- > The couple also allegedly photographed hundreds of computer screens containing confidential information from Google and Company 2, in what appeared to be an attempt at circumventing digital monitoring tools.
I guess all the MDM and document restrictions in the world can't help you against photos of screens. Is it even possible to protect against this, short of only allowing access to confidential files in secure no-cell-phone zones?
- There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
0: https://www.echomark.com/post/goodbye-to-analog-how-to-use-a...
- > There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
Those kinds of watermarks seem like they'd fail to a sophisticated actor. For instance, if that echomark-type of watermark becomes widespread. I supposed groups like the New York Times would update their procedures to not publish leaked documents verbatim or develop technology to scramble the watermark (e.g. reposition things subtly (again) and fix kerning issues).
With generative AI, the value of a photograph or document as proof is probably going to go down, so it probably won't be that big of an issue.
- > I supposed groups like the New York Times would update their procedures to not publish leaked documents verbatim or develop technology to scramble the watermark
Like knuckleheads, The Intercept provided the Pentagon a copy of a scanned document they received from a whistleblower, which directly led to Reality Winner's identity being discovered.
- You could do really sneaky things like alter the space between words or other formatting tricks.
- Print it out, scan it back in, and OCR that.
Then have an AI or intern paraphrase it.
- I think that's exactly what will happen.
When a competent journalist gets a leaked document, they'll learn to only summarize it, but won't quote it verbatim or duplicate it. That'll circumvent and kind of passive leak-detection system that could reveal their source.
Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
- > Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
This is called a canary trap [0], a well-trodden technique in the real world and fiction alike.
- Then you fix that loophole by subtlety altering the phrasing or formatting that you send everyone
- That's why I said you paraphrase, rather than using the exact phrasing and formatting of the original doc.
- Include slightly different details in each version. Then if the paraphrase mentions one of them, you've identified the source.
- Yes, I'm aware of that approach.
It's likely tougher than it seems; the big important bits that the news will care about have to match up when checked, and anyone with high-level access to this stuff likely has a significantly sized staff who also has access to it. Paraphrasing reduces the chance of some minute detail tweak being included in the reporting at all.
You also have to actively expect and plan to do it in advance, which takes a lot of labor, time, and chances of people comparing notes and saying "what the fuck, we're being tested". You can't canary trap after the leak.
- Keep in mind that many secure no-cell-phone zones, even those that host classified data are still relatively physically open. The personnel allowed inside them are strictly vetted and trained to be self-policing, but it's only the threat of discovery and harsh punishment stopping someone with the right badge/code from physically bringing in a phone. There generally aren't TSA-style checkpoints or patdowns. Happens accidentally all the time, especially in the winter with jackets.
- This is misunderstanding the purpose of the restriction.
The main reason not to bring a phone into the room is that the phone could be compromised. If the person is compromised then a device isn't your problem, because they could view the documents and copy them on paper or just remember the contents to write down later.
- In a corporate environment no-camera/no-phone policies are sometimes also used for DLP reasons, out of expediency. Oftentimes it is more profitable to hire less trustworthy people (read: cheap labor) and simply make it inconvenient to steal data. This usually works good enough when you're trying to protect widget designs and not human lives.
- Can't you have one or more x-ray tunnels or other scanners? They don't even need to be actively monitored, just treated like CCTV.
- Receving a full body x-ray every day just for a week would exceed the yearly federal occupational dose for radiation workers. You would add an additional 26% lifetime chance of getting cancer doing this for a year.
The yearly limit for rad workers is 5000 mrem with most receiving none. Receiving any dose is usually a cause for concern at most facilities that handle radioactive materials. A full body x-ray would dose you with about 1000 mrem. For about every 10000 mrem you receive, you gain an additional 1% chance of lifetime cancer risk. There's a reason why you wear a lead apron when getting X-rays at the doctor's office and why the technician leaves the room.
Metal detectors would be a much more reasonable method. People that work at airports, courts, jails, some schools, and even some manufacturing facilities walk through metal detectors daily.
- Great points. Do metal detectors provide imaging capabilities? Would want to confidently move beyond belt buckle false positives...
- No you can’t. It’s formally called “the analog hole” when security folks yap about it. Usually it’s used to end DLP discussions after too many what-ifs
- Unless your employer is Google and all those photos are uploaded to its servers
- Does Google force all their employees to use and Android phone provided by them?
You could use an Apple or an alternative to Android like Fairphone or even load GrapheneOS on that Google Pixel phone. Even better would be a Linux phone that uses an Android VM so it looks like a bare metal installation.
Could go old school and just get a digital only camera that is not even part of a smartphone. An hidden camera in a pen or shirt button would work too.
Has anyone hacked the Meta glasses so they don't communicate with Meta and allow for communication to your own designated servers?
- What if you use a film camera?
- Especially when you consider that a phone can record hd video, so you can make a player that scrolls through pages and pages of pdfs very fast for example, you record the screen in hd video on a phone and then write a decoder that takes video back to a pdf of the images. Literally the only thing you lose is the ability to cut and paste the text of the pdf and you can even get that back if you trouble yourself to put the images through ocr.
Similarly you could hypothetically exfil binary data by visually encoding it (think like a qr code) and video recording it in the same way.
- Even better, there are a bunch of these:
https://github.com/CiscoCXSecurity/QRCode-Video-Data-Exfiltr...
- Just remember that it's significantly more time consuming to photograph a screen than steal large group of files. Thus, even though it's not preventable, it adds enough friction to be effective.
- As sibling comment mentions, with OCR and video tooling these days I'd imagine you could whip up something pretty easily that can comb through several minutes of video footage and convert it to text/PDF/etc.
A leaker with a smartphone on a tripod capturing video while they scroll through files etc. could probably deal significant damage without much effort.
- Yeah, this is why any high security information facility has physical security controls. Give someone infinite time and physical access and they could copy it off with clay tablets and chisels.
- > Is it even possible to protect against this, short of only allowing access to confidential files in secure no-cell-phone zones?
Isn't that how congressmen and senators view them in the US? At least, that's how I've understood it to be. If so, what's good for the goose...
- "Google said it had detected the alleged theft through routine security monitoring", so it seems it is possible.
- Note the "also" in the first sentence. I'm understanding the timeline as them trying normal exfiltration, getting caught by DLP, then moving on to the cell phone method. But the first catch was enough to trigger an investigation.
- [flagged]
- So, non-immigrants can't take pics of screens? I think you answered the wrong question (on purpose).
- [flagged]
- > the loyalty an American will have for this or that foreign adversary will trend to 0
Yeah. National loyalty is not the only motivating force why someone would leak something. The common reasons why someone becomes an insider treat is MICE: Money, Ideology, Compromise, and Ego. It is not specific to immigrants.
- It doesn't have to be loyalty even, it could just be authoritarian leverage.
- I would argue the word loyalty can encompass external pressures like that or internal affinity, ethnic tribalism and everything in between but yes, agreed.
- “Company 2” has to be Qualcomm. Or am I misreading this? The only reason I think I’m misreading is because it’s so obviously Qualcomm that it seems silly for the article to call it “company 2”.
- > Company 2, which develops system-on-chip (SoC) platforms such as the Snapdragon series
Only a lawyer could write this with a straight face
- > On the night before the pair traveled to Iran in December 2023, Samaneh allegedly took about 24 photos of Khosravi’s work computer screen containing Company 2′s trade secrets, including *its* Snapdragon SoCs.
Keep reading.
- That’s the point where I realized how thin the curtain is. Earlier the article talked about “Qualcomm’s Snapdragon” as an example of an SoC, but that could have been just to give the reader an idea of what an SoC is. But this line made it clear it wasn’t just an example.
- Yup. It’s like saying Company X which develops the iPhone smartphone.
It’s either extreme incompetence or cheeky disclosure while also technically not naming the company.
- Good morning, class. A certain… agitator—for privacy's sake, let's call her Lisa S. No, that's too obvious. Uh, let's say L. Simpson—has raised questions about certain school policies…
- > so obviously Qualcomm that it seems silly for the article to call it “company 2”
Redactions / aliases are sometimes quite transparent. When policy dictates that it must happen they do it even when it is not hard to puzzle out who the redaction / alias hides.
There is the famous interview where the NTSB was interviewing an expert in relation to the Oceangate tragedy. The expert's name was redacted, but he was described as "Co-Designer / Pilot of the Deepsea Challenger" which is already quite a specific thing. Not a lot of people can claim that. And then the interview started like this:
Q: So how did you get yourself started into submersible operations? <redacted>: Well, I'm sure you are familiar with my film Titanic.
I'm leaving the solution as an exercise for the reader. But it is a real world "Lisa S. No, that's too obvious. Uh, let's say L. Simpson." situation.
- "Soroor was in the U.S. on a nonimmigrant student visa."
At age 32? That's a bit old for a student, though possible I guess. But also working at Google? Student visas severely restrict employment options, as far as I understand it.
- Linkedin says she obtained a Master's between 2020 and 2022 at Santa Clara University.
- OK so she was a student 4 years ago? But still here on a student visa, and employed at Google? Some of that information is either wrong or Google wasn't verifying work eligibility.
- The article describes events that were discovered in 2023.
- > If convicted, each defendant faces up to 10 years in prison for each trade secret charge and up to 20 years for obstruction of justice, along with fines of up to $250,000 per count.
This is part of why we are where we are as a country. We have this whole web of charging instruments in our legal system that dance around the main thrust of what investigations are about. It makes people who would think of doing these things think that they could get off easy if they were caught.
They're handing over sensitive info (we have sanctions and embargoes on Iran) to an enemy power. If you're an anal-retentive lawyer, you call it "stealing trade secrets". If you're a person with any amount of common sense, you call it espionage. One is something that should be applied when a company steals info from its competitor; the other should be applied when people are handing over sensitive info to an enemy power. One would be punishable by a decade in prison, the other punishable by life in prison or worse.
- Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
- I imagine the receiving party is an Iranian intelligence agency, due to the interest in sigint adjacent technology (Mobile cryptography).
That probably makes it espionage, not of the corporate kind
- > Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
Sort of.
But if the government is hosting its email with Joe, and Joe hires an intern who installs a backdoor for Russia: that would be treason.
Despite the fact that it's a quaint allegory, it's actually a closer one to the reality of the situation.
- Treason is very narrowly defined in the US constitution, and has not been prosecuted since WW2.
As long as the US is not at war with Russia, spying for Russia can't be treason.
> "Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort."
- Note however that it could still be a violation of other laws.
- They're reporting the statutory maxima, which have practically nothing to do with what the sentences will actually be.
- [dead]
- [flagged]
- [flagged]
- We have cases where people grow up in the US, are natural born Americans, and they are taking paychecks to go compete against America in the Olympics. Americans are excusing this as "at least she got her bag". The effects of post-modernism, and this idea that there is no objective truth nor morality is slowly destroying society. When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
- The Olympics are games. No one is hurt by someone playing for another team. Are people disloyal to America if they vacation in a foreign country? They are siphoning American money off to a foreign country instead of patriotically traveling inside the US of A. Don’t watch the Great British Bake Off! You are giving your American attention to a foreign show over the great Home Grown American TV!
- > When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
An immigrant who hasn't at least applied for citizenship definitely doesn't owe loyalty to their country of residence.
- > When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
But your example cites a "natural born American", not an immigrant?
- From your perspective I feel like you have not spoken to many immigrants. Loyalty over ones own home country because you get a paycheck through some semi-exploitative H1B scheme cannot reasonably be expected.
- And in your mind moral objectivism fixes this how? You equate these things to post-modernism, do you believe disloyalty came to exist in the world for the first time during 1950s?
- This is satire right? You're comparing stealing intelligence for Iran to... playing sports in the Olympics?
- Its all part of the same idea. The idea that you can be in America, and not be loyal to America, that America is fundamentally evil and not worth loyalty. That things like money are more important than your country.
- When Albert Einstein fled germany to help the USA build nukes to destroy germany, was that good or bad?
- I'm guessing this doesn't cut the other way? Like US doesn't have to give back all its foreign-born scientists and engineers (and some athletes).
- Eileen Gu, who you are talking about here, is a prime example of the strange issue of misplaced loyalty to a country that is far more abusive than USA
- If immigrants were loyal to their country, they wouldn't do this. The problem is immigrants who don't make it their country.
- Hey man, the US is just an economic zone, not a country
- You know what, I'm going to defend this, because despite how off-colour and bad faith it comes across there's a definite nugget of truth that we have to sit with.
If your hiring program is built around increasing diversity, and you have an enemy state who would count as diverse by default then you have quite literally opened the door for exploitation.
All the handwringing in the sibling comments are not even trying to contend with this.
Also, it seems to be second generation migrants with greater affinity for extremism and patriotism for their parents country - despite never living there (this is the case in Sweden at least), and those are usually full citizens: this is very difficult to contend with for security services who use citizenship as a proxy for weeding out potential disloyalty).
- But hey, they work for 20% off, so there's that.
- Unless you’re claiming all immigrants are spies, your logic doesn’t make sense. People loyal to their country tend to stay there.
- >People loyal to their country tend to stay there.
You'd be surprised. If I were to emigrate because of economic reasons (which is by far the most popular reason to emigrate) my loyalty would stay with my paychecks. I don’t see how it could be otherwise. What binds me to my new country? My history, my character, my race, my religion…? Guess not.
- Many modern immigrants to America are purely economic. The rich are fine with this because they profit, but the labor class suffers.
- > People loyal to their country tend to stay there.
Not necessarily true. Source: I have friends and family who came to the US from Russia and are still loyal to Russia. When the topic comes up, they tell me they would fight for Russia in a hypothetical US/Russia war.
It's entirely possible to love your country and still seek out a better life elsewhere for practical reasons.
Edit: To clarify, this isn't universal. Some folks who came over absolutely hate the country of their birth, some still love it, while others are ambivalent. But you can't make a blanket statement like "people loyal to their country tend to stay there" when there are stark financial and quality of life advantages to moving from one place to another.
- Some immigrants are loyal to their country.
A company hires immigrants.
It's possible the company has hired immigrants loyal to their country.
Logically, it works like that.
125 points by giuliomagnifico 11 hours ago | 77 comments