A few hours ago I fielded a question about the twenty nine months of phone logs that were part of the data in MIOS: Iran’s PressTV. By the time I was asked to look at this material someone had already identified the phone logs and made them a separate subset of files. The question I was asked tonight was this:
“How can I establish the legitimacy of the call records?”
Providing a fulsome answer took just half an hour …
Attention Conservation Notice:
I’m just pleased with myself that another story is going to break based on this data. I’m going to show a few screenshots and talk methods, then once the story breaks I’ll come back and edit this to include the link. No reporters were harmed in the creation of this article.
Legitimacy:
How could I show that the logs were part of the overall intrusion, which has been validated to the satisfaction of the editors at the Washington Post?
What I had to do here was show the path those logs took from the intrusion to the single CSV file I had made of them. This isn’t a thing someone with access to the Disinfodrome data for PressTV could do; it required file system access on the server.
I searched for one PressTV extension (1466), found some PDFs of the call logs, and I copied the hashed file name. It looks something like this, but I’ve taken the liberty of munging this a bit so nobody can backtrack it:
4bf41ab6d4ee6207t585r2f7472q155fez69cae0063da5c17bk611y7f880f44b.pdf
Once I had the PDF, I knew that there would be an XLSX format file with the same name. I used the Unix find command to locate it, and that led to the work directory I’d used, which had the original twenty nine files in XLSX format. Those went up in a Dropbox folder, and that’s that - quod erat demonstrandum.
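The trace described above can be written down as a repeatable check. This is an added example, not the commands actually run on the server: the stem, directory names and file contents are constructed placeholders, and it assumes GNU coreutils (`sha256sum`). It finds every file that shares the hashed stem, records a hash and size for each, and reports the working directory that holds the XLSX copy.

```shell
#!/bin/sh
# Constructed placeholders throughout: the stem, directory names and file contents.
STEM=0123abcd-constructed-stem

# trace_stem ROOT STEM: one "<sha256>  <bytes>  <path>" line per file named STEM.*
trace_stem() {
    find "$1" -type f -name "$2.*" | sort | while IFS= read -r f; do
        printf '%s  %s  %s\n' \
            "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# work_dir ROOT STEM EXT: directories holding STEM.EXT (the source-format copy)
work_dir() {
    find "$1" -type f -name "$2.$3" -exec dirname {} \; | sort -u
}

# count_ext DIR EXT: number of EXT files directly inside DIR
count_ext() {
    find "$1" -maxdepth 1 -type f -name "*.$2" | wc -l | tr -d ' '
}

# make_demo: build a small constructed tree and print its root
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/index/pdf" "$root/work/phone-logs"
    printf 'rendered copy\n' > "$root/index/pdf/$STEM.pdf"
    printf 'source sheet\n'  > "$root/work/phone-logs/$STEM.xlsx"
    # two more constructed monthly files beside the source sheet
    printf 'month 2\n' > "$root/work/phone-logs/stem-two.xlsx"
    printf 'month 3\n' > "$root/work/phone-logs/stem-three.xlsx"
    printf '%s\n' "$root"
}

ROOT=$(make_demo)
WORK=$(work_dir "$ROOT" "$STEM" xlsx)
# The manifest is what gets handed over with the files: hash, size, path.
trace_stem "$ROOT" "$STEM" | tee "$ROOT/manifest.txt"
echo "working directory: $WORK ($(count_ext "$WORK" xlsx) xlsx files)"
```

Keeping the manifest alongside the shared files lets a recipient re-hash what they received and confirm it matches what was on the server.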
PBX Logs:
The details are available to reporters and researchers, but since I don’t know who I’d be exposing, we’ll keep this high level.
The logs are twenty nine months of calls that originated from an internal system and reached numbers globally. Since this is a PBX - private branch exchange - all we know about the callers are their four digit numbers within the PressTV system. There was also a small set of eight digit numbers beginning with “22”, which I believe are radio show call-in numbers within Iran itself.
Overall there were 4,425 unique phone numbers called. Most of this originated from extensions 7901 - 7906. There are 36 other four digit extension numbers and fifteen of the eight digit numbers beginning with “22” that I think are local to Tehran.
I examined the top thirty U.S. destinations and made a graph of them. I could identify most of the owners of the numbers and I was surprised to find that several of them are on the nuclear non-proliferation mailing list I used to maintain for the Institute for Policy Studies.
While the reporters focused on the numbers that were most contacted and the big name players they could identify, I went to the other end of the pool, looking at the LEAST active extensions. There were 134 U.S. numbers called and among them I found a couple instances of sanction violations - U.S. companies that sold internet presence related services. I haven’t reported them yet, but since I’m reviewing this I probably should.
One of the things I did with this data, in which nobody has taken an interest (yet), was to identify the carrier for each called number. There were 162 of them altogether. I was thinking I’d make a map using the country data and Orange Data Mining, but there are only just so many hours in each day.
Conclusion:
Getting data like this is one thing, curating it is another, exploiting it a third, and the final step is fusing it with other material in order to gain insight. Our emaciated journalism sector has largely stopped doing the deeper work. This should have been news in 2022 when it happened; instead it took a couple NAFO pooches with their noses to the ground to make something of it.
I like what I do, don’t get me wrong, but that something so important could come down to a couple weirdos in a Signal chat room not letting go … kinda makes me nervous when I stop to consider it.
So there you have it, another nice surprise for people working against U.S. interests.
Coda:
Here’s a peek behind the curtain. There should be two stories this week, one for PressTV, one for a Russian thing. The four with a trailing [x] are in the hands of reporters and they may or may not progress, because complex and everybody is busy.
The last three are a mixed bag. The first two are substantial enough that I just have to find the right reporter to take on the problem. And there at the end, my problem child investigation, the reason I reopened this Substack at the start of September last year.