Schneier on Security

A blog covering security and security technology.

« October 2005 | Main | December 2005 »

November 2005 Archives

Google and Privacy

Daniel Solove on Google and privacy:

A New York Times editorial observes:

At a North Carolina strangulation-murder trial this month, prosecutors announced an unusual piece of evidence: Google searches allegedly done by the defendant that included the words "neck" and "snap." The data were taken from the defendant's computer, prosecutors say. But it might have come directly from Google, which -- unbeknownst to many users -- keeps records of every search on its site, in ways that can be traced back to individuals.

This is an interesting fact -- Google keeps records of every search in a way that can be traceable to individuals. The op-ed goes on to say:

Google has been aggressive about collecting information about its users' activities online. It stores their search data, possibly forever, and puts "cookies" on their computers that make it possible to track those searches in a personally identifiable way -- cookies that do not expire until 2038. Its e-mail system, Gmail, scans the content of e-mail messages so relevant ads can be posted. Google's written privacy policy reserves the right to pool what it learns about users from their searches with what it learns from their e-mail messages, though Google says it won't do so. . . .

The government can gain access to Google's data storehouse simply by presenting a valid warrant or subpoena. . . .

This is an important point. No matter what Google's privacy policy says, the fact that it maintains information about people's search activity enables the government to gather that data, often with a mere subpoena, which provides virtually no protection to privacy -- and sometimes without even a subpoena.

Solove goes on to argue that if companies like Google want to collect people's data (even if people are willing to supply it), the least they can do is fight for greater protections against government access to that data. While this won't address all the problems, it would be a step forward to see companies like Google use their power to foster meaningful legislative change.

EDITED TO ADD (12/3): Here's an op ed from The Boston Globe on the same topic.

Posted on November 30, 2005 at 03:08 PM • 57 Comments • View Blog Reactions

Hacking Wiretapping Systems

This is absolutely fascinating research by Matt Blaze on evading telephone wiretapping systems. Here's the paper. Here's a news article.

Posted on November 30, 2005 at 12:13 PM • 9 Comments • View Blog Reactions

Open-Source Intelligence

How here's a good idea:

US intelligence chief John Negroponte announced Tuesday the creation of a new CIA-managed center to exploit publicly available information for intelligence purposes.

The so-called Open Source Center will gather and analyze information from a host of sources from the Internet and commercial databases to newspapers, radio, video, maps, publications and conference reports.

Posted on November 30, 2005 at 10:42 AM • 39 Comments • View Blog Reactions

Cybercrime Pays

This sentence jumped out at me in an otherwise pedestrian article on criminal fraud:

"Fraud is fundamentally fuelling the growth of organised crime in the UK, earning more from fraud than they do from drugs," Chris Hill, head of fraud at the Norwich Union, told BBC News.

I'll bet that most of that involves the Internet to some degree.

And then there's this:

Global cybercrime turned over more money than drug trafficking last year, according to a US Treasury advisor. Valerie McNiven, an advisor to the US government on cybercrime, claimed that corporate espionage, child pornography, stock manipulation, phishing fraud and copyright offences cause more financial harm than the trade in illegal narcotics such as heroin and cocaine.

This doesn't bode well for computer security in general.

Posted on November 30, 2005 at 06:05 AM • 21 Comments • View Blog Reactions

Counterfeiting Ring in Colombia

Interesting:

Police assisted by U.S. Secret Service agents on Sunday broke up a network capable of printing millions of dollars a month of excellent quality counterfeit money and arrested five suspects during a raid on a remote village in northwest Colombia, officials said.

It's a big industry there:

Fernandez said Valle del Cauca, of which Cali is the state capital, has turned into a center of global counterfeiting. "Entire families are dedicated to falsifying and trafficking money."

And:

Colombia is thought to produce more than 40 percent of fake money circulating around the world.

Posted on November 29, 2005 at 04:29 PM • 27 Comments • View Blog Reactions

Miami Police Stages "Random Shows of Force"

They actually think this is a good idea:

Miami police announced Monday they will stage random shows of force at hotels, banks and other public places to keep terrorists guessing and remind people to be vigilant.

Deputy Police Chief Frank Fernandez said officers might, for example, surround a bank building, check the IDs of everyone going in and out and hand out leaflets about terror threats.

"This is an in-your-face type of strategy. It's letting the terrorists know we are out there," Fernandez said.

The operations will keep terrorists off guard, Fernandez said. He said al-Qaida and other terrorist groups plot attacks by putting places under surveillance and watching for flaws and patterns in security.

Boy, is this one a mess. How does "in-your-face" affect getting the people on your side? What happens if someone refuses to show an ID? What good is demanding an ID in the first place? And if I were writing a movie plot, I would plan my terrorist attack for a different part of town when the police were out playing pretend.

The response from the ACLU of Florida is puzzling, though. Let's hope he just didn't understand what was being planned.

EDITED TO ADD (11/29): This article is in error.

EDITED TO ADD (11/30): more info.

Posted on November 29, 2005 at 01:07 PM • 52 Comments • View Blog Reactions

Missed Cellphone Calls as Bomb Triggers

What is it with this week? I can't turn around without seeing another dumb movie-plot threat:

A Thai minister has claimed that by returning missed calls on their cell phones people from the Muslim-majority southern provinces could unintentionally trigger bombs set by Islamic militants.

Thai authorities have begun tracing cell phone calls in a bid to track down suspects who use mobiles to detonate bombs across three provinces along the Malaysian border.

But the minister for information and communication warned that militants could try to foil the two-week-old cell phone registry by calling a random number, hanging up and then wiring the handset to a bomb.

If someone returned to the call, the bomb would blow up and authorities would trace the call to an innocent person, Sora-at Klinpratum told reporters.

Posted on November 29, 2005 at 10:01 AM • 46 Comments • View Blog Reactions

A Science-Fiction Movie-Plot Threat

This has got to be the most bizarre movie-plot threat to date: alien viruses downloaded via the SETI project:

In his [Richard Carrigan, a particle physicist at the US Fermi National Accelerator Laboratory in Illinois] report, entitled "Do potential Seti signals need to be decontaminated?", he suggests the Seti scientists may be too blase about finding a signal. "In science fiction, all the aliens are bad, but in the world of science, they are all good and simply want to get in touch." His main concern is that, intentionally or otherwise, an extra-terrestrial signal picked up by the Seti team could cause widespread damage to computers if released on to the internet without being checked.

Here's his website.

Although you have to admit, it could make a cool movie

EDITED TO ADD (12/16): Here's a good rebuttal.

Posted on November 29, 2005 at 07:16 AM • 59 Comments • View Blog Reactions

Interdicting Terrorist Funding

Want to make the country safer from terrorism? Take the money now being wasted on national ID cards, massive data mining projects, fingerprinting foreigners, airline passenger profiling, etc., and use it to fund worldwide efforts to interdict terrorist funding:

The government's efforts to help foreign nations cut off the supply of money to terrorists, a critical goal for the Bush administration, have been stymied by infighting among American agencies, leadership problems and insufficient financing, a new Congressional report says.

More than four years after the Sept. 11 attacks, "the U.S. government lacks an integrated strategy" to train foreign countries and provide them with technical assistance to shore up their financial and law enforcement systems against terrorist financing, according to the report prepared by the Government Accountability Office, an investigative arm of Congress.

More:

One unidentified Treasury official quoted anonymously in the report said that the intergovernmental process for deterring terrorist financing abroad is "broken" and that the State Department "creates obstacles rather than coordinates effort." A State Department official countered that the real problem lies in the Treasury Department's reluctance to accept the State Department's leadership in the process.

In another problem area, private contractors used by the Treasury Department and other agencies have been allowed to draft proposed laws in foreign countries for curbing terrorist financing, even though Justice Department officials voiced strong concerns that contractors should not be allowed to play such an active role in the legislative process.

The contractors' work at times produced legislative proposals that had "substantial deficiencies," the report said.

The administration has made cutting off money to terrorists one of the main prongs in its attack against Al Qaeda and other terrorist groups. It has seized tens of millions of dollars in American accounts and assets linked to terrorist groups, prodded other countries to do the same, and is now developing a program to gain access to and track potentially hundreds of millions of international bank transfers into the United States.

But experts in the field say the results have been spotty, with few clear dents in Al Qaeda's ability to move money and finance terrorist attacks. The Congressional report- a follow-up to a 2003 report that offered a similarly bleak assessment - buttresses those concerns.

Posted on November 28, 2005 at 09:44 PM • 17 Comments • View Blog Reactions

Giving the U.S. Military the Power to Conduct Domestic Surveillance

More nonsense in the name of defending ourselves from terrorism:

The Defense Department has expanded its programs aimed at gathering and analyzing intelligence within the United States, creating new agencies, adding personnel and seeking additional legal authority for domestic security activities in the post-9/11 world.

The moves have taken place on several fronts. The White House is considering expanding the power of a little-known Pentagon agency called the Counterintelligence Field Activity, or CIFA, which was created three years ago. The proposal, made by a presidential commission, would transform CIFA from an office that coordinates Pentagon security efforts -- including protecting military facilities from attack -- to one that also has authority to investigate crimes within the United States such as treason, foreign or terrorist sabotage or even economic espionage.

The Pentagon has pushed legislation on Capitol Hill that would create an intelligence exception to the Privacy Act, allowing the FBI and others to share information gathered about U.S. citizens with the Pentagon, CIA and other intelligence agencies, as long as the data is deemed to be related to foreign intelligence. Backers say the measure is needed to strengthen investigations into terrorism or weapons of mass destruction.

The police and the military have fundamentally different missions. The police protect citizens. The military attacks the enemy. When you start giving police powers to the military, citizens start looking like the enemy.

We gain a lot of security because we separate the functions of the police and the military, and we will all be much less safer if we allow those functions to blur. This kind of thing worries me far more than terrorist threats.

Posted on November 28, 2005 at 02:11 PM • 36 Comments • View Blog Reactions

Safecracking with Thermal Imaging

Interesting.

Posted on November 28, 2005 at 11:37 AM • 31 Comments • View Blog Reactions

European Terrorism Law and Music Downloaders

The European music industry is lobbying the European Parliament, demanding things that the RIAA can only dream about:

The music and film industries are demanding that the European parliament extends the scope of proposed anti-terror laws to help them prosecute illegal downloaders. In an open letter to MEPs, companies including Sony BMG, Disney and EMI have asked to be given access to communications data - records of phone calls, emails and internet surfing - in order to take legal action against pirates and filesharers. Current proposals restrict use of such information to cases of terrorism and organised crime.

Our society definitely needs a serious conversation about the fundamental freedoms we are sacrificing in a misguided attempt to keep us safe from terrorism. It feels both surreal and sickening to have to defend our fundamental freedoms against those who want to stop people from sharing music. How is it possible that we can contemplate so much damage to our society simply to protect the business model of a handful of companies?

Posted on November 27, 2005 at 12:20 PM • 83 Comments • View Blog Reactions

Hoofnagle's Consumer Privacy Top 10

Chris Hoofnagle is the West Coast Director for EPIC. It's his list.

I've been working for some time on writing easy-to-understand guides for protecting privacy. Here's my "top 10" things you can do with very little money or effort to protect your privacy.

Good stuff.

Posted on November 25, 2005 at 08:46 AM • 17 Comments • View Blog Reactions

Vote Someone Else's Shares

Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others.

If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person's name, address, and account number at Janus! You could then vote their shares too.

It's easy.

Probably illegal.

Definitely a great resource for identity thieves.

Certainly pathetic.

Posted on November 24, 2005 at 10:41 AM • 41 Comments • View Blog Reactions

Twofish Cryptanalysis Rumors

Recently I have been hearing some odd "Twofish has been broken" rumors. I thought I'd quell them once and for all.

Rumors of the death of Twofish has been greatly exaggerated.

The analysis in question is by Shiho Moriai and Yiqun Lisa Yin, who published their results in Japan in 2000. Recently, someone either got a copy of the paper or heard about the results, and rumors started spreading.

Here's the actual paper. It presents no cryptanalytic attacks, only some hypothesized differential characteristics. Moriai and Yin discovered byte-sized truncated differentials for 12- and 16-round Twofish (the full cipher has 16 rounds), but were unable to use them in any sort of attack. They also discovered a larger, 5-round truncated differential. No one has been able to convert these differentials into an attack, and Twofish is nowhere near broken. On the other hand, they are excellent and interesting results -- and it's a really good paper.

In more detail, here are the paper's three results:

1. The authors show a 12-round truncated differential characteristic that predicts that the 2nd byte of the ciphertext difference will be 0 when the plaintext difference is all-zeros except for its last byte. They say the characteristic holds with probability 2^-40.9. Note that for an ideal cipher, we expect the 2nd byte of ciphertext to be 0 with probability 2^-8, just by chance. Of course, 2^-8 is much, much larger than 2^-40.9. Therefore, this is not particularly useful in a distinguishing attack.

   One possible interpretation of their result would be to conjecture that the 2nd byte of ciphertext difference will be 0 with probability 2^-8 + 2^-40.9 for Twofish, but only 2^-8 for an ideal cipher. Their characteristic is just one path. If one is lucky, perhaps all other paths behave randomly and contribute an additional 2^-8 factor to the total probability of getting a 0 in the 2nd byte of ciphertext difference. Perhaps. One might conjecture that, anyway.

   It is not at all clear whether this conjecture is true, and the authors are careful not to claim it. If it were true, it might lead to a theoretical distinguishing attack using 2⁷⁵ chosen plaintexts or so (very rough estimate). But I'm not at all sure that the conjecture is true.

2. They show a 16-round truncated differential that predicts that the 2nd byte of the ciphertext difference will be 0 (under the same input difference). Their characteristic holds with probability 2^-57.3 (they say). Again, this is not very useful.

   Analogously to the first result, one might conjecture that the 2nd byte of the ciphertext difference will be 0 with probability 2^-8 + 2^-57.3 for Twofish, but probability 2^-8 for an ideal cipher. If this were true, one might be able to mount a distinguishing attack with 2¹⁰⁰ chosen plaintexts or so (another very rough estimate). But I have no idea whether the conjecture is true.

3. They also show a 5-round truncated differential characteristic that predicts that the input difference that is non-zero everywhere except in its 9th byte will lead to an output difference of the same form. This characteristic has probability 2^-119.988896, they say (but they also say that they have made some approximations, and the actual probabilities can be a little smaller or a little larger). Compared to an ideal cipher, where one would expect this to happen by chance with probability 2^-120, this isn't very interesting. It's hard to imagine how this could be useful in a distinguishing attack.

The paper theorizes that all of these characteristics might be useful in an attack, but I would be very careful about drawing any conclusions. It can be very tricky to go from single-path characteristics whose probability is much smaller than the chances of it happening by chance in an ideal cipher, to a real attack. The problem is in the part where you say "let's just assume all other paths behave randomly." Often the other paths do not behave randomly, and attacks that look promising fall flat on their faces.

We simply don't know whether these truncated differentials would be useful in a distinguishing attack. But what we do know is that even if everything works out perfectly to the cryptanalyst's benefit, and if an attack is possible, then such an attack is likely to require a totally unrealistic number of chosen plaintexts. 2¹⁰⁰ plaintexts is something like a billion billion DVDs' worth of data, or a T1 line running for a million times the age of the universe. (Note that these numbers might be off by a factor of 1,000 or so. But honestly, who cares? The numbers are so huge as to be irrelevent.) And even with all that data, a distinguishing attack is not the same as a key recovery attack.

Again, I am not trying to belittle the results. Moriai and Yin did some great work here, and they deserve all kinds of credit for it. But even from a theoretical perspective, Twofish isn't even remotely broken. There have been no extensions to these results since they were published five years ago. The best Twofish cryptanalysis is still the work we did during the design process: available on the Twofish home page.

Posted on November 23, 2005 at 12:15 PM • 33 Comments • View Blog Reactions

Today's Movie-Plot Threat: Electronic Pulses from Space

No. Really:

The United States is highly vulnerable to attack from electronic pulses caused by a nuclear blast in space, according to a new book on threats to U.S. security.

A single nuclear weapon carried by a ballistic missile and detonated a few hundred miles over the United States would cause "catastrophe for the nation" by damaging electricity-based networks and infrastructure, including computers and telecommunications, according to "War Footing: 10 Steps America Must Take to Prevail in the War for the Free World."

"This is the single most serious national-security challenge and certainly the least known," said Frank J. Gaffney Jr. of the Center for Security Policy, a former Pentagon official and lead author of the book, which includes contributions by 34 security and intelligence specialists.

The "single most serious national-security challenge." Absolutely nothing more serious.

Sheesh.

Posted on November 23, 2005 at 07:39 AM • 57 Comments • View Blog Reactions

Australian Minister's Sensible Comments on Airline Security Sparks Outcry

I'm the first to admit that I don't know anything about Australian politics. I don't know who Amanda Vanstone is, what she stands for, and what other things she's said about any other topic.

But I happen to think she's right about airline security:

In a wide-ranging speech to Adelaide Rotarians, Senator Vanstone dismissed many commonwealth security measures as essentially ineffective. "To be tactful about these things, a lot of what we do is to make people feel better as opposed to actually achieve an outcome," Senator Vanstone said.

And:

During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy.

Implied? I'll say it outright. It's stupid. For all its faults, I'm always pleased when Northwest Airlines gives me a real metal knife, and I am always annoyed when American Airlines still gives me a plastic one.

"Has it ever occurred to you that you just smash your wine glass and jump at someone, grab the top of their head and put it in their carotid artery and ask anything?" Senator Vanstone told her audience of about 100 Rotarians. "And believe me, you will have their attention. I think of this every time I see more money for the security agencies."

The Immigration Minister also told of a grisly conversation with Mr Howard during a discussion on increased spending on national security.

Senator Vanstone said: "I asked him if I was able to get on a plane with an HB pencil, which you are able to, and I further asked him if I went down and came and grabbed him by the front of the head and stabbed the HB pencil into your eyeball and wiggled it around down to your brain area, do you think you'd be focusing? He's thinking, she's gone mad again."

Okay, so maybe that was a bit graphic for the Rotarians. But her comments are basically right, and don't deserve this kind of response:

"(Her) extraordinary outburst that airport security was a sham to make the public feel good has made a mockery of the Howard Government's credibility in this important area of counter-terrorism," Mr Bevis said yesterday. "And for Amanda Vanstone to once again put her foot in her mouth while John Howard is overseas for serious talks on terrorism is appalling. She should apologise and quit, or if the Prime Minister can't shut her up he should sack her."

But Mr. Bevis, airport security is largely a sham to make the public feel better about flying. And if your Prime Minister doesn't know that, then you should worry about how serious his talks will be.

Vanstone has been defending herself:

Vanstone rejected calls from the Labor Party opposition for her resignation over the comments they said trivialised an important issue, saying she was not ridiculing security measures.

"If the day has come when a minister can't say what every other Australian says and that is that plastic knives drive us crazy, I think we're in desperate straits," the minister told commercial radio on Monday.

Vanstone said she did not believe the security measures should be scrapped.

"What I have said is that putting a plastic knife on a plane doesn't necessarily make you very much safer. Bear in mind there are other things that are on planes," she said.

"People should not feel that because plastic knives are there, the world has dramatically changed -- because there are still HB pencils."

Plastic knives on airplanes drive me crazy too, and they don't do anything to improve our security against terrorism. I know nothing about Vanstone and her policies, but she has this one right.

Posted on November 22, 2005 at 01:41 PM • 96 Comments • View Blog Reactions

Surveillance and Oversight

Christmas 2003, Las Vegas. Intelligence hinted at a terrorist attack on New Year's Eve. In the absence of any real evidence, the FBI tried to compile a real-time database of everyone who was visiting the city. It collected customer data from airlines, hotels, casinos, rental car companies, even storage locker rental companies. All this information went into a massive database -- probably close to a million people overall -- that the FBI's computers analyzed, looking for links to known terrorists. Of course, no terrorist attack occurred and no plot was discovered: The intelligence was wrong.

A typical American citizen spending the holidays in Vegas might be surprised to learn that the FBI collected his personal data, but this kind of thing is increasingly common. Since 9/11, the FBI has been collecting all sorts of personal information on ordinary Americans, and it shows no signs of letting up.

The FBI has two basic tools for gathering information on large groups of Americans. Both were created in the 1970s to gather information solely on foreign terrorists and spies. Both were greatly expanded by the USA Patriot Act and other laws, and are now routinely used against ordinary, law-abiding Americans who have no connection to terrorism. Together, they represent an enormous increase in police power in the United States.

The first are FISA warrants (sometimes called Section 215 warrants, after the section of the Patriot Act that expanded their scope). These are issued in secret, by a secret court. The second are national security letters, less well known but much more powerful, and which FBI field supervisors can issue all by themselves. The exact numbers are secret, but a recent Washington Post article estimated that 30,000 letters each year demand telephone records, banking data, customer data, library records, and so on.

In both cases, the recipients of these orders are prohibited by law from disclosing the fact that they received them. And two years ago, Attorney General John Ashcroft rescinded a 1995 guideline that this information be destroyed if it is not relevant to whatever investigation it was collected for. Now, it can be saved indefinitely, and disseminated freely.

September 2005, Rotterdam. The police had already identified some of the 250 suspects in a soccer riot from the previous April, but most were unidentified but captured on video. In an effort to help, they sent text messages to 17,000 phones known to be in the vicinity of the riots, asking that anyone with information contact the police. The result was more evidence, and more arrests.

The differences between the Rotterdam and Las Vegas incidents are instructive. The Rotterdam police needed specific data for a specific purpose. Its members worked with federal justice officials to ensure that they complied with the country's strict privacy laws. They obtained the phone numbers without any names attached, and deleted them immediately after sending the single text message. And their actions were public, widely reported in the press.

On the other hand, the FBI has no judicial oversight. With only a vague hinting that a Las Vegas attack might occur, the bureau vacuumed up an enormous amount of information. First its members tried asking for the data; then they turned to national security letters and, in some cases, subpoenas. There was no requirement to delete the data, and there is every reason to believe that the FBI still has it all. And the bureau worked in secret; the only reason we know this happened is that the operation leaked.

These differences illustrate four principles that should guide our use of personal information by the police. The first is oversight: In order to obtain personal information, the police should be required to show probable cause, and convince a judge to issue a warrant for the specific information needed. Second, minimization: The police should only get the specific information they need, and not any more. Nor should they be allowed to collect large blocks of information in order to go on "fishing expeditions," looking for suspicious behavior. The third is transparency: The public should know, if not immediately then eventually, what information the police are getting and how it is being used. And fourth, destruction. Any data the police obtains should be destroyed immediately after its court-authorized purpose is achieved. The police should not be able to hold on to it, just in case it might become useful at some future date.

This isn't about our ability to combat terrorism; it's about police power. Traditional law already gives police enormous power to peer into the personal lives of people, to use new crime-fighting technologies, and to correlate that information. But unfettered police power quickly resembles a police state, and checks on that power make us all safer.

As more of our lives become digital, we leave an ever-widening audit trail in our wake. This information has enormous social value -- not just for national security and law enforcement, but for purposes as mundane as using cell-phone data to track road congestion, and as important as using medical data to track the spread of diseases. Our challenge is to make this information available when and where it needs to be, but also to protect the principles of privacy and liberty our country is built on.

This essay originally appeared in the Minneapolis Star-Tribune.

Posted on November 22, 2005 at 06:06 AM • 34 Comments • View Blog Reactions

The Sony Rootkit Saga Continues

I'm just not able to keep up with all the twists and turns in this story. (My previous posts are here, here, here, and here, but a way better summary of the events is on BoingBoing: here, here, and here. Actually, you should just read every post on the topic in Freedom to Tinker. This is also worth reading.)

Many readers pointed out to me that the DMCA is one of the reasons antivirus companies aren't able to disable invasive copy-protection systems like Sony's rootkit: it may very well be illegal for them to do so. (Adam Shostack made this point.)

Here are two posts about the rootkit before Russinovich posted about it.

And it turns out you can easily defeat the rootkit:

With a small bit of tape on the outer edge of the CD, the PC then treats the disc as an ordinary single-session music CD and the commonly used music "rip" programs continue to work as usual.

(Original here.)

The fallout from this has been simply amazing. I've heard from many sources that the anti-copy-protection forces in Sony and other companies have newly found power, and that copy-protection has been set back years. Let's hope that the entertainment industry realizes that digital copy protection is a losing game here, and starts trying to make money by embracing the characteristics of digital technology instead of fighting against them. I've written about that here and here (both from 2001).

Even Foxtrot has a cartoon on the topic.

I think I'm done here. Others are covering this much more extensively than I am. Unless there's a new twist that I simply have to comment on....

EDITED TO ADD (11/21): The EFF is suing Sony. (The page is a good summary of the whole saga.)

EDITED TO ADD (11/22): Here's a great idea; Sony can use a feature of the rootkit to inform infected users that they're infected.

As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

This is so obviously the right thing to do. My guess is that it'll never happen.

Texas is suing Sony. According to the official statement:

The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

And here's something I didn't know: the rootkit consumes 1% - 2% of CPU time, whether or not you're playing a Sony CD. You'd think there would be a "theft of services" lawsuit in there somewhere.

EDITED TO ADD (11/30): Business Week has a good article on the topic.

Posted on November 21, 2005 at 04:34 PM • 37 Comments • View Blog Reactions

Reminiscences of a 75-Year-Old Jewel Thief

The amazing story of Doris Payne:

Never did she grab the jewels and run. That wasn't her way. Instead, she glided in, engaged the clerk in one of her stories, confused them and easily slipped away with a diamond ring, usually to a waiting taxi cab.

Don't think that she never got caught:

She wasn’t always so lucky. She’s been arrested more times than she can remember. One detective said her arrest report is more than 6 feet long — she’s done time in Ohio, Kentucky, West Virginia, Colorado and Wisconsin. Still, the arrests are really “just the tip of the iceberg,� said FBI supervisory special agent Paul G. Graupmann.

Posted on November 21, 2005 at 03:00 PM • 24 Comments • View Blog Reactions

Possible Net Objects Fusion 9 Vulnerability

I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.

Beta testers have discovered a serious security flaw that exposes a site created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and log in info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).

The vulnerability is easy to exploit. In your browser enter:
http://domain.com/_versioning_repository_/rollbacklog.xml

Now enter:
http://domain.com/_versioning_repository_/n.zip, where n is the number you got from rollback.xml.

Then, open Fusion and create a new site from the d/l'ed template. Edit and republish.

This means that anyone can edit a NOF9 site and get any usernames and passwords involved in it. Every site using versioning in NOF9 is exposing their site.

Website Pros has refused to fix the hole. The only concession that they have made is to put a warning in the publishing dialog box telling the user to "Please make sure your profiles repository are [sic] stored in a secure area of your remote server."

I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word. I don't know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.

Posted on November 21, 2005 at 12:31 PM • 12 Comments • View Blog Reactions

Automatic Lie Detector

Coming soon to airports:

Tested in Russia, the two-stage GK-1 voice analyser requires that passengers don headphones at a console and answer "yes" or "no" into a microphone to questions about whether they are planning something illicit.

The software will almost always pick up uncontrollable tremors in the voice that give away liars or those with something to hide, say its designers at Israeli firm Nemesysco.

Fascinating.

In general, I prefer security systems that are invasive yet anonymous to ones that are based on massive databases. And automatic systems that divide people into a "probably fine" and "investigate a bit more" categories seem like a good use of technology. I have no idea whether this system works (there is a lot of evidence that it does not), what the false positive and false negative rates are (this article states a completely useless 12% false positive rate), or how easy it would be to learn how to fool the system, though. And in all of these trade-off discussions, the devil is in the details.

Posted on November 21, 2005 at 08:07 AM • 26 Comments • View Blog Reactions

Cartoon

Security theater humor.

Posted on November 19, 2005 at 10:31 AM • 15 Comments • View Blog Reactions

Prisons and Guards

This Iowa prison break illustrates an important security principle:

State Sen. Gene Fraise said he was told by prison officials that the inmates somehow got around a wire that is supposed to activate an alarm when touched. The wall also had razor wire, he said.

"The only thing I know for sure is they went over the wall in the southwest corner with a rope and a grappling hook they fashioned out of metal from somewhere," Fraise said.

Fred Scaletta, a Corrections Department spokesman, said the inmates used upholstery webbing, a material used by inmates who make furniture at a shop inside the prison, to scale the wall. The guard tower in that section of the prison was unmanned at the time because of budget cuts, he said.

"I don't want to say I told you so, but those towers were put there for security, and when you don't man those towers, that puts a hole in your security," Fraise said.

Guards = dynamic security. Tripwires = static security. Dynamic security is better than static security.

Unfortunately, some people simply don't understand the fundamentals of security:

State Rep. Lance Horbach, a Republican, criticized Fraise for suggesting budget cuts were a factor in the escape.

"In reality, we should explore why the taut wire system failed to alert guards and security staff that these two convicts were attempting to escape," he said.

Actually, in reality you should be putting guards in the guard towers.

Posted on November 18, 2005 at 03:34 PM • 42 Comments • View Blog Reactions

Fraud and Western Union

Western Union has been the conduit of a lot of fraud. But since they're not the victim, they don't care much about security. It's an externality to them. It took a lawsuit to convince them to take security seriously.

Western Union, one of the world's most frequently used money transfer services, will begin warning its customers against possible fraud in their transactions.

Persuading consumers to send wire transfers, particularly to Canada, has been a popular method for con artists. Recent scams include offering consumers counterfeit cashier's checks, advance-fee loans and phony lottery winnings.

More than $113 million was swindled in 2002 from U.S. residents through wire transfer fraud to Canada alone, according to a survey conducted by investigators in seven states.

Washington was one of 10 states that negotiated an $8.5 million settlement with Western Union. Most of the settlement would fund a national program to counsel consumers against telemarketing fraud.

In addition to the money, the company has agreed to increase fraud awareness at more than 50,000 locations, develop a computer program that would spot likely fraud-induced transfers before they are completed and block transfers from specific consumers to specific recipients when the company receives fraud information from state authorities.

Posted on November 18, 2005 at 11:06 AM • 106 Comments • View Blog Reactions

Ex-MI5 Chief Calls ID Cards "Useless"

Refreshing candor:

The case for identity cards has been branded "bogus" after an ex-MI5 chief said they might not help fight terror.

Dame Stella Rimington has said most documents could be forged and this would render ID cards "useless".

[...]

She said: "ID cards have possibly some purpose.

"But I don't think that anybody in the intelligence services, particularly in my former service, would be pressing for ID cards.

"My angle on ID cards is that they may be of some use but only if they can be made unforgeable - and all our other documentation is quite easy to forge.

"If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.

"ID cards may be helpful in all kinds of things but I don't think they are necessarily going to make us any safer."

Posted on November 18, 2005 at 06:48 AM • 26 Comments • View Blog Reactions

U.S. Compromises Canadian Privacy

A Canadian reporter was able to get phone records for the personal and professional accounts held by Canadian Privacy Commissioner Jennifer Stoddart through an American data broker, locatecell.com. The security concerns are obvious.

Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that's the only reason we haven't seen an American reporter pull phone records on one of our government officials.

Posted on November 17, 2005 at 02:32 PM • 21 Comments • View Blog Reactions

Hackers and Criminals

More evidence that hackers are migrating into crime:

Since then, organised crime units have continued to provide a fruitful income for a group of hackers that are effectively on their payroll. Their willingness to pay for hacking expertise has also given rise to a new subset of hackers. These are not hardcore criminals in pursuit of defrauding a bank or duping thousands of consumers. In one sense, they are the next generation of hackers that carry out their activities in pursuit of credibility from their peers and the 'buzz' of hacking systems considered to be unbreakable.

Where they come into contact with serious criminals is through underworld forums and chatrooms, where their findings are published and they are paid effectively for their intellectual property. This form of hacking - essentially 'hacking for hire' - is becoming more common with hackers trading zero-day exploit information, malcode, bandwidth, identities and toolkits underground for cash. So a hacker might package together a Trojan that defeats the latest version of an anti-virus client and sell that to a hacking community sponsored by criminals.

Posted on November 17, 2005 at 12:25 PM • 15 Comments • View Blog Reactions

Sony's DRM Rootkit: The Real Story

This is my sixth column for Wired.com:

It's a David and Goliath story of the tech blogs defeating a mega-corporation.

On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it.

The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows.

This story was picked up by other blogs (including mine), followed by the computer press. Finally, the mainstream media took it up.

The outcry was so great that on Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough -- on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free.

But that's not the real story here.

It's a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers' computers. When its actions were first discovered, Sony offered a "fix" that didn't remove the rootkit, just the cloaking.

Sony claimed the rootkit didn't phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, "Most people don't even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony's apology only admits that its rootkit "includes a feature that may make a user's computer susceptible to a virus written specifically to target the software."

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony's latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement. But even that is not the real story.

It's an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security's displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story.

This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony boycott. After all, if you can't trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That's a good question, but -- again -- not the real story.

It's yet another situation where Macintosh users can watch, amused (well, mostly) from the sidelines, wondering why anyone still uses Microsoft Windows. But certainly, even that is not the real story.

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

You might expect Microsoft to be the first company to condemn this rootkit. After all, XCP corrupts Windows' internals in a pretty nasty way. It's the sort of behavior that could easily lead to system crashes -- crashes that customers would blame on Microsoft. But it wasn't until Nov. 13, when public pressure was just too great to ignore, that Microsoft announced it would update its security tools to detect and remove the cloaking portion of the rootkit.

Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light.

Bad security happens. It always has and it always will. And companies do stupid things; always have and always will. But the reason we buy security products from Symantec, McAfee and others is to protect us from bad security.

I truly believed that even in the biggest and most-corporate security company there are people with hackerish instincts, people who will do the right thing and blow the whistle. That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.

Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?

We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

EDITED TO ADD (11/17): SlashDotted.

EDITED TO ADD (11/19): Details of Sony's buyback program. And more GPL code was stolen and used in the rootkit.

Posted on November 17, 2005 at 09:08 AM • 152 Comments • View Blog Reactions

Identity Theft Over-Reported

I'm glad to see that someone wrote this article. For a long time now, I've been saying that the rate of identity theft has been grossly overestimated: too many things are counted as identity theft that are just traditional fraud. Here's some interesting data to back that claim up:

Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft. But what exactly is identity theft?

The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone's "means of identification" — including a credit card. So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.

Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn't force anyone to hide in a cave.

Federal law caps our personal liability at $50, and even that amount is often waived. That's why surveys have found that about two-thirds of people classified as identity theft victims end up paying nothing out of their own pockets.

The more pernicious versions of identity theft, in which fraudsters use someone else's name to open lines of credit or obtain government documents, are much rarer.

Consider a February survey for insurer Chubb Corp. of 1,866 people nationwide. Nearly 21 percent said they had been an identity theft victim in the previous year.

But when the questioners asked about specific circumstances -- and broadened the time frame beyond just the previous year -- the percentages diminished. About 12 percent said a collection agency had demanded payment for purchases they hadn't made. Some 8 percent said fraudulent checks had been drawn against their accounts.

In both cases, the survey didn't ask whether a faulty memory or a family member -- rather than a shadowy criminal -- turned out to be to be the culprit.

It wouldn't be uncommon. In a 2005 study by Synovate, a research firm, half of self-described victims blamed relatives, friends, neighbors or in-home employees.

When Chubb's report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent -- one in 41 people -- said yes.

So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services? That statistic, which would amount to about one in 22 adults, also might not be what it seems.

The figure arose in a 2003 report by Synovate commissioned by the Federal Trade Commission. A 2005 update by Synovate put the figure closer to 9 million.

Both totals include misuse of existing credit cards.

Subtracting that, the identity theft numbers were still high but not as frightful: The FTC report determined that fraudsters had opened new accounts or committed similar misdeeds in the names of 3.2 million Americans in the previous year.

The average victim lost $1,180 and wasted 60 hours trying to resolve the problem. Clearly, it's no picnic.

But there was one intriguing nugget deep in the report.

Some 38 percent of identity theft victims said they hadn't bothered to notify anyone -- not the police, not their credit card company, not a credit bureau. Even when fraud losses purportedly exceeded $5,000, the kept-it-to-myself rate was 19 percent.

Perhaps some people decide that raising a stink over a wrongful charge isn't worth the trouble. Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues.

"That's not identity theft," he said. "I'm just confident if you saw a charge that wasn't yours, you'd contact somebody."

Identity theft is a serious crime, and it's a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren't.

Posted on November 16, 2005 at 01:21 PM • 36 Comments • View Blog Reactions

Stride-Based Security

Can a cell phone detect if it is stolen by measuring the gait of the person carrying it?

Researchers at the VTT Technical Research Centre of Finland have developed a prototype of a cell phone that uses motion sensors to record a user's walking pattern of movement, or gait. The device then periodically checks to see that it is still in the possession of its legitimate owner, by measuring the current stride and comparing it against that stored in its memory.

Clever, as long as you realize that there are going to be a lot of false alarms. This seems okay:

If the phone suspects it has fallen into the wrong hands, it will prompt the user for a password if they attempt to make calls or access its memory.

Posted on November 16, 2005 at 06:26 AM • 29 Comments • View Blog Reactions

Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

Posted on November 15, 2005 at 03:16 PM • 57 Comments • View Blog Reactions

Hans Bethe on Security

Hans Bethe was one of the first nuclear scientists, a member of the Manhattan Project, and a political activist. In this article about him, there's a great quote:

Sometimes insistence on 100 percent security actually impairs our security, while the bold decision -- though at the time it seems to involve some risk -- will give us more security in the long run.

Posted on November 15, 2005 at 12:41 PM • 6 Comments • View Blog Reactions

NSA for Kids

The NSA has a site for kids.

Crypto Cat, Decipher Dog, and friends.

Posted on November 15, 2005 at 07:41 AM • 27 Comments • View Blog Reactions

Airport Security Against Chemical and Biological Terrorism

There's a new report from Sandia National Laboratories (written with Lawrence Berkeley National Laboratory) titled "Guidelines to Improve Airport Preparedness Against Chemical and Biological Terrorism." It's classified, but there's an unclassified version available. (Press release. Unclassified report.)

I haven't read it yet, but it looks interesting.

Posted on November 14, 2005 at 03:19 PM • 12 Comments • View Blog Reactions

Metadata in MS Office

Hidden metadata is in the news again. The New York Times reported that an unsigned Microsoft Word document being circulated by the Democratic National Committee was actually written by, wait for it, the Democratic National Committee.

Okay, so that's not much of a revelation, but it does serve to remind us that there can be all sorts of unintended information hidden in Microsoft Office documents. The particular bits of unintended information that precipitated this news story is the metadata.

Metadata is information on who created the file, what it was originally called, etc. To see your metadata, open a file, go to the "File" menu, and choose "Properties."

I'll bet at least some of you will be really surprised by what's in there. Not because it's secret, but because it has nothing to do with you or your document. That's because metadata follows the file, and not its contents.

Here's what I do when I want to create a MS Word document. Maybe it's a file I've written, and maybe it's a file I received from someone else. I find some other document that has basically the same style I want, open it up, delete all the contents, and save it under a new filename. MS Word doesn't change the metadata, so whatever was in the "Title," "Subject", "Author," "Company," and other fields of the original document remains in my new document. This means that occasionally those metadata fields are filled with information I've never seen of before and from who knows where. I'm sure I'm not the only one who uses this trick to avoid dealing with MS Word stylesheets. So metadata is much less a smoking gun than many make it out to be.

I don't mean this to minimize the problem of hidden data in Microsoft Office documents. It's not just the metadata, but comments, deleted parts of the document, even parts of other documents (it's happened).

I have two recommendations regarding Microsoft Office and hidden data. The first is to realize that programs like Word and Excel are designed for authoring documents, not for publishing them. Get into the habit of saving your documents into pdf before distributing them. (Although if you're going to redact a pdf document, be smart about it or you'll have similar problems.)

The second is to install Microsoft's tool for deleting hidden data. (Works for Office 2003; there are third-party tools for older versions.) Or at least read the page about deleting private data in MS Office files. And to follow through on deleting data.

This probably won't