There's a lotta stupid in this post that anyone who has taken a Networking 101 course could identify.
'Emails being passed across the World Wide Web are broken down into smaller segments called packets...To accomplish this, all the packets that form a message are assigned an identifying number that enables the receiving end to collect them for reassembly. Moreover, each packet carries the originator and ultimate receiver Internet protocol number (either IPV4 or IPV6) that enables the network to route data...The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.'
Er, what? I don't know who wrote that, but this is not how it works.
They seem to be saying that TCP sequence numbers allow tracing of SMTP messages as they are forwarded around the web. But...no, they don't. They allow tracing a single SMTP connection from source to destination host, but that's it.
If the attackers forwarded exfiltrated emails via SMTP (which I doubt), those messages would have a different TCP sequence (obviously), so would not be trivially traceable as described.
More likely, the attackers downloaded the target mailbox and then uploaded it via some other connection at some other time, providing no consecutive action to trace.
The whole description here of how "packets" work is both wrong and idiotically wrong. I don't think this is intentional, because it's just too stupid. But it doesn't have the meaning they say it has.
Also, reading the names of the signers, they're all long-retired and/or formerly senior, i.e., people who probably don't know how this whole Internet thing works.
There's no actual technical claim here, other than, "The NSA should be 100% sure, and they said they were less than 100% sure, so they aren't sure."
But the point isn't that they dumbed it down. It's that the crux of their argument is basically, "You should be able to track the stolen emails." Which is fundamentally not true.
Easy example:
1. Download emails via IMAP
2. Disconnect from Tor
3. Copy emails via FTP to wherever
#1 and #3 have different IP addresses and TCP connections. The whole "packet number" thing is just ludicrous--that's not how the Force works!
There are of course lots of details here about potentially piercing Tor with traffic analysis and compromised onion routers, etc, etc. But their description of how the system works and why the NSA should definitely be able to give 100% attribution is literally wrong. It's not a simplification--it's just literally not how the code works.
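To make the point above concrete, here is an added toy TCP reassembler (example code, not from the thread or any real tool). It feeds constructed segments from two hypothetical connections, an IMAP download and a later FTP upload of the same message, through per-connection reassembly; the sequence numbers order bytes only inside their own 4-tuple, so the only way to relate the two flows is by comparing their reassembled content. All addresses, ports and payloads are invented sample values.

```python
# Added example, not from the thread: toy per-connection TCP reassembly.
from collections import defaultdict

# Constructed segments: (src_ip, src_port, dst_ip, dst_port, seq, payload).
# Flow 1: hypothetical IMAP download, mail server -> client, out of order.
# Flow 2: the same message sent later from another host over an FTP data link.
SEGMENTS = [
    ("203.0.113.10", 143, "198.51.100.7", 50012, 1025, b"Subject: budget\r\n"),
    ("203.0.113.10", 143, "198.51.100.7", 50012, 1000, b"From: alice@example.org\r\n"),
    ("203.0.113.10", 143, "198.51.100.7", 50012, 1042, b"\r\nsee attached\r\n"),
    ("192.0.2.55", 41000, "203.0.113.99", 20, 777000, b"From: alice@example.org\r\n"),
    ("192.0.2.55", 41000, "203.0.113.99", 20, 777042, b"\r\nsee attached\r\n"),
    ("192.0.2.55", 41000, "203.0.113.99", 20, 777025, b"Subject: budget\r\n"),
]


def reassemble(segments):
    """Group by 4-tuple, order by seq, concatenate: {4-tuple: bytes}.
    The sequence number only orders bytes inside its own connection; each
    connection starts from its own initial sequence number."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        flows[(src, sport, dst, dport)].append((seq, data))
    out = {}
    for key, segs in flows.items():
        segs.sort()
        expected, buf = segs[0][0], bytearray()
        for seq, data in segs:
            if seq != expected:  # loss or overlap: a real stack would wait/retransmit
                raise ValueError(f"gap at seq {seq} in {key}")
            buf += data
            expected = seq + len(data)
        out[key] = bytes(buf)
    return out


def linked_by_headers(flows):
    """Flow pairs sharing an (ip, port) endpoint, the only header-level hook."""
    keys = list(flows)
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if {(a[0], a[1]), (a[2], a[3])} & {(b[0], b[1]), (b[2], b[3])}]


def linked_by_content(flows):
    """Flow pairs whose reassembled payloads are byte-identical."""
    keys = list(flows)
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if flows[a] == flows[b]]
```

Running `reassemble(SEGMENTS)` yields two flows with identical bytes, `linked_by_headers` finds nothing, and `linked_by_content` finds the one pair: correlation across connections is a content-matching job, not a packet-numbering one.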
I read it differently. They present three hypothetical sources for the emails:
1. Leak at DNC
2. Hacking
3. Leak at NSA
The reconstruction of emails explains why an NSA employee could be the leaker. The technical argument about detecting hacking is unrelated (except that a packet reconstruction of all DNC traffic would contain evidence of the attack and data transfer, which the NSA can supposedly reliably data mine).
Most important comment from the article:
"... would we really care so much if it was Woodward & Bernstein that did this? Was there a crime they committed other than breaking into some computers to copy data that voters should have been made aware of anyway? "