https://consortiumnews.com/2019/03/13/v ... -findings/
I'll dump it here in full...
The final Mueller report should be graded “incomplete,” says VIPS, whose forensic work proves the speciousness of the story that DNC emails published by WikiLeaks came from Russian hacking.
March 13, 2019
MEMORANDUM FOR: The Attorney General
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Mueller’s Forensics-Free Findings
Executive Summary
Media reports are predicting that Special Counsel Robert Mueller is about to give you the findings of his probe into any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump. If Mueller gives you his “completed” report anytime soon, it should be graded “incomplete.” Major deficiencies include depending on a DNC-hired cybersecurity company for forensics and failure to consult with those who have done original forensic work, including us and the independent forensic investigators with whom we have examined the data. We stand ready to help.
We veteran intelligence professionals (VIPS) have done enough detailed forensic work to prove the speciousness of the prevailing story that the DNC emails published by WikiLeaks came from Russian hacking. Given the paucity of evidence to support that story, we believe Mueller may choose to finesse this key issue and leave everyone hanging. That would help sustain the widespread belief that Trump owes his victory to President Vladimir Putin, and strengthen the hand of those who pay little heed to the unpredictable consequences of an increase in tensions with nuclear-armed Russia.
There is an overabundance of “assessments” but a lack of hard evidence to support that prevailing narrative. We believe that there are enough people of integrity in the Department of Justice to prevent the outright manufacture or distortion of “evidence,” particularly if they become aware that experienced scientists have completed independent forensic study that yield very different conclusions. We know only too well — and did our best to expose — how our former colleagues in the intelligence community manufactured fraudulent “evidence” of weapons of mass destruction in Iraq.
We have scrutinized publicly available physical data — the “trail” that every cyber operation leaves behind. And we have had support from highly experienced independent forensic investigators who, like us, have no axes to grind. We can prove that the conventional-wisdom story about Russian-hacking-DNC-emails-for-WikiLeaks is false. Drawing largely on the unique expertise of two VIPS scientists who worked for a combined total of 70 years at the National Security Agency and became Technical Directors there, we have regularly published our findings. But we have been deprived of a hearing in mainstream media — an experience painfully reminiscent of what we had to endure when we exposed the corruption of intelligence before the attack on Iraq 16 years ago.
This time, with the principles of physics and forensic science to rely on, we are able to adduce solid evidence exposing mistakes and distortions in the dominant story. We offer you below — as a kind of aide-memoire— a discussion of some of the key factors related to what has become known as “Russia-gate.” And we include our most recent findings drawn from forensic work on data associated with WikiLeaks’ publication of the DNC emails.
We do not claim our conclusions are “irrefutable and undeniable,” a la Colin Powell at the UN before the Iraq war. Our judgments, however, are based on the scientific method — not “assessments.” We decided to put this memorandum together in hopes of ensuring that you hear that directly from us.
If the Mueller team remains reluctant to review our work — or even to interview willing witnesses with direct knowledge, like WikiLeaks’ Julian Assange and former UK Ambassador Craig Murray, we fear that many of those yearning earnestly for the truth on Russia-gate will come to the corrosive conclusion that the Mueller investigation was a sham.
In sum, we are concerned that, at this point, an incomplete Mueller report will fall far short of the commitment made by then Acting Attorney General Rod Rosenstein “to ensure a full and thorough investigation,” when he appointed Mueller in May 2017. Again, we are at your disposal.
Discussion
The centerpiece accusation of Kremlin “interference” in the 2016 presidential election was the charge that Russia hacked Democratic National Committee emails and gave them to WikiLeaks to embarrass Secretary Hillary Clinton and help Mr. Trump win. The weeks following the election witnessed multiple leak-based media allegations to that effect. These culminated on January 6, 2017 in an evidence-light, rump report misleadingly labeled “Intelligence Community Assessment (ICA).” Prepared by “handpicked analysts” from only three of the 17 U.S. intelligence agencies (CIA, FBI, and NSA), the assessment expressed “high confidence” in the Russia-hacking-to-WikiLeaks story, but lacked so much as a hint that the authors had sought access to independent forensics to support their “assessment.”
The media immediately awarded the ICA the status of Holy Writ, choosing to overlook an assortment of banal, full-disclosure-type caveats included in the assessment itself — such as:
“When Intelligence Community analysts use words such as ‘we assess’ or ‘we judge,’ they are conveying an analytic assessment or judgment. …Judgments are not intended to imply that we have proof that shows something to be a fact. … Assessments are based on collected information, which is often incomplete or fragmentary … High confidence in a judgment does not imply that the assessment is a fact or a certainty; such judgments might be wrong.”
To their credit, however, the authors of the ICA did make a highly germane point in introductory remarks on “cyber incident attribution.“ They noted: “The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation — malicious or not — leaves a trail.” [Emphasis added.]
Forensics
The imperative is to get on that “trail” — and quickly, before red herrings can be swept across it. The best way to establish attribution is to apply the methodology and processes of forensic science. Intrusions into computers leave behind discernible physical data that can be examined scientifically by forensic experts. Risk to “sources and methods” is normally not a problem.
Direct access to the actual computers is the first requirement — the more so when an intrusion is termed “an act of war” and blamed on a nuclear-armed foreign government (the words used by the late Sen. John McCain and other senior officials). In testimony to the House Intelligence Committee in March 2017, former FBI Director James Comey admitted that he did not insist on physical access to the DNC computers even though, as he conceded, “best practices” dictate direct access.
In June 2017, Senate Intelligence Committee Chair Richard Burr asked Comey whether he ever had “access to the actual hardware that was hacked.” Comey answered, “In the case of the DNC … we did not have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work. …” Sen. Burr followed up: “But no content? Isn’t content an important part of the forensics from a counterintelligence standpoint?” Comey: “It is, although what was briefed to me by my folks … is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016.”
The “private party/high-class entity” to which Comey refers is CrowdStrike, a cybersecurity firm of checkered reputation and multiple conflicts of interest, including very close ties to a number of key anti-Russian organizations. Comey indicated that the DNC hired CrowdStrike in the spring of 2016.
Given the stakes involved in the Russia-gate investigation – including a possible impeachment battle and greatly increased tension between Russia and the U.S. — it is difficult to understand why Comey did not move quickly to seize the computer hardware so the FBI could perform an independent examination of what quickly became the major predicate for investigating election interference by Russia. Fortunately, enough data remain on the forensic “trail” to arrive at evidence-anchored conclusions. The work we have done shows the prevailing narrative to be false. We have been suggesting this for over two years. Recent forensic work significantly strengthens that conclusion.
We Do Forensics
Recent forensic examination of the Wikileaks DNC files shows they were created on 23, 25 and 26 May 2016. (On June 12, Julian Assange announced he had them; WikiLeaks published them on July 22.) We recently discovered that the files reveal a FAT (File Allocation Table) system property. This shows that the data had been transferred to an external storage device, such as a thumb drive, before WikiLeaks posted them.
FAT is a simple file system named for its method of organization, the File Allocation Table. It is used for storage only and is not related to internet transfers like hacking. Were WikiLeaks to have received the DNC files via a hack, the last modified times on the files would be a random mixture of odd-and even-ending numbers.
Why is that important? The evidence lies in the “last modified” time stamps on the Wikileaks files. When a file is stored under the FAT file system the software rounds the time to the nearest even-numbered second. Every single one of the time stamps in the DNC files on WikiLeaks’ site ends in an even number.
We have examined 500 DNC email files stored on the Wikileaks site. All 500 files end in an even number—2, 4, 6, 8 or 0. If those files had been hacked over the Internet, there would be an equal probability of the time stamp ending in an odd number. The random probability that FAT was not used is 1 chance in 2 to the 500th power. Thus, these data show that the DNC emails posted by WikiLeaks went through a storage device, like a thumb drive, and were physically moved before Wikileaks posted the emails on the World Wide Web.
This finding alone is enough to raise reasonable doubts, for example, about Mueller’s indictment of 12 Russian intelligence officers for hacking the DNC emails given to WikiLeaks. A defense attorney could easily use the forensics to argue that someone copied the DNC files to a storage device like a USB thumb drive and got them physically to WikiLeaks — not electronically via a hack.
Role of NSA
For more than two years, we strongly suspected that the DNC emails were copied/leaked in that way, not hacked. And we said so. We remain intrigued by the apparent failure of NSA’s dragnet, collect-it-all approach — including “cast-iron” coverage of WikiLeaks — to provide forensic evidence (as opposed to “assessments”) as to how the DNC emails got to WikiLeaks and who sent them. Well before the telling evidence drawn from the use of FAT, other technical evidence led us to conclude that the DNC emails were not hacked over the network, but rather physically moved over, say, the Atlantic Ocean.
Is it possible that NSA has not yet been asked to produce the collected packets of DNC email data claimed to have been hacked by Russia? Surely, this should be done before Mueller competes his investigation. NSA has taps on all the transoceanic cables leaving the U.S. and would almost certainly have such packets if they exist. (The detailed slides released by Edward Snowden actually show the routes that trace the packets.)
The forensics we examined shed no direct light on who may have been behind the leak. The only thing we know for sure is that the person had to have direct access to the DNC computers or servers in order to copy the emails. The apparent lack of evidence from the most likely source, NSA, regarding a hack may help explain the FBI’s curious preference for forensic data from CrowdStrike. No less puzzling is why Comey would choose to call CrowdStrike a “high-class entity.”
Comey was one of the intelligence chiefs briefing President Obama on January 5, 2017 on the “Intelligence Community Assessment,” which was then briefed to President-elect Trump and published the following day. That Obama found a key part of the ICA narrative less than persuasive became clear at his last press conference (January 18), when he told the media, “The conclusions of the intelligence community with respect to the Russian hacking were not conclusive … as to how ‘the DNC emails that were leaked’ got to WikiLeaks.
Is Guccifer 2.0 a Fraud?
There is further compelling technical evidence that undermines the claim that the DNC emails were downloaded over the internet as a result of a spearphishing attack. William Binney, one of VIPS’ two former Technical Directors at NSA, along with other former intelligence community experts, examined files posted by Guccifer 2.0 and discovered that those files could not have been downloaded over the internet. It is a simple matter of mathematics and physics.
There was a flurry of activity after Julian Assange announced on June 12, 2016: “We have emails relating to Hillary Clinton which are pending publication.” On June 14, DNC contractor CrowdStrike announced that malware was found on the DNC server and claimed there was evidence it was injected by Russians. On June 15, the Guccifer 2.0 persona emerged on the public stage, affirmed the DNC statement, claimed to be responsible for hacking the DNC, claimed to be a WikiLeaks source, and posted a document that forensics show was synthetically tainted with “Russian fingerprints.”
Our suspicions about the Guccifer 2.0 persona grew when G-2 claimed responsibility for a “hack” of the DNC on July 5, 2016, which released DNC data that was rather bland compared to what WikiLeaks published 17 days later (showing how the DNC had tipped the primary scales against Sen. Bernie Sanders). As VIPS reported in a wrap-up Memorandum for the President on July 24, 2017 (titled “Intel Vets Challenge ‘Russia Hack’ Evidence),” forensic examination of the July 5, 2016 cyber intrusion into the DNC showed it NOT to be a hack by the Russians or by anyone else, but rather a copy onto an external storage device. It seemed a good guess that the July 5 intrusion was a contrivance to preemptively taint anything WikiLeaks might later publish from the DNC, by “showing” it came from a “Russian hack.” WikiLeaks published the DNC emails on July 22, three days before the Democratic convention.
As we prepared our July 24 memo for the President, we chose to begin by taking Guccifer 2.0 at face value; i. e., that the documents he posted on July 5, 2016 were obtained via a hack over the Internet. Binney conducted a forensic examination of the metadata contained in the posted documents and compared that metadata with the known capacity of Internet connection speeds at the time in the U.S. This analysis showed a transfer rate as high as 49.1 megabytes per second, which is much faster than was possible from a remote online Internet connection. The 49.1 megabytes speed coincided, though, with the rate that copying onto a thumb drive could accommodate.
Binney, assisted by colleagues with relevant technical expertise, then extended the examination and ran various forensic tests from the U.S. to the Netherlands, Albania, Belgrade and the UK. The fastest Internet rate obtained — from a data center in New Jersey to a data center in the UK — was 12 megabytes per second, which is less than a fourth of the capacity typical of a copy onto a thumb drive.
The findings from the examination of the Guccifer 2.0 data and the WikiLeaks data does not indicate who copied the information to an external storage device (probably a thumb drive). But our examination does disprove that G.2 hacked into the DNC on July 5, 2016. Forensic evidence for the Guccifer 2.0 data adds to other evidence that the DNC emails were not taken by an internet spearphishing attack. The data breach was local. The emails were copied from the network.
Presidential Interest
After VIPS’ July 24, 2017 Memorandum for the President, Binney, one of its principal authors, was invited to share his insights with Mike Pompeo, CIA Director at the time. When Binney arrived in Pompeo’s office at CIA Headquarters on October 24, 2017 for an hour-long discussion, the director made no secret of the reason for the invitation: “You are here because the President told me that if I really wanted to know about Russian hacking I needed to talk with you.”
Binney warned Pompeo — to stares of incredulity — that his people should stop lying about the Russian hacking. Binney then started to explain the VIPS findings that had caught President Trump’s attention. Pompeo asked Binney if he would talk to the FBI and NSA. Binney agreed, but has not been contacted by those agencies. With that, Pompeo had done what the President asked. There was no follow-up.
Confronting James Clapper on Forensics
We, the hoi polloi,do not often get a chance to talk to people like Pompeo — and still less to the former intelligence chiefs who are the leading purveyors of the prevailing Russia-gate narrative. An exception came on November 13, when former National Intelligence Director James Clapper came to the Carnegie Endowment in Washington to hawk his memoir. Answering a question during the Q&A about Russian “hacking” and NSA, Clapper said:
“Well, I have talked with NSA a lot … And in my mind, I spent a lot of time in the SIGINT business, the forensic evidence was overwhelming about what the Russians had done. There’s absolutely no doubt in my mind whatsoever.” [Emphasis added]
Clapper added: “… as a private citizen, understanding the magnitude of what the Russians did and the number of citizens in our country they reached and the different mechanisms that, by which they reached them, to me it stretches credulity to think they didn’t have a profound impact on election on the outcome of the election.”
(A transcript of the interesting Q&A can be found here and a commentary on Clapper’s performance at Carnegie, as well as on his longstanding lack of credibility, is here.)
Normally soft-spoken Ron Wyden, Democratic senator from Oregon, lost his patience with Clapper last week when he learned that Clapper is still denying that he lied to the Senate Intelligence Committee about the extent of NSA surveillance of U.S. citizens. In an unusual outburst, Wyden said: “James Clapper needs to stop making excuses for lying to the American people about mass surveillance. To be clear: I sent him the question in advance. I asked him to correct the record afterward. He chose to let the lie stand.”
The materials brought out by Edward Snowden in June 2013 showed Clapper to have lied under oath to the committee on March 12, 2013; he was, nevertheless, allowed to stay on as Director of National Intelligence for three and half more years. Clapper fancies himself an expert on Russia, telling Meet the Presson May 28, 2017 that Russia’s history shows that Russians are “typically, almost genetically driven to co-opt, penetrate, gain favor, whatever.”
Clapper ought to be asked about the “forensics” he said were “overwhelming about what the Russians had done.” And that, too, before Mueller completes his investigation.
For the steering group, Veteran Intelligence Professionals for Sanity:
William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA’s Signals Intelligence Automation Research Center (ret.)
Richard H. Black, Senator of Virginia, 13th District; Colonel US Army (ret.); Former Chief, Criminal Law Division, Office of the Judge Advocate General, the Pentagon (associate VIPS)
Bogdan Dzakovic, former Team Leader of Federal Air Marshals and Red Team, FAA Security (ret.) (associate VIPS)
Philip Giraldi, CIA, Operations Officer (ret.)
Mike Gravel, former Adjutant, top secret control officer, Communications Intelligence Service; special agent of the Counter Intelligence Corps and former United States Senator
James George Jatras, former U.S. diplomat and former foreign policy adviser to Senate leadership (Associate VIPS)
Larry C. Johnson, former CIA and State Department Counter Terrorism officer
John Kiriakou, former CIA Counterterrorism Officer and former senior investigator, Senate Foreign Relations Committee
Karen Kwiatkowski, former Lt. Col., US Air Force (ret.), at Office of Secretary of Defense watching the manufacture of lies on Iraq, 2001-2003
Edward Loomis, Cryptologic Computer Scientist, former Technical Director at NSA (ret.)
David MacMichael, Ph.D., former senior estimates officer, National Intelligence Council (ret.)
Ray McGovern, former US Army infantry/intelligence officer & CIA analyst; CIA Presidential briefer (ret.)
Elizabeth Murray, former Deputy National Intelligence Officer for the Near East, National Intelligence Council & CIA political analyst (ret.)
Todd E. Pierce, MAJ, US Army Judge Advocate (ret.)
Peter Van Buren, US Department of State, Foreign Service Officer (ret.) (associate VIPS)
Sarah G. Wilton, CDR, USNR, (ret.); Defense Intelligence Agency (ret.)
Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA
Ann Wright, retired U.S. Army reserve colonel and former U.S. diplomat who resigned in 2003 in opposition to the Iraq War
Veteran Intelligence Professionals for Sanity (VIPS) is made up of former intelligence officers, diplomats, military officers and congressional staffers. The organization, founded in 2002, was among the first critics of Washington’s justifications for launching a war against Iraq. VIPS advocates a US foreign and national security policy based on genuine national interests rather than contrived threats promoted for largely political reasons. An archive of VIPS memoranda is available at Consortiumnews.com.
Their finding regarding the even-numbered 'seconds' of the file creation times being indicative of the use of a USB stick/drive is spot on:
https://en.wikipedia.org/wiki/Design_of ... IR_OFS_0Eh
(my emph.)Create time (since DOS 7.0 with VFAT). The hour, minute and second are encoded according to the following bitmap:
Bits Description
15-11 Hours (0-23)
10-5 Minutes (0-59)
4-0 Seconds/2 (0-29)
The seconds is recorded only to a 2 second resolution.
USB stick = 'Leak', not 'hack'.
The comments on the above are interesting... one stands out in particular:
Norumbega
March 17, 2019 at 15:28
I’ve touched on this matter in some comments I’ve already left in response to several posts by others, but here I want to outline what Craig Murray has actually claimed in his interview with Scott Horton. If this interview were more widely known, several points of confusion would be cleared up. Here I will summarize the key contents of that interview, and also summarize what we have reason to believe about the identities of the WikiLeaks leakers and Guccifer 2 from this and a few other sources.
See: “December 13, 2016 – Craig Murray: DNC, Podesta emails leaked, not hacked – Episode 4328”: https://www.youtube.com/watch?v=tbOql1gt-8c&t=1455s
I summarize the key points as follows:
1. Murray asserts that the DNC leak and the Podesta leak involved two entirely different sources.
2. Murray flatly asserts that in both cases the leaks were “by Americans” who had access to the information they leaked as part of their jobs.
3. Murray flatly asserts that Guccifer 2.0 was not the source in either case.
4. The person he met in Washington was clearly the Podesta leaker.
5. Murray says this meeting occurred after the Podesta material was already safely with WikiLeaks.
6. Murray insinuates rather plainly that the person was involved (within American intelligence or law enforcement) in monitoring John Podesta’s communications as a registered and paid lobbyist for Saudi Arabia.
7. Murray suggests that the answer to the question “was the leaker someone from intelligence/law enforcement, or was the leaker someone from the Democratic Party/DNC?” that the answer will be different in the two cases – which, given points (1) and (6), implies that the DNC leak was from a Democratic insider.
8. Murray says that Julian Assange’s statement about Seth Rich reflects concern that Rich may have been killed on orders of someone who _thought_ he was the leaker – whether correctly or incorrectly. Thus Murray does not deny that Seth Rich was the DNC leaker but also avoids confirming it. We must still assume _some_ rational basis for so thinking on the part of Rich’s possible killers is being implied by Assange – such as knowledge that Rich had been in touch with WikiLeaks.
9. Turning to other sources of information, it is clear that Murray’s meeting in Washington with the Podesta leaker will have occurred after he left the Sam Adams Award for Integrity in Intelligence banquet early in order to do so. (In other interviews which I haven’t kept track of, Scott Horton says that two other people he’s interviewed (Phil Giraldi and Ray McGovern?) were there at the banquet and witnessed Murray leave early.) This was on September 25, 2016.
10. In video extracted in the course of Bill Binney’s recent interview with Jason Goodman, Murray says that the purpose of the meeting was “administrative” only. He says that “even whistleblowers have administration and bureaucracy.” He says “I never in my life met Seth Rich, and he, of course, had sadly been murdered some months before the occasion on which I was there meeting someone.”
In this latter interview with Binney, Binney reveals “the people I know, they have at least two other avenues of information coming to them that verify what Seth [sic – clearly Sy Hersh, the recording of whom regarding Seth Rich he had just referred to] said about the FBI having the data on Seth Rich’s computer, where he contacted WikiLeaks and transferred some data and wanted money for the rest of the data. I don’t think that’s publicly known yet.” See: https://www.youtube.com/watch?v=mwUoE8UecC0&t=527s
So, summarizing the available information pertaining to the three sources of information (DNC, Podesta and G-2):
We have Julian Assange implying that Seth Rich’s killers would have had reason to suspect a connection between Seth Rich and WikiLeaks.
We have Ambassador Murray claiming to know that both the DNC and Podesta leaks were “by Americans”, implying that the DNC leak was by a Democratic insider, and implying the same thing regarding Seth Rich as Assange does (without actually confirming that such suspicions were fully correct).
We have file-sharing entrepreneur Kim Dotcom claiming that he himself was involved with Seth Rich in the DNC leak, further indicating that he had been in communication with Rich since 2014, and offering to testify in detail to American investigators given assurances against prosecution.
We have Sy Hersh attesting to the existence of FBI knowledge from Seth Rich’s computer implicating Seth Rich in the DNC leak. And now we have Bill Binney saying Hersh’s information has been independently confirmed by people he knows.
We have Ed Butowski claiming that his source who had contacted him after returning from London revealed to him that Seth Rich had been responsible for the WikiLeaks DNC leak along with his brother Aaron, that Seth Rich’s parents at first privately acknowledged this, that Seth had downloaded the emails to a $56 Western Digital hard drive, transferred the trove to WikiLeaks on or about June 23, 2016, and been paid some $48,000 by WikiLeaks.
Murray strongly hints that the person responsible for the Podesta leak was an American intelligence or law enforcement insider. Steve Pieczenik strikes me as someone who’s testimony must be treated with caution. But it must be pointed out that in his (admittedly rather strange in some respects) Youtube video of November 1, 1016, Pieczenik claims that the Podesta leaker was an associate of his in American intelligence or law enforcement. Thus, Murray’s and Pieczenik’s statements are in agreement on this point.
Binney and Johnson’s finding that whereas the WikiLeaks DNC files show FAT formatting, the WikiLeaks Podesta files do not. This is consistent with Murray’s claim that there were two independent sources involved.
Binney has suggested (without claiming to know for sure) that the Guccifer 2 persona was part of a CIA disinformation effort in which Brennan had a hand. The illicit Sy Hersh recording has him also referring to a Brennan disinformation op.
Personally, I think that the Vault 7 revelations about the CIA’s ability to engage in hacks while leaving signs that would cause attribution to others is a red herring. The timing alone suggests hasty responses to Julian Assange’s announcement were involved in the June 14 WP story and the June 15 debut of G-2. There need have been no real hack involved in that case either – as the VIPS’ previous download speed study suggests. The forensics of the first documents released by G-2 – as developed by The Forensicator and Adam Carter – suggest methods of creating the “Russian fingerprints” in the first G-2 were different and less sophisticated.
Comey has testified that “we think they [the Russians] used cutouts of some kind” (or similar wording) to transfer the material to WikiLeaks. This may be as close as he’ll come to admitting that he knows the identities of the real leakers, and also about the Guccifer 2 deception operation used as cover. Note he didn’t say that Guccifer 2 was such a cutout.
(edit: Fix links)
