Posts

John Durham’s Blind Man’s Bluff on DNS Visibility

On September 16, 2021, John Durham indicted Michael Sussmann on a single count of lying to the FBI, just days before the statute of limitations for that crime expired. Durham accused Sussmann of lying to hide that he had a client or clients on whose behalf he was sharing allegations about DNS anomalies involving Trump Organization and Alfa Bank.

Durham adopts the “DNC fabrication” theory from agents who badly screwed up the original investigation

As I laid out here, the indictment adopted the “DNC fabrication” theory, the “fabrication” part of which was initially espoused in a hasty review by FBI Cyber agents Nate Batty and Scott Hellman by September 21, 2016, just two days after Sussmann shared a white paper describing anomalies involving Alfa Bank.

Durham adopted that theory in spite of proof, in their own summary, that the FBI agents had not closely reviewed the DNS logs included with the allegations, if they ever reviewed them at all. Durham adopted that theory in spite of irregularities in the chain of custody surrounding the handling of a Blue Thumb Drive that reportedly included DNS logs that were never reviewed. Durham adopted that theory in spite of the fact that Batty’s own Lync messages materially conflicted with a claim he made to Durham two years earlier: Batty claimed he had been refused information about the role of Sussmann in the allegations, when in fact his Lync messages showed he had been informed about Sussmann’s role from the start. Durham adopted that theory in spite of the fact that FBI started debunking parts of the “fabrication” story within hours of Batty and Hellman proposing it. Durham adopted that theory in spite of the fact that FBI’s own overt steps (during a pre-election period) and Alfa Bank’s curious lack of DNS logs made pursuing the allegations impossible.

That indictment was an insanely reckless thing for John Durham to do, building as it did on the investigative failures of Batty and Hellman, not to mention Batty’s own materially inconsistent claim.

Several things made that indictment even more reckless.

Durham fails to take basic investigative steps before indicting

First, in spite of the fact that Durham had already been investigating for 28 months by that point — Durham had already been investigating for six months longer than the entire Mueller investigation — there were a whole bunch of obvious investigative steps he had not yet taken. Between the indictment and the May 2022 trial, Durham would do the following:

Durham also revealed two other interviews he only conducted after charging Sussmann: one with someone identified as Listrak Employee-1 and other unidentified personnel on October 27, 2021 and another with the CEO and CTO of Cendyn on November 17, 2021. As described, their interviews pertained exclusively to email, not DNS, and Durham doesn’t appear to have asked Cendyn about the contacts via its Metron messaging product done for some other client with Alfa Bank in the same time period, nor about the contact that did exist between Cendyn and the affected Spectrum IP address. It also doesn’t mention that Listrak reported no emails to Alfa Bank, one of the Bank’s evolving explanations for the anomalies, and any mail to Spectrum was sent elsewhere.

In his report, Durham makes no mention of whether he interviewed anyone at Spectrum Health or Alfa Bank, though a DC judge would observe that it was almost like the Sussmann indictment and an Alfa Bank lawsuit, “were written by the same people in some way.” There were large gaps involved with both entities in the original investigation and it’s not clear Durham made any effort to close them.

Durham accused the FBI of skipping investigative steps on Crossfire Hurricane that might have discovered exculpatory evidence, but none of that comes close to the many investigative steps he had not yet pursued in the 28 months he had already been investigating before indicting Sussmann.

Durham’s indictment of Sussmann piled his own investigative failures on top of those by Batty and Hellman.

Durham discovers his DNC fabrication theory involves real data

More problematic than Durham’s investigative incompetence, though, the Special Counsel charged Michael Sussmann on September 16, 2021, in spite of the fact that a month earlier, by mid-August, 2021, Durham’s team learned that the data Rodney Joffe and others used to conduct their research was absolutely real. The nature of how this came about remains obscure, but in addition to debunking the most simplistic “DNC fabrication” theories, the discovery made it impossible for Durham to continue to rely on the expert his team had been using. The discovery that the data that Batty and Hellman had dismissed in just one day was real should have led Durham to reconsider everything about his case.

Instead, Durham barreled forward with his indictment.

Durham invites the guy who screwed up the investigation to be his expert

Instead of reassessing his case, Durham responded to losing his expert by proposing that Hellman serve as the replacement, even though by Hellman’s own admission he only knows the basics about DNS.

DeFilippis. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

[snip]

Berkowitz. And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table there, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

Hellman was one of just two people, aside from John Durham himself, who had a stake in sustaining the “DNC fabrication” theory he had floated before closely reviewing the evidence. That Durham even considered making him his expert is a testament that Durham was interested in protecting his “DNC fabrication” theory, not interested in expertise, much less what the actual evidence said.

Durham includes two expert reviews unmoored from any prosecutorial decision

And that’s why Durham’s inclusion of two expert reviews of the allegations Sussmann shared with the government is of interest:

  • 1671 FBI Cyber Technical Operations Unit, Trump/Alfa/Spectrum/Yota Observations and Assessment (undated; unpaginated).
  • 1635 FBI Cyber Division Cyber Technical Analysis Unit, Technical Analysis Report (April 20, 2022) (hereinafter “FBI Technical Analysis Report”) (SCO _ 094755)

With one exception, Durham describes those reviews in a 13-page section of his report that purports to be about the ongoing efforts by Rodney Joffe and others to chase down the Alfa Bank anomalies and some unusual traffic probably reflecting the presence of Yota Phones in the US. The section itself has no place in a prosecutorial memo, because the only interaction with the government described in that section involved a Georgia Tech researcher refusing HPSCI’s request to help chase down these allegations. The rest involves Joffe continuing to chase this issue with his own data, which insofar as it demonstrates Joffe’s sustained concern about this, independent of any election, undermines pretty much all of Durham’s conspiracy theories. The declination decision regarding fraud — which Andrew DeFilippis used to claim that Joffe was still a subject of the investigation more than five years after the events in question, thereby keeping him off the stand in Sussmann’s trial — didn’t even mention Joffe.

But the description of these reviews in this section really doesn’t have a place where Durham put it, because along with the Cendyn and Listrak interviews, one of the reviews appears to have been last minute prep for the Sussmann trial and the other played a key role in an affirmatively misleading court filing that led Trump to make death threats against Sussmann.

These reviews in Durham’s report supported his last-ditch effort to cement the belief that Hillary framed Donald Trump. They’re here to prove, once and for all, that Sussmann was wrong.

Here’s how Durham introduces his efforts to redo the work Batty and Hellman and others botched so many years ago:

This subsection first describes what our investigation found with respect to the allegation that there was a covert communications channel between the Trump Organization and Alfa Bank. It includes the information we obtained from interviews of Listrak and Cendyn employees. It then turns to the allegation that there was an unusual Russian phone operating on the Trump Organization networks and in the Executive Office of the President. We tasked subject matter experts from the FBI’s Cyber Technical Analysis and Operations Section to evaluate both of these allegations.

But as with so much else in this report, they don’t do what they claim to. Durham ensured his experts sustained the blindness that Batty and Hellman willfully adopted so many years ago to avoid concluding that the allegations might be real.

As I noted here, the two reviews purport to review the Alfa Bank allegations — shared with both the FBI and (in updated form) the CIA — and the YotaPhone allegations shared with the CIA. In one place, Durham claims “the same FBI experts” did both reviews, though he attributes them to different groups. But that’s important because if they are the same experts, then they should know of both reviews.

Durham incites death threats because Joffe investigated Barack Obama

The YotaPhone review must have been done first because, as I noted above and show below, the analysis matches claims Durham made in a filing purporting to raise conflicts but mostly airing allegations for which the statute of limitations had just expired. Here’s how Durham describes the allegations in the report:

Specifically, Sussmann provided the CIA with an updated version of the Alfa Bank allegations and a new set of allegations that supposedly demonstrated that Trump or his associates were using, in the vicinity of the White House and other locations, one or more telephones from the Russian mobile telephone provider Yotaphone. The Office’s investigation revealed that these additional allegations relied, in part, on the DNS traffic data that Joffe and others had assembled pertaining to the Trump Tower, Trump’s New York City apartment building, the EOP,1558 and Spectrum Health. Sussmann provided data to the CIA that he said reflected suspicious DNS lookups by these entities of domains affiliated with Yotaphone.1559 Sussmann further stated that these lookups demonstrated that Trump or his associates were using a Yotaphone in the vicinity of the White House and other locations.1560

Durham’s description of these allegations relies on redacted sections of two trial exhibits (but not a related one that shows Sussmann was not hiding having a client). Because the section of these trial exhibits was redacted, it’s not clear whether Durham is representing how these CIA witnesses described Sussmann’s claims fairly. That’s important because — as we’ll see — Durham misrepresents the YotaPhone white paper.

As Durham described, Sussmann provided four documents and 6 data files to the CIA.

During the meeting, Sussmann provided two thumb drives and four paper documents that, according to Sussmann, supported the allegations. 1564

1564 The titles of the four documents were: (i) “Network Analysis of Yota-Related Resolution Events”; (ii) ·’YotaPhone CSV File Collected on December 11th, 2016″; (iii) “Summary of Trump Network Communications”; and (iv) “ONINT [sic] on Trump Network Communications.” The two thumb drives contained six Comma Separated Value (“.CSV”) files containing IP addresses, domain names and date/time stamps.

Unlike the Red and Blue Thumb Drive, Durham makes clear that his experts actually examined these thumb drives.

Here are three of the documents:

I understand the csv files include:

  • yota-eop
  • yota-cpwest
  • yota-spectrum
  • yota-trumporg
  • sipper
  • 2016-05-04_2017-01-15_Trump_server.csv

I’ll say more about them below.

Durham’s description of the analysis, titled, “Trump/Alfa/Spectrum/Yota Observations and Assessment,” generally obscures whether it is rebutting a claim (redacted in the trial exhibits) made by Sussmann (“the presentation”) or included in the white paper and data (“the above-quoted white papers about the Yotaphone allegations” and “Yotaphone-related materials”) provided, and he doesn’t repeat or address the Alfa Bank side of these observations (which have no tie to the YotaPhone claims).

But the technical analysis does not, at all, debunk the YotaPhone observations.

The FBI DNS experts with whom we worked also identified certain data and information that cast doubt upon several assertions, inferences, and allegations contained in (i) the above-quoted white papers about the Yotaphone allegations, and (ii) the presentation and Yotaphone-related materials that Sussmann provided to the CIA in 2017. In particular:

  • Data files obtained from Tech Company-2, a cyber-security research company, as part of the Office’s investigation reflect DNS queries run by Tech Company-2 personnel in 2016, 2017, or later reflect that Yotaphone lookups were far from rare in the United States, and were not unique to, or disproportionately prevalent on, Trump-related networks. Particularly, within the data produced by Tech Company-2, queries from the United States IP addresses accounted for approximately 46% of all yota.ru queries. Queries from Russia accounted for 20%, and queries from Trump-associated IP addresses accounted for less than 0.01 %.
  • Data files obtained from Tech Company-1, Tech Company-2, and University-1 reflect that Yotaphone-related lookups involving IP addresses assigned to the EOP began long before November or December 2016 and therefore seriously undermine the inference set forth in the white paper that such lookups likely reflected the presence of a Trump transition-team member who was using a Yotaphone in the EOP. In particular, this data reflects that approximately 371 such lookups involving Yotaphone domains and EOP IP addresses occurred prior to the 2016 election and, in at least one instance, as early as October 24, 2014. [bold and italics mine]

Compare that to the supposed debunking from the gratuitous conflicts filing that led to death threats.

The Indictment further details that on February 9, 2017, the defendant provided an updated set of allegations – including the Russian Bank-1 data and additional allegations relating to Trump – to a second agency of the U.S. government (“Agency-2”). The Government’s evidence at trial will establish that these additional allegations relied, in part, on the purported DNS traffic that Tech Executive-1 and others had assembled pertaining to Trump Tower, Donald Trump’s New York City apartment building, the EOP, and the aforementioned healthcare provider. In his meeting with Agency-2, the defendant provided data which he claimed reflected purportedly suspicious DNS lookups by these entities of internet protocol (“IP”) addresses affiliated with a Russian mobile phone provider (“Russian Phone Provider-1”). The defendant further claimed that these lookups demonstrated that Trump and/or his associates were using supposedly rare, Russian-made wireless phones in the vicinity of the White House and other locations. The Special Counsel’s Office has identified no support for these allegations. Indeed, more complete DNS data that the Special Counsel’s Office obtained from a company that assisted Tech Executive-1 in assembling these allegations reflects that such DNS lookups were far from rare in the United States. For example, the more complete data that Tech Executive-1 and his associates gathered – but did not provide to Agency-2 – reflected that between approximately 2014 and 2017, there were a total of more than 3 million lookups of Russian Phone-Provider-1 IP addresses that originated with U.S.-based IP addresses. Fewer than 1,000 of these lookups originated with IP addresses affiliated with Trump Tower. In addition, the more complete data assembled by Tech Executive-1 and his associates reflected that DNS lookups involving the EOP and Russian Phone Provider-1 began at least as early 2014 (i.e., during the Obama administration and years before Trump took office) – another fact which the allegations omitted. [bold mine]

The bolded narrative shows these are the same report. If 3 million is 46% of the total of around 6.521 million lookups globally, then 1,000 Trump-related queries would be .01% of the global total.

But it is an innumerate stat. I’m not the FBI, and definitely not a top FBI cyber expert. But even my humble little blog occasionally relies on William Ockham to explain things that should be bloody obvious to the Federal government, such as that 3 million DNS requests amount to one family’s worth of use.

Contra Durham, 3 million DNS requests for a related IP addresses over a four-year period means these requests are very rare.

For comparison purposes, my best estimate is that my family (7 users, 14 devices) generated roughly 2.9 million DNS requests just from checking our email during the same time frame. That’s not even counting DNS requests for normal web browsing.

If you’re going to make a federal case out of this, at least make some attempt to understand the topic.

Durham and his hand-picked experts in the FBI suggest that because, among the very rare number of global requests, almost half appear in the US, it means they aren’t rare. From that, Durham and his experts argue that the fact that Trump’s properties (and Spectrum and the Executive Office of the President) are part of this tiny club is not cause for concern.

They’re doing so even though among the domains included in the CSV tables is wimax-client-yota-ru, which shows up in Wordfence’s IOC lists for the GRU attack on the election. Durham and his FBI experts are arguing that it is not alarming that there would be several look-ups to such a domain in October 2016 from the Executive Office of the President, periodical look-ups to that domain from Trump Organization starting in August 2016, and persistent such look-ups from the suspect Spectrum IP address starting in November 2016.

And about those EOP look-ups. Durham claims, in the italicized language above, that there is an, “inference set forth in the white paper that such lookups likely reflected the presence of a Trump transition-team member who was using a Yotaphone in the EOP.” Sussmann may have said that. But it’s not in the white paper. In fact, there’s just one reference to the EOP in the white paper at all, and it’s not included in the speculative paragraph that there may be a tie between the Spectrum traffic and the Trump traffic.

Network traffic analysis strongly suggests communications between Russian networks and Trump Tower, associated Trump properties, with artifacts also present at EOP. Spectrum Health resolver IP 167.73.110.8 in Grand Rapids MI is also observed making similar queries.

The traffic data indicates: (a) There are Russian-made cellular devices on these networks, seldom seen elsewhere in the US; and (b) these networks appear to be at- tempting SIP-connections to Russian networks which very few IPs globally are seen trying to resolve.

It is possible that one or more devices is at times travelling between locations as there are sometimes gaps possibly correlated to newsworthy events such as New York NY to Grand Rapids MI, lifting of some sanctions on Russia, and the disappearance of the queries from New York in mid December and from Grand Rapids MI in mid January 2017.

In other words, as he did when he invented an allegation against Hillary that the Russians didn’t even make, he’s inventing an inference here, the kinds of inferences he tried to criminalize when Joffe did them. Further, he suggests that Sussmann and Joffe didn’t reveal that the lookups started before the election, even though the CSV data included shows lookups starting on October 2, 2016, which last I checked was before the election.

Durham, who admits in his report that these lookups inexplicably ended before Inauguration, nevertheless falsely insinuated in a court filing that Sussmann and Joffe had based their claims on lookups that post-date Trump’s inauguration. Durham is debunking Durham now! And that false claim from Durham led Trump to suggest that because Joffe found an IOC associated with the people who hacked the election within EOP, Sussmann should be put to death.

That’s one reason that it matters that this technical review is undated. Obviously, it’s crazy enough that an undated unpaginated report would show up in a report like this (I suspect it is intended to make the document hard to find).

But because it is undated and — it appears — Sussmann never got it, Durham doesn’t have to admit that he has included it in his report even after Sussmann pointed out that Durham’s inflammatory claims relied on getting the dates wrong himself.

For example, although the Special Counsel implies that in Mr. Sussmann’s February 9, 2017 meeting, he provided Agency-2 with EOP data from after Mr. Trump took office, the Special Counsel is well aware that the data provided to Agency-2 pertained only to the period of time before Mr. Trump took office, when Barack Obama was President.

After Sussmann and Joffe proved he was wrong, Durham dropped these claims. But then he resuscitated them for his report.

Durham blinds his expert so he can’t see any visibility

The second expert review Durham relied on, “FBI Cyber Division Cyber Technical Analysis Unit, Technical Analysis Report,” does have a date — April 20, 2022 — along with a Bates stamp showing that it was shared with Sussmann. The Cyber Technical Analysis Unit that wrote it is headed by David Martin, the guy who ultimately served as Durham’s expert witness at trial. After months of stalling, Durham first informed Sussmann that he would have an expert and Martin would be that expert on March 30, 2022, just weeks before trial.

Given that the Technical Analysis is dated three weeks after that, it seems exceedingly likely the Technical Analysis was a report done in preparation for Martin’s testimony.

As I noted in this post, this Technical Analysis focuses exclusively on the white paper Sussmann shared on September 19, 2016.

The citations to the Technical Analysis document in footnotes references just 13 pages of material, two pages of which is likely front matter, and one page describing the tasking Durham gave them.

Aside from the four pages of material that Durham doesn’t mention, there are really just two topics: addressing whether or not the Spectrum Health IP address was a Tor node, and using the answers obtained from Listrak (and possibly a broader set of logs than Alison Sands had available in 2016) to make an argument about the kind of visibility one needs to learn anything from DNS records.

These topics generally track Martin’s testimony as well (though Sussmann had opposed Martin’s comments on visibility, and given that it doesn’t appear in Martin’s Powerpoint from the trial, I’m not sure he was supposed to discuss it).

Now, Durham loves this technical analysis on Tor. He cited it first when he described how April Lorenzen was trying to figure out what the Spectrum IP address was in August 2016, and then quotes it again 30 pages later in his general technical discussion. The second time, he added an apostrophe-s which might be misread by the dim-witted people who are the audience of this propaganda to suggest that disproving that the Spectrum IP was a Tor node disproves the rest of the white paper, which it does not.

The FBI experts advised that historical TOR exit node data conclusively disproves this white paper allegation in its entirety and furthermore the construction of the TOR network makes the described arrangement impossible.

[snip]

The FBI experts who examined this issue for us stated that historical TOR exit node data conclusively disproves this white paper’s allegation in its entirety.

It’s really weird that Durham loves this analysis, because it would suggest that he didn’t learn that the Spectrum Health IP was not a Tor node until just weeks before trial — though that same judgement, that it was not a Tor node, is one of the main things the FBI got right when they first investigated this in 2016. There is almost nothing cited from this report that newbie counterintelligence agent Alison Sands hadn’t already laid out by October 5, 2016.

Durham’s fondness for this Tor node analysis is all the more hilarious because Durham tasked this expert review after the review of the files Sussmann shared with the CIA in February 2017. And neither of the files about the Alfa Bank anomaly that Sussmann turned over in 2017 (one, two) mention the Tor node. Researchers actually realized this was not a Tor node around the same time Sussmann originally shared the files. It was long gone, Durham knew it, yet that’s still the primary thing he relies on to claim he has debunked the allegations.

So Durham’s primary debunking of the white paper doesn’t address, at all, what was in the later documents. In fact, that was one effect of tasking the Cyber Technical Analysis Unit with reviewing just the stuff on the Red Thumb Drive: it gave some of FBI’s top experts a really easy way to debunk (part of) the white paper, albeit the only part that was entirely debunked in 2016.

It’s like congratulating yourself because the FBI’s top cyber experts managed to play tiddlywinks as well as a newbie counterintelligence agent did six years earlier during a rush investigation.

The second area of this technical review Durham cites that is still more telling. It purports to rely on information learned in Listrak email (not DNS) records to (effectively)  accuse Joffe and the others of cherrypicking the data.

In addition to investigating the actual ownership and control of the IP address, the Office tasked FBI cyber experts with analyzing the technical claims made in the white paper. 1650 This endeavor included their examination of the list of email addresses and send times for all emails sent from the Listrak email server from May through September 2016, which is the time period the white paper purportedly examined. 1651 The FBI experts also conducted a review of the historical TOR exit node data. 1652

The technical analysis done by the FBI experts revealed that the data provided by Sussmann to the FBI and used to support Joffe and the cyber researchers’ claim that a ‘”very unusual distribution of source IP addresses” was making queries for mail l.trump-email.com was incomplete. 1653 Specifically, the FBI experts determined that there had been a substantial amount of email traffic from the IP address that resulted in a significantly larger volume of DNS queries for the mail 1.trump-email.com domain than what Joffe, University-1 Researcher-2 and the cyber researchers reported in the white paper or included on the thumb drives accompanying it. 1654 The FBI experts reviewed all of the outbound email transmissions, including address and send time for all emails sent from the Listrak server from May through September 2016, and determined that there had been a total of 134,142 email messages sent between May and August 2016, with the majority sent on May 24 and June 23. 1655 The recipients included a wide range of commercial email services, including Google and Yahoo, as well as corporate email accounts for multiple corporations. 1656

Similarly, the FBI experts told us that the collection of passive DNS data used to support the claims made in the white paper was also significantly incomplete. 1657 They explained that, given the documented email transmissions from IP address 66.216.133.29 during the covered period, the representative sampling of passive DNS would have necessarily included a much larger volume and distribution of queries from source IP addresses across the internet. In light of this fact, they stated that the passive DNS data that Joffe and his cyber researchers compiled and that Sussmann passed onto the FBI was significantly incomplete, as it included no A-record (hostname to IP address) resolutions corresponding to the outgoing messages from the IP address. 1658 Without further information from those who compiled the white paper data, 1659 the FBI experts stated that it is impossible to determine whether the absence of additional A record resolutions is due to the visibility afforded by the passive DNS operator, the result of the specific queries that the compiling analyst used to query the dataset, or intentional filtering applied by the analyst after retrieval. 1660

1653 Our experts noted that the assertion of the white paper is not only that Alfa Bank and Spectrum Health servers had resolved, or looked up, the domain [mail-1.trump-email.com] during a period from May through September of 2016, but that their resolutions accounted for the vast majority of lookups for this domain. FBI Technical Analysis Report at 6.

1654 The USB drive that Sussman [sic] provided to the FBI on September 19, 2016, which was proffered as data supporting the claims in the white paper, contained 851 records of DNS resolutions for domains ending in trump-email.com. FBI Technical Analysis Report at 7.

I’ll leave it to William Ockham — who apparently is smarter than the entire FBI — to explain that by looking for emails sent out from an IP rather than DNS for a domain, the FBI was basically searching for all packages from one post office rather than stamps from one house that uses that post office (I’m still working on this analogy, but it’s a start). Plus, at least in real time, the newbie counterintelligence agent who figured out the Tor node information Durham claims to have only learned six years later, Alison Sands, kept complaining that Listrak didn’t provide the network logs they needed.

But as I pointed out here, not only does the FBI change its mind mid-sentence whether there was one thumb drive or two — a problem that has plagued FBI’s Cyber division for six years, apparently –but FBI doesn’t even claim to be looking at all the data that was submitted at trial. FBI’s experts only reviewed the exact same file that Scott Hellman emphasized was a portion of the data submitted; they didn’t review the larger set. They complain they only have 851 lines of data because they’re not reviewing the larger file, much less any csv records turned over on the Blue Thumb Drive, not because the logs didn’t exist.

Remember: these are supposed to be the same people who already reviewed the CIA material by February. And the equivalent of the white paper in those materials has a passage that addresses precisely the visibility of which FBI claims to be ignorant. And the Trump/Alfa csvs included on one of those thumb drives — 2016-05-04_2017-01-15_Trump_server — not only includes almost 25,000 lines of data, but it also shows the collection points. The FBI had a way, in hand, to get that visibility, but Durham told them to look away.

The only thing the FBI’s top experts offer to debunk, other than the Tor node claim that the FBI knew the researchers had dropped, was a complaint about visibility. But their complaints about visibility were entirely manufactured by the scope of the review Durham requested and possibly by the curious status of the Blue Thumb Drive, as well as (if Durham is telling the truth about these being the same experts) willful forgetting of a review they had done on related issues less than a year earlier.

Durham created this blindness. By ensuring all the experts remain blind to visibility, Durham ensured the review would conclude that the researchers didn’t have the visibility that, the FBI knew well, they had.

As I have described, way back in October 2016 — just days after Batty and Hellman did — I too thought that this was a set-up.

But I said that because (as I also noted) no one had seen the evidence. The FBI had the opportunity to look, but instead has spent the last six years deliberately blinding themselves so they can continue to claim it was a set-up.

Update: From pre-trial motions, here are two of the CIA summaries in which Sussmann’s claims about the YotaPhone allegations remain unredacted (one, two). They do tie the presence of the YotaPhone in EOP to Trump. But they also make it clear that the phone couldn’t have been Trump, because it didn’t always move with him, meaning these could easily have been (and still could be) someone attempting to compromise Trump.


Alfa Bank and Yotaphone Allegations

1.Factual background

a. Introduction

b. Sussmann’s attorney-client relationship with the Clinton campaign and Joffe

c. The Alfa Bank allegations

i. Actions by Sussmann, Perkins Coie, and Joffe to promote the allegation

ii. Actions by April Lorenzen and others and additional actions by Joffe

iii. Sussmann’s meeting with the FBI

d. The FBI’s Alfa Bank investigation

i. The Cyber Division’s review of the Alfa Bank allegations

ii. The opening of the FBI’s investigation

e. Actions by Fusion GPS to promote the Alfa Bank allegations

f. Actions by the Clinton campaign to promote the Alfa Bank allegations

g. Sussmann’s meeting with the CIA

h. Sussmann’s Congressional testimony

i. Perkins Coie’s statements to the media

j. Providing the Alfa Bank and Yotaphone allegations to Congress

k. Joffe’s company’s connections to the DNC and the Clinton campaign

l. Other post-election efforts to continue researching and disseminating the Alfa Bank and Yotaphone allegations

i. Continued efforts through Joffe-affiliated companies

ii. Efforts by Dan Jones and others

iii. Meetings by DARPA and Georgia Tech

iv. The relevant Trump Organization email domains and Yotaphone data

2. Prosecution decisions

The Dishonest and Incompetent FBI Work John Durham Learned to Love

In the Durham Report’s telling of the FBI investigation into the Alfa Bank anomalies, it describes that the two cyber agents who conducted the first technical review of the allegations, Scott Hellman (Cyber Agent-1) and Nate Batty (Cyber Agent-2, the guy who appears to have misplaced the Blue Thumb Drive with all the data), congratulated themselves on the fact that they had both come to the same conclusion in spite of “their own very different political views.”

Cyber Agent-1 testified that both he and Cyber Agent-2 did not agree with the conclusion in the white paper and assessed that (i) the authors of the white paper ‘jumped to some conclusions that were not supported by the technical data,” (ii) the methodology was questionable, and (iii) the conclusions drawn did not “ring true at all.” 1479 In interviews with the Office, both Cyber Agent-1 and Cyber Agent-2 said that they were proud of their work because they had both come to the same conclusion despite their own very different political views. [my emphasis]

The interviews at which these men told this story are not cited (elsewhere in this passage, Durham relies on Hellman’s trial testimony rather than any of his interviews for the report, though according to trial testimony, he interviewed with Durham six times).

It’s an odd measure of investigative rigor, particularly in a report complaining that other FBI agents let bias infect their work.

It’s also a good place to start to describe the multiple layers of deceit in which Durham engages to avoid admitting that Batty and Hellman steered him wrong.

  • Durham adopted his “fabrication” theory from Hellman and Batty
  • The “fabrication” theory came with an understanding the DNC was involved
  • Hellman and Batty made materially contradictory comments about politics
  • Durham covered up Cyber’s clear errors
  • Durham’s made post-indictment efforts to sustain his false claims (this will be a follow-up because this got too long)

Durham adopted his “fabrication” theory from Hellman and Batty

As noted, Durham cites Hellman’s trial testimony, rather than those interviews he doesn’t cite, for his description of what Hellman and Batty concluded. At trial, immediately after the exchange cited, Durham lead prosecutor Andrew DeFilippis had Hellman walk through the written summary the two cyber guys wrote.

DeFilippis used that document to improperly cue Hellman, who was not qualified as an expert — someone who had, minutes earlier, admitted he knew only the basics of DNS — to express his opinion about the white paper, which I laid out here. Coming as it did after weeks of wrangling over Durham’s belated attempt to spring a different expert on Sussmann, the stunt unsurprisingly drew an objection.

But DeFilippis wasn’t working with the full summary. A redaction in the Hellman-Batty summary DeFilippis introduced as part of this exchange hid part of Hellman and Batty’s immediate response to the white paper. But a different version of the same document (introduced by the defense), reveals more about their initial conclusion to the anomalies: The otherwise redacted information reveals that Hellman and Batty floated the possibility that the researchers had fabricated the data by spoofing it themselves.

In conclusion, ECOU 1 suggests there is currently no cyber intrusion component in this case and that the report provided contains questionable methods and intentions. Based on the information provided, it also remains a possibility that the report was fabricated. If the domain maill.trump-email.com were discovered by researchers, a computer at Alfa Bank could be configured to conduct multiple DNS inquiries to create the appearance that a Russian bank is communicating exclusively with the domain maill.trump-email.com. Furthermore, it appears suspicious that the presumed suspicious activity began approximately three weeks prior to the stated start of the investigation conducted by the researcher. [emphasis, which marks otherwise redacted language, my own]

Hellman didn’t just share this opinion in the summary, which was sent out to others no later than September 21 at 4;46PMET (some of these time zones are in CDT, so an hour behind). It was the primary conclusion they shared with the Chicago-based agents conducting the actual investigation. As Curtis Heide’s Lync notes show (these are probably UTC, so morning ET), 8 minutes after Heide made a second request for the thumb drives, Batty and Hellman asked Heide to get on the phone. They spoke for five minutes, after which Heide texted Pientka to tell him that “we’re leaning towards this being a fake server not attributed to the trump organization.”

While Hellman was on the phone with Heide, Batty was texting Heide’s boss, Dan Wierzbicki, that, “we think it’s a setup. it smells like a setup.” Minutes after these two exchanges another Cyber guy shared with Joe Pientka Phil Todd’s opinion, described below, that this was a DNC set-up timed for the debate.

In other words, the premature Hellman and Batty opinion that this was a set-up tainted everything that followed in the investigation. And they shared it before anyone else looked at the evidence.

Notably, this opinion led the FBI to take overt acts during a pre-election period that prevented the FBI from conducting a robust investigation afterwards. At 4:22PM ET that same day, Alison Sands wrote from Chicago to New York explaining that this probably wasn’t actually a Trump domain. At 4:53PM ET, Sands wrote back to correct that: Miami FBI agents had taken overt investigative steps during an election season (though they used a ruse as to why they were asking), and learned that it was a legitimate email server. At 1:53PM the next day, Sands wrote back to note that Cendyn had responded to FBI’s overt investigative steps by updating their DNS tables, tainting the investigation and public reporting on it irreparably.

More importantly, the opinion Hellman and Batty formed — that this was a setup — influenced more than the initial investigation. It’s the entire organizing logic of the September 16, 2021 indictment against Michael Sussmann. Durham accused Sussmann of packaging all this up in a “narrative” fed by “purported” data provided by April Lorenzen, whom he called “Originator-1,” and then sharing it with the FBI. That’s why Durham needed it to be the case that Sussmann intentionally hid a tie to the DNC.

And because Durham adopted that hasty Hellman and Batty theory as his own, to the extent that Hellman and Batty made grave errors, Durham had to (and has to) cover those errors up.

The “fabrication” theory came with an understanding the DNC was involved

And that means covering up how politics — or at least a suspicion about politics — played a part.

Durham treated Batty and Hellman’s initial conclusions as reliable, he said, because, “they had both come to the same conclusion despite their own very different political views.”

That’s remarkable because Durham includes something in his report that he chose not to introduce at trial under oath: that Nate Batty told him in 2019 that he and Hellman had considered filing a whistleblower complaint against Jim Baker because FBI’s General Counsel refused to tell them where the tip came from.

Cyber Agent-2 told the Office that he and Cyber Agent-1 considered filing a whistleblower claim about Baker’s failure to provide the information but ultimately decided that they would not because the data provided was not formal evidence in a criminal proceeding. 1492

1492 OSC Report of Interview of Cyber Agent-2 on Sept. 16, 2019 at 2.

This is likely where the whole idea of charging someone for lying to the FBI about this evidence came from.

What Durham didn’t say in his report — but what the public record strongly suggests — is that one or both of these guys were affirmatively dishonest with him about how significantly politics played into this investigation. Three pieces of evidence submitted at trial show that Batty understood this tip to have come from the DNC and one of his colleagues treated it as a set-up by the DNC.

First, there’s the Lync text showing Batty was informed that Sussmann was in the evidentiary chain even before he picked up the thumb drives on September 20 (remember, these are probably UTC).

As this post makes clear, Batty learned that Sussmann was in the chain of custody before he picked up the thumb drives from Baker. He didn’t need Baker to tell him where they came from. He already knew.

Less than a day after being told Sussmann was in the evidentiary chain, Batty wrote Hellman, saying they had been asked to write “a brief summary of what we think about the DNC report,” and then conceded maybe they should look at the actual DNS logs before writing such a summary.

Then, the next morning at 8:09AM, one of the Cyber supervisors, Phil Todd, wrote an email claiming that “the DNC person” who dropped the thumb drives off planned to release the Trump – Alfa Bank tie prior to the Presidential debate that would be on October 4.

The DNC person that provided these thumb drives stated to Baker that he/she was going to release the information concerning the Trump server, and direct contact with the Russians through Alpha Bank in Moscow, to the press on Friday, 9/23/16, prior to the upcoming Trump / Clinton debate this weekend.

Sussmann obviously didn’t tell Baker his outreach to the press was timed for the debate. It’s something the Cyber guys made up and put into writing. But it shows that people in the Cyber division didn’t just make conclusions before investigating, but did so through that political lens, precisely the political lens Durham claimed that Sussmann thwarted by allegedly lying to Jim Baker.

And while there’s no evidence Batty shared the assumed tie between the tip and the DNC with the agents in Chicago, it’s important background to the way Hellman and Batty reached out to Heide and his boss to explain, in a way that would leave no written record, why they believed this was not a real server, an opinion that Heide would cite as one of four reasons he dismissed the allegations. Batty shared that opinion before sharing the substantive materials in the white paper with the Chicago agents.

These records should have led any sane prosecutor to conclude he had no case against Sussmann. These, along with at least two more exhibits (Bill Priestap’s notes and Ryan Gaynor’s briefing notes), show that numerous people in the FBI, including one of the guys who conducted the initial technical review of the anomalies, believed the white paper had a DNC tie. And at least some people at the FBI had concluded, absent evidence, that it was a political hit job.

How could Sussmann’s alleged lie be material if the initial conclusions about the anomaly presumed Sussmann was bringing the white paper for the DNC?

Hellman and Batty made materially contradictory comments about politics

As noted, Batty’s claim, made in a 2019 interview with Durham, seems to conflict with the record showing that he was informed of Sussmann’s involvement before he first obtained the thumb drives.

All the evidence that people in Cyber knew of and considered the role of the DNC in this tip — plus the way Durham measured Batty and Hellman’s reliability based on their partisanship — makes Hellman’s testimony at trial suspect, too. Hellman claimed, under oath, that he and Batty didn’t talk about whether these allegations had political origins in advance.

Q. And you and Special Agent Batty at least talked about whether this had political origins, didn’t you?

A. At that point I think the only thing that came up was just questioning the motive of somebody providing — like, who provided this report? I don’t recall any discussion about political motivations.

Q. Who would it have helped if the allegations were true?

A. It would have helped the opposing — it would have helped the democratic party.

Q. And that didn’t occur to you at all that that motivation might have been involved?

A. No.

This is one of several reasons I find it so curious that Durham didn’t cite the actual interviews in which Hellman and Batty talked about how they responded to the white paper by invoking politics: If Sussmann’s attorneys had received 302s reflecting they had, as Brady or even Jencks in Hellman’s case, you’d think they would have followed up on Hellman’s claim that politics didn’t come up by noting that he and Batty had both told Durham differently.

Hellman also claimed, under oath, that he never saw that text mentioning the DNC screencapped above, to which he responded by writing up a report, until 2020.

Q. All right. And then, with respect to Stranahan, he asks you and Nate to write a report about the — write a summary of the DNC report. Correct? That’s what it says?

A. That’s what it says in this chat, yes.

Q. And did you understand, sir, that the information had come from a DNC, meaning Democratic National Committee, source?

A. I did not understand that, no.

Q. Did you know what Nate Batty knew about it?

A. I don’t think he knew anything about it.

Q. Did you call up Tim and say, what a second. This is a DNC report? That’s political motivation.

A. No.

Q. Didn’t do anything or it didn’t occur to you?

A. The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from the DNC. I don’t remember DNC being a part of anything that we read or discussed.

Q. Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A. It’s in there. I don’t have any memory of seeing it.

Later Berkowitz returned to the text. He asked Hellman how it could be that Batty could refer to the white paper from a lawyer who represented the DNC, in a text to Hellman, as the DNC report, without Hellman becoming aware that someone — his superior — was calling it a DNC report.

Q. And although you were surprised to see it today, it appears that at least somebody, such as Mr. Batty was aware and you were aware that somebody was calling this white paper a DNC report. Correct?

A. I was not aware that anybody was calling it a DNC report, and I don’t believe Mr. Batty knew that either.

Q. But you saw the link message. Right?

A. I did see the link message, yes.

Then Berkowitz asked Hellman how it could be that he would see a reference to a DNC report and not take from that it was a DNC report. Hellman responded by describing “the only explanation that … was discussed” — was that it was a typo.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

Q. Okay. You didn’t think that at the time. Right?

A. I did not. I had never seen it or had any memory of seeing it ever before it was put in front of me.

That is, Hellman responded by explaining that Durham’s lead prosecutor Andrew DeFilippis, rather than asking whether the Lync text refreshed Hellman’s memory that he had been already been told this was a DNC report when he conducted the analysis, rather than recognizing that the evidence actually undermined his entire case, instead scripted an alternate explanation.

Just a typo.

And then Hellman repeated that script on the stand.

Under oath.

There are no declination decisions in Durham’s Report assessing how Hellman and Batty’s statements — in the 2019 interview and under oath on the stand — can be squared with the public record. Of course there aren’t declinations! When faced with documentary evidence that his disclaimer about awareness of a DNC role was suspect, Hellman simply parroted Durham’s own team.

But the fact that Durham didn’t even consider whether there was more evidence that Batty and Hellman lied to him than that Sussmann did is a testament to the fact that any misstatements they made would upend his entire project.

At trial, when Durham was desperate to claim that the five different exhibits that showed the FBI knew this report came from a DNC lawyer didn’t mean that the FBI had treated this as a DNC report, his star witness Scott Hellman said there was no discussion of politics when he and his boss assessed this report.

But in his report itself, Durham’s proof that their analysis was sound was that both FBI agents had told him (in interviews that he doesn’t cite) that they approached the report through a lens of politics.

Durham covered up Cyber’s clear errors

The fact that a supervisor in the Cyber Division concluded that this was a Democratic hit job timed to the debate makes Durham’s silence about Batty and Hellman’s clear errors all the more problematic.

I wrote them up in this post describing Hellman’s advice to newbie agent Alison Sands that, “any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities.”

The two most problematic clear errors bookend the otherwise redacted claim that they suspected this was a set up.

As that Lync text itself above makes clear: Hellman and Batty had already made conclusions about the white paper before he opened the thumb drive with the data that — Hellman later testified — is what made the two of them more qualified to assess this report than the counterintelligence agents who would later conduct the investigation. After having made a conclusion prior to reviewing the logs, Hellman and Batty claimed that the anomaly had only been going on for three weeks before the researchers started looking at it. That was probably a misreading of one of two histographs in the white paper. But it would have easily been debunked had they reviewed just the DNS logs provided, much less the data provided on the misplaced Blue Thumb Drive itself. There’s no way you make that error after having reviewed the DNS logs. Yet they did make that error, an error Durham never mentions in his report.

And Durham knows this claim is wrong, because the expert report he cites in his own report — which examined the smaller set of two logs included on the Red Thumb Drive — notes that the researchers included logs dating from May to September.

Durham repeats in his report, without correction, an even more serious error. Durham states, truthfully, that Batty and Hellman — two of the only FBI agents who investigated anything having to do with Russia in 2016 who haven’t subsequently been disciplined for their fuck-ups — claimed that there was no allegation of hacking in the white paper.

The report’s summary stated that they had “assess[ed] there is no CyD [Cyber Division] equity in this report and that the research conducted in the report reveals some questionable investigative steps taken and conclusions drawn.” 1477 The report acknowledged that there was no allegation of hacking and so there was no reason for the Cyber Division to investigate further.

But Durham doesn’t reveal that this claim — there was no allegation of hacking in the report — was false. Rather, he adopts it as his own.

As a footnote in the white paper Sussmann shared described, one reason the researchers offered that Spectrum might not have known it had this weird occurrence on its network (which the researchers incorrectly concluded was a Tor node) was because they had been hacked.

We discovered that Spectrum Health victim of a network intrusion. Therefore, Spectrum Health may not know what has a TOR exit node on is network. Alternatively. the De Vos family may have people at Spectrum who know here is a TOR node, i.e., TOR node could have been placed there with inside help.

“Network intrusion.” That’s a hack.

Outside researchers informed the FBI of an anomaly involving an IP address known to have been hacked. And yet the cyber guys concluded not just that this white paper was shit, but also that there was no Cyber Division equity — a hack — in it, and did so in just over a day.

The researchers were wrong about Tor, but they were right about the hack. When the FBI checked the Spectrum IP in question, they found that it had been compromised.

One reason this error is so problematic — aside from it discredits everything else Hellman and Batty did — is because it came as supervisors in the Cyber Division were trying to spin off this investigation because they had concluded, with no evidence, that it was a pre-debate set-up. Hellman and Batty concluded there was no hack not because of the evidence, but because they didn’t want to do this case.

John Durham congratulates these men because a Democrat and a Republican agreed about this white paper. But he doesn’t reveal that, in addition to getting several other key technical details wrong, they failed at their one job, to determine whether there was a hack involved. So instead of revealing that they failed in their one job in his report, Durham instead repeats their false claim, “The report acknowledged that there was no allegation of hacking,” and boasts because a Democrat and Republican ended up being badly, embarrassingly wrong together.

Now, as I noted, Durham covers up some of the other problems with this investigation.

The two most important are that the FBI violated the rule prohibiting overt investigative steps during the pre-election period, and perhaps partly because of that (as well as FBI’s failure to act immediately after Sussmann provided Eric Lichtblau’s name on September 22), by the time the FBI spoke to Alfa Bank, the potential suspect in this crime drama — the potential suspect which reached out to FBI rather than vice versa — Alfa had no log files left to review.

That’s the other big error the investigative team made, which Durham also covers up. The FBI didn’t understand that Mandiant’s judgement was useless until a March 2017 interview with Mandiant. Curtis Heide described at trial that he never — never!! — actually learned that the reassurances Alfa Bank had offered were based on a claim that a bank had no log files to review.

Q. And were you aware, while you were doing the investigation, that Mandiant, when it went to talk to AlfaBank to look into these allegations, did not have any historical data, that Alfa-Bank did not provide any historical data to Mandiant? Did you know that?

A. No

Here’s how Durham covered up that embarrassing failure in his report:

Mandiant provided the FBI with its findings, which too concluded that there was no evidence to support the allegations of a secret communications channel nor any evidence of direct communications between the Alfa Bank servers and Trump Organization servers.

In his report, Durham cites only an October 2016 302, not the March 2017 one where the FBI first learned how useless the Mandiant review would have been. Again, he makes absolutely no mention that a potential suspect in this story reached out to the FBI told the FBI that a potential crime scene had been wiped of digital fingerprints and did nothing.

Durham complains about other problems with the part of the investigation conducted by the counterintelligence agents — they made an error in their opening memo, for example.

But rather than bitching and moaning about the outright errors the FBI cyber agents committed during the investigation, like he did for every other FBI agent in his report (including the counterintelligence agents on the Alfa Bank investigation), Durham simply … covered those errors up. Repeated their false claims. Perpetuated the foundational error in the Alfa Bank anomaly investigation.

Durham couldn’t treat Hellman and Batty with the same ruthless contempt as he did all the other FBI agents he interviewed. That’s because the materially inconsistent claims and outright errors they made were all foundational to Durham’s project. Durham can’t admit that Hellman and Batty were among the most suspect and incompetent of every FBI agent involved. That’s because Durham built his entire case on the conclusion they drew before they even opened the thumb drives.

And that’s important for another reason: because of the investigative steps Durham took on DNS-related issues after he indicted Sussmann on September 16, 2021, and what they say about Durham’s efforts to manufacture claims to discredit the anomalies.

FBI Cyber Division’s Enduring Blue Pill Mystery

I’m writing a post on the technical analysis John Durham included in his report purporting to debunk the white papers submitted via Michael Sussmann to, first, the FBI and, then, the CIA. But first I’m going to do something even more tedious: Try to track down FBI’s persistent blue pill problem — or rather, the FBI’s apparent failure to ever analyze one of two thumb drives Sussmann shared with Jim Baker in September 2016, the Blue one.

Last year, before Sussmann’s trial, Durham had FBI’s top technical people review what he claimed were the data Sussmann had shared. He cited those reports in his own report, claiming they debunk the white papers.

Here’s how they are described in footnotes.

  • 1635 FBI Cyber Division Cyber Technical Analysis Unit, Technical Analysis Report (April 20, 2022) (hereinafter “FBI Technical Analysis Report”) (SCO _ 094755)
  • 1671 FBI Cyber Technical Operations Unit, Trump/Alfa/Spectrum/Yota Observations and Assessment (undated; unpaginated).

Not only doesn’t the YotaPhone report have a date, but it doesn’t have a Bates stamp reflecting that it was shared with Sussmann. I’ll get into why that is interesting in my follow-up post.

Below is a summary of the materials Sussmann provided to both agencies. By description, the Technical Analysis Report only reviews the white paper and the smaller of two sets of text DNS logs included on the Red Thumb Drive. By description the Trump/Alfa/Spectrum/Yota Observations only review the Yota White Paper.

The data FBI’s technical people reviewed appear to be restricted to what is marked in blue.

They did review the actual thumb drives turned over to the CIA, because they found hidden data on one; there’s no indication they reviewed the thumb drives provided to the FBI.

In fact, it’s impossible that they reviewed the data included on the second thumb drive Sussmann shared, the Blue one.

That’s because the FBI analysis claims Sussmann only provided 851 resolutions, which is the 19-page collection of text files included on the Red Thumb Drive, not even the larger set.

Similarly, the FBI experts told us that the collection of passive DNS data used to support the claims made in the white paper was also significantly incomplete. 1657 They explained that, given the documented email transmissions from IP address 66.216.133.29 during the covered period, the representative sampling of passive DNS would have necessarily included a much larger volume and distribution of queries from source IP addresses across the internet. In light of this fact, they stated that the passive DNS data that Joffe and his cyber researchers compiled and that Sussmann passed onto the FBI was significantly incomplete, as it included no A-record (hostname to IP address) resolutions corresponding to the outgoing messages from the IP address. 1658 Without further information from those who compiled the white paper data, 1659 the FBI experts stated that it is impossible to determine whether the absence of additional A record resolutions is due to the visibility afforded by the passive DNS operator, the result of the specific queries that the compiling analyst used to query the dataset, or intentional filtering applied by the analyst after retrieval. 1660

1659 The data used for the white paper came from Joffe’s companies Packet Forensics and Tech Company-I. As noted above, Joffe declined to be interviewed by the Office, as did Tech Company-2 Executive-I. The 851 records of resolutions on the USB drive were an exact match for a file of resolutions sent from University-I Researcher-2 to University-I Researcher- I on July 29, 2016, which was referred to as “[first name of Tech Company-2 Executive-l]’s data.” Id. at 7.

1660 Id. [bold]

There’s no way they would have come to this conclusion if they had seen the Blue Thumb Drive, which had millions of logs on it.

In fact, it appears that the FBI never did review that Blue Thumb Drive when they were investigating the Alfa Bank anomaly.

They didn’t do so, it appears, because the Cyber Division Agents who first reviewed the allegations, Nate Batty and Scott Hellman, misplaced the Blue Thumb Drive for weeks.

That may not have been an accident.

Batty and Hellman’s initial review, which they completed in just over a day, was riddled with errors (as I laid out during the trial). Importantly, they could not have reviewed most of the DNS logs before writing their report, because they claimed, “the presumed suspicious activity began approximately three weeks prior to the stated start [July 28] of the investigation conducted by the researcher.”

Even the smaller set of log files included on the Red Thumb Drive showed the anomaly went back to May. A histograph included in the white paper shows the anomaly accelerating in June.

Had anyone ever reviewed the full dataset, the shoddiness of their initial analysis would have been even more clear.

Here’s how the FBI managed to conduct an investigation on two thumb drives without, it appears, ever looking at the second one.

As the chain of custody submitted at trial shows, Jim Baker accepted the thumb drives, then handed them off to Peter Strzok, who then handed them off to Acting Assistant Director of Cyber Eric Sporre, who at first put the thumb drives in his safe, then handed them over to Nate Batty.

Within hours (these logs are UTC), Batty and Hellman started mocking the white paper but also complaining about the “absurd quantity of data.”

Hellman, at least, admitted at trial that he only knows the basics about DNS.

The next day, Batty told Hellman that their supervisor wanted them to write a “brief summary” of what he calls “the DNC report.” Batty appears to have known of Sussmann from other cases and he was informed that Sussmann was in the chain of custody.

In spite of the clear record showing Batty was informed who provided the thumb drives, in 2019, he told Durham that he and Hellman — whose analysis was so shitty — had considered filing a whistleblower complaint because they weren’t told what the documentary record shows he was clearly informed. And Durham thought that was sufficiently credible to stick in his report.

Before writing an analysis of this report, Batty admitted, they should first “plug the thumb drives” in and look at the files before they wrote a summary.

The documentary evidence shows that these guys formed their initial conclusion about the white paper without ever reviewing the data first.

A day later, Curtis Heide texted from Chicago and asked them to upload the thumb drives, plural, so they could start looking at them.

They only uploaded one, the Red Thumb Drive.

That’s clear because when Kyle Steere documented what they had received on October 4, he described that his report is, “a brief summary of the contents of the USB drive,” singular. The contents match what were on the Red Thumb Drive.

Two hours and 16 minutes later, after uploading the Red Drive, Batty asked if he should send the actual thumb drives to Chicago.

48 minutes later, Batty asked Hellman if he had the Blue Thumb Drive.

The chain of custody shows that Batty didn’t send anything on September 22, when he and Hellman were panicking about the missing Blue Thumb Drive. Instead, he put something in storage on October 6, two weeks later. That he put them in storage makes no sense, because when he wrote an Electronic Communication explaining why he was sending the thumb drives to Chicago on October 11 (by that point, 19 days after saying they would send the thumb drives to Chicago that day), he claimed,

Due to case operational tempo, and the need to assess the data at ECOU-1 prior to referring the matter to the [Chicago] division the evidence was not charged into evidence (at the NVRA) until October 6, 2016.

Not a shred of evidence in the available record supports that claim and a great deal shows it to be false.

But he didn’t send the physical thumb drives until October 12, FedEx instead of internal BuMail.

By October 12, the FBI had decided there was nothing to these allegations.

Somewhere along the way, there was some confusion as to whether there was one or two thumb drives. At the time the case ID was added — the case was opened on September 23 — it seems to have been understood there was just one thumb drive.

Batty does seem to have sent two thumb drives, one Red and one Blue, to Chicago after that 20-day delay, though.

At trial on May 23, Alison Sands dramatically pulled two thumb drives — a Red Thumb Drive and a Blue Thumb Drive — out of the evidence envelope where she put them years earlier.

Q. Ms. Sands, I’m showing you what’s been marked for identification as Government’s Exhibit 1. Do you recognize that?

A. Yes.

Q. What is that?

A. This is the la envelope.

Q. Do you know what this envelope contains?

A. Yes, it contains the thumb drives. So I basically took them out of evidence and put it into this envelope.

[snip]

Q. Now, Ms. Sands, do you recall how many thumb drives there were?

A. Yes, there’s two.

Q. Do you recall if they had any particular colors?

A. One is blue and one is red.

On the stand, Sands also introduced Steere’s memo, the one that documented the contents of the Red Thumb Drive. In doing so, though, she falsely claimed (at least per the transcript) that the memo described both thumb drives.

Q. Do you recognize what Government’s 206 is?

A. Yes.

Q. What is that?

A. It is the EC documenting what information was on the thumb drives that were provided.

She also introduced the items included on the Red Thumb Drive, one after another, into evidence.

Except for the 19-page set of text files used for technical analysis.

When prosecutor Brittain Shaw got to that file in Steere’s memo, she tried to move it into evidence, but both Judge Cooper and Sussmann attorney Michael Bosworth noted it was already in evidence.

MS. SHAW: Could we go back to Government’s Exhibit 206, please? Moving down the list —

BY MS. SHAW:

Q. The second item, what is that?

A. It is data that was provided as alleged evidence of these DNS lookup tables.

Q. After number 2, is that the title that was given to the file or is that something you assigned?

A. I believe that’s something we assigned.

Q. Okay.

MS. SHAW: And if I could have Government’s Exhibit 208, please. If you’d just blow that up a little bit. Thank you.

BY MS. SHAW:

Q. And, Ms. Sands, do you recognize what that is?

A. Yes, these are the DNS lookups that I just described.

MS. SHAW: All right. I would move Government’s Exhibit 208 into evidence.

MR. BOSWORTH: It may be —-

THE COURT: I think it’s probably in.

MS. SHAW: All right.

It was already in.

Almost a week earlier, Scott Hellman introduced what he called “a portion” of the data included with the exhibit. It was the 19-page text file of DNS logs that reviewed in the Technical Analysis included on the Red Thumb Drive. He didn’t describe it as one stand-alone document included on the thumb drive. He seemed to imply this was a selection the FBI had made.

Q. And if I could show just to you on your screen what’s been marked Government Exhibit 208. And Agent Hellman, this is about an 18- or 19-page document. But you just see the first page here. Do you recognize this?

A. It appears to be a portion of the technical data that came along with the narrative.

MR. DeFILIPPIS: All right. Your Honor, the government offers Government Exhibit 208.

MR. BERKOWITZ: No objection.

THE COURT: So moved.

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

All the while, he and DeFilippis referred to this as “a part” of the DNS data and referred to the thumb drives, plural.

And that, it appears, may be all the data anyone at the FBI ever analyzed.

Update: I erroneously said there were texts between Batty and Hellman that may have gotten deleted. I’ve corrected that error.

Update: I added details from the Lync files showing Batty provided a claim that conflicts with all public evidence about why he didn’t check the thumb drives into evidence until after the investigation was substantively done.

Update: I’ve updated the table to show what Sussmann shared. Particularly given FBI’s shoddy record-keeping and Durham’s obfuscation, it’s not clear on which drive GX209 was, nor is it clear whether there was a separate set of CSV DNS logs on the Blue Drive and if so how many logs they included.

“Something Like This Has 0 Repercussions if You Mess Up:” John Durham Debunked the Alfa Bank Debunkery

As you know, John Durham failed spectacularly in trying to use a false statement charge against Michael Sussmann to cement a wild conspiracy theory against the Democrats.

But Durham did succeed in one thing (though you wouldn’t know it from some of the reporting from the trial): He utterly discredited the FBI investigation into the Alfa Bank allegations. Lead prosecutor Andrew DeFilippis even conceded as much in his closing argument.

Now, ladies and gentlemen, you have heard testimony about how the FBI handled this investigation. And, ladies and gentlemen, you’ve seen that the FBI didn’t necessarily do everything right here. They missed opportunities. They made mistakes. They even kept information from themselves.

That’s a fairly stunning concession from DeFilippis. After all, DeFilippis asked the guy who was responsible for some of the worst failures in the investigation, Scott Hellman, to be his expert witness, even though Hellman, by his own admission, only “kn[e]w the basics” of the DNS look-ups at the heart of the investigation. Along with Nate Batty, Hellman wrote an analysis of the Alfa Bank white paper in less than a day that:

  • Misstated the methodology behind the white paper
  • Blew off a reference to “global nonpublic DNS activity” that should have been a tip-off about the kinds of people behind the white paper
  • Falsely claimed that the anomaly had only started three weeks before the white paper when in fact it went back months
  • Asserted that there was no evidence of a hack even though a hack is one of the hypotheses presented in the white paper for the anomaly at Spectrum Health (Spectrum itself said the look-ups were the result of a misconfigured application)

Later testimony showed that, after speaking to Hellman and before even checking whois records, the Chicago-based agent who had a lead role in the investigation told a supervisor that “we’re leaning towards this being a false server.”

Within hours, Miami-based agents had confirmed with Cendyn that was false.

In spite of being so egregiously misled from the start by the guys in Cyber, agent Curtis Heide testified in cross-examination by Sussman’s attorney, Sean Berkowitz, that Hellman’s analysis was one of the four things that he believed supported a finding that the anomaly was not substantiated.

Q. Okay. I think near the end of your examination by Mr. Algor he questioned you about your basis for concluding that there was — that the allegations were unsubstantiated. And I think you gave four reasons. I’m going to run through them. If there’s more, that’s okay. Number one, you said the assessment done by Agents Hellman and Batty. Correct?

A. Yes.

Q. Two, the review of the logs. Correct?

A. Yes.

Q. Three, the Mandiant conclusion. Correct?

A. Yes.

Q. And four, the discussions with Spectrum Health about the TOR node. Correct?

A. Yes.

Q. Anything else that you can recall, sir, as to why it was that your investigation, or rather the investigation that you oversaw, suggested that the allegations were unsubstantiated?

A. The only other thing I can think of would be my training and experience with — relating to Russia and cyber investigations.

Q. And is there anything in particular about that that you recall today?

A. With respect to the white paper, it didn’t — when I read through it initially, I had several questions, and it didn’t appear to be consistent with Russian TTPs.

Another thing Heide relied on was the analysis from Mandiant, which Alfa Bank hired to investigate after NYT reached out. According to Franklin Foer’s story, Lichtblau reached out to Alfa on September 21, after Sussmann had given the FBI a heads up but before the FBI asked Lichtblau to hold the story on September 26, so in the window when the FBI had a chance — but failed — to protect the investigation.

One of the truly insane parts of this investigation, by the way — which was conducted entirely during the pre-election window when overt actions were prohibited — was that FBI big-footed to Cendyn and Listrak before sending NSLs to them. And by that point, Alfa Bank was calling the FBI.

A report that was not explained amid the primary resources from the investigation, but which was concluded by October 3, reveals that Chicago’s conclusion was almost entirely based on what Alfa told the FBI and Mandiant.

There was nothing in the case documentation until a 302 for a March 27, 2017 interview done in association with Alfa’s 2017 claims of spoofed DNS traffic (the interview may have been done with Kirkland and Ellis) that documented that, when Mandiant arrived the previous year to investigate, there were no logs to investigate.

Indeed, Heide testified on cross-examination that he had never learned of that fact. At all.

Q. And were you aware, while you were doing the investigation, that Mandiant, when it went to talk to AlfaBank to look into these allegations, did not have any historical data, that Alfa-Bank did not provide any historical data to Mandiant? Did you know that?

A. No

We now know that at a time when “Executives at the highest level of ALFA BANK leadership” had been hoping to “exonerate them[selves]” in 2017, Petr Aven had already started acting on specific directives from Vladimir Putin, including trying to open a back channel to Trump.

Plus, at least as far as Listrak could determine, while the marketing server had sent materials to Spectrum, it had never sent anything to Alfa Bank. The stated explanation that this was spam, then, conflicts with what FBI was seeing in the logs.

As for Spectrum — another of the reasons Heide pointed to — there’s no evidence of anyone reaching out to them (as compared to interactions with agents in Philadelphia and Miami who reached out to Listrak and Cendyn, respectively).

It’s true that the anomaly at Spectrum was not a Tor node (something that researchers came to understand themselves around the time Sussmann shared the allegations with the FBI). But it’s also true that, per Cendyn (which only looked back a month), the identified IP address at Spectrum was reaching out to the Trump server.

The IP address in question showed up in traffic that may be associated with Chinese hacking.

This then might have corroborated the hypothesis, from the white paper, of a hack of Spectrum, but by this point, Hellman had long before decided there was no evidence of a hack and this was, “just garbage.”

That leaves the logs, Heide’s fourth reason for believing FBI had debunked the Alfa Bank allegations. As far as the logs in question, former agent Allison Sands (who was assigned the investigation as a brand new case agent) told one of the tech people on September 26 that, “the end user [possibly Cendyn] is willing to provide logs but they dont have what we need.” Cendyn did share details of their own spam filter, which wouldn’t address the DNS look-ups themselves.

Then, on October 12, Sands told Heide that,

the ‘logs’ we got from Listrak were not network logs

they basically just confirm that trump org is one of their email clients, but they dont show destination email addresses or IPs or anything that we can use to[ ]determine any communications

[snip]

it was two excel spreadsheets

that was all we got

The FBI did get something. Sands testified that the FBI obtained upwards of 600,000 records (she described obtaining records from Cendyn, Listrak, and GoDaddy, but not Spectrum or Alfa Bank). But it’s not clear how useful those records really were. There’s a reference to the “take” elsewhere (see below), and redacted entries that look like intelligence targeting, plus a reference to an OGA partner reporting “no attempts.” (Here’s a reference to the OGA analysis that is redacted in other versions of the same email chain.) So it seems any useful logs came from another agency. But if that’s right, it would be targeted overseas.

In trial testimony, Sands described that her task was to prove that the allegation wasn’t true, not to explain what the anomaly was.

I knew still I had to rebuild from scratch and prove that this allegation wasn’t true.

In real time, too, she saw her task as disproving that emails had been shared, not even disproving that covert communication had occurred.

I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

That’s a particularly problematic description given that the FBI had been told via other channels that there was some activity reflecting more than DNS look-ups.

That leaves, according to Heide’s judgement, just the observation that the DNS traffic was not consistent with known Russian techniques. Newbie agent Sands said something similar to Chris Trifiletti, Joffe’s handler and apparently sensitive for some other reasons. In response, he mused about whether Russia was “trying other things now that look more non traditional.”

We don’t know the answer to that, because the FBI didn’t try to figure it out.

Scott Hellman, the cyber agent who insisted at every opportunity he got that this was garbage was wrong about how long the anomaly had lasted, but he was right about one thing. On October 4, he advised newbie agent Sands that,

any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities

He did mess it up. It wasn’t just his own analysis; his repeated insistence that this was “garbage” appears to have made all the other investigators less careful, too. Six years later, we’re still no closer to understanding what happened.

Hellman was right about facing “zero repercussions if you mess it up.” By all appearances, he’s one of the few people who escaped any consequences for trying to investigate Russia in 2016. We know that several people — including Jim Comey, Andrew McCabe, Peter Strzok, and Bruce Ohr — were fired for their efforts to investigate Russia. We learned at the trial that Ryan Gaynor was threatened with criminal investigation for not answering questions the way Andrew DeFilippis wanted. Curtis Heide remains under FBI Inspection Division investigation for things he did in 2016. Rodney Joffe was discontinued as an FBI informant, according to him, at least, because he refused to cooperate with Durham’s investigation. Everyone who actually tried to investigate Russia in 2016 has faced adverse consequences.

But Hellman appears to have suffered none of those adverse consequences for fucking up an investigation into a still unexplained anomaly. On the contrary, he’s been promoted; he’s now a Supervisory Special Agent, leading a team of people who will, presumably, similarly blow off anomalies that might be politically inconvenient to investigate.

That’s the lesson of the Sussmann trial then: The only people who face zero consequences are the ones who fuck up.

Update: Corrected spelling of Hellman’s last name. Added Comey and McCabe to the list of those fired for investigating Russia. Removed Lisa Page–she quit before she was fired. In this podcast, Peter Strzok said that all FBI agents named in the DOJ IG Report are still under investigation.

Update: All the links to exhibits should be live now.

Update: Added detail that Listrak says Trump never sent marketing mail to Alfa Bank.

Timeline

I’ve put (what I believe are) all the exhibits about the FBI investigation below.

These times are surely not all correct. Durham consistently shared evidence without marking what time zone the evidence reflected. Importantly, some, but probably not all of the FBI Lync messages reflect UTC time; where I was fairly certain, I tried to reflect the time in ET, but in others, the timeline below doesn’t make sense (I’ll keep tweaking it). Some of the emails reflect the Chicago time zone.

September 19, 2:00PM: Sussmann Meeting

September 19: Priestap notes

September 19: Anderson notes

September 19, 3:00PM: Strzok accepts materials

September 19, 4:31PM: Gessford to Pientka: Moffa with info dropped off to Baker

September 19, 5:00PM: Sporre accepts materials

September 20, 9:30AM: Nate Batty to Jordan Smith: A/AD has two thumb drives.

September 20, 12:29PM: Batty accepts materials

September 20, 4:54PM: Batty and Hellman re analysis

September 21, 8:48AM: Batty to Hellman: at least look at the thumb drives [Batty Lync]

September 21, 4:25PM: Pientka Lync to Heide: People on 7th floor fired up about this server

September 21, 4:46PM: Batty to Heide and others: initial assessment

September 21, 1:10PM [time uncertain] Sands to Pape: Director level interest

September 21, 4:57PM: Norwat to Todd: Not a cyber matter

September 21, 5:06PM: Todd to Heide, cc Pientka

September 21, 5:52PM: Pientka to Heide: Nat [sic] Batty ha the thumb drives

September 22, 4:58AM: Hubiak to Heide: Let me know if you need anything from PH

September 22, 8:09AM: Todd to Marasco [noting thumb drives came from DNC, suggesting tie to debate]

September 22, 8:33AM: Pientka to Heide: Less than 24 hours to investigate, determine nexus, before losing traffic, watched by Comey

September 22, 9:30AM: Pientka to Moffa: Cyber, ugh. Read first email.

September 22, 9:59PM: Hellman to Heide: can you talk on link

September 22, 10:23AM: Marasco to Pientka: FYI

September 22, 11:13AM: Sands to Hubiak: Suspect email domain hosted on Listrak server — if you can help out with a knock and talk it would be great.

September 22, 11:14AM: Baker to Comey and others: Reporter is Lichtblau

September22, 11:34AM: Hubiak to Sands: Will start working on this now

September 22, 12:02PM: Batty to Wierzbicki: We think it’s a setup

September 22, 12:10PM: Heide to Pientka: We’re leaning to this being a false server.

September 22, 2:00PM: Pientka to Hubiak: Thanks for all your efforts. The CROSSFIRE HURRICANE Team greatly appreciates you running this to ground.

September 22, 4:22PM: Sands to all: open full investigation, summary of Hellman’s conclusions [OGA partner targeting Alfa?]

September 22, 5:33PM: Heide to Pientka: it’s a legit domain

September 22, 4:53PM: Sands to all: Cendyn agrees to cooperate, legit mail server

September 23, 8:26AM: Sands to Hubiak: Cendyn willing to cooperate and provide logs

September 23, 1:09PM: Heide to Sands: once we get that case opened, let’s cut a lead to the MM division requesting assisting with the interview, etc.

September 23, 1:53PM: Sands to others: Cendyn, as of this morning no longer resolves, picture of Barracuda spam filter

September 23, 4:04PM: Heide to Gaynor: Cyber’s review

September 23: EC Opening Memo [without backup]

September 26: Gaynor notes

September 26: Intelligence Memo

September 26, 8:02AM: Lichtblau to Kortan: You know what time we’re meeting?

September 26, 9:29AM: Kortan to Lichtblau: Baker’s tied up until later this afternoon.

September 26, 10:02AM: Lichtblau to Kortan: planning to bring Steve Myers

September 26, 10:15: Heide to Pientka: We want to interview the source of the whitepaper?

September 26, 12:09: Kortan to Baker and Priestap: some kind of recap later today?

September 26, 12:29: Sands to Hubiak: I’m writing a justification for an NSL to GoDaddy

September 26, 4:19PM: Heide to Shaw: apparently it’s going to hit the times?

September 26, 4:55PM: Heide to Hellman: We think it’s a bunk report still…

September 26, 5:02PM: Soo to Sands: searching current and historical lists of Tor exit nodes

September 26, 6:20PM: Sands to all, cc Heide: Spectrum hit at Cendyn, NSLs for Listrak, GoDaddy, redacted, Tor results

October 2, 12:02PM: Grasso to Wierzbicki: Two IP addresses

October 2, 7:02PM: Heide to Hellman: Check this out….

October 3: Tactical Product

October 3: Communications Exploitation

October 3, 1:48PM: Gaynor to Heide: Did white paper start with person of interest?

October 3, 2:49PM: Heide to Gaynor and Sands: Interview source

October 3, 3:00PM: Wierzbicki to Gaynor, cc Moffa: I agree with Heide, interview source

October 4: Kyle Steere to Wierzbicki and Sands: Documenting contents of thumb drive

October 4, 8:26AM: Sands to Hellman: 2 random IP addresses we got from tom grasso

October 4, 8:28AM: Sands to Hellman: we got a report on the Alfa Bank side that they also think this is nothing

October 4, 8:43AM: Hellman to Sands: any chance you get to work something like this that truly has 0 repercussions if you mess it up ….take those opportunities [alt version]

October 4, 10:00AM: Gaynor to Wierzbicki et al, cc Moffa: We need to know what we can learn from the logs [CT version]

October 4, 9:50PM: Grasso to Sands: SME who can help give context to the data we discussed

October 4, 11:08PM: Sands to Grasso: Sounds great.

October 5, 1:20PM: Trifiletti to Sands: i reminded him once more that he has never proceeded with anything when he wasnt absolutely sure

October 5, 1:33PM: Hosenball request for comment

October 5, 3:02PM: Strzok to Gaynor, forwarding Hosenball with Mediafire package

October 5, 4:08PM: Sands to Trifiletti: We need to speak to Dave dagon now too

October 5, 5:07PM: Sands to all: Update on CHS conversation — redacted explanation for why Alfa changed

October 5, 6:58PM: Grasso to Sands: I told Dagon that you would be able to protect his identity so that his name is not made public

October 6: Gaynor notes and drawing [alt version, more redacted]

October 6, 4:20PM: Materials to storage

October 6, 4:28PM: Christopher Trifiletti: CHS report (Spectrum: misconfigured server)

October 6, 4:54PM: Trifiletti to Sands: Actual text of 1023 submitted

October 6, 6:21PM: Wierzbicki to Gaynor: CHS debrief

October 7, 8:59AM: Sands to Trifiletti

October 12, 8:01AM: Sands to Heide: the “logs” we got from listrak were not network logs

October 13, 5:45PM: Gaynor to Wierzbicki: Mediafire (includes link)

October 19, 8:05AM: Sands to Heide: we spoke to mandiant and that we are talkingt o [sic] the tech people at the ISP today

October 19, 10:15AM: Gaynor to Wierzbicki: 2 IP addresses, Mediafire, Dagon author?

November 1, 3:09PM: Sands to Trifiletti: I have a few more logs to definitely prove there are no emails, and then Im putting it to bed

November 14, 2:52PM: Steere to Sands: [report on September 30 receipt of logs from Cendyn]

January 18, 2017: Closing Memo

March 27, 2017: Sands 302 with Alfa reports that Mandiant reported no historic data

July 24, 2017: Moffa to Priestap: Includes several other reports

July 24, 2017, 3:10PM: Sands accepts custody

The FBI Believed Michael Sussmann Was Working for the DNC … Until Andrew DeFilippis Coached Them to Believe Otherwise

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs of transcripts. But if you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations. This coverage reflects the culmination of eight months work. 

There’s accumulating evidence that at least some people — including some key decision-makers — believed the FBI believed that the Alfa Bank tip came from the DNC — and that Andrew DeFilippis has engaged in a lot of coaching to try to make that evidence go away.

The first time FBI Agent Ryan Gaynor testified to John Durham about the investigation into the Alfa Bank anomaly in October 2020, he told prosecutors that the DNC was the source of the allegation.

Q. Okay. So in your first meeting with the government, you — this is October of 2020, correct?

A. Yes.

Q. You told them multiple times that you believed that the Democratic National Committee was the source of the allegations of connections between Alfa-Bank and Russia, correct?

A. Correct, which was wrong.

Q. Okay. But you said that you thought the Democratic party itself was who provided the information, correct?

A. I did say that in the meeting.

That’s even what he has written down in a briefing document he kept in Fall 2016.

At the end of that October 2020 interview, prosecutors threatened Gaynor with prosecution.

His more recent testimony, starting for the first time on May 13, was that Sussmann was representing himself. The reason he now remembers that to be true goes to the heart of Durham’s materiality: it would have mattered if Sussmann was representing the DNC, so he must have been representing himself.

Q. Okay. I want to ask you, first, about testimony that you gave today where you said that when Mr. Moffa told you that Mr. Sussmann was a DNC attorney, you said, “I understood that to mean that he had been affiliated with the Democratic party but that he had come representing himself on the Alfa-Bank allegations.” Do you remember giving that testimony?

A. That was my take-away.

Q. And you gave that testimony that I just read?

A. Yes; that he was a DNC attorney, but that my take-away from that discussion was that he wasn’t there representing the DNC.

Q. When you were asked, “When Mr. Moffa said Mr. Sussmann was an attorney for the DNC, what impression did you come away with?” what did you understand that to mean? And your answer was: “I understood that to mean that he had been affiliated with the Democratic party, but that he had come representing himself,” right?

A. So he’s affiliated with the Democratic party because he was a DNC attorney.

Q. And your impression was he had come representing himself?

A. My take-away from that meeting, what I recall, is that I did not believe that he was there representing the DNC specifically because, had he been, that would have been information that would have impacted it.

This is a tautology: If Sussmann had been representing the DNC it would have mattered so it must be the case that Gaynor believed he was not representing the DNC. It also happens to be the central argument of DeFilippis’ materiality claim.

Meanwhile, Scott Hellman — Durham’s star cyber witness — received a text from his boss, Nate Batty (with whom he compared notes before his first interview with Durham), referring to the white paper as a “DNC report” on September 21, 2016, two days after Jim Baker received the materials.

Michael Sussmann lawyer Sean Berkowitz asked Hellman about that the other day. At first, Hellman expressed surprise about that text.

Q. All right. And then, with respect to Stranahan, he asks you and Nate to write a report about the — write a summary of the DNC report. Correct? That’s what it says?

A. That’s what it says in this chat, yes.

Q. And did you understand, sir, that the information had come from a DNC, meaning Democratic National Committee, source?

A. I did not understand that, no.

Q. Did you know what Nate Batty knew about it?

A. I don’t think he knew anything about it.

Q. Did you call up Tim and say, what a second. This is a DNC report? That’s political motivation.

A. No.

Q. Didn’t do anything or it didn’t occur to you?

A. The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from the DNC. I don’t remember DNC being a part of anything that we read or discussed.

Q. Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A. It’s in there. I don’t have any memory of seeing it.

Later in Berkowitz’ cross-examination he returned to the text. He asked how it could be that a white paper from a DNC lawyer could be referred to as a DNC report.

Q. And although you were surprised to see it today, it appears that at least somebody, such as Mr. Batty was aware and you were aware that somebody was calling this white paper a DNC report. Correct?

A. I was not aware that anybody was calling it a DNC report, and I don’t believe Mr. Batty knew that either.

Q. But you saw the link message. Right?

A. I did see the link message, yes.

Berkowitz asked Hellman how it could be that he would see a reference to a DNC report and not take from that it was a DNC report. Hellman describes “the only explanation that … was discussed” — which is that it was a typo.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

Q. Okay. You didn’t think that at the time. Right?

A. I did not. I had never seen it or had any memory of seeing it ever before it was put in front of me.

With some prodding, Hellman admitted that when he referred to “discussing explanations,” he meant doing so with Andrew DeFilippis. This exchange was, quite literally, Berkowitz eliciting Hellman to provide an answer that DeFilippis thought up — one necessary to sustain DeFilippis’ narrative — without, at first, admitting it was DeFilippis’ opinion of what the truth must be.

So after DeFilippis threatened Gaynor with prosecution, he came to remember something other than what the note, tying the white paper to DNC lawyer Michael Sussmann, that he used to “refresh his memory” said.

And when faced with the possibility, two years or maybe six after the fact, that Scott Hellman’s epically shitty analysis of the white paper could have been influenced by being told that it was a DNC white paper, Hellman offered up the explanation that DeFilippis offered him.

At least twice, then, under coaching from Durham’s lead prosecutor, key witnesses have come to believe something other than what the documentary evidence suggests.

The fact that DeFilippis has twice coached witnesses to deny any understanding at FBI that this was a DNC tip — whether it was a DNC tip or not — is really telling. That’s because DeFilippis has to try to pitch a nearly unsustainable position: how his single witness to Sussmann’s alleged crime, Jim Baker, can in 2016 have told Bill Priestap the following:

Q. I think you testified yesterday that by this time you were at least generally aware that Mr. Sussmann represented the DNC in connection with hacks; is that right?

A. That’s correct.

Q. And what, if anything, did you say to Mr. Priestap about that?

A. I think I told him like, okay, this is who Michael is. He’s represented the Democratic party in the Russian hack that we were also investigating and/or the Hillary Clinton Campaign. So just, again, to orient Bill to who Michael was. I mean, that’s a serious credential in terms of being a cyber security expert. And then to explain: But in this case he said he’s not appearing on behalf of them. In this case he’s coming in as a good citizen.

And then, in 2018, have told Jim Jordan the following:

Q. Mr. Jordan then says: “And he was representing a client when he brought this information to you or just out of the goodness of his heart? Someone gave it to him and he brought it to you?”

A. In that first interaction, I don’t remember him specifically saying that he was acting on behalf of a particular client.

Q. Did you know at the time that he was representing the DNC in the Clinton campaign?

A. I can’t remember. I had learned that at some point. I don’t, as I said — as I think I n said last time, I don’t specifically remember when I learned that — excuse me — so I don’t know that I had that in my head when he showed up in my office. I just can’t remember.

Q. Did you learn that shortly thereafter if you didn’t know it at the time?

And then testify last week this way.

Q. Okay. Number two, did you know on the September 19th, 2016 meeting that Mr. Sussmann had been representing Hillary For America’s campaign and the DNC in connection with the hack investigation. Did you know that on September 19th when he met with you?

A. Sitting here today, I think the answer is, yes, I did know that by that point in time.

Q. I’ve written down, “yes, DNC and HFA and hack”. I want to be really clear. You’re not saying that he said that in the meeting. correct?

A. Correct.

Q. And you’re not saying he said he was there on behalf of them? You’re just saying that in your mind you knew that he had been acting as a lawyer for those two entities in connection with the hack. Correct?

It’s not just a question of whether Baker will be a credible witness, though his wildly changing claims about the DNC are among the reasons why his testimony is not credible.

It’s also that Durham wants to point to Sussmann’s failure, a year earlier in a Congressional hearing, to offer up his ties with the Democrats as proof he was lying. But Durham is treating Baker’s failure to do so in the same situation as an innocent mistake. For his single witness to be credible, DeFilippis has to find a way to excuse Baker’s failure to offer that up in a far more direct question while pointing to Sussmann’s failure to offer it up as proof of guilt.

He has to do so to defend his prosecutorial decisions, too. Given how much stake DeFilippis has placed on Baker sharing with Priestap that he knew Sussmann represented the Democrats, it makes it far less credible that Baker didn’t knowingly lie to Jordan. Especially given the way Baker responded to a Berkowitz question, suggesting that perhaps he hadn’t been truthful with Jordan, but instead was “careful.”

Q. And when you gave voluntary information to Congress, you understood that you were under oath?

A. I don’t think I was under oath, but I understood that it’s a crime to make false statements to Congress.

Q. So you tried to be as careful as you could. Correct?

A. I tried to be as careful as I could in that environment, yes, sir.

Q. You tried to be as truthful as you could?

A. (No response)

Q. Tried to be as truthful as you could?

A. Yes, sir.

Sussmann’s team is going to argue that there are a long list of people against whom there is far better evidence for false statements or perjury charges than him, with the single difference being that the other people were willing to tell the storytale DeFilippis is using prosecutorial resources to tell. And the first person on that list — it makes me sick to my stomach to say — is Jim Baker.

Finally, it’s a matter of materiality. DeFilippis has to find a way for it to be the case that his single witness knew when he met with Sussmann that Sussmann was a DNC lawyer (because Bill Priestap’s notes reflect that), but didn’t view that to be material to everything that happened next.

And the only way to sustain that rickety narrative is to ensure that no one else — not even the people using documentary proof reflecting a belief that this was a DNC report to refresh faded memories — understood that the white paper came from the DNC.

Thus far, Sussmann’s cross-examination has elicited evidence that at least three witnesses changed their testimony after interviews with DeFilippis, adopting a “memory” that conflicts with the documentary record with regards to whether the FBI believed the white paper to be associated with the DNC.

OTHER SUSSMANN TRIAL COVERAGE

Scene-Setter for the Sussmann Trial, Part One: The Elements of the Offense

Scene-Setter for the Sussmann Trial, Part Two: The Witnesses

The Founding Fantasy of Durham’s Prosecution of Michael Sussmann: Hillary’s Successful October Surprise

With a Much-Anticipated Fusion GPS Witness, Andrew DeFilippis Bangs the Table

John Durham’s Lies with Metadata

emptywheel’s Continuing Obsession with Sticky Notes, Michael Sussmann Trial Edition

Brittain Shaw’s Privileged Attempt to Misrepresent Eric Lichtblau’s Privilege

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Jim Baker’s Tweet and the Recidivist Foreign Influence Cheater

That Clinton Tweet Could Lead To a Mistrial (or Reversal on Appeal)

John Durham Is Prosecuting Michael Sussmann for Sharing a Tip on Now-Sanctioned Alfa Bank

Apprehension and Dread with Bates Stamps: The Case of Jim Baker’s Missing Jencks Production

Technical Exhibits, Michael Sussmann Trial

Jim Baker’s “Doctored” Memory Forgot the Meeting He Had Immediately After His Michael Sussmann Meeting

The Methodology of Andrew DeFilippis’ Elaborate Plot to Break Judge Cooper’s Rules

Thanks to those who’ve donated to help defray the costs of trial transcripts. Your generosity has funded the expected costs. If you appreciate the kind of coverage no one else is offering, we’re still happy to accept donations for this coverage — which reflects the culmination of eight months work. 

When Michael Sussmann attorney Sean Berkowitz was walking FBI Agent Scott Hellman through the six meetings he had with Durham’s team on Tuesday — meetings he first had as a witness about the investigation into the Alfa Bank allegations and later in preparation for his trial testimony — Berkowitz asked Hellman about how, sometime earlier this year, Andrew DeFilippis and Jonathan Algor asked him whether he could serve as their DNS expert for the trial.

Q And then, more recently, you met with Mr. DeFilippis and I think Johnny Algor, who is also at the table here, who’s an Assistant U.S. Attorney. Correct?

A. Yes.

Q. They wanted to talk to you about whether you might be able to act as an expert in this case about DNS data?

A. Correct.

To Hellman’s credit, he told Durham’s prosecutors — who have been investigating matters pertaining to DNS data for two years — that he only had superficial knowledge of DNS and so wasn’t qualified to be their expert.

Q. You said, while you had some superficial knowledge, you didn’t necessarily feel qualified to be an expert in this case, correct, on DNS data?

A. On DNS data, that’s correct.

It wasn’t until the third day of trial before Durham’s team presented any evidence about the alleged crime. Instead, Durham’s first two witnesses were their nominal expert, David Martin, and Hellman, who told Durham he wasn’t an expert but who offered opinions he neither had the expertise to offer nor had done the work to substantiate.

That’s important, because DeFilippis used him to provide an opinion only an expert should give. And virtually everything about his testimony — his claim to have relied on the data in the materials without looking at the thumb drives, an apparently made up claim about the timing of the analysis, and behaviors that the FBI normally finds suspicious — suggest he’s not only not a DNS expert qualified to assess this report, but his assessment of the white paper Sussmann shared also suffers from serious credibility issues.

The battle over an expert

The testimony of the nominal expert, David Martin, was remarkably nondescript, particularly given the fight that led up to his testimony. Durham’s team sprung even having an expert on Sussmann at a really late date: on March 30, after months of blowing off Sussmann’s inquiries if they would. Not only did they want Martin to explain to the jury what DNS and Tor are, Durham’s team explained, but they also wanted him to weigh in on the validity of conclusions drawn by researchers who had found the anomaly.

  • the authenticity vel non of the purported data supporting the allegations provided to the FBI and Agency-2;
  • the possibility that such purported data was fabricated, altered, manipulated, spoofed, or intentionally generated for the purpose of creating the false appearance of communications;
  • whether the DNS data that the defendant provided to the FBI and Agency-2 supports the conclusion that a secret communications channel existed between and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health;

[snip]

  • the validity and plausibility of the other assertions and conclusions set forth in the various white papers that the defendant provided to the FBI and Agency-2;

As Sussmann noted in his motion to limit Martin’s testimony, he didn’t mind the testimony about DNS and Tor. He just didn’t want this trial to be about the accuracy of the data, especially without the lead time to prepare his own expert.

As the Government has already disclosed to the defense, should the defense attempt to elicit testimony surrounding the accuracy and/or reliability of the data that the defendant provided to the FBI and Agency-2, Special Agent Martin would explain the following:

  • That while he cannot determine with certainty whether the data at issue was cherry-picked, manipulated, spoofed or authentic, the data was necessarily incomplete because it was a subset of all global DNS data;
  • That the purported data provided by the defendant nevertheless did not support the conclusions set forth in the primary white paper which the defendant provided to the FBI;
  • That numerous statements in the white paper were inaccurate and/or overstated; and
  • That individuals familiar with these relevant subject areas, such as DNS data and TOR, would know that such statements lacked support and were inaccurate and/or overstated.

Based off repeated assurances from Durham that they weren’t going to make accuracy an issue in their case in chief, Judge Cooper ruled that the government could only get into accuracy questions if Sussmann tried to raise the accuracy of the data himself. But if he said he relied on the assurances of Rodney Joffe, it wouldn’t come in.

The government suggests that Special Agent Martin’s testimony may go further, depending on what theories Sussmann pursues in cross-examination or his defense case. Consistent with its findings above, the Court will allow the government’s expert to testify about the accuracy (or lack thereof) of the specific data provided to the FBI here only in certain limited circumstances. In particular, if Sussmann seeks to establish at trial that the data were accurate, and that there was in fact a communications channel between Alfa Bank and the Trump Campaign, expert testimony explaining why this could not be the case will become relevant. But, as the Court noted above, additional testimony about the accuracy of the data—expert or otherwise—will not be admissible just because Mr. Sussmann presents evidence that he “relied on Tech Executive-1’s conclusions” about the data, or “lacked a motive to conceal information about his clients.” Gov’s Expert Opp’n at 11. As the Court has already explained, complex, technical explanations about the data are only marginally probative of those defense theories. The Court will not risk confusing the jury and wasting time on a largely irrelevant or tangential issue. See United States v. Libby, 467 F. Supp. 2d 1, 15 (D.D.C. 2006) (excluding evidence under Rule 403 where “any possible minimal probative value that would be derived . . . is far outweighed by the waste of time and diversion of the jury’s attention away from the actual issues”).

Then, days before the trial, the issue came up again. Durham sent a letter on May 6 (ten days before jury selection), raising a bunch of new issues they wanted Martin to raise. Sussmann argued that Durham was trying to expand the scope of what his expert could present. Among his complaints, Sussmann argued that Durham was trying to make a materiality argument via his expert witness.

Third, the Special Counsel apparently intends to offer expert testimony about the materiality of the false statement alleged in this case. Indeed, the Special Counsel’s supplemental topic 9 regarding the importance of considering the collection source of DNS data is plainly being offered to prove materiality. But the Special Counsel did not disclose this topic in either his initial expert disclosure or Opposition, and the Court’s ruling did not permit such testimony. The Special Counsel should not now be allowed to offer an entirely new expert opinion under the guise of eliciting testimony regarding the types of conclusions that can be drawn from a review of DNS data.

Judge Cooper considered the issue Tuesday morning, before opening arguments. When asking why Martin had to present the concept of visibility, DeFilippis explained that Hellman–the Agent who’s not an expert on DNS but whom DeFilippis nevertheless had asked to serve as an expert on DNS–would talk about the import of knowing visibility to assess data.

THE COURT: Well, but isn’t the question here whether a case agent — is your case agent later going to testify that that was something that the FBI looked at or wanted to look at in this case and was unable to do so, and that that negatively affected the FBI’s investigation in some way? MR.

DeFILIPPIS: Yes, and I expect Special Agent Hellman, who will testify likely today, Your Honor, I expect that that is a concept that he will say was relevant to the determination that — determinations he was making as he drafted analysis of the data that came in. And, again, I don’t think we — for example, another way in which this comes up is that the FBI routinely receives DNS data from various private companies who collect that data, and it is always relevant sort of the breadth of visibility that those companies have. So it’s relevant generally, but also in this particular case the fact that the FBI did not have insight into the visibility or lack of visibility of that data certainly affected steps that the FBI took.

THE COURT: Okay. But Mr. Sussman has not been accused of misrepresenting who the source is. He’s simply — but rather who the client is. So how do you link that to the materiality of the alleged false statement?

MR. DeFILIPPIS: Because, Your Honor, I think we view them as intertwined. It was because — it was in part because Mr. Sussman said he didn’t have a client that made it more difficult for the FBI to get to the bottom of the source of this data or made it less likely they would, and so — and, again, I don’t think we expect to dwell for a long time on this, but I think the agents and the technical folks will say that that is part of why the origins of the data are extremely relevant when they took investigative steps here.

When Cooper noted Sussmann’s objection to Martin discussing possible spoofing of data, DeFilippis again answered not about what Martin would testify, but what Hellman would.

As DeFilippis explained, he claimed to believe that under Cooper’s ruling, the government could put in any little thing they wanted that they claimed had been part of the investigation.

And Special Agent Hellman, when he testifies today — now, Your Honor’s ruling we understand to permit us to put into evidence anything about what the FBI analyzed and concluded as its investigation unfolded because that goes to the materiality of the defendant’s statement. So Special Agent Hellman — through Agent Hellman we will offer into evidence a paper he prepared when the data first came in, and among its conclusions is that the data might — he doesn’t use the word “spoof” — but might have been intentionally generated and might have been fabricated. That was the FBI’s initial conclusion in what it wrote up.

So in order for the jury to understand the course of the FBI’s investigation and the conclusions that it drew at each stage, those concepts are at the center of it.

[snip]

MR. DeFILIPPIS: Okay. Your Honor, I’m sorry. We understood your ruling to be that the FBI’s conclusions as it went along were okay as long as we weren’t asserting the conclusion that it was, in fact, fabricated. You know, I mean, it’s difficult to chart the course of the FBI’s investigation unless we can elicit at each stage what it is that the FBI concluded.

Judge Cooper ordered that references to spoofing be removed — leading to a last minute redaction of an exhibit — but permitted a discussion of visibility to come in.

After all that fight, Martin’s testimony was not only bland, but it was recycled powerpoint. He not only admitted lifting the EFF description of Tor for his PowerPoint, but he included their logo.

Hellman delivers the non-expert expert opinion Durham was prohibited from giving

As I said, Martin was witness number one, Hellmann — the self-described non-expert in DNS — was witness number two.

Even though Hellman admitted, again, that he’s not a DNS expert, DeFilippis still had him go over what DNS is.

Q. How familiar or unfamiliar are you with what is known as DNS or Domain Name System data?

A. I know the basics about DNS.

Q. And in your understanding, on a very basic level, what is DNS?

A. DNS is basically how one computer would try and communicate with another computer.

After getting Hellman to explain how he purportedly got chain of custody signatures on September 20, 2016 for the materials Michael Sussmann dropped off with James Baker on September 19, DeFilippis walked Hellman through how, he claimed, he had concluded that the allegations Sussmann dropped off were unsupported. Hellman reviewed the data accompanying the white paper, Durham’s star cybersecurity witness claimed on the stand, and after reviewing that data, determined there was no allegation of a hack in the materials and therefore nothing for the Cyber Division to look at. And, as a report he wrote “within a day” summarized, he concluded the methodology was horrible.

As you read the following exchange, know that (as I understand it) some, if not most, of what Hellman describes as the methodology is wrong. Obviously, if Hellman’s understanding of the methodology is wrong, then the opinion that DeFilippis elicits from a guy who admitted he was not an expert on DNS but whom DeFilippis nevertheless asked to serve as his expert witness on DNS before inviting David Martin in to present slides lifted from the Electronic Frontier Foundation instead [Takes a breath] … If Hellman’s understanding of the methodology and the data he’s looking at is wrong, then his opinion about the methodology is going to be of little merit.

With that understanding, note the objection of Sean Berkowitz, who fought DeFilippis’ late hour addition of an expert that DeFilippis wanted to use to opine on the validity of the research, bolded below.

So we looked at the top part, which set out your top-line conclusion. You then have a portion of the paper that says, “The investigators who conducted the research appear to have done the following.” Now, Special Agent Hellman, it appears to be a pretty technical discussion, but can you just tell us, in that first part of the paper, what did you set out and what did you conclude?

A. It looks to be that they were looking for domains associated with Trump, and the way that they did that was they looked at a list of sort of all domains and looked for domains that had the word “Trump” in them as a way to narrow down the number of domains they were looking at.

And then they wanted to find, well, which of that initial set of Trump domains, which of them are email servers associated with those domains. And the way they did that was to search for terms associated with email, like “mail” or other email-related terms to then narrow down their list of domains even further to be Trump-associated domains that were email servers.

Q. And did you opine on the soundness of that methodology? In other words, did you express a view as to whether this was a good way to go about this project?

A. We did not — I did not feel that that was the most expeditious way to go about identifying email servers associated with the domain.

Q. And why was that?

A. You can name an email server anything you want. It doesn’t have to have the words “mail” or “SMTP” in it. And so by — if you’re just searching for those terms, I would wager to guess you would miss an actual email server because there are other — there are other more technical ways that you can use — basically look-up tools, Internet look-up tools where you can say, for any domain, tell me the associated email server. That’s essentially like a registered email server. But the way that they were doing it was they were just looking for key terms, and I think that it just didn’t make sense to me why they would go about identifying email servers that way as opposed to just being able to look them up.

Q. Was there anything else about the methodology used here by the writer or writers of this paper that you found questionable or that you didn’t agree with?

A. I think just the overall assumptions that were being made about that the server itself was actually communicating at all. That was probably one of the biggest ones.

Q. And what, if anything, did you conclude about whether you believed the authors of the paper or author of the paper was fairly and neutrally conducting an analysis? Did you have an opinion either way?

MR. BERKOWITZ: Objection, Your Honor.

THE COURT: Basis?

MR. BERKOWITZ: Objection on foundation. He asked him his opinion. He’s not qualified as an expert for that.

THE COURT: I’ll overrule it.

A. Sorry, can you please repeat the question?

Q. Sure. Did you draw a conclusion one way or the other as to whether the authors of this paper seemed to be applying a sound methodology or whether, to the contrary, they were trying to reach a particular result? Did you —

A. Based upon the conclusions they drew and the assumptions that they made, I did not feel like they were objective in the conclusions that they came to.

Q. And any particular reasons or support for that?

A. Just the assumption you would have to make was so far reaching, it didn’t — it just didn’t make any sense.

That’s how, as his second witness, Andrew DeFilippis introduced the opinion of a guy who admitted he wasn’t an expert on DNS that DeFilippis had asked to serve as an expert even though DeFilippis should have known that he didn’t have the expertise to offer expert opinions like this.

If Sussmann is found guilty, I would bet a great deal of money this stunt will be one part of a several pronged appeal, because Judge Cooper permitted DeFilippis to do precisely what Cooper had prohibited him from doing before trial, and he let him do it with a guy who by his own admission is not a DNS expert.

Cyber Division reaches a conclusion without looking at the thumb drives

Now let’s look at what Hellman describes his own methodology to be.

First, it was quick. DeFilippis seems to think that serves his narrative, as if this stuff was so crappy that it took a mere glimpse to discredit it.

Q. Special Agent Hellman, how long would you say it took you and Special Agent Batty to write this up?

A. Inside of a day.

Q. Inside of a day, you said?

Berkowitz walked Hellman through the timeline of it, and boy was it quick. There’s some uncertainty about this timeline, because John Durham’s office doesn’t feel the need to make clear whether exhibits they’re turning over in discovery reflect UTC or ET. But I think I’ve laid it out below (Berkowitz got it wrong in cross-examination, which DeFilippis used to attack his analysis).

As you can see, not only were FBI’s crack cybersecurity agents making a final conclusion about the data within a day but — by all appearances — they did so before they had ever looked at the thumb drives included with the white papers. From the record, it’s actually not clear when — if!!! — they looked at the thumb drives. But it’s certain they had their analysis finalized no more than one working day after they admitted they hadn’t looked at the thumb drive, which was itself after they had already decided the white paper was shit.

Timeline

September 20, 10:20AM: Nate Batty tells Jordan Kelly they’ll come from Chantilly to DC get the thumb drives

September 20, 10:31AM: Jordan Kelly tells Batty the chain of custody is “Sussman to Strzock to Sporre”

September 20, 12:29PM: Hellman and Nate Batty accept custody of the thumb drives

September 20, 1:30PM: Hour drive back to Chantilly, VA

September 20, 4:44PM: Hellman appears to explain the process of picking up the thumb drives to jrsmith, claiming to have spoken to Baker on the phone. jrsmith jokes about “doctor[ing] a chain of evidence form.”

September 20, 4:58: Hellman says the more he reads the report “it feels a little 5150ish,” suggesting (as he explained to Berkowitz on cross) the authors suffered from a mental disability, and Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

September 21, 8:47AM: Batty tells Hellman their supervisor wants them to “write a brief summary of what we think about the DNC report.” Batty continues by suggesting that “we should at least plug the thumb drives into Frank’s computer and look at the files…”

9/22, 9:44AM: Curtis Heide, in Chicago, asks Batty to send the contents of the thumb drive so counterintelligence agents can begin to look at the evidence. The boys in Cyber struggle to do so for a bit.

9/22, 2:49PM: Batty asks Hellman what he did with the blue thumb drive.

9/22, 4:46PM: Batty sends “analysis of Trump white paper” to others.

In other words, the cyber division spent less than 28 hours doing this analysis.

Yes. The analysis was quick.

Hellman says his analysis is valid because he looked at the data

The hastiness of the analysis and the fact that Hellman didn’t look at the thumb drive before making initial conclusions about the research is fairly problematic, because when he discussed his own methodology, he described the data driving everything.

Q. Now, what principally, from the materials, did you rely on to do your analysis?

A. So it was really two things. It was looking at the data, the technical data itself. There was a summary that it came with. And then also we were comparing what we saw in the data, sort of the story that the data told us, and then looking at the narrative that it came with and comparing our assessment of the data to the narrative.

[snip]

Q. And in connection with that analysis, did you also take a look at the data itself that was underlying this paper?

A. Yes

[snip]

Q. And if we look at that first page there, Agent Hellman, what kind of data is this?

A. It appears to be — as far as I can tell, it looks to be — it’s log data. So it’s a log that shows a date and a time, a domain, and an IP address. And, I mean, that’s — just looking at this log, there’s not too much more from that.

Q. And do you understand this to be at least a part of the DNS data that was contained on the thumb drives that I think you testified about earlier?

A. Yes.

[snip]

A. It would have mattered — well, I think on one hand it would not have mattered from the technical standpoint. If I’m looking at technical data, the data’s going to tell me whatever story the data’s going to tell me independent of where it comes from. So I still would have done the same technical analysis.

But knowing where the data comes from helps to tell me — it gives me context regarding how much I believe in the data, how authentic it is, do I believe it’s real, and do I trust it. [my emphasis]

He repeated this claim on cross with Berkowitz.

I just disagreed with the conclusions they came to and the analysis that they did based upon the data that came along with the white paper.

When Berkowitz asked him why counterintelligence opened an investigation when Cyber didn’t, Hellman suggested that the people in CD wouldn’t understand how to read the technical logs.

A. Um, I think they’d probably be looking at it from the same vantage point, but if you’re not — you don’t have experience looking at technical logs, you may not have the capability of doing a review of those logs. You might rely on somebody else to do it. And perhaps counterintelligence agents are going to be thinking about other investigative questions. So I guess it would probably be a combination of both.

“If I’m looking at technical data,” DeFilippis’ star cybersecurity agent explained, “the data’s going to tell me whatever story the data’s going to tell me.”

Except he didn’t look at the technical data, at least not the data on the thumb drives, before he reached his initial conclusion.

Hellman makes a claim unsupported by the data in his own analysis

I’ll leave it to people more expert than me to rip apart Hellman’s own analysis of the white paper Sussmann shared with the FBI. In early consultations, I’ve been told he misunderstood the methodology, misunderstood how researchers used Trump’s other domains to prove that just one had this anomaly (that is, as a way to test their hypothesis), and misstated the necessity of some long-term feedback loop for this anomaly to be sustained. Again, the experts will eventually explain the problems.

One part of his report that I know damns his methodology, however, is where he says the researchers,

Searched “…global nonpublic DNS activity…” (unclear how this was done) and discovered there are (4) primary IP addresses that have resolved to the name “mail1.trump-email.com”. Two of these belong to DNS servers at Russian Alfa Bank. [my emphasis]

This is the point where every single person I know who assessed these allegations who is at least marginally expert on DNS issues stopped and said, “global nonpublic DNS activity? There are only a handful of people that could be!” See, for example, this Robert Graham post written in response to the original Slate story, perhaps the most influential critique of the allegations, probably even on Durham. Every marginally expert person I know has, upon reading something like that, tried to figure out who would have that kind of visibility on the data, because that kind of visibility, by itself, would speak to their expertise. Those marginally expert people did not have the means to identify the possible sources of the data. But a lot of them — including the NYTimes!! — were able to find people who had that kind of visibility to better understand the anomaly. When Hellman read that, he simply said, “unclear how this was done” and moved on.

Still, Hellman did not contest (or possibly even test) the analysis that said there were really just four IP addresses conducting look-ups with the Trump marketing server. Dozens of people have continued to test that result in the years since, and while there have been adjustments to the general result, no one has disproven that the anomaly was strongest between Alfa Bank and Trump’s marketing domain.

Where Hellman’s insta-analysis really goes off the rails, however, is in his assertion that, “it appears that the presumed suspicious activity began approximately three weeks prior to the stated start date of the investigation conducted by the researcher.”

I’m not a DNS expert, but I’m pretty good at timelines, and by my read here are the key dates in the white paper.

May 4, 2016: Beginning date for look-up analysis

July 28, 2016: Lookup for hostnames yielding Trump

September 4, 2016: End date for look-up analysis

September 14, 2016: Updated search for look-ups covering June 17 through September 14

The start date reflected in this white paper is July 28, 2016. Three weeks before that would be July 7, 2016, a date that doesn’t appear in the white paper. The anomaly started 85 days before the start date reflected in this white paper (and the start date for the research began months earlier, but still over three weeks after the May 4 start date).

I don’t understand where he got that claim. But DeFilippis repeated it on the stand, as if it were reflected in the data, I guess believing it makes his star cybersecurity agent look good.

DeFilippis’ star cybersecurity agent has some credibility problems

There are a few more problems with the credibility of Hellman, DeFilippis’ star cybersecurity agent who is not a DNS expert. One of those is that he compared notes with his boss before first testifying.

Q: And you also spoke with Nate Batty around that time, Right?

A: Yes.

Q: Did you talk to him before the first interview to kind of get ready for it?

A: I think so, but I don’t remember.

Q: Is that something that you encourage witnesses to do, to talk to other witnesses to see if your recollections are consistent?

A: No.

In addition, notwithstanding that Batty was told that Sussmann was in the chain of control, Batty claimed to believe the source was “anonymous” and Hellmann claimed to believe it was sensitive–a human source. Even after comparing notes their stories didn’t match.

There are other problems with Hellman’s memory of the events, notably that in his first interview — the one he did shortly after comparing notes with Batty — he claimed that Baker had told him he was unable to identify the source of the data.

Q. And when you went to Mr. Baker’s office, do you remember what, if anything, was said during that discussion or during that interaction?

A. I remember being in the office, but I don’t distinctly recall what the conversation was. I do remember after the fact, though, that I was frustrated that I was not able to identify who had provided these thumb drives, this information to Mr. Baker. He was not willing to tell me.

At the very least, this presents a conflict with Baker’s testimony, but it’s also another testament to how variable memories can be four years, much less six years, after the fact.

Hellman also claimed, when asked on cross, that the first time he had ever seen the reference to a “DNC report” in September 21 Lync notes he received was two years ago, when he was first interviewed.

A: The first time I saw this was two years ago when I was being interviewed by Mr. DeFilippis, and I don’t recall ever seeing it. I never had any recollection of this information coming from DNC. I don’t remember DNC being a part of anything we read or discussed.

Q: Okay. When you say, the first time you saw it was two years ago when you met with Mr. DeFilippis, that’s not accurate. Right? You saw it on September 21st, 2016. Correct?

A: It’s in there. I don’t have any memory of seeing it.

And when Sean Berkowitz asked about Hellman the significance of seeing the reference to a “DNC report” first thing on September 21, he described that DeFilippis suggested to him that it was likely just a typo for DNS.

Q. What’s your explanation for it?

A. I have no recollection of seeing that link message. And there is — I have absolutely no belief that either me or Agent Batty knew where that data was coming from, let alone that it was coming from DNC. The only explanation that popped or was discussed was that it could have been a typo and somebody was trying to refer to DNS instead of DNC.

Q. So you think it was a typo?

A. I don’t know.

Q. When you said the only one suggesting it — isn’t it true that it was Mr. DeFilippis that suggested to you that it might have been a typo recently?

A. That’s correct.

When asked about a topic for which there was documentary evidence Hellman had seen in real time that he claimed not to remember, Andrew DeFilippis offered up an explanation that Hellman then offered on the stand.

On the stand, DeFilippis also tried to get Hellman to call a marketing server a spam server, though Hellman resisted.

Once you look closely, I don’t think Hellman’s testimony helps Durham all that much. What it proves, however, is that DeFilippis attempted to coach testimony.

One final thing. DeFilippis got his star cybersecurity agent to observe that the researchers didn’t include their name or other markers on their report, as if that’s a measure of unreliablity.

Q. Now, let me ask you, were you able to determine from any of these materials who had actually drafted the paper alleging the secret channel?

A. No.

Q. In other words, was it contained anywhere in the documents?

Here’s what Hellman’s own report looks like:

There’s a unit — ECOU1 — but the names of the individual agents appear nowhere in the report. The report is not dated. It does not specifically identify the white papers and thumb drives by control numbers, something key to evidentiary analysis.

It has none of the markers of regularity you’d expect from the FBI. Hellman’s own analysis doesn’t meet the standards that DeFilippis uses to measure reliability.

This long-time Grand Rapids resident is furious that Hellman judged there was no hack

Everything above I write as a journalist who has tried to understand this story for almost six years. Between that and 18 years of covering national security cases, I hope I now have sufficient familiarity with it to know there are real problems with Hellman’s analysis.

But let me speak as someone who lived in Grand Rapids for most of this period, and had friends who had to deal with the aftermath of Spectrum Health appearing at the center of a politically contentious story.

Hellman had, as he testified, two jobs. First, he was supposed to determine whether there were any cyber equities, then he was supposed to do some insta-analysis of the data without first looking at the thumb drives.

According to Hellman, there was no hack.

I was asked to perform two tasks in tandem with Special Agent Batty, and our tasks were, number one, to look at this data, look at the data and look at the narrative that it came with and identify were there any what’s known as cyber equities. And by that it was, was there any allegation of a hacking. That’s what cyber division does. We investigate hacking. So was there an allegation that somebody or some company or some computer had been hacked. That was first.

[snip]

As I mentioned, the first piece was we had to identify was there any real allegation of hacking; and there was not. That was our first task by our supervisor. There was not.

[snip]

The allegation was that someone purported to find a secret communication channel between the Trump organization and Russia. And so we identified first that, no, we didn’t think that there was any cyber equity, meaning that there was probably nothing more for cyber to investigate further, if there was no hacking crime.

Except here’s what the white paper says about Spectrum, that Grand Rapids business that was swept up in this story.

The Spectrum Health IP address is a TOR exit node used exclusively by Alfa Bank. ie.,  Alfa Bank communications enter a Tor node somewhere in the world and those communications exit, presumably untraceable, at Spectrum Health There is absolutely no reason why Spectrum would want a Tor exit node on its system. (Indeed, Spectrum Health would not want a TOR node on its system because, by its nature, you never know what will come out of a TOR node, including child pornography and other legal content.)

We discovered that Spectrum Health is the victim of a network intrusion. Therefore, Spectrum Health may not know it has a TOR exit node on its network. Alternatively, the DeVos family may have people at Spectrum who know there is a TOR node. i.e.,  could have been placed there with inside help.

When faced with some anomalous activity that seemed to tie into the weird DNS traffic, the experts suggested that maybe the Spectrum hack related to the DNS anomaly.

To be clear, this Tor allegation is the the weakest part of this white paper. You will hear about this to no end over the next week. It was technically wrong.

But the allegation in the white paper is that maybe a recent hack of Spectrum Health is why it had this anomalous traffic with Trump’s marketing server. There’s your hack!!

Had the people at FBI’s cybersecurity side actually treated this as a possible compromise, it might have addressed the part of this story that never made any sense. And we might not, now, six years later, be arguing about what might explain it.

Let me be clear: I do think the white paper overstated its conclusions. I don’t think secret communication is the most obvious explanation here.

But there are hacks and then there are hacks in the testimony of DeFilippis’ star cybersecurity agent.

Update: Corrected an attribution to Batty instead of Hellman.

Update: Fixed my own timeline.

Update: Added link to Robert Graham’s analysis.

Update: This may be where Hellman gets his erroneous three week claim. There were two histograms included with the report. One, the close-up, does start around July 7.

But the broader scope shows look-ups earlier, very actively in June, but with a few stray ones in May.

The government didn’t include the pages and pages of logs that Batty complained about in this exhibit. Had they, it would be clear to jurors that this claim is false.

Update: Correction on two points. First, I think I’ve finally got the Lync exchange above correct between Batty and Hellman. As noted, Hellman complains that “it contains an absurd quantity of data” to which Batty responded, the data seemed “inserted to overwhelm and confuse the reader.”

Second, I was wading through exhibits this morning and found the exhibit of 19 pages of logs. Here’s just a subset of them, including logs that go back to May 2016. Hellman didn’t look even at the printed page of log files closely enough to realize his claim about three weeks was wrong. These data weren’t intended to overwhelm the reader. They were there to show how the anomaly accelerated during the election.