The truth about Trump's secret server and Russia

But if you’re like me, you probably had already seen that same exact tale told in early October, as it was run through the grist mill that is infosec Twitter. You must be wondering, then, why didn’t anyone cover the story before now?

Monday’s article hit just before the week ramped up. Newsrooms were deciding the week’s coverage and PR firms were barraging us with press releases in attempts to get their clients some media attention. Outlets were primed and ready for the election scandal du jour.

A “benevolent posse”

The piece pointed a finger at Trump and Russia sittin’ in a tree, while fawningly describing the security researchers like some kind of dreamy Hollywood team of elite super-good-guys coming together to solve a crime. It began by describing the heroes of its story, a secret group who acts as a “benevolent posse that chases off the rogues and rogue states.”

According to Slate, this plucky, rag-tag bunch “are entrusted with something close to a complete record of all the servers of the world connecting with one another.” Why the benevolent posse hasn’t told us who gave the Clinton emails to Wikileaks, or used their magical (mythical) god-like all-seeing eye superpower to end anonymous online harassment was not explained.

Slate’s piece felt like wishful thinking on a lot of levels, but plenty of major outlets took the provocative question mark and ran with it. By Tuesday night, CNN’s front page slapped Trump and Putin together like a far-right Grindr match.

According to Slate, the researchers found “a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.” Essentially, a bank in Moscow was irregularly pinging a Trump server with small bits of traffic.

The article even brought in a well-respected, bonafide expert, Dr. Paul Vixie, a pioneer of the internet’s domain name system (DNS). “The parties were communicating in a secretive fashion,” Vixie told Slate. “The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.”

There was no doubt in the minds at Slate that this was it, the coup de grâce tying together all the Trump-Russia connections.

But, there were many doubts to be had.

The article consulted some known names in infosec, few of whom actually saw the logs. The original accusations and research came from anonymous sources, and one primary source called “Tea Leaves.” Only one female member of the “benevolent posse” went on record with a name, Professor L. Jean Camp.

The writer assured us that these computer scientists were legit, yet we got no background or skill sets, or real reasons to trust them. In a world where practically anyone with an internet connection can call themselves a security expert, it raises more red flags than an article relying on anonymous sources already would.

In the world of journalism, anonymous sources aren’t something you trifle with, especially if you value your reputation and like not being in jail. Meaning that if you agree to publish the word of your anonymous source, you are saying that you’ve done the research to verify the source is credible, and you are vouching for the information as truth. Making everything worse, the credibility of Slate’s posse of sources was anchored by an endorsement from one of the group’s own members — the aforementioned L. Jean Camp.

It’s this exact cocktail of infosec ignorance and unvetted sources that gives us pastebin posts treated as fact and turned into headlines.

Super-secret marketing emails

The sources were actually sketchy. Security researcher Krypt3ia pointed out that no one had any viable docs to look at. “There was a lot of speculation and theory but what Tea had put on the darknet and had been shopping around was not forensically proven and in fact all of the metadata that may have existed had been stamped out of all documents or never existed in the first place as they were using text files.”

Maybe that’s why the New York Times started investigating this story in early October but dropped the story.

It took the infosec community about ten minutes to debunk the Slate story. This entire Twitter thread explains the technical details if you’re curious. What Slate was seeing was actually a marketing email server sending spam. The low-level pinging between Trump’s old 2009 mail server and a bank in Russia was just a response to marketing spam that had been set up and forgotten about. The so-called “Fifth Avenue server” referred to the WHOIS business address on a registration record, and the whole thing was outsourced to a marketing company.

Researcher Rob Graham wrote, “the domain was set up and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump’s hotels.” He added, “Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in Philadelphia.”

After the blistering debunkings by infosec denizens, there was a second article by the same author arguing against the very thorough debunkings done by the researchers. There is so much effort throughout the follow-up article to confuse the reader into thinking there’s something conspiratorial and unanswerable going on, that one of the debunkers wrote a second debunking of the whole damn thing.

With a little experience in hacking and cybersecurity reporting, it’s easier to see these stories coming from a mile off. What’s troubling here, and especially now, is that Clinton’s camp didn’t. Clinton senior policy adviser Jake Sullivan took Slate’s bottom line and ran with it Monday night, saying it was “the most direct link yet between Donald Trump and Moscow.”

The Slate writer, a sports and politics reporter, brought no experience in hacking or cybersec to the table, and as with the Clinton camp, a little would’ve gone a long way.

That brings us to the next problem, which I’m going to call “infosec telephone.” It starts when researchers say wild things to reporters who don’t know anything about infosec. Next, the story goes forward without proper research. Then the story turns into a truckload of stupid as it gets blasted from the biggest news outlets.

It’s painful and terrible for those of us in the trenches, in 2016 especially, that big box journalism outlets can’t find the thoughtfulness in reporting on issues about hacking and security to get it right, and that the rush to be the next famous hacking journalist has eclipsed any sense of obligation to do due diligence, tell an objective story, and present readers with complex issues.

Or just chill with the fact that, like with this week’s server story, sometimes a cigar is just a damn cigar. Even if it’s being smoked by Putin’s very own dangerous inbred lap dog.

All I’m saying is that the insanity of this election isn’t being helped by people pushing unresearched infosec hysteria into the headlines.

But hey, don’t let that stop you.