, , , ,

In Franklin Foer’s defence, I can see an attempt at investigative journalism and fact checking in the Slate article, but it still doesn’t prove a conspiracy between Donald Trump and Alfa Bank. It’s heavy on appeals to authority, though.

As far as I can tell, the the person(s) making this claim weren’t involved in the investigation of the DNC compromise, even if Foer would have us believe the two are related.
The malware that allegedly infected the DNC servers has been extensively researched, documented and the finer details posted by many credible researchers. Anyone can review the material and come to their own conclusions. The culprits were creating their own stuff from scratch, using non-standard infection methods and the SeaDuke code was professionally structured… In short, we could objectively say that a state-sponsored Russian group is the likely culprit, but even with all that, it hasn’t been proven beyond reasonable doubt. This is important, because Foer’s article gives us third-hand conjecture on DNS logs that might well be interpreted to suit a political agenda. There are no actual emails, no information on how the Trump Organisation and Alfa Bank servers were configured.

The next red flag was the following statement in the article:
‘Hunting for malware requires highly specialized knowledge of the intricacies of the domain name system—the protocol that allows us to type email addresses and website names to initiate communication.’
Of course, it helps to have a basic understanding of the DNS, but anyone with the right tools can extract IP addresses and domain names from a malware sample and follow them up – this is only a small and incidental part of malware analysis.

‘In late July, one of these scientists—who asked to be referred to as Tea Leaves, a pseudonym that would protect his relationship with the networks and banks that employ him to sift their data—found what looked like malware emanating from Russia. The destination domain had Trump in its name, which of course attracted Tea Leaves’ attention.’
That’s kind of the opposite of what would happen if Trump’s server was infected and beaconing to a C&C server in Russia. I’m more inclined to think the server actually was sending clickbait emails.

He goes on to say that a bank in Russia was occasionally pinging a server registered to the Trump Organisation. If it was a ‘ping’, it’s checking whether the server’s up, and maybe using the DNS to verify the source of the hypothetical emails. What I find odd about this is that the bank would need to query the DNS each time. Surely the IP address is cached on the server and the source network?

‘I communicated extensively with Tea Leaves and two of his closest collaborators, who also spoke with me on the condition of anonymity, since they work for firms trusted by corporations and law enforcement to analyze sensitive data.’
Sounds pretty shady. There are countless security professionals working for government and law enforcement agencies putting their names to their research, as they did with the substantiated intel relating to the DNC compromise. Which aspects of the Slate story did the named computer scientists confirm?

‘It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.’
Trump’s server was used for sending relatively large volumes of marketing emails since 2009, but now handles only low level traffic, we’re told. It is configured also to only accept traffic from a limited set of IP addresses. Admittedly I don’t have an explanation for that. There are a few intriguing claims in the story, but nothing verifiable.
We can, however, determine something about the relationship between the servers. A couple minutes’ research indicates they were indeed looking at one of Trump’s marketing servers. The domains trump1.contact-client.com and trump-email.com were registered by cdcservices.com.


The cdcservices.com domain, in turn, was registered to cendyn.com, owned by a company that provides a ‘Hospitality Marketing Cloud’ service.



Therefore the likely explanation is that Alfa Bank’s employees stayed at a Trump hotel, and were being followed up by the usual marketing emails.

‘[…] the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence.’
Erm, well yes, but… no. It was ‘shutting out the rest of the world’ rather like the firewalls protecting most public-facing servers.

‘The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.’
I have no idea what’s meant by this. Was the traffic encrypted, and how is that abnormal? What’s been described so far suggests the opposite – If they were looking at criminal activity, they’d almost certainly be looking at crims who made an effort to prevent attribution. The NSA would certainly have intercepted the traffic also.

‘The conversation between the Trump and Alfa servers appeared to follow the contours of political happenings in the United States. “At election-related moments, the traffic peaked,” according to Camp. There were considerably more DNS lookups, for instance, during the two conventions.’
Aside from the ‘correlation doesn’t equal causation’ argument, the problem here is that ‘contours of political happenings’ is very, very subjective. It varies according to news sources and what one considers noteworthy. A similar correlation could be found with events anywhere in the world.

‘[…] shortly after [The Times] reached out to Alfa, the Trump domain name in question seemed to suddenly stop working[…] Four days later […] the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route.’
There are a number of possible explanations. The timing could have been a coincidence, and Cendyn had shifted the service to a subdomain, perhaps to make it easier to manage. Cendyn or Alfa could also have communicated the change through a third-party email service. This isn’t evidence that anyone was conspiring out-of-band.

In conclusion, this doesn’t add up to incontrovertible evidence of a link between Trump and Alfa Bank, much less evidence of a conspiracy involving Trump. As it is, they have only DNS log data, which needs to be correlated with other sources.