Sunday, May 12, 2019

Roger Stone Questions DOJ on Predicate of Russia DNC Hack

That's the exact title of CTH's post: Roger Stone Questions DOJ on Predicate of Russia DNC Hack. This is, IMO, an important development. There are many--including acknowledged experts in the field such as William Binney--who have challenged the entire "Russian hacking" narrative. That narrative--bolstered by the tendentious and misleading (at best) IC "assessment" and by repeated hacking hoaxes falsely attributed to Russia--is finally being challenged in court. Here's the Wikipedia summary of Binney's position:

Binney claims the U.S. intelligence community's assessment that Russia interfered in the 2016 presidential election is false, and that the Democratic National Committee e-mails were leaked by an insider instead.[23][24][25] He has appeared on Fox News at least ten times between September 2016 and November 2017 to promote this theory.[18][23][24] Binney said that the "intelligence community wasn't being honest here".[23] He has also been frequently cited on Breitbart News.[18] In November 2017 it was reported that a month earlier, Binney had met with CIA Director Mike Pompeo at the behest of President Trump.[23]

Stone's motion to suppress contains two attachments that provide technical support for his position. The first is a Declaration by Binney that provides his background and expertise and his opinions and conclusions regarding the purported hack of the DNC server. The second attachment is the statement of another acknowledged expert who presents his analysis and conclusions, which agree with those of Binney.

Sundance makes important points about this:

In essence Roger Stone is challenging the U.S. government to prove the DNC was hacked by Russians; and further he is refuting the validity of the FBI using a private organization, Crowdstrike, as a valid investigative and determinative body. 
The suppression motion argues it was the responsibility of the FBI to secure and investigate the hacking evidence and not rely upon the word of a private party hired by the DNC (an opposing political entity). If the government cannot prove the Russians hacked the DNC, and subsequently attempted to work with Wikileaks for the distribution therein, then the basis for government claims about Stone seeking to engage with Wikileaks diminishes.

If the DOJ and FBI are independently certain Russians hacked the DNC servers, there should be no issue in providing the evidence toward that claim. It will be interesting to see how the DOJ responds; and how the judge rules on the responsibilities of the FBI.

I'm not going to claim expertise regarding the presentation of evidence at a trial, but it does appear to me that when the government has the greatest expertise in the subject matter that the evidence in question pertains to, the government should not be allowed to present as evidence the claims of a private firm (Crowdstrike) that was paid by an interested party (the DNC and Clinton campaign). In my view, the government should be required to demonstrate that their far greater expertise has been used to examine and confirm the evidence in question.

The reasoning in Stone's motion to suppress evidence deriving from government searches is roughly as follows.

While Stone is being charged with obstruction, in fact the government was investigating Stone on various legal theories and relied on its assumptions regarding the DNC server "hack" in obtaining its search warrants:

The search warrant applications however, allege that the FBI was investigating various crimes at different times, such as Stone for accessory after the fact, misprision of a felony, conspiracy, false statements, unauthorized access of a protected computer, obstruction of justice, witness tampering, wire fraud, attempt and conspiracy to commit wire fraud, and foreign contributions ban. The uncharged conduct particularly relied upon the assumptions the Russian state is responsible for hacking the DNC, DCCC, and even (although not as clear) Hillary Clinton campaign manager, John Podesta.

However, the government is arguing that it need not prove the Russian hacking--which their search warrants assumed to be fact based on an examination by a private party:

The Government stated in its Opposition to Stone's Motion to Dismiss (Dkt # 99) that it will not be required to prove that the Russians hacked either the Democratic National Committee (“DNC”) or Democratic Congressional Campaign Committee (“DCCC”) from outside their physical premises or that the Russians were responsible for delivering the data to WikiLeaks. These assumptions formed the inadequate basis for the search warrants conducted in this case and the Indictment of Defendant.

Stone then argues that the government has failed to preserve the evidence that it relied upon and that Crowdstrike failed to follow standard procedures for preserving the evidence in its original form. Therefore, Stone concludes, all material seized in the searches must be suppressed as fruit of the poisonous tree:

There is a certain forensic methodology that the FBI, Secret Service, or any other law enforcement agency conducting a computer forensic analysis follows. The first, and arguably most crucial step in the evidence gathering process, is to preserve the evidence. The imaging of the forensic data in its native format is key to preserving forensic evidence so as to allow agents to present authentic evidence in Court. Federal Rule of Evidence 902(14) permits authentication through a “process of digital identification by a qualified person” as long as it complies with Rule 902(11). That Rule requires compliance with the business records exception of hearsay: “the record was made at or near the time by – or from information transmitted by someone with knowledge.” Fed.R.Evid. 803(6)(a). Neither the Mueller report (from what we can tell), nor the CrowdStrike Reports (also heavily redacted) provide sufficient indicia of authenticity.
... It is clear, however, that the government has relied on the assumptions made by a source outside of the U.S. intelligence community that the Russian State was involved in the hacking and that the data taken from the various servers were given to WikiLeaks. The government cannot prove either since it did not participate in the investigation at the earliest stage. The government does not have the evidence, and it knew it did not have the evidence, when it applied for these search warrants. Now the government confesses: “The Office cannot rule out that stolen documents were transferred to WikiLeaks through intermediaries who visited during the summer of 2016.” (Mueller Report at 47). ... 

... The first step in any computer fraud case is to encase and image the "attacked" computer. (Exhibit, DOJ Digital Forensic Analysis Methodology). CrowdStrike failed to encase the subject computers. This failure was fatal to any effort undertaken to ensure that investigation about whether the Russian government hacked the DNC, DCCC, or Podesta's computers was competent, thorough, and done by the book.
The raison d'etre of the Special Counsel's investigation was to pursue the claims that the Russians hacked and delivered the stolen data to WikiLeaks. (See Order appointing Special Counsel, Dkt. # 69-4). The foundation of all the search warrants was similar. If that foundation collapses, then the warrants must fail for lack of probable cause.
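The "process of digital identification" the motion refers to is, in practice, a hash recorded at imaging time by the examiner and re-checked whenever the image is produced later. The following is an added illustration, not code from the motion, from CrowdStrike or from any agency's toolkit; it uses a constructed byte string as a stand-in for a disk image, SHA-256 as the identification function, and an assumed 64-byte chunk size so that a later mismatch can be localised rather than merely detected.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a raw disk image; not evidence from any real case.
ORIGINAL_IMAGE = (b"BOOT" + b"\x00" * 60
                  + b"2016-04-29 10:15:02 login user=alice\n" * 4
                  + b"\xff" * 64)
CHUNK = 64  # assumed chunk size for the block-level hash list

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(data: bytes, size: int = CHUNK) -> list:
    """Hash each fixed-size chunk so a later mismatch can be localised."""
    return [sha256_hex(data[i:i + size]) for i in range(0, len(data), size)]

def acquisition_record(data: bytes, examiner: str, source: str) -> dict:
    """The record a qualified person produces at imaging time (Rule 902(14))."""
    return {
        "source": source,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size": len(data),
        "sha256": sha256_hex(data),
        "chunk_sha256": chunk_hashes(data),
    }

def verify_image(data: bytes, record: dict) -> tuple:
    """Return (ok, index of first mismatching chunk or None)."""
    if len(data) != record["size"]:
        return False, None
    if sha256_hex(data) == record["sha256"]:
        return True, None
    for idx, (got, expected) in enumerate(zip(chunk_hashes(data),
                                              record["chunk_sha256"])):
        if got != expected:
            return False, idx
    return False, None

def demo() -> tuple:
    """Verify the pristine image, then a copy with one altered byte."""
    record = acquisition_record(ORIGINAL_IMAGE, "Examiner A", "constructed image")
    ok_original, _ = verify_image(ORIGINAL_IMAGE, record)
    altered = bytearray(ORIGINAL_IMAGE)
    altered[70] ^= 0x01          # offset 70 lies in chunk 1 (bytes 64..127)
    ok_altered, where = verify_image(bytes(altered), record)
    return ok_original, ok_altered, where

if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Without a record like this made at acquisition, a later copy can only be vouched for by the word of whoever holds it, which is the gap the motion is pointing at.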

And, separately, in a footnote, Stone notes:

Footnote 3: 
CrowdStrike is not a government agency. It did not conduct its investigation at the behest of the government. The DNC and DCCC hired CrowdStrike to investigate the alleged theft of its data from its servers. (Indictment, ¶¶ 1-3). The CrowdStrike draft reports do not support its conclusions with evidence. In short, if this were an elementary school math problem, CrowdStrike not only does not show its work, it does not show the question – only its answer. 

To me, this appears to be a very strong argument, and one that is long overdue.


  1. I am glad that the Stone legal team saw that same damning sentence from the Mueller Report. I highlighted that sentence in my comments made here the day the report was released: at the end of it all, Mueller threw up his hands and stated that they couldn't prove how the DNC material reached Wikileaks, which pretty much has to mean that they can't prove any of the assertions made before that sentence.

    1. Yancey, that was a great catch. I think several of us have discussed the frustration that that whole narrative--created IMO by the Deep State--isn't being challenged. It's high time.

  2. An absolutely critical question I've never seen asked or answered is this: if the DNC and Crowdstrike had been willing to monkey with the server in ways that produced an image not faithful to the server's true state upon Crowdstrike's beginning its analysis, would this have been technologically possible? IOW, if Crowdstrike and the DNC had *wanted* to pull a fast one, could they actually have done so?

    If the answer to this is 'yes,' then all the "Russia did it" claim has to go on is Crowdstrike's word. No way is this sufficient, especially given the existence of what are, at a minimum, highly plausible alternative explanations.

    1. I can't answer that entirely. It's known that some State actors, like the CIA, are able to fake the "fingerprint origin" for a hack.

    2. Of course you can edit an "original" disk and make it contain anything you want.

      You just remove the disk from the original computer, place it in your computer that you use for this purpose, and edit the disk with a disk-editing application. You don't boot up the disk or anything as dumb as that. You edit the disk with a special-purpose disk editor. Nobody could tell you've done this, because your disk editor doesn't modify anything you don't want to modify (like filenames & timestamps).

    3. Brad's question may be somewhat different. I think what he's getting at is covering up "fingerprint origins" for intrusions on a network to fake the origin of the intruder.

  3. It's all electronic, and a mirror is a copy. There are definitely ways to fake everything in a copy.

  4. First, the DNC communications server system was not a single computer with a single hard drive, and the system was backed up to both an offsite hard memory managed by their IT service and a cloud resource; so there were many data clones of various vintages in existence. In addition, their IT defenses against intrusion were meager at best and the culture within both the Clinton Campaign and DCC was not particularly strict about security enforcement. They all just assumed that someone else was taking care of the problem. In addition, all traffic in and out of these systems was cloned and archived by NSA (and other foreign intelligence services) in real-time; so they all have access to the original data streams. Last, and most importantly, despite what Crowdstrike, DOJ/FBI, Mueller, and members of Congress have reported about the Russians, it is a known fact that Seth Rich copied these files and passed them on (just like Chelsea Manning and Reality Winner, and many others). This entire charade is primarily about preventing the public from becoming aware that privacy became extinct nearly two decades ago.

    1. Well said. And of course that means there was no good reason for the FBI and later Mueller not to have examined this situation. And that NSA's less than ringing endorsement of the IC "assessment" is a definite tell.

  5. I wish that William Binney received more attention in the media. He contributes a lot of expertise to an arcane topic.

    Any criminal charges brought with the DNC server as a foundation are building their case on sand.

    Increasingly, the media and Democrats have no credibility. Historians will look back at this as a time when ignorance and lies flourished. We are really living in interesting times.