
Comment by dredmorbius

8 years ago

Everyone is not a hypercompetent superhero / supervillain.

There's a hell of a lot of capability which comes about through opportunity, chance, and simple dumb luck or repeated attempts to do something. This tends to show up frequently in terror and mass-criminal activities. Simply wanting to accomplish some negative effect, and having general means to do so, is frequently enough, particularly if that threat is underappreciated and/or requires a high degree of vigilance.

There are numerous attacks (water, food, infrastructure) which have been highlighted for decades as potential attack vectors, though they appear not to have been undertaken.

Another possibility, of course, is that there is constant low-level probing of such attacks, which are lost either at the internal or public-discourse level as noise or accidents. There remain cases -- the San Jose electrical power substation attack via small-arms fire, US military seeding of infectious agents over urban populations[1], the CIA's attacks on Soviet gas infrastructure via control equipment[2] and Iranian nuclear material refining via Stuxnet[3]. In which case, much of the expressed concern of US intelligence agencies is an awareness of their own capabilities, and practices. Other foreign powers have their own history here -- Russian tea[4], Israeli hotel service[5], and Chinese messenger service[6] come to mind.

Criticisms of The Intercept are validated, IMO, by the Intercept's own positioning of itself as a safe channel for such leaks,[7] and specific in-house expertise on the matter, Micah Lee.[8]

Even if The Intercept's actions didn't directly contribute to identification or confirmation of Ms. Winner as the source of these documents, the fact that they could have is absolutely material, and represents a massive failure on the part of Intercept staff and procedures.

Other points to consider: people's technological savviness is in general exceedingly poor, and even domain experts are generally only experts within that specific domain. At the level of the general population, only 5-8% of users have "advanced" skills -- which means ability to use such features as "sort" or "find and replace" within a word-processing tool.[9]

This means that an organisation such as The Intercept should focus as a principal priority on protecting its sources against themselves.

Ms. Winner's OpSec was poor on multiple counts. The Intercept amplified those weaknesses.

Finally: Information isn't power, but is a force-multiplier. It may amplify either your strengths or your opponents'. In this case, the question (from the NSA's perspective) was to identify just who it was that might have provided the information in question. Any one individual can be uniquely identified by 33 bits of information. In the NSA's case, most of those bits are already defined by a simple basis of access to information. The documents here had only to discriminate amongst the much smaller set of people -- call it 3-6 bits -- who might have supplied them to The Intercept.

Other lessons are that in previous totalitarian societies, registration of typing and duplicating equipment was routinely used to identify a potential source of documents. Because those determinations were based on fixed characteristics, that was all they could divulge. Today's printers define not only the specific machine, but time, and potentially metadata of the document itself or submitting user.

You might want to reflect on that for a bit.

________________________________

Notes:

1. http://blogs.discovermagazine.com/bodyhorrors/2015/06/28/san...

2. http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1...

3. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

4. http://www.telegraph.co.uk/news/uknews/law-and-order/1138178...

5. http://www.spiegel.de/international/world/tourists-with-a-li...

6. http://www.foxnews.com/tech/2011/06/01/gmail-compromised-chi...

7. https://theintercept.com/leak/

8. https://theintercept.com/staff/micah-lee/

9. https://www.nngroup.com/articles/computer-skill-levels/