
Comment by dmix

8 years ago

Why did she even print it off in the first place? It seems like an unusual way to leak in 2017. Why not take a picture using a cellphone and send it digitally to the encrypted dropbox on their website?

Still I don't see how the Intercept could have handled this better. Maybe they should have been looking for printer dots in documents received in the mail and then block it out when they digitize it. But is this really a common practice among news orgs handling leaked docs?

I see people on Reddit attacking The Intercept because, they say, the printer dot thing is 'common knowledge'. But to me this seems like an easy thing to overlook. Especially if most other leaks were digital. News organizations and leakers will certainly all be looking for this going forward (I hope).

As far as I'm concerned all the 'common knowledge' stuff that was overlooked was all via the leaker.

If you are in the business of dealing with such information then yes, printer dots should be on your radar. I know about them, so the Intercept should definitely know about them and many things besides that I probably do not know.

The Intercept could have handled this better by describing the article and maybe giving a citation or two; passing the originals back to the government in some form is about as stupid as it gets.

If anything this article shows how easy it is to play 33 bits if you have help from the subject or some outsider that is just doing their job in a ham-fisted way.

  • Fair enough. Maybe, given their experience with already outed leakers like Snowden, where publishing the full docs in original form was common practice, they never fully developed a security system for handling printed documents. They are no doubt better experts at crypto than most of the bigger and older news orgs, I know they have some quality infosec guys, but they were ill-prepared for a traditional style leak.

Everyone is not a hypercompetent superhero / supervillain.

There's a hell of a lot of capability which comes about through opportunity, chance, and simple dumb luck or repeated attempts to do something. This tends to show up frequently in terror and mass-criminal activities. Simply wanting to accomplish some negative effect, and having general means to do so, is frequently enough, particularly if that threat is underappreciated and/or requires a high degree of vigilance.

There are numerous attacks (water, food, infrastructure) which have been highlighted for decades as potential attack vectors, though they appear not to have been undertaken.

Another possibility, of course, is that there is constant low-level probing of such attacks, which are lost either at the internal or public-discourse level as noise or accidents. There remain cases -- the San Jose electrical power substation attack via small-arms fire, US military seeding of infectious agents over urban populations[1], the CIA's attacks on Soviet gas infrastructure via control equipment[2] and Iranian nuclear material refining via Stuxnet[3] -- in which case much of the expressed concern of US intelligence agencies is an awareness of their own capabilities and practices. Other foreign powers have their own history here -- Russian tea[4], Israeli hotel service[5], and Chinese messenger service[6] come to mind.

Criticisms of The Intercept are validated, IMO, by the Intercept's own positioning of itself as a safe channel for such leaks,[7] and specific in-house expertise on the matter, Micah Lee.[8]

Even if The Intercept's actions didn't directly contribute to identification or confirmation of Ms. Winner as the source of these documents, the fact that they could have is absolutely material, and represents a massive failure on the part of Intercept staff and procedures.

Other points to consider: people's technological savviness is in general exceedingly poor, and even domain experts are generally only experts within that specific domain. At the level of the general population, only 5-8% of users have "advanced" skills -- which means the ability to use such features as "sort" or "find and replace" within a word-processing tool.[9]

This means that an organisation such as The Intercept should focus as a principle priority on protecting its sources against themselves.

Ms. Winner's OpSec was poor on multiple counts. The Intercept amplified those weaknesses.

Finally: Information isn't power, but it is a force-multiplier. It may amplify either your strengths or your opponents'. In this case, the question (from the NSA's perspective) was to identify just who it was that might have provided the information in question. Any one individual can be uniquely identified by 33 bits of information. In the NSA's case, most of those bits are already defined by a simple basis of access to information. The documents here had only to discriminate amongst the much smaller set of people -- call it 3-6 bits -- who might have supplied them to The Intercept.

Other lessons are that in previous totalitarian societies, registration of typing and duplicating equipment was routinely used to identify a potential source of documents. Because those determinations were based on fixed characteristics, that was all they could divulge. Today's printers define not only the specific machine, but time, and potentially metadata of the document itself or submitting user.

You might want to reflect on that for a bit.

________________________________

Notes:

1. http://blogs.discovermagazine.com/bodyhorrors/2015/06/28/san...

2. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1...

3. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

4. http://www.telegraph.co.uk/news/uknews/law-and-order/1138178...

5. http://www.spiegel.de/international/world/tourists-with-a-li...

6. http://www.foxnews.com/tech/2011/06/01/gmail-compromised-chi...

7. https://theintercept.com/leak/

8. https://theintercept.com/staff/micah-lee/

9. https://www.nngroup.com/articles/computer-skill-levels/
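The "33 bits" and "3-6 bits" arithmetic in the last comment, and the point that printer dots add time metadata on top of a fixed machine identity, can be made concrete with a worked example. The following Python is an added illustration, not code from the thread or from The Intercept: the print log, the printer serials `PRN-A`/`PRN-B`, the user names and the timestamps are all constructed, and the serial and minute-resolution timestamp are assumed to have already been recovered from the dot pattern. It tallies how many bits each narrowing step contributes and shows that, once access has done most of the work, a printer serial plus a minute of print time is enough to close the remaining gap.

```python
import math
from datetime import datetime, timedelta

# Constructed print-server audit log for one document (made up for this
# example; a real log would come from the organisation's print spooler).
PRINT_LOG = [
    {"user": "user-a", "printer_serial": "PRN-A", "printed_at": "2017-05-09T09:14:00"},
    {"user": "user-b", "printer_serial": "PRN-A", "printed_at": "2017-05-09T09:31:00"},
    {"user": "user-c", "printer_serial": "PRN-A", "printed_at": "2017-05-10T16:40:00"},
    {"user": "user-d", "printer_serial": "PRN-B", "printed_at": "2017-05-09T09:14:00"},
    {"user": "user-e", "printer_serial": "PRN-B", "printed_at": "2017-05-11T11:02:00"},
    {"user": "user-f", "printer_serial": "PRN-B", "printed_at": "2017-05-12T08:30:00"},
]

WORLD_POPULATION = 7_500_000_000  # rough 2017 figure, the basis of the "33 bits" claim


def bits_to_identify(pool_size):
    """Bits needed to single out one member of a pool of pool_size candidates."""
    return math.log2(pool_size)


def bits_gained(before, after):
    """Information (in bits) contributed by a step that shrinks a pool from before to after."""
    if after == 0:
        return math.inf  # the evidence is inconsistent with every candidate
    return math.log2(before / after)


def _parse(ts):
    return datetime.fromisoformat(ts)


def narrow_by_dots(log, serial, printed_at, window_minutes=2):
    """Filter a print log by the two facts tracking dots are assumed to yield:
    a fixed printer identity (serial) and a minute-resolution print time.
    window_minutes absorbs clock skew between printer and print server."""
    target = _parse(printed_at)
    window = timedelta(minutes=window_minutes)
    serial_hits = [e for e in log if e["printer_serial"] == serial]
    time_hits = [e for e in serial_hits if abs(_parse(e["printed_at"]) - target) <= window]
    return serial_hits, time_hits


def identification_trail(world, log, serial, printed_at, window_minutes=2):
    """Return [(step, remaining_candidates, bits_gained)] for each narrowing step,
    from the whole population down to whoever matches the dot metadata."""
    serial_hits, time_hits = narrow_by_dots(log, serial, printed_at, window_minutes)
    pools = [
        ("world population", world),
        ("had access and printed the document", len(log)),
        ("printed on this serial (fixed characteristic)", len(serial_hits)),
        ("printed in this minute window (time metadata)", len(time_hits)),
    ]
    trail, prev = [], None
    for label, size in pools:
        gained = 0.0 if prev is None else round(bits_gained(prev, size), 2)
        trail.append((label, size, gained))
        prev = size
    return trail


def candidates(log, serial, printed_at, window_minutes=2):
    """Users whose print job is consistent with the recovered serial and time."""
    _, time_hits = narrow_by_dots(log, serial, printed_at, window_minutes)
    return [e["user"] for e in time_hits]


if __name__ == "__main__":
    print(f"bits to identify one person on Earth: {bits_to_identify(WORLD_POPULATION):.2f}")
    for step, remaining, gained in identification_trail(WORLD_POPULATION, PRINT_LOG, "PRN-A", "2017-05-09T09:14:00"):
        print(f"{step:50s} remaining={remaining:>12,} +{gained:.2f} bits")
    print("consistent users:", candidates(PRINT_LOG, "PRN-A", "2017-05-09T09:14:00"))
```

Access alone takes the pool from billions to six people, which is roughly 30 of the 33 bits; the documents themselves only need to supply the remaining log2(6), about 2.6 bits. The serial narrows six to three (one bit), and the print minute picks out one of those three. The same log with `PRN-B` and the same minute also yields exactly one user, which is the practical difference between a fixed machine identity and a timestamp: registering typewriters could only ever give the first step.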