Thoughts on this little PDF security issue
My office has these legal PDF documents that are published on our website. For years, they have always been protected via a password from Acrobat's built in policy features. They are only allowed to be printed. No copying or editing of text.
So someone emailed me asking if he could get access to them for a college project he is doing, which happens to involve software that does word searches. Won't work for him because the security prevents that.
So here is how this conversation is going about it....
Me: Let's remove the password. The documents are meant for the public and the password only provides a hindrance. It was obviously put in many years ago and there is no good reason to maintain it.
Management: The password stops people from editing the text though.
Me: They don't edit the live text. Only we can do that and push them to the website. Besides, someone can still print/scan/OCR and do that since we allow these documents to be printed. Taking it a step further, a teenager can photoshop the entire thing in 5 minutes if he wanted to. And he could d also do that with documents from the federal government websites.
Management: Oh, but this way it slows them down a little.
Me: It slows this particular person down. What do you want to do about that?
Management: Let's just give him the password. We can just change it again in the future.
Me: That removes the security argument. The majority of our other files do not have passwords on them.
Basically, management is unable to prove there is any security at all. While I feel I have proven that it does not prevent what it was originally intended to at all. And I am here scratching my head that these 3 people are not seeing this.
I really thought this would be solved via email and I would be done with it. Now I want to go into a meeting to and really drive this in because their confusion is just bothering the hell out of me.
Can I implement other "security" measures in the office to "slow" bad guys down a little bit? Making sure it includes a similar inconvenience of course. I could get very creative with that.
So someone emailed me asking if he could get access to them for a college project he is doing, which happens to involve software that does word searches. Won't work for him because the security prevents that.
So here is how this conversation is going about it....
Me: Let's remove the password. The documents are meant for the public and the password only provides a hindrance. It was obviously put in many years ago and there is no good reason to maintain it.
Management: The password stops people from editing the text though.
Me: They don't edit the live text. Only we can do that and push them to the website. Besides, someone can still print/scan/OCR and do that since we allow these documents to be printed. Taking it a step further, a teenager can photoshop the entire thing in 5 minutes if he wanted to. And he could d also do that with documents from the federal government websites.
Management: Oh, but this way it slows them down a little.
Me: It slows this particular person down. What do you want to do about that?
Management: Let's just give him the password. We can just change it again in the future.
Me: That removes the security argument. The majority of our other files do not have passwords on them.
Basically, management is unable to prove there is any security at all. While I feel I have proven that it does not prevent what it was originally intended to at all. And I am here scratching my head that these 3 people are not seeing this.
I really thought this would be solved via email and I would be done with it. Now I want to go into a meeting to and really drive this in because their confusion is just bothering the hell out of me.
Can I implement other "security" measures in the office to "slow" bad guys down a little bit? Making sure it includes a similar inconvenience of course. I could get very creative with that.
WGU B.S.IT - 9/1/2015 >>> ???
Comments
-
Asif Dasl Member Posts: 2,116 ■■■■■■■■□□I'd give them an unprotected version or even better yet let them go to PDFUnlock.com and say there is nothing I can do to prevent you from visiting that website, and leave it up to them. I wouldn't give them the password...
-
SteveLord Member Posts: 1,717There really is no harm. But I would rather just not have password, instead of having to making more work for myself or the public who runs into it.
Anyway, I replied back that I insisted we have further discussion. Meeting with director on Monday.WGU B.S.IT - 9/1/2015 >>> ???