Russia did not hack the DNC. This is not my opinion. It is a conclusion of several cyber security professionals that flows from one very specific, easily tested claim made by the Special Counsel,–that Guccifer 2.0 was a fictional identity created by Russian Military Intelligence, i.e., the GRU. If the GRU had concocted Guccifer 2.0, then the forensic evidence should show that this entity was operating from Russia or under the direct control of entities linked to the GRU.
One type of forensic evidence is meta data. What is meta data? This is geek shorthand to describe physical information or code that is written into a document created by a word processor software when a document is created. This data includes a variety of things, such as the date and time the document was created or modified. It tells you who created the document.
An examination of the Guccifer 2.0 documents shows that the meta data in the Guccifer 2.0 documents were manipulated deliberately to plant Russian fignerprints. This was not an accident nor an oversight due to carelessness by some computer operator.
Special Counsel Robert Mueller is correct in stating that Guccifer 2.0 was a “fictious online persona. ” But he is wrong to claim that Guccifer 2.0 was a creation of the Russian Military Intelligence. Guccifer 2.0 appears to be a creation of the CIA and was one character in a broader scheme assembled to paint Donald Trump as a lackey of Vladimir Putin.
Let us first stipulate that Russia and the United States have engaged in cyber espionage and covert action against each other since the dawn of the internet age. Within the U.S. Intelligence Community cyber ops are carried out by the NSA, the CIA and DIA, just to mention three of the more prominent members of the US Intel Community. These activities generally are referred to with the acronym, CNO—i.e., Computer Network Operations.
CNOs are classified at the highest level in the United States and normally are handled within special restricted categories commonly known as SAPs (i.e, Special Access Programs). A critical element of these kinds of operations is to avoid leaving any fingerprints or clues that would enable the activity to be traced back to the United States. But this is not unique to the United States. All professional intelligence services around the world understand and practice this principle—leave no evidence behind that proves you were there.
The case implicating Russia in the hack of the DNC and Clinton emails, including those of her campaign Manager, John Podesta, rests on suspect meta data in the documents posted by Guccifer 2.0 on line. According to Disobedient Media, “the files that Guccifer 2.0 initially pushed to reporters contained Russian metadata, a Russian stylesheet entry and in some cases embedded Russian error messages.”
Why would the Russians make such a mistake, especially in such a high stake operation (targeting a national election with covert action most certainly is a high stake operation). Mueller and the U.S. intelligence community want you to believe that the Russians are just sloppy and careless buffoons. Those ideologically opposed to the Russians readily embrace this nonsenses. But for those who actually have dealt with Russian civilian and military intelligence operatives and operations, the Russians are sophisticated and cautious.
But we do not have to rely on our personal beliefs about the competence or incompetence of the Russians. We simply need to look at the forensic evidence contained in the documents posted by Guccifer 2.0. We will take Robert Mueller and his investigators at their word:
- Beginning in or around June 2016, the Conspirators staged and released tens of thousands of the stolen emails and documents. They did so using fictitious online personas, including “DCLeaks” and “Guccifer 2.0.” (p. 2-3)
- The Conspirators also used the Guccifer 2.0 persona to release additional stolen documents through a website maintained by an organization (“Organization 1”) [aka WIKILEAKS], that had previously posted documents stolen from U.S. persons, entities, and the U.S. government. (p. 3)
- Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to release documents through WordPress that they had stolen from the DCCC and DNC. The Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals. (p. 15)
An examination of those documents tells a very different story. While it does not reveal who or what was Guccifer 2.0, it does undermine Mueller’s claim that it was the Russians who did these dastardly deeds.
One independent forensic computer investigator, who uses the name, “The Forensicator,” examined the meta data in some of the documents posted by Guccifer 2.0 and discovered the following:
Guccifer 2.0 published a file on 13 September 2016 that was originally copied on 5 July 2016 at approximately 6:45 PM Eastern time. It was copied and appeared as the “NGP VAN” 7zip file.
The estimated speed of transfer was 23 MB/s. This means that this initial data transfer could NOT have been done remotely over the Internet. Instead, it was likely done from a computer system that had direct access to the data. “By “direct access” we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high-speed network (LAN).”
This initial copying activity was done on a system that used Eastern Daylight Time (EDT) settings and was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy, which is a characteristic of the Linux ‘cp’ command (using default options).
On September 1, 2016, a subset of the initial large collection of DNC related content (the so-called NGP/VAN data), was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.
The alleged Russian fingerprints appeared in the first document “leaked” by Guccifer 2.0– 1.doc—which was a report on Donald Trump. A forensic examination of the documents shows thatgiven the word processor program used to create the Donald Trump Document released by Guccifer 2.0, the author consciously and purposefully used formats that deliberately inserted “Russian fingerprints” into the document. In other words, the meta-data was purposely altered, and documents were pasted into a ‘Russianified’ word document with Russian language settings and style headings.
Here are the key facts:
The meta data shows that Slate_-_Domestic_-_USDA_-_2008-12-20.doc was the template for creating 1.doc, 2.docand 3.doc. This template injected “Warren Flood” as the author value and “GSA” as the company value in those first three Word documents. This template also injected the title, the watermark and header/footer fields found in the final documents (with slight modifications).
The Word documents published in June 2016 by Guccifer 2 also show a “last saved as” user id written in Cyrillic. The Anglicized name is “Felix Edmundovich“, aka “Iron Felix” (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity.
But the meta data tells a different story. When we examine The Revision Session Identifiers aka ‘RSID’s, in the Guccifer document, we see the same Russian style-headings in 1.doc, 2.doc and 3.doc. The document creation timestamps on docs 1, 2 and 3 also are all identical.
Given that MS word assigns a new random ‘RSID’ with each save when an element is added or edited (this function allows one to track changes made to a Word document), the only way to obtain identical creation timestamps means that someone either directly edited the source document or that there was one empty document open and that individual documents were copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as (2.doc), etc. This process also explains identical style-sheet RSIDs.
The document creation timestamps on docs 1, 2 and 3 also are all identical.
Curious, no doubt. But who of us did not consider Guccifer 2 curious. Put another way, what experts considered him solid proof for Russian involvement?
Are you suggesting Winword templates were used for the metadata?
As IT nitwit, how can I save three *doc files or their 2016 word equivalent at the same time? Any way to do that? Windows doesn’t seem to have a solution to that.
Again: This is a nitwit user asking a question.
*******
I admittedly am not overly motivated to read the Mueller report. I’ll read your contribution again to figure out what you may suggest in or between the lines.
The phrase “personal beliefs about the competence or incompetence of the Russians” catches something important. Whether it was the Russians or somebody else that did this, whoever did it was pretty sloppy. What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation. So any theory of who stole and published the documents has to explain a capability to access the data combined with blissful obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or other intelligence communities incapable of such a combination. All of them have brilliant dedicated people but also seemingly endless supplies of mediocre time-servers.
Equally interesting is the fact that this analysis has come from such a private source. Surely all the major intelligence agencies have the skill to find the same indicators. And all have comparatively endless resources to apply to the analysis. But they all seem to not want to talk about it. For me the most suspicious thing about the handling of the theft was the FBI’s near complete lack of interest in examining the server. I have always assumed that such indifference reflected that they already had all they needed in order to understand what happened. Maybe even watched the theft in real time. But this report demonstrates that you didn’t need any special access to blow up the official story. (Note that the official story may be “true”. It is just not proven by the cited evidence.)
Yet, whatever actually happened, nobody seems interested in challenging the narrative that Russians stole data and routed it through useful idiots to influence the 2016 elections. This report indicates that a persuasive challenge would not have been hard to produce.
Perhaps the false flag was intentionally clumsy, intended to be detected. Bait for a trap that no one wants to fall into. But I don’t see where that thought leads.
https://archive.fo/2dMfC#selection-683.213-687.434
This can be discovered by looking at things called ‘rsid’s or Revision Session Identifiers in Guccifer’s document. In order to track changes, MS word assigns a new random ‘rsid’ with each save upon each element added or edited. The rsids for the Russian style-headings in 1.doc, 2.doc and 3.doc are all the same (styrsid11758497 in the raw source).
Moreover, the document creation timestamps on 1,2, and 3.docs are all identical too. This might imply there was one empty document open, with individual documents being copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as (2.doc), etc. This is the only way to go about obtaining identical creation timestamps short of direct editing of the source, and would also explain identical style-sheet RSIDs.
Scenario? Shutdown, closing of words with documents being automatically saved? Ok, otherwise there is apparently no precise saving time stamp on Winwords latest version. How much changed since 2016?
Empty doc open? What would that change?
But good to see that Winword now integrated some type of automatic saving option, didn’t have it when I gave it up and shifted to Open Office.
On the other hand, can I trust it to not confront me with an earlier revision version? I admittedly asked myself lately. In a 200 page file, mind you.
As someone with a little bit of experience in that area I can assure you that language metadata artifacts are practically worthless for attribution. You would mention it in a report, but from it you can only conclude that.
– either the creator was an amateur and used his own language environment
– or actually selected this particular language environment, either by running a – in this case – Russian copy of Office, or by changing the metadata manually.
– or he used his own language environment because he doesn’t care, and because he knows that this information is worthless for any forensics expert.
The Vault7 leak of CIA tools also contained information on how to select any language environment. It’s really a standard practice, even for normal criminals.
Attribution is really hard and usually amounts to a lot of guessing who might be interested in the target of an attack, correlating information from other campaigns, and is only rarely based on hard evidence. Big state actors probably can do a little bit better when they have access to enough network taps. But in the end one bit looks like any other, and properties of static documents can always be forged and made to look real. Or simply buy a copy of MS Office in
The document creation timestamps on docs 1, 2 and 3 also are all identical.
Ok doc creation times.Could one create a Winword Makro? That does exactly that. ok, why would one do this? True.
Minor detail, I know. But I see we have experts around now.
*******
More generally. Guccifer 2.0 was a bit of an odd occurrence, not least due to US intelligence considering Guccifer one or zero, if you like.
fredw,
“..nobody seems interested in challenging the narrative that Russians…”
That’s precisely what Larry has been doing for some time.
“Equally interesting is the fact that this analysis has come from such a private source.”
How dare a private citizen challenge the narrative!
“Perhaps the false flag was intentionally clumsy…”
False flag, let’s discuss that idea, brought up solely by you, and not discuss Larry’s analysis.
Fred, I think you’re missing fredw’s point. He’s praising the fact that private researchers are shedding more light on this issue. Along that line, I suggest following the work of another private researcher in this area. Stephen McIntyre, who has offered useful and cogent commentary here in the past, raised several insightful points about the DNC hack in his twitter feed (@ClimateAudit). Actually it’s about the Podesta hack, but he promised more on the DNC hack later.
“1/ Hypothesis: Mueller indictment (inadvertently?) revealed a strong infrastructure link between CyberBerkut and Podesta hack, but nonetheless attributed Podesta hack to Lukashev of GRU. Is this attribution KNOWN or arm-saving?
2/ in addition to infrastructure, DCLeaks/Podesta leak fit CyberBerkut profile much better than prior APT28/Fancy Bear practices. Previously, APT28 had spied, but hadn’t “weaponized” data. That’s why Marc Elias of Perkins Cole was unconcerned when he was informed that DNC hacked.
3/ in contrast, opposing cyber factions in Ukraine (Cyber Berkut on one side, CyberHunta/Informnapalm on other) outdid one another in publishing hacked documents to embarrass other side. DCLeaks/Podesta fit much more neatly into that ongoing battle than into prior APT28 practice”
https://twitter.com/ClimateAudit/status/1115644673404444674
https://twitter.com/ClimateAudit/status/1114236075096989696
These entire threads are enlightening. It also highlights the nature of Russian cyberwarfare. Unlike in the US, where hackers are kept at arms length from CYBERCOM and NSA organizations, Russia has incorporated hackers and cybercriminals into its structure. (China does it , too.)
Another example of this is the case of Dimitry Dokuchaev, a Russian hacker charged with various cyber crimes by US authorities, was also an FSB major arrested by Russian authorities for treason. He was reportedly suspected, with several others, of tipping off US intelligence of Russian involvement in the DNC hacks.
I read fredw’s comment “What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation.” to mean Larry Johnson’s blog post not the Mueller report. In a similar vein I think his comments fit the democratic party’s narrative that ‘We didn’t lose the election, Russia hacked it!’ Of course that would mean it was proven by the Mueller Report! Except it found no collusion and begs the question of why Nadler and the rest of the House leadership demanding further information from Trump and anyone associated with him?
fredw also stated: “Surely all the major intelligence agencies have the skill to find the same indicators.”
The Mueller team, like the FBI before it, had no access to the DNC servers to conduct an actual forensic investigation of the equipment and relied upon what was provided by Cloudstrike, an entity contracted by the DNC to do the investigation. That is the evidence upon which the “12 Russians” were charged with “Conspiring to defraud the US”
https://www.justice.gov/file/1035477/download
What is the likelihood of any of them being in court to address that charge and have their lawyers demand to see the evidence? Zero? Thus Trump and company are, by association, guilty, since Mueler charged 12 Russians!
The point of the recently concluded two years of federal investigation was not finding out details about DNC meta data, Gucifer 2.0’s identity etc. but rather determining if Trump and his associates colluded with agents of the Russian Federation to win the presidential election. What is also not discussed by fredw or yourself is the multiple employees of the US Government who have used thier official positions to interfere in an election in the US and in apparent coordination with citizens of foreign nations; some of whom were formerly, or perhaps are still, employed by their nation’s governments and often were even paid “informants” of the FBI. We should all be thanking Susan Rice, Jessica Lynch, John Brennan, Comey, Clapper, Page and Strzock for bringing “change” to how the US government handles elections in America. Oh, and that scandal free guy too.
Don’t these details, well summarized by Larry Johnson, about how the “Russian fingerprints” were ACTUALLY added to the first documents released by Guccifer 2.0, lay to rest the possible association of these Guccifer 2.0 “Russian fingerprints” with the “obfuscation” capabilities of Vault 7’s Marble Framework software (presented again in the VIPS memo of March 13, “Mueller’s Forensics-Free Findings”)? Isn’t the purpose of the obfuscation tool in Marble Framework TOTALLY DIFFERENT, i.e. to disguise the author of a hack, or the origins of malware used – as opposed to changing language characteristics in the metadata of particular written documents?
Why then keep introducing the Marble Framework notion as if it would possibly be relevant to Guccifer 2.0? Shouldn’t there be pushback within VIPS against continuing to put forward what looks to be a red herring?
No. This is consistent with a Vault 7 process. It was the twist to make it look like it was Russian when it was not.
Fred, I’ll let fredw defend his own comments if he so desires. I still think he was quite supportive of Larry and other independent researchers.
The evidence presented in the GRU 12 indictment is almost exclusively derived from intelligence collection operations outside the DNC/DCCC networks. The activities of the GRU 12 as detailed in the indictment are not something that can be derived from a forensic examination of target computers by CrowdStrike or the FBI. In any case a forensic examination is conducted on images of target computers, not the target computers themselves. The FBI had those images from CrowdStrike. The indictment of foreign hackers, including state hackers, is a fairly recent phenomena. However, it is becoming a more normal procedure withthe improvement in attribution methods. Those methods invariably involve a lot more than a forensic examination of targeted computers. You are right in noting these indictments are more political than judicial.
Mueller and the U.S. intelligence community want you to believe that the Russians are just sloppy and careless buffoons.
Thank you LJ for pointing that out. It is remarkable, especially considering that the other half of the time, the Russians are supposed to be evil geniuses. In both this scenario and the Skirpal incident, the Russians were supposedly both at different times, depending on the demands of the official narrative.
I agree they are consistent in the bare respect in that the one identified Vault 7 program can make something look Russian when it was not – with a different “something” and different details.
It would belong in a VIPS memo that outlines ALL attempts and abilities to falsely attribute things to Russia, from New Knowledge in Alabama to the claimed sources of the Steele Dossier, etc., etc.
But in my opinion, space in the March 13 memo would have been better used with a brief outline of what you have outlined in your article above.
ok, that’s the much better archive.fo link. The earlier one deeply puzzled me:
https://archive.fo/2dMfC#selection-683.150-683.447
… way too strong associations … to a fictive detective in the 40s.
This is an interesting topic:
Unlike in the US, where hackers are kept at arms length from CYBERCOM and NSA organizations, Russia has incorporated hackers and cybercriminals into its structure. (China does it , too.)
Who but Mark Galeotti would be an expert on these somewhat lax legal standards of Russian vs US cyberintelligence? Used as epigraph and thus probably as some type of guardian angle here:
https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
it feels to me, fredw has no need to defend himself.
But it gets awfully tiring to see debates descend into simple partisan layers based on the by now solidly established truth vs fake news lines. You’re either with or against us?
TTG,
“In any case a forensic examination is conducted on images of target computers, not the target computers themselves.”
And the chain of custody to ensure there was no tampering with evidence prior to imaging the computers? I ask that becasue page 24 of the indictment states: “In order to avoid detection and impede investigation by U.S. authorities of Defendants’ operations, Defendants and their co-conspirators deleted and destroyed data, including emails,
social media accounts, and other evidence of their activities.”
I seem to remember something about bleachbit, hammers, etc. I just can’t seem to recall what case all that evidence was related too. Regardless, nobody would erase anything off a DNC computer prior to having Cloudstrike image it for the FBI to determine that why yes, it was the Russians! just like the Democrats said. You know, the guys colluding with Trump.
Fred, you’re still ignoring the evidence presented in the indictment and Mueller report. If you’re watching the hackers themselves and their traffic as it passes through proxy computers and control computers, CrowdStrike’s work on the target computers is almost immaterial. CrowdStrike could only diddle with the DNC computers (if they were so diabolically inclined). That would become obvious when compared to the traffic captured by intelligence collection between the DNC network and all the hops made to the GRU computers.
Speaking of bleachbit and hammers, I was desperately hoping Comey was goung to nail Clinton for destroying evidence or obstruction of justice. That would have ended her run right there and we would have had a whole different election. Maybe not a different result, but definitely a different election.
TTG,
Mueller presents NO EVIDENCE in the indictment nor the report. He has lots of assertions. The computer experts I know and am dealing with, including Bill Binney, note that Mueller is relying on claims, also unsubstantiated, by Crowd Strike. Crowd Strike lied.
Real evidence would include the actual packets from the original “hack.” But that was never pursued nor obtained.
Stop being an apologist for these fraudsters.
Larry, our ability to determine attribution improved dramatically when we moved beyond just examining the packets of the hack to the more aggressive hunting for the hackers and their infrastructure. What AVID did to the APT29 FSB hackers is a prime example of that. They were key to us mitigating extremely aggressive and brazen attacks on JCS and DOS systems in 2014. Before that, my team added a HUMINT element to this hunt and solved several attribution questions without even looking at any packets. These new methods are the reason behind the growing number of indictments of Chinese, Russian, Iranian and other hackers. I’m sure those methods have improved since I retired and are way beyond anything CrowdStrike can do. They are limited to making assertions.
Brother Genius,
Look. Neither the FBI nor NSA actually got access to the event. If NSA really had obtained the intel evidence then their declaration in the ICA would not have been “moderate confidence.” If you know and have proof you don’t have “moderate confidence”, you know
The only key judgement that the NSA had moderate confidence was “Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him.” That doesn’t surprise me. That’s a plans and intentions type finding. All three agencies had high confidence in this judgement. “We assess with high confidence that Russian military intelligence (General Staff Main Intelligence Directorate or GRU) used the Guccifer 2.0 persona and DCLeaks.com to release US victim data.” That strikes at the heart of what I’m talking about. I guess that means they know and have proof. Even though we often disagree, I enjoy our discussions. Cheers, brother Johnson.
You are ignoring the key point and clear empirical evidence–Guccifer 2.0 was a creation of someone other than the Russians. Guccifer 2.0 was deliberately created to appear as a Russian. That doesn’t bother you? You accept that bullshit? Please be serious.
TTG,
“aspired ” is not “conspired”, thus “No collusion”. Case against Trump closed.
Fred, that’s the ICA about Russian interference. It was Putin and the Russian government who aspired. What Trump or his campaign did or didn’t do was not addressed in the ICA. Nor was the question of the effectiveness of the Russian interference addressed. The ICA specifically stated that matter was outside their perview.
Larry, blatant Russian fingerprints in in G2 files is not proof of anything. You only make assumptions of why those fingerprints were there. Assuming that Russian hackers are godlike and incapable of leaving such things in a file, deliberately or not, is pure wishful thinking. The whole G2 episode did nothing but sow confusion and doubt into the public discussion of Russian interference. I’d say it worked brilliantly.
you surely can’t be that gullible. It is not only the deliberately placed Russian fingerprints. The transfer rate, which cannot be faked, was not done over the internet. You will be proven wrong. I hope you are man enough to admit it when the full data is released.
“”…nobody seems interested…”
As TTG has pointed out, you missed the point. And I guess I overstated it. As you point out. “Nobody” did not include the authors of the report being discussed. But what is striking to me is that the discrepancies were raised to consciousness by perhaps the the smallest and least well resourced people with an interest. The discovery seems almost accidental. The world is full of professional well resourced intelligence agencies who should very quickly have noticed the same things and probably much more, None of them raised these easily discoverable facts,
“How dare…”. Seems to be attributing motives to me. I try very hard to stick to facts as much as we know them. I welcome having my failures in this re3gard pointed out, but this is not that.
As for “false flag”, I maintain that that is an accurate description of the planting of Cyrillic meta data.
Sorry to have taken a while to respond. I do have a fairly intense day job.
“Felix Edmundovich”
OK, this bothered me. Am I overestimating someone? This level of clumsiness suggests to me that it was intended to be detected. Am I the only one to think so? If so, then what was the actual motive for doing this? Perhaps some of the professionals at SST can help me out.
Larry, nobody transfered files like that since the days of Kermit and Xmodem. They are gathered on the local network, tarballed and then transferred. Forensicator focused on the copy rate, not the transfer rate. I’d be much more impressed if he could technically disprove the government’s claim that the GRU used x-agent, rar.exe and x-tunnel to conduct the hack. I understand that’s a tall order, but it would be impressive. Maybe I will be proven wrong. Maybe the GRU12 and IRA indictments are based on pure fiction and end up as the basis to charge Mueller with massive criminal fraud. It’s all possible.
I suppose the sloppy “Russian” metadata insertions could be a blind 2x, making it obvious so everyone will believe it’s fake.
Q: if this were the case, what were/are/would be the advantages/disadvantages to Russia?
I have been a Russiagate skeptic since about day one, and reading the Mueller report has been mostly an eye-roller for me, but he makes one allegation that I have yet to see anybody comment on/refute: his claim that the GRU did internet searches for several phrases that appeared in Guccifer 2.0’s initial communique before that communique was published. One one hand, this sounds like something that the US government’s computer hackers could do, but on the other hand, it kind of blows the NSA’s cover if it’s true. Your comments? Thank you!
The problem is that no evidence is offered to back up the assertion. Given the history of lying by both CIA and FBI I am not willing to give them the benefit of the doubt.
For my part this is not about trying to prove you wrong for the sake of humiliating you. I know from people with current access to the “so-called intel” that this who thing was a fabrication. They almost got away with it. Mike Rogers, former NSA Director, will emerge as sort of a good guy in this sordid affair.
Galloway and Bannon working hand in hand somewhat toward re-nationalization:
https://eurasiafuture.com/2019/05/25/watch-george-galloway-vs-steve-bannon-at-the-eurasia-media-forum/
Querfront. I am hesitant of such approaches. Not that the English link could convey what I associate with it on my own home ground.
https://en.wikipedia.org/wiki/Third_Position
“..nobody seems interested in challenging the narrative that Russians…”
That’s precisely what Larry has been doing for some time.
As Larry has been doing for some time, as has Publius Tacitus been doing for some time before him …
…
His master’s voice only?
https://en.wikipedia.org/wiki/His_Master%27s_Voice#/media/File:His_Master%27s_Voice.jpg