The DHS provides no warranties, the FBI is signed on, but the “government” confirms “technical indicators” which just means a Yara signature


Russia doesn’t claim to have a spy group called “Russian Intelligence Services.” Russia has Russian words to name its spies. Oddly, the USA claims that Russian spies phished, but the USA doesn’t know the Russian names of these spies, and just calls them “RIS,” or, more formally:

DISCLAIMER: This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service referenced in this advisory or otherwise.

This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities.

So the FBI is willing to put its name on a very vague report. The DHS has a big honking disclaimer at the top, so if it is all fake, the DHS walks away scot-free. The FBI claims that there are “technical indicators,” and beyond that, the rest of the report is squid ink and smoke clouds.

Read it yourself and tell me if you can find anything that indicates the Russian government authorized any of this.

jar_16-20296

There are lots of technical terms thrown in, and apparently some PHP code, just for grins.

Feast your eyes:

Yara Signature
rule PAS_TOOL_PHP_WEB_KIT
{
meta:
description = "PAS TOOL PHP WEB KIT FOUND"
strings:
$php = "<?php"
// several further string definitions from the JAR's rule are missing from this quotation
$cookie = "_COOKIE"
$isset = "isset"
condition:
(filesize > 20KB and filesize < 22KB) and
#cookie == 2 and
#isset == 3 and
all of them
}

So what exactly is a “Yara signature”?

Is that valid PHP code? It looks vaguely like PHP, but I’ve never seen PHP use the “condition:…all of them” syntax.

No, that weird thing at the end is Yara.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

http://virustotal.github.io/yara/

So the FBI is willing to say that somebody somewhere is using malware that is indexed by Yara. Great. That doesn’t prove the Russians did it.

Update: {quoted from Washington’s Blog}

[Bill] Binney is the NSA executive who created the agency’s mass surveillance program for digital information, who served as the senior technical director within the agency, who managed six thousand NSA employees, the 36-year NSA veteran widely regarded as a “legend” within the agency and the NSA’s best-ever analyst and code-breaker, who mapped out the Soviet command-and-control structure before anyone else knew how, and so predicted Soviet invasions before they happened (“in the 1970s, he decrypted the Soviet Union’s command system, which provided the US and its allies with real-time surveillance of all Soviet troop movements and Russian atomic weapons”).

Binney is the real McCoy. As we noted in 2013, Binney has been interviewed by virtually all of the mainstream media, including CBS, ABC, CNN, New York Times, USA Today, Fox News, PBS and many others.

Binney tells Washington’s Blog:

I expected to see the IP’s or other signatures of APT’s 28/29 [the entities which the U.S. claims hacked the Democratic emails] and where they were located and how/when the data got transferred to them from DNC/HRC [i.e. Hillary Rodham Clinton]/etc. They seem to have been following APT 28/29 since at least 2015, so, where are they?

Further, once we see the data being transferred to them, when and how did they transfer that data to Wikileaks? This would be evidence of trying to influence our election by getting the truth of our corrupt system out.

And, as Edward Snowden said, once they have the IP’s and/or other signatures of 28/29 and DNC/HRC/etc., NSA would use Xkeyscore to help trace data passing across the network and show where it went. [Background.]

In addition, since Wikileaks is (and has been) a cast iron target for NSA/GCHQ/etc for a number of years there should be no excuse for them missing data going to any one associated with Wikileaks.

***

Too many words means they don’t have clear evidence of how the data got to Wikileaks.

Binney designed the NSA’s electronic surveillance system, so he would know.


4 Responses to The DHS provides no warranties, the FBI is signed on, but the “government” confirms “technical indicators” which just means a Yara signature

  1. Danny Strong says:

    The “yara signature” is for a pattern matcher (called, unsurprisingly, “yara”), to watch for payloads that are naughty, by describing their appearance, if not their behavior.

    The rule described says “If the file’s size is 20-22kb, and the string ‘_COOKIE’ appears exactly twice, and the string ‘isset’ appears exactly 3 times, then you’ve got a match.” (Your quotation left out a couple of the lines from the DHS/FBI release.)

    … as a finder-of-naughty-things, this rule is pretty normal, but it’s pretty clear the Feds wanted to release as little as possible and still claim to have provided “technical details.”

    Hope this helps!
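An added illustration, not code from the post, the commenter or the JAR: the conditions of the quoted rule that are visible on this page (the `<?php` value of `$php` is inferred from the garbled quotation; the JAR's further string patterns are not modelled) re-expressed in Python and run over constructed files. It shows the coarseness the commenter describes: a harmless-looking PHP file of the right size with `_COOKIE` twice and `isset` three times satisfies every visible condition, while the same text at a different size, or with one more `isset()`, does not.

```python
import re

# Conditions recoverable from the rule as quoted on this page; the JAR's full
# rule has further string patterns that the blog's quotation dropped.
MIN_SIZE = 20 * 1024  # YARA's "20KB" is 20 * 1024 bytes
MAX_SIZE = 22 * 1024


def count_occurrences(data: bytes, needle: bytes) -> int:
    """Mimic YARA's #string counter: one hit per offset, overlapping included."""
    return len(re.findall(b"(?=" + re.escape(needle) + b")", data))


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each visible condition of PAS_TOOL_PHP_WEB_KIT and the overall verdict."""
    checks = {
        "php_present": b"<?php" in data,  # the $php string, required by "all of them"
        "size_in_range": MIN_SIZE < len(data) < MAX_SIZE,
        "cookie_eq_2": count_occurrences(data, b"_COOKIE") == 2,
        "isset_eq_3": count_occurrences(data, b"isset") == 3,
    }
    checks["match"] = all(checks.values())
    return checks


def build_sample(cookie_refs: int, isset_refs: int, size: int) -> bytes:
    """Construct a harmless PHP-looking file with the requested pattern counts,
    padded with a trailing comment to exactly `size` bytes (constructed test data)."""
    assert cookie_refs <= isset_refs
    body = b"<?php\n"
    for i in range(isset_refs):
        source = b"$_COOKIE" if i < cookie_refs else b"$_GET"
        body += b"if (isset(%s['k%d'])) { $v%d = 1; }\n" % (source, i, i)
    padding = size - len(body) - 4  # room for "// " and the final newline
    return body + b"// " + b"x" * padding + b"\n"


# Constructed samples: same kind of text, different sizes and counts.
LOOKALIKE = build_sample(cookie_refs=2, isset_refs=3, size=21 * 1024)    # every check true
TOO_SMALL = build_sample(cookie_refs=2, isset_refs=3, size=10 * 1024)    # size check fails
EXTRA_ISSET = build_sample(cookie_refs=2, isset_refs=4, size=21 * 1024)  # #isset is 4, not 3

if __name__ == "__main__":
    for name, sample in [("lookalike", LOOKALIKE), ("too_small", TOO_SMALL), ("extra_isset", EXTRA_ISSET)]:
        print(name, evaluate_rule(sample))
```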

  2. There is no proof the Russians did anything in those 13 pages. This document is technobabble designed to confuse and convince the uninitiated. Disgraceful propaganda as it stands.
