PDF Redacting Failure

I wasn't going to even bother writing about this, but I got too many e-mails from people.

We all know that masking over the text of a PDF document doesn't actually erase the underlying text, right?

Don't we?

Seems like we don't.

Italian media have published classified sections of an official US military inquiry into the accidental killing of an Italian agent in Baghdad.

A Greek medical student at Bologna University who was surfing the web early on Sunday found that with two simple clicks of his computer mouse he could restore censored portions of the report.

Posted on May 3, 2005 at 9:11 AM • 24 Comments

Comments

Jim ThompsonMay 3, 2005 10:37 AM

The US government has all sorts of regulations for how classified material must be handled, and where it can be stored. (What kind of file cabinet can be used to store classified documents, for example.) Does the government not also have regulations for what kind of software can handle classified documents? Or are those regs just being ignored? Given the many failures of PDF to protect classified information, it would seem prudent to ban Acrobat as a handler of classified information, convenience be damned.

Precision BloggerMay 3, 2005 10:48 AM

At least some of the time, when this happenes, I'm sure the person who "censored" the document knew perfectly well how easy it would be to restore it, and was happy to pull this trick, feeling that it wa important to disseminate the uncensored material.

Similarly, two years ago at Salon.com, when the website asked you to login or get a daypass, you could click the "back" button on your browser to bypass the login screen. I'm sure this was done on purpose by a website developer who disagreed with the login requirement.


- The Precision Blogger
http://precision-blogging.blogspot.com

RampoMay 3, 2005 10:51 AM

First the US became unpopular in Italy for the shooting of Calipari (fault irrelevant) -- now the US has blown the cover of the second secret service agent in the car, inflicting another blow to Italy. Caspita!

Davi OttenheimerMay 3, 2005 11:13 AM

@Precision

I believe you are referring to the subject of yesterday's log entry:

"Users Disabling Security
It's an old story: users disable a security measure because it's annoying, allowing an attacker to bypass the measure."

Did the pdf author intentionally "disable" security, or did they make an unreasonable and uninformed decision about the risk/reward of using Adobe products?

Davi OttenheimerMay 3, 2005 11:15 AM

Bruce, perhaps you should have added to yesterday's log "we all know that disabling buzzers and leaving doors unlocked does not prevent people from gaining unlawful entry, right?"

Sardinian PerspectiveMay 3, 2005 12:00 PM

Was this leak a deliberate mistake?

Since it happened
the Italian public opinion has now
begun to sympathize with the
stressed out soldier who shot the
wrong car in fear.

Clearly the US would never admit
liability officially. This leak lets them
say sorry in an informal manner.

Jeff KorpaMay 3, 2005 12:23 PM

>Does the government not also have regulations for what
>kind of software can handle classified documents? Or
>are those regs just being ignored? Given the many
>failures of PDF to protect classified information, it
>would seem prudent to ban Acrobat as a handler of
>classified information, convenience be damned.

There are "TD" (Trusted Download) procedures for moving unlassified info off of classified systems. In my experience, TD for electronic media is something that must be specifically aproved by the government. In addition TD's can only be performed by people who have had a TD briefing. The number of people authorized to do TD is kept intentionally small.

Also, there are only a handfull of acceptable file formats that one may perfom TD on. *.txt files is one. If the material in question is not one of the acceppted file formats, the person performing the TD must convert said material to the proper format. Otherwise, the document stays classified.

When performing the TD, there is a strict procedure (typically a checklist) one must folow.

In addition, before a person can finish a TD, a knowledgable authority must review and sign off on the material. A record of the TD (i.e. who, what, where, when) is kept on file, usually with the local Information Security Officer (ISO).

The problem I've seen is that people think that TD is a way to de-classify material when it isn't.

Since the .pdf has SECRET NONFORN material in it, there is no way it should have been TDd, even if was a .txt file. There was some serious cluelessness at multiple points in the stream of events that caused a serious breach of security.

Jeff KorpaMay 3, 2005 12:33 PM

I need to clarify something:

>If the material in question is not one of the
>acceppted file formats, the person performing
>the TD must convert said material to the proper
>format. Otherwise, the document stays
>classified.

If an unclassified document is on a classified system, the document is considered classified. So, even if you know a particular document 100% unclassified, it is still classified by virtue of the fact that it is on a classified system. It is like there are two types of "classified" -- de facto and de jure.

gary heathMay 4, 2005 1:20 AM

The problem is that smaller companies like ours with better solutions for publishing with content security / redaction can't easily get market awareness against established content publishing standards like PDF.

Chung LeongMay 4, 2005 12:08 PM

Is there even a blackout feature in Acrobat? It looks like the document was originally in Word, and the censor just changed the background color to black.

Hugh NoeMay 5, 2005 7:41 AM

It's extremely unlikely that a PDF document was redacted. More likely is that a Word document was redacted, as a previous comment suggests, and then was converted to PDF with the mistaken belief that this would remove the "redacted" data since converting does remove other hidden data from Word documents.

MospawMay 10, 2005 7:05 AM

The amazing thing is it's just as easy to create a properly redacted PDF, where the removed information is no longer available, as it is to create the other kind. Simply scan a redacted document from paper, convert to a pure binary bitmap (black or white, no gray scale), and throw the results into a PDF. There's no way to "get behind" the redactions.

Another alternative is to alter the text before creating the PDF, such as replacing redacted information with "XXXXX".

The first option has the benefit of being secure but the disadvantage of not having the text selectable. The second option has selectable text, but is more subject to errors if the editing is sloppy.

munikosMay 31, 2005 8:46 AM

At least some of the time, when this happenes, I'm sure the person who "censored" the document knew perfectly well how easy it would be to restore it, and was happy to pull this trick, feeling that it wa important to disseminate the uncensored material.

---------
http://medlem.jubii.dk/telechargernero/

Telecharger MSNAugust 27, 2005 2:36 PM

of course all the time people that "owns the world" are handling the news that may or may not appear in the news... so we can only see whatever they want us to see... always was like this...

brown steinAugust 27, 2005 10:15 PM

Italian media have published classified sections of an official US military inquiry into the accidental killing of an Italian agent in Baghdad.

A Greek medical student at Bologna University who was surfing the web early on Sunday found that with two simple clicks of his computer mouse he could restore censored portions of the report.

TugJobsSeptember 20, 2005 1:41 PM

The amazing thing is it's just as easy to create a properly redacted PDF, where the removed information is no longer available, as it is to create the other kind. Simply scan a redacted document from paper, convert to a pure binary bitmap (black or white, no gray scale), and throw the results into a PDF. There's no way to "get behind" the redactions.

Another alternative is to alter the text before creating the PDF, such as replacing redacted information with "XXXXX".

The first option has the benefit of being secure but the disadvantage of not having the text selectable. The second option has selectable text, but is more subject to errors if the editing is sloppy.

AssparadeSeptember 21, 2005 12:28 AM

There are "TD" (Trusted Download) procedures for moving unlassified info off of classified systems. In my experience, TD for electronic media is something that must be specifically aproved by the government. In addition TD's can only be performed by people who have had a TD briefing. The number of people authorized to do TD is kept intentionally small.

Also, there are only a handfull of acceptable file formats that one may perfom TD on. *.txt files is one. If the material in question is not one of the acceppted file formats, the person performing the TD must convert said material to the proper format. Otherwise, the document stays classified.

When performing the TD, there is a strict procedure (typically a checklist) one must folow.

In addition, before a person can finish a TD, a knowledgable authority must review and sign off on the material. A record of the TD (i.e. who, what, where, when) is kept on file, usually with the local Information Security Officer (ISO).

The problem I've seen is that people think that TD is a way to de-classify material when it isn't.

Since the .pdf has SECRET NONFORN material in it, there is no way it should have been TDd, even if was a .txt file. There was some serious cluelessness at multiple points in the stream of events that caused a serious breach of security.

TugjobsOctober 4, 2005 7:50 PM

nice...Italian media have published classified sections of an official US military inquiry into the accidental killing of an Italian agent in Baghdad.

A Greek medical student at Bologna University who was surfing the web early on Sunday found that with two simple clicks of his computer mouse he could restore censored portions of the report.

bang busOctober 11, 2005 3:18 AM

It's extremely unlikely that a PDF document was redacted. More likely is that a Word document was redacted, as a previous comment suggests, and then was converted to PDF with the mistaken belief that this would remove the "redacted" data since converting does remove other hidden data from Word documents.

Camel ToeOctober 24, 2005 2:52 PM

The amazing thing is it's just as easy to create a properly redacted PDF, where the removed information is no longer available, as it is to create the other kind. Simply scan a redacted document from paper, convert to a pure binary bitmap (black or white, no gray scale), and throw the results into a PDF. There's no way to "get behind" the redactions.

Another alternative is to alter the text before creating the PDF, such as replacing redacted information with "XXXXX".

The first option has the benefit of being secure but the disadvantage of not having the text selectable. The second option has selectable text, but is more subject to errors if the editing is sloppy.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..