Slashdot Mirror


How a Few Yellow Dots Burned the Intercept's NSA Leaker (arstechnica.com)

On Monday, news outlet The Intercept released documents on election tampering from an NSA leaker. The documents revealed that a Russian intelligence operation sent spear-phishing emails to more than 100 local election officials days before the election, which ran through a hack of a U.S. voting software supplier. Hours later, the Department of Justice charged 25-year-old government contractor Reality Leigh Winner with sharing top secret material with the media. The DoJ said Winner had "printed and improperly removed classified intelligence reporting, which contained classified national defense information" before mailing the materials. But how could the DoJ know that it was Winner who had printed the documents, or that the documents were printed at all? ArsTechnica explains: [...] The Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed -- and it included encoded watermarking that revealed exactly when it had been printed and on what printer. The watermarks in the scanned document The Intercept published yesterday were from a Xerox Docucolor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation have reverse-engineered the grid pattern employed by this class of printer; using the tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20am from a printer with the serial number 535218 or 29535218. Further reading: How The Intercept Outed Reality Winner.

41 of 308 comments

  1. Take a photo by hawguy · · Score: 3, Interesting

    If you're going to leak documents, take a photo and crank up the jpeg compression level to help hide the watermarks.

    1. Re:Take a photo by DaHat · · Score: 2

      Or just don't print in color.

    2. Re:Take a photo by PolygamousRanchKid+ · · Score: 5, Informative
      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Take a photo by green1 · · Score: 2

      They also don't allow top secret printouts to leave, but obviously they weren't too successful there. Why are you so sure they would be successful the other way?

    4. Re:Take a photo by green1 · · Score: 3, Interesting

      That's been standard process for many decades, but it's actually less likely now because it's harder to implement than these technological solutions, even though it's more likely to actually catch the party involved (because even if they take every precaution listed so far here, they'd still be caught simply by the wording used.)

    5. Re:Take a photo by Train0987 · · Score: 3, Insightful

      Or maybe don't leak classified information that you're sworn to protect in the first place?

    6. Re:Take a photo by Bodhammer · · Score: 2

      Oh sure! That is just racist, there.

      --
      "I say we take off, nuke the site from orbit. It's the only way to be sure."
    7. Re:Take a photo by Koby77 · · Score: 2

      It certainly seems trivial to defeat to people such as you and me. But based on her profile, it seems to me that she was likely a linguist, doing translation work from Farsi into English (I could be wrong about her job, but that's my best guess). She might not have been technical at all, the way Snowden is. In all likelihood, she probably didn't even know about the watermarks, let alone considered how to defeat them.

    8. Re:Take a photo by Koby77 · · Score: 4, Informative

      Nothing, the President of the United States has the authority to declassify anything at any time.

  2. More Leaks than a Porcupine's Rain Coat by sinequonon · · Score: 2

    Okay, who leaked the information about how they spotted the leak source?

    --
    -Bob-
  3. PDFs too? by interkin3tic · · Score: 2

    Dang. Found on the PDF scans even though you can't see them. Lessons learned:
    1. make sure to take really really low quality scans only of sensitive printouts.
    2. Use someone else's printer
    3. The "swamp" being drained is evidently people who are reporting on wildly unethical things the government is doing.

    Obligatory yes the last guy did it too. STFU and focus on the current abomination in office, maligning the last guy doesn't help anything more than you losing sleep at night.

    1. Re:PDFs too? by asdfman2000 · · Score: 2

      > 3. The "swamp" being drained is evidently people who are reporting on wildly unethical things the government is doing.

      Pray tell, what "wildly unethical things the government is doing" were uncovered by her leak? Is it unethical to have an ongoing investigation into hack attempts?

    2. Re:PDFs too? by interkin3tic · · Score: 2

      You're drawing a false equivalence. You don't like the Clintons or Trump, fine. The Clintons made some mistakes, sure. What Trump is doing daily though is willfully weakening the US. It's not at all similar.

  4. "Reality Winner"?! by Anonymous Coward · · Score: 3, Interesting

    As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries? "Reality Winner", just like somebody who won a reality show?!

    1. Re:"Reality Winner"?! by sconeu · · Score: 5, Funny

      She should have kept it. Remember, everybody doesn't like something, but nobody doesn't like Sara Leigh...

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:"Reality Winner"?! by will_die · · Score: 2

      No laws on what you can name your kid, so almost anything goes. On one good note this was a name she had gone and legally changed her name to.

    3. Re:"Reality Winner"?! by Ungrounded+Lightning · · Score: 4, Informative

      > As a non-native English speaker, I ask: is this an actual, socially acceptable name in English-speaking countries?

      Unlike, say, French, American English does not have a ruling body. It's whatever the speakers of it choose to say.

      That includes names. You can call your child or yourself anything you choose - as long as you do not do so to defraud.

      (My wife's career was blighted by an abusive father - a professor - who solicited name suggestions from his students. Though she is native born and a native speaker of American English, she missed out on a lot of job interviews because HR droids thought, from the name he hung on her, that she was a new immigrant who would have communication problems.)

      If you go through a legal name change you may run into issues with not being able to switch your name to something that amounts to a title of nobility (due to article 1 section 9 paragraph 8: "No Title of Nobility shall be granted by the United States: ..."). Immigration had a history of misapplying that to strip things like "von" from immigrants' names as they filled out their paperwork.

      As for "socially acceptable", that depends on the prejudices of the particular social subgroups in question. Regardless of what they might think of neologisms labeling a person, any name from any established cultural group anywhere in the world is necessarily acceptable.

      If Frank Zappa can name his son "Dweezil" and his daughter "Moon Unit", it's easy to see that anything goes. B-)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. Trusting The Intercept? by bill_mcgonigle · · Score: 5, Interesting

    While not everybody knows about the yellow dots, almost everybody involved with infosec does. How can The Intercept be trusted to hold or publish any leakers' information securely?

    Was this one reporter who screwed up? Didn't he have a second person reviewing his work? Isn't there a team of people at The Intercept who discuss whistleblowing publications? Isn't anybody on such a team aware of digital privacy issues?

    This will be a huge loss if The Intercept becomes useless as it was basically founded to handle stories like this. But given that, how could the outcome have been so bad in this case?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Trusting The Intercept? by sims+2 · · Score: 2

      /. posted about it 11 years ago.
      https://yro.slashdot.org/story...

      I haven't seen much about it in a while so I suppose maybe people have just forgotten about it since then.

      --
      Minimum threshold fixed. Thanks!
    2. Re:Trusting The Intercept? by acrimonious+howard · · Score: 4, Funny

      It's official, the trump administration is officially at war with Reality!

  6. This wasn't the only way by Etcetera · · Score: 5, Informative

    While interesting, and certainly providing confirmation, this wasn't the primary mechanism that was used to track her down according to the affidavit. Before even IDing a specific printer, they simply looked for someone that had printed it out, period.

    Internal auditing showed that only six employees had printed out the item in question. A search of the six computers showed that she had emailed The Intercept from her work computer (and that no one else had). Coded metadata just backs it up, but it's dumber than that.

    1. Re:This wasn't the only way by Jason+Levine · · Score: 4, Insightful

      How can someone work for the NSA and NOT be aware that they track everything? If I was an NSA leaker, I certainly wouldn't be e-mailing my leaks from my work computer/e-mail account. I'd set up a throwaway account (and even then would be looking over my shoulder every second).

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:This wasn't the only way by Train0987 · · Score: 2

      "How can someone work for the NSA and NOT be aware that they track everything?" Maybe she assumed her employer would be OK with it. Such are the times we live in. They did give her a security clearance even though there's a ton of stuff in her background that would have disqualified her back when I went through the process.

    3. Re:This wasn't the only way by phantomfive · · Score: 2

      I don't know about her office, but some government offices don't allow USB drives or cell phones into the workplace, and such devices can be destroyed if they are brought in.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:This wasn't the only way by dunkindave · · Score: 4, Informative

      > How can someone work for the NSA and NOT be aware that they track everything?

      She didn't work for the NSA; she was employed by a contractor that provides classified translation services, and apparently for that work had access to the NSA's network (either NSANet or JWICS since SIPRnet is only secret). Not realizing they track shows she isn't terribly bright.

      > If I was an NSA leaker, I certainly wouldn't be e-mailing my leaks from my work computer/e-mail account. I'd set up a throwaway account (and even then would be looking over my shoulder every second).

      OK, she is VERY dumb. And I agree with your tactics - as a good first measure, but nowhere near all I would do.

    5. Re:This wasn't the only way by Etcetera · · Score: 2

      Epoxy is typically used to plug up ports. That's not a horrible idea restricting things to PS/2 keyboards and mice though... Certainly safer than letting badUSB load.

    6. Re:This wasn't the only way by Bite+The+Pillow · · Score: 3, Informative

      USB drives should set off monitoring alerts. Plugging in a cell phone to charge, to a USB port, will likely get both devices confiscated. If the employer is following the rules. Portable electronic devices should not be allowed anywhere that has potential connections to secret information. Metal detectors and all.

      There should be a review of internet logs, which would have revealed personal email access as described here. Most likely it was overlooked as harmless, or it happened to match a local exception set up as requested.

      You people have no idea how this stuff works. It's free on disa.mil and private enterprise can implement most of these security protocols themselves.

      It's not 100% foolproof, and it's a lot easier to identify a leaker than to stop it. But you need to do a lot of reading before commenting on this stuff.

    7. Re:This wasn't the only way by Motherfucking+Shit · · Score: 2

      > How can someone work for the NSA and NOT be aware that they track everything?

      One, she was a linguist, not a spook. Highly specialized individuals are often obtuse in matters outside their areas of expertise. If I needed brain surgery, I'd eagerly seek out the brilliant neurosurgeon Dr. Ben Carson. Likewise, I'd probably trust Ms. Winner to accurately translate a five-party Farsi dialogue in real time. I wouldn't want either of them advising me on matters of, say, agricultural food storage or information security.

      Two, she was a contractor. The curriculum and rigor of the on-boarding process at Pluribus are unknown quantities to us. Contracting is a big fucking problem, and it's not going to get any better as long as there are politicians determined to privatize and profiteer from essential government functions.

      Finally, her age is of some relevance. She's young enough to have grown up in a world where "everything is tracked" has been normal for most of her life. The ubiquitous and commonplace are far easier to gloss over and forget: when was the last time you really noticed a cell tower? Training is required to overcome complacency. This, too, is a problem that will only get worse. People give me funny looks when I tell them I've never had a pizza delivered, yet think nothing of giving away their most personal of data in exchange for a few more gems on the latest iPhone game.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  7. Re:Lesson to learn by Fire_Wraith · · Score: 2

    In fairness to them, she also (reportedly) violated some of the things they suggest, like emailing them from her computer at work.

    Then again, they also (reportedly) gave away her location (Augusta GA) to the government person they were trying to verify the documents with.

  8. Re:Lesson to learn by s_p_oneil · · Score: 3, Informative

    "The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet."

    Also, don't use your work computer or email account to send/receive emails to the organization you're leaking classified documents to.

  9. Re:Am I the only one? by Headw1nd · · Score: 2

    In The Year Two Thouuuusand....

  10. Re: Reality Winner by Anonymous Coward · · Score: 5, Insightful

    Sadly, she is being charged under the Espionage Act. There is no defense, no mitigating circumstances, and she will spend many long years in prison as an example. Even if you disagree with her actions, this sounds inappropriate. Like the Soviet Union or China.

  11. Re:Lesson to learn by Gr8Apes · · Score: 3, Insightful

    > Then again, they also (reportedly) gave away her location (Augusta GA) to the government person they were trying to verify the documents with.

    Wait, they have top secret government documents, and they're going to verify them with the government? And then give information of their source to the government? And then release the original photos of documents to the public? Did they also hand over the originals to the government so they could grab fingerprints and other forensic evidence off of them?

    There is no excuse for how many failures the Intercept committed in protecting a formerly anonymous source. I'm going out on a limb here and say that this will be the last time they receive info from an actual anonymous source that isn't a complete idiot. Then again, as noted, Winner appears to qualify as a complete idiot, emailing them from work in the first place.

    --
    The cesspool just got a check and balance.
  12. Re:Reality Winner by Anonymous Coward · · Score: 4, Informative

    > and picked a more socially acceptable name

    Her birth name is Sara, not "Reality". She chose to be Reality Winner instead of the normal name her parents had chosen.

  13. Re: Reality Winner by AutodidactLabrat · · Score: 2

    Yeah, like Daniel Ellsberg, she broke the law to serve the law
    With THIS supreme Court however, she won't even get a hearing, even if Trump is finally implicated, impeached, convicted, tried, convicted and hanged.

  14. Re: Reality Winner by zedaroca · · Score: 2

    Trey Gowdy on Hillary emails
    He talks about intent around 1:55, but the lead up is not bad either. They chose to pretend there was no intent. There was proof of intent, but no prosecutor to prosecute her.

  15. Re: Reality Winner by bongey · · Score: 2

    She did nothing but to serve her own interests of hating the President.

  16. For those who don't already know about it by Trogre · · Score: 2

    Here is the EFF's guide on yellow dots.

    And it's not in any way limited to Xerox.

    You can test it yourself by photographing a piece of paper from a suspect printer, loading it into the GIMP and showing just the blue channel. The "yellow" dots will show up as a darker shade of blue than the surrounding page.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
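The blue-channel check described in the comment above, as an added example that is not part of the original thread. It runs on a constructed raster (the colour values, page size and dot positions are assumptions), and it goes one step beyond the comment by also requiring red and green to stay near paper white, so that dark ink is not mistaken for a dot.

```python
# Added illustration: find faint yellow tracking dots via the blue channel.
# The page below is a constructed raster, not output from a real printer.
PAPER, DOT, INK = (255, 255, 255), (255, 255, 200), (20, 20, 20)  # constructed colours

def make_page(width, height, dots, ink_row):
    """White page with 2x2 faint yellow dots and one row of black 'text'."""
    page = [[PAPER] * width for _ in range(height)]
    for x in range(width):
        page[ink_row][x] = INK
    for x, y in dots:
        for dy in (0, 1):
            for dx in (0, 1):
                page[y + dy][x + dx] = DOT
    return page

def luma(p):
    """Greyscale value of an RGB pixel (ITU-R BT.601 weights)."""
    return 0.299 * p[0] + 0.587 * p[1] + 0.114 * p[2]

def contrast(pixel, paper=PAPER):
    """(greyscale difference, blue-channel difference) between pixel and paper."""
    return round(luma(paper) - luma(pixel), 1), paper[2] - pixel[2]

def is_yellow(pixel, paper, drop=30, tol=20):
    """Blue clearly below paper while red and green stay close to it."""
    return (paper[2] - pixel[2] >= drop
            and abs(paper[0] - pixel[0]) <= tol
            and abs(paper[1] - pixel[1]) <= tol)

def find_dots(page):
    """Centroids of connected yellow regions, in scan order."""
    h, w = len(page), len(page[0])
    # Paper colour = per-channel median, since most of the page is blank.
    paper = tuple(sorted(px[c] for row in page for px in row)[h * w // 2] for c in range(3))
    mask = [[is_yellow(px, paper) for px in row] for row in page]
    dots = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x]:
                continue
            stack, region = [(x, y)], []
            mask[y][x] = False
            while stack:  # flood-fill one dot
                cx, cy = stack.pop()
                region.append((cx, cy))
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < w and 0 <= ny < h and mask[ny][nx]:
                        mask[ny][nx] = False
                        stack.append((nx, ny))
            n = len(region)
            dots.append((sum(p[0] for p in region) / n, sum(p[1] for p in region) / n))
    return dots

CONSTRUCTED_DOTS = [(4, 2), (12, 2), (20, 2), (4, 12), (20, 12)]
PAGE = make_page(32, 20, CONSTRUCTED_DOTS, ink_row=8)

if __name__ == "__main__":
    print("grey vs blue contrast of one dot:", contrast(DOT))
    print("dot centroids:", find_dots(PAGE))
```

The contrast figures show why the dots go unnoticed in a greyscale view of the page yet stand out once the blue channel is isolated.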
  17. Re:Server Logs Busted This Idiot, Not Dots by gweihir · · Score: 2

    You are confused. "The Law" is not a description of "right" and "wrong".

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re:Reality Winner by ebvwfbw · · Score: 2

    What a waste. She could have told us who really killed JFK, that Obama really was born in Kenya, who really shot JR (Probably too long ago for /. people).

    Well she'll have a while to think about it. Maybe she'll get Chelsea Manning's old cell.

  19. Re:Reality Winner by RockDoctor · · Score: 2

    > I can't believe no one here is being more skeptical of this.

    You're right to be sceptical. Maybe most of the sceptics aren't bothering to post, for whatever reason.

    > The contractor and the Intercept should have known about the watermarks.

    Oh fuck aye. Of course they should, if they were competent at InfoSec, and had been aware for the 15-odd years that this technology has been deployed.

    > All they had to do was transcribe the documents into a plain text document.

    Ah, you don't understand how it works. There is nothing in the document that stores this watermarking information. It is ADDED to the document BY the printer, AFTER the printer has rendered the provided information to being an image. In fact, one of the methods promoted years ago for identifying which printers did this (and for obtaining enough information to crack their steganography encoding), was to print a blank document on pale blue paper - which made the contrast of the pale yellow dots much more visible.

    The information in the steg encoding included the printer's serial number, date and time, and quite conceivably, the printer-user's network authentication. Which I assume is how they nailed the perpetrator.

    As a corollary, whoever was publicising this should have known to photocopy the documents provided onto monochrome (ie black/white, not grey-scale) output, then burned the originals. Precisely to avoid having to hand over such steg to agents.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"