Happy New Year!

Happy New Year everybody!

With it being New Year's Eve, I didn't intend to write any posts. I've started my annual funeral pyre for the year now past, and I plan on sitting outside and enjoying it for the evening. That'll be followed by celebrations and gatherings tomorrow. I hope you guys have plans you'll enjoy as much.

The point is, I'm a bit rushed. I just want to make a quick post because of a recent exchange on Twitter. Steve McIntyre, who runs the Climate Audit blog, posted a tweet:

You've probably heard claims in the news about how Russia was behind some recent hacks. I'm not going to go into it right now as I don't have a lot of time to spare, but the exchange I had with Steve made me feel it'd be important to highlight something right away. I'll try to have a more detailed post in a couple days, but for now, I want to make something clear. As I explained on Twitter:

Long story short, a government report was released detailing aspects of how Russian-connected individuals and groups (supposedly) performed a number of cyberattacks. People have misinterpreted that as a report providing evidence of Russian involvement. That is incorrect.

This report made no attempt to provide evidence of Russian involvement. That was not the purpose of the report. The purpose of the report was merely to describe what cyberattacks happened and how people could defend against them. People, especially in the mainstream media, have falsely claimed the report provides evidence of Russian involvement. Other people have disagreed, saying the "evidence" the report provides doesn't prove anything.

What nobody seems to be saying is, "The report is not intended to provide evidence of Russian involvement." We have thousands of people working on news articles and blog posts without any seeming to take note of that simple fact. Tens, if not hundreds, of thousands of people are discussing this topic without many people noting that simple fact. It is bizarre.

It is also the sort of thing which can happen with crowds. Once enough people participating in a discussion accept a certain framework (in this case, that the report seeks to provide evidence of Russian involvement), others will naturally tend to accept that framework too. For the average person or an interested onlooker, there's little reason to question the framing used by the crowd.

I don't fault people in general for this. It's a strange phenomenon, but it is an understandable one. I wouldn't expect people like Steve McIntyre to necessarily spend the time or energy doing the work to properly understand what this report says. However, there are two groups I do think deserve criticism:

1) Journalists, bloggers or anyone else "reporting" on this report.
2) People as a whole.

For the first group, if you plan on reporting on a topic, you ought to understand the basics of it. Anyone who fails to do so deserves criticism. I am especially critical of people in the government who have exaggerated the purpose and findings of this report.

For the second group, this goes back to the old adage: "People are stupid." Or as Tommy Lee Jones explains:

So remember: the fact that a narrative is popular doesn't mean it makes any sense, much less that it is correct. The "wisdom of the crowd" can often be quite dumb. That's why you should question everything.

And have fun. Definitely do that too.


  1. Oh, one last quick remark. If you go to the link I provided for this report, you'll see this text:

    On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

    Take note of how it says a report was released "attributing those compromises to Russian" involvement. The report does in fact attribute the cyberattacks to Russian-affiliated individuals and groups. That's not the point of the report though. Watch the pea carefully. That paragraph says the report attributes the attacks while the next paragraph says:

    The JAR package offers technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS).

    This paragraph moves the discussion away from attribution of who performed the attacks to details of how the attacks were carried out. Many people have likely been misled by this change of subject. That may have been the point. A person has to read carefully to recognize this report is not stated to provide evidence of Russian involvement.

    This is like me saying, "There is evidence Bob robbed my house. Here are details about how he broke a window, disarmed my security system and blah, blah, blah." A person might understandably think the second sentence is meant to follow from the first. You can't be that naive when dealing with government officials though. Follow the pea closely.

  2. Attribution (just like the A in AGW), or providing proof of someone's involvement, is tricky with cyber attacks. That does not mean that we do not have an understanding of what happened. Like the president of Estonia saying after the massive DDoS attacks in 2007, "I'm pretty sure it was not Uruguay". From the IP addresses we know that there were computers from the Kremlin involved, but it does not "prove" anything. But the trick is, in this case it does not have to.

  3. Sven, that is definitely true. There is almost no information created by an attack which cannot be faked. In some extreme cases, it can even be possible to fake IP addresses. I don't mean that as in using a proxy server to hide your IP address. I mean, it is possible to completely manufacture your IP trace. It's incredibly unlikely because of what servers you'd have to successfully penetrate to set it up (and consequently, the risk of exposing such a valuable resource in your arsenal any time you use it), but it is a frightening possibility.

    It's also possible for it to happen in a more mundane fashion. It's quite possible to launch attacks from other people's networks. You could obviously do it by breaking into their network, but you could also just ask them to use it. I don't know of any cases where major groups have done it, but I do know of botnet farmers who would sell people access to slave machines. It's not the sort of thing I'd expect important hacking groups to bother with, but if you want to hide your trail while doing something, it's a reasonable option.

  4. Szilard, thanks for that. I had completely forgotten I was working on that after my hard drive died, even though I had several write-ups started. One of the things I wanted to discuss is how little work the journalists seemed to have done regarding their data set. While they claimed to do all sorts of checking on their data set, from what I could tell, the one they used matched the one they took from their source 100%, including both the same errors and gaps. (In fairness, the particular group which got me interested in the topic seems to put way less work into it than a number of other groups I discovered later.)

    The government effort you link to seems much better at first glance. I'll have to look into it some after working on the current series of posts.
