Comment by dmix

8 years ago

I don't know why everyone is blaming The Intercept for publishing a document leaked to them anonymously for that exact purpose. They always publish the source document. So do the NYTimes and WaPo and other news orgs. It's common practice.

Assuming The Intercept detected the printer dot, how could they possibly know the printer dot wasn't some random one from a printer at a library vs. her work computer?

If I were The Intercept receiving a document from someone claiming to be an intelligence officer, I would assume they used some very basic OPSEC - such as not printing the document out on a MONITORED WORK COMPUTER. This is basic stuff.

I don't see what more The Intercept could have done here to protect her.

She messed up, not them.

Whether she got caught because of her own mistakes is immaterial.

What matters is that if she had not made any mistakes, The Intercept made it trivially easy to reduce the pool of possible suspects. That's fairly stupid if your whole reason for existence is to handle documents sent to you by vulnerable people.

If this is not the last article by The Intercept based on stuff leaked to them, it would greatly surprise me.

They totally messed this up.

  • Why did she even print it off in the first place? It seems like an unusual way to leak in 2017. Why not take a picture using a cellphone and send it digitally to the encrypted dropbox on their website?

    Still, I don't see how The Intercept could have handled this better. Maybe they should have been looking for printer dots in documents received in the mail and then blocked them out when they digitize it. But is this really a common practice among news orgs handling leaked docs?

    I see people on Reddit attacking The Intercept because, they say, the printer dot thing is 'common knowledge'. But to me this seems like an easy thing to overlook. Especially if most other leaks were digital. News organizations and leakers will certainly all be looking for this going forward (I hope).

    As far as I'm concerned all the 'common knowledge' stuff that was overlooked was all via the leaker.

    • If you are in the business of dealing with such information then yes, printer dots should be on your radar. I know about them, so the Intercept should definitely know about them and many things besides that I probably do not know.

      The Intercept could have handled this better by describing the article and maybe giving a citation or two; to pass the originals back in some form to the government is about as stupid as it gets.

      If anything, this article shows how easy it is to play 33 bits if you have help from the subject or some outsider that is just doing their job in a ham-fisted way.


    • Everyone is not a hypercompetent superhero / supervillain.

      There's a hell of a lot of capability which comes about through opportunity, chance, and simple dumb luck or repeated attempts to do something. This tends to show up frequently in terror and mass-criminal activities. Simply wanting to accomplish some negative effect, and having general means to do so, is frequently enough, particularly if that threat is underappreciated and/or requires a high degree of vigilance.

      There are numerous attacks (water, food, infrastructure) which have been highlighted for decades as potential attack vectors, though they appear not to have been undertaken.

      Another possibility, of course, is that there is constant low-level probing of such attacks, which are lost either at the internal or public-discourse level as noise or accidents. There remain cases -- the San Jose electrical power substation attack via small-arms fire, US military seeding of infectious agents over urban populations[1], the CIA's attacks on Soviet gas infrastructure via control equipment[2] and Iranian nuclear material refining via Stuxnet[3] -- in which case much of the expressed concern of US intelligence agencies is an awareness of their own capabilities and practices. Other foreign powers have their own history here -- Russian tea[4], Israeli hotel service[5], and Chinese messenger service[6] come to mind.

      Criticisms of The Intercept are validated, IMO, by the Intercept's own positioning of itself as a safe channel for such leaks,[7] and specific in-house expertise on the matter, Micah Lee.[8]

      Even if The Intercept's actions didn't directly contribute to identification or confirmation of Ms. Winner as the source of these documents, the fact that they could have is absolutely material, and represents a massive failure on the part of Intercept staff and procedures.

      Other points to consider: people's technological savviness is in general exceedingly poor, and even domain experts are generally only experts within that specific domain. At the level of the general population, only 5-8% of users have "advanced" skills -- which means the ability to use such features as "sort" or "find and replace" within a word-processing tool.[9]

      This means that an organisation such as The Intercept should focus as a principal priority on protecting its sources against themselves.

      Ms. Winner's OpSec was poor on multiple counts. The Intercept amplified those weaknesses.

      Finally: Information isn't power, but is a force-multiplier. It may amplify either your strengths or your opponents'. In this case, the question (from the NSA's perspective) was to identify just who it was that might have provided the information in question. Any one individual can be uniquely identified by 33 bits of information. In the NSA's case, most of those bits are already defined by a simple basis of access to information. The documents here had only to discriminate amongst the much smaller set of people -- call it 3-6 bits -- who might have supplied them to The Intercept.

      Other lessons are that in previous totalitarian societies, registration of typing and duplicating equipment was routinely used to identify a potential source of documents. Because those determinations were based on fixed characteristics, that was all they could divulge. Today's printers define not only the specific machine, but time, and potentially metadata of the document itself or submitting user.

      You might want to reflect on that for a bit.

      ________________________________

      Notes:

      1. http://blogs.discovermagazine.com/bodyhorrors/2015/06/28/san...

      2. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1...

      3. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

      4. http://www.telegraph.co.uk/news/uknews/law-and-order/1138178...

      5. http://www.spiegel.de/international/world/tourists-with-a-li...

      6. http://www.foxnews.com/tech/2011/06/01/gmail-compromised-chi...

      7. https://theintercept.com/leak/

      8. https://theintercept.com/staff/micah-lee/

      9. https://www.nngroup.com/articles/computer-skill-levels/


  • It's certainly not immaterial.

    The Intercept did not encourage her to steal this information, nor did it give her any direction on how to do so. She chose her own method of exfiltrating the data, and in this case it turned out to be a quickly identifiable one. She knew this document was going to be published by The Intercept; that was the entire point of leaking it. Once published, regardless of form, you can bet that the FBI would have agents knocking on The Intercept's door asking to see the physical source material.

    Furthermore, in order to prove the veracity of its published claims, The Intercept provides its source documents - if they do not, they simply open themselves up to accusations of fake news and falsified material. Any editing they do to the document will be ammunition for the FAKE NEWS crowd - so where is the compromise here?

    • The compromise is that you should assume that, if the material is genuine, someone will end up in a large amount of trouble if you go about your verification round in a dumb way. That she stole the information and made mistakes does not excuse The Intercept for making mistakes of their own.

      Greenwald is not located in the United States for a reason (so good luck knocking on that door), and if they wanted to verify the documents they could have done so with a bit more care.

      Assuming the text did not contain steganographic tricks (yes, that works) they could have cited back a few paragraphs and the document title. That would have been enough.


  • OCR and reprint.

    • Maybe. How does one know that, when the document is viewed, random synonyms of certain words aren't used specific to that viewing, and logged along with the identity of the viewer?

      Corporate emails sometimes use this trick to catch company leakers.
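The "look for printer dots and block them out when you digitize" step suggested further up the thread, as an added example (not code from the original thread, and not a description of The Intercept's or any newsroom's workflow). Printer tracking dots are tiny yellow marks on white paper, so the simplest pre-publication check is: find small isolated yellowish specks in the scan, and paint them white, while leaving large yellow areas (highlighter, logos) and the black text alone. The in-memory page, the colour thresholds and the maximum dot area below are constructed for this illustration, not calibrated values for any printer or scanner.

```python
"""Detect and blank small isolated yellow specks (printer tracking-dot
candidates) in a scanned page before publication.

Added example, not code from the original thread or from any newsroom. The
image is a constructed in-memory grid of (R, G, B) tuples; the thresholds and
MAX_DOT_AREA are assumptions chosen for the synthetic data.
"""
from collections import deque

WHITE = (255, 255, 255)
MAX_DOT_AREA = 6   # assumption: a tracking dot is a few pixels at scan resolution


def is_yellowish(px):
    """Yellow on white: red and green stay bright, blue drops. Real dots are
    faint, so the threshold is loose; they stand out most in the blue channel."""
    r, g, b = px
    return r >= 200 and g >= 200 and (min(r, g) - b) >= 40


def components(img, pred):
    """4-connected components of pixels satisfying pred, as lists of (y, x)."""
    h, w = len(img), len(img[0])
    seen = [[False] * w for _ in range(h)]
    comps = []
    for y in range(h):
        for x in range(w):
            if seen[y][x] or not pred(img[y][x]):
                continue
            comp, queue = [], deque([(y, x)])
            seen[y][x] = True
            while queue:
                cy, cx = queue.popleft()
                comp.append((cy, cx))
                for ny, nx in ((cy - 1, cx), (cy + 1, cx), (cy, cx - 1), (cy, cx + 1)):
                    if 0 <= ny < h and 0 <= nx < w and not seen[ny][nx] and pred(img[ny][nx]):
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            comps.append(comp)
    return comps


def find_tracking_dots(img):
    """Small yellowish blobs only; big yellow regions are treated as content."""
    return [c for c in components(img, is_yellowish) if len(c) <= MAX_DOT_AREA]


def redact_dots(img):
    """Return (cleaned copy, list of removed components); the input is untouched."""
    out = [row[:] for row in img]
    dots = find_tracking_dots(img)
    for comp in dots:
        for y, x in comp:
            out[y][x] = WHITE
    return out, dots


def make_sample_page(h=32, w=48):
    """Constructed scan: a black text stroke, a highlighter block that must
    survive, and five faint two-pixel yellow specks laid out like a dot grid."""
    img = [[WHITE] * w for _ in range(h)]
    for x in range(5, 30):                    # black "text"
        for y in range(10, 13):
            img[y][x] = (0, 0, 0)
    for x in range(32, 44):                   # legitimate yellow highlighter
        for y in range(4, 8):
            img[y][x] = (255, 255, 120)
    for (y, x) in [(20, 8), (20, 12), (24, 8), (24, 16), (28, 12)]:
        img[y][x] = (250, 250, 180)           # faint speck, two pixels wide
        img[y][x + 1] = (252, 252, 190)
    return img


if __name__ == "__main__":
    page = make_sample_page()
    clean, removed = redact_dots(page)
    print(f"removed {len(removed)} dot candidates at {[c[0] for c in removed]}")
```

Two caveats a practitioner would add. First, on real scans the thresholds have to be tuned per scanner (JPEG noise and paper tint produce false positives, and a dot that straddles a text stroke is missed), so the check is a screen, not a guarantee. Second, blanking the visible dots removes only that one fingerprint; it does nothing about the other things the thread raises (the document's own metadata, who had access to that exact copy), which is why the more conservative options in the thread are to OCR and retype, or to quote a few passages and the title rather than publish the scan.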
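The "random synonyms specific to that viewing, logged with the viewer's identity" trick described in the reply above, worked through as an added example (not code from the original thread, and not any vendor's product). The distributor keys each substitution choice to a secret and the viewer's identity, hands every viewer a slightly different copy, and later reads the choices back out of a leaked copy. Each slot with k alternatives contributes log2(k) bits, which is the same "bits of identification" arithmetic used elsewhere in this thread: five binary slots are 32 distinguishable copies. The document text, synonym table, viewer list and secret are constructed for the illustration.

```python
"""Canary trap: per-viewer synonym substitution and source attribution.

Added example, not from the original thread and not any company's product.
DOC, SYNONYMS, VIEWERS and SECRET are constructed for illustration.
"""
import hashlib
import re

# Constructed: each slot is a group of interchangeable words. A slot with k
# alternatives carries log2(k) bits; five binary slots give 32 distinct copies.
SYNONYMS = [
    ("report", "document"),
    ("obtained", "acquired"),
    ("stated", "indicated"),
    ("targeted", "attacked"),
    ("likely", "probably"),
]

# Constructed base text; it uses the first alternative of every slot.
DOC = ("The report was obtained from a contractor who stated that the "
       "targeted systems were likely compromised.")
VIEWERS = ["alice", "bob", "carol", "dave"]
SECRET = b"constructed-secret-key"   # assumption: known only to the distributor


def choose_variant(viewer_id: str, slot: int, secret: bytes) -> int:
    """Deterministic, keyed choice of alternative for one slot and one viewer."""
    msg = secret + viewer_id.encode() + slot.to_bytes(2, "big")
    digest = hashlib.sha256(msg).digest()
    return digest[0] % len(SYNONYMS[slot])


def _slot_pattern(words):
    return re.compile(r"\b(" + "|".join(map(re.escape, words)) + r")\b")


def watermark(text: str, viewer_id: str, secret: bytes) -> str:
    """Produce the copy handed to viewer_id."""
    out = text
    for slot, words in enumerate(SYNONYMS):
        chosen = words[choose_variant(viewer_id, slot, secret)]
        out = _slot_pattern(words).sub(chosen, out)
    return out


def extract_bits(text: str):
    """Read back which alternative each slot shows; None if missing or mixed."""
    bits = []
    for words in SYNONYMS:
        present = [i for i, w in enumerate(words)
                   if re.search(r"\b" + re.escape(w) + r"\b", text)]
        bits.append(present[0] if len(present) == 1 else None)
    return bits


def attribute(leaked: str, viewers, secret: bytes):
    """Viewers consistent with the leaked copy. Slots the leaker removed or
    paraphrased (None) are skipped, so attribution degrades gracefully; more
    than one name back means the surviving slots did not carry enough bits."""
    observed = extract_bits(leaked)
    matches = []
    for v in viewers:
        expected = [choose_variant(v, s, secret) for s in range(len(SYNONYMS))]
        if all(o is None or o == e for o, e in zip(observed, expected)):
            matches.append(v)
    return matches


if __name__ == "__main__":
    leaked = watermark(DOC, "carol", SECRET)
    # The leaker drops the second clause, destroying three slots: the two that
    # survive still narrow the pool, possibly to more than one name.
    damaged = leaked.split(" who ")[0] + "."
    print(attribute(leaked, VIEWERS, SECRET), attribute(damaged, VIEWERS, SECRET))
```

The defender's advantage here is exactly the asymmetry the thread is arguing about: the source has to find and neutralise every slot, while the distributor only needs enough of them to survive. Retyping from OCR, or quoting a couple of paragraphs, removes most of these bits only if the quoted passages happen not to contain the marked words, which the source cannot know.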

> She messed up, not them.

If only there were like.... some group of people who cared about the privacy of others.

The Intercept claims it's a safe place for people to leak to.

It isn't if they make blunders like this.

  • Are you sure this is something NYTimes/WaPo/WSJ/etc would have detected and removed? I'm not familiar with the established practices for news orgs handling leaked documents arriving in the mail from intel officers. It seems a lot of people are, so I'm curious to hear more about it...

    • > Are you sure this is something NYTimes/WaPo/WSJ/etc would have detected and removed?

      No, I'm not sure about that, and if they'd made the mistake after having claimed to be safe for whistleblowers I'd be gently complaining about them on an Internet message board too.