Online Document Search Reveals Secrets

An anonymous reader writes "New Scientist is reporting that many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher. Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques." Update: 08/16 19:06 GMT by H : The story is originally from Crypto-gram, not New Scientist.

Nothing New

[JRHelgeson]

Just go into the document properties section. This is why I publish everything to Adobe Acrobat before posting online.

Prediction

[JessLeah]

This will become a common way for 'big' corps to spy on 'small' corps (and individual users?), to find new ways to both screw them over, and appear 'omniscient'. They'll never (or rarely) get called on it. Meanwhile, anyone who tries to reveal information discovered in this way which is incriminating towards said big corps will get sued for being "hackers" and/or "terrorists".

It's been said hundreds if not thousands of times:

[NightSpots]

It doesn't matter how good your corporate security is if you don't train your users (including managers) in basic security practices.

Lots of people put sensitive documents in public webspace, primarily because they don't know any better. Eventually the cost-benefit analysis will be done, and corporations will pay to have their users trained. Until then, this type of thing will continue to happen.

Re:It's been said hundreds if not thousands of tim

[TMB]

Sure, but they point they're making is that it's not intuitively obvious to most people that there could be text in a Word document other than what appears.

So a relatively security-conscious person who just doesn't know anything about Word file formats could easily publish something online on purpose without knowing that there is (invisible) sensitive information in it, even if they'd never put that information in a public place on purpose.

[TMB]

Re:Prediction

[TopShelf]

This is "Insightful"??? Yeesh!

I had no idea that the sloppy handling of non-displayed data in output files (not just Word, mind you), and their publication on the web was actually Another Way For The Man To Keep Us Down...

Re:WHAT?!??

[zedmelon]

"You only have the convenience while the file is open. If you could undo after you re-opened a file, these "hidden secrets" wouldn't be hidden at all!"

Exactly. I knew that to begin with, but I did it and then vi'd the file to confirm. If I delete text from a document, that means I don't want that text in the document. Neil Laver says "...hidden information can "incredibly useful" in improving the functionality of the software."

So my main point is, if I am being supposedly CONVENIENCED by this "feature," HOW is the software helping me by storing these things in my document?

OH NO!

[SatanicPuppy]

NOT MY PERSONAL INFO! NOOOOOOOOO!

This isn't just nothing new, it's old news. Wasn't this how they caught the guy who wrote the melissa virus? When that little popup window from MS Office came up asking for their personal info, did they just think Office was trying to get to know them better, in order to be their friend?

It's just silly pressmongering. Those dumbasses have to come up with a terrifying computer factoid every day, or the ignorant compu-phobes they prey on might come to their senses.

Just my opinion.

Re:crypto

[randyest]

Well, not sure about what the OP through was funny, but I sure do think this is, from the article:

"It is feasible that an individual may include their social security number on copies of a resume sent to prospective employers, but delete it from the version put online to guard against identify theft," Byers writes.

Who in their right mind puts their SSN in any version of a resume??!

I hate to state the obvious but,

[pair-a-noyd]

how many incidents will it take before people realize that ALL Microsoft products are insecure?

What will it take? What happens when a script kiddie hacks a hospital and shuts down the life support systems in ICU? Or just juggles the meds for the patients so that everyone in the hospital gets the wrong meds?

Or perhaps they glitch the Air Traffic Control system and airplanes rain down from the sky and tens or hundreds of thousands of people die??

Before the last war in Iraq started they showed the "state of the art" US command center just across the border in a big tent.

Tens of dozens or more, soldiers and dozens upon dozens of PC's. You could clearly see on the displays that they were *ALL* running Windows.

I though, "Oh shit, the security of this country is being placed in the trust of the worst product ever..."

Those PC's I saw were NOT Tempest, for one, and then add the Windows factor in plus the state of war and you're asking for serious trouble.

Windows will at some point cause a massive catastrophe and cause great loss of life and property. You can bet on it.

This country is far too dependent upon computers to operate. When the computer goes down, well, sit on your hands for awhile...
I remember the days before computers, everyone got things done just fine. Now no one knows how to function without them..

Re:Prediction

[Spunk]

You don't think that it's possible?

I recall an article (possibly here) about companies using this "feature" on job applicants to read what was in previous versions. For example, you overwrite this letter

Dear IBM,

Thanks for the Linux job offer. Gimme $60,000 and I'm yours.
Love, Spunk

with

Dear Microsoft,

You guys are the best. I'll take that C# coder job for $70,000.
Love, Spunk

It would be easy for MS to see that you are asking IBM for $10,000 less. Letter-writing skills notwithstanding, I don't expect this would help your negotiating position.

Re:Why Word Does This

[Psychic Burrito]

What I don't understand is why Microsoft even does this distinction between fast and full save when it would be possible to create a single save mode that is both fast and full, bear with me for a moment:

At the moment the user hits "save", "fast save" is faster because Word doesn't has to do any re-interpreting of what is already in memory. This step is what makes full save slower. But the re-interpreting doesn't has to happen at the moment the user hits "save", it can happen all the time while the user is editing his document. During editing, the performance of the machine is largely unused anyway. And when the user hits "save" in this better version of Word, the application can just save the interpreted data to disk, which is even faster than "fast save", since it's less data!

Any comments? Thanks! :-)