Totally Plausible

Hey guys. I've been spending way too much time over at Climate Audit this last week or so because they've been discussing the (supposed) Russian hacks of various computer networks within the United States. System security is a topic I've long been interested in so naturally I was curious what people were saying there. I regret have even looked now.

The quality of the discussion for the last few posts at Climate Audit is surprisingly low. It's nothing compared to what used to be found on the site, which is a shame as I alwlays held the site in high regard. Don't worry though. I'm not going to start some inter-blog argument today. Today, I just want to show you one of the most hilarious arguments I have ever seen anyone make, an argumend endorsed by Steve McIntyre, proprietor of Climate Audit.

Before I go on, I want to point out I did try to discuss this issue at Climate Audit. However, what I said on this seems to have been ignored like a number of other clarifications/corrections I have posted. Additionally, I've had two comments get stuck in moderation. One has been in moderation for three days, and the other disappeared at sitting in moderation for a while. I mention this because I really did make a genuine effort at having a reasoned discussion of details and fact.` I'd rather have someone correct an error then have to write a post like this. But alas.

The hilarious argument I want to discuss came about because I criticized the general failure to get basic facts right over at Climate Audit, saying, "I think it would be helpful for people to agree to set of basic facts/terminology." I meant that. If people can't agree on the basics, I don't see how they will agree on the more complex issues. As an example, I quoted Steve McIntyre:

Tools can be used by more than one institution or re-purposed. A key malware example in the DHS report attributed to APT28 (or APT29, I forget) turned out to be publicly available Ukrainian malware.

And noted the "evidence" people relied on to claim the malware in question was Ukrainian ultimately amounted to nothing more than an anonymous hacker claiming to be Ukraining (though I then noted other evidence which hasn't received much attention supports the idea). I thought it was remarkable people at that site showed a great deal of skepticism for official government reports/statements yet seemed to show no skepticism of what some anonymous hacker said.

This example was a minor point made out of convenience, and the factual errors I spoke out against were numerous and of greater importance. However, while most of the errors/inaccuracies I pointed out got ignored, this one got a response:

Petri Krohn plausibly connected the PAS malware to identifiable Ukrainian.

This response blew me away as I hadn't realized anyone took Petri Krohn's argument seriously. I mean, I didn't think many people had read his argument as he's not any sort of expert people would have heard of. Of those who might have stumbled across it, I would have assumed they'd all consider it a joke. The supposedly plausible connection in question is one of the most bizarre things I've ever seen. To understand why, here is the title of the article Krohn wrote:

Did a Ukrainian University Student Create Grizzly Steppe?

This should immediately send up red flags to anyone reading his piece. It's not just a bad headline either. Krohn's first paragraph begins:

1) U.S. Department of Homeland Security claims that the DNC was hacked by Russian intelligence services using a Russian malware tool they have named Grizzly Steppe or "PAS tool PHP web kit".

Pretty much no part of this sentetnce is true. The DHS did not claim the Democratic National Commitee (DNC) was hacked with the PAS web shell in question. What the DHS said is the DNC had been hacked by Russians, and Russians have used the PAS web shell in cyberattacks directed at influencing the United States electoral system/process. That means the malware in question could have been used in attacks against some systems while different malware was used against the DNC.

This is burying the lede though. Petri Krohn calls this software "Grizzly Steppe," talking about the hacker who supposedly created it and how "Grizzly Steppe" was used as a tool to hack into systems. That makes no sense at all. Grizzly Steppe is not software. Grizzly Steppe is, to quote the DHS:

On October 7, 2016, the Department Of Homeland Security (DHS) and the Office of the Director of National Intelligence (DNI) issued a joint statement on election security compromises. DHS has released a Joint Analysis Report (JAR) attributing those compromises to Russian malicious cyber activity, designated as GRIZZLY STEPPE.

Grizzly Steppe is the name the DHS gave to a cybercampaign it claims Russia carried out. The PAS web shell was just one of many tools the DHS says Russia used. I can't begin to imagine how Krohn managed to conflate these two things. That'd be like calling a patriot missile "Operation Enduring Freedom" because it was launched during the war on terror which went by that name.

But things get worse. The next paragraph repeats the claim with a false reference:

2) Security company Wordefence says Grizzly Steppe is actually P.A.S. web shell, a common malware tool on WordPress sites. They have identified its origin to an Ukrainian download site Profexer.name
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/

"Wordefence" never claimed Grizzly Steppe was the name of hte malware so I have no idea why Krohn says they did. There is nothing in the reference he provides which could cause that sort of confusion.

As weird as these errors are though, they are just about what things are named. What's truly astonishing is what follows. Krohn builds a chain of connections between the site the software was available from. I'm going to skip a couple of them because only the last step matters. Step 41 makes a connection:

The contacts given on the pro-os.ru site link to the VK account of Roman Alexeev and the email address roman@pro-os.ru.

Step 5 says:

5) "Roman Alexeev" advertises his skills and services as a web developer, linking to his VK account but also giving a skype account (ya.aalexeev) and an email address (mcmugok@yandex.ru).

The idea being the person who goes by "Roman Alexeev" is the hacker who wrote this software. Krohn suggests that isn't his real name though, that the hacker has created a profile with fake information. He explains:

6) One of the sites where "Roman Alexeev" links to his VK account is Freelancehunt.com. His profile contains a photograph and the nick aazzz. He claims he is from Zaporizhia and 25 years old.

This is the photograph Krohn identifies the hacker as using:

He then notes:

7) The profile photo on Freelancehunt actually belongs to Jaroslav Volodimirovich Panchenko (ПАНЧЕНКО Ярослав Володимирович), an information technology student and member of the student self-government structure of the Poltava National Technical University.

Showing an uncropped version of the photograph (he says was) used by the hacker. This ostensibly shows the hacker took this image of a university student, cropped it and used it in a profile he created with a fake name... therefore the hacker is that university student.

I'm not kidding. That is Krohn's argument. Krohn has "plausibly connected" the hacker to a college student by virtue of the fact the hacker used the student's image on a profile page he created under a fake name. That's it. That's where the piece ends. There's not a single word mentioned of the possibility the guy making a fake profile page might have used an image of someone other than himself.

I don't have words for how absurd that is. What I do have is an image of Cindy Crawford I think would make for a great profile picture.

6 comments

  1. As an interesting aside, Petri Krohn is one of the two co-founders of Citizen's Investigation into War Crimes in Libya, an innocuously named group which likes to tout various conspiracy theories which are aimed at discrediting the United States and other countries who oppose certain Middle Eastern regimes.

    I mean that quite literally. I'm not referring to conspiracy theories as a cheap way of discrediting a group which says things inconvenient to a particular narrative as is often done with global warming skeptics. I'm referring to conspiracy theories because the group quite literally says there are conspiracies. For instance, in a piece published yesterday on a blog they label their "workspace":

    That would obviously be a conspiracy to fake the tests; they knew the truth was not going to get the results they wanted.

    This was part of a piece which said claims the Syrian government used sarin gas against its people were false as tests were faked. In regard to a massacre in which ~150 people died, the group says:

    The ridiculously inconsistent eyewitness accounts suggest a conspiracy of false testimony - a sloppy one,

    so forth and so on. It's interesting to see how often the group claims there are conspiracies behind things given Steve McIntyre, one of the loudest critics of the idea global warming dissidents are conspiracy theorists, promotes the "analysis" of one of their founders. It's worth asking, does McIntyre think people engaged in a conspiracy to fake results of tests to say the Assad regime used sarin gas against its people?

  2. I share your frustration. It's really disappointing to see all of this on a so far highly respectable site. It's almost as if the site has become an affiliate of Russia Today. Steve calls experts into question because they are "anti-Russian" (at the same time taking views of non-experts at face value just because it suites the narrative), he calls the Russian involvement and invasion in Ukraine a Ukrainian coup, his views on Stepan Bandera seem to be copied from a soviet school book, what-ever means are good to prove that there's no Russian hand involved (ever?). It's really disappointing and really not worth while getting involved. For me personally it's a bit like Roy Spencer's creationism moment. Really sad and even shocking

  3. Aye. This isn't anything new to me since I stopped following Steve McIntyre on Twitter over this sort of thing, but it's been a disappointing turn. The worst part is he doesn't even attempt to deal with disagreements/criticisms. I don't mind if a person holds views I'd consider ridiculous as long as they're willing to attempt to have an intelligent discussion of them. He's made numerous errors, and each time I've pointed one out, he's all but ignored the issue. That is, unless he feels he has a retort. Whenever he sees a criticism he thinks he has an answer for, he's quick to respond. If his answer is shown to be nonsense, he promptly says nothing.

    The worst part was when CA regular MrPete wrote a comment showing a leaked chart, saying things like:

    EVERY news report I’ve seen has misinterpreted it.

    What you will discover: there are zero confirmed facts that connect to Russia. Only Analyst assessment and assumed context.

    This was on a post about the DNC hacks. Everyone on the page had been talking about the DNC hacks. Naturally, anyone seeing this chart and comments would assume it was about the DNC hacks. It wasn't. It was about an entirely different set of cyberattacks which have also been attributed to Russia. MrPete never said a word to suggest he was talking about a different issue, he didn't say the chart was for a different issue, and he didn't even provide any sort of link or reference which might have allowed readers to realize it was about a different issue. I responded to point out the undisclosed change of subject, noting how that chart had nothing to do with the DNC hack. McIntyre responded:

    Brandon, you’re wrong and Pete is right.

    I wrote a rather testy response to this as McIntyre had been both rude and wrong, but I instead posted:

    I have a testy comment I wrote, but rather than post it, I’ll try being more diplomatic. Steve McIntyre, would you please point to the portion of this report, from which that chart was taken, which discusses or otherwise deals with the intrusion to the DNC network?

    https://www.documentcloud.org/documents/3766950-NSA-Report-on-Russia-Spearphishing.html#document/p1

    Because I have to say, I can’t imagine how a report about attacks which happened in “August to November 2016” is about the DNC intrusion which was resolved months before.

    I asked McIntyre point-blank how I was wrong. This was his response:

    Brandon, always a good idea to resist the temptation to be testy. Internet doent help. Back in the day when I was young and had to deal with business disputes from time to time – and one still corresponded by written letters or faxes – I learned that, whenever I had a particularly clever repartee, it was always a good idea to sleep on it overnight and remove it in the morning, especially when I was right. Never did any good to annoy a customer or supplier.

    Which completely ignored my question. When discussing issues of accuracy and fact, McIntyre decided to respond to a comment to talk about how it's bad to be testy while ignoring the substance of that comment - a challenge on his claim that a person was wrong. It boggles my mind.

  4. Brandon, I have high regard for your intelligence and voluminous knowledge base. However, you need to admit you are still human. So is Tony Watts, Steve Mosher, Steve Mc and everyone else. Cut them a little slack. Even the most intelligent among us are biased from our life experiences and allegiances to ideas and sources. No idea is pristine and immune from attack. The trick is to keep the conversation progressing.

  5. Ron Graf, I have no problem admitting I am human, but my criticisms of the people you mention have all been well justified. In fact, I have been far tamer in my criticisms of them than is warranted. The criticisms also only came after those individuals behaved in ways which made it impossible for conversations to progress.

    Before telling me I should cut those people some slack, why don't you try speaking out against the many falsehoods they've made which I've pointed out? Alternatively, why don't you ever say the same sort of thing about Michael Mann, John Cook or Stephan Lewandowsky? Other than liking what the people you named have to say, what's the difference?

    If you don't want to answer that, how about this? Can you name one criticism of mine directed at any of the people you named which was out of line in any way? I doubt it.

Leave a Reply

Your email address will not be published. Required fields are marked *