Comment by kibwen

8 years ago

Not that that makes it any less concerning that The Intercept forgot to scrub the dots, unless the email in question contained instructions along the lines of "lol dont worry bout opsec i dont care if i get caught kthx <3 <3".

From The Intercept's "how to pass on tips" page [1]:

> We’ve taken steps to make sure that people can leak to us as safely as possible. Our newsroom is staffed by reporters who have extensive experience working with whistleblowers, as well as some of the world’s foremost internet security specialists. Our pioneering use of the SecureDrop platform enables you to communicate with our reporters and send documents to us anonymously.

I think it's shocking that nobody at The Intercept was aware of the yellow dots, or other metadata (e.g. printer-specific output artifacts) that might facilitate the revelation of the anonymous source. This is so careless of them that I'm led to believe that they don't have a formal scrubbing step at all.

Of course, I might be biased a bit here because I dislike Greenwald so much for how he handled the Snowden leaks. The risks Snowden took and the sacrifices he made are incomparable, but "it took Greenwald several more months and help from experts before he could learn relatively basic tools like PGP encryption."

[1] https://theintercept.com/leak/

[2] https://www.dailydot.com/layer8/edward-snowden-gpg-for-journ...

Edit: I think it's shocking because assisting whistleblowers and protecting their anonymity seems central to The Intercept (which I believe is commendable), so they, of all people, should know better -- if not best.

  • Despite my criticisms of other comments of yours, this is an extremely cogent point. The Intercept should, nay, must have policies, procedures, and checks in place to prevent foul-ups of this nature. And must also produce a post-mortem on this incident.

    Screw-ups happen. Repeated screw-ups show a systemic failure.

  • > other metadata (e.g. printer-specific output artifacts)

    This is actually a really good point. I've been rolling my eyes a bit at people smugly pretending they knew what DocuColor was last week, or equating it with things like EXIF data that are far more widely known.

    But you don't have to know about DocuColor specifically to avoid this issue, you just have to suspect that printer outputs are a threat vector for something identifiable.

It's worse than that. OK, so someone contacts The Intercept, claiming to have juicy NSA documents. Before anything gets shared, don't they have a duty to make sure that the source has good OPSEC?

  • You kid, right?

    Snowden had to hand-hold the guy at Intercept to use GPG. Guardian leaked encryption keys in a book, before/after handing all of Wikileaks' stash to the Mossad.

    At this point all we have left is 4chan, and anons like myself (who then get blocked by @dang after he's logged the IP addresses). /s

    • I'm being a bit pedantic but The Intercept didn't exist when Snowden leaked to Greenwald.

      Also, many thanks to @dang for keeping 4chan out of HN.

    • No, I don't. Not here, anyway.

      The Intercept does have that duty. And at least some of their staff know it. But maybe they get overruled.

It wasn't the published images that set off the investigation, but the images they sent to their sources in the NSA for verification. Verification is obviously hindered by sending manipulated documents, so they might simply have trusted their source not to pass them on.