Tuesday, December 8, 2009

Redaction FAIL

by Iron Knee

Back in the days when I was frequently negotiating legal contracts, I had a trick I sometimes used to gain an unfair advantage. Most legal documents would be sent back in forth in electronic form, typically using Microsoft Word. But what most lawyers didn't realize was that when you deleted something from a document, Word didn't actually delete it from the document source, it just didn't display it.

So it was relatively easy to open the document source in a programming editor and see what sections the opposing side had deleted. Companies often write new contracts by simply copying some other similar contract they had previously negotiated and making changes to it, so we could easily see what terms they had given in other similar deals, which needless to say gave us a negotiating advantage.

Microsoft has long since removed that feature, but I was reminded of it today when I read about a monumental screwup by the Transportation Security Administration, which is part of the Department of Homeland Security. It seems that the TSA posted their Screening Management Standard Operating Procedure document to the web last March. This is the document that defines who and what gets screened at airports, so is obviously something that we shouldn't let terrorists read.

So what did TSA do? On every page, they have a warning notice (in capital letters, even):

SENSITIVE SECURITY INFORMATION
WARNING: THIS RECORD CONTAINS SENSITIVE SECURITY INFORMATION THAT IS CONTROLLED UNDER 49 CFR PARTS 15 AND 1520. NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A "NEED TO KNOW" …

This clearly says that no part can be disclosed, so shouldn't they not be posting it to the web? But that's ok, because they carefully redacted it.

But here is the ironic part. They did the redaction by drawing black boxes in the document over text they didn't want people to read. So the redacted text is still there. In fact, reading it is simple: all you have to do is select the text containing the redaction using your computer's standard cut and paste commands, and then paste it into a different document. Voila, the black boxes are gone, and you can read the secret message.

Sadly, the government agency that is responsible for our nation's security doesn't seem to know the first thing about electronic security.

http://politicalirony.com/2009/12/07/redaction-fail/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+politicalirony+%28Political+Irony%29

No comments: