Wednesday, December 09, 2009

TSA Oops

You may have heard on the news that the TSA (temporarily) put up their Screening Management Standard Operating Procedure on the web. As pointed out on this blog (and elsewhere), they made a small error:

"So the decision to publish it on the Internet is probably a questionable one. On top of that, however, is where the real idiocy shines. They chose to publish a redacted version of the document, hiding all the super-important stuff from the public. But they apparently don’t understand how redaction works in the electronic document world. See, rather than actually removing the offending text from the document they just drew a black box on top of it. Turns out that PDF documents don’t really care about the black box like that and the actual content of the document is still in the file."

Oops. Apparently, somebody hasn't read Harry Lewis's book Blown to Bits; the start of Chapter 3 discusses several similar cases where somebody thought they had redacted something from a PDF file... but didn't.

5 comments:

Anonymous said...

At some point, you have to say that this is as much a software problem as a user problem. Users expect redaction to work electronically. Perhaps they should know better by now. But the software developers should really just have fixed it to work the way it should.

Harry Lewis said...

Except that I'll bet they just used the highlighter tool and changed the color to black. that seems to happened enough times that the developers could put a warning message when someone tries to do that, though.

Anonymous said...

Yeah, but removing the black boxes is punishable under the DMCA. You're not supposed to be "hacking" the document--you should print it first and then pretend it's unreadable!

ben said...

MediaCurves.com conducted a study among 665 Americans viewing a news clip featuring the leak of the TSA (Transportation Security Administration) security manual on the Internet. Results found that the percentage of viewers who reported feeling “not at all safe” with air travel drastically increased after viewing the news clip about the leak. The percentage of viewers who reported feeling “safe” in an airport decreased from 47% to 28% after viewing the video and the percentage of viewers who reported that the government does an adequate job of maintaining air travel safety fell from 70% to 42% after viewing the video. More in depth results can be seen at:
http://www.mediacurves.com/NationalMediaFocus/J7673-AirportScreeningManual/Index.cfm
Thanks,
Ben

Harry Lewis said...

You know, I am amazed that so many people think that the TSA rituals have solved the airline security problems. It has been known for years (thanks, Chris Soghoian) that you can print a bogus boarding pass in your real name to get past security with your actual ID, and then get on the plane even if you are on the no-fly list by producing a real boarding pass for a ticket booked in a phony name. They don't check IDs at the gate and they don't scan the boarding pass at security. Yet I have been at very high level discussions where people talk about our success in cybersecuring our airline transportation system. (At least you can't check a bag this way, since they now check your ID and scan your boarding pass when you do that.)