Don’t argue as if the world were sane

Glenn Greenwald, in every respect a reputable, diligent and ferociously smart gadfly, continually forgets to remember that few people are as sane and as willing to be led by evidence as he is. It’s his great failing.

Nowhere is it more visible than in his incredulity toward the CIA and the rest of the US state security apparatus concerning their claims of Russian tampering in the election process. He is dead right to mistrust the CIA’s every utterance. Lying, after all, is a large part of what they do for a living. Likewise, a politicised and partisan FBI is not a useful source for agenda-free commentary on Russia’s disinformation campaign.

But none of the above provides a sufficient basis to say that Russia has not played a direct and active role in the subversion of the American democratic process. Using the espionage establishment’s lack of credibility to refute the claim of Russian meddling is completely illogical.

We discount or discard the CIA’s claims precisely because we know that they’ve done far, far worse countless times in the past. We know they’ve planted or spun innumerable stories. To people living in vulnerable parts of the world, it’s simply axiomatic that Voice of America and USAID are tools of American influence. We also know they regularly use economic leverage to bring about certain policies, and they regularly plant stories to tarnish the image of any government that doesn’t toe their line.

Yes, they’re hypocrites and liars. Nobody disputes that. Yes, they’re guilty of exactly the sins of which Russia stand accused. But if anything, that realisation should reinforce the suspicion that Russia might be giving back as good as it gets. (Or better, depending on where you stand and how you feel about the success of the campaign to tarnish Hillary Clinton’s reputation.)

The sins of which the Russians stand accused are exactly the things that powerful countries do. They do it continually, shamelessly and cynically. It’s what they do.

The strong preponderance of evidence points to a multi-pronged, often unmediated Russian campaign to subvert faith in American democratic institutions. On the propaganda front, the weight of it is irrefutable. Just watch a couple of hours of RT. It’s slick, nicely weighted cynical propaganda that is calculated to seduce young, disaffected liberals.

The use of troll accounts to conduct disinformation campaigns is likewise well documented. There is sufficient circumstantial evidence to assume that, absent evidence directly contradicting what we know, that young Russians are being paid by the state to use social media to spread lies, distrust and conspiracy theories.

And if there were any lingering doubt, we’ve got several on-the-record interviews with Russians claiming to be paid trolls, deriving from independent sources.

There is sufficient circumstantial evidence that Russia was behind the DNC hack to convince some of the foremost minds in the IT security establishment. Bruce Schneier may not be perfect, but he is trustworthy. And if he says that there’s significant evidence pointing to Russian involvement in the interception of Democratic National Congress emails, you should listen. And if you don’t possess evidence contradicting his conclusion, you should accept that he’s probably right.

This is a bit of an argument to authority, I’ll admit, but having looked at the evidence he cites, on this and countless other occasions, I can say that statistically, he’s right most of the time, and when he’s not confident about a conclusion, he says so. But in this particular case, having seen the same evidence he has, I also don’t think he’s wrong.

Julian Assange’s claims that he knows his source isn’t Russian is neither credible nor conclusive. He’s locked up in an embassy, for heaven’s sake. He simply cannot know where his source got the data from. Any chain of custody breaks when it reaches him. He’s the weak link in his own argument.

The fact that he is biased, under extreme stress and has a history of paranoid persecution complexes that predate his captivity don’t have to come into it to discard him as a reliable source of evidence.

Most of the debunking of these claims consists of people finding logical inconsistencies in various accounts of the hack. That’s pretty weak tea. Strong evidence can be weakly presented, and usually is, because most reporters just don’t understand tech.

And that ignorance cuts both ways. A lot of the more incredulous posts evince an equal lack of understanding of technology, security and intrusion tactics.

A good example of this is Leonid Bershidsky’s op-ed saying he still doesn’t believe that Russia is behind the DC hack. To his credit, he is clearly keeping a more open mind than many. But his argument runs largely like this:

The evidence so far is from limited sources; and their interpretation of it isn’t iron-clad. Their recent claim to have linked the same malware to attacks on targeting software used by Ukrainian artillery is poor. It consist mostly of the argument that nobody benefits more than the GRU from subverted ballistic calculator software. Besides, the only infected examples were found on an online forum, and who gets their targeting software from an online forum when they can get it from their peers?

Hence,” he writes, “it’s hard for me to believe that this infected app—found somewhere on the internet and likely never used by Ukrainian soldiers—offers evidence tying the GRU to APT28.”

Here, right here, is where the vast majority of spy masters and tactical officers fail. They assume that people are smart and ruled by logic, just as they are. I would never download software from an untrusted source, they say, so who would? And if nobody’s that stupid, why would the Russians bother to show their hand with such a naïve tactic?

But people are that stupid. Repeatedly. Chronically. Historically. And they remain so in the face of every effort IT administrators have made over the decades since malware was first invented (by the Soviets, incidentally).

One of the first rules of intrusion is that you aim for the weak spot. Why the hell would you invest insane amounts of effort attacking the strongest part of the fort when all you have to do is convince some useful idiot to do the work for you? Formal experiments have been conducted to demonstrate how this can work. In one case, the attackers simply dropped a few infected USB sticks on the ground in a parking lot, and let some credulous bumpkin walk their spyware straight into the bank.

This seems to be exactly the same tactic as used with the infected targeting software. Leave a few compromised APK files around in forums, then wait for some idiot to download it and use it. He’ll no doubt be willing to share his copy with others who trust him. In a brief period, it could be possible to compromise and neutralise a number of artillery units.

Assuming that artillery officers are technically sophisticated and operate logically is… er, unwise.

But this is an all-too-common mistake made by people like Glenn and Leonid. They wrongly, and in the face of incontrovertible evidence, persist in wanting the world to operate logically and based on sane impulses. It doesn’t. People don’t.

Using people’s many and obvious inconsistencies to discard or debase their point of view is a silly, fruitless tactic. Yes, the evidence is often argued poorly, but that doesn’t make the evidence poor. Yes, people say one thing and then say another. But that doesn’t make all of what they say untrue.

Yes, a particular attack requires some pretty stupid victims to succeed. But the world has never lacked naïve, credulous people.