NEWS FROM THE LAB - Wednesday, December 16, 2009

How Not To Redact Confidential Information Posted by Mikko @ 13:59 GMT

We read with interest about yet another PDF redaction snafu.

This time it was the attorney of TJX / 7-11 hacker Albert Gonzalez, who filed an indictment that had been redacted digitally and was then posted online as a PDF file, making it trivial to recover the original unredacted text.


Last week the US Transportation Security Administration (TSA) placed five employees on administrative leave after a digitally "redacted" security procedures document was posted online.


Most people who have heard of digital redaction problems think they amount to being able to copy and paste the "redacted" text out of the document.

But the problem is deeper than that. Most users only have a PDF reader on their system (and most of those have Adobe Reader specifically, unfortunately).

Because all they can do with a PDF file is read it, they assume PDF files are read-only. They are not.

Even most of the users who do create PDF files do it through a virtual printer: they prepare the document in, say, Word, then just "print" it to a PDF file. They never edit the PDF itself.

However, there's a wide variety of PDF editors available. With a PDF editor you can open any PDF file and modify it in any way you want, including selecting the black redaction boxes and moving them away, uncovering the content underneath. The box is just another drawing object placed on top of the text; the text itself is still in the file.

Here's a video from our YouTube channel that shows just how easy it is.

(Video — How Not To Redact a PDF File)
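To show in bytes what the video shows in pixels, here is an added example (not part of the original post, and not F-Secure's code): a Python script that builds a constructed one-page PDF whose content stream draws a witness name and then paints a black rectangle over it, exactly the overlay "redaction" described above. A few lines of standard-library parsing pull the string straight back out of the content stream, because the box never removed it. The same script then shows what real redaction has to do: delete the bytes from the stream before drawing the box. The PDF builder, the sample text and the box coordinates are all constructed for this example; the toy parser only handles direct /Length values and simple string literals, enough for this file but not for arbitrary PDFs.

```python
import re
import zlib

# Constructed sample page: one line of text placed at (72, 700) with a 12pt font.
PAGE_TEXT = b"BT /F1 12 Tf 72 700 Td (Witness name: Jane Doe) Tj ET\n"
# A filled black rectangle positioned over where the name is drawn (coordinates assumed).
BLACK_BOX = b"0 0 0 rg 150 696 90 16 re f\n"


def overlay_redact(content: bytes) -> bytes:
    """The broken way: paint a box over the text and leave the Tj operator in place."""
    return content + BLACK_BOX


def true_redact(content: bytes, secret: bytes) -> bytes:
    """The right way: remove the bytes from the content stream, then paint the box."""
    return content.replace(secret, b"") + BLACK_BOX


def build_pdf(content: bytes) -> bytes:
    """Wrap a content stream in a minimal, valid one-page PDF (Flate-compressed stream)."""
    compressed = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref)
    return bytes(out)


def content_streams(pdf: bytes):
    """Yield every stream body, decompressed when it is FlateDecode-encoded.

    Toy parser: it reads a direct /Length value only; indirect references such as
    '/Length 6 0 R', object streams and other filters are not handled.
    """
    for m in re.finditer(rb"<<([^>]*?)/Length (\d+)([^>]*?)>>\s*stream\r?\n", pdf):
        start = m.end()
        raw = pdf[start:start + int(m.group(2))]
        if b"/FlateDecode" in m.group(1) + m.group(3):
            raw = zlib.decompress(raw)
        yield raw


def shown_strings(content: bytes) -> list:
    """Return the literal strings handed to the Tj text-showing operator."""
    # Simple literals only: the sample has no nested parentheses or escape sequences.
    return [s.decode("latin-1") for s in re.findall(rb"\(([^()]*)\)\s*Tj", content)]


def recover_text(pdf: bytes) -> list:
    """What a PDF editor sees once the box is moved aside: every string still in the streams."""
    found = []
    for stream in content_streams(pdf):
        found.extend(shown_strings(stream))
    return found


if __name__ == "__main__":
    for label, page in (("overlay", overlay_redact(PAGE_TEXT)),
                        ("true", true_redact(PAGE_TEXT, b"Jane Doe"))):
        print(label, "->", recover_text(build_pdf(page)))
```

Run it and the overlay version yields the full line, name included, while the true redaction yields only the prefix. A real redaction tool has to do considerably more than this script (TJ arrays, glyph-mapped subset fonts, images, annotations, incremental-update history and document metadata), which is exactly why "move the box" recoveries keep happening.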

So, how to publish these securely then?

It's easy. There are several ways. We recommend the following…

Print the redacted document to paper.

Then scan it back as a PDF file.

Blam! No problems. The scanned file contains only an image of the page: there is no hidden text layer, no edit history and none of the original document's metadata left to recover.