Online Document Search Reveals Secrets

simoniker posted more than 11 years ago | from the when-is-delete-not-delete? dept.

Privacy 271

An anonymous reader writes "New Scientist is reporting that many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher. Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques." Update: 08/16 19:06 GMT by H : The story is originally from Crypto-gram, not New Scientist.


crypto (1, Informative)

Feyr (449684) | more than 11 years ago | (#6708172)

funny how the latest cryptogram treats of exactly the same subject, i just received it an hour ago

http://www.schneier.com/crypto-gram.html

Re:crypto (1)

peculiarmethod (301094) | more than 11 years ago | (#6708182)

why exactly is that funny, again?

p

Re:crypto (4, Funny)

xv4n (639231) | more than 11 years ago | (#6708242)

No one can tell, man. That post is encrypted in itself.

I'm seeing a weird problem... (0)

Anonymous Coward | more than 11 years ago | (#6708301)

I think it might be a new virus attack.

It seems that goatse [goatse.cx] is down.

Can anyone check to see if it's still working?

thx!

Re:I'm seeing a weird problem... (-1)

handybundler (232934) | more than 11 years ago | (#6708352)

yep, goatse is definitely down. here is a mirror [klerck.org] .

Re:I'm seeing a weird problem... (0)

Anonymous Coward | more than 11 years ago | (#6708403)

It is not down! I have been reloading it, just to make sure. I IM it to all my friends, and they all can see it... are you sure there is a problem with goatse or with your computer? Let me check once more... yep, it is online. Once more... yep! online!

Re:crypto (2, Insightful)

randyest (589159) | more than 11 years ago | (#6708380)

Well, not sure about what the OP thought was funny, but I sure do think this is, from the article:

"It is feasible that an individual may include their social security number on copies of a resume sent to prospective employers, but delete it from the version put online to guard against identify theft," Byers writes.

Who in their right mind puts their SSN in any version of a resume??!

in html (1)

SHEENmaster (581283) | more than 11 years ago | (#6708220)

http://www.schneier.com/crypto-gram.html [schneier.com]

To do this yourself, just type:
<a href="http://foo/">bar</a>

Re:in html (0, Offtopic)

Feyr (449684) | more than 11 years ago | (#6708237)

i know, i just don't care to provide clickable links.

besides, i DID get first post didn't i? :)

Re:in html (1)

zedmelon (583487) | more than 11 years ago | (#6708262)

Heheh, yeah, and you probably oughta send an apology to the admins at schneier.com. I just subscribed to their newsletter with a sendmail -v and watched the progress, and it was S-L-O-W.
;)

Fire when ready.
Slashdotting in progress, sir.

Re:crypto (1)

broken.data (603253) | more than 11 years ago | (#6708252)

Funny.. the article f*cking says that!!!

Oh wait.. this is /.

Re:crypto (1)

jovlinger (55075) | more than 11 years ago | (#6708391)

cryptogram-filter

3y3 p0st pr3tty (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708173)

0h s0 pr3tty.. 3y3 p0st pr3tty.. and f1st p0st.. 0h y4y!!#^! and 3y3 f33l l1k3 3y3'm f1r4st p0sting 2day!#^!^

I HAVE A HAIRY SWEATY BALLSACK, JA? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708175)

JA. IT SMELLS OF PRAWNS. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708215)

OR WET CAT FOOD, YOU SICK FUCK (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708303)

Re:OR WET CAT FOOD, YOU SICK FUCK (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708330)

IT SMELLS LIKE HAM AND FEET

Nothing New (4, Insightful)

JRHelgeson (576325) | more than 11 years ago | (#6708181)

Just go into the document properties section. This is why I publish everything to Adobe Acrobat before posting online.

Re:Nothing New (4, Informative)

Sky-217 (44374) | more than 11 years ago | (#6708217)

In the article they mentioned that this applies to pdf files too...

"For example, in 2002 the Washington Post published a version of a letter sent by the Washington sniper in Adobe PDF format. Names and telephone numbers were visibly blacked out, but still found embedded in the file."

Re:Nothing New (4, Funny)

Frymaster (171343) | more than 11 years ago | (#6708293)

In the article they mentioned that this applies to pdf files too...

which is why you should use latex [acm.org] ! nobody understands that stuff. security through obscurity!

Re:Nothing New (5, Informative)

gblues (90260) | more than 11 years ago | (#6708427)

That is because the people who published the PDF were idiots.

Acrobat has a number of commenting tools. What the Washington Post staff did in that case was use the Highlight tool, set the color to black, and use it to draw over the names.

Only problem? The highlighter is an object that is drawn on top of the text object it is attached to. The underlying text is not modified at all. In fact, if you watch closely, you can see the name for a split second before the renderer draws the highlights.

If the Washington Post had used the TouchUp Text tool to delete the names, the information would not have been leaked.

Nathan
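The failure described in the comment above can be checked for before a PDF is published. This is an added example, not code from the thread or from Acrobat: it builds a constructed PDF-like sample in which a black Highlight annotation sits over text, then shows the text is still in the page content stream. The names `build_sample_pdf`, `page_text` and `audit_redaction` are hypothetical, and the parser assumes text stored as literal strings in uncompressed or Flate-compressed streams.

```python
import re
import zlib


def build_sample_pdf():
    """Constructed, minimal PDF-like bytes: page text plus a black highlight."""
    content = b"BT /F1 12 Tf 72 700 Td (Contact: ) Tj (J. Example 555-0100) Tj ET"
    packed = zlib.compress(content)
    return b"".join([
        b"%PDF-1.4\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\n" % len(packed),
        b"stream\n", packed, b"\nendstream\nendobj\n",
        # The "redaction": an annotation object drawn over the text.
        # Nothing in object 4 (the text itself) is changed by it.
        b"5 0 obj\n<< /Type /Annot /Subtype /Highlight /C [0 0 0]",
        b" /Rect [125 695 260 712] >>\nendobj\n",
        b"%%EOF\n",
    ])


STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")   # (literal string) operands
HIGHLIGHT = re.compile(rb"/Subtype\s*/Highlight\b")


def page_text(pdf):
    """Concatenate literal strings found in every content stream."""
    chunks = []
    for match in STREAM.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            body = zlib.decompressobj().decompress(raw)
        except zlib.error:
            body = raw  # stream was not Flate-compressed
        chunks.extend(s.decode("latin-1") for s in LITERAL.findall(body))
    return "".join(chunks)


def audit_redaction(pdf, terms):
    """Report highlight annotations and any 'redacted' terms still stored."""
    text = page_text(pdf).lower()
    return {
        "highlights": len(HIGHLIGHT.findall(pdf)),
        "still_present": [t for t in terms if t.lower() in text],
    }


if __name__ == "__main__":
    report = audit_redaction(build_sample_pdf(), ["J. Example", "555-0100"])
    print(report)
```

A non-empty `still_present` list together with a non-zero `highlights` count is the pattern the comment describes: the cover was added, the text was never removed.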

Re:Nothing New (1)

I8TheWorm (645702) | more than 11 years ago | (#6708290)

Of course, that makes the text unsearchable by google.

eh? (2, Interesting)

DrSkwid (118965) | more than 11 years ago | (#6708320)

google indexed PDF documents, it even turns them into HTML

of course you could always try http://searchpdf.adobe.com/

Now there's a way to search through more than a million summaries of Adobe(R) Portable Document Format (PDF) files on the Web. Your search results will allow you to see the summaries before deciding to view the original Adobe PDF.

Re:eh? (1)

I8TheWorm (645702) | more than 11 years ago | (#6708328)

Crap! Maybe I should use google more often then.

Re:eh? (1)

DrSkwid (118965) | more than 11 years ago | (#6708385)

once would work

8)

Re:Nothing New (1)

rf0 (159958) | more than 11 years ago | (#6708300)

cat filename | strings.

Edit in vi
Run over custom script to add basic HTML

Works for me

or Just use LaTeX

Rus

OH NO! (2, Insightful)

SatanicPuppy (611928) | more than 11 years ago | (#6708341)

NOT MY PERSONAL INFO! NOOOOOOOOO!

This isn't just nothing new, it's old news. Wasn't this how they caught the guy who wrote the melissa virus? When that little popup window from MS Office came up asking for their personal info, did they just think Office was trying to get to know them better, in order to be their friend?

It's just silly pressmongering. Those dumbasses have to come up with a terrifying computer factoid every day, or the ignorant compu-phobes they prey on might come to their senses.

Just my opinion.

WHERE ARE THE WMD'S (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708184)

How many people must die before we hold Dubya accountable?

Niger uranium...lies
WMD's...lies or at least heavily exaggerated
OIL..Dick's companies are pumping plenty.
Average Iraqi quality of life vs. before saddam..About the same, except they had reliable water and electricity before

Average of one US soldier getting killed per day, many more wounded.

Re:WHERE ARE THE WMD'S (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708374)

Dubya will never be held accountable because he makes his primitive followers feel proud. Face it:

  • Liberating poor countries of their oil is cool. It makes citizens with a low self-esteem feel like THEY PERSONALLY rule the world.
  • Firing a few hundred missiles from a safe distance is very heroic.
  • All of the soldiers who killed their own comrades and allies were heroes.
  • That blonde chick who failed her mission because she was too dumb to find her way is definitely a hero.
  • You don't need to be worth something to be accepted. You just need to wave a flag and shout "God bless America!"
  • Every failure can be a hero in Bush's America!
  • Seeing Dubya in a flight suit on board a carrier makes republicans shoot their load in seconds!
And as long as all of the above is true, the lies will go on.

*BSD is fucking DYING, OK??? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708187)

It is now official - Netcraft has confirmed: *BSD is dying

Yet another crippling bombshell hit the beleaguered *BSD community when IDC recently confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming hot on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by coming dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amazingkreskin.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

WHAT?!?? (5, Funny)

zedmelon (583487) | more than 11 years ago | (#6708189)

From the article:

  • "He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that it isn't distributed where it shouldn't be," he says."

I just created a Word document, blah.doc and put some text into it. I made sure I had a couple of undo points. I closed it and opened it back up, I couldn't undo SHIT. So where the hell am I being granted this mysterious "convenience?"

I know that the guy stressed the fact that Microsoft isn't alone in this distinction, but this is just another example of why Microsoft SUCKS.

I put the doc in a samba share and viewed it with vi. I found the path to the doc, the original name, my userid on my laptop, and the company name. All were hidden from the simple searches like this:

s.l.a.s.h.d.o.t...o.r.g

WTF?!?

Oh, WAIT a minute! This is also from the article:

  • "The next edition of Office 2003 will include tools that will allow users to remove personal information from a document. It will also include new "information rights management" that will let an author specify who can read or forward a document."

WHEW! I feel so much better. Please disregard the first six paragraphs. Thanks.

Re:WHAT?!?? (1)

zedmelon (583487) | more than 11 years ago | (#6708201)

And yes, I know. I'm a fucking idiot for assuming ANYTHING or taking anything for granted when it comes to good ol' Billy.

Re:WHAT?!?? (1)

brondsem (553348) | more than 11 years ago | (#6708260)

"He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that it isn't distributed where it shouldn't be," he says."
I just created a Word document, blah.doc and put some text into it. I made sure I had a couple of undo points. I closed it and opened it back up, I couldn't undo SHIT. So where the hell am I being granted this mysterious "convenience?"

You only have the convenience while the file is open. If you could undo after you re-opened a file, these "hidden secrets" wouldn't be hidden at all!

I put the doc in a samba share and viewed it with vi. I found the path to the doc, the original name, my userid on my laptop, and the company name. All were hidden from the simple searches like this:

s.l.a.s.h.d.o.t...o.r.g

It's probably unicode, which uses multi-byte characters, and vi displays each one separately.

Re:WHAT?!?? (5, Insightful)

zedmelon (583487) | more than 11 years ago | (#6708304)

"You only have the convenience while the file is open. If you could undo after you re-opened a file, these "hidden secrets" wouldn't be hidden at all!"

Exactly. I knew that to begin with, but I did it and then vi'd the file to confirm. If I delete text from a document, that means I don't want that text in the document. Neil Laver says "...hidden information can "incredibly useful" in improving the functionality of the software."

So my main point is, if I am being supposedly CONVENIENCED by this "feature," HOW is the software helping me by storing these things in my document?

Re:WHAT?!?? (1)

Koyaanisqatsi (581196) | more than 11 years ago | (#6708319)

All were hidden from the simple searches like this: s.l.a.s.h.d.o.t...o.r.g

It's not hidden. It's unicode (double-byte), just that;

Re:WHAT?!?? (5, Funny)

wortelslaai3434 (447900) | more than 11 years ago | (#6708332)

As a sidenote...

I. .t.h.i.n.k. .y.o.u.r. .s.e.e.i.n.g. .u.n.i.c.o.d.e. .t.e.x.t.

Re:WHAT?!?? (1)

zedmelon (583487) | more than 11 years ago | (#6708388)

MOD PARENT UP

pahahahah! That ruled!

Okay, no, I didn't know that was unicode, and I'm sure that security gurus will scoff at my use of the word "hidden," but what I meant by that is still true:

You can't just search for a string you're seeking. In vi, you can't go "/slashdot.org," because the string won't turn up.

Same thing in most apps, even if they WILL let the user search for "hidden text."
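The search problem discussed in this sub-thread, as an added example that is not part of any poster's comment: a pre-publication check that looks for a term, and lists printable strings, in both single-byte and UTF-16LE form, then reports whatever is stored in the file but absent from the text the author meant to publish. The sample bytes are constructed (not a real .doc), the function names are hypothetical, and only ASCII-range characters and little-endian UTF-16 are handled.

```python
import re

ENCODINGS = ("ascii", "utf-16-le")

# Constructed sample: visible body text stored single-byte, while the save
# path and a URL are stored as UTF-16LE (each character followed by a NUL),
# which is what shows up in vi as s.l.a.s.h.d.o.t...o.r.g
SAMPLE = b"".join([
    b"\x01\x02\x00\x00",
    b"Quarterly summary for publication.\x00\x00",
    "C:\\Users\\jdoe\\Drafts\\blah.doc".encode("utf-16-le"), b"\x00\x00",
    b"\x07\x01",
    "slashdot.org".encode("utf-16-le"), b"\x00\x00",
])


def find_term(data, term):
    """Return [(encoding, byte_offset), ...] for an ASCII term, any case."""
    haystack = data.lower()          # lowercases A-Z bytes, leaves NULs alone
    hits = []
    for enc in ENCODINGS:
        needle = term.lower().encode(enc)
        pos = haystack.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = haystack.find(needle, pos + 1)
    return hits


def extract_strings(data, min_len=4):
    """List printable runs in file order as (encoding, text)."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    found = []
    for enc, pattern in patterns.items():
        for match in re.finditer(pattern, data):
            found.append((match.start(), enc, match.group().decode(enc)))
    return [(enc, text) for _, enc, text in sorted(found)]


def unpublished_strings(data, visible_text):
    """Strings stored in the file that are not part of the visible text."""
    return [text for _, text in extract_strings(data)
            if text not in visible_text]


if __name__ == "__main__":
    print("naive byte search finds it:", b"slashdot.org" in SAMPLE)
    print("encoding-aware search:", find_term(SAMPLE, "slashdot.org"))
    for leftover in unpublished_strings(SAMPLE,
                                        "Quarterly summary for publication."):
        print("stored but not displayed:", leftover)
```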

Are you Gay? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708376)

Really I want to know. Do you get turned on by gerbils?

Re:Mleh (1)

shades66 (571498) | more than 11 years ago | (#6708397)

The next edition of Office 2003 will include tools that will allow users to remove personal information from a document. It will also include new "information rights management" that will let an author specify who can read or forward a document."

So microsoft are going to add tools to remove what shouldn't be there in the first place? Can't they just fix their software to not include it in the first place! What is next? INTERNET EXPLORER 2008 will have a new feature that allows the user to stop viruses being automatically executed. Order now at $399 to protect your computer from our shoddy software!

Re:flamebait ?!?? (1)

zedmelon (583487) | more than 11 years ago | (#6708433)

Kiss my ass. How is this flamebait?

Prediction (2, Insightful)

JessLeah (625838) | more than 11 years ago | (#6708190)

This will become a common way for 'big' corps to spy on 'small' corps (and individual users?), to find new ways to both screw them over, and appear 'omniscient'. They'll never (or rarely) get called on it. Meanwhile, anyone who tries to reveal information discovered in this way which is incriminating towards said big corps will get sued for being "hackers" and/or "terrorists".

Re:Prediction (2, Insightful)

TopShelf (92521) | more than 11 years ago | (#6708272)

This is "Insightful"??? Yeesh!

I had no idea that the sloppy handling of non-displayed data in output files (not just Word, mind you), and their publication on the web was actually Another Way For The Man To Keep Us Down...

It's been said hundreds if not thousands of times: (5, Insightful)

NightSpots (682462) | more than 11 years ago | (#6708192)

It doesn't matter how good your corporate security is if you don't train your users (including managers) in basic security practices.

Lots of people put sensitive documents in public webspace, primarily because they don't know any better. Eventually the cost-benefit analysis will be done, and corporations will pay to have their users trained. Until then, this type of thing will continue to happen.

Re:It's been said hundreds if not thousands of tim (5, Insightful)

TMB (70166) | more than 11 years ago | (#6708249)

Sure, but the point they're making is that it's not intuitively obvious to most people that there could be text in a Word document other than what appears.

So a relatively security-conscious person who just doesn't know anything about Word file formats could easily publish something online on purpose without knowing that there is (invisible) sensitive information in it, even if they'd never put that information in a public place on purpose.

[TMB]

P2P has been doing this for a long time (1)

genner (694963) | more than 11 years ago | (#6708194)

Idiotic use of P2P software has led to stuff like this more than once. People often overlook the document tab on Kazaa.

Re:P2P has been doing this for a long time (2, Interesting)

ComaVN (325750) | more than 11 years ago | (#6708231)

Indeed. Search for system.dat, user.dat or pwl on Kazaa, there are always some files found.

Although I cannot guess how many of those are honeypots.

Re:P2P has been doing this for a long time (1)

Chess_the_cat (653159) | more than 11 years ago | (#6708267)

Even better, search for *.eml.

Slow news day (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708196)

In related news, people die from snake poison. Avoid messing around with the snakes, more people die from being bit by a snake than by any other animal.

Anyone wants to guess what's the second most dangerous animal for human beings?

Re:Slow news day (1)

zcat_NZ (267672) | more than 11 years ago | (#6708307)

Anyone wants to guess what's the second most dangerous animal for human beings?

Other human beings?

Re:Slow news day (0)

Anonymous Coward | more than 11 years ago | (#6708314)

It's probably something like a jellyfish. But I'm going to guess that it's those vile bugs that live inside the beards of Linux Communist Hippies.

I thought this was common knowledge? (4, Interesting)

26199 (577806) | more than 11 years ago | (#6708198)

Well, it is amongst people who object to being mailed Word documents, anyway. They're just a really bad format for publishing information in.

See Richard Stallman's [gnu.org] 'no-word-attachments' article, for example...

Re:I thought this was common knowledge? (3, Interesting)

broken.data (603253) | more than 11 years ago | (#6708292)

This is not limited to Word. This trick has been around for ages with PDF and everything else I can think of.

Hell, this is how slashdot figured out that the Microsoft Switch [slashdot.org] was a fake.

Re:I thought this was common knowledge? (1)

worm eater (697149) | more than 11 years ago | (#6708353)

You can't count on anything being 'common knowledge' among many of today's office workers.

Example:
"My document won't open..."
"Type of file is it?"
"Huh?"
"Which application was the file made in?"
"Microsoft."
"Which Microsoft application?"
etc.

The user should be somewhat responsible for knowing how to use the machine, just like with any other machine. However, many of today's operating systems and applications were designed so that the user doesn't have to think or know about what they are doing. So be it. Who is going to think for them? Microsoft? Obviously in this case, Microsoft failed to think through what they were doing 'for the user.' This is a common problem with them... AutoCorrect in Word drives me nuts. I know I can turn that off, but many features like this cannot be turned off.

Re:I thought this was common knowledge? (2, Funny)

Aidtopia (667351) | more than 11 years ago | (#6708418)

My friend got so tired of people on his team sending him word docs, that he learned TeX and started sending his replies that way. When he feels really nasty about it, he sends the .dvi files.

An Important Question (3, Interesting)

linuxislandsucks (461335) | more than 11 years ago | (#6708206)

How many word processing programs do place hidden meta data within their formats?

For example does OpenOffice/StarOffice and other open source programs have the same security problem?

Repost for people without subscription (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708211)

Online document search reveals secrets

00:01 15 August 03

NewScientist.com news service

Many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher.

Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques.

Sophisticated editing programs will often store information in a document file that the end user will not see. Storing recently deleted text can, for example, make editing a more efficient process. But Byers says it could also expose unaware users to significant risks.

In his report, Byers suggests that a cock could anal-yse electronic documents to gather information that could help them carry out corporate espionage or steal someone else's identity to commit fraud.

"It is feasible that an individual may include their social security number on copies of a resume sent to prospective employers, but delete it from the version put online to guard against identify theft," Byers writes.

Random words

Using an ordinary online search engine and a random selection of keywords, Byers was able to find more than 100,000 Word documents including business documents and individual resumes. He chose to examine Word files because they are so common and stresses that other document formats can contain similar hidden information.

For example, in 2002 the Washington Post published a version of a letter sent by the Washington sniper in Adobe PDF format. Names and telephone numbers were visibly blacked out, but still found embedded in the file. However, Byers's new research reveals how widespread such problems could be.

After downloading the Word files, Byers used the free software tools "antiword" and "catdoc" to convert them to plain text. He then wrote a simple script to locate text that was not displayed in the original Word format. Byers discovered a wealth of deleted text and potentially sensitive information including people's names, email headers, network paths and text from related documents.

Bruce Schneier, of US security consultants Counterpane, discusses the research in the latest edition of his computer newsletter Crypto-Gram, published on Friday. He says it raises an important risk with using some document formats. "The worst is erased text," Schneier told New Scientist. "This has bitten people surprisingly often."

Blacked out

Neil Laver, UK group marketing manager for Microsoft Office products, says the software company is working to develop better ways for customers to ensure sensitive information is not inadvertently left in files.

He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that it isn't distributed where it shouldn't be," he says.

The next edition of Office 2003 will include tools that will allow users to remove personal information from a document. It will also include new "information rights management" that will let an author specify who can read or forward a document.

Other software programs can already be used to strip concealed text from documents. But Schneier says for the time being it may be best to convert documents to plain ASCII text before publishing online. "I don't know of any programs that effectively clean out the extra text," he says.

Byers' paper has been submitted for publication in the IEEE journal Security and Privacy.

nice subtle modification of the article (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708238)

He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that linux users can still suck cock and it isn't distributed where it shouldn't be," he says.

-1 Troll, -1 Overrated, -1 Redundant (-1, Offtopic)

zedmelon (583487) | more than 11 years ago | (#6708366)

Even without reading the above "Repost for people without subscription" post, I knew that the mod giving this an "informative" is an idiot.

Even WITH a subscription, you can't POST a comment until the article is made PUBLIC!

If this guy had been trying to HELP, he'd still be doing nothing productive.

-1, Troll! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708245)

Mods read the parent again slowly, then mod troll!

Re:Repost for people without subscription (-1)

Anonymous Coward | more than 11 years ago | (#6708251)

Erm? I didn't need a subscription to view the document....Maybe it's because I manually disable cookies for sites that I don't want to set them? At any rate, I was able to read the article without doing anything special.

Re:Repost for people without subscription (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708273)

Maybe it's because of your cookie settings, but probably it is because the parent was a TROLL. The mods don't really read things they mod, so TROLLs subtly (?) modify the content of the article. Hilarious.

Well... (3, Funny)

CGP314 (672613) | more than 11 years ago | (#6708218)

Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques.

Are you going to share that info or what?

Throw it up on freenet man!

infrastructure data? (2, Offtopic)

at_kernel_99 (659988) | more than 11 years ago | (#6708239)

An accomplished searcher can learn much about the world we live in, as slashdot reported some time ago [slashdot.org] .

An interesting reminder, to be sure, given yesterday's blackout [slashdot.org] .

Makes a guy wonder just how much is still available regarding key electrical and telephone infrastructure. Emergency power capabilities of broadcasters (radio, television, mobile phone). Gas lines, in the parts of the country that have them. Water systems. There's likely a bunch of data out there, ready to be mined.

LaTeX (4, Funny)

ParadigmLA (142734) | more than 11 years ago | (#6708240)

Everyone should just be forced to use LaTeX and then there won't be any hidden information. . .

Re:LaTeX (5, Funny)

GarvMaster (697978) | more than 11 years ago | (#6708342)

Because 99.9% of the world would go back to pen and paper

OMG (3, Funny)

Anonymous Coward | more than 11 years ago | (#6708248)

Stupid people messing stuff up? I'm SHOCKED!

How long until someone blames Microsoft, I wonder...

Here's An Idea (0)

msblaster.exe (698549) | more than 11 years ago | (#6708250)

Someone needs to script an open source program that searches for this information on the web. Could you imagine knowing all the financial information about microsoft. We could use this information against companies we don't like and the open source revolution will spawn to mass amounts.

True story. (4, Interesting)

oni (41625) | more than 11 years ago | (#6708256)

A sysadmin once sent me a form letter type thing with my new password in it. The username/password was a spreadsheet object and I was able to open it to see everyone's passwords. He changed them all when I pointed this out. BTW, why do people send email messages that just say "see attached file" and the attached file is a memo with some trivial content that could have been the text of the email??

Anyway, I have to admit that I was also burned by word. I was in the habit of opening the last memo I wrote from the recent documents list and using it as the starting point for newer ones. At some point, I put a bunch of policy statements on a CD and was later told that everyone was reading the hidden text. Doh!

This was back in the days of office 97 I believe. I'm not sure if Office 2k or XP still have this feature/bug.

Re:True story. (2, Informative)

DrSkwid (118965) | more than 11 years ago | (#6708343)

why do people send email messages that just say "see attached file"

because they select "send document" from the file menu and get a blank email with the document attached

Re:True story. (3, Interesting)

homer_ca (144738) | more than 11 years ago | (#6708399)

Saving Word to HTML gets rid of the hidden text, but it does still save Author information. I got this HTML spam where he saved a Word file to HTML and sent that as the message. Sure enough, the dumbass's real name was in the source as the author.

Re:True story. (1)

Li0n (110271) | more than 11 years ago | (#6708400)

Even worse is when people send me a 4 MB email because they attached a word document with a pasted BMP screenshot of a full 1280x1024 desktop to see the text "404 page not found".

Gibson's movie (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708258)

"We fully understand that the crucifixion is central to the belief of more than a billion Christians...the Jewish people are not yet again falsely singled out as being responsible for the death of Jesus," Hier concluded.

As a protestant Christian I find this argument absurd. Of course the jewish society of that time was responsible for the crucifixion of Jesus. How can you even claim something to the contrary? That's not to say that modern day jews should be blamed, but there's no doubt about it that without the pressure from the local jewish religious elite, the Romans would have never gone and crucified this man.

Dang... (4, Funny)

DarkBlackFox (643814) | more than 11 years ago | (#6708265)

Remind me not to save my important documents to C:\My Documents\Porn\Annual Budget Report.doc anymore.

Tools (1)

rf0 (159958) | more than 11 years ago | (#6708274)

See Google. It can read word/pdf etc. Sure there is a mountain of information there if you look

Rus

Job Recruiters (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6708280)

I have received two such word documents from two separate job recruiters. The actual companies looking for the employee were hidden in the document, as well as contact information for the person at the company. Screw the middle man.

their fucking spawn of satan track changes (0, Troll)

Unknown Poltroon (31628) | more than 11 years ago | (#6708283)

is probably what's doing this. GOD it sucks. They've managed to make it more confusing and less usable in XP than ever before. You ever tried to tell a user what to click on in a toolbar? WTF happened to putting the goddamn command in the toolbar???

What exactly's the big deal here? (0)

GillBates0 (664202) | more than 11 years ago | (#6708288)

Using an ordinary online search engine and a random selection of keywords, Byers was able to find more than 100,000 Word documents including business documents and individual resumes.

No really, what IS the big deal? So supposedly, he did an online search, and did some text-extraction from Word docs, which Google helpfully does for you anyway, and came up with some "secrets" which were published online anyway, thus contradicting the term itself. Google also indexes PDF, DOC, PPT and many other formats anyway.

Moreover, if the information was indexed, it was either put online intentionally (either because it wasn't secret data, or out of malicious intent), or unintentionally. The latter case was probably because of poor sysadmining/webmastering, which isn't a big secret anyway.

Sorry for the sorry rant, but it's yet another friday evening with nothing to do.

Re:What exactly's the big deal here? (1)

Li0n (110271) | more than 11 years ago | (#6708425)

It isn't the text but the metadata that this is all about.

For example, the article mentions the case of the Washington sniper. Some data of a published PDF was blacked out but if you opened the file in a text editor, you could still see the fields.

Helpful Hint (4, Funny)

cgreuter (82182) | more than 11 years ago | (#6708291)

Remember kids: strings is your friend. If you happen to get a job offer in the form of a Word document and the HR drone who sent it to you wasn't careful, you can often see the version that got sent to other candidates and, more importantly, how much money they were offered. It can do wonders for your bargaining position.

passwords.txt (1)

mindsuck (607395) | more than 11 years ago | (#6708299)

Oh, so I'm not supposed to save all my important passwords in plaintext in a clearly marked "passwords.txt" file in my webserver for easy access?

Oh damn.

Not just documents (3, Informative)

I8TheWorm (645702) | more than 11 years ago | (#6708308)

It doesn't pertain to just documents. I've seen code samples posted to sites like experts-exchange where DB connection strings still had UID and PW data in them. Seems people don't re-read before they post very often.

Clippy did it (5, Funny)

sbillard (568017) | more than 11 years ago | (#6708309)

It looks like you're trying to post a document on the web.
Would you like to...
1. Divulge corporate secrets?
2. List your passwords?
3. Remove KB823980 and open port 135?


It looks like you're trying to close Clippy.
Would you like to...
1. Shit in your hat?
2. Put fist through bling bling flat panel?
3. Go home for teh weekend?

google (0)

FFON (266696) | more than 11 years ago | (#6708327)

how did he get paid so much to his research?
i'm a doofus and came up with this search
"index of" secret .doc
google it baby [google.com]

Check this out... (4, Informative)

Geminatron (616988) | more than 11 years ago | (#6708329)

View some of the past word docs you've received in a hex editor...

Near the bottom there is often information from other documents of the sender that they were recently working on. I don't know why it saves this. Maybe something to do with the undo buffer?

At work I used to look at internal memos that would be sent out on a weekly basis and find out all sorts of other stuff that was going on.

Repost or just a big DUH! (0, Redundant)

jriskin (132491) | more than 11 years ago | (#6708334)

You mean word documents/[INSERT alternative MS product here] may contain crap you didn't think they did?! NO SH*T...

This has been a problem and reported for years now...

It's called Save As...

Oh? You say end users can't be trusted to understand technology and/or can't be trusted to dispose of or not reveal sensitive information? Another...DUH!

Hmm.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708337)

I've been doing a similar project myself. You might want to take a look at my Pillow Fight [nero-online.org] System.

WARNING! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6708351)

WARNING! The above link is a link to a shot from CmdrTaco's webcam after he apprently had sex with Kate Fent

Old News! (1)

ivanmarsh (634711) | more than 11 years ago | (#6708344)

The fact that MS "productivity" products store user information in the files they produce hit the news very shortly after MS Office '95 came out.

It seems no one much cared back then because MS has obviously left this serious security flaw in their software.

Imagine that?

Re:Old News! (1)

ivanmarsh (634711) | more than 11 years ago | (#6708368)

Thought I'd follow that up with a link from the horse's mouth:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnword2k2/html/odc_ProtectWord.asp

My 2c.. and a terrible pun. (4, Interesting)

zcat_NZ (267672) | more than 11 years ago | (#6708348)

It's only going to get worse; google's really expanded on the number of File types [google.com] it indexes and caches.

One of my clients was recently caught out when google indexed private metadata she didn't know was still there, so I can well understand the gravity [google.com] of this situation.

Basic programming techniques, eh? (1)

Xeth (614132) | more than 11 years ago | (#6708355)

Is that all it takes to hack into Microsoft's file servers anymore?

i have my own special program that does this... (4, Funny)

jkitchel (615599) | more than 11 years ago | (#6708357)


it's called http://www.google.com and you search by "top secret documents filetype:doc" [google.com] .

Is this news to anyone? (0)

Anonymous Coward | more than 11 years ago | (#6708365)

I mean, c'mon. Anyone with half a brain can open a M$ Word document in a plain text editor and without any work whatsoever find out what the SMB name of that computer is, on what drive the OS is installed, what printer and what the name of that printer is and so on and so forth.

If this is newsworthy, so is telling "If you press F3 in Explorer, or if you start DirectPlay, your computer will try to connect to Microsoft servers to do stuff behind your back".
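A pre-publication check along the lines of the strings and hex-editor comments above, as an added example that is not part of the thread: it pulls ASCII and UTF-16LE runs out of a document's raw bytes and flags drive paths and UNC machine/printer names so they can be cleaned out before the file is posted. The sample bytes, host name and paths are constructed, and the two patterns are illustrative assumptions, not a complete list.

```python
import re
import sys

MIN_LEN = 6  # shortest run worth reporting, like `strings -n 6`

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each byte followed by 0x00), which is how Word keeps much of its text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Illustrative leak patterns (assumptions, extend for your environment).
LEAKS = {
    "drive path": re.compile(r"[A-Za-z]:\\[\w .\\-]+"),
    "UNC name": re.compile(r"\\\\[\w.-]+\\[\w .$-]+"),
}

def extract_strings(blob: bytes) -> list:
    """Return readable runs found in raw bytes, in both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found

def audit(blob: bytes) -> list:
    """Return (label, value) pairs for every leak pattern that matches."""
    hits = []
    for text in extract_strings(blob):
        for label, pattern in LEAKS.items():
            hits += [(label, m.group().strip()) for m in pattern.finditer(text)]
    return hits

# Constructed sample: binary filler around text a reader would never see.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\x00\x01"
    + "Quarterly memo".encode("utf-16-le")
    + b"\x00\x00\x07\x00"
    + r"C:\My Documents\Drafts\Annual Budget Report.doc".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + rb"\\FINANCE-PC\HP LaserJet 4"
    + b"\x00\x01jsmith\x02"
)

if __name__ == "__main__":
    # Audit the file named on the command line, or the sample if none given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, value in audit(data):
        print(f"{label}: {value}")
```

A clean run prints nothing; any output is text that would travel with the file.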

It's easy... (4, Informative)

inertia@yahoo.com (156602) | more than 11 years ago | (#6708375)

This is the easy way:
"Index of" "Name Last modified Size Description"
Then you add file extensions or other things. For example:
  • mpg [google.com]
  • mov [google.com]
  • mp3 [google.com]
  • secret [google.com] - doesn't have to be file extensions...
  • "My Documents" [google.com] - yeah, that's secure...
  • etc
Anyway, as you can see, it's pretty effective. Sometimes admins wise up, and all you have is the Google cache. But sometimes they don't, and you get to look. Thanks Google!

I hate to state the obvious but, (2, Insightful)

pair-a-noyd (594371) | more than 11 years ago | (#6708382)

how many incidents will it take before people realize that ALL Microsoft products are insecure?

What will it take? What happens when a script kiddie hacks a hospital and shuts down the life support systems in ICU? Or just juggles the meds for the patients so that everyone in the hospital gets the wrong meds?

Or perhaps they glitch the Air Traffic Control system and airplanes rain down from the sky and tens or hundreds of thousands of people die??

Before the last war in Iraq started they showed the "state of the art" US command center just across the border in a big tent.

Tens of dozens or more, soldiers and dozens upon dozens of PC's. You could clearly see on the displays that they were *ALL* running Windows.

I thought, "Oh shit, the security of this country is being placed in the trust of the worst product ever..."

Those PC's I saw were NOT Tempest, for one, and then add the Windows factor in plus the state of war and you're asking for serious trouble.

Windows will at some point cause a massive catastrophe and cause great loss of life and property. You can bet on it.

This country is far too dependent upon computers to operate. When the computer goes down, well, sit on your hands for awhile...
I remember the days before computers, everyone got things done just fine. Now no one knows how to function without them..

Don't worry (2, Interesting)

ratfynk (456467) | more than 11 years ago | (#6708409)

Gates and co will take care of all your sensitive info, very soon. With the help of the DMCA Sen. Fritz and MS servers we all will be so secure that no one other than MS and the right Government agencies will be able to unlock your lock online .docs. So smarten up bow to Redmond and pay up suckers! It's upgrade or lose mania time again can your business not afford the wonderful new security that's coming? Good luck getting your secretaries to use anything other than MS orafice!

Update: Because he confessed... (1)

finallyHasANickname (559395) | more than 11 years ago | (#6708411)

...that he did that in public, a swarm of black helicopters arrived immediately in front of the laboratory. He was promptly hauled to jail for violating the DMCA.

At the courthouse, all people who use Google and who got caught were also standing in a queue to await indictment proceedings before a federal grand jury...

Microsoft blames the slowup on commodity protocols and recommends MS-Jailer 2.0 (just released) to speed up the whole process "with only one degree of separation".

Scott McNealy's face turned red, and he proclaimed, "Look. Those people are standing out there in the heat, which is about all you should expect with the power efficiency levels of throwback 32-bit CISC technology throwing the book at them and with Microsoft's jailing software countercompetitively tied to the kernel, which is in C++, not C, not Java, not standard, not open like..."

Another way to find "secret" data (4, Informative)

cnb (146606) | more than 11 years ago | (#6708412)

How many people actually protect their website
statistics?

Adding a simple /stat/ or /stats/ or a variation
with a combination of "web" or the name of any of
the common statistic generation programs gets you
access to the statistics of a *lot* of websites.

Then from the stats you could find any "hidden"
data which is not linked on the site including
internal company documents, girlfriend's nude
photos or mp3s.

Alternately you could just google for the
statistic reports of sites and get there
more easily.

This is another case of ill informed or lazy
users not following what should be a simple
security policy which could cause serious
repercussions.

For those who want to know how to protect
yourself, read this link [apache.org] .

Word documents are stupid. (1)

rice_burners_suck (243660) | more than 11 years ago | (#6708415)

This is WONDERFUL!!! This information should be pointed out to those annoying people who email you those annoying Microsoft Word documents, when the content could have been presented just as effectively (or more so) in plain ASCII text.

But instead of explaining it all technical and telling people how they can strip private information, you should use Microsoft's own techniques of FUD against them by telling people that Microsoft Word files contain all their private information and that information is gathered into a database by a ring of 1337 h4x0rz around the world, who then use the information to steal your credit card numbers.

People are so stupid that they will actually believe that.

you don't have to be a trained talknician (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6708432)

to smell which way the winds of change are bullowing.

is there any DOWt about the nefarious behaviors of the walking dead?

being as we're in this cesspool of whoreabull deceptive execrable together, shouldn't the increasingly popular planet/population rescue initiative, formerly unknown as the oil for babies mandate, take precedence?

it'll take quite a chunk of change (but little monIE) to disempower the unbridled/unprecedented evile that threatens to destroy the planet/population.

no problem. those fauxking thieving murderers best get ready to see the light, as their legacy will be that they were known as the walking dead, & did immeasurable damage to all of us, to satiate their whoreabully excessive, greed/fear based squanderage.

the lights are coming up now.

you can pretend all you want. our advise is to be as far away from the walking dead contingent as possible, when the big flash occurs. you wouldn't want to get any of that evile on you.

as to the free unlimited energy plan, as the lights come up, more&more folks will stop being misled into sucking up more&more of the infant killing barrolls of crudeness, & learn that it's more than ok to use newclear power generated by natural (hydro, solar, etc...) methods. of course more information about not wasting anything/behaving less frivolously is bound to show up, here&there.

cyphering how many babies it costs for a barroll of crudeness, we've decided to cut back, a lot, on wasteful things like giving monIE to felons, to help them destroy the planet/population.

no matter. the #1 task is planet/population rescue. the lights are coming up. we're in crisis mode. you can help.

the unlimited power (such as has never been seen before) is freely available to all, with the possible exception of the aforementioned walking dead.

consult with/trust in yOUR creator. more breathing. vote with yOUR wallet. seek others of non-aggressive intentions/behaviours. that's the spirit, moving you.

pay no heed/monIE to the greed/fear based walking dead.

each harmed innocent carries with it a bad toll. it will be repaid by you/us. the Godless felons will not be available to make reparations.

pay attention. that's definitely affordable, plus you might develop skills which could prevent you from being misled any further by phonIE ?pr? ?firm? generated misinformation.

good work so far. there's still much to be done. see you there. tell 'em robbIE.