[GekkePrutser]

I don't know the ins and outs about the DNC stuff. Here in Europe all that news got lost in the turbulence around Trump. But I thought Russian influence in that case was certain, the Wikipedia page also mentions it: https://en.m.wikipedia.org/wiki/Democratic_National_Committe... and also the NYT article you quote is all about Russian involvement in that case.

And evidence in cyber security cases is super hard. There's just too much misdirection and ways to obfuscate traffic. Especially for state sponsored actors. Attribution to threat actor groups is often based on methodology and toolsets (also referred to as tactics and techniques) and not on hard traceable evidence.

However I have no political stake in this as a European (who never even visited the US) and it's just what I read. Perhaps I'm wrong. But I know in terms of capability as an EDR product crowdstrike is very highly regarded. I agree the secrecy around this testimony is very weird.

And like I said I do agree with most of his points. Something is brewing there.

[pomdapi]

> However I have no political stake in this and it's just what I read.

Sorry about my tone earlier. It was uncalled for. I edited my comment.

> Wikipedia page also mentions it:

The "talk" section of the page shows vigorous exchanges, as various editors are constantly fighting to erase or put back that part of the story. As the whole case was central to the fight around Trump being an orange but also Russian menace for 4 years, you can easily divine the editors are probably operatives of both parties.

> NYT article you quote is all about Russian involvement in that case.

Yes, that was the first time they publicly lied about it.

[GekkePrutser]

I understand. I had no idea how heavily this was politicized.

For us the DNC thing was just in the news when it happened and quickly overwhelmed by other news in that period.

Thanks for the links, I don't have time now but I'll read them in the days to come. I want to know more about this case. Especially because we use the product at work.

[pomdapi]

> Especially because we use the product at work.

Used to be in the industry, 10+ years ago. Friends tell me goods things about it too.

And anyways, I'm pro-neither party. Both are corrupt to the core. I just hate it when propaganda and lies at this scale works too well.

[r721]

>Thanks for the links

Aaron Mate is a heavily pro-Kremlin voice, so it's not like those were very good sources, just an opinion of a quite biased journalist.

[pomdapi]

That is not opinion :

- I linked the New York articles interviewing Crowdstrike :

"The D.N.C. immediately hired CrowdStrike, [...] It made its first appearance in 2014, said Dmitri Alperovitch, CrowdStrike’s co-founder and chief technology officer.[...] Whenever someone clicked on a phishing message, the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes. Once they got into the D.N.C., they found the data valuable and decided to continue the operation,” said Mr. Alperovitch, [...]"

There are similar claims elsewhere. You can also find their management in TV interviews or being in TV expert panels.

- The Mate link is only interesting here because of the handy scans of the House Comitee minutes where they answered a direct question by "We did not have concrete evidence that data was exfiltrated from the DNC". You can also go to the original source, if you want.

There are several scanned pages inlined in the middle of that article.

[ryanlol]

But you’re just playing games with meanings of words.

> "We did not have concrete evidence that data was exfiltrated from the DNC"

They did not have pcaps of exfil traffic but did recover the compressed files that had been prepared for exfiltration. Without pcaps there can be no “concrete evidence” that those files were exfiltrated, but we do know that the intruders did prepare data for exfiltration and had nothing stopping them from doing so.

This is basically as good as it ever gets. How about you name examples of some better investigations?

[pomdapi]

> They did not have pcaps of exfil traffic

You are playing into Crowdstrike's own Motte and Baily argument in restricting the words "proof" and "evidence" by substitting their meaning to what amounts to a recording of the attack. That is an impossibly high threshold, but it can more easily defended if you do. They kind of had to considering their actual technical arguments were weak.

"We did not have a sensor in place", as said by Shawn Henry. Yes, Crowdstrike didn't have them, and said they relied on "circumstential evidence", but it seems the DNC did have "sensors" in place, and Crowdstrike had access to them:

From the Mueller report, p. 40 [1], "On April 25, 2016, the GRU collected and compressed PDF and Microsoft documents from folders on the DCCC’s shared file server that pertained to the 2016 election. The GRU appears to have compressed and exfiltrated over 70 gigabytes of data from this file server (See SM-2589105-GJ, serial 649. As part of its investigation, the FBI later received images of DNC servers and copies of relevant traffic logs)" - btw all of this info originally comes from Crowdstrike.

While not pcaps per se, most varieties of such logs would show a different profile for downloading 70Gb "thousands of emails", zip/compressed files, etc, than much shorter instrumentation data for their Malware.

You can't have caught one but not having had the other, X-Tunnel + VPN or not. I mean, there are ways for that to be, but you'd have to have been inept on purpose. I have some trouble believing the DNC IT would considering the general environment back then.

So it followed concerning these point that S. Henry, when pressed for what the circumstantial evidence was for 70Gb to have been exfiltrated, S. Henry said "And there might not be evidence of it being exfiltrated, but they would have knowledge of what was in the email. … There would be ways to copy it. You could take screenshots.".

I mean, c'mon man... "screenshots" ??? You basically got VNC but you "sceenshot" ??? Either Mr. Henry is a fool or takes his House Commitee for one - which the latter may very well be.

IMHO, either of us would have to look at the source code for X-Agent (available) or the Sea Daddy implant (no idea) to see if

1. not having logs of large transfers makes sense in this context, at least in its known variant and

2. are the Crowdstrike declarations coherent in that regard.

Until we do, we're kind of stuck to see whose stretching the argument between you and me.

---

On a related note, but not directly involving Crowdstrike, the Dutch cyberdefense org and the NSA seemingly did have such real-time evidence from 2015-2018.

As far as is publicly known, those particular intercepts weren't shared with the Mueller team, nor the House Commitee inquiry.

It would be interesting to know why if it was not on natsec "ways and means" grounds. If it wasn't, the FBI wouldn't have had to rely on Crowdstrike.

> games with meanings of words.

I don't believe I am.

The context I'm using in both my references above is what is understandable by the layman, not mixing technical "in-knowledge" and what said layman reading the NYT can understand :

- D.A. said to the NYT "the Russians would enter the network, “exfiltrate” documents of interest and stockpile them for intelligence purposes. Once they got into the D.N.C., they found the data valuable and decided to continue the operation". I understand "the operation" is refering to "phishing, exfiltrating, stockpiling".

- Later D.A. says to the commission "We did not have concrete evidence that data was exfiltrated from the DNC". That implies no traffic logs, at all.

But then, we're back, again, to the technical problem outlined earlier.

IMHO, a correct and honest wording to the NYT would have been "We have strong indications Russian hackers may have entered DNC servers, but nothing in logs we do have indicates they did anything with it.

[1] https://www.justice.gov/archives/sco/file/1373816/download

[2] https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-... and https://nos.nl/nieuwsuur/artikel/2213767-dutch-intelligence-...