Those of you who shudder over my aggressive adoration of "security by obscurity" will cheer the article in the Register that reveals the latest on-camera bloopers.
It seems that thousands of webcams (little cameras for PCs) install and open up webservers by default. Now, this is a fine thing to do if you can keep your webserver "hidden" from view. (That's what we mean by security by obscurity!) But recall that google and/or others have been shipping spyware tools that capture secret URLs from chat sessions and email sessions, and then forward them to search engines! Well, it was only a matter of time before someone figured out a way to search google for all those secret cameras ...
Suddenly, the age old trick of using a secret webserver or URL to distribute a private document no longer works. Whoops. Security by obscurity just flipped that trick on its head.
But, let's not throw out the baby with the bathwater. Anyone using that trick should have known that they were taking a risk. Now we know the risk is dramatically enhanced by spyware snaffling secret URLs. So, stop doing it. But, while it lasted, it was a good trick, and it saved lots of people lots of costs.
Oh, for the victims - those companies shipping the webserver camera setups that are unsecure by default - well, you deserve to be embarrassed. And the people spyed upon by the bloggers ... consider the greater good of teaching us how to secure our world as your compensation. And let's hope you weren't doing anything too embarrassing.
Posted by iang at January 10, 2005 09:37 AM | TrackBackIt's not so sudden - do you remember the case of that Swedish company that put up their quarterly data report on the website and named the file after the same scheme as the old ones? They didn't link it, but apparently someone at Reuters was clever, pulled the file down and published the data...
Posted by: Axel at January 10, 2005 10:14 AMRight! In fact I think the spyware thing broke about 3 months back, but to be honest I didn't have time to go scarfing back for links. The reason I say "suddenly" even though it's been going on for a while is that I used the trick this morning and I should know better ;-)
Posted by: Iang at January 10, 2005 10:30 AMWhat is the spyware tool that Google has shipped which captures secret URLs from chat sessions and email sessions, and then forwards them back to Google?
Posted by: Cypherpunk at January 10, 2005 02:11 PMHi Cypherpunk,
to be honest I couldn't recall the details. ah here we go, Google got a Big Brother Award Nomination. Here's an article that puts it in balance:
http://searchenginewatch.com/sereport/article.php/2175251#spyware
Now, I recall another plugin or program (not Google) was also snaffling URLs from chat sessions. But I can't recall who or where or why.
The important thing is not the storm in a teacup over who's being evil and who's being silly, but the effect this has on the overall security assumptions that we make.
Posted by: Iang at January 10, 2005 02:46 PM