- Spitfire List - https://spitfirelist.com -

FTR #930 The Trumpenkampfverbande, Part 9: Alfa Males, Part 3 (German Ostpolitik, Part 3)

Dave Emory’s entire life­time of work is avail­able on a flash dri­ve that can be obtained HERE [1]. The new dri­ve is a 32-giga­byte dri­ve that is cur­rent as of the pro­grams and arti­cles post­ed by ear­ly win­ter of 2016. The new dri­ve (avail­able for a tax-deductible con­tri­bu­tion of $65.00 or more.) (The pre­vi­ous flash dri­ve was cur­rent through the end of May of 2012.)

WFMU-FM is pod­cast­ing For The Record–You can sub­scribe to the pod­cast HERE [2].

You can sub­scribe to e‑mail alerts from Spitfirelist.com HERE [3].

You can sub­scribe to RSS feed from Spitfirelist.com HERE [3].

You can sub­scribe to the com­ments made on pro­grams and posts–an excel­lent source of infor­ma­tion in, and of, itself HERE [4].

This broad­cast was record­ed in one, 60-minute seg­ment [5].

NB: This descrip­tion con­tains mate­r­i­al not con­tained in the orig­i­nal broad­cast.

alfa-group [6]welcome-to-terrorland [7]Intro­duc­tion: With the (jus­ti­fi­able) out­rage swirling around FBI direc­tor (and Mitt Rom­ney backer) James Comey’s pub­lic dis­cus­sion of the dis­cov­ery of more of Hillary Clin­ton’s e‑mails hav­ing been dis­cov­ered, anoth­er elec­tion-relat­ed inves­ti­ga­tion has gone large­ly unex­am­ined. Indeed, the impor­tance of the inves­ti­ga­tion has been down­played.

Com­put­er experts dis­cov­ered a link between a serv­er reg­is­tered to the Trump orga­ni­za­tion and two servers reg­is­tered to the Alfa Bank in Moscow, a bank that is part of the Alfa con­glom­er­ate dis­cussed in FTR #‘s 530 [8] and 573 [9].

In the Foer piece, and in attempt­ed dis­cred­it­ing arti­cles of same, it is appar­ent that the inves­ti­ga­tors do not under­stand the nature of the enti­ty they are inves­ti­gat­ing. The jour­nal­is­tic “spin” put on Alfa in the cov­er­age is “Russia/Putin/Kremlin” new Cold War con­text. Alfa is very, very dif­fer­ent.

Excerpt­ed from the descrip­tion for FTR #530 [8]: 

Intro­duc­tion: This broad­cast sets forth ele­ments of a net­work that Mr. Emory believes to be a Bormann/Underground Reich net­work. This net­work was part of the appa­ra­tus involved in the exe­cu­tion of the 9/11 attacks.

Begin­ning with review of the Carl Duis­berg Gesellschaft and its role in bring­ing 9/11 hijack ring­leader Mohamed Atta to Ger­many, the pro­gram traces the evi­den­tiary trib­u­taries run­ning out of that orga­ni­za­tion. In addi­tion to a fel­low­ship oper­at­ed on behalf of the Russ­ian Alfa con­glom­er­ate, the CDG net­work also encom­pass­es the Robert Bosch Foun­da­tion Fel­low­ship.

The Alfa firm, in turn, has pro­found links to crim­i­nal syn­di­cates in Asia, Rus­sia and Latin Amer­i­ca, as well as ele­ments that par­tic­i­pat­ed in activ­i­ties over­lap­ping both the Iran-Con­tra and Iraq­gate affairs. One of the cen­tral ele­ments in this net­work is the roy­al fam­i­ly of Liecht­en­stein, a tiny Euro­pean coun­try that is an epi­cen­ter for mon­ey laun­der­ing.

In addi­tion to par­tic­i­pat­ing in a front com­pa­ny that was part of the Al Taqwa con­stel­la­tion that fund­ed Bin Laden, the Liecht­en­stein roy­al fam­i­ly (in 2001) assumed the pow­ers of absolute monar­chy, just in time to inter­dict any legal inves­ti­ga­tions that might have gone in the direc­tion of 9/11. The head of the polit­i­cal par­ty that front­ed for Prince Hans Adam’s assump­tion of absolute pow­er is a pow­er­ful lawyer who works for an Alfa sub­sidiary!

The dove­tail­ing of pow­er­ful Ger­man cap­i­tal inter­ests appar­ent­ly linked to the Bor­mann milieu with Russ­ian oli­garchic and crim­i­nal ele­ments appears to be an out­growth of tra­di­tion­al Ger­man “Ost­poli­tik.” For more about Ost­poli­tik, be sure to access Ger­many Plots with the Krem­lin by T. H. Tetens [10], avail­able for free down­load­ing at: Spitfirelist.com/Books [11].

Pro­gram High­lights Include: The Ger­man indus­tri­al fig­ures on the board of direc­tors of the CDS; a his­to­ry of the Carl Duis­berg Gesellschaft and its Amer­i­can sub­sidiary, the CDS; the Alfa Group’s links to Cheney’s Hal­libur­ton Oil com­pa­ny; the Alfa Group’s links to Iraq­gate arms traf­fick­ing; the Alfa Group’s links to the oil-for-food scan­dal in Iraq; Alfa’s links to the Cali cocaine car­tel of Colom­bia; Alfa’s links to hero­in traf­fick­ing; Attor­ney Nor­bert Seeger’s role with Alfa sub­sidiary Crown Resources; Nor­bert Seeger’s role as head of the Pro­gres­sive Cit­i­zens Par­ty in Liecht­en­stein; links between Liecht­en­stein and the milieu of the CDU fund­ing scan­dal; Atta’s father’s friend­ship with the Ger­man cou­ple that spon­sored Atta’s entry into Ger­many under the aus­pices of the Carl Duis­berg Gesellschaft; review of John P. Schmitz’s links to many of the enti­ties and per­son­al­i­ties dis­cussed in the pro­gram. . . . .

More about this line of inquiry, excerpt­ed from the descrip­tion for FTR #573 [9]:

Intro­duc­tion: Con­tin­u­ing analy­sis of what British Prime Min­is­ter Tony Blair described as a “glob­al net­work” behind the 9/11 attacks, this pro­gram details evi­den­tiary trib­u­taries between the pow­er­ful, well-con­nect­ed and crim­i­nal Alfa con­sor­tium and peo­ple and insti­tu­tions con­nect­ed to the events of 9/11. A Russ­ian com­pa­ny with what Mr. Emory describes as “more con­nec­tions than a switch­board,” Alfa has links to Vik­tor Kozeny, the Carl Duis­berg Gesellschaft and to pow­er­ful peo­ple and insti­tu­tions con­nect­ed to the Bush admin­is­tra­tion. Kozeny is alleged to have par­tic­i­pat­ed in an Alfa scheme to defraud numer­ous U.S. investors and com­pa­nies and is also the man who employed Wolf­gang Bohringer, one of 9/11 hijack­er Mohamed Atta’s Ger­man asso­ciates in Flori­da. The Carl Duis­berg Gesellschaft spon­sored Mohamed Atta’s entrance into Ger­many and, per­haps, Flori­da. That same Carl Duis­berg Gesellschaft also main­tains a fel­low­ship on behalf of Alfa Group. Alfa’s activ­i­ties in the Unit­ed States are aid­ed and abet­ted by the pow­er­ful lob­by­ing firm of Bar­bour, Grif­fith and Rogers, inti­mate­ly con­nect­ed to the admin­is­tra­tion of George W. Bush. Hans Bod­mer and Pyotr Aven (two of Kozeny’s asso­ciates in a scheme to gain con­trol of the state oil com­pa­ny of Azer­bai­jan) are also alleged to have worked with Kozeny and Alfa in the defraud­ing of IPOC. The glob­al net­work to which Blair referred and that sup­port­ed the 9/11 hijack­ers embod­ies a fusion of the under­world and the over­world. Engaged in drug traf­fick­ing on sev­er­al con­ti­nents, this net­work also oper­ates in con­junc­tion with pow­er­ful cor­po­rate enti­ties in Europe, the Mid­dle East, Latin Amer­i­ca and the Unit­ed States. FTR#’s 433 [12], 530 [8], 536 [13], 570 [14] sup­ple­ment the infor­ma­tion pre­sent­ed here and should be exam­ined in order to gain a firmer under­stand­ing of this com­plex net­work. As Mr. Emory not­ed in the broad­cast, “If this seems con­fus­ing, it is meant to be!”

Pro­gram High­lights Include: Links between the Alfa group and the roy­al fam­i­ly of Liecht­en­stein; links between the roy­al fam­i­ly of Liecht­en­stein and the milieu of 9/11; Haley Bar­bour (of Bar­bour, Grif­fith and Rogers) and his busi­ness con­nec­tions with com­pa­nies belong­ing to the busi­ness empire of for­mer Nazi spy and appar­ent Al Qae­da financier Youssef Nada; the appar­ent­ly ille­gal oper­a­tions per­formed by GOP big­wig Ed Rogers’ Dili­gence Inc. secu­ri­ty firm on behalf of Alfa; the wall of secre­cy sur­round­ing the iden­ti­ty of the Ger­mans spon­sors of Atta’s activ­i­ties under the aus­pices of the Carl Duis­berg Gesellschaft. . . .”

Listeners/readers are emphat­i­cal­ly encour­aged to exam­ine the descrip­tions and audio files of these linkjed pro­grams to fur­ther flesh out their under­stand­ing of the Alfa group.

Suf­fice it to say, this is NOT “Kremlin/Putin/Russia” new Cold War stuff at all. Rather, the Alfa Fel­low­ship and the many links of this orga­ni­za­tion sug­gest that this is a Bormann/Underground Reich enti­ty.

The orig­i­nal Foer [15] piece sets forth a num­ber of inter­est­ing aspects of the Trump/Alfa Bank serv­er link:

After high­light­ing the Foer sto­ry on the Trump/Alfa con­nec­tion, the pro­gram notes the offi­cial dis­missal [20] of the sto­ry. “. . . . Foer men­tions in his piece that the New York Times was inves­ti­gat­ing the link. On Mon­day, the paper report­ed [21] that the FBI had looked into and dis­missed the idea that the two servers rep­re­sent­ed a secret com­mu­ni­ca­tions chan­nel. Inves­ti­ga­tors “con­clud­ed that there could be an innocu­ous expla­na­tion, like a mar­ket­ing email or spam, for the com­put­er con­tacts,” the Times’ Eric Licht­blau and Steven Lee Myers report­ed. . . . 

The con­clud­ing por­tion of the pro­gram notes that there are inter­est­ing evi­den­tiary trib­u­taries between Alfa, the busi­ness enti­ties of com­modi­ties deal­er Marc Rich and the inves­ti­ga­tions into Rich and Bill Clin­ton’s par­don of Marc Rich.

Pro­gram High­lights Include:

This dis­cus­sion will be con­tin­ued at greater length in the next pro­gram.

1. The orig­i­nal sto­ry about the Trump organization/Alfa Bank servers was bro­ken by Franklin Foer.

“Was a Trump Serv­er Com­mu­ni­cat­ing With Rus­sia?” by Franklin Foer; Slate; 10/31/2016. [15]

This spring, a group of com­put­er sci­en­tists set out to deter­mine whether hack­ers were inter­fer­ing with the Trump cam­paign. They found some­thing they weren’t expect­ing.

The great­est mir­a­cle of the inter­net is that it exists—the sec­ond great­est is that it per­sists. Every so often we’re remind­ed that bad actors wield great skill and have lit­tle con­science about the harm they inflict on the world’s dig­i­tal ner­vous sys­tem. They invent virus­es, bot­nets, and sundry species of mal­ware. There’s good mon­ey to be made deflect­ing these incur­sions. But a small, tight­ly knit com­mu­ni­ty of com­put­er sci­en­tists who pur­sue such work—some at cyber­se­cu­ri­ty firms, some in acad­e­mia, some with close ties to three-let­ter fed­er­al agencies—is also spurred by a sense of shared ide­al­ism and con­sid­ers itself the benev­o­lent posse that chas­es off the rogues and rogue states that try to pur­loin sen­si­tive data and infect the inter­net with their bugs. “We’re the Union of Con­cerned Nerds,” in the wry for­mu­la­tion of the Indi­ana Uni­ver­si­ty com­put­er sci­en­tist L. Jean Camp.

In late spring, this com­mu­ni­ty of mal­ware hunters placed itself in a high state of alarm. Word arrived that Russ­ian hack­ers had infil­trat­ed the servers of the Demo­c­ra­t­ic Nation­al Com­mit­tee, an attack per­sua­sive­ly detailed by the respect­ed cyber­se­cu­ri­ty firm Crowd­Strike [28]. The com­put­er sci­en­tists posit­ed a log­i­cal hypoth­e­sis, which they set out to rig­or­ous­ly test: If the Rus­sians were worm­ing their way into the DNC, they might very well be attack­ing oth­er enti­ties cen­tral to the pres­i­den­tial cam­paign, includ­ing Don­ald Trump’s many servers. “We want­ed to help defend both cam­paigns, because we want­ed to pre­serve the integri­ty of the elec­tion,” says one of the aca­d­e­mics, who works at a uni­ver­si­ty that asked him not to speak with reporters because of the sen­si­tive nature of his work.

Hunt­ing for mal­ware requires high­ly spe­cial­ized knowl­edge of the intri­ca­cies of the domain name system—the pro­to­col that allows us to type email address­es and web­site names to ini­ti­ate com­mu­ni­ca­tion. DNS enables our words to set in motion a chain of con­nec­tions between servers, which in turn deliv­ers the results we desire. Before a mail serv­er can deliv­er a mes­sage to anoth­er mail serv­er, it has to look up its IP address using the DNS. Com­put­er sci­en­tists have built a set of mas­sive DNS data­bas­es, which pro­vide frag­men­tary his­to­ries of com­mu­ni­ca­tions flows, in part to cre­ate an archive of mal­ware: a kind of cat­a­log of the tricks bad actors have tried to pull, which often involve mas­querad­ing as legit­i­mate actors. These data­bas­es can give a use­ful, though far from com­pre­hen­sive, snap­shot of traf­fic across the inter­net. Some of the most trust­ed DNS specialists—an elite group of mal­ware hunters, who work for pri­vate contractors—have access to near­ly com­pre­hen­sive logs of com­mu­ni­ca­tion between servers. They work in close con­cert with inter­net ser­vice providers, the net­works through which most of us con­nect to the inter­net, and the ones that are most vul­ner­a­ble to mas­sive attacks. To extend the traf­fic metaphor, these sci­en­tists have cam­eras post­ed on the internet’s stop­lights and over­pass­es. They are entrust­ed with some­thing close to a com­plete record of all the servers of the world con­nect­ing with one anoth­er.

In late July, one of these scientists—who asked to be referred to as Tea Leaves, a pseu­do­nym that would pro­tect his rela­tion­ship with the net­works and banks that employ him to sift their data—found what looked like mal­ware ema­nat­ing from Rus­sia. The des­ti­na­tion domain had Trump in its name, which of course attract­ed Tea Leaves’ atten­tion. But his dis­cov­ery of the data was pure happenstance—a sur­pris­ing nee­dle in a large haystack of DNS lookups on his screen. “I have an out­lier here that con­nects to Rus­sia in a strange way,” he wrote in his notes. He couldn’t quite fig­ure it out at first. But what he saw was a bank in Moscow that kept irreg­u­lar­ly ping­ing a serv­er reg­is­tered to the Trump Orga­ni­za­tion on Fifth Avenue.

More data was need­ed, so he began care­ful­ly keep­ing logs of the Trump server’s DNS activ­i­ty. As he col­lect­ed the logs, he would cir­cu­late them in peri­od­ic batch­es to col­leagues in the cyber­se­cu­ri­ty world. Six of them began scru­ti­niz­ing them for clues.

(I com­mu­ni­cat­ed exten­sive­ly with Tea Leaves and two of his clos­est col­lab­o­ra­tors, who also spoke with me on the con­di­tion of anonymi­ty, since they work for firms trust­ed by cor­po­ra­tions and law enforce­ment to ana­lyze sen­si­tive data. They per­sua­sive­ly demon­strat­ed some of their ana­lyt­i­cal meth­ods to me—and showed me two white papers, which they had cir­cu­lat­ed so that col­leagues could check their analy­sis. I also spoke with aca­d­e­mics who vouched for Tea Leaves’ integri­ty and his unusu­al access to infor­ma­tion. “This is some­one I know well and is very well-known in the net­work­ing com­mu­ni­ty,” said Camp. “When they say some­thing about DNS, you believe them. This per­son has tech­ni­cal author­i­ty and access to data.”)

The researchers quick­ly dis­missed their ini­tial fear that the logs rep­re­sent­ed a mal­ware attack. The com­mu­ni­ca­tion wasn’t the work of bots. The irreg­u­lar pat­tern of serv­er lookups actu­al­ly resem­bled the pat­tern of human conversation—conversations that began dur­ing office hours in New York and con­tin­ued dur­ing office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sus­tained rela­tion­ship between a serv­er reg­is­tered to the Trump Orga­ni­za­tion and two servers reg­is­tered to an enti­ty called Alfa Bank.

The researchers had ini­tial­ly stum­bled in their diag­no­sis because of the odd con­fig­u­ra­tion of Trump’s serv­er. “I’ve nev­er seen a serv­er set up like that,” says Christo­pher Davis [16], who runs the cyber­se­cu­ri­ty firm HYAS InfoS­ec Inc. and won a FBI Direc­tor Award for Excel­lence for his work track­ing down the authors of one of the world’s nas­ti­est bot­net [16] attacks. “It looked weird, and it didn’t pass the sniff test.” The serv­er was first reg­is­tered to Trump’s busi­ness in 2009 and was set up to run con­sumer mar­ket­ing cam­paigns. It had a his­to­ry of send­ing mass emails on behalf of Trump-brand­ed prop­er­ties and prod­ucts. Researchers were ulti­mate­ly con­vinced that the serv­er indeed belonged to Trump. (Click here [17] to see the server’s reg­is­tra­tion record.) But now this capa­cious serv­er han­dled a strange­ly small load of traf­fic, such a small load that it would be hard for a com­pa­ny to jus­ti­fy the expense and trou­ble it would take to main­tain it. “I get more mail in a day than the serv­er han­dled,” Davis says.

That wasn’t the only odd­i­ty. When the researchers pinged the serv­er, they received error mes­sages. They con­clud­ed that the serv­er was set to accept only incom­ing com­mu­ni­ca­tion from a very small hand­ful of IP address­es. A small por­tion of the logs showed com­mu­ni­ca­tion with a serv­er belong­ing to Michi­gan-based Spec­trum Health. (The com­pa­ny said in a state­ment: “Spec­trum Health does not have a rela­tion­ship with Alfa Bank or any of the Trump orga­ni­za­tions. We have con­clud­ed a rig­or­ous inves­ti­ga­tion with both our inter­nal IT secu­ri­ty spe­cial­ists and expert cyber secu­ri­ty firms. Our experts have con­duct­ed a detailed analy­sis of the alleged inter­net traf­fic and did not find any evi­dence that it includ­ed any actu­al com­mu­ni­ca­tions (no emails, chat, text, etc.) between Spec­trum Health and Alfa Bank or any of the Trump orga­ni­za­tions. While we did find a small num­ber of incom­ing spam mar­ket­ing emails, they orig­i­nat­ed from a dig­i­tal mar­ket­ing com­pa­ny, Cen­dyn, adver­tis­ing Trump Hotels.”)

Spec­trum account­ed for a rel­a­tive­ly triv­ial por­tion of the traf­fic. Eighty-sev­en per­cent of the DNS lookups involved the two Alfa Bank servers. “It’s pret­ty clear that it’s not an open mail serv­er,” Camp told me. “These orga­ni­za­tions are com­mu­ni­cat­ing in a way designed to block oth­er peo­ple out.”

Ear­li­er this month, the group of com­put­er sci­en­tists passed the logs to Paul Vix­ie [18]. In the world of DNS experts, there’s no high­er author­i­ty. Vix­ie wrote cen­tral strands of the DNS code that makes the inter­net work. After study­ing the logs, he con­clud­ed, “The par­ties were com­mu­ni­cat­ing in a secre­tive fash­ion. The oper­a­tive word is secre­tive. This is more akin to what crim­i­nal syn­di­cates do if they are putting togeth­er a project.” Put dif­fer­ent­ly, the logs sug­gest­ed that Trump and Alfa had con­fig­ured some­thing like a dig­i­tal hot­line con­nect­ing the two enti­ties, shut­ting out the rest of the world, and designed to obscure its own exis­tence. Over the sum­mer, the sci­en­tists observed the com­mu­ni­ca­tions trail from a dis­tance.

* * *

While the researchers went about their work, the con­ven­tion­al wis­dom about Russ­ian inter­fer­ence in the cam­paign began to shift. There were reports [29] that the Trump cam­paign had ordered the Repub­li­can Par­ty to rewrite its plat­form posi­tion on Ukraine, maneu­ver­ing the GOP toward a pol­i­cy pre­ferred by Rus­sia, though the Trump cam­paign denied hav­ing a hand in the change. Then Trump announced in an inter­view [30] with the New York Times his unwill­ing­ness to spring to the defense of NATO allies in the face of a Russ­ian inva­sion. Trump even invit­ed Russ­ian hack­ers to go hunt­ing for Clinton’s emails, then passed the com­ment off as a joke. (I wrote [31] about Trump’s rela­tion­ship with Rus­sia in ear­ly July.)

In the face of accu­sa­tions that he is some­how backed by Putin or in busi­ness with Russ­ian investors, Trump has issued cat­e­gor­i­cal state­ments. “I mean I have noth­ing to do with Rus­sia,” he told [32] one reporter, a flat denial that he repeat­ed over [33] and over [34]. Of course, it’s pos­si­ble that these state­ments are sin­cere and even cor­rect. The sweep­ing nature of Trump’s claim, how­ev­er, prod­ded the sci­en­tists to dig deep­er. They were increas­ing­ly con­fi­dent that they were observ­ing data that con­tra­dict­ed Trump’s claims.

In the par­lance that has become famil­iar since the Edward Snow­den rev­e­la­tions, the DNS logs reside in the realm of meta­da­ta. We can see a trail of trans­mis­sions, but we can’t see the actu­al sub­stance of the com­mu­ni­ca­tions. And we can’t even say with com­plete cer­ti­tude that the servers exchanged email. One sci­en­tist, who wasn’t involved in the effort to com­pile and ana­lyze the logs, ticked off a list of oth­er pos­si­bil­i­ties: an errant piece of spam car­oming between servers, a mis­di­rect­ed email that kept try­ing to reach its des­ti­na­tion, which cre­at­ed the impres­sion of sus­tained com­mu­ni­ca­tion. “I’m see­ing a pre­pon­der­ance of the evi­dence, but not a smok­ing gun,” he said. Richard Clay­ton, a cyber­se­cu­ri­ty researcher at Cam­bridge Uni­ver­si­ty who was sent one of the white papers lay­ing out the evi­dence, acknowl­edges those objec­tions and the alter­na­tive the­o­ries but con­sid­ers them improb­a­ble. “I think mail is more like­ly, because it’s going to a machine run­ning a mail serv­er and [the host] is called mail. Dr. Occam says you should rule out mail before pulling out the more exot­ic expla­na­tions.” After Tea Leaves post­ed his analy­sis on Red­dit, a secu­ri­ty blog­ger who goes by Krypt3ia [35] expressed ini­tial doubts—but his analy­sis was tar­nished by sev­er­al incor­rect assump­tions, and as he exam­ined the mat­ter, his skep­ti­cism of Tea Leaves soft­ened some­what.

I put the ques­tion of what kind of activ­i­ty the logs record­ed to the Uni­ver­si­ty of California’s Nicholas Weaver, anoth­er com­put­er sci­en­tist not involved in com­pil­ing the logs. “I can’t attest to the logs them­selves,” he told me, “but assum­ing they are legit­i­mate they do indi­cate effec­tive­ly human-lev­el com­mu­ni­ca­tion.”

Weaver’s state­ment rais­es anoth­er uncer­tain­ty: Are the logs authen­tic? Com­put­er sci­en­tists are care­ful about vouch­ing for evi­dence that emerges from unknown sources—especially since the logs were past­ed in a text file, where they could con­ceiv­ably have been edit­ed. I asked nine com­put­er scientists—some who agreed to speak on the record, some who asked for anonymity—if the DNS logs that Tea Leaves and his col­lab­o­ra­tors dis­cov­ered could be forged or manip­u­lat­ed. They con­sid­ered it near­ly impos­si­ble. It would be easy enough to fake one or maybe even a dozen records of DNS lookups. But in the aggre­gate, the logs con­tained thou­sands of records, with nuances and pat­terns that not even the most skilled pro­gram­mers would be able to recre­ate on this scale. “The data has got the right kind of fuzz grow­ing on it,” Vix­ie told me. “It’s the inter­pack­et gap, the spac­ing between the con­ver­sa­tions, the total vol­ume. If you look at those time stamps, they are not sim­u­lat­ed. This bears every indi­ca­tion that it was col­lect­ed from a live link.” I asked him if there was a chance that he was wrong about their authen­tic­i­ty. “This pass­es the rea­son­able per­son test,” he told me. “No rea­son­able per­son would come to the con­clu­sion oth­er than the one I’ve come to.” Oth­ers were equal­ly emphat­ic. “It would be real­ly, real­ly hard to fake these,” Davis said. Accord­ing to Camp, “When the tech­ni­cal com­mu­ni­ty exam­ined the data, the con­clu­sion was pret­ty obvi­ous.”

It’s pos­si­ble to impute polit­i­cal motives to the com­put­er sci­en­tists, some of whom have crit­i­cized Trump on social media. But many of the sci­en­tists who talked to me for this sto­ry are Repub­li­cans. And almost all have strong incen­tives for steer­ing clear of con­tro­ver­sy. Some work at pub­lic insti­tu­tions, where they are vul­ner­a­ble to polit­i­cal pres­sure. Oth­ers work for firms that rely on gov­ern­ment contracts—a rela­tion­ship that tends to squash posi­tions that could be mis­in­ter­pret­ed as out­spo­ken.

* * *

Alfa’s oli­garchs occu­pied an unusu­al posi­tion in Putin’s fir­ma­ment. They were insid­ers but not in the clos­est ring of pow­er. “It’s like they were his judo pals,” one for­mer U.S. gov­ern­ment offi­cial who knows Frid­man told me. “They were always wor­ried about where they stood in the peck­ing order and always feared expro­pri­a­tion.” Frid­man and Aven, how­ev­er, are adept at stay­ing close to pow­er. As the U.S. Dis­trict Court for the Dis­trict of Colum­bia once ruled [36], in the course of dis­miss­ing a libel suit the bankers filed, “Aven and Frid­man have assumed an unfore­seen lev­el of promi­nence and influ­ence in the eco­nom­ic and polit­i­cal affairs of their nation.”

Unlike oth­er Russ­ian firms, Alfa has oper­at­ed smooth­ly and effort­less­ly in the West. It has nev­er been slapped with sanc­tions [37]. Frid­man and Aven have cul­ti­vat­ed a rep­u­ta­tion as benef­i­cent phil­an­thropists. They endowed a pres­ti­gious fel­low­ship [38]. The Woodrow Wil­son Inter­na­tion­al Cen­ter for Schol­ars, the Amer­i­can-gov­ern­ment fund­ed think tank, gave Aven its award [39] for “Cor­po­rate Cit­i­zen­ship” in 2015. To pro­tect its inter­ests in Wash­ing­ton, Alfa hired as its lob­by­ist for­mer Rea­gan admin­is­tra­tion offi­cial Ed Rogers [40]. Richard Burt [41], who helped Trump write the speech in which he first laid out his for­eign pol­i­cy, serves on Alfa’s senior advi­so­ry board. The brand­ing cam­paign has worked well. Dur­ing the first Oba­ma term, Frid­man and Aven met with offi­cials in the White House on two occa­sions, accord­ing to vis­i­tor logs [42].

Frid­man and Aven have sig­nif­i­cant busi­ness inter­ests to pro­mote in the West. One of their hold­ing com­pa­nies, Let­terOne, has vowed to invest as much as $3 bil­lion in U.S. health care. This year, it sank $200 mil­lion into Uber [43]. This is, of course, mon­ey that might oth­er­wise be invest­ed in Rus­sia. Accord­ing to a for­mer U.S. offi­cial, Putin tol­er­ates this con­di­tion because Alfa advances Russ­ian inter­ests. It pro­motes itself as an avatar of Russ­ian prowess. “It’s our moral duty to become a glob­al play­er, to prove a Russ­ian can trans­form into an inter­na­tion­al busi­ness­man,” Frid­man told the Finan­cial Times [44].

* * *

Tea Leaves and his col­leagues plot­ted the data [19] from the logs on a time­line. What it illus­trat­ed was sug­ges­tive: The con­ver­sa­tion between the Trump and Alfa servers appeared to fol­low the con­tours of polit­i­cal hap­pen­ings in the Unit­ed States. “At elec­tion-relat­ed moments, the traf­fic peaked,” accord­ing to Camp. There were con­sid­er­ably more DNS lookups, for instance, dur­ing the two con­ven­tions.

In Sep­tem­ber, the sci­en­tists tried to get the pub­lic to pay atten­tion to their data. One of them post­ed a link to the logs in a Red­dit thread. Around the same time, the New York Times’ Eric Licht­blau and Steven Lee Myers began chas­ing the sto­ry.* (They are still pur­su­ing it.) Licht­blau met with a Wash­ing­ton rep­re­sen­ta­tive of Alfa Bank on Sept. 21, and the bank denied hav­ing any con­nec­tion to Trump.(Licht­blau told me that Times pol­i­cy pre­vents him from com­ment­ing on his report­ing.)

The Times hadn’t yet been in touch with the Trump campaign—Lichtblau spoke with the cam­paign a week lat­er—but short­ly after it reached out to Alfa, the Trump domain name in ques­tion seemed to sud­den­ly stop work­ing. When the sci­en­tists looked up the host, the DNS serv­er returned a fail mes­sage, evi­dence that it no longer func­tioned. Or as it is tech­ni­cal­ly diag­nosed, it had “SERV­FAILed.” (On the time­line above, this is the moment at the end of the chronol­o­gy when the traf­fic abrupt­ly spikes, as servers fran­ti­cal­ly attempt to resend reject­ed mes­sages.) The com­put­er sci­en­tists believe there was one log­i­cal con­clu­sion to be drawn: The Trump Orga­ni­za­tion shut down the serv­er after Alfa was told that the Times might expose the con­nec­tion. Weaver told me the Trump domain was “very slop­pi­ly removed.” Or as anoth­er of the researchers put it, it looked like “the knee was hit in Moscow, the leg kicked in New York.”

Four days lat­er, on Sept. 27, the Trump Orga­ni­za­tion cre­at­ed a new host name, trump1.contact-client.com, which enabled com­mu­ni­ca­tion to the very same serv­er via a dif­fer­ent route. When a new host name is cre­at­ed, the first com­mu­ni­ca­tion with it is nev­er ran­dom. To reach the serv­er after the reset­ting of the host name, the sender of the first inbound mail has to first learn of the name some­how. It’s sim­ply impos­si­ble to ran­dom­ly reach a renamed serv­er. “That par­ty had to have some kind of out­bound mes­sage through SMS, phone, or some non­in­ter­net chan­nel they used to com­mu­ni­cate [the new con­fig­u­ra­tion],” Paul Vix­ie told me. The first attempt to look up the revised host name came from Alfa Bank. “If this was a pub­lic serv­er, we would have seen oth­er traces,” Vix­ie says. “The only look-ups came from this par­tic­u­lar source.”

Accord­ing to Vix­ie and oth­ers, the new host name may have rep­re­sent­ed an attempt to estab­lish a new chan­nel of com­mu­ni­ca­tion. But media inquiries into the nature of Trump’s rela­tion­ship with Alfa Bank, which sug­gest­ed that their com­mu­ni­ca­tions were being mon­i­tored, may have deterred the par­ties from using it. Soon after the New York Times began to ask ques­tions, the traf­fic between the servers stopped cold.

* * *

Last week, I wrote to Alfa Bank ask­ing if it could explain why its servers attempt­ed to con­nect with the Trump Orga­ni­za­tion on such a reg­u­lar basis. Its Wash­ing­ton rep­re­sen­ta­tive, Jef­frey Birn­baum of the pub­lic rela­tions firm BGR, pro­vid­ed me the fol­low­ing response:

Alfa hired Man­di­ant, one of the world’s fore­most cyber secu­ri­ty experts, to inves­ti­gate and it has found noth­ing to the alle­ga­tions. I hope the below answers respond clear­ly to your ques­tions. Nei­ther Alfa Bank nor its prin­ci­pals, includ­ing Mikhail Frid­man and Petr Aven, have or have had any con­tact with Mr. Trump or his orga­ni­za­tions. Frid­man and Aven have nev­er met Mr. Trump nor have they or Alfa Bank had any busi­ness deal­ings with him. Nei­ther Alfa nor its offi­cers have sent Mr. Trump or his orga­ni­za­tions any emails, infor­ma­tion or mon­ey. Alfa Bank does not have and has nev­er had any spe­cial or exclu­sive inter­net con­nec­tion with Mr. Trump or his enti­ties. The asser­tion of a spe­cial or pri­vate link is patent­ly false.

I asked Birn­baum if he would con­nect me with Man­di­ant to elab­o­rate on its find­ings. He told me:

Man­di­ant is still doing its deep dive into the Alfa Bank sys­tems. Its lead­ing the­o­ry is that Alfa Bank’s servers may have been respond­ing with com­mon DNS look ups to spam sent to it by a mar­ket­ing serv­er. But it doesn’t want to speak on the record until it’s fin­ished its inves­ti­ga­tion.

It’s hard to eval­u­ate the find­ings of an inves­ti­ga­tion that hasn’t end­ed. And of course, even the most rep­utable firm in the world isn’t like­ly to loud­ly broad­cast an opin­ion that bites the hand of its client.

I posed the same basic ques­tions to the Trump cam­paign. Trump spokes­woman Hope Hicks sent me this in response to my ques­tions by email:

The email serv­er, set up for mar­ket­ing pur­pos­es and oper­at­ed by a third-par­ty, has not been used since 2010. The cur­rent traf­fic on the serv­er from Alphabank’s [sic] IP address is reg­u­lar DNS serv­er traffic—not email traf­fic. To be clear, The Trump Orga­ni­za­tion is not send­ing or receiv­ing any com­mu­ni­ca­tions from this email serv­er. The Trump Orga­ni­za­tion has no com­mu­ni­ca­tion or rela­tion­ship with this enti­ty or any Russ­ian enti­ty.

I asked Hicks to explain what caused the Trump Orga­ni­za­tion to rename its host after the New York Times called Alfa. I also asked how the Trump Orga­ni­za­tion arrived at its judg­ment that there was no email traf­fic. (Fur­ther­more, there’s no such thing as “reg­u­lar” DNS serv­er traf­fic, at least not accord­ing to the com­put­er sci­en­tists I con­sult­ed. The very rea­son DNS exists is to enable email and oth­er means of com­mu­ni­ca­tion.) She nev­er pro­vid­ed me with a response.

What the sci­en­tists amassed wasn’t a smok­ing gun. It’s a sug­ges­tive body of evi­dence that doesn’t absolute­ly pre­clude alter­na­tive expla­na­tions. But this evi­dence arrives in the broad­er con­text of the cam­paign and every­thing else that has come to light: The efforts of Don­ald Trump’s for­mer cam­paign man­ag­er [45]to bring Ukraine into Vladimir Putin’s orbit; the oth­er Trump advis­er whose com­mu­ni­ca­tions [46] with senior Russ­ian offi­cials have wor­ried intel­li­gence offi­cials; the Russ­ian hack­ing of the DNC and John Podesta’s email.

We don’t yet know what this serv­er was for, but it deserves fur­ther expla­na­tion.

“Ear­li­er this month, the group of com­put­er sci­en­tists passed the logs to Paul Vix­ie [18]. In the world of DNS experts, there’s no high­er author­i­ty. Vix­ie wrote cen­tral strands of the DNS code that makes the inter­net work. After study­ing the logs, he con­clud­ed, “The par­ties were com­mu­ni­cat­ing in a secre­tive fash­ion. The oper­a­tive word is secre­tive. This is more akin to what crim­i­nal syn­di­cates do if they are putting togeth­er a project.” Put dif­fer­ent­ly, the logs sug­gest­ed that Trump and Alfa had con­fig­ured some­thing like a dig­i­tal hot­line con­nect­ing the two enti­ties, shut­ting out the rest of the world, and designed to obscure its own exis­tence. Over the sum­mer, the sci­en­tists observed the com­mu­ni­ca­tions trail from a dis­tance.”

Well, that is quite a bomb­shell if it pans out. Maybe not exact­ly the bomb­shell that the emerg­ing cov­er­age of the sto­ry will depict, but still quite [8] a bomb­shell [9]

2. Offi­cial­dom, includ­ing the main­stream media, have (accord­ing to the FBI) dis­missed any notion of a Trump/Alfa link:

“. . . . Foer men­tions in his piece that the New York Times was inves­ti­gat­ing the link. On Mon­day, the paper report­ed [21] that the FBI had looked into and dis­missed the idea that the two servers rep­re­sent­ed a secret com­mu­ni­ca­tions chan­nel. Inves­ti­ga­tors “con­clud­ed that there could be an innocu­ous expla­na­tion, like a mar­ket­ing email or spam, for the com­put­er con­tacts,” the Times’ Eric Licht­blau and Steven Lee Myers report­ed. . . . 

“That Secret Trump-Rus­sia Email Serv­er Link Is Like­ly Nei­ther Secret Nor a Trump-Rus­sia Link” by Philip Bump; The Wash­ing­ton Post; 11/01/2016. [20]

Of all the things that were going to get Don­ald Trump into trou­ble over the course of this elec­tion, I would have put “auto­mat­ed com­put­er serv­er activ­i­ty” pret­ty low on the list. But here we are.

On Mon­day night, Slate pub­lished [15] a lengthy sto­ry writ­ten by Franklin Foer explor­ing an odd con­nec­tion between Trump’s busi­ness­es and a bank in Rus­sia. . . . .

. . . . Foer men­tions in his piece that the New York Times was inves­ti­gat­ing the link. On Mon­day, the paper report­ed [21] that the FBI had looked into and dis­missed the idea that the two servers rep­re­sent­ed a secret com­mu­ni­ca­tions chan­nel. Inves­ti­ga­tors “con­clud­ed that there could be an innocu­ous expla­na­tion, like a mar­ket­ing email or spam, for the com­put­er con­tacts,” the Times’ Eric Licht­blau and Steven Lee Myers report­ed. . . .

3a. Crown Resources and oth­er Crown enti­ties are part of the Alfa Group, one of whose out­growths is the CDS sub­sidiary pro­gram the Alfa Fel­low­ship. Note that Mark Rich’s com­modi­ties oper­a­tion was nego­ti­at­ing with Alfa sub­sidiary Crown resources over a buy­out. That buy­out did­n’t hap­pen, but anoth­er one did.

“Mark Rich Deal to Sell Com­modi­ties Oper­a­tion to Russ­ian Group Fails” [AP]; 6/8/2001. [22]

. . . .  A deal to sell the Swiss-based com­modi­ties oper­a­tion of for­mer U.S. fugi­tive financier Marc Rich to Rus­sia-owned ener­gy trad­ing group Crown Resources is off. . . . Crown is owned by the Alfa Group con­glom­er­ate. . . . .

3b. Alfa play­er Mikhail Frid­man did pur­chase Marc Rich’s firm. (Most out­lets spell Rich’s first name as “Marc.”)

“ ‘Defen­dants’ Ten­ta­cles Reach Into and Injure Numer­ous Amer­i­cans’” [PRNewswire]; Forbes; 6/9/2006. [23]

 . . . . Mikhail Frid­man: ‘Defen­dant Mikhail Frid­man cur­rent­ly serves as Chair­man of the Board of Direc­tors of co-con­spir­a­tor Alfa Bank and as Chair­man of the Board of Direc­tors of Defen­dant Con­sor­tium Alfa Group. Frid­man fur­ther served on the Board of Vim­pel­Com, a NYSE com­pa­ny, and has con­trol over Gold­en Tele­com, a NASDAQ com­pa­ny ... pur­chased the Unit­ed States trad­ing firm owned by Amer­i­can, Mark Rich, the one time com­modi­ties baron par­doned by Pres­i­dent Clin­ton with much con­tro­ver­sy. Frid­man pur­ports to have become a phil­an­thropist in the Unit­ed States’ and is a mem­ber of the Board of the Coun­cil on For­eign Rela­tions based in New York. [pgs. 6–7] Pyotr Aven: ‘Defen­dant Pyotr Aven also has been a major par­tic­i­pant in the scheme and worked direct­ly with Rozhet­skin and Frid­man in the mis­ap­pro­pri­a­tion and theft of IPOC monies. Aven is a direc­tor of Gold­en Tele­com, a NASDAQ com­pa­ny, which reg­u­lar­ly files with the Unit­ed States Secu­ri­ties Exchange Com­mis­sion. He is a con­tro­ver­sial fig­ure: As observed by the Unit­ed States Dis­trict Court for the Dis­trict of Colum­bia, a Russ­ian ‘cor­rup­tion task force informed [the gov­ern­ment] that Aven was engaged in var­i­ous mis­deeds, includ­ing drug traf­fick­ing. See OAO Alfa Bank v. Cen­ter for Pub­lic Integri­ty, Civ. Action No. 00–2208 (JDB), Mem. Op., Sept. 22, 2005 at 11 n.26.’ [pg. 8] . . . .

4. Right around the same time peo­ple start­ed won­der­ing if the rea­son James Comey threw Hillary’s email serv­er inves­ti­ga­tion right into the mid­dle of the cam­paign, some­one at the FBI decides to throw a whole bunch of oth­er old Clin­ton inves­ti­ga­tions into the cam­paign.

Also note regard­ing the tweet about Marc Rich that James Comey over­saw Rich’s pros­e­cu­tion from 1987–1993 and took over the inves­ti­ga­tion of Bill Clinton’s Marc Rich par­don in 2002 [27]. So it sounds like a fac­tion of the FBI agents has decid­ed to join the Team Trump Troll Squad [47] a week before the elec­tion. It rais­es the ques­tion of whether or not these agents are dri­ven more by a case of Clin­ton Derange­ment Syn­drome or are just real­ly intense Trump fans. It’s prob­a­bly [48] a bit of both [49].

“Is Some­body at the F.B.I. Try­ing to Throw the Elec­tion?” by Emi­ly Jane Fox; Van­i­ty Fair; 11/1/2016. [24]

A series of tweets from a long-dor­mant F.B.I. Twit­ter account sug­gest an ulte­ri­or motive.

The Fed­er­al Bureau of Inves­ti­ga­tion, while under the aegis of the Jus­tice Depart­ment, is nom­i­nal­ly an inde­pen­dent orga­ni­za­tion, allow­ing it to remain non­par­ti­san. This explains in part the out­rage on the left (and by some on the right) when F.B.I. direc­tor James Comey sent a let­ter Fri­day noti­fy­ing Con­gress that the agency had renewed its inves­ti­ga­tion into Hillary Clinton’s pri­vate e‑mail serv­er, a case it had closed months ear­li­er. Comey was imme­di­ate­ly derid­ed for his deci­sion to send the let­ter with so few specifics so close to the elec­tion, effec­tive­ly rais­ing all sorts of flags and chang­ing the cam­paign dia­logue with­out expla­na­tion. Sen­a­tor Har­ry Reid wrote a let­ter of his own, argu­ing [50] that Comey’s “par­ti­san actions” may have vio­lat­ed fed­er­al law. He also made the point of ask­ing why the F.B.I. direc­tor didn’t give sim­i­lar treat­ment to what he called “explo­sive infor­ma­tion” link­ing Trump and his cam­paign staff to the Russ­ian gov­ern­ment. Now, a new inter­a­gency mys­tery is rais­ing ques­tions about whether the F.B.I. has become politi­cized, just days before the pres­i­den­tial elec­tion. On Sun­day, a long-dor­mant F.B.I. Twit­ter account sud­den­ly sprung to life, blast­ing out [25] a series of links to case files that cast the Clin­tons in a decid­ed­ly neg­a­tive light. One tweet links to pub­licly avail­able doc­u­ments relat­ed to the agency’s inves­ti­ga­tion into Hillary Clinton’s pri­vate e‑mail serv­er, fol­lowed imme­di­ate­ly by anoth­er tweet link­ing to the inves­ti­ga­tion of for­mer gen­er­al David Petraeus for com­pro­mis­ing clas­si­fied material—a jar­ring jux­ta­po­si­tion giv­en the alle­ga­tions against Clin­ton. Then, on Tues­day, the “FBI Records Vault” account—which had not tweet­ed at all between Octo­ber 2015 and Sunday—published a link to records relat­ed to the 15-year-old, long-closed inves­ti­ga­tion into for­mer Pres­i­dent Bill Clinton’s par­don­ing of one­time com­modi­ties trad­er turned fugi­tive Marc Rich. The post, which was quick­ly retweet­ed thou­sands of times [26], links to a heav­i­ly redact­ed doc­u­ment that repeat­ed­ly ref­er­ences the agency’s “Pub­lic Cor­rup­tion” unit—less-than-ideal optics for Hillary Clin­ton, who has spent her entire cam­paign fight­ing her image as a cor­rupt politi­cian.

5. As it hap­pens, James Comey is a long-time tor­menter of the Clin­tons, going back to the White­wa­ter inves­ti­ga­tion. Comey was also in charge of the inves­ti­ga­tions into Marc Rich and Bill Clin­ton’s par­don of Marc Rich.

Is there a con­nec­tion between the offi­cial dis­missal of the inves­ti­ga­tion into the Alfa/Trump link by the FBI, the tweet­ing by the FBI of the files on the Clin­ton par­don of Marc Rich and the fact that it was Comey who presided over the Marc Rich inves­ti­ga­tions?

” . . . . In 2002, Comey, then a fed­er­al pros­e­cu­tor, took over an inves­ti­ga­tion into Pres­i­dent Bill Clin­ton’s 2001 par­don of financier Marc Rich, who had been indict­ed on a laun­dry list of charges before flee­ing the coun­try. The deci­sion set off a polit­i­cal firestorm focused on accu­sa­tions that Rich’s ex-wife Denise made dona­tions to the Demo­c­ra­t­ic Par­ty, the Clin­ton Library and Hillary Clin­ton’s 2000 Sen­ate cam­paign as part of a plan to get Rich off the hook. Comey ulti­mate­ly decid­ed not to pur­sue the case. The kick­er: Comey him­self had over­seen Rich’s pros­e­cu­tion between 1987 and 1993. . . .”

“Who Is James Comey? Sev­en Things to Know About the FBI Direc­tor” by Gre­go­ry Krieg; CNN; 1/30/2016. [27]

. . . . . His first run-in came in the mid-1990s, when he joined the Sen­ate White­wa­ter Com­mit­tee as a deputy spe­cial coun­sel. There he dug into alle­ga­tions that the Clin­tons took part in a fraud con­nect­ed to a Arkansas real estate ven­ture gone bust. No charges were ever brought against either Clin­ton, but the scan­dal would even­tu­al­ly lead to inde­pen­dent coun­sel Ken­neth Star­r’s probe that would result in the Lewin­sky scan­dal.

In 2002, Comey, then a fed­er­al pros­e­cu­tor, took over an inves­ti­ga­tion into Pres­i­dent Bill Clin­ton’s 2001 par­don of financier Marc Rich, who had been indict­ed on a laun­dry list of charges before flee­ing the coun­try. The deci­sion set off a polit­i­cal firestorm focused on accu­sa­tions that Rich’s ex-wife Denise made dona­tions to the Demo­c­ra­t­ic Par­ty, the Clin­ton Library and Hillary Clin­ton’s 2000 Sen­ate cam­paign as part of a plan to get Rich off the hook. Comey ulti­mate­ly decid­ed not to pur­sue the case.

The kick­er: Comey him­self had over­seen Rich’s pros­e­cu­tion between 1987 and 1993. . . .