How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker
from the just-metadata-things dept
The surprising story that quickly followed the somewhat-less-surprising Intercept leak was the arrest of Reality Leigh Winner for leaking the document. It was an incredibly fast leak investigation, one that apparently began when The Intercept reached out to the government for comment after obtaining the document on May 30th.
There’s been a lot of talk that The Intercept acted carelessly when speaking to government officials and burned its source. But the evidence trail laid down by the FBI’s affidavit suggests Winner did most of the burning herself. The document given to The Intercept was either an original printout or a scan of it. It showed telltale creases where it had been folded and placed into an envelope by the leaker.
More importantly, the document contained something else: data that indicated where and when the document had been printed. This made it much easier to link Winner to the posted document. Rob Graham of Errata Security walks through the steps he took to decipher the physical metadata created by the NSA printer used by Winner. Printers — and not just those owned by secretive government agencies — can help rat out leakers.
The problem is that most new printers print nearly invisible yellow dots that track exactly when and where documents, any document, are printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.
Using a paint program to invert the document’s color scheme (which turns faint yellow dots into clearly visible blue ones) and the EFF’s handy DocuColor tracking-dot decoding guide, Graham obtained the following information using only the auto-printed dots on the Intercept document:
The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.
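The decoding Graham did by hand, as an added example in Python (not the article’s code and not Errata Security’s): it follows the column layout published in the EFF’s DocuColor decoding guide (minute, hour, day, month, two-digit year, a separator column, and four columns of two serial-number digits each, with a parity row on top and a parity column on the left). The odd-parity rule, the fully populated separator column and the 20xx century are assumptions about that layout, and the columns the guide leaves undocumented are reported raw, so nothing here claims to know which one Graham read as a model number. The sample grid and the “scanned image” are constructed to carry the values Graham reported; they are not transcribed from the Intercept document.

```python
"""DocuColor-style tracking-dot decoder (EFF 2005 layout).  Added example.
Assumed: 15 columns x 8 rows; row 0 = odd column parity; column 0 = odd row
parity; rows 1..7 hold a 7-bit value with the 64 bit on top; the separator
column is fully populated; the two-digit year is 20xx.  Columns 2, 3, 9 and
14 (0-based) are undocumented in the guide and are reported raw."""
from dataclasses import dataclass

ROWS, COLS = 8, 15
MINUTE, HOUR, DAY, MONTH, YEAR, SEPARATOR = 1, 4, 5, 6, 7, 8
SERIAL_COLS = (10, 11, 12, 13)          # two decimal digits per column
UNKNOWN_COLS = (2, 3, 9, 14)            # raw values only, no interpretation
YELLOW, WHITE = (255, 255, 0), (255, 255, 255)

def column_value(grid, c):
    """Rows 1..7 of a column form a 7-bit number, most significant bit on top."""
    return sum(grid[r][c] << (7 - r) for r in range(1, ROWS))

def encode_grid(year, month, day, hour, minute, serial):
    """Build a grid for constructed test data (assumed layout, see docstring)."""
    values = [0] * COLS
    values[MINUTE], values[HOUR], values[DAY] = minute, hour, day
    values[MONTH], values[YEAR], values[SEPARATOR] = month, year % 100, 0x7F
    digits = "%08d" % serial
    for i, c in enumerate(SERIAL_COLS):
        values[c] = int(digits[2 * i:2 * i + 2])
    grid = [[0] * COLS for _ in range(ROWS)]
    for c in range(1, COLS):
        for r in range(1, ROWS):
            grid[r][c] = (values[c] >> (7 - r)) & 1
        grid[0][c] = 1 - (sum(grid[r][c] for r in range(1, ROWS)) & 1)  # odd column
    for r in range(ROWS):
        grid[r][0] = 1 - (sum(grid[r][1:]) & 1)                         # odd row
    return grid

def render_image(grid, pitch=4):
    """Constructed stand-in for a scan: white page, one yellow pixel per dot,
    dots `pitch` pixels apart, grid origin at the top-left corner."""
    img = [[WHITE] * (COLS * pitch) for _ in range(ROWS * pitch)]
    for r in range(ROWS):
        for c in range(COLS):
            if grid[r][c]:
                img[r * pitch][c * pitch] = YELLOW
    return img

def grid_from_image(img, pitch=4):
    """What 'invert the colours' buys you: yellow on white becomes blue on
    black.  Equivalently, flag pixels with strong red and green but little
    blue, then bin them into grid cells.  Assumes the grid origin is aligned."""
    grid = [[0] * COLS for _ in range(ROWS)]
    for y, row in enumerate(img):
        for x, (r, g, b) in enumerate(row):
            if r > 200 and g > 200 and b < 100:
                grid[y // pitch][x // pitch] = 1
    return grid

@dataclass
class TrackingDots:
    timestamp: str
    serial: str
    unknown: dict        # keyed by the EFF guide's 1-based column number
    bad_rows: list
    bad_cols: list
    separator_ok: bool

    @property
    def parity_ok(self):
        return not self.bad_rows and not self.bad_cols and self.separator_ok

def decode_grid(grid):
    """Read timestamp and serial; flag rows/columns with an even dot count,
    which is how a smudged, missed or mis-transcribed dot shows up."""
    v = lambda c: column_value(grid, c)
    bad_cols = [c for c in range(1, COLS)
                if sum(grid[r][c] for r in range(ROWS)) % 2 == 0]
    bad_rows = [r for r in range(ROWS) if sum(grid[r]) % 2 == 0]
    timestamp = "20%02d-%02d-%02d %02d:%02d" % (
        v(YEAR), v(MONTH), v(DAY), v(HOUR), v(MINUTE))
    serial = "".join("%02d" % v(c) for c in SERIAL_COLS)
    unknown = {c + 1: v(c) for c in UNKNOWN_COLS}
    return TrackingDots(timestamp, serial, unknown, bad_rows, bad_cols,
                        v(SEPARATOR) == 0x7F)

def grid_to_text(grid):
    return "\n".join("".join("o" if b else "." for b in row) for row in grid)

if __name__ == "__main__":
    # Constructed sample carrying the values Graham reported; not the real dots.
    g = encode_grid(2017, 5, 9, 6, 20, 29535218)
    print(grid_to_text(g))
    print(decode_grid(grid_from_image(render_image(g))))
    g[3][MINUTE] ^= 1      # one lost dot: the minute changes, and parity says so
    print(decode_grid(g))
```

The parity check is the part worth keeping in mind when reading a real scan: the dots are tiny and the scan is lossy, so a single dropped or spurious dot silently changes a field (here, one lost dot turns 06:20 into 06:04), and the row/column parity flags are the only on-page evidence that the reading is wrong. On a real page you would also have to find the grid origin and pitch yourself, and the pattern repeats across the sheet, so several copies can be read and compared.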
It almost certainly does have such records, as do a great many entities not remotely involved in national security. Many companies stamp documents “uncontrolled if printed,” and built-in printer tracking lets them trace a printed copy back to the employee who printed it, even when that employee jeopardized nothing more than their own job.
However, this does bring everything back around to the “just metadata” argument. The government has often claimed the wholesale collection of metadata is harmless, because it’s nothing more than transactional records. As this case shows, metadata can be quite damaging: a printer serial number and a timestamp, matched against print logs, ended Winner’s very short stint as a leaker.
Conversely, the government also claims — when raising the “going dark” specter — that metadata and other transactional records aren’t nearly as useful as intercepted communications and/or device contents. To some extent, that’s true. But it’s obvious that metadata/transactional records aren’t nearly as useless as they’re portrayed by law enforcement handwringers. Either way the government spins the metadata argument, it’s insulting the intelligence of Americans.
Filed Under: dots, fbi, leaks, metadata, nsa, printers, reality winner, tracking dots
Comments on “How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker”
Wikileaks would have scrubbed the documents properly.
Considering how many documents they’ve handled over the years, it’s astounding how good their record on this is.
/always have someone who understands technology and security on staff
Re: Wikileaks would have scrubbed the documents properly.
/always have someone who understands technology and security on staff
For what it’s worth, the Intercept employs two of the most well-respected security experts in the world : Morgan Marquis-Boire and Micah Lee. This wasn’t for lack of having people on staff who know this stuff. Those guys know. It’s not clear what happened here exactly.
Re: Re: Wikileaks would have scrubbed the documents properly.
It almost looks like they let this one through, just to see what would happen.
Re: Re: Wikileaks would have scrubbed the documents properly.
I think she screwed up multiple times in the process. Left too many footprints that could be traced back to her. I personally didn’t know about those fingerprints. I wonder if every printer out there has this ‘feature’ and if their security experts were aware of it. How long has it been known in the wild?
Re: Re: Re: Wikileaks would have scrubbed the documents properly.
It’s been known about for around 20 years. The EFF “cracked the code” in 2005 and made the knowledge more widespread.
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html
Re: Re: Re: Wikileaks would have scrubbed the documents properly.
I also think that is the case. If another story I read about all this is true then it sounds like she would have been caught pretty quick anyways. From what I saw they narrowed it down to about 6 people just by looking at who accessed the documents recently. She was then the only one out of the 6 who printed it.
Re: Re: Re:2 Wikileaks would have scrubbed the documents properly.
Yeah, the Intercept was sloppy, but ultimately it probably didn’t change anything.
I almost wonder if Winner knew that. If she knew she’d get caught more or less immediately and so prioritized getting as much as she could over trying to cover her tracks. I mean, if she knew covering her tracks was never going to work anyway…
Re: Re: Wikileaks would have scrubbed the documents properly.
You’re right, I had forgotten about those two guys.
Thanks for the correction.
Re: Re: Re: Wikileaks would have scrubbed the documents properly.
how stupid was it to scan paper with visible folds and then send to nsa for comment?
Re: Wikileaks would have scrubbed the documents properly.
I doubt Winner trusted Wikileaks to even report on this.
Wikileaks has been accused of being in Russia’s pockets for over a year, and they’ve clearly been in Trump’s pocket for ages. That doesn’t sound like the kind of person to leak something damaging to both.
Wikileaks burned a lot of their credibility with half the country in the election.
That is one reason to pay for printers with cash, no checks or credit cards.
I do this when buying a printer, so that if it is ever stolen, and someone decides to do something illegal like that, ownership of that printer cannot be traced back to me and I avoid going to jail for something I did not do.
This is why you want to pay for any and all printers you buy with cash, no checks or credit cards, so that ownership of that printer cannot be traced back to you. All anyone will know is that someone purchased that printer by plunking down a few Benjamins, and the trail will run cold after that.
Re: Re:
Apparently the tracking dots originated with worries about people using their color printers to counterfeit money.
Given that the printer’s serial number is encoded on the document – how certain are you that your anonymously purchased printer isn’t sending that serial number back to the manufacturer when you install or update your driver? Or to Microsoft/Apple/Commodore when you update your OS?
Even if that were the ONLY thing they sent back, no owner information – it would tie the serial number to your IP address.
Re: Re: Re:
Simple: don’t buy a printer that has an IP address. Buying one that is hard-wired to the computer using a USB cable is the way to go. Doing that, and paying with cash, will guarantee that nothing will trace back to you if your printer is stolen and someone does something illegal with it.
My issue with these dots is what will happen if the printer is stolen and someone does something nefarious with it. Having no bank trail leading back to me keeps me out of trouble if that happens.
That is why you want to buy a printer that is wired to the computer and not connected directly to the network, and always pay with cash.
Re: Re: Re: Re:
That doesn’t help.
When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number. You can find it in Devices & Printers – if the driver is still installed – even when the printer is long gone.
So when your driver is automatically updated – again, even when the printer is long gone – that serial number could be sent to the manufacturer. When you update your OS, it could be sent to Microsoft/Apple/Commodore. Coming from your IP address. Which Prenda, let alone police, have had no problems tracing back to the user’s location if not identity.
Re: Re: Re:2 Re:
Right, except that not all OSes will auto-install drivers like that. USB printers communicate with a standard low-level interface, and if they also support a standard higher-level data format like PJL+Postscript you won’t need any driver. You might still get one on Windows if you’re not very careful, but Linux would be fine for example. Before obtaining a printer:
And if you’re a programmer:
Re: Re: Re:3 Re:
If it’s a government demand, consider talking to an EFF lawyer under attorney/client privilege. (NOT FROM A WORK EMAIL/COMPUTER!) There are 3rd-amendment implications in the US, as Rob noted. Think about becoming a whistleblower/witness/plaintiff.
Secret software to operate laser printers was what caused RMS to start the Free Software movement, so it’s strange this doesn’t exist.
Re: Re: Re:2 Re:
Just turn off automatic updating. And when you do updates manually, just use a VPN to hide your IP address. Just make sure to use one that does not keep logs.
VPN is your friend on this one.
Re: Re: Re: Re:
It’s not the IP address of the printer Roger Strong was referring to (I believe), but the IP address of the premises (the internet connection) of where the printer is.
If you install drivers or firmware from the manufacturer, as part of the installation process on the computer attached to the printer could be a ‘phone home’ step. Or even in the O/S itself, e.g. one of the things Windows 10 (and 7/8 if various telemetry options are enabled) does is send information about installed (i.e. attached via USB) devices to MS – supposedly anonymised.
Auto-updates for installed drivers could, when checking for updates, provide printer details to the update service along with the IP address used to check for the updates, along with anything else the process wants to provide.
Re: Re: Re:2 Re:
That IP address, however, could be obfuscated by using a VPN. When installing the driver, just connect your PC to a VPN; then the “phone home” step will go through the VPN, and you will be sending the IP address of the VPN instead of your IP address.
Re: Re: Re:3 Re:
And keep using that VPN until the driver has been uninstalled, and you can confirm there’s nothing left over. The "phone home" step isn’t necessarily going to happen at installation, or only at installation. (And of course a driver has enough privilege to bypass the VPN if it really wants to.)
Re: Re: Re:3 Re:
Absolutely.
But how many people would think of hooking up to a VPN to update/download printer drivers?
You might, I might (if I could be bothered to…), but I doubt most people would even realise.
Re: Re:
How cold?
The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.
The till could well autocheck that the notes aren’t counterfeit, a process that involves reading their serial numbers. Where did you get those notes? ATM machines are also entirely capable of recording your face, your bank details and the serial numbers.
Meta data is everywhere, most of it isn’t collected, but I wouldn’t like to bet how much of it actually is!
Re: Re: Re:
Not all stores scan the serial numbers of things they sell. I’d expect that at an electronics store, but maybe not the electronic department of a grocery store. CCTV recordings have traditionally been deleted after some time, which could be a few years by now.
To be safe, buy a printer at a garage sale or thrift store, or pick one up at the kerb (I come across a decent laser printer every year or so without even looking for them). Try to get a black-and-white printer to avoid the tracking dots.
Re: Re: Re: Re:
I used to work at a small computer store at a large university. It’s been 12 years but my recollection is that we only scanned serial numbers for things that cost over $100. So yes for the high-dollar office printers, no for the cheap inkjets students were buying.
Obviously that policy is going to vary from store to store, but that at least illustrates some of the thinking that goes into it, on the retailer’s side.
Re: Re: Re:
CCTV cameras are probably wireless. Just have a jammer that will prevent the CCTV cameras from being able to record your face. To the security detail in the store, it will simply appear to be a malfunction, and they will have no idea the camera was being jammed. CCTV cameras use the same frequencies as WiFi, so a WiFi jammer would suffice for this. This would prevent your face from being recorded at the checkout counter. Security would never be the wiser.
Re: Re:
If your printer gets stolen, report the theft to the police as soon as possible. If it is insured, make a claim.
If your printer (technically now your insurer’s printer) is then found to be used for criminal activity after the earliest date at which it could have been stolen, you surely have a valid defense.
Re: Re:
And tilt down your hat so the cameras don’t photograph your face at the register.
"Uncontrolled if printed" is not about access control!
The term "uncontrolled if printed", along with similar forms, is about revision control rather than access control. It indicates that a printed copy might not be the latest version, and that anyone relying on it should beware of the risks of using outdated information. It is totally unrelated to whether the document is classified, proprietary, covered by HIPAA, or whatever.
My acquaintance with the term is in the context of corporate policy documents. At a previous job, the manufacturing side of the company brought in ISO 9000 quality control processes, and all those documents were labeled "uncontrolled if printed". That was to make sure people did not blindly trust a copy of a policy or procedure that might be years out of date (but happened to be in hard copy).
Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.
Re: "Uncontrolled if printed" is not about access control!
When it comes to policies, the ONLY ones to count are the ones in print… with a signature on it. 🙂
Re: "Uncontrolled if printed" is not about access control!
Perhaps it misled the authors into thinking that it was important to mention this. While your post makes perfect sense to me, prior to reading it, I too was thinking in terms of access control.
Re: Re: "Uncontrolled if printed" is not about access control!
Maybe, but that is why people who want to be taken seriously should check their facts before making them significant parts of their claims. It took me about 60 seconds with a Google search to confirm that my understanding was far and away the most common one, even though a lot of people had questions about what it meant.
Not just the dots
The dots were important but not the only thing that sealed her fate. She was also the only one using that printer that had contact with ‘The Intercept’ using their work email account.
If she is that STUPID I wouldn’t hire her as a dog sitter.
Re: Not just the dots
And she was logged as one of only 6 people accessing the document, unlike Snowden who used admin credentials to “access” documents without that being logged.
Just...
…connect the dots.
Dumb leaker is dumb.
Yellow Dots?
So she printed a text document on a colour printer.
Your tax dollars at work.
Re: Re:
There’s nothing wrong with using a color laser printer for this. When printing a black-and-white document, they’ll use black toner only, just like any other printer—except for a tiny bit of yellow toner to add the tracking information. But that’s an antifeature Xerox decided to add; nobody’s aware of any law requiring it, and not all printer makers do it.
Hmmmm....
From the girl’s name, to her getting caught so quickly, the whole thing just looks too conveniently staged, to me. That this happened a couple of days before Comey testifies to Congress? My Spider Sense is tingling on this situation…
Here
That’s not the only metadata assigned to a file print, check your document reader. Who what where time unit etc…all listed. Unsupervised contractor in a secure location? Really unsupervised? There are other devices watching. Plus, other companies looking. They want their contractor there. So, was it really her?
Re: Here
fishy indeed.
Just another diversion – Ohhhh look over there
so nsa blew another semi secret of yellow dots
how stupid was that? free advertisement and warning for future crooks (and terrorists).
Re: so nsa blew another semi secret of yellow dots
Not a secret just not widely remembered.
One nit:
How do you insult the intelligence of a country electing Trump? I mean, this is like the "considering himself to be a worthless failure of a human being is not necessarily a sign of depression: maybe he is just right." adage.
The government clearly considers the American public abysmally stupid regarding the garbage they are willing by and large to gobble up without signs of critical thinking.
But it’s not as much an insult to the intelligence of Americans as it is an accurate appraisal.
she mailed it via postal service, which spies for nsa too
http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html
Re: she mailed it via postal service, which spies for nsa too
One way is to not put a return address on, and to always type the address instead of writing it.
One cousin of mine, who was divorced, did this to avoid having his child support obligation raised whenever he made more money. He simply paid with a money order, using cash only, then mailed that to his ex-wife, putting no return address on the envelope, so his ex-wife could not track him and demand more monthly child support payments. As long as he paid the current amount, which he did, law enforcement had no reason to track him down.
So leaving no return address on the envelope and/or typing the address where it is supposed to go can make it harder to trace.
We cannot allow these document-tracking dots the safe space they need to breed – yet that is precisely what printing, and the big companies that provide printers provide.
Who owns the copyright on these dots anyway?
I imagine they might be a bit upset about not being paid for use of their dots. Perhaps the printer manufacturers need to incorporate DRM for their dots because it is obvious they are being pirated – those dirty filthy pirates!!!!
Gotta love those hypocrites