Laurentiu Cristofor's blog @microsoft.com : search engines

Privacy and search engines

lcris — Fri, 11 Dec 2009 17:46:00 GMT

It is no secret that search engines keep track of searches made. Any website logs accesses and most websites track your activity via cookies for reasons involving both your benefit and that of the site you're accessing. You may be surprised to find out that even video players used for online videos come with their own version of cookies that are not under the control of browsers. In other words there's a lot of tracking going around. As someone that has been raised in a communist country, I still remember my parents cautioning me to not discuss "politics" at school and no matter what, under any circumstances, ever make any mention of listening to Radio Free Europe. So, I can say that in a sense privacy has been instilled in me from quite a young age and that makes me very sensitive to comments basically saying that "if you're good, you have nothing to hide" - because that makes the assumption that you have nothing to hide from other good guys. Yes, but what about the bad guys and what about good guys later turning bad?

All this makes me feel uneasy when I hear dismissive talk of privacy from people that should know better (won't say who - important people). Bruce Schneier writes often about the value of privacy and if you find appeal in the idea that privacy is just for bad people, then it might help read one of his articles on privacy. I'll just end with a famous quote from a famous American: “Anyone who trades liberty for security deserves neither liberty nor security”.

bing adds twitter integration

lcris — Wed, 21 Oct 2009 19:59:00 GMT

See it work at: http://www.bing.com/twitter.

[UPDATE 10/22/2009]:

Reactions:

http://googleblog.blogspot.com/2009/10/rt-google-tweets-and-updates-and-search.html
http://www.businessinsider.com/henry-blodget-well-what-do-you-know-google-is-actually-nervous-about-microsoft-bing-2009-10

bing has launched!

lcris — Mon, 01 Jun 2009 20:56:00 GMT

I haven't posted anything new for some time, but now I have some news related to my current area of work: bing is Microsoft's new search engine, it has launched yesterday, and you can now find it at www.bing.com. Give it a try and let me know what you think about it.

A SQL Injection attack and search engines

lcris — Tue, 05 Aug 2008 22:07:00 GMT

A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links:

http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html

A search for the query string "http://1.verynx.cn/w.js" (the quotes are part of the search string) shows that there are still sites infected today.

So, SQL Injection is alive and kicking - no big surprise here. But what may come as a surprise to you, if you're not aware of it yet, is that there is a further vulnerability here: vulnerable sites are discoverable using a search engine - it happens when the SQL Injection results in some link getting inserted in web pages, as is the case in this recent attack. This means another attacker can use a search engine to get a list of vulnerable sites and hack them a second time, for a more devastating effect. This is an instance of Search Engine Hacking - Google Hacking is currently the popular term, but any search engine can be used, not just google. Note that this is not really about hacking the search engine, but about using the search engine for hacking.

Here is more in-depth information on this techique of search engine hacking:

Google Hacking for Penetration Testers
Google Hacking page on Wikipedia
Google Hacking Database

Also note that search engine hacking goes beyond SQL Injection attacks - the sources mentioned above contain more examples of searching for different vulnerabilities. If you're the administrator of a Web site, you cannot afford to ignore this technique.