The Nation's Independent Review & RSIDs

By Adam Carter - September 2nd, 2017

On September 1st, 2017, The Nation published an article titled "A Leak or a Hack? A Forum on the VIPS Memo" (archived) featuring a letter from dissenting members of VIPS, a reply from VIPS signatories and the results of an independent review written by Nathanial Freitas.

I understand that Katrina vanden Heuvel (editor & publisher of The Nation) and her husband have both come under pressure from elements within the Democratic party and mainstream media with some political attack dogs already snarling their names and trying to make things personal - so I'm not surprised to see how things have turned out.

To be fair, the article itself is actually quite reasonable and shows arguments from both sides, and the VIPS signatories, if anything, get to strengthen their case with further information, which is positive for them.

Before I get into the main issue, I will also say I've no issue with their independent expert (he's clearly got technical expertise) and in general, to his credit, he tried to give a fair appraisal. However, there is something important that needs clarifying...


RSIDs & Document Specifications - OOX vs RTF

Did you know there are different RSID implementations?

Did you know RSIDs behave differently depending on the document format?

After seeing Freitas claim RSIDs could be duplicated across documents by simply copying and pasting content between documents (which doesn't work with RTF documents), I questioned (on Twitter) the assertions he had made in his review, asking if anyone knew about the behavior he was referencing.

It was soon pointed out to me why Freitas was making assertions that conflicted with my experience and testing:

It turns out that Freitas is familiar with the behavior of RSIDs in the context of the OOX (Open Office XML) format that he linked to, which is used as the default for Microsoft Office 2007's compressed document format (the one that uses the extension .docx).

This isn't applicable to the RTF format (where RSIDs are not preserved when copying and pasting).

So, the deliberately placed fingerprints and the document construction process outlined both remain valid (the former now remaining unchallenged for 197 days at the time of writing this).

I've also tested copying between these OOX format documents first and then converting to RTF documents afterwards. This also produced differing RSIDs.
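For readers who want to run the same kind of comparison on their own files, here is an added example (not code from this article, from Forensicator or from Freitas's review) that pulls the RSID list out of an RTF file and out of a .docx and reports any values the two share. It assumes RTF keeps the list as decimal `\rsidN` entries in its `{\*\rsidtbl ...}` group and .docx keeps it as hex `w:rsid` values in `word/settings.xml`; the sample documents and their RSID values are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def rtf_rsids(rtf_text):
    # RSIDs listed in the {\*\rsidtbl ...} group; RTF writes them in decimal.
    m = re.search(r"\{\\\*\\rsidtbl([^{}]*)\}", rtf_text)
    if not m:
        return set()  # document carries no revision-save table
    return {int(n) for n in re.findall(r"\\rsid(\d+)", m.group(1))}

def docx_rsids(docx_bytes):
    # RSIDs listed under <w:rsids> in word/settings.xml; written as 8-digit hex.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/settings.xml"))
    # <w:rsidRoot> is a different tag, so only the <w:rsid> entries match here.
    return {int(e.get(W + "val"), 16) for e in root.iter(W + "rsid")}

def shared_rsids(a, b):
    # Values present in both documents, normalised to the 8-digit hex form.
    return sorted(f"{v:08X}" for v in a & b)

def make_sample_docx(hex_rsids):
    # Constructed stand-in for a .docx: only the part this example reads.
    items = "".join(f'<w:rsid w:val="{h}"/>' for h in hex_rsids)
    xml = (f'<w:settings xmlns:w="{W[1:-1]}"><w:rsids>'
           f'<w:rsidRoot w:val="{hex_rsids[0]}"/>{items}</w:rsids></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", xml)
    return buf.getvalue()

# Constructed sample inputs (not taken from any real document).
SAMPLE_RTF_A = r"{\rtf1\ansi{\*\rsidtbl \rsid1138732\rsid2561490}\pard\insrsid2561490 text\par}"
SAMPLE_RTF_B = r"{\rtf1\ansi{\*\rsidtbl \rsid7930158\rsid9984213}\pard\insrsid9984213 text\par}"
SAMPLE_DOCX = make_sample_docx(["0011602C", "00A4F3B1"])

if __name__ == "__main__":
    a, b = rtf_rsids(SAMPLE_RTF_A), rtf_rsids(SAMPLE_RTF_B)
    print("RTF A vs RTF B :", shared_rsids(a, b))
    print("RTF A vs DOCX  :", shared_rsids(a, docx_rsids(SAMPLE_DOCX)))
```

Because the two formats write the same number in different bases, both sets are converted to integers before they are compared.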

I've emailed Katrina vanden Heuvel and have asked for this mistake to be corrected.


A Russian Keyboard?

Just before getting to the RSIDs, I also noticed something else mentioned by Freitas.

While I had heard mention of this, I know that neither I nor Forensicator ever concluded this, so I wondered where it had come from. After all, it's rare for people outside of Russia to have a Russian keyboard.

Having looked around for details on this, it looks a lot like this was just a misconception caused by assuming the language of the metadata was proof of the type of keyboard used by the person placing it there.

This (which Politico, Ars Technica and others reported) actually serves as a nice example of where The Nation's conclusion is most relevant.



The Nation concludes its piece with a closing statement:

I'll continue to take such care and will remain hopeful that Ars Technica, Politico & others will endeavour to follow this advice at some point in the near future.