Wednesday 7 June 2017

How To Burn A Source

Do Not Trust The Intercept or How To Burn A Source

Yesterday The Intercept published a leaked five page NSA analysis about alleged Russian interference in the 2016 U.S. elections. Its reporting outed the leaker of the NSA documents. That person, R.L. Winner, has now been arrested and is likely to be jailed for years if not for the rest of her life.

Intercepted source - R.L. Winner
FBI search (pdf) and arrest warrant (pdf) applications unveil irresponsible behavior by the Intercept's reporters and editors, who neglected all operational security trade-craft that might have prevented the revealing of the source. It leaves one scratching one's head whether this was intentional or just sheer incompetence. Either way, the incident confirms what skeptics had long determined: The Intercept is not a trustworthy outlet for leaking state secrets of public interest.
The Intercept was created to privatize the National Security Agency documents leaked by NSA contractor Edward Snowden. The documents proved that the NSA is hacking and copying nearly all electronic communication on this planet, that it was breaking laws that prohibited spying on U.S. citizens and that it sabotages various kinds of commercial electronic equipment on a large scale. Snowden gave copies of the NSA documents to a small number of journalists. One of them was Glenn Greenwald, who now works at The Intercept. Only some 5% of the pages Snowden allegedly acquired and gave to reporters have been published. We have no idea what the unpublished pages would provide.
The Intercept, a subdivision of First Look Media, was founded by Pierre Omidyar, a major owner of the auctioning site eBay and its PayPal banking division. Omidyar is a billionaire and "philanthropist" whose (tax-avoiding) Omidyar Network foundation is "investing" for "returns". Its microcredit project for farmers in India, in cooperation with people from the fascist RSS party, ended in an epidemic of suicides when the farmers were unable to pay back. The Omidyar Network also funded (fascist) regime change groups in Ukraine in cooperation with USAID. Omidyar had cozy relations with the Obama White House. Some of the held-back NSA documents likely implicate Omidyar's PayPal.
The Intercept was funded with some $50 million from Omidyar. Its first hires were Greenwald, Jeremy Scahill and Laura Poitras, all involved in publishing the Snowden papers and other leaks. Its first piece was based on documents from the leaked NSA stack. It has since published on this or that, but not in a regular media way. The Intercept pieces are usually heavily editorialized and tend to have a mainstream "liberal" to libertarian slant. Some were highly partisan anti-Syrian/pro-regime change propaganda. The website seems to have no regular publishing schedule at all. Between one and five pieces per day get pushed out; only a few of them make public waves. Some of its later prominent hires (Ken Silverstein, Matt Taibbi) soon left and alleged that the place was run in a chaotic atmosphere and with improper and highly politicized editing. Despite its rich backing and allegedly high pay for its main journalists (Greenwald is said to receive between 250k and 1 million per year), the Intercept is begging for reader donations.
Yesterday's published story (with bylines of four(!) reporters) begins:
Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.
The NSA "intelligence report" the Intercept publishes alongside the piece does NOT show that "Russian military intelligence executed a cyberattack". The document speaks of "cyber espionage operations", i.e. someone looked and maybe copied data but did not manipulate anything. Espionage via computer networks is something every nation in this world (and various private entities) does all the time. It is simply the collection of information. It is different from a "cyberattack" like Stuxnet, which is intended to create large damage.
The "attack" by someone was standard spear-phishing and some Visual Basic scripts to gain access to accounts of local election officials. There is no proof that any account was compromised. Any minor criminal hacker uses similar means. No damage is mentioned in the NSA analysis. The elections were not compromised by this operation. The document notes explicitly (p.5) that the operation used some techniques that distinguish it from other known Russian military intelligence operations. It was probably (if at all) done by someone else.
The reporters note that the document does not provide any raw intelligence. It is an analysis based on totally unknown material. It does not include any evidence for the claims it makes. The Intercept piece describes how the document was received and "verified":
The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, ...
...
The NSA and the Office of the Director of National Intelligence were both contacted for this article. Officials requested that we not publish or report on the top secret document and declined to comment on it. When informed that we intended to go ahead with this story, the NSA requested a number of redactions. The Intercept agreed to some of the redaction requests.
The piece quotes at length the well known cyber security expert Bruce Schneier. It neglects to reveal that Schneier is a major partisan for Clinton who very early on, in July 2016, jumped on her "Russia hacked the Democratic National Council" claim for which there is still no evidence whatsoever.
The Intercept story was published on June 5. On June 3 the FBI already received a search warrant (pdf) by the U.S. District court of southern Georgia for the home, car and computers of one Reality Leigh Winner, a 25 year old former military language specialist (Pashto, Dari, Farsi) who worked for a government contractor. In its application for the warrant the FBI asserted:
19. On or about May 24, 2017, a reporter for the News Outlet (the "Reporter") contacted another U.S. Government Agency affiliate with whom he has a prior relationship. This individual works for a contractor for the U.S. Government (the "Contractor"). The Reporter contacted the Contractor via text message and asked him to review certain documents. The Reporter told the Contractor that the Reporter had received the documents through the mail, and they were postmarked "Augusta, Georgia." WINNER resides in Augusta, Georgia. The Reporter believed that the documents were sent to him from someone working at the location where WINNER works. The Reporter took pictures of the documents and sent them to the Contractor. The Reporter asked the Contractor to determine the veracity of the documents. The Contractor informed the Reporter that he thought that the documents were fake. Nonetheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the Reporter. Also on June 1, 2017, the Reporter texted the Contractor and said that a U.S. Government Agency official had verified that the document was real. ...
To verify the leaked document the reporter contacted a person working for the government. He used an insecure communication channel (SMS) that is known to be tapped. He provided additional meta-information about the leaker (the postmark, the presumed workplace) that was not necessary at all for the person asked to verify the documents.
It got worse:
13. On June 1, 2017, the FBI was notified by the U.S. Government Agency that the U.S. Government Agency had been contacted by the News Outlet on May 30, 2017, regarding an upcoming story. The News Outlet informed the U.S. Government Agency that it was in possession of what it believed to be a classified document authored by the U.S. Government Agency. The News Outlet provided the U.S. Government Agency with a copy of this document. Subsequent analysis by the U.S. Government Agency confirmed that the document in the News Outlet's possession is intelligence reporting dated on or about May 5, 2017 (the "intelligence reporting"). This intelligence reporting is classified at the Top Secret level, ...
...
14. The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.
15. The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. These six individuals included WINNER. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet.
The source that provided the document had no operational security at all. She printed the document on a government printer. Nearly all (color) laser printers and photocopiers print a nearly invisible pattern of (yellow) dots on each page that allows the printer used to be identified by its serial number. The source used email from her workplace to communicate. Ms. Winner is young, inexperienced and probably not very bright. (She is also said to be a Clinton partisan.) She may not have known better.
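The audit described in paragraph 15 of the affidavit is an ordinary insider-threat correlation: take the print-audit log for the document, take the mail-gateway log, and intersect the two. The following is an added example (not the agency's tooling and not from the original post) that does exactly that over constructed log lines; the log formats, user names, document id `RPT-0505` and the outlet domain `news-outlet.example` are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs (assumed formats; not real agency logs).
# Six users print the document of interest; user07 prints something else.
PRINT_LOG = """\
2017-05-09T09:12:00Z user=user01 doc=RPT-0505 printer=prn-2f pages=5
2017-05-09T10:41:00Z user=user02 doc=RPT-0505 printer=prn-2f pages=5
2017-05-09T10:45:00Z user=user02 doc=RPT-0412 printer=prn-2f pages=12
2017-05-10T08:03:00Z user=user03 doc=RPT-0505 printer=prn-3a pages=5
2017-05-10T15:20:00Z user=user04 doc=RPT-0505 printer=prn-3a pages=5
2017-05-11T11:58:00Z user=user05 doc=RPT-0505 printer=prn-2f pages=5
2017-05-12T16:30:00Z user=user06 doc=RPT-0505 printer=prn-1c pages=5
2017-05-12T16:32:00Z user=user07 doc=RPT-0611 printer=prn-1c pages=3
"""

# Constructed mail-gateway log: user06 wrote to the outlet long before the
# document existed, user05 shortly after printing it, user09 never printed it.
MAIL_LOG = """\
2017-03-02T12:00:00Z from=user06@agency.example to=editor@news-outlet.example action=sent
2017-05-08T09:00:00Z from=user02@agency.example to=colleague@agency.example action=sent
2017-05-13T18:40:00Z from=user05@agency.example to=tips@news-outlet.example action=sent
2017-05-14T07:15:00Z from=user09@agency.example to=tips@news-outlet.example action=sent
"""

PRINT_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) doc=(?P<doc>\S+) printer=(?P<printer>\S+)')
MAIL_RE = re.compile(r'^(?P<ts>\S+) from=(?P<user>[^@\s]+)@\S+ to=[^@\s]+@(?P<domain>\S+)')


def who_printed(print_log, doc_id):
    """Map user -> [(timestamp, printer)] for every print job of doc_id."""
    printed = defaultdict(list)
    for line in print_log.splitlines():
        m = PRINT_RE.match(line)
        if m and m.group('doc') == doc_id:
            printed[m.group('user')].append((m.group('ts'), m.group('printer')))
    return dict(printed)


def who_mailed(mail_log, domains, after=None):
    """Map user -> [timestamps] of mail sent to any of the watched domains.

    `after` is an ISO-8601 UTC timestamp; ISO strings sort lexicographically,
    so a plain string comparison is enough to drop older contacts.
    """
    contacts = defaultdict(list)
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m or m.group('domain') not in domains:
            continue
        if after is not None and m.group('ts') < after:
            continue
        contacts[m.group('user')].append(m.group('ts'))
    return dict(contacts)


def correlate(print_log, mail_log, doc_id, domains, after=None):
    """Candidates = users who printed the document AND mailed a watched domain.

    This yields a candidate list for investigators, not proof: printing plus
    contact is circumstantial, which is why the affidavit also needed the
    folded pages and the printer evidence.
    """
    printers = who_printed(print_log, doc_id)
    mailers = who_mailed(mail_log, domains, after=after)
    return {u: {'printed': printers[u], 'mailed': mailers[u]}
            for u in sorted(printers) if u in mailers}


if __name__ == '__main__':
    outlet = {'news-outlet.example'}
    print('printed:', sorted(who_printed(PRINT_LOG, 'RPT-0505')))
    print('any contact:', correlate(PRINT_LOG, MAIL_LOG, 'RPT-0505', outlet))
    # Restricting to contact after the document's publication date narrows
    # the list further (constructed date, matching the affidavit's "May 5").
    print('contact after publication:',
          correlate(PRINT_LOG, MAIL_LOG, 'RPT-0505', outlet, after='2017-05-05T00:00:00Z'))
```

The point for anyone handling a workplace system is that both halves of this join are routinely retained: print spoolers log user, document and device, and mail gateways log sender and recipient domain. Six people printing a document narrows nothing by itself; one of them also having mailed the outlet is what turns a list into a lead.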
But a reporter at The Intercept should know a thing or two about operational security. Sending (and publishing) the leaked documents as finely scanned PDFs (which include the printer code) to the NSA to let the NSA verify them was incredibly stupid. Typically one only summarizes these or at least converts them into a neutral, non-traceable form. Instead the reporters provided, at several points and without any need, the evidence that led to the unmasking of their source. Wikileaks is offering $10,000 for the exposure and firing of the person responsible for this.
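The yellow tracking dots mentioned above are faint, but they are not hard to find once you know to look: they sit in a regular grid, are near-white in the red and green channels and noticeably darker in the blue channel. The check below is an added example (not from the original post, not a decoder for any manufacturer's encoding) that flags whether a scanned page still carries such a periodic yellow grid before anyone forwards it. The "scan" is a constructed in-memory RGB image, the thresholds and grid pitch are assumptions chosen for the example, and a real scan would be loaded from a file at a resolution where the dots are several pixels apart.

```python
from collections import Counter

WIDTH, HEIGHT = 120, 80  # constructed miniature "scan", RGB tuples per pixel


def blank_page(width=WIDTH, height=HEIGHT):
    return [[(255, 255, 255) for _ in range(width)] for _ in range(height)]


def stamp_text(page, y0, x0, length):
    """Crude black stroke standing in for printed text."""
    for x in range(x0, x0 + length):
        page[y0][x] = (0, 0, 0)


def stamp_highlight(page, y0, x0, width, height, colour=(255, 255, 160)):
    """Solid yellow block, like a highlighter: yellow, but not a dot grid."""
    for y in range(y0, y0 + height):
        for x in range(x0, x0 + width):
            page[y][x] = colour


def stamp_tracking_dots(page, pitch=8, colour=(255, 255, 190)):
    """Constructed stand-in for a printer's faint yellow grid (every cell filled;
    real encodings leave cells empty to carry bits, which the pitch estimate
    below tolerates as long as most gaps are still one pitch wide)."""
    for y in range(4, len(page), pitch):
        for x in range(4, len(page[0]), pitch):
            page[y][x] = colour


def yellowish_pixels(page, min_rg=200, min_drop=40):
    """Pixels that are bright in red and green but clearly lower in blue."""
    coords = []
    for y, row in enumerate(page):
        for x, (r, g, b) in enumerate(row):
            if r >= min_rg and g >= min_rg and b <= min(r, g) - min_drop:
                coords.append((x, y))
    return coords


def dominant_pitch(values, min_share=0.6):
    """Return the spacing if the distinct coordinates repeat at one interval."""
    uniq = sorted(set(values))
    if len(uniq) < 3:
        return None
    gaps = [b - a for a, b in zip(uniq, uniq[1:])]
    gap, count = Counter(gaps).most_common(1)[0]
    # gap == 1 means a solid area (highlighter, coloured paper), not a grid
    if gap > 1 and count >= min_share * len(gaps):
        return gap
    return None


def has_tracking_grid(page, min_dots=20):
    """True when the page carries enough yellow pixels laid out on a 2-D grid."""
    pts = yellowish_pixels(page)
    if len(pts) < min_dots:
        return False
    px = dominant_pitch([x for x, _ in pts])
    py = dominant_pitch([y for _, y in pts])
    return px is not None and py is not None


if __name__ == '__main__':
    page = blank_page()
    stamp_text(page, 20, 10, 50)
    stamp_tracking_dots(page)
    print('tracking grid present:', has_tracking_grid(page))  # True
    clean = blank_page()
    stamp_text(clean, 20, 10, 50)
    print('tracking grid present:', has_tracking_grid(clean))  # False
```

The detector deliberately distinguishes a grid from a solid yellow area, since a highlighter mark or tinted paper would otherwise trip a naive "any yellow" check. A grid that survives is the signal to stop and re-render the content (retyped summary, re-set text) rather than pass the scan along.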
It is also highly questionable why the Intercept contacted the NSA seven days(!) before publishing its piece. Giving the government such a long reaction time may lead to preemptive selective leaks by the government to other news outlets to defuse the not-yet-published damaging one. It may give the government time to delete evidence or to unveil leakers. The Intercept certainly knows this. It had been burned by such behavior when the National Counterterrorism Center spoiled an Intercept scoop by giving a polished version to the Associated Press. Back then the Intercept editor John Cook promised to give government agencies no longer than 30 minutes for future replies. In this case it gave the NSA seven days!
Besides the failure(?) of The Intercept there are other concerns to note.
  • Why does a 25-year-old language specialist for Afghanistan have access to a Top Secret NSA analysis of espionage in the U.S. election? Where was the "need to know"?
  • Could this espionage (if it happened) have been part of a different plan by whomever? Consider:
@mattblaze
Simple way to hack elections: Compromise some county offices & systems. Do nothing. If election doesn’t go your way, reveal that you hacked.
10:52 PM - 5 Jun 2017
More questions are asked in this thread.
The lessons learned from this catastrophic (for the source) leak:
  • Start thinking of good op-sec before you think of leaking.
  • Computer access gets logged. Do not leave any suspicious (log) trace at your workplace (or anywhere else).
  • Do not provide any trace from your immediate workplace or any personal metadata with the leaked material.
And last but certainly not least:
  • Do not trust The Intercept.

Posted by b on June 6, 2017 at 06:09 AM



No comments: