Online Search Engines Lift Cover Of Privacy
Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information. Some of this information includes 'Medical records, bank account numbers, students' grades, and the docking locations of 804 U.S. Navy ships, submarines and destroyers.'"
Nothing's private anymore anyways. Bleh. What's this world coming to.
While googlestalking is scary and bad and I'm not condoning it, in this *specific* case, if the docking locations of U.S. naval ships is something that they do not want made public perhaps they should simply not make them public?
Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application"
It's surprising what people will leave sitting in their kazaa upload directory, using it like a documents dump. Legal papers, company employee policy documents, employee records, sensitive stuff, medical records.
Taken straight from people's HDs; no hacking, cracking or other media-unfriendly terms needed, just the ignorance of the people who leave this stuff open.
Actually, the GoogleDorks are the ones being FOUND using google.
That googledorks link... You're telling me if I put the word "googledorks" on my website and wait a few months I will be one because it appears in a Google search?
Is googledorks a real hacker movement or just some random keyword anyone with a high-ranking web page can abuse?
On another note, the best thing I found that was supposed to be hidden was with the query "quality hentai". This was last year. It has since been secured (by being taken offline).
What have you found?
...but what the heck are "googled orks"?
Sheesh, evil *and* a jerk. -- Jade
Why do people always have to drag Google into this sort of thing? Somewhere, someone is pissed off at Google for putting their medical records on the web, and letting people get at them, when they should be angry at the people who posted them to the web in the first place. It's like calling Southwest Bell your partner in crime because you used DSL to steal from an online bank. It just makes SWBell look bad, just as this makes Google look bad.
-twb
Right here...
Let's teach the terrorists new tricks!
NOT!
But can they find the last port location of the SS Minnow?!
WWJD.... for a Klondike bar?
The worst example I saw was the FBI NCIC 2000 manual [PDF]. It gives you examples of how to look up criminal records and such... which could be very useful to the criminally vested social engineer.
To dock is to put it out of water. Right here...
I'd MW but they went subscription... for a dictionary. Is there no end?
This isn't anything too new. For kicks, I once searched for "Resume" and "Credit card" on KaZaA and got hundreds of results. Presumably, the trouble is that people sometimes believe that security through obscurity works - or, in the case of KaZaA, a lack of attention leads people to share files they didn't really want to.
Interestingly, I found a text file with all the user names and passwords for brokerage firms, and bank accounts, of the IT director at the firm I was working in. Scary, considering he was supposed to have "15 years in the IT industry".
A while back I Googled my credit card number for a laugh. I was shocked to find it in an indexed webserver log for a site I had previously 'tried' to purchase from. (the form timed-out and I gave up).
A quick call to the bank and a few angry calls to the company sorted it, but I was not impressed.
Perhaps a tool to search for one's own private details should be developed to keep an eye on this?
The most basic way to keep Google from reaching information in a "Web server", security experts said, is to set up a "digital gatekeeper in the form of an instruction sheet for the search-engine's crawler." That file, which is called "fembots.txt"...
Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep
People have used this for years to find things like Bill Gates' social security number and all kinds of things we think should be private. Chances are, if it's in a record somewhere, that information will leak onto the internet sooner than most people think.
Hmmm, let's see:
1. Microsoft has stated it wants to win the search engine war.
2. MSNBC (Microsoft owned) puts out a story calling Google insecure because it invades your privacy.
3. MSN Search comes out with "secure, private searching" for only $9.95 a month.
4. Profit???
Conclusion: This is nothing more than a FUD story designed to sow the seeds of doubt about Google.
Visceral Psyche Films
If it is true that the locations of military deployments can be traced using a search engine like Google, the possibility exists that terrorists are using this information to plot further attacks. The USS Cole, which was blown up in the Port of Aden, was tracked in a similar manner by Al Qaeda bombers.
Likewise, sites like Mapblast now provide aerial photographs of the entire United States and parts of Mexico and Canada, all available with the click of a button. How can we not hold Mapblast (how's that name for irony!) partially responsible for the Two Towers tragedy when several aerial photographs from the site were found in Atta's car?
Search engines have an important part to play. I use Google every day to find information related to my job and for my own personal amusement. However, my job isn't to find ways to circumvent and undermine the U.S. government, so I'm a safe customer. How many people out there aren't as safe as I? Shouldn't Google take precautions to make sure that sensitive data doesn't fall into the wrong hands?
I have been pwned because my
Let's pretend I'm taking a computer science course.
Let's pretend each week I have a program to code.
You see if you pretend, of course, I put the filename into google, and clicked search. In pretend, you know what came up?
The source code to the program I had to write for my university.
But remember, this is in pretend land.
Interesting - only a few days after an article about Microsoft trying to take on Google, they seem to be spreading Google-FUD. Coincidence?
Corruptissima re publica plurimae leges.
This all brings up one of the central tenets of computer network security: If it is connected to the Internet, it can be accessed, and sometimes the probing computers that are looking leave their little IP footprints all over the place. For instance, I was rather surprised a couple of years ago watching some IPs scroll through while someone/a software bot was accessing my workstation. Whois revealed nothing, but traceroute revealed an IP that allowed me to do a little more poking around to find out the identity as something from a "Special Collections Service" in Maryland. A little more poking around revealed it to be something involving a State Department program, whereupon I rather quickly decided to stop investigating. I still don't know anything about them or what they do, but it is surprising how hard it can be to be anonymous on the web. Hey, I am sure even all those Slashdot anonymous coward posters are leaving IPs that can be and are documented. :-)
Visit Jonesblog and say hello.
The real story here is that companies and other organizations and institutions are setting machines up as servers and are too stupid to create an appropriate robots.txt file and/or keep their confidential information elsewhere. Google doesn't just drop in, even on networked machines. I have some sympathy for individuals who don't understand what they are doing when they make their machine a server, but surely any professional sysadmin, even one with limited training and experience, should know better than this. It's the same as leaving your briefcase on the front seat of an unlocked car.
Is slashdot just becoming an MSNBC news highlighter? This is the second story today reporting on an MSNBC report. Why not just read MSNBC?
The article seems to imply that the problem is Google, but that simply isn't fair--the problem is that people are posting private info to the web. If you don't want the public to see it, don't post it in public.
Part of this problem comes out of who owns the daggoned data. For example, let's say a hospital, instead of using clipboards, uses smartcards to hocket about patient records.
Who owns the data? The hospital, the insurance company paying the bill, or the poor schmuck on the business end of a colonoscopy?
I ask because without the individual having the right to own the data, there seems to me little that can be done to protect oneself other than go through expensive and tedious legal channels.
And if someone else can own sensitive data about me, then what can we do, as private citizens with limited resources, to make sure larger entities such as insurance companies play by rules like HIPAA?
--- have you healed your church website?
I read once that an old trick some people used to use was to do a search for "root" on Altavista (yeah, this was back in the day) and it would actually return useful information for gaining access. Not sure if that was just a geek urban legend, but it sounds plausible to me.
In the article, it says "and it is all legal", then it continues to talk about security breaches, so is the whole thing legal or not?
Is there such a thing as legally breaching security?
article:
Since 2001, the FTC has settled cases with Eli Lilly & Co., Microsoft Corp. and clothing maker Guess Inc. for not taking "reasonable" measures to keep medical or financial information secure, said Jessica Rich, assistant director of the commission's bureau of consumer protection. Letting customer information reside on an unsecure server can open up a business to such liability.
If your information is "sensitive" or "private", do yourself a favor and don't put it on the web.
Peeps nowadays...
You suck at making fun of people's sucky FP.
Hasn't the government ever heard of creating a robots.txt file or something of similar nature to prevent search engines from caching files? Maybe the government just changed the permission to all files on their webserver to 755 so anyone could see. We should have another one about search engines scanning forums... That's even worse. My Sig: http://www.toadywonders.com Nothing like some good clean advertising
http://www.toadywonders.com The Empire of Todd
...to coincide with Google's IPO, had they not delayed it. A story saying Google is a threat to privacy AND national security. May as well throw Intellectual Property into the mix too, for all the warez searches. Just like that operating system our congresspeople were just informed about by the alert people at SCO.
Wow, this clearly shows that the better solution would be a more limited search engine that doesn't actually let the user search for whatever he/she wants, just in case it's naughty. Perhaps something tied into a Trusted platform that can make these legal judgement calls on the user's behalf.
Wasn't SCO planning to sue Google soon? Wow, what an incredible coincidence! Bad timing for your IPO, Google!
I'd end this with [/tinfoil hat], but I think I could actually be right...
If you don't want people to see it, don't put it on the internet.
One would be led to think this would be evident to anyone intelligent enough to tie their shoes.
But hey, this is scary stuff! People are stupid, so let's shut down google - the hackers tool for identity theft and terrorism!
I wonder how many poor Asian people turned caucasian while reading that article. O_O
Err, not me of course ;-)
Go to Google and type in a name. You'll be surprised by the results. This works a bit better with unique screen names, such as Wolf305819. Though, you could get better information off of your city's website which holds criminal and property information. This latest craze over Google is due to their success, nothing more.
take a look at this
anyone want to buy a yacht?
The date on the forum is Sat Feb 07, 2004 10:20 pm, so um, I'm guessing most of those are still valid.
Also, these are not precise locations. Yeah, you can find that the USS Roosevelt (DDG-80) is homeported in Mayport, Florida but you're not going to find the precise pier number.
As for ships on deployment, one can find their general locations just by looking at the latest issue of the Navy Times and by reading the newspaper of the town that the ship and its battlegroup are from.
The Navy really tightened up on what gets posted on official ships' websites after 9/11. If there is sensitive information still out there, Google is not at fault, but rather the unit's webmaster, Commanding Officer, and the Operational Security people who are supposed to be looking out for that sort of thing.
Imagine if the US government gets in its head that search engines are a terrorist tool?
Wouldn't that be interesting?
Saskboy's blog is good. 9 out of 10 dentists agree.
Maybe they should just use the fricking robots.txt protocol. That's what it's *FOR*. You can put a little file named robots.txt in the directory you want hidden, put text in it that says "i want this hidden, google", and google will ignore your directory forevermore.
No one has any right to complain if their page is in a search engine unless they followed the robots.txt protocol and the search engine did not.
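The robots.txt protocol the two posts above argue about, as an added example that is not from the thread or from Google: a small evaluator that parses a constructed robots.txt and decides whether a crawler may fetch a path, using the longest-match rule of RFC 9309 (which is also how Googlebot documents its behaviour). It also lists what the file itself gives away, since every Disallow line is public.

```python
"""Minimal robots.txt evaluator (added example; sample file is constructed).

Two defender-side points the code makes explicit:
  * the rules are advisory: the server enforces nothing, so a crawler that
    ignores the file, or indexes only the Disallowed paths, sees everything;
  * every Disallow prefix is itself public, so the file is a map of what the
    operator considers sensitive.  Access control belongs on the server.
Matching: longest matching prefix wins, Allow beats Disallow on a tie, and a
group for a specific user-agent replaces the '*' group rather than adding to it.
Path wildcards ('*', '$') are not implemented here.
"""
from typing import Dict, List, Tuple

# Constructed sample; not any real site's file.
SAMPLE_ROBOTS_TXT = """\
# public site
User-agent: *
Disallow: /cgi-bin/
Disallow: /private/
Disallow: /logs/
Allow: /private/press-kit/

User-agent: Googlebot
Disallow: /staff-directory/
"""

Rule = Tuple[str, str]  # ("allow" | "disallow", path_prefix)


def parse_robots_txt(text: str) -> Dict[str, List[Rule]]:
    """{user-agent token (lowercased): [(kind, prefix), ...]} in file order.
    Groups for the same token are merged; comments and blank lines are skipped."""
    groups: Dict[str, List[Rule]] = {}
    current: List[str] = []      # tokens the rules that follow apply to
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:             # User-agent after rules starts a new group
                current, in_rules = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and current and value:
            # An empty "Disallow:" matches nothing, so it is simply not recorded.
            in_rules = True
            for ua in current:
                groups[ua].append((field, value))
    return groups


def _select_group(groups: Dict[str, List[Rule]], user_agent: str) -> List[Rule]:
    """The most specific group: a token contained in the UA string, else '*'."""
    ua = user_agent.lower()
    for token, rules in groups.items():
        if token != "*" and token in ua:
            return rules
    return groups.get("*", [])


def is_allowed(groups: Dict[str, List[Rule]], user_agent: str, path: str) -> bool:
    """Longest-match decision; with no matching rule the path is allowed."""
    best_len, verdict = -1, True
    for kind, prefix in _select_group(groups, user_agent):
        if not path.startswith(prefix):
            continue
        if len(prefix) > best_len or (len(prefix) == best_len and kind == "allow"):
            best_len, verdict = len(prefix), (kind == "allow")
    return verdict


def disclosed_paths(groups: Dict[str, List[Rule]]) -> List[str]:
    """Every Disallow prefix in the file: what the operator has advertised as sensitive."""
    seen: List[str] = []
    for rules in groups.values():
        for kind, prefix in rules:
            if kind == "disallow" and prefix not in seen:
                seen.append(prefix)
    return seen
```

Note that Googlebot is allowed into /cgi-bin/ here, because its own group replaces the '*' group; operators who copy a '*' block and then add a bot-specific one often miss that.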
Ok, let's make some connections here, people:
This article places the google search engine as the medium for this activity.
This article is from MSNBC.
MSNBC is owned by Micro$oft
Wasn't Micro$oft trying to compete with Google for search engine market?
Someone please tell me I'm just being paranoid
now's our chance! I think we can slashdot Google!
Esoteric reference.
I would have contacted a lawyer first... As for me... I wish I had some form of luck
MoFscker
Well then again... it is an MSNBC article.
:)
Seems someone in the mainstream press got a clue and has decided that the other 98% of the people should join in on the fun... if they can figure out how to use Google, that is.
Who knows, maybe they'll even teach the clueless about Google image search... which came in handy this last weekend when a girl who wanted to model but couldn't figure out how to send me a pic attached in an email... Curious as to what she looked like, I googled and found her.
As you can see, the stuff you can find on image search sure as hell beats those top-secret Pentagon Word documents any day.
The thing is that most people will literally inadvertently share their entire hard drive's contents, or at least all "media files".
What I like to do is go on gnutella or kazaa and search for "DSN" or one of a number of similar prefixes. Why? Because most digital cameras save their files in a specific hardwired format, and the kind of people who leave their entire hard drive shared on kazaa are the kind of people who don't rename their digital cameras.
You can find the most random, interesting, occasionally personal shit that way.
I'm trying to remember the other common prefixes besides DSN and failing.
-- Super ugly ultraman
Didn't Kevin Mitnick get into trouble when he *accidentally* accessed a web page that was not linked from anywhere and sort of existed on its own. I can't seem to find the link to that right now.
Which brings me to my question that the article doesn't really make clear. If I do find a document that I think is sensitive, should I inform the webmaster?
If I do, how do I prove that I was not *looking* for it and only found it accidentally. Will that get me into trouble?
Free XBox, PS2
googleDork (gOO gol'Dork) noun 1. Slang. An inept or foolish person as revealed by Google.
Wouldn't that mean the people with the sensitive information on the net are the googledorks, and not the people doing the searches?
If you are going to link to the definition, at least read it.
I.O.U One Sig.
I am a member of a university organisation called the Assassins Guild, the basic premise being that, on the basis of the most limited possible information, we hunt down and "kill" other guild members with weapons such as cap guns and cardboard swords. As such, I have some personal experience of the use of Google in stalking. I can tell you that, in a university composed presumably of some of the most net-savvy people around, I have only found a photo once. Occasionally I have found a usenet posting or slashdot account. Old schools are common, but the folk at my uni are often those who are mentioned in school newsletters. The average web presence of the average user is approximately nil. In a range of cases, someone may become more prominent (either by accident or design - Darl McBride for example), but on the whole there is very little you can gather from Google. Occasionally it's enough to kill your target, but don't count on bank details.
For the love of God, please learn to spell "ridiculous"!!!
An old trick I used to do was searching for something along the lines of
"http://*:*@" member
and you would get a bunch of sites with direct links into passworded member sites. Microsoft will put a stop to this with their latest update to IE however.
I.O.U One Sig.
I've noticed the worst sites, security wise, are American universities and British hospitals. Greatest thing found has to be the admin username/password for a company specializing in secure web design
Book sales are tracked
The Google mediapartners bot, which will look at pages for the purposes of advertising such as in Opera, is different and separate from the bot that adds pages to Google's search database. The mediapartners bot does not feed the Google search engine.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
One line blog. I hear that they're called Twitters now.
Professors could put fake answers for the homework on the internet and just wait for the cheaters to download it
Please webmasters, learn to use the proper code for preventing bots from scanning your page. The Robot meta tag will do that quite effectively. Alternately, you could just /not/ make a webpage with your usernames and passwords, and that would be a lot easier.
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
I am a web server administrator, and I must say that I was very surprised / disturbed when I saw how easily crackers (mostly from Europe) discovered what kind of shopping cart we were using and then proceeded to brute-force guess administrative passwords. This all showed up in the server logs.
They did a search on "Your cart is empty" or the like. At the same time, I admired how resourceful this was. Needless to say we immediately disallowed client control of passwords =)
- rabs
Somebody quick! Alert John Ashcroft. I call upon all nerds everywhere to do their patriotic duty and help slashdot google.
Opera doesn't even send such urls to Google.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Get back to watching scheisse videos, you filthy kraut!
This article is from the Washington Post, not from Microsoft. Please adjust your conspiracy theories accordingly.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Google and the wayback machine, respectively, have memories. Just because you take something off the web doesn't mean it can't be found by those services; it just means it won't respond to your browser's request. Cached results and so forth are dangerous. If there ever was leaked data about the locations of those ships, it can still probably be found somewhere, and if that information hasn't changed since it was taken off the web, it's still a problem.
This applies to any information that's ever been stored electronically; I call it the "backup tape problem". Someday, that information may (will?) find its way online, a public service will index it, and the genie will be out of the bottle forever.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
I was looking at a few examples and tried out intitle:"Index of..etc" passwd. The first result is a honey pot :)
They have some Webalizer stats for the honey pot too.
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
Right, right! Because if I was a hacker making a web spider, I would -never- make one that reads robots.txt and indexes only the 'disallowed' areas.
care to make it any easier?
How to use this for evil is obvious. (Actually I do searches on myself every now and then just to see what I look like on the Internet. Do it yourself, it's fun.)
You're an evil bad guy and go nuts on Google... Credit Cards... Hooray... Now to go nutz.
Leave it to MS NBC to neglect to mention that this is also a tool for good.
You're a credit card holder..... Now go google your credit cards... DO IT NOW.
Did you find it? I didn't.
I've got 4 credit cards.. two store cards, one business Visa and one personal MasterCard.
(Oh yeah hackers, the name on the card is Felinoid) Yeah they'll buy that.. not...
Don't need to use Google BTW... Use AltaVista.. or Microsoft search.. or Lycos...
Oh yeah and when you're done put your credit cards away (I had to leave my desk while entering this post and left my wallet on the desk... Now my credit cards are gone and I think I saw a stuffed teddy bear running down the street yelling "Charge it"... Just kidding, got all my cards..).
(Oh yeah if you do see a teddy bear running down the street your missing credit cards are the least of your concerns)
Now to set up a bot to trap all these searches on Google....
(Oh come on it had to be said)
I don't actually exist.
This is an interesting article. However, I can say from experience that there are searches, like searching for the titles or authors of classified documents, that will bring down the spooks on you. It pays to be a little bit careful if you don't want to lose your computers or be put on watch lists. For example, try researching AEC documents...
Azurite is fine covellite is mine.
See subject. I can be laconic if I want to. Second-grade CMS.
This isn't news when it comes to the ships for the Navy. For years I have been a member of a small group of warship fans in the Seattle area who have swapped emails about ship X being at location Y. It basically amounts to: "That new destroyer put into Bremerton last week. Go take a look at it!" Of course the only difference here is that now that information is available to the general public. Whoopee! Disaster! You might know something!
And yours definitely wouldn't be considered "good"!
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Google will leave you right the fuck alone
All it takes is one cross-link from a site that links, and a number of hits, and google will advertise the cross-link, robots.txt or not.
Banks, hospitals, the military, etc. are putting information up in the electronic equivalent of the storefront window, and that's ok. But when people drive by and look in the window, everyone freaks out?
Damn, sign ME up for that mission to Mars. It's getting scary down here.
Ignorance is the root of all evil.
I'm betting that it's often not the person's doing but that of a moronic company they dealt with. I certainly don't go posting my CC #, and I don't store it on my computer either (why would I need to? Even if I didn't have it memorized, it's always in my wallet). However, there are companies that have it. If one of them did something dumb, it could get on the web.
I am sure there are other reasons you could get your SSN changed, like "I'm Bill Gates, and every jokester in the world has my SSN..."
This issue is a bit more complicated than you think.
> existance of that page get from Opera to Google such that it
> could pin-point (not crawl) that page?
Opera submits URLs browsed to by users, to google, when advert support is turned on.
http://www.opera.com/adsupport/
From that page:
--------
What is the connection between the Web page and the relevant ad displayed by Google?
Opera's interaction with the Google ad system:
The Opera browser sends Google the URL of the web page you are visiting and your IP address (with the exceptions Opera filters out -- see below)
--------
Exceptions are https, forms, passwords, cgi, and non-http URLs.
As an example from my apache log file last night, when I gave a friend a URL to a photo: It's surprising how many Opera users will deny this happens, despite the evidence. That's a 5 minute delay; google is pretty quick with its crawling. Personally, I don't mind. I put things up in my temporary directory and pull them down fairly soon after. I know nothing is secure if it's just an unprotected URL, so I'm not worried like the grandparent poster. However, Opera does send URLs to google, and google does come back and check them out.
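Two checks over Apache combined-format access-log lines, as an added example that is not from the thread: one for the pattern the post above describes (a browser fetches an unlinked URL and a search crawler fetches the same URL minutes later, so the URL has leaked to the engine by some channel), and one for the pattern the web server administrator described earlier in the thread (password guessing against a shopping-cart admin login, visible as a burst of failed logins from one IP). All IPs, paths and timestamps are constructed.

```python
"""Added example: access-log triage for two patterns discussed in the thread.
  crawler_followups - an unlinked path is fetched by a browser, then by a crawler
                      within minutes: treat that URL as public from now on.
  login_bursts      - one client IP collects many 401/403s on an admin login
                      inside a short window: password guessing on an indexed page.
Sample log lines are constructed (documentation IP ranges), not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_MARKERS = ("googlebot", "mediapartners-google")  # UA substrings, lowercased


class Hit(NamedTuple):
    ip: str
    when: datetime
    method: str
    path: str
    status: int
    ua: str


def parse_log(text: str) -> List[Hit]:
    """Parse combined-format lines; lines that do not match are skipped, not fatal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append(Hit(m["ip"], when, m["method"], m["path"], int(m["status"]), m["ua"]))
    return hits


def crawler_followups(hits: List[Hit], unlinked_prefixes: Tuple[str, ...],
                      within: timedelta = timedelta(minutes=30)) -> List[Tuple[str, int, str]]:
    """[(path, seconds_until_crawler, first_browser_ua)] for paths under the
    given prefixes that a crawler fetched within `within` of the first browser visit.
    Restricting to prefixes you never link to keeps normally-crawled pages out."""
    first_browser: Dict[str, Hit] = {}
    reported, findings = set(), []
    for h in sorted(hits, key=lambda x: x.when):
        if not h.path.startswith(unlinked_prefixes):
            continue
        if not any(mk in h.ua.lower() for mk in CRAWLER_MARKERS):
            first_browser.setdefault(h.path, h)        # first human visit wins
        elif h.path in first_browser and h.path not in reported:
            delay = h.when - first_browser[h.path].when
            if delay <= within:
                reported.add(h.path)
                findings.append((h.path, int(delay.total_seconds()), first_browser[h.path].ua))
    return findings


def login_bursts(hits: List[Hit], login_path: str, threshold: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """{ip: most failures seen in any `window`} for IPs at or above `threshold`."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for h in hits:
        if h.path == login_path and h.status in (401, 403):
            by_ip[h.ip].append(h.when)
    result: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):             # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            result[ip] = worst
    return result


SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2004:22:10:01 +0000] "GET /tmp/photo123.jpg HTTP/1.1" 200 48211 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
203.0.113.7 - - [08/Feb/2004:22:10:05 +0000] "GET /index.html HTTP/1.1" 200 1204 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
192.0.2.44 - - [08/Feb/2004:22:15:09 +0000] "GET /tmp/photo123.jpg HTTP/1.1" 200 48211 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [08/Feb/2004:22:15:10 +0000] "GET /index.html HTTP/1.1" 200 1204 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.5 - - [08/Feb/2004:23:01:00 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [08/Feb/2004:23:01:08 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [08/Feb/2004:23:01:17 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [08/Feb/2004:23:01:25 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [08/Feb/2004:23:01:36 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.5 - - [08/Feb/2004:23:01:48 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 401 322 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [08/Feb/2004:23:02:30 +0000] "POST /cart/admin/login.cgi HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not in combined log format and is skipped
"""
```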
Ya, because we all know that google is in fact made up of a group of super-hackers bent on destroying the world... stfu
Recipe:
Acquire 1 laptop.
Acquire 1 802.11b wireless card.
If using Windows, acquire 1 software firewall (or enable ICS).
Locate an unsecured wireless point broadcasting SID. Not hard, might be a clueless neighbour or any of the many cafes offering free access these days.
Mix and surf.
You are totally untraceable except if the genius running an unsecured access point happens to log MACs. That is easily countered by either getting a card that will allow you to program your own MAC (they are available) or simply destroying the card after use.
All the unsecured wireless out there makes it real easy to break the evidentiary chain. People really need to get educated and start securing their APs. However, given that they can't even learn not to infect their computers, I'm not hopeful.
"Online Search Engines Lift Cover Of Privacy"
Psst, hey bub! Your privacy is flapping in the breeze?
I just did a quick search on myself - yahoo search on "my name" gets 230+ hits and google gets 300+ hits... not a common name, but apparently not uncommon. None of the references are me. Academics, comics, writers... none me.
A yahoo "people search" does turn "me" up in a list of 9 hits - 2 of them are me, but both for old addresses [I am a homeowner]. Oddly, my current address of 5+ years does NOT show up. Good.
An "email" yahoo search is even better - I get 10 hits, and 4 of them are actually me!
The newest email address hasn't been used in over 6 years. The oldest is more than 15 years old [uucp days!]
Bottom line - I wouldn't bet much on the info you find on the Internet, and if there is something out there that you don't want people to know, you are doing something wrong.
Half the bills that come to my house have misspellings in my name... why would I want to correct that? I pay the bills... they are happy, I'm happy.
This issue is a bit more complicated than you think.
Hopefully this sort of flagrant violation will draw at least a modicum of public attention.
This isn't some hardened criminal mastermind at work. It's not a seasoned cracker attacking military targets. This isn't even some script kiddie poking at IIS. It's a MACHINE. A machine that respects robots.txt for Eris' sake!
If medical records and other "real" secrets are this visible, something is terribly wrong and I want to see public floggings. Seriously, this is not a case of weak security, or poor security, or incompetent security. It's a case of there not being so much as a screen door between the public and sensitive information.
This is actually a case where I think the government (or at least the courts) can do some good. You'll notice banks don't get hacked on a daily basis. That's because they'd lose squintillions of dollars if it happened. But nobody cares about my medical records because it costs money not to have incompetent asses running things. On the other hand, if revealing to without were punishable by a $1000 fine per person, per offense, you'd notice a severe tightening of security in a mighty big hurry.
It's a shame that suing people is sometimes the only way to get their attention, but with the decline of basic civil responsibility it might be inevitable.
High-speed Road Trip (18.000KPH)
Inquiring minds want to know.
Damn! I tried to search for the WMDs on Google...Not even Google could find them! hehehe...
I say why blame just one person/group/entity. Let's blame the people who publicly post the personal information AND the people who use that information to hurt people. But let's not blame Google or any other search engine for doing too good of a job.
Losing faith in humanity one person at a time.
s/BLOATED/shrivel/
"The scariest thing is that this could be happening to the government and they may never know it was happening," Long said.
This isn't "happening to the government", as if the government is some innocent victim. Rather, "the government screwed up big time". Likewise, if some company has sensitive personal information lying around on a public web server, the company is at fault and should be liable.
Let's not make victims out of perpetrators.
If I may add to the redundancy with a stupid question, this really DOES sound like the old "FUD" tactics again. Microsoft truly seems to hope that maybe people are stupid and will start not trusting Google because they're, "like so directly responsible for this" when Microsoft themselves obviously couldn't do any better.
Sorry to state the obvious again. I will admit that I truly hate Microsoft, and wish that people would shout "FUD" at them more often than they do.
Google and Janet Jackson's right boob are CLEARLY the causes of the deterioration of our society!!!!!!!!!
From the article:
Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information."
---
From the website:
googleDork (gOO gol'Dork) noun 1. Slang. An inept or foolish person as revealed by Google.
---
Ok... So who here is the googledork (hint: It's not me)? The dork who googles for the victim's information or the clever person who googles for the dork's information? Confused? If the website is more authoritative than the original slashdot poster (Rican) then maybe Rican is the dork?
You can find out whether personal information about you is available accidentally by searching for your name and a piece of your sensitive information on Google, say, your name and the last four digits of your SSN, the last four digits of a credit card number, parts of your phone number, or your street address. Leaked personal information would have to contain both your name and that other information. Chances are that you will retrieve only a few documents, which you can quickly review.
Keep in mind, however, that Google queries are not encrypted and are not guaranteed to be private or secure, so, for your search, don't use the full SSN or anything else that shouldn't be disclosed.
I don't know why Google never indexes this stuff, it's clearly public record and can be of interest to a lot of people, but they never did (I checked them many times, including just now, and they show no indication of the document). I wonder what other good government documents are out there if you only know where to look for them.
I'm an American. I love this country and the freedoms that we used to have.
Are those anything like the Goofy Service Jerks?
I left the Big Picture a long time ago.
Despite the fact that someone linked it above, it bears repeating:
From the front page of the Washington Post today:
Online Search Engines Lift Cover of Privacy
Jesus guys, this was the *front page* story on the Post. It was their freaking headline! You guys lifted it, and then ran a link to MSNBC instead - *without attribution* to the Post. What the *hell* are you thinking??
I mean, did you just think nobody would notice? Some of you guys live *right here* in DC.
What the hell?
sad! sad sad sad! sad! also scary!
Wow, applying lessons learned at Def Con. Shocking!
Sounds to me like these "search engines" are nothing more than tools used by those "internet hackers" for their evil deeds. Let's all write letters to our congressmen; these criminals can be tolerated no longer!
It's late in the discussion and I hope someone is still reading down here who can answer me. If a file is in a directory on a web server and that file is not linked to by anything, how exactly does Google (or any other search bot) find it? I expect it retrieves the top level directory listing of the server and then recurses through the tree, indexing files as it goes. But can't that be turned off in some web servers?? I don't just mean by using robots.txt. I mean, prevent the web server from giving out a file listing to anything!
The allinurl and site search features can be used to good effect when looking for machines with vuln cgi that give one execute or read permissions.
You would cry if you realized that to hack .gov and .mil one only needs a web browser to gain the foothold on their DMZ/LAN. (Heh, DMZ, giving them way too much credit).
for example:
allinurl: cgi print site:.mil
Anyway, using common cgi tricks like dot traversal, poison null byte (RFP you can kiss my ass), obfuscation (".." == "%2e%2e"), etc... Oh don't forget the pipe operator.
I agree with other posters who say it is not Google's fault. They do a great job. It is the people who program those cgis who need to really take a bit more time.
Leave out a few digits (not the last 4) and you should be alright, I think.
And the googlebot (in this mode) doesn't check any policy files like robots.txt? I suppose that Opera doesn't indicate this setting in the browser name passed, and probably allows masquerading as IE in any case. (Otherwise redirect Opera users to a "We don't serve their kind!"/no droids allowed page.)
One line blog. I hear that they're called Twitters now.
Google has cached the contents of the robots.txt file for whitehouse.gov which shows all of the disallowed URLs that are not to be scanned. Stuff on Iraq and about 500 (estimate) other disallowed URLs.
Did not go look at the actual site though... thought better of it for obvious reasons... same with posting anon.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
This goes back to the security vs obscurity argument.
/www/private/secretfile.txt - bad idea right (even if I rely on blocking Google w/ robots.txt)? What if I rename the file to secretfile.zip (so it's still a text file) or - better yet - I actually make the file a compressed archive.
My understanding is that Google searches for keywords within text & PDF documents and possibly Word documents.
Let's say I sent a friend a link to
While the contents are *still* unsafe, would this at least stop Google from publishing what's *inside* the document? In this context, who cares if the file name shows up on searches after you remove the file, it's the contents you don't want showing up. So on a temporary basis, is this what you could recommend someone to do?
The question is where would this put you legally? Say I discover something pretty juicy, say Bill Gates' email password in an excel file as a lame example. It's not exactly that I breached the company's security to get it, is it? But then if I was searching for say "bill gates username password .xls" then clearly I had intent.
Just tonight I was Googling for "number personnel U.S. military" and I was surprised to find many links along the lines of "How to find U.S. military personnel." The site with the most links to directories has a Netherlands domain name, which seemed odd. I tried to find some family members and did turn up some information. Some sites were DoD and had recognizable warnings about monitoring. Another was a .com for the military community and required standard registration procedures. I don't know if it's a good idea to have this information online and I wonder what military folks think about it. I reckon there are pros & cons.
a) Mediapartners-google does check robots.txt
b) Opera always has the name "Opera" in its UA string, even when masquerading as IE.
c) Mediapartners-google doesn't feed the Google search engine. It is only used for Google adverts.
People get jailed for stuff like that in the US now.
If anyone is dumb enough to have their "sensitive and/or private information" publicly accessible then they deserve to have it findable from a search engine.
So here is a noble idea: why not get rid of this stupidity and waste of money on trying to keep this crap a secret and pay for our debts for the other 2 trillion dollars of military crap we have. Or even better, get rid of most of our subs and really start to balance our budget. Ask yourself who the US needs to hide from with these things? What other nations' ships do we really have to sneak up on? What nation do we really need to have 10 ways to destroy?
And to those people who say we should liberate the world and expose them to our form of freedom I say, we (US) managed to free ourselves from the biggest empire in the world mostly by ourselves, why can't they?
A strong military should not define a world policy
There's something wrong with your story but I can't quite put my finger on it. Suffice to say I don't believe that excerpt is an unedited part of an Apache logfile. Felt like spreading a little FUD against Opera and Linux today, did we?
Get a life
I can't remember the site now, but about a year ago a story came out about people crawling robots.txt's, looking for promising "off-limits" areas, and punching them up in their browser.
The article seems to suggest that robots.txt will make the information secure. You know, it's a *gatekeeper*!!!
How about robots.txt? Is it forgotten? Do current modern search engines ignore it?
Above all of that, isn't it a stupid idea to hide information with just no link pointing to it? You must make sure it's properly secured with access control like the IP address or password of the visitor.
Maybe for some people it is not simple to build access control using some content management system or any self-built scripting. But I think it is so simple to use HTTP authentication, which is provided by most web servers.
----
so many dreams r swinging out of the blue we let them come true (forever young, alphavile)
I suspect that, at the level of financial complexity of Bill Gates, he no longer has a standard type credit record, but something that looks more like a business trust credit record.
It is entirely possible that he has a regular SSN. Indeed, that 1995 SSN may reference him, but that credit record may be blank/unused.
It is not insightful, it is troll, stupid.
robots.txt is a polite request not to do something.
Of course rogue people will not even notice this or will use it to their advantage.
IANAL but write like a drunk one.
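The point above, that robots.txt is a request and not an enforcement mechanism, can be checked from the server side. This is an added example, not any poster's code: it parses a robots.txt and cross-checks web server access-log lines to list the clients that fetched disallowed paths anyway. The robots.txt, the log lines, the addresses and the user-agent strings are all constructed for the example.

```python
import re

# Apache combined log format; the groups used below are ip, path, status and ua.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed robots.txt (paths invented for this example).
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /cgi-bin/

User-agent: Mediapartners-Google
Disallow:
"""

# Constructed access-log lines (RFC 5737 documentation addresses).
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2004:03:14:07 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
198.51.100.9 - - [10/Feb/2004:03:15:01 +0000] "GET /private/secretfile.txt HTTP/1.0" 200 2048 "-" "EmailHarvester/0.1"
198.51.100.9 - - [10/Feb/2004:03:15:02 +0000] "GET /cgi-bin/print.cgi?doc=1 HTTP/1.0" 404 310 "-" "EmailHarvester/0.1"
192.0.2.4 - - [10/Feb/2004:03:16:00 +0000] "GET /private/ HTTP/1.1" 200 1200 "-" "Mediapartners-Google"
"""

def parse_robots(text):
    """Return {agent_token: [disallow_prefix, ...]}; an empty Disallow adds nothing."""
    rules, agents, seen_rule = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            agents, seen_rule = [], False       # blank line closes the record
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                       # new record without a blank line
                agents, seen_rule = [], False
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
        elif field == "disallow":
            seen_rule = True
            if value:
                for agent in agents:
                    rules[agent].append(value)
    return rules

def rules_for(ua, rules):
    """Most specific record wins: longest agent token found in the UA, else '*'."""
    ua_l = ua.lower()
    best = max((a for a in rules if a != "*" and a in ua_l), key=len, default=None)
    return rules[best] if best is not None else rules.get("*", [])

def robots_violations(robots_text, log_text):
    """(ip, ua, path, status) for requests under a Disallow prefix for that client.

    Status 200 entries are the ones where the server actually handed the
    disallowed content over, because robots.txt itself enforces nothing."""
    rules = parse_robots(robots_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]        # compare the path without the query
        if any(path.startswith(p) for p in rules_for(m["ua"], rules)):
            hits.append((m["ip"], m["ua"], path, int(m["status"])))
    return hits
```

Mediapartners-Google carries its own all-allowed record here, so its request for /private/ is not reported; the unknown harvester falls under the `*` record and shows up twice.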
If you want untargeted ads you can have them.
A user specifically has to ask for those type of ads to be turned on and Opera tells them up front exactly what it will send and won't send.
Opera empowers users to make their own educated decisions. If that puts them in the place in your mind as crooks and criminals I can only imagine it's because your mind is so tiny that there's not much capacity in there for proper filing.
So... thieves, privacy intruders, spam l0rds and terrorists are the ones using Google. Thats it - I'm using MSN Search from now on. Thank God for media like MSNBC for providing unbiased news coverage.
http://slashdot.org/article.pl?sid=04/02/01/1853240&mode=thread&tid=109&tid=126&tid=187&tid=95
SIG: TAKE OFF EVERY 'CAPTAIN'!!
It's nothing about 'hacking' Google, or abusing Google in any way, shape or form.
It's about using Google's database to find information that really shouldn't be in the database.
And whose fault is that? Not Google's! All Google does is send out little 'bots' to scour the web pages and collect the data. It can only go to sites that normal, non-privileged, non-passworded people can browse to themselves. (And even then a simple robot deny entry can stop this.)
The blame lies squarely at the admins and people running the sites that hand out this data. The insecure IIS site which is letting anyone browse their customers' records etc etc.
All Google gives is a nice way to search the x billion pages it knows about for 1 or 2 words.
So you don't have to do the leg work... or browse through portals or directories (remember those gopher days?)
O'Ferrell said.
But the MSN story, just a few lines later, says:
"And it is all legal, using the world's most powerful Internet search engine."
Hmm... Excuse me if I smell a rat.
The moment it is painted in the plane or ship it is public.
With electronic advancements that is kind of unnecessary, honestly, what reason there is to paint in big bright letters this kind of information?
Did anyone notice how heavily "enhanced" the cited MSNBC web page is? Try to print it using Mozilla 1.2.1 on Linux and it crashes the browser. Try to view it with Mozilla 1.1 on Windoze XP and page is displayed very incorrectly. Even printing with IE from XP took 3 tries.
These fuckers never give up.
would anyone put anything that they didn't want read onto a webpage in the first place?
That is absurd enough - but then to complain that people are reading it?
sig under development
I know this is very late in the discussion.
But, if I wander into an unprotected system, like a bank or military site, and I start reading confidential documents... Is this not a crime?
What's the difference if I locate the unprotected documents via a search engine or by using a port scanner with an IP range.
I think what I'm saying is that port scanning and finding a vulnerable system, going into that system and looking around is now a crime.
But didn't I just describe what's going on with google hacking?
I don't advocate nor believe any of this is a crime but where and why is a line drawn between them?
I've often said about hacking that just because I go to the market and forget to lock my front door, that doesn't mean I expect to come home and find someone rummaging through my house.
If it's an administrator who forgets to lock down a port or one who inadvertently places confidential material on the wrong box... Again, where is the line and how is it drawn, and why, between criminal hacking and "it's on an open system, Google found it so it's legal".
I'm just asking. It's early in the AM and my brain isn't working because it's not seeing the difference. I'm only seeing a very fine line between what one might consider a "public" system versus one that expected to be "private". Is the only difference our "expectation" of privacy that makes one illegal and another a sport?
If Bill Gates is using the same browser that he pushed in 1995, then he is a total moron. He is not a moron. Therefore he is not using the same browser that he pushed in 1995, IE, QED
dumb, de-dumb, dumb.
Nice of MSNBC to malign the thing M$ can neither match nor buy.
Friends don't help friends install M$ junk.
This is just Microsoft's next agenda item. They are going after google so they can embrace and extend the search technology of the internet.
Instead of criticizing Google why don't they tell people how to have their site not spidered or whatever you want to call it. But no, here comes the FUD campaign against Google.
A word to Microsoft - LEAVE GOOGLE ALONE - you make nothing but a crap desktop OS - do not screw up google or any other search engine.
We do not need you in IT - can't you just go off in some corner and count your money you already illegally made and be happy.
I am sick of your FUD - just shut up - and fsck off!!
I find it interesting how people are quick to dismiss TIA et al. and quick to accept Google doing very nearly the same thing.
Now, granted these government programs will go out and get physical records from Libraries/Companies, etc., but they did make the claim that those records are freely available to one who wants to do the work. And as everything moves online due to ease of use, it will be very easy for a search engine to do the same thing. The differences become less. It seems we may be dealing with very thin lines on what is actually "acceptable."
Personally, I don't really like information about myself, personal or not, to be available on the web unless I explicitly put it there. And while I don't like these programs and search engines, I have to admit that they are using information that I at one time or another freely gave out. Bah - I should've never gotten that library card.
The snow doesn't give a soft white damn whom it touches. -- ee cummings
OK, Microsoft Dorks did not write this latest article maligning the service they can neither match nor purchase, they simply trumpeted it by republication to the place where M$ Windoze takes people who push the default "news" buttons on their browser and desktop. What do I have to adjust exactly?
A lot of the personal data that is publicly accessible was not made publicly accessible by the data subject, but by a third person/party.
People say I'm crazy, I got diamonds on the soles of my shoes...
Have you seen their webpage? it opens with:
GRAY-WORLD.NET TEAM
Unusual firewall bypassing techniques, network and computer security.
If someone puts crap on a publicly accessible website without password protection, and they come whining that somebody read it they should be slapped upside the head. Not linking to a document has never been an acceptable form of security.
Eat at Joe's.
That is nice! I don't know any other way to force Google to crawl a document...
This isn't a new idea, people have been searching for exploitable or misconfigured pages with google for years!
must be a slow day on /.
The Washington Post gets it wrong (again!)
Googledorks are NOT hackers; it's a term for people who leave documents unprotected in a stupid or egregious manner.
Google hacking may be an old phenomenon but Long et al. have taken it to a new level of sophistication, with scripted interactions with Google and a huge database of custom queries for finding protected documents and information.
The Googledorks Page.
And lastly, despite people at private security firms "tracking the issue" and Homeland Security being "aware" of the problem but "unable to do anything about it", the truth is the issue could be stopped cold. Most of the hacks are built around a small set of specially crafted queries such as intitle:"index of". Blacklisting these queries at the search engine would end 99% of Google hacking in its current form.
Of course, leave it to the billions of wasted dollars at DHS to get it wrong. At least we have Johnny (:
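The blacklisting idea above, as an added example rather than any poster's code or any search engine's real implementation: a small classifier that parses operator-based queries and flags the shapes named in this thread (intitle:"index of", inurl:robots.txt, allinurl with cgi, a spreadsheet hunt paired with credential words). The signatures, the sample query log and the function names are all assumptions of this example.

```python
import re

# Search operators discussed in the thread; the value may be quoted.
OPERATOR_RE = re.compile(
    r'\b(?P<op>allinurl|allintitle|inurl|intitle|filetype|site):\s*(?P<val>"[^"]*"|\S+)',
    re.I,
)

# (operator, value pattern, label) for the query shapes named in the thread.
DORK_SIGNATURES = [
    ("intitle", re.compile(r"^index of\b", re.I), "directory listing hunt"),
    ("inurl", re.compile(r"robots\.txt$", re.I), "robots.txt harvesting"),
    ("allinurl", re.compile(r"\bcgi\b", re.I), "cgi script hunt"),
    ("filetype", re.compile(r"^xls$", re.I), "spreadsheet hunt"),
]
CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|username)\b", re.I)

# Constructed query log, as a search engine or outbound proxy might keep it.
QUERY_LOG = [
    'intitle:"index of" backup',
    "filetype:txt inurl:robots.txt",
    "allinurl: cgi print site:.mil",
    "bill gates username password filetype:xls",
    "how to bake bread",
    "site:example.com recipes",
]

def parse_query(query):
    """Split a query into ([(operator, value), ...], remaining free text)."""
    ops = []
    def grab(m):
        ops.append((m["op"].lower(), m["val"].strip('"')))
        return " "
    free = OPERATOR_RE.sub(grab, query)
    return ops, " ".join(free.split())

def classify_query(query):
    """Return the reasons a query looks like a dork; an empty list means benign."""
    ops, free = parse_query(query)
    reasons = [label for op, val in ops
               for sig_op, pattern, label in DORK_SIGNATURES
               if op == sig_op and pattern.search(val)]
    # Credential words alone are ordinary text; combined with an operator they are not.
    if ops and CREDENTIAL_WORDS.search(free):
        reasons.append("credential keyword combined with an operator")
    return reasons

def flag_queries(queries):
    """Keep only the queries that triggered at least one reason."""
    flagged = []
    for q in queries:
        reasons = classify_query(q)
        if reasons:
            flagged.append((q, reasons))
    return flagged
```

Operators by themselves are not suspicious (site:example.com recipes passes); only the combinations this thread describes are reported.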
I see the Foxes are out :)
Opera only feeds data to Google if you have the nonregistered version and then /only/ if you have enabled the Google-customized advertisements. You can select to receive the non-customized adverts if you want to - and don't want to pay the registration fee.
Marxist evolution is just N generations away!
Yes, we have a lot of other laws not worth copying. No, it won't solve everything. OTOH, it will go quite a long way.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
Could someone post a mirror to the site, b/c I can load the site... but there's no text, no article.
"I have found hidden files in directories by looking at the location of images and looking in those directories. Those directories and some of the files were not directly linked to the rest of the site other to an index page that was also not linked to the rest of the site." That seems so much more wordy though.
To get to that generated index requires traversing the directory which was not linked anywhere. This took a small leap of faith that an auto-generated index would actually exist, but they too often do. The point was that the guy did not expect anyone to come across that stuff because it wasn't directly linked anywhere. I also told the guy about it just so he would be aware that these files could easily be found. Actually I was more concerned about him running a telnet daemon/service on his machine.
I disagree with your definition of guessable filenames and subdirectories being linked even without an explicit reference to the file or directory though. To me an implied reference or the likelihood of a file existing isn't being linked even though it means someone can just as easily access it. A parent directory not linked anywhere is still not linked, even if its existence is implied by a file within that directory. The same with a web page that references only hyatt001.jpg and hyatt002.jpg. Everyone reading this should see the pattern and guess that hyatt003.jpg may exist even without an explicit link.
I guess people with tripod or Yahoo! GeoCities hosted "homepages" usually don't need to worry, but almost everyone else should. I just wish the secure logins were the default and only allow secure FTP though.
Losing faith in humanity one person at a time.
He, he. I just googled for "filetype:txt inurl:robots.txt" and the first hit was www.whitehouse.gov/robots.txt. It contains very interesting entries like:
Disallow: /911/911day/iraq
Disallow: /911/response/iraq
Disallow: /vicepresident/iraq
Disallow: /space/iraq
Disallow: /president/winterwonderland/iraq
The listings end in either "text" or "iraq". Is "iraq" an acronym? If so, it's pretty funny.
The US Navy wishes it had 804 ships. More like 294.
And what in the world is "docking location"? Their home port? Big whoop. What's important is where they are when they're on mission, not what city the sailors happen to live in.
It's not like you can hide a warship from public knowledge in any case. Anyone with a waterfront view can tell you what ships are in port.
"You despise me, don't you?"
"If I gave you any thought, I probably would."
Just to check if that person was "FUD"ing or not, I downloaded Opera and requested some pages I had set up one called fgt.html [fucking google test] and the others were a copy of a
Note that for the second page, the gbot didn't ask for the robots.txt, maybe because it cached that info because for the 3rd page, it asked for it again. Also, I had requested the / page before all the others, so I don't know why it bot'd that one last unless the queue on 87.66 was just longer than the others.
Will google find this?
The locations of all CIA agents in the world
Google will try to index it, but it won't since it doesn't exist (?) Dumber spiders might index it though.
Seriously: Somebody might place a file in public_html by accident (a symbolic link gone awry, or dropping a file in the wrong folder icon); but basing your security on not being searched is retarded.
Irene KHAAAAAAN!
Then you have still put it in a publicly accessible place, and bear full blame for others finding it.
The line isn't quite so clear. There's a difference between a box along the street saying "Free letters to read" and a box along the side of the street serving as your mailbox. Are your letters in the mailbox out along the public street publicly accessible because you didn't ship them in a locked steel vault?
Yeah, of course if you NEED security you take strong precautions. But when you simply expect privacy, sometimes the situation can be effectively handled by convention. Example: Someone who owns a building could put a camera in the bathroom, but you typically don't wear a ski mask to use the restroom. We handle this situation by a chosen convention. We expect people to not place cameras in this environment, and sometimes we even pass laws to help enforce the convention without making life more difficult.
So as N other people have said, if you put the information somewhere that your http server will hand it to anyone who asks for it, then you're handing it to anyone who asks for it, whether you were paying attention or not, so don't be stupid. Crypto is your friend, but don't think that it's enough - http://secretplans.army.mil/norobots,please/invasions/Cuba/October-2004.pgp is still leaking information even though nobody can read it.
Norobots.txt is a good place to put disinformation for harvesters, though - sugarplums for spam harvesters and intrusion detectors are the main uses for it. While norobots was partly motivated by the concern about information privacy, the other big motivation was slow web servers getting stomped all over by fast search engines. You really don't want Altavista and Google and Yahoo and 43000 spammers downloading your Linux ISO distributions to see if there are popular keywords or spammable email addresses in them. The big search engines were also polite enough to spread their load around rather than doing too much depth-first-search; some spammers also do that, usually to avoid getting detected.
On the other hand, using passwords, SSL, and client certs gives you some level of protection, but even then, the people who download your stuff may be careless about where they leave it, and Google's real security threat is finding stuff like that.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks