--but it seems as obvious as it could be (to me, anyway) that he didn't. He's right about the main "detail"--that the FBI didn't take the physical servers. Now, there's also the suggestion that there are missing servers (possibly the same ones referred to above)...but that's another "detail." He's apparently wrong about the latter one, but right about the first one.

You can't put a contentious interpretation on someone's words and then claim that they're wrong about all the details..."details" they wouldn't be wrong about without the contentious interpretation.

Blogger The Mystic said...

Well, isn’t trump only asserting that the set of allegedly DNC servers managed by some Pakistani guy has gone missing?

If so, he is wrong about the following details:
1) The servers are not DNC
2) The servers are are not missing.
3) The FBI expresses no interest in obtaining the servers as they were not known to be targeted by the Russians.

So... that’s all of the details except for the fact that there is a Pakistani guy involved, right?

Blogger Winston Smith said...

The FBI didn't take the DNC servers...which is the most important part of what he said.

Also: "You *could* take Trump's words to mean a DNC server has gone missing..." and if you do, *then* all the details are wrong...but...y'know...not if you don't adopt that contentious interpretation.

So...I'm not seeing how to make "he gets all the details wrong" a reasonable claim.

He gets several wrong...he speaks, as usual, in a sloppy way, and God knows what he actually thinks...but...all the details wrong? No.

