Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Privacy Government Microsoft Security Software Technology

WikiLeaks Reveals the 'Snowden Stopper': CIA Tool To Track Whistleblowers ( 89

schwit1 quotes a report from Zero Hedge: As the latest installment of it's "Vault 7" series, WikiLeaks has just dropped a user manual describing a CIA project known as "Scribbles" (a.k.a. the "Snowden Stopper"), a piece of software purportedly designed to allow the embedding of "web beacon" tags into documents "likely to be stolen." The web beacon tags are apparently able to collect information about an end user of a document and relay that information back to the beacon's creator without being detected. Per WikiLeaks' press release. But, the "Scribbles" user guide notes there is just one small problem with the program: it only works with Microsoft Office products. So, if end users use other programs such as OpenOffice of LibreOffice then the CIA's watermarks become visible to the end user and their cover is blown.
This discussion has been archived. No new comments can be posted.

WikiLeaks Reveals the 'Snowden Stopper': CIA Tool To Track Whistleblowers

Comments Filter:
  • by Alain Williams ( 2972 ) <> on Friday April 28, 2017 @06:46PM (#54322503) Homepage

    LibreOffice is just a Russian tool to help their spies in the USA. Presidential order to ban its use.

  • Air gap? (Score:3, Insightful)

    by Anonymous Coward on Friday April 28, 2017 @06:50PM (#54322521)

    Or just use a machine not connected to any network when you open the files! Anyone who is opening stolen classified docs is going to use an air gapped machine

    • Re:Air gap? (Score:5, Funny)

      by DontBeAMoran ( 4843879 ) on Friday April 28, 2017 @07:43PM (#54322759)

      Or you could simply use a MacBook Air. It's got Air in its name so you know it's secure.

    • by AHuxley ( 892839 )
      A member of the press builds a large Faraday cage vault and walks in with the file on the media given to them.
      Some Faraday textile structure if they are in a hotel? A secure tent is always packed to protect a special computer.
      Using the power of Linux and quality open source software they soon see the links in the MS document to staging servers.
      They copy the document in full onto paper and then send a scan of their own new paper version to a document expert asking for a report.
      The expert asks for the or
  • bacon bait plus Skittles not scribbles. c'mon man.
  • Yeah, sure (Score:5, Interesting)

    by zm ( 257549 ) on Friday April 28, 2017 @07:06PM (#54322605) Homepage

    it only works with Microsoft Office products

    That's what they want you to think.

    • Don't worry, the LibreOffice team is diligently working on a fix for this missing feature.

    • That's why I edit all files with a hex editor on a system running CP/M.

      • That's why I edit all files with a butterfly... ah, fuck it.

      • by rtb61 ( 674572 )

        That reminds me of the old joke about the US spending millions developing a pen that could be used in space, whilst Russia just used an pencil. Sure you can use a hex editor and CP/M or you can just do what Russia does, use typewriters and a filing cabinets.

        The new smart method though is simply to not exchange plots and schemes, simply work with sufficiently intelligent who can formulate their own plans based upon the completely legal open exchange of thoughts and ideas. If it seems to be working in some a

    • by AmiMoJo ( 196126 )

      It's irrelevant anyway because Snowden only accessed the documents on computers not connected to the internet, and told the journalists to do the same. His own computers all run Linux.

      • ...Snowden only accessed the documents on computers not connected...

        Yes, because nobody was to know that Snowden was the leaker... oh, wait.

  • Do the editors think CIA doesn't read slashdot or something? Or that it never heard of Linux or LibreOffice. Why would the beacons be limited to MS-products reading MS Office documents? They are not morons, you know.
    • Re:ha? (Score:5, Informative)

      by vtcodger ( 957785 ) on Friday April 28, 2017 @07:59PM (#54322801)

      "Why would the beacons be limited to MS-products reading MS Office documents?"

      I'd assume the beacons use some sort of macro that's unique to MS products or that works differently in their free software equivalents -- like maybe asking permission before phoning home.

      That's the trouble with being a spook. All those persnickety details one has to worry about.

  • MS's role? (Score:5, Interesting)

    by vistic ( 556838 ) on Friday April 28, 2017 @07:13PM (#54322637)

    Is this suggesting cooperation from MS?

    Is it MS' software that was reading these tags and relaying them to some other process that phones it home to the CIA? Or does MS' software do that directly?

    • by Anonymous Coward

      It might be some kind of VB script embedded in the document.

      • by Anonymous Coward

        Viruses in my macros? It's more likely than you might think.

      • The virus writers went elsewhere and people forgot. The CIA didn't forget.

        But the 'feature' is useless if it's so easy to detect. Bet they never let it into the wide of their own secure networks, for fear of their politicians getting 'caught' and embarrassed.

        • by _KiTA_ ( 241027 )

          The virus writers went elsewhere and people forgot. The CIA didn't forget.

          But the 'feature' is useless if it's so easy to detect. Bet they never let it into the wide of their own secure networks, for fear of their politicians getting 'caught' and embarrassed.

          Embarrassed? They don't embarrass politicians they catch. They secure funding from politicians they catch.

      • by _KiTA_ ( 241027 )

        No? All it has to be is an external image URL.

        hxxp://CIAFRONTWEBSITE .GOV/username=X&IP=Y&OSversion=Z&....

        Obfuscate that enough and put it someplace that Microsoft Office auto-loads and bammo. Instant tracking, no software needed. This is Spam Email 101 tactics here.

        Hell, it's the same trick they used (via a broken flash plugin) in Operation Pacifier to figure out who was connecting to the FBI's child porn server on TOR. You know, the operation that caused them to repeal the 4th Amendment fo []

        • If they did that on me, they would get the IP of the exit server that my TOR virtual machine comes out of.
    • Re:MS's role? (Score:5, Interesting)

      by AHuxley ( 892839 ) on Friday April 28, 2017 @08:08PM (#54322819) Journal
      The understanding that some member of the press will take the document back to work or networked home desktop computer and double click on the icon.
      As they read the document the network makes a connection.
      Its about the idea of the average reader in an average network location given the origin of the documents and their daily habits and the expectation of software they are provided with.

      If a document is ever found the in the wild, it looks like malware with a good cover story to read while the code reports the user.
      Add in OS X, Windows and Linux OS detection, complex ip reporting that works and a lot of different security researchers get interested and that adds interest to the document.
      A "CIA" document with MS malware, thats just malware with better than average bait to get the user to open it.
      A CIA document with unique phone home code that spans different OS's in very interesting ways would add to the CIA part.
      Sometimes simple is better given the tools the reader is expected to use daily. The reader could be expected to us MS software to see all the document and uncover other details in the document.
      A member of the press will want to look for any details in the document. Dates, notes, draft, corrections, history. Names, locations, officials that can be tracked to their job descriptions. If such simple facts hold, it can be passed on to document experts for further consideration.
      A member of the press does not know who else has the document and could be expected to want to read and understand and then get published.
      A security consultant looking over the document first could see rivals publishing first or finding details in the hours the security consultant was working.
      A person who understood security issues could take the document to a special computer and fake network and see how the document responds in a MS Windows and MS application setting.
      Does it phone home, what and how much data does it risk when it phones home.
      Same document, very different first approaches. The understanding of set time to publish and the need to publish will push back decades of expected document security advice.
      The US press does not care if they are tracked to their office as they have freedom to publish and freedom after publication. Read first, have the document looked over, get the story out.

      A CIA version of FIRSTFRUIT. "The Most Intriguing Spy Stories From 166 Internal NSA Reports" (2016-05-16) []
      "scanned 350 press items daily for “cryptologic insecurities” and maintained a database called FIRSTFRUIT with “over 5,000 insecurity-related records” ranging from “espionage damage assessments” to “liaison exchanges.”"
    • Re:MS's role? (Score:5, Informative)

      by Gravis Zero ( 934156 ) on Friday April 28, 2017 @08:44PM (#54322939)

      Is it MS' software that was reading these tags and relaying them to some other process that phones it home to the CIA? Or does MS' software do that directly?

      It's much less nefarious than that but it's criminally stupid on Microsoft's part.

      The article seems to indicate that word documents have the ability to grab online resources that are referenced within documents. I suspect the tool merely embeds a reference to a transparent image that must be grabbed from a CIA controlled server. Effectively, word documents are more like html documents that can embed resources or load them from an URI.

      • by Anonymous Coward

        So, a HOSTS file can stop this, shit don't bring that up.

      • by AHuxley ( 892839 )
        Also a nice way out without a software or hardware outgoing firewall to note a strange and unexpected new connection by something new to the OS.
        An existing user trusted application might have been given more freedom to connect to the internet.
  • It's a little too late to stop Snowden

  • So what's the copyright on this tool? Can I embed it in the reports I write to spot if my competitors steal them? (they're not using LibreOffice or anything, if they were smart enough for basic security, they wouldn't have to steal my stuff...)

    We'll see adaptations of this everywhere in the near future. I know a dozen consulting companies immediately who are afraid that their stuff is stolen by competitors.

  • Create a Canary Token and place it on your server: []

  • by GuB-42 ( 2483988 ) on Saturday April 29, 2017 @09:48AM (#54324827)

    Is there something in the leaked documents that mention Snowden or whistleblowers?
    This is a watermark system system mostly intended to unmask foreign spies. It wouldn't have stopped Snowden since he used airgaps and released everything at once after leaving and was quickly caught after that.
    It looks similar to the kind of tool content owners use to track pirates.
    Not all secret documents are stolen by whistleblowers and journalists, far, far from it.

    • by Striek ( 1811980 )

      1) Snowden didn't "release" anything. He turned it over to Glenn Greenwald, trusting his decision on what to release.
      2) Snowden was never caught.

  • ... say we need a anti-anti-Whistleblowers tool but then I see we already have it. Gotta love open source.

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten