Date: Tue, 30 Sep 2008 17:55:18 -0400
From: "Eliah Kagan" <degeneracypressure@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [inbox] Re: Supporters urge halt to, hacker's,
	extradition to US

I wrote:
>> When a http indexing bot (like those used by Google, for instance)
>> comes upon a hyperlink into a page that is http authenticated, does it
>> follow the link and try a blank password, or does it not follow the
>> link? Is there some accepted standard for that?
>>
>> If it is considered acceptable to assume that access is permitted to
>> any system that doesn't have passwords set but present http
>> authentication, it would be hard to argue that other forms of
>> authentication are different. Of course, having gained access, making
>> deliberate modifications, however slight, would be illegal.

n3td3v wrote:
> All you do is give Googlebot the password and hey presto! Read below:
>
> https://www.google.com/adsense/support/bin/answer.py?answer=37081

Yes, but what I'm asking about is what happens if the Google bot (or
other bots) are indexing and come upon a hyperlink, which otherwise
would be followed, of the form:

http://someone@[subdomains.]somewhere.tld

Does it then try the null ("") password to authenticate, or does it
stop there? Would it be considered computer fraud to try the null
password in this situation?

This is not necessarily a page of a Google AdSense customer. It could be anything.

Isn't this what happened to make a whole bunch of Papa Johns'
corporate emails public via the Google cache? (And nobody pressed
criminal charges against Google developers...)

-Eliah

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
