Police To Google: Make Our Site More Secure By Delisting It

from the how-not-to-fix-anything dept

Having trouble keeping your secure website secure? Why not try a DMCA takedown request?

Of all the things DMCA takedowns have been used for (mainly removing infringing material, censorship), I've yet to see one deployed as an ad hoc extension of a cop shop's IT department.

The Idaho State Police would apparently like Google to forget all about its publicly-accessible login page for its evidence database.

We have a private login page that is not on any internet webpage. It is law enforcement sensitive and we are trying to minimize the attempts to hack the site. We would appreciate Google not indexing the site. https://ilims.isp.idaho.gov/prelog/LIMSPrelog/
It's still indexed, although you have to perform a very specific search to see it. The URL takes you to the login page for access to its LIMS (Laboratory Information Management System) database. That's it.


It's not the only page of its type accessible via a Google search. Login pages for law enforcement agencies from York County (South Carolina), Westchester County (New York), Kansas (Criminal Justice Information System) and Minnesota (Dept. of Public Safety) can all be accessed using "LIMS" "prelog" or other related terms. If you'd like a copy of Porter Lee's "Crime Fighter BEAST" software -- which most of these databases utilize -- the Alabama Department of Forensics has a handy download link on its website. (Not that you can do anything with it but attempt to log in...)

A DMCA notice is not for removing pages you'd rather Google didn't index. It's for taking down infringing content. Beyond that, simply delisting the link will likely have no noticeable effect on hacking attempts. The page will still be accessible from the web -- and that's the main problem if the Idaho State Police are looking for a more closed/protected system. (And it doesn't help that the login screen indicates Internet Explorer and Adobe's PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.) It appears a blanket disallow was added to the site's robot.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.

Google appears to have ignored the request, which is how it should be. This has nothing to do with copyright and everything to do with people thinking DMCA takedown notices are the best hammer for every nail they come across.

Filed Under: censorship, copyright, dmca, idaho state police, lims prelog, security, takedown


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 17 Feb 2016 @ 11:50am

    "although you have to perform a very specific search to see it."

    Bet it's going to be quite a bit easier to find now after they made such a big deal in trying to hide it. Idaho State Police meet the Streisand effect!

    reply to this | link to this | view in chronology ]

  • icon
    TheResidentSkeptic (profile), 17 Feb 2016 @ 12:02pm

    And bonus points

    if the default admin account/password are still in place.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:04pm

    Haven't they heard about robots.txt, which just about all search engines respect as a means of keeping pages out of search indexes?
    Perhaps they have the same IQ requirement for I.T. staff as they have for police officers!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 12:11pm

      Re:

      I think explaining to them how a robots.txt file works is a little above their heads when they don't know the the difference between public and private.

      reply to this | link to this | view in chronology ]

      • icon
        hij (profile), 17 Feb 2016 @ 12:13pm

        Re: Re:

        It is too late now. The only hope is to start singing "The Way We Were," and hope it all goes back to the good old days before the URL has been splattered across the web.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 12:35pm

      Re:

      Besides, you are looking to shallow. Whether it's listed or not ISN'T the problem. The problem is that they don't understand what a "Internet web page" actually is. What they really need to accomplish what they want is a VPN. But this is what happens when you put hire someone for a job like that that likely thinks Google is the Internet.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 1:59pm

      Re:

      They haven't heard of streisand.txt, either.

      reply to this | link to this | view in chronology ]

    • identicon
      David, 17 Feb 2016 @ 3:47pm

      Haven't they heard about robots.txt, which just about all search engines respect as a means of keeping pages out of search indexes?


      Did you actually read the article?

      It appears a blanket disallow was added to the site's robot.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.

      reply to this | link to this | view in chronology ]

    • identicon
      JBDragon, 17 Feb 2016 @ 5:05pm

      Re:

      I was going to say the same. Really, who at this point in time doing web pages doesn't know about the simple to use robots.txt file?

      Google and all the other search engines won't list the site in the first place. All these company's and people complain about Google listing them, linking to them whatever and all they had to do was a simple txt file and their problem is no problem at all. This is like Web page design 101. Web Page Design for Dummies!!!!

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 17 Feb 2016 @ 5:11pm

      Re:

      Robots.txt might be a bit underpowered for their needs. However, they can do server-side checking of traffic sources and create more effective blocks.

      But honestly -- they're off on the wrong foot in the first place. They shouldn't have such sensitive access points open to the web at large at all. Don't they have a VPN?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 18 Feb 2016 @ 6:45am

        Re: Re:

        Exactly. But really, if they don't realize the difference between public networks and private ones, do you really expect them to know what a VPN is much less have one?

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 18 Feb 2016 @ 10:10am

          Re: Re: Re:

          I know, but I would have hoped that even if they don't think it's worth the money to maintain a competent IT staff, they're at least be willing to fork over a few grand to have a contractor set things up properly.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:08pm

    "We have a private login page that is not on any internet webpage."

    /facepalm

    Uh... yeah it is. If it weren't it wouldn't be publicly accessible. Perhaps this give some insight into why law enforcement seems to have a bad habit of invading the privacy of others. Could it be that they don't know what the word "private" actually means afterall?

    reply to this | link to this | view in chronology ]

    • icon
      Cdaragorn (profile), 17 Feb 2016 @ 3:18pm

      Re:

      I couldn't stop laughing reading this. I wonder of someone put the page up in the folder and just doesn't understand that the entire folder structure will be made available on the internet.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:15pm

    SSL Labs grades the site an "F"

    I guess they better work on their server configuration ;-)

    No wonder they don't want anyone hacking away.

    reply to this | link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 17 Feb 2016 @ 12:23pm

    (And it doesn't help that the login screen indicates Internet Explorer and Adobe's PDF reader are both needed to make full use of the siteā€¦both of which have their own security issues, especially the latter.)

    Anyone still using either of those in 2016 should be put up against the wall with the Marketing Division of the Sirius Cybernetics Corporation.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:27pm

    Some moron probably caused it to be indexed...

    By typing the URL into a google search (which I watch a staggering number of people do), they probably caused it to be indexed initially.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 12:40pm

      Re: Some moron probably caused it to be indexed...

      That would be "Officer Moron" to you...

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Feb 2016 @ 12:46pm

        Re: Re: Some moron probably caused it to be indexed...

        If Idaho is like Texas THAT comment would put you in a world of hurt. State Police (in Texas that's the DPS) don't consider themselves "Officers." They are "Troopers" and expect to be referred to as such.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:30pm

    These are the kinds of mistakes made by people who do NOT understand technology, who do not understand how browsers and bookmarks work. These are the same people who do a Google search for EVERY SINGLE PAGE the load. The problem with idiots is that they drag you down to their level then beat you with experience.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 12:36pm

      Re:

      I have seen in person the fabled "search for google in the browser search bar to bring up google, then search for youtube", and the darkness stared back.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 12:43pm

    Security through obscurity. While that may work for your standard users, it won't have any effect on the hackers they are trying to stop.

    reply to this | link to this | view in chronology ]

  • icon
    ArkieGuy (profile), 17 Feb 2016 @ 12:47pm

    Let me google that for you....

    Curiously enough, when you do a google search on that url, it shows up on a few pages - including the "Idaho State Police Forensic Services" home page. Hmmmm, maybe that's how Google found it.

    http://bfy.tw/4JUe

    At this point, about all they can do is change the url and make sure that the robots.txt is correct before they publish the new url. ;)

    reply to this | link to this | view in chronology ]

  • icon
    Keroberos (profile), 17 Feb 2016 @ 2:26pm

    Someone doesn't understand how "robots.txt" works.

    It will not block indexing if some other site links to that URL. They should be using the robots meta tag in the HTTP header of that web page and all other pages they don't want indexed.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 Feb 2016 @ 2:35pm

      Re: Someone doesn't understand how "robots.txt" works.

      Why not move it to an to a real private network that is only publicly accessible through a VPN so the Google indexing point is moot?

      reply to this | link to this | view in chronology ]

    • identicon
      Oninoshiko, 17 Feb 2016 @ 2:38pm

      Re: Someone doesn't understand how "robots.txt" works.

      or, you know, not put the thing on the open internet...

      but what do I know?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 3:29pm

    Police: "Don't be evil Google. Protect our website from bad guys using Internet Explorer."

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 17 Feb 2016 @ 4:15pm

    Security via Obscurity

    The amount of evidence being presented to my suppositions is making the case for them being real.

    Google = Internet.
    We hired a cousins nephew who set the clock on the VCR to setup our website. You mean OTHER people can find it on the internet?! Quick make Google fix it.

    Someone with some free time want to submit a FOIA request to find out how much cash was kicked back from the idiot who set this up? I'm willing to bet millions were and continue to be spent keeping this trainwreck rolling.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 4:53pm

    So - LEOs are going dark?
    lol

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 5:06pm

    The silly part here is that they use a *DMCA* request. DMCA deals with copyright. It's not a catch-all "we want this taken down" mechanism.

    To be fair, the rules on what you must do to de-list a page are not intuitive. On the other hand, they are easily googleable:

    "Important! For the noindex meta tag to be effective, the page must not be blocked by a robots.txt file. If the page is blocked by a robots.txt file, the crawler will never see the noindex tag, and the page can still appear in search results, for example if other pages link to it."

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2016 @ 5:08pm

    Tim: I notice you didn't put a nofol on that link to that login page. What are you trying to do, improve its page rank so it appears in MORE searches?

    reply to this | link to this | view in chronology ]

  • icon
    Lisa Westveld (profile), 18 Feb 2016 @ 1:01am

    Has anyone even looked at this site?

    Come on, guys! They don't want it off the Google-index because it's all secret but worse: it's butt-ugly! You need Internet Explorer to correctly see the page, else things look a bit weird. And it has been developed in an Ancient .NET version in a pretty bad way. And it would not surprise me if a hacker gets inside within 15 minutes of experimenting.
    But the page... And the Code... Oh, it hurts my eyes so badly! Quick! Close it, forget it, BURN IT DOWN! I agree with them and this should be DMCA'd because no one should be able to see such ugliness...
    It's Geocities all over again...

    reply to this | link to this | view in chronology ]

  • identicon
    JamesK, 20 Feb 2016 @ 4:43pm

    Robots.txt

    Isnt a very bright idea either considering thats where most bots check first in order to see what they should and should noy see. Just sayin........

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.