So, IMO (as a security researcher familiar with DNS) this article was pretty terrible.
Here's a mirror of the actual source site, with links to the "data". http://gdd.i2p.xyz/ "Data" in quotes because it's just easily falsifiable text files. (From the content on the mirror, and this reddit account [1], I'm guessing that the original site was at http://gdd.i2p )
You can find a diagram [2] provided by "Tea Leaves" that purports to show what was going on. Tea Leaves claims to have access to logs from CDCServices (which are included on the mirror), who are the authoritative DNS servers for "Trump-Email.com". Tea Leaves also claims that Trump-Email.com is owned by Trump (with 100% certainty... because of the WHOIS record... you can form your own opinion on that).
Tea Leaves also claims that only three IP addresses have made DNS requests for Trump-Email.com. Two of which (Tea Leaves claims) are associated with Alfa Bank in Russia, and one of which is associated with Spectrum Health. (See http://gdd.i2p.xyz/ for a conspiracy theorist rant about Spectrum Health.)
Tea Leaves claims -- but does not provide evidence for (neither does Slate) -- that mail1.Trump-Email.com somehow restricts access to only these IP addresses. Tea Leaves claims -- but also does not provide evidence for -- that the DNS records for Trump-Email.com were pulled after Alfa Bank was contacted for a statement.
I agree (and I am no fan of Trump, and would never vote for him).
"Tea Leaves" makes one other interesting claim:
>Different in every way from traffic seen on adjacent servers managed by the same server company, this specially configured server has been exclusively corresponding with Alfa-Bank and Spectrum
If he can back up the claims about IP restriction (how could he really prove this, anyway?) & the traffic truly being different from all other Cendyn mail domains, then this does deserve some further scrutiny.
>Tea Leaves claims -- but also does not provide evidence for -- that the DNS records for Trump-Email.com were pulled after Alfa Bank was contacted for a statement.
I actually have access to some of the same research systems and can confirm that that part is accurate. (I can provide full evidence if you like.) It doesn't necessarily mean anything nefarious, though. The Trump campaign formally stated it was an old record that's no longer in use, so decommissioning the domain isn't necessarily unusual.
> decommissioning the domain isn't necessarily unusual
It is the timing that is unusual: The Trump organization decommissioned the domain right after Alfa Bank - and only Alfa Bank, not the Trump organization - was asked about it. It's very unlikely to be coincidence.
And according to the source, the Trump org set up a new domain to replace it and it was first contacted by Alfa.
Both are strong evidence of coordination between humans at Alfa Bank and Trump org. to secure and continue the communication. What they were communicating, of course, is unknown to us.
What I want to know: who is creating these logs, where, why are they allowing the researchers that have access to them to talk about such details, and what does privacy legislation in the areas they operate in have to say about it?
The article is incredibly vague and they say the data is incredibly sparse. My sense is that they should release the data if they want to make a claim as they are. It could just as easily be a software vendor in Russia.
Consider if the company used Kaspersky anti-virus, for example. You would see very rare transmissions (checking for virus updates). They could restrict their firewall to only allow IPs for the antivirus. And it would show connections to Russia (where Kaspersky is located). And you could easily construct the narrative found in the linked article.
Now I'm not saying it was Kaspersky, I'm saying that this example would produce the same fact pattern as the one in the linked article, so we can't assume that the fact pattern implies what they're implying.
The servers were registered to Alfa Bank, and the DNS traffic showed communication between the two servers in question.
It could have been done by some Trump employee checking his bank balance, but what's unusual is that no one else seemed to be using it and it never sent traffic anywhere else but that Russian bank.
What I find more interesting than the story itself is how this DNS technique could be used for surveillance.
Could anyone elaborate at a technical level what someone could do to prevent this kind of metadata in communications from being detected? E.g. are there any messaging apps that can obscure traffic analysis like this?
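To make concrete what the "DNS technique" in the comment above actually is (and what the earlier comment means by "only three IP addresses have made DNS requests" for the domain), here is an added example of the analysis an operator of an authoritative name server can run over its own query log. This is not code from the original thread or from the "Tea Leaves" source site; the log lines, domain names, client addresses and network labels are all constructed for illustration (the addresses are documentation ranges, and the labels are hypothetical, not real allocations).

```python
"""Passive-DNS style analysis of an authoritative server's query log.

Added example, not code from the original thread or the source site.
Everything below (log format, names, client IPs, network labels) is
constructed for illustration; the labels are hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# The client IP is the *resolver* that asked the authoritative server, which is
# usually a recursive resolver shared by many users, not an end host.
SAMPLE_LOG = """\
1464000000 203.0.113.10 mail1.example-hotels.test A
1464003600 203.0.113.11 mail1.example-hotels.test A
1464007200 198.51.100.7 mail1.example-hotels.test A
1464010800 203.0.113.10 mail1.example-hotels.test A
1464014400 192.0.2.40 www.other-brand.test A
1464018000 192.0.2.41 www.other-brand.test A
1464021600 192.0.2.42 www.other-brand.test A
1464025200 192.0.2.43 www.other-brand.test A
1464028800 203.0.113.11 mail1.example-hotels.test A
"""

# Hypothetical labels for source networks (assumed for the example only).
NETWORK_LABELS = {
    ip_network("203.0.113.0/24"): "bank-a",
    ip_network("198.51.100.0/24"): "hospital-b",
}


def parse_log(text):
    """Parse the constructed log format into (ts, client_ip, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), ip_address(client), qname.lower().rstrip("."), qtype))
    return sorted(records)


def clients_per_name(records):
    """Map each queried name to the set of distinct resolver IPs that asked for it."""
    by_name = defaultdict(set)
    for _, client, qname, _ in records:
        by_name[qname].add(client)
    return by_name


def label_client(ip):
    """Attach the (hypothetical) network label for a resolver IP, if any."""
    for net, label in NETWORK_LABELS.items():
        if ip in net:
            return label
    return "unknown"


def exclusive_names(records, max_clients=3):
    """Names queried by at most max_clients distinct resolvers.

    This is the whole 'surveillance' signal: a name that only a handful of
    resolvers ever ask about. The caveat is built into the data model: a
    single resolver IP can front thousands of users, and caching means one
    query per TTL window, so a small count is weak evidence on its own.
    """
    return {
        qname: {label_client(c) for c in clients}
        for qname, clients in clients_per_name(records).items()
        if len(clients) <= max_clients
    }


def first_client(records, qname):
    """Resolver IP that made the earliest recorded query for qname (None if never seen)."""
    for _, client, name, _ in records:  # records are sorted by timestamp
        if name == qname:
            return client
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, labels in exclusive_names(recs).items():
        print(f"{name}: queried only from {sorted(labels)}; first seen from "
              f"{first_client(recs, name)}")
```

Note what the example does and does not show: it tells you which resolvers asked for a name, and which asked first, but not who sent or received mail, whether any mail server accepted the connection, or who the end user behind a shared resolver was. Those are exactly the gaps the thread keeps pointing at.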
> I find it ironic this article cites Snowden while literally sounding like the very spying that Snowden exposed and fought.
I agree, but at the same time Snowden also fought conspiracies of powerful government actors, such as the Russian government and Trump, against the public's interest.
Shane Harris from the Intercept said the following on Twitter: "FWIW at least five outlets including The Intercept have been looking at this for weeks and decided it didn't add up"
Why is this on HN? If we are going to open Pandora's Box here, we need to be posting regularly about how HC is breaking the law and how Google, Facebook, and Twitter are suppressing free speech. I don't think anyone wants to go there so these posts should be removed.
I found the article interesting in the forensic details (in spite of the political details), in the same way I found Mark Bowden's "Worm" interesting. I can see how some might not.
> we need to be posting regularly about how HC is breaking the law
This article details an interesting technical investigation by leading security experts and also it bears more analysis, resulting in some interesting discussion. Clinton's email servers were also discussed. When Trump or Clinton do something non-technical, it's not discussed.
> and how Google, Facebook, and Twitter are suppressing free speech
"They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses."
If it is true that there was not just communication but also IP address filters that protected this communication, it would be an indicator for an ongoing and deliberate business relationship.
Also, there is evidence of ongoing human activity to protect and continue the communication:
1) When Alfa Bank and only Alfa Bank, not the Trump organization, was asked about the communication, the Trump organization decommissioned the domain.
2) The Trump organization then set up a new domain, apparently as a replacement, and Alfa Bank was the first to connect to it (or DNS lookup, I'm not sure of that detail).
I think there has been an interesting pattern with Trump. His choice of Manafort (Kremlin insider) and Carter Page (Kremlin insider), his daughter vacationing with Putin's family, his son involved in business ventures in Russia. Trump's dealings with Russian oligarchs concerning real estate in NY and Miami.
I suppose someone might find it interesting when a Presidential candidate has a great affinity for what some consider a foreign adversary and has taken deliberate steps in changing policy to align with Kremlin's/Putin.
If Trump is elected it will be interesting to see how it plays out with the Kremlin. Is he part of a 5th column?
I find the author's fogginess about DNS infuriating. I think if he's going to cover something this important in such a suggestive manner he does have a duty to get to grips with what it is and roughly how it works and make that plain to a lay audience.
Your comment prompted me to read the article in question. I did so with an eye out for the descriptions of DNS. I didn't get the impression of DNS being sinister. Writing about a technical topic like DNS for a largely lay audience (slate.com) can be challenging, but nothing stood out as particularly grievous to me. I'm admittedly not an expert. What about the article did you take to be foggy or sinister?
You know what I've just re-read the article and I have to climb down on this. You're right, he really doesn't do a bad job of describing DNS - or at least he doesn't mis-describe it. Also he doesn't make it sound intrinsically sinister.
I'm not sure what gave me this impression on first reading - except perhaps the feeling that the word "lookup" seemed charged with an evidential meaningfulness that bothers me. Perhaps it was just the general feeling of vagueness hanging over what could be concluded from what he wrote.
But overall, you're right. I'm wrong on this. I'll blame a very bad hangover.
Cool. Thanks for taking the time to review it! I appreciate it and your willingness to reassess and share your take. It helps me learn to evaluate what I read. Good stuff :)
So someone at a bank in Russia stayed at a Trump hotel once, and now he gets spam from a Trump marketing server. Can someone explain how this is a sinister conspiracy to stop Hillary's war with Russia in Syria and Ukraine?
If we're going to have discussions on Hacker News about this, we can't let them immediately devolve into conclusions supported by such things as "bromances".
I do recommend reading http://gdd.i2p.xyz/ if this is interesting to you.
[1] https://www.reddit.com/user/LeavesTeaLeaves
[2] https://imgur.com/SCv8X9n