disavowal of aliased message; web security issue

From: Paul A. Miller (pmiller@gramcord.org)
Date: Sat Apr 13 1996 - 13:52:32 EDT


This morning I was shocked to find that someone had "aliased" a message to
b-greek under my name. (I want to publicly state that I have no particular
interest in the matter involving Maurice Robinson and Carlton Winbery and
have no interest posting to the list concerning it.)

In investigating it on the teleport.com server, I discovered that the file
had been "edited" from material stored on the FTP space of our website where
the b-greek archives and other files contributed by the public are being
compiled for access by Internet users as a public service. Most of these
files are meant to be downloaded and used but in this case someone
apparently thought a "hacker's joke" was in order? (What was posted to
b-greek under my name could have been produced in a variety of ways but I
received several other "prank" messages this week that tell me several
things were afoot that I won't go into.) I have no interest in getting into
a dialogue on the issue that was posted under my name and I am personally
embarrassed by this prank.

After investigating this -- even though this is a bit technical -- I feel
compelled to describe the "web security" issue behind this issue that others
may wish to be aware of.

I consulted the various "web searcher/directory" programs used to do WWW
keyword searches (e.g. Yahoo, Alta Vista, etc.). Amongst the entries I was
very surprised to see listed excerpts from what I thought were non-public
files on my teleport.com FTP space. Even though these files were not linked
to the public website, the web-crawlers apparently do keyword indexing of
all (?) the files in that FTP directory even though they are not connected
to the public links of the registered virtual domain based in that
directory. As a result, I found that not only were "under-construction"
webpages thereby searched and indexed by certain "web crawlers" and
summarized for public use (and the exact file addresses revealed), but even
files posted by others to that FTP space can get "scanned" and indexed and
attributed to our website. Thus, I was SURPRISED TO FIND that any file
posted to our website FTP space -- even though there is no "public link" to
it from the website -- can be cross-referenced and listed in these Internet
directory services and be attributed to the GRAMCORD keyword!

I realize the above may be confusing, but let me summarize in another way.
It appears that if you are using server file space and that that space is
linked to a registered virtual domain (in my case, "gramcord.org"),
everything on that FTP file space may be scanned and indexed by the various
web crawler and directory services so that the public can do keyword
searches on them. As a result, files which you would consider non-public --
including perhaps your own file/document archives and files from other
people which have been posted to the site which you may not have even read
-- become searchable in quite powerful ways via various web keyword search
programs. In fact, if your old email is archived in such a space, it can
potentially be scanned and indexed by keyword for access on a web search
program! Imagine finding out that anyone on the Internet can do a search for
"Aunt Matilda" and mouse-click their way to some birthday greetings you sent
a family member! (Hypothetical situation; I don't have an Aunt Matilda.)

The good news for 99% of the people reading this post is that the average
Internet user does not have a website which is addressed using a virtual
domain name -- so your file space is probably not being scanned. (Most
Internet users don't have a website at all and even if they do, they
probably aren't storing many files there.)

Now that I have a better idea of what is going on, I am making changes in
how our website FTP file space is set up.

Unfortunately, I don't have the technical expertise to prevent aliasing of
email addresses. (If I did, I could probably stop the annoying magazine
offers which are repeatedly posted to B-Greek. They come from a bogus
aliased email address which is why you can't send back a response to or
track down the sender.)

Even so, this brings up another "security issue" that has concerned me ever
since I started making preparations to offer a public archive of the b-greek
digests. Since the files will be available for downloading, it is very easy
for someone to edit them, quote them out of context, plagiarize, forward
them, etc. in ways that may be embarrassing to the original author. I am
concerned about this for obvious reasons -- including potential liabilities
on the part of the GRAMCORD Institute -- especially if someone feels that
the Institute is culpable because it has made the files so publicly
available on the world-wide-web. (Posted disclaimers really don't provide
much legal protection nowadays.) Anyway, I would be interested in opinions
and/or advice as we prepare to offer not only the archive texts on-line, but
a search engine to easily reference them.

Again, I was shocked to read the posting and will instigate some changes to
make a recurrence less likely. So, PLEASE, don't spam me for a very bizarre
situation.

Wow, today hasn't gotten off to a very weird start.

Now. . . . back to Greek (and pardon my strange but necessary excursus).

*************************************************************************
Prof. Paul A. Miller (Email: pmiller@GRAMCORD.org)
The GRAMCORD Institute
2218 NE Brookview Dr., Vancouver, WA 98686, U.S.A.
Voice (360)576-3000; FAX (503)761-0626; Homepage: http://www.GRAMCORD.org
Computer-Assisted Biblical Language Research (IBM & MAC)
*************************************************************************
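As an added example (not from Prof. Miller's post or the GRAMCORD site), a small Python audit that lists every file under a web root that no link chain from index.html reaches, i.e. the "unlinked but still indexable" files the message describes; the sample site it builds is constructed here, and the file names in it are made up.

```python
import os, re, tempfile
from urllib.parse import urlparse

LINK_RE = re.compile(r'(?:href|src)=["\']([^"\'#]+)', re.IGNORECASE)

def linked_paths(web_root, start="index.html"):
    """Root-relative paths reachable by following local links from start."""
    seen, todo = set(), [start]
    while todo:
        rel = todo.pop()
        if rel in seen:
            continue
        seen.add(rel)
        full = os.path.join(web_root, rel)
        if not (rel.endswith(".html") and os.path.isfile(full)):
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            targets = LINK_RE.findall(fh.read())
        for target in targets:
            if urlparse(target).scheme:  # off-site or mailto: link, not ours
                continue
            joined = os.path.normpath(os.path.join(os.path.dirname(rel), target))
            if not joined.startswith(".."):  # stay inside the web root
                todo.append(joined.replace(os.sep, "/"))
    return seen

def unlinked_files(web_root):
    """Files under web_root that no link chain from index.html reaches;
    a crawler or directory listing can still index them."""
    reachable = linked_paths(web_root)
    found = (os.path.relpath(os.path.join(d, f), web_root).replace(os.sep, "/")
             for d, _, fs in os.walk(web_root) for f in fs)
    return sorted(p for p in found if p not in reachable)

def build_sample_root():
    """Constructed sample site: two linked pages plus two files nothing links to."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": '<a href="about.html">About</a> <a href="http://example.invalid/">x</a>',
        "about.html": '<a href="index.html">Home</a>',
        "draft-under-construction.html": "<p>not ready</p>",
        "archive/b-greek-digest.txt": "From: someone\nold list mail",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `unlinked_files` against a real web or FTP root to get the list of files a visitor cannot click to but a crawler can still fetch and index.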



This archive was generated by hypermail 2.1.4 : Sat Apr 20 2002 - 15:37:40 EDT