MS Word and (unintended) steganography

Nicholas Bohm nbohm at ernest.net
Thu, 17 May 2001 10:50:13 +0100 

Suppose that the word file described below had been digitally signed, and
in legal proceedings the signature had been admitted as evidence of its
authenticity (including the signatory's intention that it have legal effect
- see ECA 2000 subsection 15(2)(a)(iii)).  How does the court decide what
the signature proves the signatory to have intended to have legal effect?
The answer depends on the evidence of the signatory, no doubt supported by
the surrounding correspondence, and perhaps on expert evidence about what
the signatory probably saw himself as signing.

Digital signatures are often presented as absolutely conclusive evidence.
This nicely illustrates how much less than conclusive they can be, even
apart from the problems of keeping the private key private.

Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone	01279 871272	(+44 1279 871272)
Fax	01279 870215	(+44 1279 870215)
Mobile	07715 419728 (+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF


At 09:13 17/05/2001 +0100, Q G Campbell wrote:
>I thought I would bring the list back on track [:-)] with a cautionary
>tale that involves MS Word and (unintended) steganography.
>
>This follows on the heals of Bruce Schneier's recent account [in latest
>CRYPTO-GRAM Newsletter] of how Alcatel posted a MS Word file that
>contained a record of deleted changes. Schneier comments that the draft
>document made much more interesting and revealing reading than the final
>one.
>
>The following is contributed by a member of staff in a UK University:
>
>------------- cut here
>>The risks involved when using Microsoft Word, which merely hides text 
>>when it appears to have been deleted, have been covered before.  Today,
>
>>however, I encountered a extreme example which nearly fooled me.  A 
>>computer company responded to my request for a quotation for disc 
>>drives by sending me an email with the quotation as a Word attachment.
>>
>>As a user of Unix and Linux systems, I find Word files mildly annoying,
>
>>but I can decode most of them easily using the Unix utility word2x; 
>>this works quite well except on files which contains graphics.  This 
>>time, however, the resulting text file revealed a quite different 
>>letter, intended for someone at the Univerity of XXXXXXXXXX, for a 
>>completely different set of equipment.  When I copied the file to a 
>>Windows box and used Word to view it, it did not show this at all, only
>
>>the quotation which I had requested.
>>
>>So: one Word file is capable of producing two entirely disjoint texts.
>>
>>The Unix "strings" utility also revealed only the XXXXXXXXXX quotation,
>
>>so it appears that the deleted text is left as ASCII, while the 
>>undeleted text is encoded in some other way.  How odd.
>>
>>The risk: not only that you may reveal information you did not want to 
>>reveal, in some cases you may reveal nothing else.
>>
>----------------- cut here
>
>   
>Quentin
>--
>PHONE: +44 191 222 8209    Computing Service, University of Newcastle
>FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinions expressed above are mine. The University can get its own."