Police To Google: Make Our Site More Secure By Delisting It

(Mis)Uses of Technology

from the how-not-to-fix-anything dept

Wed, Feb 17th 2016 11:38am — Tim Cushing

Having trouble keeping your secure website secure? Why not try a DMCA takedown request?

Of all the things DMCA takedowns have been used for (mainly removing infringing material, censorship), I've yet to see one deployed as an ad hoc extension of a cop shop's IT department.

The Idaho State Police would apparently like Google to forget all about its publicly-accessible login page for its evidence database.

We have a private login page that is not on any internet webpage. It is law enforcement sensitive and we are trying to minimize the attempts to hack the site. We would appreciate Google not indexing the site. https://ilims.isp.idaho.gov/prelog/LIMSPrelog/

It's still indexed, although you have to perform a very specific search to see it. The URL takes you to the login page for access to its LIMS (Laboratory Information Management System) database. That's it.

It's not the only page of its type accessible via a Google search. Login pages for law enforcement agencies from York County (South Carolina), Westchester County (New York), Kansas (Criminal Justice Information System) and Minnesota (Dept. of Public Safety) can all be accessed using "LIMS" "prelog" or other related terms. If you'd like a copy of Porter Lee's "Crime Fighter BEAST" software -- which most of these databases utilize -- the Alabama Department of Forensics has a handy download link on its website. (Not that you can do anything with it but attempt to log in...)

A DMCA notice is not for removing pages you'd rather Google didn't index. It's for taking down infringing content. Beyond that, simply delisting the link will likely have no noticeable effect on hacking attempts. The page will still be accessible from the web -- and that's the main problem if the Idaho State Police are looking for a more closed/protected system. (And it doesn't help that the login screen indicates Internet Explorer and Adobe's PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.) It appears a blanket disallow was added to the site's robot.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.

Google appears to have ignored the request, which is how it should be. This has nothing to do with copyright and everything to do with people thinking DMCA takedown notices are the best hammer for every nail they come across.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: censorship, copyright, dmca, idaho state police, lims prelog, security, takedown

40 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 17 Feb 2016 @ 11:50am

"although you have to perform a very specific search to see it."

Bet it's going to be quite a bit easier to find now after they made such a big deal in trying to hide it. Idaho State Police meet the Streisand effect!
[ link to this | view in chronology ]
- DannyB (profile), 17 Feb 2016 @ 1:35pm
  
  Re:
  Are they aware that there are other search engines? For example, one that looks like a duck but doesn't quack when you visit its page?
  [ link to this | view in chronology ]
TheResidentSkeptic (profile), 17 Feb 2016 @ 12:02pm

And bonus points
if the default admin account/password are still in place.
[ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:04pm

Haven't they heard about robots.txt, which just about all search engines respect as a means of keeping pages out of search indexes?
Perhaps they have the same IQ requirement for I.T. staff as they have for police officers!
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:11pm
  
  Re:
  I think explaining to them how a robots.txt file works is a little above their heads when they don't know the the difference between public and private.
  [ link to this | view in chronology ]
  - hij (profile), 17 Feb 2016 @ 12:13pm
    
    Re: Re:
    It is too late now. The only hope is to start singing "The Way We Were," and hope it all goes back to the good old days before the URL has been splattered across the web.
    [ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:35pm
  
  Re:
  Besides, you are looking to shallow. Whether it's listed or not ISN'T the problem. The problem is that they don't understand what a "Internet web page" actually is. What they really need to accomplish what they want is a VPN. But this is what happens when you put hire someone for a job like that that likely thinks Google is the Internet.
  [ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 1:59pm
  
  Re:
  They haven't heard of streisand.txt, either.
  [ link to this | view in chronology ]
- David, 17 Feb 2016 @ 3:47pm
  
  Haven't they heard about robots.txt, which just about all search engines respect as a means of keeping pages out of search indexes?
  
  Did you actually read the article?
  
  It appears a blanket disallow was added to the site's robot.txt, but all it seems to have done is prevent Google from returning any descriptive information along with the URL.
  [ link to this | view in chronology ]
- JBDragon, 17 Feb 2016 @ 5:05pm
  
  Re:
  I was going to say the same. Really, who at this point in time doing web pages doesn't know about the simple to use robots.txt file?
  
  Google and all the other search engines won't list the site in the first place. All these company's and people complain about Google listing them, linking to them whatever and all they had to do was a simple txt file and their problem is no problem at all. This is like Web page design 101. Web Page Design for Dummies!!!!
  [ link to this | view in chronology ]
- John Fenderson (profile), 17 Feb 2016 @ 5:11pm
  
  Re:
  Robots.txt might be a bit underpowered for their needs. However, they can do server-side checking of traffic sources and create more effective blocks.
  
  But honestly -- they're off on the wrong foot in the first place. They shouldn't have such sensitive access points open to the web at large at all. Don't they have a VPN?
  [ link to this | view in chronology ]
  - Anonymous Coward, 18 Feb 2016 @ 6:45am
    
    Re: Re:
    Exactly. But really, if they don't realize the difference between public networks and private ones, do you really expect them to know what a VPN is much less have one?
    [ link to this | view in chronology ]
    - John Fenderson (profile), 18 Feb 2016 @ 10:10am
      
      Re: Re: Re:
      I know, but I would have hoped that even if they don't think it's worth the money to maintain a competent IT staff, they're at least be willing to fork over a few grand to have a contractor set things up properly.
      [ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:08pm

"We have a private login page that is not on any internet webpage."

/facepalm

Uh... yeah it is. If it weren't it wouldn't be publicly accessible. Perhaps this give some insight into why law enforcement seems to have a bad habit of invading the privacy of others. Could it be that they don't know what the word "private" actually means afterall?
[ link to this | view in chronology ]
- Cdaragorn (profile), 17 Feb 2016 @ 3:18pm
  
  Re:
  I couldn't stop laughing reading this. I wonder of someone put the page up in the folder and just doesn't understand that the entire folder structure will be made available on the internet.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:15pm

SSL Labs grades the site an "F"
I guess they better work on their server configuration ;-)

No wonder they don't want anyone hacking away.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:18pm
  
  Re: SSL Labs grades the site an "F"
  Ah, no wonder it's running IIS/7.5
  [ link to this | view in chronology ]
Rich Kulawiec, 17 Feb 2016 @ 12:23pm

(And it doesn't help that the login screen indicates Internet Explorer and Adobe's PDF reader are both needed to make full use of the site…both of which have their own security issues, especially the latter.)

Anyone still using either of those in 2016 should be put up against the wall with the Marketing Division of the Sirius Cybernetics Corporation.
[ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:27pm

Some moron probably caused it to be indexed...
By typing the URL into a google search (which I watch a staggering number of people do), they probably caused it to be indexed initially.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:40pm
  
  Re: Some moron probably caused it to be indexed...
  That would be "Officer Moron" to you...
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Feb 2016 @ 12:46pm
    
    Re: Re: Some moron probably caused it to be indexed...
    If Idaho is like Texas THAT comment would put you in a world of hurt. State Police (in Texas that's the DPS) don't consider themselves "Officers." They are "Troopers" and expect to be referred to as such.
    [ link to this | view in chronology ]
    - Wendy Cockcroft, 18 Feb 2016 @ 6:17am
      
      Re: Re: Re: Some moron probably caused it to be indexed...
      There's a 2000AD reference in there somewhere...!
      [ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:30pm

These are the kinds of mistakes made by people who do NOT understand technology, who do not understand how browsers and bookmarks work. These are the same people who do a Google search for EVERY SINGLE PAGE the load. The problem with idiots is that they drag you down to their level then beat you with experience.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:36pm
  
  Re:
  I have seen in person the fabled "search for google in the browser search bar to bring up google, then search for youtube", and the darkness stared back.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 12:43pm

Security through obscurity. While that may work for your standard users, it won't have any effect on the hackers they are trying to stop.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 12:48pm
  
  Re:
  Hey this looks like a perfect place to try out using encryption with a backdoor to see how well it works out.
  [ link to this | view in chronology ]
ArkieGuy (profile), 17 Feb 2016 @ 12:47pm

Let me google that for you....
Curiously enough, when you do a google search on that url, it shows up on a few pages - including the "Idaho State Police Forensic Services" home page. Hmmmm, maybe that's how Google found it.

http://bfy.tw/4JUe

At this point, about all they can do is change the url and make sure that the robots.txt is correct before they publish the new url. ;)
[ link to this | view in chronology ]
- Anonymous Anonymous Coward, 17 Feb 2016 @ 1:04pm
  
  Re: Let me google that for you....
  If they do that then none of their legitimate users will ever find them again.
  [ link to this | view in chronology ]
  - DannyB (profile), 17 Feb 2016 @ 1:31pm
    
    Re: Re: Let me google that for you....
    But wouldn't that be good news for doughnut farmers?
    [ link to this | view in chronology ]
    - Anonymous Anonymous Coward, 17 Feb 2016 @ 1:51pm
      
      Re: Re: Re: Let me google that for you....
      Not being a farmer, I have been wondering about that. Does Monsanto control the sprinkles seeds?
      [ link to this | view in chronology ]
Keroberos (profile), 17 Feb 2016 @ 2:26pm

Someone doesn't understand how "robots.txt" works.
It will not block indexing if some other site links to that URL. They should be using the robots meta tag in the HTTP header of that web page and all other pages they don't want indexed.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Feb 2016 @ 2:35pm
  
  Re: Someone doesn't understand how "robots.txt" works.
  Why not move it to an to a real private network that is only publicly accessible through a VPN so the Google indexing point is moot?
  [ link to this | view in chronology ]
- Oninoshiko, 17 Feb 2016 @ 2:38pm
  
  Re: Someone doesn't understand how "robots.txt" works.
  or, you know, not put the thing on the open internet...
  
  but what do I know?
  [ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 3:29pm

Police: "Don't be evil Google. Protect our website from bad guys using Internet Explorer."
[ link to this | view in chronology ]
That Anonymous Coward (profile), 17 Feb 2016 @ 4:15pm

Security via Obscurity
The amount of evidence being presented to my suppositions is making the case for them being real.

Google = Internet.
We hired a cousins nephew who set the clock on the VCR to setup our website. You mean OTHER people can find it on the internet?! Quick make Google fix it.

Someone with some free time want to submit a FOIA request to find out how much cash was kicked back from the idiot who set this up? I'm willing to bet millions were and continue to be spent keeping this trainwreck rolling.
[ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 4:53pm

So - LEOs are going dark?
lol
[ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 5:06pm

The silly part here is that they use a *DMCA* request. DMCA deals with copyright. It's not a catch-all "we want this taken down" mechanism.

To be fair, the rules on what you must do to de-list a page are not intuitive. On the other hand, they are easily googleable:

"Important! For the noindex meta tag to be effective, the page must not be blocked by a robots.txt file. If the page is blocked by a robots.txt file, the crawler will never see the noindex tag, and the page can still appear in search results, for example if other pages link to it."
[ link to this | view in chronology ]
Anonymous Coward, 17 Feb 2016 @ 5:08pm

Tim: I notice you didn't put a nofol on that link to that login page. What are you trying to do, improve its page rank so it appears in MORE searches?
[ link to this | view in chronology ]
Lisa Westveld (profile), 18 Feb 2016 @ 1:01am

Has anyone even looked at this site?
Come on, guys! They don't want it off the Google-index because it's all secret but worse: it's butt-ugly! You need Internet Explorer to correctly see the page, else things look a bit weird. And it has been developed in an Ancient .NET version in a pretty bad way. And it would not surprise me if a hacker gets inside within 15 minutes of experimenting.
But the page... And the Code... Oh, it hurts my eyes so badly! Quick! Close it, forget it, BURN IT DOWN! I agree with them and this should be DMCA'd because no one should be able to see such ugliness...
It's Geocities all over again...
[ link to this | view in chronology ]
JamesK, 20 Feb 2016 @ 4:43pm

Robots.txt
Isnt a very bright idea either considering thats where most bots check first in order to see what they should and should noy see. Just sayin........
[ link to this | view in chronology ]