Alright y'all, Scott Horton Show.
I'm him.
Check out the website at scotthorton.org.
More than 4,000 interviews going back to 2003 there.
And sign up for the podcast feed as well.
You can follow me on Twitter, @scotthortonshow.
Introducing Jeffrey Carr.
He writes at medium.com/@jeffreycarr.
He is the author of Inside Cyber Warfare.
And he's the CEO of Taia Global, Inc.
And a couple of interesting articles to talk about here.
First of all, there's fact-checking that Trump and Putin thing about an article that Josh Marshall wrote.
But then, first of all, there's the DNC breach and the hijacking of common sense.
And this is actually a guest piece by David McRaney about the allegations of the Russians being responsible for the breach of the Democratic National Committee's email accounts and their leak to WikiLeaks.
Welcome back to the show, Jeffrey.
How are you, sir?
I'm doing well, thanks.
I appreciate you.
I appreciate you.
Yeah, yeah.
I appreciate you joining us.
It's always nice to have, you know, level 25 computer geniuses like yourself to debunk the common narrative.
I believe the last time we spoke it was over the Sony hack or one or another hack that was blamed on China or something.
I forget.
But anyway, it's nice to have a little bit of discernment out there from the people who are capable of it, because, you know what, you ask me who hacked who and I just can't tell you.
But so I guess, first of all, what do we know about this DNC hack and who was behind it?
I think the best thing to do is start just with the assumption that we can attribute a cyber attack.
So that's the first thing, is that we really can't attribute a cyber attack unless the person who's done the attack acknowledges that it was me.
You know, that's the only way that you know for sure who did it.
Otherwise, you're always looking at the possibility that you're being fooled in cyberspace or that you're simply making a guess.
And that's the most important point here, in my opinion, is that any time you read an article that says North Korea or China or Russia or whomever hacked, fill in the blank.
It's imperative that you are skeptical around that claim, because for a variety of technical reasons, there is no evidence or no proof in nine, nine and a half times out of 10.
And that's just because people can use so many different proxies and ways to hide themselves, make it look like others are doing what they're doing, that kind of thing?
Yeah, you can buy, you know, the only thing that a CrowdStrike or a FireEye or any other or my cybersecurity company, I mean, any cybersecurity company, the first thing we all look at is the technical data around the attack.
We look at the network data and the malware, because that's all you've got.
But that's like, as I pointed out in one of my articles, it's like going over to the DNC headquarters where there was a shooting.
And the only thing you have is the rifle.
And it was a Russian made Kalashnikov rifle.
Well, in real life, if that were the case, would you then say, oh, it must be a Russian that was responsible because it was a Russian made rifle?
Well, you know, it's possible.
Maybe it was a Russian or maybe it was somebody else who just likes Kalashnikovs.
Yeah.
And Lord knows the world's lousy with Kalashnikovs.
Yeah, yeah.
You know, or if it was a break in and all you've got is the car, the car was a Japanese car.
Are you going to say it was a Japanese thief who robbed the bank?
You know, of course not.
And yet these ridiculous assumptions are precisely what we accept as reasonable in the world of cybersecurity.
That's what makes me crazy about this.
Well, you make the great metaphor there with a Kalashnikov or a Japanese car.
But can you tell us a little bit more about what CrowdStrike and the others have said about what it is that they know about this hack and how it is that they've concluded it's the Russians so that you can kind of finish showing that that analogy really is pretty much right.
That all they have is a Japanese car or a Russian gun and no more.
Sure.
Sure.
So, yeah.
So.
So what they have is the way that cybersecurity works is we'll investigate a hack and we'll look at what was the malware that was used and then details around the malware.
I don't want to get into those details because it's too technical.
And they'll look at the time of day that the software was compiled and they'll look at a few other technical indicators.
And then they'll take that ball of indicators, right?
It's like imagine they're all ingredients for a pie and the indicators are the recipe.
And then they'll put a name on it and they'll call it APT28 or they'll call it Fancy Bear or they'll call it whatever.
Some crazy name.
And now this becomes a threat group.
And so, you know, when people read about APT28, in their mind, they're thinking, is this like a club, like a group, like a gang?
And there's people, you know, there are members to this gang and they go around doing these attacks.
No, it isn't.
They're not people.
It is simply a group of indicators that now has been labeled with this name.
That's all.
We don't know who's behind it.
Anybody.
Because anybody could use that same malware.
Anybody could compile it during certain times of day.
And am I right, Jeffrey, that, and listen, I'm a level one computer genius here.
I'm the worst.
But they said in there, one of the things I read had them saying, well, you know, there are some smiley face emoticons in there that have extra parentheses.
And that tends to be a Russian thing.
Oh, and also they use a hacked version of Word 97 off of the Pirate Bay.
That a hundred zillion other people on the planet have also used.
And so, boy, yeah.
And their computer was on a default Cyrillic setting.
I mean, this is the kind of thing where if it was a Taiwanese guy, he would have done this on purpose just to make it look like the Russians, right?
And that's what's so scary about this to me is that what happened every time that it's sort of like they're saying it looked like a Japanese car from here, but we don't even know if it was a Japanese car.
It sounds like to me, you know, I agree.
And that's exactly right.
So what happens is that these become a matter of record.
So every time that a FireEye or CrowdStrike or another large respected company, I mean, CrowdStrike has former high level FBI employees working for them.
So there's a lot of credibility there.
And the people that work at CrowdStrike have come from government work in some cases, or they have 20 years experience in cybersecurity.
So when they publish something, it has weight.
And so what happens then is when they publish a report like this and they make the claim that it was Russian intelligence, it's simply accepted.
And then down the road, a year from now, somebody else, some, you know, Iranian hacker or some North Korean or South Korean or American hacker, you know, could simply acquire that same tool set and the same malware and run an attack and make it look like it was this group and it would automatically be assumed that this was another attack by Russian intelligence.
Because we never have a way of disproving a claim.
Once that claim is out there, it stays out there.
And then a researcher down the road is just simply going to say, oh, look, they were proven to be blah, blah, blah, you know, and so therefore it must be fill in the blank.
It's just it's a terrible system with zero controls over it.
So in other words, you're saying each time this happens, they can refer back to a previous case for premise number one.
We already know that it was this group that did it the last time, so we can work off of that.
But they don't really know that their premise one is fake and really it's like turtles all the way down.
It's just kind of a made up thing from the get go.
Exactly right.
That's the danger.
That's why I'm so passionate about.
I really don't care.
You know, honestly, I don't give a shit.
If the DNC got hacked or if any other political organization got hacked, that happens to companies every day.
What concerns me is that we're setting precedents and we're making assumptions that are going to impact our own national policy years to come because nobody is questioning the leaps of judgment being made by these firms.
So what about the free market competition in, well, I mean, I understand what you said.
They're government contractors a lot of times, but aren't there enough security firms and enough different Jeffrey Carrs out there competing for credibility in this market that, I mean, aren't there many more people like you taking these kind of assumptions down and saying in order to impress their own clients that look at these CrowdStrike guys and all their bogus assumptions?
It seems like there should be a real fight over this.
Yeah, but it's not public.
So privately, I hear from people all the time.
I mean, I'm one of the few people that will make a public display of skepticism.
And that has cost.
I mean, that's certainly cost me doing that.
Nobody likes to have their report criticized.
And I, unfortunately, happen to be somebody that, you know, feels passionate about this.
And I'll go ahead and I try to make the criticism fair on the facts and not attack individuals, you know, and just address the facts.
But still, nobody likes it.
And it does have ramifications.
And so people will tell me privately that they agree, but they won't go public.
Their employer might not want them to go public.
They may not want to hurt their professional career by going public.
So you just simply don't, you know, you guys outside of our world don't really hear about it.
So in other words, your company might get a little bit more publicity for corporate clients.
But at the same time, you've kind of hurt your reputation with other security industry people who would give you referrals, for example, and that kind of thing.
Yeah.
Yeah.
You're for one thing.
You know, my business is not in attribution.
My business helps companies identify their critical assets.
That's all.
So my being public about it doesn't really help my business at all.
I'm not in the business of cyber intelligence.
And from that respect, we try to help companies identify the assets on their network that are going to be of interest to foreign governments.
But for companies that are in that business, where cyber threat intelligence is important, if they can make a connection that is sort of very spectacular and they can get a headline out of it from The New York Times or The Washington Post or The Wall Street Journal or PBS, you know, that's huge, huge bank for them business wise.
So and there's no downside because nobody can say otherwise.
You know, that's the thing in the US, in the intelligence community.
They make guesses.
You know, there's rarely a smoking gun.
But what happens then is if they're wrong, if they say that there were weapons of mass destruction in Iraq and they're proven wrong, then there's a commission hearing.
If they miss India's five nuclear bomb tests in 1998, there's a commission hearing and there's blowback.
Right.
There's fallout.
There's repercussions that the intelligence agency who missed their call suffers.
And therefore, they now look at how to improve their training or how to make sure that mistake does not happen again.
In the world of private cyber intelligence, there is zero blowback.
There are zero repercussions.
Nobody will.
CrowdStrike will never one time suffer because they made a sensational attribution claim.
It will only serve to help them.
It will never serve to hurt them.
So that's just going to continue.
Yeah.
Well, on the surface, we're talking about ones and zeros and science and math here.
So how can it all be conjecture and speculation and guessing?
It seems on the face of it like when they say, yeah, the Russians did it.
They must know what they're talking about.
I can tell you this.
I know, you know, Twitter is convinced, boy, if somebody said Russia, there's no chance that they would have said that unless they knew it for one hundred and ten percent fact.
Well, but, you know, and in all fairness, that's just how human beings work.
That's how we work.
So but I don't believe that I'm going to change anybody's mind.
Facts generally don't change people's minds when, you know, if you believe that Hillary Clinton, you know, is an awful person and you can demonstrate facts to the opposite, it's not going to change your opinion.
If you think Trump is, you know, a buffoon, you just sort of get locked in and that's OK.
I don't mind that.
I don't expect to change anybody's mind.
My only concern is that down the road, this does not lead to a national policy nightmare because somebody, anybody, didn't question, you know, those claims of attribution as a matter of record, especially when we're talking about, you know, possibly picking a fight with Russia.
I mean, if all of these rumors stand, then this is the basis supposedly for a new Cold War, which, of course, you know, our government started a long time ago.
But still, that's how it works with this kind of demonization.
We're not talking about, you know, they're complaining about some company did this or an allied state that the South Koreans have been messing around.
Well, that's not going to lead to a war.
But the Russians, why they're the Russians and they're led by Putin, the greatest villain since, you know, I don't know, Judas or something, apparently, according to TV.
So he's certainly worse than Stalin.
But anyway.
So, yeah, I mean, it can be very important as far as building up that narrative.
I want to mention here that Time magazine quotes some other experts agreeing with you just so that the audience is aware of this.
Oh, I didn't even know Time had a story.
I've been so inundated.
Yeah.
That's interesting.
I'll send it to you.
I found it from Justin Raimondo's column today at Antiwar.com.
It's Nathaniel Gleicher, head of cybersecurity strategy at Illumio.
He told Time that investigations like this do not wrap up quickly and often do not wrap up at all because it's very hard to tell where they came from.
And then Amit Yoran, the president of the cybersecurity firm RSA, was also noncommittal about whether there would ever be a smoking gun.
And the quote continues from there.
So they sound just like you on the issue there.
Yeah.
And I appreciate that.
And I'm always happy to hear other experts, well-regarded experts, come out and encourage skepticism.
Now, I mean, I have to admit, in my imagination, I figure that, you know, if somebody is messing around on their computers, they're hiding behind different proxies and this and that, that ultimately all the Snowdens at the NSA are going to be able to track that down.
Right.
It is all ones and zeros.
It is all math and science.
So how come it's so difficult, really?
Well, you know, the Internet is an insecure structure, never built with security in mind.
And if you're savvy enough to know how information is communicated online and how software is written and how to find the vulnerabilities in software that can be exploited and how to get access to a network, there's all kinds of things that you can do.
It's just, I mean, about how easy it is to hack.
I mean, why is it so difficult to find out who did the hack when it comes to tracing it back?
Right.
Well, it's difficult because you can route an attack from anywhere in the world and you can disguise the routing and you can take over somebody else's machine and route it from that.
You can.
There's just so many different ways.
Furthermore, you have to consider that you're talking about people whose job is to operate covertly and that, you know, with enough time and money, you can operate completely silently.
The fact that a hack is ever caught is actually a failure.
I mean, the idea is to go in, steal the information, get out and not be caught.
So we're building sort of this body of information on failures.
We're counting on failures that will allow us to catch and analyze an attack.
But you just never know who's driving the wheel.
You know, you're always from a cybersecurity perspective.
You're always finding the car at the scene.
You're never finding the driver.
Anybody as a driver could slip in behind the wheel.
That's how it works.
And so in the software world, you know, anybody can be running.
Anybody could be seated at the laptop. You don't even need to be at the computer.
You can be doing it remotely.
And then I guess just enough proxies in a row and you're effectively masked.
So it's funny that that being the case that anyone would claim that they have some high level of certainty that it was the Russian government that was behind something like this.
They sound stupid then, don't they?
When they make a claim like that.
Well, I don't want to use, you know, loaded words like that.
I think I would say.
I would say that it's anybody who says that is not being naive at best.
But but I'll give you another example.
A recent article just came up today in Motherboard at Vice by Thomas Rid, where he quoted a researcher saying that a document from the DNC, in the metadata of the document, there was the name of a Russian that founded the Russian Secret Service.
So think about that for a minute.
So somebody to me, the first time I saw that, I thought this is wonderful humor.
Some hacker decided to insert the name of the founder of Russia's security services in a document.
That's clearly a joke.
And yet Rid and other people saw that and thought that proof somebody signed their name or somebody, you know, without thinking, declared that the Russian security service had their hands on this document.
I mean, talk about naive.
How is it that, who in their right mind would accept that as proof?
Right.
Well, and especially when, you know, and this is kind of a segue over here into your other article about all these supposed links here, Putin is supposedly behind every nefarious thing going on on the planet.
His FSB, they're like the KGB on steroids and human growth hormone and that stuff that makes your memory better that they saw on the Art Bell show.
And yet somehow they left all these cookie crumbs in their hack of these emails.
Like excellent point.
Yeah, I agree with you 100 percent.
And you see that all the time.
So security research will start by saying highly sophisticated and they'll use a bunch of technical language to impress you.
But those same people will insert the name of their security service in a document.
I mean, are you either a brilliant technician or are you a complete moron, you know, to do both of those things at the same time?
Exactly.
It makes no sense.
And.
I don't know if you want it, I really don't have too much time left to share.
But, you know, Josh Marshall, my dispute with Josh Marshall, frankly, was that he said that he based his Trump-Putin collaboration on facts.
And of course, there really weren't any.
You know, there are a few things out of seven that I identified.
He got two of them right.
He got one of them.
One of them you could debate: is the Moscow Times state-run or is it privately owned?
That's good.
OK, I'm happy to concede that.
But the bottom line is that there were very few facts that supported such a claim.
And I think that the Hillary camp is using this to garner sympathy or for some other political end.
And I think it's a disgraceful step to create a precedent that could harm national security in the future.
Yeah.
Well, and, you know, I mean, that's the thing of it, too, is and as you say here, you despise Donald Trump.
I'm certainly not in the tank for Donald Trump.
I sort of think I oppose Hillary a little bit more, but I sure ain't voting for the dude or support him in any way.
But the truth is the truth.
And one thing that really does bother me is people smearing Russia, as we talked about before, making it sound like Russia is an enemy state of the United States of America.
Now, we don't have to be allies with them, but we certainly can be friends with them.
And the idea that, oh, you know, that Putin, as Hillary put it, is like Hitler and is, you know, on the aggressive march to do all these things, including manipulate our, you know, virgin, pure democratic elections with all their nefarious FSB, this and that kind of mendacity.
That's a really ugly narrative to stick if it sticks.
And it could be the basis for a lot of horrible policies coming this way, too, if people really believe that stuff.
Yeah, I agree.
So that's the biggest problem of all, and I appreciate the way you say at the end of here, hey, look, I despise Trump.
I hate saying that.
But come on, there's no reason to make up stuff about him.
If anything, that'll help him anyway, right?
Well, that's right.
I mean, it's.
You know, we in the business world, large corporations, multinational corporations, they understand that we have to do business globally.
You know, war is bad for everybody.
Economic sanctions hurt everybody.
We need to find ways to make money in a global marketplace to keep employment up, to keep wages up, to make life better for real people.
And so when you start pissing off governments for no reason.
You know, there are plenty of good reasons to run sanctions against Russia, like what's going on in Ukraine or for other things, for real things, you know, let's stick to those.
We don't need to invent shit to cause further problems, to make it harder for people around the world to enjoy their day to day life and to do it safely and with, you know, with a sense of security.
Well, and even then, all the problems in Ukraine and how they got that way, you know, notwithstanding, the solution clearly is talk more and be friends more, not even necessarily sanctions for that, but find ways that we can all agree about, you know, let's Finlandize Ukraine so that nobody fights about it or something.
Come up with something instead of all this strife.
So, yeah, I'm with you totally there.
Listen, I appreciate your time and even staying over time with us today, Jeffrey.
It's a really good one.
Thanks so much, Scott.
I appreciate the invitation.
Bye bye.
Bye.
All right.
So that's Jeffrey Carr, author of Inside Cyber Warfare, CEO of Taia Global, Inc.
And you can check out these articles at medium.com/@jeffreycarr, fact checking that Trump and Putin thing.
And then this other one was the DNC breach and the hijacking of common sense.
All right.
So that's the show.
Thanks for listening.
scotthorton.org for the archives and the podcast feed.
Sign up there.
Help support at scotthorton.org/donate and follow me on Twitter @scotthortonshow.