Only Thing 'Exposed' By Bad Reporting About Russia/Trump Link Is Malware Researchers' Unethical Behavior

from the so-dumb dept

Wed, Nov 2nd 2016 8:27am — Mike Masnick

On Monday evening, you may have seen news of a "big scoop" at Slate by famed reporter Franklin Foer, about how Donald Trump had a server that was "communicating" with a Russian server. Foer, who famously got pushed out of The New Republic for not being very with it on technology on the internet (among other things), makes a really big deal out of some really weak tea. After reading the article (along with another one alleging Russian spies had been "cultivating" Trump) I tweeted out that the evidence on both was super weak. I kept expecting a smoking gun in the Foer piece, but instead got a lot of handwaving and confusion about DNS. Of course, Clinton supporters were quick to jump on the article as some sort of proof, despite the really weak claims.

A lot of Foer's work stems from an anonymous blog post from a few weeks earlier that tries to make a big deal out of some extraordinarily weak connections. The confirmation bias is strong with the folks involved here. The biggest clue? This ridiculous chart that tries to show increased activity between the Trump server and the Russian bank server at key moments, but doesn't actually show that. There seem to be random ups and downs at the conventions, and then a huge spike in the middle of August which corresponds with... nothing. But the researchers and Foer just ignore it. In fact, Foer actually claims that "there were considerably more DNS lookups, for instance, during the two conventions." Except there weren't really.

And, of course, within a few hours, people were debunking basically every aspect of the story. The Intercept notes that at least six other news outlets had been looking into the same story, and none of them felt comfortable pushing a story, because the details just didn't stack up. The first person I saw to debunk it was Naadir Jeewa, who pointed out that the server was maintainted by Cendyn, a marketing company that handles email spam marketing for tons of hotel chains, including Trump. The "connection" from Alfa-Bank, he suggested, was just a typical email scanner attempting to reverse the connection as a sort of anti-spam tool (basically checking if the email server is real). As Jeewa concludes:

Feel sorry for the person at Alfa who stayed in a Trump hotel, forgot to unsubscribe to cheesy emails and might be in a load of trouble
— Naadir Jeewa (@randomvariable) November 1, 2016

The Intercept actually reached out to Alfa-Bank... and got the hotel spam that it had received from Trump. They also received the similar spam from Spectrum Health (who is included in Foer's story for reasons too pointless to explain). Guess what: spam.

Rob Graham from Errata Security went even deeper in explaining how this was a giant nothing grown out of a reporter getting confused. Cendyn doesn't just control the mail1.trump-email.com domain, but also controls a variety of other hotel domains, including hyatte-concierge.com, reservertravelonline.com, sheratonmenus.com, westinmenus.com, hyattmenus.com, cphollywoodbeach.com (CP = Crown Plaza), hayattproposal.com and a bunch of others as well. It's not Trump using this, it's a marketing company that specializes in spamming hotel customers. From Graham:

This is why we can't have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google's 8.8.8.8, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.

Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September are false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.

But Graham also points out that all this fretting about Trump & Russia misses the real story here. The only reason this is a story at all is because some nameless security researchers started abusing the data they were given access to for malware research. Much of what Foer relies on came from an anonymous researcher going by the name "Tea Leaves". But Graham points out that the real story here is how companies are sharing all sorts of information with security researchers under the belief that it will only be used for malware research... and not for spying on what server is connecting to what server:

Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google's 8.8.8.8 public DNS. It's a huge privacy violation -- justified on the principle that it's for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google's service. Sometimes people don't realize how their ISP shares information, or how many of the root DNS servers are monitored.

People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers....

This is another reason why we've pointed out that all the focus on "information sharing" in various cybersecurity bills from Congress was a red herring. Information sharing can lead to all sorts of questionable activity. It's done in these instances for the purpose of spotting malware, but it appears some researchers went looking for weird Trump conspiracy theories and were so invested in those theories that they didn't even realize how ridiculous it was when looked at in the light of day -- and also forgot that they're not supposed to reveal they have access to this info.

Yes, of course, we're at the very peak of the political silly season and lots of people are looking for big breaking stories. But it would be nice if we could keep them in the realm of reality.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, dns, donald trump, franklin foer, malware, privacy, research, rob graham, russia
Companies: cendyn

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Mason Wheeler (profile), 2 Nov 2016 @ 6:52am

> Yes, of course, we're at the very peak of the political silly season and lots of people are looking for big breaking stories. But it would be nice if we could keep them in the realm of reality.

It's not about reality; it's about influencing perception. With all the trouble Hillary's in for her abysmal email mishandling, it suddenly makes her look a lot less bad by comparison if her opponent was also doing bad things with email. (Nevermind the fact that Trump's email didn't contain any classified information; we can just neglect to mention that little detail.)
[ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2016 @ 9:27am
  
  Re:
  Exactly. It was a smokescreen from the left to distract from their actual problems. Since the Clinton News Network won't cover the real issues with HRC and the entire DNC, she will sneak into office and quell the investigations before they can do much more damage.
  [ link to this | view in chronology ]
  - Thad, 3 Nov 2016 @ 5:24pm
    
    Re: Re:
    > It was a smokescreen from the left to distract from their actual problems.
    
    I'd say it was more of a tit-for-tat from the Clinton campaign trying to push one vague, innuendo-laden narrative about an FBI investigation over another.
    
    If by "actual problems" you mean Clinton's poll numbers, then yeah, this is to distract from her actual problems. If by "actual problems" you mean the latest vague allegations of wrongdoing coming from Comey by way of Chaffetz have some merit to them, well, I remain skeptical, and I think if there were really anything damaging there we would have heard something more substantive than "there may be something in there, maybe, we don't know."
    
    I find the "media doesn't report on Clinton scandals" narrative to be baffling. From where I'm sitting, the media's been reporting on Clinton scandals for 25 years. A few of them have been legitimately scandalous; most have been exaggerated; a few have been outright fabricated.
    [ link to this | view in chronology ]
That Anonymous Coward (profile), 2 Nov 2016 @ 8:44am

Perhaps the game plan was to just beat us down to the point where we no longer care that both sides have put up shitty candidates we just will vote and pray that it stops.

Of course, its not going to stop because politics has turned into a zero sum game where you have to destroy the other guy and salt the ground.... forgetting you needed that ground to feed yourself. As your enemies burn you laugh not noticing how hot your getting as well.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2016 @ 9:38am
  
  Re:
  The entire idea is to never to beat us down... just keep us busy and distracted.
  
  Political Parties were entirely designed to usurp the will of the people while making them feel good about it. But you are definitely right about the desire to destroy the other party and salting the earth in a pyrrhic victory.
  [ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2016 @ 10:02am
  
  Re:
  Scorched or salted.
  
  Zero sum is an inevitable consequence of a two-party system. Salting the ground should in an ideal world make opportunistic "politicians" able to grow, but the lack of grassroots (and or PACs/super PACs) daring to think outside of the big two is what is making things burn.
  [ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2016 @ 10:10am
  
  Re:
  They distracting people from looking at the candidates being elected to the actual law making bodies, the senate and the house.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Nov 2016 @ 8:59am

i love the fact you had to clarify cphollywoodbeach
[ link to this | view in chronology ]
Anonymous Coward, 2 Nov 2016 @ 9:12am

I knew it was probably nothing because I could never find any solid information on what these "connections" were, other than those people who said it had something to do with spam email. I can imagine that people thought it was something like in 24 and Trump had ordered a protocol opened with the Russian bank's socket and they only had 30 seconds to decrypt the datafile before its own internal functions deleted itself.
[ link to this | view in chronology ]
Anonymous Coward, 2 Nov 2016 @ 9:42am

Calling ISPs

People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers....

If someone's technically knowledgeable enough to know to ask this question, why would they waste the time? I imagine they'll spend half an hour on hold, then talk to someone who has no idea what "DNS" is, then maybe get bounced around awhile after resetting their modem/router/PC... and if they're lucky enough to find someone at the ISP who knows about technology, what are the chances that they also know about data-sharing policy?

If you know what DNS stands for, you probably know enough to set up your own recursing server or point to an open one that's not your ISP's.
[ link to this | view in chronology ]
- orbitalinsertion (profile), 2 Nov 2016 @ 12:03pm
  
  Re: Calling ISPs
  Except other public resolver providers share data too. Although they are generally easier to get an answer from.
  [ link to this | view in chronology ]
- Anonymous Coward, 2 Nov 2016 @ 3:45pm
  
  Re: Calling ISPs
  
  If you know what DNS stands for, you probably know enough to set up your own recursing server
  
  However some domains have a short TTL like 300 seconds or even 30 seconds in which case you'll still get a lot of DNS leakage.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Nov 2016 @ 1:02pm

It all makes a good story though doesn't it.

Everybody LOVES a good conspiracy. A Trump / Alfa Bank one would've been like a cold war Bond film in real life.
[ link to this | view in chronology ]
Anon, 2 Nov 2016 @ 4:01pm

One concern
I agree there is very little evidence of anything nefarious, I wonder why they removed the server right after the initial report came out in September. A few days later it was back up with a different name.

Using Trump logic, they must have something to hide, right?
[ link to this | view in chronology ]
Anonymous Coward, 2 Nov 2016 @ 4:27pm

I'm not yet convinced that this amounts to nothing
I'll give you that Foer's story is rather breathless and does a lot of hand-waving. But that's a reporter's take on an intricate technical issue, and the way he uses terminology is sufficient to convince me that he probably doesn't truly understand it.

However, I'm acquainted with some of the technical people behind this, and they are not newbies, nor capricious, nor prone to confirmation bias, nor easily misled by garden-variety deception/obfuscation such as we see all day, every day. I strongly suspect that there is SOMETHING here, but the evidence available to me doesn't yet make it possible to identify it or discern whether it's something innocuous or something nefarious.

You can dismiss this, if you want. But if Paul Vixie told me the sun was going to rise in the west tomorrow morning -- I'd get up early and check. So I'm going to look into this too, and see if any conclusions are supported by the evidence.
[ link to this | view in chronology ]