Wednesday, 23 February 2011

Hiding in Plain Sight

As a reader of the 'Risks' magazine, I just received the new 'Risks Digest 25.56' (you can find it here) and found an interesting article about one of my favorite topics in it.

(Date: 2009-02-20-10:52)

Here is the posting:

Date: Thu, 19 Feb 2009 12:05:44 -0500
From: Jeremy Epstein
Subject: Hiding in plain sight

I recently started working on a project that has a * in the middle of its
name - think of GM's On*Star as an example. Google (and other search
engines I tried, including Microsoft Live, Yahoo!, and Lycos) all treat the
* as a wildcard, and don't allow wildcard escaping.

Now On*Star isn't hard to find with Google, because the words "on" and
"star" rarely appear together except in this context. But if you take two
other words that frequently occur together, put a * between them, and then
try to find references to that unique term, you won't get very far. For
example, stimulus*package would not be a good name, nor would high*tech.

It's not clear to me whether the people who started this project knew that
their project name would make it effectively impossible to find the project
and either did that intentionally or didn't care, or whether it's a
happenstance that is now a problem. But in any case, it's a way to hide in
plain sight - any websites they have can be indexed by robots, but won't be
found by searchers.

The risk is the interaction between name selection and search engine
operation. If someone deliberately picks a name this way, and then the
search engines change their behavior, the value (anonymity) instantly
disappears. The classic security problem of a distributed system with
uncoordinated security policies....
