Critiques of the DHS and FBI’s Grizzly Steppe Report (robertmlee.org)
100 points by kushti on Dec 30, 2016 | 105 comments



This is theatre. Were Congress to expand tort law to mandate standards and consequences similar to products liability regulations for other products, then the attack surface available to state and non-state actors would meaningfully shrink.

If there is one thing the plaintiff's lawyers excel at, it is inflicting extensive expenses and pain on parties who negligently or fraudulently create, fund creation, or use products that injure property or person; thereby creating effective incentives to harden products.

You will know the USGOV is serious about INFOSEC when they stop issuing reports and start legislating, regulating and enforcing meaningful standards, as they already do for automobiles, drugs, machinery, etc.


> Were Congress to expand tort law to mandate standards and consequences similar to products liability regulations for other products, then the attack surface available to state and non-state actors would meaningfully shrink.

The problem is the organization sizes are the opposite of what works for products liability. It's not Joe Homeowner buying an appliance from Sears or GE, it's an insurance company or government contractor getting software from an individual or a company with nine employees.

You can't use that to force improvements from small entities because they barely even have lawyers to tell them what they have to do, and nobody will actually sue them if they have no money anyway.

What you need isn't for the software vendor to be liable, it's for the company holding all the customer data to be liable to those customers. Then those companies will start caring about actual security instead of "compliance" and figuring out how to pass the buck, and software vendors will still have to make secure software because nobody will buy anything else anymore.

It also forces companies to start treating huge databases as the security liability that they are. And it conveniently applies to the large tech companies that are also data warehousing companies like Yahoo or LinkedIn/Microsoft.


"it's an insurance company or government contractor getting software from an individual or a company with nine employees."

The good news is high-assurance systems have been built with smaller teams than that. We also have cases like Bernstein's where one person builds all kinds of stuff with provably better security using a bit of brains and methods that work. We also have tools like SPARK for static systems and Rust/Eiffel for larger ones that can easily eliminate entire classes of attack. Ada & SPARK have been around decades. Eiffel over a decade. Hardly anyone in the security-critical space is using them.

Most of what you see is easily prevented. Even with small teams. They just don't care or try. A baseline stopping code injection or insecure configurations would knock out a ton of problems. The next thing that would happen, as it did with DO-178B regulation & TCSEC, would be reusable components and consulting services designed to meet the standard where the cost & limited expertise is spread among many customers.

It could be done. Even for smaller players to a large degree.

"What you need isn't for the software vendor to be liable, it's for the company holding all the customer data to be liable to those customers."

Doesn't solve the DDOS problem which can also be used for extortion, interfering with government operations, etc. My approach targeting root cause handles that, too.


Oh absolutely, it isn't that small teams can't create secure software, it's that product liability isn't the way to do it. Because when the lawyers come for the bad coders they just turn their pockets inside out and then go back to writing bad code, while all the HMOs carry on using OpenSSL and vulnerable XML parsers.

> Doesn't solve the DDOS problem which can also be used for extortion, interfering with government operations, etc. My approach targeting root cause handles that, too.

Can you be more specific about your DDOS solution?


"Can you be more specific about your DDOS solution?"

The root cause is 0-days in software or bad configuration of mass-market products in most cases. The former can be detected automatically by many tools. The latter can, given the flaws I've seen so far, be spotted in 5 minute review by an amateur consultant. Mandating such things in a regulation or expecting them as "reasonable, professional standard" during a lawsuit would be a start. Prevents many DDOS bots as a side-effect.

My main solution to DDOS mitigation in the interim & part of long-term package is here:

https://news.ycombinator.com/item?id=13266108


For every piece of software they buy from a 9 person ISV they probably run tens of millions of dollars of software from IBM, Oracle, Microsoft, Adobe, etc. Or custom made software developed by one of the large shops. And that's going to be the vast majority of the attack surface.


> For every piece of software they buy from a 9 person ISV they probably run tens of millions of dollars of software from IBM, Oracle, Microsoft, Adobe, etc. Or custom made software developed by one of the large shops. And that's going to be the vast majority of the attack surface.

Vulnerabilities are not proportional to software price. That's the whole problem. IBM software is very expensive and complicated but you don't see a lot of CVEs. OpenSSL costs no money and much trouble.

Yet you have projects like OpenSSH that are free, by all accounts have a strong security record, but once or twice a decade there is a serious vulnerability. And because of how and where it's used, liability for that would destroy them.

Meanwhile Adobe would sooner stop distributing Flash Player than fix it, and all this does nothing about the admin who leaves the database server open to the internet with the default password.


I don't really see it as primarily driven by liability. I see various federal agencies as strongly discouraging increased private investment in security infrastructure via very public demands vs. Apple to decrypt their devices, and very secret national security letters also requiring decryption. Any company has to see that as a potential risk - after putting in R&D funding to secure their products, they could be then required to break their own encryption or face legal jeopardy.

Several small businesses have been driven out of business by such behavior, and large businesses have mostly capitulated.


Agreed. I wrote this on FB last year when people were calling hacks 'cyberwar':

I’m still not sure what to think of the Sony hack. I instantly rejected the idea that it amounted to “cyber war”, but beyond that, I think governments can take a legitimate interest in digital attacks on private companies, same as law enforcement would get involved in a physical attack on a corporate building.

I think the main response to IT breaches has to be “defensive”; secure code and networks. You can’t find and retaliate towards every hacker. And the benefit is that unlike retaliatory policy responses, good network security is designed to protect against all third parties, whether it’s your own government, random financial criminals, James Bond villains, whatever the entity or motive.


The Sony hack is a great example. The shareholders, employees and other stakeholders should have enjoyed legal remedies that could have rocked the corporate world into enacting meaningful INFOSEC practices. Instead I've seen reports they paid only $8m USD in a class action settlement. It's not enough to serve the public policy need.


The report also disregards various other sources of foreign manipulation on US networks including spam and propaganda which as everyone knows are also forms of hacking. For instance the 'fake news' on Youtube and spam links on Facebook and Instagram which link to phishing sites. Companies must be held accountable for harboring this type of material.


But if we did that, it would be harder to spy on other people, no?

sigh


It was a spear-phishing attack. The only way to protect against that is to ban email.


Throwaway because I work in a related field.

This is a public service announcement: if you haven't seen enough information to prove to you, independent of the claims of the White House, CIA & FBI, that Russia was behind this, you should file a Freedom of Information Act Request for sufficient evidence to independently reach that conclusion. Citizens of the US in particular should do this to hold their government accountable -- we can not let it be accepted that because POTUS says something, and maybe has confirmation from "anonymous sources" within the CIA & FBI (e.g. as reported by the NYTimes[1]), that it must be true.

Muckrock[2] makes it dirt-simple to file a FOIA request. Hold the government accountable -- they work for us.

1: http://www.nytimes.com/2016/12/09/us/obama-russia-election-h...

2: https://www.muckrock.com


While there's no harm in filing additional FOIA requests, let's also add some deductive reasoning to the mix. Is this consistent with Russia's actions in other countries and contexts (as well as their own)? Yes. http://warontherocks.com/2016/11/trolling-for-trump-how-russ...

Have individuals close to the Kremlin strongly implied they had a role in this and have senior Russian officials stated clearly that they had contact with the Trump campaign during the election? Yes. http://www.haaretz.com/world-news/u-s-election-2016/1.752386

Did Russia even object today on the grounds that the allegations about their role were false? On the contrary, they were practically doing a victory lap.

There are plenty of debates still very worth having about whether the actions taken today are appropriate, whether a hostile stance towards Russia is merited, etc. But I've seen enough to convince me that Russia was engaged in an information operations campaign to cast doubt about the U.S. election and help Trump on the margins.


Russia has denied involvement with this incident in the past[1].

I would encourage considering applying the same standard that we would apply to a trial by jury. Simply indicating that someone is a repeat offender, and would have reason to commit an offense again, does not itself meet a standard of evidence of actually committing that offense.

1: http://www.politico.com/story/2016/12/kremlin-denies-putin-d...


I am wondering why people think nations have ever stopped attempting to influence others?

Covert hacking happens everywhere.

The US openly bribes other nations or sends troops to motivate them to change.


I don't really care that much about this specific event.

It's a bunch of liars (Russian government, various US intelligence services, Russian and American politicians) trying to tell me that "the other guy" is a liar and did something bad.

My life continues as it does, working against all those listed above because none of them particularly deserve my assistance or respect.


On top of that, the leaks were real. If they were "leaking" phony information, I might have an issue. But this "hack" gives high-ranking politicians a taste of their own medicine. What POTUS calls a "hack", I prefer to call "warrant-less wiretapping".

And it's for "security". I'm 'secure' from Hillary Clinton's corruption, therefore, violating her right to privacy is ok. Same thing they do to each US citizen.


Sure, you can go ahead and file a FOIA request. But according to the NYT article you linked to, 'the forensic evidence was accompanied by “human and technical” sources in Russia, which appears to mean that the United States’ implants or taps in Russian computer and phone networks helped confirm the country’s role.' [0] CIA will not give you information about its secret agents in the Kremlin just because you ask nicely.

0: http://www.nytimes.com/2016/12/13/us/politics/russia-hack-el...


Much of the evidence you'd be looking for is specifically exempt from FOIA.


Yes, there are specific exemptions, but a properly worded FOIA request should be able to maneuver around them. For example, Exemption 7[1] would protect "from disclosure information which would reveal techniques and procedures for law enforcement investigations or prosecutions or that would disclose guidelines for law enforcement investigations or prosecutions if disclosure of the information could reasonably be expected to risk circumvention of the law," but a properly worded request would seek the information that those techniques uncovered, not the techniques themselves.

1: http://www.foiadvocates.com/exemptions.html


You are not going to be able to use FOIA to discover national security secrets, no matter how carefully you word the requests.

By all means, try, but you're trying to use FOIA to uncover literally the exact kinds of information the law excludes from FOIA.


This is predicated on the evidence, should it exist, of a Russia-backed security incursion being classified a national security secret. While such a hypothetical claim would have questionable value, would it be worth classifying a bit of information, say, like "the attack ingress point was IP address x.x.x.x, which is owned by Russian military?"


Of course it is classified. And of course no state backed actor is going to use a military owned IP.

And there won't be one single source of evidence which points to it, it will be hundreds of small circumstantial points which taken together point to the conclusion.

Those won't ever be released because they will give away sources and techniques.




I'm not perpetuating any particular agenda other than that people should request enough information to form their own opinions. Throwaway accounts for political conversations are an occupational necessity for my line of work.


> But why is this so bad? Because it does not follow the intent laid out by the White House and confuses readers to think that this report is about attribution and not the intended purpose of helping network defenders.

Looking at the comments in yesterday's thread[1], this is absolutely true - many, many people posted some variation of "What? There's no evidence proving Russian involvement in here at all!"

1. https://news.ycombinator.com/item?id=13279600


That's right, I was one of those confused people. I assumed this would be the WH presenting what evidence they have.

Sooo... still no public evidence that Russia leaked the DNC and Podesta's e-mails?


Read the original CrowdStrike report. Not the government report but the private security firm report. The government report is really just a restatement of that report. You don't track hackers for a decade to suddenly be wrong because of a government's political stance.


The CrowdStrike report, and subsequent interview in Christian Science Monitor of CrowdStrike CTO Dmitri Alperovitch [1], stated in June 2016 that they had low to medium confidence that the Russian government was involved with either Russian group detected.

The groups haven't changed; why are we so certain in December of Russian involvement that we're willing to sanction, if we knew everything we needed to know in June? The only evidence that they are associated with the government is a claim by FireEye that they "work during normal Russian business hours" of 8am-8pm, and that their targets (known targets I should say) would be of strategic importance to the Russian government - I bet if you asked any hacker in any country whether they'd like to hack the US government, they would tell you hell yes.

There are two possibilities here: 1, the US government is drawing this conclusion and imposing sanctions based on weak circumstantial evidence or 2, they have actual evidence but won't even hint at what it is. Even during the Iraq WMD debacle (which this ordeal is drawing heavy comparison with) they said they had satellite photos.

[1] http://www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy...


No idea why you're bringing politics into this. All I said was no evidence has been made public by the government.


> All I said was no evidence has been made public by the government

Except that's _explicitly_ not what you said. You said:

>still no public evidence that Russia leaked the DNC and Podesta's e-mails?

Your original claim was that there was _no public evidence_. When that claim was challenged, you pretended your claim was about what evidence was provided by the government.


Sorry, my intention wasn't to move the goalposts, I actually misspoke the second time. Obviously I don't care where the evidence comes from. I did mean "no public evidence" and then the parent made it political, somehow.

I did read the RPT-APT28 report by FireEye on APT28 (all fifty-something pages, surprise!). It did convince me that APT28 has political motivations. What's the connection between that and DNC/Podesta? I don't know, because there's no public evidence on that (that I know of).


Correct, no evidence has been made public by the government (yet). Much of their evidence is probably classified.

However, see here for evidence from private sector firms: https://www.reddit.com/r/NeutralPolitics/comments/52uj5c/do_...


"It's classified, trust us. And Iraq like, totally had WMDs."


Still lacking any evidence that voting machines were hacked or any part of the electoral process was hijacked. The worst damage? Emails related to the actual rigging of the Democrat Party primaries and the collusion of the media with the Democrat party. It's very hard for me to believe that a state actor is behind such seemingly altruistic actions. Voters saw the worst of Trump and Clinton and chose the lessor of two evils. Wikileaks and "the Russians" simply provided a level playing field.


How on earth did a leak of DNC emails, but no corresponding RNC leak, help people figure out the lesser of two evils or provide a level playing field?

Seems obvious that leaks assisting the pro-Putin candidate were not altruistic.


Assuming Clinton had those dirty secrets and Trump had nothing equivalent, that's what a level playing field looks like.

If you want to assume there were also some dirty Trump secrets that didn't come out then it seems like the only way to "level the playing field" would be for e.g. Venezuela to hack the Republicans and air their dirty laundry too.

And people are running around saying how terrible this is and asking "what if everybody did this?" But it seems like the answer to that question is, then people would know more relevant information about their political candidates. Or politicians would get better at computer security. Which of those is supposed to be bad?


> Assuming Clinton had those dirty secrets and Trump had nothing equivalent

Those are two rather incredulous assumptions considering that:

- Clinton released all of her tax returns, whereas Trump didn't release any

- The Clinton Foundation has been audited by at least three well respected, independent, organizations (garnering top ratings from all), whereas we know comparatively little about the Trump Foundation (or whatever it's called), yet it's admitted within the last six months to several inappropriate expenditures or donations, and is likely being investigated for more

- Trump sits atop a network of literally hundreds (if not thousands) of "independent" corporations designed solely to evade disclosure, liability, taxes or some combination thereof


Level is relative here. But remember DNC candidate had 6 or more multibillion dollar mass media corps actively supporting their candidate, POTUS was campaigning for them, had a top strategy team, support from tech giants, Wall St., huge contributions from countries like Saudi Arabia and so on. A few emails leaked I would say still wasn't a level playing field but it was close?


"mass media corps actively supporting their candidate"? How? By wasting hours of coverage on irrelevant emails instead of relevant policy issues?

https://shorensteincenter.org/pre-primary-news-coverage-2016...

Look at figure 7, Clinton media coverage 84% negative in tone, twice the ratio as Trump's!

Now compare that to the many millions worth of free coverage that Trump got, because he knew how to exploit the media's lust for controversy.

http://mediamatters.org/blog/2016/10/26/study-confirms-netwo...

100 minutes of Clinton emails vs. 32 minutes of policy issues for all candidates combined - who do you think benefits from that, the candidate with realistic policy proposals, or the one who wants to solve all problems by building a wall?


To be fair, he called Trump the "lessor" of two evils. Though, that seems like a low-ball figure.


First off, while there was an irrefutable bias in the DNC during the primaries, and shitty moves made against Sanders as a result of that bias, that is not the same thing in any way to rigging the primaries. That's a much stronger allegation with no evidence I've yet seen provided. The DNC was deplorable and idiotic in its rejection of Sanders and active working against his campaign. But the primaries were not rigged.

Second, how exactly was a level playing field created by leaks that targeted a single party and candidate? Was there some demonstrable advantage HRC and the DNC possessed versus GOP candidates and the RNC, which was neutralized in a fair fashion by the leaks, thus creating an equitable and balanced standing among all the parties and candidates? That seems to require quite a lot of evidence and explaining.

Third, I don't think there have been any stated allegations from the Obama administration or intelligence services regarding hacking voting machines and tallies. I realize some people are suggesting it without any evidence being out there. But the administration doesn't appear to be making those claims from all I've read so far. That's a wholly different issue that would require an incredible amount of organization, effort, and evidence proving it occurred. "Hacking the election" seems to almost be used as a bit of a colloquialism, more akin to "life-hacking", and where administration officials are concerned, specifically focused on the data breaches and leaks in an effort to "life-hack" the election through creative social and political engineering, not manipulating voting tabulations. However, voting machines != electoral process. They are merely the mechanism by which the process culminates in a decision. The machines can be entirely sound, while the process can be hacked and manipulated.

Also, a couple of nitpicks:

- It's the Democratic Party, not Democrat Party. Its members are called Democrats, not the party itself.

- In this instance, you wanted to use "lesser" not "lessor".


I agree not rigged, but giving Hillary debate questions in advance comes pretty close.

In my opinion, the DNC emails and the Trump "grab 'em" tapes are similar -- you can argue that it's private material that should've stayed that way, but you can't argue that the material didn't reveal helpful truths about the candidates.

Finally, a recent poll found 50% of Democrats think that Russia tampered with the vote tallies in the election. This is insane, and the direct result of mainstream media irresponsibly using the phrase "hacked the election" to refer to the (alleged) hacking of DNC emails by Russia.

Fake news.


I guess you conveniently forget where Sanders said his emails would have the same sorts of messages from Donna?

http://thehill.com/blogs/ballot-box/presidential-races/30386...

>"If Bernie Sanders had been the nominee of the party and the Russians hacked my emails instead of John [Podesta]’s, we'd be reading all these notes between Donna and I and they'd say Donna was cozying up to the Bernie campaign. This is taken out of context. I found her to be a fair arbiter, I think she did a good and honest job."

Turns out they weren't even debate questions:

http://www.nbcnews.com/card/top-sanders-aide-defends-dnc-cha...


Both your statements are untrue.

Sanders didn't say that. (Read your link. It's an aide running interference.)

Donna did leak debate questions. Here's an email from Donna Brazile. The subject is "From time to time I get the questions in advance".

https://wikileaks.org/podesta-emails/emailid/43962

The email contains the exact text of the question submitted to a CNN producer in advance of the town-hall by a moderator; it is very similar to the final question that ended up being asked.

http://www.politico.com/blogs/on-media/2016/10/roland-martin...


>Sanders didn't say that. (Read your link. It's an aide running interference.)

Aide representing Sanders. Distinction not relevant at all.

>town-hall by a moderator

The real question is whether Sanders' camp got the same email. The statements made by his aide suggest they did.


Agreed on the last part. I saw that poll, as well, and couldn't help but shake my head. There's a serious problem with not just the news, but the way people interpret the words used on the news in their own ways, and then spread that interpretation outward without there being any significant checks on the spin getting out of control.


>leaks that targeted a single party and candidate?

Is there any evidence to suggest that the DNC was singled out for attack? We should be careful not to fall victim to pernicious media spin. The claims laid out in the Grizzly Steppe report are very specific:

1. In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link ...

2. ...to over 1,000 recipients, including multiple U.S. Government victims.

3. In the course of that campaign, APT29 successfully compromised a U.S. political party.

We know in retrospect that the compromised party was the DNC, but the claims presented do not indicate that the DNC was the only target. Although this is how good boys and girls are supposed to interpret the evidence, since many news media sources are spinning this as "Russia hacked the electoral process for a Trump victory", we can't start from that conclusion and work backward. Claim #2 in particular seems to indicate that the attack was broad and indiscriminate, with government and non-government targets alike.

Consider also what isn't said in this report. If they could say that the hacker groups singled out the DNC for attack, they would say so. That no such claim is made indicates that the authors know otherwise.

Finally, we have this:

4. In spring 2016, APT28 compromised the same political party, again via targeted spearphishing.

This is a separate group from the one in the previous claims. What they do not speak to is the question of who else was attacked or compromised.

Intelligence and counterintelligence is an endless game of cat and mouse that has been played for millennia. Any indication you can glean on who the next leader of the world's #1 power will be is priceless information, so none of us should be the least bit surprised that any of this is going on or that political parties would be the target of hacking attempts in an election year, by Russia, or any other nation.

Russia putting a targeted hit only on the DNC to swing the election specifically in favor of one candidate is an extraordinary claim and this report doesn't clear the bar IMHO. A far more likely hypothesis is that all renowned political organizations are a target for hacking at all times, and the DNC just had shitty security and got compromised. Too bad. Maybe turn on 2FA next time, and stop storing Top Secret material on your home server. (Even my little unknown personal server gets thousands of login attempts from China every day.)


>stop storing Top Secret material on your home server.

None of the emails on Clinton's email servers were ever compromised, or at least we have no reason to believe they were because no one leaked them.

>Russia putting a targeted hit only on the DNC to swing the election specifically in favor of one candidate is an extraordinary claim and this report doesn't clear the bar IMHO.

This report wasn't meant to provide any evidence of anything.


> Is there any evidence to suggest that the DNC was singled out for attack?

I didn't say the DNC was singled out for attack. I said the leaks targeted them specifically. It's an intentional and notable distinction.


>The DNC was deplorable and idiotic in its rejection of Sanders and active working against his campaign. But the primaries were not rigged.

But they didn't do any of that either. It's amazing how out of control this narrative has gotten. And this is precisely why we can't justify these sorts of intrusions so close to an election, the stories become such distorted pictures of reality which is antithetical to rational decision making.


> But they didn't do any of that either.

They most certainly did. DWS and company actively worked internally to disparage and scuttle the Sanders campaign and push HRC, ultimately resulting in DWS resigning in shame. The DNC leadership's bias was obvious, and the leaked emails that came out before the convention provided sufficient evidence that Sanders' supporters had been right about the DNC not playing fair with the candidates (though still not rigging the primaries). I don't think the narrative about the DNC's pro-Clinton/anti-Sanders bias and internal activity ever got out of control. Seems it stayed pretty level, and it's ultimately a separate matter from the current issue as far as I'm concerned anyway.


This is absurd. It's clear that people at the DNC preferred Clinton. But the real question is what actions were taken to make Sanders less likely to become nominee? Absolutely none.


Oh, come on. You appear to either be unaware of the DNC's leaked emails before the convention, or are refusing to accept the information that is available and understand what I'm saying. There is a host of internal communication leaked specifically covering the internal conversations of DNC leadership focused on plans to scuttle Sanders' campaign and candidacy throughout the primaries. The leaks were then added to the lawsuit that was being brought against the DNC and DWS on the eve of the convention. You can easily look this information up. It's neither absurd nor an out-of-control narrative. The actions people care about on this issue (which are separate from the election leaks people are currently talking about) are the ones that occurred within the DNC.


I've seen the information, none of it represents anything they took action on. It's grasping at straws.


I'm not sure how to make my statements any clearer. I've even added emphasis to attempt to do so. The actions known about and discussed by which people are upset were actions within the DNC. Given that an action is something a person does, the content of the pre-convention leaked emails, and the act of writing and discussing the contents of those emails, constitutes actions within the DNC. You're attempting to dismiss this as non-action because there perhaps were not actions observable or taken outside the DNC. That's not what people are arguing in this case.


>the content of the pre-convention leaked emails

Such as? Further, one person leaking emails is a far cry from "the DNC" being against him. You cannot blame the organization for actions of individuals.

>act of writing and discussing the contents of those emails

But it is absurd to be upset by internal discussions that resulted in no action against the Sanders campaign. When I ask for what action the DNC took as an organization, it is in this manner that I am asking the question. Internal emails do not constitute "actively working against the Sanders campaign". Such a characterization is blatant dishonesty.


So it was just spearphishing, the poor man's hacking technique.

The techniques that NSA and MI6 use are far more advanced. Taking advantage of the networking equipment and injecting traffic.


> So it was just spearphishing, the poor man's hacking technique.

Just because someone walked in through an unlocked window does not make them any less an effective burglar.


So this document was written by security professionals. It's intended for an audience of security professionals. We read it and say, "wait a minute, this is basic script kiddie stuff, this is how the Russian intelligence services operate?" - the breathless description of how advanced the basic tactics are is something I would expect from a security firm who trades on fear. Maybe the unspoken message here is "it's just script kiddies." After all, a major political party is a hell of a get, especially with the amount of dirt in there.


The NSA used spearphishing to compromise the North Korean networks prior to the Sony hack. See http://securityaffairs.co/wordpress/32592/intelligence/nsa-c...


The White House and the document itself never list attribution as the goal. Robert M Lee seems to think that because it refers to the attackers as Russia, it is confusing readers. The summary at the beginning makes it clear to me that the document is presupposing the attacker is Russia so as to be consistent with all future public reports.

I don't think this is the best written report, but his conjecture around completely leaving out attribution if it doesn't include evidence seems rooted in playing to the lowest common denominator (i.e. poor media coverage of what this report entails).


The timing of the release of this document, at the same time as the announcement of sanctions on Russia for the hacking, can't be overlooked.

It's quite reasonable to assume the release of this report was intended to create the impression of evidence for attribution, even if it actually contains no such thing. Otherwise why not release it on any other day to avoid confusion? It looks to me like the confusion was quite intentional.


The White House stated pretty clearly why the Grizzly Steppe report went out: "to better help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities."

https://www.whitehouse.gov/the-press-office/2016/12/29/fact-...

Attribution is sexy and the media likes to talk about it. I don't believe the confusion was intentional. The White House is pretty bad at PR, and 'never ascribe to malice that which can be explained by incompetence'.


> The White House is pretty bad at PR

They have a press secretary whose job is, literally, to manage the media. I'm honestly not sure if your post was intended as satire.

The meat of the report might as well have been copy-pasted from OWASP. So if it's not to provide political cover for the yet-to-be-proven claims that Russia did it, they didn't get the message out.


It also can be seen as a meaningful signal of attribution capability to certain parties. Think of the form - an official document intended for public consumption - as not really being intended for consumption by the general public.


I question the importance of attribution on this issue. The Office of Personnel Management hack seems far worse than this report's conclusions, but there was a fraction of the outrage. Sadly, the problem is not confined to one state actor. INFOSEC is systemically broken and although the solution is staring Congress in the face, I suspect software/hardware lobbyists will prevent meaningful legislation.


What is the solution?


Tort reform that extends products liability to software and hardware developers and their partners. The problem is too complex for corporate or individual end users to manage. This plus retooling the NSA through an SBA conduit to provide protections to small businesses, law firms, health providers.


I agree with the assessment. While parts of this official communication were well written and intentioned, it feels like others weren't.

> at least in a vendor report you usually only get 1 page of marketing instead of 8

That was also my reaction when I scrolled down past page 4-5. It almost feels like they could have split this particular report into:

1) public-and-media-facing high level technical overview

2) actionable intelligence information for defenders

With 3) being the attribution and evidence coming at some point down the road.


Seems to me that the DNC had really sloppy security and that many groups could have compromised their servers. If the government has proof that Russian actors did so, they do not appear to have any proof that the info was used maliciously.

The whole report, and media coverage, and statements by public officials are so confused and confusing that they are useless in regards to security.

I have to compare this to the FDA's HIPAA regulations which mostly are just instructions on how to correctly secure servers and applications. However, I wish that HIPAA did not have these regs in it because they are susceptible to falling out of date.

Rather, I think the public would be better served by an official security standard that can be updated weekly with new advice and requirements. Then an org like the FDA can have one regulation covering security that says something like "all systems must be secured according to Federal Infosec Guidelines level B3 or higher". The specifics of what B3 might mean and higher levels of securing servers and apps, can be in a single document that would, I am sure, become a core part of the curriculum for developers and system administrators.

Moaning and whining about water under the bridge is a waste of energy and of public funds. This is a fixable problem if only someone in leadership is willing to act. Not grandstand or apportion blame, but act to improve infosecurity for everyone.

A well drafted set of infosec guidelines by industry experts along with a process for keeping it up to date will have incredible multiplier effects throughout industry as well as government, because it makes it much easier for management to order that things be secured, and it makes it much easier to get a consultant to validate that the guidelines have been correctly implemented.


Such federal standards have existed for decades now. Have you heard of the NIST Special Publication 800 series? They are quite comprehensive, although prohibitively complex for smaller agencies to implement stand-alone.


Has Schneier written anything on this report?

I will say this: the Podesta emails revealed a lot about the internal politics of the DNC. Why are we not treating this type of leak with the same level of respect as the Ellsberg leaks? Or for that matter, the Snowden leaks? Who is really controlling the narrative here?


What was the public interest in his lobster recipe? Or creating a paranoid frenzy that got shots fired at a pizza place?

Randomly dumping personal emails isn't the same as Ellsberg and Snowden working with reporters to blow the whistle on specific transgressions in war and mass surveillance.

Interesting article exploring this issue of exercising discretion and developing new ethics in the age of leaks: http://www.nytimes.com/2016/11/05/opinion/what-were-missing-...


There's a long list of stuff here:

http://www.mostdamagingwikileaks.com/

The press never covered most of it because a lot of the leaks are things that make them look bad. For example, Glenn Thrush:

https://wikileaks.org/podesta-emails/emailid/12681

> No worries
> Because I have become a hack I will send u the whole section that pertains
> to u
> Please don't share or tell anyone I did this
> Tell me if I fucked up anything

He tried to get out of this by saying he was just fact-checking. But that normally doesn't require a request for secrecy and one would just send specific items they wanted fact checked, not a prerelease copy of the article.


Upvote for link. I had ignored the wikileaks stuff, like I ignored most of the election cycle, because I ignore most current events. But it was time to take a peek to see what everyone got excited about.

I just randomly picked links and citations. Sorry, but I didn't find any there there. (I skipped the secret email server, mostly because I don't care.)

Just one example: in #6 it's clear from context that Bill Ivey's use of "we" refers to society as a whole. Further, he's venting about the decline of civic engagement, an opinion shared by many (such as myself).

My primary reaction is "Hate the game, not the players." Politics sucks. All of it. But why is anyone surprised by the corruption? This is the system we designed, or at least accepted. If we hate it so much, then we should support publicly financed campaigns, restoring the fairness doctrine, shortening the political cycle, etc, etc. But we don't. Because Freedom Markets™ booyah!

My secondary reaction is "Wow, this InfoWars stuff makes my head hurt." I can never tell if cherry-picking quotes out of context and making wild inferences is intentional obfuscation or just how some people process the world.

Anyway, thanks for the link.

PS- The spirit worshipping stuff is hysterical.


The secret email server is actually more interesting than you think. They found hundreds of emails containing classified info (including TS info, like a picture of NK that one of the media guys talks about in the dump). We also have an email between Hillary & Colin Powell discussing how to subvert the Presidential Records Act.

Read the PDF on here for more: https://wikileaks.org/clinton-emails/emailid/30324

This is part of what Colin Powell said that I think is especially illustrative of how big of a security risk people like this are when put in power:

Now, the real issue had to do with PDAs, as we called them a few years ago before BlackBerry became a noun. And the issue was DS would not allow them into the secure spaces, especially up your way. When I asked why not they gave me all kinds of nonsense about how they gave out signals that could be read by spies, etc. Same reason they tried to keep mobile phones out of the suite. I had numerous meetings with them. We even opened one up for them to try to explain to me why it was more dangerous than say, a remote control for one of the many tvs in the suite. Or something embedded in my shoe heel. They never satisfied me and NSA/CIA wouldn't back off. So, we just went about our business and stopped asking. I had an ancient version of a PDA and used it. In general, the suite was so sealed that it is hard to get signals in or out wirelessly.


Obviously the pizzagate stuff is stupid and unfounded. It does a great disservice to people that were victims of real sexual abuse.

But can't you see the vast amount of corruption? The DNC rigged the primary for one candidate. We need to hold our political parties accountable for their actions.


>But can't you see the vast amount of corruption?

Every time I see someone write something like this my knee jerk reaction is to either assume they're lying or they are clueless. Can you point to the vast amount of corruption you claim is self evident?


1) Selling ambassador positions to the donors (check the xlsx file which has higher paying donors getting 'better' countries)

2) Co-ordinating with a Super PAC

https://twitter.com/wikileaks/status/807308520546848769


1) This doesn't make it right, but it's a common practice for a President to give a percentage of ambassadorships (typically 30%-40%) to donors and friends. Obama, Clinton, and both Bushes all engaged in this practice. It's unusual though to extend this practice to the Cabinet, as Trump has done.


I could even name some Reagan donors turned unqualified ambassadors.

I can't tell if people hawking such ridiculous ideas are truly naive or are just following a motivated reasoning to reach some post-hoc justification of their dislike.


>The DNC rigged the primary for one candidate.

Clearly there were people within the DNC who preferred Clinton, but in what sense did they rig the vote?

See: http://electionado.com/canvas/1478880826459


There was a conflict of interest between the top election official for Brooklyn and a "Clinton Super-delegate" http://reverbpress.com/politics/battlegrounds/ny-poll-worker...

Whatever the case was, 126K Brooklyn-based Democrats were unable to cast votes in the primary http://www.pbs.org/newshour/rundown/officials-investigating-...

Brooklyn is one of the parts of the NYC area that have ultra liberal demographics, so one could draw the conclusion that Brooklyn's voting power would have tipped the NY primary towards Sanders.


They preferred a candidate, but 'rigging' implies fraudulently manipulating the votes, which didn't happen.

I'd like to see the RNC's emails now. What kind of dirt do the republicans have? Is it not being released because it's being used to blackmail them?


Rigging doesn't specifically mean manipulating votes. It means taking what is presumably an open and fair contest and taking some actions to ensure it isn't.

The big thing that came out of the leaks for me is the explicit and cosy relationship with specific members of the media who were instructed to produce and disseminate certain messaging against Bernie Sanders.

They also asked those "media resources" to prop up Trump, Cruz and Carson because they naively believed that Trump would be a push-over, for example.


Despite some unsubstantiated rumors, there is no proof they were ever hacked.


> the internal politics of the DNC

...which is not actually part of the government. I expect political parties to have internal politicking, which is somewhat bad. But ultimately parties are private organizations that are subject to quite different laws and obligations than parts of the government.


I'm going to disagree. Both Republican and Democratic parties are effectively part of the government. If you get legalistic, you've got me; legally they're not. But the too-entrenched-to-fail nature of the two parties makes them part of the government. I'll give the example of the Colorado gubernatorial election in 2012. The Republican status quo candidate totally flamed out in the primaries, leaving a weird, not-quite-tea-party R candidate. He sank like a rock in the general due to an amazing number of personal narrative inconsistencies, bizarre public statements and other oddities. Tom Tancredo, noted Republican insurgent, ran on the American Constitution Party ticket, and finished a strong 2nd. The ACP was then a "major party" according to Colorado state law. The ACP got nothing out of it; they were able to make no dent in the next elections. The Republican Party assumed its semi-governmental role in the next elections. The Big Two parties are part of the government for all intents and purposes.


I half agree, but, I'll make 3 (super brief) counter-arguments.

a. Democrats and Republicans are guided by very different moral philosophies - the kind of thing that courts eschew dealing with as 'political questions' because which one you plump for depends less on reasoned argument than on which basic premises you adhere to. As inherently political entities, it's irrational to demand they hew to some objective standard of political behavior as if there were a knowable truth of conduct that transcended politics.

b. Fringe parties are always running colorful candidates for high-visibility executive positions and then complaining that the system is exclusionary when they inevitably fail against better funded and organized opponents from parties with long track records (whether or not you approve, at least you sorta know what you're gonna get). This is a crap strategy and the idea that the fringe party should get some sort of help in the next election cycle for having shown in a previous one is mystifying to me.

The path to power in the US is through legislative capture. That's how the Tea Party hijacked the GOP - not spontaneously but as the culmination of a long, focused effort. Conservatives chose to work within the framework of an existing party. Leftists have attempted to do the same in the Democratic party but frankly they're not that good at entryism as a political tactic, lack a coherent alternative to liberal capitalism, and so end up demanding change while being unable to articulate a plan for how to achieve it. You will see a redoubling and refinement of these efforts in the next few years. But if you don't want to work within an existing party, then the next best thing is a party that focuses on legislative representation like the Working Families Party, whose principles I only partly agree with but whose tactical instincts are excellent.

c. Brokerage (as in back-room political favor-trading and negotiation) is an unavoidable component of representative democracy and wishing it away is like asking it to only rain at night. If you want to change this then you need to think about changing the basis of the political system itself. For example, one could have election by sortilege, where legislators were chosen involuntarily, like jury service. Or we could move away from producing laws like books authored by committee and adopt Wikiism, such that instead of legislative debates we have edit wars on the legal corpus. The main problem with Wikiism (or Social Coding or Participativism or some similar autology) is that implementation in the real world lacks authoritative grounding or operational consistency, which is probably why you don't see many corporations using this model to carry on business.


> Has Schneier written anything on this report?

Don't get your hopes up. Bruce Schneier drank the Kool-Aid and is completely on board with the "ruskies did it because experts agree" narrative: https://www.schneier.com/blog/archives/2016/08/hacking_the_v...

Look at how he calls whistleblowing "organizational doxing" and he urges a swift and exemplary response to the "national security threat". Somewhere along the way, the respectable security writer became a silly neo-McCarthyist pundit.


[flagged]


We've banned this account for repeatedly violating the HN guidelines.

Please stop creating accounts to break the rules here with.

We detached this subthread from https://news.ycombinator.com/item?id=13288070 and marked it off-topic.


The results are that someone got into Podesta's gmail for some few days. The pros use methods that allow them to keep long term access and which keep you from knowing that you have been hacked to begin with.

Look at the NSA's TAO catalog for examples of how the pros work. You can wipe your servers and still be hacked.

I don't seriously believe that the NSA is out there sending phishing emails. They're too busy using ECHELON to hunt down sysadmins who are using their social media accounts, then taking over from there.
That was an email with a malicious attachment that appeared legit which did nothing obvious to compromise the system.

Podesta got an email saying that "someone has your password" and pointing at the IP Address: 134.249.139.239, allegedly in the Ukraine[1].

I can see your point, but one attack is a lot quieter than the other. The usual goal is that they don't know they've been compromised so you retain access over a long period of time, rather than triggering all the alarms.

[1] https://wikileaks.org/podesta-emails/emailid/34899


Sure, there are different levels of phishing, depending on the sophistication of the opposition.

The GCHQ attacks on Belgacom[1] had a phishing component, but I suspect most people here would have fallen for them too.

[1] https://theintercept.com/2014/12/13/belgacom-hack-gchq-insid...


I'm having trouble finding the phishing there? There's a mention of QUANTUM INSERT replacing pages with malicious copies, but that appears to be a man-in-the-middle attack of some kind unless I'm completely misreading it.

It also took them quite long to figure out what was going on.


Yes, you are probably right. I misremembered it as a spearphishing attack using a fake LinkedIn login.

Technically I guess it kind of is a fake LinkedIn login, but I think I'd be stretching the definition a fair bit...


Fair enough. Have an upvote for giving me some interesting reading, though!


The right tool for the right job.


The results of getting into "Podesta's gmail for some days" is you take the elections. But no, you think it's smarter getting into some nobody sysadmin's social media accounts. Got it.


The first statement is not in evidence. It's amazing how many people believe both that nothing was in there, but also that it swung the election. As opposed to, say, the connections between Hillary's top aide, Huma, and the infamous Anthony Weiner coming to light. Or do you know him better as "Carlos Danger"? Did the Russians also make her avoid any campaign stops in the (not so) "blue firewall"? Or what about when Michael Moore put out a speech that could be chopped in half and turned into a Trump ad? Or what about when they insisted that Hillary's health was perfect, then everyone saw this? https://www.youtube.com/watch?v=9zYthqiLs_I

You can say the polls only took a dive in the last week, but if you really look at them, most polls were oversampled in the Democrats' favor the whole time. There were legitimate reasons they did this in expectation of Obama-like results, but in the end the results speak for themselves.

But yes, the sysadmins hold the keys to the kingdom. Why get one lousy email when you can get the email server via the sysadmin? And every other server.

If you just want one person, there are better ways than noisy phishing attacks. Everyone knows that Podesta's email was phished, not many people realize he also lost his cell phone in a DC cab...


No, the results are that the United States is in deep shit, having just elected a serial liar and sexual offender with a little nudge from Russia and Comey. The damage Trump can do is potentially infinite. It's incalculable. If you're Putin, there's never been a bigger payoff for such little effort.


Your comment would have been fine without the personal attack/insult.
