How a Few Yellow Dots Burned the Intercept's NSA Leaker (arstechnica.com)
On Monday, news outlet The Intercept released documents on election tampering from an NSA leaker. The documents revealed that a Russian intelligence operation sent spear-phishing emails to more than 100 local election officials days before the election, building on an earlier hack of a U.S. voting software supplier. Hours later, the Department of Justice charged 25-year-old government contractor Reality Leigh Winner with sharing top secret material with the media. The DoJ said Winner had "printed and improperly removed classified intelligence reporting, which contained classified national defense information" before mailing the materials. But how could the DoJ know that it was Winner who had printed the documents, or that the documents were printed at all? Ars Technica explains: [...] The Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed, and it included encoded watermarking that revealed exactly when it had been printed and on what printer. The watermarks in the scanned document The Intercept published yesterday were from a Xerox DocuColor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the EFF's decoding tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218. Further reading: How The Intercept Outed Reality Winner.
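The summary describes the dot grid only in outline, so here is an added example (my code, not Ars's, the EFF's or Robert Graham's) that encodes a DocuColor-style dot matrix, checks its two parity lines and decodes the timestamp and serial number back out. The layout it assumes is my reading of the EFF's DocuColor decoding guide: 8 rows by 15 columns, a column-parity row on top, a row-parity column on the left, rows 2 to 8 weighted 64 down to 1, and the minute, hour, day, month, year and serial groups in the columns listed in the docstring. Treat those positions, and the orientation of the grid on a real scan (which may be rotated or mirrored), as assumptions to verify against the guide. The sample values are the ones Ars and Graham reported for the Intercept scan.

```python
"""Encode and decode a DocuColor-style yellow-dot grid (added example).

Assumed layout (my reading of the EFF decoding guide, not verified here):
  - 8 rows x 15 columns of dot positions; grid[row][col] == 1 means "dot".
  - Row 0 (top) is a column-parity row: every data column has an odd dot count.
  - Rows 1..7 carry bit weights 64, 32, 16, 8, 4, 2, 1, top to bottom.
  - Column 0 (left) is a row-parity column: every row has an odd dot count.
  - Data columns (0-based): 1 minute, 4 hour, 5 day, 6 month, 7 year (2 digits),
    9 separator (all bits set), 10..13 serial number as four 2-digit groups;
    columns 2, 3, 8 and 14 are left at zero ("unknown" in the EFF guide).
"""
from typing import Dict, List

ROWS, COLS = 8, 15
BIT_WEIGHTS = [64, 32, 16, 8, 4, 2, 1]          # rows 1..7, top to bottom
FIELDS = {1: "minute", 4: "hour", 5: "day", 6: "month", 7: "year",
          10: "serial1", 11: "serial2", 12: "serial3", 13: "serial4"}
SEPARATOR_COL = 9

Grid = List[List[int]]


def encode(values: Dict[str, int]) -> Grid:
    """Build the dot grid for the given field values and fill in both parity lines."""
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, name in FIELDS.items():
        v = values.get(name, 0)
        if not 0 <= v <= 127:
            raise ValueError(f"{name}={v} does not fit in 7 bits")
        for row, weight in enumerate(BIT_WEIGHTS, start=1):
            grid[row][col] = 1 if v & weight else 0
    for row in range(1, ROWS):
        grid[row][SEPARATOR_COL] = 1
    for col in range(1, COLS):                   # column parity -> row 0
        grid[0][col] = 1 - sum(grid[r][col] for r in range(1, ROWS)) % 2
    for row in range(ROWS):                      # row parity -> column 0
        grid[row][0] = 1 - sum(grid[row][c] for c in range(1, COLS)) % 2
    return grid


def parity_errors(grid: Grid) -> List[str]:
    """List every data column and every row whose dot count is even; empty means consistent."""
    errors = []
    for col in range(1, COLS):
        if sum(grid[r][col] for r in range(ROWS)) % 2 == 0:
            errors.append(f"column {col} has even parity")
    for row in range(ROWS):
        if sum(grid[row]) % 2 == 0:
            errors.append(f"row {row} has even parity")
    return errors


def column_value(grid: Grid, col: int) -> int:
    """Read one column's 7 data bits as an integer."""
    return sum(w for row, w in enumerate(BIT_WEIGHTS, start=1) if grid[row][col])


def decode(grid: Grid) -> Dict[str, str]:
    """Recover timestamp and serial; refuse to guess if the parity lines disagree."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity check failed: " + "; ".join(errors))
    f = {name: column_value(grid, col) for col, name in FIELDS.items()}
    serial = "".join(f"{f[k]:02d}" for k in ("serial1", "serial2", "serial3", "serial4"))
    return {
        "printed": f"20{f['year']:02d}-{f['month']:02d}-{f['day']:02d} "
                   f"{f['hour']:02d}:{f['minute']:02d}",
        "serial": serial,
        # The EFF guide notes the first two-digit group is sometimes not part
        # of the serial, hence Ars's "535218 or 29535218".
        "serial_short": serial[2:],
    }


def render(grid: Grid) -> str:
    """ASCII picture of the grid: 'o' for a dot, '.' for blank."""
    return "\n".join("".join("o" if c else "." for c in row) for row in grid)


# Constructed sample: the values Ars and Robert Graham reported for the
# Intercept scan (printed 2017-05-09 06:20, serial groups 29 53 52 18).
INTERCEPT_VALUES = {"minute": 20, "hour": 6, "day": 9, "month": 5, "year": 17,
                    "serial1": 29, "serial2": 53, "serial3": 52, "serial4": 18}

if __name__ == "__main__":
    g = encode(INTERCEPT_VALUES)
    print(render(g))
    print(decode(g))
    g[3][5] ^= 1                                 # one misread dot breaks parity
    print(parity_errors(g))
```

The parity check is the part worth copying: a single dot misread from a noisy scan flips one column and one row, and the decoder says so instead of handing back a plausible but wrong date or serial.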
Take a photo (Score:4, Interesting)
If you're going to leak documents, take a photo and crank up the jpeg compression level to help hide the watermarks.
Re: (Score:2)
Or print on yellow paper.
Re: (Score:3)
Or just don't print in color.
Re:Take a photo (Score:5, Informative)
Or ask The Bruce: https://www.schneier.com/blog/... [schneier.com]
Re: (Score:2)
On secure printers that keep logs they might not have options for disabling the watermark that easily.
Re: (Score:2)
Nothing, the President of the United States has the authority to declassify anything at any time.
And thousands of government workers have the *ability* to declassify anything at any time... and most of the time they won't even get caught, so those in power should not disillusion those that work for them.
Re:Take a photo (Score:4, Interesting)
That's been standard process for many decades, but it's actually less likely now because it's harder to implement than these technological solutions, even though it's more likely to actually catch the party involved (because even if they take every precaution listed so far here, they'd still be caught simply by the wording used.)
Re: (Score:2)
That's been standard process for many decades, but it's actually less likely now because it's harder to implement than these technological solutions, even though it's more likely to actually catch the party involved (because even if they take every precaution listed so far here, they'd still be caught simply by the wording used.)
These technical solutions only matter if you see the copy somehow; the changing text is for when it is referenced by news media, in reports by foreign agencies and such. IIRC from a previous article, usually the base document is the same, but there are summaries that subtly swap words. They're also "juicy", hoping that you'll end up with direct quotes, since actual scans are usually rare because of the reasons above. Unlike, say, a movie, OCR to get a plaintext file is pretty destructive to all other clues.
Re: (Score:3)
They also don't allow top secret printouts to leave, but obviously they weren't too successful there. Why are you so sure they would be successful the other way?
Re: Take a photo (Score:2)
So certain are you, with black and white, it cannot be done.
If tptb can do this with colour printers, it can be done with black and white.
Re: (Score:2)
The days of walking out of a secure vault, making as many photocopies in the same building as could be carried in a briefcase per day should have ended in the 1970's given spying issues in the UK.
Lesson to learn (Score:2)
Do not use colour printers.
Re:Lesson to learn (Score:4, Informative)
"The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet."
Also, don't use your work computer or email account to send/receive emails to the organization you're leaking classified documents to.
Re: (Score:3)
Then again, they also (reportedly) gave away her location (Augusta GA) to the government person they were trying to verify the documents with.
Re: (Score:3, Insightful)
Then again, they also (reportedly) gave away her location (Augusta GA) to the government person they were trying to verify the documents with.
Wait, they have top secret government documents, and they're going to verify them with the government? And then give information of their source to the government? And then release the original photos of documents to the public? Did they also hand over the originals to the government so they could grab fingerprints and other forensic evidence off of them?
There is no excuse for how many failures the Intercept committed in protecting a formerly anonymous source. I'm going out on a limb here and say that thi
Yes - put in to stop counterfeiters (Score:2)
It seems in this case (Score:2)
Yellow, then orange (once convicted) is the new black
More Leaks than a Porcupine's Rain Coat (Score:2)
Re: (Score:2)
Well, this has been public knowledge for a while. Most famously, Tom Clancy wrote about it in Patriot Games. It usually comes up in real life when idiots try to print money with a desktop printer.
PDFs too? (Score:3)
1. make sure to take really really low quality scans only of sensitive printouts.
2. Use someone else's printer
3. The "swamp" being drained is evidently people who are reporting on wildly unethical things the government is doing.
Obligatory yes the last guy did it too. STFU and focus on the current abomination in office, maligning the last guy doesn't help anything more than you losing sleep at night.
Re: (Score:3)
3. The "swamp" being drained is evidently people who are reporting on wildly unethical things the government is doing.
Pray tell, what "wildly unethical things the government is doing" were uncovered by her leak? Is it unethical to have an ongoing investigation into hack attempts?
Re: (Score:2)
No, there are only very specific "classified approved printers", which always have the watermarking. You cannot just use any printer. She is an idiot for not realizing that.
"Reality Winner"?! (Score:3, Interesting)
As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries? "Reality Winner", just like somebody who won a reality show?!
Re: (Score:2)
[signed] Moon Unit, Diva, and Dweezil Zappa
FTFY.
Re: (Score:2)
[signed] Moon Unit, Diva, and Dweezil Zappa
That should read "Diva Muffin".
Re: (Score:2)
her parents are probably hippies
Re:"Reality Winner"?! (Score:5, Funny)
She should have kept it. Remember, everybody doesn't like something, but nobody doesn't like Sara Leigh...
Re: (Score:2)
She should have kept it. Remember, everybody doesn't like something, but nobody doesn't like Sara Leigh...
She probably got tired of people offering to eat her pie
Re: (Score:2)
I was acquainted with three brothers named James, Jim and Jimmy. Yes, this was in Georgia.
Re: (Score:2)
You'd be surprised what some parents name their kids. I was once responsible for uploading baby photos and one of the names was "Secret Angel" (first and middle name). This was long ago enough that Secret would be a teen now. Knowing how kids are, I can't help but feel sorry for all of the teasing she probably gets over her name.
Re: (Score:2)
I checked the US Census and as of 2010 there are 3,853 people with the last name Winner. The most babies named Reality in one year has been 17. I'm going to guess she is the only one with that combination.
They should have given her the middle name Show.
Re: (Score:2)
As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries? "Reality Winner", just like somebody who won a reality show?!
You know those subtle clues that let you know you're actually living in the Matrix? Like the same cat walking by twice in a row?
This is one of those -- except it's not a clue that we're living in The Matrix -- it's a clue that we're living in Idiocracy. Pass the Brawndo.
Re:"Reality Winner"?! (Score:5, Informative)
As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries?
Unlike, say, French, American English does not have a ruling body. It's whatever the speakers of it choose to say.
That includes names. You can call your child or yourself anything you choose - as long as you do not do so to defraud.
(My wife's career was blighted by an abusive father - a professor - who solicited name suggestions from his students. Though she is native born and a native speaker of American English, she missed out on a lot of job interviews because HR droids thought, from the name he hung on her, that she was a new immigrant who would have communication problems.)
If you go through a legal name change you may run into issues with not being able to switch your name to something that amounts to a title of nobility (due to Article 1, Section 9, Paragraph 8: "No Title of Nobility shall be granted by the United States: ..."). Immigration had a history of misapplying that to strip things like "von" from immigrants' names as they filled out their paperwork.
As for "socially acceptable", that depends on the prejudices of the particular social subgroups in question. Regardless of what they might think of neologisms labeling a person, any name from any established cultural group anywhere in the world is necessarily acceptable.
If Frank Zappa can name his son "Dweezil" and his daughter "Moon Unit", it's easy to see that anything goes. B-)
Re: (Score:2)
As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries? "Reality Winner", just like somebody who won a reality show?!
In most English-speaking countries it is considered socially offensive to complain about people's names. It is not socially acceptable to covet the naming of other people's babies, or if they changed their name, their own sense of self.
That's why the people doing it are also generally engaging in name-calling and other socially abhorrent behaviors. Polite people "don't go there." It is a basic and obvious matter of personal freedom.
Trusting The Intercept? (Score:5, Interesting)
While not everybody knows about the yellow dots, almost everybody involved with infosec does. How can The Intercept be trusted to hold or publish any leakers' information securely?
Was this one reporter who screwed up? Didn't he have a second person reviewing his work? Isn't there a team of people at The Intercept who discuss whistleblowing publications? Isn't anybody on such a team aware of digital privacy issues?
This will be a huge loss if The Intercept becomes useless as it was basically founded to handle stories like this. But given that, how could the outcome have been so bad in this case?
Re: (Score:2)
Possibly thought that anybody in infosec sending them this stuff would have already thought of that and cleaned or otherwise created a false trail. Still, I wonder if there is something they could get stuck with by destroying the originals that they get after transcribing them.
Maybe this was a false trail and the real informant is still at large...
Re: (Score:2)
He was framed, framed I tell you...
Re: (Score:3)
/. posted about it 11 years ago.
https://yro.slashdot.org/story... [slashdot.org]
I haven't seen much about it in a while so I suppose maybe people have just forgotten about it since then.
Re: (Score:2)
Heck, even under the relatively sane last administration, Snowden didn't seem to have much hope of remaining covert. He seems to have been extremely meticulous, careful, and well versed in remaining [theintercept.com]
Re: (Score:2)
She took an oath to uphold our national security and compromised it to cause political mischief.
I would like to hear more on this subject sir.
Way to go Reality. You really made a big difference.
LOL
Re: (Score:2)
People screwed up, news at 11.
Or (Score:2)
Or, get this, they checked the printer logs. You think the NSA doesn't already have a log of every document that every device prints?
SELECT user FROM printer_logs WHERE document_id = 'greased_up_yoda_doll.pdf'
Re: (Score:2)
They did... and noticed 6 people had printed the doc, one of which was Miss Winner... who later confessed to being the one who mailed it.
Re: (Score:2)
That's my point, they probably didn't need the microdots because they could already easily find which printer and when based on the document.
This wasn't the only way (Score:5, Informative)
While interesting, and certainly providing confirmation, this wasn't the primary mechanism that was used to track her down according to the affidavit. Before even IDing a specific printer, they simply looked for someone that had printed it out, period.
Internal auditing showed that only six employees had printed out the item in question. A search of the six computers showed that she had emailed The Intercept from her work computer (and that no one else had). Coded metadata just backs it up, but it's dumber than that.
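The two-step audit described in the post above (who printed the report, then which of those users also had mail contact with the outlet) is easy to reproduce against audit logs. The following is an added example in Python and is not any agency's tooling: the record format, user names, hostnames, document id and outlet domain are all constructed for the example, since the page says nothing about the real audit system's records.

```python
"""Correlate print-audit and mail-audit records to narrow a leak to a user (added example)."""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample logs. Format and every identifier are invented for this
# example; the real audit records are not described on the page.
PRINT_LOG = """\
2017-05-09T06:20:11Z event=print user=u1 host=ws-101 printer=xdc-7 doc=rpt-0051 pages=5
2017-05-09T08:02:37Z event=print user=u2 host=ws-102 printer=xdc-7 doc=rpt-0051 pages=5
2017-05-09T08:15:09Z event=print user=u3 host=ws-103 printer=xdc-9 doc=rpt-0051 pages=5
2017-05-09T09:40:51Z event=print user=u4 host=ws-104 printer=xdc-9 doc=rpt-0051 pages=5
2017-05-09T10:11:20Z event=print user=u5 host=ws-105 printer=xdc-7 doc=rpt-0051 pages=5
2017-05-09T13:55:02Z event=print user=u6 host=ws-106 printer=xdc-9 doc=rpt-0051 pages=5
2017-05-09T14:05:30Z event=print user=u7 host=ws-107 printer=xdc-7 doc=rpt-0099 pages=2
"""
MAIL_LOG = """\
2017-03-30T17:12:44Z event=mail user=u1 host=ws-101 dir=out rcpt=tips@newsoutlet.example subject="question about an article"
2017-04-02T09:30:00Z event=mail user=u4 host=ws-104 dir=out rcpt=alice@vendor.example subject="invoice"
2017-04-18T11:05:13Z event=mail user=u7 host=ws-107 dir=out rcpt=editor@newsoutlet.example subject="letter"
2017-05-01T08:00:00Z event=mail user=u1 host=ws-101 dir=in sender=tips@newsoutlet.example subject="re: question"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Dict[str, str]:
    """Split one 'timestamp k=v k="v with spaces" ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, value in KV.findall(rest):
        rec[key] = value.strip('"')
    return rec


def records(log: str) -> Iterable[Dict[str, str]]:
    for line in log.splitlines():
        if line.strip():
            yield parse(line)


def users_who_printed(print_log: str, doc: str) -> Set[str]:
    """Step one of the audit: everyone who sent this document to a printer."""
    return {r["user"] for r in records(print_log)
            if r.get("event") == "print" and r.get("doc") == doc}


def users_in_contact_with(mail_log: str, domain: str) -> Set[str]:
    """Step two: users with mail in either direction involving an address at `domain`."""
    hits = set()
    for r in records(mail_log):
        if r.get("event") != "mail":
            continue
        addr = r.get("rcpt") or r.get("sender") or ""
        if addr.lower().endswith("@" + domain.lower()):
            hits.add(r["user"])
    return hits


def narrow_down(print_log: str, mail_log: str, doc: str, domain: str) -> List[str]:
    """Printed the document AND corresponded with the outlet. Note that a user who
    only did one of the two (u7 mailed the outlet but printed a different report)
    drops out, which is why the intersection is the useful query."""
    return sorted(users_who_printed(print_log, doc) & users_in_contact_with(mail_log, domain))


if __name__ == "__main__":
    print(sorted(users_who_printed(PRINT_LOG, "rpt-0051")))
    print(sorted(users_in_contact_with(MAIL_LOG, "newsoutlet.example")))
    print(narrow_down(PRINT_LOG, MAIL_LOG, "rpt-0051", "newsoutlet.example"))
```

The intersection is the whole trick: six people printed the report and two people had mailed the outlet, but only one person did both. Nothing here depends on the yellow dots; they only confirm the printer and time afterwards.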
Re:This wasn't the only way (Score:5, Insightful)
How can someone work for the NSA and NOT be aware that they track everything? If I was an NSA leaker, I certainly wouldn't be e-mailing my leaks from my work computer/e-mail account. I'd set up a throwaway account (and even then would be looking over my shoulder every second).
Re: (Score:2, Insightful)
Diversity hire. Someone with her background definitely should not have received a Top Secret clearance.
Re:This wasn't the only way (Score:5, Informative)
How can someone work for the NSA and NOT be aware that they track everything?
She didn't work for the NSA; she was employed by a contractor that provides classified translation services, and apparently for that work had access to the NSA's network (either NSANet or JWICS, since SIPRnet is only Secret). Not realizing they track shows she isn't terribly bright.
If I was an NSA leaker, I certainly wouldn't be e-mailing my leaks from my work computer/e-mail account. I'd set up a throwaway account (and even then would be looking over my shoulder every second).
OK, she is VERY dumb. And I agree with your tactics - as a good first measure, but nowhere near all I would do.
Re: (Score:3)
How can someone work for the NSA and NOT be aware that they track everything?
One, she was a linguist, not a spook. Highly specialized individuals are often obtuse in matters outside their areas of expertise. If I needed brain surgery, I'd eagerly seek out the brilliant neurosurgeon Dr. Ben Carson. Likewise, I'd probably trust Ms. Winner to accurately translate a five-party Farsi dialogue in real time. I wouldn't want either of them advising me on matters of, say, agricultural food storage or information security.
Two, she was a contractor. The curriculum and rigor of the on-boarding
Re: (Score:3)
Epoxy is typically used to plug up ports. That's not a horrible idea restricting things to PS/2 keyboards and mice though... Certainly safer than letting badUSB load.
Re: (Score:2)
The printout itself was not exfiltrated. It was re-scanned and emailed.
Re:This wasn't the only way (Score:4, Informative)
USB drives should set off monitoring alerts. Plugging in a cell phone to charge, to a USB port, will likely get both devices confiscated. If the employer is following the rules. Portable electronic devices should not be allowed anywhere that has potential connections to secret information. Metal detectors and all.
There should be a review of internet logs, which would have revealed personal email access as described here. Most likely it was overlooked as harmless, or it happened to match a local exception set up as requested.
You people have no idea how this stuff works. It's free on disa.mil and private enterprise can implement most of these security protocols themselves.
It's not 100% foolproof, and it's a lot easier to identify a leaker than to stop one. But you need to do a lot of reading before commenting on this stuff.
It was inevitable (Score:2)
Once they figured out that the document was taken all they had to do was look and see who accessed the document. They did that and showed that 6 people printed the document. They did a forensic scan of all 6 desktops and found that one had a record of emailing the Intercept.
She was busted without needing the microdots at all. The only thing the microdots did was nail her ass to the wall. It was her own stupidity that put her against the wall to begin with.
Re: (Score:2)
And to think she worked for an Intel contractor. No wonder Russia, China and all these other people eat our lunch. The entire Intel community is incompetent. They leak like a sieve.
Re: (Score:2)
I would really hope you're wrong, however I have a bad feeling you're not....
Server Logs Busted This Idiot, Not Dots (Score:2)
This story makes quite a bit about "hidden" printer steganography. But the real way this idiot got caught was from server access and printer logs. The spooks narrowed it down to six people, only one of whom had contact with the Intercept.
How is it this person had a top secret clearance in the first place? She is "nice to look at"...
Re: (Score:2)
The mistake is not hers. The mistake is on the side of the Intercept. Sources usually do not know and cannot reasonably be expected to know how to protect themselves.
Re: (Score:3)
You are confused. "The Law" is not a description of "right" and "wrong".
If she had just... (Score:2, Funny)
Wikileaks (Score:2)
People never got caught because of them.
They share the whole thing and even work with newspapers that stab them in the back.
Fail (Score:2)
Failed to protect a source?!
Could have run it through GIMP, or a POS copier, converting to black-and-white, and messing with contrast settings, cropping out anywhere not needed, and vetting the images with a team of in-house experts before publication.
Could have faxed it low-rez,
Re: (Score:2)
Indeed. But these are all low-cost, low security approaches, as more sophisticated watermarks exist. What you want to do is manually copy the text by typing it in again if you want to be really sure. Even OCRing it has risks as some watermarks can survive that.
The really bad thing is that the yellow dots are a really old and well-known security measure introduced with digital color copiers to allow the tracing of counterfeit paper money to the machine it was printed on.
This is a pretty bad mess-up (Score:2)
The worst thing is not only that the Intercept was exceptionally careless, the worst thing is that this specific attack technique has been known for decades. It is used in color-printers to detect what machine paper-money (e.g.) was copied or printed on. My guess is this use here was just a side-effect.
Let's hope the Intercept fixes their act and goes back to manual copying (i.e. typing it in) for things where their sources really need to be protected.
For those who don't already know about it (Score:3)
Here is the EFF's guide on yellow dots [eff.org].
And it's not in any way limited to Xerox [eff.org].
You can test it yourself by photographing a piece of paper from a suspect printer, loading it into the GIMP and showing just the blue channel. The "yellow" dots will show up as a darker shade of blue than the surrounding page.
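The blue-channel trick in the comment above, worked through as an added example (my code, not the EFF's or the commenter's): it builds a synthetic page image in plain Python (no PIL or numpy needed), masks the pixels whose blue value is low while red and green stay high (that second condition is what separates a faint yellow dot from black toner, which is also dark in blue), flood-fills the mask into blobs and snaps the blob centroids to a grid. The page image, colours, dot pitch and origin are constructed; on a real scan you would read the pixels from the image file, measure the pitch from the dot spacing and deskew before snapping to cells.

```python
"""Find faint yellow tracking dots in a scanned page via the blue channel (added example)."""
from typing import List, Set, Tuple

Pixel = Tuple[int, int, int]          # (R, G, B), 0..255
Image = List[List[Pixel]]             # image[y][x]

# Constructed colours for the synthetic test page.
PAPER: Pixel = (253, 251, 247)        # scanned white paper
YELLOW_DOT: Pixel = (248, 244, 195)   # faint yellow: red/green high, blue clearly lower
BLACK_TEXT: Pixel = (20, 20, 20)      # toner: low in every channel, must not count as a dot


def make_page(width: int, height: int, dots: Set[Tuple[int, int]],
              origin: Tuple[int, int] = (10, 10), pitch: int = 4, radius: int = 1,
              text_at: Tuple[int, int, int] = (30, 4, 8)) -> Image:
    """Synthesise a page: a dot grid at `origin` with the given pitch, plus a run of black 'text'."""
    img = [[PAPER for _ in range(width)] for _ in range(height)]
    for row, col in dots:
        cy, cx = origin[1] + row * pitch, origin[0] + col * pitch
        for dy in range(-radius, radius + 1):
            for dx in range(-radius, radius + 1):
                img[cy + dy][cx + dx] = YELLOW_DOT
    ty, x_start, x_end = text_at
    for x in range(x_start, x_end):
        img[ty][x] = BLACK_TEXT
    return img


def dot_mask(img: Image, blue_below: int = 230, rg_above: int = 200) -> List[List[bool]]:
    """Yellow absorbs blue, so a dot is a pixel whose blue is low while red and green
    stay high; the red/green test is what keeps black text out of the mask."""
    return [[(px[2] < blue_below and px[0] > rg_above and px[1] > rg_above) for px in row]
            for row in img]


def find_blobs(mask: List[List[bool]]) -> List[Tuple[float, float]]:
    """4-connected flood fill over the mask; returns each blob's centroid as (y, x)."""
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    centroids = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x] or seen[y][x]:
                continue
            stack, pts = [(y, x)], []
            seen[y][x] = True
            while stack:
                cy, cx = stack.pop()
                pts.append((cy, cx))
                for ny, nx in ((cy - 1, cx), (cy + 1, cx), (cy, cx - 1), (cy, cx + 1)):
                    if 0 <= ny < h and 0 <= nx < w and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        stack.append((ny, nx))
            centroids.append((sum(p[0] for p in pts) / len(pts),
                              sum(p[1] for p in pts) / len(pts)))
    return centroids


def to_grid(centroids: List[Tuple[float, float]], pitch: int) -> Set[Tuple[int, int]]:
    """Snap centroids to (row, col) cells relative to the top-most and left-most dots.
    Assumes an axis-aligned scan; a rotated or skewed page needs deskewing first."""
    if not centroids:
        return set()
    y0 = min(y for y, _ in centroids)
    x0 = min(x for _, x in centroids)
    return {(round((y - y0) / pitch), round((x - x0) / pitch)) for y, x in centroids}


# Constructed grid: a handful of cells, including one in row 0 and one in column 0.
SAMPLE_DOTS = {(0, 0), (0, 3), (1, 1), (2, 0), (2, 2), (3, 3)}

if __name__ == "__main__":
    page = make_page(40, 40, SAMPLE_DOTS)
    found = to_grid(find_blobs(dot_mask(page)), pitch=4)
    print(sorted(found))
```

The thresholds are the fragile part: scanner white balance and paper colour shift the blue value of the page itself, so on a real scan pick `blue_below` from the page's own blue histogram rather than from a constant.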
Re: (Score:2)
Okis don't. Per the EFF.
Re: (Score:2)
It's not just you. One of the headlines on Google News right up top was "Who is Reality Winner?" I kept wondering why Google News would put reality TV show news at the top of my feed. "I don't care who won the latest Reality TV show... Just tell me about the NSA leaking story." It's like a bad version of Who's On First.
Re: Reality Winner (Score:5, Insightful)
Sadly, she is being charged under the Espionage Act. There is no defense, no mitigating circumstances, and she will spend many long years in prison as an example. Even if you disagree with her actions, this sounds inappropriate. Like the Soviet Union or China.
Re: (Score:3)
With THIS supreme Court however, she won't even get a hearing, even if Trump is finally implicated, impeached, convicted, tried, convicted and hanged.
Re: (Score:3)
She did nothing but to serve her own interests of hating the President.
Re: (Score:2)
Ask a lawyer
Lack of demonstrations of intent where intent is part of the statutory definition = no crime.
Re: (Score:3)
Trey Gowdy on Hillary emails [youtube.com]
He talks about intent around 1:55, but the lead up is not bad either. They chose to pretend there was no intent. There was proof of intent, but no prosecutor to prosecute her.
Re: (Score:2)
Even worse she worked for an NSA contractor. So she's incompetent as well. Of all people someone working in Intel should know about those watermarks, they have been around for over a decade. But Black? I've seen her picture and it's always possible she has black ancestors but you'd never know it from her picture. Maybe Black like Rachel Dolezal?
Re: (Score:2)
I can't believe no one here is being more skeptical of this. The contractor and the Intercept should have known about the watermarks. All they had to do was transcribe the documents into a plain text document. In addition, there is no actual information revealed other than again supposed hacking, without any information on what that hacking did before or during the election. Nothing about what systems were compromised, or what became of that. Why do I think that "Reality" is not going to jail? Because she w
Re: (Score:3)
You're right to be sceptical. Maybe most of the sceptics aren't bothering to post, for whatever reason.
Oh fuck aye. Of course they should, if they were competent at InfoSec, and had been aware for the 15-odd years that this technology has been deployed.
Ah, you don't understand how it works. There is nothi
Re:Reality Winner (Score:4, Informative)
> and picked a more socially acceptable name
Her birth name is Sara, not "Reality". She chose to be Reality Winner instead of the normal name her parents had chosen.
Re: (Score:2)
I wouldn't bet my freedom on it.
Re: (Score:2)
List of Printers Which Do or Do Not Display Tracking Dots
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
FWIW, there is a strong belief that in black and white, similar data is encoded steganographically.
As an example as to how that can be accomplished, intrinsically, all common laser printers exhibit banding artifacts. A horizontal projection of the printed image followed by some frequency analysis shows characteristic peaks created by the gear-train mechanisms. Careful modulation of the micro-feeds with steganographic encoded data can introduce other embedded frequency peaks that appear as common intrinsic
Re: (Score:2)
Moral: Never publish an analog copy made by an untrusted device. There is just too much unused bandwidth that can be used to embed something.
Re: (Score:2)
I agree that it will not stop. As long as decent people are around, information that the government would keep secret to hide its dirty laundry will get leaked. Fortunately, no government in history has ever managed to get rid of decent people, despite most of them having tried.