Monday, June 05, 2017

How The Intercept Outed Reality Winner

Today, The Intercept released documents on election tampering from an NSA leaker. Later, the arrest warrant request for an NSA contractor named "Reality Winner" was published, showing how they tracked her down because she had printed out the documents and sent them to The Intercept. The document posted by The Intercept isn't the original PDF file, but a PDF containing images of the printed version that was later scanned in.

As the warrant says, she confessed while interviewed by the FBI. Had she not confessed, the documents still contained enough evidence to convict her: the printed document was digitally watermarked.

The problem is that most new printers print nearly invisible yellow dots that record exactly when and where any document was printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.

In this post, I show how.

You can download the document from the original article here. You can then open it in a PDF viewer, such as the normal "Preview" app on macOS. Zoom into some whitespace on the document, and take a screenshot of this. On macOS, hit [Command-Shift-3] to take a screenshot of a window. There are yellow dots in this image, but you can barely see them, especially if your screen is dirty.

We need to highlight the yellow dots. Open the screenshot in an image editor, such as the "Paintbrush" program built into macOS. Now use the option to "Invert Colors" in the image, to get something like this. You should see a roughly rectangular checkerboard pattern in the whitespace.

It's upside down, so we need to rotate it 180 degrees, or flip-horizontal and flip-vertical:

Now we go to the EFF page and manually click on the pattern so that their tool can decode the meaning:

This produces the following result:
The document leaked by The Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017 at 6:20. The NSA almost certainly has a record of who used the printer at that time.

The situation is similar to how Vice outed the location of John McAfee, by publishing JPEG photographs of him with the EXIF GPS coordinates still hidden in the file. It is also like how PDFs are often redacted by adding a black bar on top of the image, leaving the underlying contents still in the file for people to read, such as in this NYTimes accident with a Snowden document. Or how opening a Microsoft Office document, then accidentally saving it, leaves behind fingerprints identifying you, as repeatedly happened with the Wikileaks election leaks. These sorts of failures are common with leaks. To fix this yellow-dot problem, use a black-and-white printer, black-and-white scanner, or convert to black-and-white with an image editor.
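As an added example (not code from the original post), the Python sketch below reproduces the invert and rotate steps on a constructed 8x8 patch, then compares a greyscale conversion with a hard 1-bit threshold as the "convert to black-and-white" fix. The dot colour, patch contents and function names are assumptions chosen for illustration; a real scan adds noise that this clean patch does not model.

```python
# Constructed sample data: an 8x8 patch of "paper" holding a short black text
# stroke and three faint yellow dots. The dot colour is an assumed value.
WHITE, BLACK, YELLOW = (255, 255, 255), (0, 0, 0), (255, 255, 170)
DOTS = {(1, 2), (3, 5), (6, 1)}   # (row, col) positions, constructed
TEXT = {(4, 2), (4, 3), (4, 4)}   # (row, col) positions, constructed


def make_patch(size=8):
    def colour(r, c):
        if (r, c) in DOTS:
            return YELLOW
        return BLACK if (r, c) in TEXT else WHITE
    return [[colour(r, c) for c in range(size)] for r in range(size)]


def luma(px):
    """Perceived brightness (ITU-R BT.601 weights); blue contributes least."""
    r, g, b = px
    return 0.299 * r + 0.587 * g + 0.114 * b


def invert(img):
    """'Invert Colors': white paper becomes black, yellow dots become blue."""
    return [[tuple(255 - v for v in px) for px in row] for row in img]


def rotate180(img):
    """Same result as flip-horizontal followed by flip-vertical."""
    return [row[::-1] for row in img[::-1]]


def find_yellow(img, min_gap=40):
    """Pixels whose blue channel sits well below both red and green."""
    return {(r, c) for r, row in enumerate(img)
            for c, (red, green, blue) in enumerate(row)
            if min(red, green) - blue >= min_gap}


def to_greyscale(img):
    return [[round(luma(px)) for px in row] for row in img]


def to_1bit(img, threshold=128):
    """Hard threshold (no dithering): every pixel becomes 0 or 255."""
    return [[255 if luma(px) >= threshold else 0 for px in row] for row in img]


def off_white(grey):
    """Positions in a one-channel image that are neither pure black nor white."""
    return {(r, c) for r, row in enumerate(grey)
            for c, v in enumerate(row) if 0 < v < 255}


if __name__ == "__main__":
    patch = make_patch()
    print("dot vs paper brightness:", round(luma(YELLOW)), "vs", round(luma(WHITE)))
    print("inverted dot pixel:", invert(patch)[1][2])
    print("dots found in colour image:", sorted(find_yellow(patch)))
    print("dots left after greyscale: ", sorted(off_white(to_greyscale(patch))))
    print("dots left after 1-bit:     ", sorted(off_white(to_1bit(patch))))
```

The dots differ from white paper almost entirely in the blue channel, which is why they are hard to see and why a greyscale copy still carries them as slightly darker pixels, while a hard threshold maps them to pure white and keeps the text.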

Copiers/printers have two features put in there by the government to be evil to you. The first is that scanners/copiers (when using scanner feature) recognize a barely visible pattern on currency, so that they can't be used to counterfeit money, as shown on this $20 below:


The second is that when they print things out, they include these invisible dots, so documents can be tracked. In other words, those dots on bills prevent them from being scanned in, and the dots produced by printers help the government track what was printed out.

Yes, this code the government forces into our printers is a violation of our 3rd Amendment rights.





While I was writing up this post, these tweets appeared first:








Comments:
https://news.ycombinator.com/item?id=14494818


89 comments:

popsiq said...

Poof goes a darn fine tracking tool.

vliam said...

Not really.

This has been a pretty standard thing for the last decade or so and even NSA contractors forget, or are simply unaware, that it exists.

Anonymous said...

3rd amendment? Really? You'll liken these yellow dots to quartering soldiers?

KiTA said...

It's forcing you to run software on behalf of the US Government. That's against the 3rd Amendment.

Unknown said...

Simply converting to b/w is not sufficient!
http://imgur.com/a/kLovh

And even when you mask them out so that they are no longer visible in the "all white" (paper) background, e.g. by messing with the white/black point of the image there's still the possibility that they could be recovered with correlation methods in grey areas where they aren't visible to the naked eye or just by increasing the contrast.

jgury said...

Technically I think she had already outed herself in multiple and more obvious ways like using her gmail to communicate with the Intercept, social media activities, etc. Still, a mistake on the part of the Intercept in providing evidence to finger and prosecute her.

erroneus said...

Don't print in color or on a color printer unless the document warrants it. Black monochrome only people. It's also cheaper. Have two printers.

Anonymous said...

That's why, when Greenpeace leaked the TTIP documents, they first manually re-typed a copy of the original document that was then released.

Especially The Intercept should have known better.

A terrible professional error that not only destroyed the life of one of the rare courageous citizens, but also shows that The Intercept cannot be considered as safe “whistle blower” platform anymore.

This is sad and very dangerous, as we need independent human rights defending journalism more than ever - and this can only work if these journalists are able to protect their sources.

shevy said...

I consider it highly illegal that people are trackable that way in general.

That this is possible shows that the governments do not work for the people but for other interest groups.

Unknown said...

black and white is not greyscale, btw.

Lavandou said...

I don't think anti-counterfeiting measures mean the government is being evil to me.

Matt said...

Wrong amendment! No Constitutional violation. What you expose to public even unknowingly is not protected. Government has to protect itself from saboteurs. Writer has head screwed on wrong if he thinks this is evil.

codetaku said...

"Forcing"? ... no it isn't. You are buying a printer that chooses to run that software. You can overwrite the software yourself if you have the motivation to do so.

codetaku said...

(that comment was directed to KiTA--the interface I was using had a reply-to-comment button and I wasn't sure how obvious it would be that I was replying to them)

DJ said...

Christian Vogel, black and white means indexed (1-bit color palette). Every pixel is either pure black or pure white. There are no gray pixels. I believe this does defeat printer dots. The leaker should have done this themselves rather than trusting the journalist.

Anonymous said...

Nice work. How could The Intercept be so naive by seeking contact with the NSA? I don’t get it, Glenn Greenwald, you know better. Do you?

timb said...

Is there any chance people would realize the Amendment comment was a joke and stop failing to be pedantic with their "corrections"?

Bill Owen said...

#JWICs is a thing. Winner outed herself.

Bob R. said...

Great article, but there is no such built in program called Paintbrush on macOS.

Angelique said...

This was not a courageous citizen! She was a deranged anti-American communist like 90% of the journalists today. This leak does nothing but alert foreign gov't of our capabilities. Claiming to be helping when you're actually sabotaging our country is straight out of the Alinsky playbook: accuse others of what you're actually doing.

Sojack.blogspot.com said...

Spell check. Try it.

haithabu said...

She may have assumed that secrecy laws are a dead letter with all the consequence-free leaking going on.

Random Libertarian said...

Nothing wrong with microdots - especially when run on government hardware to protect government property from criminal intent.

Unknown said...

Someone was definitely either careless or maliciously trying to out Winner, but I'm not sure we can jump to blaming The Intercept just yet. A WashPo article said the FBI questioned Winner -- who admitted everything -- on June 3rd, two days before the Intercept story went live.

YourLocalGP said...

The specific constitutional rights violation is not of consumers, it is of private companies who manufacture printers being compelled to add this technology. Familiar to many following the case with Apple and encryption recently.

Ellen P. said...

Or the know-how..... said the extremely tech-challenged 67 year old.... me.

Eric said...

Angelique is slightly right but mostly wrong. I agree that leaks can harm our ability to legitimately intercept nefarious foreign governments and foreign individuals seeking to harm our republic and citizens. On the other hand the fact that a foreign power has corrupted our election process in numerous ways and may very likely put in power an illegitimate president is a serious concern. When the only authority and oversight is the same president and his cronies then turning to the free press seems like a pretty good idea. This woman was very brave for bringing forth this information.

Divemedic said...

Yes. The reason why the third Amendment is there is not because the founders were angry at being forced to run a hotel for British troops. It is because a common way of quelling dissent was to place soldiers in the homes of rabble rousers, and have them report on the dissenters' activities. Nowadays, they just do the same thing electronically with NSA email intercepts and the like.

Sum_ID said...

Michael, fyi, the reason they questioned the girl is because The Intercept contacted them to see if they wanted anything redacted before printing, they gave them a copy of the document so as to not release sensitive information. It is common in media these days.

ashley said...

I don't know that this would be any more a violation of 3rd Amendment rights than, for example, the ability to trace typewriting to a specific old-school typewriter would be. Let's put aside this specific case for a moment, given that she printed the doc on an NSA/work printer. If, say, the FBI wanted to track a specific printed document to a specific printer, there would need to be one of the following: a) a catalog of all dotmark patterns, presumably registered by the manufacturers, or b) a record maintained by each individual manufacturer which the FBI could access, possibly with a warrant, that would narrow the printer to the retail location but possibly no further, or c) the FBI would have to match the document to the exact printer -- in which case, they perhaps have narrowed the search down to a possible printer and this is used for confirmation. This is quite different from planting either a government agent or a form of bug (computer, audio, whatever) in a private residence.

RobPaulGru said...

DESTROY THIS BEAST

articulett said...

A point of consideration is that the Intercept knows this because of Snowden and they purposefully outed Winner as a message to leakers.

articulett said...

http://observer.com/2017/06/reality-winner-intercept-nsa-leak-explained/

Socialist Avenger said...

they v much want you to think this. her gmail was used for a completely unrelated communication with TI

Unknown said...

This document is a PDF.. there is no scanner that can actually capture those dots even in 1600P.. so HOW was that scanned?

Socialist Avenger said...

this is because TI shared documents on 5/30 with the NSA who notified the FBI. winner was already in custody when the article was finally run

Unknown said...

Is it because it was OUR election and Trump won that has all you people so upset, or is it the general principle of the thing, in which case, were all of you equally upset about Obama's 2015 attempts to influence Israeli elections (using US taxpayer dollars), and all the other US attempts to influence foreign elections between 1947 and 2000?

https://townhall.com/tipsheet/mattvespa/2016/12/16/flashback-that-time-the-obama-administration-spent-hundreds-of-thousands-of-dollars-to-defeat-benjamin-netanyahu-n2260711

http://www.latimes.com/nation/la-na-us-intervention-foreign-elections-20161213-story.html

Just curious...........

Charlie McHenry said...

Please read Alinsky's work. His "playbook" is all about how to give powerless people organizing tools to stand up to authority to protect their rights. If that is evil, or communist in some way, then I'm also guilty - as are many others.

haithabu said...

But when these people attain power and continue to use Alinskyite tactics - that's a problem as we found out during the Obama administration.

jon191 said...


This could all be elaborate theater - cleverly designed to help the oligarchy/establishment achieve certain objectives. It's good to be open minded, but not too gullible. Just because 300 million people believe a pack of lies, does not change the matter.

@primesuspect said...

To people who think this is a newer innovation: This has been going on since at least the late 1990s when consumer color laser printers became viable. I had a leadership role at a retail copy chain and one of my stores was involved in a counterfeit money situation; the US Secret Service came in to verify serial numbers of our color laser printers and sat down with me to explain the yellow dots. This was in 1998.

@primesuspect said...

https://en.wikipedia.org/wiki/Printer_steganography

Bradh MacBradh Cernunnos [born Brad Hartliep] said...

As long as you accept the fact that Hillary Clinton and the DNC are just as Corrupt and Evil as Donald Trump and the RNC you have an argument for returning our Nation to Civil, Honorable, Citizenship-based Rule. If you're still brainwashed by either Party - or ANY Party - then you need to have your brain deprogrammed ..

Brad Hartliep. America's Independent Candidate 2020

Amanda from Georgia said...

Things are different if you're working for the government with security clearance.

Anonymous said...

they had one successful leaker - one who did reveal himself publicly because journalists were conspiring with him to create this (TI) medium and provide him with money for life. otherwise he would leak it on cryptome which had a long tradition of successful leaking

Anonymous said...

also don't forget wikileaks

Anonymous said...

Amendment comments should be mandatory so they have more clicks and shares😋

Anonymous said...

exactly, so intercept can not be sued or shutdown

Anonymous said...

you're naive, if they wanted what you wrote, then they will sanitize the leak then send it to state and that's it. they didn't do it, they sent documents with identifiers so they won't be sued or shot down or living on ecuadorean embassy

Anonymous said...

yes but this article is about toxic culture in your media industry so you won't forget that it's not only about "fakenews"

Anonymous said...

yes if a leaker sends them materials it's a problem for them because they have to deal with government instead of cashing hundreds of thousands dollar checks every month from fearmongering

Anonymous said...

you have truly american mind

tone said...

Look on the bright side... she didn't have to pay for the toner.

Slink_J said...

Haithabu could you explain what you mean there. I'm unsure of whom you are referring to.

News76 said...

Who cares who the brave person who leaked this is? The question remains: did the hackers change the outcome of the election, and if so, what should be done next?

Lynne said...

Thanks, that's interesting

Kev Wells said...

Everyone is discussing Microdots on printers?
That she printed a document on a secure printer and then snail mailed it is mind boggling to me. I am a Network Engineer and there is really nothing that she could have done to have not been discovered. They conveniently get to admit to microdots on PDFs in this case. I am sure that the NSA is relieved that they do not need to own up to spyware built into firmware on PCs now. No electronic communication is secure at all period.

The bigger question for me is this: How does a radicalized 25 year old Anti-Trumper find out that a 4 day old document like this even exists in the first place? No one is talking about the DNC server breach any longer. She is obviously a patsy and was used by the Feds to release this information. This is a certainty. And it is unfortunate that her life is over and this might have been prevented. She was used and will be tossed aside.

I want to reiterate: THERE IS NO FORM OF ELECTRONIC COMMUNICATION THAT IS SECURE AT ALL. Believe this because it is the truth.

Mickster said...

Printer dots save lives. Can you imagine the unscrupulous people who would steal government and industrial secrets if they could! She was a vindictive little bitch who gave out a Top Secret document--she has earned her jumpsuit and jail cell!

Unknown said...

Assume that anything outed on the general Internet has already been detected by ISIL and similar entities who aim to do us harm.

Unknown said...

It's [Command-Shift-4]. Also I'm only ever leaking anything to Cory Doctorow (hacker + journalist) or Bruce Schneier (straight up security expert and privacy advocate)--not that anyone trusts me with anything worth leaking.

Lmingle said...

If you print on an employer's printer don't expect ANY right to privacy! They own the hardware you're using and can monitor how it is used as they wish, including the microdots and logging. Besides, I'm pretty confident every federal employee/contractor signs a legal contract stating they will keep confidential, secret and top secret documents as just that. If they don't want to then they shouldn't have access to those documents.

aaa' said...

here's an obvious opportunity for a graphics developer:

salt-n-peppa! add random yeller dots of the same color and size all over the place,
especially in the tagged area!

if the color is an exact match then the data goes poof!

Unknown said...

In the old days, typewriters were identified because of slight differences in the alignment of the typebars and imperfections and wear on each letter. Microdots are an update for technology.

Society's gravest danger is from non-public organizations, within the government or outside it. Tools like these to enable "us" to discover who did what are important for the continuance of our culture.

BobP said...

Not if she's working at NSA...

kdw159 said...

What happens if you print on yellow paper or use a yellow background of some kind?

RacyLadies said...

It's actually a violation not of the Third Amendment but of the Fourth Amendment to the U.S. Constitution: the right to be secure in your home. If you downloaded the document to a flash drive and printed it on your home hardware, this tracking/spying device would violate your safety and privacy in your home.
