A new document from the National Security Agency is getting a lot of link love, thanks to a recent mention by Cory Doctorow at BoingBoing.
Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF, which has a publication date of December 13, 2005, covers an important topic, and the authors do a good job of getting across their primary message: If you plan to publish a document originally created in Word, you have to look very carefully for sensitive information that you don’t want to reveal. When you find it, you have to delete it, permanently, not just hide it or cover it up.
So far, so good. But I was taken aback by this statement:
“The following steps were tested with MS Word 2000 and Acrobat 5.0 and 6.0. Other recent versions should work similarly.”
“Should work similarly”? That doesn’t give me a lot of confidence. If you’re going to go to the trouble of producing a definitive set of guidelines for such a crucial subject, why use only one seven-year-old version of Word? How long could it have taken to test these procedures with Word 2002 (from Office XP) and Word 2003 (from Office 2003)? And why not give it a run-through with Acrobat 7.0, the current version?
Pretty funny that the author at NSA uses the “cat” Microsoft assistant. They must be trying to improve their image after all the bad press they received lately.
They’re lowly government employees, Ed, they don’t have the money to bu… hey wait, they do!
This was probably an “Oh, we should write up an advisory about ” idea, which their supervisor was less than enthusiastic about. So when he agreed to let them waste their time on it, they sure weren’t going to go back to him with a request to spend money on versions of software they didn’t already have.
We’ve got (very large) clients at work still phasing out Windows 2000 Professional machines, I’m not at all surprised there are people running Office 2000 still. And we’re still using Adobe 5 on a few machines at work, because there are very few changes that would make it worth an extra $200 for a new version when all we need is to make the lousy document into a PDF.
That was “Oh, we should write up an advisory about <this>”, I just forget that WP interprets my <‘s and >’s as tags when I comment…
Good theory, Chris. Of course, Office 2003 is available in a free-for-evaluation version (order a CD of the Professional edition or download it here).
And I’m sure someone, somewhere in the NSA has a copy of Office XP.
If they only had access to Word 2000, they could have just said, “We tested this using Word 2000. If you use a later version it might work the same way, but we can’t be 100% sure.” The statement they made implied a level of knowledge that seems incongruous with the lofty goals of this report.
The version up on nsa.gov has a different sentence — it says it was tested on the most recent versions of Word and Acrobat.
Hey Semi – got a link? I can’t find the paper at nsa.gov using their search tools.
Looks like you can’t link it directly, the site just redirects you to the opening page. Go to nsa.gov, Information Assurance, Security Configuration Guides, and it’s on the “What’s New” Sidebar.