Searching For Trouble With Google 506
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."
Quicken files (Score:5, Insightful)
Simon
FBI use? (Score:5, Insightful)
Re:I blame the Google Toolbar for a lot of this (Score:5, Insightful)
In the long run, thus, we'll have real security and ease of use.
Re:Nothing wrong with this... (Score:5, Insightful)
It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.
It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't
This is supposed to be wrong? (Score:3, Insightful)
Time to join the 21st Century (Score:5, Insightful)
Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.
Comment removed (Score:5, Insightful)
Re:Nothing wrong with this... (Score:3, Insightful)
Re:Nothing wrong with this... (Score:5, Insightful)
Re:Liability (Score:2, Insightful)
Is Google liable for harvesting and publishing sensitive information? If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
If a google search finds it then google is not publishing it; rather, google is simply providing a link to something that is already published. IANAL but, caching aside, all they are doing is providing a link to something that is already publicly accessible, so I don't see how they could be liable. The situation may be more complicated if the data were illegally published, later pulled from the web site, but remain in google's cache.
Re:Nothing wrong with this... (Score:3, Insightful)
You don't have to be dumb to make mistakes like this, a single typo can do it. Being dumb just helps.
The sad thing... (Score:5, Insightful)
Re:Nothing wrong with this... (Score:5, Insightful)
Re:on the right track, except for... (Score:2, Insightful)
Remember Microsoft? Corporate giant, kinda unethical? Their products are notoriously unsecure, and yet people still use Windows/IE/Outlook. Why? Because free market economics don't work in a corporate dominated environment. We don't have free market capitalism, we have corporate monoculture, and it's notoriously unreliable for producing good, solid, honest products. Instead we get salesweasels shovel^H^H^H^H selling products that don't work as advertised. Better alternatives are quashed, or relegated to the open source community (which is good, but lacks an R&D budget). I think you're being overly optimistic.
Some of them plants? (Score:5, Insightful)
Re:The sad thing... (Score:3, Insightful)
Without the signature a cardholder can repudiate the transaction. So if you didn't buy the stuff, just tell the Issuing Bank that you didn't and just don't pay for that transaction.
Then either the Merchant loses or the Bank loses. You, the cardholder don't unless you use a crappy card company that charges you to reissue a new card. Of course there's the inconvenience of being short of one usable credit card. But it's not as big a disaster to cardholders as some people make it.
In short with credit cards, if anything happens it's mainly SOMEONE ELSE's money involved NOT yours. Whereas cash, debit cards, cheques are riskier. Coz if anything happens - it's YOUR money.
So many people are ignorant of this and say stuff like "Buying stuff online with your credit card? Is that safe?".
It's selling stuff online that's risky. You ship goods, cardholder says "nope not me", and EVEN if cardholder screws up and forgot, you LOSE.
Re:Nothing wrong with this... (Score:4, Insightful)
And then you give the PIN to the business to complete the transaction and now they have that. Exactly how does this improve security when you transact business with a company? It might improve security if someone were to steal your wallet, but without some complicated and difficult to verify one time hash scheme. Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up their site.
robots.txt (Score:1, Insightful)
Re:Nothing wrong with this... (Score:5, Insightful)
You do realize that to do business on line, you would still have to give them your pin, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
Re:Terrifying (Score:4, Insightful)
Is there anything we can advise these people to do to minimize the damage at this point?
That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.
And why it isn't a big deal.. (Score:3, Insightful)
For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
The majority of the credit card numbers are on semi underground script kiddy sites. Where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card number generator.
Lastly this article implies (and a number of posters here) that the credit card numbers found are the result of carelessness by credit card holders on the web and therefore it is their own fault. This is not the case. Google did not expose any mass stupidity by internet users, it simply exposed some of the sites that harvest credit card numbers.
Re:Nothing wrong with this... (Score:5, Insightful)
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
Unfortunately, this doesn't usually have a lot to do with intelligence.
Re:Nothing wrong with this... (Score:5, Insightful)
Think about this as somebody with some technical background. What is more secure?
1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
2. Providing your credit card number to Amazon.
So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.
I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.
Re:Nothing wrong with this... (Score:3, Insightful)
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
No, I do not realize this. You are not using your imagination.
During the checkout phase, you get a code. You log on to your bank/credit card/whatever account, paste that code into a field to authorize the funds, and get an order confirmation from the place where you bought your stuff.
There are probably a ton of other ways to make this work, too. It is not a requirement that you feed an online business enough information to make purchases using your credit card, that's just how it happens to be set up now.
Re:I blame the Google Toolbar for a lot of this (Score:5, Insightful)
People still 'hide' house keys under their doormat. Try explaining to them why they shouldn't do it on the Internet.
Comment removed (Score:5, Insightful)
Re:The sad thing... (Score:3, Insightful)
No, the merchant loses. The bank never loses.
Re:Nothing wrong with this... (Score:4, Insightful)
However, "Even then, it doesn't do them any good without your card" is flat wrong, cards can be forged, magnetic stripes rewritten (Ever see a cashier verify the numbers that got approved are the numbers on the card? They rarely confirm the signature, and I've even used other people's Photo Visas).
Also, video cameras can record pin numbers, electronic eavesdropping tricks could "hear" the PIN number, etc. Heck, what guarantee do you have walking into any store that the CC terminal is legitimate, and not a fake designed to capture your CC number and PIN before passing it on to a legitimate machine in the back? Dig around for ATM fraud to see what is actively going on.
Re:Liability (Score:3, Insightful)
If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
Bad analogy. A better one: If the neighbor posts his naked photo on a public bulletin board, does that mean you can show other people where it is?
Stuff that's on the web is there because someone put it there, i.e. they published it. The fact that they may not have *meant* to publish it doesn't change the fact that they did. If you place an ad in the newspaper, but screw up and give the paper a steamy letter to your secret gay lover instead of the blurb about the 1998 Camaro you want to sell, are they liable for the damage done to your reputation when they publish it? (Assuming, of course, that you consider it more damaging to be 'outed' as a closet homosexual than as a Camaro owner).
Re:Nothing wrong with this... (Score:3, Insightful)
The cost, however, is passed onto the consumer as the merchants have to charge premiums for fraud in an insecure system, as do the banks, and everyone else along the chain that has to support fraudulent transactions.
This is no small thing, the very large bank I worked at had to spend a great deal of money around this and online-billpay activity.
The credit card is an unfortunate half-breed trying to be somewhere between cash and a check. Historical reasons and trying to gain usage and market acceptance have pushed it into this role perhaps, but where it's at now is broken.
Also try searching for outlook databases (Score:3, Insightful)
Re:Nothing wrong with this... (Score:2, Insightful)
Re:Nothing wrong with this... (Score:3, Insightful)
I disagree. It also includes avoiding being killed before reproducing.
Unfortunately, this doesn't usually have a lot to do with intelligence.
Avoiding predators and other dangers may not require intelligence, but it requires instincts. Being conspicuously careless--to bring this somewhat back on-topic--is not usually a good survival trait.
Re:robots.txt (Score:4, Insightful)
I can't tell if you're being ironic or just stupid.
You're suggesting that you "secure" your sensitive information by listing where it is in robots.txt? I think I want to have a look in your robots.txt, now.
The purpose of robots.txt is not to secure your information, it is to avoid getting eaten alive by bandwidth-hogging search spiders, and to prevent spiders from indexing irrelevant or out of date information.
If you want your information to be secure, here's a hint: don't put it on a fricking web server.
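The point of the comment above, as an added example that is not part of the original thread: a self-audit of your own robots.txt that flags sensitive-looking `Disallow` entries and classifies them by what an anonymous client receives. The sample robots.txt, the status table, the keyword heuristic and the function names are all constructed assumptions.

```python
import re

# Constructed sample robots.txt for a hypothetical site (not from the thread).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /backup/customers.sql   # database dump
Disallow: /finance/household.qdf
Disallow: /admin/
Disallow: /old-press-releases/
"""

# Constructed status codes an anonymous client would receive (stand-in for
# unauthenticated requests against your own server).
SAMPLE_STATUS = {"/backup/customers.sql": 200, "/finance/household.qdf": 200,
                 "/admin/": 401}

# Assumed heuristic for paths that name something sensitive.
SENSITIVE = re.compile(
    r"admin|backup|private|secret|finance|\.(sql|qdf|pst|bak|mdb)$", re.I)

def disallowed_paths(robots_text):
    """Return every Disallow path, skipping comments and empty rules."""
    paths = []
    for line in robots_text.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def audit(robots_text, status_of):
    """Classify sensitive-looking Disallow entries by anonymous HTTP status."""
    findings = []
    for path in disallowed_paths(robots_text):
        if not SENSITIVE.search(path):
            continue
        status = status_of(path)
        if status == 200:
            verdict = "EXPOSED: listed in robots.txt and readable without login"
        elif status in (401, 403):
            verdict = "access-controlled, but location is still advertised"
        else:
            verdict = "not served: drop the stale entry"
        findings.append((path, status, verdict))
    return findings

if __name__ == "__main__":
    for path, status, verdict in audit(SAMPLE_ROBOTS, SAMPLE_STATUS.get):
        print(f"{path:26} {status}  {verdict}")
```

Anything reported as EXPOSED needs server-side authentication or removal from the web root; deleting the robots.txt line alone changes nothing about who can read the file.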
Re:Nothing wrong with this... (Score:3, Insightful)
Re: additionally (Score:3, Insightful)
One thing I don't think I've seen mentioned yet though, is that everyone is assuming that people choose to post the data in question. While this is probably true to a large part, it is by no means always the case. Some of the data may have been stolen due in no part to the victims (hacked website, disgruntled employee at a bank, etc.) and then posted.
Re:Nothing wrong with this... (Score:3, Insightful)
.htaccess? (Score:1, Insightful)
Not Very Good Examples (Score:1, Insightful)