The grugq on Reality Winner, the Intercept, and OPSEC

Good commentary.

Posted on June 14, 2017 at 8:15 AM • 36 Comments

Comments

Matteo • June 14, 2017 10:49 AM

I was wondering how it is possible that she got access to secret documents without a minimum of OPSEC training/information.

Shouldn't people who work with secret documents get training before accessing them? For example: "don't do this and that, be careful about this..."

How is it possible that people working with secret documents don't know basic things? For example, googling *from a work computer* "Do top secret computers know when a thumb drive is inserted?"

Answer: yes, and so do normal ones, and you don't even need Google for this:
if you plug in a USB key for the first time Windows says "installing new device..." but if you plug it in again it will not install again, so it means that Windows remembers inserted devices. You can also verify this by going into Device Manager and clicking "show hidden devices" (after setting DEVMGR_SHOW_NONPRESENT_DEVICES=1).
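
An added example (not part of Matteo's comment or of the original page) of what "Windows remembers inserted devices" looks like to a forensic examiner: every mass-storage device ever attached leaves a model subkey, and under it a per-unit subkey keyed by serial number, under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. The walk uses Python's standard winreg module and only runs on Windows; elsewhere the script falls back to constructed sample entries so the parser can be exercised offline. The model names and serials in SAMPLE_ENTRIES are made up; the key path and the rule that an '&' in position 1 of the instance id marks a Windows-synthesised (not device-reported) serial are real.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Windows keeps one subkey here per mass-storage model ever attached, and under
# it one subkey per physical unit (keyed by the serial the device reported).
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Model subkey format, e.g. "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00".
_MODEL_RE = re.compile(
    r"^(?P<kind>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorRecord:
    kind: str            # Disk, CdRom, ...
    vendor: str
    product: str
    revision: str
    instance: str        # "<serial>&<port-instance>" or a PnP-synthesised id
    friendly_name: Optional[str] = None

    @property
    def serial_reported_by_device(self) -> bool:
        # Units that report no serial get an id like "7&1a2b3c4d&0": the '&' in
        # position 1 means Windows generated it, so it does not pin down one
        # physical stick the way a device-reported serial does.
        return not (len(self.instance) > 1 and self.instance[1] == "&")


def parse_usbstor_entry(model_key: str, instance_key: str,
                        friendly_name: Optional[str] = None) -> Optional[UsbStorRecord]:
    """Decode one model/instance subkey pair; None if the model key is not a USBSTOR id."""
    m = _MODEL_RE.match(model_key)
    if m is None:
        return None
    return UsbStorRecord(m["kind"], m["vendor"], m["product"], m["rev"],
                         instance_key, friendly_name)


def enumerate_usbstor() -> List[UsbStorRecord]:
    """Walk the live registry (Windows only) and return every unit ever attached."""
    if sys.platform != "win32":
        raise OSError("USBSTOR enumeration needs the Windows registry")
    import winreg  # standard library, importable only on Windows
    records: List[UsbStorRecord] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for mi in range(winreg.QueryInfoKey(root)[0]):
            model = winreg.EnumKey(root, mi)
            with winreg.OpenKey(root, model) as mkey:
                for ii in range(winreg.QueryInfoKey(mkey)[0]):
                    inst = winreg.EnumKey(mkey, ii)
                    name = None
                    try:
                        with winreg.OpenKey(mkey, inst) as ikey:
                            name, _ = winreg.QueryValueEx(ikey, "FriendlyName")
                    except OSError:
                        pass  # value absent on some driver stacks; the key itself is the evidence
                    rec = parse_usbstor_entry(model, inst, name)
                    if rec is not None:
                        records.append(rec)
    return records


# Constructed sample of what the registry walk returns (not taken from a real host).
SAMPLE_ENTRIES = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001234567890123&0",
     "SanDisk Cruzer Blade USB Device"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1a2b3c4d&0",
     "Generic Flash Disk USB Device"),
]


def sample_records() -> List[UsbStorRecord]:
    return [r for r in (parse_usbstor_entry(*e) for e in SAMPLE_ENTRIES) if r is not None]


if __name__ == "__main__":
    recs = enumerate_usbstor() if sys.platform == "win32" else sample_records()
    for r in recs:
        print(f"{r.kind:6} {r.vendor:10} {r.product:16} rev={r.revision:5} "
              f"instance={r.instance} real_serial={r.serial_reported_by_device}")
```

The per-unit key's last-write time and the entries in setupapi.dev.log add when each stick was first installed; this is the same history Device Manager exposes once non-present devices are shown, and it survives the stick being unplugged, wiped or thrown away.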

ioerror • June 14, 2017 11:31 AM

@ Matteo: Just because they have a security clearance doesn't make them IT experts. Even though that is elementary stuff to us IT/infosec folks, it isn't common knowledge to the general public. AND it's obviously in the IC's best interest to make sure their people don't know the details of exfiltrating data. Although it would benefit them to know the basics of opsec...

I?E? • June 14, 2017 11:52 AM

Is this THE ioerror? If it is, Sir, notwithstanding your personal troubles, one hopes that you can return to the fray, in some way that makes everyone feel comfortable and safe. As Lincoln said, I can't spare this man, he fights.

Who? • June 14, 2017 11:55 AM

Documents classified as TS//SI//ORCON are a nightmare for whistleblowers. Not only because the classification (higher than just "top secret") is troubling in itself, but also because documents whose distribution is controlled by the originator are easy to track. Only a few people inside the IC are authorized to read them.

It is obvious that both Ms. Winner and The Intercept made huge OPSEC errors —surprisingly, the publication of these tracking dots being the least important of these mistakes— but, in my humble opinion, the document is overclassified. There is nothing in it that was not known or suspected for months. It is sad that Ms. Winner made the mistake of leaking so highly classified a document for nothing.

mark • June 14, 2017 11:57 AM

Geez, she *really* wasn't thinking. If I had access to that kind of information (I don't), and if I found something I wanted to send to journalists, the first thing I'd do is make a text copy of the document. As in ASCII, or at least 8859-1. NEVER a .pdf.

The second is, geez, she couldn't copy it to a USB key?

The third is, sheesh, I work for a federal contractor; to paraphrase a line from my late wife, I do not speak for my company, the US federal government, or the view out my window. Therefore, I'm on the CentOS mailing list, because that's what we mostly use... and I'm in it through my *personal* "business" email (not the one I use for personal stuff), and she could have uploaded it to an email to herself. Then, at home, do the printing....

And all this is off the top of my head.

Fredric Rice • June 14, 2017 12:13 PM

These leaks are good things, they need to be encouraged. The citizens of countries deserve to know what government agencies are doing to us, what they are trying to hide from us, that's what Democracy is.

Reality Winner is a hero.

Rachel • June 14, 2017 12:17 PM

mark

'And all this is off the top of my head.'

indeed. On the other hand, maybe we shouldn't believe everything we read in the newspaper. Of course, people both smarter and more idiotic than me have already had similar insights on this 'story'. Let's remember Bruce Schneier requested no commentary from this angle; at least the issue has stimulated useful discourse of a practical nature, which is more than what we can say about other storms in a teacup. I am sure in a month everyone will have forgotten about it. When confronted by media tempests it would be nice to see the faculty of critical thinking engaged more frequently, however.
By the way, is it general practice for the NSA to be so media public about a whistleblower? Maybe only when there is something to gain?

Ms Winner didn't think to buy an SD card and a Rubik's cube.

Who? • June 14, 2017 12:18 PM

The way the NSA protects its own documents is odd. Tracking whistleblowers is OK, but wouldn't it be better and more effective to set up internal security so staff do not have access to documents they do not need to know?

Did Ms. Winner have top secret security clearance? Even in this case an ORCON document should be accessible only to a small subset of members of the NSA with top secret accreditation, and this access should be easy to implement at the filesystem level using ACLs; even classical —non-ACL— Unix operating systems would support this feature by means of secondary groups.
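
An added illustration (example code, not from the commenter or the page) of the "secondary groups" point: the classical Unix access check selects exactly one permission class, owner, then group, then other, and the group class matches the file's group against the caller's primary group or any supplementary group, so a compartment is nothing more than a dedicated group on a 2750 directory. The users, uids and the orcon-xyz group below are constructed; the decision logic follows the traditional Unix rules, including that uid 0 bypasses them.

```python
from dataclasses import dataclass
from typing import List, Sequence

READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gid: int                                  # primary group
    groups: frozenset = frozenset()           # supplementary ("secondary") groups


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int                                 # permission bits, e.g. 0o2750


def classic_unix_allows(p: Principal, f: Inode, want: int) -> bool:
    """The classical (pre-ACL) Unix access decision.

    Exactly one class applies, chosen in this order: owner, then group
    (primary *or* any supplementary group), then other. Because the classes
    are exclusive, an owner whose file is 0o040 is denied even though the
    group bits would allow it. uid 0 bypasses the check (DAC override).
    """
    if p.uid == 0:
        return True
    if p.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid == p.gid or f.gid in p.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def can_read_path(p: Principal, directory: Inode, doc: Inode) -> bool:
    """Reading a file also needs search (x) on the directory holding it; this
    models the one-level case. Locking the directory is what stops someone
    outside the compartment from even listing what exists in it."""
    return classic_unix_allows(p, directory, EXEC) and classic_unix_allows(p, doc, READ)


def who_can_read(users: Sequence[Principal], directory: Inode, doc: Inode) -> List[str]:
    return sorted(u.name for u in users if can_read_path(u, directory, doc))


# Constructed compartment: gid 5001 is the "orcon-xyz" group, granted through
# supplementary membership; the directory is 2750 (setgid so new files inherit
# the group) and the document is 640. Nothing here describes a real system.
ORCON_GID = 5001
COMPARTMENT = Inode("/srv/compartments/orcon-xyz", uid=0, gid=ORCON_GID, mode=0o2750)
DOCUMENT = Inode("/srv/compartments/orcon-xyz/report.txt", uid=1000, gid=ORCON_GID, mode=0o640)

USERS = [
    Principal("author", uid=1000, gid=100, groups=frozenset({ORCON_GID})),
    Principal("analyst", uid=1001, gid=100, groups=frozenset({ORCON_GID})),
    Principal("linguist", uid=1002, gid=100),      # cleared, but not read into this compartment
    Principal("admin", uid=0, gid=0),              # root: DAC does not apply
]

if __name__ == "__main__":
    print(who_can_read(USERS, COMPARTMENT, DOCUMENT))   # ['admin', 'analyst', 'author']
```

On a real host the equivalent is `groupadd orcon-xyz`, `chgrp orcon-xyz /srv/compartments/orcon-xyz`, `chmod 2750 /srv/compartments/orcon-xyz` and `usermod -aG orcon-xyz analyst`. The model also shows the scheme's limit: whoever holds uid 0 (or CAP_DAC_OVERRIDE) reads everything, which is why administrator access needs its own auditing, and POSIX ACLs (`setfacl -m g:other-group:rx`) are the tool when a document must be readable by more than one group.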

Retired Secret Squirrel • June 14, 2017 1:01 PM

@ Matteo
Everyone who works in the Intelligence Community is REQUIRED to go through training on how to handle classified documents, OPSEC, etc. It’s part of the job.
I’m sure wherever you work there are annual training requirements as well.
If someone is intentionally releasing a document to the media or anywhere else, do you really think they care about the training or any laws/regulations at that point? Seriously, this document didn't get out by some accident. She intentionally STOLE the document, removed it from the NSA facility and gave it to someone else. Criminals commit crimes, regardless of the rules.

Daniel • June 14, 2017 1:11 PM

I respect thegrugq a great deal but his otherwise thorough analysis misses a key point about informed consent. Let's examine a point raised by several Twitter commentators and which thegrugq quotes in his article:

The source has given you permission to use the document any way you wish, they are expected to have done the leg work to make sure

Ok Let's assume this is true.

    Where on the website of The Intercept is this stated as an act of fair notice to the whistleblower?
It is not. Here is the webpage for The Intercept leaks: https://theintercept.com/leaks Nowhere on that page is there anything resembling the language quoted above. On the contrary the website brags about its security expertise: "We’ve taken steps to make sure that people can leak to us as safely as possible. Our newsroom is staffed by reporters who have extensive experience working with whistleblowers, as well as some of the world’s foremost internet security specialists."

The Intercept and its defenders are playing a game of "gotcha". They are framing an issue in their favor but omitting important qualifying information; they claim they are not to blame because everybody knows that leaking is a cutthroat business and yet at the same time making no effort to communicate that standard in writing to potential leakers. This is unethical and unfair.


Who? • June 14, 2017 1:27 PM

@ Daniel

I don't know a lot about journalists' ethics, but I want to believe journalists do their best to protect their sources. If thegrugq is right, and I have no reason to think otherwise, the staff at The Intercept has shown a huge disrespect for the life of their source. As you, I think this is unethical and unfair.

Joshua Bowman • June 14, 2017 1:43 PM

@Who?: Ms. Winner had Top Secret clearance because practically everything she needed to do her job is classified. The logical result of too many things being overclassified is that every employee and contractor will end up having to be given highest permissions, and standards will be loosened, even if they shouldn't have been -- and wouldn't have if documents were regularly classified properly, so that needing access to Top Secret was an exceptional event instead of everyday.

Who? • June 14, 2017 2:05 PM

@ Joshua Bowman

This one is a clever thought! I agree with you, overclassified documents require overclassified staff at the agencies. As I see it, the leaked document should be at most "confidential" or "secret" (in this case iff redacted parts earn this classification, the published document is not damaging for national security.)

Sadly, the classification problem will have consequences for Ms. Winner as no one will look at the real value of leaked information that, I would say, is low.

A very good example of an overclassified document is the CIA's "NOD Cryptographic Requirements" (TS//SI//NOFORN just because it provides a few tips about the proper use of RC4.) For years the community has been dropping the first 3 kB of RC4 cryptostreams to avoid the well-known Fluhrer, Mantin and Shamir attack. It is even documented on Wikipedia!
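
As an added example of what "dropping the first 3 kB" amounts to (illustrative code written for this page, not the CIA document's or anyone else's): RC4 with a drop parameter, checked against the public known-answer vectors, plus a measurement of the Mantin-Shamir second-byte bias that the drop is meant to hide. The 16-byte keys used by zero_rate_at_positions are derived deterministically from a counter and are constructed for the demonstration. The caveat a practitioner wants: RC4-drop[n] removes the early-keystream biases and the weak-key class behind the FMS attack, but not RC4's long-term keystream biases, so the cipher remains unfit for use; the only point here is that the "tip" was public knowledge.

```python
import hashlib
import struct
from itertools import islice
from typing import Dict, Iterator, List


def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """Generate RC4 keystream bytes, silently discarding the first `drop`
    (the "RC4-drop[n]" construction; drop=0 is plain RC4)."""
    if not key:
        raise ValueError("RC4 needs a non-empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    produced = 0
    while True:                                   # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:
            yield k
        produced += 1


def keystream_bytes(key: bytes, n: int, drop: int = 0) -> bytes:
    """First n keystream bytes after the drop, as bytes."""
    return bytes(islice(rc4_keystream(key, drop), n))


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, drop)))


def zero_rate_at_positions(positions: List[int], n_keys: int) -> Dict[int, float]:
    """Fraction of keys whose keystream byte at each 0-based position is 0.
    Uniform output would give about 1/256 = 0.0039; Mantin and Shamir showed
    about 2/256 at position 1 (the second byte). Keys are constructed here:
    the first 16 bytes of SHA-256 over a counter, so the run is repeatable."""
    counts = {p: 0 for p in positions}
    length = max(positions) + 1
    for n in range(n_keys):
        key = hashlib.sha256(struct.pack(">I", n)).digest()[:16]
        ks = keystream_bytes(key, length)
        for p in positions:
            if ks[p] == 0:
                counts[p] += 1
    return {p: c / n_keys for p, c in counts.items()}


if __name__ == "__main__":
    # Public known-answer vector: key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3.
    print(rc4_crypt(b"Key", b"Plaintext").hex().upper())
    # Dropping n bytes is exactly "start at offset n" of the same keystream.
    print(keystream_bytes(b"Key", 16, drop=3072) == keystream_bytes(b"Key", 3072 + 16)[3072:])
    # Position 1 comes out roughly twice as often zero as a later position.
    print(zero_rate_at_positions([1, 32], 20000))
```

Both ends must agree on the drop count, since a receiver that does not skip the same number of bytes decrypts garbage; that shared parameter is the entire content of the "tip".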

Dirk Praet • June 14, 2017 3:06 PM

@ I?E?

Is this THE ioerror?

You're confusing @thegrugq with Jacob Appelbaum (@ioerror).

@ Who?

If thegrugq is right, and I have no reason to think otherwise, the staff at The Intercept has shown a huge disrespect for the life of his source.

Although The Intercept indeed f*cked up, the main operational errors were sadly committed by Ms. Winner herself. It was the audit logs, a previous contact with the Intercept and not keeping her mouth shut that did her in. They would have gotten to her even if The Intercept had played its cards right.

In previous threads about leaked documents, it has been a recurring question why certain whistleblowers sit on documents so long before eventually leaking them. I think you've got your answer here: to avoid being just one out of six persons to have recently accessed a particular document, and as captured in a system's audit logs.

Bruce Schneier • June 14, 2017 3:23 PM

"By the way, is it general practice for the NSA to be so media public about a whistleblower? Maybe only when there is something to gain?"

Yes. One of the goals of arresting and throwing the book at her is to dissuade others. That works best if the punishment is very public.

Bruce Schneier • June 14, 2017 3:25 PM

"The logical result of too many things being overclassified is that every employee and contractor will end up having to be given highest permissions, and standards will be loosened, even if they shouldn't have been -- and wouldn't have if documents were regularly classified properly, so that needing access to Top Secret was an exceptional event instead of everyday."

I have heard this as: "If everything is classified, then nothing is classified."

Bruce Schneier • June 14, 2017 3:25 PM

"Although The Intercept indeed f*cked up, the main operational errors were sadly committed by Ms. Winner herself."

I agree.

EvilKiru • June 14, 2017 4:58 PM

@Dirk: I believe that I?E? was referring to the author of the second comment, ioerror. :-)

Daniel • June 14, 2017 5:01 PM

I recognize that this is not my house so I will be as polite as possible though I am actually emotionally upset. I am disappointed in @Bruce's and others' victim blaming. It is honestly shocking to me. The argument that "They would have gotten to her even if The Intercept had played its cards right" is an argument that is without any merit. It is the exact same thing as saying, "well your honor, she would have had sex with me even if I hadn't put the date rape drug in her drink." The principle of informed consent is not a principle rooted in security methodology but a principle rooted in social duties. Without informed consent we can't even be certain that Ms. Winner's decision to leak in the first place was a genuine, free consent. If her decision to leak in the first place was rooted in deceptive statements from The Intercept--statements that were deceptive due to lies of omission--then her own operational security errors are beside the point.

The problem with The Intercept's behavior isn't isolated to their behavior after they got hold of the leaked documents. It is the way The Intercept seduced her into leaking in the first place. If The Intercept had behaved in an ethical manner from the beginning there is a strong possibility--though we will never know for certain--that she may not have even leaked to begin with. That's the point. The defendant doesn't get to come back later and say, "well your honor it's not my problem she didn't test the drink for drugs" or "well your honor she would have had sex with me anyway". By behaving in an underhanded manner to begin with, The Intercept assumed that risk: they advertise right on their site that they have world-level expertise and they advertise that without meaningful qualification.

These lame attempts to shift the blame onto the victim by @Bruce and @Dirk and on Twitter @JosephCox are shameful. Honestly.

norborto • June 14, 2017 6:55 PM

@Daniel, I agree with putting some blame on the Intercept but not with the idea it's wrong to discuss the errors of anyone who's a "victim". It's true she's a victim, but it's important and well within the scope of this blog to analyze the mistakes she made. Censoring ourselves to spare her feelings would be to the detriment of future leakers. I don't see anyone here saying "it's all Winner's fault".

V • June 14, 2017 7:00 PM

Bruce: "One of the goals of arresting and throwing the book at her is to dissuade others. That works best if the punishment is very public."

On the other hand, Ed Snowden looked at the treatment of previous dissidents and decided to go directly to journalists. Fortunately, he linked up with Laura Poitras, who had been detained at the border enough times she had a good enough handle on ops security. Unintended consequences - squared.

Daniel • June 14, 2017 7:38 PM

@norborto writes, "I agree with putting some blame on the Intercept but not with the idea it's wrong to discuss the errors of anyone who's a "victim". It's true she's a victim, but it's important and well within the scope of this blog to analyze the mistakes she made."

I have never stated or even implied that it is "wrong to discuss the errors of anyone who is a 'victim'". I concur that a discussion of that topic is within the scope of this blog. However, I don't think that such a discussion about her mistakes is informative when it comes to assigning who is to blame for this incident. I worry that this focus on her mistakes twists the narrative away from the ethical responsibility that journalists have towards their sources and the public at large. For in my view it is The Intercept's operational errors--both before and after they received the documents--that are the main cause of her detention.

JonKnowsNothing • June 14, 2017 9:47 PM

So... here's a new idea from Marcy Wheeler

How Did Reality Winner Know to Look for the Russian Hack Document?

So days after a report for which she didn’t have the need to know was completed, she knew the search terms to use to find it.

How did she learn about it?

https://www.emptywheel.net/2017/06/14/how-did-reality-winner-know-to-look-for-the-russian-hack-document/


Blaming the victim is quite common. It detracts from the real issues.

Now if we were discussing 007 or George Smiley or even Johnny Worricker then maybe there might be something useful in blaming the victim, Hollywood and Governments like that, but in Real Life we are ALL victims here.


Josh • June 15, 2017 2:59 AM

I don't see this as blaming the victim, per se. It's pointing out what she did that could have been done differently and make it so she was less likely to get caught. It also outlined where her mistaken faith in the Intercept should have gone differently (i.e. the Intercept really should have handled the leak more securely).

There is literally nothing in the linked article that is akin to "she wouldn't have been raped if she hadn't been wearing that." What is worn has no bearing on whether a rape happens. What you search for on a secure system does have a bearing on if your leak is caught. Even if the system is not classified, she was told in some capacity that everything she did could, and likely would, be monitored and logged. Hell, I'm not working in any semblance of a secured facility, and I assume most of my actions are being logged in some way.

Dirk Praet • June 15, 2017 3:54 AM

@ Daniel

For in my view it is The Intercept's operational errors--both before and after they received the documents--that are the main cause of her detention.

Daniel, nobody here is "blaming" Ms. Winner. We are merely pointing out the lethal mistakes she made as a warning to future whistleblowers.

Despite serious errors on their part, I think it's a bridge too far to think of this as some sort of entrapment scenario in which she was deliberately set up by The Intercept, which you seem to hint at. There is nothing they could have done to prevent her from being identified by a triangulation of the system audit logs and a previous communication trace to The Intercept. On top of that, she panicked and caved in during interrogation instead of adhering to rule number one when dealing with LEOs: NEVER EVER talk to them and NEVER EVER admit or consent to anything. You have the right to remain silent and they cannot force you to incriminate yourself.

The main lesson from these events is: do NOT engage in this sort of activity unless you know darn well what you are doing. A good starting point for which would be to intimately familiarize yourself with @thegrugq's readily available OPSEC guidelines, which media outlets like The Intercept should link to on their website instead of publishing guidelines of their own that do not sufficiently emphasize the importance of OPSEC on both sides.

Clive Robinson • June 15, 2017 5:54 AM

@ Josh Bowman,

Overclassification has been a problem forever; as far back as 1994...

Sheesh, you sure know how to make a body feel old...

I was more than "actively" aware of the over-the-top classification problem prior to the 1980's.

At one place I worked that thankfully has since been bulldozed into the past, I had in my possession a document that was publicly available as well as through "learned journals" and contained an extensive list of polynomials you would use for making "maximum length" Linear Feedback Shift Registers[1].

For some reason when it came into a Gov organisation the library staff were ordered to classify it above "confidential". I had a photocopy from the journal --which I had access to via a University library-- in with some other unclassified documents in a filing cabinet. Unfortunately they also had an "overly officious" security officer with way too much time on his hands, and an obvious attitude and anger management issues. He decided to be nosey and go through people's file cabinets when they were not in their offices (technically he did not have the clearance to do that).

Anyway he found my photocopy and formally accused me of removing the classification on a classified document... I supplied written evidence that this was not the case, but he still insisted on a formal caution to go on my record. What surprised both my superior and me was that he refused to acknowledge my written evidence. I told him that two could play stupid acknowledgment games, and that not only did I not acknowledge his authority, I was going to report him for gaining unauthorised access to an area he had no clearance to be in. He made the mistake of "turning aggressively" towards me, raised his hand and started some aggressively verbal nonsense. Thus "fearing a physical attack" I kicked him as hard as I could between the legs, which more or less shut him up.

I then informed my superior that he would be required to provide a witness statement in civil proceedings for common assault I intended to bring against the groaning moron on the floor I had had to defend myself against.

Needless to say, being young and of a "bolshie" nature towards such moronic behaviour, I also pointed out that such proceedings would require a full written statement of facts including those which had led up to the incident, in detail, and including all documents pertaining to be entered into the court records.

Thus the situation got rapidly escalated, and more senior management types recognised they had a "Mexican Stand Off" to deal with. I decided another industry sector would be more interesting to work in, especially as a friend had been chasing me for a while to go full time with them.

With hindsight I may have been able to deal with it differently, but in all honesty management was "namby-pamby time servers" and wanted a quiet life, thus tended to behave like school yard bullies. That is, they would kow-tow to those who took a position and would not shift or be shifted with the usual veiled threats of the incompetent manager, such as those about a person's future re-employment / promotion / pension.

[1] Many also work with non-linear feedback as well, as long as you take certain precautions (some of which can be found in later journal articles). You can also use them to "shuffle" state arrays to get very non-linear outputs, and importantly they would run at reasonable speeds on the early 8-bit CPUs, something block ciphers in a counter mode really would not do, hence the later co-pros such as the Z80 compatible DES chip, which you could never get hold of ;-)

Clive Robinson • June 15, 2017 7:00 AM

@ Daniel,

I am disappointed in @Bruce's and others victim blaming. It is honestly shocking to me. The argument that "They would have gotten to her even if The Intercept had played its cards right" is an argument that is without any merit.

Dispassionately, Ms Winner decided to do something she must have known there was a prohibition against in place. Bluntly, that knowledge "goes with the job".

Further, she failed to acquaint herself with "the rules of the game" even though previous leakers have stated what many of them are.

Yes, The Intercept carries blame, as does the reporter who worked the story. They have absolutely no excuse for not knowing what the rules of the game are, and should not have "honey-coated" the process. The fact they chose to flagrantly flout them, as let's be honest have other journalists, has not done them any favours whatsoever.

A "golden rule" that anyone who has ever had knowledge of the IC agencies even at considerable distance should know is "Do Not Reveal Methods or Sources". At closer range most know the lengths that many IC agencies go to to do this. Thus Ms Winner may have made a flawed assumption, but she should not have.

But you have made a couple of assumptions as well.

Firstly, Ed Snowden made it fairly clear that the NSA / FBI will leave no stone unturned once they know classified information has been leaked from within an IC agency, and that they always take action unless there is (likely) intervention from another quarter. Ed openly publicized that 1, he left the US because of that and 2, he chose to go public to stop others whose accounts he had used etc. from getting treated in the way he was expecting to be treated.

Most people can draw a conclusion from that, which is that the NSA "logs everything" and that the FBI will interrogate anyone on the log with the intent of going for "die in jail" sentencing. With a side order of ritual abuse if the suspect is military, who by the way also have no right of silence under interrogation by a superior.

Ms Winner would have to have lived a very isolated existence not to have known the above.

Secondly, you appear to assume that Ms Winner is not a responsible adult.

Perhaps you should ask yourself if you would be as forgiving of her actions if instead she had got intoxicated, stolen a car, and behaved so recklessly and obviously that she caused others to easily see who she was. All because she read on a web page that it was safe to do?

norborto • June 15, 2017 7:02 AM

@Bruce's and others victim blaming[...] is honestly shocking to me. The argument that "They would have gotten to her even if The Intercept had played its cards right" is[...] the exact same thing as saying, "well your honor, she would have had sex with me even if I hadn't put the date rape drug in her drink."
I have never stated or even implied that it is "wrong to discuss the errors of anyone who is a "'victim'". [...] However, I don't think that such a discussion about her mistakes is informative when it comes to assigning who is to blame for this incident.

Sorry, I don't know how to reconcile these posts. What specifically is wrong with the argument you quoted or anything Bruce said?

The NSA employs smart people. When she's one of 6 people in the printer log for that document, and her work phone log shows contact with journalists, and she's willing to confess with no lawyer present... it would be shocking if they didn't catch her. (It's an anomaly they couldn't figure out what Snowden accessed; that's based on his access as sysadmin, and the nature of his work transferring huge numbers of documents, none of which apply to Winner.) If the Intercept had retyped the document and hadn't contacted the NSA before publication, the NSA would almost certainly still find the document based on the eventual story, and then check the same logs and talk to the same people.

Maybe if the Intercept did better, Winner wouldn't have confessed or would have used the extra time to leave the country, but we have no evidence of it--if she'd had travel booked, the government would have listed her as a flight risk in the legal papers. This is unlike the date rape example you give, in which the aggressor seeks absolution based on the victim's mental state which we have no way of knowing. "Blame" is a loaded term; nothing in the above implies wrongdoing (in a moral sense) on her part, but we do have a bunch of data we can review to make suggestions for journalists and future leakers.
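
An added example (constructed logs and code, not anything from this thread or the page) of the triangulation that Dirk Praet and norborto describe above: take the audit trail of who printed the document, take the communications log of who had contact with the outlet, intersect the two, and rank by whether the contact preceded the print. The usernames, the document id, the example-news.org domain and every timestamp are invented; the timestamp-plus-key=value line format is an assumption standing in for whatever a real SIEM normalises its sources into.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample logs (not real records). One event per line: an ISO-8601
# timestamp followed by key=value fields.
DOC_AUDIT_LOG = """\
2017-05-09T08:02:11Z action=print user=u01 doc=RPT-0412 pages=5
2017-05-09T08:40:57Z action=print user=u02 doc=RPT-0412 pages=5
2017-05-09T09:15:02Z action=view user=u03 doc=RPT-0412
2017-05-09T09:16:48Z action=print user=u03 doc=RPT-0412 pages=5
2017-05-09T10:05:30Z action=print user=u04 doc=RPT-0412 pages=5
2017-05-10T07:58:13Z action=print user=u05 doc=RPT-0412 pages=5
2017-05-10T11:21:40Z action=print user=u06 doc=RPT-0412 pages=5
2017-05-10T11:30:09Z action=print user=u07 doc=RPT-0390 pages=2
2017-05-12T15:02:44Z action=view user=u08 doc=RPT-0412
"""

COMMS_LOG = """\
2017-03-30T17:12:44Z channel=email user=u03 peer=tips@example-news.org
2017-05-02T12:03:19Z channel=phone user=u09 peer=+15550100
2017-05-11T13:44:02Z channel=email user=u06 peer=editor@example-news.org
2017-05-11T13:45:10Z channel=email user=u12 peer=friend@example.com
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> List[dict]:
    """Turn the key=value lines into dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(_KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def first_print_per_user(audit: List[dict], doc_id: str) -> Dict[str, datetime]:
    """Earliest *print* of doc_id per user. Views are ignored on purpose: only a
    printed copy carries the printer tracking dots discussed in this thread."""
    first: Dict[str, datetime] = {}
    for ev in audit:
        if ev.get("action") == "print" and ev.get("doc") == doc_id:
            u = ev["user"]
            if u not in first or ev["ts"] < first[u]:
                first[u] = ev["ts"]
    return first


def first_contact_per_user(comms: List[dict], peer_domain: str) -> Dict[str, datetime]:
    """Earliest contact per user with any address at peer_domain."""
    first: Dict[str, datetime] = {}
    for ev in comms:
        peer = ev.get("peer", "")
        if "@" in peer and peer.rpartition("@")[2].lower() == peer_domain.lower():
            u = ev["user"]
            if u not in first or ev["ts"] < first[u]:
                first[u] = ev["ts"]
    return first


def triangulate(audit_text: str, comms_text: str, doc_id: str,
                peer_domain: str) -> List[Tuple[str, bool]]:
    """Users present in both populations as (user, contact_preceded_print),
    strongest lead first: prior contact outranks contact only after the print."""
    printed = first_print_per_user(parse_log(audit_text), doc_id)
    contacted = first_contact_per_user(parse_log(comms_text), peer_domain)
    leads = [(u, contacted[u] < printed[u]) for u in printed.keys() & contacted.keys()]
    return sorted(leads, key=lambda lead: (not lead[1], lead[0]))


if __name__ == "__main__":
    print(sorted(first_print_per_user(parse_log(DOC_AUDIT_LOG), "RPT-0412")))  # six users
    print(triangulate(DOC_AUDIT_LOG, COMMS_LOG, "RPT-0412", "example-news.org"))
```

Six constructed users printed RPT-0412, two of them also wrote to the outlet, and only one of those did so before printing, which is the ordering an investigator chases first. The same intersection is why the waiting strategy Dirk Praet mentions works: the longer a document sits, the more people appear in its print log and the less a contact timestamp lines up with any one print.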

norborto • June 15, 2017 7:49 AM

Speaking of blame though, I'm going to blame Xerox and their programmers a bit because not enough people have. People have dispassionately discussed the technology of the tracking-dots, rarely noting they're an intentional user-hostile antifeature added in secret. The lack thereof wouldn't have slowed the NSA's investigation by an hour, but if they weren't there and Winner didn't confess her lawyer might have at least had a way to introduce some reasonable doubt (assuming the NSA wouldn't have added dots to the document itself).

For years I've refused to buy any printer known to have this watermarking. I'd love to see an OpenWRT/CHDK-like project for printers, for this reason and various others.

r • June 15, 2017 7:25 PM

She's a translator, Belize implies that she speaks Spanish among the other lingual disclosures.

Her job title also basically has proven to have printer access and take-home rights too.

:)

r • June 15, 2017 7:37 PM

@those upset for victim blaming,

Go fund her if that's what you feel is right.

@others,

Do any of you really believe the intercept's mailboy really works for the intercept?

Please lol

If i had leaked documents and sources to find one of my first steps would be to backdate their snail for snafus.

Lyon Chewing Dog • June 18, 2017 8:15 PM

@Daniel

Ok Let's assume this is true.

Where on the website of The Intercept is this stated as an act of fair notice to the whistleblower?

It is not. Here is the webpage for The Intercept leaks: https://theintercept.com/leaks Nowhere on that page is there anything resembling the language quoted above. On the contrary the website brags about its security expertise

When they released Snowden's docs as non-downloadable PDFs some of us interpreted the writing on the proverbial wall.

Osmotic News Receiver • June 18, 2017 9:29 PM

@JKN

Blaming the victim is quite common. It detracts from the real issues.

Is it too late to blame the victim's parents? Who names their child "Reality Winner"? Seriously. That kid is going to have lifelong issues no matter what, anybody can see that.

Jared hall • June 20, 2017 10:27 PM

Please send the following email to: mediainquiry@dhs.gov. I did.
____BEGIN----
I have a question for you. In the Reality Winner leak of the NSA document detailing Russian election hacks, the NSA provided the following information:

MD5 Hash: 5617e7ffa923de3a3dc9822c3b01a1fd
SHA-1 Hash: 602aa899a6fadeb6f461112f3c51439a36ccba40
SHA-256 Hash: f48c9929f2de895425bdae2d5b232a726d66b9b2827d1a9ffc75d1ea37a7cf6c

When you got this report, what actions did you take, if any, to provide the malicious file hashes to US AntiVirus companies to help mitigate further attacks?
----END----

This IS a serious matter. Over-classification kills. If President Trump wants to continue a pursuit of cloud/Internet superiority, it has to start at the top.

Since DHS was copied on this memo, I for one, would like to know what they are doing to improve cybersecurity. The US Government is probably the most hacked-at entity in existence; the ultimate "feather in the cap" for the wannabe hacker. Malware hashes that should be welcomed by the community and the American Public have no business being buried inside a classified report.

I'll post back here if I hear anything back from DHS. But this is a simple task that I'd like to see others here repeat. There is strength in numbers.

Spread this around.

Thanks,

Jared
