Guccifer 2.0's Final Messenger: Mainstream Media & Their "Russian Fingerprints"

Authored by Elizabeth Vos via DisobedientMedia.com,

Disobedient Media has consistently covered the work of The Forensicator over the last nine months. Our previous report focused on the first in a series of findings made by the analyst, which reveal intricate issues stemming from the Guccifer 2.0 persona’s earliest publications, as well as the establishment media’s culpability in broadcasting the documents as part of a larger Russian hacking narrative.

This article will focus on the second work published by the Forensicator in his ongoing series, titled: Media Mishaps: Early Guccifer 2 Coverage. The Forensicator sums up the results of his latest work:

Wittingly, or not, the media served a critical role in getting the message out that there were “Russian fingerprints” inside the first document that Guccifer 2 disclosed.

The media became Guccifer 2.0’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called “Russian fingerprints”).

As described by the Forensicator, the emergence of wide public exposure to Guccifer 2.0’s first document and the Cyrillic error messages embedded within it depended solely on the work of establishment media. The outlets involved worked to make the technical details of the matter digestible for broad public consumption, and concluded that the errors in the document constituted evidence of a successful Russian-state-sponsored hack of the DNC.

While this may not represent a shocking revelation to those who have followed the lumbering progress of the Russian hacking narrative, the Forensicator’s new report indicates the degree to which there may have been active or unwitting cooperation between the Guccifer 2.0 persona and key press outlets who published the earliest reports on the alleged hacker’s publication of the ‘Trump Opposition report.’

Leading the charge in such press coverage was The Washington Post, who reported on June 14, 2016, that the DNC alleged that it had been hacked by Russian operatives. The following day, Guccifer 2.0 made his official debut.  He shared several documents with at least two media outlets: The Smoking Gun and Gawker. The outlets focused on Guccifer 2.0’s first document, a doctored version of a Trump Opposition Report that the DNC claimed had been stolen by Russian hackers. Both media outlets published Guccifer 2.0’s first publication as a PDF file on their websites.

As discussed by the Forensicator and Disobedient Media, the fact the email to which the opposition report was attached was later published in the Podesta Email collection by Wikileaks does not prove that Guccifer 2.0 and Wikileaks shared a source on the document. However, it does suggest that either the DNC, the operators of the Guccifer 2.0 person, or both parties had access to Podesta’s emails. This raises questions as to why the DNC would interpret the use of this particular file as evidence of Russian penetration of the DNC.

Returning to the timeline of events surrounding media coverage of the Guccifer 2.0 persona’s debut, one recalls that the following day, on June 16, 2016, Ars Technica published an article, titled “Guccifer” leak of DNC Trump research has a Russian’s fingerprints on it.  The “Russian fingerprints” cited were the error messages, written in the Cyrillic alphabet, which were included near the end of Gawker’s PDF printout of the opposition report. The errors are presented, with notation via the Forensicator, below:

Image via The Forensicator

The Forensicator’s findings describe the procedure by which Ars Technica opened Guccifer 2’s document, seeing the error messages in English despite Gawker’s PDF showing them in Russian. In response to this inconsistency, Ars Technica argued that the Russian error messages must have appeared when the file was printed as a PDF. The outlet also made the surprising claim that Gawker got its PDF file directly from Guccifer 2.0. This statement, as highlighted by the Forensicator in the following image, raises serious questions regarding the relationship between major press outlets and supposed Russian hackers.

It is important to not that the possibility that the respective outlets worked directly with those responsible for the Guccifer 2.0 persona cannot be proven, or ruled out, based on the currently available evidence.

 

It is also highly interesting that in this incredibly early Ars Technica report on the Guccifer 2.0 persona’s publication of an attachment from a Podesta email would use the term “leaker,” as opposed to “hacker,” in coverage which ultimately implied the DNC had been hacked by Russians. In fact, the article did not use the term one, but three times, including the article’s subtitle. One can only wonder if this apparent Freudian slip represented an unintentional admission of the real circumstances of the initial security breach at the DNC from which all later ‘Russian hacking’ controversy stems.

The Forensicator’s latest work provides a close reading of the metadata for the PDF’s published by The Smoking Gun and Gawker, shown in the table below. In reviewing his work, one notices that Gawker used LibreOffice and that The Smoking Gun used Word for Mac to create their PDF files.

The Forensicator’s analysis destroys Ars Technica’s speculative theory, by pointing out that Gawker‘s PDF has Russian error messages because Guccifer 2’s 1.doc was opened in LibreOffice:

If we open 1.doc in LibreOffice, the Russian error messages are visible.  They will be displayed in Russian, independent of the user’s language settings.  Why?  This behavior derives from the fact that LibreOffice handles these invalid (empty) URL’s differently than Microsoft Word for Windows.

We observe that LibreOffice does not issue an error when it encounters an empty URL inside a HYPERLINK field; it simply prints the text defined by \fldrslt.  The \fldrslt value in this case is the display text for the URL, which happens to be the Russian error message.  LibreOffice prints that Russian error message independent of the user’s current language setting; it thinks it is simply the URL’s display text.

The above explanation iterates the method by which Gawker created its PDF with “Russian fingerprints”, but leaves one wondering how The Smoking Gun produced its PDF containing Russian error messages?  The Smoking Gun did not use LibreOffice – they used Word for Mac instead.  The Forensicator runs this down, writing:

“Surprisingly, Word for Mac behaves differently from Word for Windows, when it encounters an empty URL.  Word for Mac behaves similarly to LibreOffice; it quietly accepts the empty URL and simply displays the hyperlink text (defined by the \fldrslt function code) inside the document.  This text happens to be a Russian error message, written in Cyrillic.”

The Forensicator points out that if both media outlets had opened Guccifer 2’s 1.doc in Word for Windows, the error messages would have appeared in English, and there would never have been any “Russian fingerprints” – and therefore Russian hacking – story.  Given that the vast majority of users have Microsoft Word for Windows, it is especially surprising that both Gawker and The Smoking Gun used a different word processing application.

In his previous report, the Forensicator explained the multi-step complex process used to embed the Russian error messages into 1.doc, in other words, the Guccifer 2.0 persona’s side of the operation in producing the initial Russian hacking ‘evidence.’  Now, we learn from his newest report, that a final critical final step was needed to have those Russian error messages appear in the published PDF’s – the journalists had to print those PDF’s with either LibreOffice or Word for Mac. Given this, the Forensicator makes this critical summary point:

“The media became Guccifer 2’s assistant by completing the long path from the original Trump opposition report to the final published PDF’s with Russian error messages in them (the so-called Russian fingerprints).”

The Forensicator mentions that his analysis depends on the assumption that both Gawker and The Smoking Gungenerated their own PDF’s.  If instead, they received their PDF documents from those behind the construction of the Guccifer 2.0 persona or a third party and didn’t inform their readers of this ‘chain-of-custody’ of their evidence, serious questions as to the integrity of their reporting process are inevitably raised.

In this way, the respective media outlets can be said to have taken an active role (wittingly or not) in advancing the “Russian fingerprints” narrative. They achieved this by describing Guccifer 2.0’s publication of the Trump Opposition report as an incident related to Russian hacking, and most importantly, by using the required operating systems and settings to create Cyrillic error messages used to substantiate these claims. Placing the intent of the journalists involved and the ominous reference by Ars Technica to a ‘leaker’ aside, Gawker and The Smoking Gun can be said to have acted as final messengers of the Guccifer 2.0 persona and those behind it.