28 June 2013
Two NSA IG Reports ST-09-0002 Reports Differ
Guardian and Washington Post versions of the NSA IG Reports ST-09-0002 differ
in content, format and page numbers. The Guardian file is locked, WaPo file
not. Both contain a single redaction in slightly different form. It is not
clear how the PDFs were generated and from what original file. There appears
be nothing in their properties' metadata to indicate the source.
The two NSA PRISM files published by the two newspapers also differed.
It is common source-cloaking to reformat files, and differing files and
distribution aids source-cloaking. For example, WikiLeaks has stated that
it reformats the bulk of the files it receives for this purpose. The risk
of reformatting is to undermine confidence in the authenticity of documents
to protect the source. This tampering shifts the burden of authenticity to
the reputation of the media outlet.
Tradecraft of spies includes duplicitious tampering to reduce confidence
in sources and media outlets. In digital documents various security techniques
are use to authenticate, such as encryption and hashes, however these techniques
are themselves tamperable in particular by over-valorizing their security
and concealing vulnerabilities. In an instance revealed in the Stratfor files
hack, both WikiLeaks and Glenn Greenwald were named as potential targets
for planting erroneous information to be later revealed that they had been
duped in order to diminish their reputation.
If not traceable to origin by file and reformatting characteristics, comsec
experts claim that digital documents can be traced by network forensics of
pathways and IP addresses to the origin, then by other forensics triangulated
to the computer and its likely operator. Forensic techniques for this tracing
and identification of Bradley Manning were released during his trial by the
US Army on June 27, 2013:
First pages of two reports and general properties. Similar differences of
content and format throughout the reports.