Open Source and information security mailing list archives
Date: Fri Jul  7 10:53:14 2006
From: misterfitzy at gmail.com (Patrick Fitzgerald)
Subject: Re: Google and Yahoo search engine zero-day code

I never reply to this mailing list but I feel that this blatant and
unashamed plagiarism should be exposed!  This 'breaking' news by the
n3td3v research branch was written about by Michal Zalewski in his
excellent book, 'silence on the wire'.  Maybe Zalewski is part of the
'fearsome' :) netdev group but I doubt it!

On 7/5/06, Dave No, not that one Korn <davek_throwaway@...mail.com> wrote:
> Denis Jedig wrote:
> > n3td3v wrote:
> >
> >> Today's disclosure involves Google and Yahoo search engines:
> >>
> >> All you need to do is put in the code to a web page, when Google and
> >> Yahoo visit it, then the code exploits the software they use and
> >> makes them start caching 'other' pages. Including 'no index' pages,
> >> where sites have setup a robot text file on their server to protect
> >> corporate and consumer interests.
> >
> > I think you missed the concept here. Whatever is on the webservers and
> > is available to the public is... well... available to the public.
> >
> > It does not help security matters to introduce a robots.txt - the
> > purpose of this directives file is not to secure something but to
> > reduce traffic and keep irrelevant content out of search engines.
> >
> > If you need security, you introduce some kind of authentication
> > *before* access is allowed to sensitive data. You will find that a
> > sign reading "Do not enter and do not steal any gold" will not help
> > much at the Fort Knox entrance if it is the only security measure.
>
>
>   Also, Google and Yahoo *do* respect the robots.txt file and do check it
> for every server they fetch files from, and the whole thing is garbage.  His
> so-called 'example' is a fraud because it shows yahoo caching a page from
> the site mtf.news.yahoo.com, which DOES NOT HAVE A ROBOTS.TXT FILE.
>
>     cheers,
>       DaveK
> --
> Can't think of a witty .sigline today....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
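
Added example, not part of the original thread: the quoted replies argue that robots.txt only steers compliant crawlers and that sensitive paths need authentication before access. This Python sketch audits your own site's Disallow entries against what an unauthenticated request actually receives; the robots.txt body, the status table, the ExampleBot agent and all function names are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt (not taken from the thread).
ROBOTS_TXT = """\
User-agent: *
Disallow: /internal/reports/
Disallow: /admin/
Disallow: /drafts/
"""

# Constructed stand-in for the server: the status an unauthenticated GET gets.
# In a real audit, replace probe() with an HTTP request against your own site.
UNAUTHENTICATED_STATUS = {
    "/internal/reports/": 200,  # served to anyone; robots.txt is the only "control"
    "/admin/": 401,             # authentication enforced before access
    "/drafts/": 403,            # access refused outright
}

def probe(path):
    """Hypothetical probe: status code returned without credentials."""
    return UNAUTHENTICATED_STATUS.get(path, 404)

def disallowed_paths(robots_txt):
    """Collect the non-empty Disallow values from a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def compliant_crawler_skips(robots_txt, path, agent="ExampleBot"):
    """True if a crawler that honours robots.txt would not fetch the path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return not parser.can_fetch(agent, path)

def audit(robots_txt, probe_fn):
    """Return Disallow paths that are still served without authentication."""
    return [p for p in disallowed_paths(robots_txt) if probe_fn(p) == 200]

if __name__ == "__main__":
    for p in disallowed_paths(ROBOTS_TXT):
        print(p, "| compliant crawler skips:", compliant_crawler_skips(ROBOTS_TXT, p),
              "| unauthenticated status:", probe(p))
    print("served without authentication despite Disallow:", audit(ROBOTS_TXT, probe))
```

Any path the audit returns is public regardless of what robots.txt says, and listing it there also advertises its location.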
