How EFF cracked printers' "hidden dots" code in 2005

Originally published at: http://boingboing.net/2017/06/10/reality-winner.html

…

No, she wasn’t. She was caught by basic investigational skills, basic IT practices, and poor opsec. It wasn’t the damn printer dots.

Cory. No.

@ficuswhisperer: got a link to specifics? I haven’t googled long and hard, but what I’ve read all discuss the dots.

@mufflebutt: how is she not an NSA whistleblower? (I’m not saying she is, just that what I’ve read says she is, and I’m curious what you mean when you say she isn’t).

When I’m not mobile I’ll look.

Everything I’ve read stated that the most likely way she was caught was by: the scans showing folds (thus showing its a printout), there being an audit log of her accessing the document, and an audit log of her being one of only a few people that printed the document. Combined with her using a work computer to contact The Intercept, this all left a pretty big trail of breadcrumbs to follow.

Note that everything I’ve mentioned above could have been easily tracked by a low level IT person - no magic tracking dots required.

But didn’t they help to confirm which printer printed it? Even that alone is worth knowing if so. Hell it’s interesting either way, but it sounds like it still played a part, if only a small part.

It could have been a final bit of corroborating evidence but it seems to me that any one of the other, more conventional things would have been adequate for a warrant and possible conviction (INAL so I’ll defer to someone like @waetherman on that assertion).

I fully sympathize with Ms Winner and hope she’s not ruined by this, but it doesn’t seem at all like she took any precautions to protect herself before leaking those documents and that’s a shame.

She’d be a whistleblower if NSA was denying that there was interference in the election. Trump is denying it, but NSA has been publicly confirming it since last year. Ironically, the Intercept has been pushing back against that story, and if I were to speculate, I’d say that played a part in Ms. Winner’s decision to leak to them.

I feel bad for her. What she disclosed was of little consequence. The content had already been leaked, just not the report itself. But actual documents are pursued more aggressively than memorizing something and talking to a reporter. Now she’s lost her career and is looking at 1-3 years in prison. Potentially more.

The final piece was the postmark that the reporter disclosed. Only one of the six people who accessed and printed the report was at that location, and it was the same one who had been in touch with the Intercept.

She also admitted it when the investigating agent asked.

Nothing you’ve said detracts from her status as a whistleblower (or a hero), that I can see at least. She’s established a firm baseline of what the NSA knows to have happened, which makes it a lot harder for the Whitehouse and the Alt Right to obfuscate and deny.

Its not needed. Printers are smart machines now. They keep a record of what they printed and who they printed it for. At my last workplace where we did reasonably sensitive work you had to physically log in to the printer to get your print job. Nothing was ever left sitting on the printer waiting to be collected.

There was already a firm baseline established here and here.

The classified report that was leaked doesn’t disclose abuse of authority, mismanagement, waste of funds or breach of law committed by anyone in the federal government. It’s not whistleblowing.

It is in the public interest to disclose precisely what went on last year, but not like this. There are ongoing investigations, and it’s not helpful to give those being investigated a peek behind the scenes.

except there is a very real fear that information relating to the extent of russian hacking will be suppressed.

i think we should have no expectation that the administration will cooperate with the investigation, and one way of ensuring critical information reaches the people is through journalists and their sources.

the intercept - all experienced reporters - decided along with winner that this leak was worth relaying to the public.

indeed, it shows russian hacking went beyond a disinformation campaign and into voter rolls. it shows actual votes were at risk. these are things 2 administrations have denied.

for my part, i hope it raises awareness that electronic voting is not as secure as paper voting. something that goes well beyond any one president or election.

There have been denials about vote totals being changed, and this report doesn’t contradict that.

There haven’t been denials regarding the voter rolls being targeted. CNN covered it in October, while it was ongoing. The BBC confirmed it was one of the focuses of the investigation in March. I think it was WSJ that wrote about it a few weeks ago, and somebody else last week.

I understand the concerns about a cover up, but as long as Bob Mueller’s investigation isn’t shut down, which is something Trump can’t do himself, I’m not worried about it.

[quote=“ficuswhisperer, post:2, topic:102495”]
No, she wasn’t. She was caught by basic investigational skills, basic IT practices, and poor opsec. It wasn’t the damn printer dots.
[/quote]You forgot “Poor source protection practices.”

If the crew at The Intercept knew what they were doing, the government wouldn’t have had the first thread to pick at that they used to unravel the whole thing. At best, they might have figured it out after a long, long slog of an investigation, and even that’s doubtful - a lot of the evidence they found relied on knowing where to look in the first place, which The Intercept handed them on a silver platter.

Like, for fuck’s sake, they try to position themselves as the go-to people for handling sensitive leaks, and yet they make enormous mistakes that I wouldn’t have(and frankly, didn’t, in similar situations) made as a green-as-fresh-bamboo reporter. They showed original documents, they gave identifying information that gave away the location, Not doing shit like that is literally the basic of basics when it comes to source protection, what the absolute goatshitting fuck were they even thinking?

agree. the thing winner has shown is that it might have been possible, and more importantly, how it could be possible.

i think the conclusion of the washpost? analysis was that only in 1 of the 7,8? states would have it been undetectable. but, so far as i know, no state has actually done an audit to detemine if the vote was altered.

everyone’s too afraid about undermining the idea of the will of the people to even bother checking.

at this point we don’t know how much of the details of the trump investigation will be made public. even if everything becomes available, it’d be reasonable to conclude that mueller’s investigation won’t have unfettered access to all branches and offices of government.

the trump russia connection is important, but so are the methods by which the vote can be changed…by anyone.

whistleblowing is about bringing wrongdoers to justice, but it’s also about making sure that the people ( which the government is supposed to represent ) have access to the appropriate amount of information they can use so they can act.

probably some sorts of information should be hidden away - but, not too much, nor for too long - otherwise government diverges from the direction of those who have agreed to be governed.

i honestly think this woman’s act is part of keeping that balance.

She’s kind of a whistleblower.

She was hearing in the media that “Russia had not, as yet, come close to affecting our actual voting machines.” Yet she had evidence Russia had successfully spearphished an American voter machine software company. So, rather than let this evidence eventually percolate to the surface, as it probably would have, she took it into her own hands. And now will be spending 10-20 the hard way.

Well, she was helped in her ineptitude by the ineptitude of Greenwald at The Intercept.

Why the fuck did he give the actual copy he received to the NSA?

Sure, the prosecutors would’ve had some evidence against her, in any case. But the Intercept’s evidence buries her.

If she’d been smart, she would have thrown it to Wikileaks and let Wikileaks manage disbursement.

[quote=“petzl, post:18, topic:102495”]
Sure, the prosecutors would’ve had some evidence against her, in any case. But the Intercept’s evidence buries her.
[/quote]If they even had that. Greenwald and co also handed them a very valuable clue in where to start looking, without which, their job would have been orders of magnitude harder, meaning it might have been months before they figured it out, as they investigated everyone with access to that set of documents, if they figured it out at all.

[quote=“petzl, post:18, topic:102495”]
If she’d been smart, she would have thrown it to Wikileaks and let Wikileaks manage disbursement.
[/quote]Wikileaks, with evidence that Russia successfully spearfished an American voter machine software company? It’d never see the light of day. She’d have had sweet promises told to her, and the leak itself would have been filed straight to Julian’s rubbish bin. Wikileaks is Putin’s pet errand-boy, they’re as in the pocket as RT and Sputnik are.

If she was smart, she wouldn’t have gone to The Intercept, and especially not Wikileaks. She’d have taken it to organizations with experience and a proven record of handling and protecting sensitive sources - for example, The Guardian. Or basically any one of the other reputable mainstream press outlets. You might not like the mainstream media - and I’m pretty sure it’s that same thinking that has now essentially made Ms Winner the loser in this situation - but you can’t deny, they’ve the history of protecting sources, along with the muscle and experience to back it up.

What makes you say that?

I can easily see people who don’t like Wikileaks discrediting them by saying that, so I’m curious if there’s anything substantiated.

Read through the actual report. If this is the conclusion you draw from it, you also have to conclude that it shows it might have been possible to get access to BoingBoing, bank accounts, the Pentagon, or practically anything else accessed by someone with an email address.

That’s still a technically valid conclusion, in a broad sense, because spear-phishing can contribute towards getting access to most things, but there’s nothing in the report itself to suggest BoingBoing, bank accounts, the Pentagon, or vote tallies were affected, or even targeted.

I can’t argue with a desire for more transparency, particularly when it comes to voting machines, but this is a classified document which has no urgent need to be made public.

They don’t make voter machine software. They make voter registration software. That’s still a big deal, because control of it would (theoretically) allow specific people to be prevented from voting, as well as for fictitious voters to be created, allowing co-conspirators to cast multiple fraudulent votes.