Slashdot Mirror


Online Search Engines Lift Cover Of Privacy

Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information. Some of this information includes 'Medical records, bank account numbers, students' grades, and the docking locations of 804 U.S. Navy ships, submarines and destroyers.'"

24 of 460 comments (clear)

  1. Um. by Anonymous Coward · · Score: 5, Insightful

    While googlestalking is scary and bad and I'm not condoning it, in this *specific* case, if the docking locations of U.S. naval ships is something that they do not want made public perhaps they should simply not make them public?

    1. Re:Um. by Anonymous Coward · · Score: 5, Insightful

      Maybe you should use some kind of security instead of just really -hoping- no one crawls/reads/caches your document.

    2. Re:Um. by ecalkin · · Score: 5, Insightful

      documents that should not be available to the general public should be a) behind firewalls where the general public is on the other side, b) stored on web servers that require authentication to read such pages (where the general public does not have username/password), or c) not be stored on a web server!

      i think that this is somewhat an issues of bad management and somewhat (maybe more) and issue of the weakness of web service security (compared to something like local novell services).

      eric

    3. Re:Um. by pla · · Score: 5, Insightful

      Let's say you put a page on your site
      <snip>
      And it is not linked to ever.

      Then you have still put it in a publically accessible place, and bear full blame for others finding it.

      For a physical-world analogy, let's say that you want to give a note to a friend (which, for some reason, requires a non-conventional mode of delivery). You could leave it at page 416 of "The complete minutes of the Town of Dullsville, 1853 to 1862", which no one had checked out in the past 30 years. Tell your friend where to find it, and 999 times out of 1000, you'd have no problems.

      If you one day used that same method of sending a note, only to discover someone checked out the book and removed the note, would you actually have the gall to blame anyone but yourself?


      Slashdotters, of all people, have heard this over and over and over... Security through obscurity may help in addition to some form of "real" security, but it almost never works by itself. The web counts as a very public place. If you place sensitive information on it with no security beyond a "hidden" URL, don't act surprised when the NYT has it as a headline the next week.

      And for reference, yeah, I too have stuck random files up on my site for a friend to grab. But never when it would have mattered if someone else randomly found those files.

  2. Cover of "Privacy" by mobiGeek · · Score: 5, Insightful
    What "privacy"? The information is posted on the WORLD WIDE Web...

    --

    ...Beware the IDEs of Microsoft...

    1. Re:Cover of "Privacy" by IntelliTubbie · · Score: 4, Insightful

      What "privacy"? The information is posted on the WORLD WIDE Web...

      Perhaps a more accurate title would have been "Online Search Engines Remove Delusion Of Privacy."

      Cheers,
      IT

      --

      Power corrupts. PowerPoint corrupts absolutely.

  3. Why Google? by lostchicken · · Score: 4, Insightful

    Why do people always have to drag Google into this sort of thing? Somewhere, someone is pissed off at Google for putting their medical records on the web, and letting people get at them, when they should be angry at the people who posted them to the web in the first place. It's like calling Southwest Bell your partner in crime because you used DSL to steal from an online bank. It just makes SWBell look bad, just as this makes Google look bad.

    --
    -twb
    1. Re:Why Google? by agentZ · · Score: 4, Insightful

      Google is a tool, and tools can be used for good or for bad.

  4. Hard to hide by BWJones · · Score: 4, Insightful

    This all brings up one of the central tenets of computer network security: If it is connected to the Internet, it can be accessed, and sometimes the probing computers that are looking leave their little IP footprints all over the place. For instance, I was rather surprised a couple of years ago watching some IP's scroll through while someone/a software bot was accessing my workstation. Whois revealed nothing, but traceroute revealed an IP that allowed me to do a little more poking around to find out the identity as something from a "Special Collections Service" in Maryland. A little more poking around revealed it to be something involving a state department program whereupon I rather quickly decided to stop investigating. I still don't know anything about them or what they do, but it is surprising how hard it can be to be anonymous on the web. Hey, I am sure even all those Slashdot anonymous coward posters are leaving IP's that can and are documented. :-)

    --
    Visit Jonesblog and say hello.
  5. web servers for morons by belmolis · · Score: 5, Insightful

    The real story here is that companies and other organizations and institutions are setting machines up as servers and are too stupid to create an appropriate robots.txt file and/or keep their confidential information elsewhere. Google doesn't just drop in, even on networked machines. I have some sympathy for individuals who don't understand what they are doing when they make their machine a server, but surely any professional sysadmin, even one with limited training and experience, should know better than this. It's the same as leaving your briefcase on the front seat of an unlocked car.

  6. so who owns it, how can we stop it? by HealYourChurchWebSit · · Score: 5, Insightful



    Part of this problem comes out of who owns the daggoned data. For example, let's say a hospital, instead of using clipboards, uses smartcards to hocket about patient records.

    Who own's the data. The hospital, the insurance company paying the bill, or the poor schmuck on the business end of a colonoscopy?

    I ask because without the indiviual having the write to own the data, there seems to me little that can be done to protect oneself other than go through expensive and tedious legal channels.

    And if someone else can own sensitive data about me, then what can we do, as private citizens with limited resources, to make sure larger entities such as insurance companies play by rules like HIPPA?

    --
    --- have you healed your church website?
  7. Geez by Wolfier · · Score: 4, Insightful

    If your information is "sensitive" or "private", do yourself a favor and don't put it on the web.

    Peeps nowadays...

  8. Re:Google threatens privacy and national security by JanneM · · Score: 4, Insightful

    Shouldn't Google take precautions to make sure that sensitive data doesn't fall into the wrong hands?

    No, they should not. They are not in a position to know what _is_ sensitive - and to whom. They can reasonably only assume that anything reachable with an ordinary, polite spider is meant to be accessible to the world at large. If you feel certain information should not be made accessible, bring it up with those actually making it accessible, not with those just indexing it once it is.

    Shooting the messenger is not just pointless, it is counterproductive.

    --
    Trust the Computer. The Computer is your friend.
  9. Re:Google threatens privacy and national security by Concerned+Onlooker · · Score: 4, Insightful
    Sensitive data? Just because it's found through Google online doesn't make it any more sensitive or useful for terrorists. You can walk into any aviation bookstore and buy sectionals for the whole country, and they've got a lot more info than some MapBlast gif file.

    --
    http://www.rootstrikers.org/
  10. docking locations of 804 ships? by usn2fsu03 · · Score: 5, Insightful
    That's more than twice the number of ships currently in service.

    Also, these are not precise locations. Yeah, you can find that the USS Roosevelt (DDG-80) is homeported in Mayport, Florida but you're not going to find the precise pier number.

    As for ships on deployment, one can find their general locations just by looking at the latest issue of the Navy Times and by reading the newspaper of the town that the ship and its battlegroup are from.

    The Navy really tightened up on what get's posted on official ship's websites after 9/11. If there is sensitive information still out there, Google is not at fault, but rather the unit's webmaster, Commanding Officer, and the Operational Security people who are supposed to be looking out for that sort of thing.

  11. Fuck that shit by Anonymous Coward · · Score: 4, Insightful

    Maybe they should just use the fricking robots.txt protocol. That's what it's *FOR*. You can put a little file named robots.txt in the directory you want hidden, put text in it that says "i want this hidden, google", and google will ignore your directory forevermore.

    No one has any right to complain if their page is in a search engine unless they followed the robots.txt protocol and the search engine did not.

    1. Re:Fuck that shit by Senior+Frac · · Score: 4, Insightful

      Not if the robots.txt file prevents you from accessing that data, which it does.

      The robots.txt file prevents nothing. It's merely a request that the spider "not go here." It's not a lock on the door. It's a sign that says, "please do not enter my house."

  12. Re:Nothing new by Ivan+the+Terrible · · Score: 4, Insightful

    If Bill Gates is using the same SS # that was leaked in 1995, then he is a total moron. He is not a moron. Therefore he is not using the same SS # that was leaked in 1995. QED

  13. old skool trick by shird · · Score: 4, Insightful

    An old trick I used to do was searching for something along the lines of

    "http://*:*@" member

    and you would get a bunch of sites with direct links into passworded member sites. Microsoft will put a stop to this with their latest update to IE however.

    --
    I.O.U One Sig.
  14. Re:Nothings private by MrNybbles · · Score: 5, Insightful
    Am I just another cynical bastard?
    Yes, you are a cynical bastard, and the world needs more of you.

    And on a totally unrelated thought. . .

    Online search engines lift cover of privacy
    Is Yuki Noguchi on crack? Google does not do anything to privacy. All Google does is make it easier to find publicly available information. Maybe "Online search engines act as a catalyst to find private information" would be more a accurate title. ". . .cover of privacy" makes it sound like it was protected in the first place.
    --
    Losing faith in humanity one person at a time.
  15. Re:I've heard of "cow orkers"... by jridley · · Score: 4, Insightful

    OT:
    How come Homer and Krusty look like clones?

    It's intentional. MG originally intended it to be a joke; Bart didn't respect his dad, but he worshiped a clown who looked exactly like his dad. He mentioned this on an NPR interview last week.

  16. Re:wait... by djupedal · · Score: 4, Insightful

    Or you realize that putting something on the internet means that it is no longer private..... regardless of how stupid it is to say that google will leave it alone if you just ask..

  17. Good! by ottffssent · · Score: 5, Insightful

    Hopefully this sort of flagrant violation will draw at least a modicum of public attention.

    This isn't some hardened criminal mastermind at work. It's not a seasoned cracker attacking military targets. This isn't even some script kiddie poking at IIS. It's a MACHINE. A machine that respects robots.txt for Eris' sake!

    If medical records and other "real" secrets are this visible, something is terribly wrong and I want to see public floggings. Seriously, this is not a case of weak security, or poor security, or incompetent security. It's a case of there not being so much as a screen door between the public and sensitive information.

    This is actually a case where I think the government (or at least the courts) can do some good. You'll notice banks don't get hacked on a daily basis. That's because they'd lose squintillions of dollars if it happened. But nobody cares about my medical records because it costs money not to have incompetent asses running things. On the other hand, if revealing to without were punishible by a $1000 fine per person, per offense, you'd notice a severe tightening of security in a mighty big hurry.

    It's a shame that suing people is sometimes the only way to get their attention, but with the decline of basic civil responsibility it might be inevitable.

  18. This is *not* Hacking? by DeanFox · · Score: 4, Insightful

    I know this is very late in the discussion.

    But, if I wander into an unprotected system, like a bank or military site, and I start reading confidential documents... Is this not a crime?

    What's the difference if I locate the unprotected documents via a search engine or by using a port scanner with an IP range.

    I think what I'm saying is that port scanning and finding an vunerable system, going into that system and looking around is now a crime.

    But didn't I just describe what's going on with google hacking?

    I don't advocate nor believe any of this is a crime but where and why is a line drawn between them?

    I've often said about hacking that just because I go to the market and forget to lock my front door, that doesn't mean I expect to come home and find someone rumaging through my house.

    If it's an administrator who forgets to lock down a port or one how inadvertantly places confidential materal on the wrong box... Again, Where is the line and how is it drawn, and why, between criminal hacking and "it's on an open system, google found it so it's legal".

    I'm just asking. It's early in the AM and my brain isn't working because it's not seeing the difference. I'm only seeing a very fine line between what one might consider a "public" system versus one that expected to be "private". Is the only difference our "expectation" of privacy that makes one illegal and another a sport?