Forgot your password?
typodupeerror
Security Privacy The Internet

Online Search Engines Lift Cover Of Privacy 460

Posted by timothy
from the bathwater-around-the-baby dept.
Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information. Some of this information includes 'Medical records, bank account numbers, students' grades, and the docking locations of 804 U.S. Navy ships, submarines and destroyers.'"
This discussion has been archived. No new comments can be posted.

Online Search Engines Lift Cover Of Privacy

Comments Filter:
  • Um. (Score:5, Insightful)

    by Anonymous Coward on Monday February 09, 2004 @10:20PM (#8233464)
    While googlestalking is scary and bad and I'm not condoning it, in this *specific* case, if the docking locations of U.S. naval ships is something that they do not want made public perhaps they should simply not make them public?
    • Re:Um. (Score:5, Interesting)

      by Anonymous Coward on Monday February 09, 2004 @10:26PM (#8233512)
      The problem comes when google searches down records in web servers, and using partners such as Opera, will crawl into pages that are normally not publicly accessible!

      Here's how it works. Let's say you put a page on your site called

      http://yoursite.com/temporary/hidden/dontreadthi s/ private_document.html

      And it is not linked to ever.

      If you send that URL to someone using Opera with the right settings (but you don't know that) and they read the private document, within minutes GOOGLE WILL CRAWL THAT DOCUMENT!

      Nothing is private any more under situations like that. Let's say that private document then links to all your older private documents. Google can then freely crawl it's way in to read the rest.

      Who's to blame for this then? not you. You've already ensured you hadn't linked to it. Not the opera user, as they have read the document, and respecting your privacy they've not mentioned it to anyone else

      However underhanded tactics like sneaking in a google crawl in this manner is unacceptable to me. My firewall blocks all google crawler bots for this very reason
      • Re:Um. (Score:5, Insightful)

        by Anonymous Coward on Monday February 09, 2004 @10:33PM (#8233573)
        Maybe you should use some kind of security instead of just really -hoping- no one crawls/reads/caches your document.
        • Fuck that shit (Score:4, Insightful)

          by Anonymous Coward on Monday February 09, 2004 @10:43PM (#8233646)
          Maybe they should just use the fricking robots.txt protocol. That's what it's *FOR*. You can put a little file named robots.txt in the directory you want hidden, put text in it that says "i want this hidden, google", and google will ignore your directory forevermore.

          No one has any right to complain if their page is in a search engine unless they followed the robots.txt protocol and the search engine did not.
          • Re:Fuck that shit (Score:3, Insightful)

            by Anonymous Coward
            The problem with this is, anybody can now download your robots.txt and have a list of your unprotected sensitive data.
            • Re:Fuck that shit (Score:4, Interesting)

              by saforrest (184929) on Tuesday February 10, 2004 @12:23PM (#8238365) Homepage Journal
              The problem with this is, anybody can now download your robots.txt and have a list of your unprotected sensitive data.

              Not really. I mean, you're not really giving much away with

              Disallow: /personal/

              unless going to http://mysite.com/personal/ returns a directory listing.

              The general point is that yes, you do have to trust people to respect the robots.txt. The problem we're talking about is Google, though, and we know they do respect it.
      • Re:Um. (Score:5, Informative)

        by mhesseltine (541806) on Monday February 09, 2004 @10:41PM (#8233633) Homepage Journal

        .htaccess anyone?

        That, along with an appropriate robots.txt file should be all you would need to prevent a crawl, right?

      • Re:Um. (Score:5, Informative)

        by Elwood P Dowd (16933) <judgmentalist@gmail.com> on Monday February 09, 2004 @10:42PM (#8233644) Journal
        Here's how it works. Let's say you put a page on your site called

        http://yoursite.com/temporary/hidden/dontreadthi s/ private_document.html

        And it is not linked to ever.


        I realize this is redundant, and you were likely trolling, but Google will leave you right the fuck alone, so long as you put another little file at:

        http://yoursite.com/robots.txt

        That contains the text:

        User-agent: *
        Disallow: /

        I realize this is opt-out rather than opt-in, but there's just one place you have to opt, and there isn't another way that Google could possibly do their job. Everybody else seems to understand that the internet is a publicly accessible network.

        So who's to blame? You. You put a sensitive document in a publicly accessible location on the internet, and took no precautions to keep it secure. Not linking to it is not a precaution.
        • wait... (Score:4, Interesting)

          by djupedal (584558) on Monday February 09, 2004 @11:43PM (#8234045)
          Google will leave you right the fuck alone

          All it takes is one cross-link from a site that links, and a number of hits, and google will advertise the cross-link, robots.txt or not.
          • Re:wait... (Score:3, Insightful)

            by Elwood P Dowd (16933)
            Right. And then you can complain about that site doing the cross linking, or you can think about putting access controls on that sensitive document that you've put on the world-readable public internet.
      • Re:Um. (Score:5, Insightful)

        by pla (258480) on Monday February 09, 2004 @11:00PM (#8233775) Journal
        Let's say you put a page on your site
        <snip>
        And it is not linked to ever.

        Then you have still put it in a publically accessible place, and bear full blame for others finding it.

        For a physical-world analogy, let's say that you want to give a note to a friend (which, for some reason, requires a non-conventional mode of delivery). You could leave it at page 416 of "The complete minutes of the Town of Dullsville, 1853 to 1862", which no one had checked out in the past 30 years. Tell your friend where to find it, and 999 times out of 1000, you'd have no problems.

        If you one day used that same method of sending a note, only to discover someone checked out the book and removed the note, would you actually have the gall to blame anyone but yourself?


        Slashdotters, of all people, have heard this over and over and over... Security through obscurity may help in addition to some form of "real" security, but it almost never works by itself. The web counts as a very public place. If you place sensitive information on it with no security beyond a "hidden" URL, don't act surprised when the NYT has it as a headline the next week.

        And for reference, yeah, I too have stuck random files up on my site for a friend to grab. But never when it would have mattered if someone else randomly found those files.
      • Get a clue (Score:5, Informative)

        by Chuck Chunder (21021) on Monday February 09, 2004 @11:02PM (#8233788) Homepage Journal
        The google mediapartners bot which will look at pages for the purposes of advertising such as in Opera is different and seperate from the bot that adds pages to Google's search database. The mediapartners bot does not feed the Google search engine [webmasterworld.com].
      • Re:Um. (Score:3, Insightful)

        by AstroDrabb (534369)
        If the information is not meant to be public, then it should not be on a publicly addressable server.

        Where I work we have a few servers that are addressable from the internet in a DMZ. Everthing else is untouchable, so the Opera trick doesn't work. The next block we have is that we use Netegrity for corporate wide single-sign-on. Every non-public webserver has a Netegrity client installed. To get any document, you need to first authenticate against the Netegrity policy server over SSL.

        There is also

      • Re:Um. (Score:3, Insightful)

        by Jeremi (14640)
        Who's to blame for this then? not you. You've already ensured you hadn't linked to it.


        Absolutely you, because you assumed that not linking to a document would make it private. Bad assumption. Even without Opera's "feature", someone could stumble upon the proper URL by blind luck, or as part of a dictionary attack, or by sniffing HTTP header traffic.


        If you want to keep something private, don't put it on a public web site. Period.

    • Re:Um. (Score:5, Insightful)

      by ecalkin (468811) on Monday February 09, 2004 @10:44PM (#8233658)
      documents that should not be available to the general public should be a) behind firewalls where the general public is on the other side, b) stored on web servers that require authentication to read such pages (where the general public does not have username/password), or c) not be stored on a web server!

      i think that this is somewhat an issues of bad management and somewhat (maybe more) and issue of the weakness of web service security (compared to something like local novell services).

      eric
  • by baryon351 (626717) on Monday February 09, 2004 @10:20PM (#8233465)
    Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application"

    It's surprising what people will sit in their kazaa upload directory, using it like a documents dump. Legal papers, company's employee policy documents, employee records, sensitive stuff, medical records.

    Taken straight from people's HDs, no hacking, cracking or other media-unfriendly terms needed, just the ignorance of the people who leave this stuff open is needed.
    • by sunrein (580805) on Monday February 09, 2004 @10:29PM (#8233544)
      No kidding. I did a search using Poisoned (kazaa, gnutella, etc.) to find some tax software. Some colossal moron had left a copy of his tax papers in pdf format in his upload directory. Good thing I'm a kind soul and let him know about it. That would've been easy pickings for someone looking to do some identity theft.
    • by tsvk (624784) on Monday February 09, 2004 @10:45PM (#8233664)
      Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application".

      Other examples are ".dbx", the file name extension for mail folders in Outlook Express. Or ".pwl", the Windows 9x system password file (supposedly easily crackable with the correct tool).

      There are unfortunately clueless users who share their whole hard drive. File sharing programs have however started getting better in discouraging or preventing the users from doing this.

    • What I like (Score:5, Informative)

      by Anonymous Coward on Monday February 09, 2004 @10:46PM (#8233677)
      The thing is that most people will literally inadvertantly share their entire hard drive's contents, or at least all "media files".

      What I like to do is go on gnutella or kazaa and search for "DSN" or one of a number of similar prefixes. Why? Because most digital cameras save their files in a specific hardwired format, and the kind of people who leave their entire hard drive shared on kazaa are the kind of people who don't rename their digital cameras.

      You can find the most random, interesting, occationally personal shit that way.

      I'm trying to remember the other common prefixes besides DSN and failing.

      -- Super ugly ultraman
    • nmap -sS -iR -p 445 -PS 445 -vv is also rather entertaining.
    • Bank records ! A long time ago on a p2p I did a search for shits and grins on .xls and got a whole shitload relating to a bank in Indiana, Soooo I called up the guy whose docs were up and sure enough his kid had installed it (Kazza Morpheus Napster dont remeber what I was using then) and shared My Documents , The guy was in a total panic he was like the VP of the bank and there were LOTS of very sensitive docs.
    • Go into kazaa and gnutella and search for any .doc files. Or some likely sounding names like "resume" or "job application"

      I dont know about you but the more people that see my resume the better.

      JV

  • Cover of "Privacy" (Score:5, Insightful)

    by mobiGeek (201274) on Monday February 09, 2004 @10:21PM (#8233468)
    What "privacy"? The information is posted on the WORLD WIDE Web...

    • by LostCluster (625375) *
      What "privacy"? The information is posted on the WORLD WIDE Web... One person's blog topic is another's secret sometimes. There's a big diference to information to give to your family and information you should be leaving within view of Google... but some people don't realize that yet.
    • by IntelliTubbie (29947) on Monday February 09, 2004 @11:19PM (#8233903)
      What "privacy"? The information is posted on the WORLD WIDE Web...

      Perhaps a more accurate title would have been "Online Search Engines Remove Delusion Of Privacy."

      Cheers,
      IT
  • by Black Parrot (19622) on Monday February 09, 2004 @10:21PM (#8233469)


    ...but what the heck are "googled orks"?

  • Why Google? (Score:5, Insightful)

    by lostchicken (226656) on Monday February 09, 2004 @10:21PM (#8233472)
    Why do people always have to drag Google into this sort of thing? Somewhere, someone is pissed off at Google for putting their medical records on the web, and letting people get at them, when they should be angry at the people who posted them to the web in the first place. It's like calling Southwest Bell your partner in crime because you used DSL to steal from an online bank. It just makes SWBell look bad, just as this makes Google look bad.
    • Re:Why Google? (Score:5, Insightful)

      by agentZ (210674) on Monday February 09, 2004 @10:30PM (#8233559)
      Google is a tool, and tools can be used for good or for bad.
    • Re:Why Google? (Score:5, Informative)

      by Xenographic (557057) on Monday February 09, 2004 @10:44PM (#8233654) Homepage Journal
      1) This is old. I remember searching for things like '"index +of" vti' and other such things (try it and modify that search if you like, but it was interesting to find out just what sort of interesting tidbits one might find in such a folder).

      2) This is an article from MSN. This information was available long before Google, but it is, at the very least, curious to see this sort of article from Microsoft when they have been going to the press lately about how Microsoft intends to develop their own search technology...
    • by frovingslosh (582462) on Tuesday February 10, 2004 @12:29AM (#8234277)
      Google is great for a quick, lazy first pass. But there is a lot of information out there that Google never indexes, and some of it is full of interesting stuff. Several years ago a company I was working for tried to do a I.P.O. Curiously, the copy of the paperwork that they released to key people internally didn't have the good information in it. But I found the real I.P.O. paperwork on the Security & Exchange Commisions website (www.sec.gov). Great reading. They had to include the salary and perks of the President and all the V.P.'s (including the one I reported to).

      I don't know why Google never indexes this stuff, it's clearly public record and can be of interest to a lot of people, but they never did (I checked them many times, including just now, and they show no indication of the document). I wonder what other good government documents are out there if you only know where to look for them.

      • This [sec.gov] might have something to do with it...

        User-agent: *
        Disallow: /Archives
        Disallow: /Archives/bin
        Disallow: /Archives/dev
        Disallow: /Archives/etc
        Disallow: /Archives/ftp
        Disallow: /Archives/gopher
        Disallow: /Archives/tmp
        Disallow: /Archives/usr
        Disallow: /cgi-bin
        Disallow: /bin
        Disallow: /oursite/previews

  • SS Minnow (Score:5, Funny)

    by flewp (458359) on Monday February 09, 2004 @10:21PM (#8233477)
    But can they find the last port location of the SS Minnow?!
  • The worst example.. (Score:5, Informative)

    by centralizati0n (714381) <tommy.york@gmaLA ... m minus math_god> on Monday February 09, 2004 @10:22PM (#8233483) Homepage Journal
    The worst example I saw was the FBI NCIC 2000 manual [state.fl.us] [PDF]. It gives you examples of how to look up criminal records and such... which could be very useful to the criminally vested social engineer.
  • by leeum (156395) on Monday February 09, 2004 @10:24PM (#8233497) Homepage Journal
    This isn't anything too new. For kicks, I once searched for "Resume" and "Credit card" on KaZaA and got hundreds of results. Presumably, the trouble is that people sometimes believe that security through obscurity works - or, in the case of KaZaA, a lack of attention leads people to share files they didn't really want to.

    Interestingly, I found a text file with all the user names and passwords for brokerage firms, and bank accounts, of the IT director at the firm I was working in. Scary, considering he was supposed to have "15 years in the IT industry".
  • Could happen to you (Score:5, Interesting)

    by bendelo (737558) on Monday February 09, 2004 @10:25PM (#8233504) Homepage

    A while back I Googled my credit card number for a laugh. I was shocked to find it in an indexed webserver log for a site I had previously 'tried' to purchase from. (the form timed-out and I gave up).

    A quick call to the bank and a few angry calls to the company sorted it, but I was not impressed.

    Perhaps a tool to search for ones own private details should be developed to keep an eye on this?

    • by Animaether (411575) on Monday February 09, 2004 @10:50PM (#8233704) Journal
      Question is.. do you trust the search engine(s) being used ?

      You say you typed your CC# into Google. Unless I missed something, this means that...
      1. It was transmitted over an unsecure connection
      2. It may have been logged as part of regular access logs
      and for the paranoid
      3. It may have been logged specifically as a potential CC# at Google (either due to the company having such a dubious programme, or a rogue employee / group of employees).

      For all you know now, if you searched Yahoo in the future (for whatever reason), your search query with Google may pop up :)
    • by bobthemuse (574400) on Monday February 09, 2004 @11:13PM (#8233866)
      A while back I Googled my credit card number for a laugh.

      I wonder if google has a feature where I can view recent search terms...? You had a laugh, I get a giggle, we're all having fun!
    • by dmiller (581)

      A while back I Googled my credit card number for a laugh

      You therefore send your credit card number, unencrypted, over the Internet. Along the way it would have probably been logged at a proxy cache and would have certainly been logged at Google. You sure are a trusting fellow.

  • by Clinoti (696723) on Monday February 09, 2004 @10:25PM (#8233505)
    The most basic way to keep Google from reaching information in a "Web server", security experts said, is to set up a "digital gatekeeper in the form of an instruction sheet for the search-engine's crawler. That file, which is called "fembots.txt"
  • Nothing new (Score:4, Informative)

    by dattaway (3088) on Monday February 09, 2004 @10:25PM (#8233508) Homepage Journal
    People have used this for years to find things like Bill Gates' social security number and all kinds of things we think should be private. Chances are, if its in a record somewhere, that information will leak onto the internet sooner than most people think.
  • by Quizo69 (659678) on Monday February 09, 2004 @10:26PM (#8233516) Homepage
    Hmmm, let's see:

    1. Microsoft has stated it wants to win the search engine war.

    2. MSNBC (Microsoft owned) puts out story calling Google insecure because it invades your privacy.

    3. MSN Search comes out with "secure, private searching" for only $9.95 a month.

    4. Profit???

    Conclusion: This is nothing more than a FUD story designed to sow the seeds of doubt about Google.
  • by form3hide (302171) on Monday February 09, 2004 @10:27PM (#8233522) Homepage
    Lets pretend I'm taking a computer science course.

    Lets pretend each week I have a program to code.

    You see if you pretend, of course, I put the filename into google, and clicked search. In pretend, you know what came up?

    The source code to the program I had to write for my university.

    But remember, this is in pretend land.
  • Hard to hide (Score:5, Insightful)

    by BWJones (18351) * on Monday February 09, 2004 @10:27PM (#8233529) Homepage Journal
    This all brings up one of the central tenets of computer network security: If it is connected to the Internet, it can be accessed, and sometimes the probing computers that are looking leave their little IP footprints all over the place. For instance, I was rather surprised a couple of years ago watching some IP's scroll through while someone/a software bot was accessing my workstation. Whois revealed nothing, but traceroute revealed an IP that allowed me to do a little more poking around to find out the identity as something from a "Special Collections Service" in Maryland. A little more poking around revealed it to be something involving a state department program whereupon I rather quickly decided to stop investigating. I still don't know anything about them or what they do, but it is surprising how hard it can be to be anonymous on the web. Hey, I am sure even all those Slashdot anonymous coward posters are leaving IP's that can and are documented. :-)

    • Re:Hard to hide (Score:3, Interesting)

      by Phroggy (441) *
      Heh, in about 1996 or so I got a hit on my home page from gatekeeper.eop.gov. I have no idea what that was about.
  • by belmolis (702863) <`billposer' `at' `alum.mit.edu'> on Monday February 09, 2004 @10:28PM (#8233532) Homepage

    The real story here is that companies and other organizations and institutions are setting machines up as servers and are too stupid to create an appropriate robots.txt file and/or keep their confidential information elsewhere. Google doesn't just drop in, even on networked machines. I have some sympathy for individuals who don't understand what they are doing when they make their machine a server, but surely any professional sysadmin, even one with limited training and experience, should know better than this. It's the same as leaving your briefcase on the front seat of an unlocked car.

  • by HealYourChurchWebSit (615198) on Monday February 09, 2004 @10:28PM (#8233541) Homepage


    Part of this problem comes out of who owns the daggoned data. For example, let's say a hospital, instead of using clipboards, uses smartcards to hocket about patient records.

    Who own's the data. The hospital, the insurance company paying the bill, or the poor schmuck on the business end of a colonoscopy?

    I ask because without the indiviual having the write to own the data, there seems to me little that can be done to protect oneself other than go through expensive and tedious legal channels.

    And if someone else can own sensitive data about me, then what can we do, as private citizens with limited resources, to make sure larger entities such as insurance companies play by rules like HIPPA?

  • Read this once... (Score:3, Interesting)

    by Comatose51 (687974) on Monday February 09, 2004 @10:28PM (#8233542) Homepage
    I read once that an old trick some people used to use is to do a search for "root" on Altavista (yeah, this was back in the days) and it would actually return useful information for gaining access. Not sure if that was just a geek urban legend but it sound plausible to me.
  • Geez (Score:5, Insightful)

    by Wolfier (94144) on Monday February 09, 2004 @10:31PM (#8233562)
    If your information is "sensitive" or "private", do yourself a favor and don't put it on the web.

    Peeps nowadays...
  • nothing new (Score:5, Funny)

    by martin-boundary (547041) on Monday February 09, 2004 @10:38PM (#8233616)
    People have been doing searches for private, sensitive, pr0n logins and passwords for years...

    Err, not me of course ;-)

  • by usn2fsu03 (711294) on Monday February 09, 2004 @10:42PM (#8233643)
    That's more than twice the number of ships currently in service.

    Also, these are not precise locations. Yeah, you can find that the USS Roosevelt (DDG-80) is homeported in Mayport, Florida but you're not going to find the precise pier number.

    As for ships on deployment, one can find their general locations just by looking at the latest issue of the Navy Times and by reading the newspaper of the town that the ship and its battlegroup are from.

    The Navy really tightened up on what get's posted on official ship's websites after 9/11. If there is sensitive information still out there, Google is not at fault, but rather the unit's webmaster, Commanding Officer, and the Operational Security people who are supposed to be looking out for that sort of thing.

    • by xant (99438) on Monday February 09, 2004 @11:28PM (#8233960) Homepage
      Google and the wayback machine, respectively, have memories. Just because you take something off the web doesn't mean it can't be found by those services; it just means it won't respond to your browser's request. Cached results and so forth are dangerous. If there ever was leaked data about the locations of those ships, it can still probably be found somewhere, and if that information hasn't changed since it was taken off the web, it's still a problem.

      This applies to any information that's ever been stored electronically; I call it the "backup tape problem". Someday, that information may (will?) find its way online, a public service will index it, and the genie will be out of the bottle forever.
  • by saskboy (600063) on Monday February 09, 2004 @10:42PM (#8233645) Homepage Journal
    Imagine if the US government gets in its head that search engines are a terrorist tool?

    Wouldn't that be interesting?
  • /. google! (Score:3, Funny)

    by potpie (706881) on Monday February 09, 2004 @10:44PM (#8233661) Journal
    now's our chance! I think we can slashdot Google!
  • by l0ungeb0y (442022) on Monday February 09, 2004 @10:46PM (#8233669) Homepage Journal
    Well then again... it is an MSNBC article.
    Seems some one in the mainstream press got a clue and has decided that the other 98% of the people should join in on the fun... if they can figure out how to use Google that is.

    Who knows, maybe they'll even teach the clueless about Google image search... which came in handy this last weekend when a girl who wanted to model but couldn't figure out how to send me a pic attached in an email... Curious as to what she looked like, I googled and found her [google.com].

    As you can see, the stuff you can find on image search sure as hell beats those top-secret pentagon word documents anyday :)
  • by Lifewish (724999) on Monday February 09, 2004 @10:53PM (#8233726) Homepage Journal
    I am a member of a university organisation called the Assassins Guild [ucam.org], the basic premise being that, on the basis of the most limited possible information, we hunt down and "kill" other guild members with weapons such as cap guns and cardboard swords. As such, I have some personal experience of the use of Google in stalking. I can tell you that, in a university composed presumably of some of the most net-savvy people around, I have only found a photo once. Occasionally I have found a usenet posting or slashdot account. Old schools are common, but the folk at my uni are often those who are mentioned in school newsletters. The average web presence of the average user is approximately nil. In a range of cases, someone may become more prominent (either by accident or design - Darl McBride for example), but on the whole there is very little you can gather from Google. Occasionally it's enough to kill your target, but don't count on bank details.
  • old skool trick (Score:5, Insightful)

    by shird (566377) on Monday February 09, 2004 @10:55PM (#8233740) Homepage Journal
    An old trick I used to do was searching for something along the lines of

    "http://*:*@" member

    and you would get a bunch of sites with direct links into passworded member sites. Microsoft will put a stop to this with their latest update to IE however.
  • by Shimmer (3036) <brianberns@gmail.com> on Monday February 09, 2004 @11:26PM (#8233946) Homepage Journal
    This article is from the Washington Post, not from Microsoft. Please adjust your conspiracy theories accordingly.
  • by a.koepke (688359) on Monday February 09, 2004 @11:30PM (#8233970)
    I was looking at a few examples and tried out intitle:"Index of..etc" passwd [google.com]. The first result [gray-world.net] is a honey pot :)

    They have some Webalizer stats [gray-world.net] for the honey pot too.
  • by Felinoid (16872) on Monday February 09, 2004 @11:31PM (#8233983) Homepage Journal
    How to use this for evil is obveous. (Actually I do searches on myself ever now and then just to see what I look like on the Internet. Do it yourself it's fun.)

    Your an evil badguy and go nuts on Google... Credit Cards... Horray... Now to go nutz.

    Leave it to MS NBC to neglect to mention that this is also a tool for good.

    Your a credit card holder..... Now go google your credit cards... DO IT NOW.
    Did you find it? I didn't.

    I've got 4 credit cards.. two store cards one business visa and one personal mastercard.
    (Oh yeah hackers the name on the card is Felinoid) Yeah they'll buy that.. not...

    Don't need to use Google BTW... Use Alta Vista.. or Microsoft serch.. or Lycos...

    Oh yeah and when your done put your credit cards away (I had to leave desk while entering post an left my wallet on desk... Now my credit cards are gone and I think I saw a stuffed teady bear running down the street yelling "Charge it"... Just kidding got all my cards..).
    (Oh yeah if you do see a teady bear running down the street your missing credit cards are the least of your conserns)

    Now to set up a bot to trap all thies searches on Google....
    (Oh come on it had to be said)
    • Your a credit card holder..... Now go google your credit cards... DO IT NOW. Did you find it? I didn't.
      Oh sure, it's all fun and games until your credit card number gets displayed on the Live Query [hofstra.edu] screen at Google HQ... :-p
  • Good! (Score:5, Insightful)

    by ottffssent (18387) on Tuesday February 10, 2004 @12:10AM (#8234191)
    Hopefully this sort of flagrant violation will draw at least a modicum of public attention.

    This isn't some hardened criminal mastermind at work. It's not a seasoned cracker attacking military targets. This isn't even some script kiddie poking at IIS. It's a MACHINE. A machine that respects robots.txt for Eris' sake!

    If medical records and other "real" secrets are this visible, something is terribly wrong and I want to see public floggings. Seriously, this is not a case of weak security, or poor security, or incompetent security. It's a case of there not being so much as a screen door between the public and sensitive information.

    This is actually a case where I think the government (or at least the courts) can do some good. You'll notice banks don't get hacked on a daily basis. That's because they'd lose squintillions of dollars if it happened. But nobody cares about my medical records because it costs money not to have incompetent asses running things. On the other hand, if revealing to without were punishible by a $1000 fine per person, per offense, you'd notice a severe tightening of security in a mighty big hurry.

    It's a shame that suing people is sometimes the only way to get their attention, but with the decline of basic civil responsibility it might be inevitable.
  • stop right there (Score:3, Interesting)

    by ajagci (737734) on Tuesday February 10, 2004 @12:20AM (#8234246)
    "The scariest thing is that this could be happening to the government and they may never know it was happening," Long said.

    This isn't "happening to the government", as if the government is some innocent victim. Rather, "the government screwed up big time". Likewise, if some company has sensitive personal information lying around on a public web server, the company is at fault and should be liable.

    Let's not make victims out of perpetrators.
  • by ajagci (737734) on Tuesday February 10, 2004 @12:28AM (#8234276)
    You can find out whether personal information about you is available accidentally by searching for your name and a piece of your sensitive information on Google, say, your name and the last four digits of your SSN, the last four digits of a credit card number, parts of your phone number, or your street address. Leaked personal information would have to contain both your name and that other information. Chances are that you will retrieve only a few documents, which you can quickly review.

    Keep in mind, however, that Google queries are not encrypted and are not guaranteed to be private or secure, so, for your search, don't use the full SSN or anything else that shouldn't be disclosed.
  • Military Records (Score:3, Informative)

    by prestidigital (341064) * on Tuesday February 10, 2004 @01:39AM (#8234706) Journal
    Just tonight I was Googling for "number personnel U.S. military" and I was surprised to find many links along the lines of "How to find U.S. military personnel." The site with the most links to directories has a Netherlands domain name, which seemed odd. I tried to find some family members and did turn up some information. Some sites were DoD and had recognizable warnings about monitoring. Another was a .com for the military community and required standard registration procedures. I don't know if it's a good idea to have this information online and I wonder what military folks think about it. I reckon there are pros & cons.
  • by DeanFox (729620) <spam.mynameNO@SPAMgmail.com> on Tuesday February 10, 2004 @08:49AM (#8236277)
    I know this is very late in the discussion.

    But, if I wander into an unprotected system, like a bank or military site, and I start reading confidential documents... Is this not a crime?

    What's the difference if I locate the unprotected documents via a search engine or by using a port scanner with an IP range.

    I think what I'm saying is that port scanning and finding an vunerable system, going into that system and looking around is now a crime.

    But didn't I just describe what's going on with google hacking?

    I don't advocate nor believe any of this is a crime but where and why is a line drawn between them?

    I've often said about hacking that just because I go to the market and forget to lock my front door, that doesn't mean I expect to come home and find someone rumaging through my house.

    If it's an administrator who forgets to lock down a port or one how inadvertantly places confidential materal on the wrong box... Again, Where is the line and how is it drawn, and why, between criminal hacking and "it's on an open system, google found it so it's legal".

    I'm just asking. It's early in the AM and my brain isn't working because it's not seeing the difference. I'm only seeing a very fine line between what one might consider a "public" system versus one that expected to be "private". Is the only difference our "expectation" of privacy that makes one illegal and another a sport?
    • Consider the analogy of not locking your door and then coming home to find someone rummaging through your house.

      In most of the cases referenced in this article, the sites hosting the sensitive data didn't just leave their doors unlocked, they brought the data outside and dumped it on the curb. If you're walking by and see something worth salvaging in what for all purposes appears to be someone's trash, do you consider it illegal to pick it up and take it with you?

16.5 feet in the Twilight Zone = 1 Rod Serling

Working...