How Document-Tracking Dots Helped The FBI Track Down Russian Hacking Doc Leaker
from the just-metadata-things dept
The surprising story that quickly followed the somewhat-less-surprising Intercept leak was the arrest of Reality Leigh Winner for the leak of the document. It was an incredibly fast leak investigation that apparently began when The Intercept reached out for comment after obtaining the document on May 30th.
There's been a lot of talk that The Intercept acted carelessly when speaking to government officials and burned its source. But the evidence trail laid down by the FBI's affidavit suggests Winner did most of the burning herself. The document given to The Intercept was either an original printout or a scan of it. It showed telltale creases where it had been folded and placed into an envelope by the leaker.
More importantly, the document contained something else: data that indicated where and when the document had been printed. This made it much easier to link Winner to the posted document. Rob Graham of Errata Security walks through the steps he took to decipher the physical metadata created by the NSA printer used by Winner. Printers -- and not just those owned by secretive government agencies -- can help rat out leakers.
The problem is that most new printers print nearly invisible yellow dots that track down exactly when and where documents, any document, are printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.
Using a paint program to invert the document's colors (pale yellow dots on white become blue dots on black, which are far easier to see) and the EFF's tracking-dot decoding guide, Graham obtained the following information from the dots alone:
The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.
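To make the decoding step concrete, here is an added example of the technique (it is not Graham's code, nor the EFF's decoder, nor anything The Intercept or the NSA used). It assumes the Xerox DocuColor layout as described in the EFF's guide: a repeating 15-column by 8-row lattice in which row 1 is a column-parity row, column 1 a row-parity column, and the remaining seven rows of each column hold a 7-bit number; the column assignments, the odd-parity convention and the treatment of the corner dot are all assumptions, and other manufacturers use different, mostly undocumented layouts. The pixel image it reads is constructed in the block by encoding the values Graham reported, not taken from the real scan.

```python
"""Decode a DocuColor-style yellow tracking-dot grid (added example).

Field layout is an assumption taken from the EFF's DocuColor decoding guide;
the parity convention (corner dot excluded) is assumed as well.
"""
from dataclasses import dataclass

ROWS, COLS = 8, 15          # the repeating pattern is 15 columns by 8 rows

# Columns are 1-indexed from the left. Column 1 is a row-parity column and
# row 1 a column-parity row; rows 2-8 hold a 7-bit value, MSB on top.
FIELDS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8, "model": 15}
SERIAL_COLUMNS = (11, 12, 13, 14)    # serial number as four two-digit groups

YELLOW, WHITE = (255, 255, 0), (255, 255, 255)


@dataclass
class TrackingInfo:
    minute: int
    hour: int
    day: int
    month: int
    year: int       # two digits, as encoded
    serial: str     # eight digits
    model: int      # column 15; Graham read it as a model number (assumed)


def is_yellow(rgb, lo=160, hi=110):
    """Pale yellow is high red and green with low blue. Inverting the image
    turns it blue-on-black for the eye; numerically the blue channel is the
    signal either way, so we sample the un-inverted pixels directly."""
    r, g, b = rgb
    return r >= lo and g >= lo and b <= hi


def grid_from_pixels(pixels, origin, pitch):
    """Sample pixels[y][x] on the 8x15 lattice at origin (x, y) with the
    given dot pitch. Returns grid[row][col] as 0/1."""
    ox, oy = origin
    return [[1 if is_yellow(pixels[oy + r * pitch][ox + c * pitch]) else 0
             for c in range(COLS)] for r in range(ROWS)]


def column_value(grid, col):
    """7-bit value of a 1-indexed column, read from rows 2-8, MSB on top."""
    v = 0
    for r in range(1, ROWS):
        v = (v << 1) | grid[r][col - 1]
    return v


def parity_errors(grid):
    """Row 1 pads each data column to an odd dot count; column 1 does the
    same for each data row. The corner dot belongs to neither (assumed)."""
    errs = [f"column {c}" for c in range(2, COLS + 1)
            if sum(grid[r][c - 1] for r in range(ROWS)) % 2 == 0]
    errs += [f"row {r + 1}" for r in range(1, ROWS) if sum(grid[r]) % 2 == 0]
    return errs


def decode(grid):
    """Turn a dot grid into TrackingInfo; raise on parity or range errors."""
    errs = parity_errors(grid)
    if errs:
        raise ValueError("parity failure in " + ", ".join(errs))
    f = {name: column_value(grid, col) for name, col in FIELDS.items()}
    serial = "".join(f"{column_value(grid, c):02d}" for c in SERIAL_COLUMNS)
    if not (f["minute"] < 60 and f["hour"] < 24 and 1 <= f["day"] <= 31
            and 1 <= f["month"] <= 12 and f["year"] < 100):
        raise ValueError(f"timestamp fields out of range: {f}")
    return TrackingInfo(f["minute"], f["hour"], f["day"], f["month"],
                        f["year"], serial, f["model"])


def encode(info):
    """Inverse of decode; used here only to build a test pattern."""
    grid = [[0] * COLS for _ in range(ROWS)]

    def put(col, value):
        assert 0 <= value < 128
        for r in range(1, ROWS):
            grid[r][col - 1] = (value >> (ROWS - 1 - r)) & 1

    for name, col in FIELDS.items():
        put(col, getattr(info, name))
    for col, i in zip(SERIAL_COLUMNS, range(0, 8, 2)):
        put(col, int(info.serial[i:i + 2]))
    for c in range(1, COLS):                       # column-parity row
        grid[0][c] = (sum(grid[r][c] for r in range(1, ROWS)) + 1) % 2
    for r in range(1, ROWS):                       # row-parity column
        grid[r][0] = (sum(grid[r][1:]) + 1) % 2
    return grid


def render(grid, origin=(3, 2), pitch=4):
    """Constructed sample image: a white page with the grid drawn in yellow."""
    ox, oy = origin
    w, h = ox + (COLS - 1) * pitch + 3, oy + (ROWS - 1) * pitch + 3
    pixels = [[WHITE] * w for _ in range(h)]
    for r in range(ROWS):
        for c in range(COLS):
            if grid[r][c]:
                pixels[oy + r * pitch][ox + c * pitch] = YELLOW
    return pixels


def demo():
    """Round-trip the values Graham reported (constructed image, not the scan)."""
    sample = TrackingInfo(minute=20, hour=6, day=9, month=5, year=17,
                          serial="29535218", model=54)
    page = render(encode(sample))
    return decode(grid_from_pixels(page, origin=(3, 2), pitch=4))


if __name__ == "__main__":
    print(demo())
```

On a real scan the hard part is the step this example skips: finding the lattice origin and pitch, which means locating one repetition of the pattern after inverting and magnifying the image. The parity check is what tells you whether you have found it; a mis-aligned sample will fail parity in several columns at once rather than decode to a plausible date.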
It very definitely does have such records, as do a great many entities not heavily involved in national security. Many documents in many companies are considered "uncontrolled" if printed, and the tracking built into printers lets a company trace a printout back to employees who may have jeopardized nothing more than their own employment.
However, this does bring everything back around to the "just metadata" argument. The government has often claimed that wholesale collection of metadata is harmless because it consists of nothing more than transactional records. Obviously, metadata can be quite damaging: a timestamp and a printer serial number, matched against a print log, ended Winner's very short stint as a leaker.
Conversely, the government also claims -- when raising the "going dark" specter -- that metadata and other transactional records aren't nearly as useful as intercepted communications and/or device contents. To some extent, that's true. But it's obvious that metadata and transactional records aren't nearly as useless as law enforcement's handwringers portray them. Either way the government spins the metadata argument, it's insulting the intelligence of Americans.
Filed Under: dots, fbi, leaks, metadata, nsa, printers, reality winner, tracking dots
Reader Comments
Wikileaks would have scrubbed the documents properly.
/always have someone who understands technology and security on staff
Re: Wikileaks would have scrubbed the documents properly.
/always have someone who understands technology and security on staff
For what it's worth, the Intercept employs two of the most well-respected security experts in the world: Morgan Marquis-Boire and Micah Lee. This wasn't for lack of having people on staff who know this stuff. Those guys know. It's not clear what happened here exactly.
Re: Re: Re: Wikileaks would have scrubbed the documents properly.
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html
Re: Re: Re: Re: Wikileaks would have scrubbed the documents properly.
I almost wonder if Winner knew that. If she knew she'd get caught more or less immediately and so prioritized getting as much as she could over trying to cover her tracks. I mean, if she knew covering her tracks was never going to work anyway...
Re: Re: Wikileaks would have scrubbed the documents properly.
Thanks for the correction.
Re: Wikileaks would have scrubbed the documents properly.
Wikileaks has been accused of being in Russia's pockets for over a year, and they've clearly been in Trump's pocket for ages. That doesn't sound like the kind of person to leak something damaging to both.
Wikileaks burned a lot of their credibility with half the country in the election.
I do this when buying a printer, so that if it is ever stolen, and someone decides to do something illegal like that, ownership of that printer cannot be traced back to me and I avoid going to jail for something I did not do.
This is why you want to pay for any and all printers you buy with cash, no checks or credit cards, so that ownership of that printer cannot be traced back to you. All anyone will know is that someone purchased that printer by plunking down a few Benjamins, and the trail will run cold after that.
Re:
Given that the printer's serial number is encoded on the document - how certain are you that your anonymously purchased printer isn't sending that serial number back to the manufacturer when you install or update your driver? Or to Microsoft/Apple/Commodore when you update your OS?
Even if that were the ONLY thing they sent back, no owner information - it would tie the serial number to your IP address.
Re: Re:
My issue with these dots is what will happen if the printer is stolen, and someone does something nefarious with it. Having no bank trail leading back to me keeps me out of trouble, if that happens.
That is why you want to buy a printer that is wired to the computer and not connected directly to the network, and always pay with cash.
Re: Re: Re:
That doesn't help.
When you install a driver on your PC/Mac/PET for your USB-connected printer, your computer fetches the printer details including the serial number. You can find it in Devices & Printers - if the driver is still installed - even when the printer is long gone.
So when your driver is automatically updated - again, even when the printer is long gone - that serial number could be sent to the manufacturer. When you update your OS, it could be sent to Microsoft/Apple/Commodore. Coming from your IP address. Which Prenda, let alone police, have had no problems tracing back to the user's location if not identity.
Re: Re: Re: Re:
Right, except that not all OSes will auto-install drivers like that. USB printers communicate with a standard low-level interface, and if they also support a standard higher-level data format like PJL+Postscript you won't need any driver. You might still get one on Windows if you're not very careful, but Linux would be fine for example. Before obtaining a printer:
And if you're a programmer:
Re: Re: Re: Re: Re:
If it's a government demand, consider talking to an EFF lawyer under attorney/client privilege. (NOT FROM A WORK EMAIL/COMPUTER!) There are 3rd-amendment implications in the US, as Rob noted. Think about becoming a whistleblower/witness/plaintiff.
Secret software to operate laser printers was what caused RMS to start the Free Software movement, so it's strange this doesn't exist.
Re: Re: Re: Re:
VPN is your friend on this one.
Re: Re: Re:
It's not the IP address of the printer Roger Strong was referring to (I believe), but the IP address of the premises (the internet connection) of where the printer is.
If you install drivers or firmware from the manufacturer, as part of the installation process on the computer attached to the printer could be a 'phone home' step. Or even in the O/S itself, e.g. one of the things Windows 10 (and 7/8 if various telemetry options are enabled) does is send information about installed (i.e. attached via USB) devices to MS - supposedly anonymised.
Auto-updates for installed drivers could, when checking for updates, provide printer details to the update service along with the IP address used to check for the updates, along with anything else the process wants to provide.
Re: Re: Re: Re: Re:
And keep using that VPN until the driver has been uninstalled, and you can confirm there's nothing left over. The "phone home" step isn't necessarily going to happen at installation, or only at installation. (And of course a driver has enough privilege to bypass the VPN if it really wants to.)
Re: Re: Re: Re: Re:
But how many people would think of hooking up to a VPN to update/download printer drivers?
You might, I might (if I could be bothered to...), but I doubt most people would even realise.
Re:
The shop where you bought it has CCTV, their stock control system says when that serial number printer was sold, at which check-out etc.
The till could well autocheck the notes aren't counterfeit a process that involves them reading the serial numbers. Where did you get those notes? ATM machines are also entirely capable of recording your face, your bank details and the serial numbers.
Meta data is everywhere, most of it isn't collected, but I wouldn't like to bet how much of it actually is!
Re: Re:
Not all stores scan the serial numbers of things they sell. I'd expect that at an electronics store, but maybe not the electronic department of a grocery store. CCTV recordings have traditionally been deleted after some time, which could be a few years by now.
To be safe, buy a printer at a garage sale or thrift store, or pick one up at the kerb (I come across a decent laser printer every year or so without even looking for them). Try to get a black-and-white printer to avoid the tracking dots.
Re: Re: Re:
Obviously that policy is going to vary from store to store, but that at least illustrates some of the thinking that goes into it, on the retailer's side.
Re:
If your printer (technically now your insurer's printer) is then found to be used for criminal activity after the earliest date at which it could have been stolen, you surely have a valid defense.
"Uncontrolled if printed" is not about access control!
The term "uncontrolled if printed", along with similar forms, is about revision control rather than access control. It indicates that a printed copy might not be the latest version, and that anyone relying on it should beware of the risks of using outdated information. It is totally unrelated to whether the document is classified, proprietary, covered by HIPAA, or whatever.
My acquaintance with the term is in the context of corporate policy documents. At a previous job, the manufacturing side of the company brought in ISO 9000 quality control processes, and all those documents were labeled "uncontrolled if printed". That was to make sure people did not blindly trust a copy of a policy or procedure that might be years out of date (but happened to be in hard copy).
Given that it has nothing to do with classification level or other distribution controls, why mention it at all? It seems likely to mislead people.
Re: "Uncontrolled if printed" is not about access control!
Perhaps it misled the authors into thinking that it was important to mention this. While your post makes perfect sense to me, prior to reading it, I too was thinking in terms of access control.
Not just the dots
If she is that STUPID I wouldn't hire her as a dog sitter.
So she printed a text document on a colour printer.
Your tax dollars at work.
so nsa blew another semi secret of yellow dots
One nit:
How do you insult the intelligence of a country electing Trump? I mean, this is like the "considering himself to be a worthless failure of a human being is not necessarily a sign of depression: maybe he is just right." adage.
The government clearly considers the American public abysmally stupid regarding the garbage they are willing by and large to gobble up without signs of critical thinking.
But it's not as much an insult to the intelligence of Americans as it is an accurate appraisal.
she mailed it via postal service, which spies for nsa too
Re: she mailed it via postal service, which spies for nsa too
One cousin of mine, who was divorced, did this to avoid having his child support obligation raised, whenever he made more money. He just simply paid for with a money order, using cash only, then mailed that to his ex-wife, putting no return address on the envelope, so his ex-wife could not track him and demand more monthly child support payments. As long as he paid the current amount, which he did, law enforcement had no reason to track him down.
So leaving no return address on the envelope and/or typing the address where it is supposed to go can make it harder to trace.
I imagine they might be a bit upset about not being paid for use of their dots. Perhaps the printer manufacturers need to incorporate DRM for their dots because it is obvious they are being pirated - those dirty filthy pirates!!!!
Gotta love those hypocrites