John Durham Is the Jim Jordan of Ken Starrs

Last Thursday, John Durham indicted Michael Sussmann, the Perkins Coie lawyer who advised the DNC, DCCC, and Clinton Campaign about cybersecurity in 2016 as they struggled to deal with a hostile nation-state attack aiming — in part — to help elect their opponent. The indictment accuses Sussmann of lying to FBI General Counsel James Baker at a September 19, 2016 meeting at which Sussmann shared information about the curious DNS traffic between a server used by a Trump marketing contractor and Alfa Bank.

emptywheel’s long history of debunking the Alfa Bank story

Before I unpack the indictment, let me remind readers that when this story first publicly broke, I explained why the Spectrum Health (aka my boob hospital at the time) aspect of the allegations made no sense, criticized Hillary’s team (including Jake Sullivan) for jumping on the story, and echoed Rob Graham’s criticism of the researchers who accessed DNS data to conduct this research.

In addition to his technical debunking, Robert Graham made an equally important point: researchers shouldn’t be accessing this data for ad-lib investigations into presidential candidates, and it’s not even clear who would have access to it all except the NSA.

The big story isn’t the conspiracy theory about Trump, but that these malware researchers exploited their privileged access for some purpose other than malware research.

[snip]

In short, of all the sources of “DNS malware information” I’ve heard about, none of it would deliver the information these researchers claim to have (well, except the NSA with their transatlantic undersea taps, of course).

[snip]

[B]efore Tea Leaves started pushing this story to the press, the FBI had been investigating it for two months.

Which, to my mind, raises even more questions about the anonymous researchers’ identities, because (small world and all) the FBI likely knows them, in which case they may have known that the FBI wasn’t jumping on the story by the time they started pitching it.

Or the FBI doesn’t know them, which raises still more questions about the provenance of these files.

Ah well, if President Hillary starts a war with Russia based off Iraq-War style dodgy documents, at least I’ll have the satisfaction of knowing my boob clinic is right there on the front lines.

In March 2017, I observed that the weird Alfa Bank entry in the Steele dossier suggested a feedback loop between the Alfa Bank server story and the dossier project. Then days after that, I noted all the ways that the packaging of this story made it more suspect.

In 2018, I complained about the way Dexter Filkins had strained to sustain the story, while noting that people ought to look more closely at why Alfa Bank might be the focus here; the Mueller Report since confirmed that within weeks after the story broke publicly, Vladimir Putin pushed Oligarchs from Alfa Bank to fight harder against western sanctions, something that the alleged source for the Alfa Bank entry in the dossier seemed to parrot.

In short, I not only have consistently criticized this story, but have done so in ways that anticipate the most justifiable parts of the indictment. It’s only the last bit — how the Alfa narrative echoes Putin’s interests — that this indictment doesn’t incorporate.

I guess with five more years Durham might get there…

So in unpacking this indictment, I’m in no way defending the Alfa Bank – Trump Tower story. It was a sketchy allegation, the packaging of it was suspect, and those who conducted the research arguably violated ethical guidelines.

I got to where Durham got in this indictment years and years ago. But that doesn’t make it a crime.

John Durham’s “narrative”

Moreover, that doesn’t mean Durham should tell as strained a “narrative” as those who packaged up this story. Central to Durham’s indictment is an assumption that if a victim of a crime who believed at the time that the crime had a — since confirmed — political goal reports suspicious, potentially related details, the victim must be motivated exclusively out of self-interest, not good citizenship or a concern about national security. That is, this entire indictment assumes that when Russia attacks a Presidential candidate, that is not itself a national security concern, but instead nothing more than a political dispute.

Effectively, John Durham has made it a crime for someone victimized by a Russian influence operation to try to chase down Russian influence operations.

Tech Executive-1 and Clinton both had retained Perkins Coie long before this, with Sussmann getting involved specifically for cybersecurity help in the wake of the Russian hack

The indictment, perhaps deliberately, obscures the timeline and facts leading up to the charged lie. But here’s the story it tells. First, all of Durham’s subjects established contracts with each other, even though all of those contracts (including Fusion GPS’) had scopes far larger than oppo research on Trump’s relationship with Russia.

  • In February 2015, Tech Executive-1 (whom I’ll call TE-1 for brevity) retained Sussmann to deal with a US government agency [Durham does not say whether this matter was resolved or continued in this period in 2016, which is central to the question of what kind of client of Sussmann’s TE-1 was].
  • In April 2015, the Clinton Campaign retained Perkins Coie and made Marc Elias the Campaign’s General Counsel.
  • In April 2016, the victim of a Russian government election-related attack, the DNC, retained Sussmann to help it deal with the aftermath, which included meeting with the FBI. As the indictment describes, this was not just legal support but cybersecurity.
  • [After a Republican retained them first and on a date that Durham doesn’t reveal,] Perkins Coie retained Fusion GPS to conduct oppo research on Trump pertaining to Russia [and other topics, though Durham doesn’t mention those other topics].

Durham only mentions in passing, later, that the researchers involved here similarly knew each other through relationships that focused on cybersecurity and predated these events.

Via means and on specific dates that Durham doesn’t always provide, Tea Leaves, TE-1, Sussmann, and two Researchers got the DNS data showing an anomaly

There are two sets of research here: that done in a university setting and that done at companies associated with TE-1, though TE-1 is the pivot to both. As depicted, Durham suggests the former are more legally exposed than the latter.

  • By some time in late July 2016 [the exact date Durham doesn’t provide], a guy who always operated under the pseudonym Tea Leaves but whom Durham heavy-handedly calls “Originator-1” instead had assembled “purported DNS data” reflecting apparent DNS lookups between Alfa Bank and “mail1.trump-email.com” that spanned from May 4 through July 29.
  • Tea Leaves was a business associate of TE-1 and via means Durham doesn’t describe, the data Tea Leaves gathered was shared with TE-1.
  • “In or about July 2016” [at a time that, because of the laws of physics, must post-date the late July date when Tea Leaves collected this data and the date when he shared them with TE-1], TE-1 alerted Sussmann to the data.
  • On July 31, Sussmann billed the Clinton Campaign for 24 minutes with the billing description, “communications with Marc Elias regarding server issue.”
  • At some point [Durham doesn’t provide even a month, but by context it was at least as early as July 2016 and could have been far, far earlier], TE-1’s company provided a university with data for a government contract ultimately not contracted until November 2016, including the DNS data from an Executive Branch office of the US government that Tech Exec-1’s company had gotten as a sub-contractor to the US government. [The date of this is critical because it would be the trigger for a Conspiracy to Defraud charge, if Durham goes there.]
  • In or about August 2016 [Durham doesn’t provide a date], a federal government agency was finalizing but had not yet signed a cybersecurity research contract with [presumably] that same university to receive and analyze large quantities of public and non-public data “to identify the perpetrators of malicious cyber-attacks and protect U.S. national security.” Tea Leaves was the founder of a company that the university was considering [Durham doesn’t provide the date of consideration, but generally these things precede finalization] for a subcontract with the government contract.

TE-1 directs employees of companies under his control to research this issue

Though Durham’s indictment is somewhat vague, at least one piece of research from companies associated with TE-1 was shared with the FBI; it appears that other threads of research were not shared.

  • In or about early August 2016 [the dates of which Durham doesn’t provide], TE-1 directed personnel at two companies in which he had an ownership interest to search for what the indictment calls, “any Internet data reflecting potential connections or communications between Trump or his associates and Russia,” which Durham describes to be “derogatory information on Trump.” In connection with this tasking, TE-1 later stated [on a date Durham doesn’t describe] he was working with someone who had close ties to the Democratic Party.
  • At some point, an individual tasked with this work described being “uncomfortable regarding this tasking,” [Durham doesn’t describe when he learned this or whether there is any contemporaneous proof].
  • At some point [Durham doesn’t describe the date], TE-1 provided one of his companies with personal (but publicly available) data from six Trump associates and one purported US-based lobbyist for Alfa Bank and directed that these individuals should be the focus of that company’s data queries and analysis [Durham doesn’t say whether these six associates overlapped with the people Fusion had been tasked to research, nor does he allege they got included in the eventual reports to the FBI; both details are needed to assess his case].
  • On August 12, 2016, Sussmann, Elias, and TE-1 met in Elias’ office; Sussmann billed his time to the Clinton Campaign describing, “confidential meetings with Elias, others.”
  • On August 15, employees at one of the companies queried their holdings against a set of addresses that referred to Trump and/or Alfa Bank.
  • During the same time period [Durham doesn’t specify when], employees at Internet Company-3 drafted a written paper that included technical observations that Sussmann would later convey to the FBI.

Around the time this started, Sussmann met Fusion and a bunch of meetings happened that were billed to Hillary

  • On July 29, Sussmann and Marc Elias met with Fusion GPS [Durham doesn’t affirmatively claim this data pertained to the server issue], and Sussmann billed his time to the Hillary Campaign under “General Political Advice,” a different description than all the other Fusion meetings that Durham more credibly claims relate to the Alfa Bank allegation.
  • Around “the same [August] time period” [Durham doesn’t provide the date], Sussmann, Elias, and Fusion personnel began exchanging emails with the subject line, “Connecting you all by email;” [Durham doesn’t say who initiated the email, but it suggests that before this period, Sussmann and Fusion did not have direct contact].
  • On August 17, 2016, Sussmann, Elias, and TE-1 conducted an additional conference call, for which Sussmann billed his time to the Clinton campaign, noting “telephone conference with” TE-1 and Elias.
  • On August 19, 2016, Sussmann and Elias had another in-person meeting that Sussmann described as a meeting with TE-1, which was billed as a “confidential meeting with Elias, others.”

Researchers 1 and 2 and Tea Leaves worked with TE-1 on a “storyline” and “narrative” with varying degrees of skepticism expressed

This is the stuff Durham–with some justification–has used and will use to taint all this as a political project.

  • On July 29, Researcher-2 emailed Researcher-1 the data compiled by Tea Leaves [Durham provides no evidence that TE-1 was involved in this exchange].
  • On August 19, Researcher-1 queried Internet data maintained by TE-1’s company [it is not clear but this suggests it was not the data turned over to the University] for the aforementioned mail1.trump-email.com domain. Researcher-1 then emailed TE-1 with the list of domains that had communicated with it, saying the list, “does not make much sense with the storyline you have.”
  • On August 20, Tea Leaves emailed Tech Exec-1, Researcher-1, and Researcher 2, stating that, “even if we found what [TE-1] asks us to find in DNS, we don’t see the money flow, and we don’t see the content of some message saying, ‘send money here’.” Tea Leaves then explained that one could fill out sales forms and cause them, “to appear to communicate with each other in DNS.” Tea Leaves then noted that “it’s just not the case that you can rest assured that Hillary’s opposition research and whatever professional gov and investigative journalists are also digging come up with the same things.”
  • On August 20, TE-1 clarified that the task was “indeed broad,” and that,
    • Being able to provide evidence of *anything* that shows an attempt to behave badly in relation to this [Durham doesn’t describe what the antecedent of “this” is], the VIPs would be happy. They’re looking for a true story that could be used as the basis for closer examination.
  • Still on August 20, seemingly distinguishing between that task and the Alfa Bank allegations, TE-1 said, “the prior hypothesis was all that they needed: mailserver dedicated or related to trump … and with traffic almost exclusively with Alfa was sufficient to do the job. … Trump has claimed he and his company have had NO dealings with .ru other than the failed Casino, and the Miss universe pageant. He claims absolutely NO interaction with any financial institutions. So any potential like that would be jackpot.” [Ellipses original]
  • On August 21, TE-1 emailed the recipients [but not, apparently, Sussmann], urging them to do further research on Trump which would “give the base of a very useful narrative.” He added that he didn’t believe the trump-email.com domain was a secret communications channel but a “red herring,” because the host was “a legitimate valid company,” stating they could “ignore it, together with others that seem to be part of the marketing world.”
  • On August 22, Researcher-1 raised doubts about whether, using only the tools they were currently using, they could prove their hypothesis. Among the concerns raised is that they couldn’t prove that “this is not spoofed [] traffic.” [brackets original; bolded in the original]
  • Later in or about August 2016 [on dates Durham doesn’t provide], TE-1 exchanged emails with personnel from Fusion.

Sussmann drafts a white paper and (via unstated means) TE-1 gets Researchers 1 and 2 and Tea Leaves to review it

  • Between September 5 and September 14, Sussmann drafted a white paper, generally billing his time to the Clinton Campaign, but on September 14, billing time to both Clinton and TE-1.
  • On September 14, TE-1 [not Sussmann] sent the white paper he had drafted to Researcher 1, Researcher 2, and Tea Leaves to ask them if a review of less than an hour would show this to be plausible. Though some of them noted how limited the standard of “plausibility” was, they agreed it was plausible, and Researcher 2 said [Durham does not quote the specific language here] “the paper should be shared with government officials.”

Sussmann shares this and other information with James Baker and–Durham claims–affirmatively lies about whether he is representing someone

  • Both before the September 19 meeting and after it (notably in a September 12 meeting involving the NYTimes, in which Marc Elias also participated), Sussmann spoke to the press about what Durham credibly suggests was the Alfa Bank white paper. Sussmann billed this to Clinton.
  • On September 19, Sussmann met with Baker and provided him with three white papers and a thumb drive with data. Durham doesn’t actually make clear where all three of these came from.
  • On September 19, Sussmann met with James Baker. Durham claims that “he stated falsely that he was not acting on behalf of any client” [which Durham cannot quote because there’s no contemporaneous record], that he had been approached by multiple cyber experts [Durham doesn’t say whether the three he named were Researcher 1, Researcher 2, and Tea Leaves or other people, as seems to be the case], three white papers [which I may return to because this is another problematic spot in his story], and some of the data, which Durham calls “purported.”
  • Immediately after the September 19 meeting, Baker met with Bill Priestap whose notes read:
    • Michael Sussman[n] — Atty: Perkins Coie — said not doing this for any client
      • Represents DNC, Clinton Foundation, etc. []
      • Been approached by Prominent Cyber People (Academic or Corp. POCs), People like: [three names redacted]
  • Durham substantiates a claim that Sussmann billed the meeting itself to Hillary with a description, “work and communications regarding confidential project,” that does not, at least as he quotes it, mention a meeting with the FBI General Counsel at all.

Some of this — the reference to crafting a narrative and a storyline — is damning and validates my discomfort with the political nature of this project five years ago. Other parts of this emphasize the researchers’ insistence on truth from at least parts of this effort. Still others (such as the recognition that this could be spoofed data) will almost certainly end up being presented as exculpatory if this ever goes to trial, but Durham seems to think they are inculpatory.

In one place, Durham describes “aforementioned views,” plural, that the Alfa Bank data was a “red herring,” something only attributed to TE-1 in the indictment, seemingly presenting TE-1’s stated view on August 21 to everyone involved, including Sussmann, who does not appear to have been on that email chain. He claims Sussmann, Researcher 1 and 2, TE-1, and Tea Leaves drafted the white paper(s) shared with the FBI, but all he substantiates is a less than one hour review by everyone but Sussmann. He leaves out a great deal of detail about what Jean Camp and someone using the moniker Tea Leaves did and said, publicly, after the FBI meeting, which may totally undercut Durham’s “narrative.”

But other parts, even of the story that Durham tells, are problematic for his narrative. First, there is not (yet) the least hint that Tea Leaves — whom he calls “The Originator” — fabricated this data (or even packaged it up misleadingly, though I think there is evidence he did). Nor is there the least hint that TE-1 asked Tea Leaves to come up with the data. That part of the story is fundamentally important and Durham simply ignores it with that legally unnecessary — particularly given that Durham clearly labels this person as Tea Leaves — moniker “Originator,” giving the anomalous forensic data a kind of virgin birth. And while two of the four tech experts described herein (there appear to be at least three others not described) expressed some doubt about the meaning of it, none of them seems to have doubted that there was an anomaly in the Trump marketing server and Alfa Bank.

Based on this story, though, Durham insinuates Sussmann fed information that he, Sussmann, knew to be bullshit to the FBI on behalf of both Hillary and TE-1, and in so doing affirmatively hid that the bullshit “storyline” was designed to help Hillary which (he claims) would have led the FBI to treat it differently.

In spite of a lot of thus far extraneous details, that’s the only crime he has alleged.

The existing case is remarkably weak

As a number of people have noted, as charged this is a remarkably weak case. Ben Wittes dedicates a section of his post on this indictment to those weaknesses. They are, succinctly:

  • The evidence regarding the core allegation in the indictment pits Sussmann’s word against James Baker’s; there are no other witnesses.
  • After the meeting with Baker, Sussmann repeatedly admitted under oath he was representing a client, a detail which could be exculpatory or inculpatory.
  • Baker testified to Congress he did believe Sussmann was representing a client (meaning Baker will be used to discredit Baker, the one witness to Sussmann’s alleged lie).
  • Even in Bill Priestap’s nearly-contemporaneous notes which are the only documentation of Sussmann’s comments, he describes Sussmann as Hillary’s lawyer (including for the Clinton Foundation, which may be incorrect), so FBI knew full well that Sussmann represented Hillary.
  • Priestap’s notes may be inadmissible hearsay at trial.

The NYT article predicting these charges also claims Durham is conflating Sussmann’s tracking of his hourly work with the actual money charged to the Hillary campaign.

Moreover, internal billing records Mr. Durham is said to have obtained from Perkins Coie are said to show that when Mr. Sussmann logged certain hours as working on the Alfa Bank matter — though not the meeting with Mr. Baker — he billed the time to Mrs. Clinton’s 2016 campaign.

[snip]

They are also said to have argued that the billing records are misleading because Mr. Sussmann was not charging his client for work on the Alfa Bank matter, but needed to show internally that he was working on something. He was discussing the matter with Mr. Elias and the campaign paid a flat monthly retainer to the firm, so Mr. Sussmann’s hours did not result in any additional charges, they said.

There are a number of other ways that Sussmann’s presumably well-funded defense will combat these charges. But as to the allegation buried amid all these details, Durham’s evidence is weak.

Durham’s materiality broadcasts his bid for a ConFraudUS conspiracy

But that’s not what this is about.

Durham is not just alleging that Sussmann was hiding that he was working for Hillary. He is also claiming that Sussmann was at the same time representing TE-1 at that meeting. In the indictment, I think that’s based on a single data point — that Sussmann billed TE-1’s company for “communications regarding confidential project” on September 14. I’m not sure whether that makes the false statements case still weaker or stronger.

But it’s a key part of where Durham obviously wants to go.

Not only are many of the details Durham included in the indictment irrelevant to the false statements charge, but if they were crimes by themselves, they would have been tolled under any five year statute of limitations already. There are only two conceivable purposes for including them in this indictment. First, to give the Alfa Bank Oligarchs more cause to sue more people, effectively a US prosecutor assisting Russians in cynical lawfare. Durham’s investigation incorporates stuff the Oligarchs have already liberated, so is itself derivative of Russian lawfare. Effectively, that means that a prosecutor working for Bill Barr’s DOJ pursued a prosecution that was complementary to an intelligence-related effort by foreigners who pay Kirkland & Ellis a lot of money. Sussmann will have real cause to question whether Brian Benczkowski (who recused from matters involving this aspect of Alfa Bank) or any other Kirkland & Ellis lawyer had a role in this strand of the investigation.

Then there’s the most obvious way to extend the statute of limitations on the events that happened in July and August 2016: to include them in a conspiracy that continued after those dates (and indeed, Durham refers to Elias, Researcher 1 and 2, and Tea Leaves in the way DOJ often uses to refer to charged or uncharged co-conspirators).

Given the extended statement Durham includes to explain why Sussmann’s alleged lie is material under the charged statute, that’s undoubtedly where Durham wants to head with his investigation.

SUSSMANN’s lie was material because, among other reasons, SUSSMANN’s false statement misled the FBI General Counsel and other FBI personnel concerning the political nature of his work and deprived the FBI of information that might have permitted it more fully to assess and uncover the origins of the relevant data and technical analysis, including the identities and motivations of SUSSMANN’s clients.

Had the FBI uncovered the origins of the relevant data and analysis and as alleged below, it might have learned, among other things that (i) in compiling and analyzing the Russian Bank-1 allegations, Tech Executive-1 had exploited his access to non-public data at multiple Internet companies to conduct opposition research concerning Trump; (ii) in furtherance of these efforts, Tech Executive-1 had enlisted, and was continuing to enlist, the assistance of researchers at a U.S.-based university who were receiving and analyzing Internet data in connection with a pending federal government cybersecurity research contract; and (iii) SUSSMANN, Tech Executive-1, and Law Firm-1 had coordinated, and were continuing to coordinate, with representatives and agents of the Clinton Campaign with regard to the data and written materials that Sussmann gave to the FBI and the media.

Don’t get me wrong. This will clearly pass the incredibly low standard for materiality under existing precedent. Though Sussmann will surely make much of citing the invented standard Billy Barr used to try to dismiss the Mike Flynn prosecution, which first requires the investigation in question to be legitimate.

The Government is not persuaded that the January 24, 2017 interview was conducted with a legitimate investigative basis and therefore does not believe Mr. Flynn’s statements were material even if untrue. Moreover, we do not believe that the Government can prove either the relevant false statements or their materiality beyond a reasonable doubt.

[snip]

In any event, there was no question at the FBI as to the content of the calls; the FBI had in its possession word-for-word transcripts of the actual communications between Mr. Flynn and Mr. Kislyak. See Ex. 5 at 3; Ex. 13. at 3. With no dispute as to what was in fact said, there was no factual basis for the predication of a new counterintelligence investigation. Nor was there a justification or need to interview Mr. Flynn as to his own personal recollections of what had been said. Whatever gaps in his memory Mr. Flynn might or might not reveal upon an interview regurgitating the content of those calls would not have implicated legitimate counterintelligence interests or somehow exposed Mr. Flynn as beholden to Russia.

If DOJ had no interest in figuring out whether Trump was undermining sanctions to pay off a quid pro quo, they sure as hell have no interest in launching a 3-year investigation to figure out the tie between these allegations and Hillary that was obvious to Priestap in real time, particularly given how quickly the FBI dismissed the allegations in 2017 and given that the allegations are not publicly known to have had a tie to their larger Russian investigation.

Still, while Durham will have no trouble proving Sussmann’s claimed lie meets the standards of materiality, Durham’s claims for it are ridiculous.

It’s a load of horseshit that FBI would have treated this tip any differently — which amounted to investigating it, alerting the press there was nothing to it, then dismissing it pretty quickly, as far as is public — if they knew that Sussmann was formally being paid at that meeting by Hillary, if he in fact was. Priestap knew Sussmann was representing Hillary and said as much in the best evidence Durham has! In fact, FBI’s warning to the NYT about this story in October could be presented as evidence that FBI already incorporated an assumption this came from Hillary.

Likewise, it’s a load of horseshit that FBI couldn’t know that the Bureau needed to ID the researchers behind the project. If I was able to figure out that was important before the 2016 election, and I did, then the experts at the FBI surely figured that out.

But what Durham’s materiality statement emphasizes — what Durham claims Sussmann intended to hide with his claimed lie — is that, “researchers at a U.S.-based university … were receiving and analyzing Internet data in connection with a pending federal government cybersecurity research contract.” That’s the significance of ¶¶23a through e of the indictment, which describe how TE-1 provided data that included some from an Executive Branch office of the U.S. government, which his company had obtained “as a sub-contractor in a sensitive relationship between the U.S. government and another company,” to the university at which Researcher 1 and 2 were working, and how he tasked both his university researcher allies and employees of his own company to research Donald Trump. Durham is suggesting that subset of data taints the whole pool that TE-1 shared, making it a Federal interest.

It’s not just that Durham is working on a theory that Sussmann deliberately dealt garbage to the FBI (which GOP sources also did on the Clinton Foundation) while trying to hide that fact. It’s that data originally sourced from the government was used in doing that research.

It’s actually the kind of argument that DOJ prosecutors typically succeed with. Except it’s all premised on proving that Sussmann was trying to hide all this in his meeting with Baker. Even if the evidence surrounding the meeting weren’t so flimsy, this is another degree of motive that Durham is straining mightily to make.

Durham needs Sussmann to have lied, because a deliberate attempt to obscure the rest is necessary for his “storyline.” His evidence that Sussmann lied — much less, deliberately — is shoddy. But if he can’t get that, then his hopes for a larger “narrative” collapse.

The parts of the story Durham doesn’t tell

That becomes more clear when you consider some details that Durham doesn’t include in his indictment.

Two details that were public to everyone involved make it clear why Durham’s silence about the exact dates in July when this operation started is so corrupt.

On July 22, WikiLeaks published emails that were at the time believed and since have been confirmed by the FBI to have been hacked by Russia. Durham hides the dates in July when many of these events transpired, but everything he includes suggests this activity post-dated the time when WikiLeaks published stolen emails and the entire security community in the US, surely including every researcher mentioned in this story, coalesced on the belief that Russia was the culprit. Durham refers to Russia’s attack on Hillary (and therefore on the US) inaccurately as, “the hacking of its email servers by the Russian government” and “a hack” (the hack went well beyond just email and continued through the period of Sussmann’s meeting with Baker). But, amazingly, Durham’s “narrative” doesn’t account for the fact that Hillary was targeted not just with an attack but with an information operation. And the timeline he presents here affirmatively hides that these events took place after the entire security community understood that there was an information operation aspect to the attack.

Then, on July 27, Trump gave a press conference in Florida where he said numerous things that make all the actions of Sussmann and others justifiable on national security grounds. First, Trump raised doubts about the Russian attribution of the DNC hack that, by that point in July, was the consensus among national security experts, undoubtedly including every tech expert mentioned in this indictment.

I watched this guy Mook and he talked about we think it was Russia that hacked. Now, first of all was what was said on those that’s so bad but he said I watched it. I think he was live. But he said we think it was Russia that hacked.

And then he said — and this is in person sitting and watching television as I’ve been doing — and then he said could be Trump, yeah, yeah. Trump, Trump, oh yeah, Trump. He reminded me of John Lovitz for “Saturday Night Live” in the liar (ph) where he’d go yes, yes, I went to Harvard, Harvard, yes, yes. This is the guy, you have to see it. Yes, it could be Trump, yes, yes. So it is so farfetched. It’s so ridiculous. Honestly I wish I had that power. I’d love to have that power but Russia has no respect for our country.

And that’s why — if it is Russia, nobody even knows this, it’s probably China, or it could be somebody sitting in his bed. But it shows how weak we are, it shows how disrespected we are. Total — assuming it’s Russia or China or one of the major countries and competitors, it’s a total sign of disrespect for our country. Putin and the leaders throughout the world have no respect for our country anymore and they certainly have no respect for our leader. So I know nothing about it.

Trump then offered his bullshit explanation for why he wouldn’t release his tax returns, framing it in terms of whether he had business ties to Russia.

TRUMP: Because it’s under order. And I’ll release them when the audits completed. Nobody would release when it’s under — I’ve had audits for 15 or 16 years. Every year I have a routine audit. I’m under audit, when the audits complete I’ll release them. But zero, I mean I will tell you right now, zero, I have nothing to do with Russia, yes?

Trump then said the nation-state hack of his opponent wasn’t the important thing, the content of the emails that were released was, thereby encouraging the press to participate in the information operation aspect of this attack.

He already did something today where he said don’t blame them, essentially, for your incompetence. Let me tell you, it’s not even about Russia or China or whoever it is that’s doing the hacking. It was about the things that were said in those e-mails. They were terrible things, talking about Jewish, talking about race, talking about atheist, trying to pin labels on people — what was said was a disgrace, and it was Debbie Wasserman Schultz, and believe me, as sure as you’re sitting there, Hillary Clinton knew about it. She knew everything.

Trump then asked Russia to further hack his opponent.

Russia, if you’re listening, I hope you’re able to find the 30,000 e-mails that are missing.

Trump then doubled down on the comment he made about his taxes, assuring the press that he had “zero” business ties with Russia.

TRUMP: No, I have nothing to do with Russia, John (ph). How many times do I have say that? Are you a smart man? I have nothing to with Russia, I have nothing to do with Russia.

And even — for anything. What do I have to do with Russia? You know the closest I came to Russia, I bought a house a number of years ago in Palm Beach, Florida.

Palm Beach is a very expensive place. There was a man who went bankrupt and I bought the house for $40 million and I sold it to a Russian for $100 million including brokerage commissions. So I sold it. So I bought it for 40, I told it for 100 to a Russian. That was a number of years ago. I guess probably I sell condos to Russians, OK?

QUESTION: (OFF-MIKE)

TRUMP: Of course I can. I told you, other than normal stuff — I buy a house if I sold it to a Russian. I have nothing to do with Russia. I said that Putin has much better leadership qualities than Obama, but who doesn’t know that?

QUESTION: (OFF-MIKE)

TRUMP: Of course not. I own the Trump organization. Zero, zero. Go ahead.

Trump then reiterated his claim that no one could attribute the DNC hack to Russia.

TRUMP: No, but they seem to be, if it’s Russians. I have no idea. It’s probably not Russia. Nobody knows if it’s Russia. You know the sad thing is? That with the technology and the genius we have in this country, not in government unfortunately, but with the genius we have in government, we don’t even know who took the Democratic National Committee e-mails. We don’t even know who it is.

I heard this morning, one report said they don’t think it’s Russia, they think it might be China. Another report said it might be just a hacker, some guy with a 200 I.Q. that can’t get up in the morning, OK? Nobody knows. Honestly they have no idea if it’s Russia. Might be Russia. But if it’s any foreign country, it shows how little respect they have for the United States. Yes, ma’am.

Finally, Trump also stated that he would consider lifting sanctions on Russia.

QUESTION: I would like to know if you became president, would you recognize (inaudible) Crimea as Russian territory? And also if the U.S. would lift sanctions that are (inaudible)?

TRUMP: We’ll be looking at that. Yeah, we’ll be looking.

Each of these comments, individually, would have raised eyebrows. The same comments, made by an American citizen, would equally have raised alarms among those committed to cybersecurity.

But for a presidential candidate to encourage the hostile nation-state information operation targeting his opponent, then ask the hostile nation-state to further target her, in conjunction with the repeated denials of any business ties to Russia, raised real, legitimate questions about whether Trump was putting his own interests above the national security of the country.

You might excuse Durham for excluding this from his indictment because, after all, he was busy indicting a ham sandwich based on hearsay evidence and he might be able to exclude these facts at trial. Except that an August 20 comment from TE-1 that Durham quotes in his indictment may be a direct reference to (and at the least incorporates knowledge of) this press conference.

Trump has claimed he and his company have had NO dealings with .ru other than the failed Casino, and the Miss universe pageant. He claims absolutely NO interaction with any financial institutions. So any potential like that would be jackpot.

That is, Durham included what appears to be a reference to the July 27 press conference. It appears (though Durham obscures this point) that all the actions laid out in this indictment post-date the press conference. Virtually everyone in the US committed to ensuring America’s national security was alarmed by Trump’s comments in this press conference. Yet Durham doesn’t acknowledge that all these actions took place in the wake of public comments that made it reasonable for those committed to cybersecurity to treat Donald Trump as a national security threat, irrespective of partisan affiliation.

Durham will work hard to exclude detail of Trump’s press conference from trial. But I assume that if any of the named subjects of this investigation were to take the stand at trial, they would point out that it was objectively reasonable after July 27 to have national security concerns based on Trump’s encouragement of Russia’s attack on Hillary Clinton and his defensive denials of any business ties. Any of the named subjects of the indictment would be able to make a strong case that there was reason to want to, as a matter of national security, test Trump’s claim to have no financial ties to Russia. Indeed, the bipartisan SSCI Report concluded that Trump posed multiple counterintelligence concerns, and therefore has concluded that Durham’s portrayal of politics as the only potential motive here is false.

Central to Durham’s theory of prosecution is that there was no sound national security basis to respond to anomalous forensic data suggesting a possible financial tie between Trump and Russia. Except that, after that July 27 speech — and all of these events appear to post-date it — that theory is unsustainable.

The parts of the story Durham doesn’t tell

And not only was it objectively reasonable to test whether Trump’s claims to have “zero” business ties to Russia were false, but those suspecting that Trump was hiding such ties were, in fact, correct.

According to Michael Cohen, when Trump walked off the stage from that July 27 press conference, Cohen asked Trump why he had claimed that he had zero business ties with Russia when he had in fact been pursuing an impossibly lucrative deal to brand a Trump Tower in Moscow. And we now know that within hours of Trump’s request, GRU hackers made a renewed assault on Hillary’s own servers. By the time security researchers pursued anomalous data suggesting covert communications with a Russian bank, Cohen had already participated in discussions about working with two sanctioned Russian banks to fund the Trump Tower deal, had agreed to work with a former GRU officer to broker it, had spoken to an aide of Dmitry Peskov, and had been told that Putin was personally involved in making the deal happen. Just on the Trump Tower basis alone, Trump had publicly lied in such a way that posed a counterintelligence risk to America.

But that was not the only thing that Trump had done by the date when a bunch of security researchers responded to anomalous forensic data to test whether Trump was hiding further ties to Russia’s attack on Hillary Clinton.

In March, Trump hired Paul Manafort, a financially desperate political operative with close ties to a Russian intelligence officer, Konstantin Kilimnik, who may have been involved in the hack-and-leak operation (SSCI provided three redacted examples of this). In April, Manafort started leveraging his relationship with Trump to try to make money. In May, Manafort started regularly sending Kilimnik the campaign’s internal polling data. All that happened before researchers started testing Trump’s claims to have had no tie to Russia. On July 28, Kilimnik emailed Manafort to set up a meeting to talk about the future of Ukraine. Just days after the researchers started the inquiry, on August 2, Manafort met with Kilimnik to discuss carving up Ukraine in the same meeting where he described his strategy to win the election.

In April, an academic with close ties to Russia, Joseph Mifsud, told an unqualified braggart whom Trump had added to his team to pretend he had a foreign policy plan, George Papadopoulos, that Russia had thousands of Hillary’s emails that they intended to release to help Trump.

In May, according to Rick Gates’ testimony, Roger Stone started claiming he had advance knowledge of what would become the WikiLeaks releases. On or about June 15, per Gates, Stone told him that “he had contact with Guccifer 2.” According to a warrant affidavit targeting Stone, he searched Google on “Guccifer” before the Guccifer website went up that day. On June 23, Manafort called Stone and then the two old friends met for 30 minutes in the Trump cafeteria. On June 30, Stone spoke to Trump. According to multiple sources (including Michael Cohen), Stone knew of the DNC drop before it happened.

In June, Don Jr accepted a meeting with Natalia Veselnitskaya at which he believed he would get dirt on Hillary Clinton. At the meeting, Veselnitskaya asked Don Jr to end sanctions on Russia, and the candidate’s son said his dad would reconsider it if he won.

In short, the researchers who, in the wake of Trump’s damning comments, were testing whether Trump had lied about having ties to Russia not only had objectively reasonable reasons to do that research, but their suspicions were proven correct, over and over again.

Durham describes the outcome of the FBI investigation into the allegations this way:

The FBI’s investigation of these allegations nevertheless concluded that there was insufficient evidence to support the allegations of a secret communications channel with Russian Bank-1. In particular, and among other things, the FBI’s investigation revealed that the email server at issue was not owned or operated by the Trump Organization but, rather, had been administered by a mass marketing email company that sent advertisements for Trump hotels and hundreds of other clients.

Nothing here suggests the FBI disproved that this was an anomaly.

And there’s one more detail that Durham didn’t include in the Sussmann indictment: on July 26, Australia first shared their report about what George Papadopoulos told Alexander Downer in May. The next day, July 27, the FBI Legat in the UK got the tip. On July 31 — before the substantive research into the Alfa Bank allegation began — the FBI opened an UNSUB investigation into who got advance warning about the Russian operation and shared it with George Papadopoulos. In other words, by hiding the dates when Tea Leaves first discovered the anomalous data, Durham is hiding not just the damning things that publicly happened before the Alfa Bank operation got started, but probably details about the tip that turned into the Crossfire Hurricane investigation.

In the wake of the Sussmann indictment, the usual Russian denialists have claimed that this proves that what they call “Russiagate” was all a fraud.

Such claims defy the rules of physics, suggesting that events that happened after the FBI opened an investigation to learn how and why the Trump campaign (via three channels, as it turns out) learned of the Russian attack in advance were in fact the cause of it.

It is likely that Durham will be able to exclude all these details from a Michael Sussmann trial, at least if it remains just a false statements case. He will be able to convince Judge Christopher Cooper, who is presiding over the case, that this information — that the researchers not only had reason to believe Trump presented a cybersecurity risk to the country, but that the researchers turned out to be right, and that FBI had itself determined there was reason to carry out the same kinds of investigations that the researchers did, possibly before any one of them took a single step — is irrelevant to the case against Sussmann. But if Durham charges ConFraudUS based on a claim that it was illegitimate to look into why Donald Trump was inviting Russia to hack his opponent, it will become centrally important that, before these researchers started conducting their investigation, the FBI had likewise decided such an investigation had merit.

The Alfa Bank story was sleazy and unethical. But it was still, nevertheless, an instance where someone representing the victim of a nation-state attack attempted to chase down information that may have pertained to that nation-state attack.

John Durham will go down in history as the guy who decided that torturing detainees, even in excess of legal guidance, was not a crime, but a victim sharing concerns about nation-state hacking is.

Update: It’s likely that Richard Burt was one of the people investigated as part of this effort. Per the Mueller Report, he was the person Petr Aven asked to establish a tie with Trump’s transition in 2016.

After the December 2016 all-hands meeting, Aven tried to establish a connection to the Trump team. Aven instructed Richard Burt to make contact with the incoming Trump Administration. Burt was on the board of directors for LetterOne (L1), another company headed by Aven, and had done work for Alfa-Bank. 1169 Burt had previously served as U.S. ambassador to Germany and Assistant Secretary of State for European and Canadian Affairs, and one of his primary roles with Alfa-Bank and L1 was to facilitate introductions to business contacts in the United States and other Western countries. 1170

While at a L1 board meeting held in Luxembourg in late December 2016, Aven pulled Burt aside and told him that he had spoken to someone high in the Russian government who expressed interest in establishing a communications channel between the Kremlin and the Trump Transition Team. 1171 Aven asked for Burt’s help in contacting members of the Transition Team. 1172 Although Burt had been responsible for helping Aven build connections in the past, Burt viewed Aven’s request as unusual and outside the normal realm of his dealings with Aven. 1173

Burt, who is a member of the board of CNI (discussed at Volume I, Section IV.A.4, supra), 1174 decided to approach CNI president Dimitri Simes for help facilitating Aven’s request, recalling that Simes had some relationship with Kushner. 1175 At the time, Simes was lobbying the Trump Transition Team, on Burt’s behalf, to appoint Burt U.S. ambassador to Russia. 1176

Burt contacted Simes by telephone and asked if he could arrange a meeting with Kushner to discuss setting up a high-level communications channel between Putin and the incoming Administration. 1177 Simes told the Office that he declined and stated to Burt that setting up such a channel was not a good idea in light of the media attention surrounding Russian influence in the U.S. presidential election. 1178 According to Simes, he understood that Burt was seeking a secret channel, and Simes did not want CNI to be seen as an intermediary between the Russian government and the incoming Administration. 1179 Based on what Simes had read in the media, he stated that he already had concerns that Trump’s business connections could be exploited by Russia, and Simes said that he did not want CNI to have any involvement or apparent involvement in facilitating any connection. 118

Update: Corrected scope of Benczkowski’s recusal. His should cover the server issue (and Alfa Bank issues for the first two years he was CRM).

Update: Brian Krebs wrote a post laying out all the people who still believe there’s something going on technically. I don’t think that’s inconsistent, at all, with this one. As noted, everyone who looked at this believes it’s an anomaly. What I keep pointing to is that the aftermath of that anomaly got Alfa Bank to act in a certain way that is consistent with Putin’s interests. Krebs notes that it has also led to a lot of scrutiny of security researchers in the US, not unlike the way the aftermath of the Steele dossier discredited most top Russian experts in the US government.

Update: This transcript of Preet Bharara and Joyce Vance discussing the many weaknesses of the Durham indictment largely replicates what I’ve laid out here but is worth a review.

61 replies
  1. P J Evans says:

    The former guy’s “this is in person and watching television” isn’t the strong statement he thinks it is.
    Neither is Durham’s case. I think he was desperate to get someone, anyone, before the statute of limitations ran out, in order to justify more time to keep the investigation going.

      • gmoke says:

        The mention of Marc Elias, who is now working diligently on protecting voting rights, gave me a twinge. Do you think it is at all possible that Durham’s extended hunting party might have Elias in its sights?

        Just a thought.

      • Rugger9 says:

        Popehat did a pretty good high level analysis as well, and the fundamental focus isn’t Sussman but to raise up the HRC flag to keep the RWNM and rubes engaged. Popehat noted how for a single charge that 27 pages of drivel went well beyond gilding lilies and were irrelevant to the actual allegation raised. In my experience, once I see something like that from someone trying to get me to do something, I know there is no pony in the pile of manure. I don’t think Durham and DJT even care if it is tossed tomorrow, to use the Cokie Roberts Rule, “it’s out there” like the emails were.

        What is Judge Cooper’s reputation?

  2. Terrapin says:

    Durham apparently feels he cannot close up shop without multiple indictments. If this represents the apex of his work, he should write his report and leave government. The taxpayer’s money has been clearly wasted by his probe which was based to begin with on political retaliation for the Trump-Russia probe.

  3. Michael says:

    If Durham is going to charge CONFRAUDUS, wouldn’t he have to do it pretty soon? The statute of limitations is going to expire regardless- unless he includes overt acts after Trump was elected.

    • PhoneInducedPinkEye says:

      That would require clear-eyed confident leadership that doesn’t coddle bad-faith political hacks clinging on to the DOJ/FBI like barnacles.

      We don’t have that leadership.

  4. BobCon says:

    Not that Durham’s choo choo has any serious tracks, but if it did, there are a lot of people on Trump’s side who ought to be deeply worried. How many people on his side were approaching federal officials, probably including the FBI, with information about the 2020 election that could easily be proven to be lies?

    And if Sussman is somehow the basis for a conspiracy charge, how hard would it be to roll up the entire Trump operation on the same grounds? I’m not saying that prosecutors should sink anywhere near to Durham’s level, to be clear. I’d want a case against Giuliani to be based on more than him saying something to the FBI that only meets the narrowest definition of material.

    They basically have to hope that Durham’s paper thin case can proceed without lowering the bar on cases that could be brought against them. Although I have to wonder if part of Durham’s role in bringing such a politically tainted case is to provide PR cover against any more substantive cases, in case someone like Giuliani or Powell or anyone else is guilty of more than just blowing hot air to the FBI.

    • Rugger9 says:

      I think the answer to the exposure question is “yes”, and once the precedent has been established by Durham (even though as EW noted in the post, he seems to have changed policy between Flynn and Sussman) it can be used as a stick by Garland or another special counsel.

  5. klynn says:

    IANAL
    Would Sussman have a defense that allows for state of mind or laying the ground work for what Durham is charging as a lie? If yes, with the August 20th quote from TE-1 actually creating a timeline reference, how could a judge be convinced it is irrelevant? Would not Sussman have a right to include the facts timeline you note above as part of his defense?

    • Rugger9 says:

      I think the intent was mentioned in the post as a necessary element, and if so, I’d like to see how the government proves Sussman intended to lie based on a self-contradicting witness (Baker) and likely hearsay evidence (Priestap notes). Lots of appeal points to argue for Sussman if this somehow goes poorly.

      The only reason this isn’t in the same dustbin as a Kraken lawsuit is because Durham is using the power of the government to pursue a grudge for DJT.

      Can Durham himself be prosecuted for abuse of power, even allowing for a pretty high bar on discretion grounds?

        • Badger Robert says:

          True, but the courts are beginning to crack down on the meritless cases inspired by Trump and his conspiracy theories. A politically motivated prosecution based on very thin evidence may expose Durham to civil liability. At the very least there could be a reverse Saturday night massacre in which the existing DoJ recommends that the special prosecutor be terminated.

          • bmaz says:

            I cannot emphasize this enough, no, there is absolute prosecutorial immunity. And Durham is even further insulated by how Barr set it up. Marcy noted the insanity on the front end. This is exactly why.

    • Ginevra diBenci says:

      klynn, as I understood Marcy’s (amazing) post, Sussman’s avenue to including that material might be predicated on Durham’s indictment itself, in which ” . . . an August 20 comment from TE-1 that Durham quotes in his indictment may be a direct reference to (and at the least incorporates knowledge of) this press conference.

      “Trump has claimed he and his company have had NO dealings with .ru other than the failed Casino, and the Miss universe pageant. He claims absolutely NO interaction with any financial institutions. So any potential like that would be jackpot.

      That is, Durham included what appears to be a reference to the July 27 press conference.”

      The way that Dr. EW foregrounded this detail leads me to conclude it has potential evidentiary consequences. (And also: Durham is a mediocre hack who can’t write.)

      • bmaz says:

        Eh, I’d be wary of too much emphasis on this. Just because it can be extrapolated out of the charging document does not mean it survives a 403 challenge, or other evidentiary challenges, in a trial court. You are right about Durham’s writing though, his document is overblown self serving bunk.

        • Savage Librarian says:

          Ay, there’s the rub. I always appreciate it when you point these kinds of things out to us. (If only I knew then what I know now…) Thanks, bmaz!

  6. Rapier says:

    How many people are working with Durham on this stinker? Anyway I was hoping for a little more ROTFL comedy gold in this post but in the end like everything Trump we are mostly left with slow headshakes and low mordant chuckles.

    • Doctor My Eyes says:

      There is some truth in DJT’s suit against the Times and his disinherited niece–the second paragraph begins, “The brazenness of the defendants’ actions cannot be understated.” Sigh. Amazing how much time and energy are being wasted trying to clean up these incompetent grifter’s messes.

      Sorry for the OT. Thanks as always for the careful reporting, which I read daily. This place remains a haven. For some reason I just thought of the great Patty Griffin song, Mary, with Dr. Wheeler playing the part of Mary:

      While the angels are singin’ his praises in a blaze of glory
      Mary stays behind and starts cleaning up the place

  7. The Old Redneck says:

    So we have the entire false statement case based on James Baker saying – without a transcript or even contemporaneous notes of the meeting – that Sussman claimed he wasn’t working for anyone? And then with Baker testifying later that he never believed it anyway? If that’s true, good luck showing Sussman made that claim in the first place; and even if he did, how that false statement could be “material.”
    If I’m misreading this, someone set me straight.

  8. Spencer Dawkins says:

    I was intrigued by the Alfa Bank story when it came out, but was only reading this blog when someone pointed me to a specific post in 2016, so missed your entire “boob hospital” post. Thanks for including a link to that one, in this post. Five years later, I still learned a lot from the 2016 post, and I’m just getting started on this post!

    • Xboxershorts says:

      I was too, and I’ve been running various corners of the internet since the late 90’s including a number of good sized email systems.

      The page Marcy links to in her 2016 analysis has a lot of good information that explains away almost all the speculative nonsense that folks were putting out there.

      https://krypt3ia.wordpress.com/2016/10/08/gdd53-a-russian-hosted-i2p-site-that-claims-trumps-email-system-had-ties-to-alfabank-russia/

      Includes a screen shot of the Trump org email server’s DNS MX record. MX stands for Mail Exchanger and it includes things like SPF records for the trump org mail system (Sender Policy Framework, in short, IP Addresses and the domain that is authorized to send mail on Trump’s behalf)

      A quick look at the MX record readily explains why there was a bunch of repeat lookups from Alfa Bank…the Trump MX record kept expiring.

      Trump’s SPAM Factory, if sending bulk mailings to an Alfa Bank receiver, if that Alfa bank receiver doesn’t have a cached record of Trump’s MX record, will then attempt a lookup to see if the server trying to send mail to Alfa is legit. But the Trump org MX record has a TTL (Time to live) of 3600 seconds. Or…1 hour.

      At the major ISP I worked for that I helped run their mail system, our MX record had a TTL of 86400 seconds, or…1 week.

      Having a TTL of 1 hour is what we would have used if we were about to implement a change to our servers that would have affected reachability. A 1 hour TTL ensures our DNS records expire quickly so that those who tried to find us would be forced to load any new records into their Lookup servers. After our change, we would restore the 1 week TTL.

      The ONLY thing anyone can glean from the anomalous DNS traffic is either Trump’s MX record was misconfigured or there was a planned maintenance coming up.

      Everything else the Mensches of the Interwebs were speculating about was just wild assed bullshit. No one can glean anything meaningful from this other than what I mentioned above.

      But I was intrigued by this when it came out, because we are trained to minimize DNS queries.
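The caching behaviour described in the comment above, as an added example that is not part of the original thread: a simulated caching resolver counts how many lookups reach the authoritative server for the two TTL values quoted (3600 and 86400 seconds), and a second function checks whether a query log is explainable by TTL expiry alone. The class and function names, the single resolver that honours TTLs exactly, and the demand pattern (one delivery every 10 minutes for 7 days) are assumptions constructed for illustration.

```python
"""Simulate a caching resolver to show how a record's TTL drives repeat lookups."""
from dataclasses import dataclass, field


@dataclass
class CachingResolver:
    """One recursive resolver caching a single record (hypothetical model)."""
    ttl: int                      # TTL of the record, in seconds
    expires_at: float = -1.0      # nothing cached yet
    upstream_queries: list = field(default_factory=list)

    def resolve(self, now: float) -> bool:
        """Return True on a cache hit; on a miss, log an upstream query."""
        if now < self.expires_at:
            return True
        # Cache empty or expired: ask the authoritative server and re-cache.
        self.upstream_queries.append(now)
        self.expires_at = now + self.ttl
        return False


def upstream_lookups(demand_times, ttl):
    """Timestamps of the queries that reach the authoritative server."""
    resolver = CachingResolver(ttl)
    for t in demand_times:
        resolver.resolve(t)
    return resolver.upstream_queries


def consistent_with_ttl_expiry(query_times, ttl):
    """True if no two consecutive upstream queries are closer than the TTL.

    A single resolver that honours the TTL cannot re-query sooner than that,
    so shorter gaps mean caching alone does not explain the log (several
    resolvers, a capped TTL, or a client bypassing the cache).
    """
    gaps = [b - a for a, b in zip(query_times, query_times[1:])]
    return all(gap >= ttl for gap in gaps)


# Constructed demand: the receiver needs the sender's record every 10 minutes
# for 7 days (for example, once per inbound bulk-mail delivery).
WEEK = 7 * 24 * 3600
DEMAND = list(range(0, WEEK, 600))

if __name__ == "__main__":
    for ttl in (3600, 86400):
        seen = upstream_lookups(DEMAND, ttl)
        print(f"TTL {ttl:>5}s: {len(DEMAND)} deliveries, "
              f"{len(seen)} lookups visible upstream, "
              f"TTL-consistent={consistent_with_ttl_expiry(seen, ttl)}")
```

The same demand produces 24 times as many visible lookups at the shorter TTL, and in both cases the lookup timestamps say nothing about what, if anything, was delivered.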

        • Tom S. says:

          Dexter Filkins, in his 2018 reporting,
          https://www.newyorker.com/magazine/2018/10/15/was-there-a-connection-between-a-russian-bank-and-the-trump-campaign
          Oct 8, 2018 —” Why was the Trump Organization’s domain, set up to send mass-marketing e-mails, conducting such meagre activity? And why were computers at Alfa Bank and Spectrum Health trying to reach a server that didn’t seem to be doing anything? After analyzing the data, Max said, “We decided this was a covert communication channel.” …”
          For some reason, my earlier post is in moderation, so I’m including a link to Filkins’s reporting two years later in reaction to Alfa Bank’s two June, 2020 lawsuits, curiously reviving what it seemed to have successfully put to bed. https://www.newyorker.com/news/news-desk/the-contested-afterlife-of-the-trump-alfa-bank-story

          • Xboxershorts says:

            But it’s all speculative. No payload was collected, therefore no actual info on what was sent between them exists.

            Just DNS lookups to a domain whose MX record expired every hour.

            But…a 1 hour TTL for a mass mailing (spam) server with an MX record that expires in 1 hour, definitely suggests those who received shit from it in the window in which that DNS record was active…will do a lookup…every hour.

            And the website Marcy linked to for her 2016 analysis even says that other domains were doing lookups at the same time.

            Speculate all you wish. But without an email message payload, we got nothin…

            I wish we had sumthin tho….we just don’t.

            Maybe the NSA does…but the rest of us, do not.

            • Tom S. says:

              Xboxershorts, Alfa Bank had this, “put to bed,”
              https://en.wikipedia.org/wiki/Brian_Benczkowski#Assistant_Attorney_General_for_the_Criminal_Division
              “..During Benczkowski’s confirmation hearing he was emphatic that Stroz Friedberg, like Mandiant, had rejected the possibility of complicity, and the investigation’s report found that “there was no communications link between the Trump Organization and Alfa Bank.”[11] Stroz Friedberg gave the same explanation for why it, along with Mandiant, was “unable to verify” older data in its investigation: it could not inspect the bank’s Domain Name System (DNS) logs from 2016 and before because the bank retained such records at the time for only twenty-four hours.[11]..” So, why, fully 3 years later, would Alfa resurrect the controversy, filing two lawsuits, subpoena L. Jean Camp, appeal the unsuccessful subpoena, telling the court they suspect John Doe Defendants led her and “The Anonymous Researchers to the hack…” @ .pdf page 4,
              https://www.eff.org/files/2021/05/21/20210519_opinion.pdf
              “…she has published the details of her finding (in Aug., 2016, before Sussman met with Baker) at her website, including a graph which shows the timeline of the connections made between the two parties.”

              • Xboxershorts says:

                I do Internet Engineering. Have been for over 2 decades.

                I don’t care what Alfa Bank had to say.

                I’m interpreting the DNS record for y’all and what it means.

                You can fact check me and what I posted will hold true,

                The lookups were an anomaly and they are the kind of thing an engineer like me would have picked up on, in light of the fact that the DNC was just hacked and published.

                The DNS MX record of the Trump Spam Server had a TTL of 1 hour. That’s it. That’s all we know for sure.

                Everything else is speculative.

            • emptywheel says:

              And that’s consistent with what Durham has provided, thinking it’s really damning. This is an anomaly, but as they note, no proof of Trump asking for $$.

            • Thomas says:

              Maybe the NSA has something
              Indeed
              Just like they would have a lot of information about Trump’s people having communications with Russians they were monitoring

          • pasha says:

            “After analyzing the data, Max said, “We decided this was a covert communication channel.”

            this Spectrum Health server has always bothered me. headquartered in west michigan, this hospital chain is largely under the control of the intermarried De Vos and Prince families, who were closely involved in trump’s campaign. why would their server be involved? mere coincidence?

            • emptywheel says:

              The DeVoses weren’t Trump supporters until well after this anomalous traffic and Dick, the only one involved, is the Chair but not the day to day head.

              • Ginevra diBenci says:

                My research suggests that once it was obvious their preferred candidate, Ted Cruz, was destined to lose the 2016 primaries, the Prince-DeVos cartel swallowed the acid bile rising up their theocratic throats, grasped the possibilities a Trump presidency might offer (them–not the rest of us), and affiliated with the presumptive nominee.

                Bargains struck in private resulted in EdSec Betsy DeVos, the most visible sign of the affiliation. And then there came the tax cuts and promises to relent on Amway regulation. A win-win that keeps on giving (not to us, of course, just to them), and which as I understand it they divined in the summer of 2016, somewhat earlier than the events Durham is pretending to clarify.

                • emptywheel says:

                  Does your research include non-public data that refutes the public data that showed Betsy was unprecedentedly late in supporting Trump?

                  The DeVoses are closer to Mike Pence. His pick was important in both getting them on board and keeping them there. But that is different than supporting Trump directly.

                  And it is distinct from what Erik Prince, who is an entirely different person, was doing at the time, but Erik has no ties to Spectrum.

                  • Ginevra diBenci says:

                    No, my research does not include any non-public data; I have to work with what I can access online and via those old-fashioned devices, books. I was talking about the DeVos-Amway family more generally, not Betsy specifically; as a conglomerate they did indeed stipulate Pence, but had pivoted before the RNC.

                    • Ginevra diBenci says:

                      Anne Nelson’s book Shadow Network is an invaluable resource on the subject of dark money over the past few decades.

            • Troutwaxer says:

              There’s a 99.99 percent chance that Xboxershorts is right. That being said, it’s worth noting that there are fields in a DNS query that could be filled improperly, and these could, conceivably, be used as a communications channel. However, such a channel would be very slow – essentially you’d end up receiving a couple bytes (a couple letters) an hour, or possibly even worse – and NOBODY has come close to either suggesting or proving that this is the case.

              But if I were looking for evidence of coordination between .ru, Trump, and the De Vos’s, I’d look for a much-higher-than-normal rate of malformed DNS query/answer packets and concentrate on those. Once again, this is HIGHLY unlikely. My guess would be that the Trumps hired the cheapest system administrator they could find and that person did a substandard job of setting up their DNS.

              Calling back to the top post, I can’t see the point of this charge. As you note, the whole thing is, in context, highly suspicious, but it’s not a false report, it’s a useful and intelligent lead that didn’t play out.
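
The check described in the comment above (count malformed DNS messages and compare the rate with normal traffic), as an added example that is not part of the thread. The specific header checks, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

ASSIGNED_OPCODES = {0, 1, 2, 4, 5, 6}  # IANA registry: 3 and 7-15 are unassigned

def build_query(name, flags=0x0100, trailer=b""):
    """Constructed sample data: a single MX question with optional trailing bytes."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 15, 1) + trailer

def question_end(pkt):
    """Offset just past the first question, or None if the QNAME is malformed."""
    pos = 12
    while pos < len(pkt):
        length = pkt[pos]
        if length == 0:  # root label, followed by 2-byte QTYPE and 2-byte QCLASS
            return pos + 5 if pos + 5 <= len(pkt) else None
        if length > 63:  # pointer or reserved label type: not expected in a lone question
            return None
        pos += 1 + length
    return None

def header_anomalies(pkt):
    """List the reasons a DNS message's header or question section looks malformed."""
    if len(pkt) < 12:
        return ["truncated header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    opcode, found = (flags >> 11) & 0xF, []
    if flags & 0x0040:
        found.append("reserved Z bit set")
    if opcode not in ASSIGNED_OPCODES:
        found.append(f"unassigned opcode {opcode}")
    if not flags & 0x8000 and opcode == 0:  # standard query
        if flags & 0x040F:
            found.append("AA or RCODE set in a query")
        if qd == 1 and an == ns == ar == 0:
            end = question_end(pkt)
            if end is None:
                found.append("malformed question name")
            elif end != len(pkt):
                found.append(f"{len(pkt) - end} trailing bytes")
    return found

def malformed_rate(packets):
    """Fraction of messages with at least one anomaly, to compare against a baseline."""
    return sum(bool(header_anomalies(p)) for p in packets) / len(packets) if packets else 0.0

# Constructed traffic: two clean queries, one with the Z bit set, one with padding.
SAMPLE = [build_query("mail.example.com"), build_query("example.org"),
          build_query("example.org", flags=0x0140), build_query("example.org", trailer=b"hi")]
```

A rate well above what the same resolver pair shows in ordinary traffic is the signal worth a closer look; a single odd packet is not.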

  9. gordana says:

    Thank you for your diligent work in analyzing the case. Whether the Alfa Bank server event was a red herring is difficult to swallow. The events (as you pointed out) occurred exactly when Russia was busy hacking & Trump’s men were in contact with Russians. Aside from the timing is the odds of Alfa Bank, Spectrum Health (DeVos link) & Trump Org. Server pinging each other. DeVos’s business (Amway) in Russia was affected by the sanctions & losing over 250 Million a year.

    Who would have knowledge of a Trump Org. Server operated by Cendyn at that time & wasn’t being used as far as they knew? This is a wild speculation on my part but one person that would fit the bill for me would be Erik Prince.

  10. Peterr says:

    But that’s not what this is about.

    Suddenly, I had a vision of Durham sending Sussmann over to the Group W bench. . . .

    And I, I walked over to the, to the bench there, and there is, Group W’s where they put you if you may not be moral enough to join the army after committing your special crime, and there was all kinds of mean nasty ugly-looking people on the bench there. Mother rapers. Father stabbers. Father rapers! Father rapers sitting right there on the bench next to me! And they was mean and nasty and ugly and horrible crime-type guys sitting on the bench next to me.

    And the meanest, ugliest, nastiest one, the meanest father raper of them all, was coming over to me and he was mean ‘n’ ugly n’ nasty ‘n’ horrible and all kind of things and he sat down next to me and said, “Kid, whad’ya get?” I said, “I didn’t get nothing, I had to pay $50 and pick up the garbage.” He said, “What were you arrested for, kid?” And I said, “Littering.” And they all moved away from me on the bench there, and the hairy eyeball and all kinds of mean nasty things, till I said, “And creating a nuisance.” And they all came back, shook my hand, And we had a great time on the bench, talkin’ about crime, mother stabbing, father raping, all kinds of groovy things that we was talking about on the bench.

    I am also curious if you have billed Perkins Coie and Sussmann for your legal research work here.

    Seriously, the picture you’ve painted is alternately very sloppy legal work by Durham and his team and very suspect legal work. Of course, Durham can be both sloppy and suspect at the same time, as his willingness to let torture slide proved. If this goes to trial, Durham could find himself in very deep trouble as this sloppiness gets exposed in all its glory before a judge.

  11. Badger Robert says:

    OT: maybe Ed Walker could comment on George Will’s rationalization of how the party of Nelson Rockefeller evolved into the party of Trump. I may be old, but I remember 1968 like it was yesterday. Mr. Will should be trying to sell his book, but some push back is in order.

  12. What Constitution? says:

    Heh heh. She said “ham sandwich”. Heh.

    I rest my case. ‘Cept for one other little thing: then there was the time I posted a mercifully short comment about John Eastman being pilloried on his way out of Chapman University over his “she’s not a real citizen” crap and reminding about how that slimeball once set up his former co-clerk (John Yoo) with a hideaway sabbatical from scrutiny at Boalt after the “torture memos” came out, and our own bmaz commented “What Constitution? is absolutely 100% right”. So I got that goin’ for me…. Seems topical this morning, though.

    I’d probably write more, but I’m preemptively taking the advice of royalty this time:
    https://www.youtube.com/watch?v=IoY0Qa0zU0A

    Dr. Emptywheel, you are the best. Thank you.

    • bmaz says:

      It is a long strange trip, isn’t it? But, soon again, it will be time for many legal types to take in spring training. I hope for a couple of them.

  13. Tom S. says:

    EW, Dexter Filkins authored a second article,
    https://www.newyorker.com/news/news-desk/the-contested-afterlife-of-the-trump-alfa-bank-story two years later, Oct. 7, 2020, reporting on the two, curious June, 2020, Alfa Bank filed lawsuits, in Lancaster, PA, and Palm Beach, FL, related to the server exchanges, lawsuits that seem to contradict Alfa Bank’s original explaining away of what Sussmann was reporting to James Baker, a defense coinciding (?) with Trump’s appointment to head the Criminal Division at DOJ.
    https://en.wikipedia.org/wiki/Brian_Benczkowski#Assistant_Attorney_General_for_the_Criminal_Division “...During Benczkowski’s confirmation hearing he was emphatic that Stroz Friedberg, like Mandiant, had rejected the possibility of complicity, and the investigation’s report found that “there was no communications link between the Trump Organization and Alfa Bank.”[11] Stroz Friedberg gave the same explanation for why it, along with Mandiant, was “unable to verify” older data in its investigation: it could not inspect the bank’s Domain Name System (DNS) logs from 2016 and before because the bank retained such records at the time for only twenty-four hours.[11]..”

    Filkins quotes at least one source observing that it looked like the Barr DOJ and Alfa Bank might be collaborating, seeking the same information.

    In a May, 2021 appeal ruling associated with a subpoena filed by Alfa Bank in the FL lawsuit, the opinion (.pdf page 4 of 11) states,
    https://www.eff.org/files/2021/05/21/20210519_opinion.pdf
    “..The Bank alleges that the John Doe Defendants conspired to commit cyber attacks against the Bank in 2016 and 2017 in order to create DNS records that would “create the illusion of secret communications” between the Bank and the Trump Org., Id. at 35. The Bank does not allege that (Jean) Camp or Anonymous Researchers participated in these alleged cyber attacks. The complaint theorized that the John Doe Defendants “pointed” the Anonymous Researchers in the direction of the planted (DNS) evidence.” Id. at 50.
    The subpoena was attempted at Camp, an Indiana cyber researcher who first published some of the server data on her website in August, 2016. More background on the two Alfa Bank lawsuits, here, posted on Sept. 2, 2020:
    https://www.justsecurity.org/72262/the-trump-alfa-bank-server-mystery-resurfaces/

  14. Tony el Tigre says:

    Incredible reporting. I admit I was skimming it toward the end, it’s overwhelming.

    My grandfather offered to put me through law school if I agreed to join his firm, Wainwright, Wainwright, Wainwright, Wainwright and Wainwright. I thank God every day that I said “no”.

  15. Anomalous Cowherd says:

    And here I was thinking that Dull Burham was the Judi “Hunter Biden’s laptop” Ruliani of the Connie-ann “Bowling Green Massacre” Kellways!

  16. OldTulsaDude says:

    From Emptywheel, 2016
    “So for this story to make sense, you’ve got to explain why a children’s hospital and a boob clinic are in cahoots with Trump and a big Russian bank.”

    OK. I’ll take a shot at this. First, Trump has fathered two boobs who both need squished. I’m a little vague, though, on the Russian bank connection…

  17. Bay State Librul says:

    A little off topic, but can I tell you how much I hate Republicans. Senator Dickhead Tom Cotton
    from ‘Bama, is holding up DA Rachael Rollins’s nomination to be US Attorney from Massachusetts. He says her policies “have contributed to an increase in violent crime nationwide”
    “A bird does not sing because it has an answer” writes DeMello, “It sings because it has a song”
    Please, Tom Cotton, take your fucking “song and dance about violent crimes” to your fellow criminals who ransacked the Capitol.
    Stay the fuck out of Massachusetts.

        • Ginevra diBenci says:

          Arkansas, with excursions to attend Harvard (undergrad) and Harvard (law school). Harvard Law School must have a third-year seminar: How to convince deplorables that you are just a folksy small-town lawyer. One credit, pass/fail, offered as an elective. Bring your own wheat stem to chew on.

          • Joseph Andrews says:

            My own day-to-day world does not regularly overlap with political science-type people…but I have a good relationship with the preeminent political scientist at my university, a man with a significant reputation in our region.

            He is a native Arkansan (and proud of it, I suspect).

            He is scrupulously down-the-middle in most of our conversations.

            He has NOTHING good to say about Tom Cotton.

            Nothing.

            • earlofhuntingdon says:

              Who does? His good ole boy schtick makes him look like a Faux Noise host rather than a Harvard magna and HLS grad. But it often hides how intentionally vile his conduct is.

  18. Joseph Andrews says:

    There is so much in this emptywheel article that I don’t know where to begin.

    So I’ll start at the end (of sorts)–the ‘end’ for me, anyway, in terms of what this all means to some of our fellow American citizens.

    I took the time to do a single web search for the following three terms–Clinton Russia collusion

    …and I cannot believe some of what I found (no doubt not ‘news’ to the posters here).

    For example, a WSJ editorial states that ‘Abolish the FBI’ is a reasonable solution to what Durham’s investigation and indictment has uncovered.

    My oh my.

    Sigh.

  19. Leoghann says:

    Let me start with my usual disclaimer, IANAL. But my love of narrative and ability to follow event histories has long made it possible for me to read and grasp indictments. I’m afraid all that failed me on this one. It obviously wasn’t written for the court, but for public consumption, where that public primarily consists of the citizens of Faux Nation. At least there aren’t several references to “Crooked Hillary,” but those may have been edited out at the last minute.

    I always chuckle at Durham’s official portrait (the one you have at the top). Up until his elevation to USACD, he cut a much more mellow figure. The image this picture imparts is a cross between John Bolton and a midnight-cable-channel personal injury lawyer. But, upon reading the indictment, we learn that he’s actually channeling Nancy Grace.

    • Ginevra diBenci says:

      Thanks, Leoghann, for the funniest comment ever! Your description of Durham’s photo (I’ve always seen him as the gynecologist whose office you’d flee without your clothes) and the Nancy Grace line? Spot on.

  20. Zinsky says:

    This is an amazing piece of investigative reporting. The number of strands of information that you weave together in this post is astonishing. If they gave Pulitzer Prizes for on-line investigative reporting, I would nominate this post for an award. Thank you so much.
