Not sure, but they need to do something.

I don't think they do. Hackers have used search engines for ages to search for websites that are vounerable because they haven't been patched properly or whatever.

It isn't the search engines' fault that people don't know how to secure their servers and sites... People just need to start investing more in security.

the fact remains that the security flaw exists and can be found _with or without_ the cache. the only difference is that the site supposedly is not informed of the attempt (forgot about the images and stylesheets etc still coming from server?). google doesn't decrease security at all.

>>Not sure, but they need to do something.

Sorry, I meant from a PR perspective. It is up to the webmaster to secure thier site. Hackers will find the information if they want to.

These are hardly mainstream rags, I don't think they're likely to cause a mass exodus to other SE's

other SE's

Other SE's than Google? Where? Surely not. ;)

Google are unlikely to worry about this - hackers can use other search engines as well to find this info (or their address bar). It isn't as if Google created a hacker toolbar or something.

I would hardly call the NS a rag :)

WRT Metro, they have coverage to the public and that counts. If it appeared in the FT in some oscure section I cant see it causing any great "panic" but Metro is all over the gaff with a big reading public.

I found this on my travels, can put a date on it but

Metro (London) remains the largest free regional morning with a distribution of 375,328

More than enough web using public will get that, and that is London only, I got this in town near Birmingham.

I understand where you are coming from Ukgimp, we discussed a similar thing about Joe publics perception of the word Spam on SE forums.

To me spam is and always will be UCE but google decided to to call hidden text and anything which is dark seo as Spam.

Search google for spam it does mention hidden text in fact the serps return mainly site about UCE. So when webmaster world members post about spam joe public think we are talking about UCE and not hidden text, it puts WebmasterWorld in a bad light just the same has headlines like "google aids hackers"

Joe public starts saying things like I read if you use google people can hacker you site or computer.

DaveN

Given that site security is NOT being affected by Google, this story will simply blow over. It says more about the rag printing it than it does about Google.

Kaled.

Dont underestimate "The Rag" [univ-pau.fr]

"It's the Sun wot won it"

I too am familiar with 'The Metro' on the number 16 bus into Hockley. Most of them end up littered all over the place so it's not taken all that seriously.

Maybe google makes the work shorter for hackers, but not easier. As the same way they can inspect the cached pages in google, they can enter once the website and copy it partially to the hard drive to work off line. Many users do this to access the page while they are not connected to internet (oh, yes! The mortals are not like the webmasters. they are not always on-line ;)), and not many webmasters suspect when this is done. But google does not help hackers (nor any other reverse-enginyers that are not hackers) to find security holes in remote systems. The webpages that are cached in google do not use to contain interesting information for a hacker (unless it is the cache of a hackers' site ;)). So don't worry by this. If a hacker is able to enter your system, s/he will be able to do it with our without google; and in any case you will notice her/his "visit".

A major german magazine "spiegel online" (a reputable one, too, though mostly on political/social topics) also ran the story. Interestingly they've had one or two "anti-google" articles in the last couple months, which for knowledgable folks are just laughable.

I still can't see how it is "aiding hacking", if you are into security by obscurity there may be a little chance under some rather unlikely circumstances(*) someone who wanted to hack your site, might have a slight advantage. Although removing the cache feature would not stop anyone. The german article also said:

Die dort abgebildeten Seiten sind weitgehend funktionsfähig, das Vorhandensein vieler Sicherheitslücken lässt sich schon anhand des Caches überprüfen. Das gibt dem Cracker eine Gelegenheit zur "Generalprobe": Der am Ende erfolgende Angriff ist dann zielgerichteter und schwerer zu bemerken, als wenn ihm eine Phase des "Stocherns" vorausgeht.

which roughly translates to

The [cached pages] are mostly functional, the existence of many security holes can be confirmed via the cache. This lets the cracker rehearse the attack: The finally successful and real attack will be more "on target" and harder to notice, because no poking around on the real site will be necessary.

That is pure and plain FUD. Nobody can run rehearsal attacks on cached pages; they are not "mostly funtional", it's plain html. There must be a couple journalists that are either really dumb or really dangerous, spreading targeted paranioa like that.

RE: unlikely curcomstances(*):
The only scenario where the cache would be useful that I can think of is this:
1) the site is using a widely known application on the webserver AND
2) an exploit has been published AND
3) instead of fixing the hole, you try to "cover it up" by making it look like your site is safe, e.g. by changing version numbers, de-linking those pages etc. AND
4) The attackers are checking google in the few weeks between you making the changes, and google updating the cache.

[Without 3+4 any and every searchengine w/o cache will achive the same]

It's just ridiculous trying to make an actual story out of this.

When you look at the Google cache your visit is NOT invisible. You cannot hide.

The external CSS, external JS, and all of the images are still pulled from the real live domain.

<<Some geezer called Danny Sullivan tells it more like what it is, that Google can aid the hacker as well as the user.>>

"Geezer"?

That article is silly.

You can't "hide" your visit by using the Google cache.

>>That article is silly

We know that, but your average web surfing geezer (i'll get to that :)) will just assume the worst. If you read something whether it is true technially or not, in a well distributed newspaper a lot of people will believe it. That is the point I am trying to make, that public perception can make big difference whether it is true or not.

>>Geezer

a slang phrase for a bloke :), as in he's a bit of a geezer, lad, jack about town etc. You can also be an "old geezer" but that is a little different. You gotta loove the English language and all our slang :)

If you are having problems with the words some of us British chaps use :)

www.peevish.co.uk/slang/g.htm (the second definition is where is was)

Why does this affect the surfer, it's more a concern - if anything - for webmasters!

This is a mountain out of a molehill - Anyone readin that article - if anyone did, bar interested webmasters/SEO's - will have already forgotten about it... fish & chips wrapping paper 'n' all that.

If the BBC and the New Scientist are covering it and with most threads here getting a good ranking the public will find it if they want, so its not just the Metro that will carry news of it.

Craig

twp

If you dont wish to belive that untruths can and do have impact take a look at this:

www.ojr.org/ojr/glaser/1059692646.php

This is the most unpolitical one I can think of or is not close to monster can of worms in subject matter. It was a blatant lie but somehow got onto TV. Factor into a story about being hacked and you can see how far something "could" go.

Cheers

google aids everyone, including hackers. if say a cms developer issues a bug alert a hacker could download the cms onto their own machine, check out the exploit/vulnerability on their own system, then use google to search out websites that use that cms. in all likelihood there will be lots of websites that haven't applied the fix and the hacker can hack to his hearts content.

in all likelihood there will be lots of websites that haven't applied the fix and the hacker can hack to his hearts content.

This is what I said in my post - but I also mentioned that it isn't the search engines that are responsible for updating the CMS systems of the websites that they index.

What are they on about?

Even IF the Google cache didn't show anything in the server logs, when a cracker (hacker is the wrong word IMO but I know it is not for some) viewed a page on the site how does that alert an admin to him being a cracker anyway?

'Look Janice someone from xxx.xxx.xxx.xxx viewed our homepage today, we'd better be careful it looks like a cracker to me....' hmmmm...

These are public pages which anybody could be viewing all the time anyway.

Complete rubbish unless I'm missing something.

I think, in common usage, a cracker works on local software trying to get past registration lockouts, etc. whilst a hacker works with networks trying to get past security, etc. I tend to use the terms interchangably but I think they used the right term in the article.

Frankly, I don't think this is even a storm in a teacup. More like the flap of a butterfly's wings in a concert hall.

Kaled.

PS
Please, no chaos-theory-nonsense in reply.

Anyone find the old thread from 2000? Same story - different year...

[news.com.com...]
[vnunet.com...]
[internetnews.com...]
[wired.com...]
[kilwinning.org...]
[foi.missouri.edu...]

Every year around summer unskilled journalists who still have to prove that they are worth the monthly paycheck see their sources for news disappearing for a while, as governments and companies embrace the holiday season. Then, they have to (*) dig up something, make up something, or just write about minor news, ie. bathwater temperatures or cucumber sizes.

/claus

---

(*) added: unless they want do do some research and write real stories of course.

Ok, let's get some perspective on it; It's been nigh on a week since this was (again) reported... Has anyone got a reliable damage assessment, GoogleGuy?

First, I wan't to defend the art of hacking:
A hacker is not a cracker. A hacker is only a curious person that enters systems only to make a sunday afternoon lightier or to take a look to an interesting connfiguration, like a kender. A cracker is a @#$%& that enters a system and trully atacks it: takes and sells private data, harms the system, etc. like a thief.
So don't use the word hacker to speak about crackers nor take the hackers as if the were crackers. Thanks :)

And now, returning to the topic, it has been said too many times:
A hacker or cracker that wants to enter some site can use the google cache, of course. But what use is this? If she/he does not use the cache, the hacker or cracker will do the same "noise" that a random surfer or an interested visitor. Even, going further, the cache is not allways up to date. A cracker could find holes inthe cache that are not longer in the "true" site and, when trying to enter thru them, get caught. So, if a site is well maintained and frequently checked, then google cache can even be a trap for crackers and undesidered visitors.

Herenvardö

Why stop at hacking?

Google aids organized crime! It finds restaurants and bars within the gang's area, so they can be visited with threats and extortion...

Google aids terrorists! It provides maps to vulnerable targets, and schedules for hijackable airline flights.

Google aids telemarketers! It provides access to phone numbers.

Google aids Republicans! It provides access to companies who are potential donors.

This is stupider than stupid -- this is ... JOURNALISM. <rant>Reporters who probably have trouble finding the ANY key, who flunked out of 5th grade arithmetic and never even HEARD of formal logic, trying to explain technical details with no tools except a glib command of grade-school grammar and the unshakeable confidence that can only come through total, intractable ignorance of the entire scientific and technical history of the last 6 millenia.

You all seem to be missing my point. I know the article is horse but Joe Public who does not have our technical know how does not. Articles like this can and do influence the public. The Sun in the UK is hardly a top class newspaper, but it s contents are widely read and widely believed. Now add that sort of coverage to a few repected publications (New Scientist)and you have fuel. The article may be re writtent para phrased plagiarism but it is still out there and that was all I was trying to get across, not a critique of how technically correct the content of the piece is.

Cheers