> The couple also allegedly photographed hundreds of computer screens containing confidential information from Google and Company 2, in what appeared to be an attempt at circumventing digital monitoring tools.
I guess all the MDM and document restrictions in the world can't help you against photos of screens. Is it even possible to protect against this, short of only allowing access to confidential files in secure no-cell-phone zones?
There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
> There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
Those kinds of watermarks seem like they'd fail to a sophisticated actor. For instance, if that echomark-type of watermark becomes widespread. I supposed groups like the New York Times would update their procedures to not publish leaked documents verbatim or develop technology to scramble the watermark (e.g. reposition things subtly (again) and fix kerning issues).
With generative AI, the value of a photograph or document as proof is probably going to go down, so it probably won't be that big of an issue.
When a competent journalist gets a leaked document, they'll learn to only summarize it, but won't quote it verbatim or duplicate it. That'll circumvent and kind of passive leak-detection system that could reveal their source.
Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
> Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
This is called a canary trap [0], a well-trodden technique in the real world and fiction alike.
No you can’t. It’s formally called “the analog hole” when security folks yap about it. Usually it’s used to end DLP discussions after too many what-ifs
Especially when you consider that a phone can record hd video, so you can make a player that scrolls through pages and pages of pdfs very fast for example, you record the screen in hd video on a phone and then write a decoder that takes video back to a pdf of the images. Literally the only thing you lose is the ability to cut and paste the text of the pdf and you can even get that back if you trouble yourself to put the images through ocr.
Similarly you could hypothetically exfil binary data by visually encoding it (think like a qr code) and video recording it in the same way.
Just remember that it's significantly more time consuming to photograph a screen than steal large group of files. Thus, even though it's not preventable, it adds enough friction to be effective.
As sibling comment mentions, with OCR and video tooling these days I'd imagine you could whip up something pretty easily that can comb through several minutes of video footage and convert it to text/PDF/etc.
A leaker with a smartphone on a tripod capturing video while they scroll through files etc. could probably deal significant damage without much effort.
Yeah, this is why any high security information facility has physical security controls. Give someone infinite time and physical access and they could copy it off with clay tablets and chisels.
Keep in mind that many secure no-cell-phone zones, even those that host classified data are still relatively physically open. The personnel allowed inside them are strictly vetted and trained to be self-policing, but it's only the threat of discovery and harsh punishment stopping someone with the right badge/code from physically bringing in a phone. There generally aren't TSA-style checkpoints or patdowns. Happens accidentally all the time, especially in the winter with jackets.
This is misunderstanding the purpose of the restriction.
The main reason not to bring a phone into the room is that the phone could be compromised. If the person is compromised then a device isn't your problem, because they could view the documents and copy them on paper or just remember the contents to write down later.
Note the "also" in the first sentence. I'm understanding the timeline as them trying normal exfiltration, getting caught by DLP, then moving on to the cell phone method. But the first catch was enough to trigger an investigation.
“Company 2” has to be Qualcomm. Or am I misreading this? The only reason I think I’m misreading is because it’s so obviously Qualcomm that it seems silly for the article to call it “company 2”.
> On the night before the pair traveled to Iran in December 2023, Samaneh allegedly took about 24 photos of Khosravi’s work computer screen containing Company 2′s trade secrets, including *its* Snapdragon SoCs.
That’s the point where I realized how thin the curtain is. Earlier the article talked about “Qualcomm’s Snapdragon” as an example of an SoC, but that could have been just to give the reader an idea of what an SoC is. But this line made it clear it wasn’t just an example.
> so obviously Qualcomm that it seems silly for the article to call it “company 2”
Redactions / aliases are sometimes quite transparent. When policy dictates that it must happen they do it even when it is not hard to puzzle out who the redaction / alias hides.
There is the famous interview where the NTSB was interviewing an expert in relation to the Oceangate tragedy. The expert's name was redacted, but he was described as "Co-Designer / Pilot of the Deepsea Challenger" which is already quite a specific thing. Not a lot of people can claim that. And then the interview started like this:
Q: So how did you get yourself started into submersible operations?
<redacted>: Well, I'm sure you are familiar with my film Titanic.
I'm leaving the solution as an exercise for the reader. But it is a real world "Lisa S. No, that's too obvious. Uh, let's say L. Simpson." situation.
> If convicted, each defendant faces up to 10 years in prison for each trade secret charge and up to 20 years for obstruction of justice, along with fines of up to $250,000 per count.
This is part of why we are where we are as a country. We have this whole web of charging instruments in our legal system that dance around the main thrust of what investigations are about. It makes people who would think of doing these things think that they could get off easy if they were caught.
They're handing over sensitive info (we have sanctions and embargoes on Iran) to an enemy power. If you're an anal-retentive lawyer, you call it "stealing trade secrets". If you're a person with any amount of common sense, you call it espionage. One is something that should be applied when a company steals info from its competitor; the other should be applied when people are handing over sensitive info to an enemy power. One would be punishable by a decade in prison, the other punishable by life in prison or worse.
Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
> Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
Sort of.
But if the government is hosting its email with Joe, and Joe hires an intern who installs a backdoor for Russia: that would be treason.
Despite the fact that it's a quaint allegory, it's actually a closer one to the reality of the situation.
Scenario: company hires immigrants, and then are surprised and upset immigrants are loyal to their country.
Shocking.
On the other hand, it’s corporate espionage which is actually fairly common. However, due to the influx of immigration around the world you are going to see this occur a lot more often.
We have cases where people grow up in the US, are natural born Americans, and they are taking paychecks to go compete against America in the Olympics. Americans are excusing this as "at least she got her bag". The effects of post-modernism, and this idea that there is no objective truth nor morality is slowly destroying society. When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
The Olympics are games. No one is hurt by someone playing for another team. Are people disloyal to America if they vacation in a foreign country? They are siphoning American money off to a foreign country instead of patriotically traveling inside the US of A. Don’t watch the Great British Bake Off! You are giving your American attention to a foreign show over the great Home Grown American TV!
And in your mind moral objectivism fixes this how? You equate these things to post-modernism, do you believe disloyalty came to exist in the world for the first time during 1950s?
Its all part of the same idea. The idea that you can be in America, and not be loyal to America, that America is fundamentally evil and not worth loyalty. That things like money are more important than your country.
You know what, I'm going to defend this, because despite how off-colour and bad faith it comes across there's a definite nugget of truth that we have to sit with.
If your hiring program is built around increasing diversity, and you have an enemy state who would count as diverse by default then you have quite literally opened the door for exploitation.
All the handwringing in the sibling comments are not even trying to contend with this.
Also, it seems to be second generation migrants with greater affinity for extremism and patriotism for their parents country - despite never living there (this is the case in Sweden at least), and those are usually full citizens: this is very difficult to contend with for security services who use citizenship as a proxy for weeding out potential disloyalty).
>People loyal to their country tend to stay there.
You'd be surprised. If I were to emigrate because of economic reasons (which is by far the most popular reason to emigrate) my loyalty would stay with my paychecks. I don’t see how it could be otherwise. What binds me to my new country? My history, my character, my race, my religion…? Guess not.
> People loyal to their country tend to stay there.
Not necessarily true. Source: I have friends and family who came to the US from Russia and are still loyal to Russia. When the topic comes up, they tell me they would fight for Russia in a hypothetical US/Russia war.
It's entirely possible to love your country and still seek out a better life elsewhere for practical reasons.
Edit: To clarify, this isn't universal. Some folks who came over absolutely hate the country of their birth, some still love it, while others are ambivalent. But you can't make a blanket statement like "people loyal to their country tend to stay there" when there are stark financial and quality of life advantages to moving from one place to another.
> The couple also allegedly photographed hundreds of computer screens containing confidential information from Google and Company 2, in what appeared to be an attempt at circumventing digital monitoring tools.
I guess all the MDM and document restrictions in the world can't help you against photos of screens. Is it even possible to protect against this, short of only allowing access to confidential files in secure no-cell-phone zones?
There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
0: https://www.echomark.com/post/goodbye-to-analog-how-to-use-a...
> There's not much you can do about it, as sibling comment mentions it's a known gap. There is some work [0] in this space on the investigative side to trace the leak's source, but again the only way it would work is if you can obtain a leaked copy post hoc (leaked to press, discovered through some other means, etc.).
Those kinds of watermarks seem like they'd fail to a sophisticated actor. For instance, if that echomark-type of watermark becomes widespread. I supposed groups like the New York Times would update their procedures to not publish leaked documents verbatim or develop technology to scramble the watermark (e.g. reposition things subtly (again) and fix kerning issues).
With generative AI, the value of a photograph or document as proof is probably going to go down, so it probably won't be that big of an issue.
You could do really sneaky things like alter the space between words or other formatting tricks.
Print it out, scan it back in, and OCR that.
Then have an AI or intern paraphrase it.
Then you fix that loophole by subtlety altering the phrasing or formatting that you send everyone
I think that's exactly what will happen.
When a competent journalist gets a leaked document, they'll learn to only summarize it, but won't quote it verbatim or duplicate it. That'll circumvent and kind of passive leak-detection system that could reveal their source.
Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
> Then the only thing that would reveal the source is if the authority starts telling suspected leakers entirely different things, to see what gets out.
This is called a canary trap [0], a well-trodden technique in the real world and fiction alike.
0: https://en.wikipedia.org/wiki/Canary_trap
No you can’t. It’s formally called “the analog hole” when security folks yap about it. Usually it’s used to end DLP discussions after too many what-ifs
Unless your employer is Google and all those photos are uploaded to its servers
What if you use a film camera?
> Is it even possible to protect against this, short of only allowing access to confidential files in secure no-cell-phone zones?
Isn't that how congressmen and senators view them in the US? At least, that's how I've understood it to be. If so, what's good for the goose...
Especially when you consider that a phone can record hd video, so you can make a player that scrolls through pages and pages of pdfs very fast for example, you record the screen in hd video on a phone and then write a decoder that takes video back to a pdf of the images. Literally the only thing you lose is the ability to cut and paste the text of the pdf and you can even get that back if you trouble yourself to put the images through ocr.
Similarly you could hypothetically exfil binary data by visually encoding it (think like a qr code) and video recording it in the same way.
Even better, there are a bunch of these:
https://github.com/CiscoCXSecurity/QRCode-Video-Data-Exfiltr...
Just remember that it's significantly more time consuming to photograph a screen than steal large group of files. Thus, even though it's not preventable, it adds enough friction to be effective.
As sibling comment mentions, with OCR and video tooling these days I'd imagine you could whip up something pretty easily that can comb through several minutes of video footage and convert it to text/PDF/etc.
A leaker with a smartphone on a tripod capturing video while they scroll through files etc. could probably deal significant damage without much effort.
Yeah, this is why any high security information facility has physical security controls. Give someone infinite time and physical access and they could copy it off with clay tablets and chisels.
Keep in mind that many secure no-cell-phone zones, even those that host classified data are still relatively physically open. The personnel allowed inside them are strictly vetted and trained to be self-policing, but it's only the threat of discovery and harsh punishment stopping someone with the right badge/code from physically bringing in a phone. There generally aren't TSA-style checkpoints or patdowns. Happens accidentally all the time, especially in the winter with jackets.
This is misunderstanding the purpose of the restriction.
The main reason not to bring a phone into the room is that the phone could be compromised. If the person is compromised then a device isn't your problem, because they could view the documents and copy them on paper or just remember the contents to write down later.
Can't you have one or more x-ray tunnels or other scanners? They don't even need to be actively monitored, just treated like CCTV.
"Google said it had detected the alleged theft through routine security monitoring", so it seems it is possible.
Note the "also" in the first sentence. I'm understanding the timeline as them trying normal exfiltration, getting caught by DLP, then moving on to the cell phone method. But the first catch was enough to trigger an investigation.
“Company 2” has to be Qualcomm. Or am I misreading this? The only reason I think I’m misreading is because it’s so obviously Qualcomm that it seems silly for the article to call it “company 2”.
> Company 2, which develops system-on-chip (SoC) platforms such as the Snapdragon series
Only a lawyer could write this with a straight face
> On the night before the pair traveled to Iran in December 2023, Samaneh allegedly took about 24 photos of Khosravi’s work computer screen containing Company 2′s trade secrets, including *its* Snapdragon SoCs.
Keep reading.
That’s the point where I realized how thin the curtain is. Earlier the article talked about “Qualcomm’s Snapdragon” as an example of an SoC, but that could have been just to give the reader an idea of what an SoC is. But this line made it clear it wasn’t just an example.
Yup. It’s like saying Company X which develops the iPhone smartphone.
It’s either extreme incompetence or cheeky disclosure while also technically not naming the company.
> so obviously Qualcomm that it seems silly for the article to call it “company 2”
Redactions / aliases are sometimes quite transparent. When policy dictates that it must happen they do it even when it is not hard to puzzle out who the redaction / alias hides.
There is the famous interview where the NTSB was interviewing an expert in relation to the Oceangate tragedy. The expert's name was redacted, but he was described as "Co-Designer / Pilot of the Deepsea Challenger" which is already quite a specific thing. Not a lot of people can claim that. And then the interview started like this:
Q: So how did you get yourself started into submersible operations? <redacted>: Well, I'm sure you are familiar with my film Titanic.
I'm leaving the solution as an exercise for the reader. But it is a real world "Lisa S. No, that's too obvious. Uh, let's say L. Simpson." situation.
> If convicted, each defendant faces up to 10 years in prison for each trade secret charge and up to 20 years for obstruction of justice, along with fines of up to $250,000 per count.
This is part of why we are where we are as a country. We have this whole web of charging instruments in our legal system that dance around the main thrust of what investigations are about. It makes people who would think of doing these things think that they could get off easy if they were caught.
They're handing over sensitive info (we have sanctions and embargoes on Iran) to an enemy power. If you're an anal-retentive lawyer, you call it "stealing trade secrets". If you're a person with any amount of common sense, you call it espionage. One is something that should be applied when a company steals info from its competitor; the other should be applied when people are handing over sensitive info to an enemy power. One would be punishable by a decade in prison, the other punishable by life in prison or worse.
Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
> Corporate espionage. Stealing secrets from a company and sanctions-busting are of course bad things to do, but the legal consequences are not the same as stealing confidential information from the government.
Sort of.
But if the government is hosting its email with Joe, and Joe hires an intern who installs a backdoor for Russia: that would be treason.
Despite the fact that it's a quaint allegory, it's actually a closer one to the reality of the situation.
Treason is very narrowly defined in the US constitution, and has not been prosecuted since WW2.
As long as the US is not at war with Russia, spying for Russia can't be treason.
> "Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort."
Note however that it could still be a violation of other laws.
I imagine the receiving party is an Iranian intelligence agency, due to the interest in sigint adjacent technology (Mobile cryptography).
That probably makes it espionage, not of the corporate kind
They're reporting the statutory maxima, which have practically nothing to do with what the sentences will actually be.
Should be charged under treason with penalty of death
How can it be treason if they’re not even US citizens?
Iran is not our enemy. We are the aggressor.
Scenario: company hires immigrants, and then are surprised and upset immigrants are loyal to their country.
Shocking.
On the other hand, it’s corporate espionage which is actually fairly common. However, due to the influx of immigration around the world you are going to see this occur a lot more often.
We have cases where people grow up in the US, are natural born Americans, and they are taking paychecks to go compete against America in the Olympics. Americans are excusing this as "at least she got her bag". The effects of post-modernism, and this idea that there is no objective truth nor morality is slowly destroying society. When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
The Olympics are games. No one is hurt by someone playing for another team. Are people disloyal to America if they vacation in a foreign country? They are siphoning American money off to a foreign country instead of patriotically traveling inside the US of A. Don’t watch the Great British Bake Off! You are giving your American attention to a foreign show over the great Home Grown American TV!
And in your mind moral objectivism fixes this how? You equate these things to post-modernism, do you believe disloyalty came to exist in the world for the first time during 1950s?
> When someone immigrates to the US it should be clear to them that their loyalty belongs to the US.
But your example cites a "natural born American", not an immigrant?
I'm guessing this doesn't cut the other way? Like US doesn't have to give back all its foreign-born scientists and engineers (and some athletes).
This is satire right? You're comparing stealing intelligence for Iran to... playing sports in the Olympics?
Its all part of the same idea. The idea that you can be in America, and not be loyal to America, that America is fundamentally evil and not worth loyalty. That things like money are more important than your country.
Hey man, the US is just an economic zone, not a country
You know what, I'm going to defend this, because despite how off-colour and bad faith it comes across there's a definite nugget of truth that we have to sit with.
If your hiring program is built around increasing diversity, and you have an enemy state who would count as diverse by default then you have quite literally opened the door for exploitation.
All the handwringing in the sibling comments are not even trying to contend with this.
Also, it seems to be second generation migrants with greater affinity for extremism and patriotism for their parents country - despite never living there (this is the case in Sweden at least), and those are usually full citizens: this is very difficult to contend with for security services who use citizenship as a proxy for weeding out potential disloyalty).
If immigrants were loyal to their country, they wouldn't do this. The problem is immigrants who don't make it their country.
But hey, they work for 20% off, so there's that.
Unless you’re claiming all immigrants are spies, your logic doesn’t make sense. People loyal to their country tend to stay there.
>People loyal to their country tend to stay there.
You'd be surprised. If I were to emigrate because of economic reasons (which is by far the most popular reason to emigrate) my loyalty would stay with my paychecks. I don’t see how it could be otherwise. What binds me to my new country? My history, my character, my race, my religion…? Guess not.
Many modern immigrants to America are purely economic. The rich are fine with this because they profit, but the labor class suffers.
Some immigrants are loyal to their country.
A company hires immigrants.
It's possible the company has hired immigrants loyal to their country.
Logically, it works like that.
> People loyal to their country tend to stay there.
Not necessarily true. Source: I have friends and family who came to the US from Russia and are still loyal to Russia. When the topic comes up, they tell me they would fight for Russia in a hypothetical US/Russia war.
It's entirely possible to love your country and still seek out a better life elsewhere for practical reasons.
Edit: To clarify, this isn't universal. Some folks who came over absolutely hate the country of their birth, some still love it, while others are ambivalent. But you can't make a blanket statement like "people loyal to their country tend to stay there" when there are stark financial and quality of life advantages to moving from one place to another.