Donate for the Cryptome archive of files from June 1996 to the present

28 June 2013

Two NSA IG Reports ST-09-0002 Reports Differ

Guardian and Washington Post versions of the NSA IG Reports ST-09-0002 differ in content, format and page numbers. The Guardian file is locked, WaPo file not. Both contain a single redaction in slightly different form. It is not clear how the PDFs were generated and from what original file. There appears be nothing in their properties' metadata to indicate the source.

The two NSA PRISM files published by the two newspapers also differed.

It is common source-cloaking to reformat files, and differing files and distribution aids source-cloaking. For example, WikiLeaks has stated that it reformats the bulk of the files it receives for this purpose. The risk of reformatting is to undermine confidence in the authenticity of documents to protect the source. This tampering shifts the burden of authenticity to the reputation of the media outlet.

Tradecraft of spies includes duplicitious tampering to reduce confidence in sources and media outlets. In digital documents various security techniques are use to authenticate, such as encryption and hashes, however these techniques are themselves tamperable in particular by over-valorizing their security and concealing vulnerabilities. In an instance revealed in the Stratfor files hack, both WikiLeaks and Glenn Greenwald were named as potential targets for planting erroneous information to be later revealed that they had been duped in order to diminish their reputation.

If not traceable to origin by file and reformatting characteristics, comsec experts claim that digital documents can be traced by network forensics of pathways and IP addresses to the origin, then by other forensics triangulated to the computer and its likely operator. Forensic techniques for this tracing and identification of Bradley Manning were released during his trial by the US Army on June 27, 2013:

First pages of two reports and general properties. Similar differences of content and format throughout the reports.


File properties, Guardian at left, WaPo at right. Note times created and modified (the latter time when Cryptome downloaded). Note huge difference in file size: Guardian 25MB, WaPo 538KB, perhaps caused by Guardian locking. Location given is Cryptome's. Cryptome viewed the files with Acrobat X Pro.