Police To Google: Make Our Site More Secure By Delisting It
from the how-not-to-fix-anything dept
Having trouble keeping your secure website secure? Why not try a DMCA takedown request?
Of all the things DMCA takedowns have been used for (mainly removing infringing material, censorship), I’ve yet to see one deployed as an ad hoc extension of a cop shop’s IT department.
The Idaho State Police would apparently like Google to forget all about its publicly-accessible login page for its evidence database.
We have a private login page that is not on any internet webpage. It is law enforcement sensitive and we are trying to minimize the attempts to hack the site. We would appreciate Google not indexing the site. https://ilims.isp.idaho.gov/prelog/LIMSPrelog/
It’s still indexed, although you have to perform a very specific search to see it. The URL takes you to the login page for access to its LIMS (Laboratory Information Management System) database. That’s it.
It’s not the only page of its type accessible via a Google search. Login pages for law enforcement agencies from York County (South Carolina), Westchester County (New York), Kansas (Criminal Justice Information System) and Minnesota (Dept. of Public Safety) can all be accessed using “LIMS” “prelog” or other related terms. If you’d like a copy of Porter Lee’s “Crime Fighter BEAST” software — which most of these databases utilize — the Alabama Department of Forensics has a handy download link on its website. (Not that you can do anything with it but attempt to log in…)
A DMCA notice is not for removing pages you’d rather Google didn’t index. It’s for taking down infringing content. Beyond that, simply delisting the link will likely have no noticeable effect on hacking attempts. The page will still be accessible from the web — and that’s the main problem if the Idaho State Police are looking for a more closed/protected system. (And it doesn’t help that the login screen indicates Internet Explorer and Adobe’s PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.) It appears a blanket disallow was added to the site’s robot.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.
Google appears to have ignored the request, which is how it should be. This has nothing to do with copyright and everything to do with people thinking DMCA takedown notices are the best hammer for every nail they come across.
Filed Under: censorship, copyright, dmca, idaho state police, lims prelog, security, takedown
Comments on “Police To Google: Make Our Site More Secure By Delisting It”
“although you have to perform a very specific search to see it.”
Bet it’s going to be quite a bit easier to find now after they made such a big deal in trying to hide it. Idaho State Police meet the Streisand effect!
Re: Re:
Are they aware that there are other search engines? For example, one that looks like a duck but doesn’t quack when you visit its page?
And bonus points
if the default admin account/password are still in place.
Haven’t they heard about robots.txt, which just about all search engines respect as a means of keeping pages out of search indexes?
Perhaps they have the same IQ requirement for I.T. staff as they have for police officers!
Re: Re:
I think explaining to them how a robots.txt file works is a little above their heads when they don’t know the the difference between public and private.
Re: Re: Re:
It is too late now. The only hope is to start singing “The Way We Were,” and hope it all goes back to the good old days before the URL has been splattered across the web.
Re: Re:
Besides, you are looking to shallow. Whether it’s listed or not ISN’T the problem. The problem is that they don’t understand what a “Internet web page” actually is. What they really need to accomplish what they want is a VPN. But this is what happens when you put hire someone for a job like that that likely thinks Google is the Internet.
Re: Re:
They haven’t heard of streisand.txt, either.
Re:
Did you actually read the article?
Re: Re:
I was going to say the same. Really, who at this point in time doing web pages doesn’t know about the simple to use robots.txt file?
Google and all the other search engines won’t list the site in the first place. All these company’s and people complain about Google listing them, linking to them whatever and all they had to do was a simple txt file and their problem is no problem at all. This is like Web page design 101. Web Page Design for Dummies!!!!
Re: Re:
Robots.txt might be a bit underpowered for their needs. However, they can do server-side checking of traffic sources and create more effective blocks.
But honestly — they’re off on the wrong foot in the first place. They shouldn’t have such sensitive access points open to the web at large at all. Don’t they have a VPN?
Re: Re: Re:
Exactly. But really, if they don’t realize the difference between public networks and private ones, do you really expect them to know what a VPN is much less have one?
Re: Re: Re: Re:
I know, but I would have hoped that even if they don’t think it’s worth the money to maintain a competent IT staff, they’re at least be willing to fork over a few grand to have a contractor set things up properly.
“We have a private login page that is not on any internet webpage.”
/facepalm
Uh… yeah it is. If it weren’t it wouldn’t be publicly accessible. Perhaps this give some insight into why law enforcement seems to have a bad habit of invading the privacy of others. Could it be that they don’t know what the word “private” actually means afterall?
Re: Re:
I couldn’t stop laughing reading this. I wonder of someone put the page up in the folder and just doesn’t understand that the entire folder structure will be made available on the internet.
SSL Labs grades the site an "F"
I guess they better work on their server configuration 😉
No wonder they don’t want anyone hacking away.
Re: SSL Labs grades the site an "F"
Ah, no wonder it’s running IIS/7.5
(And it doesn’t help that the login screen indicates Internet Explorer and Adobe’s PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.)
Anyone still using either of those in 2016 should be put up against the wall with the Marketing Division of the Sirius Cybernetics Corporation.
Some moron probably caused it to be indexed...
By typing the URL into a google search (which I watch a staggering number of people do), they probably caused it to be indexed initially.
Re: Some moron probably caused it to be indexed...
That would be “Officer Moron” to you…
Re: Re: Some moron probably caused it to be indexed...
If Idaho is like Texas THAT comment would put you in a world of hurt. State Police (in Texas that’s the DPS) don’t consider themselves “Officers.” They are “Troopers” and expect to be referred to as such.
Re: Re: Re: Some moron probably caused it to be indexed...
There’s a 2000AD reference in there somewhere…!
These are the kinds of mistakes made by people who do NOT understand technology, who do not understand how browsers and bookmarks work. These are the same people who do a Google search for EVERY SINGLE PAGE the load. The problem with idiots is that they drag you down to their level then beat you with experience.
Re: Re:
I have seen in person the fabled “search for google in the browser search bar to bring up google, then search for youtube”, and the darkness stared back.
Security through obscurity. While that may work for your standard users, it won’t have any effect on the hackers they are trying to stop.
Re: Re:
Hey this looks like a perfect place to try out using encryption with a backdoor to see how well it works out.
Let me google that for you....
Curiously enough, when you do a google search on that url, it shows up on a few pages – including the “Idaho State Police Forensic Services” home page. Hmmmm, maybe that’s how Google found it.
http://bfy.tw/4JUe
At this point, about all they can do is change the url and make sure that the robots.txt is correct before they publish the new url. 😉
Re: Let me google that for you....
If they do that then none of their legitimate users will ever find them again.
Re: Re: Let me google that for you....
But wouldn’t that be good news for doughnut farmers?
Re: Re: Re: Let me google that for you....
Not being a farmer, I have been wondering about that. Does Monsanto control the sprinkles seeds?
Someone doesn't understand how "robots.txt" works.
It will not block indexing if some other site links to that URL. They should be using the robots meta tag in the HTTP header of that web page and all other pages they don’t want indexed.
Re: Someone doesn't understand how "robots.txt" works.
Why not move it to an to a real private network that is only publicly accessible through a VPN so the Google indexing point is moot?
Re: Someone doesn't understand how "robots.txt" works.
or, you know, not put the thing on the open internet…
but what do I know?
Police: “Don’t be evil Google. Protect our website from bad guys using Internet Explorer.”
Security via Obscurity
The amount of evidence being presented to my suppositions is making the case for them being real.
Google = Internet.
We hired a cousins nephew who set the clock on the VCR to setup our website. You mean OTHER people can find it on the internet?! Quick make Google fix it.
Someone with some free time want to submit a FOIA request to find out how much cash was kicked back from the idiot who set this up? I’m willing to bet millions were and continue to be spent keeping this trainwreck rolling.
So – LEOs are going dark?
lol
The silly part here is that they use a *DMCA* request. DMCA deals with copyright. It’s not a catch-all “we want this taken down” mechanism.
To be fair, the rules on what you must do to de-list a page are not intuitive. On the other hand, they are easily googleable:
“Important! For the noindex meta tag to be effective, the page must not be blocked by a robots.txt file. If the page is blocked by a robots.txt file, the crawler will never see the noindex tag, and the page can still appear in search results, for example if other pages link to it.”
Tim: I notice you didn’t put a nofol on that link to that login page. What are you trying to do, improve its page rank so it appears in MORE searches?
Has anyone even looked at this site?
Come on, guys! They don’t want it off the Google-index because it’s all secret but worse: it’s butt-ugly! You need Internet Explorer to correctly see the page, else things look a bit weird. And it has been developed in an Ancient .NET version in a pretty bad way. And it would not surprise me if a hacker gets inside within 15 minutes of experimenting.
But the page… And the Code… Oh, it hurts my eyes so badly! Quick! Close it, forget it, BURN IT DOWN! I agree with them and this should be DMCA’d because no one should be able to see such ugliness…
It’s Geocities all over again…
Robots.txt
Isnt a very bright idea either considering thats where most bots check first in order to see what they should and should noy see. Just sayin……..