BEWARE of Lindell's pcap data! (but, we're still OK)

Posted by DC on Sun, 06/06/2021 - 08:43

I have to apologize for posting this article a few days ago before looking at Lindell's video.  I listen to videos in the background while I work, so when I played Lindell's "9-0", I took a glance and saw that data stream and assumed it's what he said it was.

It's not.  What clued me in was listening to this podcast this morning with an attorney interviewing a white hat named Joshua Merritt about Lindell's drop.  The attorney was having Merritt verify that this is indeed pcap data.  Merritt confirmed it was, and said "that's the time signature on the left".

That column on the left isn't a time signature.  It's the byte offset from the beginning of the file.  Each line is 16 bytes, and that field tells you where you are in the file.  If you've been in this business as long as he has, and certainly as long as I have, you've seen hex dump output a million times.  This may seem insignificant, but it would be like someone calling your odometer the oil gauge.  It's not even close.

I almost spit up my coffee, and just pulled up the video to give it a looksie.  When I looked closer and saw most of the bytes in ASCII range (0x20 to 0x7e, for the chars you'd care about), that told me this is NOT encrypted data.

"Come on DC, you mean you can read that gobbledygook?"  Yes, which also means it's not encrypted.

If the data was "raw" and encrypted, the values would be all over the place, not just mostly in ASCII range for chars we read.

The other thing that was obvious, and obvious to anyone who's worked with data for more than five minutes, is this data (or the sections I looked at) is CSV data.  You can tell that by the abundance of 27 2c 27, which is ',' in ASCII, and it wraps other values in ASCII range.  You also see a lot of 2c 27 27 2c values, which is an empty field (nothing between the 0x27 single quotes).

So, this is unencrypted CSV data.  The tech guy speaking with Lindell said it's encrypted, but it's not.

Also, if this were "raw" pcaps, you'd see headers.  I don't see headers.  That's OK (expect lefties to make a big deal out of this) and doesn't mean these aren't pcaps because you can simply strip out headers (tcpdump -s).  Or, this is just a hex dump of a file that contains the data plucked from the pcaps.
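As an added example (not code from this post or from anyone it mentions), here is a small Python triage script that applies the checks described above to a listing in `hexdump -C` style: it parses the offset column and verifies each offset equals the running byte count (16 bytes per line), measures how many bytes fall in the printable range 0x20 to 0x7e, counts the quoted-CSV byte patterns 27 2c 27 and 2c 27 27 2c, and looks for the pcap/pcapng magic number that a real capture file starts with. The sample data, the dump format it accepts, and the 0.9/0.6 printable-fraction thresholds are assumptions made for this example.

```python
import re
import struct
from typing import Optional

# Accepts "hexdump -C" style lines: offset, hex byte pairs, optional |ascii| column.
LINE_RE = re.compile(r"^([0-9a-fA-F]{4,})\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+)")

# Magic numbers that begin real capture files (classic pcap and pcapng).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian)",
    b"\xa1\xb2\x3c\x4d": "pcap nanosecond (big-endian)",
    b"\x4d\x3c\xb2\xa1": "pcap nanosecond (little-endian)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def to_hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes as a hexdump -C style listing (used here to build test input)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines) + "\n"


def parse_hexdump(text: str) -> bytes:
    """Recover raw bytes; the left column is a byte offset, so it must equal the bytes read so far."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines, '*' repeat markers, trailing total lines
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} disagrees with {len(out)} bytes read so far")
        out += bytes.fromhex(m.group(2))  # fromhex ignores the whitespace between pairs
    return bytes(out)


def printable_fraction(data: bytes) -> float:
    """Share of bytes in 0x20..0x7e. Text is near 1.0 (CR/LF fall outside the range);
    ciphertext or compressed data sits near 95/256, about 0.37."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7e for b in data) / len(data)


def csv_quote_markers(data: bytes) -> dict:
    """Count 27 2c 27 (quote-comma-quote) and 2c 27 27 2c (empty quoted field)."""
    return {"quoted_separators": data.count(b"','"), "empty_fields": data.count(b",'',")}


def pcap_header_type(data: bytes) -> Optional[str]:
    """Name the capture format if the data begins with a known pcap/pcapng magic."""
    return PCAP_MAGICS.get(data[:4])


def triage(dump_text: str) -> dict:
    """Run every check and summarize what the dump most plausibly is."""
    data = parse_hexdump(dump_text)
    frac = printable_fraction(data)
    markers = csv_quote_markers(data)
    header = pcap_header_type(data)
    if header:
        verdict = f"capture file: {header}"
    elif frac >= 0.9 and markers["quoted_separators"] > 0:
        verdict = "unencrypted text, quoted-CSV-like"
    elif frac >= 0.9:
        verdict = "unencrypted text"
    elif frac < 0.6:
        verdict = "high-entropy binary (consistent with encrypted or compressed data)"
    else:
        verdict = "mixed binary"
    return {"bytes": len(data), "printable_fraction": round(frac, 3),
            "csv_markers": markers, "pcap_header": header, "verdict": verdict}


# Constructed samples (not real data): two quoted-CSV rows, every byte value once
# as a stand-in for uniformly distributed ciphertext, and a bare pcap global header
# (little-endian magic, version 2.4, snaplen 65535, link type 1 = Ethernet).
CSV_SAMPLE = (
    b"'1','Smith','','2020-11-03'\n"
    b"'2','Jones','','2020-11-03'\n"
)
BINARY_SAMPLE = bytes(range(256))
PCAP_SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for name, sample in [("csv", CSV_SAMPLE), ("binary", BINARY_SAMPLE), ("pcap", PCAP_SAMPLE)]:
        print(name, triage(to_hexdump(sample)))
```

Run it as a script to see all three verdicts, or feed `triage()` the text of a real `hexdump -C` listing. The offset check is the "odometer" test from above: if the left column is not a monotonically increasing byte count, the listing is not a plain hex dump of one file.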

So, why do I say to beware?  This may be data used to bait Dominion or someone to continue with their suit, e.g. "hey, look, Lindell doesn't have the data!! Let's keep suing!!", but Lindell whips out the real evidence at trial.  Or, Lindell was set up (which I think is unlikely).

Was Mike Lindell wrong when he said this is raw encrypted pcap data?  Yes.  It's not.  No headers, and unencrypted means it's not raw data.

Yes, his tech guy told him it is, but he knows it's not.  Why did he tell him that?  Here are a few things that bother me:

  • Lindell's cyber guy also said these are the raw captures.  They're not.
  • Joshua Merritt said those are "time signatures" on the left.  They're not.
  • They're streaming unencrypted data to millions of people watching.  What is this data?

I love Lindell and am his biggest fan, but as a conservative, we have to be fact-based.  Let's keep our guard up for the time being until we learn more about this data and his cyber guys, because my spidey-sense is throbbing right now.
