Online Document Search Reveals Secrets

An anonymous reader writes "New Scientist is reporting that many documents published online may unintentionally reveal sensitive corporate or personal information, according to a US computer researcher. Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques." Update: 08/16 19:06 GMT by H : The story is originally from Crypto-gram, not New Scientist.

Nothing New

[JRHelgeson]

Just go into the document properties section. This is why I publish everything to Adobe Acrobat before posting online.

Re:Nothing New

[Sky-217]

In the article they mentioned that this applies to pdf files too...

"For example, in 2002 the Washington Post published a version of a letter sent by the Washington sniper in Adobe PDF format. Names and telephone numbers were visibly blacked out, but still found embedded in the file."

Re:Nothing New

[Frymaster]

In the article they mentioned that this applies to pdf files too...

which is why you should use latex [acm.org]! nobody understands that stuff. security through obscurity!

Re:Nothing New

[neitzsche]

That's overkill. How about

$ strings filename.doc

It works for me.

Re:Nothing New

[gblues]

That is because the people who published the PDF were idiots.

Acrobat has a number of commenting tools. What the Washington Post staff did in that case was use the Highlight tool, set the color to black, and use it to draw over the names.

Only problem? The highlighter is an object that is drawn on top of the text object it is attached to. The underlying text is not modified at all. In fact, if you watch closely, you can see the name for a split second before the renderer draws the highlights.

If the Washington Post had used the TouchUp Text tool to delete the names, the information would not have been leaked.

Nathan

Re:Nothing New

[dvdeug]

That is because the people who published the PDF were idiots.

Acrobat has a number of commenting tools. What the Washington Post staff did in that case was use the Highlight tool, set the color to black, and use it to draw over the names.

And that makes you an idiot? Not tech savey, maybe, but that's the exact thing you'd do in releasing hardcopy, and unless you think in terms of the internals of a computer, there's no reason you'd think twice about doing that.

Re:Nothing New

[jovlinger]

And under infra-red light, you can see trough the black highlighter (well, ink at least. I'm guessing this applies to dried ink as well). If your job is to redact documents, and you do that poor a job of it, you may not be an idiot, but you are incompetent.

Or is competence no longer a job requirement?

Re:Nothing New

[aengblom]

That is because the people who published the PDF were idiots.

And that makes you an idiot?

Yes, we were idiots. I work for the Post in a limited degree and we now have a sheet of paper on a quite visible bulletin board describing how we were idiots.

The .com folks who would post such a document are well aware to checkout if blacking it out was done correctly....now.

Re:Nothing New

[rf0]

cat filename | strings.

Edit in vi
Run over custom script to add basic HTML

Works for me

or Just use LaTex

Rus

Re:Nothing New

[mistered]

But that just shows all the text in the document. Most of the strings returned will be what's supposed to be public, which is therefore not interesting. The technique mentioned is basically the same, but eliminates the public text, leaving only the good bits.

Anyway, you don't need the cat -- strings filename does what you want.

Re:Nothing New

[merlyn]

That'd be a useless use of cat [netsonic.fi]. Simple "strings < filename" would work. Probably don't even need the <.

OH NO!

[SatanicPuppy]

NOT MY PERSONAL INFO! NOOOOOOOOO!

This isn't just nothing new, it's old news. Wasn't this how they caught the guy who wrote the melissa virus? When that little popup window from MS Office came up asking for their personal info, did they just think Office was trying to get to know them better, in order to be their friend?

It's just silly pressmongering. Those dumbasses have to come up with a terrifying computer factoid every day, or the ignorant compu-phobes they prey on might come to their senses.

Just my o

eh?

[DrSkwid]

google indexed PDF documents, it even turns them into HTML

of course you could always try http://searchpdf.adobe.com/

Now there's a way to search through more than a million summaries of Adobe(R) Portable Document Format (PDF) files on the Web. Your search results will allow you to see the summaries before deciding to view the original Adobe PDF.

WHAT?!??

[zedmelon]

From the article:

• "He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that it isn't distributed where it shouldn't be," he says."

I just created a Word document, blah.doc and put some text into it. I made sure I had a couple of undo points. I closed it and opened it back up, I couldn't undo SHIT. So where the hell am I being granted this mysterious "convenience?"

I know that the guy stressed the fact that Micrsoft isn't alone in this disctinction, but this is just another example of why Microsoft SUCKS.

I put the doc in a samba share and viewed it with vi. I found the path to the doc, the original name, my userid on my laptop, and the company name. All were hidden from the simple searches like this:

s.l.a.s.h.d.o.t...o.r.g

WTF?!?

Oh, WAIT a minute! This is also from the article:

• "The next edition of Office 2003 will include tools that will allow users to remove personal information from a document. It will also include new "information rights management" that will let an author specify who can read or forward a document."

WHEW! I feel so much better. Please disregard the first six paragraphs. Thanks.

Re:WHAT?!??

[Koyaanisqatsi]

All were hidden from the simple searches like this: s.l.a.s.h.d.o.t...o.r.g

It's not hidden. It's unicode (double-byte), just that;

Re:WHAT?!??

[wortelslaai3434]

As a sidenote...

I. .t.h.i.n.k. .y.o.u.r. .s.e.e.i.n.g. .u.n.i.c.o.d.e. .t.e.x.t.

Re:WHAT?!??

[Pieroxy]

Just a small post to notify you that (...).y.o.u.'.r.e. (...) is the correct wording.

Thanks

Re:WHAT?!??

[whoever57]

I just created a Word document, blah.doc and put some text into it. I made sure I had a couple of undo points. I closed it and opened it back up, I couldn't undo SHIT. So where the hell am I being granted this mysterious "convenience?"

You have to turn on the "Track Changes" (under "tools") feature and then make some changes (then save it, etc.)

Why Word Does This

[spectecjr]

I just created a Word document, blah.doc and put some text into it. I made sure I had a couple of undo points. I closed it and opened it back up, I couldn't undo SHIT. So where the hell am I being granted this mysterious "convenience?"

You're not.

There are two ways of saving a word document:

• Fast Save
• Full Save

Fast Save dumps the binary from memory into the file. Full Save compacts the binary image, and reorders it. This takes time.

Word's text stream is stored using a piece table [unm.edu]. One of the benefits of a piece table is that if you keep the meta information about the text, you can get nearly infinite undo. The way it does this is by having an original data stream, and an appended data stream. Whenever you add data to the file, it gets added as a chunk to the end of the appended data stream. Whenever you delete, the meta table is updated to remove the text from the stream, but otherwise the text itself is left unaffected.

As a result, text is never removed from the document. A Fast Save (which is the default) under Word dumps the Piece Table as-is (there is probably some compaction over time to remove the no-longer-used data, but it probably only occurs above a given threshold of used to unused text). A full save deconstructs the piece table's meta information, and turns it back into one contiguous stream of data.

It's all just a function of the way the text is stored while it's being edited. Different editors have different mechanisms; some store data based on lines, and some store it using a gap buffer. But ultimately, the problem exists because Word uses a piece table, and it dumps the entire table to a file by default.

It's actually a sensible way of handling the text data. However, whoever designed the Fast Save algorithm probably didn't consider the ramifications of the text still being stored in the document. The best workaround? Wipe the unused sections of the piece table. But then you might as well return to using a Full Save, as you'll be ditching the performance benefits anyway.

Simon

Re:Why Word Does This

[Psychic Burrito]

What I don't understand is why Microsoft even does this distinction between fast and full save when it would be possible to create a single save mode that is both fast and full, bear with me for a moment:

At the moment the user hits "save", "fast save" is faster because Word doesn't has to do any re-interpreting of what is already in memory. This step is what makes full save slower. But the re-interpreting doesn't has to happen at the moment the user hits "save", it can happen all the time while the user is

Re:WHAT?!??

[zedmelon]

"You only have the convenience while the file is open. If you could undo after you re-opened a file, these "hidden secrets" wouldn't be hidden at all!"

Exactly. I knew that to begin with, but I did it and then vi'd the file to confirm. If I delete text from a document, that means I don't want that text in the document. Neil Laver says "...hidden information can "incredibly useful" in improving the functionality of the software."

So my main point is, if I am being supposedly CONVENIENCED by this "feature," HOW is the software helping me by storing these things in my document?

Word attachments

[BrokenHalo]

I've started getting nasty about Word attachments. I've set up my mail transport agent to send automatically send spurious responses to messages with .doc attachments with a polite policy message to the effect that their attachment had been rejected as being prepared with potentially insecure and malicious code, and if they care to send it in a sensible format I might deign to read it. If the sender isn't in my whitelist, I just consign it to the spam bin. Saves a lot of time, and some people have got the m

Prediction

[JessLeah]

This will become a common way for 'big' corps to spy on 'small' corps (and individual users?), to find new ways to both screw them over, and appear 'omniscient'. They'll never (or rarely) get called on it. Meanwhile, anyone who tries to reveal information discovered in this way which is incriminating towards said big corps will get sued for being "hackers" and/or "terrorists".

Re:Prediction

[TopShelf]

This is "Insightful"??? Yeesh!

I had no idea that the sloppy handling of non-displayed data in output files (not just Word, mind you), and their publication on the web was actually Another Way For The Man To Keep Us Down...

Re:Prediction

[Spunk]

You don't think that it's possible?

I recall an article (possibly here) about companies using this "feature" on job applicants to read what was in previous versions. For example, you overwrite this letter

Dear IBM,

Thanks for the Linux job offer. Gimme $60,000 and I'm yours.
Love, Spunk

with

Dear Microsoft,

You guys are the best. I'll take that C# coder job for $70,000.
Love, Spunk

It would be easy for MS to see that you are asking IBM for $10,000 less. Letter-writing skills notwithstanding, I don'

if anything, the opposite

[siskbc]

This will become a common way for 'big' corps to spy on 'small' corps (and individual users?), to find new ways to both screw them over, and appear 'omniscient'. They'll never (or rarely) get called on it. Meanwhile, anyone who tries to reveal information discovered in this way which is incriminating towards said big corps will get sued for being "hackers" and/or "terrorists".

Aside from the paranoia overtones, I still disagree. The tools for doing this are on the web. Right now. So in other words, a w

It's been said hundreds if not thousands of times:

[NightSpots]

It doesn't matter how good your corporate security is if you don't train your users (including managers) in basic security practices.

Lots of people put sensitive documents in public webspace, primarily because they don't know any better. Eventually the cost-benefit analysis will be done, and corporations will pay to have their users trained. Until then, this type of thing will continue to happen.

Re:It's been said hundreds if not thousands of tim

[TMB]

Sure, but they point they're making is that it's not intuitively obvious to most people that there could be text in a Word document other than what appears.

So a relatively security-conscious person who just doesn't know anything about Word file formats could easily publish something online on purpose without knowing that there is (invisible) sensitive information in it, even if they'd never put that information in a public place on purpose.

[TMB]

It comes down to one question

[Alethes]

Is security the responsibility of the software of the users? Should we point the finger at that horribly insecure software that shouldn't allow this sort of thing to happen or the ignorant users who put the sensitive data in the document? Both?

I thought this was common knowledge?

[26199]

Well, it is amongst people who object to being mailed Word documents, anyway. They're just a really bad format for publishing information in.

See Richard Stallman's [gnu.org] 'no-word-attachments' article, for example...

Re:I thought this was common knowledge?

[broken.data]

This is not limited to Word. This trick has been around for ages with PDF and everything else I can think of.

Hell, this is how slashdot figured out that the Microsoft Switch [slashdot.org] was a fake.

Re:I thought this was common knowledge?

[Aidtopia]

My friend go so tired of people on his team sending him word docs, that he learned TeX and started sending his replies that way. When he feels really nasty about it, he sends the .dvi files.

An Important Question

[linuxislandsucks]

How many word processing progreams do place hidden meta data within theri formats?

For example does OpenOffice/StarOffice and other open source programs have the saem security problem?

Re:An Important Question

[__past__]

The OOo file format it just a bunch of zipped XML files, you can easily look for yourself. Deleted text is not in it, as it seems. Unless you turned on version tracking, of course.

It does, however, save things like when the document was last printed, how often it has been edited and by whom, etc. unless you tell it otherwise. It's easy to get rid of the data (there is a huge "Delete" button in the properties dialog), but not many people will be aware of it.

So, basically, if you don't know what you are doing, you could give out more information than you want to with you OOo files.

Re:An Important Question

[shaitand]

copyleft = freedom
bsdtype license = free to steal

Re:An Important Question

[shaitand]

copyleft = freedom for code and THE ONES WHO CODE IT
bastype license = freedom for coder who would like to make that code their own.

As to which is free in the sense of no cost for those who want to use it, without a doubt it's BSD. Those who release gpl'd code aren't working for free, they want their payment in code instead of cash. Considering human nature, I find the gpl to be an ideal that is definattely in closser harmony with a man, and at the same time still an ideal of what will benefit mankind.

But

Re:An Important Question

[__past__]

At least the 1.1 betas have an option to save as "flat xml". The format is basically the same as the zipped one, but uncompressed and in a single file (binary files like embedded images seem to be base64 encoded).

In principle there is no problem using that with any version management system, CVS, RCS, Subversion etc should work fine with it. You'll be more happy to have an XML-aware diff at least, though - my simple test doc ended up with all content in a single long line.

Well...

[CGP314]

Simon Byers, at AT&T's research laboratory in the US, was able to unearth hidden information from many thousands of Microsoft Word documents posted online using a few freely available software tools and some basic programming techniques.

Are you going to share that info or what?

Throw it up on freenet man!

infrastructure data?

[at_kernel_99]

An accomplished searcher can learn much about the world we live in, as slashdot reported some time ago [slashdot.org].

An interesting reminder, to be sure, given yesterday's blackout [slashdot.org].

Makes a guy wonder just how much is still available regarding key electrical and telephone infrastructure. Emergency power capabilities of broadcasters (radio, television, mobile phone). Gas lines, in the parts of the country that have them. Water systems. There's likely a bunch of data out there, ready to be mined.

LaTeX

[ParadigmLA]

Everyone should just be forced to use LATeX and then there won't be any hidden information. . .

Re:LaTeX

[GarvMaster]

Because 99.9% of the world would go back to pen and paper

OMG

[Anonymous Coward]

Stupid people messing stuff up? I'm SHOCKED!

How long until someone blames Microsoft, I wonder...

Re:OMG

[psoriac]

You forget, this is Slashdot. Blame of Microsoft is understood to apply whenever possible.

True story.

[oni]

A sysadmin once sent me a form letter type thing with my new password in it. The username/password was a spreadsheet object and I was able to open it to see everyone's passwords. He changed them all when I pointed this out. BTW, why do people send email messages that just say "see attached file" and the attached file is a memo with some trival content that could have been the text of the email??

Anyway, I have to admit that I was also burned by word. I was in the habit of opening the last memo I wrote from the recent documents list and using it as the starting point for newer ones. At some point, I put a bunch of policy statements on a CD and was later told that everyone was reading the hidden text. Doh!

This was back in the days of office 97 I believe. I'm not sure if Office 2k or XP still have this feature/bug.

Re:True story.

[DrSkwid]

why do people send email messages that just say "see attached file"

because they select "send document" form the file menu and get a blank email with the document attached

Re:True story.

[homer_ca]

Saving Word to HTML gets rid of the hidden text, but it does still save Author information. I got this HTML spam where he saved a Word file to HTML and sent that as the message. Sure enough, the dumbass's real name was in the source as the author.

Dang...

[DarkBlackFox]

Remind me not to save my importand documents to C:\My Documents\Porn\Annual Budget Report.doc anymore.

Tools

[rf0]

See Google. It can read word/pdf etc. Sure there is a mountain of information there if you look

Rus

Job Recruiters

[Anonymous Coward]

I have received two such word documents from two seperate job recruiters. The actual companies looking for the employee were hidden in the document, as well as contact information for the person at the company. Screw the middle man

Re:Job Recruiters

[bird]

Back in 1997, we were interviewing my putative replacement, and one fine fellow sent us a Word resume and cover letter. In the cover letter, he shared with us the delightful sentiment that-- while he was interviewing several other places (1997, remember), we were his current top choice.

A colleague on the review team who didn't use Windows turned to strings(1) to get the data from these documents, which yielded us the information that a *lot* of this guy's other prospects were also his current top choice. M

Helpful Hint

[cgreuter]

Remember kids: strings is your friend. If you happen to get a job offer in the form of a Word document and the HR drone who sent it to you wasn't careful, you can often see the version that got sent to other candidates and, more importantly, how much money they were offered. It can do wonders for your bargaining position.

Re:Helpful Hint

[Reziac]

Or for us DOS folks, there's XRay, last seen floating around Simtel (xray102.zip or something like that, in /textutils). It does a nice job pulling text strings out of any binary, and redirects handily to a file or your fave viewer (frex, LIST). I've used it to retrieve the complete content from a Word document that was hopelessly corrupted, and to see what fun was to be had in another document's "deleted" space.

XRAY is also handy for pulling text out of executables. Frex, a brief rant about upper manageme

Not just documents

[I8TheWorm]

It doesn't pertain to just documents. I've seen code samples posted to sites like experts-exchange where DB connection strings still had UID and PW data in them. Seems people don't re-read before they post very often.

Clippy did it

[sbillard]

It looks like you're trying to post a document on the web.
Would you like to...
1. Divulge corporate secrets?
2. List your passwords?
3. Remove KB823980 and open port 135?


It looks like your trying to close Clippy.
Would you like to...
1. Shit in your hat?
2. Put fist through bling bling flat panel?
3. Go home for teh weekend?

Check this out...

[Geminatron]

View some of the past word docs you've received in a hex editor...

Near the bottom there is often information from other documents of the sender that they were recently working on. I don't know why it saves this. Maybe something to do with the undo buffer?

At work I used to look at internal memos that would be sent out on a weekly basis and find out all sorts of other stuff that was going on.

My 2c.. and a terrible pun.

[zcat_NZ]

It's only going to get worse; google's really expanded on the number of File types [google.com] it indexes and caches.

One of my clients was recently caught out when google indexed private metadata she didn't know was still there, so I can well understand the gravity [google.com] of this situation.

Re:My 2c.. and a terrible pun.

[randyest]

Whoa, that's very cool. I love it when I learn a new google goodie.

If you didn't try that 'gravity' link in the parent, check this out [google.com]. Google calculator -- takes input in standard algebraic format, and knows some variables and units too (such as "G" being the universal gravitational constant, "mass of earth", and "radius of earth"), so you can just use the variable name and google fills in the values, converts units as needed, and gives a numeric result. Nice.

However, unless I'm doing something w

Re:My 2c.. and a terrible pun.

[pherris]

Just to build on this thought try searching google for +"internal use only" filetype:doc [google.com] or +"internal use only" site:.gov filetype:doc [google.com].

i have my own special program that does this...

[jkitchel]

it's called http://www.google.com and you search by "top secret documents filetype:doc" [google.com].

It's easy...

[inertia187]

This is the easy way:

"Index of" "Name Last modified Size Description"

Then you add file extensions or other things. For example:

• mpg [google.com]
• mov [google.com]
  
• mp3 [google.com]
• secret [google.com] - doesn't have to be file extensions...
• "My Documents" [google.com] - yeah, that's secure...
• etc

Anyway, as you can see, it's pretty effective. Sometimes admins wise up, and all you have is the Google cache. But sometimes they don't, and you get to look. Thanks Google!

Re:It's easy...

[CSG_SurferDude]

OMG!!!

I'm ashamed to say that I never even thought of that one.

Thanks for the it, Now I have a chance of completing my bootleg collection of Pink Floyd albums ;-)

Re:It's easy...

[Reziac]

On substituting "hidden" for "secret", one of the first results was this amusing bit:

Index of /Courses/S03/ECSE-4961/Finding Hidden Things

Well, yeah, that was the whole idea... ;)

I hate to state the obvious but,

[pair-a-noyd]

how many incidents will it take before people realize that ALL Microsoft products are insecure?

What will it take? What happens when a script kiddie hacks a hospital and shuts down the life support systems in ICU? Or just juggles the meds for the patients so that everyone in the hospital gets the wrong meds?

Or perhaps they glitch the Air Traffic Control system and airplanes rain down from the sky and tens or hundreds of thousands of people die??

Before the last war in Iraq started they showed the "state

Don't worry

[ratfynk]

Gates and co will take care of all your sensitive info, very soon. With the help of the DMCA Sen. Fritz and MS servers we all will be so secure that no one other than MS and the right Government agencies will be able to unlock your lock online .docs. So smarten up bow to Redmond and pay up suckers! Its upgrade or lose mania time again can your business not afford the wonderfull new security thats coming? Good luck getting your secretaries to use anything other than MS orafice!

Re:Don't worry

[ratfynk]

Wow I pulled a good spelling error SECRETARIES, a new job classification, for employees who do all your dirty work and keep their mouths shut!

Another way to find "secret" data

[cnb]

How many people actually protect their website
statistics?

Adding a simple /stat/ or /stats/ or a variation
with a combination of "web" or the name of any of
the common statistic generation programs gets you
access to the statistics of a *lot* of websites.

Then from the stats you could find any "hidden"
data which is not linked on the site including
internal company documents, girlfriend's nude
photos or mp3s.

Alternately you could just google for the
statistic reports of sites and get there
more easily.

This is another case of ill informed or lazy
users not following what should be a simple
security policy which could cause serious
repercussions.

For those who want to know how to protect
yourself, read this link [apache.org].

Word documents are stupid.

[rice_burners_suck]

This is WONDERFUL!!! This information should be pointed out to those annoying people who email you those annoying Microsoft Word documents, when the content could have been presented just as effectively (or more so) in plain ASCII text.

But instead of explaining it all technical and telling people how they can strip private information, you should use Microsoft's own techniques of FUD against them by telling people that Microsoft Word files contain all their private information and that information is gath

MS Word got Tony Blair busted in the WMD case

[leoaugust]

Tony Blair got busted in the WMD case because of the names of the people who revised the WMD Documents were still in the Word file. Now, it seems, that the Downing Street only puts PDF files on the web - and has removed all the MS word documents that were already there ....

Tools reveal secret life of documents - Documents like in Word save too much Info - Blair Episode [bbc.co.uk]

By Mark Ward

July 03, 2003

The UK Government was just the latest in a long line of organisations that has learned to its cost just how much information can be gleaned from innocent looking files. Earlier this year it issued a document called the 'dodgy dossier" about Iraq's concealment of weapons of mass destruction that was written using Microsoft Word. Every Word document remembers who made the last few revisions to it. The log reveals the names of four of the people who prepared the Iraq document for publication and the government Communications Information Centre that some of them work for. It was this log that Number 10 press chief Alastair Campbell had to explain to the House of Commons Foreign Affairs Select Committee in late June as part of its investigation into the Iraq dossier's history. Some of this information can be seen simply by right-clicking to view the properties of the downloaded document in a file listing. Utility programs can get even more information from Word revision logs.

The life stories of the documents we create are becoming increasingly important as the scrutiny of industries and governments gathers pace. Every time you write or edit these files you leave a trail of information revealing what you did and when you did it. With the right tools it is possible to extract this data and work out the trail of authors and workers who created a document. That is why we should all use opensource and open data formats - so that we can humanly read what all we are "putting" into the document. The Word version of this document has now been removed from government websites but copies of it are still available elsewhere on the net.

Unabridged and unedited article at

http://news.bbc.co.uk/2/hi/technology/3037760.stm

Here's the doc

[Pentagram]

The Word version of this document has now been removed from government websites but copies of it are still available elsewhere on the net.


Here's a copy of the document [computerbytesman.com]. Should save anyone else the trouble of googling for it </karmawhore>.

You belive the FBI ? ? Re:MS Word got Tony Blair

[leoaugust]

Well, interesting that you should hit BBC where it hurts, an in some cases maybe they deserve it. But, I think this "story" that you talk of is not one of those. Look at my take of the story behind the story behind the story .... The Blair-Bush team is more devious than you might want to believe ...

ALL Quotations below are from the MSNBC article ... my comments are in the [TT] [/TT] format ....

At the end of the day, officials say, the Lakhani case remains a story about potential threats and not the rea

The British experience - government stupidity

[pyrotic]

Have to post a link to this famous example, the dodgy dossier. [casi.org.uk] There was a writeup here [computerbytesman.com]. If you're thinking of making the case for war, don't release Word documents to the press - unless they're very very docile.

DMCA violation?

[notcreative]

By using tools that break the "encryption" on, for examply, the Washington Post .pdf file mentioned in the article, isn't the researcher violating the DMCA? Isn't his whole project bragging about doing this, a la 2600?

I hope he remembers a few packs of cigarettes in order to buy himself a few nights of sleep in the Big House.

Didn't I already write about something similar?

[NewtonsLaw]

This isn't really new -- check out this story [com.com] I wrote for CNet/ZDNet over a year ago.

This not anything new.

[gnuforpresident2004]

This type of thing happens all the time but just with digital media but with other media also. People go through others garbage recreating shredded documents, camcorders catching people in the act, carbon paper, copying machines. You always need to be careful when dealing yours and others information.

Newsflash: People shoot themselves in feet

[darthwader]

... then suffer foot wounds.

At the risk of being moderated Troll and Redundant,
Why are these people posting Word Documents online?

The Word Wide Web is not the Microsoft Wide Web.

Post in plain ASCII text, or HTML if you feel the need to pretty it up.

People keep using tools that are far more powerful and complex than they need, then they screw up, and blame the tools. Pick a simple tool to do a simple job, and you don't need to worry about your ignorance of the tools you are using causing you problems.

UK govt caught out

[g_attrill]

This has happened to the UK government several [theregister.co.uk] times [computerbytesman.com]. The latter link shows whose sticky fingers were on the infamous "dodgy dossier".

Gareth

It Must Be A "Technological Measure"

[John Hasler]

So who is going to be the first to claim that running a Word document through strings violates the DMCA?

Heh

[dodell]

He says hidden information can "incredibly useful" in improving the functionality of the software. "But if some of that data is sensitive, there have to be ways of ensuring that it isn't distributed where it shouldn't be," he says.

Apparently they need to use some of the software he used to get a conjugation of the infinitive "to be" back into their text.

Sanitizer

[Spunk]

Certainly, the best solution would be not to use proprietary formats.

But for those who don't want to change, is there a "Word sanitizer" tool available? Something that will convert one Word doc to another, minus the hidden text?

up to parent directory leaks

[whovian]

Finding personal information in the document metadata is one thing, but finding the documents is another.

I still find user accounts on which if you do a manual "up to parent directory" and the user has no index.htm{,l} file, you often get a fully navigable listing of their entire html directory.

Sometimes you find personal files that were never directly linked to, nor intended to be.

Word doc Cleaning Program?

[superyooser]

Does anybody know of a program that can clean up deleted info in Word docs? I'm thinking of something like Ad-Aware that scans for certain files, shows you possible security issues (supposedly deleted text, metadata in document properties, etc.), and asks you what action it should take (wipe out/edit text, delete file, etc.).

Microsoft's article on reducing MS Word metadata

[200_success]

It has been known for a long time that metadata are hidden within Microsoft Word documents. Microsoft even has Knowledge Base article 237361 [microsoft.com] explaining how to reduce the amount of metadata appearing in MS Word 2000 documents. Here's an excerpt:

This step-by-step article explains various methods that you can use to minimize the amount of metadata in your Word documents.

Whenever you create, open, or save a document in Microsoft Word 2000, the document may contain content that you may not want to share with others when you distribute the document electronically. This information is known as "metadata". Metadata is used for a variety of purposes to enhance the editing, viewing, filing, and retrieval of Office documents.

Some metadata is easily accessible through the Microsoft Word user interface; other metadata is only accessible through extraordinary means, such as opening a document in a low-level binary file editor. Here are some examples of metadata that may be stored in your documents:

• Your name
• Your initials
• Your company or organization name
• The name of your computer
• The name of the network server or hard disk where you saved the document
• Other file properties and summary information
• Non-visible portions of embedded OLE objects
• The names of previous document authors
• Document revisions
• Document versions
• Template information
• Hidden text
• Comments

• Metadata is created in a variety of ways in Word documents. As a result, there is no single method to remove all such content from your documents. The following sections describe areas where metadata may be saved in Word documents.

I'll bet there are more, but they won't disclose them.

It's a pity that more people don't just save as RTF. It's just as good for most uses, and it's a less obscure format.

Not Just for Fast Save Anymore?

[ewhac]

Back in the days of Word 5.1a (the last good version), I recall hidden data only getting saved if you used Word's "Fast Save" feature. Since Fast Save wasn't measurably faster, I turned it off. Is this no longer the case? (A quick look through the preferences panel in my copy of Word reveals a Fast Save option; it's turned off.)

Schwab

Best way to avoid this

[foniksonik]

The absolute best way to avoid this happening.

Copy your final text from your working draft into a brand new document. Yep good ol' copy and paste. You will only copy the selected text. All the auto-save data and edit history will not be copied into the new document. If your document has charts/graphs/placed images, etc. You will need to do a select all to be sure you got it.

If you always do this for final drafts you won't ever have a problem again. If in doubt of whether your current copy is clean.. just

There are advantages!

[oren]

Once, when negotating an investment deal, we got a Word document with the investment bank's comments on our proposed contract.

They tracked changes. All we needed to do was display them... and we got juicy stuff like "if they accept either our fix for clause X or for clause Y we can still s---w them royally in scenario Z".

Made for a very effective negotiation. For us.

Oh, wait, the article was about the problems this raises for the document's _author_.

Never mind :-)

Re:crypto

[peculiarmethod]

why exactly is that funny, again?

p

Re:crypto

[xv4n]

No one can tell, man. That post is encrypted in itself.

Re:crypto

[BrokenHalo]

I waw the article at New Scientist earlier yesterday, and my immediate reaction was the thought "and this is news?". Let's face it, anybody who has ever run a .doc file through a hex dump or even a text editor (this is not new) should be aware that there's a lot more information than appears on the screen in MS Word. And I fail to see how Microsoft's incorporating DRM into their files is going to improve matters. Their claim that all the editing history being present in the file is "useful" is specious. It

Re:crypto

[randyest]

Well, not sure about what the OP through was funny, but I sure do think this is, from the article:

"It is feasible that an individual may include their social security number on copies of a resume sent to prospective employers, but delete it from the version put online to guard against identify theft," Byers writes.

Who in their right mind puts their SSN in any version of a resume??!

Re:crypto

[Waffle Iron]

I would never put my SSN on a resume, but the last time I made a resume I ran the .doc file through 'less'. Sure enough, most all of my edit history was in there.

I exported it to RTF then reimported before saving it again as .doc. This erased other people's access to my thought processes, and it reduced the file size by 80% to boot.

In the end it didn't matter much, though. I usually include a plain text version of the resume right in my email as a backup along with the .doc attachment. On interviews, I'

in html

[SHEENmaster]

http://www.schneier.com/crypto-gram.html [schneier.com]

To do this yourself, just type:
<a href="http://foo/">bar</a>

Re:crypto

[jovlinger]

cryptogram-filter

Re:P2P has be doing htis for a long itme

[ComaVN]

Indeed. Search for system.dat, user.dat or pwl on Kazaa, there are always some files found.

Although I cannot guess how many of those are honeypots.

Re:P2P has be doing htis for a long itme

[mccrew]

From the be-careful-what-you-search-for department:
Search for *anything* on Kazaa, and there are always some files found. However, upon closer inspection, you'll see that they really are hidden pornography URLs, viruses, and other poison payloads, definitely not what you were really looking for.

Re:Slow news day

[zcat_NZ]

Anyone wants to guess what's the second most dangerous animal for human beings?

Other human beings?

Re:What exactly's the big deal here?

[William Tanksley]

Incorrect. You didn't read the article.

He did the search, as you said, but he didn't use Google's conversion; instead, he looked directly inside the DOC file, where Word keeps a bunch of information for its own purposes -- stuff that was deleted, stuff that was just in the wrong memory location when the save happened -- whatever.

He found legitimate docs, with legit contents; but they also contained some stuff that the authors didn't intend to publish.

-Billy

Re:What exactly's the big deal here?

[B3ryllium]

I haven't read the article - nor do I intend to - but I gather that the information in question is NOT displayed when viewing the document in Word, but has been "deleted" by the user. Word preserves the deleted text, it seems, as part of the undo feature - and yet, the undo feature doesn't work if you have freshly opened a file.

Sort of like deleting password emails from Outlook Express, and then having someone retreive them from the .mbx file despite the fact that you deleted them.

Re:What exactly's the big deal here?

[ratfynk]

So you load a word .doc it contains some nice little mail macros and bingo because you are stupid enough to use an unpatched illegal copy of word 97, (which is what one hell of alot of small business owners do); MS word to open it you get slammed. End of story. Go buy longhorny and help microsoft control stupid users! Pay Pay Pay

Re:Old News!

[ratfynk]

The reason is obvious why they leave the security flaws intact. They are going to need to sell LONGHORNY big time to show corporated software sales growth to the stock holders. Their Xbox is still costing them money every time someone buys one, they are not making huge enough money from educational certification extortion any more, they are having a hard time keeping up with the number of software violation of patent law suits. They realy need to eat Symantec's lunch again without getting sued to the nines.

Re:Here's An Idea

[shaitand]

Microsoft has alot of money, don't you think they can afford to buy a decent wordprocessor instead of word?

oh wait...