Delivered-To: | dds@aueb.gr |
Return-Path: | <risks-bounces+dds=aueb.gr@csl.sri.com> |
Received: | from mailgate-internal2.sri.com ([::ffff:128.18.84.104]) |
by blue.servers.aueb.gr with esmtp; Thu, 26 Aug 2004 21:19:41 +0300 | |
Received: | (qmail 2560 invoked from network); 26 Aug 2004 18:19:31 -0000 |
Received: | from localhost (HELO mailgate-internal2.SRI.COM) (127.0.0.1) |
by mailgate-internal2.sri.com with SMTP; 26 Aug 2004 18:19:31 -0000 | |
Received: | from postal.csl.sri.com ([130.107.1.19]) |
by mailgate-internal2.SRI.COM (SAVSMTP 3.1.2.35) with SMTP id M2004082611193010054 | |
for <dds@aueb.gr>; Thu, 26 Aug 2004 11:19:30 -0700 | |
Received: | from postal.csl.sri.com (localhost [127.0.0.1]) |
by postal.csl.sri.com (8.12.9p2/8.12.9) with ESMTP id i7QIJSZi032875 | |
for <dds@aueb.gr>; Thu, 26 Aug 2004 11:19:30 -0700 (PDT) | |
(envelope-from risks-bounces+dds=aueb.gr@csl.sri.com) | |
From: | RISKS List Owner <risko@csl.sri.com> |
Date: | Thu, 26 Aug 2004 10:47:55 PDT |
precedence: | bulk |
To: | risks-resend@csl.sri.com |
Message-ID: | <CMM.0.90.4.1093542475.risko@chiron.csl.sri.com> |
Cc: | |
Subject: | [RISKS] Risks Digest 23.50 |
List-Id: | RISKS <risks.csl.sri.com> |
List-Unsubscribe: | <http://lists.csl.sri.com/mailman/listinfo/risks>, |
<mailto:risks-request@csl.sri.com?subject=unsubscribe> | |
List-Post: | <mailto:risks@csl.sri.com> |
List-Help: | <mailto:risks-request@csl.sri.com?subject=help> |
List-Subscribe: | <http://lists.csl.sri.com/mailman/listinfo/risks>, |
<mailto:risks-request@csl.sri.com?subject=subscribe> | |
Sender: | risks-bounces+dds=aueb.gr@csl.sri.com |
Errors-To: | risks-bounces+dds=aueb.gr@csl.sri.com |
blue.servers.aueb.gr | |
version=2.63-20040415.180434 |
RISKS-LIST: Risks-Forum Digest Thursday 26 August 2004 Volume 23 : Issue 50 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/23.50.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Sequoia's new paper audit trail voting systems (PGN) New Mexico votes lost in 2000 (Jeremy Epstein) Mac Year 2004 bug (Tom Van Vleck) Ford dumps Oracle system after four years of trouble (Lindsay Marshall) Don't get stuck in the dark: a year later (Jeff Jonas) U.S. air travel without government identification (Dan Wallach) U.S. military sites offer a quarter million Microsoft Word documents (Diomidis Spinellis) The GTS Katie - A risk of privatization or outsourcing (Joshua Newman) Fire engine startup risks (J.D. Baldwin via Gary G. Taylor) Google as back door for pay-per-view information (Sergei Lewis) Network vandals face prison sentences (NewsScan) "EXIT" signs too high (Henry Baker) Re: U.K.: Don't smile for your passport picture! (James Moyer, Michael Bednarek) Re: Airport Express crypto broken by DVD Jon (Marshall Clow) REVIEW: "Computer Security for the Home and Small Office", Thomas C. Greene (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- [...] Date: Wed, 25 Aug 2004 23:33:02 +0300 From: Diomidis Spinellis <dds@aueb.gr> Subject: U.S. military sites offer a quarter million Microsoft Word documents I was Google-searching for the Air Force Operational Test & Evaluation Center publication "Software Maintainability - Evaluation Guide". To make my search more efficient I restricted it to military (.mil) sites, using the Google keyword "site:.mil". I was not able to find the publication I was looking for, but was surprised to see a number of Microsoft Word documents in the search results. Most comp.risks readers are surely aware that earlier versions of Word, running on earlier versions of Windows would include in unused portions of the document file anything that was previously in the memory space where Word was executing. A number of past comp.risks articles have documented embarrassing incidents of confidential data leaking through Microsoft Word documents; see for example RISKS-17.76, Thomas Gebe, "Risks of using Microsoft Word", and RISKS-21.40, Clive Page, "Word file turns into two disjoint texts". I then modified my search to look for Microsoft Word documents made available on the web by US military sites: http://www.google.com/search?q=+site%3A.mil+filetype%3Adoc The search reports about 266,000 results. I am aware that the US military implements a strict separation policy between operational computers and machines connected to the Internet, and that truly confidential data is probably stored in multilevel secure systems protected by mandatory access controls.[*] However, I doubt that no gems are to be found in such a large volume of inherently leaky data. Diomidis Spinellis - http://www.spinellis.gr Athens University of Economics and Business [* Probably not multilevel secure. More likely "system high" all aggregated together at a particular level such as Top Secret. PGN] ------------------------------ [...] End of RISKS-FORUM Digest 23.50 ************************