How a Few Yellow Dots Burned the Intercept's NSA Leaker (arstechnica.com)
On Monday, news outlet The Intercept released documents on election tampering from an NSA leaker. The documents revealed that a Russian intelligence operation sent spear-phishing emails to more than 100 local election officials days before the election, after compromising a U.S. voting software supplier. Hours later, the Department of Justice charged 25-year-old government contractor Reality Leigh Winner with sharing top secret material with the media. The DoJ said Winner had "printed and improperly removed classified intelligence reporting, which contained classified national defense information" before mailing the materials. But how could the DoJ know that it was Winner who had printed the documents, or that the documents were printed at all? Ars Technica explains: [...] The Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed -- and it included encoded watermarking that revealed exactly when it had been printed and on what printer. The watermarks in the scanned document The Intercept published yesterday were from a Xerox Docucolor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the EFF's tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218. Further reading: How The Intercept Outed Reality Winner.
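The summary above says the dots form a grid that encodes a timestamp and a serial number. The following is an added example, not code from Ars, the EFF or The Intercept, showing how such a grid is read and why a parity check matters before trusting a decode from a noisy scan. The layout is modelled on the EFF's published DocuColor decoding guide as transcribed here and should be checked against that guide before use on a real scan: 8 rows by 15 columns, rows 2-8 of a column holding a 7-bit value, row 1 and column 1 carrying parity dots. Which columns make up the serial number is an assumption; the optional leading pair is the same ambiguity that produced the "535218 or 29535218" reading. The sample grid is constructed to encode the values Ars reported.

```python
"""Decode a DocuColor-style yellow-dot grid (added example, layout assumed).

Rows 2-8 of a column hold a 7-bit value (MSB in row 2); row 1 is a parity dot
giving every column an odd dot count; column 1 is a parity dot giving each of
rows 2-8 an odd dot count. Verify this layout against the EFF guide.
"""
from datetime import datetime

ROWS, COLS = 8, 15

# 0-based column -> field. Every field is a decimal value 0..127, so the serial
# number reads out as two digits per column. The column set is an assumption.
FIELDS = {
    1: "minute",
    4: "hour",
    5: "day",
    6: "month",
    7: "year",        # two-digit year; 2000 is added on decode
    8: "separator",   # constant: all seven data dots set
    9: "serial_hi",   # ambiguous leading pair ("535218 or 29535218")
    10: "serial_0",
    11: "serial_1",
    12: "serial_2",
}


def encode(values):
    """Build the dot grid for the given field values.

    Constructed so the decoder has something to work on; on a real printer
    the firmware lays these dots down invisibly at print time.
    """
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, name in FIELDS.items():
        value = values[name]
        if not 0 <= value < 128:
            raise ValueError(f"{name}={value} does not fit in 7 bits")
        for bit in range(7):
            grid[1 + bit][col] = (value >> (6 - bit)) & 1
    # Column 1: give each data row (rows 2-8) an odd number of dots.
    for r in range(1, ROWS):
        grid[r][0] = 1 - sum(grid[r][1:]) % 2
    # Row 1: give every column an odd number of dots.
    for c in range(COLS):
        grid[0][c] = 1 - sum(grid[r][c] for r in range(1, ROWS)) % 2
    return grid


def parity_errors(grid):
    """1-based columns/rows whose dot count is even: scan noise or damage."""
    bad = []
    for c in range(COLS):
        if sum(grid[r][c] for r in range(ROWS)) % 2 == 0:
            bad.append(f"column {c + 1}")
    for r in range(1, ROWS):
        if sum(grid[r]) % 2 == 0:
            bad.append(f"row {r + 1}")
    return bad


def column_value(grid, col):
    """Read the 7-bit value stored in rows 2-8 of a column (row 2 is the MSB)."""
    return sum(grid[1 + bit][col] << (6 - bit) for bit in range(7))


def decode(grid):
    """Parity-check the grid, then return the print timestamp and serial candidates."""
    errors = parity_errors(grid)
    if errors:
        raise ValueError("parity failure in " + ", ".join(errors))
    v = {name: column_value(grid, col) for col, name in FIELDS.items()}
    printed = datetime(2000 + v["year"], v["month"], v["day"], v["hour"], v["minute"])
    short = "".join(f"{v[k]:02d}" for k in ("serial_0", "serial_1", "serial_2"))
    return {
        "printed": printed.strftime("%Y-%m-%d %H:%M"),
        "serial_short": short,
        "serial_long": f"{v['serial_hi']:02d}{short}",
    }


def flip(grid, row, col):
    """Copy of the grid with one dot toggled, simulating a scan artifact."""
    out = [r[:] for r in grid]
    out[row][col] ^= 1
    return out


def render(grid):
    """ASCII view of the grid: '*' is a yellow dot, '.' is blank paper."""
    return "\n".join("".join("*" if d else "." for d in row) for row in grid)


# Constructed sample carrying the values Ars reported for the leaked document.
SAMPLE = encode({
    "minute": 20, "hour": 6, "day": 9, "month": 5, "year": 17, "separator": 127,
    "serial_hi": 29, "serial_0": 53, "serial_1": 52, "serial_2": 18,
})

if __name__ == "__main__":
    print(render(SAMPLE))
    print(decode(SAMPLE))
    try:
        decode(flip(SAMPLE, 3, 5))
    except ValueError as exc:
        print("damaged grid:", exc)
```

The parity dots are what let an analyst tell a genuine grid from a speck of toner: a single stray or missing dot fails both its row and its column, so a decode that passes parity on several repeats of the pattern across the page is far more credible than one read from a lone grid.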
Millennial Alert!!!
If you're going to leak documents, take a photo and crank up the jpeg compression level to help hide the watermarks.
Your color printer does it too. Treacherous hardware.
Do not use colour printers.
#DeleteFacebook
Yellow, then orange (once convicted) is the new black
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Okay, who leaked the information about how they spotted the leak source?
-Bob-
Dang. Found on the PDF scans even though you can't see them. Lessons learned:
1. Make sure to take really, really low quality scans only of sensitive printouts.
2. Use someone else's printer
3. The "swamp" being drained is evidently people who are reporting on wildly unethical things the government is doing.
Obligatory yes the last guy did it too. STFU and focus on the current abomination in office, maligning the last guy doesn't help anything more than you losing sleep at night.
As a non-native english speaker, I ask: is this an actual, socially acceptable name in english-speaking countries? "Reality Winner", just like somebody who won a reality show?!
While not everybody knows about the yellow dots, almost everybody involved with infosec does. How can The Intercept be trusted to hold or publish any leakers' information securely?
Was this one reporter who screwed up? Didn't he have a second person reviewing his work? Isn't there a team of people at The Intercept who discuss whistleblowing publications? Isn't anybody on such a team aware of digital privacy issues?
This will be a huge loss if The Intercept becomes useless as it was basically founded to handle stories like this. But given that, how could the outcome have been so bad in this case?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Or, get this, they checked the printer logs. You think the NSA doesn't already have a log of every document that every device prints?
SELECT user FROM printer_logs WHERE document_id = 'greased_up_yoda_doll.pdf'
Your hair look like poop, Bob! - Wanker.
While interesting, and certainly providing confirmation, this wasn't the primary mechanism that was used to track her down according to the affidavit. Before even IDing a specific printer, they simply looked for someone that had printed it out, period.
Internal auditing showed that only six employees had printed out the item in question. A search of the six computers showed that she had emailed The Intercept from her work computer (and that no one else had). Coded metadata just backs it up, but it's dumber than that.
Hire a Linux system administrator, systems engineer,
I remember this is how they caught the BTK killer too, he had printed a letter to police from a church office.
For the last hour I've been trying to figure out the leakers name and what reality show they won.
Once they figured out that the document was taken all they had to do was look and see who accessed the document. They did that and showed that 6 people printed the document. They did a forensic scan of all 6 desktops and found that one had a record of emailing the Intercept.
She was busted without needing the microdots at all. The only thing the microdots did was nail her ass to the wall. It was her own stupidity that put her against the wall to begin with.
I was shocked at first when I saw her photo, but now it all makes sense
Sure... it was the yellow dots - not her confession on a Saturday.
Please stop with speculative nonsense stories.
Even the arstechnica story cited says:
"The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet."
Yes, the document was watermarked - and shame on the Intercept for not catching it and removing it - but it's not necessarily the way she was caught.
List of Printers Which Do or Do Not Display Tracking Dots
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
There are several articles on this. One of stories says the investigators called up everyone who printed the document, it was only a few people. They checked emails and found the individual among the few that had accessed/printed and had email contact with the news agency that had the leaked document. No dots forensic need be required if there are print/access logs. So while the dots make for a more sensational story it may not have been the dots that actually caught the leaker.
Ah, the Intercept... founded by our dear friend Pierre Omidyar.. Of course they have no agenda.
*Leaker leaks fake planted documents*
Gee? How old is that trick?
The EFF decoded the dots years ago.
This story makes quite a bit about "hidden" printer steganography. But the real way this idiot got caught was from server access and printer logs. The spooks narrowed it down to six people, only one of which had contact with the Intercept.
How is it this person had a top secret clearance in the first place? She is "nice to look at"...
If you want news from today, you have to come back tomorrow.
I wouldn't bet my freedom on it.
this is obviously either fake news OR a fake person they are saying got caught
I don't think that there's much difference in appearance between holders of clearances and those who don't. I suppose physical attractiveness might have some correlation to things that are important in the clearance getting process:
1) if you are "the Elephant Man" and in a locked basement all the time, you'll have fewer potential connections to investigate
conversely,
2) clearance investigations are all about figuring out what kind of person you are from talking to people who know you. Attractive people know more people, so there's more people to talk to about their activities.
and then
3) is attractiveness correlated to participating in activities that make you "not clearable"? Yeah, the mugshots of people arrested for meth sales are often pretty unattractive, but then, those people probably aren't applying for clearances in the first place.
They all can do watermarks; they can even detect when you place money in them, and will mess your printer up in ways that, when you take it in, the repair guy knows what you've been up to.
Adobe Photoshop post-version 7 is also in on this.
They've got all the angles covered.
You need to go back to XP-days hardware and software to be, um, er, safer.
IIRC, they put this tech in to stop counterfeiters from printing HQ currency with color laser printers. At least this invasive, Big Brother-like technology was used for a good purpose this time.
If she had just put the documents down her pants like Sandy Berger did, this would be a much more interesting story!
"I say we take off, nuke the site from orbit. It's the only way to be sure."
People never got caught because of them.
They share the whole thing and even work with newspapers that stab them in the back.
I always check SchneierFacts
https://www.schneierfacts.com/
Back in the day, we used a scanner with a red light instead of white to scan in forms printed with red ink. This way only the handwritten information would be scanned in, making the files smaller.
Using a yellow backlight should eliminate any such watermark--providing only yellow is used.
RRK
I was shocked at first when I read your post, but now it all makes sense.
List of Printers Which Do or Do Not Display Tracking Dots
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
A very limited list.
Printing on yellow paper might not work, as the dye in the paper might reflect different parts of the spectrum than the dye in the printer ink (or pigment; not sure if this was color laser or ink jet). Exposing the paper to specific wavelengths of light (much more narrow than that produced by a blue LED) could still bring out the dots that came from the printer.
Another solution (and I welcome attacks on this idea) would be to print on paper on which you had previously printed random yellow dot patterns covering the entire page, from the same make/model of printer, but of course not on the NSA's network where every job is logged.
Failed to protect a source?!
Could have run it through GIMP, or a POS copier, converting to black-and-white, and messing with contrast settings, cropping out anywhere not needed, and vetting the images with a team of in-house experts before publication.
Could have faxed it low-rez, black-and-white, within the news office, to another in-house fax, and used the poor-quality fax image in publication, to also help wipe any tracers.
Ugh!
Uh, Linux geek since 1999.
lol, I have the one HP with a no.
On the other hand, it is the biggest, noisiest beast for what you get when you eventually get it. Also old enough HP doesn't even make toner anymore and they don't give up easily :(
She should have just openly taken a copy of the document, posted it to her private server, and demanded the Hillary treatment!
Remove the originals, then put some other pattern. This opens up a new level of trolling possibility. So you can annoy someone at the other side of the world?
List of Printers Which Do or Do Not Display Tracking Dots
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
FWIW, there is a strong belief that in black and white, similar data is encoded steganographically.
As an example as to how that can be accomplished, intrinsically, all common laser printers exhibit banding artifacts. A horizontal projection of the printed image followed by some frequency analysis shows characteristic peaks created by the gear-train mechanisms. Careful modulation of the micro-feeds with steganographically encoded data can introduce other embedded frequency peaks that appear as common intrinsic banding artifacts.
Even without embedded stegano data, a forensic fingerprint of the printer's banding can usually be extracted from a BW printed document and compared to the one confiscated with a search warrant. Of course a sparse text page makes the signal harder to extract in BW, but a few well-placed border lines, or an embedded continuous tone image (which can have additional embedded signals placed into it via the half-toning algorithm on the printer) would make it a dead giveaway.
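The banding pipeline the comment above describes (horizontal projection, then frequency analysis, then compare peaks between a questioned page and a seized printer) as an added example; this is not the commenter's code. The "scanned page" is a constructed stand-in: a uniform half-tone patch with a sinusoidal density ripple at an assumed gear period plus Gaussian noise, so the only thing being demonstrated is the analysis, not real printer behaviour. A plain DFT is used to keep it dependency-free.

```python
"""Fingerprint a laser printer from its banding (added example, constructed data)."""
import cmath
import math
import random


def synth_page(rows, cols, band_period, band_depth=0.05, seed=1):
    """Constructed gray-level page (1.0 = white) of a uniform half-tone patch.

    A gear in the feed train is assumed to leave a density ripple every
    `band_period` rows; per-pixel Gaussian noise stands in for scanner noise.
    """
    rng = random.Random(seed)
    page = []
    for y in range(rows):
        ripple = band_depth * math.sin(2 * math.pi * y / band_period)
        page.append([min(1.0, max(0.0, 0.5 + ripple + rng.gauss(0, 0.02)))
                     for _ in range(cols)])
    return page


def horizontal_projection(page):
    """Mean gray level of each row: one sample per row of paper travel."""
    return [sum(row) / len(row) for row in page]


def spectrum(signal):
    """Magnitude of the DFT of the mean-removed signal for bins 1..n/2-1.

    O(n^2) on purpose so the example has no dependencies; use numpy.fft on
    real scans.
    """
    n = len(signal)
    mean = sum(signal) / n
    x = [s - mean for s in signal]
    out = []
    for k in range(1, n // 2):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        out.append((k, abs(acc)))
    return out


def dominant_period(page):
    """Banding period in rows: the spectral bin with the largest magnitude."""
    proj = horizontal_projection(page)
    k, _ = max(spectrum(proj), key=lambda km: km[1])
    return len(proj) / k


def same_printer(page_a, page_b, tolerance=1.0):
    """Crude match: dominant banding periods agree within `tolerance` rows."""
    return abs(dominant_period(page_a) - dominant_period(page_b)) <= tolerance


if __name__ == "__main__":
    suspect = synth_page(512, 64, band_period=32)
    seized = synth_page(512, 64, band_period=32, seed=7)
    other = synth_page(512, 64, band_period=64, seed=3)
    print("suspect period:", dominant_period(suspect))
    print("matches seized printer:", same_printer(suspect, seized))
    print("matches unrelated printer:", same_printer(suspect, other))
```

A real comparison keys on the whole set of gear-train peaks and their relative amplitudes, not a single period, and needs the questioned page and the exemplar scanned at the same resolution so the periods line up in rows.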
All this talk about how the documents were leaked and very little talk about what is in them. The Russians hacked our voting machines! That is the story here.
Yeah, that's not what Hillary did.
These leakers need to get a clear message that it is not acceptable, this kind of breach of secrecy must be punished. I think they should also sanction the register for publishing what was known to be a secret document. Like sue them for damages or something. We seem to have a disease and unless they start addressing it more seriously it will not stop.
The worst thing is not only that the Intercept was exceptionally careless, the worst thing is that this specific attack technique has been known for decades. It is used in color-printers to detect what machine paper-money (e.g.) was copied or printed on. My guess is this use here was just a side-effect.
Lets hope the Intercept fixes their act and goes back to manual copying (i.e. typing it in) for things where their sources really need to be protected.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Moral: Never publish an analog copy made by an untrusted device. There is just too much unused bandwidth that can be used to embed something.
There I said it. Now everyone talking shit about the law can go fuck yourself. FREE WINNER! IMPEACH LITTLE FINGERS! CAFEFE BITCHES!
Here is the EFF's guide on yellow dots.
And it's not in any way limited to Xerox.
You can test it yourself by photographing a piece of paper from a suspect printer, loading it into the GIMP and showing just the blue channel. The "yellow" dots will show up as a darker shade of blue than the surrounding page.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
I was going to ask 'shoulda arrested Hillary,' but your post made a very good point.
Gawd, I wish I was clever enough to make Reality jokes...
Right, she just had uncleared people print everything for her.
The document wasn't scanned at high enough resolution to properly show the yellow dots. They are single pixels.
Winner, Winner Chicken dinner.
In GOD we trust, all others we monitor.
You may be interested to hear that Hillary lost the election and is no longer in any position of power. Perhaps you'd like to talk about the guy in the White House, or does he embarrass you so much that Hillary is still your only talking point?
Print greyscale. Fax. Print greyscale at 80% size.
Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable.
Moral: Buy Chinese.
That is why you photocopy with a black and white rough copier (say 10-15 years old) all documents and use that to be published. After that your yellow dots are invisible.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Leak revealed alleged hacking.. I don't see the word alleged in the post. Bad form, op.
The leaker could have built one of these and gone about the leaker's daily business for weeks with it in his breast pocket, raising no suspicions whatsoever.
"what's that thing?"
"Fitness tracker"
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
The yellow dots theory is interesting, but The Intercept shared a copy with the government, which I presume was a scan or a photocopy of the original. Maybe their scanners & copiers are much better than mine but those yellow dots are really tiny. Would they survive a scan or photocopy intact?
Check out this copy of the search warrant which discusses a different method of how they identified her:
https://d3vv6lp55qjaqc.cloudfr...
Starting on page 11, they describe:
"Government Agency conducted an internal audit to determine who had accessed the intelligence reporting since its publication ... determined that six individuals had printed this reporting"
"A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the news outlet."
Sounds like they saw a crease in the copy provided by TI which clued them in that it was a printer & identified her from there.
Unnecessarily complicated. For a document sent as text+layout information, then you could do things like messing with the horizontal character spacing to encode data. For images, ... hmm, that's harder. But I'm sure still doable.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Overall the dots don't really prove any wrongdoing. Just because someone printed it, doesn't mean they're the one who took it and mailed it to someone who shouldn't have it.