Google, users privacy & the developers security.
Posted by: jungsonn
Date: November 05, 2006 03:16PM

Who is responsible for the weakest link when it comes to stolen privacy, i.e. theft of information that is made public through search engines?

I read some article last week about Google code-search: http://www.kottke.org/06/10/google-code-search

I'm not impressed by that, actually; I think everyone knows this:

This could be done since Google launched its service way back, by just Googling for files, filetypes, etc. The code search is neat, but mostly searches in C, JavaScript etc. User information isn't stored in these files. A better place to search is in .sql & .csv dump files which some developers upload to their server (handy as a backup now and then).

Take these queries for instance:

"phpMyAdmin" filetype:sql -demo -foobar
"table users" filetype:sql -demo -foo
"mysql dump" filetype:sql -demo -foobar
"Dumping data for table 'users'" filetype:sql
etc, etc...

This gets me a lot of info, sometimes with passwords not hashed:

INSERT INTO users VALUES('rahul','jedi knight','red6',2);
INSERT INTO users VALUES('matt','The Scotsman','masaladosa',3);
INSERT INTO users VALUES('dilip','PHP MultiMedia','matrix',4);

And even if they are hashed, we can use a rainbow-table search, which is increasingly easy to find on the net: http://www.md5decrypt.com/

Like these results I got:

INSERT INTO mos_users VALUES (62,'James Allison','admin','allisons@cox.net','818d9de366375085abdb756bcb9e9cbc','superadministrator');
INSERT INTO mos_users VALUES (63,'Zeeshan','zeeshanalisangri','zeeshan_ali_sangri@gawab.com','11ab82d6171429d4caad91c12b95b313');
INSERT INTO mos_users VALUES (64,'Jaskaran','Singh','jessysingh313@hotmail.com','0cf054e09014fbff53ffc7c5913cf974');
INSERT INTO mos_users VALUES (65,'bhupendra','maurya','b_maurya@desiwebs.com','2f9afb26e39435464f340b56b018d483');

Storing passwords verbatim is dumb, but even hashes aren't safe. A way around this would be salting the hashes, and preferably storing them in a different table, for instance.

Conclusions I personally have about it:

1) Developers should be responsible for the stored information and proper hashes/encryption.
2) Users should take care of their information, and at a minimum not use the same password on every site.
3) Google should have more social responsibility; I mean, why should one ever need to search "filetype:sql"?

So I'd like to know what you guys think about this:

Who is responsible for the users' personal information?
What measures should each party take?

Every idea/flame/discussion is welcome. :)

Edited 1 time(s). Last edit at 11/18/2006 11:37AM by jungsonn.
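As an added example (not code from the post, nor from any site quoted in it), the script below does what the post describes against a constructed dump: it pulls the rows out of single-line INSERT statements, separates plaintext password fields from bare 32-hex MD5 values, runs the MD5 ones through a precomputed lookup in the spirit of the md5decrypt.com search, and then shows the recommended fix done properly: a random per-user salt plus PBKDF2 stretching, so that the same password produces a different record for every user and a precomputed table no longer applies. The sample rows, the wordlist, the column position of the password and the iteration count are all assumptions of the example.

```python
# Added example, not code from the post: audit a SQL dump of the kind the
# Google queries above turn up, then show salting done properly.
import hashlib
import hmac
import os
import re

# Constructed sample dump in the style of the post. The two crackable hashes
# are md5("password") and md5("123456"); the last one is random filler.
SAMPLE_DUMP = """
INSERT INTO users VALUES('alice','Alice Example','matrix',2);
INSERT INTO users VALUES('bob','Bob Example','5f4dcc3b5aa765d61d8327deb882cf99',3);
INSERT INTO users VALUES('carol','Carol Example','e10adc3949ba59abbe56e057f20f883e',4);
INSERT INTO users VALUES('dave','Dave Example','7e0d7b4cfb1b9b3b0d7e7b6f2b3a4c5d',5);
"""

# Assumed tiny wordlist standing in for a real rainbow table / online lookup.
WORDLIST = ["password", "123456", "qwerty", "letmein", "secret"]

_ROW_RE = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?\s+VALUES\s*\((.*)\)\s*;", re.I)
# A quoted string (with backslash escapes) or a bare unquoted token.
_FIELD_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,\s]+)")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def parse_rows(dump):
    """Return [(table, [field, ...]), ...] for each single-line INSERT."""
    rows = []
    for line in dump.splitlines():
        m = _ROW_RE.search(line)
        if not m:
            continue
        fields = [quoted or bare for quoted, bare in _FIELD_RE.findall(m.group(2))]
        rows.append((m.group(1), fields))
    return rows


def classify_password(field):
    """Rough triage of a password column value as it sits in the dump."""
    if _MD5_RE.match(field):
        return "md5-unsalted"   # bare 32 hex chars, no salt stored alongside
    return "plaintext"


def build_lookup(wordlist):
    """md5(word) -> word. Same idea as a rainbow table, minus the time/memory
    trade-off (a real table stores chain endpoints and recomputes)."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def audit_dump(dump, password_index=2, wordlist=WORDLIST):
    """Return {username: (classification, recovered password or None)}.
    The password column position is an assumption of the example."""
    lookup = build_lookup(wordlist)
    report = {}
    for _table, fields in parse_rows(dump):
        user, pw = fields[0], fields[password_index]
        kind = classify_password(pw)
        recovered = pw if kind == "plaintext" else lookup.get(pw.lower())
        report[user] = (kind, recovered)
    return report


ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def make_salted(password, iterations=ITERATIONS):
    """Random per-user salt + PBKDF2-HMAC-SHA256. The salt makes any
    precomputed table useless; the iterations slow down guessing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), dk.hex()


def verify_salted(password, salt_hex, hash_hex, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    for user, (kind, pw) in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:6} {kind:13} {pw or '(not in wordlist)'}")
    s1, h1 = make_salted("password")
    s2, h2 = make_salted("password")
    print("same password, different stored hashes:", h1 != h2)
    print("verify ok:", verify_salted("password", s1, h1))
```

Running it lists alice's plaintext password, recovers bob's and carol's from the lookup, leaves dave's unrecovered, and then shows that two salted records for the identical password differ while still verifying. The salt needs no secrecy, only uniqueness, which is why storing it next to the hash is fine; what the post's second table suggestion buys is limited, since a dump usually contains every table anyway.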

Re: Google, users privacy & the developers security.
Posted by: id
Date: November 05, 2006 03:38PM

Really there is no good solution. RSnake has posted about it before, but basically the whole net is fucked.

Users shouldn't have to know anything other than that they need a good password. Holders of data need to protect that data. Users cannot judge which sites really know their shit and can protect their data. And worst of all, a lot of sites think they are doing a good job while not having a clue about security.

1. They just don't have enough of a clue.
2. They should; this is Microsoft and Apple's responsibility IMO, and partly Firefox/Opera/web browsers'. If you're on *NIX you're supposed to have half a clue... All web browsers at this point should have a way to integrate with websites requiring a password; the users should never see it and there should be no way for them to see it. Maybe USB fob functionality to store a profile encrypted or something to make it portable.
3. Google is evil, but as far as searches go they are no worse than any other search engine.

/throws his hands up in the air and screams "We're all fucked"


Re: Google, users privacy & the developers security.
Posted by: id
Date: November 05, 2006 03:42PM

Just to clarify, MS and Apple should have password management integrated into their OSes and browsers. Users cannot be relied on to come up with good passwords; RSA key fob style two-factor authentication should be the standard, not a corporate thing. The major PC vendors could add this functionality along with MS/Apple if any of them gave a fuck about actual security.


Re: Google, users privacy & the developers security.
Posted by: jungsonn
Date: November 05, 2006 03:52PM

haha yes indeed :)

BTW: I made a Firefox extension a while ago: https://addons.mozilla.org/firefox/3208/
called Fire Encrypter, which also has a secure password generator in it.
I made it in the hope that users will actually use it or learn about these issues.

But I think you're right that such things should be standard, and the management of the passwords is tricky business.

Edited 1 time(s). Last edit at 11/05/2006 03:53PM by jungsonn.

