Take 5 — Break time for speculation

David Schiminovich
Nov 7, 2016

(Note — this entry was written pre-election. See my dailykos entries under dsko for a few additional updates.)

With the election upon us, I’m going to wrap up this series of posts on the Trump and Alfa Bank connection, based on news first reported in Slate (F. Foer, 10/31/16). In Take 3 and Take 4 I wrote about the identification of periodic and non-periodic events in the Trump-email DNS log file.

Now we get into murky waters… interpretation.

Let’s start with a working hypothesis: The non-periodic DNS event data are associated with human activity. Periodic data are automated. With this in mind, we’ll look more closely at the plot presented in Take 4, reproduced below for convenience.

A Rise in Human Activity

From the plot we can infer that on June 23 (point ii), the rate of human activity between Alfa Bank and Trump servers increased significantly. What news events happened on or around that day?

  • June 20–22 — Trump campaign shakeup, Lewandowski resigns, and Trump gives a major speech.
  • June 23 — Brexit vote
  • June 23–24 — Trump in Scotland visiting golf courses

The Start of Automated Activity

The next major point in the data stream came on the weekend of July 23–24 (point A), between the Republican and Democratic National Conventions. The data show that all activity stopped (including to Spectrum Health) during most of that weekend. When events returned, additional new activity commenced, this time automated. After the break, there was no change in the rate of human activity between Trump and Alfa Bank.

The new automated activity with Alfa Bank was similar to the activity between Trump and Spectrum Health servers (see figure in Take 3), with events on a 1 hour cycle. A key difference is that when there was increased human activity to Alfa Bank, the automated activity to Alfa decreased. This balance results in a nearly constant total activity rate each day (see gray histogram above).

Whether or not there was human activity, the connection remained active, with a rate of 20–25 events per day.
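One way to apply the working hypothesis (periodic events are automated, non-periodic events are human) to a list of DNS lookup timestamps is to fold them on the 1 hour cycle and count each class per day. This is an added example, not the author's code from Take 3 or Take 4; the function names, the 120-second tolerance, the 60-second bins and the constructed sample timestamps are all assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

PERIOD = 3600     # the 1 hour cycle described in the post, in seconds
TOLERANCE = 120   # assumed: allowed jitter around the dominant phase, in seconds
BIN = 60          # assumed: width of the phase-histogram bins, in seconds

def dominant_phase(timestamps, period=PERIOD, bin_width=BIN):
    """Fold epoch timestamps on the period; return the centre of the busiest phase bin."""
    bins = Counter(int(t % period) // bin_width for t in timestamps)
    busiest, _ = bins.most_common(1)[0]
    return busiest * bin_width + bin_width / 2

def split_events(timestamps, period=PERIOD, tolerance=TOLERANCE):
    """Label each event 'periodic' (near the dominant phase) or 'non-periodic'."""
    phase0 = dominant_phase(timestamps, period)
    labelled = []
    for t in sorted(timestamps):
        d = abs(t % period - phase0)
        d = min(d, period - d)  # circular distance, so phases 3599 and 1 are close
        labelled.append((t, "periodic" if d <= tolerance else "non-periodic"))
    return labelled

def daily_counts(labelled):
    """Count periodic and non-periodic events per UTC day."""
    days = {}
    for t, label in labelled:
        day = datetime.fromtimestamp(t, tz=timezone.utc).date().isoformat()
        days.setdefault(day, Counter())[label] += 1
    return days

def constructed_sample():
    """Constructed timestamps (not the real log): an hourly lookup plus 4 irregular ones."""
    base = datetime(2016, 7, 25, tzinfo=timezone.utc).timestamp()
    hourly = [base + i * 3600 + 1030 + i % 5 for i in range(48)]
    irregular = [base + 86400 + h * 3600 + m * 60 + s
                 for h, m, s in [(9, 41, 12), (13, 2, 55), (13, 48, 3), (20, 33, 40)]]
    return hourly + irregular

if __name__ == "__main__":
    for day, counts in sorted(daily_counts(split_events(constructed_sample())).items()):
        print(day, dict(counts))
```

An irregular lookup that happens to land within the tolerance of the hourly phase is counted as periodic, so the non-periodic count is a lower bound.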

The Mysterious Gaps

Take 4 describes the mysterious gaps that occurred on Aug 9–17 (point B) and Sep 13–20 (point C) for what we’re now calling human activity. Why did the human activity drop out during those periods?

Gap 1 is particularly puzzling, because it contrasts with the plot of the overall DNS activity shown in Slate and Take 3, which exhibits peak activity during the first two weeks of August followed by a steep drop-off. Some have speculated that the decline in the overall log activity could be associated with Paul Manafort’s departure from the Trump campaign.

On the other hand, in the plot above, human activity instead falls off to a minimum in the second week of August (Gap 1). Human activity returns mid-August, around the time Paul Manafort left the campaign. Sort of the opposite story… and seems to have nothing to do with Manafort’s departure.

But then a twist. On Friday Eichenwald came out with his Newsweek story where he wrote that after Trump’s attack on the Khan family (~Jul 31) the Russians started to worry that Trump was unreliable and might even withdraw from the campaign. Eichenwald writes: “As a result, Moscow put its hacking campaign temporarily on hold, ending the distribution of documents until Trump stabilized, both personally and in the polls, according to reports provided to Western intelligence.”

Interesting. We’ll get back to this below.

September’s mysterious Gap 2 in human activity is less defined, beginning gradually, and with an end that was followed abruptly by the server shut-down on Sept. 23. It has been suggested that the shut-down of the server might have been related to inquiries into the Trump-email and Alfa Bank connection. Could these inquiries also be associated with Gap 2?

Some Key Questions

Putting all of this together, we’re left with two key questions, the answers for which may already be known, or in easy reach of those who have been reporting on this election.

1. Does Eichenwald (or anyone else) have more precise dates on when the Russian hacking campaign went on hold and when it came back? The time period indicated in the Newsweek article suggests that it could match Gap 1. If that were the case, it would be extremely suggestive of a connection. (And very different dates could falsify some hypotheses.)

2. What is the timeline of actions that might be linked to Gap 2, starting in mid-September and up to the shut-down on Sep 23? For example, on what day did the first questions or postings about the server begin? The Slate article states that there were posts about the Trump-email server in September. When did NYT start to ping Alfa Bank with inquiries before they met?

There are many other questions that could be asked, more than any of us will have time to address. So let’s leave it at these.

(Some of you who already know too much about this story might be wondering… how about the automated activity to Spectrum Health, how does that fit in? An exercise for the reader. I’m happy to send you my data file and code. But don’t forget ye conspirators out there, that Trump is finishing his campaign tonight (11/7/16) in Grand Rapids, Michigan. Go figure!)

Final Thoughts

I mentioned in Take 4 that I went on vacation this past weekend with some long-time buddies. I won’t mention them by name, but will note that while they are not astrophysicists, they are some of the smartest people I know.

In some of our other conversations they expressed some skepticism, as others have, about whether a convincing conclusion can be obtained from these data. A number of alternate explanations were offered which can be divided into four groups, ranging from the mundane to the nefarious:

  • Business as usual: The activity we are seeing in periodic and non-periodic signals is not uncommon and the peaks and gaps are coincidental. None of the Trump, Alfa Bank or Spectrum Health activity would surprise an IT or other employee.
  • Fake: The data are fabricated or highly incomplete.
  • One-sided secret: One side is performing secret activity on the other side (hacking or secret mole in either direction).
  • Two-sided secret: Certain actors within or connected to Trump and Alfa Bank servers know that secret data are being transmitted on this server.

Based on what I’ve read so far, I’m skeptical that we’re seeing business as usual, or fake or incomplete data, but happy to be convinced otherwise.

That said, I also agree with my friends that even if ‘secret’ human activity is suggested by correlations between the data and other external events — as described above — it will be very hard to pinpoint the nature of that activity.

If astronomers were looking at data from a distant star system and found hitherto-unexplained non-random or periodic signals (aliens?), we would initially jump for joy, but then do everything possible to falsify the hypothesis that we were seeing evidence of an extraterrestrial intelligence. Before reporting a discovery it would be essential to confirm that the suggestive signals did not originate in the recording instrument, or as a result of some physical process that doesn’t require intelligence, or as a hoax. Extraordinary claims require extraordinary evidence.

But let’s be real. Is a Trump server secretly communicating with Russia really an extraordinary claim? After everything else you’ve heard this year?
