Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Yellow Printer Dots Reveal Identity of NSA Leaker

June 12, 2017

Ars Technica reported (thanks Dave Ries) last week on how NSA leaker Leigh Winner was identified. When reporters at The Intercept approached the National Security Agency on June 1st to confirm a document that had been anonymously leaked to the publication in May, they handed over a copy of the document to the NSA to verify its authenticity. When they did so, The Intercept inadvertently exposed its source because the copy showed fold marks that indicated it had been printed—and it included encoded watermarking that revealed exactly when it had been printed and on what printer.

The watermarks, which are visible in the article, were from a Xerox DocuColor printer. Many printers use this or similar schemes, printing faint yellow dots in a grid pattern on printed documents as a form of steganography, encoding metadata about the document into its hard-copy output. Researchers working with the Electronic Frontier Foundation reverse-engineered the grid pattern employed by this class of printer. Using the resulting decoding tool, Ars (and others, including security researcher Robert Graham) determined that the document passed to The Intercept was printed on May 9, 2017 at 6:20 a.m. from a printer with the serial number 535218 or 29535218.

The NSA quickly determined who had printed the document by checking audit logs. NSA investigators identified the leaker as Reality Leigh Winner, a 25-year-old contractor for Pluribus International Corporation, a company that provides analytical, translation, and cyberwarfare development services to the intelligence community. Winner was working at the NSA's Fort Gordon, Georgia facility. Her identification was apparently aided, according to the Justice Department's arrest warrant affidavit, by her contacting The Intercept from her work e-mail.

When confronted by the FBI, Winner confessed to being the source of the leak.

If you didn't know that printers were capable of this kind of "testimony", you are now aware. I had heard of this long ago and actually forgotten how damning this evidence could be.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson