Slashdot Mirror


How a Few Yellow Dots Burned the Intercept's NSA Leaker (arstechnica.com)

On Monday, news outlet The Intercept released documents on election tampering from an NSA leaker. The documents revealed that a Russian intelligence operation sent spear-phishing emails to more than 100 local election officials days before the election, which ran through a hack of a U.S. voting software supplier. Hours later, the Department of Justice charged 25-year-old government contractor Reality Leigh Winner with sharing top secret material with the media. The DoJ said Winner had "printed and improperly removed classified intelligence reporting, which contained classified national defense information" before mailing the materials. But how could the DoJ know that it was Winner who had printed the documents, or that the documents were printed at all? ArsTechnica explains: [...] The Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed -- and it included encoded watermarking that revealed exactly when it had been printed and on what printer. The watermarks in the scanned document The Intercept published yesterday were from a Xerox Docucolor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218. Further reading: How The Intercept Outed Reality Winner.
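
The grid decoding described in the summary, as an added example that is not part of the original post and is not the EFF's tool: it builds and then reads an 8x15 dot grid with odd parity in the top row and leftmost column. The column meanings are an assumption taken from the EFF's published DocuColor analysis, and the sample grid is constructed from the date, time and serial number quoted above rather than transcribed from the published scan.

```python
# Added illustration: DocuColor-style tracking-dot grid (8 rows x 15 columns).
# Column meanings (1 = leftmost) are an assumption taken from the EFF write-up.
FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLS = (14, 13, 12, 11)   # two decimal digits per column
ROWS, COLS = 8, 15               # top row and leftmost column carry parity

def encode(values):
    """Build a dot grid (1 = yellow dot) from {column: 0..127}, with odd parity."""
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, val in values.items():
        for r in range(1, ROWS):             # rows 2..8 weigh 64, 32, ..., 1
            grid[r][col - 1] = (val >> (ROWS - 1 - r)) & 1
    for r in range(1, ROWS):                 # leftmost column: row parity
        grid[r][0] = 1 - sum(grid[r][1:]) % 2
    for c in range(COLS):                    # top row: column parity
        grid[0][c] = 1 - sum(grid[r][c] for r in range(1, ROWS)) % 2
    return grid

def column_value(grid, col):
    """Read one column top to bottom as a 7-bit number, skipping the parity row."""
    return sum(grid[r][col - 1] << (ROWS - 1 - r) for r in range(1, ROWS))

def parity_errors(grid):
    """Return (rows, columns), 1-based, whose dot count is not odd."""
    bad_rows = [r + 1 for r in range(1, ROWS) if sum(grid[r]) % 2 == 0]
    bad_cols = [c + 1 for c in range(COLS) if sum(row[c] for row in grid) % 2 == 0]
    return bad_rows, bad_cols

def decode(grid):
    """Recover print time and serial; parity_errors pinpoints a misread dot."""
    out = {name: column_value(grid, col) for name, col in FIELDS.items()}
    out["serial"] = "".join(f"{column_value(grid, c):02d}" for c in SERIAL_COLS)
    out["parity_errors"] = parity_errors(grid)
    return out

# Constructed sample: the values quoted in the summary (May 9, 2017, 6:20,
# serial 29535218), not dots transcribed from the published scan.
SAMPLE_VALUES = {2: 20, 5: 6, 6: 9, 7: 5, 8: 17, 11: 18, 12: 52, 13: 53, 14: 29}

if __name__ == "__main__":
    grid = encode(SAMPLE_VALUES)
    for row in grid:
        print("".join("o" if dot else "." for dot in row))
    print(decode(grid))
    grid[3][5] ^= 1                          # simulate one dot lost in scanning
    print(parity_errors(grid))
```

In this layout, leaving out serial column 14 yields 535218, the shorter of the two serial readings quoted in the summary. A single misread dot shows up as exactly one bad row and one bad column, which locates it.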

8 of 308 comments

  1. This wasn't the only way by Etcetera · · Score: 5, Informative

    While interesting, and certainly providing confirmation, this wasn't the primary mechanism that was used to track her down according to the affidavit. Before even IDing a specific printer, they simply looked for someone that had printed it out, period.

    Internal auditing showed that only six employees had printed out the item in question. A search of the six computers showed that she had emailed The Intercept from her work computer (and that no one else had). Coded metadata just backs it up, but it's dumber than that.

    1. Re:This wasn't the only way by dunkindave · · Score: 4, Informative

      > How can someone work for the NSA and NOT be aware that they track everything?

      She didn't work for the NSA; she was employed by a contractor that provides classified translation services, and apparently for that work had access to the NSA's network (either NSANet or JWICS since SIPRnet is only secret). Not realizing they track shows she isn't terribly bright.

      > If I was an NSA leaker, I certainly wouldn't be e-mailing my leaks from my work computer/e-mail account. I'd set up a throwaway account (and even then would be looking over my shoulder every second).

      OK, she is VERY dumb. And I agree with your tactics - as a good first measure, but nowhere near all I would do.

    2. Re:This wasn't the only way by Bite The Pillow · · Score: 3, Informative

      USB drives should set off monitoring alerts. Plugging in a cell phone to charge, to a USB port, will likely get both devices confiscated. If the employer is following the rules. Portable electronic devices should not be allowed anywhere that has potential connections to secret information. Metal detectors and all.

      There should be a review of internet logs, which would have revealed personal email access as described here. Most likely it was overlooked as harmless, or it happened to match a local exception set up as requested.

      You people have no idea how this stuff works. It's free on disa.mil and private enterprise can implement most of these security protocols themselves.

      It's not 100% foolproof, and it's a lot easier to identify a leaker than to stop it. But you need to do a lot of reading before commenting on this stuff.

  2. Re:Take a photo by PolygamousRanchKid+ · · Score: 5, Informative
    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  3. Re:Lesson to learn by s_p_oneil · · Score: 3, Informative

    "The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet."

    Also, don't use your work computer or email account to send/receive emails to the organization you're leaking classified documents to.

  4. Re:"Reality Winner"?! by Ungrounded Lightning · · Score: 4, Informative

    > As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries?

    Unlike, say, French, American English does not have a ruling body. It's whatever the speakers of it choose to say.

    That includes names. You can call your child or yourself anything you choose - as long as you do not do so to defraud.

    (My wife's career was blighted by an abusive father - a professor - who solicited name suggestions from his students. Though she is native born and a native speaker of American English, she missed out on a lot of job interviews because HR droids thought, from the name he hung on her, that she was a new immigrant who would have communication problems.)

    If you go through a legal name change you may run into issues with not being able to switch your name to something that amounts to a title of nobility (due to article 1 section 9 paragraph 8: "No Title of Nobility shall be granted by the United States: ..."). Immigration had a history of misapplying that to strip things like "von" from immigrants' names as they filled out their paperwork.

    As for "socially acceptable", that depends on the prejudices of the particular social subgroups in question. Regardless of what they might think of neologisms labeling a person, any name from any established cultural group anywhere in the world is necessarily acceptable.

    If Frank Zappa can name his son "Dweezil" and his daughter "Moon Unit", it's easy to see that anything goes. B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. Re:Reality Winner by Anonymous Coward · · Score: 4, Informative

    > and picked a more socially acceptable name

    Her birth name is Sara, not "Reality". She chose to be Reality Winner instead of the normal name her parents had chosen.

  6. Re:Take a photo by Koby77 · · Score: 4, Informative

    Nothing, the President of the United States has the authority to declassify anything at any time.