Slashdot Mirror


Online Search Engines Lift Cover Of Privacy

Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information. Some of this information includes 'Medical records, bank account numbers, students' grades, and the docking locations of 804 U.S. Navy ships, submarines and destroyers.'"

21 of 460 comments

  1. Um. by Anonymous Coward · · Score: 5, Insightful

    While googlestalking is scary and bad and I'm not condoning it, in this *specific* case, if the docking locations of U.S. naval ships is something that they do not want made public perhaps they should simply not make them public?

    1. Re:Um. by Anonymous Coward · · Score: 5, Interesting

      The problem comes when google searches down records in web servers, and using partners such as Opera, will crawl into pages that are normally not publicly accessible!

      Here's how it works. Let's say you put a page on your site called

      http://yoursite.com/temporary/hidden/dontreadthis/private_document.html

      And it is not linked to ever.

      If you send that URL to someone using Opera with the right settings (but you don't know that) and they read the private document, within minutes GOOGLE WILL CRAWL THAT DOCUMENT!

      Nothing is private any more under situations like that. Let's say that private document then links to all your older private documents. Google can then freely crawl its way in to read the rest.

      Who's to blame for this then? Not you. You've already ensured you hadn't linked to it. Not the Opera user, as they have read the document, and respecting your privacy they've not mentioned it to anyone else.

      However, underhanded tactics like sneaking in a Google crawl in this manner are unacceptable to me. My firewall blocks all Google crawler bots for this very reason.

    2. Re:Um. by Anonymous Coward · · Score: 5, Insightful

      Maybe you should use some kind of security instead of just really -hoping- no one crawls/reads/caches your document.

    3. Re:Um. by ecalkin · · Score: 5, Insightful

      documents that should not be available to the general public should be a) behind firewalls where the general public is on the other side, b) stored on web servers that require authentication to read such pages (where the general public does not have username/password), or c) not be stored on a web server!

      i think that this is somewhat an issue of bad management and somewhat (maybe more) an issue of the weakness of web service security (compared to something like local novell services).

      eric

    4. Re:Um. by pla · · Score: 5, Insightful

      Let's say you put a page on your site
      <snip>
      And it is not linked to ever.

      Then you have still put it in a publicly accessible place, and bear full blame for others finding it.

      For a physical-world analogy, let's say that you want to give a note to a friend (which, for some reason, requires a non-conventional mode of delivery). You could leave it at page 416 of "The complete minutes of the Town of Dullsville, 1853 to 1862", which no one had checked out in the past 30 years. Tell your friend where to find it, and 999 times out of 1000, you'd have no problems.

      If you one day used that same method of sending a note, only to discover someone checked out the book and removed the note, would you actually have the gall to blame anyone but yourself?


      Slashdotters, of all people, have heard this over and over and over... Security through obscurity may help in addition to some form of "real" security, but it almost never works by itself. The web counts as a very public place. If you place sensitive information on it with no security beyond a "hidden" URL, don't act surprised when the NYT has it as a headline the next week.

      And for reference, yeah, I too have stuck random files up on my site for a friend to grab. But never when it would have mattered if someone else randomly found those files.

  2. Kazaa and Gnutella are cooler by baryon351 · · Score: 5, Interesting

    Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application"

    It's surprising what people will sit in their kazaa upload directory, using it like a documents dump. Legal papers, company's employee policy documents, employee records, sensitive stuff, medical records.

    Taken straight from people's HDs, no hacking, cracking or other media-unfriendly terms needed, just the ignorance of the people who leave this stuff open is needed.

    1. Re:Kazaa and Gnutella are cooler by tsvk · · Score: 5, Informative
      Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application".

      Other examples are ".dbx", the file name extension for mail folders in Outlook Express. Or ".pwl", the Windows 9x system password file (supposedly easily crackable with the correct tool).

      There are unfortunately clueless users who share their whole hard drive. File sharing programs have however started getting better in discouraging or preventing the users from doing this.

  3. Cover of "Privacy" by mobiGeek · · Score: 5, Insightful
    What "privacy"? The information is posted on the WORLD WIDE Web...

    --

    ...Beware the IDEs of Microsoft...

  4. I've heard of "cow orkers"... by Black+Parrot · · Score: 5, Funny


    ...but what the heck are "googled orks"?

    --
    Sheesh, evil *and* a jerk. -- Jade

  5. The worst example.. by centralizati0n · · Score: 5, Informative

    The worst example I saw was the FBI NCIC 2000 manual [PDF]. It gives you examples of how to look up criminal records and such... which could be very useful to the criminally vested social engineer.

  6. You can do this on KaZaA too. by leeum · · Score: 5, Interesting

    This isn't anything too new. For kicks, I once searched for "Resume" and "Credit card" on KaZaA and got hundreds of results. Presumably, the trouble is that people sometimes believe that security through obscurity works - or, in the case of KaZaA, a lack of attention leads people to share files they didn't really want to.

    Interestingly, I found a text file with all the user names and passwords for brokerage firms, and bank accounts, of the IT director at the firm I was working in. Scary, considering he was supposed to have "15 years in the IT industry".

  7. Could happen to you by bendelo · · Score: 5, Interesting

    A while back I Googled my credit card number for a laugh. I was shocked to find it in an indexed webserver log for a site I had previously 'tried' to purchase from. (the form timed-out and I gave up).

    A quick call to the bank and a few angry calls to the company sorted it, but I was not impressed.

    Perhaps a tool to search for ones own private details should be developed to keep an eye on this?

  8. Cue Dr. Evil by Clinoti · · Score: 5, Funny

    The most basic way to keep Google from reaching information in a "Web server", security experts said, is to set up a "digital gatekeeper in the form of an instruction sheet for the search-engine's crawler. That file, which is called "fembots.txt"

    --

    Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep

  9. web servers for morons by belmolis · · Score: 5, Insightful

    The real story here is that companies and other organizations and institutions are setting machines up as servers and are too stupid to create an appropriate robots.txt file and/or keep their confidential information elsewhere. Google doesn't just drop in, even on networked machines. I have some sympathy for individuals who don't understand what they are doing when they make their machine a server, but surely any professional sysadmin, even one with limited training and experience, should know better than this. It's the same as leaving your briefcase on the front seat of an unlocked car.

  10. so who owns it, how can we stop it? by HealYourChurchWebSit · · Score: 5, Insightful



    Part of this problem comes out of who owns the daggoned data. For example, let's say a hospital, instead of using clipboards, uses smartcards to hocket about patient records.

    Who owns the data? The hospital, the insurance company paying the bill, or the poor schmuck on the business end of a colonoscopy?

    I ask because without the individual having the right to own the data, there seems to me little that can be done to protect oneself other than go through expensive and tedious legal channels.

    And if someone else can own sensitive data about me, then what can we do, as private citizens with limited resources, to make sure larger entities such as insurance companies play by rules like HIPAA?

    --
    --- have you healed your church website?

  11. docking locations of 804 ships? by usn2fsu03 · · Score: 5, Insightful
    That's more than twice the number of ships currently in service.

    Also, these are not precise locations. Yeah, you can find that the USS Roosevelt (DDG-80) is homeported in Mayport, Florida but you're not going to find the precise pier number.

    As for ships on deployment, one can find their general locations just by looking at the latest issue of the Navy Times and by reading the newspaper of the town that the ship and its battlegroup are from.

    The Navy really tightened up on what gets posted on official ships' websites after 9/11. If there is sensitive information still out there, Google is not at fault, but rather the unit's webmaster, Commanding Officer, and the Operational Security people who are supposed to be looking out for that sort of thing.

  12. What I like by Anonymous Coward · · Score: 5, Informative

    The thing is that most people will literally inadvertently share their entire hard drive's contents, or at least all "media files".

    What I like to do is go on gnutella or kazaa and search for "DSN" or one of a number of similar prefixes. Why? Because most digital cameras save their files in a specific hardwired format, and the kind of people who leave their entire hard drive shared on kazaa are the kind of people who don't rename their digital cameras.

    You can find the most random, interesting, occasionally personal shit that way.

    I'm trying to remember the other common prefixes besides DSN and failing.

    -- Super ugly ultraman

  13. Google can't always hack it by Lifewish · · Score: 5, Interesting

    I am a member of a university organisation called the Assassins Guild, the basic premise being that, on the basis of the most limited possible information, we hunt down and "kill" other guild members with weapons such as cap guns and cardboard swords. As such, I have some personal experience of the use of Google in stalking. I can tell you that, in a university composed presumably of some of the most net-savvy people around, I have only found a photo once. Occasionally I have found a usenet posting or slashdot account. Old schools are common, but the folk at my uni are often those who are mentioned in school newsletters. The average web presence of the average user is approximately nil. In a range of cases, someone may become more prominent (either by accident or design - Darl McBride for example), but on the whole there is very little you can gather from Google. Occasionally it's enough to kill your target, but don't count on bank details.

    --
    For the love of God, please learn to spell "ridiculous"!!!

  14. Re:Nothings private by MrNybbles · · Score: 5, Insightful
    Am I just another cynical bastard?
    Yes, you are a cynical bastard, and the world needs more of you.

    And on a totally unrelated thought. . .

    Online search engines lift cover of privacy
    Is Yuki Noguchi on crack? Google does not do anything to privacy. All Google does is make it easier to find publicly available information. Maybe "Online search engines act as a catalyst to find private information" would be a more accurate title. ". . .cover of privacy" makes it sound like it was protected in the first place.
    --
    Losing faith in humanity one person at a time.

  15. Re:Uh-huh. by Anonymous Coward · · Score: 5, Informative
    > Want to expand on that or are you just trolling? How did the
    > existence of that page get from Opera to Google such that it
    > could pin-point (not crawl) that page?

    Opera submits URLs browsed to by users, to google, when advert support is turned on.

    http://www.opera.com/adsupport/

    From that page:
    --------
    What is the connection between the Web page and the relevant ad displayed by Google?
    Opera's interaction with the Google ad system:

    The Opera browser sends Google the URL of the web page you are visiting and your IP address (with the exceptions Opera filters out -- see below)
    --------

    Exceptions are https, forms, passwords, cgi, and non-http URLs.

    As an example from my apache log file last night, when I gave a friend a URL to a photo:
    xxxxxxx.upc-g.chello.nl - - [10/Feb/2004:02:23:53 +1100] "GET /temporary/sooted.jpg HTTP/1.1" 200 74339 "-" "Opera/7.23 (X11; Linux i686; U) [en-GB]"
    crawler8.googlebot.com - - [10/Feb/2004:02:28:39 +1100] "GET /temporary/sooted.jpg HTTP/1.0" 200 74339 "-" "Mediapartners-Google/2.1 (+http://www.googlebot.com/bot.html)"
    It's surprising how many Opera users will deny this happens, despite the evidence. That's a 5 minute delay, google is pretty quick with its crawling. Personally, I don't mind. I put things up in my temporary directory and pull them down fairly soon after. I know nothing is secure if it's just an unprotected URL, so I'm not worried like the grandparent poster. However, Opera does send URLs to google, and google does come back and check them out.

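The log pattern this comment shows (one referer-less browser fetch of an unlinked URL, then a crawler fetch of the same path minutes later) is easy to check for in your own access logs. The following is an added example, not code from the thread or from any poster: a Python script that parses Apache combined-format lines and flags paths a crawler fetched within a window after a referer-less, non-crawler fetch. The sample log lines, the client addresses and the list of crawler user-agent substrings are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_UA = ("googlebot", "mediapartners-google")  # assumption: UA substrings that mark crawlers

def parse(line):
    m = LOG_RE.match(line)  # returns None for lines that are not combined-format
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_crawler(ua):
    return any(k in ua.lower() for k in CRAWLER_UA)

def find_leaks(lines, window=timedelta(minutes=30)):
    """Return (path, browser_host, crawler_ua, delay_seconds) for each path a crawler
    fetched within `window` after a successful, referer-less fetch by a non-crawler."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["time"])
    leaks = []
    for i, r in enumerate(recs):
        if is_crawler(r["ua"]) or r["referer"] != "-" or r["status"] != "200":
            continue  # only typed/pasted (no referer) fetches by real clients seed a check
        for later in recs[i + 1:]:
            if later["time"] - r["time"] > window:
                break
            if later["path"] == r["path"] and is_crawler(later["ua"]):
                delay = int((later["time"] - r["time"]).total_seconds())
                leaks.append((r["path"], r["host"], later["ua"], delay))
                break
    return leaks

# Constructed sample lines in the same shape as the ones quoted in the comment.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2004:02:23:53 +1100] "GET /temporary/sooted.jpg HTTP/1.1" 200 74339 "-" "Opera/7.23 (X11; Linux i686; U) [en-GB]"',
    '203.0.113.7 - - [10/Feb/2004:02:24:10 +1100] "GET /index.html HTTP/1.1" 200 512 "http://example.invalid/" "Opera/7.23 (X11; Linux i686; U) [en-GB]"',
    '198.51.100.9 - - [10/Feb/2004:02:28:39 +1100] "GET /temporary/sooted.jpg HTTP/1.0" 200 74339 "-" "Mediapartners-Google/2.1 (+http://www.googlebot.com/bot.html)"',
    '198.51.100.9 - - [10/Feb/2004:02:29:00 +1100] "GET /index.html HTTP/1.0" 200 512 "-" "Mediapartners-Google/2.1 (+http://www.googlebot.com/bot.html)"',
]

if __name__ == "__main__":
    for path, host, ua, delay in find_leaks(SAMPLE_LOG):
        print(f"{path}: fetched by {host}, crawled by {ua!r} {delay}s later")
```

The /index.html fetch is not flagged because the browser request carried a referer, so that URL was reachable by a link anyway; only the referer-less fetch followed by the crawler hit is reported.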
  16. Good! by ottffssent · · Score: 5, Insightful

    Hopefully this sort of flagrant violation will draw at least a modicum of public attention.

    This isn't some hardened criminal mastermind at work. It's not a seasoned cracker attacking military targets. This isn't even some script kiddie poking at IIS. It's a MACHINE. A machine that respects robots.txt for Eris' sake!

    If medical records and other "real" secrets are this visible, something is terribly wrong and I want to see public floggings. Seriously, this is not a case of weak security, or poor security, or incompetent security. It's a case of there not being so much as a screen door between the public and sensitive information.

    This is actually a case where I think the government (or at least the courts) can do some good. You'll notice banks don't get hacked on a daily basis. That's because they'd lose squintillions of dollars if it happened. But nobody cares about my medical records because it costs money not to have incompetent asses running things. On the other hand, if revealing to without were punishable by a $1000 fine per person, per offense, you'd notice a severe tightening of security in a mighty big hurry.

    It's a shame that suing people is sometimes the only way to get their attention, but with the decline of basic civil responsibility it might be inevitable.