back to article cDc automates Google Hacking

Infamous hacking group the Cult of the Dead Cow (cDc) has published a tool that searches for vulnerabilities and private data using carefully-selected Google search queries. The process of so-called Google hacking is already well known, largely due to the efforts of Johnny "I Hack Stuff" Long, whose presentation on the subject …

COMMENTS

This topic is closed for new posts.
  1. Tim

    l33t d00dz

    These guys are so cool that they've banned anyone from visting their site if they're using Internet Explorer. What muppets.

    I can't help what my corporate policy forces me to use.

  2. Anonymous Coward
    Happy

    Title.

    With this in the wild, every winbrat with internet access is going to be in possession of "hacking software", actually making that infamous law useless (which is a good thing). And it will incitate terminally braindead webmasters and admins to be a tad more carefull in the way they handle user/customer data (which would be about time).

    OK, still it's just another Windows/.NET thinggie. Why do people use these ugly, unfriendly, counter-intuitive and ressource-chompy pieces of crap anyway?

    I heard that some even pay for that. No wonder that our economy is decaying that fast. Come on people, move to a real operating system. Something that doesn't need at least 20G HD space and 2G RAM, and that ONLY FOR THE OS, would be a step forward...

  3. Solomon Grundy

    Results

    Just for fun I downloaded "Goolag" and it's not much fun. I expected to find lots of interesting tidbits out there but so far I got nothing except "0 results found". Maybe I'm doing something wrong, but it would be nice if it returned something.

  4. Myles Long
    Thumb Up

    Official site

    http://www.goolag.org/

  5. Ru

    In .net's defence...

    It isn't an awful platform to develop in (having done Win32 programming before, which was awful beyond belief). The problem is that it facilities massively sloppy code, which can easily eat an order of magnitude more resources more than needed if an uncaring or lazy programmer lets it. And there are no shortage of those.

    But yes, something a little smaller and cleaner and portable would have been nice.

  6. Anonymous Coward
    Flame

    @Ru

    You got it wrong, mate. How are we going to get that flame war started if you start expressing balanced views that early?

  7. Ru

    @AC

    Ack, I do apologise.

    I'll go away and think about the bad thing I did, and come back filled with malice and bile especially for use on closed-source script kiddy tools, released seemingly as a slightly irresponsible publicity stunt rather than a serious application.

  8. Not That Andrew
    Coat

    @ Anon Coward Re Flame War

    Clearly expressed. balanced views are no barrier to a good flame war!

  9. Anonymous Coward
    Thumb Up

    @Anonymous Coward

    Well i for one welcome it, I have to develop web apps. Fortunately i am a linux user for both desktop and server, but i often have to deal with existing situations which may include (and it hurts to see it) things like IIS, so having a tool from those very funny people at the cDc (aside from their other skills), is a great help. The more known exploits are the more likely they are to be fixed! Also practices in coding that expose these exploits are better known by the masses of website producing than hidden away.

    Get the information out there, its best in the long run!

  10. Anonymous Coward
    Dead Vulture

    @Anon. Coward

    Skip the balanced view and aim for the jugular:

    I invoke Godwin's against Ru.

  11. Teh_Vermicious_Knid
    Stop

    @ Ru....

    I think you'll find the goolag app source is fully available on the goolag website.

  12. Anonymous Coward
    Anonymous Coward

    @ Tim

    "l33t d00dz

    By Tim

    Posted Friday 22nd February 2008 17:22 GMT

    These guys are so cool that they've banned anyone from visting their site if they're using Internet Explorer. What muppets."

    It sounds as if you're writing the cDc of as a bunch of clueless muppets but may I suggest you look into their history? They've always been a powerful force in pushing for improvements to internet security, albeit by questionable methods sometimes but there's no denying their aim is good even if their methodology isn't always.

    Similarly, they've always campaigned to improve human rights in countries where there are problems such as China and so on.

    I'm not sure if I misunderstood the tone of your post, but writing them off as l33t d00dz when they've done more for network security and censorship avoidance than you likely ever have, and have been doing it since long before the internet began (23 years now in fact) it seems a bit harsh when they're simply in a different league to the average script kiddie.

  13. Anonymous Coward
    Heart

    Good show

    This is the most polite flame war that I have seen in many a long winter. It's so lovely that civility can prevail in this time of drinkin, muggin and stabbin.

    Good on you all.

  14. Alan Donaly

    Like all tools

    your mind does the guidance, and your hands do the work. I am not sure if this helps any more than just going to Johnny's web site and pulling up his list of embarrassing files he and others have accessed via Google. it's quite extensive.

  15. F Seiler

    re in .net's defence...

    Just wanted to add it's not win32 programming that is ugly, it is MFC/AFX. If you leave that out and work only directly with the windows API calls from plain old C/C++ with "only" windows.h as link to the windows stuff its actually decent. Just don't get sucked into microsofts define hell and those "CSomething" classes.

    Ofc above i'm not talking about placing buttons ("GUI design") here, but for that too other tools exist than MFC, or dot net for that matter. I think dot net's GUI tools are quite nice to the programmer, but that's exactly the problem - make a shitty environment and make it easy on the place-button-write-handler programmer so we get all the little tools running only in this tar pit because the programmer went the easiest route for her.

    (oh, yes, i finished my coffee, and no, i didn't bring a coat (say hi to spring=))

  16. Pierre
    Paris Hilton

    Hands and mind

    Now that you mention it, I realize that I have 2 hands and only one brain. What-ho-what am I gonna do with this extra hand???

    Paris might have a clue...

    Coat, hat and KY

  17. DR

    @@Time (AC)

    Yes they are l337 doodz, and acting like kids.

    nobody denied that they done loads for security.

    but both IE and firefox have bugs, an holes and security fixes.

    and the fixes are rolled out at roughly the same speed. and massive holes in both have gone unfixed in the past for ages on both browsers.

    the point is that when they act like the little script kiddie bratz saying stuff like firefox is so cool, and you need to use it, and if you use IE we won't even let you use our site...

    that's when they loose credibility

  18. toby

    using this may be illegal

    i love cDc to bits and the world would be a much poorer place without them. its also great to see them back in the news!

    i belive this is a good tool in that it gives anyone who manages a website a chance to see if their ass is hanging out - that cant be a bad thing.

    however, regardless of what you think of cDc, using this tool in the uk on a domain you are not responsible for may be illegal.

    there's a very good, brief article here :

    http://www.heise-online.co.uk/security/Google-scanning-is-it-legal--/features/110089

  19. Anonymous Coward
    Coat

    @DR

    Yep... and once the credibility gets loose, there's no telling what it'll do.

  20. Pierre
    Boffin

    @TR about credibility

    *ahem* since when IE and firefox are the only browsers available out there?

    Talk about credibility...

    The fact that IE repetedly won the award for the unsafest browser ever might also been taken in consideration. Plus, the fact that it's bundeled with Win, wich itself is force-fed to the masses via deals between MS and computer-makers, whereas any other browser has to be choosen deliberately (OK, let's exclude Safary for this one) leads to a logical conclusion: people using IE are more likely to be totally clueless about security.

    Actually, though it has more gaping security holes than any other browser that I'm aware of, IE is probably not THAT bad. You just need to be extra-careful when using it. The problem being that most people using it are just clueless (force-feeding etc... see upper). (an other problem of course is it's "funny" way of parsing HTML, but since when would MS be standard-compliant?).

    When bundling a browser with an OS that you force-feed to the masses, you should make it über-secure by default. And IE is by default a total whore, through which you can access the very deep "heart" of the system. Usability, yes indeed. The same way hookers are usable. With the same epidemiologic hazards (not to mention that IE got its new shiny features by actually copying mozilla-derived products).

    So it might be a bit childish from cdc indeed. A bit of a revenge, considering the number of websites that strongly "advise" you to use IE. But still it's ho-so-very justified, security-wise, and it can only make the interwub a better place to be (regarding security AND crappy, standard-uncompliant web design).

    Next step is the ban of every browser other than Links, Lynx, w3m an the like (dillo MIGHT be allowed after a suitable probation period).

  21. Pink

    @DR

    I can get at their site with Internet Explorer. Have they then removed the 'Firefox is so cool' part?

    I am testing this using IE running under Wine on Linux though.

    Just testing now on an XP box. Yep works there just fine too.

    I don't think I'd ever class cDc as acting like script kiddies. And if they wish to block IE then fair play to them.

    For my personal web site I can't be bothered to code for IE (I use CSS but don't bother with */hacks /* for IE and with javascript I do object/function detection but can't be bothered to work around specific IE-isms). I don't actively block it, but it is my site, I'm not forcing anyone to visit or use any particular piece of software.

    How is this any different than a restaurant saying you have to wear a tie? You don't have to go to the restaurant, but if you do want to then they expect you to wear a tie. Do you call restaurants (or anywhere with a dress code) kiddiez?

    By your logic all the sites that code for IE only (and say unsupported browser for firefox et al, Linux et al) then are run by script kiddie bratz?

    I think Firefox is cool, that's my _opinion_. Yours is not that way inclined. I'm glad you are able to think for yourself and make your own decision.

  22. gratte

    gimme a break

    DR - may I politely suggest that UR DOING IT WRONG?!

    IE is certainly NOT blocked on any cDc sites (I'm on goolag.net right now with it, just to check). And if it is, it's a mistake.

    You also seem to have some weird anti-Firefox chip on your shoulder. For the record, I prefer Opera and Safari. More importantly... nobody cares about silly crap like browsers and platforms.

    Cheers,

    G. Ratte'/cDc

  23. Anonymous Coward
    IT Angle

    I read the headline, and I thought...

    ...what the hell do the Centers for Disease Control have to do with IT?

  24. Jim_
    Happy

    On a side note...

    It was kinda funny to see them (cDc) at the 6th HOPE running a T-shirt finger painting booth, I should have bought one...

  25. Ambi Valent

    And i ask myself......

    ...why would anyone not take web security seriously

  26. Anonymous Coward
    Anonymous Coward

    Elucidation needed

    Please could someone explain what "l33t d00dz" and "l337 doodz" transliterate to - and then, probably, what does the result actually MEAN?

    (It sounds as though it ought to be pretty hip, daddy-o!)

  27. breakfast Silver badge
    Boffin

    @Elucidation needed

    You know, AC, l33t d00dz basically means Hax0rs and those who seek to pwn one's interwebs.

    I believe there is often a crossover with those who want to gank people's nubs, though whether there is any scientific proof of this I couldn't say.

  28. Luke

    Re@Elucidation needed

    1337 d00dz-

    Leetspeak-Internet language

    1337 is translated using the "1" as an "L",the "3" as an "E" and the "7" as a "T"

    It is Netz shorthand for "Elite"

    Elite-Leet-1337...

    d00dz is of course "Dude,as with most word/memes here on the tubez it is given the suffix "z",

    You also may see words such as "HaX0r".means hacker

    I R 1337 haX0r

    F335 Mi Ski77z

    Translation- I am an elite hacker,fear my skill...z :)

    I love the internet...

  29. David S

    @Luke

    ...and the internet loves you right back...

  30. Sceptical Bastard
    Coat

    The birth of the glorious revolution

    Quote (snipped):

    "... they've done more for network security and censorship avoidance ... and have been doing it since long before the internet began (23 years now in fact)"

    Oh, I hadn't realised the internet 'began' after 1985.

    I was labouring under the silly notion that ARPANET went live in December 1969, that three networks (ARPANET, Packet Radio Network and the Atlantic Satellite network) connected in about 1977, that the International Packet Switched Service (IPSS) was born in 1978 and that JANET also started in the 1970s. I foolishly believed the whole bang-shoot was more or less complete by the early 1980s and grew steadily until 1992/3 when Tim Berners Lee's nifty little wheeze enabled every Tom, Dick, Harry (and the rest of the great unwashed) to browse p0rn to their heart's content - OK, maybe 'heart' wasn't the exact organ but you get my drift.

    Sorry, getting me coat - the one with 'pedant' stencilled on the back.

  31. Alexander
    Stop

    @luke

    Elite comes form good old days of BBS, and meant the top level of access a sysop could grant you on his board, it then became twisted into L33T by halfwit brigade

  32. Myles Long
    Thumb Up

    Wowie

    > 25,000 Goolag Scanner downloads to date.

    http://www.goolag.org/ | http://www.cultdeadcow.com/

  33. Geoff Mackenzie

    IE blocking

    I prefer a more generous approach; allow users in, but add a warning for their eyes only that their browser is broken and don't allow them to submit bug reports relating to the markup. I don't code for IE any more but I agree that shutting out IE users entirely is a little excessive.

  34. Bob Hoskins

    Nothing new.

    Foundstone did this years ago and better with SIteDigger.

This topic is closed for new posts.