Posted by Ronnie on June 14, 2007, 11:03 am
wrote:
>Ronnie wrote:
>
>
>> (a) The styles.xml contained all the styles that are in my 'normal'
>> template in Word (which has been modified and extended to accommodate
>> the work I do).
>> ...... [snip]
>The style names can be edited from the GUI, at least in OOo.
>
The OP had suggested using a piece of software to hide his identity
from the letter he was drafting, but I wouldn't recommend that he or
his correspondent employed a manual process to do this - seems much
too prone to error and, without a great deal of care, prone to
inconsistency in subsequent letters which might alert a recipient
checking for these things.
>> (b) Several of the XML files contain some standard-ish W3 headers, and
>> the order and pattern of these might change with different OOo
>> releases, so the version of OOo used to generate the odt can be
>> revealed by these headers. Additionally, OOo announces its version
>> number in one of the files, but even if this was extracted by an
>> author, the version would leave this 'fingerprint' of the W3 header
>> sequence.
>
>
>Well, and now please estimate how many unique bits these are, and what their
>real entropy is. As a bad estimate: If only 80% of the users are running the
>latest version of OOo, and you do as well, this gives an attacker about 0.3
>bits of additional information.
>
Sebastian, the issue is simpler than this. Unless the OP and his
correspondent are both running exactly the same version of OOo (or
Word, probably), then the metadata that OOo (or Word, probably)
produces will reveal that the letter was not drafted on the
correspondent's machine.
>> I was very surprised. I'm a fan of OpenOffice.org, but I don't think
>> it solves the OP's need in this instance.
>
>
>Depends on how you use it. After all, the OP is using Word. Now consider
>opening the created .doc file, load it up in OOo, save it as .odt, load it
>again, save it as .doc. Now, what do you think, how much of OOo's or Word's
>settings are preserved in this conversion process?
I am sure that a security expert, or even the OP if he had the time
and skills, could spend a lot of time finding all the telltale data
there is to find, and then erase it. But it will be a manual process
for him, error prone, and not what he has asked for.
>
>If you're not happy with that, try AbiWord. It's small enough to let you
>compile it yourself without a hassle, and just modify the .doc and .odt
>import/export filters, which by themselves already do a pretty decent job on
>not adding much more data than needed.
Maybe. But, the type of data revealed by Word and by OOo seems to be
the type of data that AbiWord might also reveal - the OP mentioned
margin settings - he is aware that there are many aspects of a
document that might reveal that it had been generated elsewhere. This
is true of any modern word processor, because they all, rightly, try
to assist collaborative working and hence carry metadata across from
one machine to another.

He needs to use an interchange format that restricts formatting
information ONLY to fonts and spacing, includes his text, and excludes
any naming, or any other information such as version or package or
whatever. He ALSO needs to ensure that the page layout properties,
and (probably) the fonts available, are the same on both machines.

I'm not aware of any modern word processor, or file format, that will
meet his need. I think RTF comes close, but still names fonts, I
think, and I don't know if RTF allows other metadata to be inserted
under some reserved code.

I think he has set a difficult problem. The suggestions elsewhere in
the thread to 'clone' his correspondent's machine in a sort of VM
might be the best; he still needs version and preference and settings
equivalence, though.
______________
regards,
Ron
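
An added example, not part of the original post: a small audit that lists the three things points (a) and (b) above say an .odt gives away (the generator string, the style names in styles.xml, and the order of namespace declarations on each XML root). The sample document, its generator string and style name are constructed, and the function names are hypothetical.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# ODF namespace URIs used by meta.xml and styles.xml
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
    "style": "urn:oasis:names:tc:opendocument:xmlns:style:1.0",
}

def build_sample_odt():
    """Constructed, minimal .odt-like ZIP (sample data, not a real document)."""
    meta = (
        '<office:document-meta xmlns:office="%(office)s" xmlns:meta="%(meta)s">'
        "<office:meta><meta:generator>ExampleOffice/0.0 (constructed)"
        "</meta:generator></office:meta></office:document-meta>" % NS
    )
    styles = (
        '<office:document-styles xmlns:office="%(office)s" xmlns:style="%(style)s">'
        "<office:styles>"
        '<style:style style:name="Standard" style:family="paragraph"/>'
        '<style:style style:name="My_20_Letter_20_Body" style:family="paragraph"/>'
        "</office:styles></office:document-styles>" % NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("meta.xml", meta)
        z.writestr("styles.xml", styles)
    return buf.getvalue()

def audit_odt(data):
    """Report generator, custom style names and per-file xmlns order."""
    report = {"generator": None, "style_names": [], "xmlns_order": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in (n for n in z.namelist() if n.endswith(".xml")):
            raw = z.read(name)
            # First real tag (skips <?xml ...?> and comments) is the root element.
            root_tag = re.search(r"<[^?!][^>]*>", raw.decode("utf-8", "replace")).group(0)
            report["xmlns_order"][name] = re.findall(r"xmlns:([\w.-]+)=", root_tag)
            root = ET.fromstring(raw)  # for untrusted files, a hardened parser is preferable
            gen = root.find(".//meta:generator", NS)
            if gen is not None:
                report["generator"] = gen.text
            if name == "styles.xml":
                report["style_names"] = [e.get("{%s}name" % NS["style"])
                                         for e in root.iter("{%s}style" % NS["style"])]
    return report
```

Running `audit_odt` on the bytes of two letters and comparing the reports shows whether they would look as if they came from the same installation.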