"for official use only" or "U//FOUO" brings up interesting results, the pdf "U//FOUO Sovereign citizens extremist ideology" by the FBI was a good read so were all the Interpol recent internal reports about all their weapons that have been "misplaced" or stolen.
I seem to remember that they were using it to punish out-of-date browsers. But since I'm getting it with up-to-date Chrome, it doesn't seem to be very well targeted.
Uh. Unless I'm mistaken, that particular inmate pleaded guilty and was convicted of 937 various counts raised against him, including murder and rape. He kidnapped three women (in 2002, 2003 and 2004) and kept them imprisoned in his basement for nearly 11 years during which time he did horrible, unspeakable things to them.
Alright, I'll bite. People like this guy, serial killers, malignant sociopaths operate outside of society's morality borders that you're talking about. How can we possibly evaluate them within them?
IANAL, but typically CFAA violations revolve around crafting special URLs, as in a forced browsing attack. Simply following a URL is, AFAIK, not (yet) a crime.
Intent is key, not the technical approach. If you're intentionally trying to access files you clearly aren't intended to be accessing, you're probably guilty of unauthorized access.
This is pretty interesting. One did say "Not for Public Release UNTIL", so could presumably be intended, but in a lot of cases webmasters probably didn't think something would be found and indexed by Google wherever they put it. And were wrong.
This is a great example of the house of cards all our network systems are built on top of.
Imagine this scenario: you maintain a network of web servers, database servers, file servers, etc. They all combine to generate a large website used by tens of millions of users every month. One day you are just doing a cursory look over a certain server, but you see something strange. Someone is logged in to your server. And they have a Russian IP address.
What do you do? Obviously, the first step is to log in to your edge routers and null route all of Russia. GTFO. Next, you've got an idle session on one server. What were they doing?
How can you reconstruct what they were doing? bash history? maybe. Network forensics? Your network probably isn't recording every historical connection between servers—99.9999% of the time useless—but critical in this case. File system access? Your file system probably isn't logging every historical access—useless 99.99999% of the time—but would be really freaking useful in this case.
So, you investigate their history, double check some database logs, check netstat, check lsof, and in the end, you really have no idea what they were doing at all. Our systems don't leave enough breadcrumbs around to reconstruct even interior hostile activities, much less semi-intelligently stop Google from indexing confidential information when it is accidentally left exposed.
WRT detecting Google doing indexing, it's actually trivial. Web server logs will clearly show Google's web spider(s), and if you want you can set some monitoring (lots of methods here, all the way up from a cron job running a grep).
I can't remember the quote exactly, but if you're reacting to a breach it's too late.
Obviously this case is detectable, but it's detectable after it happens since permissions weren't correct in the first place.
Who keeps web logs these days? It's all spyware javascript tracking for pretty graph printing.
Plus, any notifications depend on actually instrumenting any monitoring or triggers or processing to even notice your "sensitive" content has been accessed out of context.
(and this is just web stuff. imagine how impossible it is to track who forwards your confidential emails or other internal documents around without your permission.)
> Who keeps web logs these days? It's all spyware javascript tracking for pretty graph printing.
Anyone who needs records of what has been accessed, so larger companies and organisations.
> Plus, any notifications depend on actually instrumenting any monitoring or triggers or processing to even notice your "sensitive" content has been accessed out of context.
Yup. Hence a cron job automatically emailing its result (crude (or simple?) but it would work).
> (and this is just web stuff. imagine how impossible it is to track who forwards your confidential emails or other internal documents around without your permission.)
I don't have to imagine that. This is why DRM exists; document/knowledge management systems should have the ability to allow access to information but not further dissemination. There's still the user education aspect though (and users don't like change...).
Oh, and the insistence on wanting to use external services like Dropbox... gah. "But, but, everyone else uses it!"
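The crawler check the two comments above describe (look for the spider in the web server logs, have a cron job mail the result) as an added example that is not part of this thread: a Python script that parses combined-format access log lines, flags successful crawler fetches of paths that should never be public, and prints a report that cron can mail. The log lines, the crawler User-Agent markers and the "sensitive path" patterns are constructed for illustration and are assumptions to adapt to your own site.

```python
#!/usr/bin/env python3
"""Flag search-engine crawler fetches of content that should not be public.

Run from cron, e.g.:  python3 crawler_audit.py < /var/log/nginx/access.log
Added illustration; the sample lines and patterns below are constructed, not real data.
"""
import re
import sys
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings of the crawlers we care about (assumption: extend for your site).
CRAWLER_MARKERS = ("Googlebot", "bingbot", "DuckDuckBot")

# Paths a crawler should never be able to fetch successfully (assumption: site-specific).
SENSITIVE_PATTERNS = (
    re.compile(r"^/internal/"),
    re.compile(r"^/uploads/.*fouo", re.I),
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_crawler(user_agent):
    """Self-reported check only; see the note below about verifying the source IP."""
    return any(marker in user_agent for marker in CRAWLER_MARKERS)


def is_sensitive(path):
    path = path.split("?", 1)[0]          # ignore the query string when matching
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def find_crawler_hits(lines):
    """Group successful (2xx) crawler fetches of sensitive paths by requested path.

    Non-2xx responses are skipped: a 403 or 404 shows the crawler probing, but
    nothing was served, so it is not a leak.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_crawler(rec["ua"]):
            continue
        if not rec["status"].startswith("2"):
            continue
        if is_sensitive(rec["path"]):
            hits[rec["path"]].append((rec["ts"], rec["ip"], rec["ua"]))
    return dict(hits)


def report(hits):
    """Plain-text summary, one block per leaked path; empty string when clean."""
    out = []
    for path, events in sorted(hits.items()):
        out.append(f"{path}: {len(events)} crawler fetch(es)")
        out.extend(f"  {ts} {ip} {ua}" for ts, ip, ua in events)
    return "\n".join(out)


# Constructed sample traffic (not real log data); the bot UA strings follow the
# published Googlebot/bingbot formats.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2015:06:12:01 +0000] "GET /internal/reports/q1-budget.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Mar/2015:06:12:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Mar/2015:06:13:10 +0000] "GET /internal/reports/q1-budget.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
66.249.66.2 - - [10/Mar/2015:06:14:00 +0000] "GET /internal/drafts/threat-brief.docx HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.5 - - [10/Mar/2015:06:15:22 +0000] "GET /uploads/FOUO_briefing.pdf?dl=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    text = report(find_crawler_hits(source))
    if text:
        print(text)
        sys.exit(1)   # non-zero exit so a cron wrapper can alert on it
```

Two caveats for anyone running this for real. The User-Agent is self-reported, so a hit here tells you "something claiming to be Googlebot fetched the file"; before drawing conclusions from the IP, confirm it with Google's documented method (reverse DNS of the IP resolves under googlebot.com or google.com, and the forward lookup of that name returns the same IP). And, as noted further up the thread, this only tells you after the fact that the permissions were wrong; the content has already been fetched and possibly cached by the time the cron job mails you.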
But we live in a new world. A world of BYOD and now, in 2015, Bring-Your-Own-SaaS. Employees put content up on company platforms, on third party platforms, on high heel platforms.
The problem of solving data privacy at a _competent_ level across every organization is intractable with so many "just do whatever you want" vibes in the air.
Now, that obviously doesn't happen everywhere, but it happens everywhere until it doesn't. Biggest offenders are usually non-technical offices: sales using 8 hosted platforms for metrics, email, surveys, project management, job hiring, etc. All impossible to actually control at any sane level outside of 340 UI clicks of the mouse across webby webby land.
tl;dr give up and go live in a cave for the next 30 years until all this gets sorted
When you decide to buy something for $x instead of paying someone who knows what they are doing to implement something with proper standards for $5x, it shows on things like this.
They should at least have set an owner password for these documents. (In practice, it is not effective at preventing people from disregarding the limitations you set on the document, but at least it will exclude the documents from indexing, at least by Google.)
If the results are identical, then who cares? If it's just a matter of saving five keystrokes, I wonder if your 60-keystroke comment was a good use of time...