Google "hacked our website"

[mariush]

Google "hacked our website"

School takes on the might of Google

By Nick Farrell: Monday 26 June 2006, 07:31
A SCHOOL board has won a temporary injunction against the search engine outfit Google.

Judge Richard D. Boner (no really) issued the injunction in favour of Catawba County Schools which alleges conversion and trespass against Google.

The schools claim that Google's search engine spider grabbed information they shouldn’t have and posted it on the Interweb.

The data included the names, Social Security numbers and test scores of 619 students which are still available online when the page was removed by the schools.

Catawba County Schools chief technology officer Judith Ray the information was stored in the system’s DocuShare server, which required a username and password to access. She said that one of the students on the list had a presence on the Web. Google’s web spider latched onto her name in this document.

"We were not aware that password-protected sites are set up like that. To our knowledge, Google could only cache unsecure information that did not require a password or username," she said.

A spokesGoogle said that it was impossible for its spider to bypass a password.

http://www.theinquirer.net/?article=32637
http://www.journalnow.com/servlet/Sa...=1037645509099

[Art]

I saw this previously but wasn't sure if anyone else had posted it. Can the Googlebot visit pages through passworded links? i.e. http://USERNAME:PASS@school.edu? Perhaps they should've found the initial access point where the spider managed to read all their knowledge.

In all seriousness... is the Googlebot meant to be psychic? How does it know what to spider and what not to spider? The issue lies with the school's IT department and not Google. If a spider could get in... think about the people who want to get in.

[NoobieDoobieDo]

Ya, hacked implies steps were taken by hand out via an automatic program for the purpose of illegally gaining access to something.

If you give me a link with the username/pass included it's a bit of a stretch to say I "hacked" it.

[lorien1973]

Quote:

Can the Googlebot visit pages through passworded links? i.e. http://USERNAME:PASS@school.edu? Perhaps they should've found the initial access point where the spider managed to read all their knowledge.

Not sure, but if the password was used something like:

http://school.edu/login.php?user=bob...d=bobspassword

google sure could. Wouldn't be google's fault that the school had a shitty software setup.

[latehorn]

I'm 100% on googles side this time.

1. Googlebot doesn't hack session passwords, just stupid GET passwords
2. In other case, use the robot.txt if you don't want some pages to get indexed.

[Art]

Quote:

Originally Posted by lorien1973

Not sure, but if the password was used something like:

http://school.edu/login.php?user=bob...d=bobspassword

google sure could. Wouldn't be google's fault that the school had a shitty software setup.

Any school that employed an IT department that most likely set up their entire intranet but just so happened to use GET to pass their user/pass variables needs to fire their entire department.

It sounds like their IT team messed up and threw the blame onto Google... some heads will roll when all is explained. Earning the ire of a massive corporation isn't my idea of fun.

[Endurer]

Quote:

Originally Posted by latehorn

I'm 100% on googles side this time.

1. Googlebot doesn't hack session passwords, just stupid GET passwords
2. In other case, use the robot.txtif you don't want some pages to get indexed.

Right on the mark, latehorn!

[Tara33]

Quote:

Originally Posted by latehorn

I'm 100% on googles side this time.

1. Googlebot doesn't hack session passwords, just stupid GET passwords
2. In other case, use the robot.txt if you don't want some pages to get indexed.

I was waiting for someone to make this point! Anyone should know that a robots.txt will keep the spiders out; regardless of Google supposedly not being able to get into password protected areas. I see this as the only sure way to have a case against Google for indexing pages, which are not supposed to be indexed - with an robot exclusion command.

I think they can forget about legal action, and would be appalled if they actually got one cent from Google.

I also think parents should have issue with their childrens' SS numbers and private information be (potentially) advertised on the Internet by school systems. They should assign them a student ID and relate only part of their SS# to that ID; or something. Putting their SS#'s on the Internet was stupid to begin with, whether the page was protected or not!

[Dejavu]

http://thedailywtf.com/forums/thread/66126.aspx

[RH78]

I'd have to agree and say that Google is blameless on this one. The IT dept. is probably someone who is just the contact person for the company that set the LAN there in the first place.

A simple robots.txt can do wonders.

[Endurer]

It's like they are blaming google for their own mistakes. Poor parents having no clue of how the web works will easily get fooled. Someone tell those parents to sue this school for being irresponsible with data privacy & protection.

[The Webmaster]

Its not google's fault.

The school board should have been more carefull about their own security.
Google dont read POST data/Sessions.
There must be a loophole in the school's security.

[talkwebz]

i know..its not googles fault...seriously the school board needs higher security cause a simple spider can go into the school's infomation...wonder what will happen if it was a real hacker's spider or crawler...then the school is doomed..actually this will teach the school board some lesson..use higher security next time

[Grokodile]

LOL. It's that darn "interweb" thingy... causing trouble again. What a bunch of retards at the school board.

[Phynder]

Okay, so I will be the first person to defend the school.

Google walks by someone's house and notices that the door is unlocked. They walk in and take a bunch of stuff. That is okay because the houseowner left his door unlocked? Sorry - I doubt you will find a court that will allow that.

Does anyone have the facts in this case? Do you know what the robots.txt file looks like? Googlebot is notorious for reading files it is not supposed to - yet Google ignores complaints from webmasters.

Sorry guys - I am on the school's side!

[Dekker]

Ummmm Phynder, it's more like a person holding a sign that said "Hello" in big red letters, and then sued you for reading it.

[The Webmaster]

Quote:

Originally Posted by Phynder

Okay, so I will be the first person to defend the school.

Google walks by someone's house and notices that the door is unlocked. They walk in and take a bunch of stuff. That is okay because the houseowner left his door unlocked? Sorry - I doubt you will find a court that will allow that.

Does anyone have the facts in this case? Do you know what the robots.txt file looks like? Googlebot is notorious for reading files it is not supposed to - yet Google ignores complaints from webmasters.

Sorry guys - I am on the school's side!

Did they say that Google indexed pages even it was prohibited in robots.txt (and yes we know how robots.txt looks like)?
How would google know that what page it should not index unless explicitly said so??
The school and its lame Web department (usualy run by a bunch of students) made mistakes after mistakes and now they crying out on google.

[Phynder]

Quote:

Originally Posted by SVZ

Ummmm Phynder, it's more like a person holding a sign that said "Hello" in big red letters, and then sued you for reading it.

Okay, but I still see it like this. A foolish/self-important SUV driver leaves his gas guzzling vehicle running, unlocked with the keys in the ignition in front of the Starbucks while he goes into to get his hot caffeine-based drink of choice.

No matter how stooopid he is and how much we feel he might deserve it - anyone caught taking the vehicle (unsecured) will still be liable for prosecution.

Sorry - I think this scenario is more appropriate to compare with the School vs. Google.

[Phynder]

Quote:

Originally Posted by The Webmaster

Did they say that Google indexed pages even it was prohibited in robots.txt (and yes we know how robots.txt looks like)?

Cool - please post their robots.txt.

[Dekker]

Quote:

Originally Posted by Phynder

Okay, but I still see it like this. A foolish/self-important SUV driver leaves his gas guzzling vehicle running, unlocked with the keys in the ignition in front of the Starbucks while he goes into to get his hot caffeine-based drink of choice.

No matter how stooopid he is and how much we feel he might deserve it - anyone caught taking the vehicle (unsecured) will still be liable for prosecution.

Sorry - I think this scenario is more appropriate to compare with the School vs. Google.

No...because this would mean Google used their social insurance numbers to commit fraud or a crime.