[Netalyzr] did you know I can find all the results by IP address in Google

Len Lavens mailforlen at yahoo.com
Sat Aug 6 11:15:19 PDT 2011

this is quite surprising

first it seems nobody really read the posts about this software and the essential privace and security questions which weren't traited
it seems you were - as scientists -  so absorbed in your project that you forgot the wider impact and possibilities of your project
the technical questions pushed the security and privacyproblems into the background

first the google searchterm didn't show links to reports on other forums but on your site itself
the google searchterm was site:yoursite and has shown all results on your site 

that these results are also posted on other sites makes the problem even greater
so that response is a mistake and its only purpose is to neglect your responsability
you should put however an article in your conditions - that you don't have (in a superlegalistic country like the US?) that this information shouldn't be 

published on the internet because it has too much dangerous security information and that you aren't responsable etc....

three sideremarks on the question that a robot.txt will be made
* this changes nothing about the fact that the security information in the reports can be extremely dangerous
* this changes nothing about the fact that that information should be better protected against prying eyes
* this changes nothing about the fact that the information will still be on the site for scanners and searchengines that don't respect the robot.txt 

secondly there are several things you should do
* you should limit the tests to people who aren't behind a NAT (network)
the reason is that there are other people responsable for a network and that only those people should be able to use your service
you should also automatically refuse to it being used by certain organisations and firms like military, offical government and banks 

to be sure that you aren't being used 
you should make it possilble for the networkadmins to use your service but only after registration and control and with their official emailadress
and with a number of 'unresponsabilities" for you to sign for them

* you should change the structure and that people sign a declaration before the test is run 

I don't understand why in the time of Lulzsec you take all these responsabilites without a disclaimer that is sufficient in the present situation of the internet and legal environment

* and some other things I think about
but it all depends 

do you want to do the right thing or do you still think that there is only a limited problem

If you want me to help you
I will 

but If you think that I am just a stupid kid
than I will continue my research and campaign

From: Nicholas Weaver <nweaver at icsi.berkeley.edu>
To: Len Lavens <mailforlen at yahoo.com>
Cc: Nicholas Weaver <nweaver at icsi.berkeley.edu>; "netalyzr at mailman.ICSI.Berkeley.EDU" <netalyzr at ICSI.Berkeley.EDU>
Sent: Friday, August 5, 2011 7:58 PM
Subject: Re: [Netalyzr] did you know I can find all the results by IP address in Google

More specifically, the ones Google has indexed are summary reports which people have posted links to in a place where Google has crawled.  Almost all are League of Legends users, where the advanced network debugging instructions are specifically for users to publically post Netalyzr links in the forums.

Thus even with a robots.txt (which we are going to add), these will still be discoverable by searching for URLs pointing TO netalyzr.  

On Aug 5, 2011, at 1:58 AM, Len Lavens wrote:

> belsec.skynetblogs.be 
> Yes Google has indexed all the results it has found during its visits
> and your robot.txt doesn't probably exclude the results
> so now all that information is public
> and if you would like to ask Google also to delete all the results from its cache
> when you have installed your robot.txt and your Google accounts 
> just to be sure no hacker sees all the very technical and useful information 
> mailforlen
> _______________________________________________
> Netalyzr mailing list
> Netalyzr at mailman.ICSI.Berkeley.EDU
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/netalyzr/attachments/20110806/8c2b8837/attachment.html 

More information about the Netalyzr mailing list