Oz fed police in PDF redaction SNAFU

You can't make this stuff up: one of the lead agencies involved in agitating for Australia to implement a data retention regime has fallen prey to not knowing how to properly redact information in PDFs. The Guardian Australia which broke the story, saying documents the AFP provided to parliament contained the sensitive …

  1. Sorry that handle is already taken. Silver badge

    “one phone number and an address could, under certain circumstances, be accessed”

    I absolutely love police-speak. "Under certain circumstances" speak translates to "the select text tool".

    I remember when the FIA made the same mistake a few years back, accidentally publishing the salaries of some key engineers in F1 during their investigation of some "spying." That was funny though, it's a lot more scary when the AFP does it.

    1. Anonymous Coward
      Anonymous Coward

      You can but smile over this balls up, it's something that we have come to expect when any Government Agency uses technology.

      Gov and Tech in the same sentence? An Oxymoron if ever there was one.

  2. Mark 85

    Not the same bunch that didn't realize shared servers on one IP?

    And I thought we had idiots running things here in the States. Is idiocy contagious?

    1. Captain DaFt

      Re: Not the same bunch that didn't realize shared servers on one IP?

      To quote some old parable from long ago:

      "Why are you so bad at this? You're the cream of the crop!"

      A voice from the back: "Scum also rises."

      1. Anonymous Coward
        Trollface

        Re: Not the same bunch that didn't realize shared servers on one IP?

        "You're the cream of the crop!"

        ALL THE CLOTS!!!!!!

    2. Anonymous Coward
      Anonymous Coward

      Re: Not the same bunch that didn't realize shared servers on one IP?

      > And I thought we had idiots running things here in the States. Is idiocy contagious?

      At government level, yes. They tend to infect each other at those high brow meetings that are named "G" and a number, like G8. You can spot the signs: the ability to count goes first, which is why the number after the "G" never matches the actual countries present.

  3. Anonymous Coward
    Anonymous Coward

    Same AFP who seriously botched the Haneef "terror" case

    http://en.wikipedia.org/wiki/Muhamed_Haneef

    1. Sorry that handle is already taken. Silver badge

      And the same AFP that seriously botched the Colin Winchester murder case

      Whether or not David Eastman is guilty, his conviction has just been quashed, 19 years later, as a result of the ridiculous way the investigation and prosecution were handled.

  4. dan1980

    This is one of the core problems with any surveillance/data-collection programs - sensitive data will get out or be misused. Whether it's a genuine mistake, insufficient oversight, poor education, bad practices, malicious intent or self-serving individuals, it will happen.

    The best way to prevent this is just to make sure the information is not recorded in the first place.

    That's not overly helpful so in practice you must restrict the data to ONLY what is needed. This is achieved by careful selection of what data is collected and then applying ruthlessly strict controls over who can access what and when, coupled with all-pervading oversight and enforced punishments for any lapses.

    The biggest issue and the reason this discussion keeps getting bogged-down is that those who want this retention are unwilling to be honest and upfront about the risks. In their rhetoric, there are no risks - everything is completely safe, locked-down and no one has any cause to worry.

    The truth, however, is that the more information they have access to and the more easily they can access that information, the higher the risk to the public. Once that is admitted and out in the open, we can all have an honest discussion about how much risk we want to accept.

    But of course there is no interest in having an open conversation with the public.

    1. David Pollard

      Open conversation

      " ... of course there is no interest in having an open conversation with the public."

      Yet this would bring greater security than almost anything else that could be done. It's one of the factors that keep democracies stable.

      1. Anonymous Coward
        Anonymous Coward

        Re: Open conversation

        > " ... of course there is no interest in having an open conversation with the public."
        >
        > Yet this would bring greater security than almost anything else that could be done. It's one of the factors that keep democracies stable.

        It's never about security for the public - it's about profit for the few. Hence the lack of interest in discussion - if it gets too honest, profits diminish because true democracies have this pesky demand to see value for money.

    2. Adam 1

      BUT, er Team Australia!

  5. Adrian Midgley 1

    Plain Text

    has something to be said for it.

    What actually do PDFs usually have in them that improves on that?

    1. Pascal Monett Silver badge

      The only benefit of PDF is that it is not modifiable.

      That is why it is so widely used.

      1. bpfh
        Boffin

        But in the end you can modify PDF's...

        Unless they are bitmap only (where you need an image manipulation app...).

        1. Anonymous Coward
          Anonymous Coward

          Re: But in the end you can modify PDF's...

          > Unless they are bitmap only (where you need an image manipulation app...).

          If the resolution is good (which is normally the case if it's digital output) you can OCR most of it and cut out the images, then re-assemble it in any word processor. It's not even that much work.

          However, bitmap rendering is ESSENTIAL when you have to blank out stuff because that's the only way you can be certain the content underneath the blanked out parts is actually gone. I cannot believe they didn't do that.

          1. Sorry that handle is already taken. Silver badge

            Re: But in the end you can modify PDF's...

            > I cannot believe they didn't do that

            I can!
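The point made in this sub-thread, that a black box drawn over text leaves the text in the file while a rasterised page does not, shown as an added pre-release check (not part of the original comments). The helper names and both sample content streams are constructed for illustration.

```python
import re
import zlib

# Example code added for illustration; helper names are hypothetical.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# A literal string followed by a text-showing operator, or a TJ array.
SHOW_RE = re.compile(rb"\((?:\\.|[^\\()])*\)\s*(?:Tj|'|\")|\[[^\]]*\]\s*TJ")
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")

def content_streams(pdf_bytes):
    """Yield every stream body, inflated when it is Flate-compressed."""
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # not zlib data: treat as an uncompressed stream

def residual_text(pdf_bytes):
    """Return the literal strings that text operators still draw.

    Limits: hex strings (<...>), custom font encodings and other filters
    are not decoded, so an empty list is a first check, not proof.
    """
    found = []
    for body in content_streams(pdf_bytes):
        for show in SHOW_RE.finditer(body):
            parts = LITERAL_RE.findall(show.group(0))
            found.append(b"".join(parts).decode("latin-1"))
    return found

def stream_object(content, compress=False):
    """Build a constructed PDF stream object around a page content stream."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    head = b"4 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
    return head + body + b"\nendstream\nendobj\n"

# Constructed sample 1: text, then a filled black rectangle painted over it.
OVERLAY = (b"BT /F1 12 Tf 72 700 Td (Phone: 555-0100) Tj ET\n"
           b"0 g 70 695 130 16 re f\n")
# Constructed sample 2: the page is one full-page image, no text operators.
RASTER = b"q 612 0 0 792 0 0 cm /Im0 Do Q\n"

if __name__ == "__main__":
    print(residual_text(stream_object(OVERLAY)))
    print(residual_text(stream_object(OVERLAY, True)))
    print(residual_text(stream_object(RASTER)))
```

Stream compression hides the text from a plain string search but not from this check, which is why both forms of the overlay sample are included.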

      2. Vic

        > The only benefit of PDF is that it is not modifiable.

        Errr - PDFs are easily modifiable..

        Vic.

        1. Swarthy
          Devil

          PDFs are believed to be non-modifiable.

          According to many managerial/HR types PDFs are not modifiable. You can change the data in a form, but the text and images of a PDF are inviolate.

          When I get a new employment contract I have to resist the temptation to abuse this belief, and alter the contract (add an extra 0 to the salary, remove the clauses for termination with cause, etc.)

      3. Anonymous Coward
        Anonymous Coward

        > The only benefit of PDF is that it is not modifiable.

        PDFs immutable? That was once - long ago. Now you can just stick it in a PDF editor. Even those flagged as non-changeable you can simply reproduce - stick the content in a word processor and print a PDF yourself, and presto. As long as you get it in digital format you can do pretty much what you want - exactly because of that widespread belief.

        A few years ago I amused myself for a while by changing PDF contracts and putting all sorts of weird stuff in there - not to use it, but just to prove the point. When people send a PDF contract they indeed assume it cannot be changed, so as long as the first page looks the same and the last page ends roughly where the original ended, nobody tends to bother checking the pages in between - plenty of scope for entertainment. As long as you send them back a file with the pages slightly at an angle so it looks scanned, nobody will actually check :)

      4. razorfishsl

        It is modifiable…

        By two methods

        1. using a public domain PDF program that does not implement security

        2. By idiots not setting the security on the PDF.

    2. Paul Crawford Silver badge

      Re: Plain Text

      Another benefit of PDFs is they actually retain the correct/intended page layout on different systems (unlike Word, etc, where changes in software version, local printer settings, etc, alter the layout).

  6. chris lively
    Mushroom

    Security by Obscurity...

    Security by Obscurity fails again.

    Shouldn't they have a training class on this by now?

  7. phil dude
    Coat

    the uk banks have it sussed....

    Ask the bank for a subject access request for your statements, and get back scans of printed material halfway redacted. Guaranteed to require manual parsing...

    P.

  8. JeffyPoooh
    Pint

    ██████████████

    <SPAN style="BACKGROUND-COLOR: black">This is *NOT* redaction.</SPAN>

    This *IS* █████████.

  9. Anonymous Coward
    FAIL

    Well, the good news about surveillance state goons....

    Is that they seem to be really, really DUMB. God help us if they ever get smart.

    Some choice examples:

    1. We're only doing what Google or Facebook are doing! (Forgetting that Google or Facebook could go out of business tomorrow if they piss off enough customers, whereas your average, even demonstrably abusive government bureaucracy is harder to kill than an army of steroid-enhanced super-fertile cockroaches)

    2. We're in charge of worldwide data communications interception, storage and analysis, but we have no idea how many files defector X took with him!

    3. This article's "We're in charge of data confidentiality, but (oops!!) we just leaked that you were once investigated for tax fraud or drug smuggling."

    Frickin' numbskulls, all of them. At least in the private sector you pretty much have to get hacked, or at least lose a laptop or flash drive to get this kind of material out into the public.
