This is my copy from the larger paper "A Leak or a Hack? A Forum on the VIPS Memo", by Various Contributors, SEPTEMBER 1, 2017

I embedded the film "A Good American", because in it three of the authors of the following paper explain how they (in particular William Binney) have in the past successfully revealed covert operations by state and non-state actors, e.g. during the Cold War and the Vietnam War. The method they developed and successfully implemented is now called "automated meta data analysis". ThinThread is the corresponding program that they had operational about a year before 9/11. They proved that ThinThread would have prevented 9/11, had it not been shut down by Michael Hayden about 2 weeks before the attacks.

In their recent analysis mentioned below they again reveal covert political activities by using metadata. 

J. Gruber



We Veteran Intelligence Professionals for Sanity (VIPS) scientists make our technical judgments based on given facts and do not speculate without a factual basis. The main issue here is: Who gave the DNC e-mails to WikiLeaks? “Handpicked” analysts from three intelligence agencies “assess” that the Russians hacked into the DNC, but provide no hard evidence for this.

We think back to the evidence-free “assessments” 15 years ago before the attack on Iraq. Several “high-confidence” intelligence judgments had been fraudulently “fixed” to dovetail with the Bush/Cheney agenda for war. In June 2008, the chair of the Senate Intelligence Committee released a bipartisan report five years in the making. Mincing no words, he wrote: “In making the case for war, the Administration repeatedly presented intelligence as fact when in reality it was unsubstantiated, contradicted, or even non-existent.”

We worry that this may be happening again. Adding to our concern, in recent years we have seen “false-flag” attacks carried out to undergird a political narrative and objective—to blame the Syrian government for chemical attacks, for example. Forensic evidence suggests that this tried-and-tested technique (in this instance, simply pasting in a Russian template with “telltale signs”) may have been used to “show” that Russia hacked into the DNC computers last June.

For more than a year, we have been pointing out that any data acquired by a hack would have had to come across the Internet. The blanket coverage of the Internet by the NSA, its UK counterpart GCHQ, and others would be able to produce copies of that data and show where the data originated and where it went. But US intelligence has produced no evidence that hacking by Russia led to it acquiring the DNC e-mails and passing them on to WikiLeaks.

Historically, the United States has disclosed classified information when it has suited its purposes. One need not go all the way back to the release of U-2 photography during the Cuban missile crisis, or to President Ronald Reagan’s decision to sacrifice a lucrative source (which enabled us to intercept and decipher Libyan communications) to prove that Libya was behind the April 5, 1986, bombing of a Berlin disco that killed two and wounded 79 US servicemen. Much more recently, in 2014 and 2015, the United States released significant details to verify the successful hack by which China stole over 21.5 million official records, including security background investigations, from the Office of Personnel Management.

Independent research into the metadata associated with the July 5, 2016, cyber-event that was blamed on “Russian hacking” shows that what actually took place was a copy onto an external storage device, and that the copy took place on the East Coast of the United States by someone with physical access to the DNC server or computers. Most curiously, the FBI did not have access to the DNC computers to do its own forensics, even though prominent politicians were calling the alleged Russian hack “an act of war.”

After examining the recent forensic findings, Skip Folden, co-author of the VIPS memo titled “Was the ‘Russian Hack’ an Inside Job?,” sent a more detailed technical report to the offices of Special Counsel Robert Mueller and of Attorney General Jeff Sessions, asking them to investigate the latest findings.

We will not dwell on the nontechnical evidence at hand, but we would be remiss if we did not mention something that has recently been in the public eye. Julian Assange has denied that the source is the Russian government or any other state party, and, truth be told, his record of credibility compares favorably with the records of those who demonize him. An associate of Assange, former UK ambassador Craig Murray, has said the WikiLeaks source was a leak from an insider. “To my certain knowledge,” said Murray, “neither the DNC nor the Podesta leaks involved Russia.” Oddly, Murray has not been questioned by any US official or journalist.

Commentary on the Dissenting Memo

What follows are our comments on the dissenting memo written by Thomas Drake, Lisa Ling, Cian Westmoreland, Philip M. Giraldi, and Jesselyn Radack 

[I changed the comments format into a table, J. Gruber]

In the words of the memo

Our reply

[T]he intelligence-community assessment from January 6, 2017, which reflects the judgment of the CIA, the FBI, and the NSA, asserts as fact (absent categorical proof or evidence) that “Guccifer 2.0” accessed data from the DNC through a “cyber operation.” This could mean via the network, the cloud, computers, remote hacking, or direct data removal. However, “Guccifer 2.0” claimed access to the DNC server through remote hacking.

With this statement at the outset, the dissent injects uncertainty about what the words “cyber operation” might include in a way that clearly implies that the Russians could have gotten the DNC e-mails in some way other than through an Internet hack—a very key point. Yes, the January 6 report does use the phrase “cyber operation,” but President Obama’s intelligence chiefs, including former FBI director James Comey, have testified under oath that they accept CrowdStrike’s analysis regarding a “hack.” Moreover, intelligence officials have briefed The New York Times, The Washington Post, and other major news outlets about the alleged Russian role in a hack. In this light, focusing on the phrase “cyber operation” amounts to a word game.

Moreover, does the dissent have proof that the “Guccifer 2.0” “claim” is not fake news? Is the writer of the post at “Guccifer 2.0” actually the person(s) responsible for the data heist? The intelligence-community assessment was not backed up with facts; we cannot believe what it says until technical evidence is provided to prove it.

The third-party analysis of the “Guccifer 2.0” claims (including Adam Carter’s and the Forensicator’s) analyzed in the VIPS memo directly contradict these conclusions (while raising legitimate questions), but the VIPS memo asserts as a “slam dunk” fact the categorical conclusion of a local leak that is also not supported by the third-party analysis, either.

If we understand this sentence correctly, and the “third-party” analysis refers to the Forensicator, this assertion is wrong. From the data given, the analysis does support the conclusion, as it demonstrates that the Internet on July 5, 2016, could not support such an international hack.

There is also no evidence from the available metadata that can definitively state when the transfer or copying of the data took place, nor does the data prove that “Guccifer 2.0” had direct access to the DNC server or that the data was located on the DNC system when it was allegedly copied on July 5, 2016.

We have no evidence that the July 5 data was manipulated. Nor does the dissent present any. Furthermore, “Guccifer 2.0” bracketed it with his July 4 and 6 posts, which are repeatedly ignored by the dissent. The independent analysis makes no claim that “Guccifer 2.0” had direct access to the DNC server or that the data was located on the server at that time. The transfer rate was independent of the physical location of the data at the time of copy.

The implications of this leap-to-conclusions analysis of the VIPS memo—which centers on claiming as an unassailable and immutable fact that the DNC “hack” was committed by an insider with direct access to the DNC server, who then deliberately doctored data and documents to look like a Russian or Russia-affiliated actor was involved, and therefore no hack occurred (consequently, ipso facto, the Russians did not do it)—are contingent on a fallacy.

There had to be direct access to the DNC server at some point, for that repository was the source of the data. The authors of the dissent are confusing the July 5 and June 15 incidents, for it was the latter that experienced the deliberate insertion of Russian “fingerprints.”

Data-transfer speeds across networks and the Internet measured in megabits per second (or megabytes per second) can easily achieve rates that greatly exceed the cited reference in the VIPS memo of 1,976 megabytes in 87 seconds (22.71 megabytes per second or 181.7 megabits per second), and well beyond 50 megabytes depending on the capacity of the network and the method of access to that network. Speeds across the network vary greatly, and sustained write speeds copied out to local devices are often quite a bit slower.

The dissent misses the key point of the difference between available speeds in early July 2016 and now. In addition, the above shows no awareness of the degradation of speed with distance and no awareness of the problem of transoceanic connections.

The environment around Trump, Russia, et al. is hyperpolarized right now, and much disinformation is floating around, feeding confirmation bias, mirroring and even producing conspiracy theories.

However, this VIPS memo could have easily raised the necessary and critical questions without resorting to law-of-physics conclusions that claim to prove beyond any shadow of a doubt that it was an inside-network copy only and then asserting the “fact” that the Russians (or anybody else for that matter) did not hack the DNC.

The authors of the dissent may not like the conclusions, but that is exactly what the independent analysis demonstrated, not just via metadata but also by actual network field tests.

In addition, no qualifiers, disclaimers, or dissenting views are provided in the VIPS memo, nor is any alternative theory presented.

The conclusions of our VIPS memo were definitive and included extensive support data if one looks at the websites that were referred to. The writers of the dissent made no attempt to weigh in on the article with a dissenting view or an alternate theory prior to publication of the VIPS memo. Like everyone else, they had two weeks.

It is important to note that it’s equally plausible that the cited July 5, 2016, event was carried out on a server separate from the DNC or elsewhere, and with data previously copied, transferred, or even exfiltrated from the DNC.

Yes, the claimed “hack” could have been done on a secondary computer (not “server”), but in either case had to come originally from the DNC server. This has no effect on the transfer rate, which precluded a “hack”—a point the authors of the dissenting memo keep missing.

However, independent of transfer/copy speeds, if the data was not on the DNC server on July 5, 2016, then none of this VIPS analysis matters (including the categorically stated fact that the local copy was acquired by an insider) and simply undermines the credibility of any and all analysis in the VIPS memo when joined with this flawed predicate.

The dissent refers to “independent of transfer/copy speeds,” but one cannot simply ignore them, as if they were irrelevant. Also, again, the “Guccifer 2.0” July 4 and 6 posts are being ignored. The dissent’s argument ignores the fact that on July 5, the data was transferred at a speed not obtainable from East Coast ISPs. The transfer rate, however, is entirely consistent with a USB port connected to a portable device such as a thumb drive.

As the author of The Nation article pointed out, our investigations continue. Recent data analysis gives additional support to our key finding—namely, that the speed of the data transfer from the DNC server (22.7 megabytes per second) far exceeded the capability of the Internet in early July 2016. We have now learned that the 22.7-megabytes-per-second speed was merely the average rate for the duration of the data transfer, and that a peak rate of 38 megabytes per second was reached during that transfer. A copy to a thumb drive could handle that peak speed; an Internet hack attempted from abroad could not.
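The distinction drawn above between an average rate and a peak rate, worked as an added example (not code from VIPS, the Forensicator, or the original paper). It assumes the metadata is a list of per-file (last-modified time, size) records in which each timestamp marks the moment that file's copy finished; the records, the 5-second window, and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta

def mb_per_s(total_mb, seconds):
    """Average rate for total_mb megabytes moved in `seconds` seconds."""
    return total_mb / seconds

def to_mbit_per_s(rate_mb_s):
    """Megabytes per second -> megabits per second (8 bits per byte)."""
    return rate_mb_s * 8

def average_rate(records):
    """Average MB/s between the first and the last timestamp.

    The first file is excluded from the byte count: its timestamp marks
    the end of its copy, so its bytes moved before the measured interval.
    """
    recs = sorted(records)
    if len(recs) < 2:
        raise ValueError("need at least two records")
    elapsed = (recs[-1][0] - recs[0][0]).total_seconds()
    if elapsed <= 0:
        raise ValueError("timestamps do not span any time")
    return sum(size for _, size in recs[1:]) / elapsed

def peak_rate(records, window_s=5):
    """Highest MB/s seen in any window of window_s seconds.

    Each window opens at a file's timestamp and counts the files that
    finished in (start, start + window_s]. Windows that run past the last
    timestamp are underestimated, which cannot raise the peak.
    """
    recs = sorted(records)
    best = 0.0
    for start, _ in recs:
        end = start + timedelta(seconds=window_s)
        moved = sum(size for t, size in recs if start < t <= end)
        best = max(best, moved / window_s)
    return best

def sample_records():
    """Constructed data: one file per second, sizes in MB, in three phases."""
    t0 = datetime(2020, 1, 1, 12, 0, 0)  # arbitrary constructed start time
    recs = [(t0, 10.0)]
    for sec in range(1, 31):
        size = 20.0 if sec <= 10 else 40.0 if sec <= 20 else 10.0
        recs.append((t0 + timedelta(seconds=sec), size))
    return recs

if __name__ == "__main__":
    # Figures quoted in the text: 1,976 megabytes in 87 seconds.
    avg = mb_per_s(1976, 87)
    print(f"quoted transfer: {avg:.2f} MB/s = {to_mbit_per_s(avg):.1f} Mbit/s")
    recs = sample_records()
    print(f"constructed sample: average {average_rate(recs):.2f} MB/s, "
          f"peak {peak_rate(recs):.2f} MB/s")
```
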

In addition, a subsequent post by the “Forensicator” actually backs away from the VIPS memo and provides additional caveats, including the following statements (among several):

“The Guccifer 2.0 NGP/VAN Metadata Analysis describes a copy operation that (based on the metadata) occurred in the early evening on July 5, 2016. No claim is made in the report that the data might not have been copied earlier nor whether it might have been copied or leaked.”

This is correct, but has no bearing on the conclusions. Direct access was required in either case, whether the alleged “hack” occurred on the DNC server or on a copy made earlier by a person with direct access. The Forensicator is trying, with these later details, to assist those who were confused.

Furthermore, a recent article in the New York Post raises the specter of yet other alternative paths for one or more DNC data breaches. Scott Ritter, a VIPS member, also wrote an article in Truthdig that takes issue with the centerpiece claims of the VIPS memo.

He did, and without mentioning it to VIPS colleagues more technically experienced in these issues. And the Truthdig article contained misstatements of fact, as detailed in e-mails sent within VIPS, including to Ritter, on July 31 regarding claims that the VIPS conclusions are not supported by data, that the transfer rate is irrelevant, etc. It is not clear why the authors of the dissent think that referring to that article poses any challenge to the technical basis for the conclusion that the July 5 metadata was extracted onto a thumb drive. Again, no facts are presented to infer another path.

The bottom line: This VIPS memo was hastily written based on a flawed analysis of third-party analyses and then thrown against the wall, waiting to see if it would stick. This memo could have cited the critical questions raised in the third-party analyses of “Guccifer 2.0” while also asking why the three US intelligence agencies have yet to provide any actual hard proof following their January 6, 2017, assessment.

Flawed analysis? The dissent has presented no evidence of that. Many of the points raised suggest the authors do not fully understand the analysis. With respect to the alleged hacking and the intelligence-community assessment, the VIPS memo pointed to the parallel report to both the Office of Special Counsel and the attorney general, which covers those issues.

[remark added by J. Gruber:

"[Skip Folden] has drafted a more detailed technical report titled “Cyber-Forensic Investigation of ‘Russian Hack’ and Missing Intelligence Community Disclaimers," Source:

The VIPS memo is now increasingly politicized because the analysis itself was politicized. It deals only with alleged “Guccifer 2.0” hacking and makes the classic apples-versus-oranges mistake. In an ideal world, VIPS would at least retract its assertion of certainty. Absent real facts regarding proof of leaks or hacks (or both), how many hypotheses can one copy onto the head of a digital pin?

This paragraph is not only misleading, it also impugns the core apolitical nature of VIPS. Again, the dissent seems confused about the main subjects of this discussion and the VIPS memo’s key conclusion—that the July 5, 2016, intrusion into the DNC e-mails, which was blamed on Russia, could not have been a hack—by Russia or anyone else. In that very important forest it is difficult to see through all the bushes and trees on which the dissent chooses to focus.

William Binney was a civilian employee of the National Security Agency from 1970 to 2001. He held numerous positions, including technical director of the World Geopolitical and Military Analysis Reporting Group; Operations Directorate analysis skill field leader; member of the NSA Senior Technical Review Panel; chair of the Technical Advisory Panel to the Foreign Relations Council; co-founder of the SIGINT Automation Research Center; NSA representative to the National Technology Alliance Executive Board; and technical director of the Office of Russia, as well as working as a senior analyst for Warning for over 20 years. After retiring, Binney blew the whistle on the unconstitutional surveillance programs run by the NSA. His outspoken criticism led to an early-morning FBI raid on his home in 2007. Even before Edward Snowden’s whistle-blowing, Binney publicly revealed that the NSA had access to telecommunications companies’ domestic and international billing records, and that since 9/11 the agency has intercepted some 15 to 20 trillion domestic communications. The documents released by Edward Snowden confirmed many of the surveillance dangers about which Binney had been warning under both the Bush and Obama administrations.

Skip Folden (Associate VIPS) retired from IBM after 25 years. His last position there was as IBM program manager for information technology, US.

Ed Loomis is a former NSA technical director for the Office of Signals Processing. From 1996 to 2001, he led the SIGINT Automation Research Center. He retired in 2001 as senior cryptologic computer scientist after 37 years at the agency. He worked for the NSA as an enterprise senior system architect from 2002 to 2007 following retirement, and he was professionally certified in multiple fields at the NSA: mathematician, computer systems analyst, operations research analyst, and system acquisition manager. Loomis applied technical knowledge and experience in developing automated systems focused on producing intelligence supporting military operations and top US decision-makers from 1964 to 2001.

Ray McGovern worked as a CIA analyst under seven presidents and nine CIA directors after serving as a US Army infantry/intelligence officer in the 1960s. His concentration was on Russia, one of the foreign posts in which he served. He was chief of the CIA’s Foreign Policy Branch in the 1970s and acting national intelligence officer for Western Europe in the ’80s. He prepared the President’s Daily Brief for Presidents Nixon, Ford, and Reagan. During Reagan’s first term, McGovern conducted the early-morning CIA substantive briefings, one-on-one, to the president’s five most senior foreign-policy advisers. At retirement, he was awarded the Intelligence Commendation Medallion for “especially meritorious service,” but gave it back in March 2006 to dissociate himself from an agency engaged in torture. After retirement, he co-founded Veteran Intelligence Professionals for Sanity.

Kirk Wiebe is a former senior analyst at the SIGINT Automation Research Center, NSA. He led the center’s response to National Security Decision Directive 178, ordering the NSA to develop a program to counter the threat posed by foreign relocatable targets, which earned him the DCI’s National Meritorious Unit Citation. Wiebe was awarded the NSA’s second-highest honor, the Meritorious Civilian Service Award, together with numerous other awards for work on the challenges of digital-age strategic planning. He held the NSA’s professional certification as a Russian linguist.

Version: 11.11.2017


Joachim Gruber