How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker

from the just-metadata-things dept

The surprising story that quickly followed the somewhat-less-surprising Intercept leak was the arrest of Reality Leigh Winner for the leak of the document. It was an incredibly fast leak investigation that apparently began when The Intercept reached out for comment after obtaining the document on May 30th.

There's been a lot of talk that The Intercept acted carelessly when speaking to government officials and burned its source. But the evidence trail laid down by the FBI's affidavit suggests Winner did most of the burning herself. The document given to The Intercept was either an original printout or a scan of it. It showed telltale creases where it had been folded and placed into an envelope by the leaker.

More importantly, the document contained something else: data that indicated where and when the document had been printed. This made it much easier to link Winner to the posted document. Rob Graham of Errata Security walks through the steps he took to decipher the physical metadata created by the NSA printer used by Winner. Printers -- and not just those owned by secretive government agencies -- can help rat out leakers.

The problem is that most new printers print nearly invisible yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.

Using a paint program to invert the document's color scheme and the EFF's handy spy-in-the-printer tool, Graham obtained the following information using only the auto-printed dots on the Intercept document:

The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

It very definitely does have such records, as do a great many entities not heavily involved in national security. Many documents in many companies are considered "uncontrolled" if printed, and built-in document tracking lets those companies track down employees who may have jeopardized nothing more than their own employment.
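The decoding step Graham describes, as an added example that is not from the article or from Errata Security: a Python round-trip of the 8x15 dot grid using the column layout the EFF published for Xerox DocuColor printers (minute, hour, day, month, year, an eight-digit serial, plus a parity row and column), fed with the values the article reports as constructed input. That layout, the top-down bit order and the decision to ignore the corner parity bit are assumptions here; other manufacturers use different, largely undocumented, patterns.

```python
"""Round-trip the 8x15 tracking-dot grid the EFF documented for Xerox DocuColor
printers: encode a timestamp and serial into dots, decode a grid back, and flag
parity violations that point to misread or damaged dots in a scan."""

ROWS, COLS = 8, 15
# Assumed layout (EFF's DocuColor notes, 1-based there, 0-based here): row 0 and
# column 0 are parity bits, rows 1..7 hold bit weights 64..1 top to bottom.
WEIGHTS = (64, 32, 16, 8, 4, 2, 1)
# minute col 2, hour col 5, day col 6, month col 7, year col 8 in EFF numbering;
# the eight-digit serial number sits in cols 11-14, two decimal digits per column.
FIELD_COLUMNS = {"minute": 1, "hour": 4, "day": 5, "month": 6, "year": 7}
SERIAL_COLUMNS = (10, 11, 12, 13)


def _column_value(grid, col):
    """Read the 7-bit value held in rows 1..7 of one column."""
    return sum(w for row, w in enumerate(WEIGHTS, start=1) if grid[row][col])


def _parity_errors(grid):
    """Every data column (with its row-0 parity bit) and every data row (with its
    column-0 parity bit) must hold an odd number of dots; the corner bit is ignored.
    Returns the offending rows/columns in EFF's 1-based numbering."""
    errors = []
    for col in range(1, COLS):
        if sum(grid[row][col] for row in range(ROWS)) % 2 == 0:
            errors.append(f"column {col + 1}")
    for row in range(1, ROWS):
        if sum(grid[row]) % 2 == 0:
            errors.append(f"row {row + 1}")
    return errors


def encode(minute, hour, day, month, year, serial):
    """Build the dot grid a printer would lay down for one job (the inverse of
    the decoding step, useful for producing test scans)."""
    fields = {"minute": minute, "hour": hour, "day": day, "month": month, "year": year}
    values = {FIELD_COLUMNS[name]: val for name, val in fields.items()}
    digits = f"{serial:08d}"
    for i, col in enumerate(SERIAL_COLUMNS):
        values[col] = int(digits[2 * i:2 * i + 2])
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, value in values.items():
        if not 0 <= value < 128:
            raise ValueError(f"value {value} does not fit in 7 bits")
        for row, weight in enumerate(WEIGHTS, start=1):
            grid[row][col] = 1 if value & weight else 0
    for col in range(1, COLS):          # row-0 bit makes each column odd
        grid[0][col] = 1 - sum(grid[row][col] for row in range(1, ROWS)) % 2
    for row in range(1, ROWS):          # column-0 bit makes each row odd
        grid[row][0] = 1 - sum(grid[row][1:]) % 2
    return grid


def decode(grid):
    """Recover timestamp and serial from a grid of 0/1 dots; 'parity_errors'
    lists rows/columns whose dot count is even, i.e. probably misread."""
    if len(grid) != ROWS or any(len(row) != COLS for row in grid):
        raise ValueError("expected an 8x15 grid")
    result = {name: _column_value(grid, col) for name, col in FIELD_COLUMNS.items()}
    result["serial"] = "".join(f"{_column_value(grid, c):02d}" for c in SERIAL_COLUMNS)
    result["parity_errors"] = _parity_errors(grid)
    return result


def render(grid):
    """Text view: 'o' is a yellow dot, '.' is blank, the picture one gets after
    inverting a scan's colours as the article describes."""
    return "\n".join("".join("o" if bit else "." for bit in row) for row in grid)


if __name__ == "__main__":
    # Constructed sample built from the values the article reports for the
    # leaked document: 9 May 2017, 06:20, serial 29535218.
    grid = encode(minute=20, hour=6, day=9, month=5, year=17, serial=29535218)
    print(render(grid))
    print(decode(grid))
    grid[3][5] ^= 1                     # simulate one misread dot in the day column
    print(decode(grid)["parity_errors"])  # -> ['column 6', 'row 4']
```

The parity check is the practical part: a scan that decodes cleanly but reports even rows or columns has been misread, so a newsroom checking a document before publication should treat the decoded values as unreliable until the dots are re-examined.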

However, this does bring everything back around to the "just metadata" argument. The government has often claimed the wholesale collection of metadata is harmless, because it's nothing more than transactional records. Obviously, metadata can be quite damaging. Winner's decision to print the document ended her very short stint as a leaker.

Conversely, the government also claims -- when raising the "going dark" specter -- that metadata and other transactional records aren't nearly as useful as intercepted communications and/or device contents. To some extent, that's true. But it's obvious that metadata/transactional records aren't nearly as useless as they're portrayed by law enforcement handwringers. Either way the government spins the metadata argument, it's insulting the intelligence of Americans.


Reader Comments

  • ThaumaTechnician (profile), 6 Jun 2017 @ 6:25pm

    Wikileaks would have scrubbed the documents properly.

    Considering how many documents they've handled over the years, it's astounding how good their record on this is.

    /always have someone who understands technology and security on staff

    • Mike Masnick (profile), 6 Jun 2017 @ 9:21pm

      Re: Wikileaks would have scrubbed the documents properly.

      /always have someone who understands technology and security on staff

      For what it's worth, the Intercept employs two of the most well-respected security experts in the world: Morgan Marquis-Boire and Micah Lee. This wasn't for lack of having people on staff who know this stuff. Those guys know. It's not clear what happened here exactly.

      • My_Name_Here, 7 Jun 2017 @ 3:15am

        Re: Re: Wikileaks would have scrubbed the documents properly.

        It almost looks like they let this one through, just to see what would happen.

      • Ninja (profile), 7 Jun 2017 @ 3:59am

        Re: Re: Wikileaks would have scrubbed the documents properly.

        I think she screwed up multiple times in the process. Left too many footprints that could be traced back to her. I personally didn't know about those fingerprints. I wonder if every printer out there has this 'feature' and if their security experts were aware of it. How long has it been known in the wild?

        • Anonymous Coward, 7 Jun 2017 @ 4:46am

          Re: Re: Re: Wikileaks would have scrubbed the documents properly.

          It's been known about for around 20 years. The EFF "cracked the code" in 2005 and made the knowledge more widespread.
          http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html

        • Machin Shin, 7 Jun 2017 @ 6:20am

          Re: Re: Re: Wikileaks would have scrubbed the documents properly.

          I also think that is the case. If another story I read about all this is true then it sounds like she would have been caught pretty quick anyways. From what I saw they narrowed it down to about 6 people just by looking at who accessed the documents recently. She was then the only one out of the 6 who printed it.

          • Thad, 7 Jun 2017 @ 10:52am

            Re: Re: Re: Re: Wikileaks would have scrubbed the documents properly.

            Yeah, the Intercept was sloppy, but ultimately it probably didn't change anything.

            I almost wonder if Winner knew that. If she knew she'd get caught more or less immediately and so prioritized getting as much as she could over trying to cover her tracks. I mean, if she knew covering her tracks was never going to work anyway...

      • ThaumaTechnician (profile), 7 Jun 2017 @ 5:47am

        Re: Re: Wikileaks would have scrubbed the documents properly.

        You're right, I had forgotten about those two guys.

        Thanks for the correction.

        • Anonymous Coward, 7 Jun 2017 @ 6:24am

          Re: Re: Re: Wikileaks would have scrubbed the documents properly.

          How stupid was it to scan paper with visible folds and then send it to the NSA for comment?

    • ShadowNinja (profile), 7 Jun 2017 @ 5:59am

      Re: Wikileaks would have scrubbed the documents properly.

      I doubt Winner trusted Wikileaks to even report on this.

      Wikileaks has been accused of being in Russia's pocket for over a year, and they've clearly been in Trump's pocket for ages. That doesn't sound like the kind of person to leak something damaging to both of them to.

      Wikileaks burned a lot of their credibility with half the country in the election.

  • Anonymous Coward, 6 Jun 2017 @ 6:45pm

    That is one reason to pay for printers with cash, no checks or credit cards.

    I do this when buying a printer, so that if it is ever stolen, and someone decides to do something illegal like that, ownership of that printer cannot be traced back to me and I avoid going to jail for something I did not do.

    This is why you want to pay for any and all printers you buy with cash, no checks or credit cards, so that ownership of that printer cannot be traced back to you. All anyone will know is that someone purchased that printer by plunking down a few Benjamins, and the trail will run cold after that.

    • Roger Strong (profile), 6 Jun 2017 @ 7:22pm

      Re:

      Apparently the tracking dots originated with worries about people using their color printers to counterfeit money.

      Given that the printer's serial number is encoded on the document - how certain are you that your anonymously purchased printer isn't sending that serial number back to the manufacturer when you install or update your driver? Or to Microsoft/Apple/Commodore when you update your OS?

      Even if that were the ONLY thing they sent back, no owner information - it would tie the serial number to your IP address.

      • Anonymous Coward, 6 Jun 2017 @ 7:40pm

        Re: Re:

        Simple: don't buy a printer that has an IP address. Buying one that is hard-wired to the computer using a USB cable is the way to go. Doing that, and paying with cash, will guarantee that nothing will trace back to you if your printer is stolen and someone does something illegal with it.

        My issue with these dots is what will happen if the printer is stolen, and someone does something nefarious with it. Having no bank trail leading back to me keeps me out of trouble, if that happens.

        That is why you want to buy a printer that is wired to the computer and not connected directly to the network, and always pay with cash.

        • Roger Strong (profile), 6 Jun 2017 @ 8:08pm

          Re: Re: Re:

          Simple: don't buy a printer that has an IP address. Buying one that is hard-wired to the computer using a USB cable is the way to go.

          That doesn't help.

          When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number. You can find it in Devices & Printers - if the driver is still installed - even when the printer is long gone.

          So when your driver is automatically updated - again, even when the printer is long gone - that serial number could be sent to the manufacturer. When you update your OS, it could be sent to Microsoft/Apple/Commodore. Coming from your IP address. Which Prenda, let alone police, have had no problems tracing back to the user's location if not identity.

          • Anonymous Coward, 7 Jun 2017 @ 5:01am

            Re: Re: Re: Re:

            That doesn't help. When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number.

            Right, except that not all OSes will auto-install drivers like that. USB printers communicate with a standard low-level interface, and if they also support a standard higher-level data format like PJL+Postscript you won't need any driver. You might still get one on Windows if you're not very careful, but Linux would be fine for example. Before obtaining a printer:

            • Browse EFF's site and make sure it doesn't print tracking dots. As far as people know, only color printers do it, and only some brands.
            • Make sure it directly supports PostScript or PDF with no vendor-supplied driver.
            • Make sure it has no network support, or that any support can be disabled. Network support isn't necessarily a tracking feature but it will be a security hole unless you and the manufacturer keep on top of firmware updates until the printer is discarded. You can still network-print via a USB cable from your router or another computer, as long as it's getting security updates.

            And if you're a programmer:

            • Consider creating an OpenWRT-like project for printer firmware. Even if manufacturers like Xerox weren't adding user-hostile features, they don't have great security records and they like to keep "high-end" features out of their cheap printers.
            • If you work for a company that asks you to add tracking/"metadata" features, remember these may be used to imprison people--or even torture/kill them.

            • Anonymous Coward, 7 Jun 2017 @ 5:41am

              Re: Re: Re: Re: Re:

              If you work for a company that asks you to add tracking/"metadata" features

              If it's a government demand, consider talking to an EFF lawyer under attorney/client privilege. (NOT FROM A WORK EMAIL/COMPUTER!) There are 3rd-amendment implications in the US, as Rob noted. Think about becoming a whistleblower/witness/plaintiff.

              Consider creating an OpenWRT-like project for printer firmware

              Secret software to operate laser printers was what caused RMS to start the Free Software movement, so it's strange this doesn't exist.

          • Anonymous Coward, 7 Jun 2017 @ 8:55am

            Re: Re: Re: Re:

            Just turn off automatic updating. And when you do updates manually, just use a VPN to hide your IP address. Just make sure to use one that does not keep logs.

            VPN is your friend on this one.

        • Eldakka (profile), 6 Jun 2017 @ 8:31pm

          Re: Re: Re:

          Simple: don't buy a printer that has an IP address. Buying one that is hard-wired to the computer using a USB cable is the way to go.

          It's not the IP address of the printer Roger Strong was referring to (I believe), but the IP address of the premises (the internet connection) of where the printer is.

          If you install drivers or firmware from the manufacturer, as part of the installation process on the computer attached to the printer could be a 'phone home' step. Or even in the O/S itself, e.g. one of the things Windows 10 (and 7/8 if various telemetry options are enabled) does is send information about installed (i.e. attached via USB) devices to MS - supposedly anonymised.

          Auto-updates for installed drivers could, when checking for updates, provide printer details to the update service along with the IP address used to check for the updates, along with anything else the process wants to provide.

          • Anonymous Coward, 7 Jun 2017 @ 8:59am

            Re: Re: Re: Re:

            That IP address, however, could be obfuscated by using a VPN. When installing the driver, just connect your PC to a VPN, then the "phone home" step will go through the VPN, and you will be sending the IP address of the VPN instead of your IP address.

            • Anonymous Coward, 7 Jun 2017 @ 10:14am

              Re: Re: Re: Re: Re:

              When installing the driver, just connect your PC to a VPN

              And keep using that VPN until the driver has been uninstalled, and you can confirm there's nothing left over. The "phone home" step isn't necessarily going to happen at installation, or only at installation. (And of course a driver has enough privilege to bypass the VPN if it really wants to.)

            • Eldakka (profile), 7 Jun 2017 @ 9:22pm

              Re: Re: Re: Re: Re:

              Absolutely.

              But how many people would think of hooking up to a VPN to update/download printer drivers?

              You might, I might (if I could be bothered to...), but I doubt most people would even realise.

    • Jeff Green (profile), 7 Jun 2017 @ 3:23am

      Re:

      How cold?
      The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.
      The till could well autocheck that the notes aren't counterfeit, a process that involves reading their serial numbers. Where did you get those notes? ATM machines are also entirely capable of recording your face, your bank details and the serial numbers.
      Meta data is everywhere, most of it isn't collected, but I wouldn't like to bet how much of it actually is!

      • Anonymous Coward, 7 Jun 2017 @ 7:07am

        Re: Re:

        The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.

        Not all stores scan the serial numbers of things they sell. I'd expect that at an electronics store, but maybe not the electronic department of a grocery store. CCTV recordings have traditionally been deleted after some time, which could be a few years by now.

        To be safe, buy a printer at a garage sale or thrift store, or pick one up at the kerb (I come across a decent laser printer every year or so without even looking for them). Try to get a black-and-white printer to avoid the tracking dots.

        • Thad, 7 Jun 2017 @ 10:57am

          Re: Re: Re:

          I used to work at a small computer store at a large university. It's been 12 years but my recollection is that we only scanned serial numbers for things that cost over $100. So yes for the high-dollar office printers, no for the cheap inkjets students were buying.

          Obviously that policy is going to vary from store to store, but that at least illustrates some of the thinking that goes into it, on the retailer's side.

      • Anonymous Coward, 7 Jun 2017 @ 9:05am

        Re: Re:

        CCTV cameras are probably wireless. Just have a jammer that will prevent the CCTV cameras from being able to record your face. To the security detail in the store, it will simply appear to be a malfunction, and they will have no idea the camera was being jammed. CCTV cameras use the same frequencies as WiFi, so a WiFi jammer would suffice for this. This would prevent your face from being recorded at the checkout counter. Security would never be the wiser.

    • Anonymous Howard II, 7 Jun 2017 @ 4:55am

      Re:

      If your printer gets stolen, report the theft to the police as soon as possible. If it is insured, make a claim.

      If your printer (technically now your insurer's printer) is then found to be used for criminal activity after the earliest date at which it could have been stolen, you surely have a valid defense.

    • Anonymous Coward, 12 Jun 2017 @ 1:30pm

      Re:

      And tilt down your hat so the cameras don't photograph your face at the register.

  • Michael P, 6 Jun 2017 @ 6:47pm

    "Uncontrolled if printed" is not about access control!

    Many documents in many companies are considered "uncontrolled" if printed

    The term "uncontrolled if printed", along with similar forms, is about revision control rather than access control. It indicates that a printed copy might not be the latest version, and that anyone relying on it should beware of the risks of using outdated information. It is totally unrelated to whether the document is classified, proprietary, covered by HIPAA, or whatever.

    My acquaintance with the term is in the context of corporate policy documents. At a previous job, the manufacturing side of the company brought in ISO 9000 quality control processes, and all those documents were labeled "uncontrolled if printed". That was to make sure people did not blindly trust a copy of a policy or procedure that might be years out of date (but happened to be in hard copy).

    Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.

    • JoeCool (profile), 6 Jun 2017 @ 7:42pm

      Re: "Uncontrolled if printed" is not about access control!

      When it comes to policies, the ONLY ones to count are the ones in print... with a signature on it. :)

    • Anonymous Coward, 6 Jun 2017 @ 8:07pm

      Re: "Uncontrolled if printed" is not about access control!

      Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.

      Perhaps it misled the authors into thinking that it was important to mention this. While your post makes perfect sense to me, prior to reading it, I too was thinking in terms of access control.

      • Michael P, 7 Jun 2017 @ 3:29am

        Re: Re: "Uncontrolled if printed" is not about access control!

        Maybe, but that is why people who want to be taken seriously should check their facts before making them significant parts of their claims. It took me about 60 seconds with a Google search to confirm that my understanding was far and away the most common one, even though a lot of people had questions about what it meant.

  • lars626 (profile), 6 Jun 2017 @ 8:19pm

    Not just the dots

    The dots were important but not the only thing that sealed her fate. She was also the only one using that printer that had contact with 'The Intercept' using their work email account.

    If she is that STUPID I wouldn't hire her as a dog sitter.

    • Anonymous Coward, 7 Jun 2017 @ 5:05am

      Re: Not just the dots

      And she was logged as one of only 6 people accessing the document, unlike Snowden who used admin credentials to "access" documents without that being logged.

  • TechDescartes (profile), 6 Jun 2017 @ 8:37pm

    Just...

    ...connect the dots.

  • Anonymous Coward, 6 Jun 2017 @ 9:02pm

    Dumb leaker is dumb.

  • Annonymouse, 7 Jun 2017 @ 4:31am

    Yellow Dots?

    So she printed a text document on a colour printer.

    Your tax dollars at work.

    • Anonymous Coward, 7 Jun 2017 @ 5:09am

      Re:

      There's nothing wrong with using a color laser printer for this. When printing a black-and-white document, they'll use black toner only, just like any other printer—except for a tiny bit of yellow toner to add the tracking information. But that's an antifeature Xerox decided to add; nobody's aware of any law requiring it, and not all printer makers do it.

  • DarkKnight (profile), 7 Jun 2017 @ 5:25am

    Hmmmm....

    From the girl's name, to her getting caught so quickly, the whole thing just looks too conveniently staged, to me. That this happened a couple of days before Comey testifies to Congress? My Spider Sense is tingling on this situation...

  • Jim, 7 Jun 2017 @ 5:54am

    Here

    That's not the only metadata assigned to a file print; check your document reader. Who, what, where, time, unit, etc... all listed. Unsupervised contractor in a secure location? Really unsupervised? There are other devices watching. Plus, other companies looking. They want their contractor there. So, was it really her?

  • Anonymous Coward, 7 Jun 2017 @ 5:59am

    Just another diversion - Ohhhh look over there

  • Anonymous Coward, 7 Jun 2017 @ 6:30am

    so nsa blew another semi secret of yellow dots

    how stupid was that? free advertisement and warning for future crooks (and terrorists).

  • David, 7 Jun 2017 @ 6:45am

    One nit:

    Either way the government spins the metadata argument, it's insulting the intelligence of Americans.

    How do you insult the intelligence of a country electing Trump? I mean, this is like the "considering himself to be a worthless failure of a human being is not necessarily a sign of depression: maybe he is just right." adage.

    The government clearly considers the American public abysmally stupid regarding the garbage they are willing by and large to gobble up without signs of critical thinking.

    But it's not as much an insult to the intelligence of Americans as it is an accurate appraisal.

  • Anonymous Coward, 7 Jun 2017 @ 6:50am

    she mailed it via postal service, which spies for nsa too

    • Anonymous Coward, 7 Jun 2017 @ 4:52pm

      Re: she mailed it via postal service, which spies for nsa too

      One way is to not put a return address on, and always type, instead of write, the address.

      One cousin of mine, who was divorced, did this to avoid having his child support obligation raised whenever he made more money. He just simply paid for it with a money order, using cash only, then mailed that to his ex-wife, putting no return address on the envelope, so his ex-wife could not track him and demand more monthly child support payments. As long as he paid the current amount, which he did, law enforcement had no reason to track him down.

      So leaving no return address on the envelope and/or typing the address where it is supposed to go can make it harder to trace.

  • Anonymous Coward, 7 Jun 2017 @ 8:34am

    We cannot allow these document-tracking dots the safe space they need to breed - yet that is precisely what printing, and the big companies that provide printers provide.

  • Anonymous Coward, 7 Jun 2017 @ 1:02pm

    Who owns the copyright on these dots anyway?

    I imagine they might be a bit upset about not being paid for use of their dots. Perhaps the printer manufacturers need to incorporate DRM for their dots because it is obvious they are being pirated - those dirty filthy pirates!!!!

    Gotta love those hypocrites
