Confused Reporter Doubles Down On Bogus Trump/Russian Server Story With 'I'm Just Asking Questions' Non-Apology

from the this-fucking-election dept

Franklin Foer is a pretty famous reporter. But this week he totally blew a story that a ton of other media operations had passed on (for good reason), claiming that there was an internet server out there owned by Donald Trump, that was communicating almost exclusively with a server for a Russian bank. It took all of a few minutes to debunk this as technological confusion on the part of Foer, and a whole heck of a lot of confirmation bias between Foer and the security researchers who had concocted this conspiracy theory with data that they're only supposed to be using for malware research. Of course, in this stupid election season where both candidates simply love to fling ridiculous accusations at one another, Hillary Clinton herself tweeted out two separate tweets about the article, and called it "the most direct link yet between Donald Trump and Moscow."

Except, of course, that was bullshit. It was nothing of the sort. It was some confused security researchers, teaming up with a reporter who famously doesn't like the internet or technology, getting a story so ridiculously wrong that it hurts. Some of us kept waiting for Slate to correct or just pull down the story, but they didn't. They put one small update and one small correction that didn't even touch on the core elements of the story that Foer completely flubbed.

On Thursday, instead, Foer released a new story, which he claims is him "revisiting" the story to evaluate "new evidence and countertheories." But that's also bullshit. The original theory made no sense at all. The "countertheories" are perfectly logical explanations backed up by data -- but Foer basically puts them all on equal footing and claims he stands by his original reporting. Ridiculously, Foer tries to debunk the claims that everyone made that this was just an outsourced Trump hotel spam server, by arguing that it never appeared on any spam blackhole lists:

Was the server sending spam—unsolicited mail—as opposed to legitimate commercial marketing? There are databases that assiduously and comprehensively catalog spam. I entered the internet protocal address for mail1.trump-email.com to check if it ever showed up in Spamhaus and DNSBL.info. There were no traces of the IP address ever delivering spam. Perhaps the spam went uncataloged because it was being sent to a single bank in Russia, but L. Jean Camp, an Indiana University computer scientist and a source in my original story, thought that possibility unlikely. “It’s highly implausible that spam would continue for so many months, that it would never be reported to spam blocker, or that nobody else in the world would see the spam during that time frame,” she told me.

Wait, what? This seems to be Foer doubling down on his ignorance and confusion about the story. Almost everyone discussing how this was a spam server was using "spam" in the colloquial sense of "marketing emails." They weren't arguing that it was a literal unsolicited email server spewing things like fake Viagra or fake diplomas (though, with Trump, I guess that last one is a possibility too). It's just a marketing server. People who stay at Trump hotels get on a mailing list. I get that kind of spam all the time from hotels or hotel chains I've stayed at. I don't categorize it as outright spam in the purely scammy sense, but it's marketing spam. But Foer and Camp seem to act as if everyone meant the scammy kind of spam.

And, as Rob Graham notes in yet another debunking of Foer, this shows a serious misunderstanding of how spam blacklists work anyway:

Cendyn is constantly getting added to blocklists when people complain. They spend considerable effort contacting the many organizations maintaining blocklists, proving they do "opt-outs", and getting "white-listed" instead of "black-listed". Indeed, the entire spam-blacklisting industry is a bit of scam -- getting white-listed often involves a bit of cash.

Those maintaining blacklists only go back a few months. The article is in error saying there's no record ever of Cendyn sending spam. Instead, if an address comes up clean, it means there's no record for the past few months. And, if Cendyn is in the white-lists, there would be no record of "spam" at all, anyway.

Later, Foer does consider the marketing email idea, but also tries to discount it.

Still, the marketing email theory has a few holes. A typical marketing campaign would involve the wide distribution of emails, spreading word of discounted prices and hotel openings far and wide. It seems unlikely that a campaign would so exclusively focus its efforts on a bank in Russia and a health care company in Michigan (which received a small batch of DNS look-ups), even if, as one critic has claimed, executives from Alfa Bank had a penchant for staying in Trump hotels.

Except that's misleading too. Because the information that has been revealed publicly does not prove that the server in question only communicated with the Russian server. In fact, others have argued it's not true.

Graham also raises some pretty serious questions about one of the "DNS experts" that Foer relies on, Jean Camp:

Jean Camp isn't an expert. I've never heard of her before. She gets details wrong. Take for example in this blogpost where she discusses lookups for the domain mail.trump-email.com.moscow.alfaintra.net. She says:

This query is unusual in that is merges two hostnames into one. It makes the most sense as a human error in inserting a new hostname in some dialog window, but neglected to hit the backspace to delete the old hostname.

Uh, no. It's normal DNS behavior with non-FQDNs. If the lookup for a name fails, computers will try again, pasting the local domain on the end. In other words, when Twitter's DNS was taken offline by the DDoS attack a couple weeks ago, those monitoring DNS saw a zillion lookups for names like "www.twitter.com.example.com".

He then goes on to reproduce that kind of merged hostname situation. Graham has a number of other examples of technical points that Foer just gets totally wrong. It's kind of embarassing actually. Rather than admit he's wrong, Foer tries to just post these "countertheories" and then pulls out a "well, I just hope that my reporting gets us closer to the truth."

I pursued this story because I was impressed by the emphatic belief of the experts I consulted, my suspicions were raised by the evidence they presented, and I thought I would be remiss if I sat on data that I believed deserves to be evaluated and understood before we elect the next president. The underlying context for the piece is that Donald Trump has cultivated a troubling relationship with Russia, and the U.S. government has identified Russia as trying to meddle in this election. Not every nexus between the candidate and Russia is nefarious. This one might well be entirely innocent or even accidental. As the New York Times reported on Tuesday, after my story published, the FBI looked into the server activity but “ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.” Or maybe it’s less than innocent, as the computer scientists suggested and still believe. (I’ve checked back with eight of the nine computer scientists and engineers I consulted for my original story, and they all stood by their fundamental analysis. One of them couldn't be reached.) I concluded my account of these scientists’ search for answers by arguing that the servers and their activity deserved further explanation. Hopefully my story and the debate that has followed will move us closer to a fuller understanding.

Except, it seems like "the truth" almost certainly is that there's no story at all here, and in publishing as if it was a story, a whole bunch of people are making questionable claims. The whole "Russian connection" thing that keeps popping up in this election is getting pretty ridiculous. It may very well be that the Russians are trying to muck with our election. Lots of credible people are suggesting that's the case. But then coming up with a bunch of weak conspiracy theories based on technical ignorance and confirmation bias is just like being scared of monsters in the shadows.

Filed Under: donald trump, emails, franklin foer, reporting, rob graham, russia, spam
Companies: alfa bank, slate

Only Thing 'Exposed' By Bad Reporting About Russia/Trump Link Is Malware Researchers' Unethical Behavior

from the so-dumb dept

On Monday evening, you may have seen news of a "big scoop" at Slate by famed reporter Franklin Foer, about how Donald Trump had a server that was "communicating" with a Russian server. Foer, who famously got pushed out of The New Republic for not being very with it on technology on the internet (among other things), makes a really big deal out of some really weak tea. After reading the article (along with another one alleging Russian spies had been "cultivating" Trump) I tweeted out that the evidence on both was super weak. I kept expecting a smoking gun in the Foer piece, but instead got a lot of handwaving and confusion about DNS. Of course, Clinton supporters were quick to jump on the article as some sort of proof, despite the really weak claims.

A lot of Foer's work stems from an anonymous blog post from a few weeks earlier that tries to make a big deal out of some extraordinarily weak connections. The confirmation bias is strong with the folks involved here. The biggest clue? This ridiculous chart that tries to show increased activity between the Trump server and the Russian bank server at key moments, but doesn't actually show that. There seem to be random ups and downs at the conventions, and then a huge spike in the middle of August which corresponds with... nothing. But the researchers and Foer just ignore it. In fact, Foer actually claims that "there were considerably more DNS lookups, for instance, during the two conventions." Except there weren't really. And, of course, within a few hours, people were debunking basically every aspect of the story. The Intercept notes that at least six other news outlets had been looking into the same story, and none of them felt comfortable pushing a story, because the details just didn't stack up. The first person I saw to debunk it was Naadir Jeewa, who pointed out that the server was maintainted by Cendyn, a marketing company that handles email spam marketing for tons of hotel chains, including Trump. The "connection" from Alfa-Bank, he suggested, was just a typical email scanner attempting to reverse the connection as a sort of anti-spam tool (basically checking if the email server is real). As Jeewa concludes: The Intercept actually reached out to Alfa-Bank... and got the hotel spam that it had received from Trump. They also received the similar spam from Spectrum Health (who is included in Foer's story for reasons too pointless to explain). Guess what: spam. Rob Graham from Errata Security went even deeper in explaining how this was a giant nothing grown out of a reporter getting confused. Cendyn doesn't just control the mail1.trump-email.com domain, but also controls a variety of other hotel domains, including hyatte-concierge.com, reservertravelonline.com, sheratonmenus.com, westinmenus.com, hyattmenus.com, cphollywoodbeach.com (CP = Crown Plaza), hayattproposal.com and a bunch of others as well. It's not Trump using this, it's a marketing company that specializes in spamming hotel customers. From Graham:

This is why we can't have nice things on the Internet. Investigative journalism is dead. The Internet is full of clues like this if only somebody puts a few resources into figuring things out. For example, organizations that track spam will have information on exactly which promotions this server has been used for in the recent past. Those who operate public DNS resolvers, like Google's 8.8.8.8, OpenDNS, or Dyn, may have knowledge which domain was related to mail1.trump-email.com.

Indeed, one journalist did call one of the public resolvers, and found other people queried this domain than the two listed in the Slate story -- debunking it. I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for "mail1.trump-email.com" from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June -- and thus the claim of successful responses until September are false. In other words, the "change" after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.

But Graham also points out that all this fretting about Trump & Russia misses the real story here. The only reason this is a story at all is because some nameless security researchers started abusing the data they were given access to for malware research. Much of what Foer relies on came from an anonymous researcher going by the name "Tea Leaves". But Graham points out that the real story here is how companies are sharing all sorts of information with security researchers under the belief that it will only be used for malware research... and not for spying on what server is connecting to what server:

Malware research consists of a lot of informal relationships. Researchers get DNS information from ISPs, from root servers, from services like Google's 8.8.8.8 public DNS. It's a huge privacy violation -- justified on the principle that it's for the general good. Sometimes the fact that DNS information is shared is explicit, like with Google's service. Sometimes people don't realize how their ISP shares information, or how many of the root DNS servers are monitored.

People should be angrily calling their ISPs and ask them if they share DNS information with untrustworthy researchers....

This is another reason why we've pointed out that all the focus on "information sharing" in various cybersecurity bills from Congress was a red herring. Information sharing can lead to all sorts of questionable activity. It's done in these instances for the purpose of spotting malware, but it appears some researchers went looking for weird Trump conspiracy theories and were so invested in those theories that they didn't even realize how ridiculous it was when looked at in the light of day -- and also forgot that they're not supposed to reveal they have access to this info.

Yes, of course, we're at the very peak of the political silly season and lots of people are looking for big breaking stories. But it would be nice if we could keep them in the realm of reality.

Filed Under: cybersecurity, dns, donald trump, franklin foer, malware, privacy, research, rob graham, russia
Companies: cendyn