Slashdot Mirror


Has Google Indexed Your Backup Drive?

itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.

121 comments

  1. Right by Anonymous Coward · · Score: 0, Insightful

    How idiots got their backups indexed?

    1. Re:Right by Anonymous Coward · · Score: 1, Insightful

      How idiots got their backups indexed?

      As it turns out, dumbass people do dumbass things - things like taking a significant risk with something complex that you do not remotely understand. You either decline the risk entirely, learn a few fundamentals about how it works, or hire someone who has learned them. Those are your sole rational choices. Dumbasses think there's a viable fourth option: invest more heavily than you think in something you know (or should know) you don't understand.

      You can see how "I am not a computer expert!" and other bullshit excuses are just a smokescreen. If you really knew that to be a fact, you wouldn't try to tackle it yourself. It's just egos doing what egos do, playing stupid blame games instead of identifying and solving the problem.

      Ignorance is far superior to stupidity because ignorance potentially learns from its mistakes and does not repeat them.

    2. Re:Right by mlts · · Score: 1

      Until it was killed, I had Google index my backups all the time with Google Desktop. It was useful at the time for finding archived files.

    3. Re:Right by CaptainDork · · Score: 1

      ... or hire someone who has learned them.

      Bingo!

      When you buy hardware/software, that's exactly what you're doing: Hiring experts.

      Storage appliances should not allow anonymous access to sensitive data by default.

      For those who deliberately take risks, they don't need to " ... hire someone who has learned them."

      --
      It little behooves the best of us to comment on the rest of us.
  2. Never changes by Anonymous Coward · · Score: 0

    It doesn't matter how many times this happens, or if it happens to customers, companies, or the government, nothing changes. Everyone points fingers, people are confused about what's going on because they aren't a 'computer person', the 'computer people' get annoyed that their grandma is giving them shit because they didn't configure something correctly and her cc info got stolen and sold to some Russian kid, and everyone else just doesn't even care at all.

    Security apocalypse when?

  3. The web crawler would only index it if... by CraigCruden · · Score: 2

    There was a link on another webpage that pointed to that server in the first place.

    Not only the most insecure set up, but he already had links to that insecure setup.

    1. Re:The web crawler would only index it if... by The+New+Guy+2.0 · · Score: 2

      Google's crawler also indexes "sites" that exist as an IP address... leave a home router connected with its web interface coming out the WAN port, you better have a robots.txt file blocking Google, Bing, etc.

    2. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 5, Informative

      robots.txt has nothing to do with security or blocking.

    3. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 1

      Google also indexes websites mentioned in Google's services. E-mail the address of your server to yourself or a friend and you are added to the list of sites to take a peek at.

    4. Re:The web crawler would only index it if... by Mashiki · · Score: 5, Insightful

      If this is what amounts to network security these days, we're doomed.

      --
      Om, nomnomnom...
    5. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      Google's crawler also indexes "sites" that exist as an IP address... leave a home router connected with its web interface coming out the WAN port, you better have a robots.txt file blocking Google, Bing, etc.

      A URL is only one method of identifying a "site", an IP address is another, as are directory listings.
      And if you have a web interface on your WAN port then you're most likely doing things very wrong to begin with. If you want a publicly reachable interface into your LAN, don't fucking use your piece of shit router to do it. It's probably chock full of exploits anyhow, but that's a pretty moot point if you've left it wide fucking open for any random script to stumble across and access.

    6. Re:The web crawler would only index it if... by AmiMoJo · · Score: 1

      Google uses the malware protection in Chrome and Firefox to index sites that are not linked to anywhere. When a user visits an unindexed site with one of these browsers, by default the browser pings Google with the URL (in an allegedly anonymous way) so that it can be checked for malware and added to the search index.

      So, if you have any publicly accessible but unlinked pages they can be found after you visit them yourself. I'm not sure how it deals with things like "unlisted" URLs that Google likes to use for semi-private sharing of content (they generate a URL with a long random sequence for the content that you can then share, but which isn't indexed or easy to guess). They could whitelist Google unlisted URLs but what about other sites?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      correct.

    8. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      We are.

    9. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      the browser pings Google with the URL (in an allegedly anonymous way)

      Where are the specs or technical information on this, so one might examine such traffic and configure their browser to only utilize the datafile for malware domains that is stored locally?

    10. Re: The web crawler would only index it if... by Anonymous Coward · · Score: 1

      URL looks up IP. Not different. You suck.

    11. Re:The web crawler would only index it if... by shortscruffydave · · Score: 2, Insightful

      And if you have a web interface on your WAN port then you're most likely doing things very wrong to begin with. If you want a publicly reachable interface into your LAN, don't fucking use your piece of shit router to do it. It's probably chock full of exploits anyhow, but that's a pretty moot point if you've left it wide fucking open for any random script to stumble across and access.

      Hint: If you want people to take notice of advice about IT security, it may be more effective to speak respectfully than to let loose with an expletive-filled tirade

    12. Re:The web crawler would only index it if... by 140Mandak262Jamuna · · Score: 1

      Yes, the robots.txt is a good idea. All the good guys who respect robots.txt will stay away. And the Nigerian princes and Bulgarian hackers and the Chinese 413th Cyber Warriors Battalion, and NSA will know which files are sensitive and which are fluff so that they can get the really interesting stuff without having to crawl through the whole backup drive.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    13. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      Yeah but you're missing the point, the decision and subsequent stories just came out about Apple continuing to allow China's dodgy certificate servers.

      If you haven't noticed that each time Apple gets a bit of negative press a non-story about Google and privacy is cooked up and rushed to media across the globe to try and deflect attention then you haven't been paying attention over the last 8 - 10 years.

      This is a deflection story and nothing more. It's nonsense because it's the best they could dig up in such short order, but has been given enough association to Google to make it look like Google is somehow responsible for a really contrived vulnerability that takes quite a special amount of idiocy to make yourself vulnerable to.

      It's a boring old "If you make something public on the net then it's public" story twisted into a Google blame game.

    14. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      Yeah, because we all know that every bot on the web adheres to 'robots.txt'

    15. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0, Insightful

      And if you have a web interface on your WAN port then you're most likely doing things very wrong to begin with. If you want a publicly reachable interface into your LAN, don't fucking use your piece of shit router to do it. It's probably chock full of exploits anyhow, but that's a pretty moot point if you've left it wide fucking open for any random script to stumble across and access.

      Hint: If you want people to take notice of advice about IT security, it may be more effective to speak respectfully than to let loose with an expletive-filled tirade

      Counterhint: if you think kissing someone's ass just to get them to do something in their own best interests, that they should have already known from the slightest little bit of RTFM, for free, is acceptable, then your testicles have become unattached and stored in a jar someplace.

      No the problem is that stupidity is not painful enough. It does not command respect because it does not deserve respect. Let the morons choose what is more important to them: their egos or their security.

    16. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      This is a deflection story and nothing more. It's nonsense because it's the best they could dig up in such short order

      Really? You don't think this is better?

      Actually, I guess better is relative. It would probably be more difficult for you to make the same argument about the story I linked, therefore, in your opinion, I guess that story wouldn't be better.

    17. Re:The web crawler would only index it if... by wbr1 · · Score: 2

      Robots.txt is about as secure as leaving a cash drawer with the key in it and a post-it that states "please leave cash inside".

      --
      Silence is a state of mime.
    18. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      the browser pings Google with the URL (in an allegedly anonymous way)

      Where are the specs or technical information on this, so one might examine such traffic and configure their browser to only utilize the datafile for malware domains that is stored locally?

      With how fast the URLs change, you might as well turn the feature off completely if you aren't going to grab the latest file. The services have enough trouble keeping up in real time, I can only imagine the miss rate when you get rid of the fast response time.

    19. Re:The web crawler would only index it if... by The+New+Guy+2.0 · · Score: 1

      Robots.txt is essentially a "KEEP OUT!" sign telling Google and Bing to go away... who else is crawling the Internet lately?

    20. Re:The web crawler would only index it if... by Cramer · · Score: 1

      True, but it will tell any compliant bot to fuck off. So no matter how many links there are to your stuff, it will not be indexed (and thus easily found.)

    21. Re: The web crawler would only index it if... by Anonymous Coward · · Score: 0

      If they are paying for my advice, they get it sugarcoated

    22. Re:The web crawler would only index it if... by The+New+Guy+2.0 · · Score: 1

      robots.txt is a note to Google and Bing to stop. It doesn't stop a web browser, but you can't be found in the search engines.

    23. Re:The web crawler would only index it if... by The+New+Guy+2.0 · · Score: 1

      The Google and Bing bots do... who's publishing a crawl of the web that doesn't?

    24. Re:The web crawler would only index it if... by Anonymous Coward · · Score: 0

      robots.txt has nothing to do with security or blocking.

      No, for that you need a properly configured humans.txt file...

      - T

  4. Clickbait-ish Headline by Midnight_Falcon · · Score: 5, Insightful
    When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

    I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

    1. Re:Clickbait-ish Headline by snowgirl · · Score: 5, Insightful

      yeah, you'll probably deserved get indexed by Google.

      deservedly*

      But not only that, it's not like Google can infer intent to share the data... you put it out there, and Google said, "hey, this is publicly available, obviously people want this to be indexed!"

      There's no adequate way to fix this either, because if it's opt-in, then unknowing individuals will fail to opt-in for indexing... if it's opt-out, then unknowing individuals will fail to properly opt-out (robots.txt for example)

      If you put up private data publicly on the internet then you simply have to accept the fact that no one else could have known that you didn't want to share the data...

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    2. Re:Clickbait-ish Headline by Midnight_Falcon · · Score: 1

      s/you'll/you/g :)

    3. Re:Clickbait-ish Headline by hawguy · · Score: 2

      When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

      I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

      Yeah, I thought the same thing as you when I saw the headline. I'm a little less interested to learn that if you open your data to the public (even if you didn't mean to), it's viewable by the public.

    4. Re:Clickbait-ish Headline by Anonymous Coward · · Score: 0

      It's those people who deploy a public-facing server with no or default authentication who share information of others that we should be worried about.

    5. Re:Clickbait-ish Headline by michaelmalak · · Score: 1

      "Crawled your file server" would have been more accurate.

    6. Re:Clickbait-ish Headline by LordWabbit2 · · Score: 2

      But that's the thing, they DID want to share it, probably not with everyone granted, but then they should have secured it so only the people they did want to give access to it would have access. I love the way the article implies it's somehow Google's fault that some clueless idiot didn't click on a tick box and enter a user name and password. If people don't want to RTFM then they are going to get burned.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    7. Re:Clickbait-ish Headline by Anonymous Coward · · Score: 0

      As a sysadmin I have been told by some software or hardware provider technicians (people who were really supposed to know better) to "chmod 777 the file and it will work" (Linux/Unix) or "allow all access to all users and it works", so I wouldn't be surprised if someone just opened a port on the router following some guide on the internet, tested the thing, saw it working and just said "it works, that was easy" and left it open to the world.

      The "it works" test is quite common and quite a bogus one: something can "work" but the way it is working causes many other problems you don't notice with a naive test but that are there to bite you later.

    8. Re:Clickbait-ish Headline by Anonymous Coward · · Score: 0

      Wow. Just wow. If this was Bing doing the same thing you'd be crying it should be opt in only but you're such a good little goose stepper for Google.

    9. Re:Clickbait-ish Headline by bill_mcgonigle · · Score: 2

      There's no adequate way to fix this either, because if it's opt-in

      If a NAS is doing uPNP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users. If they don't then their reputation should be thoroughly punished in reviews.

      Oh, but why buy a $120 NAS when there's a $20 box available on eBay?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:Clickbait-ish Headline by Phreakiture · · Score: 1

      Get your whole life indexed by Google with this one weird trick! You won't believe what happens next!

      --
      www.wavefront-av.com
    11. Re:Clickbait-ish Headline by Coren22 · · Score: 2

      The comment had nothing to do with Google. All search engines are opt-out. If they discover your web site, they index it. If you have no robots.txt telling them what you want them to ignore, they put it all in the index.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    12. Re:Clickbait-ish Headline by Coren22 · · Score: 2

      I have a Synology. It tries to do uPNP, but luckily, it has no idea how to do so with my Verizon FiOS router, so I guess I dodged that bullet. It never occurred to me that Google would index it, and I do IT for a living. I feel like a moron :)

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    13. Re:Clickbait-ish Headline by david_thornley · · Score: 2

      It might be interesting to figure out why people unwittingly open their data to the public, and what can be done about it, so the average person is highly unlikely to do it by accident.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    14. Re:Clickbait-ish Headline by snowgirl · · Score: 2

      As noted by the sibling post, Bing already does this. And it's the right thing to do.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    15. Re:Clickbait-ish Headline by snowgirl · · Score: 1

      Yeah, my OpenBSD machine specifically refuses to do uPnP as well, because "security"... I've looked into getting some sort of uPnP working... but in the end, I'm just like, "nah... it makes my life a little bit more of a pain, but at least I know what ports are open"

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    16. Re:Clickbait-ish Headline by snowgirl · · Score: 1

      If a NAS is doing uPNP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users.

      INDEED! If they screw that up, it's bad, and they should be the ones holding the responsibility if it accidentally exposes data that they don't want exposed through uPnP... no one else is able to properly infer the right thing to do.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    17. Re:Clickbait-ish Headline by TubeSteak · · Score: 1

      If you have no robots.txt telling them what you want them to ignore, they put it all in the index.

      A quick search kicks back FTPs with robots.txt in the root directory.
      allinurl:ftp:// XXXX robots.txt
      User-agent: *
      Disallow: /

      It doesn't really seem like Google is indexing the FTP.
      Instead Google seems to be crawling through and only indexing txt, doc, pdf, html, xls, xml, aspx, rtf, etc.

      If Google was indexing ftps, a search like intext:"Up to higher level directory" inurl:ftp:// XXXXXX.net should kick back folder directories, but it doesn't.

      --
      [Fuck Beta]
      o0t!
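    Added example (editor's illustration, not code from the thread or any poster): this script makes the thread's robots.txt point concrete. It parses the exact robots.txt quoted above with Python's standard urllib.robotparser, then runs two detections over constructed log lines: (a) HTTP requests that the server served with a 2xx status even though robots.txt disallows the path, which shows that robots.txt only advises compliant crawlers and blocks nothing, and (b) anonymous FTP logins in vsftpd-style log lines that came from outside the usual LAN ranges. The hostname, IP addresses (documentation ranges), user-agent strings and log lines are all constructed.

```python
"""Detect crawler/scanner reach despite robots.txt, and anonymous FTP logins
from outside the LAN. Added illustration; all log lines are constructed."""
import ipaddress
import re
from urllib import robotparser

# robots.txt content as quoted in the thread: asks every compliant crawler to stay out.
ROBOTS_TXT = """User-agent: *
Disallow: /
"""

# Constructed HTTP access log lines (Common Log Format with referer and user-agent).
HTTP_LOG = """\
198.51.100.9 - - [10/Mar/2015:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.7 - - [10/Mar/2015:10:02:14 +0000] "GET /backup/taxes-2014.pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.9 - - [10/Mar/2015:10:05:30 +0000] "GET /backup/ HTTP/1.1" 200 4123 "-" "curl/7.40.0"
"""

# Constructed vsftpd-style log lines: one LAN anonymous login, one from outside, one named user.
FTP_LOG = """\
Tue Mar 10 10:07:01 2015 [pid 1234] [anonymous] OK LOGIN: Client "192.168.1.20", anon password "user@example.com"
Tue Mar 10 10:08:45 2015 [pid 1240] [anonymous] OK LOGIN: Client "203.0.113.7", anon password "bot@example.com"
Tue Mar 10 10:09:02 2015 [pid 1241] [alice] OK LOGIN: Client "198.51.100.9"
"""

HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')

# "Inside the house" for a home NAS: RFC 1918, loopback and link-local ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def load_robots(text):
    """Parse robots.txt text with the standard-library parser."""
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def is_lan_address(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LAN_NETS)


def disallowed_fetches(log_text, robots_text):
    """Return (ip, path, user-agent) for requests robots.txt disallows that the
    server nevertheless answered with 2xx. The robots.txt fetch itself is skipped."""
    rp = load_robots(robots_text)
    hits = []
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if not m or m.group("path") == "/robots.txt":
            continue
        served = m.group("status").startswith("2")
        if served and not rp.can_fetch(m.group("ua"), m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("ua")))
    return hits


def anonymous_logins_from_outside(log_text):
    """Return client IPs of successful anonymous FTP logins from non-LAN addresses."""
    hits = []
    for line in log_text.splitlines():
        m = FTP_RE.search(line)
        if m and m.group("user") == "anonymous" and not is_lan_address(m.group("ip")):
            hits.append(m.group("ip"))
    return hits


if __name__ == "__main__":
    for ip, path, ua in disallowed_fetches(HTTP_LOG, ROBOTS_TXT):
        print(f"served despite Disallow: {ip} {path} ({ua})")
    for ip in anonymous_logins_from_outside(FTP_LOG):
        print(f"anonymous FTP login from outside the LAN: {ip}")
```

    Both detections fire on the constructed input: two disallowed paths were served anyway, and one anonymous login came from a public address. Neither finding is something a robots.txt entry could have prevented; only authentication or not forwarding the port does that.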
  5. I'm a little baffled by squiggleslash · · Score: 5, Interesting

    So there are lots of people out there who are:

    1. Enabling FTP on their NAS boxes.
    2. Enabling anonymous access on this FTP service
    3. Allowing their Firewall/Router to let incoming FTP connections directly to the NAS box.

    I mean, the authors suggest those enabling FTP do not realize the implications, but how can you do ALL THREE and not realize the implications? Any one of those, particularly disabling anonymous access, would foil random search engines (and lazy hackers) trying to get at your files. But to do all three at once?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:I'm a little baffled by jedidiah · · Score: 1

      No, it sounds like they have allowed a machine on their network to become a part of the Google botnet. It's like that brand of TV (LG I believe) that likes to snoop around. All it takes is installing the wrong app and then not fully understanding it.

      Any software or hardware you allow on your network could be up to no good and reporting back to the mothership. This kind of nonsense isn't just for Microsoft or Sony anymore.

      Unfortunately, most people are rubes and are actively encouraged to stay that way.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:I'm a little baffled by Dutch+Gun · · Score: 5, Insightful

      I own a Synology NAS, and it comes with all sorts of nifty software that lets it do general server-like things. You can view photos or watch movies from anywhere on the internet. You can set up Wikis, serve webpages, and do all sorts of other stuff.

      I partake in none of this. I use it as a file system, a data backup, and for streaming media to my videogame consoles, and absolutely nothing else. Frankly, opening up your NAS to the internet in any capacity is insane. It's where the phrase "A little knowledge is a dangerous thing" is never more appropriate. Even if you set up everything correctly, you're only a single security flaw away from the entire box being compromised. Most people see all these cool features and are encouraged to experiment with them a bit. No one ever tells them "Hey, if you screw this up, you could accidentally leak all your personal information to bad guys on the Internet."

      It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through (or are STILL going through in the worst examples). People first think of cool things they can do with the internet, and then security-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:I'm a little baffled by dbIII · · Score: 1

      It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through

      Except we've gone through it on dev networks, virtual networks, or no network at all with machines that we can just happily wipe and start over if necessary.

    4. Re:I'm a little baffled by Scoth · · Score: 1

      I stumbled across some of these myself recently, while googling on a random obscure Windows dll I thought was broken on a box - I found a bunch of Windows installations backed up on these. I suspect it may have something to do with upnp or port triggering. These Western Digital backup devices seem to have FTP access, but they also allow setting it up completely open. I have to assume people are enabling this option to allow internal usage and backing up without realizing it's making it public. I really doubt it's their actual intent. I suppose it's also possible they have one of the newer routers with a USB port for a mass storage device to allow similar functions.

      This isn't really anything new. I remember when I was a teenager in the late 90s and early 2000s doing netbios scans and having no problems finding dozens of public, open Windows shares and printers. Technology has changed but it still makes it easy to screw up permissions if you don't understand it.

    5. Re:I'm a little baffled by Blaskowicz · · Score: 2

      You make it sound like #2 is hard; in Linux you would surely do some "advanced" command line thingies[*], but if you ever installed an FTP server on Windows in the late 90s/early 00s (to get around SMB shares not found, not working, authentication errors, etc.) you'd know that it can be as easy as checking a box or even leaving the default alone.

      What's more: File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you can access the FTP (at least download-only) from every web browser in the house. So it is very convenient, very easy to set up and works all the time, in other words rewarding to the user.

      If the user (who didn't set up the network; the ISP's DHCP/router/modem box did) tries to inform themselves, then they will learn FTP stands for "file transfer protocol", but beyond that there's computer gibberish, lots of results about client or server software, etc., but no real warning about security issues.

      [*] searching for which ftp daemon to install in the first place, sudo editing the /etc/vghrblubftpd.conf and sifting through a hundred commented lines, then /etc/init.d/vghrblubftpd.conf restart or whatever the flavor of the month it is..

    6. Re:I'm a little baffled by Anonymous Coward · · Score: 0

      How about all those people with their Google/Microsoft cloud drives set to public security and have been indexed.

      WARNING: do not attempt this from work or in public.
      DOUBLE WARNING: you cannot unsee something. use at your own risk.

    7. Re:I'm a little baffled by Dutch+Gun · · Score: 2

      Hmm, I would say the big difference is that the professionals tend to lose control of their customers' data rather than their own.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    8. Re:I'm a little baffled by Anonymous Coward · · Score: 0

      It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through

      Except we've gone through it on dev networks, virtual networks, or no network at all with machines that we can just happily wipe and start over if necessary.

      Not to mention to analyze the ramifications before setting up anything at all. Most stuff can be stopped at the drawing board.

    9. Re:I'm a little baffled by dbIII · · Score: 2

      I'd say the big difference is the professionals lose stuff where it doesn't matter before they can seriously be called professionals by their peers. I'm sorry that was not obvious enough from the above post.

    10. Re:I'm a little baffled by Dutch+Gun · · Score: 1

      Ah, I see, you're talking about training. Apologies, I didn't quite catch that.

      I wasn't exactly talking about that necessarily. I was talking about the tendency of people (programmers like myself in particular) to ask "what cool stuff can we do with this?" first, long before anyone considers the question "what bad stuff could also be done with this?" as well.

      For instance, when e-mail programs first allowed any file to be added as an attachment, it seems no one thought about the fact that it would be trivial to send a computer virus that way. Or in more modern terms, did no one ever stop to consider that it's trivial to transmit malicious code through a website with 3rd party advertisements that can use scripting? Time after time, we see programmers racing ahead with new technology without stopping to first consider the security aspects. I think it's fairly natural, because most people don't think like a criminal, so it's not in their nature to ask "How could I use this for malicious purposes?" It's hard enough to build things that simply work.

      Recently, we keep hearing about huge organizations who keep losing the keys to the kingdom time after time after time. If the "professionals" can't seem to keep hackers out, what chance do ordinary shlubs have? Frankly, that's why I don't connect anything unnecessary to the internet.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    11. Re:I'm a little baffled by Anonymous Coward · · Score: 0

      Synology had a remote exploit last year that was exploited by ransomware. You're insane to expose your NAS to the internet, even if it apparently has security enabled. Get a VPN capable router.

    12. Re:I'm a little baffled by Dutch+Gun · · Score: 4, Informative

      Synology had a remote exploit last year that was exploited by ransomware. You're insane to expose your NAS to the internet, even if it apparently has security enabled. Get a VPN capable router.

      Yep, I followed that breaking news fairly carefully.

      Although in fairness to Synology, it was only exploitable if you didn't actually patch your device (you can do this with a single button click) for quite some time. Then again, in fairness to users, Synology NAS devices didn't have a way to schedule automatic patching for your device like they do now. I think it may have been this incident which prompted them to add that feature, which I was glad to see.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    13. Re:I'm a little baffled by Anonymous Coward · · Score: 1

      People first think of cool things they can do, and then safety-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.

      FTFY. People think of cool things all the time, without looking at the risks, not only related to the internet. Especially in the requests or changes in the law, they rarely think of the possibility that this new rule may one day apply to themselves as well.

    14. Re:I'm a little baffled by JSG · · Score: 1

      Actually I suspect it's a case of the devices being "helpful":

      1. FTP switched on by default on NAS
      2. Anon access switched on by default
      3. UPnP does the rest

      OK the end user may have to enable 1 and 2 manually but they are probably unaware of what UPnP can be made to do.
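      Added example (editor's illustration, not code from the thread or any NAS vendor): a small audit script for the three-way combination squiggleslash lists above (FTP enabled, anonymous access on, router forwarding the port to the NAS) and the "helpful defaults" JSG describes. It parses a vsftpd-style key=value configuration and a port-forwarding table of the kind a UPnP client can read back from a router, and reports which of the conditions hold. The configuration text, the NAS address and the port map are constructed; the key names (listen, listen_port, anonymous_enable, anon_upload_enable) are real vsftpd options, and vsftpd's upstream default of anonymous_enable=YES is why an unset key counts as on.

```python
"""Flag the FTP + anonymous + port-forward exposure described in the thread.
Added illustration; the config and port-forwarding table are constructed."""

# Constructed vsftpd-style configuration as a NAS might ship it (the risky case).
NAS_FTP_CONF = """\
# vsftpd-style config (constructed example)
listen=YES
listen_port=21
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
write_enable=YES
"""

# The same service with anonymous access switched off (the hardened case).
HARDENED_FTP_CONF = """\
listen=YES
listen_port=21
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

# Constructed port-forwarding table as read back from the router:
# (external port, protocol, internal host, internal port, description).
ROUTER_PORT_MAP = [
    (21, "TCP", "192.168.1.50", 21, "NAS FTP (added by UPnP)"),
    (5000, "TCP", "192.168.1.50", 5000, "NAS web UI (added by UPnP)"),
    (22, "TCP", "192.168.1.10", 22, "ssh (manual)"),
]

NAS_LAN_IP = "192.168.1.50"  # constructed


def parse_kv_config(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_on(conf, key, default="NO"):
    return conf.get(key, default).strip().upper() == "YES"


def exposure_findings(conf_text, port_map, nas_ip):
    """Return an ordered list of findings for the NAS's FTP service."""
    conf = parse_kv_config(conf_text)
    ftp_on = is_on(conf, "listen") or is_on(conf, "listen_ipv6")
    ftp_port = int(conf.get("listen_port", "21"))
    # vsftpd upstream defaults anonymous_enable to YES, so an unset key counts as on.
    anon = is_on(conf, "anonymous_enable", default="YES")
    forwarded = [m for m in port_map
                 if m[1].upper() == "TCP" and m[2] == nas_ip and m[3] == ftp_port]

    findings = []
    if not ftp_on:
        return findings                       # condition 1 absent: nothing to report
    findings.append("ftp-enabled")
    if anon:
        findings.append("anonymous-ftp")      # condition 2
        if is_on(conf, "anon_upload_enable"):
            findings.append("anonymous-upload")
    if forwarded:
        findings.append("ftp-forwarded-from-wan")   # condition 3
        if anon:
            findings.append("CRITICAL: anonymous FTP reachable from the Internet; "
                            "any crawler or scanner can list and index it")
        else:
            findings.append("WARNING: FTP reachable from the Internet; "
                            "credentials are sent in clear text")
    return findings


if __name__ == "__main__":
    for label, conf, pmap in (("as shipped", NAS_FTP_CONF, ROUTER_PORT_MAP),
                              ("hardened", HARDENED_FTP_CONF, [])):
        print(label, "->", exposure_findings(conf, pmap, NAS_LAN_IP))
```

      Only the last finding is the indexed-backup scenario from the article; the script keeps the intermediate conditions visible so that removing any one of them (disabling anonymous access, or deleting the UPnP mapping) shows up as a change in the result.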

    15. Re:I'm a little baffled by Anonymous Coward · · Score: 0

      This sounds like someone (not you...) uneducated in the ways of modern technology.

      Like many people here, I imagine, I normally just want a dumb device. Be it TV, monitor, or smartphone. I have little to no need to interface my data with social networking sites. Especially ones I've never even heard of. If the only way to get certain hardware capabilities is to suffer through the additions of such integrations, the likely result of that will be user modification by way of hacking. We've seen it before, and we'll see it again.

      If I had to write the lingering scenario for this type of thing, it would be, 'more bloatware results in more circumvention' against said bloatware.

    16. Re:I'm a little baffled by CastrTroy · · Score: 1

      That being said, even Anonymous FTP requires you to "log in". I'm not sure if Google should be trying to log in, even anonymously, to FTP servers. I mean, if they don't, other people surely will, but I don't think most people expect that web bots are connecting to servers that aren't HTTP/HTTPS. I wouldn't leave an anonymous FTP server open to the internet unless I truly wanted something public, but I really wouldn't expect that a well-behaving bot would start indexing my FTP server if I left it open.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    17. Re:I'm a little baffled by gstoddart · · Score: 1

      You know, that sounds awesome and all ... but you'd be utterly shocked at the number of companies who simply don't have testbeds, and have only a live system.

      It's the old thing about the cobbler's children having no shoes ... the internal spending/diligence/investment on IT in many tech firms can be pretty pathetic.

      Oftentimes there's short-sighted management who thinks they can't afford these things, right up until they find themselves with a massive and costly outage that can't be easily fixed.

      It's like backups and DR planning, sometimes people just think "we can't afford that" or "we don't have time for that". Only to eventually discover that the cost of not having had it can be painful.

      --
      Lost at C:>. Found at C.
    18. Re:I'm a little baffled by CaptainDork · · Score: 2

      Good observation.

      Many people implement best practices regarding data backups the second time around.

      --
      It little behooves the best of us to comment on the rest of us.
    19. Re:I'm a little baffled by gstoddart · · Score: 1

      LOL, again, most of the professionals I know who know to be wary, cautious, paranoid, methodical, and overly attentive to the process at hand have all gotten that way from having seen the process fail (or almost fail) in a place where it really did matter.

      There's nothing like that giant "oh, shit" moment to make you realize "I shall never do this carelessly again".

      In my experience, the people who have only lost stuff where it doesn't matter can sometimes be an accident waiting to happen, because they don't yet treat it like "if I do this wrong, this will seriously hurt".

      Caution is a learned thing, and until you've been bitten, you often don't see the need for it.

      --
      Lost at C:>. Found at C.
    20. Re:I'm a little baffled by dbIII · · Score: 1

      it seems no one thought about the fact that it would be trivial to send a computer virus that way

      Apart from publications even as mainstream as "Scientific American" you mean? I remember reading stuff along those lines in the very early 1980s.

      Or in more modern terms, did no one ever stop to consider that it's trivial to transmit malicious code through a website with 3rd party advertisements that can use scripting?

      Lots of us did but we were all ignored because we stood in the way of convenience. The history of computing is full of the same mistakes made over and over again due to a short attention span and a rush to get things out before they are finished.

    21. Re:I'm a little baffled by tlhIngan · · Score: 1

      What's more : File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you can access the ftp at least download-only from every web browser in the house. So it is very convenient, very easy to set up and works all the time, and in other words rewarding to the user.

      It works still in Windows 8.1.

      It's actually provided by a service called "WebClient" that's basically a userspace filesystem handler for Windows. It's handy if you need an FTP client in a pinch. I think it handles WebDAV and other common disk-like protocols as well.

    22. Re:I'm a little baffled by cusco · · Score: 1

      Did something like this deliberately once on an internal network, because the person needing access to the files was too inept to follow even the most basic instructions but too highly ranked to ignore. It was supposed to be temporary, but I then **forgot** to turn the security back on in the morning. A month later one of my bosses noticed she could get into HR data that she wasn't supposed to access and raised a red flag. Oops. Thank all the gods that our network didn't have remote access yet.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    23. Re:I'm a little baffled by Anonymous Coward · · Score: 0

      There are lots of boards and "helpful" troubleshooting websites that say "I had the same problem, I fixed it by enabling FTP on the NAS, for anon, and then opening up some port on the router. Don't know why it worked, just glad I got my work done".

      Come on, most people here are in IT, and we've all met the office techie, designated so because he can install Windows on his home system and set up a printer.

    24. Re:I'm a little baffled by dbIII · · Score: 1

      but you'd be utterly shocked at the number of companies who simply don't have testbeds, and have only a live system.

      Hence utterly ridiculous shit like the massive security holes in Dropbox in its early days (eg. being able to get in without a password and the file hash trick to get other people's files without permission). Not shocked, just annoyed at the number of cowboys and turkeys. I had a web hosting bunch near me go broke overnight because their only "backup" was an online mirror that faithfully copied all the corrupted files over the top of the previous known good copy.
      Even now there's a pervasive "no need for a backup if you have RAID" mentality to fight against any time budgets are being worked out.

      My favourite example is the bunch that used large wheeled rubbish bins (trash cans) for bulk tape storage. A new cleaning contractor got rid of ALL the backup tapes for eight federal government departments in one night because the IT contractor (an Australian company known as Telstra) had implemented such a cost saving. Even such an obvious accident waiting to happen, which then happened, wasn't enough to lose the contract.

    25. Re:I'm a little baffled by Zaiff+Urgulbunger · · Score: 1

      Maybe it's people connecting USB storage to their routers? I seem to recall there have been security issues regarding routers sharing these devices externally even though they're only supposed to allow local access.

  6. Dilbert by johnsnails · · Score: 1

    maybe sort of related... http://freer.com/bits/wp-conte...

  7. Bad news by Anonymous Coward · · Score: 0

    No Yipppeeeeee!

  8. Well.. by Anonymous Coward · · Score: 0

    By now even the slowest 'puter users should be wise that once it leaves your machine it ain't yours anymore.

  9. Google, NAS, NSA by Anonymous Coward · · Score: 0

    It's just all the same, along with FTP, FBI, WIFI, ICMP, ICBM, IBM, and RTFM. It's not different than the road.. clearly they're driving, just no clue on how to do it or how it works.

    1. Re:Google, NAS, NSA by BevanFindlay · · Score: 1

      I wonder if I should feel bad that I know all of those acronyms so well (including that WiFi isn't normally capitalised like you had it - though personally I hate camel case).

      You really do have to hope that someone RTFM before trying to use the ICBM though, and never, ever opens it up to FTP or WiFi... I'm not even sure I'd trust IBM or the FBI or NSA with an ICBM. :-)

    2. Re: Google, NAS, NSA by gladish · · Score: 1

      WiFi is Pascal case; wIfI is camel case. The difference being whether the first character is upper or lower case.

    3. Re: Google, NAS, NSA by Etzos · · Score: 1

      Er, wouldn't it be wiFi then?

    4. Re: Google, NAS, NSA by BevanFindlay · · Score: 1

      I bow to your superior geekery. I still don't like capitals in the middle of words though. :-)

  10. Box by Anonymous Coward · · Score: 0

    I store my bank statements in a "personal cloud" too. They come in the post and then I place them in a blue metal box I keep in my cupboard. Good luck indexing that, Google.

    1. Re:Box by BevanFindlay · · Score: 1

      Like this one? Now that would be hard to break into.

  11. What's your excuse? by Hartree · · Score: 1

    So, you're saying you're a Republican?

    1. Re:What's your excuse? by BevanFindlay · · Score: 2

      So, someone needs to post a click-bait headline specifically aimed at Democrat supporters who think themselves smarter than Republicans...? :-) (Of course, now I'm trying to think of a politically-loaded headline that would be clickbait to anyone with strong political views...) I'm guessing from the GP's stereotyping that they're a Democrat supporter, though as an outside observer of American politics, I'm glad I don't have to vote for either party.

    2. Re:What's your excuse? by Anonymous Coward · · Score: 0

      It's the Democratic party, and thus the people are called Democratic supporters. Unless your post was a deliberate attempt to sound like a Republican.

    3. Re:What's your excuse? by BevanFindlay · · Score: 1

      "outside observer of American politics" (I've only been there once). I had no idea I had that wrong, sorry. Though, my post was a deliberate attempt to be an amusing, slightly-trolling response to an obviously stupid GP comment (although, in thinking about it, that GP's comment about how click-bait works on Republicans was in itself a sort of comment-bait...) To my amusement however, my comment has been modded +1 Insightful.

  12. Shit Post by Anonymous Coward · · Score: 0

    Scaremongering bullshit. Fuck you Slashdot.

  13. Following Linus by pikine · · Score: 2

    Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)

    Great to see that many are following his footsteps now!

    --
    I once had a signature.
  14. Google is the least of your problems by dbIII · · Score: 1

    If you've got sensitive stuff naked on the net then you have seriously fucked up and should not be allowed near other people's sensitive stuff.

  15. Really by Anonymous Coward · · Score: 1

    Google indexes everything?
    -inurl:htm -inurl:html -inurl:php intitle:”index of” (mp3) “singing in the rain”

    1. Re:Really by jones_supa · · Score: 1

      Heh, you know your search-fu.

  16. Search Parameter Instructions by Anonymous Coward · · Score: 0

    I cannot find any sort of extensive manual at google for how to perform highly advanced searches.
    I understand google search can support nearly regex like syntax and has all sorts of set and type modifiers.

    Does anyone have a link to a really good google search cheatsheet for advanced users?

    1. Re:Search Parameter Instructions by Anonymous Coward · · Score: 1

      Yeah, Google Advanced Search https://www.google.ca/advanced_search

    2. Re:Search Parameter Instructions by sydsavage · · Score: 1

      Did you try googling it?

      http://lmgtfy.com/?q=advanced+...

    3. Re:Search Parameter Instructions by BevanFindlay · · Score: 1

      Does this help? (Amusingly, found using a non-advanced Google search...!)

    4. Re:Search Parameter Instructions by BevanFindlay · · Score: 1

      Or this?

    5. Re:Search Parameter Instructions by Anonymous Coward · · Score: 0

      http://www.googleguide.com/advanced_operators_reference.html
      https://support.google.com/websearch/answer/2466433?hl=en&rd=1

      The other replies don't seem to understand what you're talking about and just keep pointing you to the "advanced" search page.

    6. Re:Search Parameter Instructions by Anonymous Coward · · Score: 0

      Googling how to use google? Isn't that a chicken and egg problem? Good thing there are those tutorial sites showing how to do that.

  17. Let's target Google by Anonymous Coward · · Score: 0

    I love how Google is mentioned here while all of the other search engines get a free pass. As if their crawlers haven't done the same thing.

  18. Click bait alert, twit in bound. by Anonymous Coward · · Score: 0

    Actually the twit in poster or author of the piece is out of bounds.

    Useless FUD, except the huge buckets of cash twit is searching for. Rubbish post.

  19. Wow... by dark.nebulae · · Score: 4, Interesting

    A quick search returned bank statements, someone's 2012 1040 tax form (completed w/ soc and everything)...

    Couldn't find any porn though. I guess those aren't making it into the google indexes...

    1. Re:Wow... by Anonymous Coward · · Score: 0

      Is just metadata. Was not that supposedly OK to gather by everybody?

  20. Subject by Neil+Boekend · · Score: 2

    Is Google really at fault? They handled it poorly, yes, but the data was already out there to be used by blackhats. It would be better if they placed a file on the FTP "You know these files are open to the internet because your router configuration sucks, right?.txt".

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    1. Re:Subject by shortscruffydave · · Score: 1

      A truly skilled hacker indeed if they can use a '?' character in a file name ;-)

    2. Re:Subject by jaavaaguru · · Score: 1

      Is that supposed to be hard to do? Here is me doing it...
      http://i.imgur.com/cV1UBU6.png

  21. The entire article could have been replaced with by The+Cisco+Kid · · Score: 2

    a one-liner: "If you've made your private files available publicly (either intentionally or through ignorance) then your private files are available publicly."

    Removing them from google results is far less important than making the files themselves no longer available.

    Looking on google to see if they are available is sort of silly - if you're using one of these silly commercial "automatic backup" packages that came bundled with an external drive, read its manual and documentation, and review its configuration, as well as that of your router.

  22. Sigh by ledow · · Score: 2

    "Has Google Indexed Your Backup Drive?"

    Yes, if you're a pillock that's configured your backup drive in such a way that you allow authenticated remote access to it from the Internet and it has FTP or HTTP protocols enabled.

    "Has Google Indexed Your Naked Pictures Of Your Wife?"

    Similar answer.

    1. Re:Sigh by ledow · · Score: 1

      "unauthenticated" that should be, obviously.

  23. Plain FTP should have died in the early 1990s by Anonymous Coward · · Score: 0

    Plain FTP should have died in the 1990s. sftp is the replacement.

    Why are we even having this issue today?

    1. Re:Plain FTP should have died in the early 1990s by GuB-42 · · Score: 1

      The problem is not FTP, it would have been the same with HTTP or any protocol that allows anonymous access to files. Although it is uncommon, you can even do it with SFTP.
      The issue is that people are making private files public through misconfigured routers, and Google's crawler is very good at finding and indexing anything public.

  24. Re:The entire article could have been replaced wit by Anonymous Coward · · Score: 0

    Not if you use Google's cached webpages

  25. No but, it happened to my group at work once by TheCarp · · Score: 1

    So I was working at a University several years back. At the time there was an old webserver, actually a desktop. It was previously used by an admin who left and left behind a web service with notes. It was a collection of brain dumps, notes, old emails etc....which all of us admins knew about and occasionally referenced, that's why we never shut it down....or particularly considered its contents.

    That is until we saw an article in the local school student run rumor mill, which most of us read, about this fascinating website on campus with a number of internal emails shedding new insight on some of the inner workings of the staff.

    Of course, we saw the article because half the staff found the rumor site amusing and read it on a regular basis, so it was shut down immediately, but it didn't take long before someone posted a link to it in the google cache. Smart kids, as annoying as it was, it still put a smile on my face to see how resourceful they were.

    --
    "I opened my eyes, and everything went dark again"
  26. Not surprising by duke_cheetah2003 · · Score: 1

    When you have millions of people using the internet and setting up devices connected to the internet when they haven't the slightest clue how to properly configure, administer and maintain such devices... yeah...

    When you hand unqualified people advanced technology, stupidity happens.

    I just hope that in the name of safety for the millions of unqualified we don't get ISPs closing down running services of any kind from home. Probably will happen though, in the name of safety. Glad I migrated all my internet facing services to AWS years ago.

    Personally, I think people should require a license to connect ANYTHING to the internet, sort of like how we have to have a license to operate motor vehicles, or HAM radios. There's just too much stupid out there messing things up for the qualified.

  27. Dumbass developers, too by Peter+Desnoyers · · Score: 1

    I'm reminded of the old bag of glass SNL skit - some products (or product features) are just plain dangerous, and saying "but we explain the risks in page 17 of the manual" isn't a good excuse.

    How much effort would it take to set defaults that (1) disable anonymous FTP for addresses outside of the local subnet, and (2) inject a fake robots.txt that prevents search engine indexing? And then add an explanation of the risks if you try to disable those defaults?
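    As an added example (not code from any poster, Synology, or any other vendor), here is the three-step exposure path from comment 14 (FTP on, anonymous on, UPnP forwarding the port) and the two defaults proposed in comment 27 turned into a small configuration audit. The `NasConfig` fields, the `0.0.0.0/0` default and the LAN range are constructed assumptions, not any real device's settings.

```python
"""Audit a constructed NAS/router config for the anonymous-FTP exposure path
discussed in the thread, and apply the proposed safe defaults."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import List

# A robots.txt that tells any well-behaved crawler to index nothing.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"


@dataclass
class NasConfig:
    """Hypothetical device settings (assumed field names, not a vendor API)."""
    ftp_enabled: bool
    anonymous_ftp: bool
    upnp_port_forward: bool                 # router forwarded the FTP port via UPnP
    lan_subnet: str = "192.168.0.0/24"      # assumed local subnet
    anon_allowed_from: List[str] = field(  # assumed weak default: anywhere
        default_factory=lambda: ["0.0.0.0/0"])
    robots_txt: str = ""                    # empty = nothing served to crawlers


def anonymous_allowed(cfg: NasConfig, client_ip: str) -> bool:
    """What the device would do: accept an anonymous login from client_ip?"""
    if not (cfg.ftp_enabled and cfg.anonymous_ftp):
        return False
    addr = ip_address(client_ip)
    return any(addr in ip_network(n, strict=False) for n in cfg.anon_allowed_from)


def audit(cfg: NasConfig) -> List[str]:
    """Report the conditions that together put the share on the open internet."""
    findings: List[str] = []
    if not (cfg.ftp_enabled and cfg.anonymous_ftp):
        return findings                     # no anonymous service to expose
    lan = ip_network(cfg.lan_subnet, strict=False)
    # Allowed ranges that are not contained in the LAN reach beyond the house.
    wide = [n for n in cfg.anon_allowed_from
            if not ip_network(n, strict=False).subnet_of(lan)]
    if wide:
        findings.append(f"anonymous FTP accepted from non-LAN ranges: {wide}")
        if cfg.upnp_port_forward:
            findings.append("UPnP forwarded the FTP port: share is reachable from the internet")
        if not cfg.robots_txt.strip():
            findings.append("no robots.txt: a well-behaved crawler will index the share")
    return findings


def harden(cfg: NasConfig) -> NasConfig:
    """Comment 27's defaults: anonymous only from the LAN, plus a deny-all robots.txt."""
    return replace(cfg, anon_allowed_from=[cfg.lan_subnet], robots_txt=ROBOTS_TXT)


if __name__ == "__main__":
    weak = NasConfig(ftp_enabled=True, anonymous_ftp=True, upnp_port_forward=True)
    for line in audit(weak):
        print("FINDING:", line)
    fixed = harden(weak)
    print("after hardening:", audit(fixed) or "no findings")
    print("anon from 203.0.113.5 now allowed?", anonymous_allowed(fixed, "203.0.113.5"))
```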

  28. Clickbait by Anonymous Coward · · Score: 0

    This is not a google problem, it's a moron problem.

    Headline should read "Have YOU misconfigured your backup drive?"

  29. No by Anonymous Coward · · Score: 0

    I have never agreed to any terms and conditions to google or anybody else, and by providing the service, google have agreed to MY terms and conditions.

    My data is my intellectual property and any attempt to access it by any means is an act of war, and subject to a measured response.

  30. No. by Gallomimia · · Score: 1

    It was Apple.

    --
    Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.