Only Thing 'Exposed' By Bad Reporting About Russia/Trump Link Is Malware Researchers' Unethical Behavior
from the so-dumb dept
A lot of Foer's work stems from an anonymous blog post from a few weeks earlier that tries to make a big deal out of some extraordinarily weak connections. The confirmation bias is strong with the folks involved here. The biggest clue? This ridiculous chart that tries to show increased activity between the Trump server and the Russian bank server at key moments, but doesn't actually show that. There seem to be random ups and downs at the conventions, and then a huge spike in the middle of August which corresponds with... nothing. But the researchers and Foer just ignore it. In fact, Foer actually claims that "there were considerably more DNS lookups, for instance, during the two conventions." Except there weren't really. at least six other news outlets had been looking into the same story, and none of them felt comfortable pushing a story, because the details just didn't stack up. The first person I saw to debunk it was Naadir Jeewa, who pointed out that the server was maintainted by Cendyn, a marketing company that handles email spam marketing for tons of hotel chains, including Trump. The "connection" from Alfa-Bank, he suggested, was just a typical email scanner attempting to reverse the connection as a sort of anti-spam tool (basically checking if the email server is real). As Jeewa concludes:
Feel sorry for the person at Alfa who stayed in a Trump hotel, forgot to unsubscribe to cheesy emails and might be in a load of trouble— Naadir Jeewa (@randomvariable) November 1, 2016
This is why we can't have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google's 22.214.171.124, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.But Graham also points out that all this fretting about Trump & Russia misses the real story here. The only reason this is a story at all is because some nameless security researchers started abusing the data they were given access to for malware research. Much of what Foer relies on came from an anonymous researcher going by the name "Tea Leaves". But Graham points out that the real story here is how companies are sharing all sorts of information with security researchers under the belief that it will only be used for malware research... and not for spying on what server is connecting to what server:
Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September are false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.
Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google's 126.96.36.199 public DNS. It's a huge privacy violation -- justified on the principle that it's for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google's service. Sometimes people don't realize how their ISP shares information, or how many of the root DNS servers are monitored.This is another reason why we've pointed out that all the focus on "information sharing" in various cybersecurity bills from Congress was a red herring. Information sharing can lead to all sorts of questionable activity. It's done in these instances for the purpose of spotting malware, but it appears some researchers went looking for weird Trump conspiracy theories and were so invested in those theories that they didn't even realize how ridiculous it was when looked at in the light of day -- and also forgot that they're not supposed to reveal they have access to this info.
People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers....
Yes, of course, we're at the very peak of the political silly season and lots of people are looking for big breaking stories. But it would be nice if we could keep them in the realm of reality.