Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank (slate.com)

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with the hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists, who asked to be referred to as Tea Leaves, discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue." Slate Magazine reports:

More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump.

But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.
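The summary's whole argument rests on reading timing out of DNS query logs: lookups at a fixed interval look like a timer or beacon, while irregular lookups that cluster inside one city's working day look like people. The script below is an added example, not code from the article, the researchers or Slate; the log format, the RFC 5737 addresses, the hostname, the sample lines and the thresholds are all constructed assumptions.

```python
"""Classify the lookups of one hostname in a DNS query log by their timing."""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from zoneinfo import ZoneInfo

# Constructed log lines: "<UTC timestamp> <querying resolver> <name looked up>".
# Addresses come from RFC 5737 documentation ranges; the name is invented.
SAMPLE_LOG = """\
2016-09-20T05:00:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T05:05:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T05:10:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T05:15:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T05:20:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T05:25:00Z 192.0.2.10 mail1.example-brand.test
2016-09-20T06:12:41Z 198.51.100.7 mail1.example-brand.test
2016-09-20T06:47:03Z 198.51.100.7 mail1.example-brand.test
2016-09-20T08:02:19Z 198.51.100.7 mail1.example-brand.test
2016-09-20T10:31:55Z 198.51.100.7 mail1.example-brand.test
2016-09-20T11:15:08Z 198.51.100.7 mail1.example-brand.test
2016-09-20T13:44:30Z 198.51.100.7 mail1.example-brand.test
"""

BUSINESS_START, BUSINESS_END = 9, 18  # local "office hours" window (assumption)
PERIODIC_CV = 0.2  # gap variation below this reads as a timer, not a person (assumption)
# Offsets in force on the sample date (EDT = UTC-4, MSK = UTC+3); used only when
# the host has no tz database.
FALLBACK_OFFSET_HOURS = {"America/New_York": -4, "Europe/Moscow": 3}

def zone(name):
    """IANA zone if tzdata is installed, otherwise the fixed offset for the sample date."""
    try:
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=FALLBACK_OFFSET_HOURS[name]))

def parse_log(text):
    """Group lookup times (UTC) by the resolver that issued them."""
    by_source = {}
    for line in text.split("\n"):
        if line.strip():
            stamp, source, _name = line.split()
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            by_source.setdefault(source, []).append(when)
    return {src: sorted(times) for src, times in by_source.items()}

def interval_cv(times):
    """Coefficient of variation of the gaps between consecutive lookups: 0.0 is a
    perfectly regular cadence (cron/beacon); larger values mean irregular timing."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def office_hours_fraction(times, tz_name):
    """Share of lookups that fall on a weekday inside the office-hours window of tz_name."""
    tz = zone(tz_name)
    local = [t.astimezone(tz) for t in times]
    hits = sum(1 for t in local if t.weekday() < 5 and BUSINESS_START <= t.hour < BUSINESS_END)
    return hits / len(times)

def classify(times, zones=("America/New_York", "Europe/Moscow")):
    """'periodic' for a timer-like cadence, 'office-hours:<zone>' when at least 80% of
    lookups sit inside that zone's working day, otherwise 'irregular'."""
    cv = interval_cv(times)
    if cv is not None and cv < PERIODIC_CV:
        return "periodic"
    for name in zones:
        if office_hours_fraction(times, name) >= 0.8:
            return "office-hours:" + name
    return "irregular"

def report(text=SAMPLE_LOG):
    """Map each resolver in the log to its timing label."""
    return {src: classify(times) for src, times in parse_log(text).items()}

if __name__ == "__main__":
    for src, label in report().items():
        print(src, label)
```

On the constructed sample the first resolver queries every five minutes exactly and is labelled periodic, while the second queries at odd intervals that all land between 09:00 and 17:00 Moscow time and is labelled as office hours there, which is the distinction the researchers describe drawing.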
  • by ScentCone ( 795499 ) on Monday October 31, 2016 @09:15PM (#53188973)
    I have customers with nearly-abandoned dedicated servers on their own IPs and with some project-related whitelist rules that act very much like what's described in the summary. Those servers do things like wasting their time checking for updates from some custom module authors (some overseas), and some try to connect to long-gone services that have had their domains scooped up by (ready?) Russian typo-squatters and the like, but with IPs that resolve somewhere else entirely because they've been re-assigned to entirely different companies. And no, nobody dares to approve changing the configuration on these legacy servers ... and they keep paying to keep them online, despite the crickets chirping instead of activity on whatever legacy task they once did.

    There are all sorts of reasons this sort of behavior might materialize. You know, sort of like there might be all sorts of reasons that Huma Abedin's trove of email - in the hundreds of thousands - might be on her creepy, estranged husband's laptop. I'm sorry, did I use her name? Woopsie! Hillary Clinton now calls her "a staffer."
    • Re: (Score:3, Informative)

      by PopeRatzo ( 965947 )

      There are all sorts of reasons this sort of behavior might materialize.

      Are there also "all sorts of reasons" that the peak activity of this server would occur only during dates immediately following dramatic election news?

      Read the whole story. It wasn't "typo-squatters", it was a Russian bank owned by oligarchs that was connecting to Trump's secret private email server.

      It's a well-researched and written story. You might want to check it out unless the news upsets you for some reason.

      That wasn’t the

      • Are there also "all sorts of reasons" that the peak activity of this server would occur only during dates immediately following dramatic election news?

        They didn't. The article says this, but the attached graph shows otherwise.

      • by LordLucless ( 582312 ) on Monday October 31, 2016 @10:55PM (#53189607)

        Read the whole story. It wasn't "typo-squatters" it was a Russian bank owned by oligarchs that was connecting to Trump's secret private email server.

        Uh, by "secret, private email server", do you mean the server openly and publicly registered to the Trump Organisation?

      • by Anonymous Coward on Tuesday November 01, 2016 @01:40AM (#53190085)

        It's a well-researched and written story.

        What a fucking joke. This is still slashdot, right? There are still people here that understand TCP/IP and DNS, right? I only ask because the author of the slate article makes it abundantly clear that he is unaware of the difference between a server and a domain.

        The server was first registered to Trump’s business in 2009

        Does that look well researched to anyone here? If you were consulting with a reporter writing a story about servers and DNS, would you let him leave that sentence in the story? Or would you correct him?

        More:

        But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.

        What is on 5th Avenue? I'll give you a hint, it isn't the bank, the server or the domain. Someone go stop the presses, I think we just found the mailing address of Trump's office.

        But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.

        That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.

        Ok, so the server isn't advertising itself with a banner that says "I am a Beowulf cluster, and these chumps have been running 5 emails a day." How do these "researchers" know what it is inside? Did they commit some felonies to find out? Do I sense yet another batch of Democrats taking the 5th in the near future?

        Assuming they get in through some means, what do they find? Is it a capacious server with huge operating costs, like geothermal liquid cooling? Or is it a 1U stuffed into a rack somewhere and forgotten until someone walks past and notices that the idiot light is lit, 6 months after it shuts itself off because the PSU fan failed? Or is this server just an A record in DNS somewhere, in a domain that exists mostly so that recipient mailservers have a SPF record to look at? They don't tell us any specifics. My guess is that the "well-researched" writer thinks that each domain name needs a big dedicated server, at least to the extent that he is able to recognize them as distinct concepts and objects.

        I don't know about you guys, but I check my domain names and purge stale domains about once per decade. The $15 per year to leave them on autopilot autorenewal mode is literally less expensive than my effort to sift through the list plucking out the ones that I no longer need.

      • by ScentCone ( 795499 ) on Tuesday November 01, 2016 @02:35AM (#53190253)

        It's a well-researched and written story.

        What it actually does is cherry-pick the wildest speculation they can come up with, and then (if you bother reading all the way through), points out exactly how eye-rollingly silly it is. A little bit of Occam's Razor applied to the situation, along with some actual experience with provisioned-by-third-party marketing mail servers left to rot for six years is instructive.

        Yes, it's well written in the sense that it conforms to Slate's editorial position on trying to get Hillary Clinton elected. It reaches into nothingness in an attempt to construct a narrative desperate to distract from their preferred candidate's flaming case of corruption while actually being a supposed public servant in a position of trust.

    • by hey! ( 33014 ) on Monday October 31, 2016 @09:38PM (#53189115) Homepage Journal

      From a logical standpoint this really tells us nothing. Just like the existence of the Abedin "trove" really tells us nothing. It's just a tabula rasa onto which people can project what they already believe.

      It wouldn't be surprising for Trump to have some kind of relationship with a Russian bank; that's not necessarily illegal. Now if you were looking for dirt, that'd be a good place to start looking, because there are sanctions against certain Russian firms and individuals. But it doesn't mean you'd find any.

    • by l0n3s0m3phr34k ( 2613107 ) on Monday October 31, 2016 @10:43PM (#53189541)
      Steve, is that you? The sysadmin before me at my current job? Because my firewall was FILLED with address objects, NAT policies, service objects, etc from many years ago that I'm still trying to work my way through. No documentation either...like "Webserver public private public IP" for a name, every address has its own http and https service object, rules for servers long moved across the ocean...
  • by davide marney ( 231845 ) on Monday October 31, 2016 @09:17PM (#53188987) Journal
    FTA: "Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence." Oh, you mean like the SSH setup I have for all my servers to only listen to known IPs for shell access? Uh, yeah, no kidding. Geez, politics can make people so stupid.
    • by ScentCone ( 795499 ) on Monday October 31, 2016 @09:23PM (#53189025)

      Geez, politics can make people so stupid.

      No, politics makes people PRETEND to be stupid so they can pretend they are outraged by things they are pretending they don't understand well enough, so they can speak their phony outrage out loud in hopes that some other ACTUALLY low-information person will pick up the outrage and run with it all the way to the voting booth. This story is bordering on that. But the credible treatment of it is definitely such.

    • Oh, you mean like the SSH setup I have for all my servers to only listen to known IPs for shell access? Uh, yeah, no kidding.

      I think Trump is an idiot and wanted to find something in this story, but this really is scraping the bottom of the speculation barrel.
      For all we know it is one of the IT staff with a link to a torrent seed hosted overseas. There's a ton of reasons to not like Trump, this is not one of them.

    • "Science is the belief in the ignorance of experts." -R. Feynman

      Good quote. This is another good, related one, from Thomas Huxley (great man, agnostic):

      Science seems to me to teach in the highest and strongest manner the great truth which is embodied in the Christian conception of entire surrender to the will of God. Sit down before fact as a little child, be prepared to give up every preconceived notion, follow humbly wherever and to whatever abysses nature leads, or you shall learn nothing. I have only begun to learn content and peace of mind since I have resolved at all risks to do this.

      And this one is good too (from Richard Lindzen):

      Science as a tool is sometimes useful; Science as an institution is always problematic.

    • by ShakaUVM ( 157947 ) on Monday October 31, 2016 @11:27PM (#53189731) Homepage Journal

      >FTA: "Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence." Oh, you mean like the SSH setup I have for all my servers to only listen to known IPs for shell access? Uh, yeah, no kidding. Geez, politics can make people so stupid.

      According to known right-wing rag, the New York Times, the FBI investigated this alleged connection for weeks and decided it was nothing.

      http://www.nytimes.com/2016/11... [nytimes.com]

  • by LynnwoodRooster ( 966895 ) on Monday October 31, 2016 @09:22PM (#53189019) Journal
    Turns out it was Huma using Yahoo, and Podesta getting phished... No Russians involved, just plain old incompetence.
  • by ooloorie ( 4394035 ) on Monday October 31, 2016 @09:34PM (#53189075)

    Hey, Slashdot gets visited by Russian IP addresses too! Maybe Slashdot is working with Putin to leak Clinton's E-mails as well?

    Seriously, this bullshit coming from Clinton and her minions only shows how desperate they are.

    • by hey! ( 33014 ) on Monday October 31, 2016 @10:15PM (#53189377) Homepage Journal

      However, Slashdot's servers respond to requests from anywhere, not just a particular Russian bank. So it's not the same thing. The evidence is enough to conclude that the Trump organization probably has some kind of relationship with that bank, which is not illegal per se.

      This is politics; if you leave yourself open to innuendo, you get shellacked. Trump could easily have avoided this by releasing his tax returns, just like Mitt Romney did.

      • This is politics; if you leave yourself open to innuendo, you get shellacked. Trump could easily have avoided this by releasing his tax returns, just like Mitt Romney did.

        And the Democrats wiped the floor with Romney and made him out to be the devil incarnate as well. You cannot placate these people (and they exist in both parties).

        • by hey! ( 33014 )

          Well, that may be true, but again you can't be surprised if the other side uses the ammunition you give them.

          • by stdarg ( 456557 ) on Tuesday November 01, 2016 @12:26AM (#53189937)

            What other side? Hasn't Romney endorsed Clinton? The most amazing thing about this election is the validation of the conspiracy theorists who have been saying we have one party rule. It's true, as unbelievable as that is. Bush? Clinton? Hey they're on the same side. Romney? Yep he's there too.

            Trump is the only major outsider candidate we've seen since at least Bush (senior) and Clinton, so around 30 years.

            The funny thing is how much we criticize places like China for the same kind of crap we have apparently been doing. The media largely functions as propaganda for the establishment. The political parties are basically on the same side. When you read the wikileaks stuff you see the so-called private sector working hand in hand with the government (like google's eric schmidt requesting to be head "outside adviser" to clinton's campaign).. it's like a big joke at this point.

            Voting for Clinton at this point is basically a vote to continue our slide into banana republic status.

            • What other side? Hasn't Romney endorsed Clinton? The most amazing thing about this election is the validation of the conspiracy theorists who have been saying we have one party rule. It's true, as unbelievable as that is.

              Have you ever considered the possibility that Trump is just a completely terrible candidate for President? He is facing a rape trial [theguardian.com] and a fraud trial [bloomberg.com] along with his many other flaws.

            • Trump is the only major outsider candidate we've seen since at least Bush (senior) and Clinton, so around 30 years.

              You consider Bush Sr to be an outside candidate, but not Obama?

          • Well, that may be true, but again you can't be surprised if the other side uses the ammunition you give them.

            Which is why Trump hasn't released his tax returns, and why he is running such a crazy campaign: he was going to be vilified anyway, so why play the game at all? Why not be outrageous and loud? As for Romney, he was about as benign a politician as we can ever hope to have; what the Democrats did to him was absolutely disgusting.

            If journalists or the two party establishments think that after this electio

    • by quantaman ( 517394 ) on Monday October 31, 2016 @10:21PM (#53189421)

      Hey, Slashdot gets visited by Russian IP addresses too! Maybe Slashdot is working with Putin to leak Clinton's E-mails as well?

      Seriously, this bullshit coming from Clinton and her minions only shows how desperate they are.

      FTA:

      I also spoke with academics who vouched for Tea Leaves’ integrity and his unusual access to information. “This is someone I know well and is very well-known in the networking community,” said Camp. “When they say something about DNS, you believe them. This person has technical authority and access to data.”)

      The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

      [...]

      Earlier this month, the group of computer scientists passed the logs to Paul Vixie. In the world of DNS experts, there’s no higher authority. Vixie wrote central strands of the DNS code that makes the internet work. After studying the logs, he concluded, “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.”

      The real interesting thing is when people started asking about the server, the Trump org took it down, renamed it, and somehow the Russian server knew exactly which hostname to access (suggesting someone from Trump org told them).

      Four days later, on Sept. 27, the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route.

      These aren't political hacks, nor the result of reporters misunderstanding basic concepts. These are qualified experts with reputations to protect who understand hackers, malware, and misconfigured mail servers. They have looked at the evidence and think this is a secret communication channel.

      • The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. [...] The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project

        Yes. I do the same when I travel to Russia, China, or the EU and connect back to the US; those places are full of spies and crooks.

    • Hey, Slashdot gets visited by Russian IP addresses too!

      Hmmm, and the traffic flows across in an encrypted channel, keeping everyone else out. Suspicious.

  • by Okian Warrior ( 537106 ) on Monday October 31, 2016 @09:36PM (#53189087) Homepage Journal

    While this is certainly interesting and deserves attention (I voted it up in the firehose), it's unlikely to be of any use during the campaign.

    For one, the server was registered in 2009 and is unlikely to be anything related to the elections. Trump's business is pretty big, and he has contacts all over the world.

    (For comparison, the Podesta group is registered with the U.S. government as a lobbyist for Sberbank [salon.com]. Google "Podesta Russia" for lots of links and info.)

    For another, if it's nefarious it's more likely to be some sort of mole or agent within Trump's organization. Again, Trump's business is huge, and there are probably one or more foreign government agents working for him (also in Google, Facebook, and a hundred other big organizations).

    Also, there might be a perfectly reasonable explanation. We should wait for the Trump campaign explanation, then see if their explanation seems reasonable. God only knows how many times we've done that for the Clintons!

    And finally, it might be too little too late. Word on the street is that Clinton will be stepping down on Tuesday [newsninja2012.com] (tomorrow), Veritas is planning a "blockbuster" drop this week, Wikileaks is about to start phase three [thehill.com] of its election coverage, and internal leaks from the campaign indicate that Hillary is coming apart at the seams: binge drinking [truepundit.com], uncontrolled anger [rickwells.us], and poor judgement in general.

    As the saying goes, it's not over until it's over.

    Let's just wait for the election.

    • Veritas is a scam, so the idea that it has anything other than cleverly edited video is ludicrous, even more unbelievable that it has anything to make Clinton worry. Veritas is a sideshow designed more to keep Trump supporters pumped up.

      "Word on the street"? Really?

      • by LynnwoodRooster ( 966895 ) on Monday October 31, 2016 @10:19PM (#53189403) Journal
        I guess having nothing other than cleverly edited videos is why two high-placed DNC operatives are now out of a job...
      • by meta-monkey ( 321000 ) on Tuesday November 01, 2016 @08:39AM (#53191321) Journal

        Why didn't they deny the content of the videos then, and why did Creamer and Foval resign?

        Also, people have matched the girl from the video who said she shut down the Arizona freeway to pictures from the scene, and found her payment records with Hillary's campaign. Everything checks out about the Veritas story so far.

        Also, can you give me a plausible explanation for how "clever editing" makes innocent conversation sound exactly like someone explicitly stating they hire the mentally ill to start fights at their opponents' political events?

    • by skam240 ( 789197 )

      How much money do you want to put on your sources and where can I meet up with you to make the bet and put our money in the hands of a neutral party? If you're willing to bet enough on these sources I will fly to wherever you are to make counter bets on your claims.

      I hate to be rude, but I feel that I have to: how can you be so naive as to believe Clinton will drop out less than two weeks before the election when she is clearly ahead in the polls? You're straight up posting celebrity gossip level nonsense he

  • Is it Sberbank, Russia’s biggest financial institution, and the one that The Podesta Group is a registered lobbyist for [battleswarmblog.com]?

    You know, the "Hillary Clinton inner circle" Podestas? Of Wikileaks fame [battleswarmblog.com]?

    Oh, it seems to be a different bank.

  • by Snotnose ( 212196 ) on Monday October 31, 2016 @10:14PM (#53189365)
    HRC is corrupt as fuck, the only thing is she considers business as usual what we plebes see as corrupt.

    Trump is corrupt as fuck, but he hasn't been investigated for 30 years. Not to mention Trump is a 100% asshole who shouldn't even be a choice. Dafuq R-tarded, you can't beat this asshole in a primary? Methinks you need to rethink some fundamental principles. Hint: Neither Ted Cruz nor Marco Rubio are your white knights on white horses running in to save the day.

    I finally voted today, went for Johnson. Yeah, he's a pothead who doesn't know what Aleppo is. But IMHO he's our best chance of not impeaching a president in the next 4 years.
  • This shouldn't be surprising. The only foreign country Trump praises is Russia, every traditional US ally he alienates in one form or another while Russia has shown itself directly antagonistic to Western interests and yet he still heaps praise on them. The only foreign political leader Trump ever praises is Putin. Members of his campaign staff have ties to Putin. Now we have the possibility of sketchy communications between Russia and Trump's campaign.

    I loathe conspiracy theories but if there was ever the c

  • The NY Times investigation referred to in the Slate article has now been released. I'm guessing Slate pushed them out a bit quicker than they'd hoped.

    Lots of interesting things in the article, but they feel there's insufficient evidence to claim a link between the Trump server and Alfa.

    http://www.nytimes.com/2016/11/01/us/politics/fbi-russia-election-donald-trump.html [nytimes.com]

  • by Black Parrot ( 19622 ) on Monday October 31, 2016 @11:23PM (#53189715)

    I'm sure everyone will give Trump the same benefit of the doubt that they give Hillary.

  • by dave562 ( 969951 ) on Monday October 31, 2016 @11:31PM (#53189751) Journal

    Do any of you guys remember one of the original Defcons, where Dan Farmer (I think?) was talking about hiding payloads in the white space of DNS packets?

    This quote from the article made me think about that.

    "Earlier this month, the group of computer scientists passed the logs to Paul Vixie. In the world of DNS experts, there’s no higher authority. Vixie wrote central strands of the DNS code that makes the internet work.

    ---->After studying the logs, he concluded, “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.” Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence. ---------

  • by TomGreenhaw ( 929233 ) on Tuesday November 01, 2016 @04:52AM (#53190587)
    The server belonged to an email marketing company. In this case there isn't a big deep dark secret Trump-Russian conspiracy.

    If you want an insight into Trump's ties with Russia, look at Paul Manafort and read Time magazine's article on the subject http://time.com/4433880/donald... [time.com]
