
How secure is ‘blacking out’ sensitive information using MS Paint?

Solutions:


As mentioned in the answers to a very similar question, scribbling over part of an image will destroy the original pixels, assuming that your editor doesn’t store any layers or undo history in the saved image. (Paint doesn’t.) There are some things to watch out for, though:

  • The width of the blanked region places an upper bound on the length of the secret data
  • The height of the region could tell attackers whether the text representation of the data has ascenders or descenders (like in the letters b and p)
  • Any spaces in the blanked region provide information about the relative lengths of the data’s parts/words (mentioned in David Schwartz’s comment)

If you use a blur rather than a plain opaque rectangle/brush, a determined attacker could try lots of different possibilities in the image to see what text(s) get close to your image when blurred. Some effects can be undone almost perfectly, so make sure the one you use involves a lot of randomness or actual data destruction (e.g. a blocky pixellization). Of course, Paint doesn’t have any special effects, so you should be fine.

One possible thing to be wary of is JPEG compression artifacts around the secret data, which could be used to get clues about the shape of the text. It never hurts to overwrite more information than necessary when you’re concerned about secrecy. (This attack isn’t a problem if the image never went through JPEG compression before your redaction.)

Ditto Ben N, but let me add a couple of points that are too long to fit as comments.

I’d emphasize the distinction between layered and un-layered data formats. Drawing a black box over a section of a GIF, JPG, or PNG image destroys the previous contents. Drawing a black box over a section of a Photoshop, Corel Draw, or Paint Shop Pro native image does not destroy the previous contents if it’s on a different layer.

I’d be very cautious about blurring. You’d have to know how the software does the blur. If the blurring does not involve any randomness, if it’s a deterministic algorithm, it may be possible to undo the blur with appropriate software. No way would I rely on it without thoroughly understanding the algorithm. Unless there was some very good reason to blur rather than black out, I just wouldn’t do it.

Of course any attempt to redact with solid blocks must completely cover the original contents to be safe. You want to draw a black box, not scribble over it with a black pen that might leave gaps.

Some formats may keep an internal history log. Not quite the same thing, but I once had a case where my organization produced documents in PDF, another company edited those documents and then sent them back to us. We found that errors had been introduced in the documents and, to put it bluntly, blamed them. They claimed that the documents must have been like this to begin with because they didn’t do it. Apparently they were unaware that PDF has an internal log of all changes, and I was able to identify exactly what text was changed and the exact time and date of every change.

When blacking out sensitive information in Paint the original pixels are destroyed. But using Inkscape to black out part of a vector image does not destroy the pixels, but instead covers them. If someone removes the black cover they can see the pixels. The same applies to things like Foxit Reader (I almost sent a document with sensitive information which had been covered with a black square).

So using MS Paint to black out sensitive information is safe. JPEG artifacts might show some of the text like @BenN says.

Just don’t blur it if you don’t blur enough, and MS Paint doesn’t support blur anyway.
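The difference between an opaque fill and a deterministic blur, which the answers above describe, can be measured as the number of candidate secrets that remain consistent with the published pixels. This is an added example, not code from any of the answers; the 3x5 digit font, the candidate list, the sample secret and the choice of a box blur as the deterministic effect are all constructed assumptions.

```python
from itertools import product

# Constructed 3x5 digit bitmaps (one 3-bit int per row); a stand-in for a real font.
GLYPHS = dict(zip("0123456789", [
    (7, 5, 5, 5, 7), (2, 6, 2, 2, 7), (7, 1, 7, 4, 7), (7, 1, 7, 1, 7), (5, 5, 7, 1, 1),
    (7, 4, 7, 1, 7), (7, 4, 7, 5, 7), (7, 1, 1, 1, 1), (7, 5, 7, 5, 7), (7, 5, 7, 1, 7),
]))

def render(text):
    """Rasterize text as 5 rows of greyscale pixels: 0 = ink, 255 = paper."""
    rows = [[] for _ in range(5)]
    for ch in text:
        for y, bits in enumerate(GLYPHS[ch]):
            rows[y] += [0 if bits >> (2 - x) & 1 else 255 for x in range(3)] + [255]
    return rows

def solid_fill(img):
    """Opaque black rectangle over the whole region: every original pixel is overwritten."""
    return [[0] * len(row) for row in img]

def box_blur(img, r=2):
    """Deterministic mean filter of radius r: no randomness, same input gives same output."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            win = [img[j][i] for j in range(max(0, y - r), min(h, y + r + 1))
                             for i in range(max(0, x - r), min(w, x + r + 1))]
            row.append(sum(win) // len(win))
        out.append(row)
    return out

def consistent_candidates(published, effect, candidates):
    """Candidates whose redacted rendering is pixel-identical to the published region."""
    return [c for c in candidates if effect(render(c)) == published]

# Constructed candidate space: every 2- and 3-digit string (1100 values).
CANDIDATES = ["".join(p) for n in (2, 3) for p in product("0123456789", repeat=n)]
SECRET = "407"  # constructed sample value

if __name__ == "__main__":
    for effect in (solid_fill, box_blur):
        left = consistent_candidates(effect(render(SECRET)), effect, CANDIDATES)
        print(f"{effect.__name__}: {len(left)} candidates remain")
```

The solid fill still excludes the 2-digit candidates because the width of the box reveals the length, which is the first caveat in the list above; the blur narrows the set to the secret itself.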
