Forgot your password?
typodupeerror
Security The Military United Kingdom IT

Incomplete PDF Redaction Leaks Data From UK MoD 171

Posted by timothy
from the peekaboo-theory dept.
An anonymous reader writes "The UK Ministry of Defence has been left with egg on its face, after a supposedly redacted PDF detailing secrets related to air defence radar systems was published on a parliamentary website. The problem? Whoever did the redacting simply changed the sensitive text to black on a black background, making it possible for anyone to access the information simply by cutting-and-pasting. The incident is particularly embarrassing for the Ministry, as six months ago precisely the same security screw-up occurred — that time related to sensitive information about nuclear submarines."
This discussion has been archived. No new comments can be posted.

Incomplete PDF Redaction Leaks Data From UK MoD

Comments Filter:
  • by gweihir (88907) on Sunday October 09, 2011 @06:00PM (#37656718)

    At least they are consistent in hiring incompetent amateurs to do important work.

  • rookie mistake
  • by artor3 (1344997) on Sunday October 09, 2011 @06:01PM (#37656724)

    Seriously, this exact mistake seems to occur at least a couple times a year. You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

    • Seriously, this exact mistake seems to occur at least a couple times a year. You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

      It occurs enough that I surprised the PDF companies haven't added a check to detect when the same background and foreground colors are used so that a warning can be displayed.

    • by NeoMorphy (576507)

      Maybe they shouldn't even be using MS Word. There's a lot of silly ways one could leave information in a document after they thought they removed it. And even if they did everything correctly, a bug in MS Word could still leave it in. Oops, don't worry, just apply this update and that problem won't happen again.

    • by Nehmo (757404)

      ... You would think that anyone with enough security clearance to make redactions would, ... take a 4 hour training course on how to use MS Word? ...

      The documents at issue were PDFs, and Word doesn't edit PDFs. The source article suggests using the redaction features in Acrobat X [adobe.com].

      • by artor3 (1344997)

        Word can export files as PDFs, at least as of the 2007 version, and even before that you could use "print to file" addons. The point is, whatever tool they're using, they ought to know how to use it well enough to perform their basic job functions.

    • by tlhIngan (30335)

      Seriously, this exact mistake seems to occur at least a couple times a year. You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

      An easier solution.

      Take document. Print it out on paper. With thick fat black marker, redact away. Then take redacted documents, and scan them in. This is just a modification on the way they used to do it in the old days.

      The problem is p

  • by Dunbal (464142) *
    Where is the document? I call BS.
  • The only safe way to redact sensitive PDFs or Word (or other word-processing doc) is to black out the data, print it out, and rescan a hard-copy "original".

    • by TheSpoom (715771) <slashdot@Nospam.uberm00.net> on Sunday October 09, 2011 @06:03PM (#37656742) Homepage Journal

      Or, y'know, replace the text with "[redacted]". If you black out the text, you're still giving away information on its length.

      • by wvmarle (1070040) on Sunday October 09, 2011 @10:46PM (#37658552)

        Indeed. There has been at least one story here on /. a few years ago detailing how in some cases the missing words could be recovered. In that case a document where place names (cities or countries, I forgot) were removed.

        They were recovered by precisely measuring the distance between the non-blacked-out words, the size of the letters of the font used, and then mixing and matching until you found a word (name) that had the correct length in that font. Usually a few matches were found but from the context the correct one was easily deduced.

      • by AmiMoJo (196126)

        The problem is that can break the formatting. Not a problem for a short email but a longer multi-page report could get screwed up.

        Adobe's software has redaction tools that take care of everything, but a lot of people just print to PDF directly from Word or Outlook.

    • The only safe way to redact sensitive PDFs or Word (or other word-processing doc) is to black out the data, print it out, and rescan a hard-copy "original".

      With PDF's, at least, If you know PostScript, you can actually do it with a text editor, vi, nano, BBEdit, WordPad, etc. Even if you don't know PS, you could probably bumble your way through deleting content... and still be left with a file that opens, even if sort of broken. Your success would depend largely on the size of the document (shorter documents with fewer redactions would be easier to deal with, obviously) and how well you manually parse markup/code. This assumes that the content is not in image

      • by leenks (906881)

        Right. How many people on 15k a year know what Postscript is, let alone how to edit it?

        • by Anonymous Coward

          me

    • by unrtst (777550)

      Huh!?!?!

      As others have noted, you can just replace the text with "[redacted]", which also removes the length guessing.

      Some people have noted some (ridiculous) concerns (like file formats storing changes, which could simply be disabled, and should be caught by the audit procedure afterwards - there is an audit, right?!?). So if you really want the print-out-and-scan-in type of dumbed down method, then:

      * save to a bitmap or jpeg.
      * black out the text in there ...no need for the useless media conversion (print/

      • by mgv (198488)

        Huh!?!?!

        As others have noted, you can just replace the text with "[redacted]", which also removes the length guessing.

        Some people have noted some (ridiculous) concerns (like file formats storing changes, which could simply be disabled, and should be caught by the audit procedure afterwards - there is an audit, right?!?). So if you really want the print-out-and-scan-in type of dumbed down method, then:

        * save to a bitmap or jpeg.
        * black out the text in there ...no need for the useless media conversion (print/scan).

        Of course, that only works if you turn "track changes" off in word... :)

        Michael.

  • Really guys. Maybe you should outsource this.

    • Re:Not again (Score:4, Insightful)

      by Doc Ruby (173196) on Sunday October 09, 2011 @06:21PM (#37656876) Homepage Journal

      Because private businesses are competent? We read on Slashdot about their making this same mistake all the time. Why would some temp working for some defense contractor be any better? Especially when those temps are likely to be not just outsourced, but offshored? I can see plenty of, say, Pakistani office temps caring even less about protecting UK government secrets than their equivalent who is actually a citizen of the country at risk when the secret is divulged.

      • Ok then, how about the total opposite - one single department for the entire government which is responsible for releasing properly redacted documents, no other department is allowed to release redacted documents, everything as to pass through this single department...

        • by JustOK (667959)

          whole new set to vet

        • by rtb61 (674572)

          How about this. A judicial review, where each and every redaction must pass a court of law and fulfil firstly that the redaction would have no impact upon the next election and secondly the redaction is truly in the public interest and date set for the release of the information contained in the redaction.

          No government department should be entitled to keep secrets under it's own authority without judicial review and where information was kept secret that would have an impact on the next election those pe

        • I was thinking an officially sanctioned program or plugin that properly redacts the text. That way you hire one guy to code and maintain the program instead of a whole department.

      • by mug funky (910186)

        whoosh?

  • It takes 30 seconds searching help to find the correct way to redact text. Amazing how lazy people are sometimes.

    • Only the Pro version of Acrobat has a redaction tool. I have the standard version and it's $150 more just to get the redaction tool.
  • Blacking out the secrets clearly isn't a good strategy.
    Next time, they should just put whiteout on the screen to cover up the secret parts.
    • by inviolet (797804)

      Blacking out the secrets clearly isn't a good strategy. Next time, they should just put whiteout on the screen to cover up the secret parts.

      Blacking out the secrets is excellent strategy if the data is actually misinformation.

      The cheapest way to win an arms race is to trick your opponent into believing that you've got better gear, without actually wasting billions of dollars on said gear.

  • If the editor needs a new gig, I'm sure there's room for them at Slashdot!

  • by Anonymous Coward

    Consider "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word 2007 to PDF" at http://www.nsa.gov/ia/_files/support/I733-028R-2008.pdf

  • Isn't this like the third or forth time this has happened? I seem to recall both the FBI and TSA making the same mistake somewhat recently. At least within the last couple of years. I guess people can't learn from others mistakes after all...
    • It's a fact of life that people will screw things up. You can attempt to reduce the number of screwups through training people, disciplining those that refuse to comply and reducing the number of people performing high risk tasks but it's almost impossible to reduce it to zero.

      How many redacted documents do you think are released every year? Frankly i'm surprised we don't see stories like this far more often.

  • Our secret service is just one big trailer for the forthcoming Johnny English sequel.
  • by Animats (122034) on Sunday October 09, 2011 @06:46PM (#37657058) Homepage

    Having worked in the classified world (pre 9/11), it was surprising how little military information was classified. The front-line military view of secrecy is that secrecy is a short-term thing. "Where the ship was last week is unclassified. Where the ship was yesterday is confidential. Where the ship is now is secret. Where the ship will be tomorrow is top secret." Sooner or later, if it matters, the enemy will find out what you're up to. Preferably when your attack hits them.

    On the other hand, what your troops, ships and planes can do is generally well known. Too many people have to know. Secret capabilities do exist, but, again, they're time-sensitive. Eventually you have to use the secret weapon, after which it's no longer secret.

    Vulnerabilities are more of a problem. The U.S. Army tried to keep secret the vulnerable spots on a M-1 Abrams tank. But once Iraqi insurgents had found the places on the turret ring to aim at, trying to suppress the pictures of the damage was sort of stupid.

    When planning proposals, we estimated that running a project at SECRET doubled the cost, and running at TOP SECRET quadrupled it. (The clearance process takes many months, the physical security is expensive and slows you down, and worst of all, the people who spend too much time in classified tanks get out of touch technically.) The intel community was willing to pay that price - the military, not so much.

  • I mean really. Adobe Acrobat has an easy to use Redaction tool specifically designed for this sort of thing. Not only does it properly black out and remove the text underneath, it can also scrub the removed data from the PDF so that some smart fellow cannot undelete the contents. It's really not hard at all... unless of course you're paying peanuts to someone who doesn't give a shit about doing things correctly and instead just wants to give the impression of having done the job.

  • Bruce Schneier said it best:

    The problem with bad security is that it looks just like good security.

    In this respect, the problem comes down to incompetence at some point in the chain of command, and (by transitive closure) lack of effective oversight at all points above that one. But that's not an excuse, just a description of the pathology.

  • Poor receptionist is all I can say. She was trying to do her best but didn't know any better! Shame on them!
  • Adobe Acrobat has a REDACTION feature built specifically to address issues like this.
    It's not hard to use - arguably it's even easier than trying to find the text and putting a black background behind it.
    It not only removes the text (or other objects) on the page that you are redacting, but it provides a very easy interface to use.
    It also removes additional metadata (full text indexes, other personalised information such as document creator etc) and you can do a search and redact to redact specific strings.

  • A few years ago I also found I needed to redact text from a document.  I do most of my document processing in LaTeX, and found that the following works nicely.  It replaces (not overprints) all text inside \redact{...} with a black bar, and copes well with wrapping across lines and pages.

    \RequirePackage{soul,color}
    \sethlcolor{black}
    \makeatletter
    \def\phantom@SOUL@ulunderline#1{{%
         \setbox\z@\hbox{#1}%
         \dimen@=\wd\z@
         \dimen@i=\SOUL@uloverlap
         \advance\dimen@2\dimen@i
         \rlap{%
             \null
             \kern-\dimen@i
             \SOUL@ulcolor{\SOUL@ulleaders\hskip\dimen@}%
         }%
         \phantom{\unhcopy\z@}% \phantom added here
    }}
    \DeclareRobustCommand\redact[1]{\begingroup
       \let\SOUL@ulunderline\phantom@SOUL@ulunderline
       \hl{#1}%
    \endgroup}
    \makeatother
  • making it possible for anyone to access the information simply by cutting-and-pasting.

    Surely it's 'copying-and-pasting'?!

  • The military-industrial complex would much prefer to operate with no oversight at all.

    We have a perverse system where such oversight is acceptable only if it does not compromise security (rather than the other way around.)

    So by screwing this up on purpose, the military can plead security concerns and never publish anything at all, because any public oversight whatsoever will be too risky.

    Never ascribe to malice what can be explained by incompetence? Well, malice exists, even though

  • I know one should'nt attribute to malice what can be explained by incompetence but I can't prevent myself to think that if I wanted to leak fake informations, I would use exactly that kind of procedures.

    Western governments jumped late in the infowar bandwagon but they are going there. Fake leaks are doomed to happen.
  • Maybe next we can see people prosecuted for "hacking" for copying and pasting the text so they can read it. If truncating or guessing an URL can be considered hacking, surely this can be too.

The number of arguments is unimportant unless some of them are correct. -- Ralph Hartley

Working...