Incomplete PDF Redaction Leaks Data From UK MoD

timothy posted more than 2 years ago | from the peekaboo-theory dept.

Security 171

An anonymous reader writes "The UK Ministry of Defence has been left with egg on its face, after a supposedly redacted PDF detailing secrets related to air defence radar systems was published on a parliamentary website. The problem? Whoever did the redacting simply changed the sensitive text to black on a black background, making it possible for anyone to access the information simply by cutting-and-pasting. The incident is particularly embarrassing for the Ministry, as six months ago precisely the same security screw-up occurred — that time related to sensitive information about nuclear submarines."

171 comments

Don't hide information. (0)

Anonymous Coward | more than 2 years ago | (#37656702)

They should not be trying to hide information from the people they govern.

Re:Don't hide information. (4, Insightful)

JoshuaZ (1134087) | more than 2 years ago | (#37656816)

There are types of information that every sane person thinks should be classified. For example, the engineering details of how to make nuclear weapons should probably be classified. There's a limit to how much of that can be practically classified because those secrets are so old, but a similar remark about hydrogen bombs would apply. Similarly, if one country has a high ranking spy in another country's government (say for example the Brits having a North Korean colonel giving them information from the inside), wanting to keep that information secret is reasonable. These are but two of the more clear cut examples. There's a lot of information about the specs of military hardware that could give an enemy advantages if they knew about it. Radar used in defense systems (which is what was leaked in this context) is exactly that sort of thing.

There are examples where governments try to classify things that they shouldn't. Sometimes they use that as a way of disguising violations of their citizens' rights. Other times they use it as a way of covering their asses after they do something incompetent. But it is a mistake to look at the examples where governments have abused their ability to classify things and then conclude that all classification is bad.

Re:Don't hide information. (-1, Troll)

tech4 (2467692) | more than 2 years ago | (#37656984)

No, they only "need" to be classified if a country constantly tries to force their views and politics down everyone else's throats (US and Christian "crusades", I'm looking at you!). It just shows that these secrets are used for evil and bad things, for murdering people.

If you worry that some nuclear designs leak out, what about not creating them in the first place? Their only purpose is to mass kill thousands of people. And US is still the ONLY country in the history to even use nuclear weapons against another country. It's such a fucking huge hypocrisy. "Protecting from evil countries" while US itself is the root of evil and has always been. But what more can you expect from a country made of Christians and their beliefs in some imaginary god in the sky.

Maybe I'm being too harsh on US though, as it's clear this has roots all the way back to ancient European beliefs, Rome and Christianity. At least Buddhism teaches real things, real values and there's no imaginary persons, as Buddha himself has actually lived. And he said to think and evaluate things with your own brains, instead of following some stupid book.

Re:Don't hide information. (1, Flamebait)

nedlohs (1335013) | more than 2 years ago | (#37657052)

They already exist. So not creating them isn't an option obviously. But don't let that stop you being retarded.

Re:Don't hide information. (2, Insightful)

Nutria (679911) | more than 2 years ago | (#37657060)

Christian "crusades"

As opposed to the Muslim invasions of the Palestine, Egypt, whatever the rest of North Africa was called 1300 years ago, Iberia, France, Babylon, Persia, Afghanistan, India, etc, etc, etc?

Re:Don't hide information. (2)

SwedishPenguin (1035756) | more than 2 years ago | (#37657152)

How does the existence of Christian crusaders negate the existence of Muslim crusaders, or any other type of crusaders for that matter? History is filled with religiously motivated war, regardless of religion.

Re:Don't hide information. (1)

Nutria (679911) | more than 2 years ago | (#37657366)

How does the existence of Christian crusaders negate the existence of Muslim crusaders

Who says I did?

But I do know that while in school the evils of the Christian Crusaders was repeated many times, while even the very *fact* that Muslims invaded Holy Land was *completely* glossed over as if they had always been there. And this was 35 years ago in a sectarian school with no Anti-Christian bias.

Likewise the Eeeevils of the Iberian Reconquista.

Thus, I'm betting that most everyone else in the US was not taught the same things.

Re:Don't hide information. (2)

Jah-Wren Ryel (80510) | more than 2 years ago | (#37657428)

But I do know that while in school the evils of the Christian Crusaders was repeated many times, while even the very *fact* that Muslims invaded Holy Land was *completely* glossed over as if they had always been there. And this was 35 years ago in a sectarian school with no Anti-Christian bias.

What you are describing is actually a pro-christian bias.
Since pretty much everything the muslims did is left out of high-school history courses that really shouldn't be much of a surprise.

Re:Don't hide information. (1)

Nutria (679911) | more than 2 years ago | (#37657522)

What you are describing is actually a pro-christian bias.

Eurocentric, not pro-Christian.

Re:Don't hide information. (1)

ganjadude (952775) | more than 2 years ago | (#37658974)

Exactly true. I graduated high school in 2003, and I remember all we were taught was the Ottoman Empire took over a lot of land. It took research on my own to find out that the Ottoman Empire was the Muslim crusaders. However they always pointed out the evils of the Christian crusaders without hesitation.

Re:Don't hide information. (1)

Anonymous Coward | more than 2 years ago | (#37657074)

If you worry that some nuclear designs leak out, what about not creating them in the first place?

Yes! And then we can all ride rainbow unicorns to the land at the end of the rainbow and eat candy and play with kittens! I think you should run for President of the World, Mr. tech4; your intellect is so brilliant, your insight so stunning, you just made me spunk.

Re:Don't hide information. (2)

DarwinSurvivor (1752106) | more than 2 years ago | (#37657484)

Right, because spies only kill people. There is no way they could be monitoring hostile countries to ensure *they* aren't planning to kill people. And while we're at it, let's just publish the full list of names and locations of everyone in witness protection, they're all criminals anyways. As a show of good faith, why don't you post your full name, date of birth, mother's maiden name, current place of residence, credit card number and annual income? It's not like the government is keeping any of THAT data secret for you.

I find it absolutely stupid when people chant "Secrets are bad, mmmkay" while using an online pseudonym.

Re:Don't hide information. (1)

hairyfeet (841228) | more than 2 years ago | (#37658062)

Would you have been happier if American soldiers in the Pacific were having to gut little kids and ended up shell shocked? Try looking up "The World At War: Japan 1941-45" and see for yourself, they have film footage of the Japanese training little girls with bamboo spears and it is pretty common knowledge that even AFTER dropping two bombs upon them the high command had to broadcast the surrender in BOTH English AND Morse Code because there were a couple of Army Generals that tried to take over the radio station and broadcast they were gonna fight to the last Japanese!

The US has a lot of things they did wrong but I'd say dropping the bombs is not among them. Look at the footage of Saipan, of Iwo Jima, when there was NO hope of victory, no hope of even a draw they still fought on.

Re:Don't hide information. (1)

MightyYar (622222) | more than 2 years ago | (#37658128)

It just shows that these secrets are used for evil and bad things, for murdering people.

Secrets are important for defense as well. Even if the US were to completely abandon a foreign intelligence service, there would still need to be counter-intelligence services. And those activities and such would be necessarily secret. Or forget foreign interaction altogether. An ongoing corruption investigation needs to be secret. Wiretapping of a mob boss needs to be secret. The President's schedule details often need to be secret. Many, many, completely legitimate government functions need to be secret.

At least Buddhism teaches real things, real values and there's no imaginary persons, as Buddha himself has actually lived.

Right, and Buddhists have never fought any wars. And they don't keep secrets. And they never get all authoritarian or anything like that. BTW, Jesus was also a real guy. So was Mohammad. Buddha may have "actually lived", but the first written account of his life seems to have occurred hundreds of years after his death. And this written account includes Buddha being advised by invisible men.

Re:Don't hide information. (1, Offtopic)

Doc Ruby (173196) | more than 2 years ago | (#37656848)

Actual secrets of military technology are legitimate secrets, as long as the military secrets are being overseen by competent people with power independent of the military - who are themselves catchable when they're corrupt.

But the problem isn't this secret. It's the vast abundance of secrets in governments like the UK's. Some percentage of secrets are going to be divulged when they shouldn't. Having millions of secrets means that percentage results in a lot of divulged secrets.

Perhaps the large number of secrets that are worthless, or are secret only to protect someone who did something wrong rather than to protect the country, means that most divulged secrets harm no one - or harm people who did wrong. But the large number of secrets makes the percentage divulged increase. Especially when the worthless ones divulged get everyone used to divulging secrets. Then the percentage goes way up. And the secrets worth keeping do a lot of damage.

Proper management calls for reducing the amount of secrets to the minimum. This is a fundamental principle known to any competent info security professional, and to many amateurs - in any field. But governments keep increasing their trove of secrets. Mostly because governments keep increasing the number of things they do wrong. And keeping too many secrets, many (if not most) of them worthless or even beneficial to reveal, is just one of the things they're doing wrong.

It's the worst kept secret in the secrecy business.

Re:Don't hide information. (1)

That Guy From Mrktng (2274712) | more than 2 years ago | (#37656936)

Information wants to be leaked.

Really, who can tell if they didn't want this to be leaked? This is probably a disinformation gig, because such a screw-up is just too lame to have happened at such a level, I mean, you can do it like it should be done in effing MS Paint.

Re:Don't hide information. (1)

Pieroxy (222434) | more than 2 years ago | (#37657388)

This is probably a disinformation gig, because such a screw-up is just too lame to have happened at such a level

The higher the level, the stupider the screwup, especially a tech one. That's because the higher the level, the higher the n00bness.

Re:Don't hide information. (2)

MightyYar (622222) | more than 2 years ago | (#37658012)

That's perhaps one of the most naive things I've ever heard. If it came from a child, it would be adorable.

At least consistent (2)

gweihir (88907) | more than 2 years ago | (#37656718)

At least they are consistent in hiring incompetent amateurs to do important work.

Re:At least consistent (0)

Anonymous Coward | more than 2 years ago | (#37656770)

Well, at least they have moved past putting white-out on the screen.

Re:At least consistent (0)

Anonymous Coward | more than 2 years ago | (#37656888)

I doubt they were employed based on ability. It's the UK.

Re:At least consistent (0)

Anonymous Coward | more than 2 years ago | (#37657914)

More likely than not, it is the same secretary who can't find the time for a computer literacy course because of the demand for the excellent blowjobs.

Who is in charge of redactions? (4, Insightful)

artor3 (1344997) | more than 2 years ago | (#37656724)

Seriously, this exact mistake seems to occur at least a couple times a year. You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

Re:Who is in charge of redactions? (0)

Anonymous Coward | more than 2 years ago | (#37656750)

Is there a technique that doesn't involve printing it out and scanning it back in? Removing text affects spacing. I'd be interested in knowing what the 'proper' way to do this is.

Re:Who is in charge of redactions? (2)

EdIII (1114411) | more than 2 years ago | (#37657024)

Use a PDF printer driver to print the document all over again. Export it out as a graphic and then put that up on the website.

Basically, there are quite a few different ways to change the elements in a PDF doc before publishing.

The largest problem is that PDF is so freaking complicated to the average person and it is not intuitive in the least that there would be data in the document not visible on the screen. You can embed entire books into an HTML document that don't get rendered in the browser, but the data is still there isn't it?

I'm a developer and using documentation on how to construct PDF documents and spreadsheets for data exports can be fairly complicated and look like complete gibberish to anyone walking by. Not to mention how many different versions and formats there are for documents to begin with.

If you are not an "IT person" the safest, and most assured way, to be completely certain that the document on your screen is what gets sent to the recipient is to print it out and scan it back in. The method I mentioned first is a compromise, but you can be fairly certain that everything is rendered as a graphic in the printer driver before it gets printed back into a document.

Your technique, although inefficient and a blunt instrument, is actually the best one there is if you are that concerned about security.

Re:Who is in charge of redactions? (1)

Anonymous Coward | more than 2 years ago | (#37657330)

Well Adobe PDF Pro has built in redaction tools. Redact, select, save. Can't make it much simpler than that.

Re:Who is in charge of redactions? (1)

mlts (1038732) | more than 2 years ago | (#37658380)

Acrobat has a built in redaction mechanism, as of 3 years ago. It isn't just a black bar over text which is how some places used to do redactions... it actually destroys all that is under it, be it text or graphics. Once the document is resaved, the changes are permanent (no undo available, etc.)

There is just no excuse for improper redactions. It is built into Acrobat, as well as WordPerfect. Word, you install an add-on so you get non-undoable black boxes where the juicy info used to be.

Re:Who is in charge of redactions? (1)

BradleyUffner (103496) | more than 2 years ago | (#37656966)

Seriously, this exact mistake seems to occur at least a couple times a year. You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

It occurs enough that I'm surprised the PDF companies haven't added a check to detect when the same background and foreground colors are used so that a warning can be displayed.

Re:Who is in charge of redactions? (0)

Anonymous Coward | more than 2 years ago | (#37657332)

Nobody reads warnings.

Re:Who is in charge of redactions? (0)

Anonymous Coward | more than 2 years ago | (#37657410)

Similar.... a slight variation and you'd have a problem too. The eye won't pick up slight variations.
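A pre-publication check along the lines suggested a few comments up (flag text whose colour matches its background), tolerant of the slight colour variation raised in the comment just above; it is an added illustration, not code from any commenter or PDF vendor. It goes one step further and also flags text sitting under a rectangle painted later (the black-bar case). It assumes an already-decompressed page content stream, untransformed coordinates and literal strings; `SAMPLE_STREAM`, `scan` and `find_hidden_text` are names made up for this example.

```python
import re

# Constructed, uncompressed page content stream; not taken from any real document.
SAMPLE_STREAM = rb"""
BT /F1 12 Tf 0 0 0 rg 72 720 Td (Radar coverage summary) Tj ET
0 0 0 rg 72 690 300 16 re f
BT /F1 12 Tf 0.02 0.02 0.02 rg 76 694 Td (SAMPLE-SECRET range 123 km) Tj ET
BT /F1 12 Tf 0 0 0 rg 72 660 Td (SAMPLE-SECRET site Alpha) Tj ET
0 0 0 rg 70 656 200 16 re f
BT /F1 12 Tf 0 0 0 rg 72 630 Td (Unclassified closing line) Tj ET
"""

# Literal strings (no nested parentheses), array brackets, names, then numbers/operators.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|\[|\]|/[^\s\[\]()/<>]+|[^\s\[\]()/]+")
NUMBER = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}   # operators that paint the path interior
PATH_END_OPS = {"n", "S", "s"}                      # operators that end a path without filling


def _num(tok):
    return float(tok.decode("ascii")) if NUMBER.fullmatch(tok) else None


def scan(stream):
    """Walk the operators, recording filled rectangles and shown text in paint order."""
    fill = (0.0, 0.0, 0.0)          # PDF's initial fill colour is black
    saved, operands, path = [], [], []
    rects, texts = [], []
    line = (0.0, 0.0)               # origin of the current text line
    for seq, match in enumerate(TOKEN.finditer(stream)):
        tok = match.group()
        if tok[:1] in b"(/[]" or _num(tok) is not None:
            operands.append(tok)    # operand: keep until its operator arrives
            continue
        op = tok.decode("latin-1")
        nums = [n for n in map(_num, operands) if n is not None]
        if op == "rg" and len(nums) >= 3:
            fill = tuple(nums[-3:])
        elif op == "g" and nums:
            fill = (nums[-1],) * 3
        elif op == "q":
            saved.append(fill)
        elif op == "Q" and saved:
            fill = saved.pop()
        elif op == "re" and len(nums) >= 4:
            x, y, w, h = nums[-4:]
            path.append((min(x, x + w), min(y, y + h), max(x, x + w), max(y, y + h)))
        elif op in FILL_OPS:
            rects += [(*r, fill, seq) for r in path]
            path = []
        elif op in PATH_END_OPS:
            path = []
        elif op == "BT":
            line = (0.0, 0.0)
        elif op in ("Td", "TD") and len(nums) >= 2:
            line = (line[0] + nums[-2], line[1] + nums[-1])
        elif op == "Tm" and len(nums) >= 6:
            line = (nums[-2], nums[-1])     # translation part only; scaling is ignored
        elif op in ("Tj", "TJ"):
            shown = "".join(t[1:-1].decode("latin-1") for t in operands if t[:1] == b"(")
            if shown:
                texts.append((line[0], line[1], fill, shown, seq))
        operands.clear()
    return rects, texts


def find_hidden_text(stream, tolerance=0.1):
    """Return (text, reason) for text that is invisible on the page but still in the file."""
    rects, texts = scan(stream)
    findings = []
    for x, y, colour, shown, tseq in texts:
        for x0, y0, x1, y1, rcolour, rseq in rects:
            if not (x0 <= x <= x1 and y0 <= y <= y1):
                continue
            if rseq > tseq:         # rectangle painted on top of earlier text
                findings.append((shown, "covered by later fill"))
                break
            if all(abs(a - b) <= tolerance for a, b in zip(colour, rcolour)):
                findings.append((shown, "same colour as background"))
                break
    return findings


if __name__ == "__main__":
    for text, reason in find_hidden_text(SAMPLE_STREAM):
        print(f"STILL EXTRACTABLE ({reason}): {text!r}")
```

An empty result is not proof that a redaction is sound: image overlays, OCR text layers, metadata and revision history are outside what this check looks at.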

Re:Who is in charge of redactions? (0)

Anonymous Coward | more than 2 years ago | (#37657712)

You would think that anyone with enough security clearance to make redactions would, I don't know, take a 4 hour training course on how to use MS Word? Do they hand this job off to interns, or what?

It was a PDF. Interns actually take the MS Word course.

Re:Who is in charge of redactions? (1)

NeoMorphy (576507) | more than 2 years ago | (#37658336)

Maybe they shouldn't even be using MS Word. There's a lot of silly ways one could leave information in a document after they thought they removed it. And even if they did everything correctly, a bug in MS Word could still leave it in. Oops, don't worry, just apply this update and that problem won't happen again.

Re:Who is in charge of redactions? (1)

Nehmo (757404) | more than 2 years ago | (#37658482)

... You would think that anyone with enough security clearance to make redactions would, ... take a 4 hour training course on how to use MS Word? ...

The documents at issue were PDFs, and Word doesn't edit PDFs. The source article suggests using the redaction features in Acrobat X [adobe.com].

Only safe way to do it... (1)

Frosty Piss (770223) | more than 2 years ago | (#37656736)

The only safe way to redact sensitive PDFs or Word (or other word-processing doc) is to black out the data, print it out, and rescan a hard-copy "original".

Re:Only safe way to do it... (3, Informative)

TheSpoom (715771) | more than 2 years ago | (#37656742)

Or, y'know, replace the text with "[redacted]". If you black out the text, you're still giving away information on its length.

Re:Only safe way to do it... (1)

MichaelKristopeit410 (2018830) | more than 2 years ago | (#37656776)

because, y'know, word and pdf file editors routinely save change information with the file... (as demanded by moronic users incapable of implementing their own "rollback" functionality outside of the file itself)... giving away information on the exact and total contents of the information.

you're an idiot.

Re:Only safe way to do it... (1)

TheSpoom (715771) | more than 2 years ago | (#37657240)

I wouldn't use Word were I working on a Secret or higher level document. See my sibling post for more details. I don't respond to ad hominem.

Re:Only safe way to do it... (1)

MichaelKristopeit412 (2018834) | more than 2 years ago | (#37657942)

PDF editors are much more notorious for providing in file rollback functionality than word editors.

you're an idiot.

see my original post for the exact same statement.

you're also an ignorant hypocrite... would you like to respond again to let me know you don't respond?

cower in my shadow some more behind your chosen singular determiner based pseudonym, feeb.

you are the completely pathetic.

Here I thought you had left us! (0)

Anonymous Coward | more than 2 years ago | (#37658868)

You 500+ Fucking Asshole Kristopeit!

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37658344)

I wouldn't use Word were I working on a Secret or higher level document.

LOL, you make it sound like you'd have a choice in the matter.

But I do agree replacing the text with "[redacted]" or something similar is probably the best way to go.

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37657128)

1. And how does that help if you have a need to show the non-redacted text in its original form?
2. You're suggesting telling an employee: "Just copy the information to Word, and replace the sensitive info with '[redacted]'. "? What could possibly go wrong?

I always love it when the snarky "y'know" is followed by pure stupidity.

Re:Only safe way to do it... (1)

TheSpoom (715771) | more than 2 years ago | (#37657216)

1. Produce the original.
2. I am? Where? Did I mention Word at all? (No.)

Were I in charge of such a division, I would have a process put in place to guarantee that no information that was redacted could be found in the redacted copy before it was released. But then, you're just looking for a way to feel superior.

Re:Only safe way to do it... (3, Informative)

wvmarle (1070040) | more than 2 years ago | (#37658552)

Indeed. There has been at least one story here on /. a few years ago detailing how in some cases the missing words could be recovered. In that case a document where place names (cities or countries, I forgot) were removed.

They were recovered by precisely measuring the distance between the non-blacked-out words, the size of the letters of the font used, and then mixing and matching until you found a word (name) that had the correct length in that font. Usually a few matches were found but from the context the correct one was easily deduced.

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37656812)

Errrrr, no it's not. You should replace the text with a fixed-width field, e.g. [ REMOVED ] and print that.
Otherwise spacing/kerning analysis etc. can be used to derive potential original text.

Re:Only safe way to do it... (1)

catmistake (814204) | more than 2 years ago | (#37656838)

The only safe way to redact sensitive PDFs or Word (or other word-processing doc) is to black out the data, print it out, and rescan a hard-copy "original".

With PDFs, at least, if you know PostScript, you can actually do it with a text editor, vi, nano, BBEdit, WordPad, etc. Even if you don't know PS, you could probably bumble your way through deleting content... and still be left with a file that opens, even if sort of broken. Your success would depend largely on the size of the document (shorter documents with fewer redactions would be easier to deal with, obviously) and how well you manually parse markup/code. This assumes that the content is not in image scans.... you go and delete the OCRed txt from scans, but not the scanned pages, that won't do much good.

Re:Only safe way to do it... (2)

leenks (906881) | more than 2 years ago | (#37657092)

Right. How many people on 15k a year know what Postscript is, let alone how to edit it?

Re:Only safe way to do it... (1)

Anonymous Coward | more than 2 years ago | (#37657130)

me

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37656894)

The only safe way to redact sensitive PDFs or Word (or other word-processing doc) is to black out the data, print it out, and rescan a hard-copy "original".

+1

Re:Only safe way to do it... (1)

unrtst (777550) | more than 2 years ago | (#37656940)

Huh!?!?!

As others have noted, you can just replace the text with "[redacted]", which also removes the length guessing.

Some people have noted some (ridiculous) concerns (like file formats storing changes, which could simply be disabled, and should be caught by the audit procedure afterwards - there is an audit, right?!?). So if you really want the print-out-and-scan-in type of dumbed down method, then:

* save to a bitmap or jpeg.
* black out the text in there ...no need for the useless media conversion (print/scan).

Re:Only safe way to do it... (1)

mgv (198488) | more than 2 years ago | (#37658622)

Huh!?!?!

As others have noted, you can just replace the text with "[redacted]", which also removes the length guessing.

Some people have noted some (ridiculous) concerns (like file formats storing changes, which could simply be disabled, and should be caught by the audit procedure afterwards - there is an audit, right?!?). So if you really want the print-out-and-scan-in type of dumbed down method, then:

* save to a bitmap or jpeg.
* black out the text in there ...no need for the useless media conversion (print/scan).

Of course, that only works if you turn "track changes" off in word... :)

Michael.

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37656950)

I'm told that either Adobe Reader or Acrobat actually have a button for doing proper redactions.

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37658040)

Acrobat has built in redaction functions. They are actually pretty good, can be automated and they prevent many common errors. However, I still receive PDFs with sections marked as redacted in the comments, but are not actually applied. Another is the OCR overlay is still there with the text because they just blacked out the image portion. The latest versions have prompts to do it properly, but you cannot fix stupid. (of course you say yes to remove information. That is the whole point of redactions!)

A good site I use whenever I have to do it: http://blogs.adobe.com/acrolaw/2010/06/ricks-guide-to-using-redaction-in-acrobat-x-pro/

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37658310)

http://blogs.adobe.com/acrolaw/2010/06/ricks-guide-to-using-redaction-in-acrobat-x-pro/

RTFA

Re:Only safe way to do it... (0)

Anonymous Coward | more than 2 years ago | (#37658444)

Acrobat includes tools to properly redact content, by removing any semblance of the bits, text, and information from the file. These issues are all caused because people are not using those tools.

Not again (1)

ColdWetDog (752185) | more than 2 years ago | (#37656738)

Really guys. Maybe you should outsource this.

Re:Not again (3, Insightful)

Doc Ruby (173196) | more than 2 years ago | (#37656876)

Because private businesses are competent? We read on Slashdot about their making this same mistake all the time. Why would some temp working for some defense contractor be any better? Especially when those temps are likely to be not just outsourced, but offshored? I can see plenty of, say, Pakistani office temps caring even less about protecting UK government secrets than their equivalent who is actually a citizen of the country at risk when the secret is divulged.

Re:Not again (1)

Richard_at_work (517087) | more than 2 years ago | (#37657014)

Ok then, how about the total opposite - one single department for the entire government which is responsible for releasing properly redacted documents, no other department is allowed to release redacted documents, everything has to pass through this single department...

Re:Not again (0)

Anonymous Coward | more than 2 years ago | (#37657156)

That just means all the incompetency will be centered in one department.

Because you wouldn't hire new people, you'd just move all redactors into one building. The incompetent redactors are still incompetent, they just now sit next to semicompetent ones they don't talk to or interact with.

You think reorganizing fixes things?

Re:Not again (2)

rtb61 (674572) | more than 2 years ago | (#37657494)

How about this. A judicial review, where each and every redaction must pass a court of law and fulfil firstly that the redaction would have no impact upon the next election and secondly the redaction is truly in the public interest and a date set for the release of the information contained in the redaction.

No government department should be entitled to keep secrets under its own authority without judicial review and where information was kept secret that would have an impact on the next election those persons should be charged with treason for attempting to pervert the course of democracy. After all that is the only acceptable reason for keeping secrets from the public, those secrets must be in the interests of protecting that democracy and never ever should those secrets instead be an attack on that democracy.

The funny thing is, Acrobat has a redaction tool (1)

Anonymous Coward | more than 2 years ago | (#37656782)

It takes 30 seconds searching help to find the correct way to redact text. Amazing how lazy people are sometimes.

Re:The funny thing is, Acrobat has a redaction too (2)

MicroSlut (2478760) | more than 2 years ago | (#37658450)

Only the Pro version of Acrobat has a redaction tool. I have the standard version and it's $150 more just to get the redaction tool.

Whiteout (2)

naroom (1560139) | more than 2 years ago | (#37656784)

Blacking out the secrets clearly isn't a good strategy.
Next time, they should just put whiteout on the screen to cover up the secret parts.

Re:Whiteout (2)

inviolet (797804) | more than 2 years ago | (#37657184)

Blacking out the secrets clearly isn't a good strategy. Next time, they should just put whiteout on the screen to cover up the secret parts.

Blacking out the secrets is excellent strategy if the data is actually misinformation.

The cheapest way to win an arms race is to trick your opponent into believing that you've got better gear, without actually wasting billions of dollars on said gear.

it's all the same root cause (0)

Anonymous Coward | more than 2 years ago | (#37656824)

Stuff like this, or all the people getting their machines jacked by malware, it's all the same root cause: people who have no understanding whatsoever of how computers work, and don't want to learn. You'd figure that here in 2011, computers are SUCH a key part of modern society that people would want to become competent at using them, but this does not appear to be the case.

Re:it's all the same root cause (1)

nurb432 (527695) | more than 2 years ago | (#37656904)

You could say the same about most any technology.

The simple fact is most people don't care how most things work, and in reality they shouldn't have to care. Computers are now a commodity appliance, not much different in concept than a toaster or TV, and should 'just work' until they die and then get replaced.

Re:it's all the same root cause (1)

McDutchie (151611) | more than 2 years ago | (#37657002)

The toaster or TV analogy only works for computers that are restricted to walled gardens, such as the iPad. A real computer is more analogous to a car. You have to know how to drive it in order to use it safely. You have to build up experience in order to use it effectively.

Re:it's all the same root cause (1)

nurb432 (527695) | more than 2 years ago | (#37657098)

Driving and understanding how it works for maintaining are 2 different things. Most take it somewhere to do the maintenance. By taking it to the 'service guy' you assume the car is mechanically safe to drive. The same should go for the computer.

You can safely drive a car and not even know how to put gas in it, let alone something more esoteric like a head gasket replacement.

Re:it's all the same root cause (1)

McDutchie (151611) | more than 2 years ago | (#37657354)

Yes, and? "Redacting" a PDF by changing the text colors is not a computer maintenance issue, it's a basic failure to understand the fundamentals of using a computer. It's the equivalent of driving into a house because you don't know how the steering wheel works.

Re:it's all the same root cause (1)

bmo (77928) | more than 2 years ago | (#37657016)

>and in reality they shouldn't have to care.

Having a working knowledge of how a car works sometimes means the difference between a thinner wallet and an empty wallet when dealing with a mechanic.

There is no excuse for stuff like this, and your assertion is stupid.

--
BMO

Re:it's all the same root cause (1)

marcosdumay (620877) | more than 2 years ago | (#37657820)

Well, I'd ask you to enumerate what other technologies are as central to daily life as computers, but you already did it. That saves time.

Next time I'm searching for a job I'll make sure to put "toaster expertise" in my CV.

Re:it's all the same root cause (2)

Alain Williams (2972) | more than 2 years ago | (#37657122)

Very true ... people are not taught how to use the computers, it is kind of assumed that they know. So they mess up. The MOD would never get someone to drive a truck without first sending them on an appropriate driving course, so why are computers that different?

Unless you TEACH people how to use the tools that you give them - you must expect them to use them poorly and occasionally screw up big time.

This is a management problem, but, as ever, they will blame it on some lowly paid, under-trained minion and sack them. The real culprits much further up the management chain will get away scot-free.

Re:it's all the same root cause (0)

Anonymous Coward | more than 2 years ago | (#37657148)

Most people have no interest in computers. Most people want to do what they worked to achieve qualifications in. For the most part, this does not include computers. Sure, they have to use them as part of their job and during degree/training/whatever, but that doesn't mean they have any interest in them.

For most admin staff, they use computers as a means to an end, not because they want to learn how they work. They are trained to use systems. They have no interest in learning how to black out text in a secure manner, or how to use computers in a secure manner. They just want to turn up to work, do a set of tasks, and return home just as they've always done.

Cheap labour comes at a cost.

A NSA approach (1)

Anonymous Coward | more than 2 years ago | (#37656942)

Consider "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word 2007 to PDF" at http://www.nsa.gov/ia/_files/support/I733-028R-2008.pdf

I just don't get this redaction thing (0)

Anonymous Coward | more than 2 years ago | (#37656946)

What's so hard about just... deleting the sensitive words?

Who cares about the formatting or not being able to see the words if they're not supposed to know? If it's a matter where someone has to put in a password to reveal the secret words, then... just send an encrypted file to a person securely without having to redact anything. Otherwise I don't see why there can't be two versions of the document. One that's hopefully secure enough to not get leaked out, and the redacted sensitive-info-deleted version for anybody else.

Re:I just don't get this redaction thing (1)

Nutria (679911) | more than 2 years ago | (#37657116)

Screws up pagination, image location, etc. That's my guess.

Re:I just don't get this redaction thing (1)

petermgreen (876956) | more than 2 years ago | (#37657612)

> What's so hard about just... deleting the sensitive words?

The trouble is if you simply delete text from a word processor document you are likely to change the formatting and pagination. This can be an issue for two reasons:

1: Page numbers are often used to make references to a document and therefore it may be important that they match between the unredacted and the redacted versions.
2: Depending on how the original author formatted images, tables etc they may end up in a jumbled mess when the word processor reflows the text.

So people black stuff out rather than removing it. This was fine in the days when the document released to the public was a printed document, but when the document released to the public is a PDF the original text can remain under the blacking out.

The correct thing to do of course is to remove the unwanted information and fix up the formatting and pagination (either by inserting dummy stuff or otherwise). Then as a second line of defense run the tool in acrobat to check for "hidden text".

The difficult bit is explaining to non-technical users WHY this effort is necessary and making sure that they actually do it. Especially when PDF has built-in protection features that give people a false sense of security.
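A pre-release check for the failure described in this thread, as an added example that is not part of any comment here: it walks a page content stream and reports strings that are still present but painted in the same colour as the fill beneath them, or covered by a fill drawn afterwards. The function name `find_hidden_text` and the sample stream are constructed for illustration, and the parser assumes an uncompressed stream using only the `rg`, `re`, `f`, `BT`, `Td` and `Tj` operators; real PDFs need a full parser that also handles compressed streams and coordinate transforms.

```python
import re
# Constructed sample: an uncompressed page content stream, not taken from any real file.
SAMPLE = """
1 1 1 rg 0 0 612 792 re f
0 0 0 rg
BT /F1 12 Tf 72 720 Td (Radar overview) Tj ET
72 696 300 16 re f
BT /F1 12 Tf 74 700 Td (CONSTRUCTED-SECRET-A) Tj ET
BT /F1 12 Tf 74 660 Td (CONSTRUCTED-SECRET-B) Tj ET
0 0 0 rg 72 656 300 16 re f
"""
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")

def find_hidden_text(stream):
    """Return [(text, reason)] for strings that are in the stream but not visible."""
    fill, pos = (0.0, 0.0, 0.0), (0.0, 0.0)      # PDF default fill colour is black
    stack, pending, rects, texts, order = [], [], [], [], 0
    for tok in TOKEN.findall(stream):
        if tok.startswith("("):
            stack.append(tok[1:-1])              # literal string operand
            continue
        if tok == "rg":                          # set RGB fill colour
            fill = tuple(float(v) for v in stack[-3:])
        elif tok == "re":                        # rectangle path: x y w h
            x, y, w, h = (float(v) for v in stack[-4:])
            pending.append((x, y, x + w, y + h))
        elif tok in ("f", "f*"):                 # fill the pending rectangles
            rects += [(order, r, fill) for r in pending]
            pending = []
        elif tok == "BT":                        # text object starts at the origin
            pos = (0.0, 0.0)
        elif tok == "Td":                        # move text position by tx ty
            pos = (pos[0] + float(stack[-2]), pos[1] + float(stack[-1]))
        elif tok == "Tj":                        # show a string at pos
            texts.append((order, stack[-1], pos, fill))
        else:
            stack.append(tok)                    # operand, or an operator we ignore
            continue
        stack, order = [], order + 1             # paint order of recognised operators
    findings = []
    for t_order, text, (x, y), colour in texts:
        cover = [(o, c) for o, (x0, y0, x1, y1), c in rects
                 if x0 <= x <= x1 and y0 <= y <= y1]
        below = [c for o, c in cover if o < t_order]
        if any(o > t_order for o, _ in cover):
            findings.append((text, "covered by a later fill"))
        elif below and below[-1] == colour:
            findings.append((text, "same colour as the fill beneath it"))
    return findings
```

Any finding means the string would still come out with copy-and-paste, so the document has been masked rather than redacted.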

Seriously, again? (1)

Thruen (753567) | more than 2 years ago | (#37656954)

Isn't this like the third or fourth time this has happened? I seem to recall both the FBI and TSA making the same mistake somewhat recently. At least within the last couple of years. I guess people can't learn from others' mistakes after all...

Re:Seriously, again? (1)

petermgreen (876956) | more than 2 years ago | (#37657236)

It's a fact of life that people will screw things up. You can attempt to reduce the number of screwups through training people, disciplining those that refuse to comply and reducing the number of people performing high risk tasks but it's almost impossible to reduce it to zero.

How many redacted documents do you think are released every year? Frankly I'm surprised we don't see stories like this far more often.

Dupe (0)

Anonymous Coward | more than 2 years ago | (#37656970)

Ha, when I started reading TFS, I thought to myself: "Damn, this is a pretty bad case of dupe!" Then I read:

> The incident is particularly embarrassing for the Ministry, as six months ago precisely the same security screw-up occurred — that time related to sensitive information about nuclear submarines.

So, the fault rests not with Slashdot but with the MoD after all ...

Re:Dupe (1)

PPH (736903) | more than 2 years ago | (#37657888)

We learn from our mistakes. That way when we make them again, we'll recognize them.

Again? (0)

Anonymous Coward | more than 2 years ago | (#37657050)

But they said lessons had been learned! And new procedures had been put in place! I'm shocked, just shocked...

Classification paranoia (5, Interesting)

Animats (122034) | more than 2 years ago | (#37657058)

Having worked in the classified world (pre 9/11), it was surprising how little military information was classified. The front-line military view of secrecy is that secrecy is a short-term thing. "Where the ship was last week is unclassified. Where the ship was yesterday is confidential. Where the ship is now is secret. Where the ship will be tomorrow is top secret." Sooner or later, if it matters, the enemy will find out what you're up to. Preferably when your attack hits them.

On the other hand, what your troops, ships and planes can do is generally well known. Too many people have to know. Secret capabilities do exist, but, again, they're time-sensitive. Eventually you have to use the secret weapon, after which it's no longer secret.

Vulnerabilities are more of a problem. The U.S. Army tried to keep secret the vulnerable spots on an M-1 Abrams tank. But once Iraqi insurgents had found the places on the turret ring to aim at, trying to suppress the pictures of the damage was sort of stupid.

When planning proposals, we estimated that running a project at SECRET doubled the cost, and running at TOP SECRET quadrupled it. (The clearance process takes many months, the physical security is expensive and slows you down, and worst of all, the people who spend too much time in classified tanks get out of touch technically.) The intel community was willing to pay that price - the military, not so much.

What morons (1)

rapidreload (2476516) | more than 2 years ago | (#37657302)

I mean really. Adobe Acrobat has an easy to use Redaction tool specifically designed for this sort of thing. Not only does it properly black out and remove the text underneath, it can also scrub the removed data from the PDF so that some smart fellow cannot undelete the contents. It's really not hard at all... unless of course you're paying peanuts to someone who doesn't give a shit about doing things correctly and instead just wants to give the impression of having done the job.

"Looks good to me" doesn't work in security (2)

starfishsystems (834319) | more than 2 years ago | (#37657394)

Bruce Schneier said it best:

The problem with bad security is that it looks just like good security.

In this respect, the problem comes down to incompetence at some point in the chain of command, and (by transitive closure) lack of effective oversight at all points above that one. But that's not an excuse, just a description of the pathology.

Sorry, funniest thing I read for a Monday morning (1)

bgibby9 (614547) | more than 2 years ago | (#37658188)

Poor receptionist is all I can say. She was trying to do her best but didn't know any better! Shame on them!

Maybe this was intentional? (1)

GoodnaGuy (1861652) | more than 2 years ago | (#37658890)

This seems such an elementary mistake that I tend to believe it isn't a mistake. Most people like to believe that their governments and security agencies are incompetent, so they easily believe the obvious explanation as it fits their view of the world. Maybe someone in the MOD wanted this information known. What was in the hidden information anyway?