Whose file is it anyway?

One of the things that starting out as a computer science major does for you is give you a finer appreciation for just how buggy software is. While massive storage, middleware and caching, ever more sophisticated microprocessors, service-oriented architecture, and the like make things appear a little more reliable, the fact is it’s a miracle all of this stuff works half of the time.
The truth is, when it comes to security, your average application resembles Swiss cheese more than a Swiss bank in terms of the number of holes through which it may be compromised. Frequently, the path to poking through the holes and compromising an app’s security is through user-level controls (or the lack thereof).
There have been a number of recent examples of these types of security holes in situations as innocuous as document and file management. A good one involves Facebook, as documented in an InformationWeek article earlier this year entitled “25 Things Facebook Couldn’t Keep Secret in Court.”

 

As a senior product manager for Adobe surmised in the article: “At some point in the document’s workflow, it appears that someone added a white rectangle over white text in order to cover it. And that’s what they thought was sufficient to make that content undiscoverable. That’s not the right way to redact content.” No duh, as my teenage son would say.
Clever, but that’s nothing compared to some of the other PDF security holes plugged by Adobe this year. How about having an attacker take complete control of your computer? In March, CNET wrote about the zero-day Reader vulnerability that Adobe was scrambling to patch. Overall, document and file attacks have become a ripe area for bad guys, with twice as many PDF attacks in July as in all of the first half of 2008.
It’s no surprise. If, like me, you can remember working with Microsoft Office in the mid-1990s, then you probably remember the Concept virus (sometimes called the Normal.dot macro virus), which was all about exploiting Microsoft Word and Excel files. That was the first time I remember cleaning my PC and installing security software, Norton at the time.
But our ignorance of what’s in our files and the information they carry goes beyond the technical. For example, when was the last time you looked at or consciously modified the Properties of your MS-Office file? (Do you even know what or where file properties are?)
Well, the next time you have a moment, take a look at them. If you are running the last version of MS-Office, you can follow the sequence shown in the Scribd figures.

One of the things I’ve done for years is to add information to my summary file properties, to designate authorship, copyright, user permissions, and other important elements, just in case a form document or thought piece for a company of mine somehow gets involved in a dispute.

In the reverse, a mild form of entertainment of mine is to occasionally browse the File Properties of documents that I receive from others – especially when they are from third-party service providers.

It’s amazing the little tidbits you can discover, related to document origination, travel history, etc. It’s especially humorous to get a form document from one law firm whose File Properties show it was created at another law firm – it’s happened!
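
The same File Properties can be checked with a script before a document leaves your hands. The following is an added example, not part of the original post: it assumes the file is in the Office Open XML format (.docx, .xlsx, .pptx), which stores its properties in `docProps/core.xml` and `docProps/app.xml` inside a ZIP package. The function names, the `REVEALING` list and the sample names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts of an OOXML package (.docx/.xlsx/.pptx) that hold the File Properties.
PARTS = ("docProps/core.xml", "docProps/app.xml")
# Assumed review list: properties that commonly reveal who made a file and where.
REVEALING = {"creator", "lastModifiedBy", "Company", "Manager", "Template"}

def read_properties(source):
    """Return {property: value} from an OOXML file path or file-like object."""
    props = {}
    with zipfile.ZipFile(source) as pkg:
        names = set(pkg.namelist())
        for part in PARTS:
            if part not in names:      # a property part can be absent; skip it
                continue
            root = ET.fromstring(pkg.read(part))
            for el in root:
                text = (el.text or "").strip()
                if text:
                    props[el.tag.split("}")[-1]] = text  # drop the XML namespace
    return props

def revealing_properties(props):
    """Subset of properties worth reviewing before the file is shared."""
    return {k: v for k, v in props.items() if k in REVEALING}

def build_sample():
    """Constructed sample: a minimal package holding only the property parts."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>A. Associate</dc:creator>'
            '<cp:lastModifiedBy>B. Partner</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/'
           'officeDocument/2006/extended-properties">'
           '<Company>First Law Firm LLP</Company>'
           '<Application>Microsoft Office Word</Application></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for name, value in revealing_properties(read_properties(build_sample())).items():
        print(f"{name}: {value}")
```

For files received from others, parse the XML with a hardened parser such as `defusedxml` rather than the standard library's `ElementTree`.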

As usual, the answer to whose file is it anyway is: “it’s yours.” That is, if you care about what happens to it and its contents. Therefore, just keep in mind that knowing a little more about files and applications and where they come from can make a difference in protecting your investment in the ideas and information that you share with others.
