David Jonathon Blake @HisBlakeness, 21 tweets
THREAD on Mueller & Guccifer2.0

1/ Mueller has gone on a Phishing trip, and like most anglers likes to boast about the size of the big one. But there's no evidence of the catch, not even how he reeled them in. We are expected to take his word that "It was *this* big".
2/ I have a *long* standing project in the works looking at Guccifer2.0's documents which is proving to be more than interesting. It should settle it once and for all.

But in the meantime I'd like to look at a few aspects of the new indictment that do not compute.
3/ What Mueller appears to have done is to pick some names that he claims are hackers from "Unit 26165" and "Unit 74455" and claim they hacked the DNC & DCCC. We have no way of knowing if they did, he presents no evidence of *how* they claim to *know* it was these people.
4/ These two units are said to be both in Moscow. This happens to be a problem for the Mueller indictment.

Moscow is naturally in the MCT timezone: GMT +3. I did an analysis on that aspect of the first Guccifer 2.0 document, available here:

loadedforguccifer.wordpress.com/2018/02/16/doc…
5/ The first .doc documents released by Guccifer2.0, numbered 1.doc, 2.doc, through to 5.doc, weren't actually Microsoft .doc documents at all.

You can verify this in your browser. Try viewing the source of 1.doc:

view-source:guccifer2.files.wordpress.com/2016/06/1.doc

It's text, not binary.
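The same check can be made programmatically. The following is an added example, not code from the thread or from the author's blog post: it classifies a file by its leading bytes rather than by its extension, using the standard magic numbers for OLE2 compound files (the binary .doc family), ZIP (the .docx container) and RTF. The sample inputs are constructed for the example and are not bytes from the actual Guccifer 2.0 files.

```python
# Added example: tell what a file really is from its leading bytes, not its extension.
# The magic numbers are the well-known ones for the three containers discussed in the thread.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary: legacy binary .doc
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a ZIP archive
RTF_MAGIC = b"{\\rtf"                            # RTF starts with the \rtf control word

# What each extension promises the container will be.
EXPECTED_BY_EXTENSION = {"doc": "ole2", "docx": "zip", "rtf": "rtf"}


def sniff_format(head: bytes) -> str:
    """Classify a file by its first bytes: 'ole2', 'zip', 'rtf' or 'unknown'."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def looks_like_text(head: bytes) -> bool:
    """The 'view-source shows text' test: printable ASCII and whitespace only."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in head)


def extension_mismatch(filename: str, head: bytes) -> bool:
    """True when the extension promises one container but the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_BY_EXTENSION.get(ext)
    return expected is not None and sniff_format(head) != expected


# Constructed samples (hypothetical bytes, not taken from the real files):
# an RTF body served under a .doc name, the start of a genuine OLE2 header, and a
# truncated ZIP local-file header.
RTF_IN_DOC_CLOTHING = b"{\\rtf1\\ansi\\ansicpg1252\\deff0{\\fonttbl{\\f0 Calibri;}}}"
GENUINE_OLE2_DOC = OLE2_MAGIC + bytes(16) + b"\x3e\x00\x03\x00\xfe\xff\x09\x00"
GENUINE_DOCX = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00"

if __name__ == "__main__":
    for name, head in [("1.doc", RTF_IN_DOC_CLOTHING), ("real.doc", GENUINE_OLE2_DOC),
                       ("report.docx", GENUINE_DOCX)]:
        print(f"{name:>12}: {sniff_format(head):5} text={looks_like_text(head)!s:5} "
              f"mismatch={extension_mismatch(name, head)}")
```

Running it flags `1.doc` as RTF text under a binary-document extension while the constructed OLE2 and ZIP samples pass; the same sniff can be applied to the first few hundred bytes fetched from any of the numbered documents.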
6/ With hindsight we now know that 1.doc started life as a file called "12192015 Trump Report.docx"; it's available via the Podesta documents on wikileaks:
wikileaks.org/podesta-emails…

So WHY change it to this new "hybrid" format? Why bother? Why do it DELIBERATELY?

To leave clues.
7/ The .docx was changed to a .rtf (Rich Text Format) which renders in text, then changed to a .doc. Why?

a) Make the metadata more visible: in text format
b) To show language clues, and
c) Make it possible to calculate a timezone. A TIMEZONE

To "guide" us to a conclusion...
8/ It's vital to understand that these changes were completely UNNECESSARY. If a hacker wants to release documents, and have them verified as genuine, just release the documents as they are.

It's illogical. It's stupid.

The only reason why is to leave those clues ON PURPOSE.
9/ All the metadata, apart from the time and date, are false trails. Warren Flood will be happy to know that. The "Феликс Эдмундович" in the metadata is a blatant, and pathetic, effort to have you thinking "must be Putin". Would the CIA sign a hack of RU docs "John Wayne"? Nah.
10/ More interesting than the standard metadata is what Microsoft does to "help" the user.

When a .docx document is saved as an .rtf, sections that can't be converted to text are saved as binary (base64 encoded). This is exactly what's happened here. A few times in fact.
11/ The two most important sections for us are the "theme" and "MSODatastore". What to do to get something useful out of them is covered in my blogpost. Involves geekdom. But they decode back to what they once were into either binary or XML depending.
12/ Once the "theme" is converted back to XML from the binary it appears as a *genuine* Russian language theme for "Тема Office" ("Office Theme"), the Russian name for Microsoft's product.

Case closed, right?

Well wait a minute.
13/ Once the "Datastore" is converted we have the meat and potatoes. We have the whole reason for this little charade.

Drumroll please.

C0 C2 C9 45 F6 C6 D1 01
14/ Doesn't look like much does it? But these 8 bytes are a Win32FileTime. This gives the number of 100-nanosecond intervals since 1601 that have passed since this file was modified. And it's in UTC - ignoring leap seconds. They just get in Microsoft's way.

Why is it important?
15/ Because we know it's in UTC, and there's another modified file time, in plain text, in the code of the .rtf file. It's this:

{\revtim\yr2016\mo6\dy15\hr14\min8}

14:08 but in what timezone?
16/ By comparing the two we can find out the Timezone that the document was saved in. Right?

Right! And Wrong.

It works out at 14:08 - 11:08:41 GMT, giving us a timezone of GMT+3. That's Eastern Europe, including Romania, some parts of the Middle East, but also MOSCOW..!

But..
17/ But there's two problems.

The first is: It's virtually meaningless. This result can be recreated either by setting the computer clock at boot to be on Moscow time, or by specifying the time-zone via a script command like say "TZ=utc+3" on Linux.
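To make the arithmetic in tweets 13 to 17 reproducible, here is an added Python example; it is not the author's code and not taken from the linked blog post. It takes the eight FILETIME bytes quoted in tweet 13 as already extracted from the datastore (the decoding of the container itself is left out), parses the \revtim group quoted in tweet 15 from a constructed minimal RTF header, and derives the UTC offset the saving machine was set to. It also shows why the raw difference comes out at 2:59:19 rather than a clean three hours, and why the result should be snapped to a 15-minute grid instead of whole hours.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, leap seconds ignored.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The eight bytes quoted in tweet 13, in the order they appear in the decoded datastore.
# FILETIME is stored little-endian, so C0 is the least significant byte.
DATASTORE_FILETIME = bytes.fromhex("C0C2C945F6C6D101")

# Constructed RTF fragment: the \revtim group is the one quoted in tweet 15; the
# surrounding header is minimal scaffolding for the parser, not the real 1.doc.
SAMPLE_RTF = r"{\rtf1\ansi{\info{\revtim\yr2016\mo6\dy15\hr14\min8}}}"

REVTIM_RE = re.compile(
    r"\\revtim\\yr(?P<yr>\d+)\\mo(?P<mo>\d+)\\dy(?P<dy>\d+)\\hr(?P<hr>\d+)\\min(?P<mn>\d+)"
)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_revtim(rtf: str) -> datetime:
    """Return the \\revtim group as a naive datetime: local wall-clock time, minute resolution."""
    m = REVTIM_RE.search(rtf)
    if m is None:
        raise ValueError("no \\revtim group found")
    return datetime(int(m["yr"]), int(m["mo"]), int(m["dy"]), int(m["hr"]), int(m["mn"]))


def infer_utc_offset(local_naive: datetime, utc: datetime, grid_minutes: int = 15) -> timedelta:
    """Estimate the UTC offset the saving machine was configured with.

    \\revtim carries no seconds and the two timestamps are not written at the same instant,
    so the raw difference is never a clean offset. Real zones are multiples of 15 minutes
    (+05:30, +05:45 exist), so snap to that grid rather than rounding to whole hours.
    """
    delta = local_naive - utc.replace(tzinfo=None)
    step = timedelta(minutes=grid_minutes)
    return round(delta / step) * step


def format_offset(off: timedelta) -> str:
    """Render a timedelta as +HH:MM or -HH:MM."""
    total = int(off.total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return f"{sign}{total // 3600:02d}:{total % 3600 // 60:02d}"


def analyse(rtf: str, filetime_bytes: bytes) -> dict:
    """Run the whole comparison and return the values a report would quote."""
    utc = filetime_to_utc(filetime_bytes)
    local = parse_revtim(rtf)
    return {
        "utc_modified": utc.isoformat(),
        "local_revtim": local.isoformat(),
        "raw_delta": str(local - utc.replace(tzinfo=None)),
        "utc_offset": format_offset(infer_utc_offset(local, utc)),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RTF, DATASTORE_FILETIME).items():
        print(f"{key:>13}: {value}")
```

The FILETIME decodes to 2016-06-15 11:08:40.556 UTC, the \revtim says 14:08 local, and the snapped offset is +03:00. What that offset records is only the local time zone the saving machine was configured with at that moment, which is the point of tweet 17: it comes from the clock or the TZ environment variable, not from geography. One caveat if you reproduce the TZ trick on Linux: POSIX TZ strings put the sign the other way round from ISO offsets, so a zone three hours ahead of UTC is written TZ=UTC-3.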
18/ The second is: One of the numbered documents doesn't give GMT+3. 4.doc gives GMT+4. Unless Guccifer2.0 is coding while riding a Kawasaki Ninja Z110000 running pure nitrox, or is perhaps aboard the international space station, the upload times make it impossible to be 1 guy.
19/ And *this* is the point.

This is what they *wanted to show*.

They wanted to show he wasn't Romanian, as GMT+4 takes it outside of Romania into nearly uniquely Russian territory. It takes it away from being just one hacker.
20/ All very clever of them right? Well, if it wasn't just for the question of logic - a hacker changing documents to incriminate himself - then we have the problem of Mueller's claim about Units 26165 and 74455.

They are BOTH in Moscow. They are BOTH in timezone GMT+3
21/ But one of Guccifer's documents uploaded seconds after the others was "modified in timezone GMT+4" so Mueller's claim looks dubious.

And we haven't even got started. I doubt there's a sentence that stands up to scrutiny.

More coming on Guccifer2.0.