Online Search Engines Lift Cover Of Privacy
Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information. Some of this information includes 'Medical records, bank account numbers, students' grades, and the docking locations of 804 U.S. Navy ships, submarines and destroyers.'"
Kazaa and Gnutella are cooler (Score:5, Interesting)
It's surprising what people will sit in their kazaa upload directory, using it like a documents dump. Legal papers, company's employee policy documents, employee records, sensitive stuff, medical records.
Taken straight from people's HDs, no hacking, cracking or other media-unfriendly terms needed, just the ignorance of the people who leave this stuff open is needed.
You can do this on KaZaA too. (Score:5, Interesting)
Interestingly, I found a text file with all the user names and passwords for brokerage firms, and bank accounts, of the IT director at the firm I was working in. Scary, considering he was supposed to have "15 years in the IT industry".
Could happen to you (Score:5, Interesting)
A while back I Googled my credit card number for a laugh. I was shocked to find it in an indexed webserver log for a site I had previously 'tried' to purchase from. (The form timed out and I gave up.)
A quick call to the bank and a few angry calls to the company sorted it, but I was not impressed.
Perhaps a tool to search for one's own private details should be developed to keep an eye on this?
Re:Um. (Score:5, Interesting)
Here's how it works. Let's say you put a page on your site called
http://yoursite.com/temporary/hidden/dontreadth
And it is not linked to ever.
If you send that URL to someone using Opera with the right settings (but you don't know that) and they read the private document, within minutes GOOGLE WILL CRAWL THAT DOCUMENT!
Nothing is private any more under situations like that. Let's say that private document then links to all your older private documents. Google can then freely crawl its way in to read the rest.
Who's to blame for this then? Not you. You've already ensured you hadn't linked to it. Not the Opera user, as they have read the document and, respecting your privacy, they've not mentioned it to anyone else.
However, underhanded tactics like sneaking in a Google crawl in this manner are unacceptable to me. My firewall blocks all Google crawler bots for this very reason.
FUD Story to pump MSN Search? (Score:3, Interesting)
1. Microsoft has stated it wants to win the search engine war.
2. MSNBC (Microsoft owned) puts out story calling Google insecure because it invades your privacy.
3. MSN Search comes out with "secure, private searching" for only $9.95 a month.
4. Profit???
Conclusion: This is nothing more than a FUD story designed to sow the seeds of doubt about Google.
problem is not google (Score:2, Interesting)
Read this once... (Score:3, Interesting)
Re:Kazaa and Gnutella are cooler (Score:4, Interesting)
Re:YOU SUCK AT FP (Score:0, Interesting)
Wow, a story that would have been well timed... (Score:1, Interesting)
Wow, this clearly shows that the better solution would be a more limited search engine that doesn't actually let the user search for whatever he/she wants, just in case it's naughty. Perhaps something tied into a Trusted platform that can make these legal judgement calls on the user's behalf.
Wasn't SCO planning to sue Google soon? Wow, what an incredible coincidence! Bad timing for your IPO, Google!
I'd end this with [/tinfoil hat], but I think I could actually be right...
Re:Cover of "Privacy" (Score:3, Interesting)
Re:Nothing new (Score:1, Interesting)
People have used this for years to find things like Bill Gates' social security number
For the curious, it's 539-60-5125. Leaked in 1995. The 539 means it was issued in Washington.
Re:Nothings private (Score:4, Interesting)
Anyone else notice that the site is msnbc.msn.com? Isn't Microsoft trying to develop a google competitor?
Am I just another cynical bastard?
Re:Could happen to you (Score:5, Interesting)
You say you typed your CC# into Google. Unless I missed something, this means that...
1. It was transmitted over an unsecure connection
2. It may have been logged as part of regular access logs
and for the paranoid
3. It may have been logged specifically as a potential CC# at Google (either due to the company having such a dubious programme, or a rogue employee / group of employees).
For all you know now, if you searched Yahoo in the future (for whatever reason), your search query with Google may pop up
Google can't always hack it (Score:5, Interesting)
Re:The worst example.. (Score:2, Interesting)
Re:Why Google? (Score:5, Interesting)
The same as a metal detector or store directory leaflet - these are tools used for information retrieval.
Re:Kazaa and Gnutella are cooler (Score:4, Interesting)
Here, you can get registered names, phone numbers, software keys, and all kinds of other scary stuff...
I tried it once, and was shocked at how many I found in just a few seconds...
Re:Could happen to you (Score:2, Interesting)
If I recall correctly it was sent over a secure connection, however a script on their webserver that was meant to interface with the merchant system failed.
The resulting error dump (containing CC# and personal information) was logged then indexed. A log of my Google searches would only contain the CC# number which is useless out of context.
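Added example, not part of the thread or any poster's code: a Python sketch of the check a site operator could run over web server and error logs to catch the failure described above, a card number written into a log that later becomes indexable. The log lines, the `merchant_gateway.cgi` name and the masking format (first six and last four digits kept) are assumptions made for illustration; the card number is the widely published test number, not a real account.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact_line(line: str):
    """Mask Luhn-valid card numbers in one log line; return (line, hit_count)."""
    hits = 0
    def mask(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # order ids and similar numbers stay readable
        hits += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(mask, line), hits

def scan(lines):
    """Return (redacted_lines, [(line_no, hits), ...]) for a log."""
    out, findings = [], []
    for no, line in enumerate(lines, 1):
        red, hits = redact_line(line)
        out.append(red)
        if hits:
            findings.append((no, hits))
    return out, findings

# Constructed sample log: an error dump and an access-log line, test PAN only.
SAMPLE_LOG = [
    '[error] merchant_gateway.cgi failed: card=4111 1111 1111 1111 exp=01/06',
    '[error] merchant_gateway.cgi failed: order=1234567890123456 status=timeout',
    '203.0.113.7 - - "GET /checkout?cc=4111111111111111 HTTP/1.0" 500 312',
]

if __name__ == "__main__":
    redacted, found = scan(SAMPLE_LOG)
    print("\n".join(redacted), found)
```

The Luhn check keeps 16-digit order numbers from being flagged; a hit on a log that sits under the web root means the file should be moved out of the document tree as well as scrubbed.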
Re:The worst example.. (Score:4, Interesting)
Most of the codes are actually to enter stolen property. To query a CCH on a person you need a name, sex and DOB. You can also use a SSN.
Most of the info you get back is kinda boring. With the exception of juvenile arrest data, it's all public record. But you'd have to know what court house to go to. The NCIC CCH file brings it all into one place.
You'd get, name, race, sex, dob, ssn and dl info, along with height, weight, hair and eye color, fingerprint classification along with a listing of arrests, and court dispositions of those arrests.
If you are going to steal someone's identity, you could do better than stealing a crook's.
If you know someone has been arrested by the Anytown Police Department, go to their records section and do an open records act request for the last arrest's booking sheet. Most likely you'll get most of their identifying info except the SSN.
But whatever you do, don't ever run the President's DL. The Secret Service gets real nasty about that!
Just gotta watch out for the honey pots (Score:5, Interesting)
They have some Webalizer stats [gray-world.net] for the honey pot too.
Now to use it for good (Score:3, Interesting)
You're an evil bad guy and go nuts on Google... Credit Cards... Hooray... Now to go nutz.
Leave it to MS NBC to neglect to mention that this is also a tool for good.
You're a credit card holder..... Now go google your credit cards... DO IT NOW.
Did you find it? I didn't.
I've got 4 credit cards.. two store cards one business visa and one personal mastercard.
(Oh yeah hackers the name on the card is Felinoid) Yeah they'll buy that.. not...
Don't need to use Google BTW... Use Alta Vista.. or Microsoft search.. or Lycos...
Oh yeah and when you're done put your credit cards away (I had to leave desk while entering post and left my wallet on desk... Now my credit cards are gone and I think I saw a stuffed teddy bear running down the street yelling "Charge it"... Just kidding got all my cards..).
(Oh yeah if you do see a teddy bear running down the street your missing credit cards are the least of your concerns)
Now to set up a bot to trap all these searches on Google....
(Oh come on it had to be said)
Word of Mouth On Ships (Score:2, Interesting)
Re:Kazaa and Gnutella are cooler (Score:3, Interesting)
wait... (Score:4, Interesting)
All it takes is one cross-link from a site that links, and a number of hits, and google will advertise the cross-link, robots.txt or not.
Re:That's good to avoid cheaters (Score:3, Interesting)
Re:Could happen to you (Score:3, Interesting)
A while back I Googled my credit card number for a laugh
You therefore send your credit card number, unencrypted, over the Internet. Along the way it would have probably been logged at a proxy cache and would have certainly been logged at Google. You sure are a trusting fellow.
Re:Hard to hide (Score:3, Interesting)
stop right there (Score:3, Interesting)
This isn't "happening to the government", as if the government is some innocent victim. Rather, "the government screwed up big time". Likewise, if some company has sensitive personal information lying around on a public web server, the company is at fault and should be liable.
Let's not make victims out of perpetrators.
Confusing (Score:2, Interesting)
Rican writes "MSNBC has an interesting article about how 'Googledorks' are using the powerful search engine to do searches across the web for sensitive and/or private information."
---
From the website:
googleDork (gOO gol'Dork) noun 1. Slang. An inept or foolish person as revealed by Google.
---
Ok... So who here is the googledork (hint: It's not me)? The dork who googles for the victim's information or the clever person who googles for the dork's information? Confused? If the website is more authoritative than the original slashdot poster (Rican) then maybe Rican is the dork?
There's good stuff out there not on Google (Score:5, Interesting)
I don't know why Google never indexes this stuff, it's clearly public record and can be of interest to a lot of people, but they never did (I checked them many times, including just now, and they show no indication of the document). I wonder what other good government documents are out there if you only know where to look for them.
google is very useful for finding vuln cgi (Score:2, Interesting)
for example:
allinurl: cgi print site:.mil
You would cry if you realized that to hack
Anyway, using common cgi tricks like dot traversal, poison null byte (RFP you can kiss my ass), obfuscation (".." == "%2e%2e"), etc... Oh don't forget the pipe operator.
I agree with other posters who say it is not Google's fault. They do a great job. It is the people who program those CGIs who need to really take a bit more time.
Re:What I like (Score:5, Interesting)
Click on the "show me some pictures" button at the upper-right.
Re:Um. (Score:2, Interesting)
This does not end up in Google's web search index.
Re:Um. (Score:4, Interesting)
robots.txt and HTTP authentication (Score:2, Interesting)
Above all of that, isn't it a stupid idea to hide information with just no link pointing to it? You must make sure it's properly secured with access control, like the IP address or password of the visitor.
Maybe for some people it is not simple to build access control using some content management or any self-built scripting, but I think it is so simple to use HTTP authentication, which is provided by most web servers.
"All search engines will get you this," (Score:1, Interesting)
But the MSN story, just a few lines later, says:
"And it is all legal, using the world's most powerful Internet search engine."
Hmm... Excuse me if I smell a rat.
Re:What I like (Score:2, Interesting)
Cited MSNBC web page severely crippled (Score:2, Interesting)
These fuckers never give up.
Re:Fuck that shit (Score:4, Interesting)
Not really. I mean, you're not really giving much away with
Disallow:
unless going to http://mysite.com/personal/ returns a directory listing.
The general point is that yes, you do have to trust people to respect the robots.txt. The problem we're talking about is Google, though, and we know they do respect it.
www.whitehouse.gov/robots.txt (Score:1, Interesting)
Disallow:
Disallow:
Disallow:
Disallow:
Disallow:
The listings end in either "text" or "iraq". Is "iraq" an acronym? If so, it's pretty funny.