While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A U.S. intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.
Earlier on Wednesday, Maria Zakharova, a foreign ministry spokeswoman, wrote on Facebook that Snowden’s right to stay had recently been extended “by a couple of years”. Her post came in response to a suggestion from the former acting CIA director Michael Morell that Vladimir Putin might hand over Snowden to the US, despite there being no extradition treaty between the countries.
It’s plausible, and in my opinion likely, that hackers under orders from the Russian government were responsible for the DNC and Podesta hacks in order to influence the U.S. election in favor of Donald Trump. But the Grizzly Steppe report fails to adequately back up this claim. My research, for example, shows that much of the evidence presented is evidence of nothing at all.
The most ironic aspect of all this is that it is mainstream journalists — the very people who have become obsessed with the crusade against Fake News — who play the key role in enabling and fueling this dissemination of false stories. They do so not only by uncritically spreading them, but also by taking little or no steps to notify the public of their falsity.
Those interested in a sober and rational discussion of the Russia hacking issue should read the following:(1) Three posts by cybersecurity expert Jeffrey Carr: first, on the difficulty of proving attribution for any hacks; second, on the irrational claims on which the “Russia hacked the DNC” case is predicated; and third, on the woefully inadequate, evidence-free report issued by the Department of Homeland Security and FBI this week to justify sanctions against Russia.(2) Yesterday’s Rolling Stone article by Matt Taibbi, who lived and worked for more than a decade in Russia, titled: “Something About This Russia Story Stinks.”(3) An Atlantic article by David A. Graham on the politics and strategies of the sanctions imposed this week on Russia by Obama; I disagree with several of his claims, but the article is a rarity: a calm, sober, rational assessment of this debate.
In an executive order accompanied by a series of official statements, US President Barack Obama has sharply escalated the campaign against Russia, based on unsubstantiated claims of Russian government hacking of the Democratic National Committee (DNC) and the Hillary Clinton campaign in the presidential election.
Researchers have expressed concern over Hold Security’s claim that 1.2bn usernames and passwords were stolen by criminal gang
Security researchers have expressed concern over the claim that more than 4.5bn user credentials including 1.2bn unique usernames and passwords have been amassed by a Russian cybercriminal gang.
Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records, including 1.2bn unique usernames and passwords belonging to 500m email addresses.
Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users. “We’ve had very little concrete information released,” said David Emm, senior researcher with security firm Kaspersky, talking to the Guardian.
“I’m inclined to take it with a pinch of salt for now.”
CyberVor raided over 420,000 websites to collect the stolen user information, Hold Security said, initially offering a commercial “breach notification” service requiring consumers and companies to see if they had been affected – but only if they paid a fee.
The company still offers its commercial security services as part of the report, and later said it would allow consumers to check free of charge whether their usernames or passwords had been stolen.
“Nothing has been released by an established security company – I personally haven’t come across Hold Security before – and we’ve had no information on the companies affected, or whether they’re still vulnerable,” said Emm. “There’s just what seems to me to be a pretty vague claim of the largest security breach to date.
‘Plausible but we need more data’
“There hasn’t been very much data released yet on exactly what these guys found,” explained Dr Brad Karp, a reader in computer systems and networks at the computer science department at University College London who researches internet and systems security.
Hold Security allowed an unnamed independent security expert to verify the database of stolen user details at the request of the New York Times.
“It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data,” said Karp. “We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.”
Candid Wueest, principal threat researcher with security firm Symantec agreed.
“Without having actual fact, it’s hard to say whether it happened like they explained or not,” said Wueest. “It is possible, but at the moment it’s speculation by one source and we haven’t seen any secondary proof, so at the moment we have to unfortunately wait and see how it evolves.”
I questioned the Russian president live on TV to get his answer on the record, not to whitewash him
On Thursday, I questioned Russia’s involvement in mass surveillance on live television. I asked Russia’s president, Vladimir Putin, a question that cannot credibly be answered in the negative by any leader who runs a modern, intrusive surveillance program: “Does [your country] intercept, analyse or store millions of individuals’ communications?”
I went on to challenge whether, even if such a mass surveillance program were effective and technically legal, it could ever be morally justified.
The question was intended to mirror the now infamous exchange in US Senate intelligence committee hearings between senator Ron Wyden and the director of national intelligence, James Clapper, about whether the NSA collected records on millions of Americans, and to invite either an important concession or a clear evasion. (See a side-by-side comparison of Wyden’s question and mine here.)
Clapper’s lie – to the Senate and to the public – was a major motivating force behind my decision to go public, and a historic example of the importance of official accountability.
In his response, Putin denied the first part of the question and dodged on the latter. There are serious inconsistencies in his denial – and we’ll get to them soon – but it was not the president’s suspiciously narrow answer that was criticised by many pundits. It was that I had chosen to ask a question at all.
I was surprised that people who witnessed me risk my life to expose the surveillance practices of my own country could not believe that I might also criticise the surveillance policies of Russia, a country to which I have sworn no allegiance, without ulterior motive. I regret that my question could be misinterpreted, and that it enabled many to ignore the substance of the question – and Putin’s evasive response – in order to speculate, wildly and incorrectly, about my motives for asking it.
Edward Snowden calls in to ask a question of the Russian president, Vladimir Putin, during a televised phone-in. Putin denies Russia is involved in ‘mass, indiscriminate’ surveillance but says they use modern means to fight terrorism. Whistleblower Edward Snowden was granted asylum in Russia in 2013