DOJ security trumped by copy/paste
Matt Blaze accidentally discovered some arguably sensitive information in a US Justice Department audit of wiretapping expenditures. Blaze is a security wizard, so it should come as no surprise that he is well-versed in the art of breaking secure systems.
His technique in this case, however, relied on nothing more than copy-and-paste (via Wired):
It turns out that there's sensitive text hidden in the PDF version of the report, which is prominently marked "REDACTED - FOR PUBLIC RELEASE" on each page. It seems that whoever tried to sanitize the public version of the document did so by pasting an opaque PDF layer atop the sensitive data in several figures. This is widely known to be a completely ineffective technique, since the extra layer can be removed easily with Adobe's own Acrobat software or by just cutting and pasting text. I discovered the hidden text by accident while copying part of the document into an email message to one of my students.
Even more hilarious is this later update to his blog post:
Addendum, 16 May 2008, 11pm: The entire Office of the Inspector General's section of the DoJ's web site (where the report had been hosted) seems to have vanished this evening, with all of the pages returning 404 errors, presumably while someone checks for other improperly sanitized documents.
Stupid security knows no partisan or occupational boundaries.
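A pre-release check for the failure Blaze describes, as an added example that is not part of the original post: it walks a constructed, uncompressed PDF content stream and reports text that is still present beneath a rectangle filled after it. It assumes plain `Td` positioning, `Tj` strings and no coordinate transforms; the function name and the sample stream are hypothetical.

```python
import re

# Tokens of an uncompressed content stream: (literal string), /Name, number, operator.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|/[^\s/()<>\[\]]+|[-+]?\d*\.?\d+|[A-Za-z*'\"]+")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}

def inside(x, y, rect):
    rx, ry, w, h = rect
    return min(rx, rx + w) <= x <= max(rx, rx + w) and min(ry, ry + h) <= y <= max(ry, ry + h)

def text_under_fills(stream: bytes):
    """Return strings whose text origin lies inside a rectangle filled AFTER them."""
    operands, texts, fills, path = [], [], [], []
    x = y = 0.0
    for step, m in enumerate(TOKEN.finditer(stream)):
        tok = m.group()
        if tok[:1] == b"(":
            operands.append(tok[1:-1].decode("latin-1"))  # string operand
        elif tok[:1] == b"/":
            operands.append(tok)                           # name operand
        elif tok[-1:].isdigit():
            operands.append(float(tok))                    # numeric operand
        else:                                              # operator: act, then reset operands
            if tok == b"BT":
                x = y = 0.0
            elif tok == b"Td":
                x, y = x + operands[-2], y + operands[-1]
            elif tok == b"Tj":
                texts.append((step, x, y, operands[-1]))
            elif tok == b"re":
                path.append(tuple(operands[-4:]))
            elif tok in FILL_OPS:
                fills += [(step, r) for r in path]
                path = []
            elif tok in (b"n", b"S", b"s"):
                path = []                                  # path ended without a fill
            operands = []
    # Paint order matters: only a fill drawn later than the text hides it on screen.
    return [t for s, tx, ty, t in texts if any(fs > s and inside(tx, ty, r) for fs, r in fills)]

# Constructed sample: a value is drawn, then a black box is painted over it.
SAMPLE = b"""
BT /F1 12 Tf 72 700 Td (Program cost:) Tj ET
BT /F1 12 Tf 200 700 Td (CONSTRUCTED-SECRET-VALUE) Tj ET
0 0 0 rg 195 695 180 16 re f
BT /F1 12 Tf 72 650 Td (REDACTED - FOR PUBLIC RELEASE) Tj ET
"""

if __name__ == "__main__":
    print(text_under_fills(SAMPLE))
```

Any non-empty result means the covered text is still in the file and would survive copy-and-paste; a properly sanitized document has the text removed from the stream, not painted over.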