Mystery Solved

I’m surprised I don’t read Wonkette more often.

Rachel Maddow did a BIG SCOOP on Thursday night, and we think it’s a pretty big fuckin’ deal. To cut to the chase, somebody (she doesn’t know who YET) used her “Send It To Rachel” tool to send her something that looks like a highly classified document about collusion between Donald Trump and Russia, but is actually a FORGERY. WHOA IF TRUE, right?

It is pretty “whoa.” In fact, I was about to sit down and type something up on it until I saw Wonkette had scooped me.

What’s fascinating about this weird forgery is that it appears to have been copied off the highly classified document NSA contractor Reality Winner sent to Glenn Greenwald’s The Intercept. Remember how The Intercept published a bombshell on Monday, June 5, that Russians had specifically targeted voting machine manufacturers and election officials during their 2016 cyberwar against American democracy, and that they got further than anybody ever knew? […]

Maddow found the EXACT SAME MARKINGS and the EXACT SAME CREASE on the document she got. Forgery detected! (Later in the segment she explained that there were several other screwy things about the document, including that it actually named a high-up American citizen/Trump campaign person. According to the intelligence experts Maddow consulted, this type of document, if real, wouldn’t name an American all willy-nilly like that.)

There was one intriguing mystery left: the file received by Maddow was created on June 5th, 2017, at 12:17:15, yet the Intercept’s article went online at 13:44 [corrected: 15:44]. How could the person who sent the document get access to it before the article was published? I was about to sit down and type about that instead, but…

That’s because time stamps on the documents published by The Intercept designate the creation date included in the PDF we publish on DocumentCloud: In this case, that occurred just over three hours prior to publication of our article. Both versions — the one we published and the one Maddow received — reflect the same time to the second: literally the exact moment when we created and uploaded the document.

In other words, anyone who took the document directly from The Intercept’s site would have a document with exactly the same time stamp as the one Maddow showed. Thus, rather than proving that this document was created before The Intercept’s publication, the time stamp featured by Maddow strongly suggests exactly the opposite: that it was taken from The Intercept’s site.

Ah, thank you Glenn Greenwald. It looks like the Intercept has an automated system to process their documents. Downloading the original for myself, I can tell they use an old-ish copy of ImageMagick to do the grunt work. This probably helps them redact information; the boxes they use to cover information look digitally made, yet are burnt into the source images that make up the PDF. This could have the pleasant side-effect of wiping away the original document’s metadata, if it was digital. On the other hand, I also see the original title was “GRU-final,” which probably didn’t come from the Intercept.

I get something slightly different from Greenwald when I dump the document’s info, though.

File Modification Date/Time : 2017:06:05 13:43:03-06:00
PDF Version : 1.4
Linearized : No
Create Date : 2017:06:05 12:17:15
Modify Date : 2017:06:05 12:17:15
Page Count : 5

In his case, the File Modification Date/Time line reads “2017:07:06 21:33:15-04:00,” the exact time he downloaded his copy. My tool is slightly newer than his, however, which could easily explain the discrepancy.
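To make the time-stamp argument concrete, here is a small added example (my own, not anything from The Intercept or the tools above) that pulls the /CreationDate and /ModDate strings out of a raw PDF, normalises PDF date strings across time zones, and checks whether two copies share the same instants to the second. The PDF blobs are constructed stand-ins; only the 12:17:15 value mirrors the dump.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date strings look like D:YYYYMMDDHHmmSSOHH'mm', where O is +, - or Z.
# Everything after the year is optional, including the UTC offset.
PDF_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"([Zz+\-])?(\d{2})?'?(\d{2})?'?"
)
# Info-dictionary entries of interest, e.g. /CreationDate (D:20170605121715)
INFO_DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\((D:[^)]*)\)")


def records_timezone(pdf_date):
    """True if the PDF date string carries an explicit UTC offset (or Z)."""
    m = PDF_DATE_RE.match(pdf_date.strip())
    return bool(m) and m.group(7) is not None


def parse_pdf_date(pdf_date, assume_offset_minutes=0):
    """Convert a PDF date string to a timezone-aware datetime.

    When no offset is recorded (as in the exiftool dump above) the time is in
    the producer's unknown local zone, so the caller supplies an assumption.
    """
    m = PDF_DATE_RE.match(pdf_date.strip())
    if not m:
        raise ValueError(f"not a PDF date string: {pdf_date!r}")
    year, month, day, hour, minute, second, sign, off_h, off_m = m.groups()
    naive = datetime(int(year), int(month or 1), int(day or 1),
                     int(hour or 0), int(minute or 0), int(second or 0))
    if sign in ("Z", "z"):
        offset = 0
    elif sign in ("+", "-"):
        offset = int(off_h or 0) * 60 + int(off_m or 0)
        if sign == "-":
            offset = -offset
    else:
        offset = assume_offset_minutes
    return naive.replace(tzinfo=timezone(timedelta(minutes=offset)))


def extract_info_dates(pdf_bytes):
    """Pull the /CreationDate and /ModDate strings out of a raw PDF."""
    return {key.decode(): value.decode("latin-1")
            for key, value in INFO_DATE_RE.findall(pdf_bytes)}


def compare_copies(pdf_a, pdf_b, assume_offset_minutes=0):
    """Do two PDFs share creation/modification instants to the second?"""
    dates_a, dates_b = extract_info_dates(pdf_a), extract_info_dates(pdf_b)
    result = {}
    for key in ("CreationDate", "ModDate"):
        if key in dates_a and key in dates_b:
            result[key] = (parse_pdf_date(dates_a[key], assume_offset_minutes)
                           == parse_pdf_date(dates_b[key], assume_offset_minutes))
    # Without a recorded offset, "same to the second" still holds, but any
    # comparison against a wall-clock publication time needs a zone assumption.
    result["timezone_recorded"] = all(
        records_timezone(v) for d in (dates_a, dates_b) for v in d.values())
    return result


def make_pdf(title, created, modified):
    """Constructed minimal PDF skeleton with an Info dictionary (not a real scan)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Title (" + title.encode() +
            b") /CreationDate (" + created.encode() +
            b") /ModDate (" + modified.encode() + b") >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")


# Constructed samples: a published PDF and a copy downloaded from the same
# place keep identical Info dates; an unrelated file made an hour earlier does not.
PUBLISHED = make_pdf("GRU-final", "D:20170605121715", "D:20170605121715")
RECEIVED = make_pdf("GRU-final", "D:20170605121715", "D:20170605121715")
UNRELATED = make_pdf("other", "D:20170605111715", "D:20170605111715")

if __name__ == "__main__":
    print(compare_copies(PUBLISHED, RECEIVED))   # both dates match
    print(compare_copies(PUBLISHED, UNRELATED))  # neither matches
    # The same instant written with two different offsets (the time-zone trap):
    print(parse_pdf_date("D:20170605121715-04'00'")
          == parse_pdf_date("D:20170605161715Z"))
```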

So, that’s one mystery solved: the person or people who sent the document to Maddow used the Intercept’s document as a base. That still leaves who sent it, though. Was it the Kremlin, someone associated with Trump, or somebody else? That one is in the hands of Maddow’s team.

(A hat tip to Lynna, OM in PZ’s Political Madness thread, for the Wonkette article.)

[HJH 2017-07-08: Damn time zones. And I was even going to mention them in my original post…]

The Ouroboros of Hate

I’ll confess I’ve said that if bigots were smart, they wouldn’t be bigots. Reality is a bit more complicated than that, but there is a way to rescue the sentiment.

  1. Opponents of Social Justice movements generally have a poor grasp of social justice concepts.
  2. As a consequence, some of them think these concepts lack any firm meaning. They instead act either as in-group/out-group signifiers, or as synonyms for “I don’t like you.”
  3. As a consequence, some of them have difficulty telling if these concepts are used in their proper manner.
  4. A few opponents of social justice, motivated either by a desire to show #2 to be true or simply to grief, will stage faux social justice campaigns.
  5. As a consequence, the subset mentioned in #3 will think the opponents from #4 are sincere, and given enough exposure may start thinking social justice concepts lack meaning.

I’ve seen this in action; while one group of bigots were trolling me, I saw another group think the trolling was sincere. Just recently, I spotted another example.

Older members of the crowd carried Confederate flags, while the younger, internet-driven masses wore patches with 4chan’s Kekistan banner. Rally-goers in homemade armor and semi-automatic rifles paced Houston’s Hermann Park, waiting for an enemy to appear.

The crowd, several hundred strong, gathered in the park on Saturday to defend a statue of Sam Houston, a slaveholder. They had gathered in response to reports that leftist protesters had planned a rally to remove the statue, despite Houston Mayor Sylvester Turner publicly stating that removing the statue wasn’t “even on my agenda.” But as sniper rifles and Infowars-branded jackets crowded the park, it became evident that the left protesters were not coming. They had never planned to come. The rumors of an antifa protest were actually a hoax, orchestrated by an anti-left group defending Confederate monuments.

I suspect these scenarios are more common than we realize, if only because the same thing happened again a month later.

A “patriot” who brought a revolver to Gettysburg National Military Park Saturday amid rumors of desecration of memorials accidentally shot himself in the leg Saturday. […]

Dozens of self-described Patriots came to the park about noon Saturday after hearing rumors that Antifa protesters might crash the park’s events and try to desecrate memorials. Members of Antifa caused a ruckus in Harrisburg recently at an Anti-Sharia rally and one member was arrested for swinging a wooden pole with a nail attached at a police horse.

The rumors on Saturday appeared to be just that: rumors, as no Antifa members were seen at Gettysburg park Saturday.

The result of all this is a self-supporting feedback loop, where people opposed to social justice keep getting fooled by false flags into thinking social justice is as loopy as they’ve been told, and some of them graduate to generate those false flag campaigns.

Look Around You

Let’s say the Kremlin was responsible for the DNC hack, and deployed Twitter bots and trolls to drive disinformation during the recent US election. You wouldn’t expect something like this to pop up overnight; instead, it’s likely Russia has practised on its closer neighbours for years. If this were the case, you’d expect those neighbours to have plans and organisations set up to counter Kremlin influence.

Sweden has launched a nationwide school program to teach students to identify Russian propaganda. The Defense Ministry has created new units to seek out and counter Russian attempts to undermine Swedish society.

In Lithuania, 100 citizen cyber-sleuths dubbed “elves” link up digitally to identify and beat back the people employed on social media to spread Russian disinformation. They call the daily skirmishes “Elves vs. Trolls.”

In Brussels, the European Union’s East Stratcom Task Force has 14 staffers and hundreds of volunteer academics, researchers and journalists who have researched and published 2,000 examples of false or twisted stories in 18 languages in a weekly digest that began two years ago. […]

France and Britain have successfully pressured Facebook to disable tens of thousands of automated fake accounts used to sway voters close to election time, and it has doubled to 6,000 the number of monitors empowered to remove defamatory and hate-filled posts.

The German cabinet recently endorsed legislation — now before Parliament — to impose fines of up to $53 million on social-media companies that fail to remove posts deemed to be “hate speech.” Some especially notorious recent examples concerning migrants have been traced to Russian origins.

You’d also expect the Kremlin to brag about their online savvy. It would be a national source of strength and pride, after all.

Last February, a top Russian cyber official told a security conference in Moscow that Russia was working on new strategies for the “information arena” that would be equivalent to testing a nuclear bomb and would “allow us to talk to the Americans as equals.”

Andrey Krutskikh, a senior Kremlin adviser, made the startling comments at the Russian national information security forum, or “Infoforum 2016,” held Feb. 4 and 5. His remarks were transcribed by a Russian who attended the gathering and translated for me by an independent European cyber expert. […]

According to notes of Krutskikh’s speech, he told his Russian audience: “You think we are living in 2016. No, we are living in 1948. And do you know why? Because in 1949, the Soviet Union had its first atomic bomb test. And if until that moment, the Soviet Union was trying to reach agreement with [President Harry] Truman to ban nuclear weapons, and the Americans were not taking us seriously, in 1949 everything changed and they started talking to us on an equal footing.”

Krutskikh continued, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”

Putin’s cyber adviser stressed to the Moscow audience the importance for Russia of having a strong hand in this new domain. If Russia is weak, he explained, “it must behave hypocritically and search for compromises. But once it becomes strong, it will dictate to the Western partners [the United States and its allies] from the position of power.”

If you live in the United States and focus only on news from there, it isn’t that hard to dismiss evidence of Kremlin hacking. They haven’t done it before, right? The US is a tech leader, anyway, and would spot any attempts coming from a mile away.

If you step outside of that bubble, though, you find many more people convinced of the Kremlin’s hand, if only because they’ve felt it themselves.

When Winning Becomes Everything

Before getting to the point, though, do you mind if I’m a little petty? Emphasis mine:

I was asked about my observations on technical details buried in the State Department’s release of Secretary Clinton’s emails (such as noting a hack attempt in 2011, or how Clinton’s emails might have been intercepted by Russia due to lack of encryption). I was also asked about aspects of the DNC hack, such as why I thought the “Guccifer 2” persona really was in all likelihood operated by the Russian government, and how it wasn’t necessary to rely on CrowdStrike’s attribution as blind faith; noting that I had come to the same conclusion independently based on entirely public evidence, having been initially doubtful of CrowdStrike’s conclusions.

MMmmmm.

But on to the main point: the day after Thursday’s revelation that “a GOP operative who presented himself as working with Mike Flynn, … actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government,” one of the anonymous sources became nonymous. Meet Matt Tait, a British cybersecurity researcher who’s covered that angle of American politics. Said GOP operative, Peter Smith, approached him to validate the batch of emails that were claimed to be from Hillary Clinton’s private email server.

In my conversations with Smith and his colleague, I tried to stress this point: if this dark web contact is a front for the Russian government, you really don’t want to play this game. But they were not discouraged. They appeared to be convinced of the need to obtain Clinton’s private emails and make them public, and they had a reckless lack of interest in whether the emails came from a Russian cut-out. Indeed, they made it quite clear to me that it made no difference to them who hacked the emails or why they did so, only that the emails be found and made public before the election.

Ignore the whole attribution angle of the DNC hack. Instead, let’s focus on the actions of the Republicans. They had access to illegally-obtained dirt on a rival party, and didn’t care that this dirt was illegal. All that mattered to them was winning.

This isn’t a one-off, either; yesterday I pointed to an old story about another GOP operative, Aaron Nevins, who struck a deal with “Guccifer 2.0” to use the material they gathered from local DNC chapters in local races. That material wound up being used in attack ads, and may have swayed voters. But there was also a recent report which showed that Republicans had extensively gerrymandered electoral districts, guaranteeing themselves safer seats and greater odds of winning. This lines up with prior reports. Republicans are also notorious for voter suppression, to the point that they openly brag about it and waste taxpayer funds to do it. Voter disenfranchisement? Also a Republican tactic.

This is a party devoted primarily to winning. Their policies and values are secondary, leading to an unending stream of hypocrisy. This explains a lot about why they have so much difficulty governing: the Republicans lack a unified vision to guide policy and rally everyone around. This makes it easy for outside groups to sway Republicans to their side, to the point that they even rely on them to draft some legislation.

This is poisonous for democracy. It must be opposed, no matter your political leanings.

The Mechanisation of Hate

Over time, I’ve come to believe anti-feminism is a cult of sorts. Their use of memes was a deciding factor, but there are other tells. One exploits our instincts as a social species.

In order to encourage those social bonds, we have a need to be loved. This creates a loyalty to a social group, which we repay by advancing the needs of the group. We band together to gather food, fend off predators or other groups, and so on.

But if love forms bonds, couldn’t a lot of love form a really strong bond? Or overcome resistance to forming a bond? This is the rationale behind “love-bombing”: by showering your target with love, you hope to generate a relationship that otherwise wouldn’t happen. The term was even coined by a cult. The flip-side is hate-bombing, or showering someone with hate in the hope of causing emotional distress.

Via PZ, I learned that anti-feminists have a very similar concept: red-pilling.

“Redpill,” for the blissfully unaware, is a slang term in certain alt-right-adjacent internet communities like the men’s rights crew. It refers to that famous Matrix scene where Neo takes the red pill and sees things as they really are. When alt-right dudes use it, they generally mean “convince other white people that we’re better than others,” and many of them are not shy about trying to redpill their friends and families.

“It’s a new label for an old idea,” said Ryan Lenz, who gathers information on hate groups for the Southern Poverty Law Center’s Intelligence Project, and edits their Hatewatch blog.

That Vice article points out some common tactics, like building empathy and using bargaining to expose people to your propaganda. Laci Green appears to be the latest person to fall victim.

In late May, seemingly out of the blue, Green dramatically shifted her tone on harassment. Where once she supported the abused, she suddenly began questioning why there’s “more than two genders” and arguing that “both sides of the argument are valid” for everything from racism to transphobia to misogyny. In a stunning example of her newfound hypocrisy, she called feminist YouTuber and fellow member of her anti-harassment Facebook group Kat Blaque a “sociopath,” […]

In a series of videos, Green revealed that her shift was a result of “red pilling,” the term for a twisted Matrix-inspired recruitment process coined by men’s rights advocates, pick-up artists, and the “alt right.” The process involves a recruiter who attempts to position white supremacists as oppressed truth tellers while spinning phony racial and gender science as “free speech” that’s being trampled on by feminists and the political left.

The parallels between religious cults and the anti-feminist movement are chilling; I didn’t even realise there was a flip-side to love-bombing until I thought of examples drawn from anti-feminism. But there’s an ingredient we can add which makes things oh-so-much worse.

You can see the outlines of it in message boards like 4chan: someone announces a target, and other commenters swarm that person with love or hate. These are the early steps of the mechanisation of hate, in this case the automation of love/hate-bombing, and it’s gotten very sophisticated. The next logical step would be to get money involved in the process, and that’s already happened.

When Green created her anti-harassment Facebook group, it was largely in response to the rising trend of “response videos,” YouTube videos created by trolls who have devoted their lives to attacking feminist content. Creators of these videos often claim that their content does not itself constitute harassment, while simultaneously ignoring the actions of their followers, who frequently bombard their targets with an overwhelming number of slurs and violent messages. […]

Troublingly, up until recently, such videos were not only supported by YouTube, but incentivized. Because response videos are so easy to make, it was easy for reactionary YouTubers to churn out a lot of content, which YouTube then prioritized in an algorithm that favored prolific output, high view counts, and abundant comments — even if those comments were toxic. Gaming the very closely held secret of the YouTube algorithm became a de facto path to internet stardom, and the format was perfect for response-video creators.

This puts a dollar tag on hate. It’s no longer just about promoting your group or winning new members; you can actually make a good living off of hating on feminism. This is yet another parallel to religion, especially Christianity, which has always used various means to extract funds from its supporters to line the pockets of its preachers. It feeds a self-sustaining cycle of hate, where preachers scramble to earn the cash of followers by whipping up their hatred.

There is no easy way to defeat this, as it relies on deeply embedded parts of our psyche. Speaking up about it and educating people is probably the best tactic in the short-term, while in the long-term we work on dismantling or altering systems which promote it.

Russian Hacking and Bayes’ Theorem, Part 4

Ranum’s turn! Old blog post first.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence community is trying to sell:

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

They aren’t using IP addresses or attack signatures to sell attribution, they’re pooling all the analysis they can get their hands on, public and private. It’s short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.

I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to white list IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.

I dunno, there’s a fair bit of creativity involved in trickery. You need to do some research to figure out the target’s infrastructure (so you don’t present them with a Gmail login if they’re using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); find ways to disguise the URL displayed that neither a human nor browser will notice; construct an SSL certificate that the browser will accept; and it helps if you can find a way around two-factor authentication. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.

I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant, though; the fact that house break-ins are easy to do doesn’t refute the evidence that someone burgled a house.

Hey, that was quick. Next post!

Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:

H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it

I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]

SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

That SecureWorks report expands on who was targeted.

In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.

Even that glosses over details, as that list also includes Colin Powell, John Podesta, and William Rinehart. Also bear in mind that all these people were phished over roughly nine months, sometimes multiple times. While it helps that many of the targets used Gmail, when you add up the research involved to craft a good phish, plus the janitorial work that kicks in after a successful attack (scanning and enumeration, second-stage attack generation, data transfer and conversion), the scale of the attack makes it extremely difficult for an individual to pull off.

Similar reasoning applies to an unskilled person/group using professional tools. The multiple stages to a breach would be easy to screw up, unless you had experience carrying these out; the scale of the phish demands a level of organisation that amateurs shouldn’t be capable of. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.

Besides, this argument tries to eat and have its cake. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, no matter what their status was beforehand. The difference between hypotheses D and I is trivial.

There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.

Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.

I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.

Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to be liberal with our hypotheses.

I) is also a problem for the “Russian hackers” argument. As I described, the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?

This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.

Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.

I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:

  1. Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
  2. Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
  3. Guccifer is an American hacker who used basic off the shelf tools
  4. Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services

Quick story: I listened to CrowdStrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.

The presenters pointed out that this was probably due to a quirk in Linux attacks. There’s a lot of variance in which kernel and libraries will be installed on any given server, so merely copying over the attack binary is prone to break. Because of this variety, though, it’s common to have a compiler installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the code.

You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.

“Could.” Note that you need the perfect set of conditions in place. Even if those did occur, and even if the source code bundle contains Windows or OSX source too (excluding that would reduce the amount of data transferred and increase the odds of compilation slightly), the attack binary for those platforms usually needs to be compiled elsewhere. Compilation environments are highly variable yet leave fingerprints all over the executable, such as compilation language and time-stamps. A halfway-savvy IT security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.
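As an added illustration of the “fingerprints all over the executable” point (my own example, not anything from CrowdStrike or FireEye), here is a parser for the PE header fields an analyst compares first when deciding whether a binary came out of the same build environment: target machine, PE32/PE32+ format, linker version and the link-time stamp. The PE images are constructed headers, not real malware.

```python
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x86-64"}


def build_sample_pe(timestamp, machine=0x8664, linker=(14, 0)):
    """Constructed, minimal PE header: DOS stub, PE signature, COFF header and
    the start of the optional header. Enough for header forensics; not runnable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header follows the stub
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 240, 0x22)
    magic = PE32PLUS_MAGIC if machine == 0x8664 else PE32_MAGIC
    # Optional header starts with Magic, MajorLinkerVersion, MinorLinkerVersion
    optional = struct.pack("<HBB", magic, linker[0], linker[1]) + bytes(236)
    return bytes(dos) + b"PE\0\0" + coff + optional


def pe_build_fingerprint(data):
    """Extract the build-environment fields from a PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, stamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown"),
        "linker": f"{major}.{minor}",
        # Caveat: TimeDateStamp is written by the linker and can be zeroed or
        # forged, so it is one signal among several, never proof on its own.
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }


def build_environment_diff(sample_a, sample_b):
    """Fields that differ between two samples' build fingerprints. Timestamps
    are excluded: they differ between any two builds, even from one toolchain."""
    fa, fb = pe_build_fingerprint(sample_a), pe_build_fingerprint(sample_b)
    return {k: (fa[k], fb[k]) for k in ("machine", "format", "linker")
            if fa[k] != fb[k]}


# Constructed samples: a known build and a later build linked with a different
# toolchain, which an analyst would flag as coming from another environment.
KNOWN = build_sample_pe(1451606400)                        # 2016-01-01 00:00 UTC
VARIANT = build_sample_pe(1451606400 + 86400, linker=(9, 0))

if __name__ == "__main__":
    print(pe_build_fingerprint(KNOWN))
    print(build_environment_diff(KNOWN, VARIANT))  # {'linker': ('14.0', '9.0')}
```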

And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.

While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics either; from FireEye’s first report (they now have a second, FYI),

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

And as a reminder, APT28, aka Fancy Bear, is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.

Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.

  • [HJH: On top of that, from what I’m reading APT28 prefers malware-free exploits, which use existing code on Windows computers to do their work. None of it works on Linux, so its source code would never be revealed via the claimed method.]

Community Scientism

Existential Comics is… a bit of a weird read. Crudely drawn, a bit obsessed with nihilism, it nonetheless hits some very powerful notes. And in their latest comic, they struck a chord close to home.

At Science HQ. DAWKINS: Philosophy! Ha. Nothing could be more useless. HARRIS: Exactly, all the so-called philosophical problems will be solved with science. TYSON: Yes, it's all empty speculation, whereas we scientists use EVIDENCE. DE BEAUVOIR: NO SCIENTIFIC FACT CAN GIVE A PURPOSE TO OUR LIVES! DAWKINS: Who are you? DE BEAUVOIR: WE ARE THE PHILOSOPHY FORCE FIVE!!

Confession time: not too long ago, I probably would have been standing next to Science Headquarters. I never would have called philosophy useless, and I thought Harris in particular was underplaying how difficult it would be to create a moral system from science, but I did buy into things like this.

Science is the best method humankind has devised for understanding causality. Therefore the scientific method is our most effective tool for understanding the causes of the effects we are confronted with in our personal lives as well as in nature. There are few human traits that most observers would call truly universal. Most would consent, however, that survival of the species as a whole, and the achievement of greater happiness of individuals in particular, are universals that most humans seek. We have seen the interrelationship between science, rationality, and rational skepticism. Thus, we may go so far as to say that the survival of the human species and the attainment of greater happiness for individuals depend on the ability to think scientifically, rationally, and skeptically.

In the handful of years since then, I’ve realized that science is both a business and a career. That alone is enough to warp the scientific record and induce false results. But the rot extends even further, right into the scientific method itself, and the only way out is through philosophy. If you’d prefer the short version (emphasis mine):

The above derivation is one reason why the frequentist confidence interval and the Bayesian credible region are so often confused. In many simple problems, they correspond exactly. But we must be clear that even though the two are numerically equivalent, their interpretation is very different.

Recall that in Bayesianism, the probability distributions reflect our degree of belief. So when we computed the credible region above, it’s equivalent to saying

“Given our observed data, there is a 95% probability that the true value of μ falls within CRμ” – Bayesians

In frequentism, on the other hand, μ is considered a fixed value and the data (and all quantities derived from the data, including the bounds of the confidence interval) are random variables. So the frequentist confidence interval is equivalent to saying

“There is a 95% probability that when I compute CIμ from data of this sort, the true mean will fall within CIμ.” – Frequentists

Note the difference: the Bayesian solution is a statement of probability about the parameter value given fixed bounds. The frequentist solution is a probability about the bounds given a fixed parameter value. This follows directly from the philosophical definitions of probability that the two approaches are based on.

So while many in the atheo-skeptic sphere are singing the praises of science, I’m filled with existential dread from things like this.

That question has been central to [John] Ioannidis’s career. He’s what’s known as a meta-researcher, and he’s become one of the world’s foremost experts on the credibility of medical research. He and his team have shown, again and again, and in many different ways, that much of what biomedical researchers conclude in published studies—conclusions that doctors keep in mind when they prescribe antibiotics or blood-pressure medication, or when they advise us to consume more fiber or less meat, or when they recommend surgery for heart disease or back pain—is misleading, exaggerated, and often flat-out wrong. He charges that as much as 90 percent of the published medical information that doctors rely on is flawed. His work has been widely accepted by the medical community; it has been published in the field’s top journals, where it is heavily cited; and he is a big draw at conferences. Given this exposure, and the fact that his work broadly targets everyone else’s work in medicine, as well as everything that physicians do and all the health advice we get, Ioannidis may be one of the most influential scientists alive. Yet for all his influence, he worries that the field of medical research is so pervasively flawed, and so riddled with conflicts of interest, that it might be chronically resistant to change—or even to publicly admitting that there’s a problem.

Come to think, that could explain why I read the comics I do.

Squirting Right

Ever heard of the Sea Squirt? It’s a memorable creature.

What’s most fascinating about the sea squirt is that, almost as soon as it stops moving, its brain is absorbed by its body. Being permanently attached to a home makes the sea squirt’s spinal cord and the neurons that control locomotion superfluous. Once the sea squirt becomes stationary, it literally eats its own brain.

This tells us something important: brainpower is strongly related to movement. If you don’t go anywhere, you don’t need that much computational power between your ears.

While there are those like Sean Hannity who are reliable cheerleaders for all things President Trump, much of the conservative news media is now less pro-Trump than it is anti-anti-Trump. The distinction is important, because anti-anti-Trumpism has become the new safe space for the right. […]

For the anti-anti-Trump pundit, whatever the allegation against Mr. Trump, whatever his blunders or foibles, the other side is always worse.

But the real heart of anti-anti-Trumpism is the delight in the frustration and anger of his opponents. Mr. Trump’s base is unlikely to hold him either to promises or tangible achievements, because conservative politics is now less about ideas or accomplishments than it is about making the right enemies cry out in anguish.

There’s been a remarkable shift in US politics. The Right-wing has largely become the “anti-Left”: whatever the Left is in favor of, the Right opposes. This has some advantages, like making it easy to leverage fear and removing the possibility of contradiction. Truth and feelings become synonymous.

[NEWT] GINGRICH: The current view is that liberals have a whole set of statistics that theoretically may be right, but it’s not where human beings are.

CAMEROTA: But what you’re saying is, but hold on Mr. Speaker because you’re saying liberals use these numbers, they use this sort of magic math. These are the FBI statistics. They’re not a liberal organization. They’re a crime-fighting organization.

GINGRICH: No, but what I said is equally true. People feel more threatened.

CAMEROTA: Feel it, yes. They feel it, but the facts don’t support it.

GINGRICH: As a political candidate, I’ll go with how people feel and I’ll let you go with the theoreticians.

But if you define yourself as the opposite of something else, other people define your position for you. If you cannot contradict yourself, you do not have to waste time and energy searching for contradictions. In the intellectual sphere, you drift under the power of others, and otherwise cannot be moved.

If you cannot move, why do you need a brain? No wait, let me rephrase that: why do you need to think? There’s no need to teach critical thought, and plenty of reason to oppose it. Intellectuals become the enemy, experts the target of scorn. This makes you easily manipulated. Hucksters flock in to take advantage of you.

It doesn’t have to be this way. Conservatives used to hold to specific positions in US politics, some of which were progressive. Should any Republicans or conservatives wander onto this post, I implore you: think, before you glue yourself down and lose that ability.

The Intersection of Intersex and Trans*

Shiv blogged about a fascinating article on TransAdvocate. The title gives you a good preview: “An intersex perspective on the trans, intersex and TERF communities.” It seems some intersex people are drawn to “gender critical” feminism; on the surface, they argue against surgery and claim to push back against the notion of binary gender.

But, when you get into the details,

intersex advocates and “gender critical feminists” have very different end positions on medical interventions into the sexed body. Intersex advocates believe that no intervention should be forced–but also that once an intersex person is old enough to give full informed consent, that hormonal, surgical, or other interventions should be performed if that’s what the individual truly wants. Many, many, many intersex people do choose interventions of their own free will. … Intersex people often seek hormone replacement therapy to masculinize or feminize their bodies, or surgeries to move their urethras to allow neater or standing urination, or any of a wide number of other interventions. And intersex advocates support all of these choices. We just wish them to be free choices, not forced by doctors or parents or social shaming.

Gender-critical feminists, on the other hand, turn out to hold a very different position: that all interventions into the sexed body are mutilations, not just those imposed without consent. Just as it is a mutilation to surgically alter the innocent bodies of intersex babies, they say, it is a pointless self-mutilation for an adult to choose to have their sexed body medically altered, because sex cannot be changed. …  The only healthy and feminist response to unhappiness with one’s body presented is to learn to accept it as it is. For intersex people, this just replaces the rigid regime of forcing medical interventions with a rigid regime of withholding them. Switching one constraint on intersex people for another isn’t the motivation for this gender critical position–I don’t know if they are even aware that intersex people desire some medical interventions. The main purpose of their argument that one must accept the natural body is to tell trans people that they must give up on the “delusion” that one can be born with a penis but really be a woman, or born with a vagina but really be a man, or born a human being and really be a member of some alternative sex.

This is but one of the many insights Cary Costello’s article offers. At one point, I summarised early TERFs as “lesbians squicking out over potential penis.” It was unabashedly superficial, but I’m not the only one to notice the fixation on genitals.

But participating in discussions with gender crits, it quickly becomes apparent that they are indeed transphobic–and apparently obsessed with penises. They talk about them constantly, and presume that all trans women have them (because they say even a trans woman who has genital reconstructive surgery now simply possesses an “inverted penis”). And penises are always presented as dangerous–“natal [cis] girls” might see them in locker rooms and be traumatized, trans-protective laws would mean no woman could ever be sure the person in the next stall didn’t have a penis, and thus pose a threat to her. This obsession with other people’s genitals and validation of the idea that people should be upset by those with the “wrong ones” runs completely counter to the interests of intersex people. …  In painting trans women’s bodies as deceptive, dangerous and disgusting, transphobic feminists paint those born sex variant with the same brush.

But I didn’t point you to the article just because it pokes holes in TERF ideology; there are excellent observations about the overlap between the trans* and intersex communities, with suggestions for improvement. No spoilers, though, you’ll have to read those for yourself. Cary Costello’s article deserves a second shout-out.

Math Can Be Weird

Take the Cantor function, a “Devil’s Staircase.”

The Cantor function, in the range [0:1]. It looks like a jagged staircase.

It looks like a squiggly mess, yet it is continuous and at almost every point there’s a well-defined slope: perfectly horizontal. The only exceptions are at points along the X-axis which are part of the Cantor set, an uncountable number of points with zero length. Even at one of these points, however, the net vertical increase is zero! We can see this by calculating the limits toward a point with a non-zero slope.

Wikipedia has a good write-up on how to evaluate the Cantor function (I used it in the above approximation).

  1. Express x in base 3.
  2. If x contains a 1, replace every digit after the first 1 by 0.
  3. Replace all 2s with 1s.
  4. Interpret the result as a binary number. The result is c(x).

The point x = 1/3 is part of the Cantor set, and thus satisfies our needs. Following the above rules, the output of the function there is 0.1 in binary, or 0.5 in decimal. Let’s calculate both limits, to get a feel for how much vertical is climbed at that point.

Approaching the limits of C(1/3). Spoiler alert, they both wind up equalling 1/2.

If we approach x = 1/3 from the right, we flatline at y = 1/2. If we approach it from the left, we wind up evaluating the geometric series y = 1/4 + 1/8 + 1/16 + … to calculate the height, which gets arbitrarily close to y = 1/2. The height of the “jump” at x = 1/3 vanishes into insignificance! That’s a good thing, as otherwise the Cantor function’s slope would have approached a vertical line and it wouldn’t be a function.

Calculating the slope of the Cantor function at x = 1/3. Spoiler alert, it approaches a perfectly vertical slope.
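The digit recipe and the two-sided limit above can be carried out exactly in Python, using rationals so no floating-point rounding creeps in. This is an added example, not from the post or from the Wikipedia write-up it cites; `one_sided_values` and `secant_slope_from_left` are names introduced here for the 1/3 ± 3^-n approach the post describes.

```python
from fractions import Fraction


def ternary_digits(x, n):
    """First n base-3 digits of a Fraction x in [0, 1), computed exactly."""
    digits = []
    for _ in range(n):
        x *= 3
        d = x.numerator // x.denominator  # integer part is the next digit: 0, 1 or 2
        digits.append(d)
        x -= d
    return digits


def cantor(x, precision=64):
    """Evaluate the Cantor function c(x) with the post's recipe: write x in
    base 3, zero everything after the first 1, turn 2s into 1s, read as binary.
    Exact when the ternary expansion terminates within `precision` digits;
    other inputs are truncated there (e.g. c(1/4) = 0.0101... comes out one
    part in 4**32 short of 1/3)."""
    x = Fraction(x)
    if not 0 <= x <= 1:
        raise ValueError("the Cantor function is defined on [0, 1]")
    if x == 1:
        return Fraction(1)
    result = Fraction(0)
    for k, d in enumerate(ternary_digits(x, precision), start=1):
        if d == 1:            # first 1 becomes a binary 1; everything after is zeroed
            result += Fraction(1, 2 ** k)
            break
        if d == 2:            # a 2 reads as a binary 1
            result += Fraction(1, 2 ** k)
    return result


def one_sided_values(point, n):
    """c at point - 3**-n, at point, and at point + 3**-n."""
    h = Fraction(1, 3 ** n)
    return cantor(point - h), cantor(point), cantor(point + h)


def secant_slope_from_left(point, n):
    """Slope of the chord from point - 3**-n to point; at 1/3 it equals (3/2)**n,
    so the left-hand slope grows without bound even though the jump vanishes."""
    h = Fraction(1, 3 ** n)
    return (cantor(point) - cantor(point - h)) / h


if __name__ == "__main__":
    third = Fraction(1, 3)
    for n in (2, 5, 10):
        left, mid, right = one_sided_values(third, n)
        print(f"n={n:2d}: c(1/3-3^-n)={left}  c(1/3)={mid}  c(1/3+3^-n)={right}  "
              f"left slope={secant_slope_from_left(third, n)}")
```

From the right every value is exactly 1/2; from the left the values are 1/2 - 2^-n, the partial sums of the geometric series in the text.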

Yet even though every single vertical hop is arbitrarily small, it’s obvious the Cantor function has some sort of vertical increase. How else could it contain both (0,0) and (1,1)? In fact, if you measured the arc length of the Cantor function, it would be two units. At every point where the slope isn’t horizontal, it is arbitrarily close to vertical, so no matter where you put the vertical or horizontal bits you wind up travelling the Manhattan distance between (0,0) and (1,1), which is 2. We know the distance of the horizontal components adds to one unit, since the Cantor set has length 0 and the horizontal distance is 1, so the uncountable number of arbitrarily small vertical “hops” must also have a net length of one unit.

The Cantor function manages to climb vertically without actually climbing vertically. Pretty wild, eh?

Oh, and credit where credit is due, I was introduced to the Cantor function by PBS’s Infinite Series. Check it out for a weekly dose of math.