Over the weekend John Durham released an indictment of Michael A. Sussman, an attorney at a high profile DC law firm who represented the Hillary Clinton campaign. The questions that swirl around the indictment are being mined currently for stories about the media. But there are some hidden nuggets here which should cause questions to be asked about the tech industry as well.

On page 11 of the indictment a “Researcher-1 queried internet data maintained by Internet Company-1 for [the]… mail1.trump-email.com domain that was the subject of the allegations.” [Note: the domain is ‘trump-email.com’. The ‘mail1’ name creates a ‘fully qualified domain name’ (FQDN) and refers to a ‘host’ on the domain. In this case it would be a server used to handle e-mail traffic.]

A WHOIS query for ‘trump-email.com’ shows the domain registration is maintained by GoDaddy.

A ‘dig’ query for Name Server records (NS) — a command executed on a Linux machine as follows: ‘dig trump-email.com NS’ — shows the NS records for the domain point to two servers at the ‘domaincontrol.com’ domain.

A Google search identifies the owner of domaincontrol.com to be WildWestDomains, a GoDaddy white label reseller. The website at https://www.wildwestdomains.com/about-us/ lists the following as the company’s physical address:

2150 E Warner Road
Tempe, AZ 85284

GoDaddy’s Tempe, AZ headquarters is at the same address. The indictment (at page 8) refers to “Internet Company-2” and “Internet Company-3” in which “Tech Executive-1” had an ownership interest. This leads us to ask whether “Internet Company-2” is WildWestDomains. According to the indictment, Internet Company-3 used data from Internet Company-2 “or its parent” to provide private sector companies intelligence on cybersecurity risks. Tech Executive-1 directs both Internet Company-2 and -3 to examine their data for derogatory information about Donald Trump.

Understanding DNS and “Internet Data”

On page 12 of the indictment, a person identified as “Originator-1” emails “Tech Executive-1” and others about the limits of the “DNS” data they are examining. DNS stands for Domain Name Service. When a domain is registered with a registrar like GoDaddy, the registrar includes a primary and secondary (and in some cases a tertiary) fully qualified domain names which identify the servers providing Domain Name Services (DNS) for the domain. The ‘dig’ query noted above returns ns34.domaincontrol.com and ns33.domaincontrol.com. The additional alias (the first part of the address — ns34 and ns33 here) each isolates a single server instance and ‘fully qualifies’ the domain name.

As information transits the Internet, it is routed according to tables of information which translate the human readable address domain to a digital Internet Protocol (IP) address. (The NS33 FQDN translates to 97.74.106.17 and NS34 to 173.201.74.17.) Internet routers maintained by a customer’s Internet Service Providers (ISP) will maintain these records so when the customer goes to view a website with a domain registered with GoDaddy, the traffic will go from the customer’s ISP to the registrar’s DNS server(s). (The secondary server is a failover in case the first is not available.) The domain owner will have configured the domain with what is known as an ‘A record’ (also an IP address). The traffic will then be routed from the registrar’s DNS server to the address of the ‘A record’. That server will then serve up the requested content.

The same pattern applies to email. The domain owner will configure the domain records with ‘MX’ (mail exchange) record(s) to route email traffic coming to the registrar’s network to the server providing email services. Email providers often make as many as five such servers available and indicate the order in which they should be queried.

It is possible, however, for the owner of the domain to change the Name Server records for their domain. This is most often done when the website and email services for the domain are hosted by a different company than the domain registrar. In this case, the customer’s ISP routes the traffic to the hosting company’s infrastructure based on the NS lookup. The hosting company will often provide the tools necessary for the domain owner to configure the ‘A’ and ‘MX’ records to point to the servers hosting the website and email services, respectively.

The “Internet data” referred to in the indictment are essentially records of DNS hosts (i.e. servers) routing traffic to and from the ‘mail1.trump-email.com’ server — almost certainly a server to which at least one of the domain’s MX records were pointed.

Conspiracy Theory Becomes Conspiracy Fact

Imagine the ridicule heaped on someone claiming in the runup to the 2016 election that tech industry people were conspiring to manufacture false scandals about Mr. Trump. That this is, in fact, what was going on is clear from the indictment. It is also clear that persons otherwise read by the public as mainstream journalists were in on the effort. In order for the non-technical reader to intelligently consume what is presented to them as “news” it is helpful to understand the mechanics of this effort to manufacture an “inference” of scandal.

The people referred to in the indictment were tasked with developing data which could be used to plausibly report possible “secret” communications between the Trump Organization and a bank in Russia. The people tasked to this effort were told to examine DNS data records. One of the persons involved (“Originator-1”) cautioned that it would be possible to “fill out a sales form on two websites, faking the other company’s email address in each form… [causing them] to appear to communicate with each other in DNS.” What would actually be happening is this:

When you enter your contact info in a “Contact Us” form on the web, it is almost certain you will receive a confirmation email at the email address you provide. So if I go to a bank’s website and enter contact information with a fake email address like ‘someone@trump-email.com’ what will happen is the bank’s website will send an email to the address I provide. Even if the email address does not exist on the domain, the traffic will be routed to the server identified in the MX record(s) for ‘trump-email.com’ (e.g. ‘mail1.trump-email.com’). That server will then either route the email to the username before the ‘@’ sign in the email address, or respond to the sender with an email saying the user could not be found.

In the DNS traffic, the server identified as the “Name Server” for the domain ‘trump-email.com’ will show record of traffic from the bank’s domain. Assume the bank is based in Russia and put all of this together with the domain itself — ‘trump-email.com’ — and the “inference” is clear. Bring this to the attention of the FBI and a reporter who has already written his or her “fill in the blanks” story of an “explosive FBI investigation” now has everything needed to fill in those blanks.

But there’s more: Further questions to be asked

The indictment charges the lawyer with lying to the FBI about whether he was representing a client when coming forward with this information. This limits the nature of the information contained in the indictment. The larger question here — especially for investigative journalism as a profession — is: “Who registered ‘trump-email.com’?” A dig of the MX records show the email servers as being on the domain ‘secureserver.net’. A dig of ‘secureserver.net’ resolves to 208.109.192.71. A dig of ‘godaddy.com’ resolves to 208.109.192.70.

Each of these four numbers in an Internet Protocol address is known as an ‘octet’ and can be between 0 and 255. These addresses default into one of three ‘classes’ (A, B, and C). Anything with a first octet of 192 or higher is known as a ‘Class C’ address. An IP address is split between the ‘network’ (the first part of the address) on which a ‘host’ (synonymous with ‘server’ in this case — the second part) can be located. Think of a network address as a street and the host address as the house number on the street. For Class C addresses, the first three octets locate the network and the fourth locates the host on the network. (A later advance called ‘sub-netting’ allows for the network/host segmentation to be more finely grained that this.)

So when we see the MX records for ‘trump-email.com’ resolving to hosts on the ‘secureserver.net’ domain, and then see that secureserver.net resolves to a network address of 208.109.192.x (x being the fourth octet for the host), and further see that godaddy.com resolves to the same network address (208.109.192.x), we know that both are on GoDaddy’s network. Indeed, trump-email.com is served by the host at x.x.x.71 and godaddy.com’s main website by the host at x.x.x.70 — ‘next door neighbors’ if we continue with the ‘street name/house number’ metaphor.

As a matter of general practice, it is hard to understand why an organization would register a domain with ‘-mail’ after the organization name. It is normal to have one server host websites and another email services. But it is neither necessary nor normal to have two domains, one for web and the other for email. As noted above, this is not necessary because the domain’s MX record tells the router where to send emails and the A record where to send requests for website resources.

This leads us to the larger question which journalism must ask, and which goes beyond lying to the FBI: Who registered ‘trump-email.com’? Was it registered for the sole purpose of manufacturing a suspicious DNS trail to then report to the FBI? A large organization such as the Trump Organization does not come even close to matching the profile of the small business customer most likely to use GoDaddy’s email services. The closest a large organization might come to this is having registered its domain with GoDaddy, but then changing the MX records to something like Microsoft’s Office 365 or Google’s Workspace.

A Final Word on Journalism and Fascism

It is not hard to understand the worries surrounding Mr. Trump and Fascism. As far back as 1993, political science was capturing the characteristics of Fascist rhetoric as combining a myth of rebirth (“Make America Great Again”), a sense of ultra-nationalism (“America First”), and a myth of current decadence (“Drain the Swamp”).

I stick ‘academic definition’ in quotes as if to air quote in conversation because, like all academic definitions, it allows people to pass right by the observation that “actions speak louder than words.” If we identify Fascism first by actions, some very uncomfortable truths are uncovered.

The word ‘Fascism’ comes from a Latin word meaning ‘bundle of sticks’. If we view government as either a function of authority or of consent, and see consent as 12 o’clock and authority as 6 o’clock, we can begin to imagine politics not as a linear spectrum of Left/Right, but a circle of consent/authority. This means, unlike the ‘academic’ view of Fascism which tends to equate it with right-wing politics, you can get there either by going hard Left or hard Right. We can start imagining the traditional Right at 3 o’clock going clockwise and the traditional Left at 9 o’clock moving counter-clockwise. Any movement further left or right is to begin abandoning ‘Liberal Democracy’— where the authority to govern arises from the consent of the governed — in favor of authority enforced by a ‘bundle of sticks’ — the sticks being the banking sector, the tech sector, the mainstream media, and the government in power.

---

If we view government as either a function of authority or of consent, and see consent as 12 o’clock and authority as 6 o’clock, we can begin to imagine politics not as a linear spectrum of Left/Right, but a circle of consent/authority.

---

It is also necessary to revisit the Progressive Movement of the early 1900’s. Woodrow Wilson was the first national politician in America to openly question the usefulness of a constitution which limits government power. The classic Liberal and classic Conservative both agree on these constitutional limits, per se. The Liberal wants to draw the limits wide to allow for government action to provide for public goods. The Conservative wants to draw the limits narrowly to preserve individual liberties. The classic Progressive is something altogether different. In the early 1900’s we saw the same anti-constitutional Progressive impulse from Wilson as well as from the Republican Teddy Roosevelt.

When Wilson did not run for a third term (this was before the presidential two-term limit) and Teddy Roosevelt had already died, Republicans had no one of national prominence and Progressive sensibilities. The electorate rebelled against Progressive reforms and Republican Warren Harding trounced Democrat James Cox in 1920, but died in office in 1923. His Vice President, Calvin Coolidge, won re-election and developed a reputation as a small-government conservative — a view anathema to Progressives. Coolidge was replaced by Herbert Hoover, also a conservative Republican until defeated by Franklin D. Roosevelt in the midst of the Great Depression.

FDR — the lion of classical Liberalism once synonymous with the Democratic Party — assumed office in 1933. That same year a group of businessmen — including one Prescott Bush, grandfather of former President George W. Bush — attempted to conscript Marine Corp General Smedly Butler in a coup to replace FDR with a dictator along the lines of Italy’s Mussolini. The story of this “Business Plot” (or Wall Street Putsch)— if reported today — would almost certainly be called a ‘conspiracy theory’. But there is it; the history of Progressivism in United States politics is right there for all to read.

Why four-in-ten Americans no longer trust the media

There is a grave deficit of both self-awareness and historical literacy in journalism today. The deficit in historical literacy shows up when Liberal and Progressive are used as if they are interchangeable. The lack of self-awareness is seen in how the Internet has disrupted the economics of journalism such that one must have access to the government in power to have any hope of writing meaningful stories (at least about politics). This ‘access journalism’ predisposes today’s mainstream media to becoming the Progressive’s version of Josef Stalin’s ‘useful idiots’.

The indictment of the Clinton campaign lawyer is must-reading for anyone among today’s mainstream media who genuinely wonder how it is four of every ten Americans do not trust the media. But the story it tells about the mainstream media is nowhere near as condemning as the story it tells of the tech industry. They know the power in data, and how it can be wielded by those who understand where in the data to look. That power now rivals the power of the financial sector among the ‘bundle of sticks’ that makes up a Fascist regime. (Where are the voices so concerned about Trump’s Fascist rhetoric now that we are seeing actual, Fascist actions?)

The question is whether the media can break away from the bundle and regain its independence and trust. It cannot be any simpler now. Is “Internet Company-1” GoDaddy? Is “Tech Executive-1” a GoDaddy executive? Who registered “trump-email.com” — and why? Is there anyone in the mainstream media left with the integrity to ask?