Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."
I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...
Simon
Physicists get Hadrons!
Looks more like Google found forums where people were swapping credit card numbers.
Which in the long run is a good thing, because people will then use real security, and if it is not easy enough to set up, some solutions will emerge.
In the long run, thus, we'll have real security and ease of use.
It often has very little to do with *you*.
It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.
It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't.
Having google blocked (presumably from google's end) from this is just security through obscurity. Well it's not even that really, it means there is (1) stuff available in plain text which is a part of a website's (2) public access AND (3) for one reason or another has searching enabled. The problem is part 1 and/or 2, the symptom is 3. Cure the problem, not the symptom.
Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.
I realize that this was intended to be a joke; however, it is likely that many of these credit card numbers were derived from a malicious application. Although one might argue that anybody inexperienced enough to execute a malicious application is also "deserving," I have often observed that those individuals are -- perhaps ironically -- averse to conducting electronic transactions.
Do you like German cars?
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Is Google liable for harvesting and publishing sensitive information? If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
If a google search finds it then google is not publishing it; rather, google is simply providing a link to something that is already published. IANAL but, caching aside, all they are doing is providing a link to something that is already publicly accessible, so I don't see how they could be liable. The situation may be more complicated if the data were illegally published, later pulled from the web site, but remain in google's cache.
I've accidentally put my IM logs on the internet. Sometimes it can be easy enough to make a mistake (i.e. deny,allow rather than allow,deny). A shitload of private stuff got out to everyone I know (I'm 14, so I have to be with these people a lot of the time), and now I use GnuPG with a 4096-bit key, and digest authentication.
You don't have to be dumb to make mistakes like this, a single typo can do it. Being dumb just helps.
The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.
Ask your bank for a second Credit Card with a few hundred dollar limit. Use that to buy stuff online, and if someone steals it, it won't cost you that much.
Looks can be deceiving. Or CAN they?
Well that gets us back to the free market correcting itself. I would ask you though if that's necessarily a good thing.
Remember Microsoft? Corporate giant, kinda unethical? Their products are notoriously unsecure, and yet people still use Windows/IE/Outlook. Why? Because free market economics don't work in a corporate dominated environment. We don't have free market capitalism, we have corporate monoculture, and it's notoriously unreliable for producing good, solid, honest products. Instead we get salesweasels shovel^H^H^H^H selling products that don't work as advertised. Better alternatives are quashed, or relegated to the open source community (which is good, but lacks an R&D budget). I think you're being overly optimistic.
Erotic is when you use a feather. Exotic is when you use the whole chicken.
At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...
...in bed
And then you give the PIN to the business to complete the transaction and now they have that. Exactly how does this improve security when you transact business with a company? It might improve security if someone were to steal your wallet, but without some complicated and difficult to verify one time hash scheme. Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up their site).
You are in a maze of twisted little posts, all alike.
Hasn't anyone heard of using a robots.txt to block web spiders? If people are stupid enough not to, then their hidden data is just asking to be found by anyone. That's my 2 cents.
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
You do realize that to do business on line, you would still have to give them your pin, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
Is there anything we can advise these people to do to minimize the damage at this point?
That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.
Yes and they also mentioned that this wasn't as big a deal as people think.
For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
The majority of the credit card numbers are on semi underground script kiddy sites. Where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card number generator.
Lastly this article implies (and a number of posters here) that the credit card numbers found are the result of carelessness by credit card holders on the web and therefore it is their own fault. This is not the case. Google did not expose any mass stupidity by internet users, it simply exposed some of the sites that harvest credit card numbers.
Evolution is about being *good enough*, not the best.
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
Unfortunately, this doesn't usually have a lot to do with intelligence.
You know, I really wish the paranoia about using credit cards on the internet will go away.
Think about this as somebody with some technical background. What is more secure?
1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
2. Providing your credit card number to Amazon.
So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.
I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.
People couldn't type. We realized: Death would eventually take care of this.
You do realize that to do business on line, you would still have to give them your pin, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
No, I do not realize this. You are not using your imagination.
During the checkout phase, you get a code. You log on to your bank/credit card/whatever account, paste that code into a field to authorize the funds, and get an order confirmation from the place where you bought your stuff.
There are probably a ton of other ways to make this work, too. It is not a requirement that you feed an online business enough information to make purchases using your credit card, that's just how it happens to be set up now.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
People still 'hide' house keys under their doormat. Try explaining to them why they shouldn't do it on the Internet.
UNIX/Linux Consulting
I don't even think it needs to be that high tech. How about this:
Your bank sends you in the SNAIL MAIL a sheet monthly of longish letters/numbers that represent an authorization to spend money. In fact, each one could be rated for a certain amount of money, say, up to $100 or $250, or something like that. That, in combination with a number on the back of your card (what are they called, CCV2 or something), forms a use-once key for an online purchase. That way you have to have the card present, plus your statement of authorization codes, to purchase goods online. The e-tailer never needs to know your card number, and the codes are only good for a single use. Even if a cracker got a hold of the site database, the CCV2 code would not be usable for anything unless the cracker also got a hold of your randomly generated, time-sensitive, preset codes.
Something like this would cost practically nothing to implement, be very easy to maintain (you gotta send bank statements monthly anyways), easy to regulate (for example, pass a regulation saying that these can only be sent through the USPS or private carrier, never electronically or ever given out over the phone), and greatly improve security.
On top of that, it'd be great for people without regular banks or bank accounts. An intrepid consumer could easily sell pre-paid authorisation numbers on little scratch-lotto style tickets.
On the processing side all we would need is a strong central party (or number of them), like Visa, Mastercard, or AmEx to receive valid authorisation numbers from banks and hitch that into the POS and online processing systems.
In fact, even as a strong libertarian, it makes me cringe to think how much trust and financial power we place into the hands of Visa, Mastercard, and their ilk. It might make sense at some point to expand the mission of the Federal Reserve or the Treasury to handle the verification and routing of authorisation numbers like I've described.
However, "Even then, it doesn't do them any good without your card" is flat wrong, cards can be forged, magnetic stripes rewritten (Ever see a cashier verify the numbers that got approved are the numbers on the card? They rarely confirm the signature, and I've even used other people's Photo Visas).
Also, video cameras can record pin numbers, electronic eavesdropping tricks could "hear" the PIN number, etc. Heck, what guarantee do you have walking into any store that the CC terminal is legitimate, and not a fake designed to capture your CC number and PIN before passing it on to a legitimate machine in the back? Dig around for ATM fraud to see what is actively going on.
You are in a maze of twisted little posts, all alike.
If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
Bad analogy. A better one: If the neighbor posts his naked photo on a public bulletin board, does that mean you can show other people where it is?
Stuff that's on the web is there because someone put it there, i.e. they published it. The fact that they may not have *meant* to publish it doesn't change the fact that they did. If you place an ad in the newspaper, but screw up and give the paper a steamy letter to your secret gay lover instead of the blurb about the 1998 Camaro you want to sell, are they liable for the damage done to your reputation when they publish it? (Assuming, of course, that you consider it more damaging to be 'outed' as a closet homosexual than as a Camaro owner).
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
You are correct from a consumer's point of view only in the context of the transaction.
The cost, however, is passed onto the consumer as the merchants have to charge premiums for fraud in an insecure system, as do the banks, and everyone else along the chain that has to support fraudulent transactions.
This is no small thing, the very large bank I worked at had to spend a great deal of money around this and online-billpay activity.
The credit card is an unfortunate half-breed trying to be somewhere between cash and a check. Historical reasons and trying to gain usage and market acceptance have pushed it into this role perhaps, but where it's at now is broken.
"outlook.pst" filetype:pst
Actually it's more like survival of the most adaptable. Anything that can't or won't change dies. That which does adapt to the "new" conditions will survive and live on.
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
I disagree. It also includes avoiding being killed before reproducing.
Unfortunately, this doesn't usually have a lot to do with intelligence.
Avoiding predators and other dangers may not require intelligence, but it requires instincts. Being conspicuously careless--to bring this somewhat back on-topic--is not usually a good survival trait.
Yes, but the point is that intelligence can be very helpful towards the goal of staying alive. And since, as you say, staying alive is part of being successful at reproduction, this means that being smart does help your evolutionary chances (although of course other things can help too, and sometimes enough to offset lack of intelligence). The fact that humans evolved from fairly unintelligent life (at least if you go far enough back) is pretty good evidence of this.
I'd rather be lucky than good.
One thing I don't think I've seen mentioned yet though, is that everyone is assuming that people choose to post the data in question. While this is probably true to a large part, it is by no means always the case. Some of the data may have been stolen due in no part to the victims (hacked website, disgruntled employee at a bank, etc.) and was then posted.
Vote Quimby.
s/rabbits/bacteria/;
-insert a witty something-
'nuff said.
Considering the examples the writer used, such as Visa numbers and Quicken files. Did you notice there were only about 22 results apiece? Now take that number from the total amount of web pages crawled (4,285,199,774), and you'll have a nice percentage that tells you exactly how many people include insecure web page content. ...not many