
Dick Lasswel

join:2008-04-05
Portland, OR

some advice about internet fishing?

I'm looking for some guidance here. This guidance may be "legal", but may also be just about courtesy. Here's the situation.

I run a website that offers slides for presentations that my colleagues will be giving. I have a home page that links to those presentations when they are ready to be delivered, inviting people to download them. The file names being linked to look like this ... "Joe_2-23-13" or "Jane_4-12-13". But before I'm ready to offer them, I advertise an agenda, pointing to future presentations. As in ".... and Sarah is going to be sharing with us on July 2. Please join!"

Now, I see (non-bot) IPs fishing around in my public folder for "Sarah_7-2-13" before I've invited anyone to access that material. People are trying to preview Sarah's materials. Yes, it's a "Public" area, but I haven't made that file name explicit to anyone. Now, I've left her materials in an intentionally unsecured place. It's like a lock that's really easy to pick. But it strikes me as the equivalent of someone rummaging around in my (unlocked) filing cabinet. Can this be regarded as "theft", or is it perhaps just professional discourtesy?

Is there a name for this kind of internet fishing? Are there legal issues involved? Are files in a "Public" area really considered free access to anyone and everyone? Sure, it's no big deal for me to keep this stuff out of the "Public" area of my server until it's ready to circulate, but I was just curious.

TheMG
Premium
join:2007-09-04
Canada
First of all, that's not fishing. Actually, it's spelled "phishing", which is a completely different thing than what you're posting about.

If you don't want other people to access the files, then why are you putting the links to those files on a publicly accessible page? Of course people are going to find them; the internet is full of bots and search engine crawlers that index the contents of websites, subsequently allowing actual people to find them.

Also, do you allow directory listings on the webserver? That could be another reason.

If you want to restrict access to only certain people, this can be done quite easily. You can password-protect the webserver directory so anyone trying to access it will have to enter a username and password. The exact methodology depends on what webserver software you're running. For Apache, it would be done using .htaccess and .htpasswd files. If you're using a web hosting provider, contact them and ask about this.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch

1 recommendation

reply to Dick Lasswel
said by Dick Lasswel:

Now, I see (non-bot) IPs fishing around in my public folder for "Sarah_7-2-13" before I've invited anyone to access that material.

I do stuff like that. Many organizations upload content before they get around to telling everyone about it. Since they use an easily guessed filename and path, it's easy to get stuff before someone bothers to publish that it's up. I've always wondered why they can't coordinate the two.

Now other organizations go to great lengths to hide stuff by using CLSID type pathnames and/or filenames.

In short, if you tell people stuff is going to be there and/or you do it regularly plus use easily guessed names, you're going to get this.
--
Don't feed trolls--it only makes them grow!
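
One way to pull this kind of filename guessing out of an Apache access log, as an added example that is not part of anyone's post in this thread: it flags requests that fit the Name_M-D-YY scheme but name a file not yet linked from the home page. The /Public/ URL prefix, the log lines and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client IP, request path, status code.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# The thread's naming scheme, Name_M-D-YY (e.g. Sarah_7-2-13), with an
# optional extension. The /Public/ URL prefix is an assumption.
SLIDE_RE = re.compile(r'^/Public/([A-Za-z]+_\d{1,2}-\d{1,2}-\d{2})(?:\.\w+)?$')


def find_guessing(log_lines, announced):
    """Group requests for scheme-shaped names that are NOT yet announced.

    Returns {ip: {"hits": [...], "misses": [...]}}: "hits" were served
    (2xx or 304), "misses" were refused or not found (e.g. 403/404).
    """
    report = defaultdict(lambda: {"hits": [], "misses": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = SLIDE_RE.match(path.split("?", 1)[0])  # ignore query strings
        if not s or s.group(1) in announced:
            continue  # other content, or a file already linked publicly
        served = 200 <= status < 300 or status == 304
        report[ip]["hits" if served else "misses"].append(s.group(1))
    return dict(report)


# Constructed sample data (documentation-range IPs, invented timestamps).
ANNOUNCED = {"Joe_2-23-13", "Jane_4-12-13"}
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2013:10:01:02 -0700] "GET /Public/Joe_2-23-13 HTTP/1.1" 200 48211',
    '198.51.100.7 - - [20/Jun/2013:10:05:40 -0700] "GET /Public/Sarah_7-2-13 HTTP/1.1" 200 51877',
    '198.51.100.7 - - [20/Jun/2013:10:05:55 -0700] "GET /Public/Sarah_7-02-13 HTTP/1.1" 404 209',
    '203.0.113.44 - - [20/Jun/2013:11:12:13 -0700] "GET /Public/Tom_8-6-13.ppt HTTP/1.1" 404 209',
    '203.0.113.44 - - [20/Jun/2013:11:12:20 -0700] "GET /Public/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, r in find_guessing(SAMPLE_LOG, ANNOUNCED).items():
        print(ip, "fetched:", r["hits"], "tried:", r["misses"])
```

A non-empty "hits" list means an unannounced file was actually served; "misses" alone show guessing that found nothing.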

Dick Lasswel

join:2008-04-05
Portland, OR
Thanks, to both of you. I'm familiar with the word "phishing" but wasn't sure if it applied to exactly this case.

Also, this isn't a "problem" for me. As I said, it's no big deal for me to keep the material off of the publicly accessible part of my volume. Putting it there is just a convenience.

I do NOT allow directory listings. So the person doing the phishing has not been told explicitly that the material is there. I don't want to bother with password protection, though I know how to do it.

I think Stuart probably has it right, that if I'm telling people the stuff will be there, and give them the key to make the phishing easy (even if I don't tell them the filename), I can pretty much expect that people will do it.

Dick Lasswel

join:2008-04-05
Portland, OR
reply to Dick Lasswel
Well, here's an Apache server question. It would seem that these IPs have located files in my Public folder that I never told anyone about, and I have an index file in that folder that is supposed to prevent anyone from getting a directory of that folder.

How are they getting a directory of that folder such that they know what's in there? Is there some workaround to get a directory of a Public folder?

TheMG
Premium
join:2007-09-04
Canada
Only way I can think of that happening is if you have the "DirectorySlash" option enabled.

With that enabled, the behaviour is as follows:

domain.tld/somedirectory/ -> serves the index file

domain.tld/somedirectory -> serves directory listing

Of course, there could be other avenues by which they are becoming aware of the presence of the files.